scene-capability-engine 3.6.44 → 3.6.46

package/scripts/interactive-authorization-tier-evaluate.js

@@ -0,0 +1,413 @@
+#!/usr/bin/env node
+'use strict';
+
+const path = require('path');
+const fs = require('fs-extra');
+
+const DEFAULT_POLICY = 'docs/interactive-customization/authorization-tier-policy-baseline.json';
+const DEFAULT_OUT = '.sce/reports/interactive-authorization-tier.json';
+const DIALOGUE_PROFILES = new Set(['business-user', 'system-maintainer']);
+const RUNTIME_ENVIRONMENTS = new Set(['dev', 'staging', 'prod']);
+
+const BUILTIN_POLICY = {
+  version: '1.0.0',
+  defaults: {
+    profile: 'business-user'
+  },
+  profiles: {
+    'business-user': {
+      allow_execution_modes: ['suggestion'],
+      auto_execute_allowed: false,
+      allow_live_apply: false
+    },
+    'system-maintainer': {
+      allow_execution_modes: ['suggestion', 'apply'],
+      auto_execute_allowed: true,
+      allow_live_apply: true
+    }
+  },
+  environments: {
+    dev: {
+      require_secondary_authorization: false,
+      require_password_for_apply: false,
+      require_role_policy: false,
+      require_distinct_actor_roles: false,
+      manual_review_required_for_apply: false
+    },
+    staging: {
+      require_secondary_authorization: true,
+      require_password_for_apply: true,
+      require_role_policy: false,
+      require_distinct_actor_roles: false,
+      manual_review_required_for_apply: false
+    },
+    prod: {
+      require_secondary_authorization: true,
+      require_password_for_apply: true,
+      require_role_policy: true,
+      require_distinct_actor_roles: true,
+      manual_review_required_for_apply: true
+    }
+  }
+};
+
+function parseArgs(argv) {
+  const options = {
+    executionMode: 'suggestion',
+    dialogueProfile: 'business-user',
+    runtimeMode: null,
+    runtimeEnvironment: 'staging',
+    autoExecuteLowRisk: false,
+    liveApply: false,
+    policy: DEFAULT_POLICY,
+    out: DEFAULT_OUT,
+    failOnNonAllow: false,
+    json: false
+  };
+
+  for (let index = 0; index < argv.length; index += 1) {
+    const token = argv[index];
+    const next = argv[index + 1];
+    if (token === '--execution-mode' && next) {
+      options.executionMode = next;
+      index += 1;
+    } else if (token === '--dialogue-profile' && next) {
+      options.dialogueProfile = next;
+      index += 1;
+    } else if (token === '--runtime-mode' && next) {
+      options.runtimeMode = next;
+      index += 1;
+    } else if (token === '--runtime-environment' && next) {
+      options.runtimeEnvironment = next;
+      index += 1;
+    } else if (token === '--auto-execute-low-risk') {
+      options.autoExecuteLowRisk = true;
+    } else if (token === '--live-apply') {
+      options.liveApply = true;
+    } else if (token === '--policy' && next) {
+      options.policy = next;
+      index += 1;
+    } else if (token === '--out' && next) {
+      options.out = next;
+      index += 1;
+    } else if (token === '--fail-on-non-allow') {
+      options.failOnNonAllow = true;
+    } else if (token === '--json') {
+      options.json = true;
+    } else if (token === '--help' || token === '-h') {
+      printHelpAndExit(0);
+    }
+  }
+
+  options.executionMode = `${options.executionMode || ''}`.trim().toLowerCase() || 'suggestion';
+  options.dialogueProfile = `${options.dialogueProfile || ''}`.trim().toLowerCase() || 'business-user';
+  options.runtimeEnvironment = `${options.runtimeEnvironment || ''}`.trim().toLowerCase() || 'staging';
+
+  if (!['suggestion', 'apply'].includes(options.executionMode)) {
+    throw new Error('--execution-mode must be one of: suggestion, apply');
+  }
