fix(hosted): ESM signer loading + tokenId-based Opinion economics validation

Two bugs that each blocked all hosted writes for affected callers:

1. The ESM build lazy-loaded ethers via bare require(), which is undefined
   in ESM. The lazy-signer bridge swallowed the ReferenceError, silently
   dropping the caller's privateKey — every hosted write then failed with
   "hosted write requires a signer". loadEthers() now uses native require
   in CJS and process.getBuiltinModule('node:module').createRequire in ESM.

2. The Opinion economics validator required message.opinion_market_id, but
   the current trading-API message schema signs the outcome tokenId instead
   — every current-schema Opinion order died pre-sign with "economic
   mismatch: message.opinion_market_id missing". Both SDK validators now
   check message.tokenId against resolved.token_id; the opinion_market_id
   equality check applies only when the message carries the field.

Verified live against trade.pmxt.dev from an ESM consumer (pmxt-arb).
TS jest 47/47, Python typeddata suite 34/34.

Author: realfishsam

changelog.md

@@ -2,6 +2,17 @@
 
 All notable changes to this project will be documented in this file.
 
+## [2.49.11] - 2026-06-12
+
+Hosted trading works from ESM apps and Opinion orders pass pre-sign validation. Two independent bugs each blocked all hosted writes for affected callers: the ESM build could not lazy-load ethers (bare `require` is undefined in ESM, and the failure was silently swallowed — the signer was dropped and every write died with "hosted write requires a signer" even when a `privateKey` was passed), and the client-side economics validator demanded `message.opinion_market_id` from a trading-API message schema that no longer carries it (the signed economic identity is the outcome `tokenId`). Both verified live against `trade.pmxt.dev` from an ESM consumer.
+
+### Fixed
+
+- **TS `pmxt/signers.ts`**: New `loadEthers()` helper used by `EthersSigner` — native `require` in the CJS build, `process.getBuiltinModule("node:module").createRequire(...)` in the ESM build (Node >= 20.16). Previously the ESM build's bare `require("ethers")` threw `ReferenceError`, which the lazy-signer bridge in the Exchange constructor caught and swallowed, silently discarding the caller's `privateKey`.
+- **TS `pmxt/hosted-typed-data.ts`**: signature verification now loads ethers via the same helper instead of bare `require`.
+- **TS `pmxt/hosted-typed-data.ts` + Python `pmxt/_hosted_typeddata.py`**: `validateOpinionMarketId` / `_validate_opinion_market_id` now validate `message.tokenId` against `resolved.token_id` — the field that is actually signed. The `opinion_market_id` equality check only applies when the message carries the field (legacy schema); requiring it unconditionally rejected every current-schema Opinion order pre-sign with `economic mismatch: message.opinion_market_id missing`.
+- **Python `tests/test_hosted_typeddata.py`**: opinion economics tests updated to the tokenId-based contract (mismatch rejection on `resolved.token_id`, params-only quirks no longer block, legacy `opinion_market_id` mismatch still rejected when present in the message).
+
 ## [2.49.10] - 2026-06-12
 
 Hosted custody docs now link to the public contract explorer pages instead of private GitHub source paths, and explicitly disclose that explorer source verification/public source publication is still pending.

sdks/python/pmxt/_hosted_typeddata.py

@@ -480,6 +480,35 @@ def _validate_worst_price(
 
 
 def _validate_opinion_market_id(message: Mapping[str, Any], build_response: Any) -> None:
+    # The current trading-API Opinion message schema does not embed
+    # opinion_market_id — the signed economic identity is the outcome
+    # tokenId. Validate that against the build response's resolved token.
+    # The legacy opinion_market_id check only applies when the message
+    # actually carries the field (older API versions).
+    expected_token = _first_present(
+        _path(build_response, "resolved", "token_id"),
+        _path(build_response, "resolved", "tokenId"),
+        _value(build_response, "token_id"),
+        _value(build_response, "tokenId"),
+    )
+    actual_token = _first_present(
+        _value(message, "tokenId"),
+        _value(message, "token_id"),
+    )
+    if actual_token is _MISSING:
+        _economic_fail("message.tokenId missing")
+    if expected_token is not _MISSING and _id_value(
+        actual_token, "message.tokenId"
+    ) != _id_value(expected_token, "resolved.token_id"):
+        _economic_fail(f"tokenId expected {expected_token} got {actual_token}")
+
+    actual = _first_present(
+        _value(message, "opinion_market_id"),
+        _value(message, "opinionMarketId"),
+    )
+    if actual is _MISSING:
+        return  # current schema: tokenId-only message
+
     expected = _first_present(
         _path(build_response, "resolved", "opinion_market_id"),
         _path(build_response, "resolved", "opinionMarketId"),
@@ -491,15 +520,6 @@ def _validate_opinion_market_id(message: Mapping[str, Any], build_response: Any)
     if expected is _MISSING:
         _economic_fail("resolved.opinion_market_id missing")
 
