@blamejs/exceptd-skills 0.10.0 → 0.10.2

package/bin/exceptd.js

@@ -101,7 +101,7 @@ const ORCHESTRATOR_PASSTHROUGH = new Set([
 
 // Seven-phase playbook verbs handled in-process (no subprocess dispatch).
 const PLAYBOOK_VERBS = new Set([
-  "plan", "govern", "direct", "look", "run", "ingest", "reattest",
+  "plan", "govern", "direct", "look", "run", "ingest", "reattest", "list-attestations",
 ]);
 
 function readPkgVersion() {
@@ -149,8 +149,9 @@ Analyst:
 
 Playbook runner — seven-phase contract
 (govern → direct → look → detect → analyze → validate → close):
-  plan [--playbook id]...    List playbooks + directives (planning JSON).
-                             [--mode m] [--session-id id] [--pretty]
+  plan [--playbook id]...    List playbooks + directives, grouped by scope.
+                             [--scope system|code|service|cross-cutting|all]
+                             [--flat] [--mode m] [--session-id id] [--pretty]
   govern <playbook>          Phase 1: GRC context (jurisdictions, theater,
                              framework gaps, skill_preload).
                              [--directive id] [--mode m] [--air-gap]
@@ -160,8 +161,14 @@ Playbook runner — seven-phase contract
   look <playbook>            Phase 3: artifact-collection spec the host AI
                              should execute.
                              [--directive id] [--air-gap]
-  run <playbook>             Phases 4-7: detect → analyze → validate → close
-                             from an agent submission JSON.
+  run [playbook]             Phases 4-7: detect → analyze → validate → close.
+                             Three invocation modes:
+                               run <playbook>           single playbook (explicit)
+                               run --scope <type>       run all playbooks of that scope
+                               run --all                run every playbook
+                               run                      auto-detect from cwd:
+                                                          .git/         → code
+                                                          /proc + os-release → system
                              [--directive id] [--evidence file|-]
                              [--session-id id] [--session-key hex]
                              [--force-stale] [--air-gap]
@@ -320,8 +327,15 @@ function firstDirectiveId(runner, playbookId) {
 }
 
 function dispatchPlaybook(cmd, argv) {
+  // Per-verb --help / -h before any positional-arg validation so users always
+  // get usage text instead of an error about missing arguments.
+  if (argv.includes("--help") || argv.includes("-h")) {
+    printPlaybookVerbHelp(cmd);
+    process.exit(0);
+  }
+
   const args = parseArgs(argv, {
-    bool:  ["pretty", "air-gap", "force-stale"],
+    bool:  ["pretty", "air-gap", "force-stale", "all", "flat", "directives", "ci", "latest", "diff-from-latest"],
     multi: ["playbook"],
   });
   const pretty = !!args.pretty;
@@ -350,24 +364,190 @@ function dispatchPlaybook(cmd, argv) {
       case "run":      return cmdRun(runner, args, runOpts, pretty);
       case "ingest":   return cmdIngest(runner, args, runOpts, pretty);
       case "reattest": return cmdReattest(runner, args, runOpts, pretty);
+      case "list-attestations": return cmdListAttestations(runner, args, runOpts, pretty);
     }
   } catch (e) {
     emitError(e.message, { verb: cmd }, pretty);
   }
 }
 
