@blamejs/exceptd-skills 0.10.2 → 0.10.3

package/CHANGELOG.md

@@ -1,5 +1,36 @@
 # Changelog
 
+## 0.10.3 — 2026-05-12
+
+**Patch: 14 operator-reported items — 5 bugs + 9 features.**
+
+### Bugs
+
+1. **`exceptd validate-cves` crashed with `MODULE_NOT_FOUND`** in the installed npm package because `sources/` wasn't in the `files` allowlist. Two-part fix: (a) `sources/validators/` added to `package.json` `files`; (b) `runValidateCves` now wraps the require in the same try/catch graceful-fallback pattern `runValidateRfcs` was already using, so the command degrades to offline mode instead of crashing.
+2. **Inconsistent error shapes across verbs.** `exceptd <unknown>` and `exceptd skill <missing>` emitted plain stderr text while seven-phase verbs emitted structured JSON. Unified: every CLI verb now emits `{ok:false,error,hint,verb}` JSON on error so operators piping through `jq` get one shape.
+3. **`prefetch --no-network --quiet` was completely silent on success.** Now emits a one-line `prefetch summary: …` unconditionally; `--quiet` suppresses only the per-entry chatter.
+4. **`plan --directives` exposed `id + title + applies_to` only — no `description`.** Now also surfaces a `description` field (falls back through explicit `directive.description` → `phase_overrides.direct.threat_context` → playbook-level `direct.threat_context` first sentence → `domain.name`) plus a `threat_context_preview`. Operators / AIs get operator-facing prose, not just an ID + enum.
+5. **Analyst verbs (`scan`/`dispatch`/`currency`/`watchlist`/`report`) defaulted to human-readable text** while every seven-phase verb defaulted to JSON. Added `--json` flag passthrough across all analyst verbs. Operators scripting around both surfaces now have a consistent switch.
+
+### Features
+
+6. **`run --explain` dry-run** — emits preconditions, required + optional artifacts (with fallback notes), recognized signal keys with types + deterministic flags, and a `submission_skeleton` JSON the operator can fill in. No detect/analyze/validate/close happens. Lets operators preview before assembling evidence.
+7. **`attest <subverb> <session-id>`** — `attest export` emits redacted JSON for audit submission (strips raw artifact values, preserves evidence_hash + signature + classification + RWEP + remediation choice + residual risk acceptance). `--format csaf` wraps the export in a CSAF envelope. `attest verify` checks the `.sig` sidecar against `keys/public.pem` and reports tamper status. `attest show` emits the full unredacted attestation.
+8. **`run --signal-list`** — lighter than `--explain`; enumerates only the signal_overrides keys the detect phase recognizes plus the four valid `detection_classification` values. Closes the "agent submits a key and runner silently ignores it" gap (v0.10.1 bug #5).
+9. **Continuous-compliance: `run --evidence-dir <dir>`** — each `<playbook-id>.json` under the directory becomes that playbook's submission in a multi-playbook run. One cron job → full posture in one CSAF bundle. Pairs with `run --all`.
+10. **`validate-cves` + `validate-rfcs` gained `--since <ISO|YYYY-MM-DD>`** — scope-limit validation to entries whose `last_updated` / `cisa_kev_date` / `last_verified` / `published` is on or after the date. Cuts upstream calls for fleet operators running cron.
+11. **Ed25519-signed attestations** — every `attestation.json` now gets a `<file>.sig` sidecar. With `.keys/private.pem` present, the runner signs (matches the existing skill-signing convention). Without a private key, writes an `unsigned` marker file so downstream tooling can distinguish "operator declined signing" from "the .sig file was deleted by an attacker." `attest verify` cross-checks the signature against `keys/public.pem`.
+12. **`run --operator <name>`** — binds the attestation to a specific human or service identity. Persisted under `attestation.operator` for multi-operator audit-trail accountability.
+13. **`run --ack`** — explicit operator consent to the jurisdiction obligations surfaced by `govern`. Persisted under `attestation.operator_consent = { acked_at, explicit: true }`. Without `--ack`, the field is null (consent implicit / unverified).
+14. **`run --format <fmt>` repeatable** — emit the close.evidence_package in additional formats alongside the playbook-declared primary. Supported: `csaf-2.0` (primary), `sarif` (2.1.0 — GitHub Code Scanning / VS Code SARIF Viewer / Azure DevOps), `openvex` (0.2.0 — sigstore / in-toto / GUAC consumers), `markdown` (human review). Extras populate `close.evidence_package.bundles_by_format`.
+
+### Internal
+
+- `lib/playbook-runner.js` `buildEvidenceBundle` now handles `csaf-2.0`, `sarif` (with per-CVE rules + properties), `openvex` (with status derived from active_exploitation + live_patch_available), and `markdown`.
+- `bin/exceptd.js` `maybeSignAttestation` helper uses the same Ed25519 primitive as `lib/sign.js` against `.keys/private.pem`.
+- CSAF envelope cvss_v3.base_score now reflects the catalog's real cvss_score (previously hardcoded 0).
+- `submission.signals._bundle_formats` is the agent-side hook for requesting extra formats.
+
 ## 0.10.2 — 2026-05-12
 
