@insureco/bio 0.4.0 → 0.6.0

package/dist/graph.js

@@ -0,0 +1,225 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/graph.ts
+var graph_exports = {};
+__export(graph_exports, {
+  GraphClient: () => GraphClient
+});
+module.exports = __toCommonJS(graph_exports);
+
+// src/errors.ts
+var BioError = class extends Error {
+  /** HTTP status code (if from an API response) */
+  statusCode;
+  /** Machine-readable error code (e.g. 'invalid_grant', 'token_expired') */
+  code;
+  /** Additional error details from the API */
+  details;
+  constructor(message, code, statusCode, details) {
+    super(message);
+    this.name = "BioError";
+    this.code = code;
+    this.statusCode = statusCode;
+    this.details = details;
+  }
+};
+
+// src/utils.ts
+function retryDelay(attempt) {
+  const baseDelay = Math.min(1e3 * 2 ** attempt, 5e3);
+  return baseDelay * (0.5 + Math.random() * 0.5);
+}
+function sleep(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+async function parseJsonResponse(response) {
+  try {
+    return await response.json();
+  } catch {
+    throw new BioError(
+      `Bio-ID returned ${response.status} with non-JSON body`,
+      "parse_error",
+      response.status
+    );
+  }
+}
+
+// src/graph.ts
+var DEFAULT_TIMEOUT_MS = 1e4;
+var BIO_GRAPH_URL = "https://bio-graph.tawa.pro";
+var GraphClient = class _GraphClient {
+  graphUrl;
+  accessToken;
+  timeoutMs;
+  constructor(config = {}) {
+    this.graphUrl = (config.graphUrl ?? process.env.BIO_GRAPH_URL ?? BIO_GRAPH_URL).replace(/\/$/, "");
+    this.accessToken = config.accessToken;
+    this.timeoutMs = config.timeoutMs ?? DEFAULT_TIMEOUT_MS;
+  }
+  /**
+   * Create a GraphClient from environment variables.
+   * BIO_GRAPH_URL defaults to https://bio-graph.tawa.pro if not set.
+   */
+  static fromEnv(overrides) {
+    return new _GraphClient({
+      graphUrl: overrides?.graphUrl ?? process.env.BIO_GRAPH_URL,
+      accessToken: overrides?.accessToken,
+      timeoutMs: overrides?.timeoutMs
+    });
+  }
+  // ─── Public Profile Routes ────────────────────────────────────────────────
+  /** Look up an agent by NPN. Returns agent properties + employment chain. */
+  async getAgent(npn) {
+    return this.get(`/api/graph/agent/${encodeURIComponent(npn)}`);
+  }
+  /**
+   * Look up an agency by iecHash, raterspotId, or orgSlug.
+   * Returns agency properties + staff list + accessible programs.
+   */
+  async getAgency(iecHash) {
+    return this.get(`/api/graph/agency/${encodeURIComponent(iecHash)}`);
+  }
+  /**
+   * Look up a carrier by NAIC code, iecHash, raterspotId, or orgSlug.
+   * Returns carrier properties + managed programs.
+   */
+  async getCarrier(naic) {
+    return this.get(`/api/graph/carrier/${encodeURIComponent(naic)}`);
+  }
+  /**
+   * Look up a program by iecHash or raterspotId.
+   * Returns program properties + managing carrier or MGA.
+   */
+  async getProgram(iecHash) {
+    return this.get(`/api/graph/program/${encodeURIComponent(iecHash)}`);
+  }
+  // ─── Authenticated Routes ─────────────────────────────────────────────────
+  /**
+   * Find programs whose appetite covers a given risk.
+   * Requires an accessToken (auth: required).
+   *
+   * @param input - Risk criteria: NAICS code, state, line of business, optional limits
+   */
+  async matchAppetite(input) {
+    return this.post("/api/graph/appetite/match", input, { requiresAuth: true });
+  }
+  // ─── Internal ─────────────────────────────────────────────────────────────
+  async get(path, attempt = 0) {
+    const url = `${this.graphUrl}${path}`;
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), this.timeoutMs);
+    let response;
+    try {
+      response = await fetch(url, {
+        headers: this.buildHeaders(),
+        signal: controller.signal
+      });
+    } catch (err) {
+      clearTimeout(timer);
+      const isTimeout = err instanceof Error && err.name === "AbortError";
+      if (!isTimeout && attempt < 2) {
+        await sleep(retryDelay(attempt));
+        return this.get(path, attempt + 1);
+      }
+      throw new BioError(
+        isTimeout ? "bio-graph request timed out" : `bio-graph request failed: ${String(err)}`,
+        isTimeout ? "timeout" : "network_error"
+      );
+    } finally {
+      clearTimeout(timer);
+    }
+    return this.handleResponse(response, path);
+  }
+  async post(path, body, opts = {}, attempt = 0) {
+    if (opts.requiresAuth && !this.accessToken) {
+      throw new BioError(
+        `bio-graph ${path} requires an accessToken \u2014 pass it in the GraphClient constructor`,
+        "config_error"
+      );
+    }
+    const url = `${this.graphUrl}${path}`;
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), this.timeoutMs);
+    let response;
+    try {
+      response = await fetch(url, {
+        method: "POST",
+        headers: { ...this.buildHeaders(), "Content-Type": "application/json" },
+        body: JSON.stringify(body),
+        signal: controller.signal
+      });
+    } catch (err) {
+      clearTimeout(timer);
+      const isTimeout = err instanceof Error && err.name === "AbortError";
+      if (!isTimeout && attempt < 2) {
+        await sleep(retryDelay(attempt));
+        return this.post(path, body, opts, attempt + 1);
+      }
+      throw new BioError(
+        isTimeout ? "bio-graph request timed out" : `bio-graph request failed: ${String(err)}`,
+        isTimeout ? "timeout" : "network_error"
+      );
+    } finally {
+      clearTimeout(timer);
+    }
+    return this.handleResponse(response, path);
+  }
+  buildHeaders() {
+    const headers = {};
+    if (this.accessToken) {
+      headers["Authorization"] = `Bearer ${this.accessToken}`;
+    }
+    return headers;
+  }
+  async handleResponse(response, path) {
+    if (response.status === 404) {
+      throw new BioError(`bio-graph entity not found: ${path}`, "not_found", 404);
+    }
+    if (response.status === 401) {
+      throw new BioError(
+        "bio-graph authentication failed \u2014 provide a valid accessToken",
+        "unauthorized",
+        401
+      );
+    }
+    if (response.status === 402) {
+      throw new BioError(
+        "bio-graph call failed \u2014 insufficient gas tokens. Top up at tawa.insureco.io/wallet",
+        "insufficient_gas",
+        402
+      );
+    }
+    if (!response.ok) {
+      const body2 = await parseJsonResponse(response).catch(() => ({}));
+      throw new BioError(
+        `bio-graph returned ${response.status} for ${path}`,
+        "api_error",
+        response.status,
+        body2
+      );
+    }
+    const body = await parseJsonResponse(response);
+    return body;
+  }
+};
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  GraphClient
+});

