@blamejs/exceptd-skills 0.12.10 → 0.12.13

package/CHANGELOG.md

@@ -1,5 +1,136 @@
 # Changelog
 
+## 0.12.13 — 2026-05-14
+
+**Patch: e2e scenarios updated for the v0.12.12 jurisdiction-clock semantics.**
+
+Two e2e scenarios (`02-tanstack-worm-payload`, `09-secrets-aws-key`) assert that `phases.close.jurisdiction_clocks_count >= 1` against a `detected` classification. In v0.12.12 the clock-starts contract was tightened: `clock_starts: detect_confirmed` no longer auto-stamps when classification turns `detected`; the operator must pass `--ack` for the clock to start. Both scenarios now pass `--ack` so the contract is exercised end-to-end. No code changes; v0.12.13 ships solely to land the scenario update and a corresponding npm publish — the v0.12.12 tag exists on git but never reached the npm registry because the validate gate failed against the pre-update scenarios.
+
+Test count: 585/585. Predeploy gates: 16/16. Skills: 38/38 signed and verified.
+
+## 0.12.12 — 2026-05-13
+
+**Patch: deep multi-surface hardening — engine semantics, concurrency, signing round-trip, output bundles, validators, scheduler, curation. 73 distinct fixes across 10 surface classes.**
+
+### Engine semantics
+
+`lib/playbook-runner.js` corrects several long-standing classification and clock bugs:
+
+- **False-positive checks now gate classification.** When an indicator's `signal_overrides` says `hit` but the indicator's `false_positive_checks_required[]` haven't been attested, the verdict downgrades to `inconclusive` and `fp_checks_unsatisfied[]` is surfaced on the indicator. Operators attest FP checks with `signal_overrides: { '<id>__fp_checks': { '<check>': true } }`. Before: submitting a hit without attesting FP checks would auto-stamp `classification: detected`.
+- **Dead branch on empty submission**: the indicator-default arm previously emitted `inconclusive` for both `anyCaptured` and the empty case. Empty submissions with no captured artifacts now correctly produce `classification: not_detected` with theater verdict `clear`.
+- **`evalCondition` regex no longer crashes the run.** A malformed indicator condition (operator-authored regex) used to throw out of `analyze()`. Now wrapped in try/catch; the failure surfaces as `analyze.runtime_errors[]` with the source condition + exception message.
+- **`--strict-preconditions` is now load-bearing.** The flag escalates `precondition_unverified` / `precondition_warn` / `precondition_skip` outcomes to halt, with `escalated_from` provenance. The CLI exit body now carries `strict_preconditions_violated[]` so consumers grep'ing the JSON see the contract reason without inspecting stderr.
+- **`on_fail: skip_phase` is actually honored.** A precondition that fails `on_fail: skip_phase` now emits a placeholder detect phase `{skipped: true, classification: 'skipped', reason: <id>}` and runs analyze with empty signals. Previously the runner ignored the directive and proceeded into detect as if the precondition had passed.
+- **`clock_starts: detect_confirmed` is bound to operator awareness.** Jurisdiction notification clocks (NIS2 24h, DORA 4h, GDPR 72h, etc.) no longer auto-stamp when classification turns `detected`; the operator must pass `--ack` for the clock to start. Without `--ack`, the notification entry carries `clock_pending_ack: true`. Matches the legal contract — the clock starts from operator awareness, not from the runner's decision.
+- **`analyze.active_exploitation` is now the worst across matched CVEs**, not the first. Two matched CVEs where #1 is `suspected` and #2 is `confirmed` correctly report `confirmed`.
+- **`signal_overrides` collisions are surfaced** rather than silently last-wins. Two observations targeting the same indicator id now record the discarded values in `analyze.signal_origins_with_collisions[]`.
+- **Per-run playbook cache**: the runner reads the playbook once per `run()` invocation instead of re-loading it inside each of the seven phase calls.
+
+### Scoring
+
+`lib/scoring.js` exports a new `validateFactors(factors)` returning structured warnings for missing fields, out-of-range `blast_radius`, or non-enum `active_exploitation`. `scoreCustom(factors, {collectWarnings: true})` returns the score plus `_scoring_warnings[]` for downstream consumers; the bare-number return is preserved for backwards compatibility.
+
+### Concurrency
+
+Catalog read-modify-write was racy under concurrent `refresh --advisory --apply` invocations — five sites in `lib/refresh-external.js` and two in `lib/prefetch.js`. Now serialized via `withCatalogLock` / `withIndexLock` (lockfile-gated, atomic tmp+rename writes; 30s stale-lock reaper for crash recovery). Concurrent applies to distinct CVEs now both survive in the final catalog rather than 1/20 trials losing an entry to interleaved writes. Same pattern applied to the prefetch `_index.json`.
+
+`persistAttestation` (in `bin/exceptd.js`) no longer has a TOCTOU window between `existsSync` and `writeFileSync` — atomic create via `flag: 'wx'` (`O_EXCL`) guarantees that two concurrent runs sharing a session-id produce one winner and one explicit `EEXIST` rather than silent last-write-wins.
+
+`lib/refresh-external.js` post-pool `process.exit()` calls replaced with `process.exitCode = N; return;` so buffered stdout drains before the event loop ends (same v0.11.10 class).