+function printPlaybookVerbHelp(verb) {
+  const cmds = {
+    plan: `plan — list playbooks + directives, grouped by scope.
+
+Flags:
+  --playbook <id> ...     Filter to one or more playbook IDs.
+  --scope <type>          Filter by scope: system | code | service | cross-cutting | all
+  --flat                  Disable grouped-by-scope output; emit flat list.
+  --directives            Include directive id + title + applies_to per playbook.
+  --session-id <id>       Reuse a specific session ID for the planning output.
+  --mode <m>              Investigation mode forwarded into govern.
+  --pretty                Indented JSON output.`,
+    govern: `govern <playbook> — phase 1, load GRC context for a playbook.
+
+Args / flags:
+  <playbook>              Playbook ID. Required positional.
+  --directive <id>        Specific directive (default: first one).
+  --mode <m>              Investigation mode forwarded into govern policy.
+  --air-gap               Honor _meta.air_gap_mode + air_gap_alternative paths.
+  --pretty                Indented JSON output.
+
+Output: jurisdiction_obligations, theater_fingerprints, framework_context, skill_preload.`,
+    direct: `direct <playbook> — phase 2, threat context + skill chain + token budget.
+
+Args / flags:
+  <playbook>              Required positional.
+  --directive <id>        Specific directive (default: first one).
+  --pretty                Indented JSON output.`,
+    look: `look <playbook> — phase 3, artifact-collection spec the host AI executes.
+
+Args / flags:
+  <playbook>              Required positional.
+  --directive <id>        Specific directive (default: first one).
+  --air-gap               Honor air_gap_alternative paths.
+  --pretty                Indented JSON output.
+
+Output includes a 'preconditions' array — the host AI MUST verify each
+precondition with its own probes and declare results back in the submission as:
+  { "precondition_checks": { "<id>": true | false } }
+The runner refuses the run if a precondition with on_fail=halt is unverified.`,
+    run: `run [playbook] — phases 4-7 (detect → analyze → validate → close).
+
+Invocation modes:
+  run <playbook>          Single playbook (explicit).
+  run --scope <type>      Run all playbooks of that scope.
+  run --all               Run every playbook.
+  run                     Auto-detect from cwd:
+                            .git/                  → code playbooks
+                            /proc + os-release     → system playbooks
+                          Always includes cross-cutting playbooks.
+
+Flags:
+  --directive <id>        Specific directive (default: first one per playbook).
+  --evidence <file|->     Path to submission JSON or '-' for stdin.
+                          Single-playbook shape:
+                            { artifacts, signal_overrides, signals, precondition_checks }
+                          Multi-playbook shape:
+                            { "<playbook_id>": { artifacts, ... }, ... }
+  --vex <file>            Load a CycloneDX or OpenVEX document. CVEs marked
+                          not_affected | resolved | false_positive (CycloneDX)
+                          or not_affected | fixed (OpenVEX) drop out of
+                          analyze.matched_cves. The disposition is preserved
+                          under analyze.vex.dropped_cves.
+  --diff-from-latest      Compare evidence_hash against the most recent prior
+                          attestation for the same playbook in
+                          .exceptd/attestations/. Emits status: unchanged | drifted.
+  --ci                    Machine-readable verdict for CI gates. Exits non-zero
+                          (code 2) when phases.detect.classification === 'detected'
+                          OR phases.analyze.rwep.adjusted >= rwep_threshold.escalate.
+                          Logs PASS/FAIL reason to stderr.
+  --session-id <id>       Reuse a specific session ID.
+  --session-key <hex>     HMAC sign the evidence_package with this key.
+  --force-stale           Override the threat_currency_score < 50 hard-block.
+  --air-gap               Honor air_gap_alternative paths.
+  --pretty                Indented JSON output.
+
+Attestation is persisted to .exceptd/attestations/<session_id>/ on every
+successful run (single: attestation.json; multi: <playbook_id>.json).`,
+    ingest: `ingest — alias for 'run' matching AGENTS.md terminology.
+
+Flags:
+  --domain <id>           Playbook ID (overrides submission.playbook_id).
+  --directive <id>        Directive ID (overrides submission.directive_id).
+  --evidence <file|->     Submission JSON. May include playbook_id/directive_id.
+  --pretty                Indented JSON output.`,
+    reattest: `reattest [<session-id> | --latest] — replay a prior session and diff the evidence_hash.
+
+Args / flags:
+  <session-id>            Looks under .exceptd/attestations/<id>/attestation.json.
+  --latest                Find the most-recent attestation automatically.
+  --playbook <id>         Restrict --latest to a specific playbook.
+  --since <ISO>           Restrict --latest to attestations after this ISO 8601 timestamp.
+  --pretty                Indented JSON output.
+
+Reports: unchanged | drifted | resolved from evidence_hash + classification deltas.`,
+    "list-attestations": `list-attestations [--playbook <id>] — enumerate prior attestations.
+
+Args / flags:
+  --playbook <id>         Filter to one playbook.
+  --pretty                Indented JSON output.
+
+Lists every attestation under .exceptd/attestations/<session_id>/, sorted
+newest-first, with truncated evidence_hash + capture timestamp + file path.`,
+  };
+  process.stdout.write((cmds[verb] || `${verb} — no per-verb help available; see \`exceptd help\` for the full list.`) + "\n");
+}
+
 function cmdPlan(runner, args, runOpts, pretty) {
-  const playbookIds = args.playbook
+  let playbookIds = args.playbook
     ? (Array.isArray(args.playbook) ? args.playbook : [args.playbook])
     : null;
+  // --scope filters playbook list by _meta.scope.
+  if (!playbookIds && args.scope) {
+    playbookIds = filterPlaybooksByScope(runner, args.scope);
+  }
   const plan = runner.plan({
     playbookIds: playbookIds || undefined,
     mode: runOpts.mode,
     session_id: runOpts.session_id,
   });
+  // Default UX: group by scope unless --flat or a filter was applied.
+  if (!args.flat && !playbookIds) {
+    plan.grouped_by_scope = groupPlaybooksByScope(plan.playbooks);
+    plan.scope_summary = Object.fromEntries(
+      Object.entries(plan.grouped_by_scope).map(([s, list]) => [s, list.length])
+    );
+  }
+  // --directives expands each playbook entry with its directive id + title +
+  // applies_to so operators / AIs can pick a specific directive without
+  // grepping playbook source.
+  if (args.directives) {
+    for (const pb of plan.playbooks) {
+      const full = runner.loadPlaybook(pb.id);
+      pb.directives = full.directives.map(d => ({ id: d.id, title: d.title, applies_to: d.applies_to }));
+    }
+  }
   emit(plan, pretty);
 }
 
