@blamejs/exceptd-skills 0.12.11 → 0.12.15

package/lib/playbook-runner.js

@@ -45,9 +45,41 @@
 
 const fs = require('fs');
 const path = require('path');
+const os = require('os');
 const crypto = require('crypto');
 
-const xref = require('./cross-ref-api');
+// F7: cross-ref-api wraps catalog reads. If cve-catalog.json is corrupt
+// JSON, cross-ref-api's loadCatalog (post-v0.12.14) catches the parse
+// failure, returns an empty stub, and accumulates the error in
+// getLoadErrors(). run() probes for accumulated load errors and returns
+// a structured `blocked_by:'catalog_corrupt'` rather than letting analyze
+// silently operate against an empty catalog. Note: the call to
+// xref.byCve below force-touches the catalog so the load error surfaces
+// at module load (it's lazy otherwise), which gives run() a deterministic
+// signal regardless of submission shape.
+let xref;
+let _xrefLoadError = null;
+try {
+  xref = require('./cross-ref-api');
+  // Probe-load the catalog so any parse error is observable BEFORE the
+  // first real analyze() call. Without this, a corrupt catalog would
+  // only surface on the first byCve invocation, which could be
+  // mid-pipeline (after preflight/govern/direct phases have already
+  // emitted artifacts).
+  try { xref.byCve('__exceptd-probe__'); } catch {}
+  if (typeof xref.getLoadErrors === 'function') {
+    const errs = xref.getLoadErrors();
+    if (errs && errs.length) {
+      _xrefLoadError = `${errs.length} catalog/index load error(s): ${errs.map(e => `${e.file}: ${e.error}`).join('; ')}`;
+    }
+  }
+} catch (e) {
+  _xrefLoadError = (e && e.message) ? String(e.message) : String(e);
+  xref = {
+    byCve: () => ({ found: false, _error: _xrefLoadError }),
+    _error: _xrefLoadError,
+  };
+}
 
 const ROOT = path.join(__dirname, '..');
 const PLAYBOOK_DIR = process.env.EXCEPTD_PLAYBOOK_DIR || path.join(ROOT, 'data', 'playbooks');
@@ -72,6 +104,10 @@ function loadPlaybook(playbookId) {
   return JSON.parse(fs.readFileSync(p, 'utf8'));
 }
 
+// E12: per-run playbook cache. Each phase function reads runOpts._playbookCache
+// before falling back to loadPlaybook(). run() sets _playbookCache once at
+// entry so seven phases share one disk read + JSON parse instead of seven.
+
 function findDirective(playbook, directiveId) {
   const d = playbook.directives.find(x => x.id === directiveId);
   if (!d) throw new Error(`Directive not found: ${directiveId} in playbook ${playbook._meta.id}`);
@@ -100,9 +136,34 @@ function deepMerge(a, b) {
 
 // --- pre-flight: currency + preconditions + mutex ---
 
+/**
+ * Pre-flight gate. Three concerns:
+ *
+ *   1. Currency. threat_currency_score < 50 hard-blocks unless
+ *      runOpts.forceStale=true. < 70 emits a warning issue.
+ *   2. Preconditions. _meta.preconditions[] entries with on_fail in
+ *      {halt, warn, skip_phase} are evaluated against
+ *      runOpts.precondition_checks[id]. Missing values → precondition_unverified
+ *      issue (plus halt if on_fail=halt). False values → precondition_warn or
+ *      precondition_skip per on_fail.
+ *   3. Mutex. _meta.mutex[] intersect with the in-process active runs set
+ *      AND with the filesystem lockfile dir blocks the run.
+ *
+ * E5: when runOpts.strictPreconditions === true, warn-level outcomes
+ * (precondition_warn, precondition_unverified with on_fail=warn or
+ * skip_phase) are ESCALATED to halts. The function returns ok:false with
+ * blocked_by='precondition' and an issues array containing
+ * precondition_halt entries. Callers wanting "CI gate: any unverified
+ * precondition is a failure" pass strictPreconditions=true.
+ *
+ * E6: when a precondition with on_fail='skip_phase' fails, the issue carries
+ * skip_phase: 'detect' (default) so run() can route to a skipped-phase
+ * placeholder rather than executing detect against a missing prerequisite.
+ */
 function preflight(playbook, runOpts = {}) {
   const issues = [];
   const meta = playbook._meta;
+  const strict = runOpts.strictPreconditions === true;
 
   // 1. Currency gate
   const score = meta.threat_currency_score;
@@ -123,6 +184,18 @@ function preflight(playbook, runOpts = {}) {
     const submitted = runOpts.precondition_checks?.[pc.id];
     if (submitted === undefined) {
       const submission_hint = `Submit precondition_checks in your evidence JSON, e.g. { "precondition_checks": { "${pc.id}": true } }. The runner lifts this into runOpts before the gate evaluates.`;
+      if (strict) {
+        // E5: strictPreconditions promotes unverified to halt regardless of
+        // declared on_fail.
+        issues.push({ kind: 'precondition_halt', id: pc.id, check: pc.check, on_fail: pc.on_fail, submission_hint, escalated_from: 'precondition_unverified' });
+        return {
+          ok: false,
+          blocked_by: 'precondition',
+          reason: `Precondition ${pc.id} (${pc.check}) not verified by host AI; strict-preconditions enabled.`,
+          remediation: submission_hint,
+          issues
+        };
+      }
       issues.push({ kind: 'precondition_unverified', id: pc.id, check: pc.check, on_fail: pc.on_fail, submission_hint });
       if (pc.on_fail === 'halt') {
         return {
@@ -139,7 +212,25 @@ function preflight(playbook, runOpts = {}) {
       if (pc.on_fail === 'halt') {
         return { ok: false, blocked_by: 'precondition', reason: `Precondition ${pc.id} failed: ${pc.description}`, issues };
       }
-      issues.push({ kind: pc.on_fail === 'skip_phase' ? 'precondition_skip' : 'precondition_warn', id: pc.id, message: pc.description });
+      if (strict) {
+        // E5: warn-level + skip_phase outcomes escalate to halt under strict.
+        issues.push({ kind: 'precondition_halt', id: pc.id, message: pc.description, escalated_from: pc.on_fail === 'skip_phase' ? 'precondition_skip' : 'precondition_warn' });
+        return {
+          ok: false,
+          blocked_by: 'precondition',
+          reason: `Precondition ${pc.id} (${pc.check}) failed; strict-preconditions enabled.`,
+          issues
+        };
+      }
+      if (pc.on_fail === 'skip_phase') {
+        // E6: emit a skip_phase field so run() can route to a skipped-phase
+        // placeholder. Default target phase is 'detect' (the most common
+        // skip target — preconditions typically gate host-side detection).
+        // Playbooks may override via pc.skip_phase.
+        issues.push({ kind: 'precondition_skip', id: pc.id, message: pc.description, skip_phase: pc.skip_phase || 'detect' });
+      } else {
+        issues.push({ kind: 'precondition_warn', id: pc.id, message: pc.description });
+      }
     }
   }
 
@@ -175,8 +266,18 @@ function preflight(playbook, runOpts = {}) {
   return { ok: true, issues };
 }
 
+// F28: lockDir lives at a stable global path so two CLI invocations from
+// different working directories still share lock state for cross-process
+// mutex enforcement. Pre-fix this used process.cwd(), which meant invoking
+// the same playbook from /tmp and from /home/user/project simultaneously
+// would each see an empty locks dir and both run unchallenged. The path
+// keys on os.platform() so Windows/macOS/Linux locks live under separate
+// directories (avoids cross-platform stale-PID confusion when a host is
+// shared across OSes via networked FS). Override via EXCEPTD_LOCK_DIR for
+// container/CI scenarios that need an explicit shared location.
 function lockDir() {
-  const dir = path.join(process.cwd(), '.exceptd', 'locks');
+  const dir = process.env.EXCEPTD_LOCK_DIR
+    || path.join(os.tmpdir(), `exceptd-locks-${process.platform}`);
   try { fs.mkdirSync(dir, { recursive: true }); } catch {}
   return dir;
 }
@@ -214,8 +315,17 @@ function pidAlive(pid) {
  * fingerprints, framework gap summary, and skills to preload.
  */
 function govern(playbookId, directiveId, runOpts = {}) {
-  const playbook = loadPlaybook(playbookId);
+  const playbook = runOpts._playbookCache || loadPlaybook(playbookId);
   const g = resolvedPhase(playbook, directiveId, 'govern');
+  // F12: sort jurisdiction obligations by window_hours ascending so the
+  // tightest deadline (e.g. DORA's 4h, NIS2's 24h, GDPR's 72h) surfaces
+  // first. Operators reading the govern output for ack-time briefing need
+  // the most urgent clock at the top of the list.
+  const obligations = (g.jurisdiction_obligations || []).slice().sort((a, b) => {
+    const aw = (a && typeof a.window_hours === 'number') ? a.window_hours : Number.POSITIVE_INFINITY;
+    const bw = (b && typeof b.window_hours === 'number') ? b.window_hours : Number.POSITIVE_INFINITY;
+    return aw - bw;
+  });
   return {
     phase: 'govern',
     playbook_id: playbookId,
@@ -224,7 +334,7 @@ function govern(playbookId, directiveId, runOpts = {}) {
     threat_currency_score: playbook._meta.threat_currency_score,
     last_threat_review: playbook._meta.last_threat_review,
     air_gap_mode: !!playbook._meta.air_gap_mode || !!runOpts.airGap,
-    jurisdiction_obligations: g.jurisdiction_obligations || [],
+    jurisdiction_obligations: obligations,
     theater_fingerprints: g.theater_fingerprints || [],
     framework_context: g.framework_context || {},
     skill_preload: g.skill_preload || [],
@@ -238,8 +348,8 @@ function govern(playbookId, directiveId, runOpts = {}) {
 
 // --- phase 2: direct ---
 
-function direct(playbookId, directiveId) {
-  const playbook = loadPlaybook(playbookId);
+function direct(playbookId, directiveId, runOpts = {}) {
+  const playbook = runOpts._playbookCache || loadPlaybook(playbookId);
   const d = resolvedPhase(playbook, directiveId, 'direct');
   return {
     phase: 'direct',
@@ -256,7 +366,7 @@ function direct(playbookId, directiveId) {
 // --- phase 3: look (engine emits, agent executes) ---
 
 function look(playbookId, directiveId, runOpts = {}) {
-  const playbook = loadPlaybook(playbookId);
+  const playbook = runOpts._playbookCache || loadPlaybook(playbookId);
   const l = resolvedPhase(playbook, directiveId, 'look');
   const airGap = !!playbook._meta.air_gap_mode || !!runOpts.airGap;
   return {
@@ -303,8 +413,8 @@ function look(playbookId, directiveId, runOpts = {}) {
  * and (optionally) `signal_overrides` as { indicator_id: 'hit'|'miss'|'inconclusive' } to
  * record an indicator outcome the agent computed using its own pattern matching.
  */
-function detect(playbookId, directiveId, agentSubmission = {}) {
-  const playbook = loadPlaybook(playbookId);
+function detect(playbookId, directiveId, agentSubmission = {}, runOpts = {}) {
+  const playbook = runOpts._playbookCache || loadPlaybook(playbookId);
   const det = resolvedPhase(playbook, directiveId, 'detect');
   const artifacts = agentSubmission.artifacts || {};
   const overrides = agentSubmission.signal_overrides || {};
@@ -323,24 +433,61 @@ function detect(playbookId, directiveId, agentSubmission = {}) {
     return null; // truly unknown — fall through
   };
 
