@girardmedia/bootspring 2.0.22 → 2.0.23

package/core/api-client.js

@@ -944,6 +944,83 @@ const api = {
   async getPreseedWizard(projectId) {
     requireAuth();
     return directRequest('GET', `/projects/${encodeURIComponent(projectId)}/preseed/wizard`);
+  },
+
+  // =====================================================
+  // Organization Methods
+  // =====================================================
+
+  /**
+   * List organizations for current user
+   * @returns {Promise<Array>} List of organizations
+   */
+  async listOrganizations() {
+    requireAuth();
+    return request('GET', '/organizations');
+  },
+
+  /**
+   * Get organization details
+   * @param {string} orgId - Organization ID
+   * @returns {Promise<object>} Organization details with members
+   */
+  async getOrganization(orgId) {
+    requireAuth();
+    return request('GET', `/organizations/${encodeURIComponent(orgId)}`);
+  },
+
+  /**
+   * Get organization policy
+   * @param {string} orgId - Organization ID
+   * @returns {Promise<object>} Organization policy settings
+   */
+  async getOrgPolicy(orgId) {
+    requireAuth();
+    return request('GET', `/organizations/${encodeURIComponent(orgId)}/policy`);
+  },
+
+  /**
+   * Update organization policy
+   * @param {string} orgId - Organization ID
+   * @param {object} policy - Policy settings to update
+   * @returns {Promise<object>} Updated policy
+   */
+  async updateOrgPolicy(orgId, policy) {
+    requireAuth();
+    return request('PATCH', `/organizations/${encodeURIComponent(orgId)}/policy`, policy);
+  },
+
+  /**
+   * List organization members
+   * @param {string} orgId - Organization ID
+   * @returns {Promise<Array>} List of members
+   */
+  async listOrgMembers(orgId) {
+    requireAuth();
+    return request('GET', `/organizations/${encodeURIComponent(orgId)}/members`);
+  },
+
+  /**
+   * Get member policy overrides
+   * @param {string} orgId - Organization ID
+   * @param {string} userId - User ID
+   * @returns {Promise<object>} Member policy overrides
+   */
+  async getMemberPolicy(orgId, userId) {
+    requireAuth();
+    return request('GET', `/organizations/${encodeURIComponent(orgId)}/members/${encodeURIComponent(userId)}/policy`);
+  },
+
+  /**
+   * Update member policy overrides
+   * @param {string} orgId - Organization ID
+   * @param {string} userId - User ID
+   * @param {object} policy - Policy overrides
+   * @returns {Promise<object>} Updated member policy
+   */
+  async updateMemberPolicy(orgId, userId, policy) {
+    requireAuth();
+    return request('PATCH', `/organizations/${encodeURIComponent(orgId)}/members/${encodeURIComponent(userId)}/policy`, policy);
   }
 };
 

package/core/entitlements.js

@@ -197,10 +197,24 @@ function isPremiumWorkflow(workflow) {
   return tier !== 'free';
 }
 
+// Lazy-load pack lifecycle to avoid circular dependency
+let _packLifecycle = null;
+function getPackLifecycle() {
+  if (!_packLifecycle) {
+    try {
+      _packLifecycle = require('../intelligence/orchestrator/config/pack-lifecycle');
+    } catch {
+      _packLifecycle = { isPackVisibleToUser: () => true, getPackStage: () => 'ga' };
+    }
+  }
+  return _packLifecycle;
+}
+
 function checkWorkflowAccess(workflow, options = {}) {
   const context = resolveWorkflowAccessContext(options);
   const policy = policies.getPolicyProfile(context.policyProfile, options);
 
+  // Check if workflow is blocked by policy
   if (policies.isWorkflowBlocked(workflow, policy)) {
     return {
       allowed: false,
@@ -210,6 +224,28 @@ function checkWorkflowAccess(workflow, options = {}) {
     };
   }
 
+  // Check pack lifecycle visibility (for premium packs)
+  const packName = workflow?.pack;
+  if (packName) {
+    const lifecycle = getPackLifecycle();
+    const isVisible = lifecycle.isPackVisibleToUser(packName, {
+      tier: context.tier,
+      userId: options.userId,
+      deviceId: options.deviceId
+    });
+
+    if (!isVisible) {
+      const stage = lifecycle.getPackStage(packName);
+      return {
+        allowed: false,
+        code: 'pack_not_available',
+        reason: `Pack "${packName}" is not available in your rollout group (stage: ${stage})`,
+        context,
+        stage
+      };
+    }
+  }
+
   if (!isPremiumWorkflow(workflow)) {
     return {
       allowed: true,

