@blamejs/exceptd-skills 0.12.10 → 0.12.13

package/lib/source-osv.js

@@ -39,17 +39,24 @@
 const https = require("https");
 const fs = require("fs");
 
+// OSV_HOST_OVERRIDE lets tests redirect the network call to a local HTTP
+// server bound on 127.0.0.1:<port>. The override accepts either a bare
+// `host:port` string or a full `http://host:port` URL. When set, the
+// underlying request switches from `https` to `http` so the test server
+// doesn't need a TLS cert. Production callers never set this.
 const OSV_HOST = "api.osv.dev";
 const REQUEST_TIMEOUT_MS = 10000;
 const USER_AGENT = "exceptd-security/source-osv (+https://exceptd.com)";
 
-// Identifier namespaces OSV uses as PRIMARY keys (i.e. that route through
-// this module rather than GHSA's CVE-search path). Keep this list in sync
-// with the dispatcher in lib/refresh-external.js — adding a new prefix
-// here is not enough; the dispatcher's --advisory regex must also accept it.
+// Identifier namespaces OSV uses as PRIMARY keys. GHSA-* is intentionally
+// NOT in this list — `seedSingleAdvisory` in lib/refresh-external.js routes
+// CVE-* and GHSA-* through `source-ghsa` because GHSA carries richer field
+// coverage (cvss object, vulnerable_version_range string, ghsa_id linkage)
+// than OSV's import of the same advisories. Keep this list in sync with the
+// dispatcher in lib/refresh-external.js — adding a new prefix here is not
+// enough; the dispatcher's --advisory regex must also accept it.
 const OSV_ID_PREFIXES = [
   "MAL-",     // OSSF Malicious Packages
-  "GHSA-",    // GitHub Security Advisories (OSV import)
   "SNYK-",    // Snyk
   "RUSTSEC-", // RustSec
   "GO-",      // Go vuln DB
@@ -72,24 +79,47 @@ const OSV_ID_PREFIXES = [
 
 /**
  * Return true when `id` looks like an OSV-native primary key (i.e. NOT a
- * CVE-* identifier). CVE-* identifiers continue to route through the GHSA
- * source because GHSA carries richer field coverage for CVE-keyed records.
+ * CVE-* identifier and NOT a GHSA-* identifier). Both CVE-* and GHSA-*
+ * route through `source-ghsa` for richer field coverage.
  */
 function isOsvId(id) {
   if (!id || typeof id !== "string") return false;
   const up = id.toUpperCase();
   if (/^CVE-\d{4}-\d+$/.test(up)) return false;
+  if (up.startsWith("GHSA-")) return false;
   return OSV_ID_PREFIXES.some((p) => up.startsWith(p));
 }
 
