scene-capability-engine 3.1.0 → 3.2.0

package/CHANGELOG.md

@@ -8,6 +8,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
 
 ### Added
+- **Interactive approval role-policy step-up**: `interactive-approval-workflow` now supports optional role-based action authorization (`--role-policy`, `--actor-role`) and loop/flow/scene commands can pass role policy and actor roles (`--approval-role-policy`, `--approval-actor-role`, `--approver-actor-role`) for separation-of-duties governance.
 - **Interactive runtime policy + work-order default pipeline**: Added `interactive-runtime-policy-evaluate` and `interactive-work-order-build`, integrated both into `interactive-customization-loop` and `interactive-flow` (including `sce scene interactive-loop/interactive-flow` passthrough), with default `runtime_mode=ops-fix`, `runtime_environment=staging`, runtime non-allow fail gate option, and auditable work-order artifacts.
 - **Release weekly ops closed-loop summary**: Added `node scripts/release-ops-weekly-summary.js` (npm alias `npm run report:release-ops-weekly`) to aggregate handoff evidence, release-gate history, interactive governance, and matrix signals into one weekly risk/recommendation card (`weekly-ops-summary.json|.md`).
 - **Release workflow weekly ops asset publication**: `release.yml` now exports and publishes `weekly-ops-summary-<tag>.json|.md` alongside governance snapshot and Moqui release evidence assets.

package/docs/command-reference.md

@@ -987,7 +987,7 @@ Interactive context bridge helper (script-level provider normalization):
   - npm alias: `npm run report:interactive-context-bridge`
 
 Interactive full flow helper (script-level one-command entry):
-- `node scripts/interactive-flow.js --input <path> (--goal <text> | --goal-file <path>) [--provider <moqui|generic>] [--execution-mode <suggestion|apply>] [--runtime-mode <user-assist|ops-fix|feature-dev>] [--runtime-environment <dev|staging|prod>] [--runtime-policy <path>] [--policy <path>] [--catalog <path>] [--dialogue-policy <path>] [--context-contract <path>] [--auto-execute-low-risk] [--auth-password-hash <sha256>] [--auth-password <text>] [--feedback-score <0..5>] [--work-order-out <path>] [--work-order-markdown-out <path>] [--fail-on-runtime-non-allow] [--no-matrix] [--matrix-min-score <0..100>] [--matrix-min-valid-rate <0..100>] [--matrix-compare-with <path>] [--matrix-signals <path>] [--matrix-fail-on-portfolio-fail] [--matrix-fail-on-regression] [--json]`: run `context-bridge -> interactive-loop -> matrix-baseline-snapshot` in one command for Moqui workbench integration.
+- `node scripts/interactive-flow.js --input <path> (--goal <text> | --goal-file <path>) [--provider <moqui|generic>] [--execution-mode <suggestion|apply>] [--runtime-mode <user-assist|ops-fix|feature-dev>] [--runtime-environment <dev|staging|prod>] [--runtime-policy <path>] [--policy <path>] [--catalog <path>] [--dialogue-policy <path>] [--context-contract <path>] [--approval-role-policy <path>] [--approval-actor-role <name>] [--approver-actor-role <name>] [--auto-execute-low-risk] [--auth-password-hash <sha256>] [--auth-password <text>] [--feedback-score <0..5>] [--work-order-out <path>] [--work-order-markdown-out <path>] [--fail-on-runtime-non-allow] [--no-matrix] [--matrix-min-score <0..100>] [--matrix-min-valid-rate <0..100>] [--matrix-compare-with <path>] [--matrix-signals <path>] [--matrix-fail-on-portfolio-fail] [--matrix-fail-on-regression] [--json]`: run `context-bridge -> interactive-loop -> matrix-baseline-snapshot` in one command for Moqui workbench integration.
   - Default flow artifact root: `.kiro/reports/interactive-flow/<session-id>/`
   - Default flow summary output: `.kiro/reports/interactive-flow/<session-id>/interactive-flow.summary.json`
   - Default dialogue report output: `.kiro/reports/interactive-flow/<session-id>/interactive-dialogue-governance.json`
@@ -1027,7 +1027,7 @@ Interactive change-plan generator helper (script-level stage-B planning bridge):
   - Generated plans can be evaluated directly by `interactive-change-plan-gate`.
 