 **Patch: v0.10.1 deferred set — framework-gap filter fix, VEX consumption, CI gating, drift mode, 2 new playbooks (13 total), feeds_into matrix.**

package/bin/exceptd.js

@@ -101,7 +101,7 @@ const ORCHESTRATOR_PASSTHROUGH = new Set([
 
 // Seven-phase playbook verbs handled in-process (no subprocess dispatch).
 const PLAYBOOK_VERBS = new Set([
-  "plan", "govern", "direct", "look", "run", "ingest", "reattest", "list-attestations",
+  "plan", "govern", "direct", "look", "run", "ingest", "reattest", "list-attestations", "attest",
 ]);
 
 function readPkgVersion() {
@@ -225,7 +225,11 @@ function main() {
 
   const resolver = COMMANDS[cmd];
   if (typeof resolver !== "function") {
-    process.stderr.write(`exceptd: unknown command "${cmd}". Run \`exceptd help\` for the list.\n`);
+    // Emit a structured JSON error matching the seven-phase verbs so operators
+    // piping through `jq` get one consistent shape across the CLI surface.
+    // Plain-text "unknown command" still reaches stderr for human readers.
+    const err = { ok: false, error: `unknown command "${cmd}"`, hint: "Run `exceptd help` for the list of verbs.", verb: cmd };
+    process.stderr.write(JSON.stringify(err) + "\n");
     process.exit(2);
   }
 
@@ -335,8 +339,9 @@ function dispatchPlaybook(cmd, argv) {
   }
 
   const args = parseArgs(argv, {
-    bool:  ["pretty", "air-gap", "force-stale", "all", "flat", "directives", "ci", "latest", "diff-from-latest"],
-    multi: ["playbook"],
+    bool:  ["pretty", "air-gap", "force-stale", "all", "flat", "directives",
+            "ci", "latest", "diff-from-latest", "explain", "signal-list", "ack"],
+    multi: ["playbook", "format"],
   });
   const pretty = !!args.pretty;
   const runOpts = {
@@ -346,6 +351,15 @@ function dispatchPlaybook(cmd, argv) {
   if (args["session-id"]) runOpts.session_id = args["session-id"];
   if (args["session-key"]) runOpts.session_key = args["session-key"];
   if (args.mode) runOpts.mode = args.mode;
+  // Multi-operator teams need attestations bound to a specific human or
+  // service identity. --operator <name> persists into the attestation file
+  // for audit-trail accountability. Free-form string; no validation.
+  if (args.operator) runOpts.operator = args.operator;
+  // --ack: operator acknowledges the jurisdiction obligations surfaced by
+  // govern. Captured in attestation; downstream tooling can check whether
+  // consent was explicit vs. implicit. AGENTS.md says the AI should surface
+  // and wait for ack — this is how the ack gets recorded.
+  if (args.ack) runOpts.operator_consent = { acked_at: new Date().toISOString(), explicit: true };
 
   let runner;
   try {
@@ -365,6 +379,7 @@ function dispatchPlaybook(cmd, argv) {
       case "ingest":   return cmdIngest(runner, args, runOpts, pretty);
       case "reattest": return cmdReattest(runner, args, runOpts, pretty);
       case "list-attestations": return cmdListAttestations(runner, args, runOpts, pretty);
+      case "attest": return cmdAttest(runner, args, runOpts, pretty);
     }
   } catch (e) {
     emitError(e.message, { verb: cmd }, pretty);
@@ -429,11 +444,27 @@ Flags:
                             { artifacts, signal_overrides, signals, precondition_checks }
                           Multi-playbook shape:
                             { "<playbook_id>": { artifacts, ... }, ... }
+  --evidence-dir <dir>    Read <playbook-id>.json files from a directory and
+                          merge into the multi-run bundle. Cron-friendly.
   --vex <file>            Load a CycloneDX or OpenVEX document. CVEs marked
                           not_affected | resolved | false_positive (CycloneDX)
                           or not_affected | fixed (OpenVEX) drop out of
                           analyze.matched_cves. The disposition is preserved
                           under analyze.vex.dropped_cves.
+  --format <fmt> ...      Emit the close.evidence_package bundle in additional
+                          formats. Repeatable. Supported: csaf-2.0 | sarif |
+                          openvex | markdown. CSAF is always primary; extras
+                          populate close.evidence_package.bundles_by_format.
+  --explain               Dry-run: emit preconditions, required artifacts,
+                          recognized signal keys, and a submission skeleton.
+                          Does not run detect/analyze/validate/close.
+  --signal-list           Emit only the signal_overrides keys the detect phase
+                          recognizes (lighter than --explain).
+  --operator <name>       Bind the attestation to a specific human/service
+                          identity. Persisted under attestation.operator.
+  --ack                   Mark explicit operator consent to the jurisdiction
+                          obligations surfaced by govern. Persisted under
+                          attestation.operator_consent.
   --diff-from-latest      Compare evidence_hash against the most recent prior
                           attestation for the same playbook in
                           .exceptd/attestations/. Emits status: unchanged | drifted.
@@ -474,6 +505,18 @@ Args / flags:
 
