@vibeiao/sdk 0.1.25 → 0.1.30

package/dist/chunk-EBI7WT76.js

@@ -0,0 +1,140 @@
+// src/survivalEscapeHatch.ts
+var defaultPolicy = {
+  enabled: true,
+  provider: "bitlaunch",
+  allowedModes: ["SURVIVE", "BLINK"],
+  requirePreProvisionedProviderAccount: true,
+  requireProviderApiKey: true,
+  providerApiKeyEnv: "BITLAUNCH_API_KEY",
+  maxProvisionUsd: 20,
+  minPostProvisionReserveUsd: 10,
+  requireRecentBackup: true,
+  maxBackupAgeMs: 6 * 60 * 60 * 1e3,
+  // 6h
+  requireRecentRestoreDrill: true,
+  maxRestoreDrillAgeMs: 24 * 60 * 60 * 1e3
+  // 24h
+};
+var checklistForProvider = (provider) => [
+  `Use pre-provisioned ${provider} account only (no signup flow during incident).`,
+  "Write encrypted backup now and verify artifact exists.",
+  "Run restore drill against that backup and verify pass.",
+  "Provision from known template and bootstrap script.",
+  "Run smoke checks (health, memory restore, process running).",
+  "Only mark migration complete after post-boot validation passes."
+];
+var evaluateEscapeHatch = (snapshot, policy, options) => {
+  const p = {
+    ...defaultPolicy,
+    ...policy || {}
+  };
+  const nowMs = snapshot.nowMs ?? Date.now();
+  const resolveEnv = options?.resolveEnv;
+  const failures = [];
+  const warnings = [];
+  const requiredEnv = [];
+  const manualItems = [];
+  const estimatedProvisionUsd = Number(snapshot.estimatedProvisionUsd ?? NaN);
+  const currentReserveUsd = Number(snapshot.currentReserveUsd ?? NaN);
+  const hasApiKeyByEnv = resolveEnv ? Boolean(resolveEnv(p.providerApiKeyEnv)) : false;
+  const hasProviderApiKey = snapshot.hasProviderApiKey ?? hasApiKeyByEnv;
+  if (!p.enabled) {
+    failures.push("escape hatch is disabled by policy");
+  }
+  if (!p.allowedModes.includes(snapshot.mode)) {
+    failures.push(`mode ${snapshot.mode} is not allowed for escape hatch (${p.allowedModes.join(", ")})`);
+  }
+  if (p.requirePreProvisionedProviderAccount && !snapshot.hasPreProvisionedProviderAccount) {
+    failures.push("provider account is not pre-provisioned");
+    manualItems.push("Pre-provision provider account before automated escape hatch can run.");
+  }
+  if (p.requireProviderApiKey && !hasProviderApiKey) {
+    failures.push(`missing provider API key (${p.providerApiKeyEnv})`);
+    requiredEnv.push(p.providerApiKeyEnv);
+    manualItems.push(`Set ${p.providerApiKeyEnv} via secure env management.`);
+  }
+  if (!Number.isFinite(estimatedProvisionUsd) || estimatedProvisionUsd <= 0) {
+    failures.push("estimatedProvisionUsd must be a positive number");
+  }
+  if (!Number.isFinite(currentReserveUsd) || currentReserveUsd < 0) {
+    failures.push("currentReserveUsd must be a non-negative number");
+  }
+  const safeProvisionUsd = Number.isFinite(estimatedProvisionUsd) ? estimatedProvisionUsd : 0;
+  const safeReserveUsd = Number.isFinite(currentReserveUsd) ? currentReserveUsd : 0;
+  const postProvisionReserveUsd = safeReserveUsd - safeProvisionUsd;
+  if (safeProvisionUsd > p.maxProvisionUsd) {
+    failures.push(`estimated provisioning cost (${safeProvisionUsd}) exceeds maxProvisionUsd (${p.maxProvisionUsd})`);
+  }
+  if (postProvisionReserveUsd < p.minPostProvisionReserveUsd) {
+    failures.push(
+      `post-provision reserve (${postProvisionReserveUsd}) is below minPostProvisionReserveUsd (${p.minPostProvisionReserveUsd})`
+    );
+  }
+  if (p.requireRecentBackup) {
+    if (!snapshot.backupWrittenAtMs) {
+      failures.push("missing backupWrittenAtMs proof");
+    } else if (nowMs - snapshot.backupWrittenAtMs > p.maxBackupAgeMs) {
+      failures.push(`backup is stale (ageMs=${nowMs - snapshot.backupWrittenAtMs}, maxBackupAgeMs=${p.maxBackupAgeMs})`);
+    }
+  }
+  if (p.requireRecentRestoreDrill) {
+    if (!snapshot.restoreDrillPassedAtMs) {
+      failures.push("missing restoreDrillPassedAtMs proof");
+    } else if (nowMs - snapshot.restoreDrillPassedAtMs > p.maxRestoreDrillAgeMs) {
+      failures.push(
+        `restore drill is stale (ageMs=${nowMs - snapshot.restoreDrillPassedAtMs}, maxRestoreDrillAgeMs=${p.maxRestoreDrillAgeMs})`
+      );
+    }
+  }
+  if (snapshot.mode === "BLINK" && postProvisionReserveUsd < p.minPostProvisionReserveUsd + 2) {
+    warnings.push("BLINK mode with thin reserve after provisioning; high risk of immediate re-blink.");
+  }
+  const allowed = failures.length === 0;
+  const reason = allowed ? "escape hatch guardrails satisfied" : `escape hatch denied: ${failures[0]}`;
+  return {
+    allowed,
+    provider: p.provider,
+    reason,
+    failures,
+    warnings,
+    requiredEnv: Array.from(new Set(requiredEnv)),
+    checklist: checklistForProvider(p.provider),
+    manualIntervention: {
+      needed: manualItems.length > 0,
+      items: Array.from(new Set(manualItems))
+    },
+    budget: {
+      estimatedProvisionUsd: safeProvisionUsd,
+      currentReserveUsd: safeReserveUsd,
+      postProvisionReserveUsd,
+      maxProvisionUsd: p.maxProvisionUsd,
+      minPostProvisionReserveUsd: p.minPostProvisionReserveUsd
+    }
+  };
+};
+var formatEscapeHatchDecision = (decision) => {
+  const lines = [];
+  lines.push(decision.allowed ? "[ESCAPE_HATCH] ALLOWED" : "[ESCAPE_HATCH] DENIED");
+  lines.push(`Provider: ${decision.provider}`);
+  lines.push(`Reason: ${decision.reason}`);
+  lines.push(
+    `Budget: est=${decision.budget.estimatedProvisionUsd}, reserve=${decision.budget.currentReserveUsd}, post=${decision.budget.postProvisionReserveUsd}`
+  );
+  if (decision.failures.length) {
+    lines.push("Failures:");
+    decision.failures.forEach((f) => lines.push(`- ${f}`));
+  }
+  if (decision.requiredEnv.length) {
+    lines.push(`Required env: ${decision.requiredEnv.join(", ")}`);
+  }
+  if (decision.manualIntervention.needed) {
+    lines.push("Manual intervention:");
+    decision.manualIntervention.items.forEach((i) => lines.push(`- ${i}`));
+  }
+  return lines.join("\n");
+};
+
+export {
+  evaluateEscapeHatch,
+  formatEscapeHatchDecision
+};