@insureco/bio 0.5.0 → 0.8.0

package/dist/{chunk-PLN6QPED.mjs → chunk-CKHMGUDP.mjs}

@@ -64,7 +64,48 @@ var GraphClient = class _GraphClient {
   async matchAppetite(input) {
     return this.post("/api/graph/appetite/match", input, { requiresAuth: true });
   }
+  // ─── Verification Routes (auth required, gas-metered) ─────────────────────
+  /**
+   * Verify an agent's license for a given state and line of business.
+   * Returns validity, license number, expiry, and a Septor proof hash.
+   */
+  async verifyLicense(input) {
+    return this.post("/api/graph/verify/license", input, { requiresAuth: true });
+  }
+  /**
+   * Verify an agent's appointment with a carrier.
+   * Returns validity, appointed date, states, and a Septor proof hash.
+   */
+  async verifyAppointment(input) {
+    return this.post("/api/graph/verify/appointment", input, { requiresAuth: true });
+  }
+  /**
+   * Get the distribution chain for an entity (agent → agency → MGA → carrier).
+   * Requires an accessToken (auth: required).
+   */
+  async getChain(entityId) {
+    return this.getAuth(`/api/graph/chain/${encodeURIComponent(entityId)}`);
+  }
+  /**
+   * Search across Agent, Agency, MGA, and Carrier nodes.
+   * Public route — no auth required.
+   */
+  async search(query, options) {
+    const params = new URLSearchParams({ q: query });
+    if (options?.limit) params.set("limit", String(options.limit));
+    if (options?.types?.length) params.set("types", options.types.join(","));
+    return this.get(`/api/graph/search?${params.toString()}`);
+  }
   // ─── Internal ─────────────────────────────────────────────────────────────
+  async getAuth(path) {
+    if (!this.accessToken) {
+      throw new BioError(
+        `bio-graph ${path} requires an accessToken \u2014 pass it in the GraphClient constructor`,
+        "config_error"
+      );
+    }
+    return this.get(path);
+  }
   async get(path, attempt = 0) {
     const url = `${this.graphUrl}${path}`;
     const controller = new AbortController();

