RubyGems - lex-governance - Versions diffs - 0.2.1 → 0.3.0 - Mend

lex-governance 0.2.1 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

checksums.yaml +4 -4
data/lib/legion/extensions/governance/helpers/authority.rb +42 -0
data/lib/legion/extensions/governance/helpers/council.rb +43 -0
data/lib/legion/extensions/governance/runners/governance.rb +83 -0
data/lib/legion/extensions/governance/version.rb +1 -1
metadata +3 -1

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c49ec8c4434d925672bf24d03d0d568673dba8007ea72303b5d345fb87a5142c
-  data.tar.gz: 85e0ccc337f078cdc9cd7f8b4f2abf0c311f66c1bc9fc15ed0e6483f4c187290
+  metadata.gz: 3189a600f236fa9cc937e52c9c5591b62e8c99468d061b9eb4fdc69c3ee26d04
+  data.tar.gz: 1d55e9b3727a66c33e7414a19719c5326387abe784ca8a1d88e52e73ac1f2778
 SHA512:
-  metadata.gz: 16ce4ad3ee7c08f7feeaf9e48efc9ff7ac15a1636be69e7cf59103a61684f3f77f296b2ee791be8c11caa4443e5b5790d55acc31f96899f77c96e7d932847b72
-  data.tar.gz: 42ef43f72cfd53b14b3095128b441809568fb03a6885631e3607089b69a2d8c0a981db3e788724d3b5f4164333c5bf3b142735d33e7a6ced5d9739d16740354b
+  metadata.gz: bd0099e5d6c31ede525c9fdb9856d70101bba628b7ffa99acdd863c81d3cd5549ce57c2ec35a668329b07886e6b17919fe3b871fd962bd83f669ffff4557348d
+  data.tar.gz: 8f894c7e5624de924d69a1eb3a30c0fd21bab6d8d1eacb20a1e042a6c699c4f97ccb2bb2f8c333c28bf6d44a8c6f4cd828fabfcb522a60c9d599810078b03088

data/lib/legion/extensions/governance/helpers/authority.rb ADDED Viewed

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+module Legion
+  module Extensions
+    module Governance
+      module Helpers
+        module Authority
+          AUTHORITY_REQUIRED = {
+            %w[active paused] => :owner_or_manager,
+            %w[paused active] => :owner_or_manager,
+            %w[active retired] => :owner_or_manager
+          }.freeze
+          module_function
+          def check_authority(principal_id:, from_state:, to_state:, worker_owner: nil, **)
+            required = authority_for(from_state, to_state)
+            return { allowed: true, reason: :no_authority_required } unless required
+            return { allowed: true, reason: :system_principal } if principal_id == 'system'
+            return { allowed: false, reason: :authority_required, required: required } if principal_id.nil?
+            case required
+            when :owner_or_manager
+              if principal_id == worker_owner
+                { allowed: true, reason: :owner_match }
+              else
+                { allowed: false, reason: :authority_required, required: required,
+                  principal_id: principal_id, worker_owner: worker_owner }
+              end
+            else
+              { allowed: false, reason: :authority_required, required: required }
+            end
+          end
+          def authority_for(from_state, to_state)
+            AUTHORITY_REQUIRED[[from_state, to_state]]
+          end
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/governance/helpers/council.rb ADDED Viewed

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+module Legion
+  module Extensions
+    module Governance
+      module Helpers
+        module Council
+          module_function
+          def council_approved?(worker_id:, from_state:, to_state:, **)
+            return { allowed: true, reason: :audit_not_loaded } unless defined?(Legion::Extensions::Audit::Runners::ApprovalQueue)
+            record = find_approved_record(worker_id: worker_id, from_state: from_state, to_state: to_state)
+            if record
+              { allowed: true, reason: :council_approved, approval_id: record[:id] }
+            else
+              { allowed: false, reason: :council_approval_required,
+                worker_id: worker_id, from_state: from_state, to_state: to_state }
+            end
+          end
+          def submit_approval(worker_id:, from_state:, to_state:, requester_id:, **)
+            unless defined?(Legion::Extensions::Audit::Runners::ApprovalQueue)
+              return { success: false, reason: :audit_not_loaded }
+            end
+            Legion::Extensions::Audit::Runners::ApprovalQueue.submit(
+              approval_type: 'lifecycle_transition',
+              payload: { worker_id: worker_id, from_state: from_state, to_state: to_state },
+              requester_id: requester_id
+            )
+          end
+          def find_approved_record(**)
+            nil
+          rescue StandardError
+            nil
+          end
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/governance/runners/governance.rb CHANGED Viewed