+function filterPlaybooksByScope(runner, scope) {
+  const ids = runner.listPlaybooks();
+  return ids.filter(id => {
+    try {
+      const pb = runner.loadPlaybook(id);
+      return scope === "all" || pb._meta.scope === scope;
+    } catch { return false; }
+  });
+}
+
+function groupPlaybooksByScope(playbooks) {
+  const groups = {};
+  for (const pb of playbooks) {
+    const scope = pb.scope || pb._meta?.scope || "unscoped";
+    (groups[scope] = groups[scope] || []).push(pb.id);
+  }
+  return groups;
+}
+
+/**
+ * Auto-detect which scopes apply to the cwd. Returns an array of scope strings.
+ * - `code`     when the cwd looks like a git repo
+ * - `system`   when /proc + /etc/os-release exist (Linux host)
+ * - `service`  always included as advisory — service investigations don't
+ *              depend on cwd; the operator/AI decides whether to run them
+ *
+ * Returns at minimum `['cross-cutting']` so framework correlation can always
+ * run after other findings land.
+ */
+function detectScopes() {
+  const detected = [];
+  if (fs.existsSync(path.join(process.cwd(), ".git"))) detected.push("code");
+  if (fs.existsSync("/proc") && fs.existsSync("/etc/os-release")) detected.push("system");
+  // service playbooks need explicit invocation — they have side effects
+  // (probing remote endpoints) so we don't auto-include them.
+  return detected.length ? detected : ["cross-cutting"];
+}
+
 function cmdGovern(runner, args, runOpts, pretty) {
   const playbookId = args._[0];
   if (!playbookId) return emitError("govern: missing <playbookId> positional argument.", null, pretty);
@@ -396,8 +576,32 @@ function cmdLook(runner, args, runOpts, pretty) {
 }
 
 function cmdRun(runner, args, runOpts, pretty) {
-  const playbookId = args._[0];
-  if (!playbookId) return emitError("run: missing <playbookId> positional argument.", null, pretty);
+  const positional = args._[0];
+
+  // Multi-playbook dispatch path. Triggered by --all, --scope <type>, or by
+  // a bare `exceptd run` (no positional, no flags) which auto-detects scopes
+  // from the cwd.
+  if (!positional && (args.all || args.scope)) {
+    let ids;
+    if (args.all) {
+      ids = runner.listPlaybooks();
+    } else {
+      ids = filterPlaybooksByScope(runner, args.scope);
+    }
+    return cmdRunMulti(runner, ids, args, runOpts, pretty, { trigger: args.all ? "--all" : `--scope ${args.scope}` });
+  }
+  if (!positional && !args.all && !args.scope) {
+    const scopes = detectScopes();
+    const ids = scopes.flatMap(s => filterPlaybooksByScope(runner, s));
+    const unique = [...new Set(ids)];
+    if (unique.length === 0) {
+      return emitError("run: no playbook resolved. Pass <playbookId>, --scope <type>, or --all.", null, pretty);
+    }
+    return cmdRunMulti(runner, unique, args, runOpts, pretty, { trigger: "auto-detect", detected_scopes: scopes });
+  }
+
+  // Single-playbook path (existing behavior).
+  const playbookId = positional;
   const pb = runner.loadPlaybook(playbookId);
   const directiveId = args.directive || (pb.directives[0] && pb.directives[0].id);
   if (!directiveId) return emitError(`run: playbook ${playbookId} has no directives.`, null, pretty);
@@ -417,6 +621,19 @@ function cmdRun(runner, args, runOpts, pretty) {
     runOpts.precondition_checks = submission.precondition_checks;
   }
 
