@insureco/relay 0.3.1

package/dist/index.d.mts

@@ -0,0 +1,177 @@
+/** Built-in template names available in InsureRelay */
+type BuiltInTemplate = 'welcome' | 'invitation' | 'password-reset' | 'magic-link';
+/** Recipient for an email or SMS message */
+interface Recipient {
+    /** Email address (required for email channel) */
+    email?: string;
+    /** Phone number in E.164 format, e.g. +15551234567 (required for SMS channel) */
+    phone?: string;
+    /** Recipient display name */
+    name?: string;
+}
+/** Options for sending a message */
+interface SendOptions {
+    /** Override default sender address */
+    from?: string;
+    /** Reply-to address */
+    replyTo?: string;
+    /** Message priority */
+    priority?: 'high' | 'normal' | 'low';
+}
+/** Metadata attached to a message for tracking */
+interface MessageMetadata {
+    /** Name of the calling service, e.g. 'bio-id' */
+    sourceService: string;
+    /** Action that triggered the send, e.g. 'user_registered' */
+    sourceAction: string;
+    /** Correlation ID for tracing across services */
+    correlationId?: string;
+}
+/** Raw content payload for template-less sends */
+interface ContentPayload {
+    /** Email subject (required for email channel) */
+    subject?: string;
+    /** Raw HTML body (email only) */
+    html?: string;
+    /** Plain text body (required for SMS, optional fallback for email) */
+    text?: string;
+}
+/** Full request body for POST /api/relay/send */
+interface SendRequest {
+    template?: string;
+    channel: 'email' | 'sms';
+    content?: ContentPayload;
+    recipient: Recipient;
+    data: Record<string, unknown>;
+    options?: SendOptions;
+    metadata?: MessageMetadata;
+}
+/** Successful send response */
+interface SendResponse {
+    messageId: string;
+    channel: 'email' | 'sms';
+    status: 'sent';
+    providerMessageId: string;
+}
+/** Message status from GET /api/relay/status/:id */
+interface MessageStatus {
+    messageId: string;
+    channel: 'email' | 'sms';
+    template: string;
+    status: 'sent' | 'delivered' | 'failed';
+    recipient: Recipient;
+    sender: string;
+    sentAt: string;
+    providerMessageId: string;
+}
+/** API response wrapper */
+interface ApiResponse<T> {
+    success: boolean;
+    data?: T;
+    error?: string;
+    details?: Record<string, unknown>;
+}
+/** Configuration for the RelayClient */
+interface RelayClientConfig {
+    /** Shared JWT secret for minting service tokens (required when using Janus) */
+    jwtSecret?: string;
+    /** Program/org ID included in the JWT (default: derived from service name) */
+    programId?: string;
+    /** Janus gateway URL (default: http://janus.janus-prod.svc.cluster.local:3000) */
+    janusUrl?: string;
+    /** Direct relay URL for local dev (bypasses Janus, uses X-Internal-Key auth) */
+    relayUrl?: string;
+    /** Internal API key for direct relay access */
+    internalKey?: string;
+    /** Async function returning a Bearer token (e.g. Bio-ID client_credentials). Used in direct mode. */
+    accessTokenFn?: () => Promise<string>;
+    /** JWT token lifetime in seconds (default: 300 = 5 minutes) */
+    tokenTtlSeconds?: number;
+    /**
+     * Number of retry attempts on transient failures (default: 2).
+     * Note: Retries on POST /send may cause duplicate messages if the server
+     * processed the request but the response was lost. Set to 0 if duplicates
+     * are unacceptable.
+     */
+    retries?: number;
+    /** Request timeout in milliseconds (default: 10000) */
+    timeoutMs?: number;
+    /** Source service name for metadata (default: programId) */
+    sourceService?: string;
+}
+/** Base options shared by sendEmail and sendSMS */
+interface BaseSendOptions {
+    /** Template name (built-in or custom). Required unless content is provided. */
+    template?: BuiltInTemplate | (string & {});
+    /** Raw content for template-less sends. Required unless template is provided. */
+    content?: ContentPayload;
+    /** Recipient */
+    to: Recipient;
+    /** Template variables (used with template mode) */
+    data?: Record<string, unknown>;
+    /** Optional send options */
+    options?: SendOptions;
+    /** Optional metadata overrides */
+    metadata?: Partial<MessageMetadata>;
+}
+/** Options for sendEmail — requires to.email */
+interface SendEmailOptions extends BaseSendOptions {
+}
+/** Options for sendSMS — requires to.phone */
+interface SendSMSOptions extends BaseSendOptions {
+}
+
+declare class RelayError extends Error {
+    readonly statusCode: number;
+    readonly code?: string | undefined;
+    readonly details?: Record<string, unknown> | undefined;
+    constructor(message: string, statusCode: number, code?: string | undefined, details?: Record<string, unknown> | undefined);
+}
+declare class RelayClient {
+    private readonly config;
+    private cachedToken;
+    constructor(config: RelayClientConfig);
+    /**
+     * Create a RelayClient from environment variables.
