@girardmedia/bootspring 2.0.21 → 2.0.23

package/core/policy-matrix.js

@@ -0,0 +1,303 @@
+/**
+ * Policy Matrix
+ * Comprehensive policy definitions for org-level gates
+ * @package bootspring
+ */
+
+/**
+ * Policy scopes define what can be controlled
+ */
+const POLICY_SCOPES = {
+  skills: {
+    external: 'skills.external',        // Third-party/external skills
+    premium: 'skills.premium',          // Premium skill categories
+    ai: 'skills.ai',                    // AI-powered skills
+    all: 'skills.*'
+  },
+  workflows: {
+    parallel: 'workflows.parallel',     // Parallel execution
+    premium: 'workflows.premium',       // Premium workflow packs
+    custom: 'workflows.custom',         // Custom workflow definitions
+    all: 'workflows.*'
+  },
+  agents: {
+    technical: 'agents.technical',      // Technical experts
+    business: 'agents.business',        // Business/legal experts
+    enterprise: 'agents.enterprise',    // Enterprise-only agents
+    all: 'agents.*'
+  },
+  features: {
+    telemetry: 'features.telemetry',    // Usage telemetry
+    cloudSync: 'features.cloud_sync',   // Cloud synchronization
+    teamSharing: 'features.team_sharing', // Team context sharing
+    auditLogs: 'features.audit_logs',   // Audit logging
+    apiAccess: 'features.api_access',   // Direct API access
+    all: 'features.*'
+  }
+};
+
+/**
+ * Default policy matrix by tier
+ * Defines what's allowed/blocked per tier
+ */
+const TIER_POLICY_DEFAULTS = {
+  free: {
+    allowed: [
+      'skills.external',
+      'agents.technical',
+      'features.telemetry'
+    ],
+    blocked: [
+      'skills.premium',
+      'skills.ai',
+      'workflows.premium',
+      'workflows.parallel',
+      'agents.business',
+      'agents.enterprise',
+      'features.cloud_sync',
+      'features.team_sharing',
+      'features.audit_logs'
+    ],
+    limits: {
+      skillsPerDay: 50,
+      workflowsPerDay: 10,
+      agentInvocationsPerDay: 20
+    }
+  },
+  pro: {
+    allowed: [
+      'skills.*',
+      'workflows.*',
+      'agents.technical',
+      'agents.business',
+      'features.telemetry',
+      'features.cloud_sync'
+    ],
+    blocked: [
+      'agents.enterprise',
+      'features.team_sharing',
+      'features.audit_logs'
+    ],
+    limits: {
+      skillsPerDay: 500,
+      workflowsPerDay: 100,
+      agentInvocationsPerDay: 200
+    }
+  },
+  team: {
+    allowed: [
+      'skills.*',
+      'workflows.*',
+      'agents.*',
+      'features.telemetry',
+      'features.cloud_sync',
+      'features.team_sharing',
+      'features.audit_logs'
+    ],
+    blocked: [],
+    limits: {
+      skillsPerDay: 2000,
+      workflowsPerDay: 500,
+      agentInvocationsPerDay: 1000,
+      teamMembers: 10
+    }
+  },
+  enterprise: {
+    allowed: ['*'],
+    blocked: [],
+    limits: {
+      skillsPerDay: -1,  // Unlimited
+      workflowsPerDay: -1,
+      agentInvocationsPerDay: -1,
+      teamMembers: -1
+    }
+  }
+};
+
+/**
+ * Profile-specific policy overrides
+ * Applied on top of tier defaults
+ */
+const PROFILE_OVERRIDES = {
+  startup: {
+    // Startup profile: permissive, fast iteration
+    overrides: {},
+    additionalBlocked: []
+  },
+  regulated: {
+    // Regulated profile: compliance-focused
+    overrides: {
+      requireApproval: ['workflows.custom', 'skills.external'],
+      auditAll: true,
+      dataResidency: true
+    },
+    additionalBlocked: [
+      'skills.external',
+      'workflows.growth-pack'
+    ]
+  },
+  enterprise: {
+    // Enterprise profile: full control
+    overrides: {
+      ssoRequired: true,
+      auditAll: true,
+      approvalWorkflow: true
+    },
+    additionalBlocked: []
+  }
+};
+
+/**
+ * Member role permissions
+ * What each role can do within an org
+ */
+const ROLE_PERMISSIONS = {
+  owner: {
+    canManageOrg: true,
+    canManageMembers: true,
+    canManagePolicies: true,
+    canManageBilling: true,
+    canUseAllFeatures: true
+  },
+  admin: {
+    canManageOrg: false,
+    canManageMembers: true,
+    canManagePolicies: true,
+    canManageBilling: false,
+    canUseAllFeatures: true
+  },
+  member: {
+    canManageOrg: false,
+    canManageMembers: false,
+    canManagePolicies: false,
