@blamejs/exceptd-skills 0.12.11 → 0.12.13

package/CHANGELOG.md

@@ -1,5 +1,98 @@
 # Changelog
 
+## 0.12.13 — 2026-05-14
+
+**Patch: e2e scenarios updated for the v0.12.12 jurisdiction-clock semantics.**
+
+Two e2e scenarios (`02-tanstack-worm-payload`, `09-secrets-aws-key`) assert that `phases.close.jurisdiction_clocks_count >= 1` against a `detected` classification. In v0.12.12 the clock-starts contract was tightened: `clock_starts: detect_confirmed` no longer auto-stamps when classification turns `detected`; the operator must pass `--ack` for the clock to start. Both scenarios now pass `--ack` so the contract is exercised end-to-end. No code changes; v0.12.13 ships solely to land the scenario update and a corresponding npm publish — the v0.12.12 tag exists on git but never reached the npm registry because the validate gate failed against the pre-update scenarios.
+
+Test count: 585/585. Predeploy gates: 16/16. Skills: 38/38 signed and verified.
+
+## 0.12.12 — 2026-05-13
+
+**Patch: deep multi-surface hardening — engine semantics, concurrency, signing round-trip, output bundles, validators, scheduler, curation. 73 distinct fixes across 10 surface classes.**
+
+### Engine semantics
+
+`lib/playbook-runner.js` corrects several long-standing classification and clock bugs:
+
+- **False-positive checks now gate classification.** When an indicator's `signal_overrides` says `hit` but the indicator's `false_positive_checks_required[]` haven't been attested, the verdict downgrades to `inconclusive` and `fp_checks_unsatisfied[]` is surfaced on the indicator. Operators attest FP checks with `signal_overrides: { '<id>__fp_checks': { '<check>': true } }`. Before: submitting a hit without attesting FP checks would auto-stamp `classification: detected`.
+- **Dead branch on empty submission**: the indicator-default arm previously emitted `inconclusive` for both `anyCaptured` and the empty case. Empty submissions with no captured artifacts now correctly produce `classification: not_detected` with theater verdict `clear`.
+- **`evalCondition` regex no longer crashes the run.** A malformed indicator condition (operator-authored regex) used to throw out of `analyze()`. Now wrapped in try/catch; the failure surfaces as `analyze.runtime_errors[]` with the source condition + exception message.
+- **`--strict-preconditions` is now load-bearing.** The flag escalates `precondition_unverified` / `precondition_warn` / `precondition_skip` outcomes to halt, with `escalated_from` provenance. The CLI exit body now carries `strict_preconditions_violated[]` so consumers grep'ing the JSON see the contract reason without inspecting stderr.
+- **`on_fail: skip_phase` is actually honored.** A precondition that fails `on_fail: skip_phase` now emits a placeholder detect phase `{skipped: true, classification: 'skipped', reason: <id>}` and runs analyze with empty signals. Previously the runner ignored the directive and proceeded into detect as if the precondition had passed.
+- **`clock_starts: detect_confirmed` is bound to operator awareness.** Jurisdiction notification clocks (NIS2 24h, DORA 4h, GDPR 72h, etc.) no longer auto-stamp when classification turns `detected`; the operator must pass `--ack` for the clock to start. Without `--ack`, the notification entry carries `clock_pending_ack: true`. Matches the legal contract — the clock starts from operator awareness, not from the runner's decision.
+- **`analyze.active_exploitation` is now the worst across matched CVEs**, not the first. Two matched CVEs where #1 is `suspected` and #2 is `confirmed` correctly report `confirmed`.
+- **`signal_overrides` collisions are surfaced** rather than silently last-wins. Two observations targeting the same indicator id now record the discarded values in `analyze.signal_origins_with_collisions[]`.
+- **Per-run playbook cache**: the runner reads the playbook once per `run()` invocation instead of re-loading it inside each of the seven phase calls.
+
+### Scoring
+
+`lib/scoring.js` exports a new `validateFactors(factors)` returning structured warnings for missing fields, out-of-range `blast_radius`, or non-enum `active_exploitation`. `scoreCustom(factors, {collectWarnings: true})` returns the score plus `_scoring_warnings[]` for downstream consumers; the bare-number return is preserved for backwards compatibility.
+
+### Concurrency
+
+Catalog read-modify-write was racy under concurrent `refresh --advisory --apply` invocations — five sites in `lib/refresh-external.js` and two in `lib/prefetch.js`. Now serialized via `withCatalogLock` / `withIndexLock` (lockfile-gated, atomic tmp+rename writes; 30s stale-lock reaper for crash recovery). Concurrent applies to distinct CVEs now both survive in the final catalog rather than 1/20 trials losing an entry to interleaved writes. Same pattern applied to the prefetch `_index.json`.
+
+`persistAttestation` (in `bin/exceptd.js`) no longer has a TOCTOU window between `existsSync` and `writeFileSync` — atomic create via `flag: 'wx'` (`O_EXCL`) guarantees that two concurrent runs sharing a session-id produce one winner and one explicit `EEXIST` rather than silent last-write-wins.
+
+`lib/refresh-external.js` post-pool `process.exit()` calls replaced with `process.exitCode = N; return;` so buffered stdout drains before the event loop ends (same v0.11.10 class).
+
+### Signing round-trip
+
+`lib/sign.js` + `lib/verify.js` now normalize content (strip UTF-8 BOM, convert CRLF → LF) before computing or verifying signatures. A skill body cloned with `core.autocrlf=true` on Windows but signed on Linux CI no longer fails verification on the consumer side. Byte-level proof: all four variants of `hello\nworld\n` (LF, CRLF, BOM+LF, BOM+CRLF) normalize to the identical signature.
+
+Manifest schema validation lands in `lib/schemas/manifest.schema.json` + `loadManifestValidated()`. A tampered manifest with `path: "../../../etc/passwd"` is rejected at load time before any skill resolution. Per-skill paths must match `^skills/[A-Za-z0-9._/-]+/skill\.md$`.
+
