scene-capability-engine 3.6.0 → 3.6.3

package/lib/commands/studio.js

@@ -13,6 +13,7 @@ const { captureTimelineCheckpoint } = require('../runtime/project-timeline');
 const { runProblemEvaluation } = require('../problem/problem-evaluator');
 const { TaskRefRegistry } = require('../task/task-ref-registry');
 const { getSceStateStore } = require('../state/sce-state-store');
+const { ensureWriteAuthorization } = require('../security/write-authorization');
 const {
   loadStudioIntakePolicy,
   runStudioAutoIntake,
@@ -1336,6 +1337,129 @@ function buildTaskSummaryLines(job = {}, stageName = '', taskStatus = '', nextAc
   ];
 }
 
+function truncateTaskText(value = '', maxLength = 96) {
+  const normalized = normalizeString(value).replace(/\s+/g, ' ');
+  if (!normalized) {
+    return '';
+  }
+  if (normalized.length <= maxLength) {
+    return normalized;
+  }
+  return `${normalized.slice(0, Math.max(0, maxLength - 3)).trim()}...`;
+}
+
+function dedupeTaskList(items = [], limit = 3) {
+  const seen = new Set();
+  const result = [];
+  for (const item of items) {
+    const normalized = truncateTaskText(item, 120);
+    if (!normalized) {
+      continue;
+    }
+    const key = normalized.toLowerCase();
+    if (seen.has(key)) {
+      continue;
+    }
+    seen.add(key);
+    result.push(normalized);
+    if (result.length >= limit) {
+      break;
+    }
+  }
+  return result;
+}
+
+function splitTaskRawRequest(rawRequest = '') {
+  const normalized = normalizeString(rawRequest).replace(/\s+/g, ' ');
+  if (!normalized) {
+    return [];
+  }
+  const chunks = normalized
+    .split(/(?:\r?\n|[;；。!?！？]|(?:\s+\band\b\s+)|(?:\s+\bthen\b\s+)|(?:\s+\balso\b\s+)|(?:\s*并且\s*)|(?:\s*同时\s*)|(?:\s*以及\s*)|(?:\s*然后\s*))/gi)
+    .map((item) => normalizeString(item).replace(/^(?:and|then|also)\s+/i, ''))
+    .filter(Boolean);
+  return dedupeTaskList(chunks, 3);
+}
+
+function deriveTaskIntentShape(rawRequest = '', stageName = '') {
+  const normalizedRaw = normalizeString(rawRequest).replace(/\s+/g, ' ');
+  const clauses = splitTaskRawRequest(normalizedRaw);
+  const hasRaw = normalizedRaw.length > 0;
+  const inferredSubGoals = clauses.length > 1 ? clauses.slice(0, 3) : [];
+  const needsSplit = inferredSubGoals.length > 1;
+  const titleSource = clauses.length > 0
+    ? clauses[0]
+    : (hasRaw ? normalizedRaw : `Studio ${stageName || 'task'} execution`);
+
+  let confidence = hasRaw ? 0.9 : 0.6;
+  if (needsSplit) {
+    confidence = 0.72;
+  }
+  if (normalizeString(stageName) && normalizeString(stageName) !== 'plan') {
+    confidence = Math.min(0.95, confidence + 0.03);
+  }
+
+  return {
+    title_norm: truncateTaskText(titleSource, 96) || `Studio ${stageName || 'task'} execution`,
+    raw_request: hasRaw ? normalizedRaw : null,
+    sub_goals: inferredSubGoals,
+    needs_split: needsSplit,
+    confidence: Number(confidence.toFixed(2))
+  };
+}
+
+function buildTaskAcceptanceCriteria(stageName = '', job = {}, nextAction = '') {
+  const normalizedStage = normalizeString(stageName) || 'task';
+  const artifacts = job && job.artifacts ? job.artifacts : {};
+  const criteriaByStage = {
+    plan: [
+      'Scene/spec binding is resolved and persisted in studio job metadata.',
+      'Plan stage problem evaluation passes with no blockers.',
+      `Next action is executable (${nextAction || 'sce studio generate --job <job-id>'}).`
+    ],
+    generate: [
+      'Patch bundle id is produced for downstream apply stage.',
+      'Generate stage report is written to artifacts.',
+      `Next action is executable (${nextAction || 'sce studio apply --patch-bundle <id> --job <job-id>'}).`
+    ],
+    apply: [
+      'Authorization requirements are satisfied for apply stage.',
+      'Apply stage completes without policy blockers.',
