@blamejs/exceptd-skills 0.11.14 → 0.12.0

package/data/playbooks/sbom.json

@@ -1,10 +1,22 @@
 {
   "_meta": {
     "id": "sbom",
-    "version": "1.0.0",
-    "last_threat_review": "2026-05-11",
-    "threat_currency_score": 95,
+    "version": "1.1.0",
+    "last_threat_review": "2026-05-13",
+    "threat_currency_score": 97,
     "changelog": [
+      {
+        "version": "1.1.0",
+        "date": "2026-05-13",
+        "summary": "Adds CVE-2026-45321 (Mini Shai-Hulud TanStack npm worm, 2026-05-11). Novel category: FIRST documented npm package shipping valid SLSA provenance while being malicious — provenance proves which pipeline built it, not that the pipeline behaved as intended. Detect path includes chained-primitives signature (pull_request_target + actions/cache + id-token:write co-residency), IoC sweep for .claude/settings.json SessionStart hooks + .vscode/tasks.json folder-open hooks + LaunchAgent / systemd-user persistence, registry-cooldown mitigation (.npmrc before=72h or minimumReleaseAge=4320).",
+        "cves_added": [
+          "CVE-2026-45321"
+        ],
+        "framework_gaps_updated": [
+          "slsa-l3-insufficient-vs-cache-poisoning",
+          "nist-800-218-SSDF-PS3-PO3"
+        ]
+      },
       {
         "version": "1.0.0",
         "date": "2026-05-11",
@@ -80,7 +92,8 @@
       "CVE-2026-43284",
       "CVE-2026-43500",
       "CVE-2025-53773",
-      "CVE-2026-30615"
+      "CVE-2026-30615",
+      "CVE-2026-45321"
     ],
     "cwe_refs": [
       "CWE-1357",
@@ -505,6 +518,48 @@
           "description": "Authoritative catalog for matched-CVE correlation.",
           "required": true,
           "air_gap_alternative": "Catalog is shipped with exceptd; available offline."
+        },
+        {
+          "id": "tanstack-payload-sweep",
+          "type": "file_path",
+          "source": "find node_modules -path '*/@tanstack/*' \\( -name 'router_init.js' -o -name 'router_runtime.js' \\) 2>/dev/null",
+          "description": "CVE-2026-45321 IoC sweep — payload markers inside any installed @tanstack/* package. Captures both flat npm and pnpm-style nested layouts.",
+          "required": false
+        },
+        {
+          "id": "agent-persistence-claude-settings",
+          "type": "config_file",
+          "source": ".claude/settings.json and $HOME/.claude/settings.json — read `hooks` keys, in particular SessionStart entries",
+          "description": "CVE-2026-45321 persistence vector — read every Claude Code settings file in scope to inspect hook entries.",
+          "required": false
+        },
+        {
+          "id": "agent-persistence-vscode-tasks",
+          "type": "config_file",
+          "source": ".vscode/tasks.json — read `tasks[].runOptions.runOn` for any folderOpen entries",
+          "description": "CVE-2026-45321 persistence vector — VS Code folder-open hooks re-arm the worm on every IDE re-open.",
+          "required": false
+        },
+        {
+          "id": "agent-persistence-os-level",
+          "type": "config_file",
+          "source": "$HOME/Library/LaunchAgents/*.plist (macOS) AND $HOME/.config/systemd/user/*.service (Linux) — list and read",
+          "description": "CVE-2026-45321 OS-level persistence — outlives any IDE/agent restart.",
+          "required": false
+        },
+        {
+          "id": "npmrc-cooldown-policy",
+          "type": "config_file",
+          "source": "Read .npmrc (project) and $HOME/.npmrc (user) — look for `before=` or `minimumReleaseAge=` settings",
+          "description": "Mitigation status for CVE-2026-45321 and similar fresh-publish worms. Absence is a high-confidence finding for any project that consumes npm packages.",
+          "required": false
+        },
+        {
+          "id": "github-workflows",
+          "type": "config_file",
+          "source": "Read .github/workflows/*.yml and *.yaml — extract `on:` triggers, `permissions:`, and `uses: actions/cache@*` step references",
+          "description": "CVE-2026-45321 architectural pre-condition check — detects pull_request_target + id-token:write + shared actions/cache co-residency in the same repo.",
