scene-capability-engine 3.6.2 → 3.6.3

package/CHANGELOG.md

@@ -7,6 +7,27 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [3.6.3] - 2026-03-05
+
+### Added
+- SQLite-backed write authorization lease flow:
+  - new policy baseline: `.sce/config/authorization-policy.json`
+  - new state tables: `auth_lease_registry`, `auth_event_stream`
+  - new commands:
+    - `sce auth grant`
+    - `sce auth status`
+    - `sce auth revoke`
+- New write-authorization module: `lib/security/write-authorization.js`.
+- New unit coverage:
+  - `tests/unit/security/write-authorization.test.js`
+  - `tests/unit/commands/auth.test.js`
+  - extended state-store auth lifecycle tests.
+
+### Changed
+- `studio apply/release/rollback` now support `--auth-lease <lease-id>` and can enforce lease-based write authorization.
+- `task rerun` now supports `--auth-lease <lease-id>` and can enforce lease-based write authorization on non-dry-run operations.
+- Authorization checks and lease audit events are persisted to `.sce/state/sce-state.sqlite`.
+
 ## [3.6.2] - 2026-03-04
 
 ### Changed

package/README.md

@@ -145,6 +145,11 @@ Studio task-stream output contract (default):
   - SQLite-only backend (`.sce/state/sce-state.sqlite`)
   - In-memory fallback only in `NODE_ENV=test` or when `SCE_STATE_ALLOW_MEMORY_FALLBACK=1`
   - Outside those conditions, unavailable SQLite support fails fast for task-ref/event persistence
+- Write authorization lease model (SQLite-backed):
+  - policy file: `.sce/config/authorization-policy.json`
+  - grant lease: `sce auth grant --scope studio:* --reason "<reason>" --auth-password <password> --json`
+  - inspect/revoke: `sce auth status --json` / `sce auth revoke --lease <lease-id> --json`
+  - protected writes accept `--auth-lease <lease-id>` on `studio apply/release/rollback` and `task rerun`
 
 ---
 
@@ -201,5 +206,5 @@ MIT. See [LICENSE](LICENSE).
 
 ---
 
-**Version**: 3.6.2  
-**Last Updated**: 2026-03-04
+**Version**: 3.6.3  
+**Last Updated**: 2026-03-05

package/README.zh.md

@@ -145,6 +145,11 @@ Studio 任务流输出契约（默认）：
   - 仅支持 SQLite 后端（`.sce/state/sce-state.sqlite`）
   - 仅在 `NODE_ENV=test` 或 `SCE_STATE_ALLOW_MEMORY_FALLBACK=1` 时允许内存回退
   - 在上述条件之外若 SQLite 不可用，任务引用/事件持久化会快速失败
+- 写入授权租约模型（SQLite 持久化）：
+  - 策略文件：`.sce/config/authorization-policy.json`
+  - 申请租约：`sce auth grant --scope studio:* --reason "<原因>" --auth-password <密码> --json`
+  - 查看/撤销：`sce auth status --json` / `sce auth revoke --lease <lease-id> --json`
+  - 受保护写操作支持 `--auth-lease <lease-id>`：`studio apply/release/rollback`、`task rerun`
 
 ---
 
@@ -201,5 +206,5 @@ MIT，见 [LICENSE](LICENSE)。
 
 ---
 
-**版本**：3.6.2  
-**最后更新**：2026-03-04
+**版本**：3.6.3  
+**最后更新**：2026-03-05

package/bin/scene-capability-engine.js

@@ -24,6 +24,7 @@ const { registerSpecRelatedCommand } = require('../lib/commands/spec-related');
 const { registerTimelineCommands } = require('../lib/commands/timeline');
 const { registerValueCommands } = require('../lib/commands/value');
 const { registerTaskCommands } = require('../lib/commands/task');
+const { registerAuthCommands } = require('../lib/commands/auth');
 const VersionChecker = require('../lib/version/version-checker');
 const {
   findLegacyKiroDirectories,
@@ -945,6 +946,7 @@ registerOrchestrateCommands(program);
 // Value realization and observability commands
 registerValueCommands(program);
 registerTaskCommands(program);
+registerAuthCommands(program);
 
