npm - @girardmedia/bootspring - Versions diffs - 2.0.22 → 2.0.23 - Mend

@girardmedia/bootspring 2.0.22 → 2.0.23

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (15) hide show

package/bin/bootspring.js +5 -0
package/cli/org.js +474 -0
package/cli/preseed.js +9 -301
package/cli/seed.js +23 -1074
package/core/api-client.js +77 -0
package/core/entitlements.js +36 -0
package/core/organizations.js +223 -0
package/core/policies.js +51 -6
package/core/policy-matrix.js +303 -0
package/core/project-context.js +1 -0
package/intelligence/orchestrator/config/index.js +4 -1
package/intelligence/orchestrator/config/pack-lifecycle.js +262 -0
package/intelligence/orchestrator.js +17 -512
package/mcp/contracts/mcp-contract.v1.json +1 -1
package/package.json +1 -1

package/core/policy-matrix.js ADDED Viewed

@@ -0,0 +1,303 @@
+/**
+ * Policy Matrix
+ * Comprehensive policy definitions for org-level gates
+ * @package bootspring
+ */
+/**
+ * Policy scopes define what can be controlled
+ */
+const POLICY_SCOPES = {
+  skills: {
+    external: 'skills.external',        // Third-party/external skills
+    premium: 'skills.premium',          // Premium skill categories
+    ai: 'skills.ai',                    // AI-powered skills
+    all: 'skills.*'
+  },
+  workflows: {
+    parallel: 'workflows.parallel',     // Parallel execution
+    premium: 'workflows.premium',       // Premium workflow packs
+    custom: 'workflows.custom',         // Custom workflow definitions
+    all: 'workflows.*'
+  },
+  agents: {
+    technical: 'agents.technical',      // Technical experts
+    business: 'agents.business',        // Business/legal experts
+    enterprise: 'agents.enterprise',    // Enterprise-only agents
+    all: 'agents.*'
+  },
+  features: {
+    telemetry: 'features.telemetry',    // Usage telemetry
+    cloudSync: 'features.cloud_sync',   // Cloud synchronization
+    teamSharing: 'features.team_sharing', // Team context sharing
+    auditLogs: 'features.audit_logs',   // Audit logging
+    apiAccess: 'features.api_access',   // Direct API access
+    all: 'features.*'
+  }
+};
+/**
+ * Default policy matrix by tier
+ * Defines what's allowed/blocked per tier
+ */
+const TIER_POLICY_DEFAULTS = {
+  free: {
+    allowed: [
+      'skills.external',
+      'agents.technical',
+      'features.telemetry'
+    ],
+    blocked: [
+      'skills.premium',
+      'skills.ai',
+      'workflows.premium',
+      'workflows.parallel',
+      'agents.business',
+      'agents.enterprise',
+      'features.cloud_sync',
+      'features.team_sharing',
+      'features.audit_logs'
+    ],
+    limits: {
+      skillsPerDay: 50,
+      workflowsPerDay: 10,
+      agentInvocationsPerDay: 20
+    }
+  },
+  pro: {
+    allowed: [
+      'skills.*',
+      'workflows.*',
+      'agents.technical',
+      'agents.business',
+      'features.telemetry',
+      'features.cloud_sync'
+    ],
+    blocked: [
+      'agents.enterprise',
+      'features.team_sharing',
+      'features.audit_logs'
+    ],
+    limits: {
+      skillsPerDay: 500,
+      workflowsPerDay: 100,
+      agentInvocationsPerDay: 200
+    }
+  },
+  team: {
+    allowed: [
+      'skills.*',
+      'workflows.*',
+      'agents.*',
+      'features.telemetry',
+      'features.cloud_sync',
+      'features.team_sharing',
+      'features.audit_logs'
+    ],
+    blocked: [],
+    limits: {
+      skillsPerDay: 2000,
+      workflowsPerDay: 500,
+      agentInvocationsPerDay: 1000,
+      teamMembers: 10
+    }
+  },
+  enterprise: {
+    allowed: ['*'],
+    blocked: [],
+    limits: {
+      skillsPerDay: -1,  // Unlimited
+      workflowsPerDay: -1,
+      agentInvocationsPerDay: -1,
+      teamMembers: -1
+    }
+  }
+};
+/**
+ * Profile-specific policy overrides
+ * Applied on top of tier defaults
+ */
+const PROFILE_OVERRIDES = {
+  startup: {
+    // Startup profile: permissive, fast iteration
+    overrides: {},
+    additionalBlocked: []
+  },
+  regulated: {
+    // Regulated profile: compliance-focused
+    overrides: {
+      requireApproval: ['workflows.custom', 'skills.external'],
+      auditAll: true,
+      dataResidency: true
+    },
+    additionalBlocked: [
+      'skills.external',
+      'workflows.growth-pack'
+    ]
+  },
+  enterprise: {