 Interactive one-click loop helper (script-level orchestration entry):
-- `node scripts/interactive-customization-loop.js --context <path> (--goal <text> | --goal-file <path>) [--execution-mode <suggestion|apply>] [--runtime-mode <user-assist|ops-fix|feature-dev>] [--runtime-environment <dev|staging|prod>] [--runtime-policy <path>] [--policy <path>] [--catalog <path>] [--dialogue-policy <path>] [--context-contract <path>] [--no-strict-contract] [--auto-approve-low-risk] [--auto-execute-low-risk] [--auth-password-hash <sha256>] [--auth-password <text>] [--feedback-score <0..5>] [--feedback-comment <text>] [--feedback-tags <csv>] [--allow-suggestion-apply] [--work-order-out <path>] [--work-order-markdown-out <path>] [--fail-on-dialogue-deny] [--fail-on-gate-non-allow] [--fail-on-runtime-non-allow] [--json]`: run dialogue->intent->plan->gate->runtime->approval pipeline in one command and optionally trigger low-risk one-click apply via Moqui adapter.
+- `node scripts/interactive-customization-loop.js --context <path> (--goal <text> | --goal-file <path>) [--execution-mode <suggestion|apply>] [--runtime-mode <user-assist|ops-fix|feature-dev>] [--runtime-environment <dev|staging|prod>] [--runtime-policy <path>] [--policy <path>] [--catalog <path>] [--dialogue-policy <path>] [--context-contract <path>] [--approval-role-policy <path>] [--approval-actor-role <name>] [--approver-actor-role <name>] [--no-strict-contract] [--auto-approve-low-risk] [--auto-execute-low-risk] [--auth-password-hash <sha256>] [--auth-password <text>] [--feedback-score <0..5>] [--feedback-comment <text>] [--feedback-tags <csv>] [--allow-suggestion-apply] [--work-order-out <path>] [--work-order-markdown-out <path>] [--fail-on-dialogue-deny] [--fail-on-gate-non-allow] [--fail-on-runtime-non-allow] [--json]`: run dialogue->intent->plan->gate->runtime->approval pipeline in one command and optionally trigger low-risk one-click apply via Moqui adapter.
   - CLI equivalent: `sce scene interactive-loop --context <path> --goal "<goal>" --context-contract docs/interactive-customization/moqui-copilot-context-contract.json --execution-mode apply --auto-execute-low-risk --auth-password "<password>" --feedback-score 5 --json`
   - Default loop artifact root: `.kiro/reports/interactive-loop/<session-id>/`
   - Default summary output: `.kiro/reports/interactive-loop/<session-id>/interactive-customization-loop.summary.json`
@@ -1054,7 +1054,7 @@ Interactive work-order helper (script-level usage/maintenance/dev closure):
     - `.kiro/reports/interactive-work-order.md`
 
 Interactive approval workflow helper (script-level stage-B approval state machine):
-- `node scripts/interactive-approval-workflow.js --action <init|submit|approve|reject|execute|verify|archive|status> [--plan <path>] [--state-file <path>] [--audit-file <path>] [--actor <id>] [--comment <text>] [--password <text>] [--password-hash <sha256>] [--password-hash-env <name>] [--password-required] [--password-scope <csv>] [--json]`: maintain approval lifecycle state for interactive change plans and append approval events to JSONL audit logs.
+- `node scripts/interactive-approval-workflow.js --action <init|submit|approve|reject|execute|verify|archive|status> [--plan <path>] [--state-file <path>] [--audit-file <path>] [--actor <id>] [--actor-role <name>] [--role-policy <path>] [--comment <text>] [--password <text>] [--password-hash <sha256>] [--password-hash-env <name>] [--password-required] [--password-scope <csv>] [--json]`: maintain approval lifecycle state for interactive change plans and append approval events to JSONL audit logs.
   - Default state file: `.kiro/reports/interactive-approval-state.json`
   - Default audit file: `.kiro/reports/interactive-approval-events.jsonl`
   - `init` requires `--plan`; high-risk plans are marked as `approval_required=true`.

