tryaudex_core/

estimate.rs

use std::collections::HashMap;

use serde::{Deserialize, Serialize};

use crate::policy::ScopedPolicy;

/// Cost estimate for a set of IAM actions.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CostEstimate {
    /// Per-service cost breakdown.
    pub services: Vec<ServiceEstimate>,
    /// Total estimated cost for the session.
    pub total_min: f64,
    pub total_max: f64,
    /// Risk level: "low", "medium", "high".
    pub risk_level: String,
    /// Human-readable warnings.
    pub warnings: Vec<String>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct ServiceEstimate {
    pub service: String,
    pub actions: Vec<String>,
    pub min_cost: f64,
    pub max_cost: f64,
    pub notes: String,
}

/// Known cost profiles for common AWS, GCP, and Azure services.
/// These are rough estimates based on typical usage patterns.
/// Real costs depend on usage volume, region, and data transfer.
///
/// All AWS prices reflect **us-east-1** on-demand rates. Other regions
/// typically differ by 30-50% (e.g. ap-southeast-1 is ~20-30% higher,
/// eu-west-1 ~5-15% higher). GCP prices reflect us-central1; Azure
/// prices reflect East US.
fn cost_profiles() -> HashMap<&'static str, ServiceCostProfile> {
    HashMap::from([
        // ── AWS ──
        ("s3", ServiceCostProfile {
            read_actions: &["GetObject", "ListBucket", "ListAllMyBuckets", "GetBucketLocation", "HeadObject"],
            write_actions: &["PutObject", "DeleteObject", "CreateBucket", "CopyObject"],
            read_cost_per_1k: 0.0004,   // $0.0004 per 1,000 GET requests
            write_cost_per_1k: 0.005,    // $0.005 per 1,000 PUT requests
            data_cost_per_gb: 0.023,     // $0.023/GB stored
            typical_requests: 100,
            notes: "S3 pricing: GET $0.0004/1K, PUT $0.005/1K, storage $0.023/GB/mo",
        }),
        ("lambda", ServiceCostProfile {
            read_actions: &["GetFunction", "ListFunctions", "GetFunctionConfiguration"],
            write_actions: &["InvokeFunction", "UpdateFunctionCode", "UpdateFunctionConfiguration", "CreateFunction"],
            read_cost_per_1k: 0.0,
            write_cost_per_1k: 0.20,     // ~$0.20 per 1M invocations = $0.0002/1K
            data_cost_per_gb: 0.0000167, // $0.0000166667/GB-second
            typical_requests: 10,
            notes: "Lambda: $0.20/1M requests + $0.0000166667/GB-s compute",
        }),
        ("dynamodb", ServiceCostProfile {
            read_actions: &["GetItem", "Query", "Scan", "BatchGetItem", "DescribeTable", "ListTables"],
            write_actions: &["PutItem", "UpdateItem", "DeleteItem", "BatchWriteItem"],
            read_cost_per_1k: 0.00025,   // $0.25 per 1M RRU
            write_cost_per_1k: 0.00125,  // $1.25 per 1M WRU
            data_cost_per_gb: 0.25,
            typical_requests: 100,
            notes: "DynamoDB on-demand: $0.25/1M RRU, $1.25/1M WRU",
        }),
        ("ec2", ServiceCostProfile {
            read_actions: &["DescribeInstances", "DescribeSecurityGroups", "DescribeSubnets", "DescribeVpcs", "DescribeImages"],
            write_actions: &["RunInstances", "TerminateInstances", "StartInstances", "StopInstances", "CreateSecurityGroup"],
            read_cost_per_1k: 0.0,
            write_cost_per_1k: 0.0,      // EC2 API calls are free, instances cost
            data_cost_per_gb: 0.0,
            typical_requests: 10,
            notes: "EC2 API calls are free. Instance costs: $0.0116/hr (t3.micro) to $3.84/hr (p3.16xlarge)",