 /**
- * Low-level HTTPS GET against OSV. Resolves to { ok, record|error, source }.
+ * Resolve the OSV transport target. When OSV_HOST_OVERRIDE is set the
+ * request switches to plain HTTP on the override host:port so test
+ * harnesses can stand up a local server without TLS. Production omits the
+ * override entirely and lands on api.osv.dev over HTTPS.
  */
-function osvGet(path, timeoutMs = REQUEST_TIMEOUT_MS) {
+function osvTransport() {
+  const override = process.env.OSV_HOST_OVERRIDE;
+  if (!override) return { mod: https, host: OSV_HOST, port: 443 };
+  // Accept either "host:port" or a full URL.
+  let raw = override.trim();
+  if (/^https?:\/\//i.test(raw)) {
+    const u = new URL(raw);
+    return { mod: require("http"), host: u.hostname, port: parseInt(u.port, 10) || 80 };
+  }
+  const [h, p] = raw.split(":");
+  return { mod: require("http"), host: h || "127.0.0.1", port: parseInt(p, 10) || 80 };
+}
+
+/**
+ * Low-level GET against OSV. Resolves to { ok, record|error, source }.
+ * Honors OSV_HOST_OVERRIDE for offline tests.
+ */
+function osvGet(reqPath, timeoutMs = REQUEST_TIMEOUT_MS) {
   return new Promise((resolve) => {
-    const req = https.get({
-      host: OSV_HOST,
-      path,
+    const { mod, host, port } = osvTransport();
+    const req = mod.get({
+      host,
+      port,
+      path: reqPath,
       headers: {
         "Accept": "application/json",
         "User-Agent": USER_AGENT,
@@ -98,7 +128,11 @@ function osvGet(path, timeoutMs = REQUEST_TIMEOUT_MS) {
     }, (res) => {
       if (res.statusCode !== 200) {
         res.resume();
-        return resolve({ ok: false, error: `OSV returned HTTP ${res.statusCode}`, source: "offline" });
+        const status = res.statusCode;
+        const error = status === 429
+          ? `OSV rate-limited (HTTP 429)`
+          : `OSV returned HTTP ${status}`;
+        return resolve({ ok: false, error, status, source: "offline" });
       }
       const chunks = [];
       res.on("data", (c) => chunks.push(c));
@@ -111,20 +145,22 @@ function osvGet(path, timeoutMs = REQUEST_TIMEOUT_MS) {
         }
       });
     });
-    req.on("timeout", () => req.destroy(new Error("timeout")));
+    req.on("timeout", () => req.destroy(new Error("OSV request timed out")));
     req.on("error", (e) => resolve({ ok: false, error: e.message, source: "offline" }));
   });
 }
 
 /**
- * Low-level HTTPS POST against OSV. Body is JSON-stringified.
+ * Low-level POST against OSV. Body is JSON-stringified.
  */
-function osvPost(path, body, timeoutMs = REQUEST_TIMEOUT_MS) {
+function osvPost(reqPath, body, timeoutMs = REQUEST_TIMEOUT_MS) {
   return new Promise((resolve) => {
     const payload = Buffer.from(JSON.stringify(body), "utf8");
-    const req = https.request({
-      host: OSV_HOST,
-      path,
+    const { mod, host, port } = osvTransport();
+    const req = mod.request({
+      host,
+      port,
+      path: reqPath,
       method: "POST",
       headers: {
         "Content-Type": "application/json",
@@ -136,7 +172,11 @@ function osvPost(path, body, timeoutMs = REQUEST_TIMEOUT_MS) {
     }, (res) => {
       if (res.statusCode !== 200) {
         res.resume();
-        return resolve({ ok: false, error: `OSV returned HTTP ${res.statusCode}`, source: "offline" });
+        const status = res.statusCode;
+        const error = status === 429
+          ? `OSV rate-limited (HTTP 429)`
+          : `OSV returned HTTP ${status}`;
+        return resolve({ ok: false, error, status, source: "offline" });
       }
       const chunks = [];
       res.on("data", (c) => chunks.push(c));
@@ -149,7 +189,7 @@ function osvPost(path, body, timeoutMs = REQUEST_TIMEOUT_MS) {
         }
       });
     });
-    req.on("timeout", () => req.destroy(new Error("timeout")));
+    req.on("timeout", () => req.destroy(new Error("OSV request timed out")));
     req.on("error", (e) => resolve({ ok: false, error: e.message, source: "offline" }));
     req.write(payload);
     req.end();
@@ -157,14 +197,36 @@ function osvPost(path, body, timeoutMs = REQUEST_TIMEOUT_MS) {
 }
 