package/dist/graph.mjs

@@ -0,0 +1,7 @@
+import {
+  GraphClient
+} from "./chunk-PLN6QPED.mjs";
+import "./chunk-NK5VXXWF.mjs";
+export {
+  GraphClient
+};

package/dist/index.d.mts

@@ -1,5 +1,6 @@
-import { B as BioAuthConfig, A as AuthorizeOptions, a as AuthorizeResult, T as TokenResponse, b as BioUser, I as IntrospectResult, c as BioAdminConfig, U as UserFilters, d as UpdateUserData, e as BioDepartment, C as CreateDepartmentData, f as BioRole, g as CreateRoleData, h as BioOAuthClient, i as CreateClientData, j as BioTokenPayload, V as VerifyOptions, J as JWKSVerifyOptions } from './types-Dkb-drHZ.mjs';
-export { k as AdminResponse, l as BioAddress, m as BioClientTokenPayload, n as BioMessaging, o as BioUsersConfig, O as OrgMember, p as OrgMemberFilters, q as OrgMembersResult } from './types-Dkb-drHZ.mjs';
+import { B as BioAuthConfig, A as AuthorizeOptions, a as AuthorizeResult, T as TokenResponse, b as BioUser, I as IntrospectResult, c as BioAdminConfig, U as UserFilters, d as UpdateUserData, e as BioDepartment, C as CreateDepartmentData, f as BioRole, g as CreateRoleData, h as BioOAuthClient, i as CreateClientData, E as EmbedClientConfig, j as EmbedLoginParams, k as EmbedAuthResult, l as EmbedSignupParams, m as EmbedMagicLinkParams, n as EmbedVerifyParams, o as EmbedRefreshParams, p as EmbedLogoutParams, q as BioTokenPayload, V as VerifyOptions, J as JWKSVerifyOptions } from './types-CJe1FP61.mjs';
+export { r as AdminResponse, s as BioAddress, t as BioClientTokenPayload, u as BioMessaging, v as BioUsersConfig, w as EmbedBranding, x as EmbedUser, O as OrgMember, y as OrgMemberFilters, z as OrgMembersResult } from './types-CJe1FP61.mjs';
+export { AgencyProfile, AgencyProgram, AgencyStaffMember, AgentEmployer, AgentProfile, AppetiteMatchInput, AppetiteMatchProgram, AppetiteMatchResult, CarrierProfile, CarrierProgram, GraphClient, GraphClientConfig, ProgramProfile } from './graph.mjs';
 
