feat(zerotier): add ZeroTier network governance module

Add comprehensive ZeroTier integration for managing network access: - Portal networks: manager-created ZeroTier network bindings - Device registration: user-owned ZeroTier node endpoints - Approval workflows: request/approve/revoke network access - Activation sessions: time-limited network authorization - Kill switch: emergency access revocation - Reconciliation job: sync portal state with ZeroTier controller Includes ZeroTier client SDK supporting both Central and self-hosted controller APIs, with full CRUD operations for networks and members.
2026-03-20 21:50:20 +10:30
parent 49e724222f
commit 1789590167
27 changed files with 4862 additions and 4 deletions
@@ -213,3 +213,81 @@ class MfaRequirementOverride(str, Enum):
    INHERIT = "inherit"
    REQUIRED = "required"
    EXEMPT = "exempt"
+
+
+# ── ZeroTier / Portal Network ────────────────────────────────────────────────
+
+
+class NetworkEnvironment(str, Enum):
+    """Environment tag for a portal network."""
+
+    PRODUCTION = "production"
+    STAGING = "staging"
+    DEVELOPMENT = "development"
+    LAB = "lab"
+
+
+class NetworkRequestMode(str, Enum):
+    """How users request access to a portal network."""
+
+    OPEN = "open"                    # anyone in the org can request
+    APPROVAL_REQUIRED = "approval_required"  # manager must approve
+    INVITE_ONLY = "invite_only"      # only managers can assign
+
+
+class ApprovalGrantType(str, Enum):
+    """How a user was granted network access."""
+
+    REQUESTED = "requested"          # user initiated
+    ASSIGNED = "assigned"            # manager initiated
+
+
+class ApprovalState(str, Enum):
+    """State of a user network approval record."""
+
+    PENDING = "pending"
+    APPROVED = "approved"
+    REJECTED = "rejected"
+    REVOKED = "revoked"
+    SUSPENDED = "suspended"
+
+
+class MembershipState(str, Enum):
+    """State of a device network membership record."""
+
+    PENDING_DEVICE_REGISTRATION = "pending_device_registration"
+    PENDING_REQUEST = "pending_request"
+    PENDING_MANAGER_APPROVAL = "pending_manager_approval"
+    APPROVED_INACTIVE = "approved_inactive"
+    JOINED_DEAUTHORIZED = "joined_deauthorized"
+    ACTIVE_AUTHORIZED = "active_authorized"
+    ACTIVATION_EXPIRED = "activation_expired"
+    SUSPENDED = "suspended"
+    REVOKED = "revoked"
+    REJECTED = "rejected"
+
+
+class ActivationEndReason(str, Enum):
+    """Why an activation session ended."""
+
+    EXPIRED = "expired"
+    LOGOUT = "logout"
+    KILL_SWITCH = "kill_switch"
+    MANUAL_REVOKE = "manual_revoke"
+    APPROVAL_REVOKED = "approval_revoked"
+    ADMIN_ACTION = "admin_action"
+
+
+class KillSwitchScope(str, Enum):
+    """Scope of a kill switch event."""
+
+    ORGANIZATION = "organization"
+    GLOBAL = "global"
+    SELECTED_NETWORKS = "selected_networks"
+
+
+class DeviceStatus(str, Enum):
+    """Status of a registered device."""
+
+    ACTIVE = "active"
+    INACTIVE = "inactive"