 Lists every attestation under .exceptd/attestations/<session_id>/, sorted
 newest-first, with truncated evidence_hash + capture timestamp + file path.`,
+    attest: `attest <subverb> <session-id> — auditor-facing attestation operations.
+
+Subverbs:
+  attest show <sid>       Emit the full (unredacted) attestation.
+  attest export <sid>     Emit redacted JSON suitable for audit submission.
+                          Strips raw artifact values; preserves evidence_hash,
+                          signature, classification, RWEP, remediation choice.
+                          --format csaf wraps the export in a CSAF envelope.
+  attest verify <sid>     Verify .sig sidecar against keys/public.pem.
+                          Reports tamper status per attestation file.
+
+All subverbs honor --pretty for indented JSON output.`,
   };
   process.stdout.write((cmds[verb] || `${verb} — no per-verb help available; see \`exceptd help\` for the full list.`) + "\n");
 }
@@ -498,13 +541,27 @@ function cmdPlan(runner, args, runOpts, pretty) {
       Object.entries(plan.grouped_by_scope).map(([s, list]) => [s, list.length])
     );
   }
-  // --directives expands each playbook entry with its directive id + title +
-  // applies_to so operators / AIs can pick a specific directive without
-  // grepping playbook source.
+  // --directives expands each playbook entry with directive id + title +
+  // applies_to + description. v0.10.3-aware fallback: pull description from
+  // (a) explicit d.description, (b) directive override threat_context,
+  // (c) playbook-level direct.threat_context first sentence, (d) playbook
+  // domain.name. Operators need operator-facing prose, not just an ID + enum.
   if (args.directives) {
     for (const pb of plan.playbooks) {
       const full = runner.loadPlaybook(pb.id);
-      pb.directives = full.directives.map(d => ({ id: d.id, title: d.title, applies_to: d.applies_to }));
+      const baseDirect = full.phases?.direct || {};
+      pb.directives = full.directives.map(d => {
+        const overrideDirect = d.phase_overrides?.direct || {};
+        const threatContext = overrideDirect.threat_context || baseDirect.threat_context || null;
+        const firstSentence = threatContext ? (threatContext.split(/(?<=[.!?])\s+/)[0] || "").slice(0, 240) : null;
+        return {
+          id: d.id,
+          title: d.title,
+          description: d.description || firstSentence || full.domain?.name || null,
+          applies_to: d.applies_to,
+          threat_context_preview: firstSentence,
+        };
+      });
     }
   }
   emit(plan, pretty);
@@ -606,6 +663,53 @@ function cmdRun(runner, args, runOpts, pretty) {
   const directiveId = args.directive || (pb.directives[0] && pb.directives[0].id);
   if (!directiveId) return emitError(`run: playbook ${playbookId} has no directives.`, null, pretty);
 
