@insureco/bio 0.5.0 → 0.8.0

package/dist/index.d.ts

@@ -1,6 +1,8 @@
-import { B as BioAuthConfig, A as AuthorizeOptions, a as AuthorizeResult, T as TokenResponse, b as BioUser, I as IntrospectResult, c as BioAdminConfig, U as UserFilters, d as UpdateUserData, e as BioDepartment, C as CreateDepartmentData, f as BioRole, g as CreateRoleData, h as BioOAuthClient, i as CreateClientData, j as BioTokenPayload, V as VerifyOptions, J as JWKSVerifyOptions } from './types-Dkb-drHZ.js';
-export { k as AdminResponse, l as BioAddress, m as BioClientTokenPayload, n as BioMessaging, o as BioUsersConfig, O as OrgMember, p as OrgMemberFilters, q as OrgMembersResult } from './types-Dkb-drHZ.js';
-export { AgencyProfile, AgencyProgram, AgencyStaffMember, AgentEmployer, AgentProfile, AppetiteMatchInput, AppetiteMatchProgram, AppetiteMatchResult, CarrierProfile, CarrierProgram, GraphClient, GraphClientConfig, ProgramProfile } from './graph.js';
+import { b as BioAuthConfig, A as AuthorizeOptions, c as AuthorizeResult, S as SilentAuthOptions, T as TokenResponse, d as BioUser, I as IntrospectResult, e as BioAdminConfig, U as UserFilters, f as UpdateUserData, g as BioDepartment, C as CreateDepartmentData, h as BioRole, i as CreateRoleData, j as BioOAuthClient, k as CreateClientData, E as EmbedClientConfig, l as EmbedLoginParams, m as EmbedAuthResult, n as EmbedSignupParams, o as EmbedMagicLinkParams, p as EmbedVerifyParams, q as EmbedRefreshParams, r as EmbedLogoutParams, s as BioTokenPayload, V as VerifyOptions, J as JWKSVerifyOptions } from './types-DOpXwdF2.js';
+export { t as AdminResponse, u as BioAddress, v as BioClientTokenPayload, w as BioMessaging, B as BioUsersConfig, x as EmbedBranding, y as EmbedUser, z as OrgMember, O as OrgMemberFilters, a as OrgMembersResult, D as ServiceRole } from './types-DOpXwdF2.js';
+export { AgencyProfile, AgencyProgram, AgencyStaffMember, AgentEmployer, AgentProfile, AppetiteMatchInput, AppetiteMatchProgram, AppetiteMatchResult, AppointmentVerifyResult, CarrierProfile, CarrierProgram, GraphChainEdge, GraphChainNode, GraphChainResult, GraphClient, GraphClientConfig, GraphSearchOptions, GraphSearchResult, GraphSearchResultItem, LicenseVerifyResult, ProgramProfile, VerifyAppointmentInput, VerifyLicenseInput } from './graph.js';
+export { PassportClient } from './passport.js';
+export { P as Passport, b as PassportBranding, c as PassportClientConfig, d as PassportCrossOrgPermission, e as PassportEventType, f as PassportMessage, g as PassportServiceGrant, h as PassportSession, a as PassportStatus, i as PassportTokenRefresher, j as PassportVillage } from './passport-types-bPgjNxv-.js';
 
 /**
  * OAuth flow client for Bio-ID SSO.
@@ -28,6 +30,14 @@ declare class BioAuth {
      * Store the state and codeVerifier securely (e.g. in a cookie) for the callback.
      */
     getAuthorizationUrl(opts: AuthorizeOptions): AuthorizeResult;
+    /**
+     * Build an authorization URL with prompt=none for silent authentication.
+     *
+     * Useful for checking if the user has an existing session without showing
+     * a login screen. If the user is not authenticated, Bio-ID redirects back
+     * with an `error=login_required` query parameter instead of showing UI.
+     */
+    silentAuth(opts: SilentAuthOptions): AuthorizeResult;
     /**
      * Exchange an authorization code for tokens.
      *
@@ -105,6 +115,91 @@ declare class BioAdmin {
     private request;
 }
 
+/**
+ * Client for Bio-ID headless embed endpoints.
+ *
+ * Use this when building custom login/signup UIs that authenticate
+ * directly against Bio-ID without redirects (no OAuth flow).
+ *
+ * All endpoints use X-Client-Id / X-Client-Secret header auth.
