The jso-protector/governance module gives release tooling a shared authorization, identity-configuration, provisioning, and audit contract. The account dashboard now adds durable organization, SCIM-token, directory-user, and audit storage plus a bearer-authenticated /v1/scim/Users.ashx endpoint. Apply App_Data/CreateEnterpriseGovernanceTables.sql before enabling it.
Role-based release policy
Built-in roles are owner, admin, developer, reviewer, and viewer. Permissions distinguish protection runs, project changes, evidence export, member/token administration, billing, and audit review.
const governance = require("jso-protector/governance");
const policy = governance.createGovernancePolicy({
members: [
{ id: "release-bot", role: "developer" },
{ id: "security-review", role: "reviewer" }
]
});
if (!policy.authorize("release-bot", "protect").allowed) {
throw new Error("release actor is not allowed to protect this build");
}
Scoped automation tokens
Token descriptors validate known scopes, expiration, and revocation metadata without storing or printing the secret. Supported scopes cover protection, evidence read/export, project changes, and audit read access. The hosted service must still authenticate the token and enforce the result server-side.
Tamper-evident audit trail
Each local audit event includes its sequence and the SHA-256 hash of the previous event. verify() detects changed, removed, or reordered evidence before a release packet is handed to a reviewer. Store the resulting events in your governed log destination; this local chain is not a substitute for hosted immutable retention.
Enterprise identity and SCIM lifecycle
validateEnterpriseIdentityConfig() validates HTTPS OIDC issuer/client configuration or SAML SSO/entity/signing-certificate configuration, verified domains, enforcement mode, and default role. After the deployment adapter verifies the assertion signature, authenticateEnterprisePrincipal() enforces issuer, audience, expiry, nonce, verified email, and organization domain before mapping a role. The hosted /v1/scim/Users.ashx route supplies bearer-authenticated SCIM create, read, filter, replace/patch, and deactivate behavior with organization isolation; tokens are displayed once and stored only as SHA-256 hashes.
const directory = governance.createOrganizationDirectory({
organizationId: "customer-42"
});
const scim = governance.createScimService({
directory,
bearerToken: process.env.JSO_SCIM_TOKEN
});
// Mount through the HTTPS adapter used by your deployment:
const result = scim.handle({ method, url, headers, body });
Hosted enterprise boundary
Organization and SCIM directory persistence are implemented in the hosted product and administered at /dashboard/enterprise-governance.aspx. Production rollout still requires the database migration, backup/retention policy, IdP metadata exchange, and an OIDC/SAML callback that verifies provider signatures before creating a session. The presence of these controls is not a SOC 2 certification; certification requires an independent audit of operating controls.