+     *
+     * Reads: JANUS_URL, JWT_SECRET, PROGRAM_ID, RELAY_DIRECT_URL, RELAY_INTERNAL_KEY
+     */
+    static fromEnv(): RelayClient;
+    /**
+     * Send an email through InsureRelay.
+     * Provide either `template` (with `data`) or `content` (raw HTML/text).
+     */
+    sendEmail(options: SendEmailOptions): Promise<SendResponse>;
+    /**
+     * Send an SMS through InsureRelay.
+     * Provide either `template` (with `data`) or `content` (raw text).
+     */
+    sendSMS(options: SendSMSOptions): Promise<SendResponse>;
+    /**
+     * Get the delivery status of a sent message.
+     */
+    getStatus(messageId: string): Promise<MessageStatus>;
+    /**
+     * List available templates on the relay service.
+     */
+    listTemplates(): Promise<string[]>;
+    /**
+     * Low-level send — use sendEmail() or sendSMS() instead.
+     */
+    send(body: SendRequest): Promise<SendResponse>;
+    private request;
+    private buildRequest;
+    private getToken;
+}
+
+/**
+ * Mint a short-lived HS256 JWT for service-to-service auth through Janus.
+ * Uses only Node.js built-in crypto — zero dependencies.
+ */
+declare function mintServiceJwt(secret: string, programId: string, ttlSeconds?: number): string;
+/**
+ * Check if a JWT is expired or will expire within the given buffer (seconds).
+ */
+declare function isTokenExpired(token: string, bufferSeconds?: number): boolean;
+
+export { type ApiResponse, type BuiltInTemplate, type ContentPayload, type MessageMetadata, type MessageStatus, type Recipient, RelayClient, type RelayClientConfig, RelayError, type SendEmailOptions, type SendOptions, type SendRequest, type SendResponse, type SendSMSOptions, isTokenExpired, mintServiceJwt };

package/dist/index.d.ts

@@ -0,0 +1,177 @@
+/** Built-in template names available in InsureRelay */
+type BuiltInTemplate = 'welcome' | 'invitation' | 'password-reset' | 'magic-link';
+/** Recipient for an email or SMS message */
+interface Recipient {
+    /** Email address (required for email channel) */
+    email?: string;
+    /** Phone number in E.164 format, e.g. +15551234567 (required for SMS channel) */
+    phone?: string;
+    /** Recipient display name */
+    name?: string;
+}
+/** Options for sending a message */
+interface SendOptions {
+    /** Override default sender address */
+    from?: string;
+    /** Reply-to address */
+    replyTo?: string;
+    /** Message priority */
+    priority?: 'high' | 'normal' | 'low';
+}
+/** Metadata attached to a message for tracking */
+interface MessageMetadata {
+    /** Name of the calling service, e.g. 'bio-id' */
+    sourceService: string;
+    /** Action that triggered the send, e.g. 'user_registered' */
+    sourceAction: string;
+    /** Correlation ID for tracing across services */
+    correlationId?: string;
+}
+/** Raw content payload for template-less sends */
+interface ContentPayload {
+    /** Email subject (required for email channel) */
+    subject?: string;
+    /** Raw HTML body (email only) */
+    html?: string;
+    /** Plain text body (required for SMS, optional fallback for email) */
+    text?: string;
+}
+/** Full request body for POST /api/relay/send */
+interface SendRequest {
+    template?: string;
+    channel: 'email' | 'sms';
+    content?: ContentPayload;
+    recipient: Recipient;
+    data: Record<string, unknown>;
+    options?: SendOptions;
+    metadata?: MessageMetadata;
+}
+/** Successful send response */
+interface SendResponse {
+    messageId: string;
+    channel: 'email' | 'sms';
+    status: 'sent';
+    providerMessageId: string;
+}
+/** Message status from GET /api/relay/status/:id */
+interface MessageStatus {
+    messageId: string;
+    channel: 'email' | 'sms';
+    template: string;
+    status: 'sent' | 'delivered' | 'failed';
+    recipient: Recipient;
+    sender: string;
+    sentAt: string;
+    providerMessageId: string;
+}
+/** API response wrapper */
+interface ApiResponse<T> {
+    success: boolean;
+    data?: T;
+    error?: string;
+    details?: Record<string, unknown>;
+}
+/** Configuration for the RelayClient */
+interface RelayClientConfig {
+    /** Shared JWT secret for minting service tokens (required when using Janus) */
+    jwtSecret?: string;
+    /** Program/org ID included in the JWT (default: derived from service name) */
+    programId?: string;
+    /** Janus gateway URL (default: http://janus.janus-prod.svc.cluster.local:3000) */
+    janusUrl?: string;
+    /** Direct relay URL for local dev (bypasses Janus, uses X-Internal-Key auth) */
+    relayUrl?: string;
+    /** Internal API key for direct relay access */
+    internalKey?: string;
+    /** Async function returning a Bearer token (e.g. Bio-ID client_credentials). Used in direct mode. */
+    accessTokenFn?: () => Promise<string>;
+    /** JWT token lifetime in seconds (default: 300 = 5 minutes) */
+    tokenTtlSeconds?: number;
+    /**
+     * Number of retry attempts on transient failures (default: 2).