+    // Enterprise profile: full control
+    overrides: {
+      ssoRequired: true,
+      auditAll: true,
+      approvalWorkflow: true
+    },
+    additionalBlocked: []
+  }
+};
+/**
+ * Member role permissions
+ * What each role can do within an org
+ */
+const ROLE_PERMISSIONS = {
+  owner: {
+    canManageOrg: true,
+    canManageMembers: true,
+    canManagePolicies: true,
+    canManageBilling: true,
+    canUseAllFeatures: true
+  },
+  admin: {
+    canManageOrg: false,
+    canManageMembers: true,
+    canManagePolicies: true,
+    canManageBilling: false,
+    canUseAllFeatures: true
+  },
+  member: {
+    canManageOrg: false,
+    canManageMembers: false,
+    canManagePolicies: false,
+    canManageBilling: false,
+    canUseAllFeatures: true
+  },
+  viewer: {
+    canManageOrg: false,
+    canManageMembers: false,
+    canManagePolicies: false,
+    canManageBilling: false,
+    canUseAllFeatures: false
+  }
+};
+/**
+ * Check if a scope matches a pattern
+ * @param {string} scope - Specific scope (e.g., 'skills.external')
+ * @param {string} pattern - Pattern to match (e.g., 'skills.*' or 'skills.external')
+ * @returns {boolean}
+ */
+function matchesScope(scope, pattern) {
+  if (pattern === '*') return true;
+  if (pattern === scope) return true;
+  if (pattern.endsWith('.*')) {
+    const prefix = pattern.slice(0, -2);
+    return scope.startsWith(prefix + '.');
+  }
+  return false;
+}
+/**
+ * Check if a scope is allowed by policy
+ * @param {string} scope - Scope to check
+ * @param {string[]} allowed - Allowed patterns
+ * @param {string[]} blocked - Blocked patterns
+ * @returns {boolean}
+ */
+function isScopeAllowed(scope, allowed, blocked) {
+  // Check blocked first (blocked takes precedence)
+  for (const pattern of blocked) {
+    if (matchesScope(scope, pattern)) {
+      return false;
+    }
+  }
+  // Check allowed
+  for (const pattern of allowed) {
+    if (matchesScope(scope, pattern)) {
+      return true;
+    }
+  }
+  return false;
+}
+/**
+ * Build effective policy for an org member
+ * @param {string} tier - Org tier (free/pro/team/enterprise)
+ * @param {string} profile - Policy profile (startup/regulated/enterprise)
+ * @param {object} memberOverrides - Per-member policy overrides
+ * @returns {object} Effective policy
+ */
+function buildEffectivePolicy(tier, profile, memberOverrides = {}) {
+  const tierDefaults = TIER_POLICY_DEFAULTS[tier] || TIER_POLICY_DEFAULTS.free;
+  const profileOverrides = PROFILE_OVERRIDES[profile] || PROFILE_OVERRIDES.startup;
+  // Merge allowed/blocked lists
+  const allowed = [...tierDefaults.allowed];
+  const blocked = [
+    ...tierDefaults.blocked,
+    ...profileOverrides.additionalBlocked
+  ];
+  // Apply member overrides
+  if (memberOverrides.additionalAllowed) {
+    allowed.push(...memberOverrides.additionalAllowed);
+  }
+  if (memberOverrides.additionalBlocked) {
+    blocked.push(...memberOverrides.additionalBlocked);
+  }
+  return {
+    tier,
+    profile,
+    allowed: [...new Set(allowed)],
+    blocked: [...new Set(blocked)],
+    limits: { ...tierDefaults.limits, ...(memberOverrides.limits || {}) },
+    overrides: { ...profileOverrides.overrides, ...(memberOverrides.overrides || {}) }
+  };
+}
+/**
+ * Check access against effective policy
+ * @param {string} scope - Scope to check
+ * @param {object} policy - Effective policy
+ * @returns {object} Access result
+ */
+function checkPolicyAccess(scope, policy) {
+  const allowed = isScopeAllowed(scope, policy.allowed, policy.blocked);
+  if (!allowed) {
+    return {
+      allowed: false,
+      code: 'policy_blocked',
+      scope,
+      reason: `Scope "${scope}" is blocked by ${policy.profile} policy`
+    };
+  }
+  // Check if approval is required
+  if (policy.overrides.requireApproval?.some(p => matchesScope(scope, p))) {
+    return {
+      allowed: true,
+      requiresApproval: true,
+      scope,
+      reason: `Scope "${scope}" requires approval under ${policy.profile} policy`
+    };
+  }
+  return {
+    allowed: true,
+    scope
+  };
+}
+module.exports = {
+  POLICY_SCOPES,
+  TIER_POLICY_DEFAULTS,
+  PROFILE_OVERRIDES,
+  ROLE_PERMISSIONS,
+  matchesScope,
+  isScopeAllowed,
+  buildEffectivePolicy,
+  checkPolicyAccess
+};

