@terminator-network/core 0.1.0

package/dist/index.js

@@ -0,0 +1,1109 @@
+// src/config.ts
+import { z } from "zod";
+import { homedir } from "os";
+import { join } from "path";
+var ConfigSchema = z.object({
+  // Cloudflare Email
+  cfApiToken: z.string().optional(),
+  cfAccountId: z.string().optional(),
+  cfZoneId: z.string().optional(),
+  emailDomain: z.string().optional(),
+  // Twilio
+  twilioAccountSid: z.string().optional(),
+  twilioAuthToken: z.string().optional(),
+  // Lithic
+  lithicApiKey: z.string().optional(),
+  lithicEnvironment: z.enum(["sandbox", "production"]).default("sandbox"),
+  // General
+  dbPath: z.string().default(join(homedir(), ".terminator", "terminator.db")),
+  logLevel: z.enum(["debug", "info", "warn", "error"]).default("info"),
+  maxIdentities: z.coerce.number().int().positive().default(50),
+  defaultTtlMinutes: z.coerce.number().int().positive().default(60),
+  defaultSpendLimitCents: z.coerce.number().int().positive().default(5e3)
+});
+function loadConfig(overrides) {
+  const raw = {
+    cfApiToken: process.env.TERMINATOR_CF_API_TOKEN,
+    cfAccountId: process.env.TERMINATOR_CF_ACCOUNT_ID,
+    cfZoneId: process.env.TERMINATOR_CF_ZONE_ID,
+    emailDomain: process.env.TERMINATOR_EMAIL_DOMAIN,
+    twilioAccountSid: process.env.TERMINATOR_TWILIO_ACCOUNT_SID,
+    twilioAuthToken: process.env.TERMINATOR_TWILIO_AUTH_TOKEN,
+    lithicApiKey: process.env.TERMINATOR_LITHIC_API_KEY,
+    lithicEnvironment: process.env.TERMINATOR_LITHIC_ENVIRONMENT,
+    dbPath: process.env.TERMINATOR_DB_PATH,
+    logLevel: process.env.TERMINATOR_LOG_LEVEL,
+    maxIdentities: process.env.TERMINATOR_MAX_IDENTITIES,
+    defaultTtlMinutes: process.env.TERMINATOR_DEFAULT_TTL_MINUTES,
+    defaultSpendLimitCents: process.env.TERMINATOR_DEFAULT_SPEND_LIMIT_CENTS,
+    ...overrides
+  };
+  const filtered = Object.fromEntries(
+    Object.entries(raw).filter(([_, v]) => v !== void 0)
+  );
+  const result = ConfigSchema.safeParse(filtered);
+  if (!result.success) {
+    const issues = result.error.issues.map((i) => `  ${i.path.join(".")}: ${i.message}`);
+    throw new Error(`Terminator configuration error:
+${issues.join("\n")}`);
+  }
+  return result.data;
+}
+function getConfiguredProviders(config) {
+  return {
+    email: !!(config.cfApiToken && config.cfAccountId && config.emailDomain),
+    phone: !!(config.twilioAccountSid && config.twilioAuthToken),
+    card: !!config.lithicApiKey
+  };
+}
+
+// src/identity/persona.ts
+var FIRST_NAMES = [
+  "Alex",
+  "Jordan",
+  "Taylor",
+  "Morgan",
+  "Casey",
+  "Riley",
+  "Quinn",
+  "Avery",
+  "Blake",
+  "Drew",
+  "Ellis",
+  "Finley",
+  "Harper",
+  "Jamie",
+  "Kai",
+  "Lane",
+  "Marley",
+  "Nico",
+  "Parker",
+  "Reese",
+  "Sage",
+  "Skyler",
+  "Tatum",
+  "Val",
+  "Wren"
+];
+var LAST_NAMES = [
+  "Anderson",
+  "Brooks",
+  "Chen",
+  "Davis",
+  "Evans",
+  "Foster",
+  "Garcia",
+  "Hayes",
+  "Ito",
+  "Jensen",
+  "Kim",
+  "Lambert",
+  "Mitchell",
+  "Nakamura",
+  "Ortiz",
+  "Palmer",
+  "Reed",
+  "Shaw",
+  "Torres",
+  "Vance",
+  "Walsh",
+  "Young",
+  "Zhang",
+  "Barrett",
+  "Cole"
+];
+var STREETS = [
+  "123 Oak Ave",
+  "456 Maple St",
+  "789 Pine Rd",
+  "321 Elm Dr",
+  "654 Cedar Ln",
+  "987 Birch Way",
+  "147 Willow Ct",
+  "258 Spruce Blvd",
+  "369 Aspen Pl",
+  "741 Walnut Ter"
+];
+var CITIES_STATES = [
+  { city: "Portland", state: "OR", zip: "97201" },
+  { city: "Austin", state: "TX", zip: "78701" },
+  { city: "Denver", state: "CO", zip: "80202" },
+  { city: "Seattle", state: "WA", zip: "98101" },
+  { city: "Chicago", state: "IL", zip: "60601" },
+  { city: "Boston", state: "MA", zip: "02101" },
+  { city: "Atlanta", state: "GA", zip: "30301" },
+  { city: "Miami", state: "FL", zip: "33101" },
+  { city: "Phoenix", state: "AZ", zip: "85001" },
+  { city: "Minneapolis", state: "MN", zip: "55401" }
+];
+function pick(arr) {
+  return arr[Math.floor(Math.random() * arr.length)];
+}
+function createPersona() {
+  const firstName = pick(FIRST_NAMES);
+  const lastName = pick(LAST_NAMES);
+  const location = pick(CITIES_STATES);
+  const street = pick(STREETS);
+  return {
+    firstName,
+    lastName,
+    fullName: `${firstName} ${lastName}`,
+    address: {
+      line1: street,
+      city: location.city,
+      state: location.state,
