scene-capability-engine 3.1.0 → 3.3.1

package/CHANGELOG.md

@@ -8,6 +8,30 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
 
 ### Added
+- **Auto handoff default takeover hard gate + preflight-check command**: `sce auto handoff` profiles now default to release-gate preflight hard requirement (`default|moqui|enterprise`), added `sce auto handoff preflight-check` (`pass|warning|blocked` + reasons/signals/recommended commands), and `handoff run` precheck/details now exposes full runtime ui-mode pressure aggregates for machine-readable triage.
+- **Interactive runtime ui-mode telemetry closed-loop**: `interactive-customization-loop` now emits runtime policy signal streams (`interactive-runtime-signals.jsonl` global + session) with `ui_mode` violation markers; `interactive-governance-report` now ingests runtime signals by default and reports runtime/ui-mode pressure metrics + alerts; weekly ops summary/gate now carry and enforce runtime ui-mode violation signals (default `RELEASE_WEEKLY_OPS_MAX_RUNTIME_UI_MODE_VIOLATION_TOTAL=0`).
+- **Interactive dual-surface runtime policy contract**: `interactive-runtime-policy-evaluate` now supports `--ui-mode` and enforces optional `policy.ui_modes` constraints (UI mode vs runtime mode/execution mode), `interactive-customization-loop` now passes UI mode through runtime evaluation by default, and baseline runtime policy/docs now include `user-app`/`ops-console` contract defaults for safer embedded assistant routing.
+- **Handoff run observability-phase weekly-ops routing**: `sce auto handoff run` now injects weekly-ops stop pressure counters into the `observability` phase details, propagates weekly pressure into `failure_summary.highlights`, and auto-adds weekly summary/gate + policy-tuning recommendations when governance weekly pressure is observed.
+- **Runtime ui-mode pressure propagation across auto governance/handoff**: `sce auto handoff gate-index` now ingests runtime weekly-ops telemetry (`runtime_block_rate`, `runtime_ui_mode_violation_*`) into history latest/aggregates/markdown; `auto governance stats|close-loop|session list|session stats|observability snapshot` now preserves runtime stop-detail pressure and recommendation signals end-to-end; `sce auto handoff run` observability/failure/recommendation outputs now surface runtime ui-mode pressure guidance by default.
+- **Handoff preflight/evidence runtime diagnostics uplift**: `sce auto handoff run` now exposes runtime ui-mode pressure fields directly in `release_gate_preflight` (including precheck details), and `sce auto handoff evidence --format markdown` / release draft outputs now render runtime block-rate + ui-mode violation lines for faster operator triage.
+- **Observability snapshot weekly-ops governance highlights**: `sce auto observability snapshot` now exposes governance weekly-ops stop pressure in `highlights` and `snapshots.governance_weekly_ops_stop`, enabling dashboards to consume weekly pressure trends directly without traversing nested governance session payloads.
+- **Governance session stats weekly-ops pressure trend**: `sce auto governance session list|stats` now exposes weekly-ops stop-detail telemetry (per-session flags + aggregated `release_gate.weekly_ops_stop` counters/rates/averages), with backward-compatible fallback that infers pressure from historical `stop_detail.reasons`.
+- **Governance close-loop weekly-ops structured stop detail**: `sce auto governance close-loop` now emits `stop_detail.weekly_ops` (latest, aggregates, pressure flags) whenever weekly release pressure contributes to a release-gate block, so embedded assistants and UI layers can consume machine-readable diagnostics without parsing reason strings.
+- **Governance close-loop now emits weekly-ops block reasons by default**: `sce auto governance close-loop` now maps weekly-ops pressure (blocked runs/rates, config-warning pressure, auth-tier/dialogue authorization block-rate pressure, latest weekly risk/governance status) into `stop_detail.reasons`, treats those signals as release-gate blocking conditions, and emits direct weekly-ops remediation recommendations in close-loop output.
+- **Governance risk routing uses weekly-ops history pressure**: `auto governance stats` now ingests `weekly_ops_*` signals from release gate history (block/warning/config-warning pressure + auth-tier/dialogue block-rate maxima), elevates risk/concerns accordingly, and emits targeted remediation recommendations for weekly gate reruns, variable fixes, and policy tuning.
+- **Release gate history weekly-ops visibility uplift**: `sce auto handoff gate-index` now ingests nested `weekly_ops` telemetry from release-gate artifacts (blocked/warnings/config-warnings/dialogue/auth-tier rates), exposes new `weekly_ops_*` aggregates in JSON/markdown, and release workflow trend notes now surface config-warning totals and weekly-ops pressure signals.
+- **Weekly ops remediation + gate config warning hardening**: `release-risk-remediation-bundle` now outputs policy-specific remediation for `dialogue-authorization` and `authorization-tier` block-rate pressure; `release-weekly-ops-gate` now emits `config_warnings` when threshold env values are invalid and falls back to safe defaults.
+- **Dialogue-authorization telemetry defaultization**: `interactive-customization-loop` now appends dialogue-authorization signal streams (`interactive-dialogue-authorization-signals.jsonl` global + session), and `interactive-governance-report` now ingests these signals by default to compute deny/review block-rate metrics with threshold alerts.
+- **Machine-readable authorization dialogue contract**: `interactive-dialogue-governance` now emits `authorization_dialogue` requirements (decision/required inputs/confirmation steps/prompts) with default baseline policy (`authorization-dialogue-policy-baseline.json`), supports explicit UI surface mode routing (`--ui-mode user-app|ops-console`), and interactive loop/flow summaries now expose `summary.dialogue_authorization_decision`.
+- **Interactive authorization tier default gate**: Added `interactive-authorization-tier-evaluate` with baseline policy (`authorization-tier-policy-baseline.json`) and integrated it into interactive loop/flow pipeline by default, enforcing profile/environment step-up rules (`business-user` suggestion-only, `system-maintainer` apply-enabled with environment-specific secondary authorization requirements).
+- **Authorization tier work-order/governance wiring**: `interactive-customization-loop` now appends authorization-tier signal streams by default, `interactive-work-order-build` ingests authorization-tier decisions/requirements into governance fields and next-actions, and `interactive-governance-report` now computes authorization-tier deny/review metrics with threshold alerts.
+- **Weekly ops hard-gate includes authorization-tier pressure**: `release-ops-weekly-summary` now carries authorization-tier deny/review/block-rate snapshot fields and risk concerns, and `release-weekly-ops-gate` now supports `RELEASE_WEEKLY_OPS_MAX_AUTHORIZATION_TIER_BLOCK_RATE_PERCENT` (default `40`) as a release blocking condition.
+- **Embedded assistant authorization dialogue baseline**: Added `docs/interactive-customization/embedded-assistant-authorization-dialogue-rules.md` to standardize user-mode vs maintainer-mode interaction, step-up authorization prompts, deny fallback behavior, and mandatory audit references for in-product AI assistants.
+- **Interactive dialogue profile governance**: `interactive-dialogue-governance` now supports `--profile business-user|system-maintainer` with profile-aware policy merge (including maintenance ticket/rollback safety prompts), and `interactive-customization-loop`/`interactive-flow`/`sce scene interactive-loop|interactive-flow` now pass through `--dialogue-profile` and expose active profile in summaries.
+- **Batch 429 exhaustion recovery guidance**: `sce auto close-loop-batch` now emits rate-limit pressure telemetry and automatic recovery recommendation metadata (`batch_retry.recovery_*`) when retry budget is exhausted under throttling, plus a ready-to-run `close-loop-recover` suggested command in CLI summary.
+- **Interactive execution-block diagnostics in summaries**: `interactive-customization-loop` now emits normalized block categories and remediation hints (`summary.execution_block_reason_category`, `summary.execution_block_remediation_hint`), with `interactive-flow` passthrough plus `summary.authorization_execute_roles` for role-policy guided UI remediation.
+- **Interactive smoke role-policy coverage**: `interactive-loop-smoke` and `interactive-flow-smoke` now run with approval role-policy + actor-role parameters by default to validate password+role dual-authorization path in CI/release smoke stage.
+- **Interactive approval role-policy step-up**: `interactive-approval-workflow` now supports optional role-based action authorization (`--role-policy`, `--actor-role`) and loop/flow/scene commands can pass role policy and actor roles (`--approval-role-policy`, `--approval-actor-role`, `--approver-actor-role`) for separation-of-duties governance.
 - **Interactive runtime policy + work-order default pipeline**: Added `interactive-runtime-policy-evaluate` and `interactive-work-order-build`, integrated both into `interactive-customization-loop` and `interactive-flow` (including `sce scene interactive-loop/interactive-flow` passthrough), with default `runtime_mode=ops-fix`, `runtime_environment=staging`, runtime non-allow fail gate option, and auditable work-order artifacts.
 - **Release weekly ops closed-loop summary**: Added `node scripts/release-ops-weekly-summary.js` (npm alias `npm run report:release-ops-weekly`) to aggregate handoff evidence, release-gate history, interactive governance, and matrix signals into one weekly risk/recommendation card (`weekly-ops-summary.json|.md`).
 - **Release workflow weekly ops asset publication**: `release.yml` now exports and publishes `weekly-ops-summary-<tag>.json|.md` alongside governance snapshot and Moqui release evidence assets.

package/docs/command-reference.md

@@ -727,6 +727,7 @@ Close-loop controller session maintenance:
 Cross-archive autonomous governance maintenance:
 - `sce auto governance stats [--days <n>] [--status <csv>] [--json]`: aggregate a unified governance snapshot from session/batch-session/controller-session archives plus recovery memory state.
   - JSON output includes `totals`, `throughput`, `health` (`risk_level`, `concerns`, `recommendations`, `release_gate`, `handoff_quality`), `top_master_specs`, `recovery_memory`, and full per-archive stats under `archives`.
+  - `health.release_gate` now carries weekly-ops governance pressure signals from release gate history (`weekly_ops_*`, including block/warning/config-warning totals and authorization/dialogue block-rate maxima) for risk scoring and recommendation routing.
   - When handoff Moqui matrix regressions are positive, `health.recommendations` now include phased anti-429 baseline one-shot remediation commands.
   - `health.handoff_quality` carries Moqui matrix + capability lexicon governance signals:
     - `latest_capability_expected_unknown_count`
@@ -749,6 +750,7 @@ Cross-archive autonomous governance maintenance:
   - `--governance-session-keep` (with optional `--governance-session-older-than-days`) enables post-run governance session retention pruning while protecting the current session snapshot.
   - `--execute-advisory` enables automatic advisory action execution (`recover-latest`, `controller-resume-latest`) when governance assessment detects failed sessions or controller pending goals; sce auto-selects the latest actionable advisory source and reports `skipped` (not `failed`) when no actionable source exists.
   - JSON output includes round-by-round risk/action telemetry (`rounds`, with `risk_before/risk_after` and `release_gate_before/release_gate_after`), advisory telemetry (`execute_advisory`, `advisory_policy`, `advisory_summary`, `rounds[*].advisory_actions`), `stop_detail` + `recommendations` for explicit blocking reasons, plus `initial_assessment`, `final_assessment`, and convergence metadata.
+  - When blocked by weekly release pressure, `stop_detail.weekly_ops` provides structured latest/aggregate/pressure fields so downstream agents and UI assistants do not need to parse reason strings.
   - Release-gate block reasons now include handoff matrix regression reasons when present:
     - `handoff-capability-expected-unknown-positive:<n>`
     - `handoff-capability-provided-unknown-positive:<n>`
@@ -756,8 +758,15 @@ Cross-archive autonomous governance maintenance:
     - `handoff-capability-provided-unknown-positive-rate:<percent>`
     - `handoff-moqui-matrix-regressions-positive:<n>`
     - `handoff-moqui-matrix-regressions-over-gate:<n>/<max>`
+  - Release-gate block reasons also include weekly-ops pressure reasons when present (examples):
+    - `weekly-ops-latest-blocked`
+    - `weekly-ops-blocked-runs-positive:<n>`
+    - `weekly-ops-config-warnings-positive:<n>`
+    - `weekly-ops-auth-tier-block-rate-high:<percent>`
+    - `weekly-ops-dialogue-authorization-block-rate-high:<percent>`
 - `sce auto governance session list [--limit <n>] [--status <csv>] [--resume-only] [--json]`: list persisted governance close-loop sessions (`--resume-only` filters to resumed-chain sessions only).
 - `sce auto governance session stats [--days <n>] [--status <csv>] [--resume-only] [--json]`: aggregate governance close-loop session telemetry (completion/failure/convergence, rounds, risk/stop composition, resumed-chain ratios/source counts, and aggregated `release_gate` round telemetry trends).
+  - `release_gate.weekly_ops_stop` summarizes weekly-ops stop pressure across governance sessions (session counts/rates, high-pressure/config-warning/auth-tier/dialogue pressure rates, and averaged blocked-runs/block-rate/config-warning totals).
 - `sce auto governance session prune [--keep <n>] [--older-than-days <n>] [--dry-run] [--json]`: prune governance close-loop session archive by retention policy.
 
 Close-loop recovery memory maintenance:
@@ -775,6 +784,8 @@ Autonomous KPI trend:
 Unified observability snapshot:
 - `sce auto observability snapshot [--days <n>] [--status <csv>] [--weeks <n>] [--trend-mode <mode>] [--trend-period <period>] [--out <path>] [--json]`: generate one unified observability snapshot that combines close-loop session stats, batch stats, controller stats, governance session stats, governance health, and KPI trend.
 - JSON output includes top-level `highlights` plus detailed archive/trend payloads under `snapshots`.
+  - `highlights` includes governance weekly-ops pressure counters (`governance_weekly_ops_stop_sessions`, high-pressure/config-warning/auth-tier/dialogue pressure counts/rates) plus runtime pressure counters (`governance_weekly_ops_runtime_block_rate_high_sessions`, `governance_weekly_ops_runtime_ui_mode_violation_high_sessions`, `governance_weekly_ops_runtime_ui_mode_violation_total_sum`).
+  - `snapshots.governance_weekly_ops_stop` exposes the full weekly-ops stop aggregate object from governance session stats for direct dashboard consumption.
 
 Agent-facing spec interfaces:
 - `sce auto spec status <spec-name> [--json]`: structured status for one spec (`docs`, `task_progress`, `collaboration`, `health`).
@@ -792,6 +803,9 @@ Dual-track handoff integration:
 - `sce auto handoff capability-matrix --manifest <path> [--profile <default|moqui|enterprise>] [--strict] [--strict-warnings] [--min-capability-coverage <n>] [--min-capability-semantic <n>] [--no-require-capability-semantic] [--format <json|markdown>] [--out <path>] [--remediation-queue-out <path>] [--fail-on-gap] [--json]`: generate a fast Moqui capability matrix (`template-diff + baseline + capability coverage + semantic completeness`) and optionally fail fast on gaps.
 - When matrix regressions are detected in baseline compare, recommendations prioritize capability-cluster phased execution first (`npm run run:matrix-remediation-clusters-phased -- --json`), then baseline phased one-shot (`node scripts/moqui-matrix-remediation-phased-runner.js --baseline ... --json`).
 - When `manifest.capabilities` is empty, sce auto-infers canonical expected capabilities from `manifest.templates` using the Moqui lexicon before deciding whether capability coverage should be skipped.
+- `sce auto handoff preflight-check [--profile <default|moqui|enterprise>] [--history-file <path>] [--require-release-gate-preflight|--no-require-release-gate-preflight] [--release-evidence-window <n>] [--require-pass] [--json]`: inspect release-gate history preflight readiness and return machine-readable `pass|warning|blocked` status with reasons, runtime weekly-ops pressure signals, and executable remediation commands.
+  - `--require-pass` exits non-zero when status is not `pass` (recommended for CI/release hard gates).
+  - Default policy follows profile defaults and enforces release-gate preflight hard requirement (`default`/`moqui`/`enterprise` all require preflight by default).
 - `sce auto handoff run --manifest <path> [--profile <default|moqui|enterprise>] [--out <path>] [--queue-out <path>] [--append] [--no-include-known-gaps] [--continue-from <session|latest|file>] [--continue-strategy <auto|pending|failed-only>] [--dry-run] [--strict] [--strict-warnings] [--no-dependency-batching] [--min-spec-success-rate <n>] [--max-risk-level <level>] [--max-moqui-matrix-regressions <n>] [--no-require-ontology-validation] [--no-require-moqui-baseline] [--min-capability-coverage <n>] [--no-require-capability-coverage] [--require-release-gate-preflight] [--release-evidence-window <n>] [--json]`: execute handoff end-to-end (`plan -> queue -> close-loop-batch -> observability`) with automatic report archive to `.kiro/reports/handoff-runs/<session>.json`.
   - Default mode is dependency-aware: spec integration goals are grouped into dependency batches and executed in topological order.
   - `--continue-from` resumes pending goals from an existing handoff run report (`latest`, session id, or JSON file path). For safety, sce enforces manifest-path consistency between the previous report and current run.
@@ -804,11 +818,13 @@ Dual-track handoff integration:
   - Run output includes `moqui_capability_coverage` snapshot by default (when manifest `capabilities` is declared), with artifacts at `.kiro/reports/release-evidence/moqui-capability-coverage.json` and `.kiro/reports/release-evidence/moqui-capability-coverage.md`.
   - When `manifest.capabilities` is not declared, sce attempts lexicon-based capability inference from `manifest.templates` first; only fully non-mappable manifests keep capability coverage in skipped mode.
   - Run output includes `release_gate_preflight` (latest release gate history signal snapshot + blocked reasons) and carries this context into `warnings`.
-  - `release_gate_preflight` is advisory by default; use `--require-release-gate-preflight` to hard-fail when preflight is unavailable/blocked.
+  - `release_gate_preflight` now also carries runtime weekly-ops pressure metrics (`latest_weekly_ops_runtime_block_rate_percent`, `latest_weekly_ops_runtime_ui_mode_violation_total`, `latest_weekly_ops_runtime_ui_mode_violation_rate_percent`) for UI-mode policy diagnostics.
+  - `release_gate_preflight` is hard-gated by default; use `--no-require-release-gate-preflight` only for emergency bypass or isolated diagnostics.
+  - `phases[*].details` for `observability` now includes weekly-ops stop pressure counters (`weekly_ops_stop_sessions`, `weekly_ops_high_pressure_sessions`, config-warning/auth-tier/dialogue pressure session counts) and runtime pressure counters (`weekly_ops_runtime_block_rate_high_sessions`, `weekly_ops_runtime_ui_mode_violation_high_sessions`, `weekly_ops_runtime_ui_mode_violation_total_sum`) sourced from the unified observability snapshot.
   - `--profile` applies preset gate policy defaults before explicit option overrides:
-    - `default`: current baseline gate policy.
-    - `moqui`: explicit Moqui-intake baseline (same strict defaults as `default`).
-    - `enterprise`: stricter release control baseline (`max-risk-level=medium`, `require-release-gate-preflight=true`, `release-evidence-window=10`).
+    - `default`: default takeover policy (release-gate preflight hard requirement enabled).
+    - `moqui`: explicit Moqui-intake baseline (same hard-gate defaults as `default`).
+    - `enterprise`: stricter release control baseline (`max-risk-level=medium`, `release-evidence-window=10`, preflight hard requirement enabled).
   - When Moqui baseline/capability gates fail, sce auto-generates remediation queue lines at `.kiro/auto/moqui-remediation.lines`.
   - Run result includes `failure_summary` (failed phase/gate/release-gate preflight highlights) and `recommendations` with executable follow-up commands (for example, auto-generated `--continue-from <session>` on failed/incomplete batches).
   - When matrix regressions are detected, recommendations now prioritize capability-cluster phased execution (`npm run run:matrix-remediation-clusters-phased -- --json`) and include capability-cluster batch fallback plus baseline phased one-shot remediation (`node scripts/moqui-matrix-remediation-phased-runner.js --baseline ... --json`).
@@ -827,6 +843,7 @@ Dual-track handoff integration:
   - `--window` (1-50, default `5`) controls how many recent sessions are aggregated in review.
   - JSON output includes `current_overview` (with `release_gate_preflight`, `failure_summary`, and preflight policy flags), `aggregates.status_counts`, `aggregates.gate_pass_rate_percent`, and `risk_layers`.
   - Markdown output includes `Current Gate`, `Current Release Gate Preflight`, `Current Failure Summary`, `Current Ontology`, `Current Regression`, `Current Moqui Baseline`, `Current Capability Coverage`, `Trend Series`, and `Risk Layer View`.
+  - `Current Release Gate Preflight` includes runtime pressure lines (runtime block-rate and ui-mode violation totals/rates) when signals exist in release-gate history.
   - Add `--release-draft <path>` to auto-generate a release notes draft and evidence review markdown in one run.
   - `--release-version` sets draft version tag (defaults to `v<package.json version>`), and `--release-date` accepts `YYYY-MM-DD` (default: current UTC date).
   - Use `--review-out <path>` to override the generated evidence review markdown path (default `.kiro/reports/release-evidence/handoff-evidence-review.md`).
@@ -834,7 +851,7 @@ Dual-track handoff integration:
   - Default scan dir is `.kiro/reports/release-evidence`, default output file is `.kiro/reports/release-evidence/release-gate-history.json`.
   - `--history-file` merges an existing index (for example, previous release asset) before dedup/refresh.
   - `--keep` retains latest N entries (`1-5000`, default `200`).
-  - Aggregates include scene package batch, capability unknown trend, drift, and release-preflight/hard-gate signals (`scene_package_batch_*`, `capability_expected_unknown_*`, `capability_provided_unknown_*`, `drift_alert_*`, `drift_block_*`, `release_gate_preflight_*`) when present in gate reports.
+  - Aggregates include scene package batch, capability unknown trend, drift, weekly ops pressure (including runtime ui-mode/runtime block-rate telemetry), config warning pressure, and release-preflight/hard-gate signals (`scene_package_batch_*`, `capability_expected_unknown_*`, `capability_provided_unknown_*`, `drift_alert_*`, `drift_block_*`, `weekly_ops_*`, `config_warnings_total`, `release_gate_preflight_*`) when present in gate reports.
   - `--markdown-out <path>` writes a human-readable trend card markdown for PR/Issue handoff.
 
 Moqui template library lexicon audit (script-level governance helper):
@@ -888,12 +905,18 @@ Release weekly ops gate helper (release hard-gate):
     - `RELEASE_WEEKLY_OPS_MAX_RISK_LEVEL=medium`
   - optional thresholds:
     - `RELEASE_WEEKLY_OPS_MAX_GOVERNANCE_BREACHES=<n>`
+    - `RELEASE_WEEKLY_OPS_MAX_AUTHORIZATION_TIER_BLOCK_RATE_PERCENT=<n>` (default `40`)
+    - `RELEASE_WEEKLY_OPS_MAX_DIALOGUE_AUTHORIZATION_BLOCK_RATE_PERCENT=<n>` (default `40`)
+    - `RELEASE_WEEKLY_OPS_MAX_RUNTIME_UI_MODE_VIOLATION_TOTAL=<n>` (default `0`)
+    - `RELEASE_WEEKLY_OPS_MAX_RUNTIME_UI_MODE_VIOLATION_RATE_PERCENT=<n>`
     - `RELEASE_WEEKLY_OPS_MAX_MATRIX_REGRESSION_RATE_PERCENT=<n>`
+  - invalid numeric threshold values emit `config_warnings` and fall back to defaults.
   - merges result into `RELEASE_GATE_REPORT_FILE` when provided.
 - npm alias: `npm run gate:release-ops-weekly`
 
 Release risk remediation bundle helper (weekly + drift unified command pack):
 - `node scripts/release-risk-remediation-bundle.js [--gate-report <path>] [--out <path>] [--markdown-out <path>] [--lines-out <path>] [--json]`: derive deduplicated remediation commands from `release-gate` report signals (`weekly_ops`, `drift`) and export JSON/Markdown/lines artifacts.
+  - when weekly gate includes `dialogue-authorization`/`authorization-tier` block-rate pressure, plan includes policy-specific diagnostics (`interactive-dialogue-governance`, `interactive-authorization-tier-evaluate`).
   - Default input: `.kiro/reports/release-evidence/release-gate.json`
   - Default outputs:
     - `.kiro/reports/release-evidence/release-risk-remediation-bundle.json`
@@ -987,11 +1010,15 @@ Interactive context bridge helper (script-level provider normalization):
   - npm alias: `npm run report:interactive-context-bridge`
 
 Interactive full flow helper (script-level one-command entry):
-- `node scripts/interactive-flow.js --input <path> (--goal <text> | --goal-file <path>) [--provider <moqui|generic>] [--execution-mode <suggestion|apply>] [--runtime-mode <user-assist|ops-fix|feature-dev>] [--runtime-environment <dev|staging|prod>] [--runtime-policy <path>] [--policy <path>] [--catalog <path>] [--dialogue-policy <path>] [--context-contract <path>] [--auto-execute-low-risk] [--auth-password-hash <sha256>] [--auth-password <text>] [--feedback-score <0..5>] [--work-order-out <path>] [--work-order-markdown-out <path>] [--fail-on-runtime-non-allow] [--no-matrix] [--matrix-min-score <0..100>] [--matrix-min-valid-rate <0..100>] [--matrix-compare-with <path>] [--matrix-signals <path>] [--matrix-fail-on-portfolio-fail] [--matrix-fail-on-regression] [--json]`: run `context-bridge -> interactive-loop -> matrix-baseline-snapshot` in one command for Moqui workbench integration.
+- `node scripts/interactive-flow.js --input <path> (--goal <text> | --goal-file <path>) [--provider <moqui|generic>] [--execution-mode <suggestion|apply>] [--runtime-mode <user-assist|ops-fix|feature-dev>] [--runtime-environment <dev|staging|prod>] [--runtime-policy <path>] [--authorization-tier-policy <path>] [--authorization-tier-out <path>] [--policy <path>] [--catalog <path>] [--dialogue-policy <path>] [--dialogue-profile <business-user|system-maintainer>] [--ui-mode <user-app|ops-console>] [--context-contract <path>] [--approval-role-policy <path>] [--approval-actor-role <name>] [--approver-actor-role <name>] [--auto-execute-low-risk] [--auth-password-hash <sha256>] [--auth-password <text>] [--feedback-score <0..5>] [--work-order-out <path>] [--work-order-markdown-out <path>] [--fail-on-runtime-non-allow] [--no-matrix] [--matrix-min-score <0..100>] [--matrix-min-valid-rate <0..100>] [--matrix-compare-with <path>] [--matrix-signals <path>] [--matrix-fail-on-portfolio-fail] [--matrix-fail-on-regression] [--json]`: run `context-bridge -> interactive-loop -> matrix-baseline-snapshot` in one command for Moqui workbench integration.
   - Default flow artifact root: `.kiro/reports/interactive-flow/<session-id>/`
   - Default flow summary output: `.kiro/reports/interactive-flow/<session-id>/interactive-flow.summary.json`
   - Default dialogue report output: `.kiro/reports/interactive-flow/<session-id>/interactive-dialogue-governance.json`
+  - Default dialogue-authorization signal stream:
+    - `.kiro/reports/interactive-flow/<session-id>/interactive-dialogue-authorization-signals.jsonl` (session)
+    - `.kiro/reports/interactive-dialogue-authorization-signals.jsonl` (global append-only stream)
   - Default runtime report output: `.kiro/reports/interactive-flow/<session-id>/interactive-runtime-policy.json`
+  - Default authorization tier report output: `.kiro/reports/interactive-flow/<session-id>/interactive-authorization-tier.json`
   - Default work-order outputs:
     - `.kiro/reports/interactive-flow/<session-id>/interactive-work-order.json`
     - `.kiro/reports/interactive-flow/<session-id>/interactive-work-order.md`
@@ -1014,9 +1041,13 @@ Interactive read-only intent helper (script-level stage-A copilot bridge):
   - This helper never executes write actions; it only produces suggestion-stage artifacts.
 
 Interactive dialogue governance helper (script-level communication-rule gate):
-- `node scripts/interactive-dialogue-governance.js (--goal <text> | --goal-file <path>) [--context <path>] [--policy <path>] [--out <path>] [--fail-on-deny] [--json]`: evaluate user request text against embedded-assistant communication policy, output `allow|clarify|deny`, and produce clarification questions for non-technical users.
+- `node scripts/interactive-dialogue-governance.js (--goal <text> | --goal-file <path>) [--context <path>] [--policy <path>] [--profile <business-user|system-maintainer>] [--ui-mode <user-app|ops-console>] [--execution-mode <suggestion|apply>] [--runtime-environment <dev|staging|prod>] [--authorization-dialogue-policy <path>] [--out <path>] [--fail-on-deny] [--json]`: evaluate user request text against embedded-assistant communication policy, output `allow|clarify|deny`, and produce machine-readable authorization dialogue requirements (`authorization_dialogue`) for non-technical users.
+  - Embedded assistant authorization dialogue baseline: `docs/interactive-customization/embedded-assistant-authorization-dialogue-rules.md`
+  - Dual-surface integration guide: `docs/interactive-customization/dual-ui-mode-integration-guide.md`
   - Default output: `.kiro/reports/interactive-dialogue-governance.json`
   - Default policy: `docs/interactive-customization/dialogue-governance-policy-baseline.json` (fallback builtin policy when missing)
+  - Default authorization dialogue policy: `docs/interactive-customization/authorization-dialogue-policy-baseline.json`
+  - Default profile: `business-user` (use `system-maintainer` for maintenance/operator conversations)
   - `--fail-on-deny` exits with code `2` to block unsafe requests in CI/automation.
 
 Interactive change-plan generator helper (script-level stage-B planning bridge):
@@ -1027,13 +1058,23 @@ Interactive change-plan generator helper (script-level stage-B planning bridge):
   - Generated plans can be evaluated directly by `interactive-change-plan-gate`.
 
 Interactive one-click loop helper (script-level orchestration entry):
-- `node scripts/interactive-customization-loop.js --context <path> (--goal <text> | --goal-file <path>) [--execution-mode <suggestion|apply>] [--runtime-mode <user-assist|ops-fix|feature-dev>] [--runtime-environment <dev|staging|prod>] [--runtime-policy <path>] [--policy <path>] [--catalog <path>] [--dialogue-policy <path>] [--context-contract <path>] [--no-strict-contract] [--auto-approve-low-risk] [--auto-execute-low-risk] [--auth-password-hash <sha256>] [--auth-password <text>] [--feedback-score <0..5>] [--feedback-comment <text>] [--feedback-tags <csv>] [--allow-suggestion-apply] [--work-order-out <path>] [--work-order-markdown-out <path>] [--fail-on-dialogue-deny] [--fail-on-gate-non-allow] [--fail-on-runtime-non-allow] [--json]`: run dialogue->intent->plan->gate->runtime->approval pipeline in one command and optionally trigger low-risk one-click apply via Moqui adapter.
+- `node scripts/interactive-customization-loop.js --context <path> (--goal <text> | --goal-file <path>) [--execution-mode <suggestion|apply>] [--runtime-mode <user-assist|ops-fix|feature-dev>] [--runtime-environment <dev|staging|prod>] [--runtime-policy <path>] [--authorization-tier-policy <path>] [--authorization-tier-out <path>] [--policy <path>] [--catalog <path>] [--dialogue-policy <path>] [--dialogue-profile <business-user|system-maintainer>] [--ui-mode <user-app|ops-console>] [--context-contract <path>] [--approval-role-policy <path>] [--approval-actor-role <name>] [--approver-actor-role <name>] [--no-strict-contract] [--auto-approve-low-risk] [--auto-execute-low-risk] [--auth-password-hash <sha256>] [--auth-password <text>] [--feedback-score <0..5>] [--feedback-comment <text>] [--feedback-tags <csv>] [--allow-suggestion-apply] [--work-order-out <path>] [--work-order-markdown-out <path>] [--fail-on-dialogue-deny] [--fail-on-gate-non-allow] [--fail-on-runtime-non-allow] [--json]`: run dialogue->intent->plan->gate->runtime->authorization-tier->approval pipeline in one command and optionally trigger low-risk one-click apply via Moqui adapter.
   - CLI equivalent: `sce scene interactive-loop --context <path> --goal "<goal>" --context-contract docs/interactive-customization/moqui-copilot-context-contract.json --execution-mode apply --auto-execute-low-risk --auth-password "<password>" --feedback-score 5 --json`
   - Default loop artifact root: `.kiro/reports/interactive-loop/<session-id>/`
   - Default summary output: `.kiro/reports/interactive-loop/<session-id>/interactive-customization-loop.summary.json`
 - `--auto-execute-low-risk` executes `interactive-moqui-adapter --action low-risk-apply` only when `risk_level=low`, dialogue decision != `deny`, and gate decision=`allow`.
 - `--runtime-mode` and `--runtime-environment` default to `ops-fix@staging`; runtime decision must be `allow` before low-risk auto execute.
+- Authorization tier defaults:
+  - `business-user` profile is suggestion-only (`apply` denied by default)
+  - `system-maintainer` profile can apply, but environment step-up requirements still apply (password/role separation/manual review)
 - Default runtime report: `.kiro/reports/interactive-loop/<session-id>/interactive-runtime-policy.json`
+- Default authorization tier report: `.kiro/reports/interactive-loop/<session-id>/interactive-authorization-tier.json`
+- Default authorization tier signal stream:
+  - Session: `.kiro/reports/interactive-loop/<session-id>/interactive-authorization-tier-signals.jsonl`
+  - Global: `.kiro/reports/interactive-authorization-tier-signals.jsonl`
+- Default dialogue-authorization signal stream:
+  - Session: `.kiro/reports/interactive-loop/<session-id>/interactive-dialogue-authorization-signals.jsonl`
+  - Global: `.kiro/reports/interactive-dialogue-authorization-signals.jsonl`
 - Default work-order outputs:
   - `.kiro/reports/interactive-loop/<session-id>/interactive-work-order.json`
   - `.kiro/reports/interactive-loop/<session-id>/interactive-work-order.md`
@@ -1042,19 +1083,26 @@ Interactive one-click loop helper (script-level orchestration entry):
 - npm alias: `npm run run:interactive-loop -- --context docs/interactive-customization/page-context.sample.json --goal "Improve order entry clarity" --json`
 
 Interactive runtime policy helper (script-level mode/environment gate):
-- `node scripts/interactive-runtime-policy-evaluate.js --plan <path> [--runtime-mode <user-assist|ops-fix|feature-dev>] [--runtime-environment <dev|staging|prod>] [--policy <path>] [--fail-on-non-allow] [--json]`: evaluate plan execution safety by runtime role and environment constraints.
+- `node scripts/interactive-runtime-policy-evaluate.js --plan <path> [--ui-mode <user-app|ops-console>] [--runtime-mode <user-assist|ops-fix|feature-dev>] [--runtime-environment <dev|staging|prod>] [--policy <path>] [--fail-on-non-allow] [--json]`: evaluate plan execution safety by runtime role, UI surface, and environment constraints.
   - Default policy: `docs/interactive-customization/runtime-mode-policy-baseline.json`
+  - `policy.ui_modes` (when configured) enforces UI-surface contract, such as `user-app` suggestion-only and apply routed to `ops-console`.
   - Default output: `.kiro/reports/interactive-runtime-policy.json`
   - `--fail-on-non-allow` exits with code `2` on `deny` or `review-required`.
 
+Interactive authorization-tier helper (script-level profile/environment step-up gate):
+- `node scripts/interactive-authorization-tier-evaluate.js [--execution-mode <suggestion|apply>] [--dialogue-profile <business-user|system-maintainer>] [--runtime-mode <name>] [--runtime-environment <dev|staging|prod>] [--auto-execute-low-risk] [--live-apply] [--policy <path>] [--out <path>] [--fail-on-non-allow] [--json]`: evaluate whether execution intent is permitted under dialogue profile and runtime environment authorization tier.
+  - Default policy: `docs/interactive-customization/authorization-tier-policy-baseline.json`
+  - Default output: `.kiro/reports/interactive-authorization-tier.json`
+  - `--fail-on-non-allow` exits with code `2` on `deny` or `review-required`.
+
 Interactive work-order helper (script-level usage/maintenance/dev closure):
-- `node scripts/interactive-work-order-build.js --plan <path> [--dialogue <path>] [--intent <path>] [--gate <path>] [--runtime <path>] [--approval-state <path>] [--execution-attempted] [--execution-result <value>] [--execution-id <id>] [--out <path>] [--markdown-out <path>] [--json]`: build auditable work-order record from dialogue/plan/gate/runtime/approval/execution signals.
+- `node scripts/interactive-work-order-build.js --plan <path> [--dialogue <path>] [--intent <path>] [--gate <path>] [--runtime <path>] [--authorization-tier <path>] [--approval-state <path>] [--execution-attempted] [--execution-result <value>] [--execution-id <id>] [--out <path>] [--markdown-out <path>] [--json]`: build auditable work-order record from dialogue/plan/gate/runtime/authorization-tier/approval/execution signals.
   - Default outputs:
     - `.kiro/reports/interactive-work-order.json`
     - `.kiro/reports/interactive-work-order.md`
 
 Interactive approval workflow helper (script-level stage-B approval state machine):
-- `node scripts/interactive-approval-workflow.js --action <init|submit|approve|reject|execute|verify|archive|status> [--plan <path>] [--state-file <path>] [--audit-file <path>] [--actor <id>] [--comment <text>] [--password <text>] [--password-hash <sha256>] [--password-hash-env <name>] [--password-required] [--password-scope <csv>] [--json]`: maintain approval lifecycle state for interactive change plans and append approval events to JSONL audit logs.
+- `node scripts/interactive-approval-workflow.js --action <init|submit|approve|reject|execute|verify|archive|status> [--plan <path>] [--state-file <path>] [--audit-file <path>] [--actor <id>] [--actor-role <name>] [--role-policy <path>] [--comment <text>] [--password <text>] [--password-hash <sha256>] [--password-hash-env <name>] [--password-required] [--password-scope <csv>] [--json]`: maintain approval lifecycle state for interactive change plans and append approval events to JSONL audit logs.
   - Default state file: `.kiro/reports/interactive-approval-state.json`
   - Default audit file: `.kiro/reports/interactive-approval-events.jsonl`
   - `init` requires `--plan`; high-risk plans are marked as `approval_required=true`.
@@ -1078,11 +1126,14 @@ Interactive user feedback helper (script-level stage-D feedback ingestion):
 - npm alias: `npm run log:interactive-feedback -- --score 5 --comment "clear and safe"`
 
 Interactive governance report helper (script-level stage-D/6 observability + alerting):
-- `node scripts/interactive-governance-report.js [--intent-audit <path>] [--approval-audit <path>] [--execution-ledger <path>] [--feedback-file <path>] [--matrix-signals <path>] [--thresholds <path>] [--period <weekly|monthly|all|custom>] [--from <iso>] [--to <iso>] [--out <path>] [--markdown-out <path>] [--fail-on-alert] [--json]`: compute interactive governance KPIs (adoption/success/rollback/security-intercept/satisfaction + matrix pass/regression/stage-error), evaluate threshold breaches, and emit machine/human-readable governance report.
+- `node scripts/interactive-governance-report.js [--intent-audit <path>] [--approval-audit <path>] [--execution-ledger <path>] [--feedback-file <path>] [--matrix-signals <path>] [--dialogue-authorization-signals <path>] [--runtime-signals <path>] [--authorization-tier-signals <path>] [--thresholds <path>] [--period <weekly|monthly|all|custom>] [--from <iso>] [--to <iso>] [--out <path>] [--markdown-out <path>] [--fail-on-alert] [--json]`: compute interactive governance KPIs (adoption/success/rollback/security-intercept/satisfaction + matrix pass/regression/stage-error + dialogue/runtime/authorization-tier pressure), evaluate threshold breaches, and emit machine/human-readable governance report.
   - Default thresholds: `docs/interactive-customization/governance-threshold-baseline.json`
   - Default minimum intent sample threshold: `min_intent_samples=5` (below this becomes warning, not breach)
   - Default feedback input: `.kiro/reports/interactive-user-feedback.jsonl`
   - Default matrix input: `.kiro/reports/interactive-matrix-signals.jsonl`
+  - Default dialogue authorization signal input: `.kiro/reports/interactive-dialogue-authorization-signals.jsonl`
+  - Default runtime policy signal input: `.kiro/reports/interactive-runtime-signals.jsonl`
+  - Default authorization tier signal input: `.kiro/reports/interactive-authorization-tier-signals.jsonl`
   - Default outputs:
     - `.kiro/reports/interactive-governance-report.json`
     - `.kiro/reports/interactive-governance-report.md`

