scene-capability-engine 3.6.0 → 3.6.3

package/CHANGELOG.md

@@ -7,6 +7,36 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [3.6.3] - 2026-03-05
+
+### Added
+- SQLite-backed write authorization lease flow:
+  - new policy baseline: `.sce/config/authorization-policy.json`
+  - new state tables: `auth_lease_registry`, `auth_event_stream`
+  - new commands:
+    - `sce auth grant`
+    - `sce auth status`
+    - `sce auth revoke`
+- New write-authorization module: `lib/security/write-authorization.js`.
+- New unit coverage:
+  - `tests/unit/security/write-authorization.test.js`
+  - `tests/unit/commands/auth.test.js`
+  - extended state-store auth lifecycle tests.
+
+### Changed
+- `studio apply/release/rollback` now support `--auth-lease <lease-id>` and can enforce lease-based write authorization.
+- `task rerun` now supports `--auth-lease <lease-id>` and can enforce lease-based write authorization on non-dry-run operations.
+- Authorization checks and lease audit events are persisted to `.sce/state/sce-state.sqlite`.
+
+## [3.6.2] - 2026-03-04
+
+### Changed
+- Release default test gate now runs integration tests only (`npm run test:release`) for faster online publish verification.
+- `prepublishOnly` now uses `test:release` instead of `test:full`.
+- GitHub `release.yml` test job now runs integration-only release tests and skips coverage in release path.
+- Studio task-stream schema now includes normalized task-intent fields (`title_norm`, `raw_request`, `sub_goals`, `acceptance_criteria`, `needs_split`, `confidence`) while preserving existing task fields for compatibility.
+- Added version CLI integration coverage (`tests/integration/version-cli.integration.test.js`) to ensure `--version` output remains deterministic and package-aligned.
+
 ## [3.6.0] - 2026-03-04
 
 ### Added

package/README.md

@@ -130,7 +130,7 @@ SCE is tool-agnostic and works with Codex, Claude Code, Cursor, Windsurf, VS Cod
 
 Studio task-stream output contract (default):
 - IDs: `sessionId`, `sceneId`, `specId`, `taskId`, `taskRef`, `eventId`
-- Task: `task.goal`, `task.status`, `task.summary` (3-line), `task.handoff`, `task.next_action`
+- Task: `task.task_ref`, `task.title_norm`, `task.raw_request`, `task.goal`, `task.sub_goals`, `task.acceptance_criteria`, `task.needs_split`, `task.confidence`, `task.status`, `task.summary` (3-line), `task.handoff`, `task.next_action`
 - File refs: `task.file_changes[]` with `path`, `line`, `diffRef`
 - Command logs: `task.commands[]` with `cmd`, `exit_code`, `stdout`, `stderr`, `log_path`
 - Errors: `task.errors[]` with `message`, `error_bundle` (copy-ready)
@@ -145,11 +145,17 @@ Studio task-stream output contract (default):
   - SQLite-only backend (`.sce/state/sce-state.sqlite`)
   - In-memory fallback only in `NODE_ENV=test` or when `SCE_STATE_ALLOW_MEMORY_FALLBACK=1`
   - Outside those conditions, unavailable SQLite support fails fast for task-ref/event persistence
+- Write authorization lease model (SQLite-backed):
+  - policy file: `.sce/config/authorization-policy.json`
+  - grant lease: `sce auth grant --scope studio:* --reason "<reason>" --auth-password <password> --json`
+  - inspect/revoke: `sce auth status --json` / `sce auth revoke --lease <lease-id> --json`
+  - protected writes accept `--auth-lease <lease-id>` on `studio apply/release/rollback` and `task rerun`
 