+          "required": false
         }
       ],
       "collection_scope": {
@@ -628,6 +683,68 @@
           "description": "KEV-listed match — fast-path escalation required.",
           "confidence": "deterministic",
           "deterministic": true
+        },
+        {
+          "id": "tanstack-worm-payload-files",
+          "type": "file_path",
+          "value": "node_modules/@tanstack/*/router_init.js exists OR node_modules/@tanstack/*/router_runtime.js exists",
+          "description": "CVE-2026-45321 (Mini Shai-Hulud) payload markers — these files do not exist in clean TanStack packages.",
+          "confidence": "deterministic",
+          "deterministic": true,
+          "attack_ref": "T1195.002"
+        },
+        {
+          "id": "tanstack-worm-resolved-during-publish-window",
+          "type": "log_pattern",
+          "value": "Lockfile entry for any @tanstack/* package resolved within 2026-05-11T19:20Z..2026-05-11T19:26Z (the malicious publish window)",
+          "description": "CVE-2026-45321 timing match — any @tanstack/* package whose lockfile-recorded resolution timestamp falls inside the 6-minute attacker publish window is suspect even if the payload markers were since cleaned.",
+          "confidence": "high",
+          "deterministic": false,
+          "attack_ref": "T1195.002"
+        },
+        {
+          "id": "agent-persistence-claude-session-start-hook",
+          "type": "file_path",
+          "value": ".claude/settings.json contains hooks.SessionStart referencing .vscode/setup.mjs OR any non-blamejs-installed script",
+          "description": "CVE-2026-45321 persistence vector — worm installs a SessionStart hook to re-arm on next Claude Code launch. Any SessionStart hook running an in-repo .mjs that the operator didn't author is suspect.",
+          "confidence": "deterministic",
+          "deterministic": true,
+          "attack_ref": "T1574"
+        },
+        {
+          "id": "agent-persistence-vscode-folder-open-task",
+          "type": "file_path",
+          "value": ".vscode/tasks.json contains a runOptions.runOn=folderOpen task pointing at .vscode/setup.mjs or similar",
+          "description": "CVE-2026-45321 persistence vector — folder-open hook re-arms on every VS Code re-open of the directory.",
+          "confidence": "deterministic",
+          "deterministic": true,
+          "attack_ref": "T1547"
+        },
+        {
+          "id": "agent-persistence-os-level",
+          "type": "file_path",
+          "value": "~/Library/LaunchAgents/com.tanstack.*.plist exists (macOS) OR ~/.config/systemd/user/*.service references an in-repo staged setup.mjs (Linux)",
+          "description": "CVE-2026-45321 OS-level persistence — outlives any IDE/agent restart. Targets macOS LaunchAgents + Linux systemd-user units.",
+          "confidence": "deterministic",
+          "deterministic": true,
+          "attack_ref": "T1547"
+        },
+        {
+          "id": "ci-cache-poisoning-co-residency",
+          "type": "log_pattern",
+          "value": "Repo .github/workflows/ contains BOTH (a) a workflow with `on: pull_request_target` AND (b) any workflow with `permissions: id-token: write` AND (c) any actions/cache step shared between the two",
+          "description": "Architectural pre-condition for CVE-2026-45321-style chained-primitives attacks. Even without the payload, this co-residency means any successful fork-PR exploit can poison the cache that the publish workflow restores. Mitigation: separate cache namespaces, or remove pull_request_target.",
+          "confidence": "deterministic",
+          "deterministic": true,
+          "attack_ref": "T1195.002"
+        },
+        {
+          "id": "npm-registry-no-cooldown",
+          "type": "file_path",
+          "value": ".npmrc and ~/.npmrc both lack `before=` or `minimumReleaseAge=` settings, AND project consumes any npm package",
+          "description": "Mitigation gap for CVE-2026-45321 and similar fresh-publish worms. Without a registry cooldown, `npm install` will accept a version published seconds ago. Recommended: `before=72h` (npm 11+) or `minimumReleaseAge=4320` minutes. The worm was caught publicly within 20 minutes; 72h is overkill-safe.",