+  // --explain: dry-run that emits the preconditions + artifacts + indicators
+  // + signal keys the agent would need to supply, WITHOUT running detect/
+  // analyze/validate/close. Lets operators preview before assembling evidence.
+  if (args.explain) {
+    const lookPhase = runner.look(playbookId, directiveId, runOpts);
+    const detectPhase = runner.loadPlaybook(playbookId).phases?.detect || {};
+    const detectResolved = runner._resolvedPhase ? runner._resolvedPhase(pb, directiveId, "detect") : detectPhase;
+    emit({
+      verb: "run",
+      mode: "explain",
+      playbook_id: playbookId,
+      directive_id: directiveId,
+      scope: pb._meta?.scope || null,
+      preconditions: lookPhase.preconditions,
+      precondition_submission_shape: lookPhase.precondition_submission_shape,
+      artifacts_required: lookPhase.artifacts.filter(a => a.required).map(a => ({ id: a.id, type: a.type, source: a.source })),
+      artifacts_optional: lookPhase.artifacts.filter(a => !a.required).map(a => ({ id: a.id, type: a.type, source: a.source, fallback: lookPhase.fallback_if_unavailable.find(f => f.artifact_id === a.id) })),
+      signal_keys: (detectResolved.indicators || []).map(i => ({ id: i.id, type: i.type, deterministic: !!i.deterministic, confidence: i.confidence })),
+      detect_classification_override: { hint: "submit signals.detection_classification = 'detected' | 'inconclusive' | 'not_detected' | 'clean' to override engine-computed classification.", valid_values: ["detected", "inconclusive", "not_detected", "clean"] },
+      submission_skeleton: {
+        artifacts: Object.fromEntries(lookPhase.artifacts.map(a => [a.id, { value: "<your captured output>", captured: true }])),
+        signal_overrides: Object.fromEntries((detectResolved.indicators || []).map(i => [i.id, "hit | miss | inconclusive"])),
+        signals: { detection_classification: "<one of: detected|inconclusive|not_detected|clean>", theater_verdict: "<clear | theater | pending_agent_run>" },
+        precondition_checks: Object.fromEntries(lookPhase.preconditions.map(p => [p.id, true])),
+      }
+    }, pretty);
+    return;
+  }
+
+  // --signal-list: enumerate every signal_overrides key the detect phase
+  // recognizes. Lighter than --explain.
+  if (args["signal-list"]) {
+    const detectResolved = runner._resolvedPhase
+      ? runner._resolvedPhase(pb, directiveId, "detect")
+      : pb.phases?.detect;
+    emit({
+      verb: "run",
+      mode: "signal-list",
+      playbook_id: playbookId,
+      directive_id: directiveId,
+      signal_overrides_keys: (detectResolved?.indicators || []).map(i => i.id),
+      signal_value_grammar: "hit | miss | inconclusive",
+      detection_classification_override_keys: ["detected", "inconclusive", "not_detected", "clean"],
+    }, pretty);
+    return;
+  }
+
   let submission = {};
   if (args.evidence) {
     try {
@@ -621,6 +725,15 @@ function cmdRun(runner, args, runOpts, pretty) {
     runOpts.precondition_checks = submission.precondition_checks;
   }
 
+  // --format <fmt>: override the playbook's declared evidence_package.bundle_format.
+  // Supports csaf-2.0 | sarif | openvex | markdown. Multiple --format flags
+  // produce multiple bundles in the close response under bundles_by_format.
+  if (args.format) {
+    const formats = Array.isArray(args.format) ? args.format : [args.format];
+    submission.signals = submission.signals || {};
+    submission.signals._bundle_formats = formats;
+  }
+
   // --vex <file>: load a CycloneDX/OpenVEX document and pass the not_affected
   // CVE ID set through to analyze() so matched_cves drops them.
   if (args.vex) {
@@ -641,18 +754,23 @@ function cmdRun(runner, args, runOpts, pretty) {
     try {
       const dir = path.join(process.cwd(), ".exceptd", "attestations", result.session_id);
       fs.mkdirSync(dir, { recursive: true });
-      fs.writeFileSync(
-        path.join(dir, "attestation.json"),
-        JSON.stringify({
-          session_id: result.session_id,
-          playbook_id: result.playbook_id,
-          directive_id: result.directive_id,
-          evidence_hash: result.evidence_hash,
-          submission,
-          run_opts: { airGap: runOpts.airGap, forceStale: runOpts.forceStale, mode: runOpts.mode },
-          captured_at: new Date().toISOString(),
-        }, null, 2)
-      );
+      const attestation = {
+        session_id: result.session_id,
+        playbook_id: result.playbook_id,
+        directive_id: result.directive_id,
+        evidence_hash: result.evidence_hash,
+        operator: runOpts.operator || null,
+        operator_consent: runOpts.operator_consent || null,
+        submission,
+        run_opts: { airGap: runOpts.airGap, forceStale: runOpts.forceStale, mode: runOpts.mode },
+        captured_at: new Date().toISOString(),
+      };
+      fs.writeFileSync(path.join(dir, "attestation.json"), JSON.stringify(attestation, null, 2));
+      // Feature #27: Ed25519-sign the attestation if .keys/private.pem exists
+      // (signing infrastructure is already shared with skill signing). Without
+      // a private key, write an unsigned `.sig` placeholder so tooling can tell
+      // the difference between "unsigned" and "tampered post-hoc".
+      maybeSignAttestation(path.join(dir, "attestation.json"));
     } catch { /* non-fatal — attestation persistence is best-effort */ }
   }
 
