The keeper cron is the automated heartbeat monitor at the core of Deadman Vault’s proof-of-life guarantee. On every scheduled invocation, it fetches the current Stacks block height, evaluates the lifecycle state of every active vault against the on-chain clock, advances any vaults that have crossed a threshold (warning → grace period → triggered), and settles any triggered vaults by executing the keeper’s on-chain withdrawal and per-beneficiary token transfers — all without any action from the vault owner or beneficiaries.Documentation Index
Fetch the complete documentation index at: https://mintlify.com/natureloved/DeadMan-Vault/llms.txt
Use this file to discover all available pages before exploring further.
How the Keeper Endpoint Works
The keeper runs as a standard Next.jsGET route handler at /api/keeper. Its execution time cap is set to 60 seconds via export const maxDuration = 60 — important to be aware of on Vercel’s Hobby plan, which has a lower function timeout ceiling.
On each invocation the endpoint:
- Authenticates the caller — checks that the
Authorizationheader matchesBearer <CRON_SECRET>. IfCRON_SECRETis set and the header is missing or wrong, it returns401 Unauthorizedimmediately. - Fetches the current block height — calls the Hiro API (
api.testnet.hiro.so/v2/infoon testnet) to get the live Stacks block height. - Runs
runKeeper(currentBlock)— iterates all vaults inactive,warning,grace_period, andtriggeredstates and applies lifecycle rules in order. - Returns a structured result — reports how many vaults were checked, what block the sweep ran at, and a list of actions taken.
Vercel Cron Configuration
The cron schedule is declared invercel.json at the repository root. Vercel reads this file automatically during deployment — no dashboard configuration is needed:
0 0 * * *). For a tighter heartbeat SLA — for example, advancing vaults into grace period within minutes of their deadline — change the schedule to a more frequent interval such as */15 * * * * (every 15 minutes). Keep in mind that Vercel Hobby plan limits cron frequency; the Pro plan supports per-minute invocations.
Vercel automatically injects the
Authorization: Bearer <CRON_SECRET> header on scheduled cron invocations when CRON_SECRET is set as an environment variable in the Vercel project. You do not need to configure this manually in vercel.json.Vault Lifecycle Rules
On each sweep,runKeeper applies the following rules to every active vault, in order:
Check current block vs. deadline
The keeper compares
currentBlock against each vault’s heartbeat_deadline_block. Vaults where the deadline has not yet been crossed are skipped without any state change.Warning
When the deadline is within a configurable warning window, the vault status advances to
warning and the owner receives a warning email via Resend. Notification deduplication prevents repeat emails for the same vault event.Grace period
After the deadline passes, the vault enters
grace_period. A 48-hour grace window gives the owner one final chance to check in. An urgent notification email is sent.Trigger
When the grace period expires without a heartbeat, the vault status changes to
triggered and triggered_at is recorded. Beneficiary notification emails are sent with claim information.Settlement
For triggered vaults, the keeper decrypts the vault’s keeper private key (using
KEEPER_ENCRYPTION_KEY + AES-256-GCM), executes a FlowVault withdraw on the vault’s behalf, and then sends each beneficiary their proportional USDCx share directly. If a beneficiary has a vesting schedule, vesting_release_at is checked — only beneficiaries whose cliff has matured receive their transfer in this sweep. Vested-but-unmatured beneficiaries are retried on subsequent sweeps via the partial index on beneficiaries(vesting_release_at) WHERE claimed = FALSE.The keeper is fault-isolated at the vault level. If settlement fails for one vault — due to a transient network error, an underfunded keeper address, or an on-chain broadcast timeout — that error is caught and logged, and the sweep continues processing all remaining vaults. A single failed vault never aborts the entire cron run.
Keeper Response Format
A successful sweep returns a JSON object:| Field | Description |
|---|---|
checked | Total number of vaults evaluated in this sweep |
currentBlock | Stacks block height at the time of the sweep |
actions | Array of "<action>:<vault-id>" strings for every state transition or settlement that occurred |
timestamp | ISO 8601 timestamp of the sweep completion |
Authentication
The/api/keeper endpoint validates the Authorization header against CRON_SECRET:
if (cronSecret) check means that if CRON_SECRET is not set, the endpoint skips authentication entirely — any HTTP client can trigger a sweep. Always set CRON_SECRET in production.
Testing the Keeper Manually
You can trigger a keeper sweep on demand usingcurl. This is useful for verifying your setup immediately after deployment or for forcing settlement during development:
<your-cron-secret> with the value of your CRON_SECRET environment variable. You can also test locally against the dev server: