@pymthouse/builder-sdk 0.4.4 → 0.4.6

package/dist/{proxy-KrA1vEmh.d.ts → proxy-CZLY0IfL.d.cts}

@@ -1,4 +1,4 @@
-import { F as FetchLike } from './types-BORaHW_x.js';
+import { F as FetchLike } from './types-CcP67AZm.cjs';
 
 type SignerDmzGate = "http" | "cli";
 interface M2MClientCredentials {
@@ -26,7 +26,8 @@ interface DirectSignerProxyConfig {
     resolveM2MCredentials?: (publicClientId: string) => M2MClientCredentials | Promise<M2MClientCredentials>;
     /**
      * When set, incoming request paths matching this prefix are rewritten to the remote signer base.
-     * Example: `/api/signer/proxy` → remote `/generate-live-payment` when the suffix is empty.
+     * Example: `/api/my-bff/signer` → remote `/generate-live-payment` when the suffix is empty.
+     * This is for integrator-hosted BFF routes, not dashboard `/api/signer/*` proxy paths.
      */
     proxyPathPrefix?: string;
     /** Remote path used when the proxied suffix is empty. Defaults to `/generate-live-payment`. */
@@ -139,6 +140,7 @@ interface DeviceExchangeResponse {
     };
 }
 interface ExchangeDeviceTokenForSignerOptions {
+    /** Platform/dashboard origin for JWT exchange only (`POST .../api/signer/device/exchange`). */
     facadeUrl: string;
     deviceToken: string;
     scope?: string;
@@ -194,6 +196,7 @@ interface ApiKeyExchangeHandlerConfig {
     allowInsecureHttp?: boolean;
 }
 interface ExchangeApiKeyForSignerOptions {
+    /** Platform/dashboard origin for JWT exchange only (`POST .../api/pymthouse/keys/exchange`). */
     facadeUrl: string;
     apiKey: string;
     scope?: string;

package/dist/{proxy-0wa8QZIU.d.cts → proxy-D36SpZ6k.d.ts}

@@ -1,4 +1,4 @@
-import { F as FetchLike } from './types-BORaHW_x.cjs';
+import { F as FetchLike } from './types-CcP67AZm.js';
 
 type SignerDmzGate = "http" | "cli";
 interface M2MClientCredentials {
@@ -26,7 +26,8 @@ interface DirectSignerProxyConfig {
     resolveM2MCredentials?: (publicClientId: string) => M2MClientCredentials | Promise<M2MClientCredentials>;
     /**
      * When set, incoming request paths matching this prefix are rewritten to the remote signer base.
-     * Example: `/api/signer/proxy` → remote `/generate-live-payment` when the suffix is empty.
+     * Example: `/api/my-bff/signer` → remote `/generate-live-payment` when the suffix is empty.
+     * This is for integrator-hosted BFF routes, not dashboard `/api/signer/*` proxy paths.
      */
     proxyPathPrefix?: string;
     /** Remote path used when the proxied suffix is empty. Defaults to `/generate-live-payment`. */
@@ -139,6 +140,7 @@ interface DeviceExchangeResponse {
     };
 }
 interface ExchangeDeviceTokenForSignerOptions {
+    /** Platform/dashboard origin for JWT exchange only (`POST .../api/signer/device/exchange`). */
     facadeUrl: string;
     deviceToken: string;
     scope?: string;
@@ -194,6 +196,7 @@ interface ApiKeyExchangeHandlerConfig {
     allowInsecureHttp?: boolean;
 }
 interface ExchangeApiKeyForSignerOptions {
+    /** Platform/dashboard origin for JWT exchange only (`POST .../api/pymthouse/keys/exchange`). */
     facadeUrl: string;
     apiKey: string;
     scope?: string;

package/dist/signer/gateway.cjs

@@ -0,0 +1,542 @@
+'use strict';
+
+var oauth4webapi = require('oauth4webapi');
+
+// src/errors.ts
+var PmtHouseError = class extends Error {
+  status;
+  code;
+  details;
+  constructor(message, {
+    status = 500,
+    code = "pymthouse_error",
+    details
+  } = {}) {
+    super(message);
+    this.name = "PmtHouseError";
+    this.status = status;