+
+### Signing round-trip
+
+`lib/sign.js` + `lib/verify.js` now normalize content (strip UTF-8 BOM, convert CRLF → LF) before computing or verifying signatures. A skill body cloned with `core.autocrlf=true` on Windows but signed on Linux CI no longer fails verification on the consumer side. Byte-level proof: all four variants of `hello\nworld\n` (LF, CRLF, BOM+LF, BOM+CRLF) normalize to the identical signature.
+
+Manifest schema validation lands in `lib/schemas/manifest.schema.json` + `loadManifestValidated()`. A tampered manifest with `path: "../../../etc/passwd"` is rejected at load time before any skill resolution. Per-skill paths must match `^skills/[A-Za-z0-9._/-]+/skill\.md$`.
+
+`lib/lint-skills.js` rejects duplicate frontmatter keys (last-wins parsing previously masked identity spoofing) and walks `skills/` for orphan `skill.md` files not referenced in the manifest.
+
+The fingerprint banner now prints AFTER the verdict line in both `sign-all` and `verify`, so a quick read of `gh run watch` output isn't ambiguous about pass/fail.
+
+### Path traversal hardening
+
+- `--session-id` now enforces `^[A-Za-z0-9._-]{1,64}$` (alphanumeric, dot, underscore, hyphen; up to 64 chars). Path separators and `..` are rejected at input.
+- `--attestation-root` rejects `..`-bearing relative paths and resolves to an absolute path before propagation.
+- `--evidence-dir` validates each `<id>.json` entry, refuses traversal-escaping resolved paths.
+- `--evidence` enforces a 32 MB file-size limit to defend against adversarial JSON bombs.
+- `persistAttestation` validates the session-id + filename and confirms the resolved directory stays under the attestation root.
+- `parseTar` in `lib/refresh-network.js` skips entries with `..` segments or absolute paths — defense-in-depth against a compromised registry CDN shipping path-traversal tarballs.
+
+### Output bundles (CSAF 2.0 / SARIF 2.1.0 / OpenVEX 0.2.0)
+
+`buildEvidenceBundle()` in `lib/playbook-runner.js` produces bundles that pass canonical-schema validation against each spec:
+
+- **CSAF**: `csaf_security_advisory` documents now include a populated `product_tree.full_product_names[]`; every `vulnerabilities[]` entry references a declared product via `product_status` (`known_affected` / `fixed` / `under_investigation`). NVD / Red Hat / ENISA CSAF dashboards previously rejected exceptd CSAF output for missing product_tree.
+- **SARIF**: indicator-hit results now populate `physicalLocation.artifactLocation.uri` from the playbook's look-phase artifact source paths so GitHub Code Scanning surfaces them. Null property-bag keys are pruned. Framework-gap results carry `kind: "informational"` per spec §3.27.9.
+- **OpenVEX**: every statement carries `products` (B1). Status semantics rebuilt — indicator hits become `affected` with an `action_statement` from the validate phase's selected remediation; misses become `not_affected` with `vulnerable_code_not_present` justification; inconclusive stays `under_investigation` (no action_statement). Framework-gap statements are removed from the VEX feed entirely (they're control-design observations, not vulnerabilities — they remain in CSAF and SARIF). Vulnerability `@id` values now follow RFC 8141 (`urn:cve:<id>`, `urn:exceptd:indicator:<playbook>:<id>`), replacing the unregistered `exceptd:` scheme.
+
+### Validators
+
+`lib/validate-playbooks.js` is a new validator that checks all 13 shipped playbooks against `lib/schemas/playbook.schema.json` plus cross-catalog references (`atlas_refs`, `cve_refs`, `cwe_refs`, `d3fend_refs`, `attack_refs`), internal consistency (duplicate indicator ids, RWEP threshold ordering, obligation_ref resolution), and feeds_into / mutex / skill_chain resolution. Wired as predeploy gate 16 (informational in v0.12.12; flips to enforcing in v0.13.0). 75-entry `data/attack-techniques.json` lands to support `attack_refs` resolution across skills and playbooks.
+
+`lib/validate-cve-catalog.js` adds warning-class checks for the Hard Rule #14 iocs-when-poc-and-exploit-url contract, `atlas_refs` + `cwe_refs` cross-catalog resolution, duplicate-name detection, impossible-date guards, and strict CVSS-version prefix recognition. All new findings emit as warnings in v0.12.12 to preserve patch-class compatibility; v0.13.0 will flip them to errors.
+
+`lib/lint-skills.js` extends section detection to require an anchored `^## <Section>` heading with ≥20 words of body text (warning-class), resolves `attack_refs` against `data/attack-techniques.json`, and flags missing "Defensive Countermeasure Mapping" sections on skills whose `last_threat_review >= 2026-05-11`.
+
+### Curation `--apply`
+
+`lib/cve-curation.js` gains the missing apply path. `curate(cveId, {apply: true, answers})` validates each answer against a per-field whitelist, applies, derives `rwep_score` from `rwep_factors` when an explicit score isn't supplied, computes `residual_warnings[]` against the required-schema set, and promotes the draft (strips `_auto_imported` + `_draft` + `_draft_reason`) when zero warnings remain. CLI surface: `exceptd refresh --curate <id> --answers <file>` or the explicit `--apply` alias. The questionnaire now always asks for `cvss_score`, `cvss_vector`, patch fields, `affected_versions`, and `cisa_kev` when those are unpopulated — without these, the apply path can't produce a schema-passing entry. Severity rendering for `cvss_score: null` returns `unrated` (was misleading `low`). Catalog reads honor absolute paths on Windows. OSV-imported drafts now show `"OSV: <id>"` in `auto_imported_from` (was always `"unknown"`).