package/dist/chunk-UBURAGWI.mjs

@@ -0,0 +1,154 @@
+// src/passport-client.ts
+var PassportClient = class {
+  config;
+  ws = null;
+  _passport = null;
+  _status = "disconnected";
+  reconnectAttempt = 0;
+  reconnectTimer = null;
+  listeners = /* @__PURE__ */ new Map();
+  closed = false;
+  constructor(config) {
+    this.config = {
+      autoReconnect: true,
+      maxReconnectDelay: 3e4,
+      ...config
+    };
+  }
+  /** Current passport object (null until first identity message) */
+  get passport() {
+    return this._passport;
+  }
+  /** Current connection status */
+  get status() {
+    return this._status;
+  }
+  /** Connect to the passport WebSocket */
+  connect() {
+    if (this.closed) return;
+    this.setStatus("connecting");
+    const url = new URL("/passport", this.config.bioIdUrl.replace(/^http/, "ws"));
+    url.searchParams.set("token", this.config.accessToken);
+    url.searchParams.set("version", "1");
+    if (this.config.service) {
+      url.searchParams.set("service", this.config.service);
+    }
+    this.ws = new WebSocket(url.toString());
+    this.ws.onopen = () => {
+      this.reconnectAttempt = 0;
+      this.setStatus("connected");
+      this.emit("connected", this._status);
+    };
+    this.ws.onmessage = (event) => {
+      try {
+        const data = JSON.parse(
+          typeof event.data === "string" ? event.data : ""
+        );
+        if (data.type === "identity" || data.type === "passport_updated") {
+          this._passport = data.passport ?? null;
+          this.emit(data.type, this._passport);
+        } else if (data.type === "revoked") {
+          this._passport = null;
+          this.emit("revoked");
+        }
+      } catch {
+      }
+    };
+    this.ws.onclose = (event) => {
+      this.setStatus("disconnected");
+      this.emit("disconnected", this._status);
+      if (event?.code === 4003 && this.config.refreshToken && this.config.bioAuth) {
+        this.handleTokenRefresh();
+        return;
+      }
+      this.scheduleReconnect();
+    };
+    this.ws.onerror = () => {
+      const error = new Error("Passport WebSocket error");
+      this.emit("error", error);
+    };
+  }
+  /** Subscribe to an event */
+  on(event, handler) {
+    if (!this.listeners.has(event)) {
+      this.listeners.set(event, /* @__PURE__ */ new Set());
+    }
+    this.listeners.get(event).add(handler);
+  }
+  /** Unsubscribe from an event */
+  off(event, handler) {
+    this.listeners.get(event)?.delete(handler);
+  }
+  /** Disconnect and stop reconnecting */
+  close() {
+    this.closed = true;
+    if (this.reconnectTimer) {
+      clearTimeout(this.reconnectTimer);
+      this.reconnectTimer = null;
+    }
+    if (this.ws) {
+      this.ws.onclose = null;
+      this.ws.close();
+      this.ws = null;
+    }
+    this.setStatus("disconnected");
+  }
+  /** Update access token (e.g. after refresh) and reconnect */
+  updateToken(accessToken) {
+    this.config.accessToken = accessToken;
+    if (this.ws) {
+      this.ws.onclose = null;
+      this.ws.close();
+      this.ws = null;
+    }
+    this.reconnectAttempt = 0;
+    this.connect();
+  }
+  async handleTokenRefresh() {
+    if (!this.config.refreshToken || !this.config.bioAuth) return;
+    try {
+      const tokens = await this.config.bioAuth.refreshToken(this.config.refreshToken);
+      this.config.accessToken = tokens.access_token;
+      if (tokens.refresh_token) {
+        this.config.refreshToken = tokens.refresh_token;
+      }
+      if (this.config.onTokenRefresh) {
+        this.config.onTokenRefresh(tokens);
+      }
+      this.reconnectAttempt = 0;
+      this.connect();
+    } catch {
+      this.emit("error", new Error("Token refresh failed"));
+    }
+  }
+  setStatus(status) {
+    this._status = status;
+  }
+  emit(event, ...args) {
+    const handlers = this.listeners.get(event);
+    if (handlers) {
+      for (const handler of handlers) {
+        try {
+          handler(...args);
+        } catch {
+        }
+      }
+    }
+  }
+  scheduleReconnect() {
+    if (this.closed || !this.config.autoReconnect) return;
+    const delay = Math.min(
+      1e3 * Math.pow(2, this.reconnectAttempt),
+      this.config.maxReconnectDelay ?? 3e4
+    );
+    this.reconnectAttempt++;
+    this.reconnectTimer = setTimeout(() => {
+      this.reconnectTimer = null;
+      this.connect();
+    }, delay);
+  }
+};
+
+export {
+  PassportClient
+};

package/dist/graph.d.mts

@@ -136,6 +136,57 @@ interface AppetiteMatchResult {
     programs: AppetiteMatchProgram[];
     total: number;
 }
+interface VerifyLicenseInput {
+    npn: string;
+    state: string;
+    lob: string;
+}
+interface LicenseVerifyResult {
+    valid: boolean;
+    licenseNumber: string | null;
+    expiry: string | null;
+    septorProof: string;
+}
+interface VerifyAppointmentInput {
+    npn: string;
+    carrierNaic: string;
+}
+interface AppointmentVerifyResult {
+    valid: boolean;
+    appointedDate: string | null;
+    states: string[];
+    septorProof: string;
+}
+interface GraphChainNode {
+    id: string;
+    type: string;
+    label: string;
+}
+interface GraphChainEdge {
+    source: string;
+    target: string;
+    type: string;
+}
+interface GraphChainResult {
+    nodes: GraphChainNode[];
+    edges: GraphChainEdge[];
+}
+interface GraphSearchOptions {
+    limit?: number;
+    types?: string[];
+}
+interface GraphSearchResultItem {
+    type: string;
+    iecHash: string;
+    name: string;
+    npn?: string;
+    naic?: string;
+    orgSlug?: string;
+}
+interface GraphSearchResult {
+    results: GraphSearchResultItem[];
+    total: number;
+}
 /**
  * Client for bio-graph InsureBio distribution graph endpoints.
  *
@@ -195,10 +246,31 @@ declare class GraphClient {
      * @param input - Risk criteria: NAICS code, state, line of business, optional limits
      */
     matchAppetite(input: AppetiteMatchInput): Promise<AppetiteMatchResult>;
+    /**
+     * Verify an agent's license for a given state and line of business.
+     * Returns validity, license number, expiry, and a Septor proof hash.
+     */
+    verifyLicense(input: VerifyLicenseInput): Promise<LicenseVerifyResult>;
+    /**
+     * Verify an agent's appointment with a carrier.
+     * Returns validity, appointed date, states, and a Septor proof hash.
+     */
+    verifyAppointment(input: VerifyAppointmentInput): Promise<AppointmentVerifyResult>;
+    /**
+     * Get the distribution chain for an entity (agent → agency → MGA → carrier).
+     * Requires an accessToken (auth: required).
+     */
+    getChain(entityId: string): Promise<GraphChainResult>;
+    /**
+     * Search across Agent, Agency, MGA, and Carrier nodes.
+     * Public route — no auth required.
+     */
+    search(query: string, options?: GraphSearchOptions): Promise<GraphSearchResult>;
+    private getAuth;
     private get;
     private post;
     private buildHeaders;
     private handleResponse;
 }
 