+      postalCode: location.zip,
+      country: "US"
+    }
+  };
+}
+
+// src/kill-switch.ts
+var KillSwitch = class {
+  constructor(identityStore, activityLog, emailProvider, phoneProvider, cardProvider) {
+    this.identityStore = identityStore;
+    this.activityLog = activityLog;
+    this.emailProvider = emailProvider;
+    this.phoneProvider = phoneProvider;
+    this.cardProvider = cardProvider;
+  }
+  async killIdentity(id) {
+    const identity = this.identityStore.get(id);
+    if (!identity) throw new Error(`Identity not found: ${id}`);
+    this.identityStore.updateStatus(id, "killing");
+    this.activityLog.append({
+      identityId: id,
+      eventType: "identity.killing",
+      provider: null,
+      resourceType: "identity",
+      resourceId: id,
+      details: null,
+      costEstimateCents: null
+    });
+    const result = {
+      identityId: id,
+      emailRevoked: false,
+      phoneRevoked: false,
+      cardRevoked: false,
+      errors: []
+    };
+    const tasks = [];
+    if (identity.email && identity.emailProviderId && this.emailProvider) {
+      tasks.push(
+        this.revokeEmail(identity, result)
+      );
+    }
+    if (identity.phone && identity.phoneProviderId && this.phoneProvider) {
+      tasks.push(
+        this.revokePhone(identity, result)
+      );
+    }
+    if (identity.cardProviderId && this.cardProvider) {
+      tasks.push(
+        this.revokeCard(identity, result)
+      );
+    }
+    await Promise.allSettled(tasks);
+    this.identityStore.updateStatus(id, "killed");
+    this.activityLog.append({
+      identityId: id,
+      eventType: "identity.killed",
+      provider: null,
+      resourceType: "identity",
+      resourceId: id,
+      details: {
+        emailRevoked: result.emailRevoked,
+        phoneRevoked: result.phoneRevoked,
+        cardRevoked: result.cardRevoked,
+        errors: result.errors
+      },
+      costEstimateCents: null
+    });
+    return result;
+  }
+  async killAll() {
+    const active = this.identityStore.list("active");
+    const provisioning = this.identityStore.list("provisioning");
+    const all = [...active, ...provisioning];
+    const results = [];
+    for (const identity of all) {
+      try {
+        const result = await this.killIdentity(identity.id);
+        results.push(result);
+      } catch (error) {
+        results.push({
+          identityId: identity.id,
+          emailRevoked: false,
+          phoneRevoked: false,
+          cardRevoked: false,
+          errors: [error instanceof Error ? error.message : String(error)]
+        });
+      }
+    }
+    return results;
+  }
+  async revokeEmail(identity, result) {
+    try {
+      await this.emailProvider.deleteInbox({
+        address: identity.email,
+        providerId: identity.emailProviderId,
+        provider: this.emailProvider.name
+      });
+      result.emailRevoked = true;
+      this.activityLog.append({
+        identityId: identity.id,
+        eventType: "email.inbox_deleted",
+        provider: this.emailProvider.name,
+        resourceType: "email",
+        resourceId: identity.emailProviderId,
+        details: { address: identity.email },
+        costEstimateCents: null
+      });
+    } catch (error) {
+      result.errors.push(`Email: ${error instanceof Error ? error.message : String(error)}`);
+    }
+  }
+  async revokePhone(identity, result) {
+    try {
+      await this.phoneProvider.releaseNumber({
+        number: identity.phone,
+        providerId: identity.phoneProviderId,
+        provider: this.phoneProvider.name
+      });
+      result.phoneRevoked = true;
+      this.activityLog.append({
+        identityId: identity.id,
+        eventType: "phone.released",
+        provider: this.phoneProvider.name,
+        resourceType: "phone",
+        resourceId: identity.phoneProviderId,
+        details: { number: identity.phone },
+        costEstimateCents: null
+      });
+    } catch (error) {
+      result.errors.push(`Phone: ${error instanceof Error ? error.message : String(error)}`);
+    }
+  }
+  async revokeCard(identity, result) {
+    try {
+      await this.cardProvider.deactivateCard({
+        lastFour: identity.cardLastFour,
+        providerId: identity.cardProviderId,
+        provider: this.cardProvider.name
+      });
+      result.cardRevoked = true;