+  // E1: per-indicator FP-check attestation map. Operators submit
+  //   signal_overrides: { '<indicator-id>__fp_checks': { '<fp-check-name>': true } }
+  // to declare which named false_positive_checks_required[] entries on the
+  // indicator have been satisfied. An unverified FP check downgrades the
+  // verdict from 'hit' to 'inconclusive' and surfaces fp_checks_unsatisfied
+  // on the per-indicator result. See AGENTS.md Hard Rule #6 (compliance
+  // theater) and AGENTS.md §"detect (AI)" — a `hit` without its FP checks
+  // is not yet a `detected` classification.
   const indicatorResults = (det.indicators || []).map(ind => {
     const rawOverride = overrides[ind.id];
     const override = canonicalize(rawOverride);
     let verdict;
+    let fpChecksUnsatisfied = null;
     if (override === 'hit' || override === 'miss' || override === 'inconclusive') {
       verdict = override;
+      // E1: gate 'hit' verdict on per-indicator false_positive_checks_required
+      // satisfaction. The FP-check attestation arrives as a sibling key
+      // '<id>__fp_checks' in signal_overrides; default behavior (no
+      // attestation) treats every required FP check as UNSATISFIED.
+      if (verdict === 'hit' && Array.isArray(ind.false_positive_checks_required) && ind.false_positive_checks_required.length) {
+        const attestation = overrides[`${ind.id}__fp_checks`];
+        const att = (attestation && typeof attestation === 'object') ? attestation : {};
+        const unsatisfied = ind.false_positive_checks_required.filter(fpName => {
+          // Match either by exact name string OR by indexed key '0', '1', ...
+          // because false_positive_checks_required entries are free-text
+          // strings, not ids. Operators may attest either by the literal
+          // string or by index. Default: unsatisfied.
+          if (att[fpName] === true) return false;
+          const idx = ind.false_positive_checks_required.indexOf(fpName);
+          if (idx !== -1 && att[String(idx)] === true) return false;
+          return true;
+        });
+        if (unsatisfied.length > 0) {
+          verdict = 'inconclusive';
+          fpChecksUnsatisfied = unsatisfied;
+        }
+      }
     } else {
       // Without an explicit override, treat any captured artifact as evidence
-      // the indicator could be evaluated. Mark inconclusive if no related
-      // artifact was captured — engine doesn't pattern-match raw artifact
-      // content; the host AI is responsible for that.
+      // the indicator could be evaluated. Mark inconclusive if any artifact
+      // was captured (engine doesn't pattern-match raw artifact content; the
+      // host AI is responsible for that). With NO captured artifacts, this is
+      // a clean empty submission — emit 'miss' so the run can reach
+      // classification:'not_detected' rather than getting stuck inconclusive.
+      // E2: pre-fix both arms emitted 'inconclusive', so a clean empty run
+      // could never reach not_detected and theater_verdict stayed
+      // 'pending_agent_run' forever.
       const anyCaptured = Object.values(artifacts).some(a => a && a.captured);
-      verdict = anyCaptured ? 'inconclusive' : 'inconclusive';
+      verdict = anyCaptured ? 'inconclusive' : 'miss';
     }
     return {
       id: ind.id, type: ind.type, confidence: ind.confidence,
       deterministic: ind.deterministic, atlas_ref: ind.atlas_ref || null,
-      attack_ref: ind.attack_ref || null, verdict
+      attack_ref: ind.attack_ref || null, verdict,
+      ...(fpChecksUnsatisfied ? { fp_checks_unsatisfied: fpChecksUnsatisfied } : {})
     };
   });
 
@@ -402,7 +549,11 @@ function detect(playbookId, directiveId, agentSubmission = {}) {
     })),
     indicators_evaluated_count: indicatorResults.length,
     classification_override_applied: validOverrides.has(override) ? (override === 'clean' ? 'not_detected' : override) : null,
-    submission_shape_seen: agentSubmission._original_shape || (agentSubmission.artifacts ? 'nested (v0.10.x)' : 'empty')
+    submission_shape_seen: agentSubmission._original_shape || (agentSubmission.artifacts ? 'nested (v0.10.x)' : 'empty'),
+    // E9: pass through any flat-shape observation collisions detected at
+    // normalize time so analyze() can publish them under
+    // analyze.signal_origins_with_collisions.
+    _signal_origins_collisions: Array.isArray(agentSubmission._signal_origins_collisions) ? agentSubmission._signal_origins_collisions.slice() : []
   };
 }
 
@@ -413,10 +564,17 @@ function detect(playbookId, directiveId, agentSubmission = {}) {
  * mapping + escalation evaluation. Inputs are the detect result + any
  * agent-submitted signal_values (e.g. blast_radius classification).
  */
-function analyze(playbookId, directiveId, detectResult, agentSignals = {}) {
-  const playbook = loadPlaybook(playbookId);
+function analyze(playbookId, directiveId, detectResult, agentSignals = {}, runOpts = {}) {
+  const playbook = runOpts._playbookCache || loadPlaybook(playbookId);
   const an = resolvedPhase(playbook, directiveId, 'analyze');
   const directive = findDirective(playbook, directiveId);
+  // F6/F20/F24: when analyze() is called directly (not via run()), no
+  // runtime-error accumulator exists in runOpts. Ensure there's always a
+  // local array so blast_radius / theater / xref errors surface in the
+  // returned analyze.runtime_errors.
+  if (!Array.isArray(runOpts._runErrors)) {
+    runOpts = { ...runOpts, _runErrors: [] };
+  }
 
   // Resolve catalogued CVEs from the domain.cve_refs list. This list is the
   // playbook's CVE scan-coverage enumeration — every CVE this playbook can
@@ -452,13 +610,36 @@ function analyze(playbookId, directiveId, detectResult, agentSignals = {}) {
   const cveRefs = playbook.domain.cve_refs || [];
   const vexFilter = agentSignals.vex_filter instanceof Set ? agentSignals.vex_filter
     : (Array.isArray(agentSignals.vex_filter) ? new Set(agentSignals.vex_filter) : null);
-  const allCves = cveRefs.map(id => xref.byCve(id)).filter(r => r.found);
+  // F17: distinguish OpenVEX/CycloneDX "drop entirely" dispositions
+  // (not_affected / false_positive) from "keep but annotate" dispositions
+  // (fixed / resolved). vexFilterFromDoc returns the union; the "fixed" set
+  // is computed below from agentSignals.vex_fixed when the operator passes
+  // it (CLI populates it from the VEX doc alongside vex_filter).
+  const vexFixed = agentSignals.vex_fixed instanceof Set ? agentSignals.vex_fixed
+    : (Array.isArray(agentSignals.vex_fixed) ? new Set(agentSignals.vex_fixed) : null);
+  // F20: wrap xref.byCve() so a corrupt catalog (or transient missing-index
+  // anomaly) surfaces as a runtime_error rather than crashing analyze().
+  const _byCveSafe = (id) => {
+    try { return xref.byCve(id); }
+    catch (e) {
+      if (Array.isArray(runOpts._runErrors)) {
+        runOpts._runErrors.push({ kind: 'xref', cve_id: id, message: (e && e.message) ? String(e.message) : String(e) });
+      }
+      return { found: false, cve_id: id };
+    }
+  };
+  const allCves = cveRefs.map(id => _byCveSafe(id)).filter(r => r.found);
   const catalogBaselineCves = vexFilter
     ? allCves.filter(c => !vexFilter.has(c.cve_id))
     : allCves;
   const vexDropped = vexFilter
     ? allCves.filter(c => vexFilter.has(c.cve_id)).map(c => c.cve_id)
     : [];
+  // F17: VEX-fixed CVEs remain in matched/catalog arrays but get annotated
+  // with vex_status:'fixed' downstream so consumers see them as resolved.
+  const vexFixedIds = vexFixed
+    ? allCves.filter(c => vexFixed.has(c.cve_id)).map(c => c.cve_id)
+    : [];
 
   // Build correlation map: cve_id -> array of "indicator_hit:<id>" / "signal:<id>" reasons.
   const correlationsByCve = new Map();
@@ -491,64 +672,254 @@ function analyze(playbookId, directiveId, detectResult, agentSignals = {}) {
     }
   }
 
-  const matchedCves = catalogBaselineCves.filter(c => correlationsByCve.has(c.cve_id));
+  // F3: indicator-level cve_ref correlation. Indicators may declare a
+  // cve_ref (string OR string[]) naming CVEs whose presence the indicator
+  // pattern-matches. When such an indicator fires AND the named CVE exists
+  // in the catalog, the CVE joins matched_cves with correlated_via=
+  // 'indicator_cve_ref:<indicator-id>'. The catalog lookup also brings in
+  // CVEs the playbook didn't enumerate in domain.cve_refs — they're appended
+  // to the working catalog set so the downstream matchedCves filter picks
+  // them up. Dedupe is automatic via correlationsByCve (Map keyed on cve_id).
+  const extraCatalogCves = [];
+  const seenCatalogIds = new Set(catalogBaselineCves.map(c => c.cve_id));
+  for (const fired of firedIndicators) {
+    const indicator = (playbookDetect.indicators || []).find(i => i.id === fired.id);
+    if (!indicator) continue;
+    const raw = indicator.cve_ref;
+    const refs = Array.isArray(raw) ? raw : (typeof raw === 'string' && raw ? [raw] : []);
+    for (const cveId of refs) {
+      // VEX-drop these the same as catalog CVEs.
+      if (vexFilter && vexFilter.has(cveId)) continue;
+      let cveEntry = catalogBaselineCves.find(c => c.cve_id === cveId);
+      if (!cveEntry) {
+        const looked = _byCveSafe(cveId);
+        if (!looked || !looked.found) continue; // CVE not in catalog — skip
+        if (!seenCatalogIds.has(looked.cve_id)) {
+          extraCatalogCves.push(looked);
+          seenCatalogIds.add(looked.cve_id);
+        }
+      }
+      addCorrelation(cveId, `indicator_cve_ref:${fired.id}`);
+    }
+  }
+  const workingCatalogCves = catalogBaselineCves.concat(extraCatalogCves);
+
+  const matchedCves = workingCatalogCves.filter(c => correlationsByCve.has(c.cve_id));
 
   // Per-CVE shape — identical between matched_cves and catalog_baseline_cves
   // so consumers can iterate either without branching. matched_cves entries
   // carry a non-null correlated_via array; catalog_baseline_cves entries
   // carry correlated_via:null and a `note` clarifying the field's intent.
-  const cveShape = (c, correlatedVia) => ({
-    cve_id: c.cve_id,
-    rwep: c.rwep_score,
-    cvss_score: c.entry?.cvss_score ?? null,
-    cvss_vector: c.entry?.cvss_vector ?? null,
-    cisa_kev: c.cisa_kev,
-    cisa_kev_date: c.entry?.cisa_kev_date ?? null,
-    cisa_kev_due_date: c.entry?.cisa_kev_due_date ?? null,
-    poc_available: c.entry?.poc_available ?? null,
-    ai_discovered: c.ai_discovered,
-    ai_assisted_weaponization: c.entry?.ai_assisted_weaponization ?? null,
-    active_exploitation: c.active_exploitation,
-    patch_available: c.entry?.patch_available ?? null,
-    patch_required_reboot: c.entry?.patch_required_reboot ?? null,
-    live_patch_available: c.entry?.live_patch_available ?? null,
-    epss_score: c.entry?.epss_score ?? null,
-    epss_date: c.entry?.epss_date ?? null,
-    atlas_refs: c.atlas_refs,
-    attack_refs: c.attack_refs,
-    affected_versions: c.entry?.affected_versions ?? null,
-    correlated_via: correlatedVia,
-  });
+  const cveShape = (c, correlatedVia) => {
+    // F17: annotate VEX-fixed CVEs with vex_status. matched_cves still
+    // includes them so audit trails and SBOM reports surface "we know this
+    // is in scope but vendor declared it fixed."
+    const vexStatus = (vexFixed && vexFixed.has(c.cve_id)) ? 'fixed' : null;
+    return {
+      cve_id: c.cve_id,
+      rwep: c.rwep_score,
+      cvss_score: c.entry?.cvss_score ?? null,
+      cvss_vector: c.entry?.cvss_vector ?? null,
+      cisa_kev: c.cisa_kev,
+      cisa_kev_date: c.entry?.cisa_kev_date ?? null,
+      cisa_kev_due_date: c.entry?.cisa_kev_due_date ?? null,
+      poc_available: c.entry?.poc_available ?? null,
+      ai_discovered: c.ai_discovered,
+      ai_assisted_weaponization: c.entry?.ai_assisted_weaponization ?? null,
+      active_exploitation: c.active_exploitation,
+      patch_available: c.entry?.patch_available ?? null,
+      patch_required_reboot: c.entry?.patch_required_reboot ?? null,
+      live_patch_available: c.entry?.live_patch_available ?? null,
+      epss_score: c.entry?.epss_score ?? null,
+      epss_date: c.entry?.epss_date ?? null,
+      atlas_refs: c.atlas_refs,
+      attack_refs: c.attack_refs,
+      affected_versions: c.entry?.affected_versions ?? null,
+      correlated_via: correlatedVia,
+      ...(vexStatus ? { vex_status: vexStatus } : {}),
+    };
+  };
 
   const matchedCveEntries = matchedCves.map(c => cveShape(c, correlationsByCve.get(c.cve_id)));
-  const catalogBaselineEntries = catalogBaselineCves.map(c => ({
+  const catalogBaselineEntries = workingCatalogCves.map(c => ({
     ...cveShape(c, null),
     note: 'Catalog-baseline entry — this CVE is in the playbook\'s scan coverage but no submitted evidence correlated to it. Not a statement that the operator is affected.',
   }));
 
