scene-capability-engine 3.6.44 → 3.6.46

package/CHANGELOG.md

@@ -7,6 +7,31 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [3.6.46] - 2026-03-13
+
+### Added
+- Added `scripts/npm-package-runtime-asset-check.js` and the `npm run gate:npm-runtime-assets` release gate to verify that every runtime `scripts/*.js` file is present in the npm pack dry-run payload before publish.
+- Added Spec `123-00-npm-package-runtime-asset-integrity` with requirements, design, tasks, and deliverables to formalize the npm runtime asset integrity fix.
+- Added unit coverage for runtime script discovery, pack payload parsing, missing-script detection, and pack execution failure reporting.
+
+### Fixed
+- Fixed npm package publish contents by including the root `scripts/` directory in the package `files` allowlist, so installed `sce` tarballs no longer crash on missing runtime assets such as `scripts/git-managed-gate.js`.
+- Fixed the new runtime asset gate on Windows by executing `npm pack --json --dry-run` through a shell-compatible path and raising the output buffer ceiling for large package manifests.
+
+## [3.6.45] - 2026-03-13
+
+### Added
+- Added collaboration governance auditing via `lib/workspace/collab-governance-audit.js` and the new `sce workspace collab-governance-audit` command to check collaboration Git boundaries, runtime-state tracking drift, multi-agent config presence/validity, legacy `.kiro*` references, and steering boundary hygiene.
+- Added Spec `122-00-sce-collab-governance-audit` with requirements, design, tasks, and a dogfooded delivery manifest to formalize the new co-work governance capability.
+- Added unit/integration coverage for collaboration governance drift scenarios, including missing ignore rules, tracked runtime files, legacy naming references, and strict CLI failure behavior.
+
+### Changed
+- Expanded the repository `.gitignore` collaboration boundary rules to cover coordination logs, machine identity, spec lock directories, `tasks.md.lock`, and steering lock/pending runtime files.
+- Seeded `.sce/config/multi-agent.json` as the canonical project-level multi-agent config baseline for governance auditing and future co-work enablement.
+
+### Fixed
+- Removed `.sce/steering/CURRENT_CONTEXT.md` from Git tracking so the repository now conforms to its own runtime/personal-state governance boundary.
+
 ## [3.6.44] - 2026-03-13
 
 ### Fixed

package/bin/scene-capability-engine.js

@@ -34,6 +34,7 @@ const {
 } = require('../lib/workspace/legacy-kiro-migrator');
 const { auditSceTracking } = require('../lib/workspace/sce-tracking-audit');
 const { auditSpecDeliverySync } = require('../lib/workspace/spec-delivery-audit');
+const { auditCollabGovernance } = require('../lib/workspace/collab-governance-audit');
 const { applyTakeoverBaseline } = require('../lib/workspace/takeover-baseline');
 
 const i18n = getI18n();
@@ -170,7 +171,9 @@ function isLegacyMigrationAllowlistedCommand(args) {
 
   if (command === 'workspace') {
     const subcommand = args[commandIndex + 1];
-    return subcommand === 'legacy-scan' || subcommand === 'legacy-migrate';
+    return subcommand === 'legacy-scan'
+      || subcommand === 'legacy-migrate'
+      || subcommand === 'collab-governance-audit';
   }
 
   return false;
@@ -198,7 +201,7 @@ function isTakeoverAutoApplySkippedCommand(args) {
   }
 
   const subcommand = args[commandIndex + 1];
-  return subcommand === 'takeover-audit';
+  return subcommand === 'takeover-audit' || subcommand === 'collab-governance-audit';
 }
 
 /**
@@ -784,6 +787,37 @@ workspaceCmd
     console.log(chalk.gray(`Conflict files: ${report.conflict_files}`));
   });
 