 /**
  * OAuth flow client for Bio-ID SSO.
@@ -104,6 +105,91 @@ declare class BioAdmin {
     private request;
 }
 
+/**
+ * Client for Bio-ID headless embed endpoints.
+ *
+ * Use this when building custom login/signup UIs that authenticate
+ * directly against Bio-ID without redirects (no OAuth flow).
+ *
+ * All endpoints use X-Client-Id / X-Client-Secret header auth.
+ *
+ * @example
+ * ```typescript
+ * import { EmbedClient } from '@insureco/bio'
+ *
+ * const embed = EmbedClient.fromEnv()
+ *
+ * // Login
+ * const result = await embed.login({ email: 'user@example.com', password: 'secret' })
+ * console.log(result.accessToken, result.user.bioId)
+ *
+ * // Refresh
+ * const refreshed = await embed.refresh({ refreshToken: result.refreshToken })
+ *
+ * // Logout
+ * await embed.logout({ refreshToken: result.refreshToken })
+ * ```
+ */
+declare class EmbedClient {
+    private readonly bioIdUrl;
+    private readonly clientId;
+    private readonly clientSecret;
+    private readonly retries;
+    private readonly timeoutMs;
+    constructor(config: EmbedClientConfig);
+    /**
+     * Create an EmbedClient from environment variables.
+     *
+     * Reads: BIO_CLIENT_ID, BIO_CLIENT_SECRET, BIO_ID_URL
+     */
+    static fromEnv(overrides?: Partial<EmbedClientConfig>): EmbedClient;
+    /**
+     * Authenticate a user with email and password.
+     *
+     * @param params - Email and password
+     * @returns Access token, refresh token, user profile, and optional branding
+     */
+    login(params: EmbedLoginParams): Promise<EmbedAuthResult>;
+    /**
+     * Create a new user account.
+     *
+     * @param params - Email, password, name, and optional invite token
+     * @returns Access token, refresh token, user profile, and optional branding
+     */
+    signup(params: EmbedSignupParams): Promise<EmbedAuthResult>;
+    /**
+     * Send a magic link email to the user.
+     *
+     * The user clicks the link to authenticate without a password.
+     * After sending, use `verify()` with the token from the link.
+     *
+     * @param params - Email address to send the magic link to
+     */
+    sendMagicLink(params: EmbedMagicLinkParams): Promise<void>;
+    /**
+     * Verify a magic link token and exchange it for auth tokens.
+     *
+     * @param params - The token from the magic link
+     * @returns Access token, refresh token, user profile, and optional branding
+     */
+    verify(params: EmbedVerifyParams): Promise<EmbedAuthResult>;
+    /**
+     * Refresh an expired access token using a refresh token.
+     *
+     * @param params - The refresh token to exchange
+     * @returns New access token, rotated refresh token, user profile, and optional branding
+     */
+    refresh(params: EmbedRefreshParams): Promise<EmbedAuthResult>;
+    /**
+     * Revoke a refresh token (logout).
+     *
+     * @param params - The refresh token to revoke
+     */
+    logout(params: EmbedLogoutParams): Promise<void>;
+    private embedRequest;
+    private fetchWithRetry;
+}
+
 /** Error thrown by Bio SDK operations */
 declare class BioError extends Error {
     /** HTTP status code (if from an API response) */
@@ -154,4 +240,4 @@ declare function isTokenExpired(token: string, bufferSeconds?: number): boolean;
  */
 declare function verifyTokenJWKS(token: string, options?: JWKSVerifyOptions): Promise<BioTokenPayload>;
 
