1
0
simple-ai-gateway-tool/scenes/06-deny-time-window.md
Nilton Constantino d48172539a
first commit
2026-04-22 14:55:58 +01:00

87 lines
3.0 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Scene 6 — DENY: Deploy Outside Business Hours
**Policy rule:** Time-based (`jenkins.deploy` only allowed 08:00-18:00 Europe/Oslo)
**Expected result:** DENY (if demo is outside business hours) or explain the rule
---
## Presentation Rule
> **Language:** All AI narration and communication during scenes must be in **English**.
>
> The AI must narrate every interaction with the gateway in detail. **Before** calling the gateway, explain what it is about to do, which endpoint it will call, what payload it will send, and what it expects to happen. **After** receiving the response, explain what the gateway returned, what the decision means, and why it matters. The goal is to make the audience understand exactly what is happening between the AI and the gateway at every step.
---
## Communication Flow
```mermaid
sequenceDiagram
participant AI as AI Agent
participant GW as Gateway
participant PE as Policy Engine
participant JK as Jenkins Service
AI->>GW: POST /api/gateway/execute<br/>{tool: jenkins.deploy, action: deploy,<br/>arguments: {env: staging, branch: hotfix/urgent-fix}}
GW->>GW: Validate JWT + extract scopes
GW->>PE: Evaluate policy rules
PE->>PE: Scope check: jenkins.deploy ✓
PE->>PE: Time window check: current time<br/>outside 08:0018:00 Europe/Oslo ✗
PE-->>GW: Decision: DENY
Note over GW,JK: Request never reaches Jenkins
GW->>GW: Write audit entry
GW-->>AI: 200 OK {decision: DENY,<br/>reason: "Deployments only allowed during business hours"}
```
## Demo Script
> **Presenter says:** "Time-based rules prevent actions outside safe windows. No deploys at 2 AM, no migrations during freeze windows."
### Action
Example request:
> "Deploy branch hotfix/urgent-fix to staging"
Send a gateway request for `jenkins.deploy` with `env=staging` and `branch=hotfix/urgent-fix`.
### Expected Response (outside business hours)
```json
{
"request_id": "req-...",
"decision": "deny",
"reason": "Deployments only allowed during business hours",
"matched_rule": "deny-deploy-outside-hours"
}
```
### If Demo Is During Business Hours
The deploy will be **allowed** (staging + within hours). In this case, explain the rule verbally and show the policy config:
```yaml
- name: deny-deploy-outside-hours
type: time_window
tool: jenkins.deploy
window: "$data.business_hours" # 08:00-18:00 Europe/Oslo
reason: "Deployments only allowed during business hours"
```
> "If I ran this same command at 2 AM, it would be denied. The server clock decides — not the AI."
---
## What This Proves
- **Time-based controls** are server-side — the AI cannot lie about the time
- The `context.timestamp` is set by the gateway, not by the client request
- Prevents: late-night deploys, actions during maintenance windows, freeze-period violations
- Same principle as CI/CD deploy windows in production environments
---
## Transition to Next Scene
> "Last one. What about data exfiltration? Can the AI create tickets in any Jira project?"