+ *
+ * @example
+ * ```typescript
+ * import { EmbedClient } from '@insureco/bio'
+ *
+ * const embed = EmbedClient.fromEnv()
+ *
+ * // Login
+ * const result = await embed.login({ email: 'user@example.com', password: 'secret' })
+ * console.log(result.accessToken, result.user.bioId)
+ *
+ * // Refresh
+ * const refreshed = await embed.refresh({ refreshToken: result.refreshToken })
+ *
+ * // Logout
+ * await embed.logout({ refreshToken: result.refreshToken })
+ * ```
+ */
+declare class EmbedClient {
+    private readonly bioIdUrl;
+    private readonly clientId;
+    private readonly clientSecret;
+    private readonly retries;
+    private readonly timeoutMs;
+    constructor(config: EmbedClientConfig);
+    /**
+     * Create an EmbedClient from environment variables.
+     *
+     * Reads: BIO_CLIENT_ID, BIO_CLIENT_SECRET, BIO_ID_URL
+     */
+    static fromEnv(overrides?: Partial<EmbedClientConfig>): EmbedClient;
+    /**
+     * Authenticate a user with email and password.
+     *
+     * @param params - Email and password
+     * @returns Access token, refresh token, user profile, and optional branding
+     */
+    login(params: EmbedLoginParams): Promise<EmbedAuthResult>;
+    /**
+     * Create a new user account.
+     *
+     * @param params - Email, password, name, and optional invite token
+     * @returns Access token, refresh token, user profile, and optional branding
+     */
+    signup(params: EmbedSignupParams): Promise<EmbedAuthResult>;
+    /**
+     * Send a magic link email to the user.
+     *
+     * The user clicks the link to authenticate without a password.
+     * After sending, use `verify()` with the token from the link.
+     *
+     * @param params - Email address to send the magic link to
+     */
+    sendMagicLink(params: EmbedMagicLinkParams): Promise<void>;
+    /**
+     * Verify a magic link token and exchange it for auth tokens.
+     *
+     * @param params - The token from the magic link
+     * @returns Access token, refresh token, user profile, and optional branding
+     */
+    verify(params: EmbedVerifyParams): Promise<EmbedAuthResult>;
+    /**
+     * Refresh an expired access token using a refresh token.
+     *
+     * @param params - The refresh token to exchange
+     * @returns New access token, rotated refresh token, user profile, and optional branding
+     */
+    refresh(params: EmbedRefreshParams): Promise<EmbedAuthResult>;
+    /**
+     * Revoke a refresh token (logout).
+     *
+     * @param params - The refresh token to revoke
+     */
+    logout(params: EmbedLogoutParams): Promise<void>;
+    private embedRequest;
+    private fetchWithRetry;
+}
+
 /** Error thrown by Bio SDK operations */
 declare class BioError extends Error {
     /** HTTP status code (if from an API response) */
@@ -155,4 +250,4 @@ declare function isTokenExpired(token: string, bufferSeconds?: number): boolean;
  */
 declare function verifyTokenJWKS(token: string, options?: JWKSVerifyOptions): Promise<BioTokenPayload>;
 
-export { AuthorizeOptions, AuthorizeResult, BioAdmin, BioAdminConfig, BioAuth, BioAuthConfig, BioDepartment, BioError, BioOAuthClient, BioRole, BioTokenPayload, BioUser, CreateClientData, CreateDepartmentData, CreateRoleData, IntrospectResult, JWKSVerifyOptions, TokenResponse, UpdateUserData, UserFilters, VerifyOptions, decodeToken, generatePKCE, isTokenExpired, verifyToken, verifyTokenJWKS };
+export { AuthorizeOptions, AuthorizeResult, BioAdmin, BioAdminConfig, BioAuth, BioAuthConfig, BioDepartment, BioError, BioOAuthClient, BioRole, BioTokenPayload, BioUser, CreateClientData, CreateDepartmentData, CreateRoleData, EmbedAuthResult, EmbedClient, EmbedClientConfig, EmbedLoginParams, EmbedLogoutParams, EmbedMagicLinkParams, EmbedRefreshParams, EmbedSignupParams, EmbedVerifyParams, IntrospectResult, JWKSVerifyOptions, SilentAuthOptions, TokenResponse, UpdateUserData, UserFilters, VerifyOptions, decodeToken, generatePKCE, isTokenExpired, verifyToken, verifyTokenJWKS };

package/dist/index.js

@@ -33,7 +33,9 @@ __export(index_exports, {
   BioAdmin: () => BioAdmin,
   BioAuth: () => BioAuth,
   BioError: () => BioError,
+  EmbedClient: () => EmbedClient,
   GraphClient: () => GraphClient,
+  PassportClient: () => PassportClient,
   decodeToken: () => decodeToken,
   generatePKCE: () => generatePKCE,
   isTokenExpired: () => isTokenExpired,
@@ -171,6 +173,23 @@ var BioAuth = class _BioAuth {
       codeChallenge
     };
   }
+  /**
+   * Build an authorization URL with prompt=none for silent authentication.