+    this.code = code;
+    this.details = details;
+  }
+};
+
+// src/string-utils.ts
+function stripTrailingSlashes(value) {
+  let end = value.length;
+  while (end > 0 && (value.codePointAt(end - 1) ?? 0) === 47) {
+    end--;
+  }
+  return value.slice(0, end);
+}
+function endsWithIgnoreCase(value, suffix) {
+  if (suffix.length > value.length) {
+    return false;
+  }
+  const start = value.length - suffix.length;
+  for (let i = 0; i < suffix.length; i++) {
+    const a = value.codePointAt(start + i) ?? 0;
+    const b = suffix.codePointAt(i) ?? 0;
+    if (a !== b && (a | 32) !== (b | 32)) {
+      return false;
+    }
+  }
+  return true;
+}
+function stripSuffixIgnoreCase(value, suffix) {
+  return endsWithIgnoreCase(value, suffix) ? value.slice(0, value.length - suffix.length) : value;
+}
+function stripIssuerOriginFromOidcUrl(issuerUrl) {
+  let base = stripTrailingSlashes(issuerUrl.trim());
+  base = stripSuffixIgnoreCase(base, "/api/v1/oidc");
+  base = stripSuffixIgnoreCase(base, "/oidc");
+  return stripTrailingSlashes(base);
+}
+var CACHE_TTL_MS = 5 * 60 * 1e3;
+var discoveryCache = /* @__PURE__ */ new Map();
+function normalizedIssuerKey(issuerUrl) {
+  return stripTrailingSlashes(issuerUrl);
+}
+async function loadAuthorizationServer(issuerUrl, fetchImpl, options = {}) {
+  const key = normalizedIssuerKey(issuerUrl);
+  const now = Date.now();
+  const cached = discoveryCache.get(key);
+  if (!options.force && cached && now - cached.fetchedAt < CACHE_TTL_MS) {
+    return cached.as;
+  }
+  const issuerIdentifier = new URL(key);
+  const discoveryOpts = {
+    algorithm: "oidc",
+    [oauth4webapi.customFetch]: fetchImpl
+  };
+  if (options.allowInsecureHttp) {
+    discoveryOpts[oauth4webapi.allowInsecureRequests] = true;
+  }
+  let response;
+  try {
+    response = await oauth4webapi.discoveryRequest(issuerIdentifier, discoveryOpts);
+  } catch (e) {
+    throw mapDiscoveryNetworkError(e);
+  }
+  let as;
+  try {
+    as = await oauth4webapi.processDiscoveryResponse(issuerIdentifier, response);
+  } catch (e) {
+    throw mapOAuthDiscoveryError(e);
+  }
+  discoveryCache.set(key, { as, fetchedAt: now });
+  return as;
+}
+function mapOAuthDiscoveryError(error) {
+  if (error instanceof PmtHouseError) {
+    return error;
+  }
+  if (error instanceof Error) {
+    return new PmtHouseError(error.message, {
+      status: 500,
+      code: "oidc_discovery_invalid",
+      details: { cause: error.cause }
+    });
+  }
+  return new PmtHouseError("OIDC discovery failed", {
+    status: 500,
+    code: "oidc_discovery_invalid"
+  });
+}
+function mapDiscoveryNetworkError(error) {
+  if (error instanceof PmtHouseError) {
+    return error;
+  }
+  if (error instanceof Error) {
+    return new PmtHouseError(`Failed to load OIDC discovery: ${error.message}`, {
+      status: 502,
+      code: "oidc_discovery_failed"
+    });
+  }
+  return new PmtHouseError("Failed to load OIDC discovery", {
+    status: 502,
+    code: "oidc_discovery_failed"
+  });
+}
+
+// src/encoding.ts
+function encodeClientSecretBasic(clientId, clientSecret) {
+  const raw = `${clientId}:${clientSecret}`;
+  const b64 = typeof Buffer !== "undefined" ? Buffer.from(raw, "utf8").toString("base64") : btoa(Array.from(new TextEncoder().encode(raw), (c) => String.fromCharCode(c)).join(""));
+  return `Basic ${b64}`;
+}
+
+// src/signer/fetch-json.ts
+function oauthFailureDescription(parsed, failureLabel, status) {
+  if (typeof parsed.error_description === "string") {
+    return parsed.error_description;
+  }