-export { type AgencyProfile, type AgencyProgram, type AgencyStaffMember, type AgentEmployer, type AgentProfile, type AppetiteMatchInput, type AppetiteMatchProgram, type AppetiteMatchResult, type CarrierProfile, type CarrierProgram, GraphClient, type GraphClientConfig, type ProgramProfile };
+export { type AgencyProfile, type AgencyProgram, type AgencyStaffMember, type AgentEmployer, type AgentProfile, type AppetiteMatchInput, type AppetiteMatchProgram, type AppetiteMatchResult, type AppointmentVerifyResult, type CarrierProfile, type CarrierProgram, type GraphChainEdge, type GraphChainNode, type GraphChainResult, GraphClient, type GraphClientConfig, type GraphSearchOptions, type GraphSearchResult, type GraphSearchResultItem, type LicenseVerifyResult, type ProgramProfile, type VerifyAppointmentInput, type VerifyLicenseInput };

package/dist/graph.d.ts

@@ -136,6 +136,57 @@ interface AppetiteMatchResult {
     programs: AppetiteMatchProgram[];
     total: number;
 }
+interface VerifyLicenseInput {
+    npn: string;
+    state: string;
+    lob: string;
+}
+interface LicenseVerifyResult {
+    valid: boolean;
+    licenseNumber: string | null;
+    expiry: string | null;
+    septorProof: string;
+}
+interface VerifyAppointmentInput {
+    npn: string;
+    carrierNaic: string;
+}
+interface AppointmentVerifyResult {
+    valid: boolean;
+    appointedDate: string | null;
+    states: string[];
+    septorProof: string;
+}
+interface GraphChainNode {
+    id: string;
+    type: string;
+    label: string;
+}
+interface GraphChainEdge {
+    source: string;
+    target: string;
+    type: string;
+}
+interface GraphChainResult {
+    nodes: GraphChainNode[];
+    edges: GraphChainEdge[];
+}
+interface GraphSearchOptions {
+    limit?: number;
+    types?: string[];
+}
+interface GraphSearchResultItem {
+    type: string;
+    iecHash: string;
+    name: string;
+    npn?: string;
+    naic?: string;
+    orgSlug?: string;
+}
+interface GraphSearchResult {
+    results: GraphSearchResultItem[];
+    total: number;
+}
 /**
  * Client for bio-graph InsureBio distribution graph endpoints.
  *
@@ -195,10 +246,31 @@ declare class GraphClient {
      * @param input - Risk criteria: NAICS code, state, line of business, optional limits
      */
     matchAppetite(input: AppetiteMatchInput): Promise<AppetiteMatchResult>;
+    /**
+     * Verify an agent's license for a given state and line of business.
+     * Returns validity, license number, expiry, and a Septor proof hash.
+     */
+    verifyLicense(input: VerifyLicenseInput): Promise<LicenseVerifyResult>;
+    /**
+     * Verify an agent's appointment with a carrier.
+     * Returns validity, appointed date, states, and a Septor proof hash.
+     */
+    verifyAppointment(input: VerifyAppointmentInput): Promise<AppointmentVerifyResult>;
+    /**
+     * Get the distribution chain for an entity (agent → agency → MGA → carrier).
+     * Requires an accessToken (auth: required).
+     */
+    getChain(entityId: string): Promise<GraphChainResult>;
+    /**
+     * Search across Agent, Agency, MGA, and Carrier nodes.
+     * Public route — no auth required.
+     */
+    search(query: string, options?: GraphSearchOptions): Promise<GraphSearchResult>;
+    private getAuth;
     private get;
     private post;
     private buildHeaders;
     private handleResponse;
 }
 