package/docs/interactive-customization/README.md

@@ -10,7 +10,10 @@ This directory contains baseline contracts and safety policy artifacts for the i
 - `page-context.schema.json`: schema for page-level read-only context payloads.
 - `guardrail-policy-baseline.json`: default secure-by-default guardrail policy.
 - `dialogue-governance-policy-baseline.json`: baseline communication rules for embedded assistant dialogue.
-- `runtime-mode-policy-baseline.json`: baseline runtime mode/environment policy (`user-assist|ops-fix|feature-dev` x `dev|staging|prod`).
+- `authorization-dialogue-policy-baseline.json`: machine-readable authorization dialogue policy (profile/env confirmation + step-up prompts).
+- `authorization-tier-policy-baseline.json`: baseline authorization tier policy for profile/environment step-up requirements.
+- `runtime-mode-policy-baseline.json`: baseline runtime mode/environment policy (`user-assist|ops-fix|feature-dev` x `dev|staging|prod`) with optional `ui_modes` surface contract (`user-app|ops-console`).
+- `approval-role-policy-baseline.json`: optional approval role policy baseline (`submit/approve/execute/verify/archive` role requirements).
 - `high-risk-action-catalog.json`: baseline high-risk action classification for deny/review decisions.
 - `change-plan.sample.json`: runnable sample plan for gate checks.
 - `page-context.sample.json`: runnable page context sample for read-only intent generation.
@@ -26,6 +29,8 @@ This directory contains baseline contracts and safety policy artifacts for the i
 - `governance-threshold-baseline.json`: governance KPI threshold baseline for alerting.
 - `governance-report-template.md`: periodic governance report template.
 - `governance-alert-playbook.md`: threshold breach response workflow.
+- `embedded-assistant-authorization-dialogue-rules.md`: required user/maintainer conversation + authorization behavior for embedded AI assistants.
+- `dual-ui-mode-integration-guide.md`: integration pattern for user-app and ops-console dual-surface deployments.
 - `phase-acceptance-evidence.md`: stage A/B/C/D acceptance evidence checklist.
 - `non-technical-usability-report.md`: business-user usability assessment and improvement backlog.
 - `cross-industry-replication-guide.md`: replication boundary and rollout sequence beyond Moqui.
@@ -70,10 +75,12 @@ Run one-command full flow (bridge -> loop):
 node scripts/interactive-flow.js \
   --input docs/interactive-customization/moqui-context-provider.sample.json \
   --goal "Adjust order screen field layout for clearer input flow" \
+  --dialogue-profile system-maintainer \
   --runtime-mode ops-fix \
   --runtime-environment staging \
   --context-contract docs/interactive-customization/moqui-copilot-context-contract.json \
   --dialogue-policy docs/interactive-customization/dialogue-governance-policy-baseline.json \
+  --authorization-tier-policy docs/interactive-customization/authorization-tier-policy-baseline.json \
   --runtime-policy docs/interactive-customization/runtime-mode-policy-baseline.json \
   --execution-mode apply \
   --auto-execute-low-risk \
@@ -104,9 +111,21 @@ Flow output defaults:
 - Bridge context: `.kiro/reports/interactive-flow/<session-id>/interactive-page-context.normalized.json`
 - Loop summary: `.kiro/reports/interactive-flow/<session-id>/interactive-customization-loop.summary.json`
 - Dialogue governance report: `.kiro/reports/interactive-flow/<session-id>/interactive-dialogue-governance.json`
+- Dialogue authorization signal stream:
+  - Session: `.kiro/reports/interactive-flow/<session-id>/interactive-dialogue-authorization-signals.jsonl`
+  - Global: `.kiro/reports/interactive-dialogue-authorization-signals.jsonl`
+- Authorization tier report: `.kiro/reports/interactive-flow/<session-id>/interactive-authorization-tier.json`
+- Authorization tier signal stream:
+  - Session: `.kiro/reports/interactive-flow/<session-id>/interactive-authorization-tier-signals.jsonl`
+  - Global: `.kiro/reports/interactive-authorization-tier-signals.jsonl`
 - Matrix summary JSON: `.kiro/reports/interactive-flow/<session-id>/moqui-template-baseline.json`
 - Matrix summary Markdown: `.kiro/reports/interactive-flow/<session-id>/moqui-template-baseline.md`
 - Matrix signal stream: `.kiro/reports/interactive-matrix-signals.jsonl`
+- Loop/flow summaries now include execution block diagnostics:
+  - `summary.dialogue_authorization_decision` (`allow|review-required|deny`)
+  - `summary.execution_block_reason_category` (`password-authorization|role-policy|authorization-tier|runtime-policy|approval-policy|unknown`)
+  - `summary.execution_block_remediation_hint` (human-readable fix hint)
+  - `summary.authorization_execute_roles` (flow-level execute role requirements when role policy is enabled)
 
 Build read-only change intent from page context:
 
@@ -133,8 +152,13 @@ Run dialogue governance (communication-rule check only):
 ```bash
 node scripts/interactive-dialogue-governance.js \
   --goal "Improve order entry speed without changing payment policy" \
+  --execution-mode suggestion \
+  --runtime-environment staging \
+  --profile business-user \
+  --ui-mode user-app \
   --context docs/interactive-customization/page-context.sample.json \
   --policy docs/interactive-customization/dialogue-governance-policy-baseline.json \
+  --authorization-dialogue-policy docs/interactive-customization/authorization-dialogue-policy-baseline.json \
   --json
 ```
 
@@ -146,6 +170,8 @@ node scripts/interactive-customization-loop.js \
   --context docs/interactive-customization/page-context.sample.json \
   --context-contract docs/interactive-customization/moqui-copilot-context-contract.json \
   --goal "Improve order entry clarity for business users" \
+  --dialogue-profile business-user \
+  --ui-mode user-app \
   --json
 
 # low-risk one-click apply loop
@@ -153,9 +179,15 @@ node scripts/interactive-customization-loop.js \
   --context docs/interactive-customization/page-context.sample.json \
   --context-contract docs/interactive-customization/moqui-copilot-context-contract.json \
   --goal "Adjust order screen field layout for clearer input flow" \
+  --dialogue-profile system-maintainer \
+  --ui-mode ops-console \
   --runtime-mode ops-fix \
   --runtime-environment staging \
+  --authorization-tier-policy docs/interactive-customization/authorization-tier-policy-baseline.json \
   --runtime-policy docs/interactive-customization/runtime-mode-policy-baseline.json \
+  --approval-role-policy docs/interactive-customization/approval-role-policy-baseline.json \
+  --approval-actor-role product-owner \
+  --approver-actor-role release-operator \
   --execution-mode apply \
   --auto-execute-low-risk \
   --auth-password-hash "<sha256-of-demo-pass>" \
@@ -170,6 +202,7 @@ sce scene interactive-loop \
   --context docs/interactive-customization/page-context.sample.json \
   --context-contract docs/interactive-customization/moqui-copilot-context-contract.json \
   --goal "Adjust order screen field layout for clearer input flow" \
+  --dialogue-profile system-maintainer \
   --execution-mode apply \
   --auto-execute-low-risk \
   --auth-password-hash "<sha256-of-demo-pass>" \
@@ -181,21 +214,38 @@ sce scene interactive-loop \
 `--feedback-score` writes feedback into both:
 - Session artifact: `.kiro/reports/interactive-loop/<session-id>/interactive-user-feedback.jsonl`
 - Governance global stream: `.kiro/reports/interactive-user-feedback.jsonl`
+- `--dialogue-profile` defaults to `business-user`; use `system-maintainer` for operations/maintenance sessions that must surface ticket + rollback requirements before execution.
+- `--ui-mode user-app|ops-console` binds interaction surface semantics (user app vs management console) and participates in authorization dialogue decisioning.
+- In default authorization tier, `business-user` only allows `suggestion` mode; apply path requires `system-maintainer` profile plus environment-specific step-up requirements.
 - Context contract validation is strict by default (required fields, payload size, forbidden keys). Use `--no-strict-contract` only for temporary diagnostics.
 - `--execution-mode apply` with mutating actions requires password authorization by default (`plan.authorization.password_required=true`).
 - Runtime policy defaults to `ops-fix@staging`; low-risk auto execute requires runtime decision `allow`.
+- Runtime policy can enforce UI-surface contract via `ui_modes` (default baseline: `user-app` suggestion-only, `ops-console` supports apply).
 
