scene-capability-engine 3.6.45 → 3.6.47

package/scripts/clarification-first-audit.js

@@ -0,0 +1,322 @@
+#!/usr/bin/env node
+'use strict';
+
+const fs = require('fs');
+const path = require('path');
+
+const REQUIRED_CHECKS = [
+  {
+    path: 'scripts/interactive-dialogue-governance.js',
+    requiredSnippets: [
+      'contextHasBusinessScope',
+      'goalMentionsBusinessScope',
+      'business scene/module/page/entity context is missing; clarify scope before fallback or execution',
+      'Which module/page/entity is affected first?'
+    ]
+  },
+  {
+    path: 'scripts/symbol-evidence-locate.js',
+    requiredSnippets: [
+      'clarify_business_scope',
+      'Clarify target module/page/entity and business constraints before deciding whether scoped writes are safe.'
+    ]
+  },
+  {
+    path: 'lib/workspace/takeover-baseline.js',
+    requiredSnippets: [
+      'CLARIFICATION_FIRST_CORE_PRINCIPLE_HEADING',
+      '_reconcileCorePrinciplesBaseline',
+      '这条规则适用于所有接入 SCE 的项目、模式和交互面，不允许按项目例外绕过。'
+    ]
+  },
+  {
+    path: 'docs/interactive-customization/dialogue-governance-policy-baseline.json',
+    requiredSnippets: [
+      'clarify and narrow scope before using any fallback restriction; do not replace understanding with blanket disable',
+      'Which entity or business rule is affected, and what constraint must stay intact?'
+    ]
+  },
+  {
+    path: '.sce/steering/CORE_PRINCIPLES.md',
+    requiredSnippets: [
+      '业务场景未知时必须先澄清，禁止直接彻底禁用',
+      '这条规则适用于所有接入 SCE 的项目、模式和交互面，不允许按项目例外绕过。'
+    ]
+  },
+  {
+    path: 'template/.sce/steering/CORE_PRINCIPLES.md',
+    requiredSnippets: [
+      '业务场景未知时先澄清，不得直接彻底禁用',
+      '这条规则适用于所有使用 SCE 的项目，不设项目级例外。'
+    ]
+  },
+  {
+    path: 'README.md',
+    requiredSnippets: [
+      'When business scene/module/page/entity context is missing, SCE must route to clarification first; unknown business scope must not be turned into blanket disable.'
+    ]
+  },
+  {
+    path: 'README.zh.md',
+    requiredSnippets: [
+      '缺少业务场景/模块/页面/实体上下文时，SCE 必须先进入澄清，而不是把未知业务范围直接变成一刀切禁用'
+    ]
+  },
+  {
+    path: 'docs/security-governance-default-baseline.md',
+    requiredSnippets: [
+      'Missing business scene/module/page/entity context must route to clarification first; unknown scope is never a valid reason for blanket disable.',
+      'This clarification-first rule applies to every SCE-integrated project and surface with no project-specific exception.'
+    ]
+  },
+  {
+    path: 'docs/starter-kit/README.md',
+    requiredSnippets: [
+      'This baseline applies to every onboarded project with no project-specific exception.',
+      'missing business scope is handled through clarification, not blanket disable fallback.'
+    ]
+  },
+  {
+    path: 'docs/command-reference.md',
+    requiredSnippets: [
+      'Missing business scene/module/page/entity context defaults to `clarify`; unknown scope must not be converted into blanket disable fallback.'