+`lib/lint-skills.js` rejects duplicate frontmatter keys (last-wins parsing previously masked identity spoofing) and walks `skills/` for orphan `skill.md` files not referenced in the manifest.
+
+The fingerprint banner now prints AFTER the verdict line in both `sign-all` and `verify`, so a quick read of `gh run watch` output isn't ambiguous about pass/fail.
+
+### Path traversal hardening
+
+- `--session-id` now enforces `^[A-Za-z0-9._-]{1,64}$` (alphanumeric, dot, underscore, hyphen; up to 64 chars). Path separators and `..` are rejected at input.
+- `--attestation-root` rejects `..`-bearing relative paths and resolves to an absolute path before propagation.
+- `--evidence-dir` validates each `<id>.json` entry, refuses traversal-escaping resolved paths.
+- `--evidence` enforces a 32 MB file-size limit to defend against adversarial JSON bombs.
+- `persistAttestation` validates the session-id + filename and confirms the resolved directory stays under the attestation root.
+- `parseTar` in `lib/refresh-network.js` skips entries with `..` segments or absolute paths — defense-in-depth against a compromised registry CDN shipping path-traversal tarballs.
+
+### Output bundles (CSAF 2.0 / SARIF 2.1.0 / OpenVEX 0.2.0)
+
+`buildEvidenceBundle()` in `lib/playbook-runner.js` produces bundles that pass canonical-schema validation against each spec:
+
+- **CSAF**: `csaf_security_advisory` documents now include a populated `product_tree.full_product_names[]`; every `vulnerabilities[]` entry references a declared product via `product_status` (`known_affected` / `fixed` / `under_investigation`). NVD / Red Hat / ENISA CSAF dashboards previously rejected exceptd CSAF output for missing product_tree.
+- **SARIF**: indicator-hit results now populate `physicalLocation.artifactLocation.uri` from the playbook's look-phase artifact source paths so GitHub Code Scanning surfaces them. Null property-bag keys are pruned. Framework-gap results carry `kind: "informational"` per spec §3.27.9.
+- **OpenVEX**: every statement carries `products` (B1). Status semantics rebuilt — indicator hits become `affected` with an `action_statement` from the validate phase's selected remediation; misses become `not_affected` with `vulnerable_code_not_present` justification; inconclusive stays `under_investigation` (no action_statement). Framework-gap statements are removed from the VEX feed entirely (they're control-design observations, not vulnerabilities — they remain in CSAF and SARIF). Vulnerability `@id` values now follow RFC 8141 (`urn:cve:<id>`, `urn:exceptd:indicator:<playbook>:<id>`), replacing the unregistered `exceptd:` scheme.
+
+### Validators
+
+`lib/validate-playbooks.js` is a new validator that checks all 13 shipped playbooks against `lib/schemas/playbook.schema.json` plus cross-catalog references (`atlas_refs`, `cve_refs`, `cwe_refs`, `d3fend_refs`, `attack_refs`), internal consistency (duplicate indicator ids, RWEP threshold ordering, obligation_ref resolution), and feeds_into / mutex / skill_chain resolution. Wired as predeploy gate 16 (informational in v0.12.12; flips to enforcing in v0.13.0). 75-entry `data/attack-techniques.json` lands to support `attack_refs` resolution across skills and playbooks.
+
+`lib/validate-cve-catalog.js` adds warning-class checks for the Hard Rule #14 iocs-when-poc-and-exploit-url contract, `atlas_refs` + `cwe_refs` cross-catalog resolution, duplicate-name detection, impossible-date guards, and strict CVSS-version prefix recognition. All new findings emit as warnings in v0.12.12 to preserve patch-class compatibility; v0.13.0 will flip them to errors.
+
+`lib/lint-skills.js` extends section detection to require an anchored `^## <Section>` heading with ≥20 words of body text (warning-class), resolves `attack_refs` against `data/attack-techniques.json`, and flags missing "Defensive Countermeasure Mapping" sections on skills whose `last_threat_review >= 2026-05-11`.
+
+### Curation `--apply`
+
+`lib/cve-curation.js` gains the missing apply path. `curate(cveId, {apply: true, answers})` validates each answer against a per-field whitelist, applies, derives `rwep_score` from `rwep_factors` when an explicit score isn't supplied, computes `residual_warnings[]` against the required-schema set, and promotes the draft (strips `_auto_imported` + `_draft` + `_draft_reason`) when zero warnings remain. CLI surface: `exceptd refresh --curate <id> --answers <file>` or the explicit `--apply` alias. The questionnaire now always asks for `cvss_score`, `cvss_vector`, patch fields, `affected_versions`, and `cisa_kev` when those are unpopulated — without these, the apply path can't produce a schema-passing entry. Severity rendering for `cvss_score: null` returns `unrated` (was misleading `low`). Catalog reads honor absolute paths on Windows. OSV-imported drafts now show `"OSV: <id>"` in `auto_imported_from` (was always `"unknown"`).
+
+### Scheduler
+
+`orchestrator/scheduler.js` `MONTHLY_CVE_VALIDATION` (2.59 billion ms) and `ANNUAL_AUDIT` (31.5 billion ms) exceeded Node's INT32 setTimeout limit (2.15 billion ms), which silently clamps to 1 ms — producing a 1000 fires/sec stdout flood on idle `exceptd watch`. New `scheduleEvery(intervalMs, handler)` primitive uses a bounded `setInterval` (capped at 24 h) with wall-clock elapsed comparison. Idle watch goes from 1000 lines/sec to 0.
+
+### Predeploy
+
+`scripts/predeploy.js` now reports per-gate timing (`(NNN ms)` next to each pass / fail / informational line + the summary table). New 16th gate `Validate playbooks` runs informationally in v0.12.12.
+
+### Repository
+
+- `.github/workflows/ci.yml` gains a `validate-playbooks` job (`continue-on-error: true` in v0.12.12).
+- `manifest-snapshot.json` + `sbom.cdx.json` + `data/_indexes/` refreshed.
+- `data/attack-techniques.json` new — 75 ATT&CK technique entries with v17 metadata, supporting `attack_refs` resolution across the catalog.
+
+Test count: 492 → 573 (+81 across engine, sign/verify, refresh-external, prefetch, scheduler, cve-curation, bundle-correctness, validate-playbooks, and operator-bugs test files). Predeploy gates: 16/16. Skills: 38/38 signed and verified.
+
 ## 0.12.11 — 2026-05-13
 
