Add enterprise trust center tooling

enterprise-trust-center/README.md

@@ -0,0 +1,75 @@
+# Enterprise Trust Center
+
+Self-contained enterprise tooling milestone for [SCIBASE.AI issue #19](https://github.com/SCIBASE-AI/SCIBASE.AI/issues/19).
+
+The module gives institutional administrators a deterministic trust-center workflow for compliance analytics, secure API cataloging, webhook events, and audit-ready exports. It is credential-free and uses only Node.js built-ins so reviewers can run it locally without setup friction.
+
+## What It Adds
+
+- Admin dashboard summary for workspace status, active users, projects, integrations, and next actions.
+- Compliance analytics for MFA coverage, audit-log coverage, webhook health, open incidents, and overdue data requests.
+- Secure API catalog showing integration scopes, owners, active key counts, rotation timestamps, risk, and webhook endpoints.
+- HMAC-signed trust-center webhook events.
+- Export pipeline catalog for repositories, journal submission packages, and funder portals with required metadata checks.
+- Procurement readiness report for SAML, DPA, security questionnaire, SLA, webhook health, API-key rotation, export readiness, blockers, and approval route.
+- Compliance export bundle with evidence manifest and audit summary.
+- Sample workspace data, tests, and a deterministic CLI demo.
+
+## Run
+
+```bash
+cd enterprise-trust-center
+npm run check
+npm test
+npm run demo
+```
+
+Expected demo shape:
+
+```json
+{
+  "workspace": "Borealis Research Institute",
+  "status": "blocked",
+  "activeUsers": 3,
+  "integrations": 2,
+  "exportPipelines": [
+    {
+      "id": "journal-submission",
+      "formats": ["jats", "docx", "latex"],
+      "readyProjects": 1,
+      "blockedProjects": 2
+    }
+  ],
+  "procurement": {
+    "status": "blocked",
+    "buyer": "Borealis IT Procurement"
+  },
+  "nextActions": [
+    {
+      "checkId": "mfa-coverage",
+      "title": "MFA coverage",
+      "remediation": "Require MFA for remaining active users before renewing institutional access."
+    }
+  ],
+  "firstSignedWebhook": {
+    "type": "trust_center.compliance_evaluated",
+    "signature": "sha256=..."
+  }
+}
+```
+
+## Demo Artifact
+
+See [docs/demo.gif](docs/demo.gif) for a short visual walkthrough of the dashboard, export, and signed webhook flow. The SVG source is also included at [docs/demo.svg](docs/demo.svg).
+
+## Files
+
+- `src/trust-center.js` - core enterprise trust-center functions, including export pipeline and procurement readiness checks.
+- `data/sample-workspace.json` - reviewable institutional workspace fixture.
+- `test/trust-center.test.js` - dependency-free Node assertions.
+- `scripts/demo.js` - CLI demo for reviewer smoke testing.
+- `docs/issue-19-requirement-map.md` - maps the implementation to the bounty requirements.
+
+## AI-Assisted Disclosure
+
+This contribution was produced with AI assistance and manually verified with the local commands above.