+    ]
+  }
+];
+
+const PROHIBITED_SNIPPETS = [
+  {
+    value: 'block_high_risk_write',
+    allowedPaths: [
+      'scripts/clarification-first-audit.js',
+      'tests/unit/scripts/clarification-first-audit.test.js'
+    ]
+  },
+  {
+    value: 'Fallback to answer-only mode and block high-risk writes.',
+    allowedPaths: [
+      'scripts/clarification-first-audit.js',
+      'tests/unit/scripts/clarification-first-audit.test.js'
+    ]
+  }
+];
+
+const SEARCH_DIRECTORIES = ['lib', 'scripts', 'docs', '.sce', 'template', 'tests'];
+const SEARCH_EXTENSIONS = new Set(['.js', '.md', '.json', '.txt', '.yaml', '.yml']);
+
+function parseArgs(argv = process.argv.slice(2)) {
+  const options = {
+    projectPath: process.cwd(),
+    json: false,
+    failOnViolation: false,
+    out: null
+  };
+
+  for (let index = 0; index < argv.length; index += 1) {
+    const token = argv[index];
+    const next = argv[index + 1];
+    if (token === '--project-path' && next) {
+      options.projectPath = path.resolve(next);
+      index += 1;
+      continue;
+    }
+    if (token === '--json') {
+      options.json = true;
+      continue;
+    }
+    if (token === '--fail-on-violation') {
+      options.failOnViolation = true;
+      continue;
+    }
+    if (token === '--out' && next) {
+      options.out = path.resolve(next);
+      index += 1;
+      continue;
+    }
+    if (token === '--help' || token === '-h') {
+      printHelpAndExit(0);
+    }
+  }
+
+  return options;
+}
+
+function printHelpAndExit(code) {
+  const lines = [
+    'Usage: node scripts/clarification-first-audit.js [options]',
+    '',
+    'Options:',
+    '  --project-path <path>   Project root to audit (default: current directory)',
+    '  --json                  Print JSON payload',
+    '  --fail-on-violation     Exit code 2 when any violation is found',
+    '  --out <path>            Write JSON payload to file',
+    '  -h, --help              Show this help'
+  ];
+  console.log(lines.join('\n'));
+  process.exit(code);
+}
+
+function normalizeSlashes(value) {
+  return `${value || ''}`.replace(/\\/g, '/');
+}
+
+function pushViolation(violations, severity, rule, file, message) {
+  violations.push({
+    severity,
+    rule,
+    file,
+    message
+  });
+}
+
+function readText(filePath) {
+  return fs.readFileSync(filePath, 'utf8');
+}
+
+function collectFilesRecursive(rootDir, relativeRoot = '') {
+  if (!fs.existsSync(rootDir)) {
+    return [];
+  }
+  const results = [];
+  const entries = fs.readdirSync(rootDir, { withFileTypes: true });
+  for (const entry of entries) {
+    const absolutePath = path.join(rootDir, entry.name);
+    const relativePath = normalizeSlashes(path.join(relativeRoot, entry.name));
+    if (entry.isDirectory()) {
+      if (entry.name === 'node_modules' || entry.name === '.git') {
+        continue;
+      }
+      results.push(...collectFilesRecursive(absolutePath, relativePath));
+      continue;
+    }
+    if (!entry.isFile()) {
+      continue;
+    }
+    if (!SEARCH_EXTENSIONS.has(path.extname(entry.name).toLowerCase())) {
+      continue;
+    }
+    results.push({
+      absolutePath,
+      relativePath
+    });
+  }
+  return results;
+}
+
+function auditClarificationFirst(options = {}) {
+  const projectPath = path.resolve(options.projectPath || process.cwd());
+  const violations = [];
+  const checkedFiles = [];
+
+  for (const check of REQUIRED_CHECKS) {
+    const relativePath = normalizeSlashes(check.path);
+    const absolutePath = path.join(projectPath, relativePath);
+    checkedFiles.push(relativePath);
+    if (!fs.existsSync(absolutePath)) {
+      pushViolation(
+        violations,
+        'error',
+        'missing_required_file',
+        relativePath,
+        `Required clarification-first baseline file is missing: ${relativePath}`
+      );
+      continue;
+    }
+
+    const content = readText(absolutePath);
+    for (const snippet of check.requiredSnippets) {
+      if (!content.includes(snippet)) {
+        pushViolation(
+          violations,
+          'error',
+          'missing_required_snippet',
+          relativePath,
+          `Missing required clarification-first snippet: ${snippet}`
+        );
+      }
+    }
+  }