 **Patch: OSV source hardening, indicator regex widening, CWE/framework-gap reconciliation. v0.12.10 audit closeout.**

package/bin/exceptd.js

@@ -554,6 +554,17 @@ function readEvidence(evidenceFlag) {
     if (!buf.trim()) return {};
     return JSON.parse(buf);
   }
+  // v0.12.12: read enforces a max size to defend against an operator
+  // accidentally passing a multi-gigabyte file (binary, log, or
+  // adversarial JSON bomb). 32 MB is well beyond any legitimate
+  // submission and still drains in a single read on modern hardware.
+  const MAX_EVIDENCE_BYTES = 32 * 1024 * 1024;
+  let stat;
+  try { stat = fs.statSync(evidenceFlag); }
+  catch (e) { throw new Error(`evidence path not readable: ${e.message}`); }
+  if (stat.size > MAX_EVIDENCE_BYTES) {
+    throw new Error(`evidence file too large: ${stat.size} bytes > ${MAX_EVIDENCE_BYTES} byte limit. Reduce the submission or split into multiple playbook runs.`);
+  }
   return JSON.parse(fs.readFileSync(evidenceFlag, "utf8"));
 }
 
@@ -607,8 +618,39 @@ function dispatchPlaybook(cmd, argv) {
     airGap: !!args["air-gap"],
     forceStale: !!args["force-stale"],
   };
-  if (args["session-id"]) runOpts.session_id = args["session-id"];
-  if (args["attestation-root"]) runOpts.attestationRoot = args["attestation-root"];
+  if (args["session-id"]) {
+    // v0.12.12: --session-id is a filesystem path component (resolves to
+    // .exceptd/attestations/<id>/attestation.json). Operator-supplied input
+    // with `..` or path separators escapes the attestation root. Validate
+    // strict allowlist before propagating.
+    const sid = args["session-id"];
+    if (typeof sid !== "string" || !/^[A-Za-z0-9._-]{1,64}$/.test(sid)) {
+      return emitError(
+        "run: --session-id must match /^[A-Za-z0-9._-]{1,64}$/ (alphanumeric, dot, underscore, hyphen; up to 64 chars). Path separators and '..' are rejected.",
+        { provided: typeof sid === "string" ? sid.slice(0, 80) : typeof sid },
+        pretty
+      );
+    }
+    runOpts.session_id = sid;
+  }
+  if (args["attestation-root"]) {
+    // v0.12.12: --attestation-root must resolve to an absolute path the
+    // operator owns. Reject `..`-bearing relatives at input so a misconfigured
+    // env doesn't write outside the intended root. Final resolution still
+    // happens in resolveAttestationRoot — this is the input-validation layer.
+    const ar = args["attestation-root"];
+    if (typeof ar !== "string" || ar.length === 0) {
+      return emitError("run: --attestation-root must be a non-empty string.", { provided: typeof ar }, pretty);
+    }
+    if (ar.split(/[\\/]/).some(seg => seg === "..")) {
+      return emitError(
+        "run: --attestation-root must not contain '..' path segments. Pass an absolute path under your home directory or an explicit project-relative path without traversal.",
+        { provided: ar.slice(0, 200) },
+        pretty
+      );
+    }
+    runOpts.attestationRoot = path.resolve(ar);
+  }
   if (args["session-key"]) {
     // Bug #33: validate that --session-key is hex. Previously any string was
     // silently accepted; HMAC signing then either failed silently or produced
@@ -1678,6 +1720,14 @@ function cmdRun(runner, args, runOpts, pretty) {
       i.kind === "precondition_unverified" || i.kind === "precondition_warn"
     );
     if (warnIssues.length > 0) {
+      // v0.12.12: surface the contract violation in the emitted body so
+      // downstream consumers grepping the JSON see WHY the exit is non-zero.
+      // result.ok stays true (the playbook executed) but the explicit flag
+      // makes the strict-preconditions contract observable, not just inferable
+      // from exit code + stderr line.
+      result.strict_preconditions_violated = warnIssues.map(i => ({