 Run runtime mode/environment policy evaluation directly:
 
 ```bash
 node scripts/interactive-runtime-policy-evaluate.js \
   --plan .kiro/reports/interactive-change-plan.generated.json \
+  --ui-mode ops-console \
   --runtime-mode ops-fix \
   --runtime-environment staging \
   --policy docs/interactive-customization/runtime-mode-policy-baseline.json \
   --json
 ```
 
+Run authorization tier profile/environment evaluation directly:
+
+```bash
+node scripts/interactive-authorization-tier-evaluate.js \
+  --execution-mode apply \
+  --dialogue-profile system-maintainer \
+  --runtime-environment staging \
+  --auto-execute-low-risk \
+  --policy docs/interactive-customization/authorization-tier-policy-baseline.json \
+  --json
+```
+
 Build interactive work-order artifacts directly:
 
 ```bash
@@ -204,6 +254,7 @@ node scripts/interactive-work-order-build.js \
   --dialogue .kiro/reports/interactive-dialogue-governance.json \
   --gate .kiro/reports/interactive-change-plan-gate.json \
   --runtime .kiro/reports/interactive-runtime-policy.json \
+  --authorization-tier .kiro/reports/interactive-authorization-tier.json \
   --approval-state .kiro/reports/interactive-approval-state.json \
   --execution-attempted \
   --execution-result success \
@@ -223,11 +274,15 @@ node scripts/interactive-approval-workflow.js \
 
 # submit -> approve -> execute -> verify
 node scripts/interactive-approval-workflow.js --action submit --actor product-owner --json
-node scripts/interactive-approval-workflow.js --action approve --actor security-admin --json
-node scripts/interactive-approval-workflow.js --action execute --actor release-operator --password "demo-pass" --json
-node scripts/interactive-approval-workflow.js --action verify --actor qa-owner --json
+node scripts/interactive-approval-workflow.js --action approve --actor security-admin --actor-role security-admin --json
+node scripts/interactive-approval-workflow.js --action execute --actor release-operator --actor-role release-operator --password "demo-pass" --json
+node scripts/interactive-approval-workflow.js --action verify --actor qa-owner --actor-role qa-owner --json
 ```
 
+When role control is required, initialize workflow with:
+- `--role-policy docs/interactive-customization/approval-role-policy-baseline.json`
+- and pass `--actor-role <role>` in each mutating action.
+
 Run the Moqui adapter interface (`capabilities/plan/validate/apply/rollback`):
 
 ```bash
@@ -301,6 +356,9 @@ node scripts/interactive-governance-report.js \
 
 The governance report consumes feedback events from `.kiro/reports/interactive-user-feedback.jsonl` by default.
 The governance report also consumes matrix signals from `.kiro/reports/interactive-matrix-signals.jsonl` by default.
+The governance report consumes dialogue-authorization signals from `.kiro/reports/interactive-dialogue-authorization-signals.jsonl` by default.
+The governance report consumes runtime policy signals from `.kiro/reports/interactive-runtime-signals.jsonl` by default.
+The governance report consumes authorization-tier signals from `.kiro/reports/interactive-authorization-tier-signals.jsonl` by default.
 When `intent_total` is below `min_intent_samples` (default `5`), adoption emits a low-severity sample warning instead of a breach.
 
 Export matrix regression remediation queue lines (for close-loop-batch):

package/docs/interactive-customization/approval-role-policy-baseline.json

@@ -0,0 +1,36 @@
+{
+  "version": "1.0.0",
+  "profile": "interactive-approval-role-baseline",
+  "role_requirements": {
+    "submit": [
+      "product-owner",
+      "ops-engineer",
+      "workflow-operator"
+    ],
+    "approve": [
+      "security-admin",
+      "product-owner",
+      "workflow-operator"
+    ],
+    "reject": [
+      "security-admin",
+      "product-owner",
+      "workflow-operator"
+    ],
+    "execute": [
+      "release-operator",
+      "ops-engineer",
+      "workflow-operator"
+    ],
+    "verify": [
+      "qa-owner",
+      "release-operator",
+      "workflow-operator"
+    ],
+    "archive": [
+      "product-owner",
+      "release-operator",
+      "workflow-operator"
+    ]
+  }
+}

package/docs/interactive-customization/authorization-dialogue-policy-baseline.json

@@ -0,0 +1,47 @@
+{
+  "version": "1.0.0",
+  "default_profile": "business-user",
+  "prompt_templates": {
+    "scope_confirmation": "Confirm target module/page and business boundary before execution.",
+    "impact_confirmation": "Confirm expected business impact and out-of-scope boundaries.",
+    "rollback_confirmation": "Confirm rollback reference is prepared before apply.",
+    "ticket_reference": "Provide approved change ticket id.",
+    "password_step_up": "Complete one-time password authorization before apply.",
+    "role_policy": "Provide actor role and approver role according to role policy.",
+    "role_separation": "Confirm operator role and approver role are different.",
+    "manual_review_ack": "Acknowledge manual review is required before production apply."
+  },
+  "profiles": {
+    "business-user": {
+      "allow_execution_modes": ["suggestion"],
+      "base_required_steps": ["scope_confirmation"]
+    },
+    "system-maintainer": {
+      "allow_execution_modes": ["suggestion", "apply"],
+      "base_required_steps": ["scope_confirmation", "impact_confirmation", "rollback_confirmation"]
+    }
+  },
+  "environments": {
+    "dev": {
+      "require_ticket": false,
+      "require_password_for_apply": false,
+      "require_role_policy": false,
+      "require_distinct_actor_roles": false,
+      "require_manual_review_ack": false
+    },
+    "staging": {
+      "require_ticket": true,
+      "require_password_for_apply": true,
+      "require_role_policy": false,
+      "require_distinct_actor_roles": false,
+      "require_manual_review_ack": false
+    },
+    "prod": {
+      "require_ticket": true,
+      "require_password_for_apply": true,
+      "require_role_policy": true,
+      "require_distinct_actor_roles": true,
+      "require_manual_review_ack": true
+    }
+  }
+}

package/docs/interactive-customization/authorization-tier-policy-baseline.json

@@ -0,0 +1,46 @@
+{
+  "version": "1.0.0",
+  "defaults": {
+    "profile": "business-user"
+  },
+  "profiles": {
+    "business-user": {
+      "allow_execution_modes": [
+        "suggestion"
+      ],
+      "auto_execute_allowed": false,
+      "allow_live_apply": false
+    },
+    "system-maintainer": {
+      "allow_execution_modes": [
+        "suggestion",
+        "apply"
+      ],
+      "auto_execute_allowed": true,
+      "allow_live_apply": true
+    }
+  },
+  "environments": {
+    "dev": {
+      "require_secondary_authorization": false,
+      "require_password_for_apply": false,
+      "require_role_policy": false,
+      "require_distinct_actor_roles": false,
+      "manual_review_required_for_apply": false
+    },
+    "staging": {
+      "require_secondary_authorization": true,
+      "require_password_for_apply": true,
+      "require_role_policy": false,
+      "require_distinct_actor_roles": false,
+      "manual_review_required_for_apply": false
+    },
+    "prod": {
+      "require_secondary_authorization": true,
+      "require_password_for_apply": true,
+      "require_role_policy": true,
+      "require_distinct_actor_roles": true,
+      "manual_review_required_for_apply": true
+    }
+  }
+}