@blamejs/exceptd-skills 0.12.11 → 0.12.15

package/bin/exceptd.js

@@ -541,10 +541,16 @@ function emit(obj, pretty, humanRenderer) {
 }
 
 function emitError(msg, extra, pretty) {
+  // v0.12.14 (audit A P1-2): the v0.11.13 emit() fix used exitCode + return
+  // to defend stdout-buffered writes from truncation under piped consumers.
+  // emitError() (stderr) kept process.exit(1), which has the same truncation
+  // class — CLAUDE.md's "fix the class, not the instance." Now: write to
+  // stderr, set exitCode = 1, return. Every caller already uses
+  // `return emitError(...)` so the return-value propagation is clean.
   const body = Object.assign({ ok: false, error: msg }, extra || {});
   const s = pretty ? JSON.stringify(body, null, 2) : JSON.stringify(body);
   process.stderr.write(s + "\n");
-  process.exit(1);
+  process.exitCode = 1;
 }
 
 function readEvidence(evidenceFlag) {
@@ -554,6 +560,17 @@ function readEvidence(evidenceFlag) {
     if (!buf.trim()) return {};
     return JSON.parse(buf);
   }
+  // v0.12.12: read enforces a max size to defend against an operator
+  // accidentally passing a multi-gigabyte file (binary, log, or
+  // adversarial JSON bomb). 32 MB is well beyond any legitimate
+  // submission and still drains in a single read on modern hardware.
+  const MAX_EVIDENCE_BYTES = 32 * 1024 * 1024;
+  let stat;
+  try { stat = fs.statSync(evidenceFlag); }
+  catch (e) { throw new Error(`evidence path not readable: ${e.message}`); }
+  if (stat.size > MAX_EVIDENCE_BYTES) {
+    throw new Error(`evidence file too large: ${stat.size} bytes > ${MAX_EVIDENCE_BYTES} byte limit. Reduce the submission or split into multiple playbook runs.`);
+  }
   return JSON.parse(fs.readFileSync(evidenceFlag, "utf8"));
 }
 
@@ -607,8 +624,39 @@ function dispatchPlaybook(cmd, argv) {
     airGap: !!args["air-gap"],
     forceStale: !!args["force-stale"],
   };
-  if (args["session-id"]) runOpts.session_id = args["session-id"];
-  if (args["attestation-root"]) runOpts.attestationRoot = args["attestation-root"];
+  if (args["session-id"]) {
+    // v0.12.12: --session-id is a filesystem path component (resolves to
+    // .exceptd/attestations/<id>/attestation.json). Operator-supplied input
+    // with `..` or path separators escapes the attestation root. Validate
+    // strict allowlist before propagating.
+    const sid = args["session-id"];
+    if (typeof sid !== "string" || !/^[A-Za-z0-9._-]{1,64}$/.test(sid)) {
+      return emitError(
+        "run: --session-id must match /^[A-Za-z0-9._-]{1,64}$/ (alphanumeric, dot, underscore, hyphen; up to 64 chars). Path separators and '..' are rejected.",
+        { provided: typeof sid === "string" ? sid.slice(0, 80) : typeof sid },
+        pretty
+      );
+    }
+    runOpts.session_id = sid;
+  }
+  if (args["attestation-root"]) {
+    // v0.12.12: --attestation-root must resolve to an absolute path the
+    // operator owns. Reject `..`-bearing relatives at input so a misconfigured
+    // env doesn't write outside the intended root. Final resolution still
+    // happens in resolveAttestationRoot — this is the input-validation layer.
+    const ar = args["attestation-root"];
+    if (typeof ar !== "string" || ar.length === 0) {
+      return emitError("run: --attestation-root must be a non-empty string.", { provided: typeof ar }, pretty);
+    }
+    if (ar.split(/[\\/]/).some(seg => seg === "..")) {
+      return emitError(
+        "run: --attestation-root must not contain '..' path segments. Pass an absolute path under your home directory or an explicit project-relative path without traversal.",
+        { provided: ar.slice(0, 200) },
+        pretty
+      );
+    }
+    runOpts.attestationRoot = path.resolve(ar);
+  }
   if (args["session-key"]) {
     // Bug #33: validate that --session-key is hex. Previously any string was
     // silently accepted; HMAC signing then either failed silently or produced
@@ -1395,7 +1443,26 @@ function cmdPlan(runner, args, runOpts, pretty) {
   emit(plan, pretty);
 }
 
+// v0.12.15 (audit L F1, F2): --scope must validate against the accepted
+// set. The prior shape silently returned [] for any unknown scope, which
+// in `run --scope nonsense` produced `count: 0` + exit 0 (cmd reports
+// "ran 0 playbooks") and in `ci --scope nonsense` silently ran only the
+// cross-cutting set (the union with `framework` produced a false-positive
+// PASS). Both are operator-intent loss patterns CLAUDE.md flags as the
+// "field-present, content-wrong" class.