+      this.activityLog.append({
+        identityId: identity.id,
+        eventType: "card.deactivated",
+        provider: this.cardProvider.name,
+        resourceType: "card",
+        resourceId: identity.cardProviderId,
+        details: { lastFour: identity.cardLastFour },
+        costEstimateCents: null
+      });
+    } catch (error) {
+      result.errors.push(`Card: ${error instanceof Error ? error.message : String(error)}`);
+    }
+  }
+};
+
+// src/parsers/verification.ts
+var CODE_PATTERNS = [
+  // "Your code is 123456" or "verification code: 123456"
+  /(?:code|otp|pin|token)\s*(?:is|:)\s*(\d{4,8})/i,
+  // "123456 is your verification code"
+  /(\d{4,8})\s+is\s+your\s+(?:verification|confirmation|security)\s+code/i,
+  // "Enter 123456 to verify"
+  /enter\s+(\d{4,8})\s+to/i,
+  // Standalone 6-digit code on its own line
+  /^(\d{6})$/m,
+  // "G-123456" (Google-style)
+  /[A-Z]-(\d{4,8})/
+];
+function parseVerificationCode(text) {
+  for (const pattern of CODE_PATTERNS) {
+    const match = text.match(pattern);
+    if (match?.[1]) {
+      return {
+        code: match[1],
+        pattern: pattern.source
+      };
+    }
+  }
+  return null;
+}
+
+// src/policies/engine.ts
+var PolicyEngine = class {
+  constructor(policyStore, identityStore, config) {
+    this.policyStore = policyStore;
+    this.identityStore = identityStore;
+    this.config = config;
+  }
+  checkCreateIdentity(resources, spendLimitCents) {
+    const violations = [];
+    const policies = this.policyStore.getEnabled();
+    for (const policy of policies) {
+      const violation = this.evaluateForCreate(policy, resources, spendLimitCents);
+      if (violation) violations.push(violation);
+    }
+    const activeCount = this.identityStore.countActive();
+    if (activeCount >= this.config.maxIdentities) {
+      violations.push({
+        policy: "built-in:max_identities",
+        ruleType: "max_identities",
+        message: `Maximum active identities reached (${activeCount}/${this.config.maxIdentities})`
+      });
+    }
+    return violations;
+  }
+  evaluateForCreate(policy, resources, spendLimitCents) {
+    switch (policy.ruleType) {
+      case "max_identities": {
+        const max = policy.ruleValue;
+        const activeCount = this.identityStore.countActive();
+        if (activeCount >= max) {
+          return {
+            policy: policy.name,
+            ruleType: policy.ruleType,
+            message: `Policy "${policy.name}": max identities (${max}) reached`
+          };
+        }
+        return null;
+      }
+      case "max_spend_per_identity": {
+        const maxSpend = policy.ruleValue;
+        const requestedSpend = spendLimitCents ?? this.config.defaultSpendLimitCents;
+        if (resources.includes("card") && requestedSpend > maxSpend) {
+          return {
+            policy: policy.name,
+            ruleType: policy.ruleType,
+            message: `Policy "${policy.name}": spend limit $${(requestedSpend / 100).toFixed(2)} exceeds max $${(maxSpend / 100).toFixed(2)}`
+          };
+        }
+        return null;
+      }
+      case "require_card_approval": {
+        if (resources.includes("card") && policy.ruleValue === true) {
+          return {
+            policy: policy.name,
+            ruleType: policy.ruleType,
+            message: `Policy "${policy.name}": card creation requires explicit approval`
+          };
+        }
+        return null;
+      }
+      default:
+        return null;
+    }
+  }
+};
+
+// src/providers/card/mock.ts
+import { ulid } from "ulid";
+var MockCardProvider = class {
+  name = "mock";
+  cards = /* @__PURE__ */ new Map();
+  async createCard(_identity, options) {
+    const id = ulid();
+    const lastFour = String(Math.floor(1e3 + Math.random() * 9e3));
+    const details = {
+      pan: `4242424242${String(Math.floor(1e5 + Math.random() * 9e5))}${lastFour}`,
+      cvv: String(Math.floor(100 + Math.random() * 900)),
+      expMonth: (/* @__PURE__ */ new Date()).getMonth() + 1,
+      expYear: (/* @__PURE__ */ new Date()).getFullYear() + 2,
+      lastFour
+    };
+    this.cards.set(id, { details, active: true });
+    return { lastFour, providerId: id, provider: this.name };
+  }
+  async getCardDetails(card) {
+    const entry = this.cards.get(card.providerId);
+    if (!entry) throw new Error(`Card not found: ${card.providerId}`);