 // Template management commands
 const templatesCommand = require('../lib/commands/templates');

package/docs/command-reference.md

@@ -552,6 +552,8 @@ sce studio generate --scene scene.customer-order-inventory --target 331 --json
 
 # Apply generated patch metadata
 sce studio apply --patch-bundle patch-scene.customer-order-inventory-<timestamp> --json
+# Apply with explicit write lease
+sce studio apply --job <job-id> --auth-lease <lease-id> --json
 
 # Record verification result
 sce studio verify --profile standard --json
@@ -560,6 +562,8 @@ sce studio verify --profile strict --json
 # Record release event
 sce studio release --channel dev --profile standard --json
 sce studio release --channel dev --profile strict --json
+# Release with explicit write lease
+sce studio release --job <job-id> --channel dev --auth-lease <lease-id> --json
 
 # Resume from latest or explicit job
 sce studio resume --job <job-id> --json
@@ -571,6 +575,8 @@ sce studio events --job <job-id> --openhands-events ./openhands-events.json --js
 
 # Rollback a job after apply/release
 sce studio rollback --job <job-id> --reason "manual-check-failed" --json
+# Rollback with explicit write lease
+sce studio rollback --job <job-id> --reason "manual-check-failed" --auth-lease <lease-id> --json
 
 # Build scene-organized spec governance portfolio
 sce studio portfolio --json
@@ -583,6 +589,11 @@ sce studio backfill-spec-scenes --scene scene.unassigned --limit 20 --apply --js
 
 # Enforce authorization for a protected action
 SCE_STUDIO_REQUIRE_AUTH=1 SCE_STUDIO_AUTH_PASSWORD=top-secret sce studio apply --job <job-id> --auth-password top-secret --json
+
+# Grant/review/revoke write lease (stored in .sce/state/sce-state.sqlite)
+SCE_AUTH_PASSWORD=top-secret sce auth grant --scope studio:* --reason "maintenance window" --auth-password top-secret --json
+sce auth status --json
+sce auth revoke --lease <lease-id> --reason "window closed" --json
 ```
 
 Studio JSON output now includes a stable UI-oriented task stream contract (in addition to existing `job_*` fields):
@@ -689,6 +700,34 @@ Default policy file (recommended to commit): `.sce/config/studio-security.json`
 }
 ```
 