 ---
 
 ## Important Version Changes
 
+- `3.6.2`: Added release-level version integration tests (`tests/integration/version-cli.integration.test.js`) and switched release default verification to integration-only gate (`npm run test:release`) for faster publish feedback.
 - `3.6.0`: Added hierarchical task references (`taskRef`, format `SS.PP.TT`) backed by SQLite state store `.sce/state/sce-state.sqlite`, plus new task commands (`sce task ref/show/rerun`) for reference lookup and deterministic rerun.
 - `3.5.2`: Introduced task-stream output contract for Studio commands (`sessionId/sceneId/specId/taskId/eventId`, structured `task.*` fields, `event[]` audit stream) and added OpenHands raw-event bridge via `sce studio events --openhands-events <path>`.
 - `3.5.1`: Enforced stricter Studio intake defaults (`--manual-spec` and `--no-spec-governance` blocked unless policy override), added historical spec scene backfill command (`sce studio backfill-spec-scenes`) and persisted override mapping (`.sce/spec-governance/spec-scene-overrides.json`) for portfolio/related-spec alignment.
@@ -200,5 +206,5 @@ MIT. See [LICENSE](LICENSE).
 
 ---
 
-**Version**: 3.6.0  
-**Last Updated**: 2026-03-04
+**Version**: 3.6.3  
+**Last Updated**: 2026-03-05

package/README.zh.md

@@ -130,7 +130,7 @@ SCE 对工具无锁定，可接入 Codex、Claude Code、Cursor、Windsurf、VS
 
 Studio 任务流输出契约（默认）：
 - ID 字段：`sessionId`、`sceneId`、`specId`、`taskId`、`taskRef`、`eventId`
-- 任务主体：`task.goal`、`task.status`、`task.summary`（固定三行）、`task.handoff`、`task.next_action`
+- 任务主体：`task.task_ref`、`task.title_norm`、`task.raw_request`、`task.goal`、`task.sub_goals`、`task.acceptance_criteria`、`task.needs_split`、`task.confidence`、`task.status`、`task.summary`（固定三行）、`task.handoff`、`task.next_action`
 - 文件引用：`task.file_changes[]`（`path`、`line`、`diffRef`）
 - 命令执行：`task.commands[]`（`cmd`、`exit_code`、`stdout`、`stderr`、`log_path`）
 - 错误复制：`task.errors[]`（`message`、`error_bundle`，可直接复制给 AI 修复）
@@ -145,11 +145,17 @@ Studio 任务流输出契约（默认）：
   - 仅支持 SQLite 后端（`.sce/state/sce-state.sqlite`）
   - 仅在 `NODE_ENV=test` 或 `SCE_STATE_ALLOW_MEMORY_FALLBACK=1` 时允许内存回退
   - 在上述条件之外若 SQLite 不可用，任务引用/事件持久化会快速失败
+- 写入授权租约模型（SQLite 持久化）：
+  - 策略文件：`.sce/config/authorization-policy.json`
+  - 申请租约：`sce auth grant --scope studio:* --reason "<原因>" --auth-password <密码> --json`
+  - 查看/撤销：`sce auth status --json` / `sce auth revoke --lease <lease-id> --json`
+  - 受保护写操作支持 `--auth-lease <lease-id>`：`studio apply/release/rollback`、`task rerun`
 
 ---
 
 ## 重要版本变更
 
+- `3.6.2`：新增发布版本号集成测试（`tests/integration/version-cli.integration.test.js`），并将发布默认验证切换为仅 integration 门禁（`npm run test:release`），加速发布反馈。
 - `3.6.0`：新增分层任务引用（`taskRef`，格式 `SS.PP.TT`），持久化到 SQLite 状态库 `.sce/state/sce-state.sqlite`；新增 `sce task ref/show/rerun` 用于引用查询与可重放执行。
 - `3.5.2`：新增 Studio 任务流输出契约（`sessionId/sceneId/specId/taskId/eventId`、结构化 `task.*` 字段、`event[]` 审计流），并新增 OpenHands 原始事件桥接能力：`sce studio events --openhands-events <path>`。
 - `3.5.1`：默认强化 Studio intake 治理（`--manual-spec`、`--no-spec-governance` 在未显式放开策略时会被阻断），新增历史 spec 场景回填命令 `sce studio backfill-spec-scenes`，并写入 `.sce/spec-governance/spec-scene-overrides.json` 以统一 portfolio 与 related-spec 的场景映射。
@@ -200,5 +206,5 @@ MIT，见 [LICENSE](LICENSE)。
 
