@incodetech/core 2.0.1-rc.0 → 2.1.0-rc.0

package/dist/{setup-C5AITV8m.d.ts → setup-BbkprdVv.d.ts}

@@ -1,4 +1,4 @@
-import { n as WasmPipeline } from "./warmup-CEcppFiS.js";
+import { n as WasmPipeline } from "./warmup-Dg8Lh-50.js";
 
 //#region src/setup.d.ts
 
@@ -6,6 +6,17 @@ import { n as WasmPipeline } from "./warmup-CEcppFiS.js";
  * WASM warmup configuration. Path fields are optional; omitted values resolve to the Incode CDN defaults.
  */
 type WasmConfig = {
+  /**
+   * Self-hosted WASM root directory. Resolves standard ml-wasm-kit filenames
+   * under this path (`webLib.wasm`, `webLib.js`, `models/`, etc.). Pin a
+   * specific version folder when self-hosting so SDK updates do not change
+   * which binaries your app loads until you update this path.
+   *
+   * Example: `https://my-cdn.example.com/ml-wasm-kit-release/v2.13.21`
+   *
+   * Individual path fields override values derived from `basePath`.
+   */
+  basePath?: string;
   /** Path to the WASM binary */
   wasmPath?: string;
   /** Path to the SIMD-optimized WASM binary (optional) */
@@ -92,6 +103,18 @@ type SetupOptions = {
    * handshake at `setup()`. Coordinate with your Incode account team before
    * flipping this on.
    *
+   * **API key transmission.** E2EE requests must identify the tenant in one
+   * of two ways:
+   * - Append `/0` to the `apiURL` (e.g. `https://<e2ee-host>/0`) — the
+   *   trailing `/0` instructs the server to derive the API key from the
+   *   session JWT. Use this whenever a session token is in play.
+   * - Pass `customHeaders: { 'x-api-key': '<api key>' }` — required when
+   *   the `apiURL` does not include `/0` (sessionless setup, or any flow
+   *   that supplies the API key in the header instead of via JWT).
+   *
+   * Without one of these the server cannot identify the tenant and
+   * post-handshake requests fail.
+   *
    * Accepts:
    * - `true` → enabled with the default OAEP MGF1 hash (`'sha1'`).
    * - `false` (or omitted) → disabled.
@@ -122,6 +145,15 @@ type SetupOptions = {
   encryption?: boolean | EncryptionOptions;
   /** Optional hosting app identifier for fingerprint tracking */
   hostingApp?: string;
+  /**
+   * Disables the third-party public-IP lookup (`api.ipify.org`) used to
+   * enrich fingerprint and deepsight payloads. When `false`, the SDK uses
+   * an empty IP string and never hits ipify.
+   *
+   * OR'd with the server-side `DISABLE_IPIFY` feature flag. Default: `true`
+   * (lookup enabled).
+   */
+  ipLookup?: boolean;
 };
 /**
  * Initializes the SDK with the provided configuration.
@@ -165,13 +197,12 @@ type SetupOptions = {
  * });
  * ```
  *
- * @example Self-hosted / custom version (full or partial path overrides)
+ * @example Self-hosted WASM (pin a version folder on your CDN)
  * ```ts
  * await setup({
  *   apiURL: 'https://api.incode.com',
  *   wasm: {
- *     wasmPath: '/my-cdn/webLib.wasm',
- *     glueCodePath: '/my-cdn/webLib.js',
+ *     basePath: 'https://my-cdn.example.com/ml-wasm-kit-release/v2.13.21',
  *   },
  * });
  * ```
@@ -197,16 +228,36 @@ type SetupOptions = {
  *
  * @example Enable end-to-end encryption at boot (defaults to MGF1 = SHA-1)
  * ```ts
- * await setup({ apiURL: 'https://api.incode.com', encryption: true });
+ * // `/0` lets the server read the API key from the session JWT.
+ * await setup({
+ *   apiURL: 'https://your-e2ee-api.incodesmile.com/0',
+ *   encryption: true,
+ * });
  * ```
  *
  * @example Enable encryption with the SHA-256 MGF1 padding
  * ```ts
  * await setup({
- *   apiURL: 'https://api.incode.com',