   // RWEP composition: start from the per-CVE rwep_score of evidence-correlated
   // matches (NOT catalog baseline) so RWEP base reflects what the operator's
-  // evidence actually surfaced. Adjust by playbook's rwep_inputs based on
-  // detect hits + agent signals.
-  const baseRwep = matchedCves.length ? Math.max(...matchedCves.map(c => c.rwep_score)) : 0;
+  // evidence actually surfaced. F18: the "max" reduction across matched CVEs
+  // is intentional — RWEP is a "worst-case real-world exploit priority", not
+  // an arithmetic average. The most-exploitable CVE in the set drives the
+  // base; secondary CVEs add via rwep_inputs adjustments below rather than
+  // through base summing (which would double-count overlapping risk).
+  // F17: vex_status='fixed' CVEs do NOT drive the base — vendor declared
+  // them resolved. They still appear in matched_cves for audit traceability
+  // but don't elevate RWEP.
+  const rwepEligible = matchedCves.filter(c => !(vexFixed && vexFixed.has(c.cve_id)));
+  const baseRwep = rwepEligible.length ? Math.max(...rwepEligible.map(c => c.rwep_score)) : 0;
+
+  // F5: rwep_factor semantics. Each rwep_input.weight is conditional on the
+  // matched CVE having a corresponding attribute. Pre-fix, every weight fired
+  // unconditionally when its signal_id indicator hit — operators saw RWEP +25
+  // for active_exploitation regardless of whether the matched CVE was actually
+  // under active exploitation. Now we multiply weight by a factor in [0, 1]
+  // derived from the first matched CVE's catalog attribute. blast_radius is
+  // sourced from the analyze-phase blast_radius_score / 5 (rubric ceiling).
+  // Negative weights (patch_available, live_patch_available) keep their sign
+  // so a patched CVE deducts the full magnitude when the catalog confirms a
+  // patch is available.
+  //
+  // Aliasing: playbooks ship rwep_factor values `public_poc` and
+  // `ai_weaponization` for what F5 calls `poc_available` and `ai_factor`.
+  // Both spellings resolve here.
+  const _activeExploitationLadder = { confirmed: 1.0, suspected: 0.5, unknown: 0.25, none: 0 };
+  const _factorScale = (factorName, cve, blastScore) => {
+    if (!cve) return 0;
+    switch (factorName) {
+      case 'cisa_kev':
+        return cve.cisa_kev === true ? 1 : 0;
+      case 'active_exploitation': {
+        const v = cve.active_exploitation || (cve.entry && cve.entry.active_exploitation);
+        return _activeExploitationLadder[v] ?? 0;
+      }
+      case 'poc_available':
+      case 'public_poc': {
+        const v = cve.entry?.poc_available ?? cve.poc_available;
+        return v === true ? 1 : 0;
+      }
+      case 'ai_factor':
+      case 'ai_weaponization': {
+        const aiDisc = cve.ai_discovered === true || cve.entry?.ai_discovered === true;
+        const aiWeap = cve.entry?.ai_assisted_weaponization === true;
+        if (aiDisc && aiWeap) return 1.0;
+        if (aiDisc || aiWeap) return 0.5;
+        return 0;
+      }
+      case 'patch_available':
+        return cve.entry?.patch_available === true ? 1 : 0;
+      case 'live_patch_available':
+        return cve.entry?.live_patch_available === true ? 1 : 0;
+      case 'reboot_required':
+        return cve.entry?.patch_required_reboot === true ? 1 : 0;
+      case 'blast_radius': {
+        // blast_radius weights scale by the 0-5 rubric score so a max-blast
+        // finding gets full weight and a low-blast finding gets a fraction.
+        if (typeof blastScore !== 'number' || blastScore < 0) return 0;
+        return Math.min(1, blastScore / 5);
+      }
+      default:
+        // Unknown factor: fire as binary (legacy behavior) so playbooks with
+        // novel rwep_factor strings don't silently zero out.
+        return 1;
+    }
+  };
+
+  // F6: blast_radius_score validation. Pre-fix, when no agent signal was
+  // supplied the runner silently defaulted to blast_rubric[0].blast_radius_score
+  // — typically the LOWEST-blast rubric entry — which is the opposite of
+  // safe-default. Now: no supplied value → null + signal='default'. Supplied
+  // value out of [0,5] → null + signal='rejected' + runtime_error. Supplied
+  // value in range → use it + signal='supplied'.
+  const blastRubric = an.blast_radius_model?.scoring_rubric || [];
+  let blastRadiusScore = null;
+  let blastRadiusSignal = 'default';
+  if (agentSignals.blast_radius_score !== undefined && agentSignals.blast_radius_score !== null) {
+    const raw = agentSignals.blast_radius_score;
+    const num = typeof raw === 'number' ? raw : parseFloat(raw);
+    if (Number.isFinite(num) && num >= 0 && num <= 5) {
+      blastRadiusScore = num;
+      blastRadiusSignal = 'supplied';
+    } else {
+      blastRadiusSignal = 'rejected';
+      if (Array.isArray(runOpts._runErrors)) {
+        runOpts._runErrors.push({ kind: 'blast_radius_invalid', supplied: raw, reason: 'expected number in [0, 5]' });
+      }
+    }
+  }
+  // F5: use the first evidence-correlated CVE as the canonical attribute
+  // source for factor scaling. If matchedCves is empty there's no per-CVE
+  // evidence to gate on. v0.12.15 (audit N F1): the prior fallback was
+  // `factorCve = null` → every factor returned 0 → catalog-shape playbooks
+  // (secrets, library-author, crypto-codebase, framework, cred-stores,
+  // containers, runtime, crypto, ai-api) that detect WITHOUT a per-CVE
+  // evidence correlation emitted `weight_applied: 0` for every fired
+  // indicator, producing `adjusted: 0` for every detection. The e2e suite
+  // caught this — 9/20 scenarios failed `json_path_min.adjusted >= N`.
+  //
+  // Domain-level fallback: when no evidence-correlated CVE is available,
+  // use the highest-rwep_score entry from `workingCatalogCves` (which is
+  // built from `playbook.domain.cve_refs[]` — the playbook's canonical
+  // "what we're about"). This preserves factor-scaling semantics while
+  // recognizing that a catalog-shape playbook's threat class is already
+  // declared by its domain refs. The factor-scale annotation surfaces
+  // `factor_cve_source: 'evidence' | 'domain' | 'none'` so operators see
+  // which fallback was used.
+  let factorCveSource = 'none';
+  let factorCve = matchedCves[0] || null;
+  if (factorCve) {
+    factorCveSource = 'evidence';
+  } else if (workingCatalogCves.length > 0) {
+    // Highest rwep_score from domain refs.
+    factorCve = workingCatalogCves.reduce((worst, c) =>
+      (typeof c.rwep_score === 'number' && (!worst || c.rwep_score > worst.rwep_score)) ? c : worst,
+    null);
+    if (factorCve) factorCveSource = 'domain';
+  }
+  // v0.12.15 (audit N F1): five shipped playbooks (secrets, library-author,
+  // crypto-codebase, framework, cred-stores, containers, runtime, crypto,
+  // ai-api) ship with empty `domain.cve_refs` because their attack class is
+  // class-of-vulnerability rather than CVE-specific. For those playbooks
+  // neither evidence-correlation NOR the domain-CVE fallback yields a
+  // factorCve, so every fired indicator's `weight_applied` was forced to
+  // zero by `_factorScale` returning 0. Fall back to the pre-v0.12.14
+  // semantics for this case only: apply the declared weight as-is
+  // (factor_scale=1, legacy semantics). The factor_cve_source annotation
+  // surfaces 'class' so operators see which mode the run used.
+  const _classScaleFallback = !factorCve;
   let adjustedRwep = baseRwep;
   const rwepBreakdown = [];
   for (const input of an.rwep_inputs || []) {
     const indicator = detectResult.indicators?.find(i => i.id === input.signal_id);
     const fired = indicator?.verdict === 'hit' || agentSignals[input.signal_id] === true;
-    if (fired) {
-      adjustedRwep += input.weight;
-      rwepBreakdown.push({ signal_id: input.signal_id, rwep_factor: input.rwep_factor, weight_applied: input.weight, fired: true });
+    if (!fired) {
+      rwepBreakdown.push({ signal_id: input.signal_id, rwep_factor: input.rwep_factor, weight_applied: 0, fired: false, factor_scale: 0 });
+      continue;
+    }
+    // v0.12.15: class-of-vulnerability playbooks (no factorCve from
+    // evidence OR domain) apply weights as-is via the legacy semantics.
+    // For CVE-anchored playbooks, scale by the matched CVE's attributes.
+    // Class fallback covers blast_radius too — when the agent submitted a
+    // blast score, _factorScale honors it; otherwise the class-fallback
+    // applies full weight (matching pre-v0.12.14 behavior, where every
+    // fired indicator contributed its full declared weight).
+    let scale, factorCveSourceForBreakdown;
+    if (_classScaleFallback) {
+      if (input.rwep_factor === 'blast_radius' && typeof blastRadiusScore === 'number') {
+        // Operator-supplied blast score is still honored even in class mode.
+        scale = Math.min(1, blastRadiusScore / 5);
+      } else {
+        scale = 1;
+      }
+      factorCveSourceForBreakdown = 'class';
     } else {
-      rwepBreakdown.push({ signal_id: input.signal_id, rwep_factor: input.rwep_factor, weight_applied: 0, fired: false });
+      scale = _factorScale(input.rwep_factor, factorCve, blastRadiusScore);
+      factorCveSourceForBreakdown = factorCveSource;
     }
+    const applied = input.weight * scale;
+    adjustedRwep += applied;
+    rwepBreakdown.push({
+      signal_id: input.signal_id,
+      rwep_factor: input.rwep_factor,
+      weight_applied: applied,
+      weight_declared: input.weight,
+      factor_scale: scale,
+      factor_cve_source: factorCveSourceForBreakdown,
+      fired: true,
+    });
   }
   adjustedRwep = Math.max(0, Math.min(100, adjustedRwep));
 
-  // blast_radius
-  const blastRubric = an.blast_radius_model?.scoring_rubric || [];
-  const blastRadiusScore = agentSignals.blast_radius_score || (blastRubric[0]?.blast_radius_score ?? null);
-
   // compliance_theater_check — engine surfaces the test; agent runs it; we
   // accept the verdict in agentSignals.theater_verdict. When agent didn't
   // submit a verdict but the detect phase reached a clear classification,
@@ -558,8 +929,25 @@ function analyze(playbookId, directiveId, detectResult, agentSignals = {}) {
   //                                          (agent still must run reality_test)
   //   detect.classification = inconclusive → theater_verdict = pending_agent_run
   // Aliases 'clean' / 'no_theater' map to 'clear' for ergonomics.
+  //
+  // F24: validate against an allowlist. Pre-fix, any free-text string the
+  // operator passed through agentSignals.theater_verdict was accepted, so
+  // downstream consumers (CSAF/SARIF/OpenVEX) emitted bundles with garbage
+  // verdicts like "TODO" or "let me think". Allowlist: clear, present,
+  // theater, pending_agent_run, unknown.
+  const _theaterAllowlist = new Set(['clear', 'present', 'theater', 'pending_agent_run', 'unknown']);
   let theaterVerdict = agentSignals.theater_verdict;
   if (theaterVerdict === 'clean' || theaterVerdict === 'no_theater') theaterVerdict = 'clear';
+  if (theaterVerdict !== undefined && theaterVerdict !== null && !_theaterAllowlist.has(theaterVerdict)) {
+    if (Array.isArray(runOpts._runErrors)) {
+      runOpts._runErrors.push({
+        kind: 'theater_verdict_invalid',
+        supplied: theaterVerdict,
+        allowed: Array.from(_theaterAllowlist),
+      });
+    }
+    theaterVerdict = undefined;
+  }
   if (!theaterVerdict && an.compliance_theater_check) {
     const cls = detectResult.classification;
     theaterVerdict = cls === 'not_detected' ? 'clear' : 'pending_agent_run';
@@ -572,8 +960,10 @@ function analyze(playbookId, directiveId, detectResult, agentSignals = {}) {
 
