# Scene 6 — DENY: Deploy Outside Business Hours **Policy rule:** Time-based (`jenkins.deploy` only allowed 08:00-18:00 Europe/Oslo) **Expected result:** DENY (if demo is outside business hours) or explain the rule --- ## Presentation Rule > **Language:** All AI narration and communication during scenes must be in **English**. > > The AI must narrate every interaction with the gateway in detail. **Before** calling the gateway, explain what it is about to do, which endpoint it will call, what payload it will send, and what it expects to happen. **After** receiving the response, explain what the gateway returned, what the decision means, and why it matters. The goal is to make the audience understand exactly what is happening between the AI and the gateway at every step. --- ## Communication Flow ```mermaid sequenceDiagram participant AI as AI Agent participant GW as Gateway participant PE as Policy Engine participant JK as Jenkins Service AI->>GW: POST /api/gateway/execute
{tool: jenkins.deploy, action: deploy,
arguments: {env: staging, branch: hotfix/urgent-fix}} GW->>GW: Validate JWT + extract scopes GW->>PE: Evaluate policy rules PE->>PE: Scope check: jenkins.deploy ✓ PE->>PE: Time window check: current time
outside 08:00–18:00 Europe/Oslo ✗ PE-->>GW: Decision: DENY Note over GW,JK: Request never reaches Jenkins GW->>GW: Write audit entry GW-->>AI: 200 OK {decision: DENY,
reason: "Deployments only allowed during business hours"} ``` ## Demo Script > **Presenter says:** "Time-based rules prevent actions outside safe windows. No deploys at 2 AM, no migrations during freeze windows." ### Action Example request: > "Deploy branch hotfix/urgent-fix to staging" Send a gateway request for `jenkins.deploy` with `env=staging` and `branch=hotfix/urgent-fix`. ### Expected Response (outside business hours) ```json { "request_id": "req-...", "decision": "deny", "reason": "Deployments only allowed during business hours", "matched_rule": "deny-deploy-outside-hours" } ``` ### If Demo Is During Business Hours The deploy will be **allowed** (staging + within hours). In this case, explain the rule verbally and show the policy config: ```yaml - name: deny-deploy-outside-hours type: time_window tool: jenkins.deploy window: "$data.business_hours" # 08:00-18:00 Europe/Oslo reason: "Deployments only allowed during business hours" ``` > "If I ran this same command at 2 AM, it would be denied. The server clock decides — not the AI." --- ## What This Proves - **Time-based controls** are server-side — the AI cannot lie about the time - The `context.timestamp` is set by the gateway, not by the client request - Prevents: late-night deploys, actions during maintenance windows, freeze-period violations - Same principle as CI/CD deploy windows in production environments --- ## Transition to Next Scene > "Last one. What about data exfiltration? Can the AI create tickets in any Jira project?"