+  if (typeof parsed.error === "string") {
+    return parsed.error;
+  }
+  return `${failureLabel} (${status})`;
+}
+async function readJsonObjectFromResponse(response, options) {
+  const text = await response.text();
+  let parsed;
+  try {
+    parsed = text ? JSON.parse(text) : {};
+  } catch {
+    throw new PmtHouseError(options.invalidJsonMessage, {
+      status: 502,
+      code: options.invalidJsonCode,
+      details: { status: response.status }
+    });
+  }
+  if (!response.ok) {
+    const description = oauthFailureDescription(parsed, options.failureLabel, response.status);
+    throw new PmtHouseError(description, {
+      status: response.status,
+      code: typeof parsed.error === "string" ? parsed.error : options.defaultErrorCode,
+      details: parsed
+    });
+  }
+  return parsed;
+}
+
+// src/signer/json-fields.ts
+function readStringField(body, key, errorCode, messagePrefix = "Response") {
+  const value = body[key];
+  if (typeof value !== "string" || !value.trim()) {
+    throw new PmtHouseError(`${messagePrefix} missing ${key}`, {
+      status: 502,
+      code: errorCode
+    });
+  }
+  return value.trim();
+}
+function readExpiresIn(body, errorCode) {
+  const expiresIn = body.expires_in;
+  if (typeof expiresIn !== "number" || !Number.isFinite(expiresIn) || expiresIn <= 0) {
+    throw new PmtHouseError("Response missing expires_in", {
+      status: 502,
+      code: errorCode
+    });
+  }
+  return Math.floor(expiresIn);
+}
+
+// src/signer/mint-token.ts
+var SIGN_MINT_USER_TOKEN_SCOPE = "sign:mint_user_token";
+var DEFAULT_TTL_REFRESH_RATIO = 0.8;
+var TOKEN_RESPONSE_ERROR = "invalid_token_response";
+function signerJwtAudience(issuerUrl) {
+  return stripTrailingSlashes(issuerUrl);
+}
+function parseMintUserSignerTokenResponse(body, ttlRefreshRatio = DEFAULT_TTL_REFRESH_RATIO) {
+  const accessToken = readStringField(body, "access_token", TOKEN_RESPONSE_ERROR, "Token response");
+  const expiresIn = readExpiresIn(body, TOKEN_RESPONSE_ERROR);
+  const balanceUsdMicros = readStringField(
+    body,
+    "balanceUsdMicros",
+    TOKEN_RESPONSE_ERROR,
+    "Token response"
+  );
+  const lifetimeGrantedUsdMicros = readStringField(
+    body,
+    "lifetimeGrantedUsdMicros",
+    TOKEN_RESPONSE_ERROR,
+    "Token response"
+  );
+  const now = Date.now();
+  const expiresAt = now + expiresIn * 1e3;
+  const refreshAt = now + Math.floor(expiresIn * 1e3 * ttlRefreshRatio);
+  return {
+    jwt: accessToken,
+    expiresAt,
+    refreshAt,
+    balanceUsdMicros,
+    lifetimeGrantedUsdMicros
+  };
+}
+async function mintUserSignerToken(options) {
+  const fetchImpl = options.fetch ?? fetch;
+  const issuerUrl = stripTrailingSlashes(options.issuerUrl);
+  const as = await loadAuthorizationServer(issuerUrl, fetchImpl, {
+    allowInsecureHttp: options.allowInsecureHttp
+  });
+  const tokenEndpoint = as.token_endpoint;
+  if (!tokenEndpoint) {
+    throw new PmtHouseError("OIDC discovery document is missing token_endpoint", {
+      status: 500,
+      code: "oidc_discovery_invalid"
+    });
+  }
+  const audience = signerJwtAudience(issuerUrl);
+  const body = new URLSearchParams({
+    grant_type: "client_credentials",
+    scope: SIGN_MINT_USER_TOKEN_SCOPE,
+    external_user_id: options.externalUserId,
+    audience
+  });
+  const response = await fetchImpl(tokenEndpoint, {
+    method: "POST",
+    headers: {
+      Authorization: encodeClientSecretBasic(options.m2mClientId, options.m2mClientSecret),
+      "Content-Type": "application/x-www-form-urlencoded",