+   *
+   * Useful for checking if the user has an existing session without showing
+   * a login screen. If the user is not authenticated, Bio-ID redirects back
+   * with an `error=login_required` query parameter instead of showing UI.
+   */
+  silentAuth(opts) {
+    const result = this.getAuthorizationUrl({
+      redirectUri: opts.redirectUri,
+      scopes: opts.scopes,
+      state: opts.state
+    });
+    const url = new URL(result.url);
+    url.searchParams.set("prompt", "none");
+    return { ...result, url: url.toString() };
+  }
   /**
    * Exchange an authorization code for tokens.
    *
@@ -586,6 +605,257 @@ var BioAdmin = class _BioAdmin {
   }
 };
 
+// src/embed.ts
+var DEFAULT_BIO_URL = "https://bio.tawa.pro";
+var DEFAULT_TIMEOUT_MS3 = 1e4;
+var EmbedClient = class _EmbedClient {
+  bioIdUrl;
+  clientId;
+  clientSecret;
+  retries;
+  timeoutMs;
+  constructor(config) {
+    if (!config.clientId) {
+      throw new BioError("clientId is required", "config_error");
+    }
+    if (!config.clientSecret) {
+      throw new BioError("clientSecret is required", "config_error");
+    }
+    this.clientId = config.clientId;
+    this.clientSecret = config.clientSecret;
+    this.bioIdUrl = (config.bioIdUrl ?? DEFAULT_BIO_URL).replace(/\/$/, "");
+    this.retries = config.retries ?? 2;
+    this.timeoutMs = config.timeoutMs ?? DEFAULT_TIMEOUT_MS3;
+  }
+  /**
+   * Create an EmbedClient from environment variables.
+   *
+   * Reads: BIO_CLIENT_ID, BIO_CLIENT_SECRET, BIO_ID_URL
+   */
+  static fromEnv(overrides) {
+    const clientId = overrides?.clientId ?? process.env.BIO_CLIENT_ID;
+    const clientSecret = overrides?.clientSecret ?? process.env.BIO_CLIENT_SECRET;
+    if (!clientId) {
+      throw new BioError(
+        "BIO_CLIENT_ID environment variable is required",
+        "config_error"
+      );
+    }
+    if (!clientSecret) {
+      throw new BioError(
+        "BIO_CLIENT_SECRET environment variable is required",
+        "config_error"
+      );
+    }
+    return new _EmbedClient({
+      clientId,
+      clientSecret,
+      bioIdUrl: overrides?.bioIdUrl ?? process.env.BIO_ID_URL,
+      retries: overrides?.retries,
+      timeoutMs: overrides?.timeoutMs
+    });
+  }
+  /**
+   * Authenticate a user with email and password.
+   *
+   * @param params - Email and password
+   * @returns Access token, refresh token, user profile, and optional branding
+   */
+  async login(params) {
+    if (!params.email) throw new BioError("email is required", "validation_error");
+    if (!params.password) throw new BioError("password is required", "validation_error");
+    return this.embedRequest("/api/embed/login", {
+      email: params.email,
+      password: params.password
+    });
+  }
+  /**
+   * Create a new user account.
+   *
+   * @param params - Email, password, name, and optional invite token
+   * @returns Access token, refresh token, user profile, and optional branding
+   */
+  async signup(params) {
+    if (!params.email) throw new BioError("email is required", "validation_error");
+    if (!params.password) throw new BioError("password is required", "validation_error");
+    if (!params.name) throw new BioError("name is required", "validation_error");
+    const body = {
+      email: params.email,
+      password: params.password,
+      name: params.name
+    };
+    if (params.inviteToken) {
+      body.inviteToken = params.inviteToken;
+    }
+    return this.embedRequest("/api/embed/signup", body);
+  }
+  /**
+   * Send a magic link email to the user.
+   *
+   * The user clicks the link to authenticate without a password.