+  // --vex <file>: load a CycloneDX/OpenVEX document and pass the not_affected
+  // CVE ID set through to analyze() so matched_cves drops them.
+  if (args.vex) {
+    try {
+      const vexDoc = JSON.parse(fs.readFileSync(args.vex, "utf8"));
+      const vexSet = runner.vexFilterFromDoc(vexDoc);
+      submission.signals = submission.signals || {};
+      submission.signals.vex_filter = [...vexSet];
+    } catch (e) {
+      return emitError(`run: failed to load --vex ${args.vex}: ${e.message}`, null, pretty);
+    }
+  }
+
   const result = runner.run(playbookId, directiveId, submission, runOpts);
 
   // Persist attestation for reattest cycles when the run succeeded.
@@ -443,9 +660,146 @@ function cmdRun(runner, args, runOpts, pretty) {
     process.stderr.write((pretty ? JSON.stringify(result, null, 2) : JSON.stringify(result)) + "\n");
     process.exit(1);
   }
+
+  // --diff-from-latest: compare evidence_hash against the most recent prior
+  // attestation for this playbook. Drift mode for cron baselines.
+  // We've already persisted the CURRENT attestation above, so the find must
+  // skip our session_id to get the actual prior one.
+  if (args["diff-from-latest"] && result && result.evidence_hash) {
+    const prior = findLatestAttestation({ playbookId, excludeSessionId: result.session_id });
+    if (prior) {
+      const priorHash = prior.parsed.evidence_hash;
+      result.diff_from_latest = {
+        prior_session_id: prior.parsed.session_id,
+        prior_captured_at: prior.parsed.captured_at,
+        prior_evidence_hash: priorHash,
+        new_evidence_hash: result.evidence_hash,
+        status: priorHash === result.evidence_hash ? "unchanged" : "drifted",
+      };
+    } else {
+      result.diff_from_latest = { status: "no_prior_attestation_for_playbook", playbook_id: playbookId };
+    }
+  }
+
+  // --ci: machine-readable verdict for CI gates.
+  //
+  // The detect phase classification is the host-specific signal — "is THIS
+  // environment exploitable for the catalogued CVEs". rwep.base is the
+  // worst-known catalog score for the domain, which is roughly constant
+  // regardless of the local environment; we don't fail CI on that alone or
+  // every CI run against a domain with KEV-listed catalog entries would
+  // perma-fail.
+  //
+  // Verdict:
+  //   detected                → FAIL (exit 2)
+  //   inconclusive + rwep ≥ escalate
+  //                           → FAIL (the agent's evidence raised RWEP)
+  //   not_detected            → PASS (exit 0)
+  //   inconclusive + rwep < escalate
+  //                           → PASS with WARN to stderr (visibility gap)
+  if (args.ci && result && result.phases) {
+    const classification = result.phases.detect && result.phases.detect.classification;
+    const rwep = result.phases.analyze && result.phases.analyze.rwep;
+    const threshold = rwep && rwep.threshold && rwep.threshold.escalate;
+    const adjusted = rwep && typeof rwep.adjusted === "number" ? rwep.adjusted : 0;
+    const escalate = typeof threshold === "number" && adjusted >= threshold;
+
+    emit(result, pretty);
+
+    if (classification === "detected") {
+      process.stderr.write(`[exceptd run --ci] FAIL: classification=detected rwep=${adjusted} threshold=${threshold}\n`);
+      process.exit(2);
+    }
+    if (classification === "inconclusive" && escalate) {
+      process.stderr.write(`[exceptd run --ci] FAIL: classification=inconclusive AND rwep=${adjusted} >= threshold=${threshold}\n`);
+      process.exit(2);
+    }
+    if (classification === "inconclusive") {
+      process.stderr.write(`[exceptd run --ci] PASS+WARN: classification=inconclusive rwep=${adjusted} < threshold=${threshold} (visibility gap)\n`);
+    } else {
+      process.stderr.write(`[exceptd run --ci] PASS: classification=${classification} rwep=${adjusted}\n`);
+    }
+    return;
+  }
+
   emit(result, pretty);
 }
 