+    if (!entry.active) throw new Error(`Card is deactivated: ${card.providerId}`);
+    return entry.details;
+  }
+  async deactivateCard(card) {
+    const entry = this.cards.get(card.providerId);
+    if (entry) entry.active = false;
+  }
+  async healthCheck() {
+    return { provider: this.name, healthy: true, message: "Mock provider always healthy" };
+  }
+};
+
+// src/providers/email/mock.ts
+import { ulid as ulid2 } from "ulid";
+var MockEmailProvider = class {
+  name = "mock";
+  inboxes = /* @__PURE__ */ new Map();
+  async createInbox(identity) {
+    const id = ulid2();
+    const address = `${identity.persona.firstName.toLowerCase()}-${id.slice(-6).toLowerCase()}@mock.terminator.test`;
+    this.inboxes.set(address, []);
+    return { address, providerId: id, provider: this.name };
+  }
+  async getMessages(inbox, since) {
+    const messages = this.inboxes.get(inbox.address) ?? [];
+    if (!since) return messages;
+    return messages.filter((m) => new Date(m.receivedAt) >= since);
+  }
+  async deleteInbox(inbox) {
+    this.inboxes.delete(inbox.address);
+  }
+  async healthCheck() {
+    return { provider: this.name, healthy: true, message: "Mock provider always healthy" };
+  }
+  // Test helper: inject a message into an inbox
+  injectMessage(address, message) {
+    const messages = this.inboxes.get(address);
+    if (!messages) throw new Error(`No inbox found for ${address}`);
+    messages.push({
+      ...message,
+      id: ulid2(),
+      receivedAt: (/* @__PURE__ */ new Date()).toISOString()
+    });
+  }
+};
+
+// src/providers/phone/mock.ts
+import { ulid as ulid3 } from "ulid";
+var MockPhoneProvider = class {
+  name = "mock";
+  numbers = /* @__PURE__ */ new Map();
+  async provisionNumber(_identity, _options) {
+    const id = ulid3();
+    const areaCode = Math.floor(200 + Math.random() * 800);
+    const lineNumber = Math.floor(1e6 + Math.random() * 9e6);
+    const number = `+1${areaCode}${lineNumber}`;
+    this.numbers.set(number, []);
+    return { number, providerId: id, provider: this.name };
+  }
+  async getMessages(phone, since) {
+    const messages = this.numbers.get(phone.number) ?? [];
+    if (!since) return messages;
+    return messages.filter((m) => new Date(m.receivedAt) >= since);
+  }
+  async releaseNumber(phone) {
+    this.numbers.delete(phone.number);
+  }
+  async healthCheck() {
+    return { provider: this.name, healthy: true, message: "Mock provider always healthy" };
+  }
+  // Test helper: inject an SMS into a number
+  injectSms(number, message) {
+    const messages = this.numbers.get(number);
+    if (!messages) throw new Error(`No phone number found for ${number}`);
+    messages.push({
+      ...message,
+      id: ulid3(),
+      receivedAt: (/* @__PURE__ */ new Date()).toISOString()
+    });
+  }
+};
+
+// src/store/activity-log.ts
+import { ulid as ulid4 } from "ulid";
+function rowToEvent(row) {
+  return {
+    id: row.id,
+    identityId: row.identity_id,
+    timestamp: row.timestamp,
+    eventType: row.event_type,
+    provider: row.provider,
+    resourceType: row.resource_type,
+    resourceId: row.resource_id,
+    details: row.details ? JSON.parse(row.details) : null,
+    costEstimateCents: row.cost_estimate_cents
+  };
+}
+var ActivityLog = class {
+  constructor(db) {
+    this.db = db;
+  }
+  append(event) {
+    const id = ulid4();
+    const timestamp = (/* @__PURE__ */ new Date()).toISOString();
+    this.db.prepare(`
+			INSERT INTO activity_log (
+				id, identity_id, timestamp, event_type, provider,
+				resource_type, resource_id, details, cost_estimate_cents
+			) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)
+		`).run(
+      id,
+      event.identityId,
+      timestamp,
+      event.eventType,
+      event.provider,
+      event.resourceType,
+      event.resourceId,
+      event.details ? JSON.stringify(event.details) : null,
+      event.costEstimateCents
+    );
+    return { id, timestamp, ...event };
+  }
+  query(options) {
+    const conditions = [];
+    const values = [];
+    if (options?.identityId) {
+      conditions.push("identity_id = ?");
+      values.push(options.identityId);
+    }
+    if (options?.eventType) {
+      conditions.push("event_type = ?");
+      values.push(options.eventType);
+    }
+    if (options?.since) {
