@insureco/bio 0.4.0 → 0.6.0

package/dist/index.js

@@ -33,6 +33,8 @@ __export(index_exports, {
   BioAdmin: () => BioAdmin,
   BioAuth: () => BioAuth,
   BioError: () => BioError,
+  EmbedClient: () => EmbedClient,
+  GraphClient: () => GraphClient,
   decodeToken: () => decodeToken,
   generatePKCE: () => generatePKCE,
   isTokenExpired: () => isTokenExpired,
@@ -585,6 +587,257 @@ var BioAdmin = class _BioAdmin {
   }
 };
 
+// src/embed.ts
+var DEFAULT_BIO_URL = "https://bio.tawa.pro";
+var DEFAULT_TIMEOUT_MS3 = 1e4;
+var EmbedClient = class _EmbedClient {
+  bioIdUrl;
+  clientId;
+  clientSecret;
+  retries;
+  timeoutMs;
+  constructor(config) {
+    if (!config.clientId) {
+      throw new BioError("clientId is required", "config_error");
+    }
+    if (!config.clientSecret) {
+      throw new BioError("clientSecret is required", "config_error");
+    }
+    this.clientId = config.clientId;
+    this.clientSecret = config.clientSecret;
+    this.bioIdUrl = (config.bioIdUrl ?? DEFAULT_BIO_URL).replace(/\/$/, "");
+    this.retries = config.retries ?? 2;
+    this.timeoutMs = config.timeoutMs ?? DEFAULT_TIMEOUT_MS3;
+  }
+  /**
+   * Create an EmbedClient from environment variables.
+   *
+   * Reads: BIO_CLIENT_ID, BIO_CLIENT_SECRET, BIO_ID_URL
+   */
+  static fromEnv(overrides) {
+    const clientId = overrides?.clientId ?? process.env.BIO_CLIENT_ID;
+    const clientSecret = overrides?.clientSecret ?? process.env.BIO_CLIENT_SECRET;
+    if (!clientId) {
+      throw new BioError(
+        "BIO_CLIENT_ID environment variable is required",
+        "config_error"
+      );
+    }
+    if (!clientSecret) {
+      throw new BioError(
+        "BIO_CLIENT_SECRET environment variable is required",
+        "config_error"
+      );
+    }
+    return new _EmbedClient({
+      clientId,
+      clientSecret,
+      bioIdUrl: overrides?.bioIdUrl ?? process.env.BIO_ID_URL,
+      retries: overrides?.retries,
+      timeoutMs: overrides?.timeoutMs
+    });
+  }
+  /**
+   * Authenticate a user with email and password.
+   *
+   * @param params - Email and password
+   * @returns Access token, refresh token, user profile, and optional branding
+   */
+  async login(params) {
+    if (!params.email) throw new BioError("email is required", "validation_error");
+    if (!params.password) throw new BioError("password is required", "validation_error");
+    return this.embedRequest("/api/embed/login", {
+      email: params.email,
+      password: params.password
+    });
+  }
+  /**
+   * Create a new user account.
+   *
+   * @param params - Email, password, name, and optional invite token
+   * @returns Access token, refresh token, user profile, and optional branding
+   */
+  async signup(params) {
+    if (!params.email) throw new BioError("email is required", "validation_error");
+    if (!params.password) throw new BioError("password is required", "validation_error");
+    if (!params.name) throw new BioError("name is required", "validation_error");
+    const body = {
+      email: params.email,
+      password: params.password,
+      name: params.name
+    };
+    if (params.inviteToken) {
+      body.inviteToken = params.inviteToken;
+    }
+    return this.embedRequest("/api/embed/signup", body);
+  }
+  /**
+   * Send a magic link email to the user.
+   *
+   * The user clicks the link to authenticate without a password.
+   * After sending, use `verify()` with the token from the link.
