Add enterprise token rotation guard

enterprise-token-rotation-guard/package.json

@@ -0,0 +1,10 @@
+{
+  "name": "scibase-enterprise-token-rotation-guard",
+  "version": "1.0.0",
+  "type": "module",
+  "private": true,
+  "scripts": {
+    "test": "node --test test/*.test.js",
+    "demo": "node scripts/demo.js"
+  }
+}

enterprise-token-rotation-guard/readme.md

@@ -0,0 +1,22 @@
+# Enterprise Token Rotation Guard
+
+This module contributes to SCIBASE issue #19, Enterprise Tooling.
+
+It evaluates institutional API integrations before admins keep them active. The guard checks token rotation age, least-privilege scopes, active owner assignment, audit export recency, SSO group drift, and restricted-data approvals.
+
+## Local Verification
+
+```bash
+npm test
+npm run demo
+```
+
+## Demo Evidence
+
+The demo transcript is captured in `reports/demo-transcript.md`. The demo generates these reviewer artifacts:
+
+- `reports/enterprise-token-report.md`
+- `reports/enterprise-token-packet.json`
+- `reports/summary.svg`
+
+The demo data is synthetic and does not contact SSO providers, institutional repositories, or production APIs.

enterprise-token-rotation-guard/reports/demo-transcript.md

@@ -0,0 +1,35 @@
+# Enterprise Token Rotation Guard Demo Transcript
+
+Date verified: 2026-06-15
+
+Commands run from `enterprise-token-rotation-guard`:
+
+```bash
+npm test
+npm run demo
+```
+
+Test result:
+
+```text
+5 tests passed
+0 tests failed
+```
+
+Demo output:
+
+```json
+{
+  "status": "hold_integration",
+  "digest": "e8c0d01bc2dfd3d313262b963fc9babcd8ab9588f6ccba24526047ed6453fb6b",
+  "blockers": 6,
+  "heldIntegrations": 1,
+  "reportsDir": "enterprise-token-rotation-guard/reports"
+}
+```
+
+Generated reviewer artifacts:
+
+- `reports/enterprise-token-report.md`
+- `reports/enterprise-token-packet.json`
+- `reports/summary.svg`

enterprise-token-rotation-guard/reports/enterprise-token-packet.json

@@ -0,0 +1,113 @@
+{
+  "title": "SCIBASE Enterprise Token Rotation Guard",
+  "issue": "SCIBASE.AI#19",
+  "claim": "/claim #19",
+  "evaluation": {
+    "status": "hold_integration",
+    "generatedAt": "2026-06-13T19:00:00.000Z",
+    "packetId": "scibase-enterprise-token-demo",
+    "digest": "e8c0d01bc2dfd3d313262b963fc9babcd8ab9588f6ccba24526047ed6453fb6b",
+    "counts": {
+      "integrations": 2,
+      "owners": 2,
+      "blockers": 6,
+      "warnings": 1,
+      "heldIntegrations": 1
+    },
+    "blockers": [
+      {
+        "code": "orphan_owner",
+        "integrationId": "int-hris-sync",
+        "message": "Integration owner is missing or inactive."
+      },
+      {
+        "code": "stale_token",
+        "integrationId": "int-hris-sync",
+        "message": "Integration token exceeds the rotation window.",
+        "tokenAgeDays": 163
+      },
+      {
+        "code": "overbroad_scopes",
+        "integrationId": "int-hris-sync",
+        "message": "Integration has scopes outside the allowlist.",
+        "overbroadScopes": [
+          "admin:root"
+        ]
+      },
+      {
+        "code": "stale_audit_export",
+        "integrationId": "int-hris-sync",
+        "message": "Audit export is outside the recency window.",
+        "auditAgeDays": 24
+      },
+      {
+        "code": "sso_group_drift",
+        "integrationId": "int-hris-sync",
+        "message": "SSO group drift exceeds policy.",
+        "ssoGroupDrift": 6
+      },
+      {
+        "code": "missing_dpa_approval",
+        "integrationId": "int-hris-sync",
+        "message": "Restricted-data integration lacks DPA approval."
+      }
+    ],
+    "warnings": [
+      {
+        "code": "webhook_failure_streak",
+        "integrationId": "int-hris-sync",
+        "message": "Webhook delivery has repeated failures.",
+        "webhookFailures": 4
+      }
+    ],
+    "decisions": [
+      {
+        "integrationId": "int-dspace-sync",
+        "tenant": "North Campus",
+        "decision": "keep_active",
+        "reasons": [],
+        "requiredActions": []
+      },
+      {
+        "integrationId": "int-hris-sync",
+        "tenant": "Medical Research Institute",
+        "decision": "hold",
+        "reasons": [
+          "orphan_owner",
+          "stale_token",
+          "overbroad_scopes",
+          "stale_audit_export",
+          "sso_group_drift",
+          "missing_dpa_approval"
+        ],
+        "requiredActions": [
+          "Assign an active institutional owner before keeping the integration active.",
+          "Rotate the integration token and record the rotation timestamp.",
+          "Remove scopes outside the enterprise allowlist.",
+          "Generate a fresh audit export before the next sync.",
+          "Reconcile SSO group membership before syncing permissions.",
+          "Attach DPA approval before syncing restricted enterprise data."
+        ]
+      }
+    ],
+    "policy": {
+      "maxTokenAgeDays": 90,
+      "maxAuditExportAgeDays": 7,
+      "maxSsoGroupDrift": 3,
+      "allowedScopes": [
+        "project:read",
+        "project:write",
+        "review:read",
+        "webhook:publish",
+        "audit:read"
+      ]
+    }
+  },
+  "reviewerChecklist": [
+    "Integration tokens are inside the rotation window.",
+    "Scopes are limited to the enterprise allowlist.",
+    "Every integration has an active institutional owner.",
+    "Audit exports are fresh before enterprise syncs.",
+    "Restricted data integrations have DPA approval."
+  ]
+}