+const VALID_SCOPES = ["system", "code", "service", "cross-cutting", "all"];
+
+function validateScopeOrThrow(scope) {
+  if (typeof scope !== "string" || !VALID_SCOPES.includes(scope)) {
+    throw new Error(
+      `--scope must be one of ${JSON.stringify(VALID_SCOPES)}; got ${JSON.stringify(scope)}.`
+    );
+  }
+  return scope;
+}
+
 function filterPlaybooksByScope(runner, scope) {
+  validateScopeOrThrow(scope);
   const ids = runner.listPlaybooks();
   return ids.filter(id => {
     try {
@@ -1471,7 +1538,8 @@ function cmdRun(runner, args, runOpts, pretty) {
     if (args.all) {
       ids = runner.listPlaybooks();
     } else {
-      ids = filterPlaybooksByScope(runner, args.scope);
+      try { ids = filterPlaybooksByScope(runner, args.scope); }
+      catch (e) { return emitError(`run: ${e.message}`, { provided_scope: args.scope }, pretty); }
     }
     return cmdRunMulti(runner, ids, args, runOpts, pretty, { trigger: args.all ? "--all" : `--scope ${args.scope}` });
   }
@@ -1651,8 +1719,11 @@ function cmdRun(runner, args, runOpts, pretty) {
         hint: "Pass --force-overwrite to replace, or supply a fresh --session-id (omit the flag for an auto-generated hex).",
         verb: "run",
       };
+      // v0.12.14 (audit A P1-2): exitCode + return instead of process.exit
+      // so the stderr line drains under piped CI consumers.
       process.stderr.write(JSON.stringify(err) + "\n");
-      process.exit(3);
+      process.exitCode = 3;
+      return;
     }
     if (persistResult.prior_session_id) {
       // Force-overwrite happened — surface the prior_session_id in the
@@ -1665,8 +1736,10 @@ function cmdRun(runner, args, runOpts, pretty) {
   }
 
   if (result && result.ok === false) {
+    // v0.12.14: exitCode + return; matches the emitError class fix.
     process.stderr.write((pretty ? JSON.stringify(result, null, 2) : JSON.stringify(result)) + "\n");
-    process.exit(1);
+    process.exitCode = 1;
+    return;
   }
 
   // v0.11.6 (#96): --strict-preconditions escalates warn-level preflight
@@ -1678,6 +1751,14 @@ function cmdRun(runner, args, runOpts, pretty) {
       i.kind === "precondition_unverified" || i.kind === "precondition_warn"
     );
     if (warnIssues.length > 0) {
+      // v0.12.12: surface the contract violation in the emitted body so
+      // downstream consumers grepping the JSON see WHY the exit is non-zero.
+      // result.ok stays true (the playbook executed) but the explicit flag
+      // makes the strict-preconditions contract observable, not just inferable
+      // from exit code + stderr line.
+      result.strict_preconditions_violated = warnIssues.map(i => ({
+        id: i.id, kind: i.kind, message: i.message || null, on_fail: i.on_fail || null,
+      }));
       process.stderr.write(`[exceptd run] --strict-preconditions: ${warnIssues.length} unverified/warn precondition(s) — exit 1.\n`);
       emit(result, pretty);
       // v0.11.11: exitCode + return so emit()'s stdout flushes (process.exit
@@ -1922,13 +2003,28 @@ function cmdRunMulti(runner, ids, args, runOpts, pretty, meta) {
   // contract in one pass.
   if (args["evidence-dir"]) {
     const dir = args["evidence-dir"];
+    if (typeof dir !== "string" || dir.length === 0) {
+      return emitError("run: --evidence-dir must be a non-empty string.", null, pretty);
+    }
     if (!fs.existsSync(dir)) {
       return emitError(`run: --evidence-dir ${dir} does not exist.`, null, pretty);
     }
+    const resolvedDir = path.resolve(dir);
+    // v0.12.12: only `<playbook-id>.json` entries are honored. Reject
+    // anything where the filename strip leaves traversal segments — npm
+    // refuses to write such filenames so the realistic risk is an operator
+    // symlink/junction inside the dir, but the filter is cheap.
     for (const f of fs.readdirSync(dir).filter(x => x.endsWith(".json"))) {
       const pbId = f.replace(/\.json$/, "");
+      if (!/^[A-Za-z0-9_.-]+$/.test(pbId)) {
+        return emitError(`run: --evidence-dir entry ${JSON.stringify(f)} has unsafe playbook-id segment.`, null, pretty);
+      }
+      const entryPath = path.resolve(path.join(resolvedDir, f));
+      if (!entryPath.startsWith(resolvedDir + path.sep)) {
+        return emitError(`run: --evidence-dir entry ${f} resolves outside the directory; refusing.`, null, pretty);
+      }
       try {
-        bundle[pbId] = JSON.parse(fs.readFileSync(path.join(dir, f), "utf8"));
+        bundle[pbId] = JSON.parse(fs.readFileSync(entryPath, "utf8"));
       } catch (e) {
         return emitError(`run: failed to parse --evidence-dir entry ${f}: ${e.message}`, null, pretty);
       }
@@ -2128,47 +2224,86 @@ function deriveRunTag() {
 function persistAttestation(args) {
   const { sessionId, playbookId, directiveId, evidenceHash, operator,
           operatorConsent, submission, runOpts, forceOverwrite, filename } = args;
+  // v0.12.12: session-id is supposed to be sanitized at input. Defense in
+  // depth: reject anything that path-traverses out of the attestation root.