 /**
- * Read EXCEPTD_OSV_FIXTURE and return an array of OSV records. Accepts
- * either a single object or an array on disk.
+ * Read EXCEPTD_OSV_FIXTURE and return a structured envelope. Matches the
+ * GHSA-source convention: on any failure (missing file, malformed JSON,
+ * root not object/array) return `{ ok: false, error, source: "offline" }`
+ * rather than throw — operators on the CLI surface get a structured error
+ * instead of a Node stack trace.
+ *
+ * Returns:
+ *   null                                          when env var is unset
+ *   { ok: true, advisories: [...], source }       on success
+ *   { ok: false, error, source: "offline" }       on any failure
  */
 function readFixture() {
   const fp = process.env.EXCEPTD_OSV_FIXTURE;
   if (!fp) return null;
-  const raw = JSON.parse(fs.readFileSync(fp, "utf8"));
-  return Array.isArray(raw) ? raw : [raw];
+  let raw;
+  try {
+    raw = fs.readFileSync(fp, "utf8");
+  } catch (e) {
+    return { ok: false, error: `fixture: ${e.message}`, source: "offline" };
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch (e) {
+    return { ok: false, error: `fixture: ${e.message}`, source: "offline" };
+  }
+  if (parsed == null || (typeof parsed !== "object")) {
+    return { ok: false, error: `fixture: root must be an OSV record object or array (got ${typeof parsed})`, source: "offline" };
+  }
+  return { ok: true, advisories: Array.isArray(parsed) ? parsed : [parsed], source: "fixture" };
 }
 
 /**
@@ -176,12 +238,19 @@ function readFixture() {
  */
 async function fetchAdvisoryById(id, opts = {}) {
   if (!id || typeof id !== "string") {
-    return { ok: false, error: "id is required (MAL-*, GHSA-*, SNYK-*, etc.)", source: "offline" };
+    return { ok: false, error: "id is required (MAL-*, SNYK-*, RUSTSEC-*, etc.)", source: "offline" };
   }
+  // OSV.dev's /v1/vulns/{id} is case-sensitive — `mal-2026-3083` 404s while
+  // `MAL-2026-3083` resolves. Uppercase at entry so operators piping
+  // lowercase ids from grep/jq don't get a surprising 404 from the network
+  // path. Fixture lookup already case-folds, so this normalization is a
+  // no-op there but harmless.
+  id = id.toUpperCase();
   const fixture = readFixture();
   if (fixture) {
-    const want = id.toUpperCase();
-    const match = fixture.find((rec) => {
+    if (!fixture.ok) return fixture; // F1: structured error envelope
+    const want = id;
+    const match = fixture.advisories.find((rec) => {
       const recId = (rec && rec.id) ? String(rec.id).toUpperCase() : null;
       if (recId === want) return true;
       const aliases = Array.isArray(rec?.aliases) ? rec.aliases.map((a) => String(a).toUpperCase()) : [];
@@ -205,9 +274,10 @@ async function fetchAdvisoriesForPackage(name, ecosystem, version, opts = {}) {
   }
   const fixture = readFixture();
   if (fixture) {
+    if (!fixture.ok) return fixture; // F1: structured error envelope
     // Best-effort fixture filtering: match any record whose `affected[]`
     // contains the requested package + ecosystem (+ version when set).
-    const matches = fixture.filter((rec) => {
+    const matches = fixture.advisories.filter((rec) => {
       const affected = Array.isArray(rec?.affected) ? rec.affected : [];
       return affected.some((a) => {
         const pkg = a?.package || {};
@@ -241,37 +311,112 @@ function pickCatalogKey(rec) {
 }
 
