Add execution environment drift governance

execution-environment-drift-governance/README.md

@@ -0,0 +1,66 @@
+# Execution Environment Drift Governance
+
+This module is a focused slice for SCIBASE.AI issue #14, **Scientific/Engineering Data & Code Hosting**. It covers the reproducible execution side of data/code hosting: environment fingerprints, dependency drift, artifact-to-runtime readiness, scheduled rerun decisions, retention/export evidence, and reviewer-ready requirement mapping.
+
+It is intentionally dependency-free and credential-free. The sample data is synthetic.
+
+## What It Adds
+
+- Deterministic artifact capsules for datasets, notebooks, JSON supplements, scripts, and media.
+- Metadata-aware preview decisions for notebook, tabular, JSON, image, code, and generic artifacts.
+- FAIR scoring plus JSON-LD and DataCite payload generation for DOI/export readiness.
+- Container/runtime fingerprinting with pinned image checks, dependency version drift, GPU capability changes, and network policy drift.
+- Compute trigger planning for scheduled reruns and "reproduce results" workflows.
+- Retention/export evidence for regulated artifacts, embargoes, DOI readiness, and audit digests.
+- Requirement mapping back to issue #14 for storage, metadata, executable environments, compute triggers, and export governance.
+
+## Demo
+
+```bash
+npm run demo
+```
+
+The demo writes:
+
+```text
+demo/execution-drift-governance-packet.json
+```
+
+That packet includes artifact digests, environment drift decisions, rerun actions, retention/export evidence, and the requirement map.
+
+A short visual demo is included at:
+
+```text
+demo/execution-drift-governance-demo.mp4
+```
+
+## Tests
+
+```bash
+npm test
+```
+
+The tests cover:
+
+- Stable hashing regardless of object key order.
+- Artifact type detection.
+- Environment fingerprint determinism.
+- Blocking unpinned container images and `latest` dependencies.
+- Restricted human-subject artifact gating.
+- Safe scheduled rerun decisions.
+- Retention/export evidence and requirement mapping.
+
+## Requirement Map
+
+| Issue #14 requirement | Evidence in this module |
+| --- | --- |
+| Scalable storage engine for datasets/code/supplementary files | Artifact capsules include type detection, content digests, preview policy, version metadata, and path organization. |
+| Metadata-aware previews and versioning/diffing | Preview policy and stable artifact digests enable deterministic review and version comparison. |
+| JSON-LD, DataCite, schema.org, FAIR compliance | Each artifact evaluation emits JSON-LD/DataCite payloads and FAIR score checks with DOI thresholds. |
+| Executable environments | Runtime capsules are normalized and fingerprinted; drift checks cover base image, package versions, GPU, and network policy. |
+| Sandboxed execution and compute triggers | Rerun plans decide `RUN_NOW`, `SCHEDULED`, `REVIEW_REQUIRED`, or `BLOCKED` using artifacts, environments, cadence, and compute budgets. |
+| Export/retention governance | Retention evidence covers regulated data, embargoes, DOI readiness, and immutable evidence digests. |
+
+## Design Notes
+
+The module does not run untrusted code. It produces governance decisions that an execution service can consume before enabling notebook/script reruns. That keeps the slice safe and reviewable while still addressing the executable-environment requirements in the bounty.

execution-environment-drift-governance/demo.js

@@ -0,0 +1,21 @@
+const { writeFileSync, mkdirSync } = require("fs");
+const path = require("path");
+const { buildGovernancePacket } = require("./src");
+const { sampleProject } = require("./src/sample-data");
+
+const packet = buildGovernancePacket(sampleProject);
+const outDir = path.join(__dirname, "demo");
+const outFile = path.join(outDir, "execution-drift-governance-packet.json");
+
+mkdirSync(outDir, { recursive: true });
+writeFileSync(outFile, `${JSON.stringify(packet, null, 2)}\n`);
+
+console.log("Execution Environment Drift Governance Demo");
+console.log(`Project: ${packet.projectId}`);
+console.log(`Artifacts: ${packet.summary.artifacts}`);
+console.log(`Ready artifacts: ${packet.summary.readyArtifacts}`);
+console.log(`Blocked artifacts: ${packet.summary.blockedArtifacts}`);
+console.log(`Runnable now: ${packet.summary.runnableNow}`);
+console.log(`Review-required reruns: ${packet.summary.reviewReruns}`);
+console.log(`Blocked reruns: ${packet.summary.blockedReruns}`);
+console.log(`Packet: ${outFile}`);

execution-environment-drift-governance/demo/demo-card.html

@@ -0,0 +1,51 @@
+<!doctype html>
+<html>
+  <head>
+    <meta charset="utf-8" />
+    <title>Execution Drift Governance Demo</title>
+    <style>
+      body {
+        margin: 0;
+        width: 1280px;
+        height: 720px;
+        background: #0f172a;
+        color: #f8fafc;
+        font-family: Arial, sans-serif;
+      }
+      main {
+        padding: 64px;
+      }
+      h1 {
+        font-size: 48px;
+        margin: 0 0 34px;
+      }
+      p {
+        font-size: 30px;
+        line-height: 1.45;
+        margin: 16px 0;
+      }
+      .blue {
+        color: #93c5fd;
+      }
+      .yellow {
+        color: #facc15;
+      }
+      .green {
+        color: #bbf7d0;
+      }
+      .pink {
+        color: #fda4af;
+      }
+    </style>
+  </head>
+  <body>
+    <main>
+      <h1>SCIBASE.AI execution drift governance</h1>
+      <p class="blue">Artifacts: 3, ready: 2, blocked: 1</p>
+      <p>Environment checks: pinned images, dependency drift, GPU, network policy</p>
+      <p class="yellow">Rerun plans: 1 RUN_NOW, 1 BLOCKED with audit reasons</p>
+      <p class="green">Output: demo/execution-drift-governance-packet.json</p>
+      <p class="pink">No credentials, no external services, synthetic data only</p>
+    </main>
+  </body>
+</html>

execution-environment-drift-governance/demo/demo-text.txt

@@ -0,0 +1,7 @@
+SCIBASE.AI execution drift governance
+
+Artifacts: 3, ready: 2, blocked: 1
+Environment checks: pinned images, dependency drift, GPU, network policy
+Rerun plans: 1 RUN_NOW, 1 BLOCKED with audit reasons
+Output: demo/execution-drift-governance-packet.json
+No credentials, no external services, synthetic data only