-export { type AgencyProfile, type AgencyProgram, type AgencyStaffMember, type AgentEmployer, type AgentProfile, type AppetiteMatchInput, type AppetiteMatchProgram, type AppetiteMatchResult, type CarrierProfile, type CarrierProgram, GraphClient, type GraphClientConfig, type ProgramProfile };
+export { type AgencyProfile, type AgencyProgram, type AgencyStaffMember, type AgentEmployer, type AgentProfile, type AppetiteMatchInput, type AppetiteMatchProgram, type AppetiteMatchResult, type AppointmentVerifyResult, type CarrierProfile, type CarrierProgram, type GraphChainEdge, type GraphChainNode, type GraphChainResult, GraphClient, type GraphClientConfig, type GraphSearchOptions, type GraphSearchResult, type GraphSearchResultItem, type LicenseVerifyResult, type ProgramProfile, type VerifyAppointmentInput, type VerifyLicenseInput };

package/dist/graph.js

@@ -120,7 +120,48 @@ var GraphClient = class _GraphClient {
   async matchAppetite(input) {
     return this.post("/api/graph/appetite/match", input, { requiresAuth: true });
   }
+  // ─── Verification Routes (auth required, gas-metered) ─────────────────────
+  /**
+   * Verify an agent's license for a given state and line of business.
+   * Returns validity, license number, expiry, and a Septor proof hash.
+   */
+  async verifyLicense(input) {
+    return this.post("/api/graph/verify/license", input, { requiresAuth: true });
+  }
+  /**
+   * Verify an agent's appointment with a carrier.
+   * Returns validity, appointed date, states, and a Septor proof hash.
+   */
+  async verifyAppointment(input) {
+    return this.post("/api/graph/verify/appointment", input, { requiresAuth: true });
+  }
+  /**
+   * Get the distribution chain for an entity (agent → agency → MGA → carrier).
+   * Requires an accessToken (auth: required).
+   */
+  async getChain(entityId) {
+    return this.getAuth(`/api/graph/chain/${encodeURIComponent(entityId)}`);
+  }
+  /**
+   * Search across Agent, Agency, MGA, and Carrier nodes.
+   * Public route — no auth required.
+   */
+  async search(query, options) {
+    const params = new URLSearchParams({ q: query });
+    if (options?.limit) params.set("limit", String(options.limit));
+    if (options?.types?.length) params.set("types", options.types.join(","));
+    return this.get(`/api/graph/search?${params.toString()}`);
+  }
   // ─── Internal ─────────────────────────────────────────────────────────────
+  async getAuth(path) {
+    if (!this.accessToken) {
+      throw new BioError(
+        `bio-graph ${path} requires an accessToken \u2014 pass it in the GraphClient constructor`,
+        "config_error"
+      );
+    }
+    return this.get(path);
+  }
   async get(path, attempt = 0) {
     const url = `${this.graphUrl}${path}`;
     const controller = new AbortController();

package/dist/graph.mjs

@@ -1,6 +1,6 @@
 import {
   GraphClient
-} from "./chunk-PLN6QPED.mjs";
+} from "./chunk-CKHMGUDP.mjs";
 import "./chunk-NK5VXXWF.mjs";
 export {
   GraphClient

