Create demo_scenarios.py

demo_scenarios.py

@@ -0,0 +1,499 @@
+"""
+Demo Scenarios for ARF 3.3.9 OSS vs Enterprise
+Pre-built scenarios showing the difference between advisory and mechanical enforcement
+"""
+
+DEMO_SCENARIOS = {
+    "database_drop": {
+        "name": "High-Risk Database Operation",
+        "action": "DROP DATABASE production CASCADE",
+        "description": "Irreversible deletion of production database",
+        "context": {
+            "environment": "production",
+            "criticality": "critical",
+            "data_loss": "irreversible",
+            "affected_users": 10000
+        },
+        "oss_result": {
+            "risk_level": "High",
+            "confidence": 0.95,
+            "recommendation": "❌ DO NOT EXECUTE - High risk of irreversible data loss",
+            "policy_violations": 2,
+            "can_execute": False,
+            "execution_status": "BLOCKED (Advisory)",
+            "reason": "Violates high-risk database policy and irreversible action policy"
+        },
+        "enterprise_result": {
+            "license_tier": "professional",
+            "gates": [
+                {"name": "license_validation", "required": True, "passed": True, "message": "Professional license valid"},
+                {"name": "risk_assessment", "required": True, "passed": False, "message": "Risk score 0.95 > 0.80 threshold"},
+                {"name": "irreversible_action", "required": True, "passed": False, "message": "DROP DATABASE is irreversible"},
+                {"name": "admin_override", "required": False, "passed": False, "message": "No admin override provided"}
+            ],
+            "gates_passed": 1,
+            "total_gates": 4,
+            "execution_authority": "DENIED",
+            "enforcement_type": "Mechanical Block",
+            "audit_trail": True,
+            "auto_remediation": "Queued for security review",
+            "value_prop": "Prevents catastrophic error with mechanical enforcement"
+        },
+        "visualization": {
+            "risk_score": 0.95,
+            "confidence": 0.95,
+            "severity": "critical"
+        }
+    },
+    
+    "service_deployment": {
+        "name": "Safe Service Deployment",
+        "action": "deploy_service v1.2.3 to staging with 25% canary",
+        "description": "Standard deployment with canary testing",
+        "context": {
+            "environment": "staging",
+            "service": "api-gateway",
+            "version": "v1.2.3",
+            "canary_percentage": 25,
+            "rollback_feasible": True,
+            "rollback_time": "2 minutes"
+        },
+        "oss_result": {
+            "risk_level": "Low",
+            "confidence": 0.88,
+            "recommendation": "✅ Looks safe - Can execute with monitoring",
+            "policy_violations": 0,
+            "can_execute": True,
+            "execution_status": "APPROVED (Advisory)",
+            "reason": "Meets all safety criteria and has rollback plan"
+        },
+        "enterprise_result": {
+            "license_tier": "professional",
+            "gates": [
+                {"name": "license_validation", "required": True, "passed": True, "message": "Professional license valid"},
+                {"name": "confidence_threshold", "required": True, "passed": True, "message": "Confidence 0.88 ≥ 0.70"},
+                {"name": "rollback_feasibility", "required": True, "passed": True, "message": "Rollback in 2 minutes"},
+                {"name": "canary_safe", "required": True, "passed": True, "message": "25% canary within limits"},
+                {"name": "environment_match", "required": True, "passed": True, "message": "Staging environment"}
+            ],
+            "gates_passed": 5,
+            "total_gates": 5,
+            "execution_authority": "GRANTED",
+            "enforcement_type": "Autonomous Execution",
+            "audit_trail": True,
+            "auto_remediation": "Auto-deploy with monitoring",
+            "value_prop": "Fully autonomous execution saves 15 minutes per deployment"
+        },
+        "visualization": {
+            "risk_score": 0.12,
+            "confidence": 0.88,
+            "severity": "low"
+        }
+    },
+    
+    "config_change": {
+        "name": "Configuration Change",
+        "action": "UPDATE config SET timeout=30 WHERE service='payment'",
+        "description": "Update payment service timeout configuration",