+Write lease model (optional, policy-driven, SQLite-backed):
+- Policy file: `.sce/config/authorization-policy.json`
+- Lease/event persistence: `.sce/state/sce-state.sqlite` (`auth_lease_registry`, `auth_event_stream`)
+- Default protected actions: `studio:apply`, `studio:release`, `studio:rollback`, `task:rerun`
+- Default lease TTL: 15 minutes (`default_ttl_minutes`)
+- Write commands accept `--auth-lease <lease-id>`
+- Policy env overrides:
+  - `SCE_AUTH_REQUIRE_LEASE=1`
+  - `SCE_AUTH_PASSWORD_ENV=<ENV_NAME>`
+  - `SCE_AUTH_ENFORCE_ACTIONS=studio:apply,task:rerun`
+
+Default write authorization policy (recommended to commit): `.sce/config/authorization-policy.json`
+
+```json
+{
+  "enabled": false,
+  "enforce_actions": ["studio:apply", "studio:release", "studio:rollback", "task:rerun"],
+  "default_ttl_minutes": 15,
+  "max_ttl_minutes": 120,
+  "require_password_for_grant": true,
+  "require_password_for_revoke": false,
+  "password_env": "SCE_AUTH_PASSWORD",
+  "default_scope": ["project:*"],
+  "allow_test_bypass": true,
+  "allow_password_as_inline_lease": false
+}
+```
+
 Studio intake policy file (default, recommended to commit): `.sce/config/studio-intake-policy.json`
 
 ```json

package/lib/commands/auth.js

@@ -0,0 +1,269 @@
+const chalk = require('chalk');
+const fs = require('fs-extra');
+const {
+  grantWriteAuthorizationLease,
+  revokeWriteAuthorizationLease,
+  collectWriteAuthorizationStatus,
+  getWriteAuthorizationLease
+} = require('../security/write-authorization');
+
+function normalizeString(value) {
+  if (typeof value !== 'string') {
+    return '';
+  }
+  return value.trim();
+}
+
+function normalizeInteger(value, fallback = 0) {
+  const parsed = Number.parseInt(`${value}`, 10);
+  if (!Number.isFinite(parsed) || parsed <= 0) {
+    return fallback;
+  }
+  return parsed;
+}
+
+function normalizeScopeInput(value) {
+  if (Array.isArray(value)) {
+    return value;
+  }
+  const text = normalizeString(value);
+  if (!text) {
+    return [];
+  }
+  return text.split(/[,\s]+/g).map((item) => normalizeString(item)).filter(Boolean);
+}
+
+function printAuthPayload(payload, options = {}) {
+  if (options.json) {
+    console.log(JSON.stringify(payload, null, 2));
+    return;
+  }
+
+  const mode = normalizeString(payload.mode);
+  if (mode === 'auth-grant') {
+    console.log(chalk.blue(`Auth lease granted: ${payload.lease.lease_id}`));
+    console.log(`  Subject: ${payload.lease.subject}`);
+    console.log(`  Role: ${payload.lease.role}`);
+    console.log(`  Scope: ${(payload.lease.scope || []).join(', ') || 'n/a'}`);
+    console.log(`  Expires: ${payload.lease.expires_at || 'n/a'}`);
+    console.log(`  Store: ${payload.store_path || 'n/a'}`);
+    return;
+  }
+
+  if (mode === 'auth-revoke') {
+    console.log(chalk.blue(`Auth lease revoked: ${payload.lease.lease_id}`));
+    console.log(`  Subject: ${payload.lease.subject}`);
+    console.log(`  Revoked at: ${payload.lease.revoked_at || 'n/a'}`);
+    console.log(`  Store: ${payload.store_path || 'n/a'}`);
+    return;
+  }
+
+  if (mode === 'auth-status') {
+    if (payload.lease) {
+      console.log(chalk.blue(`Auth lease: ${payload.lease.lease_id}`));
+      console.log(`  Subject: ${payload.lease.subject}`);
+      console.log(`  Role: ${payload.lease.role}`);
+      console.log(`  Scope: ${(payload.lease.scope || []).join(', ') || 'n/a'}`);
+      console.log(`  Expires: ${payload.lease.expires_at || 'n/a'}`);
+      console.log(`  Revoked: ${payload.lease.revoked_at || 'no'}`);
+    } else {
+      console.log(chalk.blue('Auth lease status'));
+      console.log(`  Active leases: ${payload.summary.active_lease_count}`);
+      console.log(`  Events: ${payload.summary.event_count}`);
+    }
+    console.log(`  Store: ${payload.store_path || 'n/a'}`);
+  }
+}
+
+async function runAuthGrantCommand(options = {}, dependencies = {}) {
+  const projectPath = dependencies.projectPath || process.cwd();
+  const fileSystem = dependencies.fileSystem || fs;
+  const env = dependencies.env || process.env;
+
+  const granted = await grantWriteAuthorizationLease({
+    subject: options.subject,
+    role: options.role,
+    scope: normalizeScopeInput(options.scope),
+    ttlMinutes: normalizeInteger(options.ttlMinutes, 15),