+     * Note: Retries on POST /send may cause duplicate messages if the server
+     * processed the request but the response was lost. Set to 0 if duplicates
+     * are unacceptable.
+     */
+    retries?: number;
+    /** Request timeout in milliseconds (default: 10000) */
+    timeoutMs?: number;
+    /** Source service name for metadata (default: programId) */
+    sourceService?: string;
+}
+/** Base options shared by sendEmail and sendSMS */
+interface BaseSendOptions {
+    /** Template name (built-in or custom). Required unless content is provided. */
+    template?: BuiltInTemplate | (string & {});
+    /** Raw content for template-less sends. Required unless template is provided. */
+    content?: ContentPayload;
+    /** Recipient */
+    to: Recipient;
+    /** Template variables (used with template mode) */
+    data?: Record<string, unknown>;
+    /** Optional send options */
+    options?: SendOptions;
+    /** Optional metadata overrides */
+    metadata?: Partial<MessageMetadata>;
+}
+/** Options for sendEmail — requires to.email */
+interface SendEmailOptions extends BaseSendOptions {
+}
+/** Options for sendSMS — requires to.phone */
+interface SendSMSOptions extends BaseSendOptions {
+}
+
+declare class RelayError extends Error {
+    readonly statusCode: number;
+    readonly code?: string | undefined;
+    readonly details?: Record<string, unknown> | undefined;
+    constructor(message: string, statusCode: number, code?: string | undefined, details?: Record<string, unknown> | undefined);
+}
+declare class RelayClient {
+    private readonly config;
+    private cachedToken;
+    constructor(config: RelayClientConfig);
+    /**
+     * Create a RelayClient from environment variables.
+     *
+     * Reads: JANUS_URL, JWT_SECRET, PROGRAM_ID, RELAY_DIRECT_URL, RELAY_INTERNAL_KEY
+     */
+    static fromEnv(): RelayClient;
+    /**
+     * Send an email through InsureRelay.
+     * Provide either `template` (with `data`) or `content` (raw HTML/text).
+     */
+    sendEmail(options: SendEmailOptions): Promise<SendResponse>;
+    /**
+     * Send an SMS through InsureRelay.
+     * Provide either `template` (with `data`) or `content` (raw text).
+     */
+    sendSMS(options: SendSMSOptions): Promise<SendResponse>;
+    /**
+     * Get the delivery status of a sent message.
+     */
+    getStatus(messageId: string): Promise<MessageStatus>;
+    /**
+     * List available templates on the relay service.
+     */
+    listTemplates(): Promise<string[]>;
+    /**
+     * Low-level send — use sendEmail() or sendSMS() instead.
+     */
+    send(body: SendRequest): Promise<SendResponse>;
+    private request;
+    private buildRequest;
+    private getToken;
+}
+
+/**
+ * Mint a short-lived HS256 JWT for service-to-service auth through Janus.
+ * Uses only Node.js built-in crypto — zero dependencies.
+ */
+declare function mintServiceJwt(secret: string, programId: string, ttlSeconds?: number): string;
+/**
+ * Check if a JWT is expired or will expire within the given buffer (seconds).
