scene-capability-engine 3.6.2 → 3.6.4

package/lib/commands/session.js

@@ -102,7 +102,32 @@ function registerSessionCommands(program) {
       try {
         const store = new SessionStore(process.cwd());
         const current = await store.getSession(sessionRef || 'latest');
-        _printSessionResult('session_show', current, options.json);
+        const sceneIndex = await store.getSceneIndexDiagnostics();
+        _printSessionResult('session_show', current, options.json, {
+          session_source: 'file',
+          scene_index: sceneIndex
+        });
+      } catch (error) {
+        _exitWithError(error, options.json);
+      }
+    });
+
+  session
+    .command('list')
+    .description('List recent sessions')
+    .option('--limit <n>', 'Maximum sessions to return', '20')
+    .option('--json', 'Output as JSON')
+    .action(async (options) => {
+      try {
+        const store = new SessionStore(process.cwd());
+        const limitRaw = Number.parseInt(`${options.limit || '20'}`, 10);
+        const limit = Number.isFinite(limitRaw) && limitRaw > 0 ? Math.min(limitRaw, 5000) : 20;
+        const sessions = await store.listSessions();
+        const sceneIndex = await store.getSceneIndexDiagnostics();
+        _printSessionListResult('session_list', sessions.slice(0, limit), options.json, {
+          session_source: 'file',
+          scene_index: sceneIndex
+        });
       } catch (error) {
         _exitWithError(error, options.json);
       }
@@ -120,12 +145,13 @@ function _parsePayload(raw) {
   }
 }
 
-function _printSessionResult(action, session, asJson = false) {
+function _printSessionResult(action, session, asJson = false, metadata = {}) {
   if (asJson) {
     console.log(JSON.stringify({
       success: true,
       action,
       session,
+      ...metadata
     }, null, 2));
     return;
   }
@@ -147,6 +173,38 @@ function _printSessionResult(action, session, asJson = false) {
   if (session.objective) {
     console.log(chalk.gray(`Objective: ${session.objective}`));
   }
+  if (metadata.session_source) {
+    console.log(chalk.gray(`Session source: ${metadata.session_source}`));
+  }
+  if (metadata.scene_index && metadata.scene_index.status) {
+    console.log(chalk.gray(`Scene index consistency: ${metadata.scene_index.status}`));
+  }
+}
+
+function _printSessionListResult(action, sessions, asJson = false, metadata = {}) {
+  if (asJson) {
+    console.log(JSON.stringify({
+      success: true,
+      action,
+      total: Array.isArray(sessions) ? sessions.length : 0,
+      sessions: Array.isArray(sessions) ? sessions : [],
+      ...metadata
+    }, null, 2));
+    return;
+  }
+
+  console.log(chalk.green('✓ Sessions listed'));
+  const list = Array.isArray(sessions) ? sessions : [];
+  console.log(chalk.gray(`Total: ${list.length}`));
+  if (metadata.session_source) {
+    console.log(chalk.gray(`Session source: ${metadata.session_source}`));
+  }
+  if (metadata.scene_index && metadata.scene_index.status) {
+    console.log(chalk.gray(`Scene index consistency: ${metadata.scene_index.status}`));
+  }
+  for (const session of list) {
+    console.log(`- ${session.session_id} | ${session.status} | ${session.updated_at || session.started_at || 'n/a'}`);
+  }
 }
 