package/core/project-context.js CHANGED Viewed

@@ -36,6 +36,7 @@ const EXEMPT_COMMANDS = [
   'billing',  // Billing status/info accessible without project
   'preseed',  // Preseed works locally, auth enhances features
   'seed',     // Seed works locally for scaffolding
+  'org',      // Org policy accessible without project
 ];
 // Sub-commands of auth that are exempt

package/intelligence/orchestrator/config/index.js CHANGED Viewed

@@ -8,6 +8,7 @@ const { PHASE_AGENTS, TECHNICAL_TRIGGERS } = require('./phases');
 const { WORKFLOWS } = require('./workflows');
 const { REMEDIATION_PATHS } = require('./remediation');
 const { FAILURE_SIGNATURES, SEVERITY_WEIGHTS, PARALLEL_FAILURE_STRATEGIES } = require('./failure-signatures');
+const packLifecycle = require('./pack-lifecycle');
 module.exports = {
   PHASE_AGENTS,
@@ -16,5 +17,7 @@ module.exports = {
   REMEDIATION_PATHS,
   FAILURE_SIGNATURES,
   SEVERITY_WEIGHTS,
-  PARALLEL_FAILURE_STRATEGIES
+  PARALLEL_FAILURE_STRATEGIES,
+  // Pack lifecycle exports
+  ...packLifecycle
 };