 /**
- * Pull a numeric CVSS score out of an OSV severity[] entry (CVSS v3 / v4
- * vector strings start with "CVSS:3.x/" or "CVSS:4.0/"). Returns null if
- * no parseable score is present.
+ * CVSS 3.1 base-score computation from a vector string. Implements Table 6
+ * of the FIRST CVSS 3.1 specification. Used when an OSV record carries a
+ * vector but no embedded numeric score (the common case for MAL-* records).
+ * Returns null on malformed input.
+ *
+ * Reference: https://www.first.org/cvss/v3.1/specification-document
+ */
+function cvss3BaseScore(vector) {
+  if (typeof vector !== "string") return null;
+  const m = vector.match(/^CVSS:3\.\d\/(.+)$/);
+  if (!m) return null;
+  const parts = m[1].split("/");
+  const metrics = {};
+  for (const p of parts) {
+    const [k, v] = p.split(":");
+    if (!k || !v) return null;
+    metrics[k] = v;
+  }
+  // Required metrics — bail if any are missing.
+  for (const k of ["AV", "AC", "PR", "UI", "S", "C", "I", "A"]) {
+    if (!metrics[k]) return null;
+  }
+  const AV_W = { N: 0.85, A: 0.62, L: 0.55, P: 0.2 };
+  const AC_W = { L: 0.77, H: 0.44 };
+  const UI_W = { N: 0.85, R: 0.62 };
+  const CIA_W = { H: 0.56, L: 0.22, N: 0 };
+  // PR weights depend on Scope.
+  const PR_W_U = { N: 0.85, L: 0.62, H: 0.27 };
+  const PR_W_C = { N: 0.85, L: 0.68, H: 0.5 };
+  const scope = metrics.S;
+  if (scope !== "U" && scope !== "C") return null;
+  const av = AV_W[metrics.AV];
+  const ac = AC_W[metrics.AC];
+  const ui = UI_W[metrics.UI];
+  const pr = (scope === "C" ? PR_W_C : PR_W_U)[metrics.PR];
+  const c = CIA_W[metrics.C];
+  const i = CIA_W[metrics.I];
+  const a = CIA_W[metrics.A];
+  if ([av, ac, ui, pr, c, i, a].some((x) => x == null)) return null;
+  const iss = 1 - ((1 - c) * (1 - i) * (1 - a));
+  let impact;
+  if (scope === "U") {
+    impact = 6.42 * iss;
+  } else {
+    impact = 7.52 * (iss - 0.029) - 3.25 * Math.pow(iss - 0.02, 15);
+  }
+  if (impact <= 0) return 0.0;
+  const exploitability = 8.22 * av * ac * pr * ui;
+  let base;
+  if (scope === "U") {
+    base = Math.min(impact + exploitability, 10);
+  } else {
+    base = Math.min(1.08 * (impact + exploitability), 10);
+  }
+  // roundUp1: round up to one decimal (CVSS 3.1 §7.1).
+  const rounded = Math.ceil(base * 10) / 10;
+  if (!Number.isFinite(rounded) || rounded < 0 || rounded > 10) return null;
+  return rounded;
+}
+
+/**
+ * Pull a numeric CVSS score + vector out of an OSV severity[] entry. CVSS
+ * vectors start with "CVSS:3.x/" or "CVSS:4.0/". When multiple vectors are
+ * present (e.g. both V3 and V4), the highest version wins regardless of
+ * array order. When the OSV record has no embedded numeric tail, the score
+ * is computed from the vector itself via cvss3BaseScore(). Returns null
+ * components when nothing parseable is present.
  */
 function extractCvss(rec) {
   const sev = Array.isArray(rec?.severity) ? rec.severity : [];
   let score = null;
-  let vector = null;
+  let bestVector = null;
+  let bestVersion = 0;
   for (const s of sev) {
     if (typeof s?.score !== "string") continue;
     const v = s.score.trim();
-    // Bare numeric score
+    // Bare numeric score (no vector prefix).
     const num = parseFloat(v);
     if (!Number.isNaN(num) && num >= 0 && num <= 10 && !v.includes("/")) {
       if (score == null) score = num;
       continue;
     }
-    // CVSS vector — accept the highest-version vector we see.
-    if (/^CVSS:[34]/.test(v)) {
-      vector = v;
-      // Try to parse the score out of the trailing fragment if encoded
-      // as "CVSS:3.1/AV:.../9.3" — most OSV records don't embed it here,
-      // but some Snyk-imported records do.
-      const m = v.match(/\/(\d+(?:\.\d+)?)$/);
-      if (m && score == null) {
-        const candidate = parseFloat(m[1]);
-        if (candidate >= 0 && candidate <= 10) score = candidate;
-      }
+    const m = v.match(/^CVSS:(\d+\.\d+)/);
+    if (!m) continue;
+    const ver = parseFloat(m[1]);
+    if (ver > bestVersion) {
+      bestVersion = ver;
+      bestVector = v;
     }
   }
-  return { score, vector };
+  // If we picked a vector, try to read an embedded score from the trailing
+  // fragment (some Snyk records carry it as ".../9.3"). Otherwise compute
+  // it from the vector for CVSS 3.x. CVSS 4.0 base-score derivation is
+  // intentionally not implemented here — that's a v0.13 follow-up.
+  if (bestVector && score == null) {
+    const tail = bestVector.match(/\/(\d+(?:\.\d+)?)$/);
+    if (tail) {
+      const candidate = parseFloat(tail[1]);
+      if (candidate >= 0 && candidate <= 10) score = candidate;
+    }
+    if (score == null && /^CVSS:3\./.test(bestVector)) {
+      const computed = cvss3BaseScore(bestVector);
+      if (computed != null) score = computed;
+    }
+  }
+  return { score, vector: bestVector };
 }
 
