@insureco/bio 0.3.0 → 0.5.0

package/dist/index.d.ts

@@ -1,267 +1,6 @@
-/** Configuration for BioAuth (OAuth flow client) */
-interface BioAuthConfig {
-    /** OAuth client ID (env: BIO_CLIENT_ID) */
-    clientId: string;
-    /** OAuth client secret (env: BIO_CLIENT_SECRET) */
-    clientSecret: string;
-    /** Bio-ID issuer URL (env: BIO_ID_URL, default: https://bio.tawa.pro) */
-    issuer?: string;
-    /** Number of retry attempts on transient failures (default: 2) */
-    retries?: number;
-    /** Request timeout in milliseconds (default: 10000) */
-    timeoutMs?: number;
-}
-/** Configuration for BioAdmin (admin API client) */
-interface BioAdminConfig {
-    /** Bio-ID base URL (env: BIO_ID_URL, default: https://bio.tawa.pro) */
-    baseUrl?: string;
-    /** Internal API key for service-to-service auth (env: INTERNAL_API_KEY) */
-    internalKey?: string;
-    /** Async function returning a Bearer token (alternative to internalKey) */
-    accessTokenFn?: () => Promise<string>;
-    /** Number of retry attempts on transient failures (default: 2) */
-    retries?: number;
-    /** Request timeout in milliseconds (default: 10000) */
-    timeoutMs?: number;
-}
-/** Options for building an authorization URL */
-interface AuthorizeOptions {
-    /** Callback URL where Bio-ID redirects after authorization */
-    redirectUri: string;
-    /** OAuth scopes to request (default: ['openid', 'profile', 'email']) */
-    scopes?: string[];
-    /** CSRF state parameter (auto-generated if not provided) */
-    state?: string;
-    /** Optional org slug to pre-select during authorization (for multi-org users) */
-    organization?: string;
-}
-/** Result from getAuthorizationUrl() */
-interface AuthorizeResult {
-    /** Full authorization URL to redirect the user to */
-    url: string;
-    /** State parameter (for CSRF validation on callback) */
-    state: string;
-    /** PKCE code verifier (store securely, send during token exchange) */
-    codeVerifier: string;
-    /** PKCE code challenge (included in the URL) */
-    codeChallenge: string;
-}
-/** Response from the /api/oauth/token endpoint */
-interface TokenResponse {
-    access_token: string;
-    token_type: 'Bearer';
-    expires_in: number;
-    refresh_token?: string;
-    scope: string;
-    id_token?: string;
-}
-/** Response from the /api/auth/introspect endpoint */
-interface IntrospectResult {
-    active: boolean;
-    user?: {
-        id: string;
-        email: string;
-        name: string;
-        org: string;
-        roles: string[];
-    };
-    tokenType?: 'client_credentials';
-    clientId?: string;
-    scopes?: string[];
-    orgId?: string;
-    orgSlug?: string;
-    organizationName?: string;
-}
-/** Decoded access token payload (user auth) */
-interface BioTokenPayload {
-    iss: string;
-    sub: string;
-    aud: string;
-    exp: number;
-    iat: number;
-    bioId: string;
-    email: string;
-    name: string;
-    userType: string;
-    roles: string[];
-    permissions: string[];
-    orgId?: string;
-    orgSlug?: string;
-    /** Org-specific role slugs within the user's active org (from OrgMembership) */
-    orgRoles?: string[];
-    /** Job title at the active org (from OrgMembership.jobTitle) */
-    orgTitle?: string;
-    /** Additional modules granted by the org specifically (from OrgMembership.enabled_modules) */
-    orgModules?: string[];
-    client_id: string;
-    scope: string;
-    enabled_modules?: string[];
-    onboarding?: {
-        platform: boolean;
-        modules: Record<string, {
-            completed: string[];
-            due: string[];
-        }>;
-    };
-}
-/** Decoded client credentials token payload (service-to-service) */
-interface BioClientTokenPayload {
-    iss: string;
-    exp: number;
-    iat: number;
-    client_id: string;
-    scope: string;
-    token_type: 'client_credentials';
-    orgId?: string;
-    orgSlug?: string;
-}
-/** Options for local JWT verification (HS256) */
-interface VerifyOptions {
-    /** Expected issuer (default: config issuer) */
-    issuer?: string;
-    /** Expected audience (client_id) */
-    audience?: string;
-}
-/** Options for JWKS-based JWT verification (RS256) */
-interface JWKSVerifyOptions {