+workspaceCmd
+  .command('collab-governance-audit')
+  .description('Audit collaboration governance boundaries, runtime git hygiene, and legacy naming drift')
+  .option('--json', 'Output in JSON format')
+  .option('--strict', 'Exit non-zero when collaboration governance violations are found')
+  .action(async (options) => {
+    const report = await auditCollabGovernance(process.cwd());
+
+    if (options.json) {
+      console.log(JSON.stringify(report, null, 2));
+    } else if (report.passed) {
+      console.log(chalk.green('✓ Collaboration governance audit passed.'));
+      console.log(chalk.gray(`Missing ignore rules: ${report.summary.missing_gitignore_rules}`));
+      console.log(chalk.gray(`Legacy references: ${report.summary.legacy_reference_count}`));
+      if (report.warnings.length > 0) {
+        report.warnings.forEach((item) => console.log(chalk.gray(`  - ${item}`)));
+      }
+    } else {
+      console.log(chalk.red('✖ Collaboration governance audit failed.'));
+      report.violations.forEach((item) => console.log(chalk.gray(`  - ${item}`)));
+      if (report.warnings.length > 0) {
+        console.log(chalk.yellow('Warnings:'));
+        report.warnings.forEach((item) => console.log(chalk.gray(`  - ${item}`)));
+      }
+    }
+
+    if (!report.passed && options.strict) {
+      process.exitCode = 1;
+    }
+  });
+
 workspaceCmd
   .command('delivery-audit')
   .description('Audit spec delivery manifests against git tracking and upstream sync state')

package/docs/command-reference.md

@@ -347,6 +347,11 @@ sce workspace legacy-migrate --dry-run --json
 sce workspace tracking-audit
 sce workspace tracking-audit --json
 
+# Audit collaboration governance boundaries and legacy naming drift
+sce workspace collab-governance-audit
+sce workspace collab-governance-audit --json
+sce workspace collab-governance-audit --strict
+
 # Audit takeover baseline drift (non-mutating)
 sce workspace takeover-audit
 sce workspace takeover-audit --json

package/docs/releases/README.md

@@ -9,6 +9,8 @@ This directory stores release-facing documents:
 ## Archived Versions
 
 - [Release checklist](../release-checklist.md)
+- [v3.6.46 release notes](./v3.6.46.md)
+- [v3.6.45 release notes](./v3.6.45.md)
 - [v3.6.44 release notes](./v3.6.44.md)
 - [v3.6.43 release notes](./v3.6.43.md)
 - [v3.6.42 release notes](./v3.6.42.md)

package/docs/releases/v3.6.45.md

@@ -0,0 +1,18 @@
+# v3.6.45 Release Notes
+
+Release date: 2026-03-13
+
+## Highlights
+
+- Added `sce workspace collab-governance-audit` to convert collaboration governance drift into an executable audit, covering `.gitignore` boundaries, runtime-state tracking, `multi-agent.json`, legacy `.kiro*` references, and `.sce/steering/` boundary hygiene.
+- Brought the repository itself into compliance by extending the collaboration ignore rules, seeding `.sce/config/multi-agent.json`, and removing `.sce/steering/CURRENT_CONTEXT.md` from Git tracking while preserving the local file.
+
+## Verification
+
+- `npx jest tests/unit/workspace/collab-governance-audit.test.js tests/integration/workspace-collab-governance-audit-cli.integration.test.js --runInBand`
+- `node bin/sce.js workspace collab-governance-audit --strict`
+
+## Release Notes
+
+- This patch is intentionally audit-first. It adds a reusable governance gate for co-work drift, rather than introducing auto-migration or hidden cross-machine sync behavior.
+- The shipped baseline now reflects the intended runtime boundary: collaboration runtime files stay local, while shared config and specs remain versioned.

package/docs/releases/v3.6.46.md

@@ -0,0 +1,23 @@
+# v3.6.46 Release Notes
+
+Release date: 2026-03-13
+
+## Highlights
+
+- Fixed the npm package publish surface so the root `scripts/` directory is included in the released tarball again.
+- Added `npm run gate:npm-runtime-assets`, which inspects `npm pack --json --dry-run` output and blocks publish if any runtime `scripts/*.js` file would be missing from the package.
+- Hardened the new gate for Windows by running `npm pack` through a shell-compatible path and increasing the command output buffer for the repository's large manifest.
+
+## Verification
+
+- `npx jest tests/unit/scripts/npm-package-runtime-asset-check.test.js --runInBand`
+- `node scripts/npm-package-runtime-asset-check.js --json`
+- `npm pack --json --dry-run`
+- Installed the packed `scene-capability-engine-3.6.46.tgz` into a clean temp project and verified:
+  - `node node_modules/scene-capability-engine/bin/scene-capability-engine.js --version`
+  - `node node_modules/scene-capability-engine/bin/scene-capability-engine.js workspace delivery-audit --json`
+
+## Release Notes
+
+- This release fixes the broken runtime asset packaging observed in `3.6.44` and `3.6.45`. The failure mode was a missing `scripts/git-managed-gate.js`, but the underlying defect affected the full root `scripts/` runtime surface.
+- For already-installed `3.6.44` or `3.6.45`, the smallest emergency patch is to restore `scripts/git-managed-gate.js` into the installed package. `3.6.46` is the proper fix and should replace those versions.

