Add enterprise identity provisioning drift

[SIRXIII]

/claim #19

Summary

• add a self-contained enterprise-identity-provisioning-drift module for Enterprise Tooling
• detect SCIM/SAML/HRIS/ORCID personnel sync drift, including terminated HRIS users with active SCIBASE access, missing SSO/provisioning records, stale ORCID evidence, MFA gaps, and department mapping drift
• generate project-level revoke/recertify actions, access-review queues, signed webhook event envelopes, and deterministic audit digests for research-office governance
• include synthetic sample data, tests, requirement mapping, an SVG preview, and a short H.264 MP4 demo artifact

Why this slice is distinct

This focuses on institutional identity provisioning drift before stale people data affects enterprise dashboards, exports, compliance packets, or webhook replay systems. It avoids duplicating existing #19 submissions around broad admin dashboards, export pipelines, compliance evidence packets, trust centers, audit signal routers, or webhook replay ledgers.

Demo

• enterprise-identity-provisioning-drift/docs/demo.mp4
• enterprise-identity-provisioning-drift/docs/demo.svg
• cd enterprise-identity-provisioning-drift && npm run demo

Verification

cd enterprise-identity-provisioning-drift
npm run check
npm test
npm run demo
ffprobe -v error -select_streams v:0 -show_entries stream=codec_name,width,height,duration -of default=noprint_wrappers=1 docs/demo.mp4
cd ..
git diff --check
rg -n "api[_-]?key|private[_-]?key|password|secret|token|wallet|ssn" enterprise-identity-provisioning-drift

Local results:

enterprise-identity-provisioning-drift tests passed
Status: block_access_until_remediated
Findings: 11
Critical: 1
Project actions: 4
codec_name=h264
width=1280
height=1280
duration=6.000000
git diff --check passed
secret pattern scan returned no matches

AI-assisted with OpenAI Codex; I reviewed and locally verified the implementation before submission.