+ *   apiURL: 'https://your-e2ee-api.incodesmile.com/0',
  *   encryption: { mgf1: 'sha256' },
  * });
  * ```
+ *
+ * @example E2EE without the `/0` suffix — pass the API key explicitly
+ * ```ts
+ * await setup({
+ *   apiURL: 'https://your-e2ee-api.incodesmile.com',
+ *   encryption: true,
+ *   customHeaders: { 'x-api-key': process.env.INCODE_API_KEY },
+ * });
+ * ```
+ * @example Disable third-party IP lookup
+ * ```ts
+ * await setup({
+ *   apiURL: 'https://api.incode.com',
+ *   ipLookup: false,
+ * });
+ * ```
  */
 declare function setup(options: SetupOptions): Promise<void>;
 /**

package/dist/{setup-DsM8IG7k.esm.js → setup-BqEfrdja.esm.js}

@@ -1,15 +1,15 @@
-import { a as executeWasmRequest, c as setupWasmConnection, i as WasmWebClientError, n as warmupWasm, o as initializeWasmWebClient, s as setWebApiHttpTransport } from "./BaseWasmProvider-C_DLEI40.esm.js";
-import { t as WasmUtilProvider } from "./WasmUtilProvider-j98OJf-S.esm.js";
+import { a as WasmWebClientError, c as setWebApiHttpTransport, f as deriveSiblingJsPath, l as setupWasmConnection, o as executeWasmRequest, r as warmupWasm, s as initializeWasmWebClient, t as WasmUtilProvider } from "./WasmUtilProvider-CiEN7Gjn.esm.js";
 import { t as BrowserTimerProvider } from "./BrowserTimerProvider-DhNc_x02.esm.js";
 import { a as resetApi, i as isApiConfigured, n as getApi, o as setClient, r as getToken, t as api } from "./api-CESGtpbH.esm.js";
-import { _ as resetAnalyticsBatcher, g as getAnalyticsBatcher, m as createAnalyticsBatchingService, v as setAnalyticsBatcher } from "./events-D6-e4vok.esm.js";
-import { t as endpoints } from "./endpoints-CnN3SyDa.esm.js";
-import { i as resetSessionInit, r as initializeSession } from "./session-CGtQJJzB.esm.js";
+import { _ as resetAnalyticsBatcher, g as getAnalyticsBatcher, m as createAnalyticsBatchingService, v as setAnalyticsBatcher } from "./events-Dvvriq9l.esm.js";
+import { t as endpoints } from "./endpoints-BeTK0Mlt.esm.js";
+import { r as resetDeviceStatsQueue, t as addDeviceStats } from "./stats-BMNUG1AU.esm.js";
+import { a as setClientIpLookupEnabled, i as resetSessionInit, r as initializeSession } from "./sessionInitializer-B8H5MsXM.esm.js";
 
 //#region ../infra/src/wasm/wasmDefaults.ts
 const WASM_CDN_BASE_URL = "https://cdn.incodesmile.com/ml-wasm-kit-release";
 /** The WASM version bundled and tested with this SDK release. */
-const DEFAULT_WASM_VERSION = "v2.13.21";
+const DEFAULT_WASM_VERSION = "v2.14.07-post7";
 const PATH_KEYS = [
 	"wasmPath",
 	"wasmSimdPath",
@@ -74,9 +74,9 @@ function pickPath(key, overrides, defaultValue) {
 	}
 	return raw.trim();
 }
-/** Builds the standard WarmupConfig from the Incode CDN. */
-function buildDefaultWasmConfig() {
-	const base = `${WASM_CDN_BASE_URL}/${DEFAULT_WASM_VERSION}`;
+/** Builds a WarmupConfig from a directory that mirrors the ml-wasm-kit CDN layout. */
+function buildWasmConfigFromBasePath(basePath) {
+	const base = basePath.endsWith("/") ? basePath.slice(0, -1) : basePath;
 	return {
 		wasmPath: `${base}/webLib.wasm`,
 		wasmSimdPath: `${base}/webLibSimd.wasm`,
@@ -85,21 +85,17 @@ function buildDefaultWasmConfig() {
 		modelsBasePath: `${base}/models`
 	};
 }
-/**
-* Derives a sibling `.js` glue path from a `.wasm` binary path. Used when the
-* caller supplies `wasmSimdPath` but no explicit `glueCodeSimdPath`, mirroring
-* the legacy CDN naming convention (`webLibSimd.wasm` <-> `webLibSimd.js`).
-*/
-function deriveSiblingJsPath(wasmPath) {
-	return wasmPath.replace(/\.wasm($|\?)/, ".js$1");