+          "confidence": "high",
+          "deterministic": false
         }
       ],
       "false_positive_profile": [

package/data/zeroday-lessons.json

@@ -373,5 +373,98 @@
       "basis": "No vendor management or supply chain control covers MCP servers. 150M+ affected downloads suggests extremely broad exposure.",
       "theater_pattern": "vendor_management_ai"
     }
+  },
+  "CVE-2026-45321": {
+    "name": "Mini Shai-Hulud TanStack npm worm",
+    "lesson_date": "2026-05-13",
+    "attack_vector": {
+      "description": "Three chained primitives across one repository's CI: (1) pull_request_target on a non-publishing workflow ran fork-PR code with base-repo permissions, (2) that run poisoned actions/cache under a key the publish workflow would later restore, (3) on next main push the publish workflow restored the poisoned cache, attacker code read /proc/<runner>/mem to lift the OIDC token before the official publish step, and shipped malicious tarballs to npm with VALID SLSA provenance. 84 versions across 42 @tanstack/* packages published in a 6-minute window 2026-05-11 19:20-19:26 UTC.",
+      "privileges_required": "Any GitHub account that can open a pull request to the target repository (no maintainer access required).",
+      "complexity": "engineering-grade — chained primitives, deep CI knowledge, /proc/<pid>/mem token-scraping under id-token:write",
+      "ai_factor": "None observed. Engineering-grade tradecraft attributed to TeamPCP. Notable for what it didn't need: AI didn't make this attack possible. CI-trust-boundary misuse + cache co-residency made it possible."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Forbid pull_request_target co-residency with id-token:write workflows in the same repo, OR isolate actions/cache namespaces per trigger class so fork-PR runs cannot write to a key any tag/main run will read.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Architectural — eliminates the chain. Hardest part is auditing every repo for the architectural pre-condition; this is what the sbom playbook's `ci-cache-poisoning-co-residency` indicator checks."
+      },
+      "detection": {
+        "what_would_have_worked": "Consumer-side fresh-publish cooldown (.npmrc before=72h or minimumReleaseAge=4320 minutes). External researchers caught this worm within 20 minutes of publish; 72h is overkill-safe.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Defense in depth — operators who would have installed the malicious version on 2026-05-11 19:25Z would not have, because the cooldown would have rejected it."
+      },
+      "response": {
+        "what_would_have_worked": "Token rotation triggered by the npm yank notice, paired with host-snapshot BEFORE rotation (the worm payload carries a destructive wipe on token-revocation).",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Reduces blast radius post-exploitation. The destructive-on-revocation property means hasty rotation can lose evidence."
+      }
+    },
+    "framework_coverage": {
+      "SLSA-L3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "SLSA L3 build-integrity is necessary but insufficient against cache-poisoning attacks within the build. The malicious tarballs shipped with VALID SLSA provenance — provenance proves which pipeline built the artifact, not that the pipeline behaved as intended."
+      },
+      "NIST-800-218-SSDF": {
+        "covered": true,
+        "adequate": false,
+        "gap": "PS.3 + PO.3 don't address cache poisoning between sibling workflows in the same repo. SSDF presumes per-workflow trust isolation that GitHub Actions' shared actions/cache breaks."
+      },
+      "NIST-800-53-SA-12": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Supply chain protection treats provenance + signing as the trust anchor. CVE-2026-45321 demonstrates both can be intact on a malicious package."
+      },
+      "EU-CRA-Art13": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Vulnerability-handling provisions presume detectable signal at consumption. Valid provenance neutralizes the standard consumer-side check."