+   *
+   * @param params - Email address to send the magic link to
+   */
+  async sendMagicLink(params) {
+    if (!params.email) throw new BioError("email is required", "validation_error");
+    const response = await this.fetchWithRetry(
+      "POST",
+      `${this.bioIdUrl}/api/embed/magic-link`,
+      JSON.stringify({ email: params.email })
+    );
+    const json = await parseJsonResponse(response);
+    if (!response.ok) {
+      throw new BioError(
+        extractErrorMessage(json, response.status),
+        extractErrorCode(json),
+        response.status,
+        json
+      );
+    }
+  }
+  /**
+   * Verify a magic link token and exchange it for auth tokens.
+   *
+   * @param params - The token from the magic link
+   * @returns Access token, refresh token, user profile, and optional branding
+   */
+  async verify(params) {
+    if (!params.token) throw new BioError("token is required", "validation_error");
+    return this.embedRequest("/api/embed/verify", {
+      token: params.token
+    });
+  }
+  /**
+   * Refresh an expired access token using a refresh token.
+   *
+   * @param params - The refresh token to exchange
+   * @returns New access token, rotated refresh token, user profile, and optional branding
+   */
+  async refresh(params) {
+    if (!params.refreshToken) throw new BioError("refreshToken is required", "validation_error");
+    return this.embedRequest("/api/embed/refresh", {
+      refreshToken: params.refreshToken
+    });
+  }
+  /**
+   * Revoke a refresh token (logout).
+   *
+   * @param params - The refresh token to revoke
+   */
+  async logout(params) {
+    if (!params.refreshToken) throw new BioError("refreshToken is required", "validation_error");
+    const response = await this.fetchWithRetry(
+      "POST",
+      `${this.bioIdUrl}/api/embed/logout`,
+      JSON.stringify({ refreshToken: params.refreshToken })
+    );
+    const json = await parseJsonResponse(response);
+    if (!response.ok) {
+      throw new BioError(
+        extractErrorMessage(json, response.status),
+        extractErrorCode(json),
+        response.status,
+        json
+      );
+    }
+  }
+  // ── Private helpers ──────────────────────────────────────────────────────
+  async embedRequest(path, body) {
+    const response = await this.fetchWithRetry(
+      "POST",
+      `${this.bioIdUrl}${path}`,
+      JSON.stringify(body)
+    );
+    const json = await parseJsonResponse(response);
+    if (!response.ok) {
+      throw new BioError(
+        extractErrorMessage(json, response.status),
+        extractErrorCode(json),
+        response.status,
+        json
+      );
+    }
+    return mapEmbedResponse(json);
+  }
+  async fetchWithRetry(method, url, body, attempt = 0) {
+    try {
+      const response = await fetch(url, {
+        method,
+        headers: {
+          "Content-Type": "application/json",
+          "X-Client-Id": this.clientId,
+          "X-Client-Secret": this.clientSecret
+        },
+        body,
+        signal: AbortSignal.timeout(this.timeoutMs)
+      });
+      if (response.status >= 500 && attempt < this.retries) {
+        await sleep(retryDelay(attempt));
+        return this.fetchWithRetry(method, url, body, attempt + 1);
+      }
+      return response;
+    } catch (err) {
+      if (attempt < this.retries) {
+        await sleep(retryDelay(attempt));
+        return this.fetchWithRetry(method, url, body, attempt + 1);
+      }
+      const isTimeout = err instanceof DOMException && err.name === "TimeoutError";
+      throw new BioError(
+        isTimeout ? `Request timed out after ${this.timeoutMs}ms` : err instanceof Error ? err.message : "Network error",