+  if (!DIALOGUE_PROFILES.has(options.dialogueProfile)) {
+    throw new Error(`--dialogue-profile must be one of: ${Array.from(DIALOGUE_PROFILES).join(', ')}`);
+  }
+  if (!RUNTIME_ENVIRONMENTS.has(options.runtimeEnvironment)) {
+    throw new Error(`--runtime-environment must be one of: ${Array.from(RUNTIME_ENVIRONMENTS).join(', ')}`);
+  }
+
+  return options;
+}
+
+function printHelpAndExit(code) {
+  const lines = [
+    'Usage: node scripts/interactive-authorization-tier-evaluate.js [options]',
+    '',
+    'Options:',
+    '  --execution-mode <mode>         suggestion|apply (default: suggestion)',
+    '  --dialogue-profile <name>       business-user|system-maintainer (default: business-user)',
+    '  --runtime-mode <name>           Runtime mode context (optional)',
+    '  --runtime-environment <name>    dev|staging|prod (default: staging)',
+    '  --auto-execute-low-risk         Evaluate low-risk auto execute request',
+    '  --live-apply                    Evaluate live apply request',
+    `  --policy <path>                 Authorization tier policy JSON (default: ${DEFAULT_POLICY})`,
+    `  --out <path>                    Output JSON report path (default: ${DEFAULT_OUT})`,
+    '  --fail-on-non-allow             Exit code 2 when decision is deny/review-required',
+    '  --json                          Print payload as JSON',
+    '  -h, --help                      Show this help'
+  ];
+  console.log(lines.join('\n'));
+  process.exit(code);
+}
+
+function resolvePath(cwd, value) {
+  return path.isAbsolute(value) ? value : path.resolve(cwd, value);
+}
+
+function normalizeStringList(values = []) {
+  return Array.from(new Set(
+    (Array.isArray(values) ? values : [])
+      .map(item => `${item || ''}`.trim().toLowerCase())
+      .filter(Boolean)
+  ));
+}
+
+async function readJsonFile(filePath, label) {
+  if (!(await fs.pathExists(filePath))) {
+    throw new Error(`${label} not found: ${filePath}`);
+  }
+  const raw = await fs.readFile(filePath, 'utf8');
+  try {
+    return JSON.parse(raw);
+  } catch (error) {
+    throw new Error(`invalid JSON in ${label}: ${error.message}`);
+  }
+}
+
+function normalizeProfilePolicy(rawProfile = {}) {
+  const profile = rawProfile && typeof rawProfile === 'object' ? rawProfile : {};
+  return {
+    allow_execution_modes: normalizeStringList(profile.allow_execution_modes),
+    auto_execute_allowed: profile.auto_execute_allowed === true,
+    allow_live_apply: profile.allow_live_apply === true
+  };
+}
+
+function normalizeEnvironmentPolicy(rawEnvironment = {}) {
+  const environment = rawEnvironment && typeof rawEnvironment === 'object' ? rawEnvironment : {};
+  return {
+    require_secondary_authorization: environment.require_secondary_authorization === true,
+    require_password_for_apply: environment.require_password_for_apply === true,
+    require_role_policy: environment.require_role_policy === true,
+    require_distinct_actor_roles: environment.require_distinct_actor_roles === true,
+    manual_review_required_for_apply: environment.manual_review_required_for_apply === true
+  };
+}
+
+function normalizePolicy(rawPolicy = {}) {
+  const policy = rawPolicy && typeof rawPolicy === 'object' ? rawPolicy : {};
+  const defaults = policy.defaults && typeof policy.defaults === 'object' ? policy.defaults : {};
+  const inputProfiles = policy.profiles && typeof policy.profiles === 'object' ? policy.profiles : {};
+  const inputEnvironments = policy.environments && typeof policy.environments === 'object' ? policy.environments : {};
+
+  const profiles = {};
+  for (const [name, config] of Object.entries(BUILTIN_POLICY.profiles)) {
+    profiles[name] = normalizeProfilePolicy(config);