-    actual = _first_present(
-        _value(message, "opinion_market_id"),
-        _value(message, "opinionMarketId"),
-        _path(build_response, "params", "opinion_market_id"),
-        _path(build_response, "params", "opinionMarketId"),
-    )
-    if actual is _MISSING:
-        _economic_fail("message.opinion_market_id missing")
-
     if _id_value(actual, "message.opinion_market_id") != _id_value(
         expected,
         "resolved.opinion_market_id",

sdks/python/tests/test_hosted_typeddata.py

@@ -525,10 +525,42 @@ def test_validate_economics_rejects_market_worst_price_outside_domain(pinned: in
         )
 
 
-def test_validate_economics_rejects_opinion_market_id_mismatch() -> None:
+def test_validate_economics_rejects_opinion_token_id_mismatch() -> None:
+    # The signed economic identity on Opinion is the outcome tokenId — a
+    # build response resolving a different token than the message must fail.
+    fixture = _fixture("opinion_buy")
+    response = _replace_path(fixture["build_response"], ("resolved", "token_id"), "7777")
+
+    with pytest.raises(InvalidSignature):
+        validate_economics(
+            route=fixture["route"],
+            build_request=_copy(fixture["build_request"]),
+            build_response=response,
+        )
+
+
+def test_validate_economics_ignores_params_market_id_when_message_has_no_field() -> None:
+    # Current API schema: the signed message carries tokenId only. A
+    # params/resolved opinion_market_id quirk must NOT block the order —
+    # requiring message.opinion_market_id blocked every real Opinion order.
     fixture = _fixture("opinion_buy")
     response = _replace_path(fixture["build_response"], ("params", "opinion_market_id"), 7_777)
 
+    validate_economics(
+        route=fixture["route"],
+        build_request=_copy(fixture["build_request"]),
+        build_response=response,
+    )
+
+
+def test_validate_economics_rejects_legacy_message_market_id_mismatch() -> None:
+    # Legacy schema: when the message DOES carry opinion_market_id it must
+    # still match the build response.
+    fixture = _fixture("opinion_buy")
+    response = _copy(fixture["build_response"])
+    response["typed_data"]["message"]["opinion_market_id"] = 1234
+    response["resolved"]["opinion_market_id"] = 7_777
+
     with pytest.raises(InvalidSignature):
         validate_economics(
             route=fixture["route"],

sdks/typescript/pmxt/hosted-typed-data.ts

@@ -11,7 +11,7 @@
 
 import { InvalidSignature } from "./hosted-errors";
 import { to6dec } from "./hosted-mappers";
-import { TypedData } from "./signers";
+import { TypedData, loadEthers } from "./signers";
 