+    reason: options.reason,
+    authPassword: options.authPassword,
+    actor: options.actor,
+    metadata: {
+      source: 'sce auth grant'
+    }
+  }, {
+    projectPath,
+    fileSystem,
+    env,
+    authSecret: dependencies.authSecret
+  });
+
+  const payload = {
+    mode: 'auth-grant',
+    success: true,
+    policy: granted.policy,
+    policy_path: granted.policy_path,
+    lease: granted.lease,
+    store_path: granted.store_path
+  };
+
+  printAuthPayload(payload, options);
+  return payload;
+}
+
+async function runAuthStatusCommand(options = {}, dependencies = {}) {
+  const projectPath = dependencies.projectPath || process.cwd();
+  const fileSystem = dependencies.fileSystem || fs;
+  const env = dependencies.env || process.env;
+  const leaseId = normalizeString(options.lease);
+
+  if (leaseId) {
+    const [status, lease] = await Promise.all([
+      collectWriteAuthorizationStatus({
+        activeOnly: options.all !== true,
+        limit: normalizeInteger(options.limit, 20),
+        eventsLimit: normalizeInteger(options.eventsLimit, 20)
+      }, {
+        projectPath,
+        fileSystem,
+        env
+      }),
+      getWriteAuthorizationLease(leaseId, {
+        projectPath,
+        fileSystem,
+        env
+      })
+    ]);
+
+    const payload = {
+      mode: 'auth-status',
+      success: true,
+      policy: status.policy,
+      policy_path: status.policy_path,
+      lease: lease || null,
+      summary: {
+        active_lease_count: Array.isArray(status.leases) ? status.leases.length : 0,
+        event_count: Array.isArray(status.events) ? status.events.length : 0
+      },
+      events: Array.isArray(status.events) ? status.events : [],
+      store_path: status.store_path
+    };
+    printAuthPayload(payload, options);
+    return payload;
+  }
+
+  const status = await collectWriteAuthorizationStatus({
+    activeOnly: options.all !== true,
+    limit: normalizeInteger(options.limit, 20),
+    eventsLimit: normalizeInteger(options.eventsLimit, 20)
+  }, {
+    projectPath,
+    fileSystem,
+    env
+  });
+
+  const payload = {
+    mode: 'auth-status',
+    success: true,
+    policy: status.policy,
+    policy_path: status.policy_path,
+    leases: Array.isArray(status.leases) ? status.leases : [],
+    events: Array.isArray(status.events) ? status.events : [],
+    summary: {
+      active_lease_count: Array.isArray(status.leases) ? status.leases.length : 0,
+      event_count: Array.isArray(status.events) ? status.events.length : 0
+    },
+    store_path: status.store_path
+  };
+
+  printAuthPayload(payload, options);
+  return payload;
+}
+
+async function runAuthRevokeCommand(options = {}, dependencies = {}) {
+  const leaseId = normalizeString(options.lease);
+  if (!leaseId) {
+    throw new Error('--lease is required');
+  }
+
+  const projectPath = dependencies.projectPath || process.cwd();
+  const fileSystem = dependencies.fileSystem || fs;
+  const env = dependencies.env || process.env;
+
+  const revoked = await revokeWriteAuthorizationLease(leaseId, {
+    authPassword: options.authPassword,
+    reason: options.reason,
+    actor: options.actor
+  }, {
+    projectPath,
+    fileSystem,
+    env,
+    authSecret: dependencies.authSecret
+  });
+
+  const payload = {
+    mode: 'auth-revoke',
+    success: true,
+    policy: revoked.policy,
+    policy_path: revoked.policy_path,
+    lease: revoked.lease,
+    store_path: revoked.store_path
+  };
+
+  printAuthPayload(payload, options);
+  return payload;
+}
+
+function runAuthCommand(handler, options = {}, context = 'auth') {
+  Promise.resolve(handler(options))
+    .catch((error) => {
+      console.error(chalk.red(`${context} failed: ${error.message}`));
+      process.exitCode = 1;
+    });
+}
+
+function registerAuthCommands(program) {
+  const auth = program
+    .command('auth')
+    .description('Manage temporary write authorization leases');
+
+  auth
+    .command('grant')
+    .description('Grant a write authorization lease (persisted in sqlite)')
+    .option('--subject <subject>', 'Lease subject (default: current user)')
+    .option('--role <role>', 'Subject role', 'maintainer')