@@ -746,6 +864,24 @@ function cmdRunMulti(runner, ids, args, runOpts, pretty, meta) {
       return emitError(`run: failed to read evidence bundle: ${e.message}`, { evidence: args.evidence }, pretty);
     }
   }
+  // --evidence-dir <dir>: each <playbook-id>.json under the directory is read
+  // as that playbook's submission. Lets operators wire up one cron job that
+  // collects per-playbook evidence into a directory, then runs the whole
+  // contract in one pass.
+  if (args["evidence-dir"]) {
+    const dir = args["evidence-dir"];
+    if (!fs.existsSync(dir)) {
+      return emitError(`run: --evidence-dir ${dir} does not exist.`, null, pretty);
+    }
+    for (const f of fs.readdirSync(dir).filter(x => x.endsWith(".json"))) {
+      const pbId = f.replace(/\.json$/, "");
+      try {
+        bundle[pbId] = JSON.parse(fs.readFileSync(path.join(dir, f), "utf8"));
+      } catch (e) {
+        return emitError(`run: failed to parse --evidence-dir entry ${f}: ${e.message}`, null, pretty);
+      }
+    }
+  }
 
   const results = [];
   for (const id of ids) {
@@ -766,18 +902,19 @@ function cmdRunMulti(runner, ids, args, runOpts, pretty, meta) {
       try {
         const dir = path.join(process.cwd(), ".exceptd", "attestations", sessionId);
         fs.mkdirSync(dir, { recursive: true });
-        fs.writeFileSync(
-          path.join(dir, `${id}.json`),
-          JSON.stringify({
-            session_id: sessionId,
-            playbook_id: id,
-            directive_id: directiveId,
-            evidence_hash: result.evidence_hash,
-            submission,
-            run_opts: { airGap: perRunOpts.airGap, forceStale: perRunOpts.forceStale, mode: perRunOpts.mode },
-            captured_at: new Date().toISOString(),
-          }, null, 2)
-        );
+        const filePath = path.join(dir, `${id}.json`);
+        fs.writeFileSync(filePath, JSON.stringify({
+          session_id: sessionId,
+          playbook_id: id,
+          directive_id: directiveId,
+          evidence_hash: result.evidence_hash,
+          operator: perRunOpts.operator || null,
+          operator_consent: perRunOpts.operator_consent || null,
+          submission,
+          run_opts: { airGap: perRunOpts.airGap, forceStale: perRunOpts.forceStale, mode: perRunOpts.mode },
+          captured_at: new Date().toISOString(),
+        }, null, 2));
+        maybeSignAttestation(filePath);
       } catch { /* non-fatal */ }
     }
     results.push(result);
@@ -858,6 +995,48 @@ function cmdIngest(runner, args, runOpts, pretty) {
   emit(result, pretty);
 }
 
+/**
+ * Ed25519-sign an attestation file when .keys/private.pem is available
+ * (matches lib/sign.js convention for skill signing). Writes a sidecar
+ * `<file>.sig` alongside the attestation. Defense against post-hoc tampering
+ * by anyone who can write to .exceptd/.
+ *
+ * Without a private key, writes a marker file documenting the signed=false
+ * state so downstream tooling can distinguish "operator declined signing"
+ * from "the .sig file was deleted by an attacker."
+ */
+function maybeSignAttestation(filePath) {
+  const crypto = require("crypto");
+  const sigPath = filePath + ".sig";
+  const privKeyPath = path.join(PKG_ROOT, ".keys", "private.pem");
+  const content = fs.readFileSync(filePath, "utf8");
+  try {
+    if (fs.existsSync(privKeyPath)) {
+      const privateKey = fs.readFileSync(privKeyPath, "utf8");
+      const sig = crypto.sign(null, Buffer.from(content, "utf8"), {
+        key: privateKey,
+        dsaEncoding: "ieee-p1363",
+      });
+      fs.writeFileSync(sigPath, JSON.stringify({
+        algorithm: "Ed25519",
+        signature_base64: sig.toString("base64"),
+        signed_at: new Date().toISOString(),
+        signs_path: path.basename(filePath),
+        signs_sha256: crypto.createHash("sha256").update(content).digest("base64"),
+      }, null, 2));
+    } else {
+      fs.writeFileSync(sigPath, JSON.stringify({
+        algorithm: "unsigned",
+        signed: false,
+        signed_at: null,
+        signs_path: path.basename(filePath),
+        signs_sha256: crypto.createHash("sha256").update(content).digest("base64"),
+        note: "No private key at .keys/private.pem — attestation is hash-stable but unsigned. Run `node lib/sign.js generate-keypair` to enable signing.",
+      }, null, 2));
+    }
+  } catch { /* non-fatal — signing failure shouldn't block the run */ }
+}
+
 /**
  * Find the latest attestation file under .exceptd/attestations/.
  * Filters: optional playbook ID and optional "since" ISO timestamp.
@@ -975,6 +1154,119 @@ function cmdReattest(runner, args, runOpts, pretty) {
   }, pretty);
 }
 