package/core/organizations.js

@@ -0,0 +1,223 @@
+/**
+ * Organizations Module
+ * Org-level policy resolution and caching
+ * @package bootspring
+ */
+
+const apiClient = require('./api-client');
+const policyMatrix = require('./policy-matrix');
+const auth = require('./auth');
+
+// Cache for org data (5 minute TTL)
+const ORG_CACHE_TTL = 5 * 60 * 1000;
+const orgCache = new Map();
+
+/**
+ * Organization structure
+ * @typedef {object} Organization
+ * @property {string} id - Organization ID
+ * @property {string} name - Organization name
+ * @property {string} tier - Subscription tier (team/enterprise)
+ * @property {string} policyProfile - Default policy profile
+ * @property {object} settings - Org settings
+ * @property {OrgMember[]} members - Organization members
+ */
+
+/**
+ * Organization member structure
+ * @typedef {object} OrgMember
+ * @property {string} userId - User ID
+ * @property {string} email - User email
+ * @property {string} role - Member role (owner/admin/member/viewer)
+ * @property {object} policyOverrides - Per-member policy overrides
+ */
+
+/**
+ * Get organization from cache or API
+ * @param {string} orgId - Organization ID
+ * @param {object} options - Options including apiKey
+ * @returns {Promise<Organization|null>}
+ */
+async function getOrganization(orgId, options = {}) {
+  if (!orgId) return null;
+
+  const cacheKey = `org:${orgId}`;
+  const cached = orgCache.get(cacheKey);
+
+  if (cached && Date.now() - cached.timestamp < ORG_CACHE_TTL) {
+    return cached.data;
+  }
+
+  try {
+    const org = await apiClient.getOrganization(orgId, options);
+    if (org) {
+      orgCache.set(cacheKey, { data: org, timestamp: Date.now() });
+    }
+    return org;
+  } catch {
+    // Return cached data if available, even if stale
+    return cached?.data || null;
+  }
+}
+
+/**
+ * Get organization member
+ * @param {string} orgId - Organization ID
+ * @param {string} userId - User ID
+ * @param {object} options - Options
+ * @returns {Promise<OrgMember|null>}
+ */
+async function getOrgMember(orgId, userId, options = {}) {
+  const org = await getOrganization(orgId, options);
+  if (!org?.members) return null;
+  return org.members.find(m => m.userId === userId) || null;
+}
+
+/**
+ * Resolve organization context from credentials/env
+ * @param {object} options - Options
+ * @returns {Promise<object>} Org context
+ */
+async function resolveOrgContext(options = {}) {
+  // Try to get org ID from various sources
+  const orgId = options.orgId
+    || process.env.BOOTSPRING_ORG_ID
+    || auth.getCredentials()?.orgId;
+
+  if (!orgId) {
+    return {
+      hasOrg: false,
+      orgId: null,
+      org: null,
+      member: null,
+      policy: null
+    };
+  }
+
+  const org = await getOrganization(orgId, options);
+  if (!org) {
+    return {
+      hasOrg: false,
+      orgId,
+      org: null,
+      member: null,
+      policy: null
+    };
+  }
+
+  // Get current user's membership
+  const userId = options.userId || auth.getCredentials()?.userId;
+  const member = userId ? await getOrgMember(orgId, userId, options) : null;
+
+  // Build effective policy
+  const policy = policyMatrix.buildEffectivePolicy(
+    org.tier || 'team',
+    org.policyProfile || 'startup',
+    member?.policyOverrides || {}
+  );
+
+  return {
+    hasOrg: true,
+    orgId,
+    org,
+    member,
+    policy,
+    role: member?.role || 'viewer'
+  };
+}
+
+/**
+ * Check if user has permission in org
+ * @param {string} permission - Permission to check
+ * @param {object} orgContext - Organization context
+ * @returns {boolean}
+ */
+function hasOrgPermission(permission, orgContext) {
+  if (!orgContext?.hasOrg) return false;
+
+  const role = orgContext.role || 'viewer';
+  const rolePerms = policyMatrix.ROLE_PERMISSIONS[role];
+
+  if (!rolePerms) return false;
+  return rolePerms[permission] === true;
+}
+
+/**
+ * Check policy access for a scope
+ * @param {string} scope - Scope to check (e.g., 'skills.external')
+ * @param {object} options - Options including orgId
+ * @returns {Promise<object>} Access result
+ */
+async function checkOrgPolicyAccess(scope, options = {}) {
+  const orgContext = await resolveOrgContext(options);
+
+  // If no org, fall back to user-level policy
+  if (!orgContext.hasOrg || !orgContext.policy) {
+    return {
+      allowed: true,
+      hasOrgPolicy: false,
+      scope
+    };
+  }
+
+  const result = policyMatrix.checkPolicyAccess(scope, orgContext.policy);
+  return {
+    ...result,
+    hasOrgPolicy: true,
+    orgId: orgContext.orgId,
+    tier: orgContext.policy.tier,
+    profile: orgContext.policy.profile
+  };
+}
+
+/**
+ * Get org policy summary for display
+ * @param {object} options - Options
+ * @returns {Promise<object>} Policy summary
+ */
+async function getOrgPolicySummary(options = {}) {
+  const orgContext = await resolveOrgContext(options);
+
+  if (!orgContext.hasOrg) {
+    return {
+      hasOrg: false,
+      message: 'No organization context'
+    };
+  }
+
+  const policy = orgContext.policy;
+  return {
+    hasOrg: true,
+    orgId: orgContext.orgId,
+    orgName: orgContext.org?.name,
+    tier: policy.tier,
+    profile: policy.profile,
+    role: orgContext.role,
+    allowedScopes: policy.allowed.length,
+    blockedScopes: policy.blocked.length,
+    limits: policy.limits,
+    overrides: Object.keys(policy.overrides)
+  };
+}
+
+/**
+ * Clear organization cache
+ * @param {string} [orgId] - Specific org to clear, or all if not specified
+ */
+function clearOrgCache(orgId) {
+  if (orgId) {
+    orgCache.delete(`org:${orgId}`);
+  } else {
+    orgCache.clear();
+  }
+}
+
+module.exports = {
+  getOrganization,
+  getOrgMember,
+  resolveOrgContext,
+  hasOrgPermission,
+  checkOrgPolicyAccess,
+  getOrgPolicySummary,
+  clearOrgCache
+};