-    /** JWKS endpoint URL (default: https://bio.tawa.pro/.well-known/jwks.json) */
-    jwksUri?: string;
-    /** Expected issuer — defaults to accepting bio.insureco.io, bio.tawa.insureco.io, and bio.tawa.pro */
-    issuer?: string;
-    /** Expected audience (client_id) */
-    audience?: string;
-}
-/** User profile from /api/oauth/userinfo or admin API */
-interface BioUser {
-    sub: string;
-    bioId: string;
-    email: string;
-    emailVerified: boolean;
-    name: string;
-    firstName?: string;
-    lastName?: string;
-    userType: string;
-    roles: string[];
-    permissions: string[];
-    status: string;
-    orgId?: string;
-    orgSlug?: string;
-    organizationId?: string;
-    organizationName?: string;
-    departmentId?: string;
-    departmentName?: string;
-    managerId?: string;
-    enabledModules?: string[];
-    jobTitle?: string;
-    phoneHome?: string;
-    phoneWork?: string;
-    phoneCell?: string;
-    phone?: string;
-    addressHome?: BioAddress;
-    addressWork?: BioAddress;
-    messaging?: BioMessaging;
-    preferences?: Record<string, unknown>;
-    lastLoginAt?: number;
-}
-interface BioAddress {
-    street?: string;
-    city?: string;
-    state?: string;
-    zip?: string;
-    country?: string;
-}
-interface BioMessaging {
-    slack?: string;
-    teams?: string;
-    skype?: string;
-    whatsapp?: string;
-}
-/** Filters for listing users */
-interface UserFilters {
-    search?: string;
-    status?: string;
-    userType?: string;
-    organizationId?: string;
-    page?: number;
-    limit?: number;
-}
-/** Data for updating a user */
-interface UpdateUserData {
-    firstName?: string;
-    lastName?: string;
-    displayName?: string;
-    roles?: string[];
-    status?: string;
-    userType?: string;
-    departmentId?: string;
-    jobTitle?: string;
-    permissions?: string[];
-    enabled_modules?: string[];
-}
-/** Department from admin API */
-interface BioDepartment {
-    id: string;
-    name: string;
-    description?: string;
-    organizationId: string;
-    headId?: string;
-    parentId?: string;
-    memberCount?: number;
-}
-/** Data for creating a department */
-interface CreateDepartmentData {
-    name: string;
-    description?: string;
-    headId?: string;
-    parentId?: string;
-}
-/** Role from admin API */
-interface BioRole {
-    id: string;
-    name: string;
-    description?: string;
-    permissions: string[];
-    isSystem?: boolean;
-}
-/** Data for creating a role */
-interface CreateRoleData {
-    name: string;
-    description?: string;
-    permissions: string[];
-}
-/** OAuth client from admin API */
-interface BioOAuthClient {
-    clientId: string;
-    name: string;
-    description?: string;
-    redirectUris: string[];
-    allowedScopes: string[];
-    allowedGrantTypes: string[];
-    isActive: boolean;
-    orgId?: string;
-    orgSlug?: string;
-    accessTokenTtl?: number;
-    refreshTokenTtl?: number;
-}
-/** Data for creating an OAuth client */
-interface CreateClientData {
-    name: string;
-    description?: string;
-    redirectUris: string[];
-    allowedScopes?: string[];
-    allowedGrantTypes?: string[];
-}
-/** Admin API response wrapper */
-interface AdminResponse<T> {
-    success: boolean;
-    data?: T;
-    error?: string;
-    meta?: {
-        total: number;
-        page: number;
-        limit: number;
-    };
-}
+import { B as BioAuthConfig, A as AuthorizeOptions, a as AuthorizeResult, T as TokenResponse, b as BioUser, I as IntrospectResult, c as BioAdminConfig, U as UserFilters, d as UpdateUserData, e as BioDepartment, C as CreateDepartmentData, f as BioRole, g as CreateRoleData, h as BioOAuthClient, i as CreateClientData, j as BioTokenPayload, V as VerifyOptions, J as JWKSVerifyOptions } from './types-Dkb-drHZ.js';
+export { k as AdminResponse, l as BioAddress, m as BioClientTokenPayload, n as BioMessaging, o as BioUsersConfig, O as OrgMember, p as OrgMemberFilters, q as OrgMembersResult } from './types-Dkb-drHZ.js';
+export { AgencyProfile, AgencyProgram, AgencyStaffMember, AgentEmployer, AgentProfile, AppetiteMatchInput, AppetiteMatchProgram, AppetiteMatchResult, CarrierProfile, CarrierProgram, GraphClient, GraphClientConfig, ProgramProfile } from './graph.js';
 