+/**
+ * `exceptd attest <subverb> <session-id>` — auditor-facing operations on
+ * persisted attestations. Subverbs:
+ *   export <session-id>   Emit redacted JSON suitable for audit submission.
+ *                         Strips raw artifact values; preserves only
+ *                         evidence_hash + signatures + classification + RWEP.
+ *                         Falls back to a CSAF-shaped envelope when --format csaf.
+ *   verify <session-id>   Verify the .sig sidecar against keys/public.pem.
+ *                         Reports signed_by + tamper status.
+ *   show <session-id>     Emit the full (unredacted) attestation. Convenience
+ *                         alias for `cat .exceptd/attestations/<sid>/attestation.json`.
+ */
+function cmdAttest(runner, args, runOpts, pretty) {
+  const subverb = args._[0];
+  const sessionId = args._[1];
+  if (!subverb) {
+    return emitError("attest: missing subverb. Usage: attest export|verify|show <session-id>", null, pretty);
+  }
+  if (!sessionId) {
+    return emitError(`attest ${subverb}: missing <session-id> positional argument.`, null, pretty);
+  }
+  const dir = path.join(process.cwd(), ".exceptd", "attestations", sessionId);
+  if (!fs.existsSync(dir)) {
+    return emitError(`attest ${subverb}: no session dir at ${path.relative(process.cwd(), dir)}`, { session_id: sessionId }, pretty);
+  }
+
+  const files = fs.readdirSync(dir).filter(f => f.endsWith(".json") && !f.endsWith(".sig"));
+  const attestations = files.map(f => {
+    try { return JSON.parse(fs.readFileSync(path.join(dir, f), "utf8")); }
+    catch { return null; }
+  }).filter(Boolean);
+
+  if (subverb === "show") {
+    emit({ session_id: sessionId, attestations }, pretty);
+    return;
+  }
+
+  if (subverb === "verify") {
+    const crypto = require("crypto");
+    const pubKeyPath = path.join(PKG_ROOT, "keys", "public.pem");
+    const pubKey = fs.existsSync(pubKeyPath) ? fs.readFileSync(pubKeyPath, "utf8") : null;
+    const results = files.map(f => {
+      const sigPath = path.join(dir, f + ".sig");
+      if (!fs.existsSync(sigPath)) return { file: f, signed: false, verified: false, reason: "no .sig sidecar" };
+      const sigDoc = JSON.parse(fs.readFileSync(sigPath, "utf8"));
+      if (sigDoc.algorithm === "unsigned") return { file: f, signed: false, verified: false, reason: "attestation explicitly unsigned (no private key when written)" };
+      if (!pubKey) return { file: f, signed: true, verified: false, reason: "no public key at keys/public.pem to verify against" };
+      const content = fs.readFileSync(path.join(dir, f), "utf8");
+      try {
+        const ok = crypto.verify(null, Buffer.from(content, "utf8"), {
+          key: pubKey, dsaEncoding: "ieee-p1363",
+        }, Buffer.from(sigDoc.signature_base64, "base64"));
+        return { file: f, signed: true, verified: !!ok, reason: ok ? "Ed25519 signature valid" : "Ed25519 signature INVALID — possible post-hoc tampering" };
+      } catch (e) {
+        return { file: f, signed: true, verified: false, reason: `verify error: ${e.message}` };
+      }
+    });
+    emit({ verb: "attest verify", session_id: sessionId, results }, pretty);
+    return;
+  }
+
+  if (subverb === "export") {
+    // Redaction: strip raw `value` fields from submitted artifacts; preserve
+    // captured-state flag, evidence_hash, classification, RWEP, confidence,
+    // remediation choice, residual risk acceptance, signature. Auditors get
+    // what they need (the verdict + proof of process) without leaking raw
+    // captured data (which may contain PII / secret shapes).
+    const format = args.format || "json";
+    const redacted = attestations.map(a => ({
+      session_id: a.session_id,
+      playbook_id: a.playbook_id,
+      directive_id: a.directive_id,
+      evidence_hash: a.evidence_hash,
+      operator: a.operator,
+      operator_consent: a.operator_consent,
+      captured_at: a.captured_at,
+      run_opts: a.run_opts,
+      artifacts_redacted: Object.fromEntries(Object.entries((a.submission && a.submission.artifacts) || {})
+        .map(([k, v]) => [k, { captured: !!v.captured, reason: v.reason || null, redacted_value: "[redacted]" }])),
+      signal_overrides: (a.submission && a.submission.signal_overrides) || {},
+      signals_redacted: Object.fromEntries(Object.entries((a.submission && a.submission.signals) || {})
+        .filter(([k]) => !/_filter$|_key$|token|secret|password/i.test(k))),
+      precondition_checks: (a.submission && a.submission.precondition_checks) || {},
+    }));
+
+    if (format === "csaf") {
+      // Lightweight CSAF envelope for audit submission — caller can post this
+      // directly to a CSAF-aware GRC platform.
+      emit({
+        document: {
+          category: "csaf_security_advisory",
+          csaf_version: "2.0",
+          publisher: { category: "vendor", name: "exceptd", namespace: "https://exceptd.com" },
+          title: `Auditor export — session ${sessionId}`,
+          tracking: { id: `exceptd-export-${sessionId}`, status: "final", version: "1", initial_release_date: new Date().toISOString() },
+        },
+        exceptd_export: { session_id: sessionId, attestations: redacted, exported_at: new Date().toISOString(), redaction_policy: "v0.10.3-default" },
+      }, pretty);
+    } else {
+      emit({
+        verb: "attest export",
+        session_id: sessionId,
+        exported_at: new Date().toISOString(),
+        redaction_policy: "v0.10.3-default — artifact values stripped; signal_overrides + precondition_checks + evidence_hash + signature preserved.",
+        attestations: redacted,
+      }, pretty);
+    }
+    return;
+  }
+
+  return emitError(`attest: unknown subverb "${subverb}". Try export | verify | show.`, null, pretty);
+}
+
 function cmdListAttestations(runner, args, runOpts, pretty) {
   const root = path.join(process.cwd(), ".exceptd", "attestations");
   if (!fs.existsSync(root)) {