+        isTimeout ? "timeout" : "network_error"
+      );
+    }
+  }
+};
+function mapEmbedResponse(raw) {
+  const data = raw.data ?? raw;
+  const rawUser = data.user ?? {};
+  const rawBranding = data.branding;
+  const user = {
+    bioId: rawUser.bioId,
+    email: rawUser.email,
+    name: rawUser.name,
+    orgSlug: rawUser.orgSlug
+  };
+  const result = {
+    accessToken: data.access_token,
+    refreshToken: data.refresh_token,
+    tokenType: data.token_type ?? "Bearer",
+    expiresIn: data.expires_in,
+    user
+  };
+  if (rawBranding) {
+    result.branding = {
+      displayName: rawBranding.displayName,
+      logoUrl: rawBranding.logoUrl,
+      logoMarkUrl: rawBranding.logoMarkUrl,
+      primaryColor: rawBranding.primaryColor,
+      secondaryColor: rawBranding.secondaryColor,
+      verified: rawBranding.verified,
+      whiteLabelApproved: rawBranding.whiteLabelApproved
+    };
+  }
+  return result;
+}
+function extractErrorMessage(json, status) {
+  const error = json.error;
+  if (typeof error === "object" && error !== null) {
+    return error.message ?? `Embed API returned ${status}`;
+  }
+  if (typeof error === "string") {
+    return error;
+  }
+  return `Embed API returned ${status}`;
+}
+function extractErrorCode(json) {
+  const error = json.error;
+  if (typeof error === "object" && error !== null) {
+    return error.code ?? "embed_error";
+  }
+  return "embed_error";
+}
+
 // src/jwt.ts
 var import_node_crypto3 = __toESM(require("crypto"));
 var DEFAULT_ISSUERS = [
@@ -737,11 +990,172 @@ async function verifyTokenJWKS(token, options) {
   }
   return payload;
 }
+
+// src/graph.ts
+var DEFAULT_TIMEOUT_MS4 = 1e4;
+var BIO_GRAPH_URL = "https://bio-graph.tawa.pro";
+var GraphClient = class _GraphClient {
+  graphUrl;
+  accessToken;
+  timeoutMs;
+  constructor(config = {}) {
+    this.graphUrl = (config.graphUrl ?? process.env.BIO_GRAPH_URL ?? BIO_GRAPH_URL).replace(/\/$/, "");
+    this.accessToken = config.accessToken;
+    this.timeoutMs = config.timeoutMs ?? DEFAULT_TIMEOUT_MS4;
+  }
+  /**
+   * Create a GraphClient from environment variables.
+   * BIO_GRAPH_URL defaults to https://bio-graph.tawa.pro if not set.
+   */
+  static fromEnv(overrides) {
+    return new _GraphClient({
+      graphUrl: overrides?.graphUrl ?? process.env.BIO_GRAPH_URL,
+      accessToken: overrides?.accessToken,
+      timeoutMs: overrides?.timeoutMs
+    });
+  }
+  // ─── Public Profile Routes ────────────────────────────────────────────────
+  /** Look up an agent by NPN. Returns agent properties + employment chain. */
+  async getAgent(npn) {
+    return this.get(`/api/graph/agent/${encodeURIComponent(npn)}`);
+  }
+  /**
+   * Look up an agency by iecHash, raterspotId, or orgSlug.
+   * Returns agency properties + staff list + accessible programs.
+   */
+  async getAgency(iecHash) {
+    return this.get(`/api/graph/agency/${encodeURIComponent(iecHash)}`);
+  }
+  /**
+   * Look up a carrier by NAIC code, iecHash, raterspotId, or orgSlug.
+   * Returns carrier properties + managed programs.
+   */
+  async getCarrier(naic) {
+    return this.get(`/api/graph/carrier/${encodeURIComponent(naic)}`);
+  }
+  /**
+   * Look up a program by iecHash or raterspotId.
+   * Returns program properties + managing carrier or MGA.
+   */
+  async getProgram(iecHash) {
+    return this.get(`/api/graph/program/${encodeURIComponent(iecHash)}`);
+  }
+  // ─── Authenticated Routes ─────────────────────────────────────────────────
+  /**
+   * Find programs whose appetite covers a given risk.
+   * Requires an accessToken (auth: required).