+/** Builds the standard WarmupConfig from the Incode CDN. */
+function buildDefaultWasmConfig() {
+	return buildWasmConfigFromBasePath(`${WASM_CDN_BASE_URL}/${DEFAULT_WASM_VERSION}`);
 }
 /**
 * Merges optional WASM path overrides with CDN defaults. Explicit non-blank
 * paths take precedence. Blank override strings log a warning and fall back to defaults.
 */
 function resolveWasmConfig(overrides) {
-	const defaults = buildDefaultWasmConfig();
-	if (!overrides) return defaults;
+	if (!overrides) return buildDefaultWasmConfig();
+	const defaults = buildWasmConfigFromBasePath(pickPath("basePath", overrides, `${WASM_CDN_BASE_URL}/${DEFAULT_WASM_VERSION}`));
 	const simdDefault = defaults.wasmSimdPath ?? defaults.wasmPath;
 	const modelsDefault = defaults.modelsBasePath ?? (() => {
 		const lastSlash = defaults.wasmPath.lastIndexOf("/");
@@ -670,9 +666,127 @@ async function withHandshakeFailureContext(wantsEncryption, fn) {
 	}
 }
 
+//#endregion
+//#region ../infra/src/providers/browser/DevtoolsDetectorProvider.ts
+var DevtoolsDetectorProvider = class {
+	constructor() {
+		this.detectorPaused = true;
+		this.isDevtoolsOpen = false;
+	}
+	start(options) {
+		if (!this.canUseDevtoolsDetector() || this.heart) return;
+		this.startDetector({
+			pollingIntervalSeconds: .25,
+			maxMillisBeforeAckWhenClosed: 100,
+			moreAnnoyingDebuggerStatements: 1,
+			onDetectOpen: options.onInspectorOpened,
+			onDetectClose: void 0,
+			startup: "asap"
+		});
+	}
+	stop() {
+		this.clearNextPulse();
+		this.resolveVerdict?.(null);
+		this.resolveVerdict = void 0;
+		this.heart?.terminate();
+		this.heart = void 0;
+		this.detectorPaused = true;
+		this.isDevtoolsOpen = false;
+	}
+	canUseDevtoolsDetector() {
+		return typeof globalThis !== "undefined" && typeof Worker !== "undefined" && typeof URL !== "undefined" && typeof URL.createObjectURL === "function" && typeof Blob !== "undefined";
+	}
+	createDetectorWorker() {
+		return new Worker(URL.createObjectURL(new Blob([`"use strict";
+onmessage = (ev) => { postMessage({isOpenBeat:true});
+  debugger; for (let i = 0; i < ev.data.moreDebugs; i++) { debugger; }
+  postMessage({isOpenBeat:false});
+};`], { type: "text/javascript" })));
+	}
+	clearNextPulse() {
+		if (this.nextPulseTimeout !== void 0) {
+			clearTimeout(this.nextPulseTimeout);
+			this.nextPulseTimeout = void 0;
+		}
+	}
+	doOnePulse(moreDebugs) {
+		this.heart?.postMessage({ moreDebugs });
+	}
+	startDetector(config) {
+		this.heart = this.createDetectorWorker();
+		const onHeartMsg = (msg) => {
+			if (msg.data.isOpenBeat) new Promise((resolve) => {
+				this.resolveVerdict = resolve;
+				setTimeout(() => {
+					this.resolveVerdict?.(true);
+				}, config.maxMillisBeforeAckWhenClosed + 1);
+			}).then((verdict) => {
+				if (verdict === null) return;
+				if (verdict !== this.isDevtoolsOpen) {
+					this.isDevtoolsOpen = verdict;
+					if (verdict) config.onDetectOpen();
+					else if (config.onDetectClose) config.onDetectClose();
+				}
+				this.clearNextPulse();
+				this.nextPulseTimeout = setTimeout(() => {
+					this.nextPulseTimeout = void 0;
+					this.doOnePulse(config.moreAnnoyingDebuggerStatements);
+				}, config.pollingIntervalSeconds * 1e3);
+			});
+			else this.resolveVerdict?.(false);
+		};
+		this.heart.addEventListener("message", onHeartMsg);
+		const resume = () => {
+			if (!this.detectorPaused) return;
+			this.detectorPaused = false;
+			this.doOnePulse(config.moreAnnoyingDebuggerStatements);
+		};
+		switch (config.startup) {
+			case "manual": break;
+			case "asap":
+				resume();