+      },
+      "NIS2-Art21-2d": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Supply chain risk management presumes detectable signal at consumption."
+      }
+    },
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-008",
+        "name": "CI-WORKFLOW-TRUST-BOUNDARY-ISOLATION",
+        "description": "Forbid pull_request_target co-residency with id-token:write workflows in the same repository. If co-residency is required, isolate actions/cache namespaces per trigger class.",
+        "evidence": "CVE-2026-45321 — chained primitives required exactly this co-residency to succeed",
+        "gap_closes": [
+          "NIST-800-218-SSDF",
+          "SLSA-L3"
+        ]
+      },
+      {
+        "id": "NEW-CTRL-009",
+        "name": "REGISTRY-COOLDOWN-POLICY",
+        "description": "Consumer-side registry cooldown (.npmrc before=72h or minimumReleaseAge=4320 minutes) refuses to install any version published within the last 72 hours.",
+        "evidence": "CVE-2026-45321 — caught publicly within 20 minutes; 72h is overkill-safe",
+        "gap_closes": [
+          "NIST-800-53-SA-12",
+          "NIS2-Art21-2d"
+        ]
+      },
+      {
+        "id": "NEW-CTRL-010",
+        "name": "AGENT-PERSISTENCE-HOOK-ALLOWLIST",
+        "description": "AI coding assistants must allowlist hooks. SessionStart hooks in .claude/settings.json + folder-open tasks in .vscode/tasks.json + OS-level LaunchAgents/systemd-user units that reference in-repo staged scripts must be approved by the operator before execution.",
+        "evidence": "CVE-2026-45321 — the worm installs persistence via all three hook surfaces",
+        "gap_closes": [
+          "ALL-AI-AGENT-PERSISTENCE"
+        ]
+      }
+    ],
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 95,
+      "basis": "SLSA L3 + provenance + signing all pass on the malicious package. Standard supply-chain audits (SBOM check, provenance verify, signature verify) all give green. The architectural pre-condition (pull_request_target + id-token:write + shared actions/cache) is not in any compliance framework's control catalog. Combined ~150M+ weekly downloads across 42 packages = extremely broad exposure.",
+      "theater_pattern": "provenance_signed_therefore_safe"
+    }
   }
 }

package/keys/public.pem

@@ -1,3 +1,3 @@
 -----BEGIN PUBLIC KEY-----
-MCowBQYDK2VwAyEAbyrz9k9voneYsqY63g6A5y4jTcuiJd0FEDtk4li5uIE=
+MCowBQYDK2VwAyEA8r4wi/onMuK7+R3naEBpBUU8LDfUlt0D67FKS7IpRp4=
 -----END PUBLIC KEY-----

package/lib/cve-curation.js

@@ -0,0 +1,274 @@
+"use strict";
+
+/**
+ * lib/cve-curation.js
+ *
+ * Editorial-enrichment helper for auto-imported CVE catalog drafts. Given
+ * a CVE ID that exists in data/cve-catalog.json as a draft (flagged
+ * `_auto_imported: true`), this module cross-references the draft against
+ * the project's existing catalogs and produces STRUCTURED EDITORIAL
+ * QUESTIONS — candidate framework gaps, ATLAS techniques, ATT&CK techniques,
+ * CWE refs — that a human reviewer or AI assistant uses to fill in the
+ * null editorial fields.
+ *
+ * Not "AI-assisted" in the LLM sense. The cross-reference logic is
+ * deterministic pattern-matching against catalogs already in the install.
+ * The output is a checklist of "fields to answer, with candidates ranked
+ * by relevance" — the reviewer makes the final call on each.
+ *
+ * Output shape (one JSON object on stdout):
+ *   {
+ *     ok: true,
+ *     verb: "refresh",
+ *     mode: "cve-curation",
+ *     cve_id, draft_entry,
+ *     editorial_questions: [
+ *       { field, current_value, candidates: [{id, score, reason}], ask }
+ *     ],
+ *     next_steps: [...]