+      conditions.push("timestamp >= ?");
+      values.push(options.since);
+    }
+    const where = conditions.length > 0 ? `WHERE ${conditions.join(" AND ")}` : "";
+    const limit = options?.limit ? `LIMIT ${options.limit}` : "LIMIT 100";
+    const rows = this.db.prepare(
+      `SELECT * FROM activity_log ${where} ORDER BY timestamp DESC ${limit}`
+    ).all(...values);
+    return rows.map(rowToEvent);
+  }
+};
+
+// src/store/database.ts
+import Database from "better-sqlite3";
+import { mkdirSync } from "fs";
+import { dirname } from "path";
+var SCHEMA = `
+CREATE TABLE IF NOT EXISTS identities (
+  id TEXT PRIMARY KEY,
+  persona_first_name TEXT NOT NULL,
+  persona_last_name TEXT NOT NULL,
+  persona_full_name TEXT NOT NULL,
+  persona_address_json TEXT NOT NULL,
+  email TEXT,
+  email_provider_id TEXT,
+  phone TEXT,
+  phone_provider_id TEXT,
+  card_last_four TEXT,
+  card_provider_id TEXT,
+  status TEXT NOT NULL DEFAULT 'created',
+  spend_limit_cents INTEGER,
+  ttl_expires_at TEXT,
+  resources_json TEXT NOT NULL DEFAULT '[]',
+  created_at TEXT NOT NULL,
+  updated_at TEXT NOT NULL
+);
+
+CREATE TABLE IF NOT EXISTS activity_log (
+  id TEXT PRIMARY KEY,
+  identity_id TEXT,
+  timestamp TEXT NOT NULL,
+  event_type TEXT NOT NULL,
+  provider TEXT,
+  resource_type TEXT,
+  resource_id TEXT,
+  details TEXT,
+  cost_estimate_cents INTEGER,
+  FOREIGN KEY (identity_id) REFERENCES identities(id)
+);
+
+CREATE TABLE IF NOT EXISTS policies (
+  id TEXT PRIMARY KEY,
+  name TEXT NOT NULL,
+  rule_type TEXT NOT NULL,
+  rule_value TEXT NOT NULL,
+  enabled INTEGER NOT NULL DEFAULT 1,
+  created_at TEXT NOT NULL
+);
+
+CREATE INDEX IF NOT EXISTS idx_activity_identity ON activity_log(identity_id);
+CREATE INDEX IF NOT EXISTS idx_activity_timestamp ON activity_log(timestamp);
+CREATE INDEX IF NOT EXISTS idx_activity_event_type ON activity_log(event_type);
+CREATE INDEX IF NOT EXISTS idx_identities_status ON identities(status);
+`;
+function createDatabase(dbPath) {
+  mkdirSync(dirname(dbPath), { recursive: true });
+  const db = new Database(dbPath);
+  db.pragma("journal_mode = WAL");
+  db.pragma("foreign_keys = ON");
+  db.exec(SCHEMA);
+  return db;
+}
+function createInMemoryDatabase() {
+  const db = new Database(":memory:");
+  db.pragma("foreign_keys = ON");
+  db.exec(SCHEMA);
+  return db;
+}
+
+// src/store/identities.ts
+import { ulid as ulid5 } from "ulid";
+
+// src/identity/state-machine.ts
+var VALID_TRANSITIONS = {
+  created: ["provisioning", "failed"],
+  provisioning: ["active", "failed", "killing"],
+  active: ["killing"],
+  killing: ["killed", "failed"],
+  killed: [],
+  failed: ["provisioning", "killing"]
+};
+function canTransition(from, to) {
+  return VALID_TRANSITIONS[from]?.includes(to) ?? false;
+}
+function assertTransition(from, to) {
+  if (!canTransition(from, to)) {
+    throw new Error(`Invalid identity transition: ${from} -> ${to}`);
+  }
+}
+
+// src/store/identities.ts
+function rowToIdentity(row) {
+  return {
+    id: row.id,
+    persona: {
+      firstName: row.persona_first_name,
+      lastName: row.persona_last_name,
+      fullName: row.persona_full_name,
+      address: JSON.parse(row.persona_address_json)
+    },
+    status: row.status,
+    email: row.email ?? void 0,
+    emailProviderId: row.email_provider_id ?? void 0,
+    phone: row.phone ?? void 0,
+    phoneProviderId: row.phone_provider_id ?? void 0,
+    cardLastFour: row.card_last_four ?? void 0,
+    cardProviderId: row.card_provider_id ?? void 0,
+    spendLimitCents: row.spend_limit_cents ?? void 0,
+    ttlExpiresAt: row.ttl_expires_at ?? void 0,
+    resources: JSON.parse(row.resources_json),
+    createdAt: row.created_at,
+    updatedAt: row.updated_at
+  };
+}
+var IdentityStore = class {
+  constructor(db) {
+    this.db = db;
+  }
+  create(persona, resources, options) {
+    const id = ulid5();
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    const ttlExpiresAt = options?.ttlMinutes ? new Date(Date.now() + options.ttlMinutes * 6e4).toISOString() : null;
+    this.db.prepare(`
+			INSERT INTO identities (
+				id, persona_first_name, persona_last_name, persona_full_name,
+				persona_address_json, status, spend_limit_cents, ttl_expires_at,
+				resources_json, created_at, updated_at
+			) VALUES (?, ?, ?, ?, ?, 'created', ?, ?, ?, ?, ?)