   // escalation criteria
   const escalations = [];
+  const runtimeErrors = []; // E3: collect regex-eval errors during analyze
+  const evalCtxRoot = { _runErrors: runOpts._runErrors || runtimeErrors };
   for (const ec of an.escalation_criteria || []) {
-    if (evalCondition(ec.condition, { rwep: adjustedRwep, blast_radius_score: blastRadiusScore, theater_verdict: theaterVerdict, ...agentSignals }, playbook)) {
+    if (evalCondition(ec.condition, { rwep: adjustedRwep, blast_radius_score: blastRadiusScore, theater_verdict: theaterVerdict, ...agentSignals, ...evalCtxRoot }, playbook)) {
       escalations.push({ condition: ec.condition, action: ec.action, target_playbook: ec.target_playbook || null });
     }
   }
@@ -600,15 +990,27 @@ function analyze(playbookId, directiveId, detectResult, agentSignals = {}) {
     // matched_cves when surfacing "what CVEs is the operator actually
     // affected by based on submitted evidence?"
     catalog_baseline_cves: catalogBaselineEntries,
-    rwep: { base: baseRwep, adjusted: adjustedRwep, breakdown: rwepBreakdown, threshold: directive ? resolvedPhase(playbook, directiveId, 'direct').rwep_threshold : null },
+    // F18: rwep base is reduced via Math.max across matched CVEs. Surface
+    // the reduction strategy as a discoverable field so operators reading the
+    // bundle understand the semantics without grepping source.
+    rwep: { base: baseRwep, adjusted: adjustedRwep, breakdown: rwepBreakdown, threshold: directive ? resolvedPhase(playbook, directiveId, 'direct').rwep_threshold : null, _rwep_base_strategy: 'max' },
     blast_radius_score: blastRadiusScore,
+    // F6: visible annotation of where blast_radius_score came from:
+    //   'supplied'  — operator/agent provided a value in [0, 5].
+    //   'default'   — no value supplied; runner returned null (no rubric guess).
+    //   'rejected'  — value supplied but out of range; treated as default + runtime_error.
+    blast_radius_signal: blastRadiusSignal,
     blast_radius_basis: blastRubric.find(r => r.blast_radius_score === blastRadiusScore) || null,
     compliance_theater_check: {
       claim: an.compliance_theater_check?.claim,
       audit_evidence: an.compliance_theater_check?.audit_evidence,
       reality_test: an.compliance_theater_check?.reality_test,
       verdict: theaterVerdict,
-      verdict_text: theaterVerdict === 'theater' ? an.compliance_theater_check?.theater_verdict_if_gap : null
+      // F25: render verdict_text for both 'theater' AND 'present' verdicts
+      // ('present' is a synonym used by some playbooks for "theater is here").
+      verdict_text: (theaterVerdict === 'theater' || theaterVerdict === 'present')
+        ? an.compliance_theater_check?.theater_verdict_if_gap
+        : null
     },
     framework_gap_mapping: frameworkGaps,
     escalations,
@@ -625,40 +1027,77 @@ function analyze(playbookId, directiveId, detectResult, agentSignals = {}) {
       note: vexDropped.length
         ? `${vexDropped.length} CVE(s) dropped from analyze because the operator-supplied VEX statement marks them not_affected / resolved / false_positive. They remain in cve-catalog.json; the disposition lives in the VEX file.`
         : "VEX filter supplied; zero matches dropped (no CVEs in domain.cve_refs matched the VEX not-affected set)."
-    } : null
+    } : null,
+    // E3: regex-eval failures surfaced here so operators can see WHICH
+    // condition expression crashed without the runner dying. Only present
+    // when at least one evalCondition() call hit a regex exception during
+    // this analyze pass; runOpts._runErrors is the same accumulator
+    // populated by run() across all phases, so callers reading this field
+    // see every regex problem in the run.
+    runtime_errors: (runOpts._runErrors && runOpts._runErrors.length) ? runOpts._runErrors.slice() : (runtimeErrors.length ? runtimeErrors.slice() : []),
+    // E9: collisions when two flat-shape observations targeted the same
+    // indicator id. Empty when there were no collisions or no flat-shape
+    // observations submitted.
+    signal_origins_with_collisions: Array.isArray(agentSignals?._signal_origins_collisions) ? agentSignals._signal_origins_collisions.slice() : (Array.isArray(detectResult?._signal_origins_collisions) ? detectResult._signal_origins_collisions.slice() : [])
   };
 }
 
 /**
- * Extract a set of "not affected" CVE IDs from a VEX document. Supports
- * CycloneDX VEX (analysis.state in {not_affected, resolved, false_positive})
- * and OpenVEX (statements[].status === "not_affected"). Returns a Set<string>.
+ * Extract VEX disposition sets from a CycloneDX/OpenVEX document.
+ *
+ * F17: pre-fix this conflated OpenVEX `fixed` and `not_affected` into one
+ * "drop" set. They have different semantics:
+ *
+ *   - not_affected / false_positive → drop from matched_cves entirely.
+ *     The vendor has formally declared the product not vulnerable; the CVE
+ *     is not in scope.
+ *   - fixed / resolved → KEEP in matched_cves but annotate vex_status:'fixed'.
+ *     The product was vulnerable; the vendor shipped a patch. Operators
+ *     still need audit trails, SBOM coverage, and confirmation that the
+ *     fix landed in their build.
+ *
+ * Returns a `Set<string>` for the legacy "drop" set (the function's
+ * historical contract), with `.fixed` attached as an own property for
+ * callers that want the split. The CLI passes both as
+ * agentSignals.vex_filter + agentSignals.vex_fixed to analyze().
  */
 function vexFilterFromDoc(doc) {
   const out = new Set();
-  if (!doc || typeof doc !== 'object') return out;
+  const fixed = new Set();
+  if (!doc || typeof doc !== 'object') {
+    out.fixed = fixed;
+    return out;
+  }
 
-  // CycloneDX shape
+  // CycloneDX shape — analysis.state values per CycloneDX VEX spec:
+  //   not_affected / false_positive → drop
+  //   resolved                       → fixed-annotation
   for (const v of (doc.vulnerabilities || [])) {
     const state = v.analysis && v.analysis.state;
-    if (state === 'not_affected' || state === 'resolved' || state === 'false_positive') {
+    if (state === 'not_affected' || state === 'false_positive') {
       if (v.id) out.add(v.id);
+    } else if (state === 'resolved') {
+      if (v.id) fixed.add(v.id);
     }
   }
   // OpenVEX shape
   for (const s of (doc.statements || [])) {
-    if (s.status === 'not_affected' || s.status === 'fixed') {
-      const id = s.vulnerability && (s.vulnerability['@id'] || s.vulnerability.name || s.vulnerability);
-      if (typeof id === 'string') out.add(id);
-    }
+    const id = s.vulnerability && (s.vulnerability['@id'] || s.vulnerability.name || s.vulnerability);
+    if (typeof id !== 'string') continue;
+    if (s.status === 'not_affected') out.add(id);
+    else if (s.status === 'fixed') fixed.add(id);
   }
+  out.fixed = fixed;
   return out;
 }
 
 // --- phase 6: validate ---
 
-function validate(playbookId, directiveId, analyzeResult, agentSignals = {}) {
-  const playbook = loadPlaybook(playbookId);
+function validate(playbookId, directiveId, analyzeResult, agentSignals = {}, runOpts = {}) {
+  const playbook = runOpts._playbookCache || loadPlaybook(playbookId);
+  // E3: surface evalCondition regex errors raised here into the same
+  // run-wide accumulator that analyze() reads.
+  const evalCtx = runOpts._runErrors ? { ...agentSignals, _runErrors: runOpts._runErrors } : agentSignals;
   const v = resolvedPhase(playbook, directiveId, 'validate');
 
   // Pick the highest-priority remediation_path whose preconditions are all
@@ -669,7 +1108,7 @@ function validate(playbookId, directiveId, analyzeResult, agentSignals = {}) {
   for (const p of paths) {
     const pcResult = (p.preconditions || []).map(expr => ({
       expr,
-      satisfied: evalCondition(expr, agentSignals, playbook),
+      satisfied: evalCondition(expr, evalCtx, playbook),
       submitted: agentSignals[expressionKey(expr)] !== undefined
     }));
     const allSatisfied = pcResult.every(x => x.satisfied);
@@ -680,9 +1119,42 @@ function validate(playbookId, directiveId, analyzeResult, agentSignals = {}) {
   // weren't verified — the agent can surface that to the operator.
   if (!selected && paths.length) selected = paths[0];
 
-  // Compute regression schedule next_run (engine sets a single soonest run).
+  // F26: selected_remediation selection logic:
+  //   1. Iterate remediation_paths sorted by priority ASC (lower number =
+  //      higher priority per schema convention).
+  //   2. Pick the FIRST path whose every precondition (evaluated against
+  //      agentSignals + playbook context) is satisfied.
+  //   3. Fallback: when nothing satisfies, surface the highest-priority
+  //      path anyway so the agent has SOMETHING to propose to the operator —
+  //      better than emitting null and forcing the agent to guess.
+  // Above this block: paths.sort + the loop populating `considered` +
+  // `selected`. `remediation_options_considered[]` carries the full per-path
+  // precondition trace so operators can see why a higher-priority path was
+  // skipped.
+
+  // F10: regression schedule. Pre-fix this returned a single ISO string;
+  // now returns a structured object with next_run + event_triggers +
+  // unparseable. Preserve backwards compatibility by keeping
+  // regression_next_run as the ISO string (or null) so existing CSAF /
+  // attestation consumers don't break; expose the structured form
+  // separately.
   const triggers = v.regression_trigger || [];
-  const nextRun = computeRegressionNextRun(triggers);
+  const regressionResult = computeRegressionNextRun(triggers);
+
+  // F30: reason annotation for null next_run — operators see WHY a
+  // schedule didn't emit a calendar date (no day intervals declared,
+  // every trigger is event-driven, or every trigger was unparseable).
+  let nextRunReason = null;
+  if (!regressionResult.next_run) {
+    if (triggers.length === 0) nextRunReason = 'no_regression_triggers_declared';
+    else if (regressionResult.event_triggers.length && !regressionResult.unparseable.length) {
+      nextRunReason = 'all_triggers_event_driven';
+    } else if (regressionResult.unparseable.length && !regressionResult.event_triggers.length) {
+      nextRunReason = 'all_triggers_unparseable';
+    } else {
+      nextRunReason = 'no_calendar_interval_resolved';
+    }
+  }
 
   return {
     phase: 'validate',
@@ -694,21 +1166,71 @@ function validate(playbookId, directiveId, analyzeResult, agentSignals = {}) {
     residual_risk_statement: v.residual_risk_statement || null,
     evidence_requirements: v.evidence_requirements || [],
     regression_trigger: triggers,
-    regression_next_run: nextRun
+    regression_next_run: regressionResult.next_run,
+    regression_next_run_reason: nextRunReason,
+    regression_event_triggers: regressionResult.event_triggers,
+    regression_unparseable_triggers: regressionResult.unparseable,
   };
 }
 
+/**
+ * F10: extended interval parser. Supports:
+ *   <N>d   — N days
+ *   <N>wk  — N weeks
+ *   <N>mo  — N calendar months (Date.setMonth semantics)
+ *   <N>yr  — N calendar years
+ *   on_event — event-triggered, no date computed; surfaces in
+ *              regression_event_triggers[] for the consumer.
+ * Pre-fix, only Nd was honored; wk/mo/yr/on_event triggers were silently
+ * dropped, so a playbook declaring "regression on every release" or
+ * "monthly review" lost its schedule entry.
+ */
+function parseInterval(intervalStr, now) {
+  if (!intervalStr || typeof intervalStr !== 'string') return null;
+  const s = intervalStr.trim();
+  if (s === 'on_event') return { event: true };
+  let m = s.match(/^(\d+)d$/);
+  if (m) return { date: new Date(now.getTime() + parseInt(m[1], 10) * 24 * 3600 * 1000) };
+  m = s.match(/^(\d+)wk$/);
+  if (m) return { date: new Date(now.getTime() + parseInt(m[1], 10) * 7 * 24 * 3600 * 1000) };
+  m = s.match(/^(\d+)mo$/);
+  if (m) {
+    const d = new Date(now.getTime());
+    d.setMonth(d.getMonth() + parseInt(m[1], 10));
+    return { date: d };
+  }
+  m = s.match(/^(\d+)yr$/);
+  if (m) {
+    const d = new Date(now.getTime());
+    d.setFullYear(d.getFullYear() + parseInt(m[1], 10));
+    return { date: d };
+  }
+  return { unparseable: s };
+}
+
 function computeRegressionNextRun(triggers) {
   const now = new Date();
   let soonest = null;
+  const eventTriggers = [];
+  const unparseable = [];
   for (const t of triggers) {
-    const m = (t.interval || '').match(/^(\d+)d$/);
-    if (m) {
-      const d = new Date(now.getTime() + parseInt(m[1], 10) * 24 * 3600 * 1000);
-      if (!soonest || d < soonest) soonest = d;
+    const parsed = parseInterval(t.interval, now);
+    if (!parsed) continue;
+    if (parsed.event) {
+      eventTriggers.push({ interval: t.interval, trigger: t.trigger || t.event || null });
+      continue;
     }
+    if (parsed.unparseable) {
+      unparseable.push({ interval: parsed.unparseable, trigger: t.trigger || null });
+      continue;
+    }
+    if (parsed.date && (!soonest || parsed.date < soonest)) soonest = parsed.date;
   }
-  return soonest ? soonest.toISOString() : null;
+  return {
+    next_run: soonest ? soonest.toISOString() : null,
+    event_triggers: eventTriggers,
+    unparseable: unparseable,
+  };
 }
 
 // --- phase 7: close ---
@@ -723,9 +1245,16 @@ function computeRegressionNextRun(triggers) {
  *   - feeds_into chaining suggestions
  */
 function close(playbookId, directiveId, analyzeResult, validateResult, agentSignals = {}, runOpts = {}) {
-  const playbook = loadPlaybook(playbookId);
+  const playbook = runOpts._playbookCache || loadPlaybook(playbookId);
   const c = resolvedPhase(playbook, directiveId, 'close');
   const g = resolvedPhase(playbook, directiveId, 'govern');
+  // F2/F9: run() generates session_id once and threads it via runOpts.session_id.
+  // Pre-fix, close() generated its own session_id independently of run()'s,
+  // so CSAF tracking.id, OpenVEX @id, the attestation file name on disk, and
+  // the run()-returned session_id were all different hex strings — operators
+  // couldn't correlate the attestation file with the bundle URN inside it.
+  // crypto.randomBytes() fallback only fires for direct close() calls that
+  // bypass run() (e.g. unit tests).
   const sessionId = runOpts.session_id || crypto.randomBytes(8).toString('hex');
 