+
+### Scheduler
+
+`orchestrator/scheduler.js` `MONTHLY_CVE_VALIDATION` (2.59 billion ms) and `ANNUAL_AUDIT` (31.5 billion ms) exceeded Node's INT32 setTimeout limit (2.15 billion ms), which silently clamps to 1 ms — producing a 1000 fires/sec stdout flood on idle `exceptd watch`. New `scheduleEvery(intervalMs, handler)` primitive uses a bounded `setInterval` (capped at 24 h) with wall-clock elapsed comparison. Idle watch goes from 1000 lines/sec to 0.
+
+### Predeploy
+
+`scripts/predeploy.js` now reports per-gate timing (`(NNN ms)` next to each pass / fail / informational line + the summary table). New 16th gate `Validate playbooks` runs informationally in v0.12.12.
+
+### Repository
+
+- `.github/workflows/ci.yml` gains a `validate-playbooks` job (`continue-on-error: true` in v0.12.12).
+- `manifest-snapshot.json` + `sbom.cdx.json` + `data/_indexes/` refreshed.
+- `data/attack-techniques.json` new — 75 ATT&CK technique entries with v17 metadata, supporting `attack_refs` resolution across the catalog.
+
+Test count: 492 → 573 (+81 across engine, sign/verify, refresh-external, prefetch, scheduler, cve-curation, bundle-correctness, validate-playbooks, and operator-bugs test files). Predeploy gates: 16/16. Skills: 38/38 signed and verified.
+
+## 0.12.11 — 2026-05-13
+
+**Patch: OSV source hardening, indicator regex widening, CWE/framework-gap reconciliation. v0.12.10 audit closeout.**
+
+### OSV source hardening
+
+`lib/source-osv.js` matures from greenfield to GHSA-parity:
+
+- **Structured fixture-I/O error envelope.** Missing or malformed `EXCEPTD_OSV_FIXTURE` paths no longer crash with a Node stack trace; the source returns `{ok:false, error, source:"offline"}` matching the GHSA convention. Operators piping the CLI through `jq` or scripting around exit codes get a structured failure they can branch on.
+- **Case-fold ids before lookup.** `fetchAdvisoryById("mal-2026-3083")` (lowercase) now resolves correctly. OSV.dev's `/v1/vulns/{id}` is case-sensitive — the source uppercases the id at entry before any branch on fixture lookup or network call.
+- **Highest-CVSS-version wins + compute from vector.** `extractCvss` previously overwrote the chosen vector on every loop iteration ("last wins" not "highest-version wins") and returned `null` `score` when the OSV record carried only a vector string with no embedded numeric tail. Both fixed: explicit version-comparison via the `CVSS:N.M` prefix, and a new `cvss3BaseScore(vector)` helper that computes the CVSS 3.1 base score per FIRST §7.1 (handles Scope:U + Scope:C). MAL-* records that previously normalized to `cvss_score: null` / `active_exploitation: "unknown"` now carry computed scores.
+- **GHSA-404 → OSV fallback for CVE-*.** `seedSingleAdvisory` previously routed `CVE-*` unconditionally through `source-ghsa`. When GHSA returned 404 for a CVE that had only PYSEC / RUSTSEC / SNYK / MAL coverage, the operator saw `GHSA returned HTTP 404` even though OSV had the record. Now: on GHSA-404 for a CVE-* id, retry via `source-osv.fetchAdvisoryById(id)`; surface the combined error when both 404.
+- **`epss_note` on non-CVE drafts.** Non-CVE catalog keys (MAL-*, SNYK-*, RUSTSEC-*, etc.) now carry a populated `epss_note` documenting the FIRST EPSS API limitation — drafts no longer look incomplete to downstream consumers grepping for the field.
+- **`verification_sources` deduped.** The canonical `osv.dev/vulnerability/<id>` URL was previously both prepended unconditionally AND pulled from `rec.references[]`. Deduped via `new Set` before return.
+- **`buildDiff` error categorization.** Returns `unreachable_count` + `normalize_error_count` separately so an operator can distinguish "OSV unreachable" from "10 ids returned but none normalized cleanly."
+- **`GHSA-` dropped from `OSV_ID_PREFIXES`.** The export previously listed GHSA-* even though the dispatcher unconditionally routes GHSA-* through `source-ghsa`. `isOsvId("GHSA-...")` now returns false. A top-of-file comment documents the routing decision (GHSA has richer field coverage for that namespace).
+- **`OSV_HOST_OVERRIDE` env var for offline HTTP testing.** New stubbing surface — lets `tests/source-osv.test.js` spin up a local HTTP server to exercise HTTP 500 / 429 / timeout / parse-error paths previously uncovered. 429 surfaces as `rate-limited`; timeout error message clarified.
+- **`seedSingleAdvisory` exported** for in-process testing.
+
+### Indicator regex widening
+
+`gha-workflow-script-injection-sink` (added v0.12.10) previously anchored on `run:\s*\|` (block-scalar pipe only). Single-line `run: echo "${{ github.event.comment.body }}"` bypassed the regex despite being the same vulnerability class. Widened to `run:[\s\S]*?...` which admits both block-scalar AND single-line forms. The indicator's `confidence` drops from `deterministic` → `high` and `deterministic` flag flips to `false` to reflect the reasoning step still required for the false-positive demotion (sandboxed `pull_request` + `contents: read` permissions). `tests/gha-workflow-script-injection-sink.test.js` lands as a new end-to-end regex test with 8 fixture YAML cases covering both the catch and the FP-demotion classes. All 5 of this repo's own `.github/workflows/*.yml` files remain clean against the widened regex.