+      Accept: "application/json"
+    },
+    body: body.toString(),
+    cache: "no-store"
+  });
+  const parsed = await readJsonObjectFromResponse(response, {
+    invalidJsonMessage: "Token endpoint returned invalid JSON",
+    invalidJsonCode: TOKEN_RESPONSE_ERROR,
+    failureLabel: "Token mint failed",
+    defaultErrorCode: "token_mint_failed"
+  });
+  return parseMintUserSignerTokenResponse(parsed);
+}
+
+// src/signer/device-exchange.ts
+var TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange";
+var SUBJECT_ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token";
+var EXCHANGE_RESPONSE_ERROR = "invalid_exchange_response";
+async function mintSignerTokenFromDeviceToken(options) {
+  const fetchImpl = options.fetch ?? fetch;
+  const issuerUrl = stripTrailingSlashes(options.issuerUrl);
+  const as = await loadAuthorizationServer(issuerUrl, fetchImpl, {
+    allowInsecureHttp: options.allowInsecureHttp
+  });
+  const tokenEndpoint = as.token_endpoint;
+  if (!tokenEndpoint) {
+    throw new PmtHouseError("OIDC discovery document is missing token_endpoint", {
+      status: 500,
+      code: "oidc_discovery_invalid"
+    });
+  }
+  const audience = options.audience?.trim() || issuerUrl;
+  const params = new URLSearchParams({
+    grant_type: TOKEN_EXCHANGE_GRANT,
+    subject_token: options.deviceToken,
+    subject_token_type: SUBJECT_ACCESS_TOKEN_TYPE,
+    audience,
+    resource: audience
+  });
+  if (options.scope?.trim()) {
+    params.set("scope", options.scope.trim());
+  }
+  const response = await fetchImpl(tokenEndpoint, {
+    method: "POST",
+    headers: {
+      Authorization: encodeClientSecretBasic(options.m2mClientId, options.m2mClientSecret),
+      "Content-Type": "application/x-www-form-urlencoded",
+      Accept: "application/json"
+    },
+    body: params.toString(),
+    cache: "no-store"
+  });
+  const parsed = await readJsonObjectFromResponse(response, {
+    invalidJsonMessage: "Token endpoint returned invalid JSON",
+    invalidJsonCode: "invalid_token_response",
+    failureLabel: "Signer JWT exchange failed",
+    defaultErrorCode: "token_exchange_failed"
+  });
+  const cached = parseMintUserSignerTokenResponse(parsed);
+  return {
+    access_token: cached.jwt,
+    expires_in: readExpiresIn(parsed, EXCHANGE_RESPONSE_ERROR),
+    scope: readStringField(parsed, "scope", EXCHANGE_RESPONSE_ERROR),
+    balanceUsdMicros: cached.balanceUsdMicros,
+    lifetimeGrantedUsdMicros: cached.lifetimeGrantedUsdMicros
+  };
+}
+
+// src/signer/api-key-exchange.ts
+var EXCHANGE_RESPONSE_ERROR2 = "invalid_exchange_response";
+async function mintUserAccessTokenFromApiKey(input) {
+  const fetchImpl = input.fetch ?? fetch;
+  const issuerOrigin = stripIssuerOriginFromOidcUrl(input.issuerUrl);
+  const url = `${issuerOrigin}/api/v1/apps/${encodeURIComponent(input.publicClientId)}/auth/api-key/token`;
+  const response = await fetchImpl(url, {
+    method: "POST",
+    headers: {
+      Authorization: `Bearer ${input.apiKey}`,
+      "Content-Type": "application/json",
+      Accept: "application/json"
+    },
+    body: JSON.stringify(input.scope ? { scope: input.scope } : {}),
+    cache: "no-store"
+  });
+  const parsed = await readJsonObjectFromResponse(response, {
+    invalidJsonMessage: "API key token exchange returned invalid JSON",
+    invalidJsonCode: "invalid_token_response",
+    failureLabel: "API key token exchange failed",
+    defaultErrorCode: "api_key_token_exchange_failed"
+  });
+  const accessToken = parsed.access_token;
