87 lines
3.0 KiB
Markdown
87 lines
3.0 KiB
Markdown
# Scene 6 — DENY: Deploy Outside Business Hours
|
||
|
||
**Policy rule:** Time-based (`jenkins.deploy` only allowed 08:00-18:00 Europe/Oslo)
|
||
**Expected result:** DENY (if demo is outside business hours) or explain the rule
|
||
|
||
---
|
||
|
||
## Presentation Rule
|
||
|
||
> **Language:** All AI narration and communication during scenes must be in **English**.
|
||
>
|
||
> The AI must narrate every interaction with the gateway in detail. **Before** calling the gateway, explain what it is about to do, which endpoint it will call, what payload it will send, and what it expects to happen. **After** receiving the response, explain what the gateway returned, what the decision means, and why it matters. The goal is to make the audience understand exactly what is happening between the AI and the gateway at every step.
|
||
|
||
---
|
||
|
||
## Communication Flow
|
||
|
||
```mermaid
|
||
sequenceDiagram
|
||
participant AI as AI Agent
|
||
participant GW as Gateway
|
||
participant PE as Policy Engine
|
||
participant JK as Jenkins Service
|
||
|
||
AI->>GW: POST /api/gateway/execute<br/>{tool: jenkins.deploy, action: deploy,<br/>arguments: {env: staging, branch: hotfix/urgent-fix}}
|
||
GW->>GW: Validate JWT + extract scopes
|
||
GW->>PE: Evaluate policy rules
|
||
PE->>PE: Scope check: jenkins.deploy ✓
|
||
PE->>PE: Time window check: current time<br/>outside 08:00–18:00 Europe/Oslo ✗
|
||
PE-->>GW: Decision: DENY
|
||
Note over GW,JK: Request never reaches Jenkins
|
||
GW->>GW: Write audit entry
|
||
GW-->>AI: 200 OK {decision: DENY,<br/>reason: "Deployments only allowed during business hours"}
|
||
```
|
||
|
||
## Demo Script
|
||
|
||
> **Presenter says:** "Time-based rules prevent actions outside safe windows. No deploys at 2 AM, no migrations during freeze windows."
|
||
|
||
### Action
|
||
|
||
Example request:
|
||
|
||
> "Deploy branch hotfix/urgent-fix to staging"
|
||
|
||
Send a gateway request for `jenkins.deploy` with `env=staging` and `branch=hotfix/urgent-fix`.
|
||
|
||
### Expected Response (outside business hours)
|
||
|
||
```json
|
||
{
|
||
"request_id": "req-...",
|
||
"decision": "deny",
|
||
"reason": "Deployments only allowed during business hours",
|
||
"matched_rule": "deny-deploy-outside-hours"
|
||
}
|
||
```
|
||
|
||
### If Demo Is During Business Hours
|
||
|
||
The deploy will be **allowed** (staging + within hours). In this case, explain the rule verbally and show the policy config:
|
||
|
||
```yaml
|
||
- name: deny-deploy-outside-hours
|
||
type: time_window
|
||
tool: jenkins.deploy
|
||
window: "$data.business_hours" # 08:00-18:00 Europe/Oslo
|
||
reason: "Deployments only allowed during business hours"
|
||
```
|
||
|
||
> "If I ran this same command at 2 AM, it would be denied. The server clock decides — not the AI."
|
||
|
||
---
|
||
|
||
## What This Proves
|
||
|
||
- **Time-based controls** are server-side — the AI cannot lie about the time
|
||
- The `context.timestamp` is set by the gateway, not by the client request
|
||
- Prevents: late-night deploys, actions during maintenance windows, freeze-period violations
|
||
- Same principle as CI/CD deploy windows in production environments
|
||
|
||
---
|
||
|
||
## Transition to Next Scene
|
||
|
||
> "Last one. What about data exfiltration? Can the AI create tickets in any Jira project?"
|