+ *   }
+ *
+ * Exits non-zero (3) so CI pipelines see "editorial review pending" even
+ * on a successful curation run.
+ */
+
+const fs = require("fs");
+const path = require("path");
+
+const ROOT = path.resolve(__dirname, "..");
+
+function loadJson(rel) {
+  try { return JSON.parse(fs.readFileSync(path.join(ROOT, rel), "utf8")); }
+  catch { return null; }
+}
+
+/**
+ * Score a candidate by counting keyword overlap with the draft entry.
+ * Returns 0..100. Pure heuristic — reviewer makes the final call.
+ */
+function keywordOverlapScore(draftText, candidateText) {
+  if (!draftText || !candidateText) return 0;
+  const draftWords = new Set(
+    String(draftText).toLowerCase().split(/[^a-z0-9_]+/).filter(w => w.length > 3)
+  );
+  const candWords = new Set(
+    String(candidateText).toLowerCase().split(/[^a-z0-9_]+/).filter(w => w.length > 3)
+  );
+  let overlap = 0;
+  for (const w of candWords) if (draftWords.has(w)) overlap++;
+  const denom = Math.max(candWords.size, 1);
+  return Math.round((overlap / denom) * 100);
+}
+
+function pickCandidates(draftDigest, catalog, idField, descriptionField) {
+  if (!catalog || typeof catalog !== "object") return [];
+  const candidates = [];
+  for (const [key, entry] of Object.entries(catalog)) {
+    if (key.startsWith("_")) continue;
+    const id = entry?.[idField] || key;
+    const desc = entry?.[descriptionField] || entry?.name || entry?.description || "";
+    const score = keywordOverlapScore(draftDigest, desc + " " + id);
+    if (score > 0) {
+      candidates.push({ id, score, reason: `keyword overlap with: ${(desc || id).slice(0, 120)}` });
+    }
+  }
+  candidates.sort((a, b) => b.score - a.score);
+  return candidates.slice(0, 5);
+}
+
+/**
+ * Build the curation report for a single CVE ID.
+ */
+function curate(cveId, { catalogPath, opts = {} } = {}) {
+  const catalog = loadJson(catalogPath || "data/cve-catalog.json");
+  if (!catalog || !catalog[cveId]) {
+    return {
+      ok: false,
+      verb: "refresh",
+      mode: "cve-curation",
+      error: `CVE ${cveId} not in data/cve-catalog.json. Seed it first via \`exceptd refresh --advisory ${cveId} --apply\`.`,
+    };
+  }
+  const draft = catalog[cveId];
+
+  // Only curate drafts. Editing a human-curated entry is intentional and
+  // happens via direct file edit — refusing here prevents accidental
+  // suggestion-storms on entries that have already been reviewed.
+  if (!draft._auto_imported && !draft._draft) {
+    return {
+      ok: false,
+      verb: "refresh",
+      mode: "cve-curation",
+      error: `${cveId} is a human-curated entry (no _auto_imported flag). Curation only applies to drafts. Edit directly if changes are intended.`,
+      existing_last_updated: draft.last_updated,
+    };
+  }
+
+  // Digest of the draft — feed into keyword-overlap scoring.
+  const draftDigest = [
+    draft.name || "",
+    draft.affected || "",
+    (draft.affected_versions || []).join(" "),
+    draft.vector || "",
+    draft.type || "",
+  ].filter(Boolean).join(" ");
+
+  // Pull candidate catalogs. Each is optional — missing catalogs are skipped
+  // gracefully.
+  const atlas = loadJson("data/atlas-ttps.json");
+  const attack = loadJson("data/attack-ttps.json");
+  const cwe = loadJson("data/cwe-catalog.json");
+  const frameworkGaps = loadJson("data/framework-control-gaps.json");
+
+  const atlasCandidates = pickCandidates(draftDigest, atlas, "ttp_id", "description");
+  const attackCandidates = pickCandidates(draftDigest, attack, "ttp_id", "description");
+  const cweCandidates = pickCandidates(draftDigest, cwe, "cwe_id", "description");
+  const frameworkCandidates = pickCandidates(draftDigest, frameworkGaps, "control_id", "description");
+
+  // Build the editorial-questions list. Each entry names the catalog field,
+  // its current value (likely null on a draft), ranked candidates, and a
+  // specific ASK to surface what the reviewer needs to decide.