+				break;
+			case "domContentLoaded":
+				if (typeof document !== "undefined" && document.readyState !== "loading") resume();
+				else if (typeof document !== "undefined") document.addEventListener("DOMContentLoaded", resume, { once: true });
+				break;
+		}
+	}
+};
+
+//#endregion
+//#region src/internal/device/devtoolsDetectorBridge.ts
+const devtoolsDetector = new DevtoolsDetectorProvider();
+async function reportInspectorOpened() {
+	try {
+		(await WasmUtilProvider.getInstance()).setInspectorOpened(true);
+	} catch {
+		return;
+	}
+	addDeviceStats({ inspectorOpened: true });
+}
+/**
+* Starts the devtools inspector detector (ported from legacy welcome `setupFiles`).
+*/
+function startDevtoolsDetector() {
+	devtoolsDetector.start({ onInspectorOpened: () => {
+		reportInspectorOpened();
+	} });
+}
+/**
+* Stops the devtools detector. Invoked from {@link reset}.
+*/
+function stopDevtoolsDetector() {
+	devtoolsDetector.stop();
+}
+
 //#endregion
 //#region src/setup.ts
 let wasmConfig;
+/**
+* Legacy Java backend default for OAEP MGF1 padding compatibility.
+* Most existing Incode E2EE environments expect this.
+*/
 const DEFAULT_MGF1 = "sha1";
 /**
 * Normalizes the public `encryption` option into the internal shape used by
@@ -738,13 +852,12 @@ let configured = false;
 * });
 * ```
 *
-* @example Self-hosted / custom version (full or partial path overrides)
+* @example Self-hosted WASM (pin a version folder on your CDN)
 * ```ts
 * await setup({
 *   apiURL: 'https://api.incode.com',
 *   wasm: {
-*     wasmPath: '/my-cdn/webLib.wasm',
-*     glueCodePath: '/my-cdn/webLib.js',
+*     basePath: 'https://my-cdn.example.com/ml-wasm-kit-release/v2.13.21',
 *   },
 * });
 * ```
@@ -770,18 +883,39 @@ let configured = false;
 *
 * @example Enable end-to-end encryption at boot (defaults to MGF1 = SHA-1)
 * ```ts
-* await setup({ apiURL: 'https://api.incode.com', encryption: true });
+* // `/0` lets the server read the API key from the session JWT.
+* await setup({
+*   apiURL: 'https://your-e2ee-api.incodesmile.com/0',
+*   encryption: true,
+* });
 * ```
 *
 * @example Enable encryption with the SHA-256 MGF1 padding
 * ```ts
 * await setup({
-*   apiURL: 'https://api.incode.com',
+*   apiURL: 'https://your-e2ee-api.incodesmile.com/0',
 *   encryption: { mgf1: 'sha256' },
 * });
 * ```
+*
+* @example E2EE without the `/0` suffix — pass the API key explicitly
+* ```ts
+* await setup({
+*   apiURL: 'https://your-e2ee-api.incodesmile.com',
+*   encryption: true,
+*   customHeaders: { 'x-api-key': process.env.INCODE_API_KEY },
+* });
+* ```
+* @example Disable third-party IP lookup
+* ```ts
+* await setup({
+*   apiURL: 'https://api.incode.com',
+*   ipLookup: false,
+* });
+* ```
 */
 async function setup(options) {
+	if (options.ipLookup !== void 0) setClientIpLookupEnabled(options.ipLookup);
 	if (!getAnalyticsBatcher()) setAnalyticsBatcher(createAnalyticsBatchingService({
 		endpoint: endpoints.events,
 		authToken: () => getToken(),
@@ -815,6 +949,7 @@ async function setup(options) {
 			...effectiveWasm,
 			pipelines: effectiveWasm.pipelines ? [...effectiveWasm.pipelines] : void 0
 		});
+		startDevtoolsDetector();
 	}
 }
 /**
@@ -874,8 +1009,11 @@ function isConfigured() {
 * Resets the SDK configuration. Useful for testing.
 */
 function reset() {
+	stopDevtoolsDetector();
+	resetDeviceStatsQueue();
 	resetApi();
 	resetSessionInit();
+	setClientIpLookupEnabled(true);
 	resetAnalyticsBatcher();
 	resetHttpClientState();
 	configured = false;
@@ -884,4 +1022,4 @@ function reset() {
 }
 