+  }
+  for (const [name, config] of Object.entries(inputProfiles)) {
+    const key = `${name || ''}`.trim().toLowerCase();
+    if (!key) {
+      continue;
+    }
+    const normalizedConfig = normalizeProfilePolicy(config);
+    profiles[key] = {
+      ...profiles[key],
+      ...normalizedConfig,
+      allow_execution_modes: normalizedConfig.allow_execution_modes.length > 0
+        ? normalizedConfig.allow_execution_modes
+        : (profiles[key] && profiles[key].allow_execution_modes) || []
+    };
+  }
+
+  const environments = {};
+  for (const [name, config] of Object.entries(BUILTIN_POLICY.environments)) {
+    environments[name] = normalizeEnvironmentPolicy(config);
+  }
+  for (const [name, config] of Object.entries(inputEnvironments)) {
+    const key = `${name || ''}`.trim().toLowerCase();
+    if (!key) {
+      continue;
+    }
+    environments[key] = {
+      ...environments[key],
+      ...normalizeEnvironmentPolicy(config)
+    };
+  }
+
+  const defaultProfile = `${defaults.profile || BUILTIN_POLICY.defaults.profile || 'business-user'}`.trim().toLowerCase() || 'business-user';
+  return {
+    version: `${policy.version || BUILTIN_POLICY.version || '1.0.0'}`.trim() || '1.0.0',
+    defaults: {
+      profile: profiles[defaultProfile] ? defaultProfile : 'business-user'
+    },
+    profiles,
+    environments
+  };
+}
+
+async function loadPolicy(policyPath, cwd) {
+  const resolved = resolvePath(cwd, policyPath || DEFAULT_POLICY);
+  if (!(await fs.pathExists(resolved))) {
+    return {
+      source: 'builtin-default',
+      from_file: false,
+      policy: normalizePolicy(BUILTIN_POLICY)
+    };
+  }
+  const raw = await readJsonFile(resolved, 'authorization tier policy');
+  return {
+    source: path.relative(cwd, resolved) || '.',
+    from_file: true,
+    policy: normalizePolicy(raw)
+  };
+}
+
+function addViolation(violations, severity, code, message, details = {}) {
+  violations.push({
+    severity,
+    code,
+    message,
+    details
+  });
+}
+
+function decideFromViolations(violations = []) {
+  if (violations.some(item => item && item.severity === 'deny')) {
+    return 'deny';
+  }
+  if (violations.some(item => item && item.severity === 'review')) {
+    return 'review-required';
+  }
+  return 'allow';
+}
+
+function evaluateAuthorizationTier(options, policy) {
+  const activeProfile = options.dialogueProfile || policy.defaults.profile || 'business-user';
+  const profileConfig = policy.profiles[activeProfile];
+  if (!profileConfig) {
+    throw new Error(`profile not found in policy: ${activeProfile}`);
+  }
+  const environmentConfig = policy.environments[options.runtimeEnvironment];
+  if (!environmentConfig) {
+    throw new Error(`runtime environment not found in policy: ${options.runtimeEnvironment}`);
+  }
+
+  const violations = [];
+  const executionModeAllowed = profileConfig.allow_execution_modes.includes(options.executionMode);
+
+  if (!executionModeAllowed) {
+    addViolation(
+      violations,
+      'deny',
+      'profile-execution-mode-not-allowed',
+      `dialogue profile "${activeProfile}" does not allow execution_mode "${options.executionMode}"`,
+      {
+        dialogue_profile: activeProfile,
+        execution_mode: options.executionMode,
+        allow_execution_modes: profileConfig.allow_execution_modes
+      }
+    );
+  }
+  if (options.autoExecuteLowRisk && profileConfig.auto_execute_allowed !== true) {
+    addViolation(
+      violations,
+      'deny',
+      'profile-auto-execute-not-allowed',
+      `dialogue profile "${activeProfile}" does not allow low-risk auto execute`,
+      { dialogue_profile: activeProfile }