+   * After sending, use `verify()` with the token from the link.
+   *
+   * @param params - Email address to send the magic link to
+   */
+  async sendMagicLink(params) {
+    if (!params.email) throw new BioError("email is required", "validation_error");
+    const response = await this.fetchWithRetry(
+      "POST",
+      `${this.bioIdUrl}/api/embed/magic-link`,
+      JSON.stringify({ email: params.email })
+    );
+    const json = await parseJsonResponse(response);
+    if (!response.ok) {
+      throw new BioError(
+        extractErrorMessage(json, response.status),
+        extractErrorCode(json),
+        response.status,
+        json
+      );
+    }
+  }
+  /**
+   * Verify a magic link token and exchange it for auth tokens.
+   *
+   * @param params - The token from the magic link
+   * @returns Access token, refresh token, user profile, and optional branding
+   */
+  async verify(params) {
+    if (!params.token) throw new BioError("token is required", "validation_error");
+    return this.embedRequest("/api/embed/verify", {
+      token: params.token
+    });
+  }
+  /**
+   * Refresh an expired access token using a refresh token.
+   *
+   * @param params - The refresh token to exchange
+   * @returns New access token, rotated refresh token, user profile, and optional branding
+   */
+  async refresh(params) {
+    if (!params.refreshToken) throw new BioError("refreshToken is required", "validation_error");
+    return this.embedRequest("/api/embed/refresh", {
+      refreshToken: params.refreshToken
+    });
+  }
+  /**
+   * Revoke a refresh token (logout).
+   *
+   * @param params - The refresh token to revoke
+   */
+  async logout(params) {
+    if (!params.refreshToken) throw new BioError("refreshToken is required", "validation_error");
+    const response = await this.fetchWithRetry(
+      "POST",
+      `${this.bioIdUrl}/api/embed/logout`,
+      JSON.stringify({ refreshToken: params.refreshToken })
+    );
+    const json = await parseJsonResponse(response);
+    if (!response.ok) {
+      throw new BioError(
+        extractErrorMessage(json, response.status),
+        extractErrorCode(json),
+        response.status,
+        json
+      );
+    }
+  }
+  // ── Private helpers ──────────────────────────────────────────────────────
+  async embedRequest(path, body) {
+    const response = await this.fetchWithRetry(
+      "POST",
+      `${this.bioIdUrl}${path}`,
+      JSON.stringify(body)
+    );
+    const json = await parseJsonResponse(response);
+    if (!response.ok) {
+      throw new BioError(
+        extractErrorMessage(json, response.status),
+        extractErrorCode(json),
+        response.status,
+        json
+      );
+    }
+    return mapEmbedResponse(json);
+  }
+  async fetchWithRetry(method, url, body, attempt = 0) {
+    try {
+      const response = await fetch(url, {
+        method,
+        headers: {
+          "Content-Type": "application/json",
+          "X-Client-Id": this.clientId,
+          "X-Client-Secret": this.clientSecret
+        },
+        body,
+        signal: AbortSignal.timeout(this.timeoutMs)
+      });
+      if (response.status >= 500 && attempt < this.retries) {
+        await sleep(retryDelay(attempt));
+        return this.fetchWithRetry(method, url, body, attempt + 1);
+      }
+      return response;
+    } catch (err) {
+      if (attempt < this.retries) {
+        await sleep(retryDelay(attempt));
+        return this.fetchWithRetry(method, url, body, attempt + 1);
+      }
+      const isTimeout = err instanceof DOMException && err.name === "TimeoutError";