enterprise-trust-center/data/sample-workspace.json

@@ -0,0 +1,136 @@
+{
+  "id": "inst-borealis",
+  "name": "Borealis Research Institute",
+  "plan": "enterprise",
+  "users": [
+    { "id": "u-001", "status": "active", "role": "admin", "mfaEnabled": true },
+    { "id": "u-002", "status": "active", "role": "principal-investigator", "mfaEnabled": true },
+    { "id": "u-003", "status": "active", "role": "researcher", "mfaEnabled": false },
+    { "id": "u-004", "status": "invited", "role": "reviewer", "mfaEnabled": false }
+  ],
+  "projects": [
+    {
+      "id": "p-101",
+      "title": "Longitudinal microbiome atlas",
+      "auditLogEnabled": true,
+      "exportMetadata": {
+        "doi": "10.5555/borealis.microbiome",
+        "orcid": "0000-0002-1825-0097",
+        "license": "CC-BY-4.0",
+        "versionHistory": true,
+        "citationIds": ["pmid:123456"],
+        "grantId": "NIH-R01-42",
+        "openAccessStatus": "compliant"
+      }
+    },
+    {
+      "id": "p-102",
+      "title": "Climate model reproducibility pack",
+      "auditLogEnabled": true,
+      "exportMetadata": {
+        "doi": "10.5555/borealis.climate",
+        "license": "CC-BY-4.0",
+        "versionHistory": true,
+        "openAccessStatus": "pending"
+      }
+    },
+    {
+      "id": "p-103",
+      "title": "Retrospective cohort review",
+      "auditLogEnabled": false,
+      "exportMetadata": {
+        "orcid": "0000-0003-1415-9265"
+      }
+    }
+  ],
+  "exportTargets": [
+    {
+      "id": "zenodo",
+      "name": "Zenodo deposition",
+      "category": "indexed-repository",
+      "formats": ["datacite-json", "archive-zip"],
+      "requiredFields": ["doi", "license", "versionHistory"],
+      "preservedIdentifiers": ["doi", "citationIds", "versionHistory"]
+    },
+    {
+      "id": "journal-submission",
+      "name": "Journal submission package",
+      "category": "journal",
+      "formats": ["jats", "docx", "latex"],
+      "requiredFields": ["doi", "orcid", "license"],
+      "preservedIdentifiers": ["doi", "orcid", "citationIds"]
+    },
+    {
+      "id": "funder-portal",
+      "name": "Funder compliance report",
+      "category": "grant-portal",
+      "formats": ["grant-report-json", "csv"],
+      "requiredFields": ["grantId", "openAccessStatus"],
+      "preservedIdentifiers": ["doi", "orcid"]
+    }
+  ],
+  "integrations": [
+    {
+      "id": "semantic-scholar",
+      "name": "Semantic Scholar export",
+      "category": "literature",
+      "scopes": ["read:projects", "write:citations"],
+      "owners": ["u-002"],
+      "risk": "low",
+      "webhookUrl": "https://example.edu/hooks/semantic-scholar"
+    },
+    {
+      "id": "institutional-archive",
+      "name": "Institutional archive",
+      "category": "repository",
+      "scopes": ["read:projects", "write:projects"],
+      "owners": ["u-001"],
+      "risk": "medium",
+      "webhookUrl": "https://archive.example.edu/scibase/hooks"
+    }
+  ],
+  "apiKeys": [
+    {
+      "id": "key-001",
+      "integrationId": "semantic-scholar",
+      "status": "active",
+      "rotatedAt": "2026-05-01T10:00:00Z"
+    },
+    {
+      "id": "key-002",
+      "integrationId": "institutional-archive",
+      "status": "active",
+      "rotatedAt": "2026-04-17T14:30:00Z"
+    }
+  ],
+  "events": [
+    { "id": "evt-001", "status": "delivered", "type": "project.exported" },
+    { "id": "evt-002", "status": "delivered", "type": "citation.synced" },
+    { "id": "evt-003", "status": "failed", "type": "dataset.archived" }
+  ],
+  "dataRequests": [
+    { "id": "dr-001", "status": "closed", "type": "export" },
+    { "id": "dr-002", "status": "overdue", "type": "deletion" }
+  ],
+  "incidents": [
+    { "id": "inc-001", "severity": "medium", "status": "open" },
+    { "id": "inc-002", "severity": "critical", "status": "resolved" }
+  ],
+  "auditLog": [
+    { "id": "audit-001", "action": "project.created", "actorId": "u-002" },
+    { "id": "audit-002", "action": "integration.connected", "actorId": "u-001" },
+    { "id": "audit-003", "action": "export.generated", "actorId": "u-001" }
+  ],
+  "procurement": {
+    "asOf": "2026-05-14T00:00:00Z",
+    "buyer": "Borealis IT Procurement",
+    "renewalDate": "2026-09-01",
+    "evidence": {
+      "samlConfigured": true,
+      "dpaSigned": true,
+      "securityQuestionnaireComplete": false,
+      "slaHours": 48,
+      "activeKeyRotationDaysMax": 30
+    }
+  }
+}