+
+### CWE reverse-references
+
+The v0.12.10 catalog additions cited existing CWEs (CWE-89, CWE-77, CWE-94) without updating their reverse-reference `evidence_cves` arrays. Bidirectional linkage restored: CWE-89 now lists CVE-2026-42208 (LiteLLM SQLi), CWE-77 lists MAL-2026-3083 (elementary-data secondary classification), CWE-94 adds MAL-2026-3083 alongside the existing CVE-2025-53773 and CVE-2026-30615.
+
+### Framework-control-gaps key reconciliation
+
+Eight `framework_control_gaps` keys used by the v0.12.10 catalog additions did not resolve in `data/framework-control-gaps.json`. Six reconciled to canonical existing forms: `SLSA-L3` → `SLSA-v1.0-Build-L3`; `OWASP-LLM01` → `OWASP-LLM-Top-10-2025-LLM01`; `NIST-800-218-PO.4` → `NIST-800-218-SSDF`; `NIS2-Art21-2d` / `-2g` → `NIS2-Art21-patch-management`; `NIS2-Art21-2e` → `NIS2-Art21-incident-handling`. Two genuinely-distinct citations gained new entries in the framework-gaps catalog: `EU-CRA-Art13` (essential cybersecurity requirements + technical documentation; the elementary-data class of supply-chain compromise where the maintainer is a victim) and `NIST-800-53-SI-10` (information input validation; the trust-boundary-vs-inside-boundary distinction that argument-injection / SQL-injection / prompt-injection exploit). All `framework_control_gaps` references in the catalog now resolve to a real entry.
+
+### Repository
+
+- `lib/source-ghsa.js` "unrecognized id format" error message widened to enumerate the OSV-native prefixes operators can pass via `--advisory` (was previously CVE/GHSA only).
+- `README.md` documents the OSV source: install command, `--advisory MAL-...` form, `EXCEPTD_OSV_FIXTURE` env var, the fresh-disclosure workflow expanded to mention OSV's coverage breadth.
+
+Test count: 462 → 492 (+30: 18 OSV source-hardening tests + 10 indicator regex tests + 2 catalog drift assertions). Predeploy gates: 15/15. Skills: 38/38 signed and verified.
+
 ## 0.12.10 — 2026-05-13
 
 **Patch: OSV.dev wired as an upstream source, three new catalog entries, one new library-author indicator.**

package/README.md

@@ -135,6 +135,7 @@ You want to refresh CVE/RFC data, run currency checks, or generate reports. Inst
 npx @blamejs/exceptd-skills doctor                                # health check
 npx @blamejs/exceptd-skills refresh --apply --swarm               # pull KEV/NVD/EPSS/RFC/GHSA + apply
 npx @blamejs/exceptd-skills refresh --advisory CVE-2026-45321     # seed one CVE draft from GHSA
+npx @blamejs/exceptd-skills refresh --advisory MAL-2026-3083      # seed via OSV (MAL-/SNYK-/RUSTSEC-/USN-/PYSEC-/GO-/MGASA-/UVI-)
 npx @blamejs/exceptd-skills refresh --curate CVE-2026-45321       # surface editorial questions for a draft
 npx @blamejs/exceptd-skills refresh --network                     # swap data/ from latest signed npm tarball
 ```
@@ -148,7 +149,7 @@ exceptd help
 
 Air-gapped operation: run `exceptd refresh --prefetch` on a connected host, copy the resulting `.cache/upstream/` to the airgap, run `exceptd refresh --from-cache <path> --apply` over there. The vendored upstream snapshots replace every network call.
 
-Fresh-disclosure workflow (v0.12.0): the nightly auto-PR job pulls KEV / NVD / EPSS / IETF / **GHSA** (added in v0.12.0). KEV typically takes days; NVD ~10 days; GHSA fires within hours of disclosure and covers npm + PyPI + Maven + Go + NuGet + …. New CVE IDs land as drafts (`_auto_imported: true`, `_draft: true`) that the catalog validator treats as warnings, not errors — operators get the fresh entry immediately, editorial review (framework gaps, IoCs, ATLAS/ATT&CK refs) follows via `exceptd refresh --curate <CVE-ID>`. For "I want this CVE today, not tomorrow": `exceptd refresh --advisory <CVE-or-GHSA-ID> --apply`.
+Fresh-disclosure workflow (v0.12.0): the nightly auto-PR job pulls KEV / NVD / EPSS / IETF / **GHSA** (added in v0.12.0) / **OSV** (added in v0.12.10). KEV typically takes days; NVD ~10 days; GHSA fires within hours of disclosure and covers npm + PyPI + Maven + Go + NuGet + …; OSV aggregates the OSSF Malicious Packages dataset (`MAL-*` keys) + Snyk + RustSec + Mageia + Ubuntu USN + Go Vuln DB + PYSEC + UVI on top of GHSA — useful for malicious-package compromises that don't have CVEs yet (`exceptd refresh --advisory MAL-2026-3083`). New IDs land as drafts (`_auto_imported: true`, `_draft: true`) that the catalog validator treats as warnings, not errors — operators get the fresh entry immediately, editorial review (framework gaps, IoCs, ATLAS/ATT&CK refs) follows via `exceptd refresh --curate <ID>`. For "I want this advisory today, not tomorrow": `exceptd refresh --advisory <CVE-or-GHSA-or-MAL-or-SNYK-or-RUSTSEC-ID> --apply`.