+    .option('--scope <scope>', 'Scope list, comma-separated (example: studio:*,task:rerun)')
+    .option('--ttl-minutes <minutes>', 'Lease TTL in minutes', '15')
+    .option('--reason <reason>', 'Grant reason')
+    .option('--actor <actor>', 'Audit actor override')
+    .option('--auth-password <password>', 'Authorization password for grant policy')
+    .option('--json', 'Print machine-readable JSON output')
+    .action((options) => runAuthCommand(runAuthGrantCommand, options, 'auth grant'));
+
+  auth
+    .command('status')
+    .description('Show current authorization lease and event status from sqlite')
+    .option('--lease <lease-id>', 'Inspect one lease id')
+    .option('--all', 'Include inactive/revoked leases')
+    .option('--limit <n>', 'Lease result limit', '20')
+    .option('--events-limit <n>', 'Auth event result limit', '20')
+    .option('--json', 'Print machine-readable JSON output')
+    .action((options) => runAuthCommand(runAuthStatusCommand, options, 'auth status'));
+
+  auth
+    .command('revoke')
+    .description('Revoke a write authorization lease')
+    .requiredOption('--lease <lease-id>', 'Lease id')
+    .option('--reason <reason>', 'Revoke reason')
+    .option('--actor <actor>', 'Audit actor override')
+    .option('--auth-password <password>', 'Authorization password for revoke policy')
+    .option('--json', 'Print machine-readable JSON output')
+    .action((options) => runAuthCommand(runAuthRevokeCommand, options, 'auth revoke'));
+}
+
+module.exports = {
+  runAuthGrantCommand,
+  runAuthStatusCommand,
+  runAuthRevokeCommand,
+  registerAuthCommands
+};

package/lib/commands/studio.js

@@ -13,6 +13,7 @@ const { captureTimelineCheckpoint } = require('../runtime/project-timeline');
 const { runProblemEvaluation } = require('../problem/problem-evaluator');
 const { TaskRefRegistry } = require('../task/task-ref-registry');
 const { getSceStateStore } = require('../state/sce-state-store');
+const { ensureWriteAuthorization } = require('../security/write-authorization');
 const {
   loadStudioIntakePolicy,
   runStudioAutoIntake,
@@ -2661,6 +2662,12 @@ async function runStudioApplyCommand(options = {}, dependencies = {}) {
   const job = await loadJob(paths, jobId, fileSystem);
   ensureNotRolledBack(job, 'apply');
   ensureStagePrerequisite(job, 'apply', 'generate');
+  const leaseAuthResult = await ensureWriteAuthorization('studio:apply', options, {
+    projectPath,
+    fileSystem,
+    env: dependencies.env,
+    authSecret: dependencies.authSecret
+  });
   const authResult = await ensureStudioAuthorization('apply', options, {
     projectPath,
     fileSystem,
@@ -2696,14 +2703,22 @@ async function runStudioApplyCommand(options = {}, dependencies = {}) {
 
   ensureStageCompleted(job, 'apply', {
     patch_bundle_id: patchBundleId,
-    auth_required: authResult.required,
+    auth_required: authResult.required || leaseAuthResult.required,
+    auth_password_required: authResult.required,
+    auth_lease_required: leaseAuthResult.required,
+    auth_lease_id: leaseAuthResult.lease_id || null,
+    auth_lease_expires_at: leaseAuthResult.lease_expires_at || null,
     problem_evaluation: summarizeProblemEvaluation(applyProblemEvaluation)
   });
 
   await saveJob(paths, job, fileSystem);
   const applyEvent = await appendStudioEvent(paths, job, 'stage.apply.completed', {
     patch_bundle_id: patchBundleId,
-    auth_required: authResult.required,
+    auth_required: authResult.required || leaseAuthResult.required,
+    auth_password_required: authResult.required,
+    auth_lease_required: leaseAuthResult.required,
+    auth_lease_id: leaseAuthResult.lease_id || null,
+    auth_lease_expires_at: leaseAuthResult.lease_expires_at || null,
     problem_evaluation: summarizeProblemEvaluation(applyProblemEvaluation)
   }, fileSystem);
   await writeLatestJob(paths, jobId, fileSystem);
@@ -2890,6 +2905,12 @@ async function runStudioReleaseCommand(options = {}, dependencies = {}) {
   const job = await loadJob(paths, jobId, fileSystem);
   ensureNotRolledBack(job, 'release');
   ensureStagePrerequisite(job, 'release', 'verify');
+  const leaseAuthResult = await ensureWriteAuthorization('studio:release', options, {
+    projectPath,
+    fileSystem,
+    env: dependencies.env,