enterprise-trust-center/docs/issue-19-requirement-map.md

@@ -0,0 +1,21 @@
+# Issue #19 Requirement Map
+
+This module is a focused milestone for SCIBASE issue #19, Enterprise Tooling. It avoids external credentials and keeps all behavior deterministic for review.
+
+| Issue requirement | Implementation |
+| --- | --- |
+| Institutional admin dashboards | `buildAdminDashboard()` produces workspace headline metrics, risk status, compliance checks, integrations, and next actions. |
+| Contributor, usage, and compliance analytics | `computeUsageAnalytics()` derives MFA coverage, audit-log coverage, webhook health, incidents, data requests, project totals, and integration counts. |
+| Secure API catalog | `buildApiCatalog()` lists connected integrations, scopes, owners, key rotation status, risk, and webhook endpoints. |
+| Webhooks | `generateWebhookEvents()` creates trust-center events and `signWebhookEvent()` signs payloads with HMAC SHA-256. |
+| Export pipelines | `buildExportPipelineCatalog()` models repository, journal, and funder-portal targets with formats, required metadata, ready projects, blocked projects, and preserved identifiers. `packageComplianceExport()` includes that catalog in the audit-ready export bundle. |
+| Enterprise procurement readiness | `buildProcurementReadinessReport()` checks SAML, DPA, security questionnaire, SLA, webhook health, API key rotation, export readiness, blockers, and approval route metadata for institutional review. |
+| Reviewer-friendly demo | `npm run demo` prints a deterministic trust-center summary from `data/sample-workspace.json`. |
+| Local verification | `npm run check` and `npm test` validate syntax and behavior without network calls. |
+
+## Review Notes
+
+- The module is isolated under `enterprise-trust-center/`.
+- It uses only Node.js built-ins.
+- It is designed as a mergeable enterprise-tooling slice rather than a placeholder integration.
+- The compliance policy is intentionally configurable through `evaluateCompliance(workspace, policy)`.

enterprise-trust-center/package.json

@@ -0,0 +1,12 @@
+{
+  "name": "scibase-enterprise-trust-center",
+  "version": "0.1.0",
+  "private": true,
+  "description": "Self-contained enterprise tooling milestone for SCIBASE institutional trust center workflows.",
+  "type": "commonjs",
+  "scripts": {
+    "check": "node --check src/trust-center.js && node --check scripts/demo.js && node --check test/trust-center.test.js",
+    "demo": "node scripts/demo.js",
+    "test": "node test/trust-center.test.js"
+  }
+}

enterprise-trust-center/scripts/demo.js

@@ -0,0 +1,36 @@
+"use strict";
+
+const path = require("path");
+const sampleWorkspace = require(path.join("..", "data", "sample-workspace.json"));
+const { buildEnterpriseTrustCenter } = require("../src/trust-center");
+
+const trustCenter = buildEnterpriseTrustCenter(sampleWorkspace, {
+  webhookSecret: "demo-secret",
+});
+
+const summary = {
+  workspace: trustCenter.dashboard.workspace.name,
+  status: trustCenter.dashboard.headline.status,
+  activeUsers: trustCenter.dashboard.headline.activeUsers,
+  integrations: trustCenter.dashboard.headline.apiIntegrations,
+  exportPipelines: trustCenter.dashboard.exportPipelines.map((pipeline) => ({
+    id: pipeline.id,
+    formats: pipeline.formats,
+    readyProjects: pipeline.readyProjectIds.length,
+    blockedProjects: pipeline.blockedProjects.length,
+  })),
+  procurement: {
+    status: trustCenter.dashboard.procurement.status,
+    buyer: trustCenter.dashboard.procurement.buyer,
+    blockers: trustCenter.dashboard.procurement.blockers,
+    approvalRoute: trustCenter.dashboard.procurement.approvalRoute,
+  },
+  nextActions: trustCenter.dashboard.nextActions,
+  firstSignedWebhook: {
+    type: trustCenter.signedWebhookEvents[0].type,
+    signature: trustCenter.signedWebhookEvents[0].signature.slice(0, 24) + "...",
+  },
+  exportId: trustCenter.complianceExport.exportId,
+};
+
+console.log(JSON.stringify(summary, null, 2));