        }),
        ("iam", ServiceCostProfile {
            read_actions: &["GetRole", "GetPolicy", "GetPolicyVersion", "ListRolePolicies", "ListAttachedRolePolicies"],
            write_actions: &["CreateRole", "DeleteRole", "AttachRolePolicy", "DetachRolePolicy", "PutRolePolicy", "DeleteRolePolicy", "PassRole"],
            read_cost_per_1k: 0.0,
            write_cost_per_1k: 0.0,
            data_cost_per_gb: 0.0,
            typical_requests: 10,
            notes: "IAM API calls are free. WARNING: IAM changes affect account security",
        }),
        ("sqs", ServiceCostProfile {
            read_actions: &["ReceiveMessage", "GetQueueAttributes", "ListQueues"],
            write_actions: &["SendMessage", "DeleteMessage", "CreateQueue"],
            read_cost_per_1k: 0.0004,
            write_cost_per_1k: 0.0004,
            data_cost_per_gb: 0.0,
            typical_requests: 100,
            notes: "SQS: $0.40/1M requests (first 1M free)",
        }),
        ("sns", ServiceCostProfile {
            read_actions: &["ListTopics", "GetTopicAttributes"],
            write_actions: &["Publish"],
            read_cost_per_1k: 0.0,
            write_cost_per_1k: 0.0005,
            data_cost_per_gb: 0.0,
            typical_requests: 10,
            notes: "SNS: $0.50/1M publishes",
        }),
        ("ecr", ServiceCostProfile {
            read_actions: &["GetAuthorizationToken", "BatchCheckLayerAvailability", "GetDownloadUrlForLayer", "BatchGetImage", "DescribeRepositories"],
            write_actions: &["PutImage", "InitiateLayerUpload", "UploadLayerPart", "CompleteLayerUpload", "CreateRepository"],
            read_cost_per_1k: 0.0,
            write_cost_per_1k: 0.0,
            data_cost_per_gb: 0.10,
            typical_requests: 10,
            notes: "ECR: $0.10/GB/month storage. Data transfer charges apply",
        }),
        ("logs", ServiceCostProfile {
            read_actions: &["GetLogEvents", "DescribeLogGroups", "DescribeLogStreams", "FilterLogEvents"],
            write_actions: &["PutLogEvents", "CreateLogGroup", "CreateLogStream"],
            read_cost_per_1k: 0.005,
            write_cost_per_1k: 0.0,
            data_cost_per_gb: 0.50,
            typical_requests: 50,
            notes: "CloudWatch Logs: $0.50/GB ingested, $0.005/1K queries",
        }),
        ("sts", ServiceCostProfile {
            read_actions: &["GetCallerIdentity"],
            write_actions: &["AssumeRole"],
            read_cost_per_1k: 0.0,
            write_cost_per_1k: 0.0,
            data_cost_per_gb: 0.0,
            typical_requests: 1,
            notes: "STS API calls are free",
        }),
        ("cloudformation", ServiceCostProfile {
            read_actions: &["DescribeStacks", "ListStacks", "GetTemplate"],
            write_actions: &["CreateStack", "UpdateStack", "DeleteStack"],
            read_cost_per_1k: 0.0,
            write_cost_per_1k: 0.0,
            data_cost_per_gb: 0.0,
            typical_requests: 10,
            notes: "CloudFormation: free for AWS resources, $0.0009/handler operation for third-party",
        }),
        // NOTE: The Bedrock cost profile below is a rough order-of-magnitude
        // estimate based on a fixed per-invocation rate. It is NOT token-volume
        // aware — real costs scale with prompt/completion length and vary widely
        // by model (e.g. Claude 3 Haiku vs. Claude 3 Opus). Do not use these
        // figures for budget enforcement; they are indicative only.