+  if (!/^[A-Za-z0-9._-]{1,64}$/.test(sessionId || "")) {
+    return {
+      ok: false,
+      error: `Refusing to persist attestation with unsafe session-id: ${JSON.stringify(sessionId).slice(0, 80)}. Must match /^[A-Za-z0-9._-]{1,64}$/.`,
+      existingPath: null,
+    };
+  }
+  if (!/^[A-Za-z0-9._-]{1,64}\.json$/.test(filename || "")) {
+    return {
+      ok: false,
+      error: `Refusing to persist attestation with unsafe filename: ${JSON.stringify(filename).slice(0, 80)}.`,
+      existingPath: null,
+    };
+  }
   const root = resolveAttestationRoot(runOpts);
   const dir = path.join(root, sessionId);
   const filePath = path.join(dir, filename);
-
-  let prior = null;
-  if (fs.existsSync(filePath)) {
-    try { prior = JSON.parse(fs.readFileSync(filePath, "utf8")); } catch {}
-    if (!forceOverwrite) {
-      return {
-        ok: false,
-        error: `Attestation already exists at ${path.relative(process.cwd(), filePath)}. Session-id collision (${sessionId}) — refusing to overwrite to preserve audit trail.`,
-        existingPath: path.relative(process.cwd(), filePath),
-      };
-    }
+  // Final-resolution check: dir must remain inside root after normalization.
+  const normRoot = path.resolve(root) + path.sep;
+  if (!(path.resolve(dir) + path.sep).startsWith(normRoot)) {
+    return {
+      ok: false,
+      error: `Refusing to persist attestation outside root. session_id=${sessionId} root=${root}`,
+      existingPath: null,
+    };
   }
 
   try {
     fs.mkdirSync(dir, { recursive: true });
-    const attestation = {
-      session_id: sessionId,
-      playbook_id: playbookId,
-      directive_id: directiveId,
-      evidence_hash: evidenceHash,
-      operator: operator || null,
-      operator_consent: operatorConsent || null,
-      submission,
-      run_opts: { airGap: runOpts.airGap, forceStale: runOpts.forceStale, mode: runOpts.mode },
-      captured_at: new Date().toISOString(),
-      // When overwriting (with --force-overwrite), link to the prior content
-      // by evidence_hash + capture timestamp. session_id is the same (that's
-      // why we collided), so it's the hash + timestamp that distinguish.
-      prior_evidence_hash: prior ? (prior.evidence_hash || null) : null,
-      prior_captured_at: prior ? (prior.captured_at || null) : null,
-    };
-    fs.writeFileSync(filePath, JSON.stringify(attestation, null, 2));
-    maybeSignAttestation(filePath);
-    return {
-      ok: true,
-      prior_session_id: prior ? sessionId : null,
-      overwrote_at: prior ? prior.captured_at : null,
+    const writeAttestation = (priorEvidenceHash, priorCapturedAt, flag) => {
+      const attestation = {
+        session_id: sessionId,
+        playbook_id: playbookId,
+        directive_id: directiveId,
+        evidence_hash: evidenceHash,
+        operator: operator || null,
+        operator_consent: operatorConsent || null,
+        submission,
+        run_opts: { airGap: runOpts.airGap, forceStale: runOpts.forceStale, mode: runOpts.mode },
+        captured_at: new Date().toISOString(),
+        // When overwriting (with --force-overwrite), link to the prior content
+        // by evidence_hash + capture timestamp. session_id is the same (that's
+        // why we collided), so it's the hash + timestamp that distinguish.
+        prior_evidence_hash: priorEvidenceHash,
+        prior_captured_at: priorCapturedAt,
+      };
+      // Atomic-create via O_EXCL ('wx' flag) eliminates the TOCTOU window
+      // between existsSync and writeFileSync. Two concurrent run-with-same-
+      // session-id invocations now produce one winner + one EEXIST loser,
+      // not silent last-write-wins.
+      fs.writeFileSync(filePath, JSON.stringify(attestation, null, 2), { flag });
+      maybeSignAttestation(filePath);
     };
+
+    try {
+      writeAttestation(null, null, "wx");
+      return { ok: true, prior_session_id: null, overwrote_at: null };
+    } catch (eExcl) {
+      if (eExcl.code !== "EEXIST") throw eExcl;
+      // Slot already taken — read prior to chain audit trail, then decide.
+      let prior = null;
+      try { prior = JSON.parse(fs.readFileSync(filePath, "utf8")); } catch { /* malformed prior — proceed */ }
+      if (!forceOverwrite) {
+        return {
+          ok: false,
+          error: `Attestation already exists at ${path.relative(process.cwd(), filePath)}. Session-id collision (${sessionId}) — refusing to overwrite to preserve audit trail.`,
+          existingPath: path.relative(process.cwd(), filePath),
+        };
+      }
+      writeAttestation(prior ? (prior.evidence_hash || null) : null,
+                       prior ? (prior.captured_at || null) : null,
+                       "w");
+      return {
+        ok: true,
+        prior_session_id: prior ? sessionId : null,
+        overwrote_at: prior ? prior.captured_at : null,
+      };
+    }
   } catch (e) {
     return { ok: false, error: `Failed to write attestation: ${e.message}`, existingPath: null };
   }
@@ -2243,12 +2378,43 @@ function maybeSignAttestation(filePath) {
  * default root and the legacy cwd-relative root; returns whichever exists.