+
+  const searchableFiles = SEARCH_DIRECTORIES.flatMap((dirName) => {
+    const absoluteDir = path.join(projectPath, dirName);
+    return collectFilesRecursive(absoluteDir, dirName);
+  });
+
+  for (const file of searchableFiles) {
+    const content = readText(file.absolutePath);
+    for (const rule of PROHIBITED_SNIPPETS) {
+      if (!content.includes(rule.value)) {
+        continue;
+      }
+      const allowedPaths = Array.isArray(rule.allowedPaths) ? rule.allowedPaths.map(normalizeSlashes) : [];
+      if (allowedPaths.includes(file.relativePath)) {
+        continue;
+      }
+      pushViolation(
+        violations,
+        'error',
+        'prohibited_legacy_disable_phrase',
+        file.relativePath,
+        `Prohibited legacy fallback phrase found: ${rule.value}`
+      );
+    }
+  }
+
+  const errorCount = violations.filter((item) => item.severity === 'error').length;
+  return {
+    mode: 'clarification-first-audit',
+    project_path: projectPath,
+    checked_files: checkedFiles,
+    searched_file_count: searchableFiles.length,
+    violation_count: violations.length,
+    error_count: errorCount,
+    passed: violations.length === 0,
+    violations
+  };
+}
+
+function writeReportIfNeeded(report, outPath) {
+  if (!outPath) {
+    return;
+  }
+  const resolved = path.resolve(outPath);
+  fs.mkdirSync(path.dirname(resolved), { recursive: true });
+  fs.writeFileSync(resolved, `${JSON.stringify(report, null, 2)}\n`, 'utf8');
+}
+
+function main() {
+  const options = parseArgs(process.argv.slice(2));
+  const report = auditClarificationFirst(options);
+  writeReportIfNeeded(report, options.out);
+
+  if (options.json) {
+    process.stdout.write(`${JSON.stringify(report, null, 2)}\n`);
+  } else if (report.passed) {
+    console.log('[clarification-first-audit] passed');
+  } else {
+    console.error(`[clarification-first-audit] failed with ${report.violation_count} violation(s)`);
+    for (const violation of report.violations) {
+      console.error(`[clarification-first-audit] ${violation.rule} ${violation.file}: ${violation.message}`);
+    }
+  }
+
+  if (options.failOnViolation && !report.passed) {
+    process.exitCode = 2;
+  }
+}
+
+if (require.main === module) {
+  try {
+    main();
+  } catch (error) {
+    console.error(`[clarification-first-audit] ${error.message}`);
+    process.exit(1);
+  }
+}
+
+module.exports = {
+  REQUIRED_CHECKS,
+  PROHIBITED_SNIPPETS,
+  parseArgs,
+  auditClarificationFirst
+};

package/scripts/errorbook-registry-health-gate.js

@@ -0,0 +1,172 @@
+#!/usr/bin/env node
+'use strict';
+
+const path = require('path');
+const { runErrorbookRegistryHealthCommand } = require('../lib/commands/errorbook');
+
+function parseBoolean(value, fallback = false) {
+  if (typeof value === 'boolean') {
+    return value;
+  }
+  const normalized = `${value || ''}`.trim().toLowerCase();
+  if (!normalized) {
+    return fallback;
+  }
+  if (['1', 'true', 'yes', 'on', 'y'].includes(normalized)) {
+    return true;
+  }
+  if (['0', 'false', 'no', 'off', 'n'].includes(normalized)) {
+    return false;
+  }
+  return fallback;
+}
+
+function parseArgs(argv = [], env = process.env) {
+  const options = {
+    strict: parseBoolean(env.SCE_REGISTRY_HEALTH_STRICT, false),
+    json: false,
+    projectPath: process.cwd(),
+    maxShards: 8,
+    shardSample: 2
+  };
+
+  for (let index = 0; index < argv.length; index += 1) {
+    const token = argv[index];
+    const next = argv[index + 1];
+
+    if (token === '--strict') {
+      options.strict = true;
+    } else if (token === '--no-strict') {
+      options.strict = false;
+    } else if (token === '--json') {
+      options.json = true;
+    } else if (token === '--project-path' && next) {
+      options.projectPath = path.resolve(next);
+      index += 1;
+    } else if (token === '--config' && next) {
+      options.config = next;
+      index += 1;
+    } else if (token === '--cache' && next) {
+      options.cache = next;
+      index += 1;
+    } else if (token === '--source' && next) {
+      options.source = next;
+      index += 1;
+    } else if (token === '--source-name' && next) {
+      options.sourceName = next;
+      index += 1;
+    } else if (token === '--index' && next) {