        ("bedrock", ServiceCostProfile {
            read_actions: &["ListFoundationModels", "GetFoundationModel"],
            write_actions: &["InvokeModel", "InvokeModelWithResponseStream"],
            read_cost_per_1k: 0.0,
            write_cost_per_1k: 3.0,      // ~$0.003/1K input tokens * 1K calls (rough estimate)
            data_cost_per_gb: 0.0,
            typical_requests: 10,
            notes: "Bedrock: $0.003-$0.06/1K input tokens depending on model. \
                    WARNING: This estimate is NOT token-volume aware — actual costs scale \
                    with prompt/completion length. Use for risk categorisation only, \
                    not budget enforcement.",
        }),
        ("sagemaker", ServiceCostProfile {
            read_actions: &["DescribeEndpoint", "ListEndpoints", "DescribeTrainingJob"],
            write_actions: &["CreateEndpoint", "CreateTrainingJob", "InvokeEndpoint"],
            read_cost_per_1k: 0.0,
            write_cost_per_1k: 0.0,
            data_cost_per_gb: 0.0,
            typical_requests: 5,
            notes: "SageMaker: $0.046/hr (ml.t3.medium) to $32.77/hr (ml.p3.16xlarge). Training and inference billed separately",
        }),
        // ── GCP (service names are dot-prefix, e.g. "storage") ──
        ("storage", ServiceCostProfile {
            read_actions: &["objects.get", "objects.list", "buckets.get", "buckets.list"],
            write_actions: &["objects.create", "objects.delete", "buckets.create"],
            read_cost_per_1k: 0.0004,    // $0.004/10K Class A ops
            write_cost_per_1k: 0.005,    // $0.05/10K Class B ops
            data_cost_per_gb: 0.020,     // $0.020/GB/mo Standard
            typical_requests: 100,
            notes: "GCS pricing: Class A $0.05/10K, Class B $0.004/10K, storage $0.020/GB/mo",
        }),
        ("compute", ServiceCostProfile {
            read_actions: &["instances.get", "instances.list", "zones.list"],
            write_actions: &["instances.create", "instances.delete", "instances.start", "instances.stop"],
            read_cost_per_1k: 0.0,
            write_cost_per_1k: 0.0,
            data_cost_per_gb: 0.0,
            typical_requests: 10,
            notes: "GCE API calls are free. Instance costs: $0.0076/hr (e2-micro) to $2.84/hr (a2-megagpu-16g)",
        }),
        ("bigquery", ServiceCostProfile {
            read_actions: &["tables.getData", "jobs.get", "datasets.get"],
            write_actions: &["jobs.create", "tables.create", "tables.insert"],
            read_cost_per_1k: 0.0,
            write_cost_per_1k: 0.0,
            data_cost_per_gb: 0.00625,    // $6.25/TB queried = $0.00625/GB
            typical_requests: 10,
            notes: "BigQuery on-demand: $6.25/TB queried, $0.02/GB/mo storage",
        }),
        ("cloudfunctions", ServiceCostProfile {
            read_actions: &["functions.get", "functions.list"],
            write_actions: &["functions.create", "functions.call"],
            read_cost_per_1k: 0.0,
            write_cost_per_1k: 0.0004,   // $0.40/1M invocations
            data_cost_per_gb: 0.0000025, // $0.0000025/GB-s
            typical_requests: 10,
            notes: "Cloud Functions: $0.40/1M invocations + $0.0000025/GB-s compute",
        }),
        ("pubsub", ServiceCostProfile {
            read_actions: &["subscriptions.pull", "topics.get"],
            write_actions: &["topics.publish", "topics.create", "subscriptions.create"],
            read_cost_per_1k: 0.0,