+    );
+  }
+  if (options.liveApply && profileConfig.allow_live_apply !== true) {
+    addViolation(
+      violations,
+      'deny',
+      'profile-live-apply-not-allowed',
+      `dialogue profile "${activeProfile}" does not allow live apply`,
+      { dialogue_profile: activeProfile }
+    );
+  }
+  if (options.executionMode === 'apply' && environmentConfig.manual_review_required_for_apply === true) {
+    addViolation(
+      violations,
+      'review',
+      'environment-manual-review-required',
+      `runtime environment "${options.runtimeEnvironment}" requires manual review for apply`,
+      { runtime_environment: options.runtimeEnvironment }
+    );
+  }
+
+  const decision = decideFromViolations(violations);
+  const requirements = {
+    apply_allowed: executionModeAllowed,
+    auto_execute_allowed: decision === 'allow' && profileConfig.auto_execute_allowed === true,
+    live_apply_allowed: decision === 'allow' && profileConfig.allow_live_apply === true,
+    require_secondary_authorization: environmentConfig.require_secondary_authorization === true,
+    require_password_for_apply: environmentConfig.require_password_for_apply === true,
+    require_role_policy: environmentConfig.require_role_policy === true,
+    require_distinct_actor_roles: environmentConfig.require_distinct_actor_roles === true,
+    manual_review_required_for_apply: environmentConfig.manual_review_required_for_apply === true
+  };
+
+  return {
+    decision,
+    reasons: violations.map(item => item.message),
+    violations,
+    context: {
+      execution_mode: options.executionMode,
+      dialogue_profile: activeProfile,
+      runtime_mode: options.runtimeMode || null,
+      runtime_environment: options.runtimeEnvironment,
+      auto_execute_low_risk: options.autoExecuteLowRisk === true,
+      live_apply: options.liveApply === true
+    },
+    requirements
+  };
+}
+
+async function main() {
+  const options = parseArgs(process.argv.slice(2));
+  const cwd = process.cwd();
+  const outPath = resolvePath(cwd, options.out || DEFAULT_OUT);
+  const policyRuntime = await loadPolicy(options.policy, cwd);
+  const evaluation = evaluateAuthorizationTier(options, policyRuntime.policy);
+
+  const payload = {
+    mode: 'interactive-authorization-tier-evaluate',
+    generated_at: new Date().toISOString(),
+    policy: {
+      source: policyRuntime.source,
+      from_file: policyRuntime.from_file,
+      version: policyRuntime.policy.version,
+      default_profile: policyRuntime.policy.defaults.profile
+    },
+    ...evaluation,
+    output: {
+      json: path.relative(cwd, outPath) || '.'
+    }
+  };
+
+  await fs.ensureDir(path.dirname(outPath));
+  await fs.writeJson(outPath, payload, { spaces: 2 });
+
+  if (options.json) {
+    process.stdout.write(`${JSON.stringify(payload, null, 2)}\n`);
+  } else {
+    process.stdout.write(`Interactive authorization-tier decision: ${payload.decision}\n`);
+    process.stdout.write(`- Profile: ${payload.context.dialogue_profile}\n`);
+    process.stdout.write(`- Runtime: ${payload.context.runtime_environment}\n`);
+    process.stdout.write(`- Output: ${payload.output.json}\n`);
+  }
+
+  if (options.failOnNonAllow && payload.decision !== 'allow') {
+    process.exitCode = 2;
+  }
+}
+
+if (require.main === module) {
+  main().catch((error) => {
+    console.error(`Interactive authorization-tier evaluate failed: ${error.message}`);
+    process.exit(1);
+  });
+}
+
+module.exports = {
+  DEFAULT_POLICY,
+  DEFAULT_OUT,
+  DIALOGUE_PROFILES,
+  RUNTIME_ENVIRONMENTS,
+  BUILTIN_POLICY,
+  parseArgs,
+  resolvePath,
+  readJsonFile,
+  normalizePolicy,
+  loadPolicy,
+  evaluateAuthorizationTier,