 
 Optional env vars for higher rate budgets:
 
@@ -157,6 +158,7 @@ Optional env vars for higher rate budgets:
 | `NVD_API_KEY` | Lifts NVD 2.0 from 5 → 50 requests per 30s window. Free key at <https://nvd.nist.gov/developers/request-an-api-key>. |
 | `GITHUB_TOKEN` | Lifts GitHub Releases + GHSA from 60 → 5000 requests per hour. |
 | `EXCEPTD_GHSA_FIXTURE` | Path to a JSON fixture matching the api.github.com/advisories shape. For offline tests + air-gap workflows. |
+| `EXCEPTD_OSV_FIXTURE` | Path to a JSON fixture matching the OSV schema (https://ossf.github.io/osv-schema/). For offline tests + air-gap workflows against the OSV source (added v0.12.10). |
 | `EXCEPTD_REGISTRY_FIXTURE` | Path to a JSON fixture matching the npm registry response. Used by `doctor --registry-check` + `run --upstream-check` + `refresh --network` for offline testing. |
 
 ### 3. Maintainer (extend / sign / publish)

package/bin/exceptd.js

@@ -554,6 +554,17 @@ function readEvidence(evidenceFlag) {
     if (!buf.trim()) return {};
     return JSON.parse(buf);
   }
+  // v0.12.12: read enforces a max size to defend against an operator
+  // accidentally passing a multi-gigabyte file (binary, log, or
+  // adversarial JSON bomb). 32 MB is well beyond any legitimate
+  // submission and still drains in a single read on modern hardware.
+  const MAX_EVIDENCE_BYTES = 32 * 1024 * 1024;
+  let stat;
+  try { stat = fs.statSync(evidenceFlag); }
+  catch (e) { throw new Error(`evidence path not readable: ${e.message}`); }
+  if (stat.size > MAX_EVIDENCE_BYTES) {
+    throw new Error(`evidence file too large: ${stat.size} bytes > ${MAX_EVIDENCE_BYTES} byte limit. Reduce the submission or split into multiple playbook runs.`);
+  }
   return JSON.parse(fs.readFileSync(evidenceFlag, "utf8"));
 }
 
@@ -607,8 +618,39 @@ function dispatchPlaybook(cmd, argv) {
     airGap: !!args["air-gap"],
     forceStale: !!args["force-stale"],
   };
-  if (args["session-id"]) runOpts.session_id = args["session-id"];
-  if (args["attestation-root"]) runOpts.attestationRoot = args["attestation-root"];
+  if (args["session-id"]) {
+    // v0.12.12: --session-id is a filesystem path component (resolves to
+    // .exceptd/attestations/<id>/attestation.json). Operator-supplied input
+    // with `..` or path separators escapes the attestation root. Validate
+    // strict allowlist before propagating.
+    const sid = args["session-id"];
+    if (typeof sid !== "string" || !/^[A-Za-z0-9._-]{1,64}$/.test(sid)) {
+      return emitError(
+        "run: --session-id must match /^[A-Za-z0-9._-]{1,64}$/ (alphanumeric, dot, underscore, hyphen; up to 64 chars). Path separators and '..' are rejected.",
+        { provided: typeof sid === "string" ? sid.slice(0, 80) : typeof sid },
+        pretty
+      );
+    }
+    runOpts.session_id = sid;
+  }
+  if (args["attestation-root"]) {
+    // v0.12.12: --attestation-root must resolve to an absolute path the
+    // operator owns. Reject `..`-bearing relatives at input so a misconfigured
+    // env doesn't write outside the intended root. Final resolution still
+    // happens in resolveAttestationRoot — this is the input-validation layer.
+    const ar = args["attestation-root"];
+    if (typeof ar !== "string" || ar.length === 0) {
+      return emitError("run: --attestation-root must be a non-empty string.", { provided: typeof ar }, pretty);
+    }
+    if (ar.split(/[\\/]/).some(seg => seg === "..")) {
+      return emitError(
+        "run: --attestation-root must not contain '..' path segments. Pass an absolute path under your home directory or an explicit project-relative path without traversal.",
+        { provided: ar.slice(0, 200) },
+        pretty
+      );
+    }
+    runOpts.attestationRoot = path.resolve(ar);
+  }
   if (args["session-key"]) {
     // Bug #33: validate that --session-key is hex. Previously any string was
     // silently accepted; HMAC signing then either failed silently or produced
@@ -1678,6 +1720,14 @@ function cmdRun(runner, args, runOpts, pretty) {
       i.kind === "precondition_unverified" || i.kind === "precondition_warn"
     );
     if (warnIssues.length > 0) {
+      // v0.12.12: surface the contract violation in the emitted body so
+      // downstream consumers grepping the JSON see WHY the exit is non-zero.
+      // result.ok stays true (the playbook executed) but the explicit flag
+      // makes the strict-preconditions contract observable, not just inferable
+      // from exit code + stderr line.