+ */
+declare function isTokenExpired(token: string, bufferSeconds?: number): boolean;
+
+export { type ApiResponse, type BuiltInTemplate, type ContentPayload, type MessageMetadata, type MessageStatus, type Recipient, RelayClient, type RelayClientConfig, RelayError, type SendEmailOptions, type SendOptions, type SendRequest, type SendResponse, type SendSMSOptions, isTokenExpired, mintServiceJwt };

package/dist/index.js

@@ -0,0 +1,357 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  RelayClient: () => RelayClient,
+  RelayError: () => RelayError,
+  isTokenExpired: () => isTokenExpired,
+  mintServiceJwt: () => mintServiceJwt
+});
+module.exports = __toCommonJS(index_exports);
+
+// src/jwt.ts
+var import_node_crypto = require("crypto");
+function base64url(input) {
+  const buf = typeof input === "string" ? Buffer.from(input) : input;
+  return buf.toString("base64url");
+}
+function mintServiceJwt(secret, programId, ttlSeconds = 300) {
+  if (!secret || secret.length < 32) {
+    throw new Error("iec-relay: JWT secret must be at least 32 characters (256 bits) for HS256");
+  }
+  const header = base64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
+  const now = Math.floor(Date.now() / 1e3);
+  const payload = {
+    iss: `iec-relay:${programId}`,
+    programId,
+    scopes: ["service:relay"],
+    iat: now,
+    exp: now + ttlSeconds
+  };
+  const encodedPayload = base64url(JSON.stringify(payload));
+  const signature = (0, import_node_crypto.createHmac)("sha256", secret).update(`${header}.${encodedPayload}`).digest("base64url");
+  return `${header}.${encodedPayload}.${signature}`;
+}
+function isTokenExpired(token, bufferSeconds = 30) {
+  try {
+    const parts = token.split(".");
+    if (parts.length !== 3) return true;
+    const payload = JSON.parse(Buffer.from(parts[1], "base64url").toString());
+    const now = Math.floor(Date.now() / 1e3);
+    return payload.exp <= now + bufferSeconds;
+  } catch {
+    return true;
+  }
+}
+
+// src/client.ts
+var DEFAULT_JANUS_URL = "http://janus.janus-prod.svc.cluster.local:3000";
+var RELAY_API_PATH = "/api/relay";
+var DEFAULT_TIMEOUT_MS = 1e4;
+var RelayError = class extends Error {
+  constructor(message, statusCode, code, details) {
+    super(message);
+    this.statusCode = statusCode;
+    this.code = code;
+    this.details = details;
+    this.name = "RelayError";
+  }
+};
+var RelayClient = class _RelayClient {
+  config;
+  cachedToken = null;
+  constructor(config) {
+    if (!config.jwtSecret && !config.relayUrl) {
+      throw new Error(
+        "iec-relay: Either jwtSecret (for Janus) or relayUrl (for direct) is required"
+      );
+    }
+    if (config.jwtSecret && !config.programId) {
+      throw new Error("iec-relay: programId is required when using jwtSecret");
+    }
+    this.config = {
+      ...config,
+      retries: config.retries ?? 2,
+      tokenTtlSeconds: config.tokenTtlSeconds ?? 300,
+      sourceService: config.sourceService ?? config.programId ?? "unknown",
+      timeoutMs: config.timeoutMs ?? DEFAULT_TIMEOUT_MS
+    };
+  }
+  /**
+   * Create a RelayClient from environment variables.
+   *
+   * Reads: JANUS_URL, JWT_SECRET, PROGRAM_ID, RELAY_DIRECT_URL, RELAY_INTERNAL_KEY
+   */
+  static fromEnv() {
+    const relayUrl = process.env.RELAY_DIRECT_URL;
+    const internalKey = process.env.RELAY_INTERNAL_KEY;
+    if (relayUrl) {
+      return new _RelayClient({
+        relayUrl,
+        internalKey,
+        sourceService: process.env.PROGRAM_ID ?? process.env.SERVICE_NAME
+      });
+    }
+    const jwtSecret = process.env.JWT_SECRET;
+    if (!jwtSecret) {
+      throw new Error(
+        "iec-relay: Set JWT_SECRET + PROGRAM_ID (for Janus) or RELAY_DIRECT_URL (for direct)"
+      );
+    }
+    return new _RelayClient({
+      jwtSecret,
+      programId: process.env.PROGRAM_ID,
+      janusUrl: process.env.JANUS_URL
+    });
+  }
+  /**
+   * Send an email through InsureRelay.
+   * Provide either `template` (with `data`) or `content` (raw HTML/text).
+   */
+  async sendEmail(options) {
+    if (!options.to.email || !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(options.to.email)) {
+      throw new RelayError(
+        "Valid recipient email is required for email channel",
+        400,
+        "VALIDATION_ERROR"
+      );
+    }
+    if (!options.template && !options.content) {
+      throw new RelayError(
+        "Either template or content is required",
+        400,
+        "VALIDATION_ERROR"
+      );
+    }
+    if (options.template && options.content) {
+      throw new RelayError(
+        "Provide template or content, not both",
+        400,
+        "VALIDATION_ERROR"
+      );
+    }
+    if (options.content) {
+      if (!options.content.subject) {
+        throw new RelayError(
+          "Email content requires a subject",
+          400,
+          "VALIDATION_ERROR"
+        );
+      }
+      if (!options.content.html && !options.content.text) {
+        throw new RelayError(
+          "Email content requires either html or text",
+          400,
+          "VALIDATION_ERROR"
+        );
+      }
+    }
+    const sourceAction = options.metadata?.sourceAction ?? options.template ?? "raw_email";
+    return this.send({
+      ...options.template ? { template: options.template } : {},
+      ...options.content ? { content: options.content } : {},
+      channel: "email",
+      recipient: options.to,
+      data: options.data ?? {},
+      options: options.options,
+      metadata: {
+        sourceService: options.metadata?.sourceService ?? this.config.sourceService,
+        sourceAction,
+        correlationId: options.metadata?.correlationId
+      }
+    });
+  }
+  /**
+   * Send an SMS through InsureRelay.