            write_cost_per_1k: 0.0,
            data_cost_per_gb: 0.04,      // $40/TiB
            typical_requests: 100,
            notes: "Pub/Sub: $40/TiB message delivery (first 10 GiB free)",
        }),
        ("run", ServiceCostProfile {
            read_actions: &["services.get", "services.list"],
            write_actions: &["services.create", "services.replaceService"],
            read_cost_per_1k: 0.0,
            write_cost_per_1k: 0.0,
            data_cost_per_gb: 0.0,
            typical_requests: 5,
            notes: "Cloud Run: $0.00002400/vCPU-s, $0.00000250/GiB-s, $0.40/1M requests",
        }),
        // ── Azure (service names are "Microsoft.X") ──
        ("Microsoft.Storage", ServiceCostProfile {
            read_actions: &["storageAccounts/read", "storageAccounts/blobServices/containers/blobs/read"],
            write_actions: &["storageAccounts/write", "storageAccounts/blobServices/containers/blobs/write"],
            read_cost_per_1k: 0.0004,
            write_cost_per_1k: 0.005,
            data_cost_per_gb: 0.018,     // $0.018/GB Hot LRS
            typical_requests: 100,
            notes: "Azure Blob: $0.018/GB/mo Hot, PUT $0.065/10K, GET $0.005/10K",
        }),
        ("Microsoft.Compute", ServiceCostProfile {
            read_actions: &["virtualMachines/read", "disks/read"],
            write_actions: &["virtualMachines/write", "virtualMachines/start/action", "virtualMachines/delete"],
            read_cost_per_1k: 0.0,
            write_cost_per_1k: 0.0,
            data_cost_per_gb: 0.0,
            typical_requests: 10,
            notes: "Azure VM API calls are free. Instance costs: $0.008/hr (B1ls) to $3.045/hr (NC24s_v3)",
        }),
        ("Microsoft.Sql", ServiceCostProfile {
            read_actions: &["servers/read", "servers/databases/read"],
            write_actions: &["servers/write", "servers/databases/write"],
            read_cost_per_1k: 0.0,
            write_cost_per_1k: 0.0,
            data_cost_per_gb: 0.0,
            typical_requests: 5,
            notes: "Azure SQL: $0.0211/hr (Basic) to $174.98/hr (Business Critical). Billed per DTU or vCore",
        }),
        ("Microsoft.ContainerService", ServiceCostProfile {
            read_actions: &["managedClusters/read"],
            write_actions: &["managedClusters/write", "managedClusters/delete"],
            read_cost_per_1k: 0.0,
            write_cost_per_1k: 0.0,
            data_cost_per_gb: 0.0,
            typical_requests: 5,
            notes: "AKS: free control plane, node costs apply. Standard tier $0.10/hr per cluster",
        }),
        ("Microsoft.KeyVault", ServiceCostProfile {
            read_actions: &["vaults/read", "vaults/secrets/read"],
            write_actions: &["vaults/write", "vaults/secrets/write"],
            read_cost_per_1k: 0.003,     // $0.03/10K operations
            write_cost_per_1k: 0.003,
            data_cost_per_gb: 0.0,
            typical_requests: 10,
            notes: "Key Vault: $0.03/10K operations (secrets), $1/key/mo (HSM-protected keys)",
        }),
        ("Microsoft.Web", ServiceCostProfile {
            read_actions: &["sites/read", "serverFarms/read"],
            write_actions: &["sites/write", "serverFarms/write"],
            read_cost_per_1k: 0.0,
            write_cost_per_1k: 0.0,
            data_cost_per_gb: 0.0,
            typical_requests: 5,
            notes: "App Service: $0.018/hr (B1) to $0.80/hr (P3v3). Free tier available",
        }),
    ])
}