+      options.index = next;
+      index += 1;
+    } else if (token === '--max-shards' && next) {
+      options.maxShards = Number.parseInt(next, 10);
+      index += 1;
+    } else if (token === '--shard-sample' && next) {
+      options.shardSample = Number.parseInt(next, 10);
+      index += 1;
+    } else if (token === '--help' || token === '-h') {
+      options.help = true;
+    }
+  }
+
+  return options;
+}
+
+function printHelp() {
+  const lines = [
+    'Usage: node scripts/errorbook-registry-health-gate.js [options]',
+    '',
+    'Options:',
+    '  --strict                Exit with code 2 when health check reports errors',
+    '  --no-strict             Force advisory mode even if env is strict',
+    '  --project-path <path>   Override project path (default: cwd)',
+    '  --config <path>         Registry config path override',
+    '  --cache <path>          Registry cache path override',
+    '  --source <url-or-path>  Override registry source JSON',
+    '  --source-name <name>    Override registry source label',
+    '  --index <url-or-path>   Override registry index JSON',
+    '  --max-shards <n>        Max index-resolved shards to validate (default: 8)',
+    '  --shard-sample <n>      Number of shard files to fetch for validation (default: 2)',
+    '  --json                  Print JSON payload',
+    '  -h, --help              Show this help',
+    '',
+    'Environment:',
+    '  SCE_REGISTRY_HEALTH_STRICT=1 enables strict mode by default'
+  ];
+  process.stdout.write(`${lines.join('\n')}\n`);
+}
+
+async function runErrorbookRegistryHealthGateScript(options = {}) {
+  const health = await runErrorbookRegistryHealthCommand({
+    config: options.config,
+    cache: options.cache,
+    source: options.source,
+    sourceName: options.sourceName,
+    index: options.index,
+    maxShards: options.maxShards,
+    shardSample: options.shardSample,
+    silent: true
+  }, {
+    projectPath: options.projectPath
+  });
+
+  if (options.json) {
+    process.stdout.write(`${JSON.stringify({
+      ...health,
+      mode: 'errorbook-registry-health-gate',
+      strict: options.strict === true
+    }, null, 2)}\n`);
+  } else if (health.passed) {
+    process.stdout.write('[errorbook-registry-health-gate] passed\n');
+    process.stdout.write(
+      `[errorbook-registry-health-gate] sources=${health.config.source_count} warnings=${health.warning_count} errors=0\n`
+    );
+  } else {
+    process.stdout.write('[errorbook-registry-health-gate] alert\n');
+    process.stdout.write(
+      `[errorbook-registry-health-gate] sources=${health.config.source_count} warnings=${health.warning_count} errors=${health.error_count}\n`
+    );
+    health.errors.slice(0, 20).forEach((message) => {
+      process.stdout.write(`[errorbook-registry-health-gate] error=${message}\n`);
+    });
+  }
+
+  const exitCode = options.strict && !health.passed ? 2 : 0;
+  return {
+    ...health,
+    mode: 'errorbook-registry-health-gate',
+    strict: options.strict === true,
+    exit_code: exitCode
+  };
+}
+
+if (require.main === module) {
+  const options = parseArgs(process.argv.slice(2));
+  if (options.help) {
+    printHelp();
+    process.exit(0);
+  }
+
+  runErrorbookRegistryHealthGateScript(options)
+    .then((result) => {
+      process.exitCode = result.exit_code;
+    })
+    .catch((error) => {
+      const payload = {
+        mode: 'errorbook-registry-health-gate',
+        passed: false,
+        error: error.message
+      };
+      if (options.json) {
+        process.stdout.write(`${JSON.stringify(payload, null, 2)}\n`);
+      } else {
+        process.stderr.write(`[errorbook-registry-health-gate] error=${error.message}\n`);
+      }
+      process.exitCode = 1;
+    });
+}
+
+module.exports = {
+  parseArgs,
+  runErrorbookRegistryHealthGateScript
+};

package/scripts/errorbook-release-gate.js

@@ -0,0 +1,132 @@
+#!/usr/bin/env node
+'use strict';
+
+const path = require('path');
+const { evaluateErrorbookReleaseGate } = require('../lib/commands/errorbook');
+
+function parseArgs(argv = []) {
+  const options = {
+    minRisk: 'high',
+    minQuality: 70,
+    includeVerified: false,
+    failOnBlock: false,
+    json: false,