 function _exitWithError(error, asJson = false) {

package/lib/commands/state.js

@@ -0,0 +1,210 @@
+const path = require('path');
+const chalk = require('chalk');
+const fs = require('fs-extra');
+const {
+  COMPONENT_DEFINITIONS,
+  buildStateMigrationPlan,
+  runStateMigration,
+  runStateDoctor,
+  runStateExport
+} = require('../state/state-migration-manager');
+
+function normalizeString(value) {
+  if (typeof value !== 'string') {
+    return '';
+  }
+  return value.trim();
+}
+
+function collectOptionValue(value, previous = []) {
+  const normalized = normalizeString(value);
+  if (!normalized) {
+    return previous;
+  }
+  return [...previous, normalized];
+}
+
+function normalizeComponentInput(value = []) {
+  if (!Array.isArray(value)) {
+    return [];
+  }
+  const items = [];
+  for (const entry of value) {
+    const normalized = normalizeString(entry);
+    if (!normalized) {
+      continue;
+    }
+    for (const token of normalized.split(/[,\s]+/g)) {
+      const cleaned = normalizeString(token);
+      if (cleaned) {
+        items.push(cleaned);
+      }
+    }
+  }
+  return Array.from(new Set(items));
+}
+
+function printPayload(payload, options = {}, title = 'State') {
+  if (options.json) {
+    console.log(JSON.stringify(payload, null, 2));
+    return;
+  }
+
+  console.log(chalk.blue(title));
+  if (payload.mode) {
+    console.log(`  Mode: ${payload.mode}`);
+  }
+  if (payload.store_path) {
+    console.log(`  Store: ${payload.store_path}`);
+  }
+  if (payload.sqlite) {
+    console.log(`  SQLite: configured=${payload.sqlite.configured ? 'yes' : 'no'} available=${payload.sqlite.available ? 'yes' : 'no'}`);
+  }
+  if (payload.summary && typeof payload.summary === 'object') {
+    for (const [key, value] of Object.entries(payload.summary)) {
+      console.log(`  ${key}: ${value}`);
+    }
+  }
+  if (Array.isArray(payload.components)) {
+    for (const item of payload.components) {
+      console.log(`  - ${item.id} | source=${item.source_record_count} | status=${item.status}`);
+    }
+  }
+  if (Array.isArray(payload.operations)) {
+    for (const item of payload.operations) {
+      console.log(`  - ${item.component_id} | ${item.status} | source=${item.source_record_count}`);
+    }
+  }
+  if (payload.out_file) {
+    console.log(`  Export: ${payload.out_file}`);
+  }
+}
+
+async function runStatePlanCommand(options = {}, dependencies = {}) {
+  const projectPath = dependencies.projectPath || process.cwd();
+  const fileSystem = dependencies.fileSystem || fs;
+  const env = dependencies.env || process.env;
+  const components = normalizeComponentInput(options.component);
+
+  const payload = await buildStateMigrationPlan({
+    componentIds: components
+  }, {
+    projectPath,
+    fileSystem,
+    env
+  });
+  printPayload(payload, options, 'State Plan');
+  return payload;
+}
+
+async function runStateDoctorCommand(options = {}, dependencies = {}) {
+  const projectPath = dependencies.projectPath || process.cwd();
+  const fileSystem = dependencies.fileSystem || fs;
+  const env = dependencies.env || process.env;
+
+  const payload = await runStateDoctor({}, {
+    projectPath,
+    fileSystem,
+    env
+  });
+  printPayload(payload, options, 'State Doctor');
+  return payload;
+}
+
+async function runStateMigrateCommand(options = {}, dependencies = {}) {
+  const projectPath = dependencies.projectPath || process.cwd();
+  const fileSystem = dependencies.fileSystem || fs;
+  const env = dependencies.env || process.env;
+  const components = normalizeComponentInput(options.component);
+  const componentIds = options.all === true ? [] : components;
+
+  const payload = await runStateMigration({
+    apply: options.apply === true,
+    all: options.all === true,
+    componentIds
+  }, {
+    projectPath,
+    fileSystem,
+    env
+  });
+  printPayload(payload, options, 'State Migrate');
+  return payload;
+}
+
+async function runStateExportCommand(options = {}, dependencies = {}) {
+  const projectPath = dependencies.projectPath || process.cwd();
+  const fileSystem = dependencies.fileSystem || fs;
+  const env = dependencies.env || process.env;
+
+  const payload = await runStateExport({
+    out: normalizeString(options.out)
+  }, {
+    projectPath,
+    fileSystem,
+    env
+  });
+  printPayload(payload, options, 'State Export');
+  return payload;
+}
+
+async function safeRun(handler, options = {}, dependencies = {}, title = 'state command') {
+  try {
+    await handler(options, dependencies);
+  } catch (error) {
+    if (options && options.json) {
+      console.log(JSON.stringify({
+        success: false,
+        mode: title.replace(/\s+/g, '-'),
+        error: error.message
+      }, null, 2));
+    } else {
+      console.error(chalk.red(`${title} failed:`), error.message);
+    }
+    process.exitCode = 1;
+  }
+}
+
+function registerStateCommands(program) {
+  const state = program
+    .command('state')
+    .description('Manage gradual migration from file registries to sqlite indexes');
+
+  const knownIds = COMPONENT_DEFINITIONS.map((item) => item.id).join(', ');
+
+  state
+    .command('plan')
+    .description('Inspect migratable file-based registries and produce migration plan')
+    .option('--component <id>', `Component id (repeatable): ${knownIds}`, collectOptionValue, [])
+    .option('--json', 'Print machine-readable JSON output')
+    .action(async (options) => safeRun(runStatePlanCommand, options, {}, 'state plan'));
+
+  state
+    .command('doctor')
+    .description('Check sqlite readiness and file/sqlite index consistency')
+    .option('--json', 'Print machine-readable JSON output')
+    .action(async (options) => safeRun(runStateDoctorCommand, options, {}, 'state doctor'));
+
+  state
+    .command('migrate')
+    .description('Migrate selected components to sqlite indexes (dry-run by default)')
+    .option('--component <id>', `Component id (repeatable): ${knownIds}`, collectOptionValue, [])
+    .option('--all', 'Migrate all known components')
+    .option('--apply', 'Apply migration writes (default is dry-run)')
+    .option('--json', 'Print machine-readable JSON output')
+    .action(async (options) => safeRun(runStateMigrateCommand, options, {}, 'state migrate'));
+
+  state
+    .command('export')
+    .description('Export sqlite state migration tables as JSON snapshot')
+    .option('--out <path>', 'Output file path', '.sce/reports/state-migration/state-export.latest.json')
+    .option('--json', 'Print machine-readable JSON output')
+    .action(async (options) => safeRun(runStateExportCommand, options, {}, 'state export'));
+}
+
+module.exports = {
+  runStatePlanCommand,
+  runStateDoctorCommand,
+  runStateMigrateCommand,
+  runStateExportCommand,
+  registerStateCommands
+};