+        "context": {
+            "environment": "production",
+            "service": "payment",
+            "change_type": "configuration",
+            "affected_services": ["payment", "checkout"],
+            "validation_required": True
+        },
+        "oss_result": {
+            "risk_level": "Medium",
+            "confidence": 0.75,
+            "recommendation": "⚠️ Review recommended - Medium risk to payment services",
+            "policy_violations": 1,
+            "can_execute": False,
+            "execution_status": "REVIEW REQUIRED",
+            "reason": "Production payment service changes require additional review"
+        },
+        "enterprise_result": {
+            "license_tier": "starter",
+            "gates": [
+                {"name": "license_validation", "required": True, "passed": True, "message": "Starter license valid"},
+                {"name": "risk_assessment", "required": True, "passed": True, "message": "Risk score 0.25 ≤ 0.80"},
+                {"name": "payment_service", "required": True, "passed": False, "message": "Payment service requires admin approval"},
+                {"name": "admin_approval", "required": True, "passed": True, "message": "Admin approval received"},
+                {"name": "change_window", "required": True, "passed": True, "message": "Within maintenance window"}
+            ],
+            "gates_passed": 4,
+            "total_gates": 5,
+            "execution_authority": "GRANTED",
+            "enforcement_type": "Human-in-the-Loop Approval",
+            "audit_trail": True,
+            "auto_remediation": "Queued for execution after approval",
+            "value_prop": "Human oversight with mechanical validation ensures safety"
+        },
+        "visualization": {
+            "risk_score": 0.25,
+            "confidence": 0.75,
+            "severity": "medium"
+        }
+    },
+    
+    "user_permission_grant": {
+        "name": "User Permission Grant",
+        "action": "GRANT admin_role TO user@company.com",
+        "description": "Grant administrative privileges to user",
+        "context": {
+            "environment": "production",
+            "role": "admin_role",
+            "user": "user@company.com",
+            "justification": "New team member",
+            "approver": "cto@company.com"
+        },
+        "oss_result": {
+            "risk_level": "High",
+            "confidence": 0.82,
+            "recommendation": "❌ High risk - Administrative grants require multi-factor approval",
+            "policy_violations": 2,
+            "can_execute": False,
+            "execution_status": "BLOCKED (Advisory)",
+            "reason": "Admin role grants require additional security review"
+        },
+        "enterprise_result": {
+            "license_tier": "enterprise",
+            "gates": [
+                {"name": "license_validation", "required": True, "passed": True, "message": "Enterprise license valid"},
+                {"name": "security_review", "required": True, "passed": True, "message": "Security team review completed"},
+                {"name": "multi_factor_auth", "required": True, "passed": True, "message": "MFA verification passed"},
+                {"name": "compliance_check", "required": True, "passed": True, "message": "SOX compliance validated"},
+                {"name": "approval_chain", "required": True, "passed": True, "message": "CTO and Security Lead approved"}
+            ],
+            "gates_passed": 5,
+            "total_gates": 5,
+            "execution_authority": "GRANTED",
+            "enforcement_type": "Compliance-Enforced Execution",
+            "audit_trail": True,
+            "auto_remediation": "Auto-provision with compliance logging",
+            "value_prop": "Automates complex compliance requirements with full audit trail"
+        },
+        "visualization": {
+            "risk_score": 0.68,
+            "confidence": 0.82,
+            "severity": "high"
+        }
+    },
+    
+    "sensitive_data_access": {
+        "name": "Sensitive Data Access",
+        "action": "SELECT * FROM pci_data WHERE card_number LIKE '4111%'",
+        "description": "Access to PCI-sensitive payment card data",
+        "context": {
+            "environment": "production",
+            "data_classification": "pci",
+            "user_role": "analyst",