 ---
 
-**版本**：3.6.0  
-**最后更新**：2026-03-04
+**版本**：3.6.3  
+**最后更新**：2026-03-05

package/bin/scene-capability-engine.js

@@ -24,6 +24,7 @@ const { registerSpecRelatedCommand } = require('../lib/commands/spec-related');
 const { registerTimelineCommands } = require('../lib/commands/timeline');
 const { registerValueCommands } = require('../lib/commands/value');
 const { registerTaskCommands } = require('../lib/commands/task');
+const { registerAuthCommands } = require('../lib/commands/auth');
 const VersionChecker = require('../lib/version/version-checker');
 const {
   findLegacyKiroDirectories,
@@ -945,6 +946,7 @@ registerOrchestrateCommands(program);
 // Value realization and observability commands
 registerValueCommands(program);
 registerTaskCommands(program);
+registerAuthCommands(program);
 
 // Template management commands
 const templatesCommand = require('../lib/commands/templates');

package/docs/command-reference.md

@@ -552,6 +552,8 @@ sce studio generate --scene scene.customer-order-inventory --target 331 --json
 
 # Apply generated patch metadata
 sce studio apply --patch-bundle patch-scene.customer-order-inventory-<timestamp> --json
+# Apply with explicit write lease
+sce studio apply --job <job-id> --auth-lease <lease-id> --json
 
 # Record verification result
 sce studio verify --profile standard --json
@@ -560,6 +562,8 @@ sce studio verify --profile strict --json
 # Record release event
 sce studio release --channel dev --profile standard --json
 sce studio release --channel dev --profile strict --json
+# Release with explicit write lease
+sce studio release --job <job-id> --channel dev --auth-lease <lease-id> --json
 
 # Resume from latest or explicit job
 sce studio resume --job <job-id> --json
@@ -571,6 +575,8 @@ sce studio events --job <job-id> --openhands-events ./openhands-events.json --js
 
 # Rollback a job after apply/release
 sce studio rollback --job <job-id> --reason "manual-check-failed" --json
+# Rollback with explicit write lease
+sce studio rollback --job <job-id> --reason "manual-check-failed" --auth-lease <lease-id> --json
 
 # Build scene-organized spec governance portfolio
 sce studio portfolio --json
@@ -583,11 +589,16 @@ sce studio backfill-spec-scenes --scene scene.unassigned --limit 20 --apply --js
 
 # Enforce authorization for a protected action
 SCE_STUDIO_REQUIRE_AUTH=1 SCE_STUDIO_AUTH_PASSWORD=top-secret sce studio apply --job <job-id> --auth-password top-secret --json
+
+# Grant/review/revoke write lease (stored in .sce/state/sce-state.sqlite)
+SCE_AUTH_PASSWORD=top-secret sce auth grant --scope studio:* --reason "maintenance window" --auth-password top-secret --json
+sce auth status --json
+sce auth revoke --lease <lease-id> --reason "window closed" --json
 ```
 
 Studio JSON output now includes a stable UI-oriented task stream contract (in addition to existing `job_*` fields):
 - root IDs: `sessionId`, `sceneId`, `specId`, `taskId`, `taskRef`, `eventId`
-- `task.goal`, `task.status`, `task.summary` (fixed 3-line summary), `task.handoff`, `task.next_action`
+- `task.task_ref`, `task.title_norm`, `task.raw_request`, `task.goal`, `task.sub_goals`, `task.acceptance_criteria`, `task.needs_split`, `task.confidence`, `task.status`, `task.summary` (fixed 3-line summary), `task.handoff`, `task.next_action`
 - `task.file_changes[]`: `path`, `line`, `diffRef`
 - `task.commands[]`: `cmd`, `exit_code`, `stdout`, `stderr`, `log_path`
 - `task.errors[]`: `message`, `error_bundle` (copy-ready diagnostic bundle)
@@ -689,6 +700,34 @@ Default policy file (recommended to commit): `.sce/config/studio-security.json`
 }
 ```
 