struct ServiceCostProfile {
    read_actions: &'static [&'static str],
    write_actions: &'static [&'static str],
    read_cost_per_1k: f64,
    write_cost_per_1k: f64,
    data_cost_per_gb: f64,
    typical_requests: u32,
    notes: &'static str,
}

/// Estimate the potential cost of running a session with the given policy.
///
/// NOTE: These are rough floor-price estimates based on us-east-1 / us-central1 /
/// East US on-demand pricing. Actual costs vary by region, usage, and pricing model.
pub fn estimate(policy: &ScopedPolicy, ttl_seconds: u64) -> CostEstimate {
    let profiles = cost_profiles();
    let mut services = Vec::new();
    let mut warnings = Vec::new();
    let disclaimer = "Cost estimates use floor prices (us-east-1 / us-central1 / East US) — \
         actual costs may be higher depending on region, data transfer, and usage volume."
        .to_string();
    let mut total_min = 0.0;
    let mut total_max = 0.0;

    // Group actions by service
    let mut by_service: HashMap<String, Vec<String>> = HashMap::new();
    for action in &policy.actions {
        by_service
            .entry(action.service.clone())
            .or_default()
            .push(action.action.clone());
    }

    let ttl_hours = ttl_seconds as f64 / 3600.0;

    for (service, actions) in &by_service {
        // R6-M7: profile keys for Azure use canonical casing
        // (`Microsoft.Storage`), but `parse_azure` preserves whatever
        // case the user typed. Fall back to a case-insensitive lookup
        // so `microsoft.storage` still matches `Microsoft.Storage`.
        let profile_entry = profiles.get(service.as_str()).or_else(|| {
            profiles
                .iter()
                .find(|(k, _)| k.eq_ignore_ascii_case(service.as_str()))
                .map(|(_, v)| v)
        });
        if let Some(profile) = profile_entry {
            let mut read_count = 0;
            let mut write_count = 0;

            for action in actions {
                // R6-M9: detect embedded `*` (e.g. `storageAccounts/*`,
                // `objects.*`) as a service-wide wildcard rather than
                // falling through to the unknown-action branch. Only a
                // bare `*` was treated as a wildcard before; anything
                // with a prefix was charged as "unknown, assume write"
                // and under-estimated cost against a mixed workload.
                if action == "*" || action.contains('*') {
                    read_count += profile.typical_requests;
                    write_count += profile.typical_requests;
                    warnings.push(format!(
                        "{}:{} contains a wildcard — cost depends on actual usage",
                        service, action
                    ));
                } else if profile
                    .read_actions
                    .iter()
                    .any(|r| action.starts_with(r) || *r == action.as_str())
                {
                    read_count += profile.typical_requests;
                } else if profile
                    .write_actions
                    .iter()
                    .any(|w| action.starts_with(w) || *w == action.as_str())
                {
                    write_count += profile.typical_requests;
                } else {
                    // Unknown action, assume write
                    write_count += profile.typical_requests / 2;
                }
            }

            // Scale by TTL (longer sessions = more potential requests)
            let scale = (ttl_hours * 0.5).max(1.0); // at least 1x
            let scaled_reads = (read_count as f64 * scale) as u32;
            let scaled_writes = (write_count as f64 * scale) as u32;

            let read_cost = (scaled_reads as f64 / 1000.0) * profile.read_cost_per_1k;
            let write_cost = (scaled_writes as f64 / 1000.0) * profile.write_cost_per_1k;
            let min_cost = read_cost + write_cost;
            // Max assumes 10x typical usage
            let max_cost = min_cost * 10.0 + profile.data_cost_per_gb * 0.1;

            total_min += min_cost;
            total_max += max_cost;

            services.push(ServiceEstimate {
                service: service.clone(),
                actions: actions.clone(),
                min_cost,
                max_cost,
                notes: profile.notes.to_string(),
            });

            // High-cost warnings
            if service == "ec2"
                && actions
                    .iter()
                    .any(|a| a.contains("RunInstances") || a == "*")
            {
                warnings.push(
                    "ec2:RunInstances can launch instances costing up to $3.84/hr".to_string(),
                );
            }
        } else {
            services.push(ServiceEstimate {
                service: service.clone(),
                actions: actions.clone(),
                min_cost: 0.0,
                max_cost: 0.0,
                notes: "No cost estimate available for this service".to_string(),
            });
        }
    }

    // Determine risk level
    let risk_level = if total_max > 10.0 || !warnings.is_empty() {
        "high"
    } else if total_max > 1.0 {
        "medium"
    } else {
        "low"
    }
    .to_string();

    // IAM-specific warnings
    if by_service.contains_key("iam") {
        warnings.push("IAM actions can modify account security — review carefully".to_string());
    }

    // Add persistent disclaimer (after risk calculation so it doesn't inflate risk level)
    warnings.insert(0, disclaimer);

    services.sort_by(|a, b| {
        b.max_cost
            .partial_cmp(&a.max_cost)
            .unwrap_or(std::cmp::Ordering::Equal)
    });

    // Sanitize any NaN/Inf that could arise from degenerate floating-point
    // arithmetic before serialization — serde_json rejects non-finite f64.
    let sanitize = |v: f64| if v.is_finite() { v } else { 0.0 };
    let total_min = sanitize(total_min);
    let total_max = sanitize(total_max);
    let services: Vec<ServiceEstimate> = services
        .into_iter()
        .map(|mut s| {
            s.min_cost = sanitize(s.min_cost);
            s.max_cost = sanitize(s.max_cost);
            s
        })
        .collect();

    CostEstimate {
        services,
        total_min,
        total_max,
        risk_level,
        warnings,
    }
}