+      `Next action is executable (${nextAction || 'sce studio verify --job <job-id>'}).`
+    ],
+    verify: [
+      'Verification gates finish with no required-step failures.',
+      `Verify report is available (${normalizeString(artifacts.verify_report) || 'artifact pending'}).`,
+      `Next action is executable (${nextAction || 'sce studio release --job <job-id>'}).`
+    ],
+    release: [
+      'Release gates pass under configured release profile.',
+      `Release reference is emitted (${normalizeString(artifacts.release_ref) || 'artifact pending'}).`,
+      `Next action is executable (${nextAction || 'complete'}).`
+    ],
+    rollback: [
+      'Rollback stage transitions job status to rolled_back.',
+      'Rollback evidence is appended to studio event stream.',
+      `Recovery next action is executable (${nextAction || 'sce studio plan --scene <scene-id> --from-chat <session>'}).`
+    ],
+    events: [
+      'Events stream payload is available for task-level audit.',
+      'Task envelope preserves normalized IDs and handoff fields.',
+      `Next action is explicit (${nextAction || 'n/a'}).`
+    ],
+    resume: [
+      'Current job status and stage progress are restored deterministically.',
+      'Task envelope remains schema-compatible for downstream UI.',
+      `Next action is explicit (${nextAction || 'n/a'}).`
+    ]
+  };
+  return criteriaByStage[normalizedStage] || [
+    'Task envelope contains normalized identifiers and task contract fields.',
+    'Task output preserves evidence, command logs, and error bundles.',
+    `Next action is explicit (${nextAction || 'n/a'}).`
+  ];
+}
+
 function buildTaskEnvelope(mode, job, options = {}) {
   const stageName = resolveTaskStage(mode, job, options.stageName);
   const stageState = stageName && job && job.stages && job.stages[stageName]
@@ -1359,8 +1483,10 @@ function buildTaskEnvelope(mode, job, options = {}) {
     || (normalizeString(job && job.job_id)
       ? `${job.job_id}:${stageName || 'task'}`
       : null);
-  const goal = normalizeString(job?.source?.goal)
+  const rawRequest = normalizeString(job?.source?.goal);
+  const goal = rawRequest
     || `Studio ${stageName || 'task'} execution`;
+  const taskIntent = deriveTaskIntentShape(rawRequest, stageName);
   const sessionId = normalizeString(job?.session?.scene_session_id) || null;
   const sceneId = normalizeString(job?.scene?.id) || null;
   const specId = normalizeString(job?.scene?.spec_id) || normalizeString(job?.source?.spec_id) || null;
@@ -1400,7 +1526,14 @@ function buildTaskEnvelope(mode, job, options = {}) {
     eventId: normalizeString(latestEvent && latestEvent.event_id) || null,
     task: {
       ref: taskRef,
+      task_ref: taskRef,
+      title_norm: taskIntent.title_norm,
+      raw_request: taskIntent.raw_request,
       goal,
+      sub_goals: taskIntent.sub_goals,
+      acceptance_criteria: buildTaskAcceptanceCriteria(stageName, job, nextAction),
+      needs_split: taskIntent.needs_split,
+      confidence: taskIntent.confidence,
       status: taskStatus,
       summary: buildTaskSummaryLines(job, stageName, taskStatus, nextAction, taskRef),
       handoff: normalizedHandoff,
@@ -2529,6 +2662,12 @@ async function runStudioApplyCommand(options = {}, dependencies = {}) {
   const job = await loadJob(paths, jobId, fileSystem);
   ensureNotRolledBack(job, 'apply');
   ensureStagePrerequisite(job, 'apply', 'generate');
+  const leaseAuthResult = await ensureWriteAuthorization('studio:apply', options, {
+    projectPath,
+    fileSystem,
+    env: dependencies.env,
+    authSecret: dependencies.authSecret
+  });
   const authResult = await ensureStudioAuthorization('apply', options, {
     projectPath,
     fileSystem,
@@ -2564,14 +2703,22 @@ async function runStudioApplyCommand(options = {}, dependencies = {}) {
 