+      throw new BioError(
+        isTimeout ? `Request timed out after ${this.timeoutMs}ms` : err instanceof Error ? err.message : "Network error",
+        isTimeout ? "timeout" : "network_error"
+      );
+    }
+  }
+};
+function mapEmbedResponse(raw) {
+  const data = raw.data ?? raw;
+  const rawUser = data.user ?? {};
+  const rawBranding = data.branding;
+  const user = {
+    bioId: rawUser.bioId,
+    email: rawUser.email,
+    name: rawUser.name,
+    orgSlug: rawUser.orgSlug
+  };
+  const result = {
+    accessToken: data.access_token,
+    refreshToken: data.refresh_token,
+    tokenType: data.token_type ?? "Bearer",
+    expiresIn: data.expires_in,
+    user
+  };
+  if (rawBranding) {
+    result.branding = {
+      displayName: rawBranding.displayName,
+      logoUrl: rawBranding.logoUrl,
+      logoMarkUrl: rawBranding.logoMarkUrl,
+      primaryColor: rawBranding.primaryColor,
+      secondaryColor: rawBranding.secondaryColor,
+      verified: rawBranding.verified,
+      whiteLabelApproved: rawBranding.whiteLabelApproved
+    };
+  }
+  return result;
+}
+function extractErrorMessage(json, status) {
+  const error = json.error;
+  if (typeof error === "object" && error !== null) {
+    return error.message ?? `Embed API returned ${status}`;
+  }
+  if (typeof error === "string") {
+    return error;
+  }
+  return `Embed API returned ${status}`;
+}
+function extractErrorCode(json) {
+  const error = json.error;
+  if (typeof error === "object" && error !== null) {
+    return error.code ?? "embed_error";
+  }
+  return "embed_error";
+}
+
 // src/jwt.ts
 var import_node_crypto3 = __toESM(require("crypto"));
 var DEFAULT_ISSUERS = [
@@ -740,7 +1010,7 @@ async function verifyTokenJWKS(token, options) {
 }
 
 // src/graph.ts
-var DEFAULT_TIMEOUT_MS3 = 1e4;
+var DEFAULT_TIMEOUT_MS4 = 1e4;
 var BIO_GRAPH_URL = "https://bio-graph.tawa.pro";
 var GraphClient = class _GraphClient {
   graphUrl;
@@ -749,7 +1019,7 @@ var GraphClient = class _GraphClient {
   constructor(config = {}) {
     this.graphUrl = (config.graphUrl ?? process.env.BIO_GRAPH_URL ?? BIO_GRAPH_URL).replace(/\/$/, "");
     this.accessToken = config.accessToken;
-    this.timeoutMs = config.timeoutMs ?? DEFAULT_TIMEOUT_MS3;
+    this.timeoutMs = config.timeoutMs ?? DEFAULT_TIMEOUT_MS4;
   }
   /**
    * Create a GraphClient from environment variables.
@@ -798,7 +1068,48 @@ var GraphClient = class _GraphClient {
   async matchAppetite(input) {
     return this.post("/api/graph/appetite/match", input, { requiresAuth: true });
   }
+  // ─── Verification Routes (auth required, gas-metered) ─────────────────────
+  /**
+   * Verify an agent's license for a given state and line of business.
+   * Returns validity, license number, expiry, and a Septor proof hash.
+   */
+  async verifyLicense(input) {
+    return this.post("/api/graph/verify/license", input, { requiresAuth: true });
+  }
+  /**
+   * Verify an agent's appointment with a carrier.
+   * Returns validity, appointed date, states, and a Septor proof hash.
+   */
+  async verifyAppointment(input) {
+    return this.post("/api/graph/verify/appointment", input, { requiresAuth: true });
+  }
+  /**
+   * Get the distribution chain for an entity (agent → agency → MGA → carrier).
+   * Requires an accessToken (auth: required).
+   */
+  async getChain(entityId) {
+    return this.getAuth(`/api/graph/chain/${encodeURIComponent(entityId)}`);
+  }
+  /**
+   * Search across Agent, Agency, MGA, and Carrier nodes.
+   * Public route — no auth required.