+   * Provide either `template` (with `data`) or `content` (raw text).
+   */
+  async sendSMS(options) {
+    if (!options.to.phone || !/^\+[1-9]\d{1,14}$/.test(options.to.phone)) {
+      throw new RelayError(
+        "Recipient phone must be in E.164 format (e.g., +15551234567)",
+        400,
+        "VALIDATION_ERROR"
+      );
+    }
+    if (!options.template && !options.content) {
+      throw new RelayError(
+        "Either template or content is required",
+        400,
+        "VALIDATION_ERROR"
+      );
+    }
+    if (options.template && options.content) {
+      throw new RelayError(
+        "Provide template or content, not both",
+        400,
+        "VALIDATION_ERROR"
+      );
+    }
+    if (options.content && !options.content.text) {
+      throw new RelayError(
+        "SMS content requires text",
+        400,
+        "VALIDATION_ERROR"
+      );
+    }
+    const sourceAction = options.metadata?.sourceAction ?? options.template ?? "raw_sms";
+    return this.send({
+      ...options.template ? { template: options.template } : {},
+      ...options.content ? { content: options.content } : {},
+      channel: "sms",
+      recipient: options.to,
+      data: options.data ?? {},
+      options: options.options,
+      metadata: {
+        sourceService: options.metadata?.sourceService ?? this.config.sourceService,
+        sourceAction,
+        correlationId: options.metadata?.correlationId
+      }
+    });
+  }
+  /**
+   * Get the delivery status of a sent message.
+   */
+  async getStatus(messageId) {
+    return this.request("GET", `/status/${messageId}`);
+  }
+  /**
+   * List available templates on the relay service.
+   */
+  async listTemplates() {
+    const response = await this.request("GET", "/templates");
+    return response.templates;
+  }
+  /**
+   * Low-level send — use sendEmail() or sendSMS() instead.
+   */
+  async send(body) {
+    return this.request("POST", "/send", body);
+  }
+  async request(method, path, body, attempt = 0) {
+    const { url, headers } = await this.buildRequest(path);
+    const fetchOptions = {
+      method,
+      headers: {
+        ...headers,
+        ...body ? { "Content-Type": "application/json" } : {}
+      },
+      ...body ? { body: JSON.stringify(body) } : {},
+      signal: AbortSignal.timeout(this.config.timeoutMs)
+    };
+    let response;
+    try {
+      response = await fetch(url, fetchOptions);
+    } catch (err) {
+      if (attempt < this.config.retries) {
+        const baseDelay = Math.min(1e3 * 2 ** attempt, 5e3);
+        const delay = baseDelay * (0.5 + Math.random() * 0.5);
+        await sleep(delay);
+        return this.request(method, path, body, attempt + 1);
+      }
+      const isTimeout = err instanceof DOMException && err.name === "TimeoutError";
+      const message = isTimeout ? `Request timed out after ${this.config.timeoutMs}ms` : err instanceof Error ? err.message : "Network error";
+      throw new RelayError(
+        `Failed to reach InsureRelay: ${message}`,
+        0,
+        isTimeout ? "TIMEOUT" : "NETWORK_ERROR"
+      );
+    }
+    let json;
+    try {
+      json = await response.json();
+    } catch {
+      if (response.status >= 500 && attempt < this.config.retries) {
+        const baseDelay = Math.min(1e3 * 2 ** attempt, 5e3);
+        const delay = baseDelay * (0.5 + Math.random() * 0.5);
+        await sleep(delay);
+        return this.request(method, path, body, attempt + 1);
+      }
+      throw new RelayError(
+        `InsureRelay returned ${response.status} with non-JSON body`,
+        response.status,
+        "PARSE_ERROR"
+      );
+    }
+    if (!response.ok) {
+      if (response.status >= 500 && attempt < this.config.retries) {
+        const baseDelay = Math.min(1e3 * 2 ** attempt, 5e3);
+        const delay = baseDelay * (0.5 + Math.random() * 0.5);
+        await sleep(delay);
+        return this.request(method, path, body, attempt + 1);
+      }
+      throw new RelayError(