package/docs/interactive-customization/README.md

@@ -11,6 +11,7 @@ This directory contains baseline contracts and safety policy artifacts for the i
 - `guardrail-policy-baseline.json`: default secure-by-default guardrail policy.
 - `dialogue-governance-policy-baseline.json`: baseline communication rules for embedded assistant dialogue.
 - `runtime-mode-policy-baseline.json`: baseline runtime mode/environment policy (`user-assist|ops-fix|feature-dev` x `dev|staging|prod`).
+- `approval-role-policy-baseline.json`: optional approval role policy baseline (`submit/approve/execute/verify/archive` role requirements).
 - `high-risk-action-catalog.json`: baseline high-risk action classification for deny/review decisions.
 - `change-plan.sample.json`: runnable sample plan for gate checks.
 - `page-context.sample.json`: runnable page context sample for read-only intent generation.
@@ -156,6 +157,9 @@ node scripts/interactive-customization-loop.js \
   --runtime-mode ops-fix \
   --runtime-environment staging \
   --runtime-policy docs/interactive-customization/runtime-mode-policy-baseline.json \
+  --approval-role-policy docs/interactive-customization/approval-role-policy-baseline.json \
+  --approval-actor-role product-owner \
+  --approver-actor-role release-operator \
   --execution-mode apply \
   --auto-execute-low-risk \
   --auth-password-hash "<sha256-of-demo-pass>" \
@@ -223,11 +227,15 @@ node scripts/interactive-approval-workflow.js \
 
 # submit -> approve -> execute -> verify
 node scripts/interactive-approval-workflow.js --action submit --actor product-owner --json
-node scripts/interactive-approval-workflow.js --action approve --actor security-admin --json
-node scripts/interactive-approval-workflow.js --action execute --actor release-operator --password "demo-pass" --json
-node scripts/interactive-approval-workflow.js --action verify --actor qa-owner --json
+node scripts/interactive-approval-workflow.js --action approve --actor security-admin --actor-role security-admin --json
+node scripts/interactive-approval-workflow.js --action execute --actor release-operator --actor-role release-operator --password "demo-pass" --json
+node scripts/interactive-approval-workflow.js --action verify --actor qa-owner --actor-role qa-owner --json
 ```
 
+When role control is required, initialize workflow with:
+- `--role-policy docs/interactive-customization/approval-role-policy-baseline.json`
+- and pass `--actor-role <role>` in each mutating action.
+
 Run the Moqui adapter interface (`capabilities/plan/validate/apply/rollback`):
 
 ```bash

package/docs/interactive-customization/approval-role-policy-baseline.json

@@ -0,0 +1,36 @@
+{
+  "version": "1.0.0",
+  "profile": "interactive-approval-role-baseline",
+  "role_requirements": {
+    "submit": [
+      "product-owner",
+      "ops-engineer",
+      "workflow-operator"
+    ],
+    "approve": [
+      "security-admin",
+      "product-owner",
+      "workflow-operator"
+    ],
+    "reject": [
+      "security-admin",
+      "product-owner",
+      "workflow-operator"
+    ],
+    "execute": [
+      "release-operator",
+      "ops-engineer",
+      "workflow-operator"
+    ],
+    "verify": [
+      "qa-owner",
+      "release-operator",
+      "workflow-operator"
+    ],
+    "archive": [
+      "product-owner",
+      "release-operator",
+      "workflow-operator"
+    ]
+  }
+}

package/docs/security-governance-default-baseline.md

@@ -15,6 +15,7 @@ This baseline is the default operating policy for SCE-driven delivery, including
 - Low-risk auto-apply is allowed only when gate result is `allow`.
 - Runtime policy gate is mandatory before apply (`runtime_mode=ops-fix`, `runtime_environment=staging` by default).
 - Runtime non-allow (`deny|review-required`) should block unattended apply (`--fail-on-runtime-non-allow`).
+- Enable role-based action control when environment requires stronger separation of duties (`approval-role-policy-baseline.json` + `--actor-role`).
 - Apply-mode mutating plans require password authorization (`authorization.password_required=true` by default).
 - Password verifier hash must be supplied via `SCE_INTERACTIVE_AUTH_PASSWORD_SHA256` (or explicit override).
 - Work-order artifacts (`interactive-work-order.json|.md`) are required for usage/maintenance/dev integrated auditing.