package/intelligence/orchestrator/config/pack-lifecycle.js ADDED Viewed

@@ -0,0 +1,262 @@
+/**
+ * Pack Lifecycle Configuration
+ * Manages premium pack rollout stages: draft -> QA -> canary -> GA
+ * @package bootspring
+ */
+/**
+ * Lifecycle stages
+ */
+const LIFECYCLE_STAGES = {
+  DRAFT: 'draft',       // Internal development, not visible to users
+  QA: 'qa',             // Internal testing, visible to team accounts
+  CANARY: 'canary',     // Limited rollout (25% of eligible users)
+  GA: 'ga'              // General availability (100% rollout)
+};
+/**
+ * Stage order for progression
+ */
+const STAGE_ORDER = ['draft', 'qa', 'canary', 'ga'];
+/**
+ * Default rollout percentages per stage
+ */
+const DEFAULT_ROLLOUT = {
+  draft: 0,       // Not available to users
+  qa: 5,          // 5% of team/enterprise users for internal QA
+  canary: 25,     // 25% of eligible users
+  ga: 100         // All eligible users
+};
+/**
+ * Pack lifecycle definitions
+ * Tracks current stage and rollout status for each premium pack
+ */
+const PACK_LIFECYCLE = {
+  'launch-pack': {
+    name: 'Launch Pack',
+    description: 'Premium guided launch workflow from freeze to production validation',
+    currentStage: 'ga',
+    stageHistory: [
+      { stage: 'draft', date: '2026-01-15', approved_by: 'system' },
+      { stage: 'qa', date: '2026-01-22', approved_by: 'system' },
+      { stage: 'canary', date: '2026-02-01', approved_by: 'system' },
+      { stage: 'ga', date: '2026-02-15', approved_by: 'system' }
+    ],
+    rolloutPercentage: 100,
+    qualityGates: {
+      errorRateThreshold: 0.01,  // Max 1% error rate to advance
+      minUsageCount: 10,         // Min 10 uses in current stage
+      minSuccessRate: 0.95       // 95% completion rate
+    },
+    featureFlags: {}
+  },
+  'reliability-pack': {
+    name: 'Reliability Pack',
+    description: 'Premium reliability hardening workflow for incidents and regressions',
+    currentStage: 'ga',
+    stageHistory: [
+      { stage: 'draft', date: '2026-01-15', approved_by: 'system' },
+      { stage: 'qa', date: '2026-01-22', approved_by: 'system' },
+      { stage: 'canary', date: '2026-02-01', approved_by: 'system' },
+      { stage: 'ga', date: '2026-02-15', approved_by: 'system' }
+    ],
+    rolloutPercentage: 100,
+    qualityGates: {
+      errorRateThreshold: 0.01,
+      minUsageCount: 10,
+      minSuccessRate: 0.95
+    },
+    featureFlags: {}
+  },
+  'growth-pack': {
+    name: 'Growth Pack',
+    description: 'Premium experimentation workflow for activation and conversion improvements',
+    currentStage: 'ga',
+    stageHistory: [
+      { stage: 'draft', date: '2026-01-15', approved_by: 'system' },
+      { stage: 'qa', date: '2026-01-22', approved_by: 'system' },
+      { stage: 'canary', date: '2026-02-01', approved_by: 'system' },
+      { stage: 'ga', date: '2026-02-15', approved_by: 'system' }
+    ],
+    rolloutPercentage: 100,
+    qualityGates: {
+      errorRateThreshold: 0.01,
+      minUsageCount: 10,
+      minSuccessRate: 0.95
+    },
+    featureFlags: {}
+  }
+};
+/**
+ * Get pack lifecycle info
+ * @param {string} packName - Pack name (e.g., 'launch-pack')
+ * @returns {object|null} Pack lifecycle info
+ */
+function getPackLifecycle(packName) {
+  return PACK_LIFECYCLE[packName] || null;
+}
+/**
+ * Get current stage for a pack
+ * @param {string} packName - Pack name
+ * @returns {string} Current stage
+ */
+function getPackStage(packName) {
+  const lifecycle = getPackLifecycle(packName);
+  return lifecycle?.currentStage || 'draft';
+}
+/**
+ * Check if pack is visible to user based on stage and rollout
+ * @param {string} packName - Pack name
+ * @param {object} options - Options including tier, userId
+ * @returns {boolean} Whether pack is visible
+ */
+function isPackVisibleToUser(packName, options = {}) {
+  const lifecycle = getPackLifecycle(packName);
+  if (!lifecycle) return false;