+            "purpose": "fraud investigation",
+            "masking_required": True
+        },
+        "oss_result": {
+            "risk_level": "Critical",
+            "confidence": 0.99,
+            "recommendation": "🚨 CRITICAL RISK - PCI data access requires special authorization",
+            "policy_violations": 3,
+            "can_execute": False,
+            "execution_status": "BLOCKED (Advisory)",
+            "reason": "PCI data access requires Data Protection Officer approval"
+        },
+        "enterprise_result": {
+            "license_tier": "enterprise",
+            "gates": [
+                {"name": "license_validation", "required": True, "passed": True, "message": "Enterprise license valid"},
+                {"name": "pci_compliance", "required": True, "passed": True, "message": "PCI DSS 4.0 compliant"},
+                {"name": "data_masking", "required": True, "passed": True, "message": "Auto-masking enabled"},
+                {"name": "dpo_approval", "required": True, "passed": True, "message": "Data Protection Officer approved"},
+                {"name": "audit_logging", "required": True, "passed": True, "message": "Full query logging enabled"},
+                {"name": "access_time_limit", "required": True, "passed": True, "message": "4-hour access window"}
+            ],
+            "gates_passed": 6,
+            "total_gates": 6,
+            "execution_authority": "GRANTED (WITH SAFEGUARDS)",
+            "enforcement_type": "Compliance-Enforced with Safeguards",
+            "audit_trail": True,
+            "auto_remediation": "Auto-masking + time-limited access",
+            "value_prop": "Enables necessary work while automatically enforcing compliance"
+        },
+        "visualization": {
+            "risk_score": 0.99,
+            "confidence": 0.99,
+            "severity": "critical"
+        }
+    },
+    
+    "auto_scaling_adjustment": {
+        "name": "Auto-Scaling Adjustment",
+        "action": "scale deployment frontend from 10 to 50 pods",
+        "description": "Increase frontend service capacity",
+        "context": {
+            "environment": "production",
+            "service": "frontend",
+            "current_pods": 10,
+            "target_pods": 50,
+            "reason": "Black Friday traffic spike",
+            "budget_impact": "$1200/day"
+        },
+        "oss_result": {
+            "risk_level": "Low",
+            "confidence": 0.92,
+            "recommendation": "✅ Safe - Standard scaling operation",
+            "policy_violations": 0,
+            "can_execute": True,
+            "execution_status": "APPROVED (Advisory)",
+            "reason": "Within normal operational parameters"
+        },
+        "enterprise_result": {
+            "license_tier": "professional",
+            "gates": [
+                {"name": "license_validation", "required": True, "passed": True, "message": "Professional license valid"},
+                {"name": "budget_check", "required": True, "passed": True, "message": "Within monthly budget"},
+                {"name": "capacity_planning", "required": True, "passed": True, "message": "Matches capacity plan"},
+                {"name": "auto_scale", "required": True, "passed": True, "message": "Auto-scaling group configured"},
+                {"name": "monitoring", "required": True, "passed": True, "message": "CloudWatch alarms active"}
+            ],
+            "gates_passed": 5,
+            "total_gates": 5,
+            "execution_authority": "GRANTED",
+            "enforcement_type": "Autonomous Execution",
+            "audit_trail": True,
+            "auto_remediation": "Auto-scale with cost optimization",
+            "value_prop": "Fully autonomous scaling with cost controls"
+        },
+        "visualization": {
+            "risk_score": 0.08,
+            "confidence": 0.92,
+            "severity": "low"
+        }
+    },
+    
+    "emergency_rollback": {
+        "name": "Emergency Rollback",
+        "action": "rollback_service payment to v1.1.0 immediately",
+        "description": "Emergency rollback due to critical bug",
+        "context": {
+            "environment": "production",
+            "service": "payment",
+            "from_version": "v1.2.0",
+            "to_version": "v1.1.0",
+            "severity": "critical",
+            "incident_id": "INC-2024-789",
+            "approved_by": "oncall_engineer"
