Add enterprise compute quota governance

enterprise-compute-quota-governance/README.md

@@ -0,0 +1,63 @@
+# Enterprise Compute Quota Governance
+
+This module adds a focused Enterprise Tooling slice for institutional compute and
+storage governance. It helps admins see which labs, departments, and projects
+are approaching or exceeding GPU and storage allocations, then turns those
+signals into approval queue items, dashboard metrics, webhook events, and
+export-ready evidence.
+
+## Why this fits Issue #19
+
+The issue calls for admin dashboards, usage stats, custom flags, API/webhook
+integration, and export pipelines. This slice covers that surface without
+duplicating the existing open PRs for broad dashboards, export packaging,
+webhook replay, trust center, compliance packets, identity drift, retention,
+grant compliance, data residency, SLA monitoring, lab inventory, or secret
+rotation.
+
+## What is included
+
+- Portfolio dashboard metrics for GPU hours, storage, forecast cost, risk bands,
+  departments, cost centers, and top at-risk projects.
+- Deterministic quota evaluation for warning, critical, and blocked states.
+- Admin approval queue with requested decisions and action recommendations.
+- REST API catalog for dashboard, review queue, project detail, decision, and
+  export manifest routes, including service scopes and integration clients.
+- CSV quota risk register with project, lab, cost-center, quota, review queue,
+  and requested decision columns for finance and compliance exports.
+- Custom tag preservation for grant, doctoral, restricted-data, ELN sync,
+  open-science, and reproducibility initiatives.
+- Export manifest for institutional dashboards, finance chargeback ledgers,
+  compliance archives, workflow webhooks, and the REST API catalog.
+- HMAC-signed webhook payloads using synthetic sample data only.
+
+## Local verification
+
+```sh
+cd enterprise-compute-quota-governance
+npm run check
+npm test
+npm run demo
+git diff --check
+```
+
+The implementation uses only Node.js built-ins and has no install step.
+
+## Reviewer proof artifacts
+
+`npm run demo` prints the portfolio summary, review queue, REST API routes, CSV
+export metadata, and signed webhook event IDs.
+
+Reviewer-facing proof is available in:
+
+- `docs/demo.md` - what the proof demonstrates, validation steps, and sample
+  output excerpts.
+- `docs/demo.mp4` - a 40 second walkthrough of the quota policy, usage
+  evaluation, risk enforcement, approval queue, API catalog, CSV/export
+  metadata, and HMAC-signed webhook evidence.
+- `docs/demo.svg` - a static visual summary of the same synthetic proof path.
+
+The video and static preview are generated from synthetic sample data only; they
+are not production screenshots or a live deployment recording. They are intended
+to help reviewers understand how this PR supports enterprise compute quota
+governance without requiring them to infer meaning from a placeholder artifact.

enterprise-compute-quota-governance/demo.js

@@ -0,0 +1,38 @@
+"use strict";
+
+const sampleData = require("./sample-data.json");
+const { evaluateQuotaGovernance } = require("./index");
+
+const result = evaluateQuotaGovernance(sampleData);
+
+console.log("Enterprise Compute Quota Governance Demo");
+console.log(`Institution: ${result.institution}`);
+console.log(`Period: ${result.period}`);
+console.log("");
+console.log("Portfolio");
+console.log(`- Projects: ${result.dashboard.portfolio.projectCount}`);
+console.log(`- Forecast GPU hours: ${result.dashboard.portfolio.forecastGpuHours}`);
+console.log(`- Projected storage GB: ${result.dashboard.portfolio.projectedStorageGb}`);
+console.log(`- Forecast cost USD: ${result.dashboard.portfolio.forecastCostUsd}`);
+console.log(`- Risk counts: ${JSON.stringify(result.dashboard.portfolio.riskCounts)}`);
+console.log("");
+console.log("Top review queue");
+for (const item of result.approvalQueue) {
+  console.log(
+    `- ${item.severity.toUpperCase()} ${item.projectId}: ${item.requestedDecision} (${item.reasons.join("; ")})`
+  );
+}
+console.log("");
+console.log("API catalog");
+for (const endpoint of result.apiCatalog.endpoints) {
+  console.log(`- ${endpoint.method} ${endpoint.path} [${endpoint.scope}]`);
+}
+console.log("");
+console.log("CSV export");
+console.log(`- ${result.exportRegister.filename}: ${result.exportRegister.rows.length} rows`);
+console.log(`- Headers: ${result.exportRegister.headers.length}`);
+console.log("");
+console.log("Webhook events");
+for (const event of result.webhookEvents) {
+  console.log(`- ${event.id} ${event.signature.slice(0, 23)}...`);
+}

enterprise-compute-quota-governance/docs/demo.md

@@ -0,0 +1,68 @@
+# Enterprise Compute Quota Governance Demo Proof
+
+This proof artifact is designed for reviewer understanding, not only for file
+presence. It uses the synthetic data in `sample-data.json`; it does not claim to
+show production usage or a live SCIBASE deployment.
+
+## What to Review
+
+- `docs/demo.mp4` is a 40 second walkthrough of the quota governance path.
+- `docs/demo.svg` is a static companion summary for quick inspection.
+- `npm run demo` prints the same portfolio, review queue, API, export, and
+  webhook evidence used by the visual artifacts.
+
+The demo should make these claims understandable without reading the code:
+
+- quota policy thresholds produce warning, critical, and blocked states;
+- project compute and storage forecasts are compared with configured limits;
+- quota risk becomes admin review queue decisions;
+- REST API routes are scoped for dashboard, review, project detail, decision,
+  and export manifest access;
+- CSV/export manifest data is available for finance and compliance review;
+- review-required webhook events are HMAC signed from synthetic sample data.
+
+## Validation Steps
+
+```sh
+cd enterprise-compute-quota-governance
+npm run check
+npm test
+npm run demo
+git diff --check
+```
+
+Expected validation signal:
+
+- `npm run check` validates `index.js`, `demo.js`, and `test.js` syntax.
+- `npm test` verifies risk counts, approval queue order, requested decisions,
+  API routes, CSV export rows, manifest targets, custom tags, webhook
+  signatures, stable JSON serialization, and policy validation errors.
+- `npm run demo` prints reviewer-readable sample output.
+
+## Sample Output Excerpt
+
+```text
+Enterprise Compute Quota Governance Demo
+Institution: Northbridge Research University
+Period: 2026-Q2
+
+Portfolio
+- Projects: 4
+- Forecast GPU hours: 3321
+- Projected storage GB: 15010
+- Forecast cost USD: 12257
+- Risk counts: {"normal":0,"warning":2,"critical":1,"blocked":1}
+
+Top review queue
+- BLOCKED microscopy-foundation-model: block-and-escalate
+- CRITICAL climate-preprint-replication: approve-extension-or-reduce-forecast
+- WARNING neuro-open-atlas: review-before-next-allocation-cycle
+- WARNING river-sensor-elns: review-before-next-allocation-cycle
+```
+
+## Proof Boundary
+
+The MP4 is valid proof only if it remains human-understandable and directly tied
+to this PR's claim. If the video becomes stale or unclear, use this Markdown file
+and the validation commands as the primary proof rather than treating a playable
+video file as sufficient by itself.