package/dist/index.d.mts

@@ -1,6 +1,8 @@
-import { B as BioAuthConfig, A as AuthorizeOptions, a as AuthorizeResult, T as TokenResponse, b as BioUser, I as IntrospectResult, c as BioAdminConfig, U as UserFilters, d as UpdateUserData, e as BioDepartment, C as CreateDepartmentData, f as BioRole, g as CreateRoleData, h as BioOAuthClient, i as CreateClientData, j as BioTokenPayload, V as VerifyOptions, J as JWKSVerifyOptions } from './types-Dkb-drHZ.mjs';
-export { k as AdminResponse, l as BioAddress, m as BioClientTokenPayload, n as BioMessaging, o as BioUsersConfig, O as OrgMember, p as OrgMemberFilters, q as OrgMembersResult } from './types-Dkb-drHZ.mjs';
-export { AgencyProfile, AgencyProgram, AgencyStaffMember, AgentEmployer, AgentProfile, AppetiteMatchInput, AppetiteMatchProgram, AppetiteMatchResult, CarrierProfile, CarrierProgram, GraphClient, GraphClientConfig, ProgramProfile } from './graph.mjs';
+import { b as BioAuthConfig, A as AuthorizeOptions, c as AuthorizeResult, S as SilentAuthOptions, T as TokenResponse, d as BioUser, I as IntrospectResult, e as BioAdminConfig, U as UserFilters, f as UpdateUserData, g as BioDepartment, C as CreateDepartmentData, h as BioRole, i as CreateRoleData, j as BioOAuthClient, k as CreateClientData, E as EmbedClientConfig, l as EmbedLoginParams, m as EmbedAuthResult, n as EmbedSignupParams, o as EmbedMagicLinkParams, p as EmbedVerifyParams, q as EmbedRefreshParams, r as EmbedLogoutParams, s as BioTokenPayload, V as VerifyOptions, J as JWKSVerifyOptions } from './types-DOpXwdF2.mjs';
+export { t as AdminResponse, u as BioAddress, v as BioClientTokenPayload, w as BioMessaging, B as BioUsersConfig, x as EmbedBranding, y as EmbedUser, z as OrgMember, O as OrgMemberFilters, a as OrgMembersResult, D as ServiceRole } from './types-DOpXwdF2.mjs';
+export { AgencyProfile, AgencyProgram, AgencyStaffMember, AgentEmployer, AgentProfile, AppetiteMatchInput, AppetiteMatchProgram, AppetiteMatchResult, AppointmentVerifyResult, CarrierProfile, CarrierProgram, GraphChainEdge, GraphChainNode, GraphChainResult, GraphClient, GraphClientConfig, GraphSearchOptions, GraphSearchResult, GraphSearchResultItem, LicenseVerifyResult, ProgramProfile, VerifyAppointmentInput, VerifyLicenseInput } from './graph.mjs';
+export { PassportClient } from './passport.mjs';
+export { P as Passport, b as PassportBranding, c as PassportClientConfig, d as PassportCrossOrgPermission, e as PassportEventType, f as PassportMessage, g as PassportServiceGrant, h as PassportSession, a as PassportStatus, i as PassportTokenRefresher, j as PassportVillage } from './passport-types-bPgjNxv-.mjs';
 
 /**
  * OAuth flow client for Bio-ID SSO.
@@ -28,6 +30,14 @@ declare class BioAuth {
      * Store the state and codeVerifier securely (e.g. in a cookie) for the callback.
      */
     getAuthorizationUrl(opts: AuthorizeOptions): AuthorizeResult;
+    /**
+     * Build an authorization URL with prompt=none for silent authentication.
+     *
+     * Useful for checking if the user has an existing session without showing
+     * a login screen. If the user is not authenticated, Bio-ID redirects back
+     * with an `error=login_required` query parameter instead of showing UI.
+     */
+    silentAuth(opts: SilentAuthOptions): AuthorizeResult;
     /**
      * Exchange an authorization code for tokens.
      *
@@ -105,6 +115,91 @@ declare class BioAdmin {
     private request;
 }
 