+    canManageBilling: false,
+    canUseAllFeatures: true
+  },
+  viewer: {
+    canManageOrg: false,
+    canManageMembers: false,
+    canManagePolicies: false,
+    canManageBilling: false,
+    canUseAllFeatures: false
+  }
+};
+
+/**
+ * Check if a scope matches a pattern
+ * @param {string} scope - Specific scope (e.g., 'skills.external')
+ * @param {string} pattern - Pattern to match (e.g., 'skills.*' or 'skills.external')
+ * @returns {boolean}
+ */
+function matchesScope(scope, pattern) {
+  if (pattern === '*') return true;
+  if (pattern === scope) return true;
+  if (pattern.endsWith('.*')) {
+    const prefix = pattern.slice(0, -2);
+    return scope.startsWith(prefix + '.');
+  }
+  return false;
+}
+
+/**
+ * Check if a scope is allowed by policy
+ * @param {string} scope - Scope to check
+ * @param {string[]} allowed - Allowed patterns
+ * @param {string[]} blocked - Blocked patterns
+ * @returns {boolean}
+ */
+function isScopeAllowed(scope, allowed, blocked) {
+  // Check blocked first (blocked takes precedence)
+  for (const pattern of blocked) {
+    if (matchesScope(scope, pattern)) {
+      return false;
+    }
+  }
+  // Check allowed
+  for (const pattern of allowed) {
+    if (matchesScope(scope, pattern)) {
+      return true;
+    }
+  }
+  return false;
+}
+
+/**
+ * Build effective policy for an org member
+ * @param {string} tier - Org tier (free/pro/team/enterprise)
+ * @param {string} profile - Policy profile (startup/regulated/enterprise)
+ * @param {object} memberOverrides - Per-member policy overrides
+ * @returns {object} Effective policy
+ */
+function buildEffectivePolicy(tier, profile, memberOverrides = {}) {
+  const tierDefaults = TIER_POLICY_DEFAULTS[tier] || TIER_POLICY_DEFAULTS.free;
+  const profileOverrides = PROFILE_OVERRIDES[profile] || PROFILE_OVERRIDES.startup;
+
+  // Merge allowed/blocked lists
+  const allowed = [...tierDefaults.allowed];
+  const blocked = [
+    ...tierDefaults.blocked,
+    ...profileOverrides.additionalBlocked
+  ];
+
+  // Apply member overrides
+  if (memberOverrides.additionalAllowed) {
+    allowed.push(...memberOverrides.additionalAllowed);
+  }
+  if (memberOverrides.additionalBlocked) {
+    blocked.push(...memberOverrides.additionalBlocked);
+  }
+
+  return {
+    tier,
+    profile,
+    allowed: [...new Set(allowed)],
+    blocked: [...new Set(blocked)],
+    limits: { ...tierDefaults.limits, ...(memberOverrides.limits || {}) },
+    overrides: { ...profileOverrides.overrides, ...(memberOverrides.overrides || {}) }
+  };
+}
+
+/**
+ * Check access against effective policy
+ * @param {string} scope - Scope to check
+ * @param {object} policy - Effective policy
+ * @returns {object} Access result
+ */
+function checkPolicyAccess(scope, policy) {
+  const allowed = isScopeAllowed(scope, policy.allowed, policy.blocked);
+
+  if (!allowed) {
+    return {
+      allowed: false,
+      code: 'policy_blocked',
+      scope,
+      reason: `Scope "${scope}" is blocked by ${policy.profile} policy`
+    };
+  }
+
+  // Check if approval is required
+  if (policy.overrides.requireApproval?.some(p => matchesScope(scope, p))) {
+    return {
+      allowed: true,
+      requiresApproval: true,
+      scope,
+      reason: `Scope "${scope}" requires approval under ${policy.profile} policy`
+    };
+  }
+
+  return {
+    allowed: true,
+    scope
+  };
+}
+
+module.exports = {
+  POLICY_SCOPES,
+  TIER_POLICY_DEFAULTS,
+  PROFILE_OVERRIDES,
+  ROLE_PERMISSIONS,
+  matchesScope,
+  isScopeAllowed,
+  buildEffectivePolicy,
+  checkPolicyAccess
+};

package/core/project-context.js

@@ -36,6 +36,7 @@ const EXEMPT_COMMANDS = [
   'billing',  // Billing status/info accessible without project
   'preseed',  // Preseed works locally, auth enhances features
   'seed',     // Seed works locally for scaffolding
+  'org',      // Org policy accessible without project
 ];
 
 // Sub-commands of auth that are exempt

package/dist/cli/index.d.ts

@@ -0,0 +1,3 @@
+export { S as SimpleTodoItem, T as TodoItem, d as dashboard, g as generate, a as generateClaudeMd, r as runDashboard, b as runGenerate, c as runTelemetry, e as runTodo, t as telemetry, f as todo } from '../index-UiYCgwiH.js';
+import '../context-McpJQa_2.js';
+import 'zod';