+        id: i.id, kind: i.kind, message: i.message || null, on_fail: i.on_fail || null,
+      }));
       process.stderr.write(`[exceptd run] --strict-preconditions: ${warnIssues.length} unverified/warn precondition(s) — exit 1.\n`);
       emit(result, pretty);
       // v0.11.11: exitCode + return so emit()'s stdout flushes (process.exit
@@ -1922,13 +1972,28 @@ function cmdRunMulti(runner, ids, args, runOpts, pretty, meta) {
   // contract in one pass.
   if (args["evidence-dir"]) {
     const dir = args["evidence-dir"];
+    if (typeof dir !== "string" || dir.length === 0) {
+      return emitError("run: --evidence-dir must be a non-empty string.", null, pretty);
+    }
     if (!fs.existsSync(dir)) {
       return emitError(`run: --evidence-dir ${dir} does not exist.`, null, pretty);
     }
+    const resolvedDir = path.resolve(dir);
+    // v0.12.12: only `<playbook-id>.json` entries are honored. Reject
+    // anything where the filename strip leaves traversal segments — npm
+    // refuses to write such filenames so the realistic risk is an operator
+    // symlink/junction inside the dir, but the filter is cheap.
     for (const f of fs.readdirSync(dir).filter(x => x.endsWith(".json"))) {
       const pbId = f.replace(/\.json$/, "");
+      if (!/^[A-Za-z0-9_.-]+$/.test(pbId)) {
+        return emitError(`run: --evidence-dir entry ${JSON.stringify(f)} has unsafe playbook-id segment.`, null, pretty);
+      }
+      const entryPath = path.resolve(path.join(resolvedDir, f));
+      if (!entryPath.startsWith(resolvedDir + path.sep)) {
+        return emitError(`run: --evidence-dir entry ${f} resolves outside the directory; refusing.`, null, pretty);
+      }
       try {
-        bundle[pbId] = JSON.parse(fs.readFileSync(path.join(dir, f), "utf8"));
+        bundle[pbId] = JSON.parse(fs.readFileSync(entryPath, "utf8"));
       } catch (e) {
         return emitError(`run: failed to parse --evidence-dir entry ${f}: ${e.message}`, null, pretty);
       }
@@ -2128,47 +2193,86 @@ function deriveRunTag() {
 function persistAttestation(args) {
   const { sessionId, playbookId, directiveId, evidenceHash, operator,
           operatorConsent, submission, runOpts, forceOverwrite, filename } = args;
+  // v0.12.12: session-id is supposed to be sanitized at input. Defense in
+  // depth: reject anything that path-traverses out of the attestation root.
+  if (!/^[A-Za-z0-9._-]{1,64}$/.test(sessionId || "")) {
+    return {
+      ok: false,
+      error: `Refusing to persist attestation with unsafe session-id: ${JSON.stringify(sessionId).slice(0, 80)}. Must match /^[A-Za-z0-9._-]{1,64}$/.`,
+      existingPath: null,
+    };
+  }
+  if (!/^[A-Za-z0-9._-]{1,64}\.json$/.test(filename || "")) {
+    return {
+      ok: false,
+      error: `Refusing to persist attestation with unsafe filename: ${JSON.stringify(filename).slice(0, 80)}.`,
+      existingPath: null,
+    };
+  }
   const root = resolveAttestationRoot(runOpts);
   const dir = path.join(root, sessionId);
   const filePath = path.join(dir, filename);
-
-  let prior = null;
-  if (fs.existsSync(filePath)) {
-    try { prior = JSON.parse(fs.readFileSync(filePath, "utf8")); } catch {}
-    if (!forceOverwrite) {
-      return {
-        ok: false,
-        error: `Attestation already exists at ${path.relative(process.cwd(), filePath)}. Session-id collision (${sessionId}) — refusing to overwrite to preserve audit trail.`,
-        existingPath: path.relative(process.cwd(), filePath),
-      };
-    }
+  // Final-resolution check: dir must remain inside root after normalization.
+  const normRoot = path.resolve(root) + path.sep;
+  if (!(path.resolve(dir) + path.sep).startsWith(normRoot)) {
+    return {
+      ok: false,
+      error: `Refusing to persist attestation outside root. session_id=${sessionId} root=${root}`,
+      existingPath: null,
+    };
   }
 