+/**
+ * Client for Bio-ID headless embed endpoints.
+ *
+ * Use this when building custom login/signup UIs that authenticate
+ * directly against Bio-ID without redirects (no OAuth flow).
+ *
+ * All endpoints use X-Client-Id / X-Client-Secret header auth.
+ *
+ * @example
+ * ```typescript
+ * import { EmbedClient } from '@insureco/bio'
+ *
+ * const embed = EmbedClient.fromEnv()
+ *
+ * // Login
+ * const result = await embed.login({ email: 'user@example.com', password: 'secret' })
+ * console.log(result.accessToken, result.user.bioId)
+ *
+ * // Refresh
+ * const refreshed = await embed.refresh({ refreshToken: result.refreshToken })
+ *
+ * // Logout
+ * await embed.logout({ refreshToken: result.refreshToken })
+ * ```
+ */
+declare class EmbedClient {
+    private readonly bioIdUrl;
+    private readonly clientId;
+    private readonly clientSecret;
+    private readonly retries;
+    private readonly timeoutMs;
+    constructor(config: EmbedClientConfig);
+    /**
+     * Create an EmbedClient from environment variables.
+     *
+     * Reads: BIO_CLIENT_ID, BIO_CLIENT_SECRET, BIO_ID_URL
+     */
+    static fromEnv(overrides?: Partial<EmbedClientConfig>): EmbedClient;
+    /**
+     * Authenticate a user with email and password.
+     *
+     * @param params - Email and password
+     * @returns Access token, refresh token, user profile, and optional branding
+     */
+    login(params: EmbedLoginParams): Promise<EmbedAuthResult>;
+    /**
+     * Create a new user account.
+     *
+     * @param params - Email, password, name, and optional invite token
+     * @returns Access token, refresh token, user profile, and optional branding
+     */
+    signup(params: EmbedSignupParams): Promise<EmbedAuthResult>;
+    /**
+     * Send a magic link email to the user.
+     *
+     * The user clicks the link to authenticate without a password.
+     * After sending, use `verify()` with the token from the link.
+     *
+     * @param params - Email address to send the magic link to
+     */
+    sendMagicLink(params: EmbedMagicLinkParams): Promise<void>;
+    /**
+     * Verify a magic link token and exchange it for auth tokens.
+     *
+     * @param params - The token from the magic link
+     * @returns Access token, refresh token, user profile, and optional branding
+     */
+    verify(params: EmbedVerifyParams): Promise<EmbedAuthResult>;
+    /**
+     * Refresh an expired access token using a refresh token.
+     *
+     * @param params - The refresh token to exchange
+     * @returns New access token, rotated refresh token, user profile, and optional branding
+     */
+    refresh(params: EmbedRefreshParams): Promise<EmbedAuthResult>;
+    /**
+     * Revoke a refresh token (logout).
+     *
+     * @param params - The refresh token to revoke
+     */
+    logout(params: EmbedLogoutParams): Promise<void>;
+    private embedRequest;
+    private fetchWithRetry;
+}
+
 /** Error thrown by Bio SDK operations */
 declare class BioError extends Error {
     /** HTTP status code (if from an API response) */
@@ -155,4 +250,4 @@ declare function isTokenExpired(token: string, bufferSeconds?: number): boolean;
  */
 declare function verifyTokenJWKS(token: string, options?: JWKSVerifyOptions): Promise<BioTokenPayload>;
 
-export { AuthorizeOptions, AuthorizeResult, BioAdmin, BioAdminConfig, BioAuth, BioAuthConfig, BioDepartment, BioError, BioOAuthClient, BioRole, BioTokenPayload, BioUser, CreateClientData, CreateDepartmentData, CreateRoleData, IntrospectResult, JWKSVerifyOptions, TokenResponse, UpdateUserData, UserFilters, VerifyOptions, decodeToken, generatePKCE, isTokenExpired, verifyToken, verifyTokenJWKS };
+export { AuthorizeOptions, AuthorizeResult, BioAdmin, BioAdminConfig, BioAuth, BioAuthConfig, BioDepartment, BioError, BioOAuthClient, BioRole, BioTokenPayload, BioUser, CreateClientData, CreateDepartmentData, CreateRoleData, EmbedAuthResult, EmbedClient, EmbedClientConfig, EmbedLoginParams, EmbedLogoutParams, EmbedMagicLinkParams, EmbedRefreshParams, EmbedSignupParams, EmbedVerifyParams, IntrospectResult, JWKSVerifyOptions, SilentAuthOptions, TokenResponse, UpdateUserData, UserFilters, VerifyOptions, decodeToken, generatePKCE, isTokenExpired, verifyToken, verifyTokenJWKS };