  * Returns null if neither has the session.
  */
+/**
+ * v0.12.14 (audit A P1-1): session-id validation — applied at every READ
+ * site, not just writes. The write path (persistAttestation) was hardened
+ * in v0.12.12, but the read paths (findSessionDir / cmdAttest / cmdReattest)
+ * accepted arbitrary strings and joined them into path.join(root, id) with
+ * no normalization. Reproducer that exfiltrated $HOME/.claude.json:
+ *   exceptd attest show '../../..'
+ *
+ * Validation regex + root-confinement check matches persistAttestation.
+ */
+function validateSessionIdForRead(sessionId) {
+  if (typeof sessionId !== "string" || !/^[A-Za-z0-9._-]{1,64}$/.test(sessionId)) {
+    throw new Error(
+      `Invalid session-id: ${JSON.stringify(sessionId).slice(0, 80)}. Must match /^[A-Za-z0-9._-]{1,64}$/.`
+    );
+  }
+  return sessionId;
+}
+
 function findSessionDir(sessionId, runOpts) {
+  // v0.12.14 (audit A P1-1): validate the session-id at every read path.
+  try { validateSessionIdForRead(sessionId); }
+  catch { return null; }
   const candidates = [
     path.join(resolveAttestationRoot(runOpts), sessionId),
     path.join(process.cwd(), ".exceptd", "attestations", sessionId),
   ];
-  for (const c of candidates) if (fs.existsSync(c)) return c;
+  for (const c of candidates) {
+    // Final-resolution check: the resolved candidate must stay strictly
+    // inside its parent root after normalization. Defense in depth on top
+    // of the regex check above — catches anything that survives the
+    // string-level filter.
+    const parent = path.dirname(c);
+    const resolved = path.resolve(c);
+    if (!resolved.startsWith(path.resolve(parent) + path.sep)) continue;
+    if (fs.existsSync(c)) return c;
+  }
   return null;
 }
 
@@ -3274,6 +3440,26 @@ function cmdDoctor(runner, args, runOpts, pretty) {
 }
 
 function cmdListAttestations(runner, args, runOpts, pretty) {
+  // v0.12.14 (audit A P2-3): --playbook is registered as `multi:` so
+  // `--playbook a --playbook b` lands as an array. The prior filter used
+  // strict equality (`j.playbook_id !== args.playbook`) — always false for
+  // array, silently producing count: 0. Normalize to a Set up-front.
+  const playbookFilter = (() => {
+    if (args.playbook == null) return null;
+    const list = Array.isArray(args.playbook) ? args.playbook : [args.playbook];
+    return new Set(list.filter(x => typeof x === "string" && x.length > 0));
+  })();
+  // v0.12.14 (audit A P2-6): --since must be a parseable ISO-8601 timestamp.
+  // Prior behavior silently accepted any string and lexically compared to
+  // captured_at, producing 0-result or full-result depending on the string.
+  if (args.since != null) {
+    if (typeof args.since !== "string" || isNaN(Date.parse(args.since))) {
+      return emitError(
+        `attest list: --since must be a parseable ISO-8601 timestamp (e.g. 2026-05-01 or 2026-05-01T00:00:00Z). Got: ${JSON.stringify(String(args.since)).slice(0, 80)}`,
+        null, pretty
+      );
+    }
+  }
   // Enumerate sessions across both v0.11.0 default root and legacy cwd-
   // relative root, so operators with prior attestations still see them.
   const roots = [resolveAttestationRoot(runOpts), path.join(process.cwd(), ".exceptd", "attestations")];
@@ -3291,7 +3477,8 @@ function cmdListAttestations(runner, args, runOpts, pretty) {
       for (const f of files) {
         try {
           const j = JSON.parse(fs.readFileSync(path.join(sdir, f), "utf8"));
-          if (args.playbook && j.playbook_id !== args.playbook) continue;
+          // v0.12.14: normalized array-set filter (see top of fn).
+          if (playbookFilter && !playbookFilter.has(j.playbook_id)) continue;
           if (args.since && (j.captured_at || "") < args.since) continue;
           entries.push({
             session_id: sid,
@@ -3311,7 +3498,7 @@ function cmdListAttestations(runner, args, runOpts, pretty) {
     ok: true,
     attestations: entries,
     count: entries.length,
-    filter: { playbook: args.playbook || null, since: args.since || null },
+    filter: { playbook: playbookFilter ? [...playbookFilter] : null, since: args.since || null },
     roots_searched: [...seenRoots],
   }, pretty, (obj) => {
     // v0.11.6 (#95) human renderer for attest list: one row per session.
@@ -3367,8 +3554,14 @@ function cmdAiRun(runner, args, runOpts, pretty) {
     directPhase = runner.direct(playbookId, directiveId);
     lookPhase = runner.look(playbookId, directiveId, runOpts);
   } catch (e) {
-    process.stdout.write(JSON.stringify({ event: "error", reason: e.message, phase: "info" }) + "\n");
-    process.exit(1);
+    // v0.12.12 (T8): process.exit(1) immediately after a stdout write can
+    // truncate buffered output under piped consumers (same class as v0.11.10
+    // #100). Use exitCode+return so the JSONL error frame drains. Also write
+    // the framed error event so the stdout-only JSONL contract holds — host
+    // AIs reading this stream must see structured frames, never bare text.