   try {
     fs.mkdirSync(dir, { recursive: true });
-    const attestation = {
-      session_id: sessionId,
-      playbook_id: playbookId,
-      directive_id: directiveId,
-      evidence_hash: evidenceHash,
-      operator: operator || null,
-      operator_consent: operatorConsent || null,
-      submission,
-      run_opts: { airGap: runOpts.airGap, forceStale: runOpts.forceStale, mode: runOpts.mode },
-      captured_at: new Date().toISOString(),
-      // When overwriting (with --force-overwrite), link to the prior content
-      // by evidence_hash + capture timestamp. session_id is the same (that's
-      // why we collided), so it's the hash + timestamp that distinguish.
-      prior_evidence_hash: prior ? (prior.evidence_hash || null) : null,
-      prior_captured_at: prior ? (prior.captured_at || null) : null,
-    };
-    fs.writeFileSync(filePath, JSON.stringify(attestation, null, 2));
-    maybeSignAttestation(filePath);
-    return {
-      ok: true,
-      prior_session_id: prior ? sessionId : null,
-      overwrote_at: prior ? prior.captured_at : null,
+    const writeAttestation = (priorEvidenceHash, priorCapturedAt, flag) => {
+      const attestation = {
+        session_id: sessionId,
+        playbook_id: playbookId,
+        directive_id: directiveId,
+        evidence_hash: evidenceHash,
+        operator: operator || null,
+        operator_consent: operatorConsent || null,
+        submission,
+        run_opts: { airGap: runOpts.airGap, forceStale: runOpts.forceStale, mode: runOpts.mode },
+        captured_at: new Date().toISOString(),
+        // When overwriting (with --force-overwrite), link to the prior content
+        // by evidence_hash + capture timestamp. session_id is the same (that's
+        // why we collided), so it's the hash + timestamp that distinguish.
+        prior_evidence_hash: priorEvidenceHash,
+        prior_captured_at: priorCapturedAt,
+      };
+      // Atomic-create via O_EXCL ('wx' flag) eliminates the TOCTOU window
+      // between existsSync and writeFileSync. Two concurrent run-with-same-
+      // session-id invocations now produce one winner + one EEXIST loser,
+      // not silent last-write-wins.
+      fs.writeFileSync(filePath, JSON.stringify(attestation, null, 2), { flag });
+      maybeSignAttestation(filePath);
     };
+
+    try {
+      writeAttestation(null, null, "wx");
+      return { ok: true, prior_session_id: null, overwrote_at: null };
+    } catch (eExcl) {
+      if (eExcl.code !== "EEXIST") throw eExcl;
+      // Slot already taken — read prior to chain audit trail, then decide.
+      let prior = null;
+      try { prior = JSON.parse(fs.readFileSync(filePath, "utf8")); } catch { /* malformed prior — proceed */ }
+      if (!forceOverwrite) {
+        return {
+          ok: false,
+          error: `Attestation already exists at ${path.relative(process.cwd(), filePath)}. Session-id collision (${sessionId}) — refusing to overwrite to preserve audit trail.`,
+          existingPath: path.relative(process.cwd(), filePath),
+        };
+      }
+      writeAttestation(prior ? (prior.evidence_hash || null) : null,
+                       prior ? (prior.captured_at || null) : null,
+                       "w");
+      return {
+        ok: true,
+        prior_session_id: prior ? sessionId : null,
+        overwrote_at: prior ? prior.captured_at : null,
+      };
+    }
   } catch (e) {
     return { ok: false, error: `Failed to write attestation: ${e.message}`, existingPath: null };
   }
@@ -3367,8 +3471,14 @@ function cmdAiRun(runner, args, runOpts, pretty) {
     directPhase = runner.direct(playbookId, directiveId);
     lookPhase = runner.look(playbookId, directiveId, runOpts);
   } catch (e) {
-    process.stdout.write(JSON.stringify({ event: "error", reason: e.message, phase: "info" }) + "\n");
-    process.exit(1);
+    // v0.12.12 (T8): process.exit(1) immediately after a stdout write can
+    // truncate buffered output under piped consumers (same class as v0.11.10
+    // #100). Use exitCode+return so the JSONL error frame drains. Also write
+    // the framed error event so the stdout-only JSONL contract holds — host
+    // AIs reading this stream must see structured frames, never bare text.
+    process.stdout.write(JSON.stringify({ event: "error", reason: e.message, phase: "info", playbook_id: playbookId, directive_id: directiveId }) + "\n");
+    process.exitCode = 1;
+    return;
   }
 