package/data/_indexes/_meta.json

@@ -1,10 +1,10 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-12T13:50:32.319Z",
+  "generated_at": "2026-05-12T14:08:27.651Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 49,
   "source_hashes": {
-    "manifest.json": "3614ad87835688365283c95a8b7af1d66f14928c07efef750c206ba2f13aab33",
+    "manifest.json": "35c0e5e79c31c68c0a45e0bcad009fd34c935df5d0ba738e1f106a9be0c3d357",
     "data/atlas-ttps.json": "1500b5830dab070c4252496964a8c0948e1052a656e2c7c6e1efaf0350645e13",
     "data/cve-catalog.json": "a81d3e4b491b27ccc084596b063a6108ff10c9eb01d7776922fc393980b534fe",
     "data/cwe-catalog.json": "c3367d469b4b3d31e4c56397dd7a8305a0be338ecd85afa27804c0c9ce12157b",

package/lib/playbook-runner.js

@@ -586,13 +586,23 @@ function close(playbookId, directiveId, analyzeResult, validateResult, agentSign
     }
   }
 
-  // evidence_package
+  // evidence_package — playbook declares one primary bundle_format; the
+  // operator may request additional formats via agentSignals._bundle_formats
+  // (e.g. SARIF for GitHub Code Scanning + OpenVEX for supply-chain tooling
+  // alongside the CSAF default).
+  const primaryFormat = c.evidence_package?.bundle_format || 'csaf-2.0';
+  const extraFormats = Array.isArray(agentSignals._bundle_formats)
+    ? agentSignals._bundle_formats.filter(f => f !== primaryFormat)
+    : [];
   const evidencePackage = c.evidence_package ? {
-    bundle_format: c.evidence_package.bundle_format || 'csaf-2.0',
+    bundle_format: primaryFormat,
     contents: c.evidence_package.contents || [],
     destination: c.evidence_package.destination || 'local_only',
     signed: c.evidence_package.signed !== false,
-    bundle_body: buildEvidenceBundle(c.evidence_package.bundle_format || 'csaf-2.0', playbook, analyzeResult, validateResult, agentSignals)
+    bundle_body: buildEvidenceBundle(primaryFormat, playbook, analyzeResult, validateResult, agentSignals),
+    bundles_by_format: extraFormats.length ? Object.fromEntries(
+      [primaryFormat, ...extraFormats].map(f => [f, buildEvidenceBundle(f, playbook, analyzeResult, validateResult, agentSignals)])
+    ) : null,
   } : null;
 