+   *
+   * @param input - Risk criteria: NAICS code, state, line of business, optional limits
+   */
+  async matchAppetite(input) {
+    return this.post("/api/graph/appetite/match", input, { requiresAuth: true });
+  }
+  // ─── Internal ─────────────────────────────────────────────────────────────
+  async get(path, attempt = 0) {
+    const url = `${this.graphUrl}${path}`;
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), this.timeoutMs);
+    let response;
+    try {
+      response = await fetch(url, {
+        headers: this.buildHeaders(),
+        signal: controller.signal
+      });
+    } catch (err) {
+      clearTimeout(timer);
+      const isTimeout = err instanceof Error && err.name === "AbortError";
+      if (!isTimeout && attempt < 2) {
+        await sleep(retryDelay(attempt));
+        return this.get(path, attempt + 1);
+      }
+      throw new BioError(
+        isTimeout ? "bio-graph request timed out" : `bio-graph request failed: ${String(err)}`,
+        isTimeout ? "timeout" : "network_error"
+      );
+    } finally {
+      clearTimeout(timer);
+    }
+    return this.handleResponse(response, path);
+  }
+  async post(path, body, opts = {}, attempt = 0) {
+    if (opts.requiresAuth && !this.accessToken) {
+      throw new BioError(
+        `bio-graph ${path} requires an accessToken \u2014 pass it in the GraphClient constructor`,
+        "config_error"
+      );
+    }
+    const url = `${this.graphUrl}${path}`;
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), this.timeoutMs);
+    let response;
+    try {
+      response = await fetch(url, {
+        method: "POST",
+        headers: { ...this.buildHeaders(), "Content-Type": "application/json" },
+        body: JSON.stringify(body),
+        signal: controller.signal
+      });
+    } catch (err) {
+      clearTimeout(timer);
+      const isTimeout = err instanceof Error && err.name === "AbortError";
+      if (!isTimeout && attempt < 2) {
+        await sleep(retryDelay(attempt));
+        return this.post(path, body, opts, attempt + 1);
+      }
+      throw new BioError(
+        isTimeout ? "bio-graph request timed out" : `bio-graph request failed: ${String(err)}`,
+        isTimeout ? "timeout" : "network_error"
+      );
+    } finally {
+      clearTimeout(timer);
+    }
+    return this.handleResponse(response, path);
+  }
+  buildHeaders() {
+    const headers = {};
+    if (this.accessToken) {
+      headers["Authorization"] = `Bearer ${this.accessToken}`;
+    }
+    return headers;
+  }
+  async handleResponse(response, path) {
+    if (response.status === 404) {
+      throw new BioError(`bio-graph entity not found: ${path}`, "not_found", 404);
+    }
+    if (response.status === 401) {
+      throw new BioError(
+        "bio-graph authentication failed \u2014 provide a valid accessToken",
+        "unauthorized",
+        401
+      );
+    }
+    if (response.status === 402) {
+      throw new BioError(
+        "bio-graph call failed \u2014 insufficient gas tokens. Top up at tawa.insureco.io/wallet",
+        "insufficient_gas",
+        402
+      );
+    }
+    if (!response.ok) {
+      const body2 = await parseJsonResponse(response).catch(() => ({}));
+      throw new BioError(
+        `bio-graph returned ${response.status} for ${path}`,
+        "api_error",
+        response.status,
+        body2
+      );
+    }
+    const body = await parseJsonResponse(response);
+    return body;
+  }
+};
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   BioAdmin,
   BioAuth,
   BioError,
+  EmbedClient,
+  GraphClient,
   decodeToken,
   generatePKCE,
   isTokenExpired,

package/dist/index.mjs

@@ -1,3 +1,6 @@
+import {
+  GraphClient
+} from "./chunk-PLN6QPED.mjs";
 import {
   BioError,
   parseJsonResponse,
@@ -512,6 +515,257 @@ var BioAdmin = class _BioAdmin {
   }
 };
 
+// src/embed.ts
+var DEFAULT_BIO_URL = "https://bio.tawa.pro";
+var DEFAULT_TIMEOUT_MS3 = 1e4;
+var EmbedClient = class _EmbedClient {
+  bioIdUrl;
+  clientId;
+  clientSecret;
+  retries;
+  timeoutMs;
+  constructor(config) {
+    if (!config.clientId) {
+      throw new BioError("clientId is required", "config_error");
+    }
+    if (!config.clientSecret) {
+      throw new BioError("clientSecret is required", "config_error");
+    }
+    this.clientId = config.clientId;
+    this.clientSecret = config.clientSecret;
+    this.bioIdUrl = (config.bioIdUrl ?? DEFAULT_BIO_URL).replace(/\/$/, "");
+    this.retries = config.retries ?? 2;
+    this.timeoutMs = config.timeoutMs ?? DEFAULT_TIMEOUT_MS3;
+  }
+  /**
+   * Create an EmbedClient from environment variables.