+        json.error ?? `InsureRelay returned ${response.status}`,
+        response.status,
+        json.error,
+        json.details
+      );
+    }
+    if (!json.data) {
+      throw new RelayError("InsureRelay returned success but no data", 500, "EMPTY_RESPONSE");
+    }
+    return json.data;
+  }
+  async buildRequest(path) {
+    const headers = {};
+    if (this.config.relayUrl) {
+      const url2 = `${this.config.relayUrl}${path}`;
+      if (this.config.accessTokenFn) {
+        headers["Authorization"] = `Bearer ${await this.config.accessTokenFn()}`;
+      } else if (this.config.internalKey) {
+        headers["X-Internal-Key"] = this.config.internalKey;
+      }
+      return { url: url2, headers };
+    }
+    const baseUrl = this.config.janusUrl ?? DEFAULT_JANUS_URL;
+    const url = `${baseUrl}${RELAY_API_PATH}${path}`;
+    headers["Authorization"] = `Bearer ${this.getToken()}`;
+    return { url, headers };
+  }
+  getToken() {
+    if (this.cachedToken && !isTokenExpired(this.cachedToken)) {
+      return this.cachedToken;
+    }
+    if (!this.config.jwtSecret || !this.config.programId) {
+      throw new RelayError(
+        "jwtSecret and programId are required for Janus auth",
+        500,
+        "CONFIG_ERROR"
+      );
+    }
+    this.cachedToken = mintServiceJwt(
+      this.config.jwtSecret,
+      this.config.programId,
+      this.config.tokenTtlSeconds
+    );
+    return this.cachedToken;
+  }
+};
+function sleep(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  RelayClient,
+  RelayError,
+  isTokenExpired,
+  mintServiceJwt
+});

package/dist/index.mjs

@@ -0,0 +1,327 @@
+// src/jwt.ts
+import { createHmac } from "crypto";
+function base64url(input) {
+  const buf = typeof input === "string" ? Buffer.from(input) : input;
+  return buf.toString("base64url");
+}
+function mintServiceJwt(secret, programId, ttlSeconds = 300) {
+  if (!secret || secret.length < 32) {
+    throw new Error("iec-relay: JWT secret must be at least 32 characters (256 bits) for HS256");
+  }
+  const header = base64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
+  const now = Math.floor(Date.now() / 1e3);
+  const payload = {
+    iss: `iec-relay:${programId}`,
+    programId,
+    scopes: ["service:relay"],
+    iat: now,
+    exp: now + ttlSeconds
+  };
+  const encodedPayload = base64url(JSON.stringify(payload));
+  const signature = createHmac("sha256", secret).update(`${header}.${encodedPayload}`).digest("base64url");
+  return `${header}.${encodedPayload}.${signature}`;
+}
+function isTokenExpired(token, bufferSeconds = 30) {
+  try {
+    const parts = token.split(".");
+    if (parts.length !== 3) return true;
+    const payload = JSON.parse(Buffer.from(parts[1], "base64url").toString());
+    const now = Math.floor(Date.now() / 1e3);
+    return payload.exp <= now + bufferSeconds;
+  } catch {
+    return true;
+  }
+}
+
+// src/client.ts
+var DEFAULT_JANUS_URL = "http://janus.janus-prod.svc.cluster.local:3000";
+var RELAY_API_PATH = "/api/relay";
+var DEFAULT_TIMEOUT_MS = 1e4;
+var RelayError = class extends Error {
+  constructor(message, statusCode, code, details) {
+    super(message);
+    this.statusCode = statusCode;
+    this.code = code;
+    this.details = details;
+    this.name = "RelayError";
+  }
+};
+var RelayClient = class _RelayClient {
+  config;
+  cachedToken = null;
+  constructor(config) {
+    if (!config.jwtSecret && !config.relayUrl) {
+      throw new Error(
+        "iec-relay: Either jwtSecret (for Janus) or relayUrl (for direct) is required"
+      );
+    }
+    if (config.jwtSecret && !config.programId) {
+      throw new Error("iec-relay: programId is required when using jwtSecret");
+    }
+    this.config = {
+      ...config,
+      retries: config.retries ?? 2,
+      tokenTtlSeconds: config.tokenTtlSeconds ?? 300,
+      sourceService: config.sourceService ?? config.programId ?? "unknown",
+      timeoutMs: config.timeoutMs ?? DEFAULT_TIMEOUT_MS
+    };
+  }
+  /**
+   * Create a RelayClient from environment variables.