 //#endregion
-export { setup as a, buildDefaultWasmConfig as c, setWasmConfig as i, resolveWasmConfig as l, isConfigured as n, upgradeToWasmHttpClient$1 as o, reset as r, DEFAULT_WASM_VERSION as s, initializeWasmUtil as t };
+export { setup as a, buildDefaultWasmConfig as c, setWasmConfig as i, buildWasmConfigFromBasePath as l, isConfigured as n, upgradeToWasmHttpClient$1 as o, reset as r, DEFAULT_WASM_VERSION as s, initializeWasmUtil as t, resolveWasmConfig as u };

package/dist/signature.d.ts

@@ -1,5 +1,5 @@
-import { t as Manager } from "./Manager-C8PrhBOx.js";
-import "./Actor-CI32dTbG.js";
+import { t as Manager } from "./Manager-BHn8wH8K.js";
+import "./Actor-Y0_Fj-KL.js";
 
 //#region src/modules/signature/types.d.ts
 /**

package/dist/signature.esm.js

@@ -1,8 +1,8 @@
 import "./api-CESGtpbH.esm.js";
-import { n as eventModuleNames, o as createManagerInstrumentation } from "./events-D6-e4vok.esm.js";
-import "./endpoints-CnN3SyDa.esm.js";
-import { c as createManager, s as createActor } from "./xstate.esm-B70JrNqo.esm.js";
-import { t as signatureMachine } from "./signatureStateMachine-B5-QVUve.esm.js";
+import { n as eventModuleNames, o as createManagerInstrumentation } from "./events-Dvvriq9l.esm.js";
+import "./endpoints-BeTK0Mlt.esm.js";
+import { c as createManager, s as createActor } from "./xstate.esm-C9wncMQa.esm.js";
+import { t as signatureMachine } from "./signatureStateMachine-C5qqYLRz.esm.js";
 
 //#region src/modules/signature/signatureActor.ts
 function createSignatureActor(options) {

package/dist/{signatureStateMachine-B5-QVUve.esm.js → signatureStateMachine-C5qqYLRz.esm.js}

@@ -1,7 +1,7 @@
 import { t as api } from "./api-CESGtpbH.esm.js";
-import { h as addEvent, n as eventModuleNames, r as eventScreenNames } from "./events-D6-e4vok.esm.js";
-import { t as endpoints } from "./endpoints-CnN3SyDa.esm.js";
-import { a as fromPromise, r as assign, t as setup } from "./xstate.esm-B70JrNqo.esm.js";
+import { h as addEvent, n as eventModuleNames, r as eventScreenNames } from "./events-Dvvriq9l.esm.js";
+import { t as endpoints } from "./endpoints-BeTK0Mlt.esm.js";
+import { a as fromPromise, r as assign, t as setup } from "./xstate.esm-C9wncMQa.esm.js";
 