+		`).run(
+      id,
+      persona.firstName,
+      persona.lastName,
+      persona.fullName,
+      JSON.stringify(persona.address),
+      options?.spendLimitCents ?? null,
+      ttlExpiresAt,
+      JSON.stringify(resources),
+      now,
+      now
+    );
+    return this.get(id);
+  }
+  get(id) {
+    const row = this.db.prepare("SELECT * FROM identities WHERE id = ?").get(id);
+    return row ? rowToIdentity(row) : null;
+  }
+  list(status) {
+    const rows = status ? this.db.prepare("SELECT * FROM identities WHERE status = ? ORDER BY created_at DESC").all(status) : this.db.prepare("SELECT * FROM identities ORDER BY created_at DESC").all();
+    return rows.map(rowToIdentity);
+  }
+  updateStatus(id, newStatus) {
+    const current = this.get(id);
+    if (!current) throw new Error(`Identity not found: ${id}`);
+    assertTransition(current.status, newStatus);
+    this.db.prepare("UPDATE identities SET status = ?, updated_at = ? WHERE id = ?").run(
+      newStatus,
+      (/* @__PURE__ */ new Date()).toISOString(),
+      id
+    );
+    return this.get(id);
+  }
+  updateResources(id, updates) {
+    const sets = [];
+    const values = [];
+    if (updates.email !== void 0) {
+      sets.push("email = ?");
+      values.push(updates.email ?? null);
+    }
+    if (updates.emailProviderId !== void 0) {
+      sets.push("email_provider_id = ?");
+      values.push(updates.emailProviderId ?? null);
+    }
+    if (updates.phone !== void 0) {
+      sets.push("phone = ?");
+      values.push(updates.phone ?? null);
+    }
+    if (updates.phoneProviderId !== void 0) {
+      sets.push("phone_provider_id = ?");
+      values.push(updates.phoneProviderId ?? null);
+    }
+    if (updates.cardLastFour !== void 0) {
+      sets.push("card_last_four = ?");
+      values.push(updates.cardLastFour ?? null);
+    }
+    if (updates.cardProviderId !== void 0) {
+      sets.push("card_provider_id = ?");
+      values.push(updates.cardProviderId ?? null);
+    }
+    if (sets.length === 0) return this.get(id);
+    sets.push("updated_at = ?");
+    values.push((/* @__PURE__ */ new Date()).toISOString());
+    values.push(id);
+    this.db.prepare(`UPDATE identities SET ${sets.join(", ")} WHERE id = ?`).run(...values);
+    return this.get(id);
+  }
+  getExpired() {
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    const rows = this.db.prepare(
+      "SELECT * FROM identities WHERE ttl_expires_at IS NOT NULL AND ttl_expires_at <= ? AND status = 'active'"
+    ).all(now);
+    return rows.map(rowToIdentity);
+  }
+  countActive() {
+    const row = this.db.prepare(
+      "SELECT COUNT(*) as count FROM identities WHERE status IN ('created', 'provisioning', 'active')"
+    ).get();
+    return row.count;
+  }
+};
+
+// src/store/policies.ts
+import { ulid as ulid6 } from "ulid";
+function rowToPolicy(row) {
+  return {
+    id: row.id,
+    name: row.name,
+    ruleType: row.rule_type,
+    ruleValue: JSON.parse(row.rule_value),
+    enabled: row.enabled === 1,
+    createdAt: row.created_at
+  };
+}
+var PolicyStore = class {
+  constructor(db) {
+    this.db = db;
+  }
+  create(name, ruleType, ruleValue) {
+    const id = ulid6();
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    this.db.prepare(`
+			INSERT INTO policies (id, name, rule_type, rule_value, enabled, created_at)
+			VALUES (?, ?, ?, ?, 1, ?)