 /**
  * OAuth flow client for Bio-ID SSO.
@@ -416,4 +155,4 @@ declare function isTokenExpired(token: string, bufferSeconds?: number): boolean;
  */
 declare function verifyTokenJWKS(token: string, options?: JWKSVerifyOptions): Promise<BioTokenPayload>;
 
-export { type AdminResponse, type AuthorizeOptions, type AuthorizeResult, type BioAddress, BioAdmin, type BioAdminConfig, BioAuth, type BioAuthConfig, type BioClientTokenPayload, type BioDepartment, BioError, type BioMessaging, type BioOAuthClient, type BioRole, type BioTokenPayload, type BioUser, type CreateClientData, type CreateDepartmentData, type CreateRoleData, type IntrospectResult, type JWKSVerifyOptions, type TokenResponse, type UpdateUserData, type UserFilters, type VerifyOptions, decodeToken, generatePKCE, isTokenExpired, verifyToken, verifyTokenJWKS };
+export { AuthorizeOptions, AuthorizeResult, BioAdmin, BioAdminConfig, BioAuth, BioAuthConfig, BioDepartment, BioError, BioOAuthClient, BioRole, BioTokenPayload, BioUser, CreateClientData, CreateDepartmentData, CreateRoleData, IntrospectResult, JWKSVerifyOptions, TokenResponse, UpdateUserData, UserFilters, VerifyOptions, decodeToken, generatePKCE, isTokenExpired, verifyToken, verifyTokenJWKS };

package/dist/index.js

@@ -33,6 +33,7 @@ __export(index_exports, {
   BioAdmin: () => BioAdmin,
   BioAuth: () => BioAuth,
   BioError: () => BioError,
+  GraphClient: () => GraphClient,
   decodeToken: () => decodeToken,
   generatePKCE: () => generatePKCE,
   isTokenExpired: () => isTokenExpired,
@@ -737,11 +738,171 @@ async function verifyTokenJWKS(token, options) {
   }
   return payload;
 }
+
+// src/graph.ts
+var DEFAULT_TIMEOUT_MS3 = 1e4;
+var BIO_GRAPH_URL = "https://bio-graph.tawa.pro";
+var GraphClient = class _GraphClient {
+  graphUrl;
+  accessToken;
+  timeoutMs;
+  constructor(config = {}) {
+    this.graphUrl = (config.graphUrl ?? process.env.BIO_GRAPH_URL ?? BIO_GRAPH_URL).replace(/\/$/, "");
+    this.accessToken = config.accessToken;
+    this.timeoutMs = config.timeoutMs ?? DEFAULT_TIMEOUT_MS3;
+  }
+  /**
+   * Create a GraphClient from environment variables.
+   * BIO_GRAPH_URL defaults to https://bio-graph.tawa.pro if not set.
+   */
+  static fromEnv(overrides) {
+    return new _GraphClient({
+      graphUrl: overrides?.graphUrl ?? process.env.BIO_GRAPH_URL,
+      accessToken: overrides?.accessToken,
+      timeoutMs: overrides?.timeoutMs
+    });
+  }
+  // ─── Public Profile Routes ────────────────────────────────────────────────
+  /** Look up an agent by NPN. Returns agent properties + employment chain. */
+  async getAgent(npn) {
+    return this.get(`/api/graph/agent/${encodeURIComponent(npn)}`);
+  }
+  /**
+   * Look up an agency by iecHash, raterspotId, or orgSlug.
+   * Returns agency properties + staff list + accessible programs.
+   */
+  async getAgency(iecHash) {
+    return this.get(`/api/graph/agency/${encodeURIComponent(iecHash)}`);
+  }
+  /**
+   * Look up a carrier by NAIC code, iecHash, raterspotId, or orgSlug.
+   * Returns carrier properties + managed programs.
+   */
+  async getCarrier(naic) {
+    return this.get(`/api/graph/carrier/${encodeURIComponent(naic)}`);
+  }
+  /**
+   * Look up a program by iecHash or raterspotId.
+   * Returns program properties + managing carrier or MGA.
+   */
+  async getProgram(iecHash) {
+    return this.get(`/api/graph/program/${encodeURIComponent(iecHash)}`);
+  }
+  // ─── Authenticated Routes ─────────────────────────────────────────────────
+  /**
+   * Find programs whose appetite covers a given risk.
+   * Requires an accessToken (auth: required).
+   *
+   * @param input - Risk criteria: NAICS code, state, line of business, optional limits
+   */
+  async matchAppetite(input) {
+    return this.post("/api/graph/appetite/match", input, { requiresAuth: true });
+  }
+  // ─── Internal ─────────────────────────────────────────────────────────────
+  async get(path, attempt = 0) {
+    const url = `${this.graphUrl}${path}`;
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), this.timeoutMs);
+    let response;
+    try {
+      response = await fetch(url, {
+        headers: this.buildHeaders(),
+        signal: controller.signal
+      });
+    } catch (err) {
+      clearTimeout(timer);
+      const isTimeout = err instanceof Error && err.name === "AbortError";
+      if (!isTimeout && attempt < 2) {
+        await sleep(retryDelay(attempt));
+        return this.get(path, attempt + 1);
+      }
+      throw new BioError(
+        isTimeout ? "bio-graph request timed out" : `bio-graph request failed: ${String(err)}`,
+        isTimeout ? "timeout" : "network_error"
+      );
+    } finally {
+      clearTimeout(timer);
+    }
+    return this.handleResponse(response, path);
+  }
+  async post(path, body, opts = {}, attempt = 0) {
+    if (opts.requiresAuth && !this.accessToken) {
+      throw new BioError(
+        `bio-graph ${path} requires an accessToken \u2014 pass it in the GraphClient constructor`,
+        "config_error"
+      );
+    }
+    const url = `${this.graphUrl}${path}`;
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), this.timeoutMs);
+    let response;
+    try {
+      response = await fetch(url, {
+        method: "POST",
+        headers: { ...this.buildHeaders(), "Content-Type": "application/json" },
+        body: JSON.stringify(body),
+        signal: controller.signal
+      });
+    } catch (err) {
+      clearTimeout(timer);
+      const isTimeout = err instanceof Error && err.name === "AbortError";
+      if (!isTimeout && attempt < 2) {
+        await sleep(retryDelay(attempt));
+        return this.post(path, body, opts, attempt + 1);
+      }
+      throw new BioError(
+        isTimeout ? "bio-graph request timed out" : `bio-graph request failed: ${String(err)}`,
+        isTimeout ? "timeout" : "network_error"
+      );
+    } finally {
+      clearTimeout(timer);
+    }
+    return this.handleResponse(response, path);
+  }
+  buildHeaders() {
+    const headers = {};
+    if (this.accessToken) {
+      headers["Authorization"] = `Bearer ${this.accessToken}`;
+    }
+    return headers;
+  }
+  async handleResponse(response, path) {
+    if (response.status === 404) {
+      throw new BioError(`bio-graph entity not found: ${path}`, "not_found", 404);
+    }
+    if (response.status === 401) {
+      throw new BioError(
+        "bio-graph authentication failed \u2014 provide a valid accessToken",
+        "unauthorized",
+        401
+      );
+    }
+    if (response.status === 402) {
+      throw new BioError(
+        "bio-graph call failed \u2014 insufficient gas tokens. Top up at tawa.insureco.io/wallet",
+        "insufficient_gas",
+        402
+      );
+    }
+    if (!response.ok) {
+      const body2 = await parseJsonResponse(response).catch(() => ({}));
+      throw new BioError(
+        `bio-graph returned ${response.status} for ${path}`,
+        "api_error",
+        response.status,
+        body2
+      );
+    }
+    const body = await parseJsonResponse(response);
+    return body;
+  }
+};
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   BioAdmin,
   BioAuth,
   BioError,
+  GraphClient,
   decodeToken,
   generatePKCE,
   isTokenExpired,