   const governEvent = {
@@ -3444,8 +3554,11 @@ function cmdAiRun(runner, args, runOpts, pretty) {
       return emitError(`ai-run: runner threw: ${e.message}`, { playbook: playbookId }, pretty);
     }
     if (!result || result.ok === false) {
+      // v0.12.12: same exit-after-write anti-pattern as the pre-stream
+      // load path. Use exitCode + return so stderr drains.
       process.stderr.write((pretty ? JSON.stringify(result || {}, null, 2) : JSON.stringify(result || {})) + "\n");
-      process.exit(1);
+      process.exitCode = 1;
+      return;
     }
     // v0.11.8 (#101): unify ai-run --no-stream shape with `run`. Pre-0.11.8
     // ai-run flattened phases to top-level (`govern`, `direct`, `look`, ...),

package/data/_indexes/_meta.json

@@ -1,11 +1,12 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-13T21:19:48.889Z",
+  "generated_at": "2026-05-14T14:28:45.659Z",
   "generator": "scripts/build-indexes.js",
-  "source_count": 49,
+  "source_count": 50,
   "source_hashes": {
-    "manifest.json": "b7e77cd5de579732b6dd352720557c3ba2ac93f472de50f4e1f861a665a2760b",
+    "manifest.json": "a3c012232fd18e4a2186bf3243fb969bb411e6815d170f568e42867ce7c6c308",
     "data/atlas-ttps.json": "f3f75ff2778a0a2c7d953a21386bc4f265cb2685ce41242eee45f9e9f2a6add6",
+    "data/attack-techniques.json": "b6dde8f2d8bbe809cbd017d1490b16c01cc54034d695bc8535613b699e3b45c6",
     "data/cve-catalog.json": "197f5313d93f0a7225d5ff275e21cbd067b3970a6f2fdc6da35f81c847e8bdee",
     "data/cwe-catalog.json": "19ce1fad3ed0b0687ec9a328b2d6cd1b544eea7f19140234ec1a8467de1f908d",
     "data/d3fend-catalog.json": "d219520c8d3eb61a270b25ea60f64721035e98a8d5d51d1a4e1f1140d9a586f9",
@@ -55,7 +56,7 @@
     "skills/age-gates-child-safety/skill.md": "c741d7dca9da0abb09bdebb8a02e803ce4ae9fb9a6904fb8df3ec19cae83917d"
   },
   "skill_count": 38,
-  "catalog_count": 10,
+  "catalog_count": 11,
   "index_stats": {
     "xref_entries": {
       "cwe_refs": 34,
@@ -80,8 +81,8 @@
     "theater_fingerprints": 7,
     "currency_action_required": 0,
     "frequency_fields": 7,
-    "activity_feed_events": 49,
-    "catalog_summaries": 10,
+    "activity_feed_events": 50,
+    "catalog_summaries": 11,
     "stale_content_findings": 0
   },
   "invalidation_note": "If any source file in source_hashes has a different SHA-256 than recorded here, the indexes are stale. Re-run `npm run build-indexes`."

package/data/_indexes/activity-feed.json

@@ -2,7 +2,7 @@
   "_meta": {
     "schema_version": "1.0.0",
     "note": "Per-artifact 'last changed' feed sorted descending by date. Skill events from manifest.last_threat_review; catalog events from data/<catalog>.json _meta.last_updated.",
-    "event_count": 49
+    "event_count": 50
   },
   "events": [
     {
@@ -13,6 +13,14 @@
       "schema_version": "1.0.0",
       "entry_count": 15
     },
+    {
+      "date": "2026-05-13",
+      "type": "catalog_update",
+      "artifact": "data/attack-techniques.json",
+      "path": "data/attack-techniques.json",
+      "schema_version": "1.0.0",
+      "entry_count": 75
+    },
     {
       "date": "2026-05-13",
       "type": "catalog_update",
@@ -356,7 +364,7 @@
       "type": "manifest_review",
       "artifact": "manifest.json",
       "path": "manifest.json",
-      "note": "manifest threat_review_date — 38 skills, 10 catalogs"
+      "note": "manifest threat_review_date — 38 skills, 11 catalogs"
     }
   ]
 }