package/lib/commands/studio.js

@@ -13,6 +13,7 @@ const { captureTimelineCheckpoint } = require('../runtime/project-timeline');
 const { runProblemEvaluation } = require('../problem/problem-evaluator');
 const { TaskRefRegistry } = require('../task/task-ref-registry');
 const { getSceStateStore } = require('../state/sce-state-store');
+const { ensureWriteAuthorization } = require('../security/write-authorization');
 const {
   loadStudioIntakePolicy,
   runStudioAutoIntake,
@@ -2661,6 +2662,12 @@ async function runStudioApplyCommand(options = {}, dependencies = {}) {
   const job = await loadJob(paths, jobId, fileSystem);
   ensureNotRolledBack(job, 'apply');
   ensureStagePrerequisite(job, 'apply', 'generate');
+  const leaseAuthResult = await ensureWriteAuthorization('studio:apply', options, {
+    projectPath,
+    fileSystem,
+    env: dependencies.env,
+    authSecret: dependencies.authSecret
+  });
   const authResult = await ensureStudioAuthorization('apply', options, {
     projectPath,
     fileSystem,
@@ -2696,14 +2703,22 @@ async function runStudioApplyCommand(options = {}, dependencies = {}) {
 
   ensureStageCompleted(job, 'apply', {
     patch_bundle_id: patchBundleId,
-    auth_required: authResult.required,
+    auth_required: authResult.required || leaseAuthResult.required,
+    auth_password_required: authResult.required,
+    auth_lease_required: leaseAuthResult.required,
+    auth_lease_id: leaseAuthResult.lease_id || null,
+    auth_lease_expires_at: leaseAuthResult.lease_expires_at || null,
     problem_evaluation: summarizeProblemEvaluation(applyProblemEvaluation)
   });
 