 //#region src/modules/signature/signatureServices.ts
 /**

package/dist/stats-BMNUG1AU.esm.js

@@ -0,0 +1,41 @@
+import { r as getToken, t as api } from "./api-CESGtpbH.esm.js";
+import { t as endpoints } from "./endpoints-BeTK0Mlt.esm.js";
+
+//#region src/modules/stats/statsServices.ts
+const deviceStatsQueue = [];
+async function postDeviceStatsNow(stats) {
+	try {
+		await api.post(endpoints.deviceStats, stats);
+	} catch {
+		return;
+	}
+}
+/**
+* Sends device stats to the backend. Queues payloads until a session token is set
+* and {@link flushDeviceStatsQueue} runs after fingerprint submission.
+*/
+async function addDeviceStats(stats) {
+	if (!getToken()) {
+		deviceStatsQueue.push(stats);
+		return;
+	}
+	await postDeviceStatsNow(stats);
+}
+/**
+* Flushes stats queued before the session token was available. Call after device
+* fingerprint submission succeeds (legacy `emptyDeviceStatsQueue` parity).
+*/
+function flushDeviceStatsQueue() {
+	if (!getToken()) return;
+	const queued = deviceStatsQueue.splice(0);
+	for (const stats of queued) postDeviceStatsNow(stats);
+}
+/**
+* Clears the pre-session queue. For testing only.
+*/
+function resetDeviceStatsQueue() {
+	deviceStatsQueue.length = 0;
+}
+
+//#endregion
+export { flushDeviceStatsQueue as n, resetDeviceStatsQueue as r, addDeviceStats as t };

package/dist/stats.d.ts

@@ -1,6 +1,7 @@
 //#region src/modules/stats/statsServices.d.ts
 type LabelInspectionStatus = 'FAIL' | 'PASS';
 type DeviceStats = {
+  inspectorOpened?: boolean;
   cameraLabelInspectionStatus?: LabelInspectionStatus;
   virtualCameraDetected?: boolean;
   frontIdStatsAnalysisStatus?: string;
@@ -9,8 +10,18 @@ type DeviceStats = {
   motionStatus?: string;
 };
 /**
- * Sends device stats to the backend.
+ * Sends device stats to the backend. Queues payloads until a session token is set
+ * and {@link flushDeviceStatsQueue} runs after fingerprint submission.
  */
 declare function addDeviceStats(stats: DeviceStats): Promise<void>;
+/**
+ * Flushes stats queued before the session token was available. Call after device
+ * fingerprint submission succeeds (legacy `emptyDeviceStatsQueue` parity).
+ */
+declare function flushDeviceStatsQueue(): void;
+/**
+ * Clears the pre-session queue. For testing only.
+ */
+declare function resetDeviceStatsQueue(): void;
 //#endregion
-export { type DeviceStats, type LabelInspectionStatus, addDeviceStats };
+export { type DeviceStats, type LabelInspectionStatus, addDeviceStats, flushDeviceStatsQueue, resetDeviceStatsQueue };

package/dist/stats.esm.js

@@ -1,4 +1,5 @@
 import "./api-CESGtpbH.esm.js";
-import { t as addDeviceStats } from "./stats-CIfiPzb1.esm.js";
+import "./endpoints-BeTK0Mlt.esm.js";
+import { n as flushDeviceStatsQueue, r as resetDeviceStatsQueue, t as addDeviceStats } from "./stats-BMNUG1AU.esm.js";
 
-export { addDeviceStats };
+export { addDeviceStats, flushDeviceStatsQueue, resetDeviceStatsQueue };

package/dist/trust-graph.d.ts

@@ -1,4 +1,5 @@
-import { t as Manager } from "./Manager-C8PrhBOx.js";
+import { t as Manager } from "./Manager-BHn8wH8K.js";
+import * as xstate585 from "xstate";
 