+    authSecret: dependencies.authSecret
+  });
   const authResult = await ensureStudioAuthorization('release', options, {
     projectPath,
     fileSystem,
@@ -3006,7 +3027,11 @@ async function runStudioReleaseCommand(options = {}, dependencies = {}) {
         passed: false,
         report: releaseReportPath,
         gate_steps: gateResult.steps,
-        auth_required: authResult.required,
+        auth_required: authResult.required || leaseAuthResult.required,
+        auth_password_required: authResult.required,
+        auth_lease_required: leaseAuthResult.required,
+        auth_lease_id: leaseAuthResult.lease_id || null,
+        auth_lease_expires_at: leaseAuthResult.lease_expires_at || null,
         problem_evaluation: summarizeProblemEvaluation(releaseProblemEvaluation),
         domain_chain: domainChainMetadata,
         auto_errorbook_records: autoErrorbookRecords
@@ -3017,7 +3042,11 @@ async function runStudioReleaseCommand(options = {}, dependencies = {}) {
       channel,
       release_ref: releaseRef,
       report: releaseReportPath,
-      auth_required: authResult.required,
+      auth_required: authResult.required || leaseAuthResult.required,
+      auth_password_required: authResult.required,
+      auth_lease_required: leaseAuthResult.required,
+      auth_lease_id: leaseAuthResult.lease_id || null,
+      auth_lease_expires_at: leaseAuthResult.lease_expires_at || null,
       problem_evaluation: summarizeProblemEvaluation(releaseProblemEvaluation),
       domain_chain: domainChainMetadata,
       auto_errorbook_records: autoErrorbookRecords
@@ -3032,7 +3061,11 @@ async function runStudioReleaseCommand(options = {}, dependencies = {}) {
     release_ref: releaseRef,
     report: releaseReportPath,
     gate_steps: gateResult.steps,
-    auth_required: authResult.required,
+    auth_required: authResult.required || leaseAuthResult.required,
+    auth_password_required: authResult.required,
+    auth_lease_required: leaseAuthResult.required,
+    auth_lease_id: leaseAuthResult.lease_id || null,
+    auth_lease_expires_at: leaseAuthResult.lease_expires_at || null,
     problem_evaluation: summarizeProblemEvaluation(releaseProblemEvaluation),
     domain_chain: domainChainMetadata,
     auto_errorbook_records: autoErrorbookRecords
@@ -3064,7 +3097,11 @@ async function runStudioReleaseCommand(options = {}, dependencies = {}) {
     channel,
     release_ref: releaseRef,
     report: releaseReportPath,
-    auth_required: authResult.required,
+    auth_required: authResult.required || leaseAuthResult.required,
+    auth_password_required: authResult.required,
+    auth_lease_required: leaseAuthResult.required,
+    auth_lease_id: leaseAuthResult.lease_id || null,
+    auth_lease_expires_at: leaseAuthResult.lease_expires_at || null,
     problem_evaluation: summarizeProblemEvaluation(releaseProblemEvaluation),
     domain_chain: domainChainMetadata,
     auto_errorbook_records: autoErrorbookRecords
@@ -3119,6 +3156,12 @@ async function runStudioRollbackCommand(options = {}, dependencies = {}) {
 
   const reason = normalizeString(options.reason) || 'manual-rollback';
   const job = await loadJob(paths, jobId, fileSystem);
+  const leaseAuthResult = await ensureWriteAuthorization('studio:rollback', options, {
+    projectPath,
+    fileSystem,
+    env: dependencies.env,
+    authSecret: dependencies.authSecret
+  });
   const authResult = await ensureStudioAuthorization('rollback', options, {
     projectPath,
     fileSystem,
@@ -3134,7 +3177,11 @@ async function runStudioRollbackCommand(options = {}, dependencies = {}) {
   job.rollback = {
     reason,
     rolled_back_at: job.updated_at,
-    auth_required: authResult.required
+    auth_required: authResult.required || leaseAuthResult.required,
+    auth_password_required: authResult.required,
+    auth_lease_required: leaseAuthResult.required,
+    auth_lease_id: leaseAuthResult.lease_id || null,
+    auth_lease_expires_at: leaseAuthResult.lease_expires_at || null
   };
 
   const sceneSessionId = normalizeString(job && job.session && job.session.scene_session_id);
@@ -3508,6 +3555,7 @@ function registerStudioCommands(program) {
     .command('apply')
     .description('Apply generated patch bundle metadata to studio job')