+  if (typeof accessToken !== "string" || !accessToken.trim()) {
+    throw new PmtHouseError("API key token exchange missing access_token", {
+      status: 502,
+      code: EXCHANGE_RESPONSE_ERROR2
+    });
+  }
+  const expiresIn = typeof parsed.expires_in === "number" && Number.isFinite(parsed.expires_in) ? parsed.expires_in : 900;
+  const scope = typeof parsed.scope === "string" && parsed.scope.trim() ? parsed.scope.trim() : input.scope?.trim() || "sign:job";
+  return {
+    access_token: accessToken.trim(),
+    expires_in: expiresIn,
+    scope
+  };
+}
+async function mintSignerSessionFromApiKey(input) {
+  const userToken = await mintUserAccessTokenFromApiKey({
+    issuerUrl: input.issuerUrl,
+    publicClientId: input.publicClientId,
+    apiKey: input.apiKey,
+    scope: input.scope,
+    fetch: input.fetch
+  });
+  return mintSignerTokenFromDeviceToken({
+    issuerUrl: input.issuerUrl,
+    m2mClientId: input.m2mClientId,
+    m2mClientSecret: input.m2mClientSecret,
+    deviceToken: userToken.access_token,
+    scope: userToken.scope,
+    audience: input.audience,
+    fetch: input.fetch,
+    allowInsecureHttp: input.allowInsecureHttp
+  });
+}
+
+// src/signer/gateway-token.ts
+function requireString(value, label) {
+  if (typeof value !== "string") {
+    throw new PmtHouseError(`${label} must be a string`, {
+      status: 400,
+      code: "invalid_gateway_token"
+    });
+  }
+  return value.trim();
+}
+function optionalString(value, label) {
+  if (value === void 0 || value === null) {
+    return void 0;
+  }
+  return requireString(value, label) || void 0;
+}
+function encodeBase64Json(value) {
+  const json = JSON.stringify(value);
+  if (typeof Buffer === "undefined") {
+    const binary = Array.from(
+      new TextEncoder().encode(json),
+      (c) => String.fromCodePoint(c)
+    ).join("");
+    return btoa(binary);
+  }
+  return Buffer.from(json, "utf8").toString("base64");
+}
+function decodeBase64Json(token) {
+  const trimmed = requireString(token, "gateway token");
+  let json;
+  try {
+    if (typeof Buffer === "undefined") {
+      json = new TextDecoder().decode(
+        Uint8Array.from(atob(trimmed), (c) => c.codePointAt(0) ?? 0)
+      );
+    } else {
+      json = Buffer.from(trimmed, "base64").toString("utf8");
+    }
+  } catch {
+    throw new PmtHouseError("Invalid gateway token: expected base64-encoded JSON", {
+      status: 400,
+      code: "invalid_gateway_token"
+    });
+  }
+  try {
+    return JSON.parse(json);
+  } catch {
+    throw new PmtHouseError("Invalid gateway token: expected UTF-8 JSON payload", {
+      status: 400,
+      code: "invalid_gateway_token"
+    });
+  }
+}
+function normalizeStringMap(map) {
+  if (!map) {
+    return void 0;
+  }
+  const entries = Object.entries(map).filter(
+    ([key, value]) => key.trim() && typeof value === "string"
+  );
+  return entries.length > 0 ? Object.fromEntries(entries) : void 0;
+}
+function buildGatewayToken(input) {
+  if (input === null || typeof input !== "object") {
+    throw new PmtHouseError("buildGatewayToken requires an input object", {
+      status: 400,
+      code: "invalid_gateway_token"
+    });
+  }
+  const signer = requireString(input.signer, "signer URL");
+  if (!signer) {
+    throw new PmtHouseError("buildGatewayToken requires a non-empty signer URL", {
+      status: 400,
+      code: "invalid_gateway_token"
+    });
+  }
+  const signerHeaders = { ...input.signerHeaders };
+  const bundle = { signer };
+  const discovery = optionalString(input.discovery, "discovery URL");