 //#region src/modules/trust-graph/trustGraphManager.d.ts
 type TrustGraphIdleState = {
@@ -31,15 +32,43 @@ type TrustGraphState = TrustGraphIdleState | TrustGraphFinishedState;
  */
 declare function createTrustGraphManager(): Manager<TrustGraphState> & {
   /**
-   * Kicks off the trust-graph module.
-   * Transitions immediately from 'idle' to 'finished' (backend-only, no SDK action).
+   * Retained for API compatibility. Trust-graph is a headless skip module
+   * whose machine starts in `finished` (backend-only, no SDK action), so there
+   * is nothing to kick off and calling this has no effect.
+   *
+   * @deprecated The module completes on its own as soon as the manager is
+   * created; reading `getState()` / subscribing is sufficient.
    */
   load(): void;
 };
 type TrustGraphManager = ReturnType<typeof createTrustGraphManager>;
 //#endregion
 //#region src/modules/trust-graph/trustGraphStateMachine.d.ts
-declare const trustGraphMachine: any;
+type TrustGraphContext = Record<string, never>;
+/**
+ * Trust-graph is a headless "skip" module: it has no UI and the SDK performs no
+ * client-side action. The backend runs the analysis from session data already
+ * collected, so the machine must reach its `final` state as soon as it starts.
+ *
+ * The flow orchestrator invokes this machine via `runChildModule` and advances
+ * the flow only when the invoked machine *completes* (reaches a top-level
+ * `final` state) — it never sends a kickoff event. A machine that waited for an
+ * external event (e.g. `LOAD`) would therefore never complete inside a flow,
+ * leaving an empty shell on screen and the session permanently incomplete.
+ *
+ * Mirror the `noOpFlowModuleMachine` / `identitySearchMachine` headless pattern:
+ * start directly in the `final` state.
+ */
+declare const trustGraphMachine: xstate585.StateMachine<TrustGraphContext, xstate585.AnyEventObject, {}, never, never, never, never, "finished", string, xstate585.NonReducibleUnknown, xstate585.NonReducibleUnknown, xstate585.EventObject, xstate585.MetaObject, {
+  readonly id: "trust-graph";
+  readonly initial: "finished";
+  readonly context: {};
+  readonly states: {
+    readonly finished: {
+      readonly type: "final";
+    };
+  };
+}>;
 //#endregion
 //#region src/modules/trust-graph/types.d.ts
 /**

package/dist/trust-graph.esm.js

@@ -1,19 +1,27 @@
 import "./api-CESGtpbH.esm.js";
-import { n as eventModuleNames, o as createManagerInstrumentation } from "./events-D6-e4vok.esm.js";
-import { c as createManager, s as createActor, t as setup } from "./xstate.esm-B70JrNqo.esm.js";
+import { n as eventModuleNames, o as createManagerInstrumentation } from "./events-Dvvriq9l.esm.js";
+import { c as createManager, s as createActor, t as setup } from "./xstate.esm-C9wncMQa.esm.js";
 
 //#region src/modules/trust-graph/trustGraphStateMachine.ts
-const trustGraphMachine = setup({ types: {
-	context: {},
-	events: {}
-} }).createMachine({
+/**
+* Trust-graph is a headless "skip" module: it has no UI and the SDK performs no
+* client-side action. The backend runs the analysis from session data already
+* collected, so the machine must reach its `final` state as soon as it starts.
+*
+* The flow orchestrator invokes this machine via `runChildModule` and advances
+* the flow only when the invoked machine *completes* (reaches a top-level
+* `final` state) — it never sends a kickoff event. A machine that waited for an
+* external event (e.g. `LOAD`) would therefore never complete inside a flow,
+* leaving an empty shell on screen and the session permanently incomplete.
+*
+* Mirror the `noOpFlowModuleMachine` / `identitySearchMachine` headless pattern:
+* start directly in the `final` state.
+*/
+const trustGraphMachine = setup({ types: { context: {} } }).createMachine({
 	id: "trust-graph",
-	initial: "idle",
+	initial: "finished",
 	context: {},
-	states: {
-		idle: { on: { LOAD: { target: "finished" } } },
-		finished: { type: "final" }
-	}
+	states: { finished: { type: "final" } }
 });
 
