Add project break-glass access guard

project-break-glass-access-guard/README.md

@@ -0,0 +1,34 @@
+# Project Break-Glass Access Guard
+
+This module provides a focused User & Project Management slice for SCIBASE issue
+#11. It evaluates emergency break-glass access requests for locked or
+time-sensitive scientific workspaces before temporary owner/admin access is
+granted.
+
+## What It Covers
+
+- Owner/admin emergency access requests for locked project spaces.
+- Reason-code and reason-detail requirements.
+- Fresh MFA gates for sensitive temporary access.
+- Least-privilege object scopes with short expiry windows.
+- Protected data-class review holds.
+- Sponsor approval or after-hours justification.
+- Immutable audit receipts and mandatory post-access review.
+
+## Run
+
+```bash
+npm run check
+npm test
+npm run demo
+```
+
+Generated artifacts are written to `reports/`:
+
+- `summary.json`
+- `reviewer-packet.md`
+- `summary.svg`
+- `demo.mp4`
+
+All data is synthetic and does not touch real identity providers, user accounts,
+project permissions, or production workspaces.

project-break-glass-access-guard/acceptance-notes.md

@@ -0,0 +1,19 @@
+# Acceptance Notes
+
+The guard classifies requests as:
+
+- `approved`: temporary scoped access can be granted.
+- `approve_with_review`: after-hours access can proceed with mandatory owner review.
+- `steward_review`: protected or risky access requires steward approval first.
+- `denied`: request does not meet break-glass entry requirements.
+
+Validation commands:
+
+```bash
+npm run check
+npm test
+npm run demo
+ffprobe -v error -show_entries format=duration,size -show_entries stream=codec_name,width,height,pix_fmt -of default=noprint_wrappers=1 reports/demo.mp4
+git diff --check
+git diff --cached --check
+```

project-break-glass-access-guard/demo.js

@@ -0,0 +1,31 @@
+const fs = require("node:fs");
+const path = require("node:path");
+const {
+  analyzeBreakGlassAccess,
+  renderMarkdownReport,
+  renderSvgSummary,
+} = require("./index");
+const { sampleBreakGlassPacket } = require("./sample-data");
+
+const reportsDir = path.join(__dirname, "reports");
+fs.mkdirSync(reportsDir, { recursive: true });
+
+const result = analyzeBreakGlassAccess(sampleBreakGlassPacket, {
+  asOf: "2026-05-22T12:00:00.000Z",
+});
+
+fs.writeFileSync(
+  path.join(reportsDir, "summary.json"),
+  `${JSON.stringify(result, null, 2)}\n`
+);
+fs.writeFileSync(
+  path.join(reportsDir, "reviewer-packet.md"),
+  renderMarkdownReport(result)
+);
+fs.writeFileSync(
+  path.join(reportsDir, "summary.svg"),
+  renderSvgSummary(result)
+);
+
+console.log("project break-glass access guard demo artifacts written");
+console.log(`audit digest: ${result.auditDigest}`);