enterprise-token-rotation-guard/reports/enterprise-token-report.md

@@ -0,0 +1,25 @@
+# Enterprise Token Rotation Guard Report
+
+Issue: SCIBASE.AI#19
+Claim marker: `/claim #19`
+Status: `hold_integration`
+Digest: `e8c0d01bc2dfd3d313262b963fc9babcd8ab9588f6ccba24526047ed6453fb6b`
+
+## Reviewer Checklist
+- Integration tokens are inside the rotation window.
+- Scopes are limited to the enterprise allowlist.
+- Every integration has an active institutional owner.
+- Audit exports are fresh before enterprise syncs.
+- Restricted data integrations have DPA approval.
+
+## Blockers
+- orphan_owner: Integration owner is missing or inactive.
+- stale_token: Integration token exceeds the rotation window.
+- overbroad_scopes: Integration has scopes outside the allowlist.
+- stale_audit_export: Audit export is outside the recency window.
+- sso_group_drift: SSO group drift exceeds policy.
+- missing_dpa_approval: Restricted-data integration lacks DPA approval.
+
+## Integration Decisions
+- int-dspace-sync: keep_active
+- int-hris-sync: hold (orphan_owner, stale_token, overbroad_scopes, stale_audit_export, sso_group_drift, missing_dpa_approval)

enterprise-token-rotation-guard/scripts/demo.js

@@ -0,0 +1,29 @@
+import fs from "node:fs";
+import path from "node:path";
+import { fileURLToPath } from "node:url";
+
+import {
+  buildReviewerPacket,
+  demoPacket,
+  renderMarkdownReport,
+  renderSvgSummary
+} from "../src/index.js";
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+const moduleRoot = path.resolve(__dirname, "..");
+const reportsDir = path.join(moduleRoot, "reports");
+const packet = demoPacket();
+const reviewerPacket = buildReviewerPacket(packet, { now: packet.generatedAt });
+
+fs.mkdirSync(reportsDir, { recursive: true });
+fs.writeFileSync(path.join(reportsDir, "enterprise-token-packet.json"), `${JSON.stringify(reviewerPacket, null, 2)}\n`);
+fs.writeFileSync(path.join(reportsDir, "enterprise-token-report.md"), renderMarkdownReport(packet, { now: packet.generatedAt }));
+fs.writeFileSync(path.join(reportsDir, "summary.svg"), renderSvgSummary(packet, { now: packet.generatedAt }));
+
+console.log(JSON.stringify({
+  status: reviewerPacket.evaluation.status,
+  digest: reviewerPacket.evaluation.digest,
+  blockers: reviewerPacket.evaluation.counts.blockers,
+  heldIntegrations: reviewerPacket.evaluation.counts.heldIntegrations,
+  reportsDir
+}, null, 2));