+    process.stdout.write(JSON.stringify({ event: "error", reason: e.message, phase: "info", playbook_id: playbookId, directive_id: directiveId }) + "\n");
+    process.exitCode = 1;
+    return;
   }
 
   const governEvent = {
@@ -3444,8 +3637,41 @@ function cmdAiRun(runner, args, runOpts, pretty) {
       return emitError(`ai-run: runner threw: ${e.message}`, { playbook: playbookId }, pretty);
     }
     if (!result || result.ok === false) {
+      // v0.12.12: same exit-after-write anti-pattern as the pre-stream
+      // load path. Use exitCode + return so stderr drains.
       process.stderr.write((pretty ? JSON.stringify(result || {}, null, 2) : JSON.stringify(result || {})) + "\n");
-      process.exit(1);
+      process.exitCode = 1;
+      return;
+    }
+    // v0.12.14 (audit A P2-1): ai-run --no-stream previously emitted a
+    // session_id but never persisted the attestation, so the AI agent
+    // calling ai-run couldn't chain into `attest show / verify / diff`
+    // or `reattest` with the returned id. Now: same persistAttestation
+    // shape as cmdRun, so AI-facing flow round-trips cleanly.
+    if (result.session_id) {
+      const persistResult = persistAttestation({
+        sessionId: result.session_id,
+        playbookId: result.playbook_id || playbookId,
+        directiveId: result.directive_id || directiveId,
+        evidenceHash: result.evidence_hash,
+        operator: runOpts.operator,
+        operatorConsent: runOpts.operator_consent,
+        submission,
+        runOpts,
+        forceOverwrite: !!args["force-overwrite"],
+        filename: "attestation.json",
+      });
+      if (!persistResult.ok && !args["force-overwrite"]) {
+        // Collision without --force-overwrite. AI agents typically pass
+        // unique session ids each run, so this path is rare but surface
+        // it cleanly via the same JSONL contract.
+        process.stdout.write(JSON.stringify({
+          event: "error", reason: persistResult.error,
+          existing_attestation: persistResult.existingPath,
+        }) + "\n");
+        process.exitCode = 3;
+        return;
+      }
     }
     // v0.11.8 (#101): unify ai-run --no-stream shape with `run`. Pre-0.11.8
     // ai-run flattened phases to top-level (`govern`, `direct`, `look`, ...),
@@ -3523,6 +3749,28 @@ function cmdAiRun(runner, args, runOpts, pretty) {
     writeLine({ phase: "analyze", ...result.phases?.analyze });
     writeLine({ phase: "validate", ...result.phases?.validate });
     writeLine({ phase: "close", ...result.phases?.close });
+    // v0.12.14 (audit A P2-1): persist the attestation in streaming mode
+    // too. Without this, the session_id emitted in the `done` frame
+    // can't be resolved by `attest show / verify / diff` or `reattest`.
+    if (result.session_id) {
+      const persistResult = persistAttestation({
+        sessionId: result.session_id,
+        playbookId: result.playbook_id || playbookId,
+        directiveId: result.directive_id || directiveId,
+        evidenceHash: result.evidence_hash,
+        operator: runOpts.operator,
+        operatorConsent: runOpts.operator_consent,
+        submission,
+        runOpts,
+        forceOverwrite: !!args["force-overwrite"],
+        filename: "attestation.json",
+      });
+      if (!persistResult.ok && !args["force-overwrite"]) {
+        writeLine({ event: "error", reason: persistResult.error,
+                    existing_attestation: persistResult.existingPath });
+        return finish(3);
+      }
+    }
     writeLine({ event: "done", ok: true, session_id: result.session_id, evidence_hash: result.evidence_hash });
     return finish(0);
   };
@@ -3766,7 +4014,8 @@ function cmdCi(runner, args, runOpts, pretty) {
   } else if (args.all) {
     ids = runner.listPlaybooks();
   } else if (scope) {
-    ids = filterPlaybooksByScope(runner, scope);
+    try { ids = filterPlaybooksByScope(runner, scope); }
+    catch (e) { return emitError(`ci: ${e.message}`, { provided_scope: scope }, pretty); }
     // Always include cross-cutting playbooks regardless of scope choice.
     const cross = filterPlaybooksByScope(runner, "cross-cutting");
     ids = [...new Set([...ids, ...cross])];
@@ -3963,8 +4212,10 @@ function cmdCi(runner, args, runOpts, pretty) {
     emit({ verb: "ci", session_id: sessionId, format: fmt, bundles_count: bundles.length, bundles }, pretty);
   } else if (fmt && fmt !== "json") {
     // v0.11.4 (#76): garbage format rejected with structured error, not silent empty stdout.