+   *
+   * Reads: BIO_CLIENT_ID, BIO_CLIENT_SECRET, BIO_ID_URL
+   */
+  static fromEnv(overrides) {
+    const clientId = overrides?.clientId ?? process.env.BIO_CLIENT_ID;
+    const clientSecret = overrides?.clientSecret ?? process.env.BIO_CLIENT_SECRET;
+    if (!clientId) {
+      throw new BioError(
+        "BIO_CLIENT_ID environment variable is required",
+        "config_error"
+      );
+    }
+    if (!clientSecret) {
+      throw new BioError(
+        "BIO_CLIENT_SECRET environment variable is required",
+        "config_error"
+      );
+    }
+    return new _EmbedClient({
+      clientId,
+      clientSecret,
+      bioIdUrl: overrides?.bioIdUrl ?? process.env.BIO_ID_URL,
+      retries: overrides?.retries,
+      timeoutMs: overrides?.timeoutMs
+    });
+  }
+  /**
+   * Authenticate a user with email and password.
+   *
+   * @param params - Email and password
+   * @returns Access token, refresh token, user profile, and optional branding
+   */
+  async login(params) {
+    if (!params.email) throw new BioError("email is required", "validation_error");
+    if (!params.password) throw new BioError("password is required", "validation_error");
+    return this.embedRequest("/api/embed/login", {
+      email: params.email,
+      password: params.password
+    });
+  }
+  /**
+   * Create a new user account.
+   *
+   * @param params - Email, password, name, and optional invite token
+   * @returns Access token, refresh token, user profile, and optional branding
+   */
+  async signup(params) {
+    if (!params.email) throw new BioError("email is required", "validation_error");
+    if (!params.password) throw new BioError("password is required", "validation_error");
+    if (!params.name) throw new BioError("name is required", "validation_error");
+    const body = {
+      email: params.email,
+      password: params.password,
+      name: params.name
+    };
+    if (params.inviteToken) {
+      body.inviteToken = params.inviteToken;
+    }
+    return this.embedRequest("/api/embed/signup", body);
+  }
+  /**
+   * Send a magic link email to the user.
+   *
+   * The user clicks the link to authenticate without a password.
+   * After sending, use `verify()` with the token from the link.
+   *
+   * @param params - Email address to send the magic link to
+   */
+  async sendMagicLink(params) {
+    if (!params.email) throw new BioError("email is required", "validation_error");
+    const response = await this.fetchWithRetry(
+      "POST",
+      `${this.bioIdUrl}/api/embed/magic-link`,
+      JSON.stringify({ email: params.email })
+    );
+    const json = await parseJsonResponse(response);
+    if (!response.ok) {
+      throw new BioError(
+        extractErrorMessage(json, response.status),
+        extractErrorCode(json),
+        response.status,
+        json
+      );
+    }
+  }
+  /**
+   * Verify a magic link token and exchange it for auth tokens.
+   *
+   * @param params - The token from the magic link
+   * @returns Access token, refresh token, user profile, and optional branding
+   */
+  async verify(params) {
+    if (!params.token) throw new BioError("token is required", "validation_error");
+    return this.embedRequest("/api/embed/verify", {
+      token: params.token
+    });
+  }
+  /**
+   * Refresh an expired access token using a refresh token.
+   *
+   * @param params - The refresh token to exchange
+   * @returns New access token, rotated refresh token, user profile, and optional branding
+   */
+  async refresh(params) {
+    if (!params.refreshToken) throw new BioError("refreshToken is required", "validation_error");
+    return this.embedRequest("/api/embed/refresh", {
+      refreshToken: params.refreshToken
+    });
+  }
+  /**
+   * Revoke a refresh token (logout).