+  main
+};

package/scripts/interactive-change-plan-gate.js

@@ -0,0 +1,225 @@
+#!/usr/bin/env node
+'use strict';
+
+const path = require('path');
+const fs = require('fs-extra');
+
+const {
+  DEFAULT_POLICY,
+  DEFAULT_CATALOG,
+  toUniqueList,
+  normalizeRiskLevel,
+  buildCheck,
+  evaluatePlanGate
+} = require('../lib/interactive-customization/change-plan-gate-core');
+const DEFAULT_OUT = '.sce/reports/interactive-change-plan-gate.json';
+const DEFAULT_MARKDOWN_OUT = '.sce/reports/interactive-change-plan-gate.md';
+
+function parseArgs(argv) {
+  const options = {
+    plan: null,
+    policy: DEFAULT_POLICY,
+    catalog: null,
+    out: DEFAULT_OUT,
+    markdownOut: DEFAULT_MARKDOWN_OUT,
+    failOnBlock: false,
+    failOnNonAllow: false,
+    json: false
+  };
+
+  for (let i = 0; i < argv.length; i += 1) {
+    const token = argv[i];
+    const next = argv[i + 1];
+    if (token === '--plan' && next) {
+      options.plan = next;
+      i += 1;
+    } else if (token === '--policy' && next) {
+      options.policy = next;
+      i += 1;
+    } else if (token === '--catalog' && next) {
+      options.catalog = next;
+      i += 1;
+    } else if (token === '--out' && next) {
+      options.out = next;
+      i += 1;
+    } else if (token === '--markdown-out' && next) {
+      options.markdownOut = next;
+      i += 1;
+    } else if (token === '--fail-on-block') {
+      options.failOnBlock = true;
+    } else if (token === '--fail-on-non-allow') {
+      options.failOnNonAllow = true;
+    } else if (token === '--json') {
+      options.json = true;
+    } else if (token === '--help' || token === '-h') {
+      printHelpAndExit(0);
+    }
+  }
+
+  if (!options.plan) {
+    throw new Error('--plan is required.');
+  }
+
+  return options;
+}
+
+function printHelpAndExit(code) {
+  const lines = [
+    'Usage: node scripts/interactive-change-plan-gate.js --plan <path> [options]',
+    '',
+    'Options:',
+    '  --plan <path>            Change plan JSON file (required)',
+    `  --policy <path>          Guardrail policy JSON file (default: ${DEFAULT_POLICY})`,
+    `  --catalog <path>         High-risk action catalog JSON file (default: ${DEFAULT_CATALOG})`,
+    `  --out <path>             Report JSON output path (default: ${DEFAULT_OUT})`,
+    `  --markdown-out <path>    Report markdown output path (default: ${DEFAULT_MARKDOWN_OUT})`,
+    '  --fail-on-block          Exit code 2 when decision is deny',
+    '  --fail-on-non-allow      Exit code 2 when decision is deny/review-required',
+    '  --json                   Print JSON report to stdout',
+    '  -h, --help               Show this help'
+  ];
+  console.log(lines.join('\n'));
+  process.exit(code);
+}
+
+function parseJson(text, sourceLabel) {
+  try {
+    return JSON.parse(text);
+  } catch (error) {
+    throw new Error(`invalid JSON in ${sourceLabel}: ${error.message}`);
+  }
+}
+
+async function readJsonFile(filePath, sourceLabel) {
+  if (!(await fs.pathExists(filePath))) {
+    throw new Error(`${sourceLabel} not found: ${filePath}`);
+  }
+  const content = await fs.readFile(filePath, 'utf8');
+  return parseJson(content, sourceLabel);
+}
+
+function buildMarkdown(report) {
+  const lines = [];
+  lines.push('# Interactive Change Plan Gate');
+  lines.push('');
+  lines.push(`- Generated at: ${report.generated_at}`);
+  lines.push(`- Decision: ${report.decision}`);
+  lines.push(`- Plan: ${report.inputs.plan}`);
+  lines.push(`- Policy: ${report.inputs.policy}`);
+  lines.push(`- Catalog: ${report.inputs.catalog}`);
+  lines.push('');
+  lines.push('## Summary');
+  lines.push('');
+  lines.push(`- Checks: ${report.summary.check_total}`);