+		`).run(id, name, ruleType, JSON.stringify(ruleValue), now);
+    return this.get(id);
+  }
+  get(id) {
+    const row = this.db.prepare("SELECT * FROM policies WHERE id = ?").get(id);
+    return row ? rowToPolicy(row) : null;
+  }
+  list() {
+    const rows = this.db.prepare("SELECT * FROM policies ORDER BY created_at DESC").all();
+    return rows.map(rowToPolicy);
+  }
+  getEnabled() {
+    const rows = this.db.prepare(
+      "SELECT * FROM policies WHERE enabled = 1 ORDER BY created_at DESC"
+    ).all();
+    return rows.map(rowToPolicy);
+  }
+  setEnabled(id, enabled) {
+    this.db.prepare("UPDATE policies SET enabled = ? WHERE id = ?").run(enabled ? 1 : 0, id);
+  }
+  delete(id) {
+    this.db.prepare("DELETE FROM policies WHERE id = ?").run(id);
+  }
+};
+
+// src/terminator.ts
+var Terminator = class {
+  config;
+  identityStore;
+  activityLog;
+  policyStore;
+  policyEngine;
+  killSwitch;
+  emailProvider;
+  phoneProvider;
+  cardProvider;
+  db;
+  constructor(options = {}) {
+    this.config = loadConfig(options.config);
+    this.db = options.inMemory ? createInMemoryDatabase() : createDatabase(this.config.dbPath);
+    this.identityStore = new IdentityStore(this.db);
+    this.activityLog = new ActivityLog(this.db);
+    this.policyStore = new PolicyStore(this.db);
+    this.emailProvider = options.emailProvider ?? new MockEmailProvider();
+    this.phoneProvider = options.phoneProvider ?? new MockPhoneProvider();
+    this.cardProvider = options.cardProvider ?? new MockCardProvider();
+    this.policyEngine = new PolicyEngine(
+      this.policyStore,
+      this.identityStore,
+      this.config
+    );
+    this.killSwitch = new KillSwitch(
+      this.identityStore,
+      this.activityLog,
+      this.emailProvider,
+      this.phoneProvider,
+      this.cardProvider
+    );
+  }
+  async createIdentity(options = {}) {
+    const resources = options.resources ?? ["email", "phone", "card"];
+    const spendLimitCents = options.spendLimitCents ?? this.config.defaultSpendLimitCents;
+    const ttlMinutes = options.ttlMinutes ?? this.config.defaultTtlMinutes;
+    const violations = this.policyEngine.checkCreateIdentity(resources, spendLimitCents);
+    const cardApprovalViolation = violations.find(
+      (v) => v.ruleType === "require_card_approval"
+    );
+    const otherViolations = violations.filter((v) => v.ruleType !== "require_card_approval");
+    if (otherViolations.length > 0) {
+      throw new PolicyViolationError(otherViolations);
+    }
+    if (cardApprovalViolation && resources.includes("card") && !options.confirm) {
+      throw new PolicyViolationError([cardApprovalViolation]);
+    }
+    const persona = createPersona();
+    let identity = this.identityStore.create(persona, resources, {
+      spendLimitCents,
+      ttlMinutes
+    });
+    this.activityLog.append({
+      identityId: identity.id,
+      eventType: "identity.created",
+      provider: null,
+      resourceType: "identity",
+      resourceId: identity.id,
+      details: { resources, persona: { name: persona.fullName } },
+      costEstimateCents: null
+    });
+    identity = this.identityStore.updateStatus(identity.id, "provisioning");
+    this.activityLog.append({
+      identityId: identity.id,
+      eventType: "identity.provisioning",
+      provider: null,
+      resourceType: "identity",
+      resourceId: identity.id,
+      details: { resources },
+      costEstimateCents: null
+    });
+    const errors = [];
+    if (resources.includes("email") && this.emailProvider) {
+      try {
+        const inbox = await this.emailProvider.createInbox(identity);
+        identity = this.identityStore.updateResources(identity.id, {
+          email: inbox.address,
+          emailProviderId: inbox.providerId
+        });
+        persona.email = inbox.address;
+        this.activityLog.append({
+          identityId: identity.id,
+          eventType: "email.inbox_created",
+          provider: this.emailProvider.name,
+          resourceType: "email",
+          resourceId: inbox.providerId,
+          details: { address: inbox.address },
+          costEstimateCents: 0
+        });
+      } catch (error) {
+        errors.push(`email: ${error instanceof Error ? error.message : String(error)}`);
+      }
+    }
+    if (resources.includes("phone") && this.phoneProvider) {
+      try {
+        const phone = await this.phoneProvider.provisionNumber(identity);
+        identity = this.identityStore.updateResources(identity.id, {
+          phone: phone.number,
+          phoneProviderId: phone.providerId
+        });
+        persona.phone = phone.number;
+        this.activityLog.append({
+          identityId: identity.id,
+          eventType: "phone.provisioned",
+          provider: this.phoneProvider.name,
+          resourceType: "phone",
+          resourceId: phone.providerId,
+          details: { number: phone.number },
+          costEstimateCents: 115
+          // ~$1.15/month for Twilio number
+        });
+      } catch (error) {
+        errors.push(`phone: ${error instanceof Error ? error.message : String(error)}`);
+      }
+    }
+    if (resources.includes("card") && this.cardProvider) {
+      try {
+        const card = await this.cardProvider.createCard(identity, {
