Add enterprise integration secret rotation gate

enterprise-integration-secret-rotation/README.md

@@ -0,0 +1,24 @@
+# Enterprise Integration Secret Rotation
+
+This module adds an Enterprise Tooling slice for institutional API and webhook governance. It is intentionally self-contained and synthetic-data-only so reviewers can validate the behavior without credentials, third-party services, or local platform setup.
+
+It covers the issue's enterprise API and webhook requirements by evaluating:
+
+- institutional API clients for stale credentials, unauthorized scopes, owner gaps, expiry, and break-glass misuse
+- webhook destinations for signing-secret age, unsafe overlap windows, missing HMAC policy, weak idempotency, dead-letter gaps, and recipient verification
+- dashboard-ready risk metrics for admins
+- deterministic audit evidence packets suitable for compliance exports
+
+## Local Validation
+
+```sh
+node enterprise-integration-secret-rotation/test.js
+node enterprise-integration-secret-rotation/demo.js
+```
+
+## Demo Evidence
+
+- [demo.mp4](demo.mp4) shows the problem, implementation scope, acceptance behavior, and validation commands.
+- [demo.svg](demo.svg) provides a static preview of the admin risk queue.
+- [requirements-map.md](requirements-map.md) maps the implementation to issue #19.
+- [acceptance-notes.md](acceptance-notes.md) lists the reviewer checks.

enterprise-integration-secret-rotation/acceptance-notes.md

@@ -0,0 +1,12 @@
+# Acceptance Notes
+
+Reviewer checklist:
+
+1. Run `node enterprise-integration-secret-rotation/test.js`.
+2. Run `node enterprise-integration-secret-rotation/demo.js`.
+3. Confirm the DSpace production API client is marked critical because it is expired, over-scoped, and has unjustified break-glass access.
+4. Confirm the ELN webhook is marked critical because its signing secret is overdue, its overlap window is too long, and its idempotency/dead-letter policy is incomplete.
+5. Confirm the Canvas/NIH-style low-risk integrations remain in monitor state.
+6. Confirm the evidence packet includes deterministic `sourceDigest`, `findingDigest`, and `packetDigest` values.
+
+This is a narrow Enterprise Tooling implementation rather than a broad placeholder. It targets a payment-relevant gap for real institutions: keeping API credentials and webhook signing secrets safe while still producing admin and compliance evidence.

enterprise-integration-secret-rotation/demo.js

@@ -0,0 +1,79 @@
+"use strict";
+
+const { evaluateEnterpriseIntegrationGovernance } = require("./index");
+
+const input = {
+  generatedAt: "2026-05-17T01:25:00.000Z",
+  apiClients: [
+    {
+      id: "api-dspace-prod",
+      name: "DSpace institutional archive sync",
+      systems: ["DSpace", "ORCID"],
+      environment: "production",
+      scopes: ["repository:read", "publication:write", "admin:*"],
+      allowedScopes: ["repository:read", "publication:write"],
+      owner: { name: "Research IT", email: "research-it@example.edu" },
+      credentialLastRotatedAt: "2026-01-01T00:00:00.000Z",
+      credentialLastUsedAt: "2026-05-16T10:00:00.000Z",
+      expiresAt: "2026-05-10T00:00:00.000Z",
+      hasBreakGlassAccess: true,
+    },
+    {
+      id: "api-orcid-prod",
+      name: "ORCID affiliation updater",
+      systems: ["ORCID", "HRIS"],
+      environment: "production",
+      scopes: ["person:read", "affiliation:write"],
+      allowedScopes: ["person:read", "affiliation:write"],
+      owner: { name: "Identity Team", email: "identity@example.edu" },
+      credentialLastRotatedAt: "2026-04-28T00:00:00.000Z",
+      credentialLastUsedAt: "2026-05-16T09:30:00.000Z",
+      expiresAt: "2026-10-01T00:00:00.000Z",
+      hasBreakGlassAccess: false,
+    },
+  ],
+  webhooks: [
+    {
+      id: "hook-eln-publication",
+      name: "ELN publication webhook",
+      destinationSystem: "Benchling ELN",
+      eventTypes: ["project.published", "review.completed"],
+      allowedEventTypes: ["project.published", "review.completed"],
+      transport: "https",
+      signatureAlgorithm: "hmac-sha256",
+      signingSecretLastRotatedAt: "2026-03-01T00:00:00.000Z",
+      activeSecretCount: 2,
+      activeSecretWindowStartedAt: "2026-05-13T00:00:00.000Z",
+      idempotencyKeyPolicy: "optional",
+      deadLetterQueue: false,
+      recipientVerification: true,
+    },
+    {
+      id: "hook-funder-report",
+      name: "Funder compliance report webhook",
+      destinationSystem: "NIH RePORTER",
+      eventTypes: ["export.ready"],
+      allowedEventTypes: ["export.ready"],
+      transport: "https",
+      signatureAlgorithm: "hmac-sha256",
+      signingSecretLastRotatedAt: "2026-05-05T00:00:00.000Z",
+      activeSecretCount: 1,
+      idempotencyKeyPolicy: "required",
+      deadLetterQueue: true,
+      recipientVerification: true,
+    },
+  ],
+};
+
+const result = evaluateEnterpriseIntegrationGovernance(input);
+
+console.log(JSON.stringify({
+  dashboard: result.dashboard,
+  topFindings: result.findings.slice(0, 3).map((finding) => ({
+    id: finding.id,
+    severity: finding.severity,
+    action: finding.action,
+    issues: finding.issues,
+  })),
+  evidencePacket: result.evidencePacket,
+}, null, 2));