 // The constants module is updated in a parallel-agent change to add these
 // allowlists. We import them at runtime so we don't hard-fail if the change
@@ -508,24 +508,43 @@ function validateOpinionMarketId(
     message: Record<string, unknown>,
     buildResponse: any,
 ): void {
-    const expected = firstPresent(
+    // The current trading-API Opinion message schema does not embed
+    // opinion_market_id — the signed economic identity is the outcome
+    // tokenId. Validate that against the build response's resolved token.
+    // The legacy opinion_market_id check only applies when the message
+    // actually carries the field (older API versions).
+    const expectedToken = firstPresent(
+        getPath(buildResponse, "resolved", "token_id"),
+        getPath(buildResponse, "resolved", "tokenId"),
+        getField(buildResponse, "token_id"),
+        getField(buildResponse, "tokenId"),
+    );
+    const actualToken = firstPresent(
+        getField(message, "tokenId"),
+        getField(message, "token_id"),
+    );
+    if (actualToken === MISSING) economicFail("message.tokenId missing");
+    if (expectedToken !== MISSING && idValue(actualToken) !== idValue(expectedToken)) {
+        economicFail(`tokenId expected ${expectedToken} got ${actualToken}`);
+    }
+
+    const actualMarketId = firstPresent(
+        getField(message, "opinion_market_id"),
+        getField(message, "opinionMarketId"),
+    );
+    if (actualMarketId === MISSING) return; // current schema: tokenId-only message
+
+    const expectedMarketId = firstPresent(
         getPath(buildResponse, "resolved", "opinion_market_id"),
         getPath(buildResponse, "resolved", "opinionMarketId"),
         getField(buildResponse, "opinion_market_id"),
         getField(buildResponse, "opinionMarketId"),
         getPath(buildResponse, "params", "opinion_market_id"),
         getPath(buildResponse, "params", "opinionMarketId"),
     );
-    if (expected === MISSING) economicFail("resolved.opinion_market_id missing");
-
-    const actual = firstPresent(
-        getField(message, "opinion_market_id"),
-        getField(message, "opinionMarketId"),
-    );
-    if (actual === MISSING) economicFail("message.opinion_market_id missing");
-
-    if (idValue(actual) !== idValue(expected)) {
-        economicFail(`opinion_market_id expected ${expected} got ${actual}`);
+    if (expectedMarketId === MISSING) economicFail("resolved.opinion_market_id missing");
+    if (idValue(actualMarketId) !== idValue(expectedMarketId)) {
+        economicFail(`opinion_market_id expected ${expectedMarketId} got ${actualMarketId}`);
     }
 }
 
@@ -575,12 +594,11 @@ export function verifySignature(
 
     let ethers: any;
     try {
-        // eslint-disable-next-line @typescript-eslint/no-require-imports
-        ethers = require("ethers");
-    } catch {
+        ethers = loadEthers("ethers is required for hosted signature verification");
+    } catch (err) {
         throw new InvalidSignature(
             0,
-            "ethers is required for hosted signature verification",
+            err instanceof Error ? err.message : "ethers is required for hosted signature verification",
         );
     }
 

sdks/typescript/pmxt/signers.ts

@@ -38,6 +38,33 @@ export interface Signer {
 const ETHERS_INSTALL_HINT =
     "hosted trading requires the optional 'ethers' peer dependency. Install with: npm install ethers";
 
+/**
+ * Load ethers lazily in BOTH module systems. The CJS build has native
+ * `require`; the ESM build does not — bare `require("ethers")` there threw
+ * ReferenceError, which callers swallowed, silently dropping the signer and
+ * killing every hosted write with "hosted write requires a signer".
+ */
+export function loadEthers(installHint: string = ETHERS_INSTALL_HINT): any {
+    if (typeof require === "function") {
+        try {
+            // eslint-disable-next-line @typescript-eslint/no-require-imports
+            return require("ethers");
+        } catch {
+            throw new Error(installHint);
+        }
+    }
+    // ESM: synthesize a require. getBuiltinModule is sync-safe in both
+    // module systems (Node >= 20.16).
+    const nodeModule = (globalThis as any).process?.getBuiltinModule?.("node:module");
+    const req = nodeModule?.createRequire?.(`${process.cwd()}/__pmxt_resolver__.js`);
+    if (!req) throw new Error(installHint);
+    try {
+        return req("ethers");
+    } catch {
+        throw new Error(installHint);
+    }
+}
+
 /**
  * Built-in signer backed by an ethers `Wallet`.
  *
@@ -49,13 +76,7 @@ export class EthersSigner implements Signer {
     readonly address: string;
 
     constructor(privateKey: string) {
-        let ethers: any;
-        try {
-            // eslint-disable-next-line @typescript-eslint/no-require-imports
-            ethers = require("ethers");
-        } catch {
-            throw new Error(ETHERS_INSTALL_HINT);
-        }
+        const ethers = loadEthers();
         this._wallet = new ethers.Wallet(privateKey);
         this.address = this._wallet.address;
     }