+          spendLimitCents,
+          type: "single_use"
+        });
+        identity = this.identityStore.updateResources(identity.id, {
+          cardLastFour: card.lastFour,
+          cardProviderId: card.providerId
+        });
+        this.activityLog.append({
+          identityId: identity.id,
+          eventType: "card.created",
+          provider: this.cardProvider.name,
+          resourceType: "card",
+          resourceId: card.providerId,
+          details: { lastFour: card.lastFour, spendLimitCents },
+          costEstimateCents: 10
+          // ~$0.10 per virtual card
+        });
+      } catch (error) {
+        errors.push(`card: ${error instanceof Error ? error.message : String(error)}`);
+      }
+    }
+    const hasAnyResource = identity.email || identity.phone || identity.cardProviderId;
+    if (hasAnyResource) {
+      identity = this.identityStore.updateStatus(identity.id, "active");
+      this.activityLog.append({
+        identityId: identity.id,
+        eventType: "identity.active",
+        provider: null,
+        resourceType: "identity",
+        resourceId: identity.id,
+        details: errors.length > 0 ? { partialErrors: errors } : null,
+        costEstimateCents: null
+      });
+    } else {
+      identity = this.identityStore.updateStatus(identity.id, "failed");
+      this.activityLog.append({
+        identityId: identity.id,
+        eventType: "identity.failed",
+        provider: null,
+        resourceType: "identity",
+        resourceId: identity.id,
+        details: { errors },
+        costEstimateCents: null
+      });
+    }
+    return identity;
+  }
+  getIdentity(id) {
+    return this.identityStore.get(id);
+  }
+  listIdentities(status) {
+    if (status === "all" || status === void 0) return this.identityStore.list();
+    return this.identityStore.list(status);
+  }
+  async readMessages(identityId, since) {
+    const identity = this.identityStore.get(identityId);
+    if (!identity) throw new Error(`Identity not found: ${identityId}`);
+    const emails = [];
+    const sms = [];
+    if (identity.email && identity.emailProviderId && this.emailProvider) {
+      const inbox = {
+        address: identity.email,
+        providerId: identity.emailProviderId,
+        provider: this.emailProvider.name
+      };
+      const messages = await this.emailProvider.getMessages(inbox, since);
+      emails.push(...messages);
+    }
+    if (identity.phone && identity.phoneProviderId && this.phoneProvider) {
+      const phone = {
+        number: identity.phone,
+        providerId: identity.phoneProviderId,
+        provider: this.phoneProvider.name
+      };
+      const messages = await this.phoneProvider.getMessages(phone, since);
+      sms.push(...messages);
+    }
+    return { emails, sms };
+  }
+  async getCardDetails(identityId) {
+    const identity = this.identityStore.get(identityId);
+    if (!identity) throw new Error(`Identity not found: ${identityId}`);
+    if (!identity.cardProviderId || !this.cardProvider) {
+      throw new Error("No card associated with this identity");
+    }
+    return this.cardProvider.getCardDetails({
+      lastFour: identity.cardLastFour,
+      providerId: identity.cardProviderId,
+      provider: this.cardProvider.name
+    });
+  }
+  async extractCode(identityId) {
+    const { emails, sms } = await this.readMessages(identityId);
+    for (const msg of [...sms].reverse()) {
+      const result = parseVerificationCode(msg.body);
+      if (result) return result.code;
+    }
+    for (const msg of [...emails].reverse()) {
+      const text = msg.text || msg.subject;
+      const result = parseVerificationCode(text);
+      if (result) return result.code;
+    }
+    return null;
+  }
+  async killIdentity(id) {
+    return this.killSwitch.killIdentity(id);
+  }
+  async killAll() {
+    return this.killSwitch.killAll();
+  }
+  getActivityLog(options) {
+    return this.activityLog.query(options);
+  }
+  async checkStatus() {
+    const providers = [];
+    if (this.emailProvider) {
+      providers.push(await this.emailProvider.healthCheck());
+    }
+    if (this.phoneProvider) {
+      providers.push(await this.phoneProvider.healthCheck());
+    }
+    if (this.cardProvider) {
+      providers.push(await this.cardProvider.healthCheck());
+    }
+    return {
+      providers,
+      activeIdentities: this.identityStore.countActive(),
+      configuredProviders: {
+        email: !!this.emailProvider,
+        phone: !!this.phoneProvider,
+        card: !!this.cardProvider
+      }
+    };
+  }
+  close() {
+    this.db.close();
+  }
+};
+var PolicyViolationError = class extends Error {
+  constructor(violations) {
+    super(violations.map((v) => v.message).join("; "));
+    this.violations = violations;
+    this.name = "PolicyViolationError";
+  }
+};
+export {
+  ActivityLog,
+  IdentityStore,
+  KillSwitch,
+  MockCardProvider,
+  MockEmailProvider,
+  MockPhoneProvider,
+  PolicyEngine,
+  PolicyStore,
+  PolicyViolationError,
+  Terminator,
+  assertTransition,
+  canTransition,
+  createDatabase,
+  createInMemoryDatabase,
+  createPersona,
+  getConfiguredProviders,
+  loadConfig,
+  parseVerificationCode
+};
+//# sourceMappingURL=index.js.map