   ensureStageCompleted(job, 'apply', {
     patch_bundle_id: patchBundleId,
-    auth_required: authResult.required,
+    auth_required: authResult.required || leaseAuthResult.required,
+    auth_password_required: authResult.required,
+    auth_lease_required: leaseAuthResult.required,
+    auth_lease_id: leaseAuthResult.lease_id || null,
+    auth_lease_expires_at: leaseAuthResult.lease_expires_at || null,
     problem_evaluation: summarizeProblemEvaluation(applyProblemEvaluation)
   });
 
   await saveJob(paths, job, fileSystem);
   const applyEvent = await appendStudioEvent(paths, job, 'stage.apply.completed', {
     patch_bundle_id: patchBundleId,
-    auth_required: authResult.required,
+    auth_required: authResult.required || leaseAuthResult.required,
+    auth_password_required: authResult.required,
+    auth_lease_required: leaseAuthResult.required,
+    auth_lease_id: leaseAuthResult.lease_id || null,
+    auth_lease_expires_at: leaseAuthResult.lease_expires_at || null,
     problem_evaluation: summarizeProblemEvaluation(applyProblemEvaluation)
   }, fileSystem);
   await writeLatestJob(paths, jobId, fileSystem);
@@ -2758,6 +2905,12 @@ async function runStudioReleaseCommand(options = {}, dependencies = {}) {
   const job = await loadJob(paths, jobId, fileSystem);
   ensureNotRolledBack(job, 'release');
   ensureStagePrerequisite(job, 'release', 'verify');
+  const leaseAuthResult = await ensureWriteAuthorization('studio:release', options, {
+    projectPath,
+    fileSystem,
+    env: dependencies.env,
+    authSecret: dependencies.authSecret
+  });
   const authResult = await ensureStudioAuthorization('release', options, {
     projectPath,
     fileSystem,
@@ -2874,7 +3027,11 @@ async function runStudioReleaseCommand(options = {}, dependencies = {}) {
         passed: false,
         report: releaseReportPath,
         gate_steps: gateResult.steps,
-        auth_required: authResult.required,
+        auth_required: authResult.required || leaseAuthResult.required,
+        auth_password_required: authResult.required,
+        auth_lease_required: leaseAuthResult.required,
+        auth_lease_id: leaseAuthResult.lease_id || null,
+        auth_lease_expires_at: leaseAuthResult.lease_expires_at || null,
         problem_evaluation: summarizeProblemEvaluation(releaseProblemEvaluation),
         domain_chain: domainChainMetadata,
         auto_errorbook_records: autoErrorbookRecords
@@ -2885,7 +3042,11 @@ async function runStudioReleaseCommand(options = {}, dependencies = {}) {
       channel,
       release_ref: releaseRef,
       report: releaseReportPath,
-      auth_required: authResult.required,
+      auth_required: authResult.required || leaseAuthResult.required,
+      auth_password_required: authResult.required,
+      auth_lease_required: leaseAuthResult.required,
+      auth_lease_id: leaseAuthResult.lease_id || null,
+      auth_lease_expires_at: leaseAuthResult.lease_expires_at || null,
       problem_evaluation: summarizeProblemEvaluation(releaseProblemEvaluation),
       domain_chain: domainChainMetadata,
       auto_errorbook_records: autoErrorbookRecords
@@ -2900,7 +3061,11 @@ async function runStudioReleaseCommand(options = {}, dependencies = {}) {
     release_ref: releaseRef,
     report: releaseReportPath,
     gate_steps: gateResult.steps,
-    auth_required: authResult.required,
+    auth_required: authResult.required || leaseAuthResult.required,
+    auth_password_required: authResult.required,
+    auth_lease_required: leaseAuthResult.required,
+    auth_lease_id: leaseAuthResult.lease_id || null,
+    auth_lease_expires_at: leaseAuthResult.lease_expires_at || null,
     problem_evaluation: summarizeProblemEvaluation(releaseProblemEvaluation),
     domain_chain: domainChainMetadata,
     auto_errorbook_records: autoErrorbookRecords
@@ -2932,7 +3097,11 @@ async function runStudioReleaseCommand(options = {}, dependencies = {}) {
     channel,
     release_ref: releaseRef,
     report: releaseReportPath,
-    auth_required: authResult.required,
+    auth_required: authResult.required || leaseAuthResult.required,
+    auth_password_required: authResult.required,
+    auth_lease_required: leaseAuthResult.required,
+    auth_lease_id: leaseAuthResult.lease_id || null,
+    auth_lease_expires_at: leaseAuthResult.lease_expires_at || null,
     problem_evaluation: summarizeProblemEvaluation(releaseProblemEvaluation),
     domain_chain: domainChainMetadata,
     auto_errorbook_records: autoErrorbookRecords
@@ -2987,6 +3156,12 @@ async function runStudioRollbackCommand(options = {}, dependencies = {}) {
 
   const reason = normalizeString(options.reason) || 'manual-rollback';
   const job = await loadJob(paths, jobId, fileSystem);
+  const leaseAuthResult = await ensureWriteAuthorization('studio:rollback', options, {
+    projectPath,
+    fileSystem,
+    env: dependencies.env,
+    authSecret: dependencies.authSecret
+  });
   const authResult = await ensureStudioAuthorization('rollback', options, {
     projectPath,
     fileSystem,
@@ -3002,7 +3177,11 @@ async function runStudioRollbackCommand(options = {}, dependencies = {}) {
   job.rollback = {
     reason,
     rolled_back_at: job.updated_at,
-    auth_required: authResult.required
+    auth_required: authResult.required || leaseAuthResult.required,
+    auth_password_required: authResult.required,
+    auth_lease_required: leaseAuthResult.required,
+    auth_lease_id: leaseAuthResult.lease_id || null,
+    auth_lease_expires_at: leaseAuthResult.lease_expires_at || null
   };
 