   // notification_actions — compute ISO deadlines from clock_starts events.
@@ -741,7 +1270,16 @@ function close(playbookId, directiveId, analyzeResult, validateResult, agentSign
     const obligation = (g.jurisdiction_obligations || []).find(o =>
       `${o.jurisdiction}/${o.regulation} ${o.window_hours}h` === na.obligation_ref
     );
-    const clockStart = obligation ? computeClockStart(obligation.clock_starts, agentSignals) : null;
+    // E7: thread runOpts through so computeClockStart can check
+    // operator_consent.explicit before auto-stamping detect_confirmed.
+    const clockStart = obligation ? computeClockStart(obligation.clock_starts, agentSignals, runOpts) : null;
+    // E7: when the clock event is detect_confirmed AND the classification
+    // matched AND the operator did NOT pass --ack, surface clock_pending_ack
+    // so the notification record is visibly waiting on acknowledgement.
+    const clockPendingAck = !clockStart
+      && obligation?.clock_starts === 'detect_confirmed'
+      && agentSignals?.detection_classification === 'detected'
+      && !(runOpts && runOpts.operator_consent && runOpts.operator_consent.explicit === true);
     const deadline = obligation && clockStart
       ? new Date(clockStart.getTime() + obligation.window_hours * 3600 * 1000).toISOString()
       : 'pending_clock_start_event';
@@ -756,20 +1294,45 @@ function close(playbookId, directiveId, analyzeResult, validateResult, agentSign
       window_hours: obligation?.window_hours ?? null,
       clock_start_event: obligation?.clock_starts || null,
       clock_started_at: clockStart?.toISOString() || null,
+      ...(clockPendingAck ? { clock_pending_ack: true } : {}),
       deadline,
       // Alias matching compliance-team vocabulary.
       notification_deadline: deadline,
       // Evidence the regulator expects attached (from the obligation, not
       // just the operator-facing recipient bundle on the notification entry).
       evidence_required: obligation?.evidence_required || na.evidence_attached || [],
-      draft_notification: interpolate(na.draft_notification, { ...agentSignals, ...analyzeFindingShape(analyzeResult) })
+      // F14: track missing interpolation variables so operators see exactly
+      // which template vars failed to resolve. Empty array when all
+      // placeholders rendered cleanly.
+      ...(function () {
+        const missing = [];
+        // F20: analyzeFindingShape is a pure transform but defensive-wrap
+        // it so a malformed analyze result (missing matched_cves, etc.)
+        // can't bring down the whole close phase. Failures surface in
+        // runtime_errors via runOpts._runErrors when available.
+        let findingShape;
+        try { findingShape = analyzeFindingShape(analyzeResult); }
+        catch (e) {
+          if (Array.isArray(runOpts._runErrors)) {
+            runOpts._runErrors.push({ kind: 'analyze_shape', message: (e && e.message) ? String(e.message) : String(e) });
+          }
+          findingShape = {};
+        }
+        const draft = interpolate(
+          na.draft_notification,
+          { ...agentSignals, ...findingShape },
+          missing,
+        );
+        return { draft_notification: draft, missing_interpolation_vars: missing };
+      })(),
     };
   });
 
   // exception_generation — evaluate trigger.
   let exception = null;
   if (c.exception_generation) {
-    const triggered = evalCondition(c.exception_generation.trigger_condition, agentSignals, playbook);
+    const closeEvalCtx = runOpts._runErrors ? { ...agentSignals, _runErrors: runOpts._runErrors } : agentSignals;
+    const triggered = evalCondition(c.exception_generation.trigger_condition, closeEvalCtx, playbook);
     if (triggered) {
       const t = c.exception_generation.exception_template;
       exception = {
@@ -803,9 +1366,9 @@ function close(playbookId, directiveId, analyzeResult, validateResult, agentSign
     contents: c.evidence_package.contents || [],
     destination: c.evidence_package.destination || 'local_only',
     signed: c.evidence_package.signed !== false,
-    bundle_body: buildEvidenceBundle(primaryFormat, playbook, analyzeResult, validateResult, agentSignals),
+    bundle_body: buildEvidenceBundle(primaryFormat, playbook, analyzeResult, validateResult, agentSignals, sessionId),
     bundles_by_format: extraFormats.length ? Object.fromEntries(
-      [primaryFormat, ...extraFormats].map(f => [f, buildEvidenceBundle(f, playbook, analyzeResult, validateResult, agentSignals)])
+      [primaryFormat, ...extraFormats].map(f => [f, buildEvidenceBundle(f, playbook, analyzeResult, validateResult, agentSignals, sessionId)])
     ) : null,
   } : null;
 
@@ -847,7 +1410,11 @@ function close(playbookId, directiveId, analyzeResult, validateResult, agentSign
     analyze: analyzeResult,
     validate: validateResult,
     finding: analyzeFindingShape(analyzeResult),
-    ...agentSignals
+    ...agentSignals,
+    // E3: surface evalCondition regex failures from the feeds_into chain
+    // into the same accumulator. Without this the regex failure happens but
+    // analyze.runtime_errors[] never sees it.
+    ...(runOpts._runErrors ? { _runErrors: runOpts._runErrors } : {})
   };
   const feeds = (playbook._meta.feeds_into || [])
     .filter(f => evalCondition(f.condition, feedsCtx, playbook))
@@ -869,53 +1436,165 @@ function close(playbookId, directiveId, analyzeResult, validateResult, agentSign
     jurisdiction_clocks_count: notificationActions.filter(n => n && n.clock_started_at != null).length,
     exception: exception,
     regression_schedule: regressionSchedule,
-    feeds_into: feeds
+    feeds_into: feeds,
+    // F21: feeds_into surfaces downstream playbook IDs whose preconditions
+    // were satisfied by this run. The runner does NOT automatically chain
+    // into them — the agent / operator decides whether to invoke them.
+    // Surface that contract on the result so consumers don't assume an
+    // automated handoff happened.
+    feeds_into_auto_chained: false,
   };
 }
 
+// E8: severity ladder for active_exploitation. The worst-of reduction lets
+// analyzeFindingShape report the most-exploited CVE in the matched set, not
+// the first-encountered one. Higher index = worse.
+const ACTIVE_EXPLOITATION_RANK = { none: 0, unknown: 1, suspected: 2, confirmed: 3 };
+
+function worstActiveExploitation(matchedCves) {
+  let worst = null;
+  let worstRank = -1;
+  for (const c of (matchedCves || [])) {
+    const v = c && c.active_exploitation;
+    if (!v) continue;
+    const rank = ACTIVE_EXPLOITATION_RANK[v] ?? -1;
+    if (rank > worstRank) { worst = v; worstRank = rank; }
+  }
+  return worst || 'unknown';
+}
+
+// F4: severity ladder derived from rwep_adjusted. Playbooks reference
+// `finding.severity` in feeds_into and escalation_criteria conditions but
+// pre-fix analyzeFindingShape never emitted it, so those conditions silently
+// resolved against undefined. Thresholds:
+//   rwep >= 80 → critical
+//   rwep >= 50 → high
+//   rwep >= 20 → medium
+//   rwep <  20 → low
+function severityForRwep(rwep) {
+  const r = typeof rwep === 'number' ? rwep : 0;
+  if (r >= 80) return 'critical';
+  if (r >= 50) return 'high';
+  if (r >= 20) return 'medium';
+  return 'low';
+}
+
 function analyzeFindingShape(a) {
+  const matched = a.matched_cves || [];
+  const rwepAdjusted = a.rwep?.adjusted ?? 0;
   return {
-    matched_cve_ids: (a.matched_cves || []).map(c => c.cve_id).join(', '),
-    matched_cve_count: (a.matched_cves || []).length,
-    kev_listed_count: (a.matched_cves || []).filter(c => c.cisa_kev).length,
-    active_exploitation: (a.matched_cves || []).find(c => c.active_exploitation)?.active_exploitation || 'unknown',
-    rwep_adjusted: a.rwep?.adjusted ?? 0,
+    matched_cve_ids: matched.map(c => c.cve_id).join(', '),
+    // F19: sibling array form for consumers that want to iterate IDs
+    // without re-splitting the joined string. The joined form stays for
+    // backwards compatibility with notification-draft templates that
+    // interpolate `${matched_cve_ids}` verbatim.
+    matched_cve_ids_array: matched.map(c => c.cve_id),
+    matched_cve_count: matched.length,
+    kev_listed_count: matched.filter(c => c.cisa_kev).length,
+    // E8: previously this used .find() which returned the first matched CVE
+    // with a truthy active_exploitation. With two CVEs where #1 is
+    // 'suspected' and #2 is 'confirmed', operators saw 'suspected' on
+    // notification drafts — under-stating the threat. Now reduce to the
+    // worst rank across all matched CVEs.
+    active_exploitation: worstActiveExploitation(matched),
+    rwep_adjusted: rwepAdjusted,
     rwep_base: a.rwep?.base ?? 0,
+    // F4: severity surface for playbook conditions.
+    severity: severityForRwep(rwepAdjusted),
     blast_radius_score: a.blast_radius_score ?? 0,
     framework_id_first: a.framework_gap_mapping?.[0]?.framework || null,
     control_id_first: a.framework_gap_mapping?.[0]?.claimed_control || null
   };
 }
 