+  lines.push(`- Failed checks: ${report.summary.failed_total}`);
+  lines.push(`- Failed deny checks: ${report.summary.failed_deny_total}`);
+  lines.push(`- Failed review checks: ${report.summary.failed_review_total}`);
+  lines.push(`- Action count: ${report.summary.action_count}`);
+  lines.push(`- Risk level: ${report.summary.risk_level || 'n/a'}`);
+  lines.push('');
+  lines.push('## Checks');
+  lines.push('');
+  lines.push('| Check | Result | Severity | Details |');
+  lines.push('| --- | --- | --- | --- |');
+  for (const check of report.checks) {
+    lines.push(
+      `| ${check.id} | ${check.passed ? 'pass' : 'fail'} | ${check.severity} | ${check.details || 'n/a'} |`
+    );
+  }
+  lines.push('');
+  lines.push('## Reasons');
+  lines.push('');
+  if (!Array.isArray(report.reasons) || report.reasons.length === 0) {
+    lines.push('- none');
+  } else {
+    for (const reason of report.reasons) {
+      lines.push(`- ${reason}`);
+    }
+  }
+  return `${lines.join('\n')}\n`;
+}
+
+function resolveReportPath(cwd, value) {
+  return path.isAbsolute(value) ? value : path.resolve(cwd, value);
+}
+
+async function main() {
+  const options = parseArgs(process.argv.slice(2));
+  const cwd = process.cwd();
+
+  const planPath = resolveReportPath(cwd, options.plan);
+  const policyPath = resolveReportPath(cwd, options.policy);
+  const policy = await readJsonFile(policyPath, 'policy');
+  const catalogFromPolicy = policy && policy.catalog_policy && typeof policy.catalog_policy.catalog_file === 'string'
+    ? policy.catalog_policy.catalog_file
+    : null;
+  const catalogPath = resolveReportPath(
+    cwd,
+    options.catalog || catalogFromPolicy || DEFAULT_CATALOG
+  );
+  const [plan, catalog] = await Promise.all([
+    readJsonFile(planPath, 'plan'),
+    readJsonFile(catalogPath, 'catalog')
+  ]);
+
+  const evaluation = evaluatePlanGate(plan, policy, catalog);
+  const outPath = resolveReportPath(cwd, options.out);
+  const markdownOutPath = resolveReportPath(cwd, options.markdownOut);
+  const report = {
+    mode: 'interactive-change-plan-gate',
+    generated_at: new Date().toISOString(),
+    inputs: {
+      plan: path.relative(cwd, planPath) || '.',
+      policy: path.relative(cwd, policyPath) || '.',
+      catalog: path.relative(cwd, catalogPath) || '.'
+    },
+    ...evaluation,
+    output: {
+      json: path.relative(cwd, outPath) || '.',
+      markdown: path.relative(cwd, markdownOutPath) || '.'
+    }
+  };
+
+  await fs.ensureDir(path.dirname(outPath));
+  await fs.writeJson(outPath, report, { spaces: 2 });
+  await fs.ensureDir(path.dirname(markdownOutPath));
+  await fs.writeFile(markdownOutPath, buildMarkdown(report), 'utf8');
+
+  if (options.json) {
+    process.stdout.write(`${JSON.stringify(report, null, 2)}\n`);
+  } else {
+    process.stdout.write(`Interactive change plan gate: ${report.decision}\n`);
+    process.stdout.write(`- JSON: ${report.output.json}\n`);
+    process.stdout.write(`- Markdown: ${report.output.markdown}\n`);
+  }
+
+  if (options.failOnBlock && report.decision === 'deny') {
+    process.exitCode = 2;
+  } else if (options.failOnNonAllow && report.decision !== 'allow') {
+    process.exitCode = 2;
+  }
+}
+
+if (require.main === module) {
+  main().catch((error) => {
+    console.error(`Interactive change plan gate failed: ${error.message}`);
+    process.exit(1);
+  });
+}
+
+module.exports = {
+  DEFAULT_POLICY,
+  DEFAULT_CATALOG,
+  DEFAULT_OUT,
+  DEFAULT_MARKDOWN_OUT,
+  parseArgs,
+  parseJson,
+  readJsonFile,
+  toUniqueList,
+  normalizeRiskLevel,
+  buildCheck,
+  evaluatePlanGate,
+  buildMarkdown,
+  resolveReportPath,
+  main
+};