+  const questions = [];
+
+  if (!draft.atlas_refs || draft.atlas_refs.length === 0) {
+    questions.push({
+      field: "atlas_refs",
+      current_value: draft.atlas_refs || [],
+      candidates: atlasCandidates,
+      ask: "Which MITRE ATLAS techniques are present in the attack chain? (Adversarial ML technique mapping — relevant if any model, training pipeline, or AI agent is involved.)",
+    });
+  }
+
+  if (!draft.attack_refs || draft.attack_refs.length === 0) {
+    questions.push({
+      field: "attack_refs",
+      current_value: draft.attack_refs || [],
+      candidates: attackCandidates,
+      ask: "Which MITRE ATT&CK techniques are present in the attack chain? (Required for SOC integration and detection-engineering downstream.)",
+    });
+  }
+
+  if (!draft.framework_control_gaps) {
+    questions.push({
+      field: "framework_control_gaps",
+      current_value: null,
+      candidates: frameworkCandidates,
+      ask: "Which framework controls CLAIM to cover this CVE's category, and where do they fall short? Per AGENTS.md Hard Rule #6, every framework finding must include a test that distinguishes paper compliance from actual security. Cover NIST-800-53 + EU (NIS2/DORA/EU AI Act) + UK (CAF) + AU (ISM) + ISO 27001:2022 at minimum.",
+    });
+  }
+
+  if (!draft.iocs) {
+    questions.push({
+      field: "iocs",
+      current_value: null,
+      candidates: [],
+      ask: "What artifacts indicate compromise on a host running the affected version? Group by (a) payload_artifacts — file/process names the payload writes or runs, (b) persistence_artifacts — hooks, config entries, OS-level units that re-arm the payload, (c) behavioral — log / cache / network patterns, (d) destructive — any tripwire that destroys evidence on remediation. The sbom playbook's detect indicators feed off these.",
+    });
+  }
+
+  if (draft.poc_available === null) {
+    questions.push({
+      field: "poc_available",
+      current_value: null,
+      candidates: [],
+      ask: "Is a public PoC or in-the-wild exploitation evidence available? If yes, set poc_available: true + add poc_description summarizing capability (deterministic vs probabilistic, single-stage vs multi-stage, byte-size if known).",
+    });
+  }
+
+  if (draft.ai_discovered === null || draft.ai_assisted_weaponization === null) {
+    questions.push({
+      field: "ai_discovered + ai_assisted_weaponization",
+      current_value: { ai_discovered: draft.ai_discovered, ai_assisted_weaponization: draft.ai_assisted_weaponization },
+      candidates: [],
+      ask: "Was this vulnerability AI-discovered (per AGENTS.md Hard Rule #7, ~41% of 2025 zero-days were)? AI-assisted weaponization? Set both fields explicitly — null is not acceptable on a published entry.",
+    });
+  }
+
+  if (!draft.rwep_factors || draft.rwep_score === null) {
+    questions.push({
+      field: "rwep_score + rwep_factors",
+      current_value: { rwep_score: draft.rwep_score, rwep_factors: draft.rwep_factors },
+      candidates: [],
+      ask: "Compute RWEP using lib/scoring.js weights: cisa_kev(+25) + poc_available(+20) + ai_factor(+15) + active_exploitation(confirmed=+20 / suspected=+10) + blast_radius(0..30) + patch_available(-15) + live_patch_available(-10) + reboot_required(+5). The score field is the sum; the factors field shows the contributions.",
+    });
+  }
+
+  if (!draft.vector) {
+    questions.push({
+      field: "vector",
+      current_value: null,
+      candidates: [],