   await saveJob(paths, job, fileSystem);
   const applyEvent = await appendStudioEvent(paths, job, 'stage.apply.completed', {
     patch_bundle_id: patchBundleId,
-    auth_required: authResult.required,
+    auth_required: authResult.required || leaseAuthResult.required,
+    auth_password_required: authResult.required,
+    auth_lease_required: leaseAuthResult.required,
+    auth_lease_id: leaseAuthResult.lease_id || null,
+    auth_lease_expires_at: leaseAuthResult.lease_expires_at || null,
     problem_evaluation: summarizeProblemEvaluation(applyProblemEvaluation)
   }, fileSystem);
   await writeLatestJob(paths, jobId, fileSystem);
@@ -2890,6 +2905,12 @@ async function runStudioReleaseCommand(options = {}, dependencies = {}) {
   const job = await loadJob(paths, jobId, fileSystem);
   ensureNotRolledBack(job, 'release');
   ensureStagePrerequisite(job, 'release', 'verify');
+  const leaseAuthResult = await ensureWriteAuthorization('studio:release', options, {
+    projectPath,
+    fileSystem,
+    env: dependencies.env,
+    authSecret: dependencies.authSecret
+  });
   const authResult = await ensureStudioAuthorization('release', options, {
     projectPath,
     fileSystem,
@@ -3006,7 +3027,11 @@ async function runStudioReleaseCommand(options = {}, dependencies = {}) {
         passed: false,
         report: releaseReportPath,
         gate_steps: gateResult.steps,
-        auth_required: authResult.required,
+        auth_required: authResult.required || leaseAuthResult.required,
+        auth_password_required: authResult.required,
+        auth_lease_required: leaseAuthResult.required,
+        auth_lease_id: leaseAuthResult.lease_id || null,
+        auth_lease_expires_at: leaseAuthResult.lease_expires_at || null,
         problem_evaluation: summarizeProblemEvaluation(releaseProblemEvaluation),
         domain_chain: domainChainMetadata,
         auto_errorbook_records: autoErrorbookRecords
@@ -3017,7 +3042,11 @@ async function runStudioReleaseCommand(options = {}, dependencies = {}) {
       channel,
       release_ref: releaseRef,
       report: releaseReportPath,
-      auth_required: authResult.required,
+      auth_required: authResult.required || leaseAuthResult.required,
+      auth_password_required: authResult.required,
+      auth_lease_required: leaseAuthResult.required,
+      auth_lease_id: leaseAuthResult.lease_id || null,
+      auth_lease_expires_at: leaseAuthResult.lease_expires_at || null,
       problem_evaluation: summarizeProblemEvaluation(releaseProblemEvaluation),
       domain_chain: domainChainMetadata,
       auto_errorbook_records: autoErrorbookRecords
@@ -3032,7 +3061,11 @@ async function runStudioReleaseCommand(options = {}, dependencies = {}) {
     release_ref: releaseRef,
     report: releaseReportPath,
     gate_steps: gateResult.steps,
-    auth_required: authResult.required,
+    auth_required: authResult.required || leaseAuthResult.required,
+    auth_password_required: authResult.required,
+    auth_lease_required: leaseAuthResult.required,
+    auth_lease_id: leaseAuthResult.lease_id || null,
+    auth_lease_expires_at: leaseAuthResult.lease_expires_at || null,
     problem_evaluation: summarizeProblemEvaluation(releaseProblemEvaluation),
     domain_chain: domainChainMetadata,
     auto_errorbook_records: autoErrorbookRecords
@@ -3064,7 +3097,11 @@ async function runStudioReleaseCommand(options = {}, dependencies = {}) {
     channel,
     release_ref: releaseRef,
     report: releaseReportPath,
-    auth_required: authResult.required,
+    auth_required: authResult.required || leaseAuthResult.required,
+    auth_password_required: authResult.required,
+    auth_lease_required: leaseAuthResult.required,
+    auth_lease_id: leaseAuthResult.lease_id || null,
+    auth_lease_expires_at: leaseAuthResult.lease_expires_at || null,
     problem_evaluation: summarizeProblemEvaluation(releaseProblemEvaluation),
     domain_chain: domainChainMetadata,
     auto_errorbook_records: autoErrorbookRecords
@@ -3119,6 +3156,12 @@ async function runStudioRollbackCommand(options = {}, dependencies = {}) {
 
   const reason = normalizeString(options.reason) || 'manual-rollback';
   const job = await loadJob(paths, jobId, fileSystem);
+  const leaseAuthResult = await ensureWriteAuthorization('studio:rollback', options, {
+    projectPath,
+    fileSystem,
+    env: dependencies.env,
+    authSecret: dependencies.authSecret
+  });
   const authResult = await ensureStudioAuthorization('rollback', options, {
     projectPath,
     fileSystem,
@@ -3134,7 +3177,11 @@ async function runStudioRollbackCommand(options = {}, dependencies = {}) {
   job.rollback = {
     reason,
     rolled_back_at: job.updated_at,
-    auth_required: authResult.required
+    auth_required: authResult.required || leaseAuthResult.required,
+    auth_password_required: authResult.required,
+    auth_lease_required: leaseAuthResult.required,
+    auth_lease_id: leaseAuthResult.lease_id || null,
+    auth_lease_expires_at: leaseAuthResult.lease_expires_at || null
   };
 