+   */
+  async search(query, options) {
+    const params = new URLSearchParams({ q: query });
+    if (options?.limit) params.set("limit", String(options.limit));
+    if (options?.types?.length) params.set("types", options.types.join(","));
+    return this.get(`/api/graph/search?${params.toString()}`);
+  }
   // ─── Internal ─────────────────────────────────────────────────────────────
+  async getAuth(path) {
+    if (!this.accessToken) {
+      throw new BioError(
+        `bio-graph ${path} requires an accessToken \u2014 pass it in the GraphClient constructor`,
+        "config_error"
+      );
+    }
+    return this.get(path);
+  }
   async get(path, attempt = 0) {
     const url = `${this.graphUrl}${path}`;
     const controller = new AbortController();
@@ -897,12 +1208,165 @@ var GraphClient = class _GraphClient {
     return body;
   }
 };
+
+// src/passport-client.ts
+var PassportClient = class {
+  config;
+  ws = null;
+  _passport = null;
+  _status = "disconnected";
+  reconnectAttempt = 0;
+  reconnectTimer = null;
+  listeners = /* @__PURE__ */ new Map();
+  closed = false;
+  constructor(config) {
+    this.config = {
+      autoReconnect: true,
+      maxReconnectDelay: 3e4,
+      ...config
+    };
+  }
+  /** Current passport object (null until first identity message) */
+  get passport() {
+    return this._passport;
+  }
+  /** Current connection status */
+  get status() {
+    return this._status;
+  }
+  /** Connect to the passport WebSocket */
+  connect() {
+    if (this.closed) return;
+    this.setStatus("connecting");
+    const url = new URL("/passport", this.config.bioIdUrl.replace(/^http/, "ws"));
+    url.searchParams.set("token", this.config.accessToken);
+    url.searchParams.set("version", "1");
+    if (this.config.service) {
+      url.searchParams.set("service", this.config.service);
+    }
+    this.ws = new WebSocket(url.toString());
+    this.ws.onopen = () => {
+      this.reconnectAttempt = 0;
+      this.setStatus("connected");
+      this.emit("connected", this._status);
+    };
+    this.ws.onmessage = (event) => {
+      try {
+        const data = JSON.parse(
+          typeof event.data === "string" ? event.data : ""
+        );
+        if (data.type === "identity" || data.type === "passport_updated") {
+          this._passport = data.passport ?? null;
+          this.emit(data.type, this._passport);
+        } else if (data.type === "revoked") {
+          this._passport = null;
+          this.emit("revoked");
+        }
+      } catch {
+      }
+    };
+    this.ws.onclose = (event) => {
+      this.setStatus("disconnected");
+      this.emit("disconnected", this._status);
+      if (event?.code === 4003 && this.config.refreshToken && this.config.bioAuth) {
+        this.handleTokenRefresh();
+        return;
+      }
+      this.scheduleReconnect();
+    };
+    this.ws.onerror = () => {
+      const error = new Error("Passport WebSocket error");
+      this.emit("error", error);
+    };
+  }
+  /** Subscribe to an event */
+  on(event, handler) {
+    if (!this.listeners.has(event)) {
+      this.listeners.set(event, /* @__PURE__ */ new Set());
+    }
+    this.listeners.get(event).add(handler);
+  }
+  /** Unsubscribe from an event */
+  off(event, handler) {
+    this.listeners.get(event)?.delete(handler);
+  }
+  /** Disconnect and stop reconnecting */
+  close() {
+    this.closed = true;
+    if (this.reconnectTimer) {
+      clearTimeout(this.reconnectTimer);
+      this.reconnectTimer = null;
+    }
+    if (this.ws) {
+      this.ws.onclose = null;
+      this.ws.close();
+      this.ws = null;
+    }
+    this.setStatus("disconnected");
+  }
+  /** Update access token (e.g. after refresh) and reconnect */
+  updateToken(accessToken) {
+    this.config.accessToken = accessToken;
+    if (this.ws) {
+      this.ws.onclose = null;
+      this.ws.close();
+      this.ws = null;
+    }
+    this.reconnectAttempt = 0;
+    this.connect();
+  }
+  async handleTokenRefresh() {
+    if (!this.config.refreshToken || !this.config.bioAuth) return;
+    try {
+      const tokens = await this.config.bioAuth.refreshToken(this.config.refreshToken);
+      this.config.accessToken = tokens.access_token;
+      if (tokens.refresh_token) {
+        this.config.refreshToken = tokens.refresh_token;
+      }
+      if (this.config.onTokenRefresh) {
+        this.config.onTokenRefresh(tokens);
+      }
+      this.reconnectAttempt = 0;
+      this.connect();
+    } catch {
+      this.emit("error", new Error("Token refresh failed"));
+    }
+  }
+  setStatus(status) {
+    this._status = status;
+  }
+  emit(event, ...args) {
+    const handlers = this.listeners.get(event);
+    if (handlers) {
+      for (const handler of handlers) {
+        try {
+          handler(...args);
+        } catch {
+        }
+      }
+    }
+  }
+  scheduleReconnect() {
+    if (this.closed || !this.config.autoReconnect) return;
+    const delay = Math.min(
+      1e3 * Math.pow(2, this.reconnectAttempt),
+      this.config.maxReconnectDelay ?? 3e4
+    );
+    this.reconnectAttempt++;
+    this.reconnectTimer = setTimeout(() => {
+      this.reconnectTimer = null;
+      this.connect();
+    }, delay);
+  }
+};
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   BioAdmin,
   BioAuth,
   BioError,
+  EmbedClient,
   GraphClient,
+  PassportClient,
   decodeToken,
   generatePKCE,
   isTokenExpired,