+Write lease model (optional, policy-driven, SQLite-backed):
+- Policy file: `.sce/config/authorization-policy.json`
+- Lease/event persistence: `.sce/state/sce-state.sqlite` (`auth_lease_registry`, `auth_event_stream`)
+- Default protected actions: `studio:apply`, `studio:release`, `studio:rollback`, `task:rerun`
+- Default lease TTL: 15 minutes (`default_ttl_minutes`)
+- Write commands accept `--auth-lease <lease-id>`
+- Policy env overrides:
+  - `SCE_AUTH_REQUIRE_LEASE=1`
+  - `SCE_AUTH_PASSWORD_ENV=<ENV_NAME>`
+  - `SCE_AUTH_ENFORCE_ACTIONS=studio:apply,task:rerun`
+
+Default write authorization policy (recommended to commit): `.sce/config/authorization-policy.json`
+
+```json
+{
+  "enabled": false,
+  "enforce_actions": ["studio:apply", "studio:release", "studio:rollback", "task:rerun"],
+  "default_ttl_minutes": 15,
+  "max_ttl_minutes": 120,
+  "require_password_for_grant": true,
+  "require_password_for_revoke": false,
+  "password_env": "SCE_AUTH_PASSWORD",
+  "default_scope": ["project:*"],
+  "allow_test_bypass": true,
+  "allow_password_as_inline_lease": false
+}
+```
+
 Studio intake policy file (default, recommended to commit): `.sce/config/studio-intake-policy.json`
 
 ```json

package/docs/release-checklist.md

@@ -7,10 +7,10 @@
 ## 1. Functional Verification
 
 ```bash
-# Fast CI smoke suite (integration-focused)
-npm run test:smoke
+# Default release test gate (integration-only)
+npm run test:release
 
-# Full regression suite (unit + integration + properties)
+# Optional full regression suite (unit + integration + properties)
 npm run test:full
 