-function buildEvidenceBundle(format, playbook, analyze, validate, agentSignals) {
+// Slugify a string into a URN-safe segment ([a-z0-9_-]+ per RFC 8141 NSS).
+// Empty input → 'unknown' so we never emit zero-length segments.
+function urnSlug(s) {
+  if (s == null) return 'unknown';
+  const slug = String(s)
+    .toLowerCase()
+    .replace(/[^a-z0-9_-]+/g, '-')
+    .replace(/^-+|-+$/g, '');
+  return slug.length ? slug : 'unknown';
+}
+
+// Build the canonical product binding shared by CSAF + OpenVEX. CSAF's
+// product_tree must declare every product referenced from
+// vulnerabilities[].product_status; OpenVEX statements MUST carry a
+// `products` array per spec §4.3.
+function buildProductBinding(playbook, sessionId) {
+  const playbookSlug = urnSlug(playbook._meta.id);
+  const sessionSlug = urnSlug(sessionId || 'session');
+  const productId = `exceptd-target-${playbookSlug}-${sessionSlug}`;
+  const productPurl = `pkg:exceptd/scan/${sessionSlug}/${playbookSlug}`;
+  return {
+    productId,
+    productPurl,
+    productName: playbook.domain?.name || playbook._meta.id,
+  };
+}
+
+// Best-effort SARIF location list for an indicator hit. Indicator records
+// don't carry a direct artifact reference; we fall back to the playbook's
+// look-phase artifact source paths (the inspected files/processes). GitHub
+// Code Scanning hides results without `artifactLocation.uri`, so we
+// surface at least one candidate when any is known. Returns null when no
+// candidate exists — caller MUST omit `locations` rather than emit empty.
+function sarifLocationsForIndicator(playbook, indicator) {
+  const arts = (playbook.phases?.look?.artifacts) || [];
+  const candidates = arts
+    .map(a => a && (a.source || a.air_gap_alternative))
+    .filter(Boolean)
+    .map(src => String(src).split(/\s+(?:AND|OR)\s+/i)[0].trim())
+    .filter(src => src && !/^https?:/i.test(src));
+  if (!candidates.length) return null;
+  return [{ physicalLocation: { artifactLocation: { uri: candidates[0] } } }];
+}
+
+function buildEvidenceBundle(format, playbook, analyze, validate, agentSignals, sessionId) {
+  const playbookSlug = urnSlug(playbook._meta.id);
+  const { productId, productPurl, productName } = buildProductBinding(playbook, sessionId);
+
   // CSAF-2.0 shape. v0.11.5 (#82): include vulnerabilities for both matched
   // catalogue CVEs AND fired indicators (treated as advisory pseudo-CVEs
   // under `exceptd:` namespace), so playbooks without catalogue CVEs still
   // emit a non-empty bundle.
+  //
+  // v0.12.12 (B5): emit a product_tree so csaf_security_advisory documents
+  // pass NVD/ENISA/Red Hat dashboard validation. Every vulnerability
+  // entry references the product via product_status so the binding is
+  // real, not cosmetic.
   if (format === 'csaf-2.0') {
     const indicatorHits = (analyze._detect_indicators || []).filter(i => i.verdict === 'hit');
-    const cveVulns = analyze.matched_cves.map(c => ({
-      cve: c.cve_id,
-      scores: [{ products: [], cvss_v3: { base_score: c.cvss_score || 0 } }],
-      threats: c.active_exploitation === 'confirmed' ? [{ category: 'exploit_status', details: 'Active exploitation confirmed (CISA KEV).' }] : [],
-      remediations: [{ category: 'vendor_fix', details: validate.selected_remediation?.description || 'See selected remediation path.' }]
-    }));
+    const fullProductNames = [{
+      product_id: productId,
+      name: productName,
+      product_identification_helper: { purl: productPurl }
+    }];
+    const cveVulns = analyze.matched_cves.map(c => {
+      const isAffected = c.live_patch_available !== true;
+      return {
+        cve: c.cve_id,
+        scores: [{ products: [productId], cvss_v3: { base_score: c.cvss_score || 0 } }],
+        threats: c.active_exploitation === 'confirmed' ? [{ category: 'exploit_status', details: 'Active exploitation confirmed (CISA KEV).' }] : [],
+        remediations: [{ category: 'vendor_fix', details: validate.selected_remediation?.description || 'See selected remediation path.', product_ids: [productId] }],
+        product_status: isAffected ? { known_affected: [productId] } : { fixed: [productId] }
+      };
+    });
     const indicatorVulns = indicatorHits.map(i => ({
-      // Pseudo-CVE id for indicator findings (CSAF requires `cve` or `ids`).
       ids: [{ system_name: 'exceptd-indicator', text: `${playbook._meta.id}:${i.id}` }],
       notes: [{ category: 'description', text: `Indicator ${i.id} fired (${i.confidence}${i.deterministic ? ' / deterministic' : ''}) in playbook ${playbook._meta.id}.` }],
-      remediations: [{ category: 'mitigation', details: validate.selected_remediation?.description || `Consult playbook brief: exceptd brief ${playbook._meta.id}.` }],
+      remediations: [{ category: 'mitigation', details: validate.selected_remediation?.description || `Consult playbook brief: exceptd brief ${playbook._meta.id}.`, product_ids: [productId] }],
+      product_status: { known_affected: [productId] }
     }));
-    // v0.11.6 (#91): framework_gap_mapping → CSAF vulnerabilities. Each gap
-    // becomes a vulnerability keyed by the framework + control, with the
-    // gap text as the description and the required_control as the remediation.
     const gapVulns = (analyze.framework_gap_mapping || []).map((g, idx) => ({
       ids: [{ system_name: 'exceptd-framework-gap', text: `${g.framework}:${g.claimed_control || `gap-${idx}`}` }],
       notes: [
         { category: 'description', text: g.actual_gap || `Framework gap in ${g.framework} ${g.claimed_control || ''}` },
         { category: 'general', text: g.claimed_control ? `Claimed control: ${g.claimed_control}` : null },
       ].filter(n => n.text),
-      remediations: g.required_control ? [{ category: 'mitigation', details: g.required_control }] : [],
+      remediations: g.required_control ? [{ category: 'mitigation', details: g.required_control, product_ids: [productId] }] : [],
+      product_status: { under_investigation: [productId] }
     }));
     const now = new Date().toISOString();
     return {
@@ -925,17 +1604,21 @@ function buildEvidenceBundle(format, playbook, analyze, validate, agentSignals)
         publisher: { category: 'vendor', name: 'exceptd', namespace: 'https://exceptd.com' },
         title: `exceptd finding: ${playbook.domain.name} (${analyze.matched_cves.length} CVE(s), ${indicatorHits.length} indicator hit(s), ${(analyze.framework_gap_mapping || []).length} framework gap(s))`,
         tracking: {
-          id: `exceptd-${playbook._meta.id}-${Date.now()}`,
+          // F2/F9: CSAF tracking.id binds to the run's session_id (threaded
+          // from run() via close()) so attestation file names, OpenVEX
+          // @id, and CSAF tracking.id all share the same correlation
+          // identifier. Pre-fix the timestamp was used, so two runs in
+          // the same millisecond collided and one run's documents
+          // referenced ids that didn't match anything else on disk.
+          id: `exceptd-${playbook._meta.id}-${sessionId}`,
           status: 'final',
           version: playbook._meta.version,
           initial_release_date: now,
-          // v0.11.6 (#92): CSAF 2.0 §3.2.1.12 requires current_release_date
-          // non-null. Pre-0.11.6 we only set initial_release_date and
-          // downstream validators rejected the bundle.
           current_release_date: now,
           revision_history: [{ number: '1', date: now, summary: 'Initial finding emission' }]
         }
       },
+      product_tree: { full_product_names: fullProductNames },
       vulnerabilities: [...cveVulns, ...indicatorVulns, ...gapVulns],
       exceptd_extension: {
         classification: analyze._detect_classification,
@@ -953,36 +1636,54 @@ function buildEvidenceBundle(format, playbook, analyze, validate, agentSignals)
   // SARIF 2.1.0 — GitHub Code Scanning / VS Code SARIF Viewer / Azure DevOps
   // / most static-analysis tooling.
   //
-  // v0.11.5 (#82): emit results from BOTH matched_cves AND fired indicators.
-  // Pre-0.11.5 we emitted only matched_cves, which produced an empty bundle
-  // for playbooks like crypto-codebase / library-author whose domain.cve_refs
-  // is intentionally empty (the playbook checks process/posture, not catalog
-  // CVEs). Indicators that fire (verdict: hit) and framework gaps are now
-  // first-class SARIF results — a clean run still emits a usable bundle.
+  // v0.12.12 (B6): thread artifact source paths through to
+  // result.locations[].physicalLocation.artifactLocation.uri. GitHub Code
+  // Scanning hides results without populated locations, so the heuristic
+  // ensures clean playbook runs still surface findings in the alerts UI.
+  // v0.12.12 (B7): omit null property-bag keys so SARIF viewers don't
+  // render empty fields.
   if (format === 'sarif' || format === 'sarif-2.1.0') {
+    const stripNulls = (obj) => Object.fromEntries(Object.entries(obj).filter(([, v]) => v != null));
     const cveResults = analyze.matched_cves.map(c => ({
       ruleId: c.cve_id,
       level: c.rwep >= 90 ? 'error' : c.rwep >= 70 ? 'warning' : 'note',
       message: { text: `${c.cve_id}: RWEP ${c.rwep}, blast_radius ${analyze.blast_radius_score}. ${validate.selected_remediation?.description || ''}` },
-      properties: {
+      properties: stripNulls({
         kind: 'cve_match',
-        rwep: c.rwep, cisa_kev: c.cisa_kev, cisa_kev_due_date: c.cisa_kev_due_date,
-        active_exploitation: c.active_exploitation, ai_discovered: c.ai_discovered,
+        rwep: c.rwep,
+        cisa_kev: c.cisa_kev,
+        cisa_kev_due_date: c.cisa_kev_due_date ?? null,
+        active_exploitation: c.active_exploitation ?? null,
+        ai_discovered: c.ai_discovered ?? null,
         blast_radius_score: analyze.blast_radius_score,
-      }
+      }),
     }));
     const indicatorHits = (analyze._detect_indicators || []).filter(i => i.verdict === 'hit');
-    const indicatorResults = indicatorHits.map(i => ({
-      ruleId: i.id,
-      level: i.deterministic ? 'error' : (i.confidence === 'high' ? 'warning' : 'note'),
-      message: { text: `Indicator ${i.id} fired (${i.confidence}${i.deterministic ? ' / deterministic' : ''}). Playbook: ${playbook._meta.id}.` },
-      properties: { kind: 'indicator_hit', confidence: i.confidence, deterministic: i.deterministic, atlas_ref: i.atlas_ref, attack_ref: i.attack_ref },
-    }));
+    const indicatorResults = indicatorHits.map(i => {
+      const locs = sarifLocationsForIndicator(playbook, i);
+      const result = {
+        ruleId: i.id,
+        level: i.deterministic ? 'error' : (i.confidence === 'high' ? 'warning' : 'note'),
+        message: { text: `Indicator ${i.id} fired (${i.confidence}${i.deterministic ? ' / deterministic' : ''}). Playbook: ${playbook._meta.id}.` },
+        properties: stripNulls({
+          kind: 'indicator_hit',
+          confidence: i.confidence,
+          deterministic: i.deterministic,
+          atlas_ref: i.atlas_ref,
+          attack_ref: i.attack_ref,
+        }),
+      };
+      if (locs) result.locations = locs;
+      return result;
+    });
     const gapResults = (analyze.framework_gap_mapping || []).map((g, idx) => ({
       ruleId: `framework-gap-${idx}`,
+      // Framework gaps are control-design observations, not vulnerabilities —
+      // SARIF §3.27.9 `kind: informational` routes them appropriately.
+      kind: 'informational',
       level: 'note',
       message: { text: `${g.framework}: ${g.claimed_control} — ${g.actual_gap}${g.required_control ? '. Required: ' + g.required_control : ''}` },
-      properties: { kind: 'framework_gap', framework: g.framework, control: g.claimed_control },
+      properties: stripNulls({ kind: 'framework_gap', framework: g.framework, control: g.claimed_control }),
     }));
     const cveRules = analyze.matched_cves.map(c => ({
       id: c.cve_id, shortDescription: { text: c.cve_id },
@@ -995,11 +1696,6 @@ function buildEvidenceBundle(format, playbook, analyze, validate, agentSignals)
       fullDescription: { text: `Indicator from playbook ${playbook._meta.id}. Type: ${i.type}. Confidence: ${i.confidence}.` },
       defaultConfiguration: { level: i.deterministic ? 'error' : (i.confidence === 'high' ? 'warning' : 'note') },
     }));
-    // v0.11.6 (#93): SARIF spec §3.27.3 — every referenced ruleId SHOULD have
-    // a corresponding rule definition in tool.driver.rules. Pre-0.11.6 we
-    // referenced framework-gap-N ids without defining them; GitHub Code
-    // Scanning + VS Code SARIF Viewer + Azure DevOps would warn or fail to
-    // display rule context. Now we emit one rule per framework gap.
     const gapRules = (analyze.framework_gap_mapping || []).map((g, idx) => ({
       id: `framework-gap-${idx}`,
       shortDescription: { text: `${g.framework}: ${g.claimed_control || `gap-${idx}`}` },
@@ -1025,42 +1721,90 @@ function buildEvidenceBundle(format, playbook, analyze, validate, agentSignals)
     };
   }
 
-  // OpenVEX 0.2.0 — supply-chain VEX statements. v0.11.5 (#82): also include
-  // statements derived from fired indicators (treated as advisory findings)
-  // so playbooks with empty cve_refs still emit a meaningful bundle.
+  // OpenVEX 0.2.0 — supply-chain VEX statements.
+  //
+  // v0.12.12 (B1-B4): correctness sweep against the OpenVEX 0.2.0 spec.
+  //  - B1: every statement now carries a `products` array (spec MUST).
+  //  - B2: `status` derives from the verdict + confidence rather than being
+  //        hard-coded to `under_investigation`. Hits emit `affected` with
+  //        an action_statement; misses emit `not_affected` with a
+  //        justification; inconclusive findings keep `under_investigation`.
+  //  - B3: framework gaps are control-design observations, not
+  //        vulnerabilities — they are removed from the VEX emit path. They
+  //        remain in CSAF (informational notes) and SARIF (kind:
+  //        informational rules).
+  //  - B4: vulnerability `@id` values switch to the registered URN namespace
+  //        `urn:exceptd:indicator:<playbook>:<indicator-id>` (RFC 8141) so
+  //        they pass IRI validation in downstream VEX consumers.
   if (format === 'openvex' || format === 'openvex-0.2.0') {
     const issued = new Date().toISOString();
-    const cveStatements = analyze.matched_cves.map(c => ({
-      vulnerability: { '@id': c.cve_id, name: c.cve_id },
-      status: c.active_exploitation === 'confirmed' ? 'under_investigation' : (c.live_patch_available ? 'fixed' : 'affected'),
-      timestamp: issued,
-      action_statement: validate.selected_remediation?.description || null,
-      impact_statement: `RWEP ${c.rwep}. Blast radius ${analyze.blast_radius_score}/5.`
-    }));
-    const indicatorStatements = (analyze._detect_indicators || []).filter(i => i.verdict === 'hit').map(i => ({
-      vulnerability: { '@id': `exceptd:${playbook._meta.id}:${i.id}`, name: i.id },
-      status: 'under_investigation',
-      timestamp: issued,
-      action_statement: validate.selected_remediation?.description || `Run \`exceptd brief ${playbook._meta.id}\` for context.`,
-      impact_statement: `Indicator ${i.id} fired (${i.confidence}${i.deterministic ? '/deterministic' : ''}) in playbook ${playbook._meta.id}.`,
-    }));
-    // v0.11.6 (#91): framework gaps → OpenVEX statements. Each gap becomes
-    // a statement with a pseudo-CVE id under the exceptd:framework-gap
-    // namespace so VEX downstreams ingest them cleanly.
-    const gapStatements = (analyze.framework_gap_mapping || []).map((g, idx) => ({
-      vulnerability: { '@id': `exceptd:framework-gap:${g.framework}:${g.claimed_control || idx}`, name: `${g.framework} ${g.claimed_control || `gap-${idx}`}` },
-      status: 'under_investigation',
-      timestamp: issued,
-      action_statement: g.required_control || null,
-      impact_statement: g.actual_gap || `Framework gap in ${g.framework}.`,
-    }));
+    const productEntry = {
+      '@id': productPurl,
+      subcomponents: [{ '@id': productPurl }],
+    };
+    const remediationId = validate.selected_remediation?.id || (validate.remediation_paths?.[0]?.id) || null;
+    const remediationDescription = validate.selected_remediation?.description || null;
+    const actionStatementFor = (fallback) => {
+      if (remediationId && remediationDescription) {
+        return `Apply remediation from validate phase: ${remediationId}. ${remediationDescription}`;
+      }
+      if (remediationId) return `Apply remediation from validate phase: ${remediationId}`;
+      if (remediationDescription) return `Apply remediation from validate phase: ${remediationDescription}`;
+      return fallback;
+    };
+    const cveStatements = analyze.matched_cves.map(c => {
+      const stmt = {
+        vulnerability: { '@id': `urn:cve:${urnSlug(c.cve_id)}`, name: c.cve_id },
+        products: [productEntry],
+        timestamp: issued,
+        impact_statement: `RWEP ${c.rwep}. Blast radius ${analyze.blast_radius_score}/5.`,
+      };
+      if (c.live_patch_available) {
+        stmt.status = 'fixed';
+      } else {
+        stmt.status = 'affected';
+        stmt.action_statement = actionStatementFor('Apply remediation from validate phase.');
+      }
+      return stmt;
+    });
+    const indicatorStatements = (analyze._detect_indicators || [])
+      .filter(i => i.verdict === 'hit' || i.verdict === 'miss' || i.verdict === 'inconclusive')
+      .map(i => {
+        const stmt = {
+          vulnerability: {
+            '@id': `urn:exceptd:indicator:${playbookSlug}:${urnSlug(i.id)}`,
+            name: i.id,
+          },
+          products: [productEntry],
+          timestamp: issued,
+          impact_statement: `Indicator ${i.id} (${i.verdict}; ${i.confidence}${i.deterministic ? '/deterministic' : ''}) in playbook ${playbook._meta.id}.`,
+        };
+        if (i.verdict === 'hit') {
+          // Deterministic and high-confidence hits both map to `affected`.
+          // The `deterministic` flag describes regex specificity, not
+          // operator-evidence confidence — neither warrants
+          // under_investigation when the indicator actually fired.
+          stmt.status = 'affected';
+          stmt.action_statement = actionStatementFor(`Run \`exceptd brief ${playbook._meta.id}\` for context.`);
+        } else if (i.verdict === 'miss') {
+          stmt.status = 'not_affected';
+          stmt.justification = 'vulnerable_code_not_present';
+        } else {
+          stmt.status = 'under_investigation';
+        }
+        return stmt;
+      });
     return {
       '@context': 'https://openvex.dev/ns/v0.2.0',
-      '@id': `https://exceptd.com/vex/${playbook._meta.id}/${Date.now()}`,
+      // F2/F9: OpenVEX @id baked from session_id (not Date.now()) so the
+      // document URN aligns with CSAF tracking.id and on-disk
+      // attestation file name. Falls back to a urnSlug if sessionId
+      // somehow arrived empty.
+      '@id': `https://exceptd.com/vex/${playbookSlug}/${urnSlug(sessionId || 'session')}`,
       author: 'exceptd',
       timestamp: issued,
       version: 1,
-      statements: [...cveStatements, ...indicatorStatements, ...gapStatements],
+      statements: [...cveStatements, ...indicatorStatements],
     };
   }
 