+        },
+        "oss_result": {
+            "risk_level": "Medium",
+            "confidence": 0.78,
+            "recommendation": "⚠️ Proceed with caution - Rollback may affect transactions",
+            "policy_violations": 0,
+            "can_execute": True,
+            "execution_status": "APPROVED (Advisory)",
+            "reason": "Emergency override for critical incident"
+        },
+        "enterprise_result": {
+            "license_tier": "enterprise",
+            "gates": [
+                {"name": "license_validation", "required": True, "passed": True, "message": "Enterprise license valid"},
+                {"name": "emergency_override", "required": True, "passed": True, "message": "Emergency mode activated"},
+                {"name": "incident_linked", "required": True, "passed": True, "message": "Linked to INC-2024-789"},
+                {"name": "rollback_safe", "required": True, "passed": True, "message": "Rollback path verified"},
+                {"name": "communication_sent", "required": True, "passed": True, "message": "Stakeholders notified"},
+                {"name": "post_mortem_required", "required": True, "passed": True, "message": "Post-mortem queued"}
+            ],
+            "gates_passed": 6,
+            "total_gates": 6,
+            "execution_authority": "GRANTED",
+            "enforcement_type": "Emergency Protocol Execution",
+            "audit_trail": True,
+            "auto_remediation": "Auto-rollback with incident linking",
+            "value_prop": "Structured emergency response with full audit and post-mortem automation"
+        },
+        "visualization": {
+            "risk_score": 0.22,
+            "confidence": 0.78,
+            "severity": "medium"
+        }
+    }
+}
+
+# Gate definitions for visualization
+GATE_DEFINITIONS = {
+    "license_validation": {
+        "description": "Validate enterprise license is active and appropriate tier",
+        "weight": 0.3,
+        "required": True,
+        "enterprise_only": True
+    },
+    "confidence_threshold": {
+        "description": "Confidence score must meet minimum threshold",
+        "weight": 0.25,
+        "required": True,
+        "threshold": 0.7
+    },
+    "risk_assessment": {
+        "description": "Risk score must be below maximum threshold",
+        "weight": 0.25,
+        "required": True,
+        "threshold": 0.8
+    },
+    "rollback_feasibility": {
+        "description": "Rollback plan must exist and be feasible",
+        "weight": 0.1,
+        "required": False,
+        "enterprise_only": False
+    },
+    "admin_approval": {
+        "description": "Human approval required for certain actions",
+        "weight": 0.1,
+        "required": False,
+        "enterprise_only": True,
+        "tiers": ["starter"]
+    },
+    "compliance_check": {
+        "description": "Compliance with regulations (GDPR, PCI, SOX, etc.)",
+        "weight": 0.1,
+        "required": False,
+        "enterprise_only": True,
+        "tiers": ["enterprise"]
+    },
+    "budget_check": {
+        "description": "Check against budget limits and forecasts",
+        "weight": 0.05,
+        "required": False,
+        "enterprise_only": True
+    }
+}
+
+# License tier comparisons
+LICENSE_TIERS = {
+    "trial": {
+        "name": "Trial",
+        "price": 0,
+        "enforcement": "advisory",
+        "max_agents": 3,
+        "gates_available": ["confidence_threshold", "risk_assessment"],
+        "limitations": ["No mechanical enforcement", "14-day limit", "Community support"],
+        "best_for": "Evaluation and testing"
+    },
+    "starter": {
+        "name": "Starter",
+        "price": 2000,
+        "enforcement": "human_approval",
+        "max_agents": 10,
+        "gates_available": ["license_validation", "confidence_threshold", "risk_assessment", "admin_approval"],
+        "features": ["Human-in-the-loop gates", "Basic audit trail", "Email support"],
+        "best_for": "Small teams with human oversight"
+    },
+    "professional": {
+        "name": "Professional",
+        "price": 5000,
+        "enforcement": "autonomous",
+        "max_agents": 50,
+        "gates_available": ["license_validation", "confidence_threshold", "risk_assessment", "rollback_feasibility", "budget_check"],
+        "features": ["Autonomous execution", "Advanced audit", "Priority support", "SLA 99.5%"],