   const sceneSessionId = normalizeString(job && job.session && job.session.scene_session_id);
@@ -3508,6 +3555,7 @@ function registerStudioCommands(program) {
     .command('apply')
     .description('Apply generated patch bundle metadata to studio job')
     .option('--patch-bundle <id>', 'Patch bundle identifier (defaults to generated artifact)')
+    .option('--auth-lease <lease-id>', 'Write authorization lease id (sce auth grant)')
     .option('--auth-password <password>', 'Authorization password for protected apply action')
     .option('--require-auth', 'Require authorization even when policy is advisory')
     .option('--job <job-id>', 'Studio job id (defaults to latest)')
@@ -3527,6 +3575,7 @@ function registerStudioCommands(program) {
     .description('Record release stage for studio job')
     .option('--channel <channel>', 'Release channel (dev|prod)', 'dev')
     .option('--profile <profile>', 'Release gate profile', 'standard')
+    .option('--auth-lease <lease-id>', 'Write authorization lease id (sce auth grant)')
     .option('--auth-password <password>', 'Authorization password for protected release action')
     .option('--require-auth', 'Require authorization even when policy is advisory')
     .option('--release-ref <ref>', 'Explicit release reference/tag')
@@ -3555,6 +3604,7 @@ function registerStudioCommands(program) {
     .description('Rollback a studio job after apply/release')
     .option('--job <job-id>', 'Studio job id (defaults to latest)')
     .option('--reason <reason>', 'Rollback reason')
+    .option('--auth-lease <lease-id>', 'Write authorization lease id (sce auth grant)')
     .option('--auth-password <password>', 'Authorization password for protected rollback action')
     .option('--require-auth', 'Require authorization even when policy is advisory')
     .option('--json', 'Print machine-readable JSON output')

package/lib/commands/task.js

@@ -11,6 +11,7 @@ const chalk = require('chalk');
 const TaskClaimer = require('../task/task-claimer');
 const WorkspaceManager = require('../workspace/workspace-manager');
 const { TaskRefRegistry } = require('../task/task-ref-registry');
+const { ensureWriteAuthorization } = require('../security/write-authorization');
 
 function normalizeString(value) {
   if (typeof value !== 'string') {
@@ -436,6 +437,17 @@ async function runTaskRerunCommand(options = {}, dependencies = {}) {
   if (!lookup) {
     throw new Error(`Task ref not found: ${taskRef}`);
   }
+  const writeAuthResult = dryRun
+    ? {
+      required: false,
+      passed: true
+    }
+    : await ensureWriteAuthorization('task:rerun', options, {
+      projectPath,
+      fileSystem,
+      env: dependencies.env,
+      authSecret: dependencies.authSecret
+    });
 
   if (isStudioTaskRef(lookup)) {
     const stage = resolveStudioStageFromTaskKey(lookup.task_key);
@@ -453,7 +465,12 @@ async function runTaskRerunCommand(options = {}, dependencies = {}) {
       stage,
       job_id: normalizeString(job?.job_id) || null,
       dry_run: dryRun,
-      command: stringifySceArgs(rerunPlan.args)
+      command: stringifySceArgs(rerunPlan.args),
+      authorization: {
+        required: writeAuthResult.required === true,
+        lease_id: writeAuthResult.lease_id || null,
+        lease_expires_at: writeAuthResult.lease_expires_at || null
+      }
     };
 
     if (!dryRun) {
@@ -486,7 +503,12 @@ async function runTaskRerunCommand(options = {}, dependencies = {}) {
     task_ref: lookup.task_ref,
     rerun_type: 'spec-task',
     dry_run: dryRun,
-    command: `sce task claim ${lookup.spec_id} ${lookup.task_key}`
+    command: `sce task claim ${lookup.spec_id} ${lookup.task_key}`,
+    authorization: {
+      required: writeAuthResult.required === true,
+      lease_id: writeAuthResult.lease_id || null,
+      lease_expires_at: writeAuthResult.lease_expires_at || null
+    }
   };
 
   if (!dryRun) {
@@ -734,6 +756,7 @@ function registerTaskCommands(program) {
     .description('Rerun task by hierarchical reference')
     .requiredOption('--ref <task-ref>', 'Task reference (SS.PP.TT)')
     .option('--dry-run', 'Preview rerun command without executing')
+    .option('--auth-lease <lease-id>', 'Write authorization lease id (sce auth grant)')
     .option('--from-chat <session>', 'Override session for studio plan rerun')
     .option('--job <job-id>', 'Override studio job id')
     .option('--profile <profile>', 'Override profile for studio verify/release rerun')