 # Guardrail: fail on newly introduced .skip tests

package/docs/zh/release-checklist.md

@@ -7,10 +7,10 @@
 ## 1. 功能验证
 
 ```bash
-# 快速 CI 冒烟（integration 为主）
-npm run test:smoke
+# 默认发布测试门禁（仅 integration）
+npm run test:release
 
-# 全量回归（unit + integration + properties）
+# 可选全量回归（unit + integration + properties）
 npm run test:full
 
 # 防回归：禁止新增 .skip 测试

package/lib/commands/auth.js

@@ -0,0 +1,269 @@
+const chalk = require('chalk');
+const fs = require('fs-extra');
+const {
+  grantWriteAuthorizationLease,
+  revokeWriteAuthorizationLease,
+  collectWriteAuthorizationStatus,
+  getWriteAuthorizationLease
+} = require('../security/write-authorization');
+
+function normalizeString(value) {
+  if (typeof value !== 'string') {
+    return '';
+  }
+  return value.trim();
+}
+
+function normalizeInteger(value, fallback = 0) {
+  const parsed = Number.parseInt(`${value}`, 10);
+  if (!Number.isFinite(parsed) || parsed <= 0) {
+    return fallback;
+  }
+  return parsed;
+}
+
+function normalizeScopeInput(value) {
+  if (Array.isArray(value)) {
+    return value;
+  }
+  const text = normalizeString(value);
+  if (!text) {
+    return [];
+  }
+  return text.split(/[,\s]+/g).map((item) => normalizeString(item)).filter(Boolean);
+}
+
+function printAuthPayload(payload, options = {}) {
+  if (options.json) {
+    console.log(JSON.stringify(payload, null, 2));
+    return;
+  }
+
+  const mode = normalizeString(payload.mode);
+  if (mode === 'auth-grant') {
+    console.log(chalk.blue(`Auth lease granted: ${payload.lease.lease_id}`));
+    console.log(`  Subject: ${payload.lease.subject}`);
+    console.log(`  Role: ${payload.lease.role}`);
+    console.log(`  Scope: ${(payload.lease.scope || []).join(', ') || 'n/a'}`);
+    console.log(`  Expires: ${payload.lease.expires_at || 'n/a'}`);
+    console.log(`  Store: ${payload.store_path || 'n/a'}`);
+    return;
+  }
+
+  if (mode === 'auth-revoke') {
+    console.log(chalk.blue(`Auth lease revoked: ${payload.lease.lease_id}`));
+    console.log(`  Subject: ${payload.lease.subject}`);
+    console.log(`  Revoked at: ${payload.lease.revoked_at || 'n/a'}`);
+    console.log(`  Store: ${payload.store_path || 'n/a'}`);
+    return;
+  }
+
+  if (mode === 'auth-status') {
+    if (payload.lease) {
+      console.log(chalk.blue(`Auth lease: ${payload.lease.lease_id}`));
+      console.log(`  Subject: ${payload.lease.subject}`);
+      console.log(`  Role: ${payload.lease.role}`);
+      console.log(`  Scope: ${(payload.lease.scope || []).join(', ') || 'n/a'}`);
+      console.log(`  Expires: ${payload.lease.expires_at || 'n/a'}`);
+      console.log(`  Revoked: ${payload.lease.revoked_at || 'no'}`);
+    } else {
+      console.log(chalk.blue('Auth lease status'));
+      console.log(`  Active leases: ${payload.summary.active_lease_count}`);
+      console.log(`  Events: ${payload.summary.event_count}`);
+    }
+    console.log(`  Store: ${payload.store_path || 'n/a'}`);
+  }
+}
+
+async function runAuthGrantCommand(options = {}, dependencies = {}) {
+  const projectPath = dependencies.projectPath || process.cwd();
+  const fileSystem = dependencies.fileSystem || fs;
+  const env = dependencies.env || process.env;
+
+  const granted = await grantWriteAuthorizationLease({
+    subject: options.subject,
+    role: options.role,
+    scope: normalizeScopeInput(options.scope),
+    ttlMinutes: normalizeInteger(options.ttlMinutes, 15),
+    reason: options.reason,
+    authPassword: options.authPassword,
+    actor: options.actor,
+    metadata: {
+      source: 'sce auth grant'
+    }
+  }, {
+    projectPath,
+    fileSystem,
+    env,
+    authSecret: dependencies.authSecret
+  });
+
+  const payload = {
+    mode: 'auth-grant',
+    success: true,
+    policy: granted.policy,
+    policy_path: granted.policy_path,
+    lease: granted.lease,
+    store_path: granted.store_path
+  };
+
+  printAuthPayload(payload, options);
+  return payload;
+}
+
+async function runAuthStatusCommand(options = {}, dependencies = {}) {
+  const projectPath = dependencies.projectPath || process.cwd();
+  const fileSystem = dependencies.fileSystem || fs;
+  const env = dependencies.env || process.env;
+  const leaseId = normalizeString(options.lease);
+
+  if (leaseId) {
+    const [status, lease] = await Promise.all([
+      collectWriteAuthorizationStatus({
+        activeOnly: options.all !== true,
+        limit: normalizeInteger(options.limit, 20),
+        eventsLimit: normalizeInteger(options.eventsLimit, 20)
+      }, {
+        projectPath,
+        fileSystem,
+        env
+      }),
+      getWriteAuthorizationLease(leaseId, {