+      result.strict_preconditions_violated = warnIssues.map(i => ({
+        id: i.id, kind: i.kind, message: i.message || null, on_fail: i.on_fail || null,
+      }));
       process.stderr.write(`[exceptd run] --strict-preconditions: ${warnIssues.length} unverified/warn precondition(s) — exit 1.\n`);
       emit(result, pretty);
       // v0.11.11: exitCode + return so emit()'s stdout flushes (process.exit
@@ -1922,13 +1972,28 @@ function cmdRunMulti(runner, ids, args, runOpts, pretty, meta) {
   // contract in one pass.
   if (args["evidence-dir"]) {
     const dir = args["evidence-dir"];
+    if (typeof dir !== "string" || dir.length === 0) {
+      return emitError("run: --evidence-dir must be a non-empty string.", null, pretty);
+    }
     if (!fs.existsSync(dir)) {
       return emitError(`run: --evidence-dir ${dir} does not exist.`, null, pretty);
     }
+    const resolvedDir = path.resolve(dir);
+    // v0.12.12: only `<playbook-id>.json` entries are honored. Reject
+    // anything where the filename strip leaves traversal segments — npm
+    // refuses to write such filenames so the realistic risk is an operator
+    // symlink/junction inside the dir, but the filter is cheap.
     for (const f of fs.readdirSync(dir).filter(x => x.endsWith(".json"))) {
       const pbId = f.replace(/\.json$/, "");
+      if (!/^[A-Za-z0-9_.-]+$/.test(pbId)) {
+        return emitError(`run: --evidence-dir entry ${JSON.stringify(f)} has unsafe playbook-id segment.`, null, pretty);
+      }
+      const entryPath = path.resolve(path.join(resolvedDir, f));
+      if (!entryPath.startsWith(resolvedDir + path.sep)) {
+        return emitError(`run: --evidence-dir entry ${f} resolves outside the directory; refusing.`, null, pretty);
+      }
       try {
-        bundle[pbId] = JSON.parse(fs.readFileSync(path.join(dir, f), "utf8"));
+        bundle[pbId] = JSON.parse(fs.readFileSync(entryPath, "utf8"));
       } catch (e) {
         return emitError(`run: failed to parse --evidence-dir entry ${f}: ${e.message}`, null, pretty);
       }
@@ -2128,47 +2193,86 @@ function deriveRunTag() {
 function persistAttestation(args) {
   const { sessionId, playbookId, directiveId, evidenceHash, operator,
           operatorConsent, submission, runOpts, forceOverwrite, filename } = args;
+  // v0.12.12: session-id is supposed to be sanitized at input. Defense in
+  // depth: reject anything that path-traverses out of the attestation root.
+  if (!/^[A-Za-z0-9._-]{1,64}$/.test(sessionId || "")) {
+    return {
+      ok: false,
+      error: `Refusing to persist attestation with unsafe session-id: ${JSON.stringify(sessionId).slice(0, 80)}. Must match /^[A-Za-z0-9._-]{1,64}$/.`,
+      existingPath: null,
+    };
+  }
+  if (!/^[A-Za-z0-9._-]{1,64}\.json$/.test(filename || "")) {
+    return {
+      ok: false,
+      error: `Refusing to persist attestation with unsafe filename: ${JSON.stringify(filename).slice(0, 80)}.`,
+      existingPath: null,
+    };
+  }
   const root = resolveAttestationRoot(runOpts);
   const dir = path.join(root, sessionId);
   const filePath = path.join(dir, filename);
-
-  let prior = null;
-  if (fs.existsSync(filePath)) {
-    try { prior = JSON.parse(fs.readFileSync(filePath, "utf8")); } catch {}
-    if (!forceOverwrite) {
-      return {
-        ok: false,
-        error: `Attestation already exists at ${path.relative(process.cwd(), filePath)}. Session-id collision (${sessionId}) — refusing to overwrite to preserve audit trail.`,
-        existingPath: path.relative(process.cwd(), filePath),
-      };
-    }
+  // Final-resolution check: dir must remain inside root after normalization.
+  const normRoot = path.resolve(root) + path.sep;
+  if (!(path.resolve(dir) + path.sep).startsWith(normRoot)) {
+    return {
+      ok: false,
+      error: `Refusing to persist attestation outside root. session_id=${sessionId} root=${root}`,
+      existingPath: null,
+    };
   }
 
   try {
     fs.mkdirSync(dir, { recursive: true });
-    const attestation = {
-      session_id: sessionId,
-      playbook_id: playbookId,
-      directive_id: directiveId,
-      evidence_hash: evidenceHash,
-      operator: operator || null,
-      operator_consent: operatorConsent || null,
-      submission,
-      run_opts: { airGap: runOpts.airGap, forceStale: runOpts.forceStale, mode: runOpts.mode },
-      captured_at: new Date().toISOString(),
-      // When overwriting (with --force-overwrite), link to the prior content
-      // by evidence_hash + capture timestamp. session_id is the same (that's
-      // why we collided), so it's the hash + timestamp that distinguish.
-      prior_evidence_hash: prior ? (prior.evidence_hash || null) : null,
-      prior_captured_at: prior ? (prior.captured_at || null) : null,
-    };
-    fs.writeFileSync(filePath, JSON.stringify(attestation, null, 2));
-    maybeSignAttestation(filePath);
-    return {
-      ok: true,
-      prior_session_id: prior ? sessionId : null,
-      overwrote_at: prior ? prior.captured_at : null,
+    const writeAttestation = (priorEvidenceHash, priorCapturedAt, flag) => {
+      const attestation = {
+        session_id: sessionId,
+        playbook_id: playbookId,
+        directive_id: directiveId,
+        evidence_hash: evidenceHash,
+        operator: operator || null,
+        operator_consent: operatorConsent || null,
+        submission,
+        run_opts: { airGap: runOpts.airGap, forceStale: runOpts.forceStale, mode: runOpts.mode },
+        captured_at: new Date().toISOString(),
+        // When overwriting (with --force-overwrite), link to the prior content
+        // by evidence_hash + capture timestamp. session_id is the same (that's
+        // why we collided), so it's the hash + timestamp that distinguish.