+/**
+ * Multi-playbook run. Iterates `ids` (already filtered by scope or auto-detect),
+ * runs each through runner.run with a shared session_id, persists each
+ * attestation under .exceptd/attestations/<session_id>/<playbook_id>.json, and
+ * emits a single aggregate bundle. Refuses if no evidence is provided (the
+ * host AI MUST submit observations per playbook — the engine can't synthesize them).
+ *
+ * Evidence shape for multi-run: { <playbook_id>: { artifacts, signal_overrides, signals, precondition_checks } }
+ * Falls back to running every playbook with empty evidence (engine returns
+ * inconclusive findings + visibility gaps) when no --evidence is given.
+ */
+function cmdRunMulti(runner, ids, args, runOpts, pretty, meta) {
+  const sessionId = runOpts.session_id || require("crypto").randomBytes(8).toString("hex");
+  runOpts.session_id = sessionId;
+
+  let bundle = {};
+  if (args.evidence) {
+    try { bundle = readEvidence(args.evidence); } catch (e) {
+      return emitError(`run: failed to read evidence bundle: ${e.message}`, { evidence: args.evidence }, pretty);
+    }
+  }
+
+  const results = [];
+  for (const id of ids) {
+    const pb = runner.loadPlaybook(id);
+    const directiveId = args.directive || (pb.directives[0] && pb.directives[0].id);
+    if (!directiveId) {
+      results.push({ playbook_id: id, ok: false, error: "no directives" });
+      continue;
+    }
+    const submission = bundle[id] || {};
+    const perRunOpts = { ...runOpts };
+    if (submission.precondition_checks) perRunOpts.precondition_checks = submission.precondition_checks;
+
+    const result = runner.run(id, directiveId, submission, perRunOpts);
+
+    // Persist per-playbook attestation under the shared session.
+    if (result && result.ok) {
+      try {
+        const dir = path.join(process.cwd(), ".exceptd", "attestations", sessionId);
+        fs.mkdirSync(dir, { recursive: true });
+        fs.writeFileSync(
+          path.join(dir, `${id}.json`),
+          JSON.stringify({
+            session_id: sessionId,
+            playbook_id: id,
+            directive_id: directiveId,
+            evidence_hash: result.evidence_hash,
+            submission,
+            run_opts: { airGap: perRunOpts.airGap, forceStale: perRunOpts.forceStale, mode: perRunOpts.mode },
+            captured_at: new Date().toISOString(),
+          }, null, 2)
+        );
+      } catch { /* non-fatal */ }
+    }
+    results.push(result);
+  }
+
+  emit({
+    ok: results.every(r => r.ok !== false),
+    session_id: sessionId,
+    trigger: meta.trigger,
+    detected_scopes: meta.detected_scopes || null,
+    playbooks_run: ids,
+    summary: {
+      total: results.length,
+      succeeded: results.filter(r => r.ok !== false).length,
+      blocked: results.filter(r => r.ok === false).length,
+      detected: results.filter(r => r.phases?.detect?.classification === "detected").length,
+      inconclusive: results.filter(r => r.phases?.detect?.classification === "inconclusive").length,
+    },
+    results,
+  }, pretty);
+}
+
 function cmdIngest(runner, args, runOpts, pretty) {
   // `ingest` matches the AGENTS.md ingest contract. The submission JSON may
   // carry playbook_id + directive_id; --domain/--directive flags override.
@@ -504,11 +858,52 @@ function cmdIngest(runner, args, runOpts, pretty) {
   emit(result, pretty);
 }
 