package/lib/commands/scene.js

@@ -582,7 +582,10 @@ function registerSceneCommands(program) {
     .option('--work-order-out <path>', 'Work-order JSON output file path')
     .option('--work-order-markdown-out <path>', 'Work-order markdown output file path')
     .option('--approval-actor <id>', 'Approval workflow actor')
+    .option('--approval-actor-role <name>', 'Approval workflow actor role')
     .option('--approver-actor <id>', 'Auto-approve actor')
+    .option('--approver-actor-role <name>', 'Auto-approve actor role')
+    .option('--approval-role-policy <path>', 'Approval role policy JSON path')
     .option('--skip-submit', 'Skip approval submit step')
     .option('--auto-approve-low-risk', 'Auto-approve low-risk allow plans')
     .option('--auto-execute-low-risk', 'Auto-run low-risk apply for allow+low plans')
@@ -649,7 +652,10 @@ function registerSceneCommands(program) {
     .option('--work-order-markdown-out <path>', 'Work-order markdown output file path')
     .option('--out <path>', 'Flow summary output file path')
     .option('--approval-actor <id>', 'Approval workflow actor')
+    .option('--approval-actor-role <name>', 'Approval workflow actor role')
     .option('--approver-actor <id>', 'Auto-approve actor')
+    .option('--approver-actor-role <name>', 'Auto-approve actor role')
+    .option('--approval-role-policy <path>', 'Approval role policy JSON path')
     .option('--skip-submit', 'Skip approval submit step')
     .option('--auto-approve-low-risk', 'Auto-approve low-risk allow plans')
     .option('--auto-execute-low-risk', 'Auto-run low-risk apply for allow+low plans')
@@ -11166,7 +11172,10 @@ function normalizeSceneInteractiveFlowOptions(options = {}) {
     bridgeOutContext: options.bridgeOutContext ? String(options.bridgeOutContext).trim() : undefined,
     bridgeOutReport: options.bridgeOutReport ? String(options.bridgeOutReport).trim() : undefined,
     approvalActor: options.approvalActor ? String(options.approvalActor).trim() : undefined,
+    approvalActorRole: options.approvalActorRole ? String(options.approvalActorRole).trim().toLowerCase() : undefined,
     approverActor: options.approverActor ? String(options.approverActor).trim() : undefined,
+    approverActorRole: options.approverActorRole ? String(options.approverActorRole).trim().toLowerCase() : undefined,
+    approvalRolePolicy: options.approvalRolePolicy ? String(options.approvalRolePolicy).trim() : undefined,
     skipSubmit: options.skipSubmit === true,
     autoApproveLowRisk: options.autoApproveLowRisk === true,
     autoExecuteLowRisk: options.autoExecuteLowRisk === true,
@@ -11277,7 +11286,10 @@ function normalizeSceneInteractiveLoopOptions(options = {}) {
     workOrderOut: options.workOrderOut ? String(options.workOrderOut).trim() : undefined,
     workOrderMarkdownOut: options.workOrderMarkdownOut ? String(options.workOrderMarkdownOut).trim() : undefined,
     approvalActor: options.approvalActor ? String(options.approvalActor).trim() : undefined,
+    approvalActorRole: options.approvalActorRole ? String(options.approvalActorRole).trim().toLowerCase() : undefined,
     approverActor: options.approverActor ? String(options.approverActor).trim() : undefined,
+    approverActorRole: options.approverActorRole ? String(options.approverActorRole).trim().toLowerCase() : undefined,
+    approvalRolePolicy: options.approvalRolePolicy ? String(options.approvalRolePolicy).trim() : undefined,
     skipSubmit: options.skipSubmit === true,
     autoApproveLowRisk: options.autoApproveLowRisk === true,
     autoExecuteLowRisk: options.autoExecuteLowRisk === true,
@@ -11656,9 +11668,18 @@ async function runSceneInteractiveFlowCommand(rawOptions = {}, dependencies = {}
   if (options.approvalActor) {
     args.push('--approval-actor', options.approvalActor);
   }
+  if (options.approvalActorRole) {
+    args.push('--approval-actor-role', options.approvalActorRole);
+  }
   if (options.approverActor) {
     args.push('--approver-actor', options.approverActor);
   }
+  if (options.approverActorRole) {
+    args.push('--approver-actor-role', options.approverActorRole);
+  }
+  if (options.approvalRolePolicy) {
+    args.push('--approval-role-policy', options.approvalRolePolicy);
+  }
   if (options.skipSubmit) {
     args.push('--skip-submit');
   }
@@ -11872,9 +11893,18 @@ async function runSceneInteractiveLoopCommand(rawOptions = {}, dependencies = {}
   if (options.approvalActor) {
     args.push('--approval-actor', options.approvalActor);
   }
+  if (options.approvalActorRole) {
+    args.push('--approval-actor-role', options.approvalActorRole);
+  }
   if (options.approverActor) {
     args.push('--approver-actor', options.approverActor);
   }
+  if (options.approverActorRole) {
+    args.push('--approver-actor-role', options.approverActorRole);
+  }
+  if (options.approvalRolePolicy) {
+    args.push('--approval-role-policy', options.approvalRolePolicy);
+  }
   if (options.skipSubmit) {
     args.push('--skip-submit');
   }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "scene-capability-engine",
-  "version": "3.1.0",
+  "version": "3.2.0",
   "description": "SCE (Scene Capability Engine) - A CLI tool and npm package for spec-driven development with AI coding assistants.",
   "main": "index.js",
   "bin": {