+        prior_evidence_hash: priorEvidenceHash,
+        prior_captured_at: priorCapturedAt,
+      };
+      // Atomic-create via O_EXCL ('wx' flag) eliminates the TOCTOU window
+      // between existsSync and writeFileSync. Two concurrent run-with-same-
+      // session-id invocations now produce one winner + one EEXIST loser,
+      // not silent last-write-wins.
+      fs.writeFileSync(filePath, JSON.stringify(attestation, null, 2), { flag });
+      maybeSignAttestation(filePath);
     };
+
+    try {
+      writeAttestation(null, null, "wx");
+      return { ok: true, prior_session_id: null, overwrote_at: null };
+    } catch (eExcl) {
+      if (eExcl.code !== "EEXIST") throw eExcl;
+      // Slot already taken — read prior to chain audit trail, then decide.
+      let prior = null;
+      try { prior = JSON.parse(fs.readFileSync(filePath, "utf8")); } catch { /* malformed prior — proceed */ }
+      if (!forceOverwrite) {
+        return {
+          ok: false,
+          error: `Attestation already exists at ${path.relative(process.cwd(), filePath)}. Session-id collision (${sessionId}) — refusing to overwrite to preserve audit trail.`,
+          existingPath: path.relative(process.cwd(), filePath),
+        };
+      }
+      writeAttestation(prior ? (prior.evidence_hash || null) : null,
+                       prior ? (prior.captured_at || null) : null,
+                       "w");
+      return {
+        ok: true,
+        prior_session_id: prior ? sessionId : null,
+        overwrote_at: prior ? prior.captured_at : null,
+      };
+    }
   } catch (e) {
     return { ok: false, error: `Failed to write attestation: ${e.message}`, existingPath: null };
   }
@@ -3367,8 +3471,14 @@ function cmdAiRun(runner, args, runOpts, pretty) {
     directPhase = runner.direct(playbookId, directiveId);
     lookPhase = runner.look(playbookId, directiveId, runOpts);
   } catch (e) {
-    process.stdout.write(JSON.stringify({ event: "error", reason: e.message, phase: "info" }) + "\n");
-    process.exit(1);
+    // v0.12.12 (T8): process.exit(1) immediately after a stdout write can
+    // truncate buffered output under piped consumers (same class as v0.11.10
+    // #100). Use exitCode+return so the JSONL error frame drains. Also write
+    // the framed error event so the stdout-only JSONL contract holds — host
+    // AIs reading this stream must see structured frames, never bare text.
+    process.stdout.write(JSON.stringify({ event: "error", reason: e.message, phase: "info", playbook_id: playbookId, directive_id: directiveId }) + "\n");
+    process.exitCode = 1;
+    return;
   }
 
   const governEvent = {
@@ -3444,8 +3554,11 @@ function cmdAiRun(runner, args, runOpts, pretty) {
       return emitError(`ai-run: runner threw: ${e.message}`, { playbook: playbookId }, pretty);
     }
     if (!result || result.ok === false) {
+      // v0.12.12: same exit-after-write anti-pattern as the pre-stream
+      // load path. Use exitCode + return so stderr drains.
       process.stderr.write((pretty ? JSON.stringify(result || {}, null, 2) : JSON.stringify(result || {})) + "\n");
-      process.exit(1);
+      process.exitCode = 1;
+      return;
     }
     // v0.11.8 (#101): unify ai-run --no-stream shape with `run`. Pre-0.11.8
     // ai-run flattened phases to top-level (`govern`, `direct`, `look`, ...),

package/data/_indexes/_meta.json

@@ -1,17 +1,18 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-13T17:30:56.669Z",
+  "generated_at": "2026-05-14T14:28:45.659Z",
   "generator": "scripts/build-indexes.js",
-  "source_count": 49,
+  "source_count": 50,
   "source_hashes": {
-    "manifest.json": "b7501793892cdfd22ede52a21ec60629d000a5a562373948dd33c1b840776189",
+    "manifest.json": "a3c012232fd18e4a2186bf3243fb969bb411e6815d170f568e42867ce7c6c308",
     "data/atlas-ttps.json": "f3f75ff2778a0a2c7d953a21386bc4f265cb2685ce41242eee45f9e9f2a6add6",
-    "data/cve-catalog.json": "e4ee5a94bfab0109c2dbd9531a1cd3ad96ce37ad4ec36523d699beace5b6d5d4",
-    "data/cwe-catalog.json": "9d71498894a74a235d2c9dae97d062499529cb031184a4011172bf6dce9f3c3d",
+    "data/attack-techniques.json": "b6dde8f2d8bbe809cbd017d1490b16c01cc54034d695bc8535613b699e3b45c6",
+    "data/cve-catalog.json": "197f5313d93f0a7225d5ff275e21cbd067b3970a6f2fdc6da35f81c847e8bdee",
+    "data/cwe-catalog.json": "19ce1fad3ed0b0687ec9a328b2d6cd1b544eea7f19140234ec1a8467de1f908d",
     "data/d3fend-catalog.json": "d219520c8d3eb61a270b25ea60f64721035e98a8d5d51d1a4e1f1140d9a586f9",
     "data/dlp-controls.json": "8ea8d907aea0a2cfd772b048a62122a322ba3284a5c36a272ad5e9d392564cb5",