   const sceneSessionId = normalizeString(job && job.session && job.session.scene_session_id);
@@ -3376,6 +3555,7 @@ function registerStudioCommands(program) {
     .command('apply')
     .description('Apply generated patch bundle metadata to studio job')
     .option('--patch-bundle <id>', 'Patch bundle identifier (defaults to generated artifact)')
+    .option('--auth-lease <lease-id>', 'Write authorization lease id (sce auth grant)')
     .option('--auth-password <password>', 'Authorization password for protected apply action')
     .option('--require-auth', 'Require authorization even when policy is advisory')
     .option('--job <job-id>', 'Studio job id (defaults to latest)')
@@ -3395,6 +3575,7 @@ function registerStudioCommands(program) {
     .description('Record release stage for studio job')
     .option('--channel <channel>', 'Release channel (dev|prod)', 'dev')
     .option('--profile <profile>', 'Release gate profile', 'standard')
+    .option('--auth-lease <lease-id>', 'Write authorization lease id (sce auth grant)')
     .option('--auth-password <password>', 'Authorization password for protected release action')
     .option('--require-auth', 'Require authorization even when policy is advisory')
     .option('--release-ref <ref>', 'Explicit release reference/tag')
@@ -3423,6 +3604,7 @@ function registerStudioCommands(program) {
     .description('Rollback a studio job after apply/release')
     .option('--job <job-id>', 'Studio job id (defaults to latest)')
     .option('--reason <reason>', 'Rollback reason')
+    .option('--auth-lease <lease-id>', 'Write authorization lease id (sce auth grant)')
     .option('--auth-password <password>', 'Authorization password for protected rollback action')
     .option('--require-auth', 'Require authorization even when policy is advisory')
     .option('--json', 'Print machine-readable JSON output')

package/lib/commands/task.js

@@ -11,6 +11,7 @@ const chalk = require('chalk');
 const TaskClaimer = require('../task/task-claimer');
 const WorkspaceManager = require('../workspace/workspace-manager');
 const { TaskRefRegistry } = require('../task/task-ref-registry');
+const { ensureWriteAuthorization } = require('../security/write-authorization');
 
 function normalizeString(value) {
   if (typeof value !== 'string') {
@@ -436,6 +437,17 @@ async function runTaskRerunCommand(options = {}, dependencies = {}) {
   if (!lookup) {
     throw new Error(`Task ref not found: ${taskRef}`);
   }
+  const writeAuthResult = dryRun
+    ? {
+      required: false,
+      passed: true
+    }
+    : await ensureWriteAuthorization('task:rerun', options, {
+      projectPath,
+      fileSystem,
+      env: dependencies.env,
+      authSecret: dependencies.authSecret
+    });
 
   if (isStudioTaskRef(lookup)) {
     const stage = resolveStudioStageFromTaskKey(lookup.task_key);
@@ -453,7 +465,12 @@ async function runTaskRerunCommand(options = {}, dependencies = {}) {
       stage,
       job_id: normalizeString(job?.job_id) || null,
       dry_run: dryRun,
-      command: stringifySceArgs(rerunPlan.args)
+      command: stringifySceArgs(rerunPlan.args),
+      authorization: {
+        required: writeAuthResult.required === true,
+        lease_id: writeAuthResult.lease_id || null,
+        lease_expires_at: writeAuthResult.lease_expires_at || null
+      }
     };
 
     if (!dryRun) {
@@ -486,7 +503,12 @@ async function runTaskRerunCommand(options = {}, dependencies = {}) {
     task_ref: lookup.task_ref,
     rerun_type: 'spec-task',
     dry_run: dryRun,
-    command: `sce task claim ${lookup.spec_id} ${lookup.task_key}`
+    command: `sce task claim ${lookup.spec_id} ${lookup.task_key}`,
+    authorization: {
+      required: writeAuthResult.required === true,
+      lease_id: writeAuthResult.lease_id || null,
+      lease_expires_at: writeAuthResult.lease_expires_at || null
+    }
   };
 
   if (!dryRun) {
@@ -734,6 +756,7 @@ function registerTaskCommands(program) {
     .description('Rerun task by hierarchical reference')
     .requiredOption('--ref <task-ref>', 'Task reference (SS.PP.TT)')
     .option('--dry-run', 'Preview rerun command without executing')
+    .option('--auth-lease <lease-id>', 'Write authorization lease id (sce auth grant)')
     .option('--from-chat <session>', 'Override session for studio plan rerun')
     .option('--job <job-id>', 'Override studio job id')
     .option('--profile <profile>', 'Override profile for studio verify/release rerun')