 /**
@@ -373,6 +518,23 @@ function normalizeAdvisory(rec) {
   // OSV.dev canonical advisory URL — used as the primary vendor advisory.
   const osvUrl = `https://osv.dev/vulnerability/${encodeURIComponent(rec.id)}`;
 
+  // F6: dedupe verification_sources. OSV records frequently carry the
+  // canonical osv.dev URL in references[] as well, which would otherwise
+  // produce a duplicate alongside the prepended `osvUrl`.
+  const verification_sources = Array.from(new Set([
+    osvUrl,
+    ...(/^CVE-/i.test(catalogKey) ? [`https://nvd.nist.gov/vuln/detail/${catalogKey}`] : []),
+    ...refUrls.slice(0, 10),
+  ]));
+
+  // F5: EPSS coverage does not extend to non-CVE identifiers. Surface this
+  // explicitly so curators know to re-query if MITRE later assigns a CVE
+  // id to the entry. Wording mirrors the MAL-2026-3083 catalog entry.
+  const isCveKey = /^CVE-/i.test(catalogKey);
+  const epss_note = isCveKey
+    ? null
+    : "EPSS coverage does not extend to non-CVE identifiers. FIRST EPSS API only indexes CVE keys; MAL-* / SNYK-* / GHSA-* / RUSTSEC-* / etc. return no data. Re-query and populate epss_score when MITRE assigns a CVE id and the entry is renamed.";
+
   return {
     [catalogKey]: {
       name: rec.summary || rec.id,
@@ -407,15 +569,12 @@ function normalizeAdvisory(rec) {
       epss_score: null,
       epss_percentile: null,
       epss_date: null,
-      epss_source: /^CVE-/i.test(catalogKey)
+      epss_note,
+      epss_source: isCveKey
         ? `https://api.first.org/data/v1/epss?cve=${catalogKey}`
         : null,
       source_verified: published || today,
-      verification_sources: [
-        osvUrl,
-        ...(/^CVE-/i.test(catalogKey) ? [`https://nvd.nist.gov/vuln/detail/${catalogKey}`] : []),
-        ...refUrls.slice(0, 10),
-      ],
+      verification_sources,
       vendor_advisories: [
         {
           vendor: "OSV.dev",
@@ -451,19 +610,26 @@ async function buildDiff(ctx) {
       status: "ok",
       diffs: [],
       errors: 0,
+      unreachable_count: 0,
+      normalize_error_count: 0,
       summary: "OSV: no ids requested (set ctx.osv_ids to seed a draft, or pass --advisory <MAL-...> for one-shot import).",
     };
   }
   const existingKeys = new Set(Object.keys(ctx.cveCatalog || {}));
   const diffs = [];
-  let errors = 0;
+  // F7: distinguish unreachable (fetch failed, network or 5xx) from
+  // normalize-rejected (record fetched but normalization produced null).
+  // Operators triaging a refresh-report want to know whether to chase a
+  // network outage or a malformed upstream record.
+  let unreachable = 0;
+  let normalizeErrors = 0;
   for (const id of ids) {
     const r = await fetchAdvisoryById(id);
-    if (!r.ok) { errors++; continue; }
+    if (!r.ok) { unreachable++; continue; }
     const rec = r.advisories[0];
-    if (!rec) { errors++; continue; }
+    if (!rec) { unreachable++; continue; }
     const normalized = normalizeAdvisory(rec);
-    if (!normalized) { errors++; continue; }
+    if (!normalized) { normalizeErrors++; continue; }
     const key = Object.keys(normalized)[0];
     if (existingKeys.has(key)) continue;
     diffs.push({
@@ -475,11 +641,14 @@ async function buildDiff(ctx) {
       source: "osv",
     });
   }
+  const errors = unreachable + normalizeErrors;
   return {
     status: errors === 0 ? "ok" : errors === ids.length ? "unreachable" : "partial",
     diffs,
     errors,
-    summary: `OSV fetched ${ids.length} id(s); ${diffs.length} new entry diff(s), ${errors} failure(s).`,
+    unreachable_count: unreachable,
+    normalize_error_count: normalizeErrors,
+    summary: `OSV fetched ${ids.length} id(s); ${diffs.length} new entry diff(s), ${unreachable} unreachable, ${normalizeErrors} normalize-rejected.`,
   };
 }
 
