@pymthouse/builder-sdk 0.4.5 → 0.4.6

package/dist/{client-GP-mTEI7.d.cts → client-CEBVgCD7.d.cts}

@@ -58,6 +58,16 @@ declare class PmtHouseClient {
     exchangeForSignerSession(input: {
         userJwt: string;
         resource?: string;
+        /**
+         * When true, omit the RFC 8707 `resource` parameter entirely. This selects
+         * the documented PymtHouse gateway/opaque signer-session exchange
+         * (long-lived `pmth_*` token) rather than the signer-JWT path that a
+         * `resource = issuer` indicator routes to. Takes precedence over
+         * {@link resource}.
+         */
+        omitResource?: boolean;
+        /** Optional `scope` for the exchange (e.g. `sign:job`). Omitted when unset. */
+        scope?: string;
     }): Promise<TokenExchangeResponse>;
     /**
      * Mint a short-lived per-user JWT with the Builder API, then exchange it for
@@ -115,7 +125,15 @@ declare class PmtHouseClient {
         signal?: AbortSignal;
     }): Promise<GetAppManifestResult>;
     /**
-     * Upsert an external user, mint a short-lived JWT, and exchange for an opaque signer session.
+     * Upsert an external user, mint a short-lived JWT, and exchange it for a
+     * long-lived opaque (`pmth_*`) signer session.
+     *
+     * Performs the *documented* remote-signer-session exchange (see
+     * `builder-api.md` → "Remote signer session exchange"): the RFC 8693 token
+     * exchange is sent with `scope=sign:job` and **no `resource` indicator**,
+     * which selects the PymtHouse gateway/opaque path. A prior implementation set
+     * `resource = issuer`, which routed to the signer-JWT path and returned a JWT
+     * that {@link parseSignerSessionExchange} then rejected as non-opaque.
      */
     mintSignerSessionForExternalUser(input: MintSignerSessionForExternalUserInput): Promise<SignerSessionToken>;
     /**

package/dist/{client-BhNz0ZAA.d.ts → client-D-p6v8ju.d.ts}

@@ -58,6 +58,16 @@ declare class PmtHouseClient {
     exchangeForSignerSession(input: {
         userJwt: string;
         resource?: string;
+        /**
+         * When true, omit the RFC 8707 `resource` parameter entirely. This selects
+         * the documented PymtHouse gateway/opaque signer-session exchange
+         * (long-lived `pmth_*` token) rather than the signer-JWT path that a
+         * `resource = issuer` indicator routes to. Takes precedence over
+         * {@link resource}.
+         */
+        omitResource?: boolean;
+        /** Optional `scope` for the exchange (e.g. `sign:job`). Omitted when unset. */
+        scope?: string;
     }): Promise<TokenExchangeResponse>;
     /**
      * Mint a short-lived per-user JWT with the Builder API, then exchange it for
@@ -115,7 +125,15 @@ declare class PmtHouseClient {
         signal?: AbortSignal;
     }): Promise<GetAppManifestResult>;
     /**
-     * Upsert an external user, mint a short-lived JWT, and exchange for an opaque signer session.
+     * Upsert an external user, mint a short-lived JWT, and exchange it for a
+     * long-lived opaque (`pmth_*`) signer session.
+     *
+     * Performs the *documented* remote-signer-session exchange (see
+     * `builder-api.md` → "Remote signer session exchange"): the RFC 8693 token
+     * exchange is sent with `scope=sign:job` and **no `resource` indicator**,
+     * which selects the PymtHouse gateway/opaque path. A prior implementation set
+     * `resource = issuer`, which routed to the signer-JWT path and returned a JWT
+     * that {@link parseSignerSessionExchange} then rejected as non-opaque.
      */
     mintSignerSessionForExternalUser(input: MintSignerSessionForExternalUserInput): Promise<SignerSessionToken>;
     /**

package/dist/env.cjs

@@ -1226,8 +1226,13 @@ var PmtHouseClient = class {
     params.set("subject_token", input.userJwt);
     params.set("subject_token_type", SUBJECT_ACCESS_TOKEN_TYPE2);
     params.set("requested_token_type", REQUESTED_ACCESS_TOKEN_TYPE);
-    const resourceCandidate = typeof input.resource === "string" && input.resource.trim() !== "" ? input.resource.trim() : this.issuerUrl;
-    params.set("resource", stripTrailingSlashes(resourceCandidate));
+    if (typeof input.scope === "string" && input.scope.trim() !== "") {
+      params.set("scope", input.scope.trim());
+    }
+    if (!input.omitResource) {
+      const resourceCandidate = typeof input.resource === "string" && input.resource.trim() !== "" ? input.resource.trim() : this.issuerUrl;
+      params.set("resource", stripTrailingSlashes(resourceCandidate));
+    }
     try {
       const response = await oauth4webapi.genericTokenEndpointRequest(
         as,
@@ -1513,18 +1518,31 @@ var PmtHouseClient = class {
     };
   }
   /**
-   * Upsert an external user, mint a short-lived JWT, and exchange for an opaque signer session.
+   * Upsert an external user, mint a short-lived JWT, and exchange it for a
+   * long-lived opaque (`pmth_*`) signer session.
+   *
+   * Performs the *documented* remote-signer-session exchange (see
+   * `builder-api.md` → "Remote signer session exchange"): the RFC 8693 token
+   * exchange is sent with `scope=sign:job` and **no `resource` indicator**,
+   * which selects the PymtHouse gateway/opaque path. A prior implementation set
+   * `resource = issuer`, which routed to the signer-JWT path and returned a JWT
+   * that {@link parseSignerSessionExchange} then rejected as non-opaque.
    */
   async mintSignerSessionForExternalUser(input) {
+    const scope = input.scope ?? SIGN_JOB_SCOPE;
     await this.upsertAppUser({
       externalUserId: input.externalUserId,
       email: input.email,
       status: "active"
     });
-    const exchange = await this.mintUserSignerSessionToken({
+    const userToken = await this.mintUserAccessToken({
       externalUserId: input.externalUserId,
-      scope: input.scope ?? SIGN_JOB_SCOPE,
-      resource: this.issuerUrl
+      scope
+    });
+    const exchange = await this.exchangeForSignerSession({
+      userJwt: userToken.access_token,
+      omitResource: true,
+      scope
     });
     return parseSignerSessionExchange(exchange);
   }