@@ -1102,7 +1846,16 @@ function buildEvidenceBundle(format, playbook, analyze, validate, agentSignals)
     return { format: 'markdown', body: lines.join('\n') };
   }
 
-  return { format, note: 'Unknown format — supported: csaf-2.0, sarif, openvex, markdown.', analyze, validate };
+  // F16: pre-fix the fallback leaked raw analyze + validate internals
+  // (matched CVEs, framework gaps, residual-risk statements) under an
+  // arbitrary "format" name. Operators piping output to logging or
+  // third-party tooling could leak finding details just by typo'ing the
+  // format flag. Return the shape advertisement only.
+  return {
+    format,
+    note: 'Unknown format',
+    supported_formats: ['csaf-2.0', 'sarif', 'sarif-2.1.0', 'openvex', 'openvex-0.2.0', 'summary', 'markdown'],
+  };
 }
 
 // --- orchestrate: full run in one call ---
@@ -1122,6 +1875,22 @@ function buildEvidenceBundle(format, playbook, analyze, validate, agentSignals)
 function normalizeSubmission(submission, playbook) {
   if (!submission || typeof submission !== "object") return submission || {};
 
+  // F15: signal_overrides must be a plain object. Pre-fix, a non-object
+  // value (string "foo", array [...]) was spread into out.signal_overrides
+  // via `{ ...(submission.signal_overrides || {}) }`. Spreading a string
+  // splatted it into { '0': 'f', '1': 'o', '2': 'o' }, which then
+  // confused detect()'s indicator-id lookup. Strip and log instead.
+  if (submission.signal_overrides !== undefined && submission.signal_overrides !== null
+      && (typeof submission.signal_overrides !== 'object' || Array.isArray(submission.signal_overrides))) {
+    if (!submission._runErrors) submission._runErrors = [];
+    submission._runErrors.push({
+      kind: 'signal_overrides_invalid',
+      supplied_type: Array.isArray(submission.signal_overrides) ? 'array' : typeof submission.signal_overrides,
+      reason: 'signal_overrides must be a plain object mapping indicator-id → verdict.'
+    });
+    submission = { ...submission, signal_overrides: {} };
+  }
+
   // v0.11.3 #71 fix: the CLI may inject `signals._bundle_formats` before
   // calling normalize (for --format <fmt> support). Pre-0.11.3 normalize
   // detected the injected `signals` key and bailed, leaving the flat
@@ -1160,7 +1929,12 @@ function normalizeSubmission(submission, playbook) {
   // v0.11.5 (#85): track which observation produced each signal_override so
   // detect can emit `from_observation` on each indicator result. Diagnostic
   // value for operators chasing "which observation drove this verdict".
+  //
+  // E9: when two observations target the same indicator id, last-write-wins
+  // silently. Track discards in _signal_origins_collisions so analyze can
+  // surface analyze.signal_origins_with_collisions for batch evidence runs.
   out._signal_origins = out._signal_origins || {};
+  out._signal_origins_collisions = out._signal_origins_collisions || [];
   for (const [key, val] of Object.entries(submission.observations || {})) {
     if (knownPreconditions.has(key)) {
       out.precondition_checks[key] = val === "ok" || val === true || val === "true";
@@ -1170,7 +1944,20 @@ function normalizeSubmission(submission, playbook) {
       const aid = knownArtifacts.has(key) ? key : (val.artifact || key);
       out.artifacts[aid] = { value: val.value, captured: val.captured !== false };
       if (val.indicator && val.result !== undefined) {
-        out.signal_overrides[val.indicator] = canonicalizeOutcome(val.result);
+        const newVerdict = canonicalizeOutcome(val.result);
+        if (out.signal_overrides[val.indicator] !== undefined && out._signal_origins[val.indicator] !== undefined) {
+          // Collision: a prior observation already set this indicator.
+          // Record the prior (which is now discarded) into the collision
+          // log, then overwrite with the new one (last-write-wins).
+          out._signal_origins_collisions.push({
+            indicator_id: val.indicator,
+            source_observation_key: out._signal_origins[val.indicator],
+            verdict: out.signal_overrides[val.indicator],
+            discarded: true,
+            replaced_by: key
+          });
+        }
+        out.signal_overrides[val.indicator] = newVerdict;
         out._signal_origins[val.indicator] = key;
       }
     }
@@ -1225,7 +2012,41 @@ function autoDetectPreconditions(submission, playbook) {
 }
 
 function run(playbookId, directiveId, agentSubmission = {}, runOpts = {}) {
-  const playbook = loadPlaybook(playbookId);
+  // F7: catalog corruption surfaced at module-load now blocks runs cleanly.
+  if (_xrefLoadError) {
+    return {
+      ok: false,
+      blocked_by: 'catalog_corrupt',
+      error: _xrefLoadError,
+      reason: 'cve-catalog.json or an index could not be parsed at module load. Run `npm run build-indexes` to regenerate, or restore the file from git.'
+    };
+  }
+
+  let playbook;
+  try {
+    playbook = loadPlaybook(playbookId);
+  } catch (e) {
+    // F20: loadPlaybook failure → structured error (not crash).
+    return {
+      ok: false,
+      blocked_by: 'playbook_not_found',
+      error: (e && e.message) ? String(e.message) : String(e),
+      reason: `Failed to load playbook '${playbookId}'. Check that data/playbooks/${playbookId}.json exists.`
+    };
+  }
+
+  // F8: validate directiveId before any phase runs. Unknown id used to throw
+  // inside analyze()/findDirective() uncaught, surfacing as a 500-style stack
+  // trace. Now returns a clean structured error with the valid directive list.
+  const validDirectives = (playbook.directives || []).map(d => d.id);
+  if (!validDirectives.includes(directiveId)) {
+    return {
+      ok: false,
+      blocked_by: 'directive_not_found',
+      reason: `Directive '${directiveId}' not found in playbook '${playbookId}'.`,
+      valid_directives: validDirectives,
+    };
+  }
 
   // v0.11.0: accept flat submission shape (observations + verdict). Normalize
   // to the engine's internal nested shape before preflight/detect. Smart
@@ -1233,35 +2054,133 @@ function run(playbookId, directiveId, agentSubmission = {}, runOpts = {}) {
   // / the host platform matches — the runner can answer those itself rather
   // than blocking on AI declaration.
   agentSubmission = normalizeSubmission(agentSubmission, playbook);
+  // F22: capture pre-autoDetect submission preconditions so we report
+  // user-declared provenance, not engine-auto-resolved values.
+  const originalSubmissionPCs = { ...(agentSubmission.precondition_checks || {}) };
   agentSubmission = autoDetectPreconditions(agentSubmission, playbook);
 
-  const pre = preflight(playbook, { ...runOpts, precondition_checks: { ...(agentSubmission.precondition_checks || {}), ...(runOpts.precondition_checks || {}) } });
+  // F22: precondition_checks merge order is submission → runOpts (runOpts
+  // wins on collision). This is intentional: runOpts represents the most
+  // recent caller intent (CLI flags / programmatic injection from a host
+  // process), whereas submission was captured earlier during evidence
+  // collection. The order is documented here AND surfaced as
+  // preflight.precondition_check_source on the result so callers can see
+  // whether the value came from the submission, runOpts, or both
+  // (merged with runOpts winning). Provenance reports the ORIGINAL submission
+  // contents — autoDetectPreconditions adds engine-derived values that
+  // wouldn't be meaningful as "submission" provenance.
+  const fullSubmissionPCs = agentSubmission.precondition_checks || {};
+  const runOptsPCs = runOpts.precondition_checks || {};
+  const mergedPCs = { ...fullSubmissionPCs, ...runOptsPCs };
+  const pcSource = {};
+  for (const k of Object.keys(mergedPCs)) {
+    const inOrigSub = Object.prototype.hasOwnProperty.call(originalSubmissionPCs, k);
+    const inRun = Object.prototype.hasOwnProperty.call(runOptsPCs, k);
+    pcSource[k] = (inOrigSub && inRun) ? 'merged' : (inRun ? 'runOpts' : 'submission');
+  }
+  const pre = preflight(playbook, { ...runOpts, precondition_checks: mergedPCs });
   if (!pre.ok) {
-    return { ok: false, phase: 'preflight', blocked_by: pre.blocked_by, reason: pre.reason, issues: pre.issues };
+    return { ok: false, phase: 'preflight', blocked_by: pre.blocked_by, reason: pre.reason, issues: pre.issues, precondition_check_source: pcSource };
   }
 