     .option('--patch-bundle <id>', 'Patch bundle identifier (defaults to generated artifact)')
+    .option('--auth-lease <lease-id>', 'Write authorization lease id (sce auth grant)')
     .option('--auth-password <password>', 'Authorization password for protected apply action')
     .option('--require-auth', 'Require authorization even when policy is advisory')
     .option('--job <job-id>', 'Studio job id (defaults to latest)')
@@ -3527,6 +3575,7 @@ function registerStudioCommands(program) {
     .description('Record release stage for studio job')
     .option('--channel <channel>', 'Release channel (dev|prod)', 'dev')
     .option('--profile <profile>', 'Release gate profile', 'standard')
+    .option('--auth-lease <lease-id>', 'Write authorization lease id (sce auth grant)')
     .option('--auth-password <password>', 'Authorization password for protected release action')
     .option('--require-auth', 'Require authorization even when policy is advisory')
     .option('--release-ref <ref>', 'Explicit release reference/tag')
@@ -3555,6 +3604,7 @@ function registerStudioCommands(program) {
     .description('Rollback a studio job after apply/release')
     .option('--job <job-id>', 'Studio job id (defaults to latest)')
     .option('--reason <reason>', 'Rollback reason')
+    .option('--auth-lease <lease-id>', 'Write authorization lease id (sce auth grant)')
     .option('--auth-password <password>', 'Authorization password for protected rollback action')
     .option('--require-auth', 'Require authorization even when policy is advisory')
     .option('--json', 'Print machine-readable JSON output')

package/lib/commands/task.js

@@ -11,6 +11,7 @@ const chalk = require('chalk');
 const TaskClaimer = require('../task/task-claimer');
 const WorkspaceManager = require('../workspace/workspace-manager');
 const { TaskRefRegistry } = require('../task/task-ref-registry');
+const { ensureWriteAuthorization } = require('../security/write-authorization');
 
 function normalizeString(value) {
   if (typeof value !== 'string') {
@@ -436,6 +437,17 @@ async function runTaskRerunCommand(options = {}, dependencies = {}) {
   if (!lookup) {
     throw new Error(`Task ref not found: ${taskRef}`);
   }
+  const writeAuthResult = dryRun
+    ? {
+      required: false,
+      passed: true
+    }
+    : await ensureWriteAuthorization('task:rerun', options, {
+      projectPath,
+      fileSystem,
+      env: dependencies.env,
+      authSecret: dependencies.authSecret
+    });
 
   if (isStudioTaskRef(lookup)) {
     const stage = resolveStudioStageFromTaskKey(lookup.task_key);
@@ -453,7 +465,12 @@ async function runTaskRerunCommand(options = {}, dependencies = {}) {
       stage,
       job_id: normalizeString(job?.job_id) || null,
       dry_run: dryRun,
-      command: stringifySceArgs(rerunPlan.args)
+      command: stringifySceArgs(rerunPlan.args),
+      authorization: {
+        required: writeAuthResult.required === true,
+        lease_id: writeAuthResult.lease_id || null,
+        lease_expires_at: writeAuthResult.lease_expires_at || null
+      }
     };
 
     if (!dryRun) {
@@ -486,7 +503,12 @@ async function runTaskRerunCommand(options = {}, dependencies = {}) {
     task_ref: lookup.task_ref,
     rerun_type: 'spec-task',
     dry_run: dryRun,
-    command: `sce task claim ${lookup.spec_id} ${lookup.task_key}`
+    command: `sce task claim ${lookup.spec_id} ${lookup.task_key}`,
+    authorization: {
+      required: writeAuthResult.required === true,
+      lease_id: writeAuthResult.lease_id || null,
+      lease_expires_at: writeAuthResult.lease_expires_at || null
+    }
   };
 
   if (!dryRun) {
@@ -734,6 +756,7 @@ function registerTaskCommands(program) {
     .description('Rerun task by hierarchical reference')
     .requiredOption('--ref <task-ref>', 'Task reference (SS.PP.TT)')
     .option('--dry-run', 'Preview rerun command without executing')
+    .option('--auth-lease <lease-id>', 'Write authorization lease id (sce auth grant)')
     .option('--from-chat <session>', 'Override session for studio plan rerun')
     .option('--job <job-id>', 'Override studio job id')
     .option('--profile <profile>', 'Override profile for studio verify/release rerun')