+/**
+ * Find the latest attestation file under .exceptd/attestations/.
+ * Filters: optional playbook ID and optional "since" ISO timestamp.
+ * Returns { sessionId, playbookId, file, parsed } or null.
+ */
+function findLatestAttestation(opts = {}) {
+  const root = path.join(process.cwd(), ".exceptd", "attestations");
+  if (!fs.existsSync(root)) return null;
+  const sessions = fs.readdirSync(root, { withFileTypes: true })
+    .filter(d => d.isDirectory())
+    .map(d => d.name);
+  const candidates = [];
+  for (const sid of sessions) {
+    const sdir = path.join(root, sid);
+    for (const f of fs.readdirSync(sdir).filter(x => x.endsWith(".json"))) {
+      try {
+        const p = path.join(sdir, f);
+        const j = JSON.parse(fs.readFileSync(p, "utf8"));
+        if (opts.playbookId && j.playbook_id !== opts.playbookId) continue;
+        if (opts.since && (j.captured_at || "") < opts.since) continue;
+        if (opts.excludeSessionId && sid === opts.excludeSessionId) continue;
+        candidates.push({ sessionId: sid, playbookId: j.playbook_id, file: p, parsed: j });
+      } catch { /* skip malformed */ }
+    }
+  }
+  candidates.sort((a, b) => (b.parsed.captured_at || "").localeCompare(a.parsed.captured_at || ""));
+  return candidates[0] || null;
+}
+
 function cmdReattest(runner, args, runOpts, pretty) {
-  const sessionId = args._[0];
-  if (!sessionId) return emitError("reattest: missing <session-id> positional argument.", null, pretty);
+  // --latest [--playbook <id>] [--since <ISO>] — find prior attestation
+  // without requiring the operator to know the session-id.
+  let sessionId = args._[0];
+  let attFile = null;
+  if (!sessionId && args.latest) {
+    const found = findLatestAttestation({
+      playbookId: args.playbook ? (Array.isArray(args.playbook) ? args.playbook[0] : args.playbook) : null,
+      since: args.since || null,
+    });
+    if (!found) return emitError("reattest: --latest found no matching attestations.", { filter: { playbook: args.playbook || null, since: args.since || null } }, pretty);
+    sessionId = found.sessionId;
+    attFile = found.file;
+  }
+  if (!sessionId) return emitError("reattest: missing <session-id>. Pass a session-id or --latest [--playbook <id>] [--since <ISO>].", null, pretty);
   const dir = path.join(process.cwd(), ".exceptd", "attestations", sessionId);
-  const attFile = path.join(dir, "attestation.json");
+  if (!attFile) attFile = path.join(dir, "attestation.json");
   if (!fs.existsSync(attFile)) {
     return emitError(`reattest: no attestation found at ${path.relative(process.cwd(), attFile)}`, { session_id: sessionId }, pretty);
   }
@@ -580,6 +975,44 @@ function cmdReattest(runner, args, runOpts, pretty) {
   }, pretty);
 }
 
+function cmdListAttestations(runner, args, runOpts, pretty) {
+  const root = path.join(process.cwd(), ".exceptd", "attestations");
+  if (!fs.existsSync(root)) {
+    return emit({ ok: true, attestations: [], note: `No attestations directory at ${path.relative(process.cwd(), root)}` }, pretty);
+  }
+  const sessions = fs.readdirSync(root, { withFileTypes: true })
+    .filter(d => d.isDirectory())
+    .map(d => d.name);
+
+  const entries = [];
+  for (const sid of sessions) {
+    const sdir = path.join(root, sid);
+    const files = fs.readdirSync(sdir).filter(f => f.endsWith(".json"));
+    for (const f of files) {
+      try {
+        const j = JSON.parse(fs.readFileSync(path.join(sdir, f), "utf8"));
+        // Apply --playbook filter if supplied.
+        if (args.playbook && j.playbook_id !== args.playbook) continue;
+        entries.push({
+          session_id: sid,
+          playbook_id: j.playbook_id,
+          directive_id: j.directive_id,
+          evidence_hash: j.evidence_hash ? j.evidence_hash.slice(0, 16) + "..." : null,
+          captured_at: j.captured_at || null,
+          file: path.relative(process.cwd(), path.join(sdir, f)),
+        });
+      } catch { /* skip malformed */ }
+    }
+  }
+  entries.sort((a, b) => (b.captured_at || "").localeCompare(a.captured_at || ""));
+  emit({
+    ok: true,
+    attestations: entries,
+    count: entries.length,
+    filter: { playbook: args.playbook || null },
+  }, pretty);
+}
+
 if (require.main === module) main();
 
 module.exports = { COMMANDS, PKG_ROOT, PLAYBOOK_VERBS };

package/data/_indexes/_meta.json

@@ -1,10 +1,10 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-12T05:54:24.968Z",
+  "generated_at": "2026-05-12T13:50:32.319Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 49,
   "source_hashes": {
-    "manifest.json": "d10eff5e3267bca05be76ef3146f0ccd995a4d5a2dd5c958430b251432dfadff",
+    "manifest.json": "3614ad87835688365283c95a8b7af1d66f14928c07efef750c206ba2f13aab33",
     "data/atlas-ttps.json": "1500b5830dab070c4252496964a8c0948e1052a656e2c7c6e1efaf0350645e13",
     "data/cve-catalog.json": "a81d3e4b491b27ccc084596b063a6108ff10c9eb01d7776922fc393980b534fe",
     "data/cwe-catalog.json": "c3367d469b4b3d31e4c56397dd7a8305a0be338ecd85afa27804c0c9ce12157b",