/// Format a cost estimate as human-readable text.
pub fn format_text(est: &CostEstimate) -> String {
    let mut out = String::new();

    out.push_str(&format!(
        "Estimated cost: ${:.4} — ${:.4}\n",
        est.total_min, est.total_max
    ));
    out.push_str(&format!("Risk level: {}\n\n", est.risk_level));

    for svc in &est.services {
        out.push_str(&format!(
            "  {} (${:.4} — ${:.4})\n",
            svc.service, svc.min_cost, svc.max_cost
        ));
        out.push_str(&format!("    Actions: {}\n", svc.actions.join(", ")));
        out.push_str(&format!("    {}\n", svc.notes));
    }

    if !est.warnings.is_empty() {
        out.push_str("\nWarnings:\n");
        for w in &est.warnings {
            out.push_str(&format!("  ! {}\n", w));
        }
    }

    out
}

/// Format a cost estimate as JSON.
pub fn format_json(est: &CostEstimate) -> String {
    serde_json::to_string_pretty(est).unwrap_or_else(|_| "{}".to_string())
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_estimate_s3_readonly() {
        let policy = ScopedPolicy::from_allow_str("s3:GetObject,s3:ListBucket").unwrap();
        let est = estimate(&policy, 900);
        assert_eq!(est.services.len(), 1);
        assert_eq!(est.services[0].service, "s3");
        assert!(est.total_min >= 0.0);
        assert_eq!(est.risk_level, "low");
    }

    #[test]
    fn test_estimate_ec2_high_risk() {
        let policy =
            ScopedPolicy::from_allow_str("ec2:RunInstances,ec2:DescribeInstances").unwrap();
        let est = estimate(&policy, 3600);
        assert_eq!(est.risk_level, "high");
        assert!(est.warnings.iter().any(|w| w.contains("RunInstances")));
    }

    #[test]
    fn test_estimate_iam_warning() {
        let policy = ScopedPolicy::from_allow_str("iam:CreateRole").unwrap();
        let est = estimate(&policy, 900);
        assert!(est.warnings.iter().any(|w| w.contains("IAM")));
    }

    #[test]
    fn test_estimate_wildcard() {
        let policy = ScopedPolicy::from_allow_str("s3:*").unwrap();
        let est = estimate(&policy, 900);
        assert!(est.warnings.iter().any(|w| w.contains("s3:*")));
    }

    #[test]
    fn test_estimate_multi_service() {
        let policy =
            ScopedPolicy::from_allow_str("s3:GetObject,lambda:InvokeFunction,dynamodb:Query")
                .unwrap();
        let est = estimate(&policy, 900);
        assert_eq!(est.services.len(), 3);
    }

    #[test]
    fn test_estimate_unknown_service() {
        let policy = ScopedPolicy::from_allow_str("xray:GetTraceSummaries").unwrap();
        let est = estimate(&policy, 900);
        assert_eq!(est.services.len(), 1);
        assert!(est.services[0].notes.contains("No cost estimate"));
    }

    #[test]
    fn test_format_text() {
        let policy = ScopedPolicy::from_allow_str("s3:GetObject").unwrap();
        let est = estimate(&policy, 900);
        let text = format_text(&est);
        assert!(text.contains("Estimated cost"));
        assert!(text.contains("s3"));
    }

    #[test]
    fn test_format_json() {
        let policy = ScopedPolicy::from_allow_str("s3:GetObject").unwrap();
        let est = estimate(&policy, 900);
        let json = format_json(&est);
        assert!(json.contains("total_min"));
        assert!(json.contains("risk_level"));
    }

    #[test]
    fn test_longer_ttl_scales_cost() {
        let policy = ScopedPolicy::from_allow_str("s3:GetObject,s3:PutObject").unwrap();
        let short = estimate(&policy, 900); // 15 min
        let long = estimate(&policy, 14400); // 4 hours
                                             // Longer TTL should result in higher max cost
        assert!(long.total_max >= short.total_max);
    }

    #[test]
    fn test_free_services() {
        let policy = ScopedPolicy::from_allow_str("sts:GetCallerIdentity").unwrap();
        let est = estimate(&policy, 900);
        assert_eq!(est.total_min, 0.0);
    }
}