@@ -489,5 +658,7 @@ module.exports = {
   normalizeAdvisory,
   buildDiff,
   isOsvId,
+  extractCvss,
+  cvss3BaseScore,
   OSV_ID_PREFIXES,
 };

package/lib/validate-cve-catalog.js

@@ -31,6 +31,40 @@ const REPO_ROOT = path.resolve(__dirname, '..');
 const SCHEMA_PATH = path.join(REPO_ROOT, 'lib', 'schemas', 'cve-catalog.schema.json');
 const CATALOG_PATH = path.join(REPO_ROOT, 'data', 'cve-catalog.json');
 const LESSONS_PATH = path.join(REPO_ROOT, 'data', 'zeroday-lessons.json');
+const ATLAS_PATH = path.join(REPO_ROOT, 'data', 'atlas-ttps.json');
+const CWE_PATH = path.join(REPO_ROOT, 'data', 'cwe-catalog.json');
+
+// v0.12.12 — patterns that mark a verification_sources URL as a public exploit
+// or PoC location. When poc_available: true AND a verification source matches
+// one of these, the entry must carry an `iocs` block per AGENTS.md Hard Rule
+// #14. Surfaced as WARNING-only for v0.12.12 so drafts and pre-IoC entries
+// don't break patch-class compatibility; v0.13.0 will tighten to error.
+const PUBLIC_EXPLOIT_URL_PATTERNS = [
+  /github\.com\/.+\/(exploits?|poc|pocs)\b/i,
+  /\bexploit-?db\.com\b/i,
+  /\bpacketstormsecurity\.com\b/i,
+  /\bmetasploit\b/i,
+  /\/poc\//i,
+  /-poc\b/i,
+];
+
+// v0.12.12 — Tightened CVSS-vector prefix. Schema's existing pattern accepts
+// any "CVSS:<digits>/"; the strict pattern below admits only known CVSS
+// versions (2.0 / 3.0 / 3.1 / 4.0). Emitted as WARNING for v0.12.12; v0.13.0
+// will tighten the schema itself.
+const STRICT_CVSS_PATTERN = /^CVSS:(2\.0|3\.[01]|4\.0)\//;
+
+// v0.12.12 — Impossible-date guard. Reject obviously bogus year ranges
+// (typos like 1014 or 20262) without rejecting legitimate ISO dates.
+const MIN_VALID_YEAR = 1990;
+const MAX_VALID_YEAR = 2100;
+const DATE_FIELDS = [
+  'last_updated',
+  'source_verified',
+  'cisa_kev_date',
+  'cisa_kev_due_date',
+  'epss_date',
+];
 
 function parseArgs(argv) {
   const opts = { quiet: false };
@@ -162,17 +196,126 @@ function validate(value, schema, schemaName, pathStr) {
   return errors;
 }
 