package/dist/index.mjs

@@ -1,23 +1,16 @@
+import {
+  GraphClient
+} from "./chunk-PLN6QPED.mjs";
+import {
+  BioError,
+  parseJsonResponse,
+  retryDelay,
+  sleep
+} from "./chunk-NK5VXXWF.mjs";
+
 // src/auth.ts
 import crypto2 from "crypto";
 
-// src/errors.ts
-var BioError = class extends Error {
-  /** HTTP status code (if from an API response) */
-  statusCode;
-  /** Machine-readable error code (e.g. 'invalid_grant', 'token_expired') */
-  code;
-  /** Additional error details from the API */
-  details;
-  constructor(message, code, statusCode, details) {
-    super(message);
-    this.name = "BioError";
-    this.code = code;
-    this.statusCode = statusCode;
-    this.details = details;
-  }
-};
-
 // src/pkce.ts
 import crypto from "crypto";
 function generatePKCE() {
@@ -26,26 +19,6 @@ function generatePKCE() {
   return { codeVerifier, codeChallenge };
 }
 
-// src/utils.ts
-function retryDelay(attempt) {
-  const baseDelay = Math.min(1e3 * 2 ** attempt, 5e3);
-  return baseDelay * (0.5 + Math.random() * 0.5);
-}
-function sleep(ms) {
-  return new Promise((resolve) => setTimeout(resolve, ms));
-}
-async function parseJsonResponse(response) {
-  try {
-    return await response.json();
-  } catch {
-    throw new BioError(
-      `Bio-ID returned ${response.status} with non-JSON body`,
-      "parse_error",
-      response.status
-    );
-  }
-}
-
 // src/auth.ts
 var DEFAULT_ISSUER = "https://bio.tawa.pro";
 var DEFAULT_SCOPES = ["openid", "profile", "email"];
@@ -698,6 +671,7 @@ export {
   BioAdmin,
   BioAuth,
   BioError,
+  GraphClient,
   decodeToken,
   generatePKCE,
   isTokenExpired,