+    // v0.12.14: exitCode + return; matches the emitError class fix.
     process.stderr.write(JSON.stringify({ ok: false, error: `ci: --format "${fmt}" not in accepted set ["summary","markdown","csaf-2.0","sarif","openvex","json"].`, verb: "ci" }) + "\n");
-    process.exit(2);
+    process.exitCode = 2;
+    return;
   } else {
     emit({ verb: "ci", session_id: sessionId, playbooks_run: ids, summary, results }, pretty);
   }

package/data/_indexes/_meta.json

@@ -1,61 +1,62 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-13T21:19:48.889Z",
+  "generated_at": "2026-05-14T16:47:17.975Z",
   "generator": "scripts/build-indexes.js",
-  "source_count": 49,
+  "source_count": 50,
   "source_hashes": {
-    "manifest.json": "b7e77cd5de579732b6dd352720557c3ba2ac93f472de50f4e1f861a665a2760b",
-    "data/atlas-ttps.json": "f3f75ff2778a0a2c7d953a21386bc4f265cb2685ce41242eee45f9e9f2a6add6",
-    "data/cve-catalog.json": "197f5313d93f0a7225d5ff275e21cbd067b3970a6f2fdc6da35f81c847e8bdee",
-    "data/cwe-catalog.json": "19ce1fad3ed0b0687ec9a328b2d6cd1b544eea7f19140234ec1a8467de1f908d",
+    "manifest.json": "e0db0f6421e782c796a972277b1ac6774222fa245ae109b87a29f5122a6eb972",
+    "data/atlas-ttps.json": "20339e0ae3cd89c06f1385be31c50f408f827edc2e8ab8aef026ade3bcf0a917",
+    "data/attack-techniques.json": "6db08a8e8a4d03d9309b1d185112de7f3c9595d2cd3d24566b7ce0b3b8aa5d1a",
+    "data/cve-catalog.json": "54e04fc72a1b85dd75d46dbbf646bed5f489f867df752800c62498fc0d4ee428",
+    "data/cwe-catalog.json": "19893d2a7139d86ff3fcf296b0e6cda10e357727a1d1ffb56af282104e99157a",
     "data/d3fend-catalog.json": "d219520c8d3eb61a270b25ea60f64721035e98a8d5d51d1a4e1f1140d9a586f9",
     "data/dlp-controls.json": "8ea8d907aea0a2cfd772b048a62122a322ba3284a5c36a272ad5e9d392564cb5",
-    "data/exploit-availability.json": "7dad52f459c324c40aa4df7cd9157f6a19f670fdfb9d8f687d777c9d99798668",
-    "data/framework-control-gaps.json": "9240ea4a825090fe2716947f2f6f9171c065a133ef003e04d2fbc4f01fc55bdf",
+    "data/exploit-availability.json": "24352ffa23c9f319624452497d9dcfc5c0a1d16255ad9557990acb4652ec5e1f",
+    "data/framework-control-gaps.json": "182417e662e36cd75a4c74f91c650131b58067fc412878094ff71eff3c1053cb",
     "data/global-frameworks.json": "84fd19061f052e4ccf66308a7b8d3fd38e00325e97e9e5e19e4d9b302c128957",
-    "data/rfc-references.json": "583360bae01e324d752bd28a7d344b4276478381426428d683fc82b0ac19d64a",
+    "data/rfc-references.json": "c0b684e586269bdb6864c55ae0e802742c6c103e81c7fff1613796bd460e727b",
     "data/zeroday-lessons.json": "d670e73dfd5237ceb71a56326676d90c05387b9547f8ed6f3a60a153854b444b",
-    "skills/kernel-lpe-triage/skill.md": "e8b8601cd3b66d25150bf17f2edd2ef18f10ca6d81ee62aaf874432ee5bdc4b3",
-    "skills/ai-attack-surface/skill.md": "2775fe50d58d6437fb629b2f796714ef76ff7b86d271ee5bbd4064b9ca0b0ef6",
-    "skills/mcp-agent-trust/skill.md": "de17a4eee67096c737f2eb5972828445021e674fe6c28434cca34d290825739c",
-    "skills/framework-gap-analysis/skill.md": "86c86761b91d04bcd1ec684fb3d65cf5c2881fde59b03d33fa59baddbbf64d31",
-    "skills/compliance-theater/skill.md": "e05a1df149b241421e86d81adcf4eae42697721f3a9ea8ffc54dd79cc03bd67b",
-    "skills/exploit-scoring/skill.md": "d51a5b7b614eb8d7fe539ec1943cfb6f0387e95cfe4eec39102564a9f93ac363",
-    "skills/rag-pipeline-security/skill.md": "061d9dd18fd930cddc11fdfa063847b9688d24fe785278e4d01f529f494d797c",
-    "skills/ai-c2-detection/skill.md": "a92158c113f7aa6a45be721727fda2957bbe9c52139e396e54f4bfa6a721a821",
-    "skills/policy-exception-gen/skill.md": "a6103dd567405f02ba767ee1ce2432c2c564688389efc789cf05cd61c4c8774c",
-    "skills/threat-model-currency/skill.md": "438a5f8e193a2684c37fc329ab3ab6e0d4a0365a4a04cb9e6a14fc8ddc15dfc7",
-    "skills/global-grc/skill.md": "a9f4477368e260609793b77275e65e255b5c8067b7ae777047a70f3edb373e50",