+function looksLikePublicExploitSource(url) {
+  if (typeof url !== 'string') return false;
+  return PUBLIC_EXPLOIT_URL_PATTERNS.some((re) => re.test(url));
+}
+
+function isUsableDate(value) {
+  if (typeof value !== 'string' || !/^\d{4}-\d{2}-\d{2}$/.test(value)) {
+    return { ok: false, reason: 'not in YYYY-MM-DD shape' };
+  }
+  const d = new Date(value + 'T00:00:00Z');
+  if (Number.isNaN(d.getTime())) return { ok: false, reason: 'unparseable' };
+  const year = Number(value.slice(0, 4));
+  if (year < MIN_VALID_YEAR || year > MAX_VALID_YEAR) {
+    return {
+      ok: false,
+      reason: `year ${year} outside ${MIN_VALID_YEAR}..${MAX_VALID_YEAR}`,
+    };
+  }
+  return { ok: true };
+}
+
+function additionalChecks(key, entry, ctx) {
+  const warnings = [];
+
+  // V1 — Hard Rule #14 conditional: poc + public-exploit URL → iocs required.
+  if (entry.poc_available === true) {
+    const sources = Array.isArray(entry.verification_sources)
+      ? entry.verification_sources
+      : [];
+    const hasPublicExploitSource = sources.some(looksLikePublicExploitSource);
+    if (hasPublicExploitSource) {
+      const iocs = entry.iocs;
+      const iocsPopulated =
+        iocs && typeof iocs === 'object' && !Array.isArray(iocs) && Object.keys(iocs).length > 0;
+      if (!iocsPopulated) {
+        warnings.push(
+          `${key}: poc_available=true and verification_sources includes a public-exploit URL, but iocs is missing or empty (AGENTS.md Hard Rule #14)`,
+        );
+      }
+    }
+  }
+
+  // V2 — Cross-catalog reference resolution. Unresolved refs are warnings
+  // for v0.12.12; v0.13.0 will flip to hard failures.
+  for (const ref of entry.atlas_refs || []) {
+    if (!ctx.atlasKeys.has(ref)) {
+      warnings.push(
+        `${key}: atlas_refs entry "${ref}" not in data/atlas-ttps.json (will hard-fail in v0.13.0)`,
+      );
+    }
+  }
+  for (const ref of entry.cwe_refs || []) {
+    if (!ctx.cweKeys.has(ref)) {
+      warnings.push(
+        `${key}: cwe_refs entry "${ref}" not in data/cwe-catalog.json (will hard-fail in v0.13.0)`,
+      );
+    }
+  }
+
+  // V4 — Impossible-date guard.
+  for (const f of DATE_FIELDS) {
+    const v = entry[f];
+    if (v === undefined || v === null) continue;
+    const r = isUsableDate(v);
+    if (!r.ok) {
+      warnings.push(`${key}: ${f} value ${JSON.stringify(v)} is invalid (${r.reason})`);
+    }
+  }
+
+  // Sch1 — strict CVSS-vector prefix (warning-only for v0.12.12). The schema
+  // pattern stays loose; this admits only known CVSS versions.
+  if (typeof entry.cvss_vector === 'string' && entry.cvss_vector.length > 0) {
+    if (!STRICT_CVSS_PATTERN.test(entry.cvss_vector)) {
+      warnings.push(
+        `${key}: cvss_vector ${JSON.stringify(entry.cvss_vector)} does not match the strict prefix /^CVSS:(2.0|3.0|3.1|4.0)\\//. Schema tolerates this in v0.12.12; v0.13.0 will tighten the schema.`,
+      );
+    }
+  }
+
+  return warnings;
+}
+
 function main() {
   const opts = parseArgs(process.argv);
   const schema = readJson(SCHEMA_PATH);
   const catalog = readJson(CATALOG_PATH);
   const lessons = readJson(LESSONS_PATH);
+  const atlas = fs.existsSync(ATLAS_PATH) ? readJson(ATLAS_PATH) : {};
+  const cwe = fs.existsSync(CWE_PATH) ? readJson(CWE_PATH) : {};
+
+  const ctx = {
+    atlasKeys: new Set(Object.keys(atlas).filter((k) => !k.startsWith('_'))),
+    cweKeys: new Set(Object.keys(cwe).filter((k) => !k.startsWith('_'))),
+  };
 