+      ask: "One-paragraph attack vector explanation. Distinguish (a) reachability (how attacker gets to the vulnerable surface), (b) primitive (what the bug actually gives them), (c) escalation (what they do with the primitive). For chained-primitives attacks (e.g. CVE-2026-45321 TanStack worm), enumerate each primitive separately.",
+    });
+  }
+
+  return {
+    ok: true,
+    verb: "refresh",
+    mode: "cve-curation",
+    cve_id: cveId,
+    draft_summary: {
+      name: draft.name,
+      type: draft.type,
+      cvss_score: draft.cvss_score,
+      severity: draft.cvss_score >= 9 ? "critical" : draft.cvss_score >= 7 ? "high" : draft.cvss_score >= 4 ? "medium" : "low",
+      affected: draft.affected,
+      published_at: draft._source_published_at || null,
+      auto_imported_from: draft._source_ghsa_id ? `GHSA: ${draft._source_ghsa_id}` : "unknown",
+    },
+    editorial_questions: questions,
+    questions_open: questions.length,
+    next_steps: [
+      `Answer each editorial question above. The catalog gate (lib/validate-cve-catalog.js) currently treats this entry as a DRAFT (warning, not error) — answers convert it to a full entry.`,
+      `Add a matching entry to data/zeroday-lessons.json (rule #6: zero-day learning loop must be live).`,
+      `Update last_threat_review and threat_currency_score on any playbook whose cve_refs includes ${cveId}.`,
+      `Remove the _auto_imported and _draft flags from the catalog entry once editorial review is complete.`,
+      `Run \`npm run predeploy\` — the strict gate should now pass without DRAFT warnings on this entry.`,
+    ],
+  };
+}
+
+/**
+ * CLI entry — wired from bin/exceptd.js via `refresh --curate <id>`.
+ */
+async function cli(argv) {
+  const opts = { advisory: null, json: false, catalogPath: null };
+  for (let i = 0; i < argv.length; i++) {
+    const a = argv[i];
+    if (a === "--json") opts.json = true;
+    else if (a === "--catalog") opts.catalogPath = argv[++i];
+    else if (a.startsWith("--catalog=")) opts.catalogPath = a.slice("--catalog=".length);
+    else if (a === "--curate") opts.advisory = argv[++i];
+    else if (a.startsWith("--curate=")) opts.advisory = a.slice("--curate=".length);
+    else if (!a.startsWith("--") && !opts.advisory) opts.advisory = a;
+  }
+  if (!opts.advisory) {
+    const err = { ok: false, verb: "refresh", mode: "cve-curation", error: "missing --curate <CVE-ID>" };
+    if (opts.json) process.stdout.write(JSON.stringify(err) + "\n");
+    else process.stderr.write(`[refresh --curate] ${err.error}\n`);
+    process.exitCode = 2;
+    return;
+  }
+  const result = curate(opts.advisory, { catalogPath: opts.catalogPath, opts });
+  if (opts.json || !result.ok) {
+    process.stdout.write(JSON.stringify(result) + "\n");
+  } else {
+    process.stdout.write(`[refresh --curate] ${result.cve_id} — ${result.questions_open} editorial question(s) open\n`);
+    for (const q of result.editorial_questions) {
+      process.stdout.write(`\n  ${q.field}:\n`);
+      process.stdout.write(`    ask: ${q.ask}\n`);
+      if (q.candidates && q.candidates.length > 0) {
+        process.stdout.write(`    top candidates: ${q.candidates.slice(0, 3).map(c => c.id).join(", ")}\n`);
+      }
+    }
+    process.stdout.write(`\n  Run with --json for the full structured output.\n`);
+  }
+  // Always non-zero on a successful curation — "editorial review pending."
+  process.exitCode = result.ok ? 3 : 2;
+}
+
+if (require.main === module) {
+  cli(process.argv.slice(2));
+}
+
+module.exports = { curate, keywordOverlapScore };