+    projectPath: process.cwd()
+  };
+
+  for (let index = 0; index < argv.length; index += 1) {
+    const token = argv[index];
+    const next = argv[index + 1];
+
+    if (token === '--min-risk' && next) {
+      options.minRisk = `${next}`.trim().toLowerCase();
+      index += 1;
+    } else if (token === '--min-quality' && next) {
+      const parsed = Number.parseInt(`${next}`, 10);
+      if (Number.isFinite(parsed)) {
+        options.minQuality = Math.max(0, Math.min(100, parsed));
+      }
+      index += 1;
+    } else if (token === '--include-verified') {
+      options.includeVerified = true;
+    } else if (token === '--fail-on-block') {
+      options.failOnBlock = true;
+    } else if (token === '--json') {
+      options.json = true;
+    } else if (token === '--project-path' && next) {
+      options.projectPath = path.resolve(next);
+      index += 1;
+    } else if (token === '--help' || token === '-h') {
+      options.help = true;
+    }
+  }
+
+  return options;
+}
+
+function printHelp() {
+  const lines = [
+    'Usage: node scripts/errorbook-release-gate.js [options]',
+    '',
+    'Options:',
+    '  --min-risk <level>      Risk threshold to block release (low|medium|high, default: high)',
+    '  --min-quality <0-100>   Minimum curation quality for unresolved entries (default: 70)',
+    '  --include-verified      Also inspect verified (non-promoted) entries for risk threshold',
+    '                          (temporary mitigation policy is always enforced for active entries)',
+    '  --fail-on-block         Exit with code 2 when gate is blocked',
+    '  --project-path <path>   Override project path (default: cwd)',
+    '  --json                  Print JSON payload',
+    '  -h, --help              Show this help'
+  ];
+  process.stdout.write(`${lines.join('\n')}\n`);
+}
+
+async function runErrorbookReleaseGateScript(options = {}) {
+  const payload = await evaluateErrorbookReleaseGate({
+    minRisk: options.minRisk,
+    minQuality: options.minQuality,
+    includeVerified: options.includeVerified
+  }, {
+    projectPath: options.projectPath
+  });
+
+  if (options.json) {
+    process.stdout.write(`${JSON.stringify(payload, null, 2)}\n`);
+  } else if (payload.passed) {
+    process.stdout.write('[errorbook-release-gate] passed\n');
+    process.stdout.write(`[errorbook-release-gate] inspected=${payload.inspected_count} blocked=0\n`);
+  } else {
+    process.stdout.write('[errorbook-release-gate] blocked\n');
+    process.stdout.write(
+      `[errorbook-release-gate] inspected=${payload.inspected_count} blocked=${payload.blocked_count} min-risk=${payload.gate.min_risk} min-quality=${payload.gate.min_quality}\n`
+    );
+    process.stdout.write(
+      `[errorbook-release-gate] risk-blocked=${payload.risk_blocked_count || 0} curation-blocked=${payload.curation_blocked_count || 0} mitigation-blocked=${payload.mitigation_blocked_count || 0}\n`
+    );
+    payload.blocked_entries.slice(0, 20).forEach((item) => {
+      const policy = Array.isArray(item.policy_violations) && item.policy_violations.length > 0
+        ? ` policy=${item.policy_violations.join('|')}`
+        : '';
+      process.stdout.write(
+        `[errorbook-release-gate] entry=${item.id} risk=${item.risk} status=${item.status} quality=${item.quality_score}${policy}\n`
+      );
+    });
+  }
+
+  const exitCode = options.failOnBlock && !payload.passed ? 2 : 0;
+  return {
+    ...payload,
+    exit_code: exitCode
+  };
+}
+
+if (require.main === module) {
+  const options = parseArgs(process.argv.slice(2));
+  if (options.help) {
+    printHelp();
+    process.exit(0);
+  }
+
+  runErrorbookReleaseGateScript(options)
+    .then((result) => {
+      process.exitCode = result.exit_code;
+    })
+    .catch((error) => {
+      const payload = {
+        mode: 'errorbook-release-gate',
+        passed: false,
+        error: error.message
+      };
+      if (options.json) {
+        process.stdout.write(`${JSON.stringify(payload, null, 2)}\n`);
+      } else {
+        process.stderr.write(`[errorbook-release-gate] error=${error.message}\n`);
+      }
+      process.exitCode = 1;
+    });
+}
+
+module.exports = {
+  parseArgs,
+  runErrorbookReleaseGateScript
+};