 //#endregion
@@ -28,10 +36,8 @@ function mapState(snapshot) {
 	if (snapshot.matches("finished")) return { status: "finished" };
 	return { status: "idle" };
 }
-function createApi({ actor }) {
-	return { load() {
-		actor.send({ type: "LOAD" });
-	} };
+function createApi(_options) {
+	return { load() {} };
 }
 /**
 * Creates a trust-graph manager for headless usage.

package/dist/{types-CFV9G_7j.d.ts → types-Bj9hdFjU.d.ts}

@@ -1,4 +1,4 @@
-import { t as CameraStream } from "./camera-DBSxa6ML.js";
+import { t as CameraStream } from "./camera-SRBpPq2X.js";
 
 //#region src/modules/document-upload/types.d.ts
 

package/dist/{types-BP1m8VRw.d.ts → types-DOUhndhT.d.ts}

@@ -1,4 +1,5 @@
-import { t as DocumentUploadConfig } from "./types-CFV9G_7j.js";
+import { t as DocumentUploadConfig } from "./types-Bj9hdFjU.js";
+import { s as RiskAddon } from "./types-DvGZI7BF.js";
 
 //#region src/modules/flow/types.d.ts
 type EmptyConfig = Record<string, never>;
@@ -25,6 +26,16 @@ type TutorialIdConfig = {
   usSmartCapture: boolean;
   showCaptureButtonInAuto?: boolean;
   alwaysCaptureBackOfId?: boolean;
+  /**
+   * [ENG-44176] When `false`, the SDK forwards `extractIdFace=false` to
+   * `POST /omni/add/front-id/v2` (and to the manual-upload + digital-upload
+   * variants), so the backend skips biometric face extraction and no
+   * biometric template is created. Omitted / `true` preserves current
+   * behavior. Use in jurisdictions with biometric-consent restrictions
+   * (e.g. Quebec / Law 25); downstream face-match will not be available
+   * for the resulting session.
+   */
+  extractIdFace?: boolean;
   perCountryPerDocOverrides: Record<string, Record<string, {
     onlyFront: boolean;
     onlyBack: boolean;
@@ -91,7 +102,7 @@ type FlowModuleConfig = {
     uniqueBeneficialOwnerSource: 'userInput';
   };
   EXTERNAL_VERIFICATION: {
-    source: 'US_DRIVERS_LICENSE_1' | 'US_TELCO_1' | 'US_TELCO_2' | 'US_CONSUMER_1' | 'US_CREDIT_BUREAU_1' | 'MX_CONSUMER_1' | 'BR_GOVT_1' | 'CA_RES_CREDIT' | 'UK_CREDIT_BUREAU_1' | 'ES_1' | 'CL_1' | 'AR_1' | 'GR_1' | 'GT_1' | 'BR_CPF_1';
+    source: 'US_DRIVERS_LICENSE_1' | 'US_TELCO_1' | 'US_TELCO_2' | 'US_CONSUMER_1' | 'US_CREDIT_BUREAU_1' | 'MX_CONSUMER_1' | 'BR_GOVT_1' | 'CA_RES_CREDIT' | 'UK_CREDIT_BUREAU_1' | 'ES_1' | 'CL_1' | 'AR_1' | 'GR_1' | 'GT_1' | 'BR_CPF_1' | 'RISK_ADDONS_ONLY';
     checkName: boolean;
     nameSource: 'userInput' | 'document' | 'poa' | 'phoneModuleInput' | 'emailModuleInput';
     checkEmail: boolean;
@@ -120,6 +131,7 @@ type FlowModuleConfig = {
     idNum1Source: 'userInput' | 'document' | 'poa' | 'phoneModuleInput' | 'emailModuleInput';
     checkGender: boolean;
     genderSource: 'userInput' | 'document' | 'poa' | 'phoneModuleInput' | 'emailModuleInput';
+    riskAddons?: RiskAddon[];
   };
   EMAIL: {
     otpVerification: boolean;