+   *
+   * Reads: JANUS_URL, JWT_SECRET, PROGRAM_ID, RELAY_DIRECT_URL, RELAY_INTERNAL_KEY
+   */
+  static fromEnv() {
+    const relayUrl = process.env.RELAY_DIRECT_URL;
+    const internalKey = process.env.RELAY_INTERNAL_KEY;
+    if (relayUrl) {
+      return new _RelayClient({
+        relayUrl,
+        internalKey,
+        sourceService: process.env.PROGRAM_ID ?? process.env.SERVICE_NAME
+      });
+    }
+    const jwtSecret = process.env.JWT_SECRET;
+    if (!jwtSecret) {
+      throw new Error(
+        "iec-relay: Set JWT_SECRET + PROGRAM_ID (for Janus) or RELAY_DIRECT_URL (for direct)"
+      );
+    }
+    return new _RelayClient({
+      jwtSecret,
+      programId: process.env.PROGRAM_ID,
+      janusUrl: process.env.JANUS_URL
+    });
+  }
+  /**
+   * Send an email through InsureRelay.
+   * Provide either `template` (with `data`) or `content` (raw HTML/text).
+   */
+  async sendEmail(options) {
+    if (!options.to.email || !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(options.to.email)) {
+      throw new RelayError(
+        "Valid recipient email is required for email channel",
+        400,
+        "VALIDATION_ERROR"
+      );
+    }
+    if (!options.template && !options.content) {
+      throw new RelayError(
+        "Either template or content is required",
+        400,
+        "VALIDATION_ERROR"
+      );
+    }
+    if (options.template && options.content) {
+      throw new RelayError(
+        "Provide template or content, not both",
+        400,
+        "VALIDATION_ERROR"
+      );
+    }
+    if (options.content) {
+      if (!options.content.subject) {
+        throw new RelayError(
+          "Email content requires a subject",
+          400,
+          "VALIDATION_ERROR"
+        );
+      }
+      if (!options.content.html && !options.content.text) {
+        throw new RelayError(
+          "Email content requires either html or text",
+          400,
+          "VALIDATION_ERROR"
+        );
+      }
+    }
+    const sourceAction = options.metadata?.sourceAction ?? options.template ?? "raw_email";
+    return this.send({
+      ...options.template ? { template: options.template } : {},
+      ...options.content ? { content: options.content } : {},
+      channel: "email",
+      recipient: options.to,
+      data: options.data ?? {},
+      options: options.options,
+      metadata: {
+        sourceService: options.metadata?.sourceService ?? this.config.sourceService,
+        sourceAction,
+        correlationId: options.metadata?.correlationId
+      }
+    });
+  }
+  /**
+   * Send an SMS through InsureRelay.
+   * Provide either `template` (with `data`) or `content` (raw text).
+   */
+  async sendSMS(options) {
+    if (!options.to.phone || !/^\+[1-9]\d{1,14}$/.test(options.to.phone)) {
+      throw new RelayError(
+        "Recipient phone must be in E.164 format (e.g., +15551234567)",
+        400,
+        "VALIDATION_ERROR"
+      );
+    }
+    if (!options.template && !options.content) {
+      throw new RelayError(
+        "Either template or content is required",
+        400,
+        "VALIDATION_ERROR"
+      );
+    }
+    if (options.template && options.content) {
+      throw new RelayError(
+        "Provide template or content, not both",
+        400,
+        "VALIDATION_ERROR"
+      );
+    }
+    if (options.content && !options.content.text) {
+      throw new RelayError(
+        "SMS content requires text",
+        400,
+        "VALIDATION_ERROR"
+      );
+    }
+    const sourceAction = options.metadata?.sourceAction ?? options.template ?? "raw_sms";
+    return this.send({
+      ...options.template ? { template: options.template } : {},
+      ...options.content ? { content: options.content } : {},
+      channel: "sms",
+      recipient: options.to,
+      data: options.data ?? {},
+      options: options.options,
+      metadata: {
+        sourceService: options.metadata?.sourceService ?? this.config.sourceService,
+        sourceAction,
+        correlationId: options.metadata?.correlationId
+      }
+    });
+  }
+  /**
+   * Get the delivery status of a sent message.
+   */
+  async getStatus(messageId) {
+    return this.request("GET", `/status/${messageId}`);
+  }
+  /**
+   * List available templates on the relay service.
+   */
+  async listTemplates() {
+    const response = await this.request("GET", "/templates");
+    return response.templates;
+  }
+  /**
+   * Low-level send — use sendEmail() or sendSMS() instead.