   const cveKeys = Object.keys(catalog).filter((k) => !k.startsWith('_'));
   const lessonKeys = new Set(Object.keys(lessons).filter((k) => !k.startsWith('_')));
 
   let failed = 0;
   let drafts = 0;
+  let warned = 0;
+
+  // V3 — Duplicate-name detection across all non-_meta entries.
+  const nameToKeys = new Map();
+  for (const k of cveKeys) {
+    const n = catalog[k] && catalog[k].name;
+    if (typeof n === 'string' && n.length > 0) {
+      if (!nameToKeys.has(n)) nameToKeys.set(n, []);
+      nameToKeys.get(n).push(k);
+    }
+  }
+  const dupNameWarnings = [];
+  for (const [n, ks] of nameToKeys) {
+    if (ks.length > 1) {
+      dupNameWarnings.push(
+        `duplicate CVE name ${JSON.stringify(n)} across keys: ${ks.join(', ')}`,
+      );
+    }
+  }
+
   for (const key of cveKeys) {
     const entry = catalog[key];
     // v0.12.0: GHSA-imported drafts are flagged `_auto_imported: true` +
@@ -182,6 +325,7 @@ function main() {
     // `exceptd run cve-curation --advisory <id>`.
     const isDraft = entry && (entry._auto_imported === true || entry._draft === true);
     const errors = validate(entry, schema, 'cve', key);
+    const warnings = additionalChecks(key, entry, ctx);
     if (!lessonKeys.has(key) && !isDraft) {
       errors.push(
         `${key}: missing matching entry in data/zeroday-lessons.json (rule #6: zero-day learning is live)`,
@@ -192,16 +336,22 @@ function main() {
       if (!opts.quiet) {
         console.log(`DRAFT ${key} (auto-imported — needs editorial review)`);
         for (const e of errors) console.log(`        - [warn] ${e}`);
+        for (const w of warnings) console.log(`        - [warn] ${w}`);
       }
       // Drafts don't increment `failed` — they're warnings, not errors.
       continue;
     }
-    if (errors.length === 0) {
+    if (errors.length === 0 && warnings.length === 0) {
       if (!opts.quiet) console.log(`PASS  ${key}`);
+    } else if (errors.length === 0) {
+      warned++;
+      if (!opts.quiet) console.log(`WARN  ${key}`);
+      for (const w of warnings) console.log(`        - [warn] ${w}`);
     } else {
       failed++;
       console.log(`FAIL  ${key}`);
       for (const e of errors) console.log(`        - ${e}`);
+      for (const w of warnings) console.log(`        - [warn] ${w}`);
     }
   }
 
@@ -218,13 +368,31 @@ function main() {
     }
   }
 
+  // V3 — emit duplicate-name warnings as a catalog-wide tail block.
+  for (const w of dupNameWarnings) {
+    console.log(`WARN  catalog`);
+    console.log(`        - [warn] ${w}`);
+  }
+
   const total = cveKeys.length;
-  const passed = total - failed - drafts;
+  const passed = total - failed - drafts - warned;
   const summary = `\n${passed}/${total} CVE entries validated` +
     (drafts ? `, ${drafts} draft(s) (auto-imported)` : '') +
+    (warned ? `, ${warned} with warnings` : '') +
     (failed ? `, ${failed} failed` : '') + '.';
   console.log(summary);
   process.exit(failed === 0 ? 0 : 1);
 }
 
-main();
+module.exports = {
+  validate,
+  looksLikePublicExploitSource,
+  isUsableDate,
+  additionalChecks,
+  PUBLIC_EXPLOIT_URL_PATTERNS,
+  STRICT_CVSS_PATTERN,
+};
+
+if (require.main === module) {
+  main();
+}