+        projectPath,
+        fileSystem,
+        env
+      })
+    ]);
+
+    const payload = {
+      mode: 'auth-status',
+      success: true,
+      policy: status.policy,
+      policy_path: status.policy_path,
+      lease: lease || null,
+      summary: {
+        active_lease_count: Array.isArray(status.leases) ? status.leases.length : 0,
+        event_count: Array.isArray(status.events) ? status.events.length : 0
+      },
+      events: Array.isArray(status.events) ? status.events : [],
+      store_path: status.store_path
+    };
+    printAuthPayload(payload, options);
+    return payload;
+  }
+
+  const status = await collectWriteAuthorizationStatus({
+    activeOnly: options.all !== true,
+    limit: normalizeInteger(options.limit, 20),
+    eventsLimit: normalizeInteger(options.eventsLimit, 20)
+  }, {
+    projectPath,
+    fileSystem,
+    env
+  });
+
+  const payload = {
+    mode: 'auth-status',
+    success: true,
+    policy: status.policy,
+    policy_path: status.policy_path,
+    leases: Array.isArray(status.leases) ? status.leases : [],
+    events: Array.isArray(status.events) ? status.events : [],
+    summary: {
+      active_lease_count: Array.isArray(status.leases) ? status.leases.length : 0,
+      event_count: Array.isArray(status.events) ? status.events.length : 0
+    },
+    store_path: status.store_path
+  };
+
+  printAuthPayload(payload, options);
+  return payload;
+}
+
+async function runAuthRevokeCommand(options = {}, dependencies = {}) {
+  const leaseId = normalizeString(options.lease);
+  if (!leaseId) {
+    throw new Error('--lease is required');
+  }
+
+  const projectPath = dependencies.projectPath || process.cwd();
+  const fileSystem = dependencies.fileSystem || fs;
+  const env = dependencies.env || process.env;
+
+  const revoked = await revokeWriteAuthorizationLease(leaseId, {
+    authPassword: options.authPassword,
+    reason: options.reason,
+    actor: options.actor
+  }, {
+    projectPath,
+    fileSystem,
+    env,
+    authSecret: dependencies.authSecret
+  });
+
+  const payload = {
+    mode: 'auth-revoke',
+    success: true,
+    policy: revoked.policy,
+    policy_path: revoked.policy_path,
+    lease: revoked.lease,
+    store_path: revoked.store_path
+  };
+
+  printAuthPayload(payload, options);
+  return payload;
+}
+
+function runAuthCommand(handler, options = {}, context = 'auth') {
+  Promise.resolve(handler(options))
+    .catch((error) => {
+      console.error(chalk.red(`${context} failed: ${error.message}`));
+      process.exitCode = 1;
+    });
+}
+
+function registerAuthCommands(program) {
+  const auth = program
+    .command('auth')
+    .description('Manage temporary write authorization leases');
+
+  auth
+    .command('grant')
+    .description('Grant a write authorization lease (persisted in sqlite)')
+    .option('--subject <subject>', 'Lease subject (default: current user)')
+    .option('--role <role>', 'Subject role', 'maintainer')
+    .option('--scope <scope>', 'Scope list, comma-separated (example: studio:*,task:rerun)')
+    .option('--ttl-minutes <minutes>', 'Lease TTL in minutes', '15')
+    .option('--reason <reason>', 'Grant reason')
+    .option('--actor <actor>', 'Audit actor override')
+    .option('--auth-password <password>', 'Authorization password for grant policy')
+    .option('--json', 'Print machine-readable JSON output')
+    .action((options) => runAuthCommand(runAuthGrantCommand, options, 'auth grant'));
+
+  auth
+    .command('status')
+    .description('Show current authorization lease and event status from sqlite')
+    .option('--lease <lease-id>', 'Inspect one lease id')
+    .option('--all', 'Include inactive/revoked leases')
+    .option('--limit <n>', 'Lease result limit', '20')
+    .option('--events-limit <n>', 'Auth event result limit', '20')
+    .option('--json', 'Print machine-readable JSON output')
+    .action((options) => runAuthCommand(runAuthStatusCommand, options, 'auth status'));
+
+  auth
+    .command('revoke')
+    .description('Revoke a write authorization lease')
+    .requiredOption('--lease <lease-id>', 'Lease id')
+    .option('--reason <reason>', 'Revoke reason')
+    .option('--actor <actor>', 'Audit actor override')
+    .option('--auth-password <password>', 'Authorization password for revoke policy')
+    .option('--json', 'Print machine-readable JSON output')
+    .action((options) => runAuthCommand(runAuthRevokeCommand, options, 'auth revoke'));
+}
+
+module.exports = {
+  runAuthGrantCommand,
+  runAuthStatusCommand,
+  runAuthRevokeCommand,
+  registerAuthCommands
+};