package/docs/zh/releases/README.md

@@ -9,6 +9,8 @@
 ## 历史版本归档
 
 - [发布检查清单](../release-checklist.md)
+- [v3.6.46 发布说明](./v3.6.46.md)
+- [v3.6.45 发布说明](./v3.6.45.md)
 - [v3.6.44 发布说明](./v3.6.44.md)
 - [v3.6.43 发布说明](./v3.6.43.md)
 - [v3.6.42 发布说明](./v3.6.42.md)

package/docs/zh/releases/v3.6.45.md

@@ -0,0 +1,18 @@
+# v3.6.45 发布说明
+
+发布日期：2026-03-13
+
+## 重点变化
+
+- 新增 `sce workspace collab-governance-audit`，把协作治理漂移变成可执行审计，覆盖 `.gitignore` 边界、运行态文件误入 Git、`multi-agent.json`、遗留 `.kiro*` 引用，以及 `.sce/steering/` 核心区治理。
+- 同步把仓库自身基线校正到合规状态：补齐协作 ignore 规则、落地 `.sce/config/multi-agent.json`，并将 `.sce/steering/CURRENT_CONTEXT.md` 从 Git 跟踪中移除但保留本地文件。
+
+## 验证
+
+- `npx jest tests/unit/workspace/collab-governance-audit.test.js tests/integration/workspace-collab-governance-audit-cli.integration.test.js --runInBand`
+- `node bin/sce.js workspace collab-governance-audit --strict`
+
+## 发布说明
+
+- 这个补丁版刻意采用 audit-first 策略：先把 co-work 治理漂移显式化并形成可复用门禁，而不是直接引入自动迁移或隐式同步。
+- 本次发版后的仓库基线与能力目标一致：协作运行态文件留在本地，共享配置和 spec 继续纳入版本化治理。

package/docs/zh/releases/v3.6.46.md

@@ -0,0 +1,23 @@
+# v3.6.46 发布说明
+
+发布日期：2026-03-13
+
+## 重点变化
+
+- 修复 npm 包发布内容，重新把根目录 `scripts/` 一并纳入 tarball，避免安装后的 `sce` 因缺少运行时脚本而崩溃。
+- 新增 `npm run gate:npm-runtime-assets`，基于 `npm pack --json --dry-run` 检查所有运行时 `scripts/*.js` 是否都会进入发布包，缺失时直接阻断发布。
+- 加固了该门禁在 Windows 下的执行路径，避免 `npm pack` 命令解析和大体积输出导致误判。
+
+## 验证
+
+- `npx jest tests/unit/scripts/npm-package-runtime-asset-check.test.js --runInBand`
+- `node scripts/npm-package-runtime-asset-check.js --json`
+- `npm pack --json --dry-run`
+- 将打出的 `scene-capability-engine-3.6.46.tgz` 安装到全新临时工程后验证：
+  - `node node_modules/scene-capability-engine/bin/scene-capability-engine.js --version`
+  - `node node_modules/scene-capability-engine/bin/scene-capability-engine.js workspace delivery-audit --json`
+
+## 发布说明
+
+- 这次补丁修复的是 `3.6.44` 与 `3.6.45` 中已经暴露的 npm 运行时缺件问题。表面报错是 `scripts/git-managed-gate.js` 缺失，但根因是整个根级 `scripts/` 运行时面没有被发布进去。
+- 对已经安装的 `3.6.44` 或 `3.6.45`，最小应急补丁是补回安装目录中的 `scripts/git-managed-gate.js`；`3.6.46` 才是完整的正式修复版本。