package/data/_indexes/catalog-summaries.json

@@ -2,7 +2,7 @@
   "_meta": {
     "schema_version": "1.0.0",
     "note": "Per-catalog compact summary so AI consumers can discover available data without loading every _meta block. Purpose strings are curated in scripts/builders/catalog-summaries.js.",
-    "catalog_count": 10
+    "catalog_count": 11
   },
   "catalogs": {
     "atlas-ttps.json": {
@@ -27,6 +27,28 @@
         "AML.T0018"
       ]
     },
+    "attack-techniques.json": {
+      "path": "data/attack-techniques.json",
+      "purpose": null,
+      "schema_version": "1.0.0",
+      "last_updated": "2026-05-13",
+      "tlp": "CLEAR",
+      "source_confidence_default": "A1",
+      "freshness_policy": {
+        "default_review_cadence_days": 90,
+        "stale_after_days": 180,
+        "rebuild_after_days": 365,
+        "note": "Catalog must be rebuilt against the upstream ATT&CK release whenever MITRE publishes a new version. AGENTS.md hard rule #8 requires the bump to be intentional, not silent."
+      },
+      "entry_count": 75,
+      "sample_keys": [
+        "T0001",
+        "T0017",
+        "T0051",
+        "T0096",
+        "T0853"
+      ]
+    },
     "cve-catalog.json": {
       "path": "data/cve-catalog.json",
       "purpose": "Per-CVE record (CVSS, EPSS, CISA KEV, RWEP, AI-discovery, vendor advisories, framework gaps, ATLAS/ATT&CK mappings). Cross-validated against NVD + CISA KEV + FIRST EPSS via validate-cves.",