package/core/policies.js

@@ -1,28 +1,36 @@
 /**
  * Bootspring policy profiles
- * Team-level controls for capability gating.
+ * Team-level and org-level controls for capability gating.
  */
 
+const policyMatrix = require('./policy-matrix');
+
 const DEFAULT_POLICY_PROFILE = 'startup';
 
 const POLICY_PROFILES = {
   startup: {
     id: 'startup',
     name: 'Startup',
+    description: 'Permissive policy for fast iteration',
     allowExternalSkills: true,
-    blockedWorkflows: []
+    blockedWorkflows: [],
+    tier: 'any'
   },
   regulated: {
     id: 'regulated',
     name: 'Regulated',
+    description: 'Compliance-focused with external skill restrictions',
     allowExternalSkills: false,
-    blockedWorkflows: ['growth-pack']
+    blockedWorkflows: ['growth-pack'],
+    tier: 'team'
   },
   enterprise: {
     id: 'enterprise',
     name: 'Enterprise',
+    description: 'Full control with SSO and audit requirements',
     allowExternalSkills: true,
-    blockedWorkflows: []
+    blockedWorkflows: [],
+    tier: 'enterprise'
   }
 };
 
@@ -54,15 +62,52 @@ function getPolicyProfile(profile, options = {}) {
 }
 
 function isWorkflowBlocked(workflow, profile) {
-  const workflowKey = String(workflow?.key || '').trim();
+  const workflowKey = String(workflow?.key || workflow || '').trim();
   if (!workflowKey) return false;
   return (profile.blockedWorkflows || []).includes(workflowKey);
 }
 
+/**
+ * Check if a scope is blocked by policy
+ * @param {string} scope - Scope to check (e.g., 'skills.external')
+ * @param {string} tier - Current tier
+ * @param {string} profile - Policy profile
+ * @param {object} memberOverrides - Per-member overrides
+ * @returns {object} Access result
+ */
+function checkScopeAccess(scope, tier = 'free', profile = 'startup', memberOverrides = {}) {
+  const effectivePolicy = policyMatrix.buildEffectivePolicy(tier, profile, memberOverrides);
+  return policyMatrix.checkPolicyAccess(scope, effectivePolicy);
+}
+
+/**
+ * Get all available policy profiles
+ * @returns {object[]} List of profiles
+ */
+function listPolicyProfiles() {
+  return Object.values(POLICY_PROFILES).map(p => ({
+    id: p.id,
+    name: p.name,
+    description: p.description,
+    tier: p.tier
+  }));
+}
+
+/**
+ * Get policy scopes
+ * @returns {object} Available scopes
+ */
+function getPolicyScopes() {
+  return policyMatrix.POLICY_SCOPES;
+}
+
 module.exports = {
   DEFAULT_POLICY_PROFILE,
   POLICY_PROFILES,
   resolvePolicyProfile,
   getPolicyProfile,
-  isWorkflowBlocked
+  isWorkflowBlocked,
+  checkScopeAccess,
+  listPolicyProfiles,
+  getPolicyScopes
 };