   if (evidencePackage && evidencePackage.signed && runOpts.session_key) {
@@ -687,22 +697,102 @@ function buildEvidenceBundle(format, playbook, analyze, validate, agentSignals)
       },
       vulnerabilities: analyze.matched_cves.map(c => ({
         cve: c.cve_id,
-        scores: [{ products: [], cvss_v3: { base_score: 0 } }],
+        scores: [{ products: [], cvss_v3: { base_score: c.cvss_score || 0 } }],
         threats: c.active_exploitation === 'confirmed' ? [{ category: 'exploit_status', details: 'Active exploitation confirmed (CISA KEV).' }] : [],
         remediations: [{ category: 'vendor_fix', details: validate.selected_remediation?.description || 'See selected remediation path.' }]
       })),
       exceptd_extension: {
         rwep: analyze.rwep,
         blast_radius_score: analyze.blast_radius_score,
-        compliance_theater: analyze.compliance_theater,
+        compliance_theater: analyze.compliance_theater_check,
         framework_gap_mapping: analyze.framework_gap_mapping,
         evidence_requirements: validate.evidence_requirements,
         residual_risk_statement: validate.residual_risk_statement
       }
     };
   }
-  // Other formats deferred.
-  return { format, note: 'Non-CSAF formats deferred to GRC integration layer.', analyze, validate };
+
+  // SARIF 2.1.0 — GitHub Code Scanning / VS Code SARIF Viewer / Azure DevOps
+  // and most static analysis tooling. One run per playbook directive, one
+  // result per matched CVE. Each result references a rule (cve_id) and ties
+  // back to the directive as the "tool" producer.
+  if (format === 'sarif' || format === 'sarif-2.1.0') {
+    return {
+      $schema: 'https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json',
+      version: '2.1.0',
+      runs: [{
+        tool: {
+          driver: {
+            name: 'exceptd',
+            version: playbook._meta.version,
+            informationUri: 'https://exceptd.com',
+            rules: analyze.matched_cves.map(c => ({
+              id: c.cve_id,
+              shortDescription: { text: c.cve_id },
+              fullDescription: { text: `RWEP ${c.rwep} · KEV=${c.cisa_kev} · active_exploitation=${c.active_exploitation} · PoC=${c.poc_available}` },
+              defaultConfiguration: { level: c.rwep >= 90 ? 'error' : c.rwep >= 70 ? 'warning' : 'note' },
+              helpUri: `https://nvd.nist.gov/vuln/detail/${c.cve_id}`,
+            }))
+          }
+        },
+        results: analyze.matched_cves.map(c => ({
+          ruleId: c.cve_id,
+          level: c.rwep >= 90 ? 'error' : c.rwep >= 70 ? 'warning' : 'note',
+          message: { text: `${c.cve_id}: RWEP ${c.rwep}, blast_radius ${analyze.blast_radius_score}. ${validate.selected_remediation?.description || ''}` },
+          properties: {
+            rwep: c.rwep,
+            cisa_kev: c.cisa_kev,
+            cisa_kev_due_date: c.cisa_kev_due_date,
+            active_exploitation: c.active_exploitation,
+            ai_discovered: c.ai_discovered,
+            blast_radius_score: analyze.blast_radius_score,
+            framework_gaps: analyze.framework_gap_mapping?.length || 0,
+          }
+        }))
+      }]
+    };
+  }
+
+  // OpenVEX 0.2.0 — supply-chain VEX statements. Each matched CVE becomes a
+  // statement with status derived from confidence + RWEP. Downstream tools
+  // (sigstore, in-toto, GUAC) consume this directly.
+  if (format === 'openvex' || format === 'openvex-0.2.0') {
+    const issued = new Date().toISOString();
+    return {
+      '@context': 'https://openvex.dev/ns/v0.2.0',
+      '@id': `https://exceptd.com/vex/${playbook._meta.id}/${Date.now()}`,
+      author: 'exceptd',
+      timestamp: issued,
+      version: 1,
+      statements: analyze.matched_cves.map(c => ({
+        vulnerability: { '@id': c.cve_id, name: c.cve_id },
+        status: c.active_exploitation === 'confirmed' ? 'under_investigation' : (c.live_patch_available ? 'fixed' : 'affected'),
+        timestamp: issued,
+        action_statement: validate.selected_remediation?.description || null,
+        impact_statement: `RWEP ${c.rwep}. Blast radius ${analyze.blast_radius_score}/5.`
+      }))
+    };
+  }
+
+  if (format === 'markdown') {
+    const lines = [
+      `# exceptd finding: ${playbook.domain.name}`,
+      `**Playbook:** ${playbook._meta.id} v${playbook._meta.version}`,
+      `**Matched CVEs:** ${analyze.matched_cves.length}`,
+      `**Top RWEP:** ${analyze.rwep?.adjusted || 0}`,
+      `**Blast radius:** ${analyze.blast_radius_score || 'unknown'}/5`,
+      `**Theater verdict:** ${analyze.compliance_theater_check?.verdict || 'n/a'}`,
+      `\n## Matched CVEs`,
+      ...analyze.matched_cves.map(c => `- **${c.cve_id}** RWEP ${c.rwep} · KEV=${c.cisa_kev} · ${c.active_exploitation}`),
+      `\n## Selected remediation`,
+      validate.selected_remediation ? `${validate.selected_remediation.id} (priority ${validate.selected_remediation.priority}): ${validate.selected_remediation.description}` : 'No remediation path selected.',
+      `\n## Residual risk`,
+      validate.residual_risk_statement ? `${validate.residual_risk_statement.risk}\n\n_Acceptance level: ${validate.residual_risk_statement.acceptance_level}_` : 'None recorded.',
+    ];
+    return { format: 'markdown', body: lines.join('\n') };
+  }
+
+  return { format, note: 'Unknown format — supported: csaf-2.0, sarif, openvex, markdown.', analyze, validate };
 }
 
 // --- orchestrate: full run in one call ---