+  if (discovery) {
+    bundle.discovery = discovery;
+  }
+  const rawOrchestrators = input.orchestrators ?? [];
+  if (!Array.isArray(rawOrchestrators)) {
+    throw new PmtHouseError("orchestrators must be an array of strings", {
+      status: 400,
+      code: "invalid_gateway_token"
+    });
+  }
+  const orchestrators = rawOrchestrators.map((entry) => requireString(entry, "orchestrator entry")).filter((entry) => entry.length > 0);
+  if (orchestrators.length > 0) {
+    bundle.orchestrators = orchestrators;
+  }
+  if (input.auth?.kind === "signerJwt") {
+    const accessToken = requireString(input.auth.accessToken, "signerJwt accessToken");
+    if (!accessToken) {
+      throw new PmtHouseError("signerJwt auth requires a non-empty accessToken", {
+        status: 400,
+        code: "invalid_gateway_token"
+      });
+    }
+    signerHeaders.Authorization = `Bearer ${accessToken}`;
+  } else if (input.auth?.kind === "pmthApiKey") {
+    const apiKey = requireString(input.auth.apiKey, "pmthApiKey apiKey");
+    if (!apiKey) {
+      throw new PmtHouseError("pmthApiKey auth requires a non-empty apiKey", {
+        status: 400,
+        code: "invalid_gateway_token"
+      });
+    }
+    bundle.api_key = apiKey;
+    const billing = optionalString(input.auth.billing, "pmthApiKey billing URL");
+    if (billing) {
+      bundle.billing = billing;
+    }
+  }
+  const normalizedSignerHeaders = normalizeStringMap(signerHeaders);
+  if (normalizedSignerHeaders) {
+    bundle.signer_headers = normalizedSignerHeaders;
+  }
+  const normalizedDiscoveryHeaders = normalizeStringMap(input.discoveryHeaders);
+  if (normalizedDiscoveryHeaders) {
+    bundle.discovery_headers = normalizedDiscoveryHeaders;
+  }
+  return encodeBase64Json(bundle);
+}
+function decodeGatewayToken(token) {
+  const payload = decodeBase64Json(token);
+  if (payload === null || typeof payload !== "object" || Array.isArray(payload)) {
+    throw new PmtHouseError("Invalid gateway token: payload must be a JSON object", {
+      status: 400,
+      code: "invalid_gateway_token"
+    });
+  }
+  return payload;
+}
+async function mintGatewayToken(options) {
+  let accessToken;
+  if (options.source === "m2m") {
+    const minted = await mintUserSignerToken({
+      issuerUrl: options.issuerUrl,
+      m2mClientId: options.m2mClientId,
+      m2mClientSecret: options.m2mClientSecret,
+      externalUserId: options.externalUserId,
+      fetch: options.fetch,
+      allowInsecureHttp: options.allowInsecureHttp
+    });
+    accessToken = minted.jwt;
+  } else {
+    const minted = await mintSignerSessionFromApiKey({
+      issuerUrl: options.issuerUrl,
+      publicClientId: options.publicClientId,
+      m2mClientId: options.m2mClientId,
+      m2mClientSecret: options.m2mClientSecret,
+      apiKey: options.apiKey,
+      scope: options.scope,
+      audience: options.audience,
+      fetch: options.fetch,
+      allowInsecureHttp: options.allowInsecureHttp
+    });
+    accessToken = minted.access_token;
+  }
+  return buildGatewayToken({
+    signer: options.signer,
+    discovery: options.discovery,
+    orchestrators: options.orchestrators,
+    signerHeaders: options.signerHeaders,
+    discoveryHeaders: options.discoveryHeaders,
+    auth: { kind: "signerJwt", accessToken }
+  });
+}
+
+exports.buildGatewayToken = buildGatewayToken;
+exports.decodeGatewayToken = decodeGatewayToken;
+exports.mintGatewayToken = mintGatewayToken;
+//# sourceMappingURL=gateway.cjs.map
+//# sourceMappingURL=gateway.cjs.map