+   */
+  async send(body) {
+    return this.request("POST", "/send", body);
+  }
+  async request(method, path, body, attempt = 0) {
+    const { url, headers } = await this.buildRequest(path);
+    const fetchOptions = {
+      method,
+      headers: {
+        ...headers,
+        ...body ? { "Content-Type": "application/json" } : {}
+      },
+      ...body ? { body: JSON.stringify(body) } : {},
+      signal: AbortSignal.timeout(this.config.timeoutMs)
+    };
+    let response;
+    try {
+      response = await fetch(url, fetchOptions);
+    } catch (err) {
+      if (attempt < this.config.retries) {
+        const baseDelay = Math.min(1e3 * 2 ** attempt, 5e3);
+        const delay = baseDelay * (0.5 + Math.random() * 0.5);
+        await sleep(delay);
+        return this.request(method, path, body, attempt + 1);
+      }
+      const isTimeout = err instanceof DOMException && err.name === "TimeoutError";
+      const message = isTimeout ? `Request timed out after ${this.config.timeoutMs}ms` : err instanceof Error ? err.message : "Network error";
+      throw new RelayError(
+        `Failed to reach InsureRelay: ${message}`,
+        0,
+        isTimeout ? "TIMEOUT" : "NETWORK_ERROR"
+      );
+    }
+    let json;
+    try {
+      json = await response.json();
+    } catch {
+      if (response.status >= 500 && attempt < this.config.retries) {
+        const baseDelay = Math.min(1e3 * 2 ** attempt, 5e3);
+        const delay = baseDelay * (0.5 + Math.random() * 0.5);
+        await sleep(delay);
+        return this.request(method, path, body, attempt + 1);
+      }
+      throw new RelayError(
+        `InsureRelay returned ${response.status} with non-JSON body`,
+        response.status,
+        "PARSE_ERROR"
+      );
+    }
+    if (!response.ok) {
+      if (response.status >= 500 && attempt < this.config.retries) {
+        const baseDelay = Math.min(1e3 * 2 ** attempt, 5e3);
+        const delay = baseDelay * (0.5 + Math.random() * 0.5);
+        await sleep(delay);
+        return this.request(method, path, body, attempt + 1);
+      }
+      throw new RelayError(
+        json.error ?? `InsureRelay returned ${response.status}`,
+        response.status,
+        json.error,
+        json.details
+      );
+    }
+    if (!json.data) {
+      throw new RelayError("InsureRelay returned success but no data", 500, "EMPTY_RESPONSE");
+    }
+    return json.data;
+  }
+  async buildRequest(path) {
+    const headers = {};
+    if (this.config.relayUrl) {
+      const url2 = `${this.config.relayUrl}${path}`;
+      if (this.config.accessTokenFn) {
+        headers["Authorization"] = `Bearer ${await this.config.accessTokenFn()}`;
+      } else if (this.config.internalKey) {
+        headers["X-Internal-Key"] = this.config.internalKey;
+      }
+      return { url: url2, headers };
+    }
+    const baseUrl = this.config.janusUrl ?? DEFAULT_JANUS_URL;
+    const url = `${baseUrl}${RELAY_API_PATH}${path}`;
+    headers["Authorization"] = `Bearer ${this.getToken()}`;
+    return { url, headers };
+  }
+  getToken() {
+    if (this.cachedToken && !isTokenExpired(this.cachedToken)) {
+      return this.cachedToken;
+    }
+    if (!this.config.jwtSecret || !this.config.programId) {
+      throw new RelayError(
+        "jwtSecret and programId are required for Janus auth",
+        500,
+        "CONFIG_ERROR"
+      );
+    }
+    this.cachedToken = mintServiceJwt(
+      this.config.jwtSecret,
+      this.config.programId,
+      this.config.tokenTtlSeconds
+    );
+    return this.cachedToken;
+  }
+};
+function sleep(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+export {
+  RelayClient,
+  RelayError,
+  isTokenExpired,
+  mintServiceJwt
+};

package/package.json

@@ -0,0 +1,48 @@
+{
+  "name": "@insureco/relay",
+  "version": "0.3.1",
+  "description": "SDK for sending email and SMS through InsureRelay on the Tawa platform",
+  "main": "dist/index.js",
+  "module": "dist/index.mjs",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.mjs",
+      "require": "./dist/index.js"
+    }
+  },
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "build": "tsup src/index.ts --format cjs,esm --dts --clean",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "lint": "tsc --noEmit",
+    "prepublishOnly": "npm run build"
+  },
+  "keywords": [
+    "insureco",
+    "tawa",
+    "relay",
+    "email",
+    "sms",
+    "sendgrid",
+    "twilio"
+  ],
+  "author": "InsurEco",
+  "license": "MIT",
+  "publishConfig": {
+    "access": "public"
+  },
+  "devDependencies": {
+    "@types/node": "^25.2.3",
+    "tsup": "^8.0.0",
+    "typescript": "^5.4.0",
+    "vitest": "^2.0.0"
+  },
+  "engines": {
+    "node": ">=18.0.0"
+  }
+}