-export { AuthorizeOptions, AuthorizeResult, BioAdmin, BioAdminConfig, BioAuth, BioAuthConfig, BioDepartment, BioError, BioOAuthClient, BioRole, BioTokenPayload, BioUser, CreateClientData, CreateDepartmentData, CreateRoleData, IntrospectResult, JWKSVerifyOptions, TokenResponse, UpdateUserData, UserFilters, VerifyOptions, decodeToken, generatePKCE, isTokenExpired, verifyToken, verifyTokenJWKS };
+export { AuthorizeOptions, AuthorizeResult, BioAdmin, BioAdminConfig, BioAuth, BioAuthConfig, BioDepartment, BioError, BioOAuthClient, BioRole, BioTokenPayload, BioUser, CreateClientData, CreateDepartmentData, CreateRoleData, EmbedAuthResult, EmbedClient, EmbedClientConfig, EmbedLoginParams, EmbedLogoutParams, EmbedMagicLinkParams, EmbedRefreshParams, EmbedSignupParams, EmbedVerifyParams, IntrospectResult, JWKSVerifyOptions, TokenResponse, UpdateUserData, UserFilters, VerifyOptions, decodeToken, generatePKCE, isTokenExpired, verifyToken, verifyTokenJWKS };

package/dist/index.d.ts

@@ -1,5 +1,6 @@
-import { B as BioAuthConfig, A as AuthorizeOptions, a as AuthorizeResult, T as TokenResponse, b as BioUser, I as IntrospectResult, c as BioAdminConfig, U as UserFilters, d as UpdateUserData, e as BioDepartment, C as CreateDepartmentData, f as BioRole, g as CreateRoleData, h as BioOAuthClient, i as CreateClientData, j as BioTokenPayload, V as VerifyOptions, J as JWKSVerifyOptions } from './types-Dkb-drHZ.js';
-export { k as AdminResponse, l as BioAddress, m as BioClientTokenPayload, n as BioMessaging, o as BioUsersConfig, O as OrgMember, p as OrgMemberFilters, q as OrgMembersResult } from './types-Dkb-drHZ.js';
+import { B as BioAuthConfig, A as AuthorizeOptions, a as AuthorizeResult, T as TokenResponse, b as BioUser, I as IntrospectResult, c as BioAdminConfig, U as UserFilters, d as UpdateUserData, e as BioDepartment, C as CreateDepartmentData, f as BioRole, g as CreateRoleData, h as BioOAuthClient, i as CreateClientData, E as EmbedClientConfig, j as EmbedLoginParams, k as EmbedAuthResult, l as EmbedSignupParams, m as EmbedMagicLinkParams, n as EmbedVerifyParams, o as EmbedRefreshParams, p as EmbedLogoutParams, q as BioTokenPayload, V as VerifyOptions, J as JWKSVerifyOptions } from './types-CJe1FP61.js';
+export { r as AdminResponse, s as BioAddress, t as BioClientTokenPayload, u as BioMessaging, v as BioUsersConfig, w as EmbedBranding, x as EmbedUser, O as OrgMember, y as OrgMemberFilters, z as OrgMembersResult } from './types-CJe1FP61.js';
+export { AgencyProfile, AgencyProgram, AgencyStaffMember, AgentEmployer, AgentProfile, AppetiteMatchInput, AppetiteMatchProgram, AppetiteMatchResult, CarrierProfile, CarrierProgram, GraphClient, GraphClientConfig, ProgramProfile } from './graph.js';
 
 /**
  * OAuth flow client for Bio-ID SSO.
@@ -104,6 +105,91 @@ declare class BioAdmin {
     private request;
 }
 