@@ -5,6 +5,23 @@ module Legion
     module Governance
       module Runners
         module Governance
+          def review_transition(worker_id:, from_state:, to_state:, principal_id: nil, worker_owner: nil, **)
+            return { allowed: true, skipped: true } unless governance_enabled?
+            results = []
+            results << check_airb_approval(worker_id: worker_id)
+            results << check_council_approval(worker_id: worker_id, from_state: from_state, to_state: to_state)
+            results << check_authority_level(principal_id: principal_id, from_state: from_state, to_state: to_state,
+                                             worker_owner: worker_owner)
+            blocked = results.reject { |r| r[:allowed] }
+            return { allowed: true, checks: results } if blocked.empty?
+            auto = try_auto_submit(blocked, worker_id: worker_id, from_state: from_state, to_state: to_state,
+                                            requester_id: principal_id || 'system')
+            { allowed: false, reasons: blocked.map { |r| r[:reason] }, checks: results, auto_submitted: auto }
+          end
           def check_airb_approval(worker_id:, **)
             require_relative '../helpers/airb'
             record = Helpers::Airb.fetch(worker_id: worker_id)
@@ -21,6 +38,72 @@ module Legion
               reason: allowed ? :airb_cleared : :airb_blocked
             }
           end
+          def check_council_approval(worker_id:, from_state:, to_state:, **)
+            require_relative '../helpers/council'
+            required = council_required?(from_state, to_state)
+            return { allowed: true, reason: :no_council_required } unless required
+            Helpers::Council.council_approved?(worker_id: worker_id, from_state: from_state, to_state: to_state)
+          end
+          def check_authority_level(principal_id:, from_state:, to_state:, worker_owner: nil, **)
+            require_relative '../helpers/authority'
+            Helpers::Authority.check_authority(
+              principal_id: principal_id, from_state: from_state, to_state: to_state,
+              worker_owner: worker_owner
+            )
+          end
+          def governance_enabled?
+            gov = Legion::Settings[:governance]
+            return false if gov.is_a?(Hash) && gov.key?(:enabled) && gov[:enabled] == false
+            if Legion::Settings.dig(:governance, :bypass_in_dev) && Legion::Settings.respond_to?(:dev_mode?) && Legion::Settings.dev_mode?
+              return false
+            end
+            true
+          end
+          def auto_submit?
+            gov = Legion::Settings[:governance]
+            return true unless gov.is_a?(Hash) && gov.key?(:auto_submit_approval)
+            gov[:auto_submit_approval]
+          end
+          def council_required_transitions
+            Legion::Settings.dig(:governance, :council, :required_transitions)
+          end
+          private
+          def try_auto_submit(blocked, worker_id:, from_state:, to_state:, requester_id:)
+            return false unless auto_submit? && blocked.any? { |r| r[:reason] == :council_approval_required }
+            require_relative '../helpers/council'
+            Helpers::Council.submit_approval(worker_id: worker_id, from_state: from_state, to_state: to_state,
+                                             requester_id: requester_id)
+            true
+          end
+          def council_required?(from_state, to_state)
+            custom = council_required_transitions
+            if custom
+              custom.any? { |pair| pair == [from_state, to_state] }
+            else
+              governance_required_defaults.key?([from_state, to_state])
+            end
+          end
+          def governance_required_defaults
+            if defined?(Legion::DigitalWorker::Lifecycle::GOVERNANCE_REQUIRED)
+              Legion::DigitalWorker::Lifecycle::GOVERNANCE_REQUIRED
+            else
+              { %w[retired terminated] => :council_approval, %w[active terminated] => :council_approval }
+            end
+          end
         end
       end
     end

data/lib/legion/extensions/governance/version.rb CHANGED Viewed

@@ -3,7 +3,7 @@
 module Legion
   module Extensions
     module Governance
-      VERSION = '0.2.1'
+      VERSION = '0.3.0'
     end
   end
 end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: lex-governance
 version: !ruby/object:Gem::Version
-  version: 0.2.1
+  version: 0.3.0
 platform: ruby
 authors:
 - Esity
@@ -18,6 +18,8 @@ extra_rdoc_files: []
 files:
 - lib/legion/extensions/governance.rb
 - lib/legion/extensions/governance/helpers/airb.rb
+- lib/legion/extensions/governance/helpers/authority.rb
+- lib/legion/extensions/governance/helpers/council.rb
 - lib/legion/extensions/governance/runners/governance.rb
 - lib/legion/extensions/governance/version.rb
 homepage: https://github.com/LegionIO