-    "skills/zeroday-gap-learn/skill.md": "581ad3600287195d4e669627bcb3e07241375c11f0d68b73faad114a9e946d42",
-    "skills/pqc-first/skill.md": "5b4300d71890c16b1de31d380859babaa3631729cedb0c0a397a1ff097524773",
-    "skills/skill-update-loop/skill.md": "6956359babb31e6c21e9ca3e4331b895700747a28559f8cee5d81fee9d1d8a02",
-    "skills/security-maturity-tiers/skill.md": "92470f55e07027974359a5f3945e4bce6b849fc7fb849ab543f2d457393db98b",
-    "skills/researcher/skill.md": "1d1ad5a264f964cc9042058b492a4706fb2e8d26885b1137fef790325c5805d8",
-    "skills/attack-surface-pentest/skill.md": "40f5a6a6c80e6084a1c09fb0085d0083f4970385bf76098015e57fc17ad7b326",
+    "skills/kernel-lpe-triage/skill.md": "1da5a85a8728768055cba2e19f5c1a6cbb568a3dd49985a2cf1cf381f6ee30b0",
+    "skills/ai-attack-surface/skill.md": "922a36632ebb6026c97369168046972f9cd6e634c09fcb97facc830bebe25558",
+    "skills/mcp-agent-trust/skill.md": "c604074050a75c401d50d2d495129022ab4bd2fd5c1ca66bb648c26bc9bde301",
+    "skills/framework-gap-analysis/skill.md": "9add77ac4dd7d36090bae81d19d3be2b55ed9753dce75f176a7e7d205e2afd12",
+    "skills/compliance-theater/skill.md": "7c319cf78946d213eef6be9a1582c0f24658428ea7fddd0bd14ac81e6fa1f2fa",
+    "skills/exploit-scoring/skill.md": "f0e71ad7d9597088001b625e8b1ae18d936c527f48e9c12bacdbfbb8580444b6",
+    "skills/rag-pipeline-security/skill.md": "78f00a39e66f08da2894e28eeedb32137295ca019eba7110ab28282d613a97eb",
+    "skills/ai-c2-detection/skill.md": "095cab9daa072bfabc87152aea1b61ccd6da8f531753b05c181629f04014b5ca",
+    "skills/policy-exception-gen/skill.md": "79db45ba722a6dd9bba25bf84e0b52cf659b56b662193cef80a8273337e41df9",
+    "skills/threat-model-currency/skill.md": "694dbf0f8ec2d4ffbf893a507d054643620ab2618b56f87ade32f500345ec41b",
+    "skills/global-grc/skill.md": "e0487de49679172347653d8c191d1f269193de6f444f6b0c6396d326e45bd72e",
+    "skills/zeroday-gap-learn/skill.md": "cb11bbbec9fadf152d8f30bded22c40f29d63074a6729cd45a1628ee3cfbb181",
+    "skills/pqc-first/skill.md": "a5eb776e1ea3bb422a4c18a3bdf39ad2ec1651b3c25e65c89428ba319141b275",
+    "skills/skill-update-loop/skill.md": "95268eb083a22b164661c14db401f5c57995fdd1ca86b35fb399b0c8419c4273",
+    "skills/security-maturity-tiers/skill.md": "817f0bca44297d03fb206c446fbf3f93aa3a64c309d6ef5efd046e6e47874030",
+    "skills/researcher/skill.md": "51d03d9eaea52d2bbbdd67709035db494d44819ce58931ca025cab3025c9fad7",
+    "skills/attack-surface-pentest/skill.md": "8d404f6662d9bc3765d716ec7b38e302f17574a2267245fd68eeedfdbf212f42",
     "skills/fuzz-testing-strategy/skill.md": "83b1929a0d1e09a58908b91125ebc91ff14323ab9acc9bab6c4b04903b69b837",
-    "skills/dlp-gap-analysis/skill.md": "61149c692de109d5cfd00cada60478539f28374380b5ce17017603d71967ab58",
-    "skills/supply-chain-integrity/skill.md": "961eb734df9965fa726720ac9f849bdcdc32108625d1d589602005967b836ea8",
+    "skills/dlp-gap-analysis/skill.md": "11a299cdcf8902e22b8662e55369da9d8b5ae804edf237412df0ddbe684a04d0",
+    "skills/supply-chain-integrity/skill.md": "32c8c31b07caedf6146ab548a67a25408d9ae6ca1365edc6703782a3265de108",
     "skills/defensive-countermeasure-mapping/skill.md": "e62c71ba3be2b4d0f7dfa529fec007cba6bee3013f76b93756e3e6310f2d22ab",
-    "skills/identity-assurance/skill.md": "a4aff24b0d0f4684d144f85cbc74c8a9a5711a7ec9c6d473f677f053dc1c658c",
-    "skills/ot-ics-security/skill.md": "500a002b662217393243d093efa639cdf30ca76d1869d6c1896425492c5d652e",
+    "skills/identity-assurance/skill.md": "6fd734d5cf8eed031537c9ccb1ad11c09ec4e88d31c45d86046a2154a6770990",
+    "skills/ot-ics-security/skill.md": "d239ed497816e00ad14568e9fcca68ffdc7cb0c2a2cbd4960b35fab2065cce31",
     "skills/coordinated-vuln-disclosure/skill.md": "c96fd2254abf8a29819f8175da85094bea1afe589fecc92abcf1289b30895030",
-    "skills/threat-modeling-methodology/skill.md": "eb03a6c12c637c38917fecd97007459dfe99cbab5dfae696a736f08db13c124c",