   _activeRuns.add(playbookId);
   // Cross-process mutex lock for this run. preflight verified no other lock
   // exists; we acquire ours and release in the finally block.
   const lockPath = acquireLock(playbookId);
+  // E12: parse the playbook once at run() entry and thread the parsed object
+  // through each phase via runOpts._playbookCache. Each phase otherwise calls
+  // loadPlaybook() independently; for a single run that's seven reads + parses
+  // of the same file. Cached version saves the redundant I/O + JSON parses.
+  //
+  // F2/F9: session_id generated ONCE here, threaded into close() via
+  // cachedRunOpts.session_id. Pre-fix close() generated its own session_id
+  // independently, so CSAF tracking.id / OpenVEX @id / product PURLs all
+  // diverged from the run()-returned session_id and the on-disk attestation
+  // file name. Operators correlating attestation files to embedded bundle
+  // URNs got mismatched ids.
+  const sessionId = runOpts.session_id || crypto.randomBytes(8).toString('hex');
+  const cachedRunOpts = { ...runOpts, _playbookCache: playbook, session_id: sessionId };
+  // E3: run-time error accumulator for evalCondition regex failures and other
+  // non-fatal anomalies surfaced into analyze.runtime_errors[].
+  const runErrors = [];
+  cachedRunOpts._runErrors = runErrors;
+  // E6: phases the runner should SKIP execution for, based on skip_phase
+  // preconditions surfaced in preflight.issues.
+  const skipPhases = new Set();
+  for (const issue of (pre.issues || [])) {
+    if (issue.kind === 'precondition_skip' && issue.skip_phase) {
+      skipPhases.add(issue.skip_phase);
+    }
+  }
   try {
     const phases = {
-      govern:   govern(playbookId, directiveId, runOpts),
-      direct:   direct(playbookId, directiveId),
-      look:     look(playbookId, directiveId, runOpts),
-      detect:   detect(playbookId, directiveId, agentSubmission),
+      govern:   govern(playbookId, directiveId, cachedRunOpts),
+      direct:   direct(playbookId, directiveId, cachedRunOpts),
+      look:     look(playbookId, directiveId, cachedRunOpts),
     };
-    phases.analyze  = analyze(playbookId, directiveId, phases.detect, agentSubmission.signals || {});
-    phases.validate = validate(playbookId, directiveId, phases.analyze, agentSubmission.signals || {});
-    phases.close    = close(playbookId, directiveId, phases.analyze, phases.validate, agentSubmission.signals || {}, runOpts);
+    if (skipPhases.has('detect')) {
+      const skipIssue = (pre.issues || []).find(i => i.kind === 'precondition_skip' && i.skip_phase === 'detect');
+      phases.detect = {
+        phase: 'detect',
+        playbook_id: playbookId,
+        directive_id: directiveId,
+        skipped: true,
+        reason: skipIssue ? skipIssue.id : 'precondition_skip',
+        classification: 'skipped',
+        indicators: [],
+        false_positive_checks_required: [],
+        indicators_evaluated: [],
+        indicators_evaluated_count: 0,
+        observations_received: [],
+        signals_received: []
+      };
+      // analyze() must still run, but with an empty submission so it doesn't
+      // resolve indicator hits against a non-existent detect result.
+      phases.analyze  = analyze(playbookId, directiveId, phases.detect, {}, cachedRunOpts);
+      // Annotate analyze with the skip vocabulary so consumers can branch.
+      phases.analyze.classification = 'skipped';
+    } else {
+      phases.detect   = detect(playbookId, directiveId, agentSubmission, cachedRunOpts);
+      phases.analyze  = analyze(playbookId, directiveId, phases.detect, agentSubmission.signals || {}, cachedRunOpts);
+    }
+    phases.validate = validate(playbookId, directiveId, phases.analyze, agentSubmission.signals || {}, cachedRunOpts);
+    phases.close    = close(playbookId, directiveId, phases.analyze, phases.validate, agentSubmission.signals || {}, cachedRunOpts);
+
+    // E3: analyze() already sliced runOpts._runErrors into
+    // phases.analyze.runtime_errors at return time. Validate + close may
+    // have pushed additional regex errors AFTER analyze returned; surface
+    // those onto phases.analyze.runtime_errors so the field reflects every
+    // regex failure in the run. De-dupe by JSON shape so the analyze-time
+    // snapshot doesn't double-count.
+    if (runErrors.length && phases.analyze) {
+      const existing = new Set((phases.analyze.runtime_errors || []).map(e => JSON.stringify(e)));
+      const additions = runErrors.filter(e => !existing.has(JSON.stringify(e)));
+      if (additions.length) {
+        phases.analyze.runtime_errors = (phases.analyze.runtime_errors || []).concat(additions);
+      }
+    }
 
-    const sessionId = runOpts.session_id || crypto.randomBytes(8).toString('hex');
+    // F1: evidence_hash binds the operator's submission to the verdict.
+    // Pre-fix the hash only covered { playbook, directive, cves, rwep,
+    // classification } — two operators submitting completely different
+    // evidence that happened to produce the same classification got the
+    // same evidence_hash, breaking the contract that the hash uniquely
+    // identifies a run. Now the hash includes a canonicalized SHA-256 over
+    // the submission (observations, signal_overrides, signals) with sorted
+    // keys recursively. `captured_at` and other timestamp-like fields are
+    // INTENTIONALLY excluded so that re-running with the same submission
+    // produces the same hash — `reattest` relies on this to detect drift
+    // (different submission → different hash → drift exists).
+    const submissionDigest = crypto.createHash('sha256')
+      .update(canonicalStringify(extractSubmissionForHash(agentSubmission)))
+      .digest('hex');
     const evidenceHash = crypto.createHash('sha256')
       .update(JSON.stringify({
         playbookId, directiveId,
         cves: phases.analyze.matched_cves.map(c => c.cve_id),
         rwep: phases.analyze.rwep.adjusted,
-        classification: phases.detect.classification
+        classification: phases.detect.classification,
+        submission_digest: submissionDigest,
       }))
       .digest('hex');
 
@@ -1271,7 +2190,11 @@ function run(playbookId, directiveId, agentSubmission = {}, runOpts = {}) {
       directive_id: directiveId,
       session_id: sessionId,
       evidence_hash: evidenceHash,
+      submission_digest: submissionDigest,
       preflight_issues: pre.issues,
+      // F22: source provenance for precondition_checks. Shape:
+      //   { '<pc-id>': 'submission' | 'runOpts' | 'merged', ... }
+      precondition_check_source: pcSource,
       phases
     };
   } finally {
@@ -1282,6 +2205,72 @@ function run(playbookId, directiveId, agentSubmission = {}, runOpts = {}) {
 
 // --- helpers ---
 
+/**
+ * F1: deterministic JSON stringification with recursively sorted keys.
+ * Without sorted keys two semantically identical submissions ({a:1, b:2}
+ * vs {b:2, a:1}) would hash to different digests, breaking reattest's
+ * "same submission → same hash" contract. Arrays preserve order
+ * (submission order is meaningful for evidence). null + primitives pass
+ * through directly. Avoids JSON.stringify's replacer indirection because
+ * a top-level array would otherwise miss the canonicalization recursion.
+ */
+function canonicalStringify(v) {
+  if (v === null || typeof v !== 'object') return JSON.stringify(v);
+  if (Array.isArray(v)) return '[' + v.map(canonicalStringify).join(',') + ']';
+  const keys = Object.keys(v).sort();
+  return '{' + keys.map(k => JSON.stringify(k) + ':' + canonicalStringify(v[k])).join(',') + '}';
+}
+
+/**
+ * F1: pick the operator-meaningful fields out of the normalized submission
+ * for hashing. captured_at, _signal_origins, _signal_origins_collisions,
+ * and _original_shape are intentionally excluded — they're either
+ * timestamps (would break "same submission → same hash") or runner-internal
+ * provenance metadata that isn't part of what the operator submitted.
+ */
+function extractSubmissionForHash(sub) {
+  if (!sub || typeof sub !== 'object') return {};
+  const pick = {};
+  // Strip captured_at from artifact entries so timestamp drift doesn't
+  // perturb the digest. The semantic content (value + captured-ness +
+  // optional indicator binding) is what matters for "did the operator
+  // submit the same evidence?".
+  if (sub.artifacts && typeof sub.artifacts === 'object') {
+    pick.artifacts = {};
+    for (const [k, v] of Object.entries(sub.artifacts)) {
+      if (v && typeof v === 'object') {
+        const { captured_at, _captured_at, ...rest } = v;
+        pick.artifacts[k] = rest;
+      } else {
+        pick.artifacts[k] = v;
+      }
+    }
+  }
+  if (sub.signal_overrides && typeof sub.signal_overrides === 'object') {
+    pick.signal_overrides = sub.signal_overrides;
+  }
+  if (sub.signals && typeof sub.signals === 'object') {
+    // vex_filter and vex_fixed may be Sets — convert to sorted arrays so
+    // canonicalStringify can serialize them.
+    const signals = {};
+    for (const [k, v] of Object.entries(sub.signals)) {
+      if (v instanceof Set) signals[k] = Array.from(v).sort();
+      else signals[k] = v;
+    }
+    pick.signals = signals;
+  }
+  if (sub.precondition_checks && typeof sub.precondition_checks === 'object') {
+    pick.precondition_checks = sub.precondition_checks;
+  }
+  if (sub.observations && typeof sub.observations === 'object') {
+    pick.observations = sub.observations;
+  }
+  if (sub.verdict && typeof sub.verdict === 'object') {
+    pick.verdict = sub.verdict;
+  }
+  return pick;
+}
+
 function evalCondition(expr, ctx, playbook) {
   if (!expr) return false;
   expr = expr.trim();
@@ -1340,7 +2329,23 @@ function evalCondition(expr, ctx, playbook) {
   if (m) {
     const val = resolvePath(ctx, m[1]);
     if (typeof val !== 'string') return false;
-    return new RegExp(m[2], 'i').test(val);
+    // E3: an operator-supplied or playbook-supplied regex with a syntax bug
+    // (or pathological backtracking) must NOT crash the engine mid-analyze.
+    // Catch construction + test exceptions, return false, and push a
+    // structured _regex_eval_error into ctx._runErrors (when present) so
+    // analyze() can surface analyze.runtime_errors[] without losing the
+    // diagnostic.
+    try {
+      return new RegExp(m[2], 'i').test(val);
+    } catch (e) {
+      const errorRec = { _regex_eval_error: { source: m[1], expr: m[2], message: e && e.message ? String(e.message) : String(e) } };
+      // Two sites where ctx may carry an accumulator: runOpts._runErrors
+      // (threaded from run()) or ctx._runErrors directly. Prefer the runOpts
+      // form; fall back to ctx.
+      if (ctx && Array.isArray(ctx._runErrors)) ctx._runErrors.push(errorRec);
+      else if (playbook && Array.isArray(playbook._runErrors)) playbook._runErrors.push(errorRec);
+      return false;
+    }
   }
 
   if (process.env.EXCEPTD_DEBUG) console.warn(`[runner] unknown condition: ${expr}`);
@@ -1398,13 +2403,35 @@ function stripOuterParens(expr) {
   return expr;
 }
 
-function computeClockStart(eventName, agentSignals) {
+/**
+ * Compute the start instant for a jurisdictional clock event. The agent
+ * submits clock_started_at_<event> ISO strings as it progresses through
+ * incident-response milestones.
+ *
+ * E7: per AGENTS.md Phase 7, the legal contract is that the clock starts
+ * from OPERATOR AWARENESS — not from the moment the engine emits a
+ * `detected` classification. Pre-fix, this auto-stamped Date.now() on
+ * detect_confirmed whenever the engine classified as detected, which is
+ * incorrect: the operator may not have seen the result yet. The corrected
+ * semantics:
+ *
+ *   - If the agent explicitly submits clock_started_at_<event>: use it.
+ *   - Otherwise, for 'detect_confirmed' with classification='detected':
+ *     stamp `now` ONLY if runOpts.operator_consent?.explicit === true
+ *     (i.e. the operator passed --ack). Without --ack, return null and
+ *     the caller (close()) surfaces clock_pending_ack: true on the
+ *     notification_actions entry so the operator sees that the clock is
+ *     waiting on acknowledgement.
+ *   - All other events without an explicit timestamp: return null.
+ */
+function computeClockStart(eventName, agentSignals, runOpts = {}) {
   // The agent submits clock_started_at_<event> ISO strings as it progresses.
   const key = `clock_started_at_${eventName}`;
-  if (agentSignals[key]) return new Date(agentSignals[key]);
-  // Fallback: use the standard 'detect_confirmed' default of "now" for the
-  // most common case so notification deadlines aren't always pending.
-  if (eventName === 'detect_confirmed' && agentSignals.detection_classification === 'detected') {
+  if (agentSignals && agentSignals[key]) return new Date(agentSignals[key]);
+  // For detect_confirmed: only auto-stamp when the operator has explicitly
+  // acknowledged the result via --ack. Otherwise leave the clock pending.
+  if (eventName === 'detect_confirmed' && agentSignals?.detection_classification === 'detected'
+      && runOpts && runOpts.operator_consent && runOpts.operator_consent.explicit === true) {
     return new Date();
   }
   return null;
@@ -1416,11 +2443,25 @@ function expressionKey(expr) {
   return m ? m[1] : expr;
 }
 
-function interpolate(tpl, ctx) {
+/**
+ * Substitute ${var} placeholders against ctx. F14: pre-fix, missing keys
+ * silently re-emitted the literal `${var}` placeholder, so notification
+ * drafts could ship to regulators with `${cisa_kev_due_date}` rendered as
+ * the raw template — a visible failure that operators wouldn't catch
+ * before sending. Now: render as `<MISSING:${var}>` so the failure mode
+ * is loud, AND if a tracker array is passed as the third argument,
+ * collect the missing keys for caller surfacing as
+ * missing_interpolation_vars[].
+ */
+function interpolate(tpl, ctx, missingTracker) {
   if (!tpl || typeof tpl !== 'string') return tpl;
   return tpl.replace(/\$\{(\w+)\}/g, (_, key) => {
-    const v = ctx[key];
-    return v !== undefined && v !== null ? String(v) : `\${${key}}`;
+    const v = ctx ? ctx[key] : undefined;
+    if (v !== undefined && v !== null) return String(v);
+    if (missingTracker && Array.isArray(missingTracker) && !missingTracker.includes(key)) {
+      missingTracker.push(key);
+    }
+    return `<MISSING:${key}>`;
   });
 }