+   *
+   * @param params - The refresh token to revoke
+   */
+  async logout(params) {
+    if (!params.refreshToken) throw new BioError("refreshToken is required", "validation_error");
+    const response = await this.fetchWithRetry(
+      "POST",
+      `${this.bioIdUrl}/api/embed/logout`,
+      JSON.stringify({ refreshToken: params.refreshToken })
+    );
+    const json = await parseJsonResponse(response);
+    if (!response.ok) {
+      throw new BioError(
+        extractErrorMessage(json, response.status),
+        extractErrorCode(json),
+        response.status,
+        json
+      );
+    }
+  }
+  // ── Private helpers ──────────────────────────────────────────────────────
+  async embedRequest(path, body) {
+    const response = await this.fetchWithRetry(
+      "POST",
+      `${this.bioIdUrl}${path}`,
+      JSON.stringify(body)
+    );
+    const json = await parseJsonResponse(response);
+    if (!response.ok) {
+      throw new BioError(
+        extractErrorMessage(json, response.status),
+        extractErrorCode(json),
+        response.status,
+        json
+      );
+    }
+    return mapEmbedResponse(json);
+  }
+  async fetchWithRetry(method, url, body, attempt = 0) {
+    try {
+      const response = await fetch(url, {
+        method,
+        headers: {
+          "Content-Type": "application/json",
+          "X-Client-Id": this.clientId,
+          "X-Client-Secret": this.clientSecret
+        },
+        body,
+        signal: AbortSignal.timeout(this.timeoutMs)
+      });
+      if (response.status >= 500 && attempt < this.retries) {
+        await sleep(retryDelay(attempt));
+        return this.fetchWithRetry(method, url, body, attempt + 1);
+      }
+      return response;
+    } catch (err) {
+      if (attempt < this.retries) {
+        await sleep(retryDelay(attempt));
+        return this.fetchWithRetry(method, url, body, attempt + 1);
+      }
+      const isTimeout = err instanceof DOMException && err.name === "TimeoutError";
+      throw new BioError(
+        isTimeout ? `Request timed out after ${this.timeoutMs}ms` : err instanceof Error ? err.message : "Network error",
+        isTimeout ? "timeout" : "network_error"
+      );
+    }
+  }
+};
+function mapEmbedResponse(raw) {
+  const data = raw.data ?? raw;
+  const rawUser = data.user ?? {};
+  const rawBranding = data.branding;
+  const user = {
+    bioId: rawUser.bioId,
+    email: rawUser.email,
+    name: rawUser.name,
+    orgSlug: rawUser.orgSlug
+  };
+  const result = {
+    accessToken: data.access_token,
+    refreshToken: data.refresh_token,
+    tokenType: data.token_type ?? "Bearer",
+    expiresIn: data.expires_in,
+    user
+  };
+  if (rawBranding) {
+    result.branding = {
+      displayName: rawBranding.displayName,
+      logoUrl: rawBranding.logoUrl,
+      logoMarkUrl: rawBranding.logoMarkUrl,
+      primaryColor: rawBranding.primaryColor,
+      secondaryColor: rawBranding.secondaryColor,
+      verified: rawBranding.verified,
+      whiteLabelApproved: rawBranding.whiteLabelApproved
+    };
+  }
+  return result;
+}
+function extractErrorMessage(json, status) {
+  const error = json.error;
+  if (typeof error === "object" && error !== null) {
+    return error.message ?? `Embed API returned ${status}`;
+  }
+  if (typeof error === "string") {
+    return error;
+  }
+  return `Embed API returned ${status}`;
+}
+function extractErrorCode(json) {
+  const error = json.error;
+  if (typeof error === "object" && error !== null) {
+    return error.code ?? "embed_error";
+  }
+  return "embed_error";
+}
+
 // src/jwt.ts
 import crypto3 from "crypto";
 var DEFAULT_ISSUERS = [
@@ -668,6 +922,8 @@ export {
   BioAdmin,
   BioAuth,
   BioError,
+  EmbedClient,
+  GraphClient,
   decodeToken,
   generatePKCE,
   isTokenExpired,