-    "skills/webapp-security/skill.md": "009d9050e3c27f789efbc4c0dba4245b66d49182b503736be6a344591ba93f54",
-    "skills/ai-risk-management/skill.md": "1bbdba6b46efba8c88f8e7e1930777d39a65709ea434b6a53eed01814fa9fdad",
-    "skills/sector-healthcare/skill.md": "43608ca43eefc3a9238f6c6b0c7993e519420ffab5a18d96e17310f44ac6225a",
-    "skills/sector-financial/skill.md": "d7b538cd71a8384c9e19a86e7971049f2c1f651677e4ab9b5a1caf9526b178da",
-    "skills/sector-federal-government/skill.md": "0d18ede4d0c04975ea22bfa53b0f6d62eeb70861e16a27d239d25928fa3ff21f",
-    "skills/sector-energy/skill.md": "07ca8b582b3a94657006395ce0ef15ecb2030f676f119900b4fdb9b213f04200",
-    "skills/api-security/skill.md": "99af9882f57e884b3f66f1c17a4bc6ee24ed6531f0e28b3bdeccd5d77429ffa6",
-    "skills/cloud-security/skill.md": "18fc0f16689f3560023c9d919bec03070d3c2198dc186d1b7ca9cfe35fbfa108",
-    "skills/container-runtime-security/skill.md": "f481878aa40c42662424d32b320fc825e2550b7874224765e2150a97f0afeafb",
-    "skills/mlops-security/skill.md": "c9fb9281191b2684424f96b3d4447fe40907f633b0506e22100d909141f497be",
-    "skills/incident-response-playbook/skill.md": "27202d956fcc06c0cef7ad1ca6f352e2cdf06189516e22f796704a44c2ab2734",
-    "skills/email-security-anti-phishing/skill.md": "90e15fb89a36ac704cb092801130351a5c33bb7154bd023a347309c1a6a4f164",
+    "skills/threat-modeling-methodology/skill.md": "d57d1acc46851d4f1580858c60a90cc20732ca8a5a46da2c50e71c9bdf4cc0b4",
+    "skills/webapp-security/skill.md": "0e4726311edf96444773d84b8c0842678fe73f7625d415f860bd26fd4568f888",
+    "skills/ai-risk-management/skill.md": "4c46cce244bf22cf3814fcd8836da3725bc0c44f573846e49039827045096340",
+    "skills/sector-healthcare/skill.md": "97b4486419ab4480266bf2e938564d52bb1cdd70faae09697f695772adf02029",
+    "skills/sector-financial/skill.md": "db728a79cbd2ad149c45b34c0466452df7f4321ca968595042323b23ef7649f4",
+    "skills/sector-federal-government/skill.md": "48c3c019502c8b758598331dbad8a9b121f8dd3dc6fc68bfaf506eba7e3843e5",
+    "skills/sector-energy/skill.md": "875799aa2ad88744b646583fef0a3399abd42a979541dc99bf39825a5ef48ce9",
+    "skills/api-security/skill.md": "3ee3edd244a9240e42138edbec339ca28e01a662dfb83317af2d758ce355fb7a",
+    "skills/cloud-security/skill.md": "e0574c153aefbb0fc4581c78bc2d708ab7c49d6b5a45a985e51967b8ea740eb9",
+    "skills/container-runtime-security/skill.md": "921a7ac163e04fe8415986b0f54c1b3c8c4656576d72ccb6665dff3869c63003",
+    "skills/mlops-security/skill.md": "e3bb447033ec94b5ddc621e4b3c3ca7e971cde51584ab9653fb121a899a0eb81",
+    "skills/incident-response-playbook/skill.md": "c1033410b479f33a7a0e60a75ad02965fb70ba88f57203fa36e9c2418789e098",
+    "skills/email-security-anti-phishing/skill.md": "b5a7693b3ddbd6cd83303d092bc5e324db431245d25c4945d9f65fcffa1995e7",
     "skills/age-gates-child-safety/skill.md": "c741d7dca9da0abb09bdebb8a02e803ce4ae9fb9a6904fb8df3ec19cae83917d"
   },
   "skill_count": 38,
-  "catalog_count": 10,
+  "catalog_count": 11,
   "index_stats": {
     "xref_entries": {
       "cwe_refs": 34,
@@ -68,20 +69,20 @@
     },
     "trigger_table_entries": 453,
     "chains_cve_entries": 8,
-    "chains_cwe_entries": 53,
+    "chains_cwe_entries": 55,
     "jurisdictions_indexed": 29,
     "handoff_dag_nodes": 38,
     "summary_cards": 38,
     "section_offsets_skills": 38,
-    "token_budget_total_approx": 342364,
+    "token_budget_total_approx": 351655,
     "recipes": 8,
     "jurisdiction_clocks": 29,
     "did_ladders": 8,
     "theater_fingerprints": 7,
     "currency_action_required": 0,
     "frequency_fields": 7,
-    "activity_feed_events": 49,
-    "catalog_summaries": 10,
+    "activity_feed_events": 50,
+    "catalog_summaries": 11,
     "stale_content_findings": 0
   },
   "invalidation_note": "If any source file in source_hashes has a different SHA-256 than recorded here, the indexes are stale. Re-run `npm run build-indexes`."