package/data/attack-techniques.json

@@ -0,0 +1,96 @@
+{
+  "_meta": {
+    "schema_version": "1.0.0",
+    "last_updated": "2026-05-13",
+    "attack_version": "v17",
+    "attack_version_date": "2025-06-25",
+    "source": "https://attack.mitre.org — MITRE ATT&CK Enterprise + ICS. Only techniques currently referenced by shipped exceptd skills and playbooks. The full ATT&CK matrix (~700 techniques) is intentionally not duplicated here; this is a resolution catalog for cross-reference validation, not a substitute for attack.mitre.org. See `npm run refresh-attack-techniques` (v0.13.0+) for the full corpus.",
+    "tlp": "CLEAR",
+    "source_confidence": {
+      "scheme": "Admiralty (A-F + 1-6)",
+      "default": "A1",
+      "note": "A1 (completely reliable, confirmed) — MITRE ATT&CK is a public reference catalog. Per-entry overrides are not currently used; if an entry's mapping is uncertain it is left out of the catalog rather than carried with reduced confidence."
+    },
+    "freshness_policy": {
+      "default_review_cadence_days": 90,
+      "stale_after_days": 180,
+      "rebuild_after_days": 365,
+      "note": "Catalog must be rebuilt against the upstream ATT&CK release whenever MITRE publishes a new version. AGENTS.md hard rule #8 requires the bump to be intentional, not silent."
+    }
+  },
+  "T0001": { "name": "Authority Spoof", "version": "v17" },
+  "T0017": { "name": "Spearphishing Attachment (ICS)", "version": "v17" },
+  "T0051": { "name": "Position Tampering", "version": "v17" },
+  "T0096": { "name": "Remote System Discovery (ICS)", "version": "v17" },
+  "T0853": { "name": "Scripting", "version": "v17" },
+  "T0855": { "name": "Unauthorized Command Message", "version": "v17" },
+  "T0867": { "name": "Lateral Tool Transfer", "version": "v17" },
+  "T0883": { "name": "Internet Accessible Device", "version": "v17" },
+  "T1021": { "name": "Remote Services", "version": "v17" },
+  "T1027": { "name": "Obfuscated Files or Information", "version": "v17" },
+  "T1040": { "name": "Network Sniffing", "version": "v17" },
+  "T1041": { "name": "Exfiltration Over C2 Channel", "version": "v17" },
+  "T1053.003": { "name": "Scheduled Task/Job: Cron", "version": "v17" },
+  "T1055": { "name": "Process Injection", "version": "v17" },
+  "T1059": { "name": "Command and Scripting Interpreter", "version": "v17" },
+  "T1068": { "name": "Exploitation for Privilege Escalation", "version": "v17" },
+  "T1071": { "name": "Application Layer Protocol", "version": "v17" },
+  "T1078": { "name": "Valid Accounts", "version": "v17" },
+  "T1078.002": { "name": "Valid Accounts: Domain Accounts", "version": "v17" },
+  "T1078.003": { "name": "Valid Accounts: Local Accounts", "version": "v17" },
+  "T1078.004": { "name": "Valid Accounts: Cloud Accounts", "version": "v17" },
+  "T1098": { "name": "Account Manipulation", "version": "v17" },
+  "T1102": { "name": "Web Service", "version": "v17" },
+  "T1110": { "name": "Brute Force", "version": "v17" },
+  "T1110.001": { "name": "Brute Force: Password Guessing", "version": "v17" },
+  "T1133": { "name": "External Remote Services", "version": "v17" },
+  "T1136.001": { "name": "Create Account: Local Account", "version": "v17" },
+  "T1190": { "name": "Exploit Public-Facing Application", "version": "v17" },
+  "T1195": { "name": "Supply Chain Compromise", "version": "v17" },
+  "T1195.001": { "name": "Supply Chain Compromise: Software Dependencies and Development Tools", "version": "v17" },
+  "T1195.002": { "name": "Supply Chain Compromise: Software Supply Chain", "version": "v17" },
+  "T1199": { "name": "Trusted Relationship", "version": "v17" },
+  "T1203": { "name": "Exploitation for Client Execution", "version": "v17" },
+  "T1212": { "name": "Exploitation for Credential Access", "version": "v17" },
+  "T1213": { "name": "Data from Information Repositories", "version": "v17" },
+  "T1485": { "name": "Data Destruction", "version": "v17" },
+  "T1486": { "name": "Data Encrypted for Impact", "version": "v17" },
+  "T1505": { "name": "Server Software Component", "version": "v17" },
+  "T1518": { "name": "Software Discovery", "version": "v17" },
+  "T1525": { "name": "Implant Internal Image", "version": "v17" },
+  "T1528": { "name": "Steal Application Access Token", "version": "v17" },
+  "T1530": { "name": "Data from Cloud Storage", "version": "v17" },
+  "T1543": { "name": "Create or Modify System Process", "version": "v17" },
+  "T1546": { "name": "Event Triggered Execution", "version": "v17" },
+  "T1547": { "name": "Boot or Logon Autostart Execution", "version": "v17" },
+  "T1548.001": { "name": "Abuse Elevation Control Mechanism: Setuid and Setgid", "version": "v17" },
+  "T1548.003": { "name": "Abuse Elevation Control Mechanism: Sudo and Sudo Caching", "version": "v17" },
+  "T1552": { "name": "Unsecured Credentials", "version": "v17" },
+  "T1552.001": { "name": "Unsecured Credentials: Credentials In Files", "version": "v17" },
+  "T1552.004": { "name": "Unsecured Credentials: Private Keys", "version": "v17" },
+  "T1552.005": { "name": "Unsecured Credentials: Cloud Instance Metadata API", "version": "v17" },
+  "T1552.007": { "name": "Unsecured Credentials: Container API", "version": "v17" },
+  "T1554": { "name": "Compromise Host Software Binary", "version": "v17" },
+  "T1555": { "name": "Credentials from Password Stores", "version": "v17" },
+  "T1556": { "name": "Modify Authentication Process", "version": "v17" },
+  "T1557": { "name": "Adversary-in-the-Middle", "version": "v17" },
+  "T1562.001": { "name": "Impair Defenses: Disable or Modify Tools", "version": "v17" },
+  "T1562.006": { "name": "Impair Defenses: Indicator Blocking", "version": "v17" },
+  "T1565": { "name": "Data Manipulation", "version": "v17" },
+  "T1566": { "name": "Phishing", "version": "v17" },
+  "T1566.001": { "name": "Phishing: Spearphishing Attachment", "version": "v17" },
+  "T1566.002": { "name": "Phishing: Spearphishing Link", "version": "v17" },
+  "T1566.003": { "name": "Phishing: Spearphishing via Service", "version": "v17" },
+  "T1567": { "name": "Exfiltration Over Web Service", "version": "v17" },
+  "T1568": { "name": "Dynamic Resolution", "version": "v17" },
+  "T1570": { "name": "Lateral Tool Transfer", "version": "v17" },
+  "T1573": { "name": "Encrypted Channel", "version": "v17" },
+  "T1574": { "name": "Hijack Execution Flow", "version": "v17" },
+  "T1574.005": { "name": "Hijack Execution Flow: Executable Installer File Permissions Weakness", "version": "v17" },
+  "T1595": { "name": "Active Scanning", "version": "v17" },
+  "T1600": { "name": "Weaken Encryption", "version": "v17" },
+  "T1606.001": { "name": "Forge Web Credentials: Web Cookies", "version": "v17" },
+  "T1610": { "name": "Deploy Container", "version": "v17" },
+  "T1611": { "name": "Escape to Host", "version": "v17" },
+  "T1613": { "name": "Container and Resource Discovery", "version": "v17" }
+}