+  const stage = lifecycle.currentStage;
+  const rollout = lifecycle.rolloutPercentage;
+  // Draft: never visible
+  if (stage === 'draft') return false;
+  // QA: only visible to team/enterprise
+  if (stage === 'qa') {
+    const tier = options.tier || 'free';
+    return ['team', 'enterprise'].includes(tier);
+  }
+  // Canary/GA: check rollout percentage
+  if (rollout === 100) return true;
+  if (rollout === 0) return false;
+  // Hash user ID to determine if in rollout
+  const userId = options.userId || options.deviceId || 'anonymous';
+  const hash = simpleHash(userId + packName);
+  const bucket = hash % 100;
+  return bucket < rollout;
+}
+/**
+ * Simple hash function for rollout bucketing
+ * @param {string} str - String to hash
+ * @returns {number} Hash value 0-999999
+ */
+function simpleHash(str) {
+  let hash = 0;
+  for (let i = 0; i < str.length; i++) {
+    const char = str.charCodeAt(i);
+    hash = ((hash << 5) - hash) + char;
+    hash = hash & hash; // Convert to 32-bit integer
+  }
+  return Math.abs(hash);
+}
+/**
+ * Check if stage can be advanced based on quality gates
+ * @param {string} packName - Pack name
+ * @param {object} metrics - Current metrics { errorRate, usageCount, successRate }
+ * @returns {object} { canAdvance, reasons }
+ */
+function checkQualityGates(packName, metrics = {}) {
+  const lifecycle = getPackLifecycle(packName);
+  if (!lifecycle) {
+    return { canAdvance: false, reasons: ['Pack not found'] };
+  }
+  const gates = lifecycle.qualityGates;
+  const reasons = [];
+  // Check error rate
+  if (metrics.errorRate !== undefined && metrics.errorRate > gates.errorRateThreshold) {
+    reasons.push(`Error rate ${(metrics.errorRate * 100).toFixed(2)}% exceeds threshold ${(gates.errorRateThreshold * 100).toFixed(2)}%`);
+  }
+  // Check usage count
+  if (metrics.usageCount !== undefined && metrics.usageCount < gates.minUsageCount) {
+    reasons.push(`Usage count ${metrics.usageCount} below minimum ${gates.minUsageCount}`);
+  }
+  // Check success rate
+  if (metrics.successRate !== undefined && metrics.successRate < gates.minSuccessRate) {
+    reasons.push(`Success rate ${(metrics.successRate * 100).toFixed(2)}% below threshold ${(gates.minSuccessRate * 100).toFixed(2)}%`);
+  }
+  return {
+    canAdvance: reasons.length === 0,
+    reasons
+  };
+}
+/**
+ * Get next stage in lifecycle
+ * @param {string} currentStage - Current stage
+ * @returns {string|null} Next stage or null if at GA
+ */
+function getNextStage(currentStage) {
+  const index = STAGE_ORDER.indexOf(currentStage);
+  if (index === -1 || index === STAGE_ORDER.length - 1) return null;
+  return STAGE_ORDER[index + 1];
+}
+/**
+ * Get previous stage in lifecycle
+ * @param {string} currentStage - Current stage
+ * @returns {string|null} Previous stage or null if at draft
+ */
+function getPreviousStage(currentStage) {
+  const index = STAGE_ORDER.indexOf(currentStage);
+  if (index <= 0) return null;
+  return STAGE_ORDER[index - 1];
+}
+/**
+ * List all pack lifecycle statuses
+ * @returns {Array} Pack status list
+ */
+function listPackStatuses() {
+  return Object.entries(PACK_LIFECYCLE).map(([key, pack]) => ({
+    key,
+    name: pack.name,
+    description: pack.description,
+    currentStage: pack.currentStage,
+    rolloutPercentage: pack.rolloutPercentage,
+    lastUpdate: pack.stageHistory[pack.stageHistory.length - 1]?.date
+  }));
+}
+/**
+ * Get stage badge for display
+ * @param {string} stage - Stage name
+ * @returns {string} Badge string
+ */
+function getStageBadge(stage) {
+  const badges = {
+    draft: '[draft]',
+    qa: '[QA]',
+    canary: '[canary]',
+    ga: '[GA]'
+  };
+  return badges[stage] || `[${stage}]`;
+}
+module.exports = {
+  LIFECYCLE_STAGES,
+  STAGE_ORDER,
+  DEFAULT_ROLLOUT,
+  PACK_LIFECYCLE,
+  getPackLifecycle,
+  getPackStage,
+  isPackVisibleToUser,
+  checkQualityGates,
+  getNextStage,
+  getPreviousStage,
+  listPackStatuses,
+  getStageBadge
+};