+        "best_for": "Mid-size companies wanting automation"
+    },
+    "enterprise": {
+        "name": "Enterprise",
+        "price": 15000,
+        "enforcement": "full_mechanical",
+        "max_agents": 1000,
+        "gates_available": ["license_validation", "confidence_threshold", "risk_assessment", "rollback_feasibility", "compliance_check", "budget_check", "custom_gates"],
+        "features": ["Full mechanical enforcement", "Compliance automation", "Custom gates", "24/7 support", "SLA 99.9%", "Differential privacy audit"],
+        "best_for": "Large enterprises with compliance needs"
+    }
+}
+
+# Value proposition data
+VALUE_PROPOSITIONS = {
+    "risk_reduction": {
+        "oss": "Manual risk assessment",
+        "starter": "Human-validated decisions",
+        "professional": "Automated risk gates",
+        "enterprise": "Mechanical enforcement",
+        "improvement": "92% reduction in operational risk"
+    },
+    "decision_speed": {
+        "oss": "Minutes to hours",
+        "starter": "Minutes with human",
+        "professional": "Seconds (autonomous)",
+        "enterprise": "Milliseconds (mechanical)",
+        "improvement": "100x faster decisions"
+    },
+    "false_positives": {
+        "oss": "High (conservative)",
+        "starter": "Medium (human calibrated)",
+        "professional": "Low (ML-optimized)",
+        "enterprise": "Minimal (continuously tuned)",
+        "improvement": "85% reduction in false positives"
+    },
+    "operational_cost": {
+        "oss": "High (manual review)",
+        "starter": "Medium (partial automation)",
+        "professional": "Low (mostly automated)",
+        "enterprise": "Minimal (fully automated)",
+        "improvement": "75% reduction in OpEx"
+    }
+}
+
+def get_scenario_by_name(name: str) -> Dict:
+    """Get scenario by name"""
+    return DEMO_SCENARIOS.get(name, {})
+
+def get_all_scenario_names() -> List[str]:
+    """Get all scenario names"""
+    return list(DEMO_SCENARIOS.keys())
+
+def get_scenario_summary() -> List[Dict]:
+    """Get summary of all scenarios"""
+    summary = []
+    for key, scenario in DEMO_SCENARIOS.items():
+        summary.append({
+            "id": key,
+            "name": scenario["name"],
+            "action": scenario["action"],
+            "risk_level": scenario["oss_result"]["risk_level"],
+            "oss_can_execute": scenario["oss_result"]["can_execute"],
+            "enterprise_gates_passed": scenario["enterprise_result"]["gates_passed"],
+            "enterprise_total_gates": scenario["enterprise_result"]["total_gates"]
+        })
+    return summary
+
+def generate_upgrade_path(current_tier: str, target_tier: str) -> Dict:
+    """Generate upgrade path between tiers"""
+    current = LICENSE_TIERS.get(current_tier, LICENSE_TIERS["trial"])
+    target = LICENSE_TIERS.get(target_tier, LICENSE_TIERS["enterprise"])
+    
+    new_gates = [gate for gate in target["gates_available"] if gate not in current["gates_available"]]
+    new_features = [feat for feat in target.get("features", []) if feat not in current.get("features", [])]
+    
+    return {
+        "from": current["name"],
+        "to": target["name"],
+        "price_increase": target["price"] - current["price"],
+        "new_gates": new_gates,
+        "new_features": new_features,
+        "enforcement_improvement": f"{current['enforcement']} → {target['enforcement']}",
+        "agent_limit_increase": target["max_agents"] - current["max_agents"],
+        "roi_calculation": _calculate_roi(current["price"], target["price"])
+    }
+
+def _calculate_roi(current_price: int, target_price: int) -> Dict:
+    """Calculate ROI for upgrade"""
+    price_diff = target_price - current_price
+    
+    # Simplified ROI calculation
+    time_savings = 15 * 20 * 12  # 15 min saved per decision, 20 decisions/day, 12 months
+    risk_reduction = 0.92 * 100000  # 92% reduction in $100k average incident cost
+    false_positive_savings = 0.85 * 50 * 200  # 85% reduction in 50 false positives/month at $200 each
+    
+    total_savings = time_savings + risk_reduction + false_positive_savings
+    roi_months = (price_diff * 12) / total_savings if total_savings > 0 else 0
+    
+    return {
+        "annual_price_difference": price_diff * 12,
+        "estimated_annual_savings": total_savings,
+        "roi_months": max(1, roi_months),
+        "breakeven": roi_months <= 12
+    }