     "data/exploit-availability.json": "7dad52f459c324c40aa4df7cd9157f6a19f670fdfb9d8f687d777c9d99798668",
-    "data/framework-control-gaps.json": "8804a10bf77e987453ea76ae717153118dc5cc625f42e98f78213b08fa144f73",
+    "data/framework-control-gaps.json": "9240ea4a825090fe2716947f2f6f9171c065a133ef003e04d2fbc4f01fc55bdf",
     "data/global-frameworks.json": "84fd19061f052e4ccf66308a7b8d3fd38e00325e97e9e5e19e4d9b302c128957",
     "data/rfc-references.json": "583360bae01e324d752bd28a7d344b4276478381426428d683fc82b0ac19d64a",
     "data/zeroday-lessons.json": "d670e73dfd5237ceb71a56326676d90c05387b9547f8ed6f3a60a153854b444b",
@@ -55,7 +56,7 @@
     "skills/age-gates-child-safety/skill.md": "c741d7dca9da0abb09bdebb8a02e803ce4ae9fb9a6904fb8df3ec19cae83917d"
   },
   "skill_count": 38,
-  "catalog_count": 10,
+  "catalog_count": 11,
   "index_stats": {
     "xref_entries": {
       "cwe_refs": 34,
@@ -80,8 +81,8 @@
     "theater_fingerprints": 7,
     "currency_action_required": 0,
     "frequency_fields": 7,
-    "activity_feed_events": 49,
-    "catalog_summaries": 10,
+    "activity_feed_events": 50,
+    "catalog_summaries": 11,
     "stale_content_findings": 0
   },
   "invalidation_note": "If any source file in source_hashes has a different SHA-256 than recorded here, the indexes are stale. Re-run `npm run build-indexes`."

package/data/_indexes/activity-feed.json

@@ -2,7 +2,7 @@
   "_meta": {
     "schema_version": "1.0.0",
     "note": "Per-artifact 'last changed' feed sorted descending by date. Skill events from manifest.last_threat_review; catalog events from data/<catalog>.json _meta.last_updated.",
-    "event_count": 49
+    "event_count": 50
   },
   "events": [
     {
@@ -13,6 +13,14 @@
       "schema_version": "1.0.0",
       "entry_count": 15
     },
+    {
+      "date": "2026-05-13",
+      "type": "catalog_update",
+      "artifact": "data/attack-techniques.json",
+      "path": "data/attack-techniques.json",
+      "schema_version": "1.0.0",
+      "entry_count": 75
+    },
     {
       "date": "2026-05-13",
       "type": "catalog_update",
@@ -349,14 +357,14 @@
       "artifact": "data/framework-control-gaps.json",
       "path": "data/framework-control-gaps.json",
       "schema_version": "1.0.0",
-      "entry_count": 59
+      "entry_count": 61
     },
     {
       "date": "2026-05-01",
       "type": "manifest_review",
       "artifact": "manifest.json",
       "path": "manifest.json",
-      "note": "manifest threat_review_date — 38 skills, 10 catalogs"
+      "note": "manifest threat_review_date — 38 skills, 11 catalogs"
     }
   ]
 }

package/data/_indexes/catalog-summaries.json

@@ -2,7 +2,7 @@
   "_meta": {
     "schema_version": "1.0.0",
     "note": "Per-catalog compact summary so AI consumers can discover available data without loading every _meta block. Purpose strings are curated in scripts/builders/catalog-summaries.js.",
-    "catalog_count": 10
+    "catalog_count": 11
   },
   "catalogs": {
     "atlas-ttps.json": {
@@ -27,6 +27,28 @@
         "AML.T0018"
       ]
     },
+    "attack-techniques.json": {
+      "path": "data/attack-techniques.json",
+      "purpose": null,
+      "schema_version": "1.0.0",
+      "last_updated": "2026-05-13",
+      "tlp": "CLEAR",
+      "source_confidence_default": "A1",
+      "freshness_policy": {
+        "default_review_cadence_days": 90,
+        "stale_after_days": 180,
+        "rebuild_after_days": 365,
+        "note": "Catalog must be rebuilt against the upstream ATT&CK release whenever MITRE publishes a new version. AGENTS.md hard rule #8 requires the bump to be intentional, not silent."
+      },
+      "entry_count": 75,
+      "sample_keys": [
+        "T0001",
+        "T0017",
+        "T0051",
+        "T0096",
+        "T0853"
+      ]
+    },
     "cve-catalog.json": {
       "path": "data/cve-catalog.json",
       "purpose": "Per-CVE record (CVSS, EPSS, CISA KEV, RWEP, AI-discovery, vendor advisories, framework gaps, ATLAS/ATT&CK mappings). Cross-validated against NVD + CISA KEV + FIRST EPSS via validate-cves.",
@@ -150,7 +172,7 @@
         "rebuild_after_days": 365,
         "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
       },
-      "entry_count": 59,
+      "entry_count": 61,
       "sample_keys": [
         "NIST-800-53-SI-2",
         "NIST-800-53-SC-8",

package/data/_indexes/frequency.json

@@ -2084,7 +2084,9 @@
       "AU-Essential-8-MFA",
       "AU-Essential-8-Patch",
       "EU-AI-Act-Art-15",
+      "EU-CRA-Art13",
       "NIS2-Art21-incident-handling",
+      "NIST-800-53-SI-10",
       "UK-CAF-A1",
       "UK-CAF-B2",
       "UK-CAF-C1",