+/**
+ * Client for Bio-ID headless embed endpoints.
+ *
+ * Use this when building custom login/signup UIs that authenticate
+ * directly against Bio-ID without redirects (no OAuth flow).
+ *
+ * All endpoints use X-Client-Id / X-Client-Secret header auth.
+ *
+ * @example
+ * ```typescript
+ * import { EmbedClient } from '@insureco/bio'
+ *
+ * const embed = EmbedClient.fromEnv()
+ *
+ * // Login
+ * const result = await embed.login({ email: 'user@example.com', password: 'secret' })
+ * console.log(result.accessToken, result.user.bioId)
+ *
+ * // Refresh
+ * const refreshed = await embed.refresh({ refreshToken: result.refreshToken })
+ *
+ * // Logout
+ * await embed.logout({ refreshToken: result.refreshToken })
+ * ```
+ */
+declare class EmbedClient {
+    private readonly bioIdUrl;
+    private readonly clientId;
+    private readonly clientSecret;
+    private readonly retries;
+    private readonly timeoutMs;
+    constructor(config: EmbedClientConfig);
+    /**
+     * Create an EmbedClient from environment variables.
+     *
+     * Reads: BIO_CLIENT_ID, BIO_CLIENT_SECRET, BIO_ID_URL
+     */
+    static fromEnv(overrides?: Partial<EmbedClientConfig>): EmbedClient;
+    /**
+     * Authenticate a user with email and password.
+     *
+     * @param params - Email and password
+     * @returns Access token, refresh token, user profile, and optional branding
+     */
+    login(params: EmbedLoginParams): Promise<EmbedAuthResult>;
+    /**
+     * Create a new user account.
+     *
+     * @param params - Email, password, name, and optional invite token
+     * @returns Access token, refresh token, user profile, and optional branding
+     */
+    signup(params: EmbedSignupParams): Promise<EmbedAuthResult>;
+    /**
+     * Send a magic link email to the user.
+     *
+     * The user clicks the link to authenticate without a password.
+     * After sending, use `verify()` with the token from the link.
+     *
+     * @param params - Email address to send the magic link to
+     */
+    sendMagicLink(params: EmbedMagicLinkParams): Promise<void>;
+    /**
+     * Verify a magic link token and exchange it for auth tokens.
+     *
+     * @param params - The token from the magic link
+     * @returns Access token, refresh token, user profile, and optional branding
+     */
+    verify(params: EmbedVerifyParams): Promise<EmbedAuthResult>;
+    /**
+     * Refresh an expired access token using a refresh token.
+     *
+     * @param params - The refresh token to exchange
+     * @returns New access token, rotated refresh token, user profile, and optional branding
+     */
+    refresh(params: EmbedRefreshParams): Promise<EmbedAuthResult>;
+    /**
+     * Revoke a refresh token (logout).
+     *
+     * @param params - The refresh token to revoke
+     */
+    logout(params: EmbedLogoutParams): Promise<void>;
+    private embedRequest;
+    private fetchWithRetry;
+}
+
 /** Error thrown by Bio SDK operations */
 declare class BioError extends Error {
     /** HTTP status code (if from an API response) */
@@ -154,4 +240,4 @@ declare function isTokenExpired(token: string, bufferSeconds?: number): boolean;
  */
 declare function verifyTokenJWKS(token: string, options?: JWKSVerifyOptions): Promise<BioTokenPayload>;
 
-export { AuthorizeOptions, AuthorizeResult, BioAdmin, BioAdminConfig, BioAuth, BioAuthConfig, BioDepartment, BioError, BioOAuthClient, BioRole, BioTokenPayload, BioUser, CreateClientData, CreateDepartmentData, CreateRoleData, IntrospectResult, JWKSVerifyOptions, TokenResponse, UpdateUserData, UserFilters, VerifyOptions, decodeToken, generatePKCE, isTokenExpired, verifyToken, verifyTokenJWKS };
+export { AuthorizeOptions, AuthorizeResult, BioAdmin, BioAdminConfig, BioAuth, BioAuthConfig, BioDepartment, BioError, BioOAuthClient, BioRole, BioTokenPayload, BioUser, CreateClientData, CreateDepartmentData, CreateRoleData, EmbedAuthResult, EmbedClient, EmbedClientConfig, EmbedLoginParams, EmbedLogoutParams, EmbedMagicLinkParams, EmbedRefreshParams, EmbedSignupParams, EmbedVerifyParams, IntrospectResult, JWKSVerifyOptions, TokenResponse, UpdateUserData, UserFilters, VerifyOptions, decodeToken, generatePKCE, isTokenExpired, verifyToken, verifyTokenJWKS };