@blamejs/exceptd-skills 0.12.11 → 0.12.15

package/lib/validate-catalog-meta.js

@@ -52,15 +52,17 @@ const PLACEHOLDER_TOKENS = [
 ];
 
 function parseArgs(argv) {
-  const opts = { quiet: false };
+  const opts = { quiet: false, strict: false };
   for (let i = 2; i < argv.length; i++) {
     const a = argv[i];
     if (a === '--quiet' || a === '-q') opts.quiet = true;
+    else if (a === '--strict') opts.strict = true;
     else if (a === '--help' || a === '-h') {
       console.log(
-        'Usage: node lib/validate-catalog-meta.js [--quiet]\n' +
+        'Usage: node lib/validate-catalog-meta.js [--quiet] [--strict]\n' +
           '\n' +
-          '  --quiet   Suppress per-catalog PASS output; show failures only.\n',
+          '  --quiet   Suppress per-catalog PASS output; show failures only.\n' +
+          '  --strict  Promote v0.13.0-preview warnings (freshness) to errors.\n',
       );
       process.exit(0);
     } else {
@@ -80,8 +82,9 @@ function containsPlaceholder(s) {
   return PLACEHOLDER_TOKENS.some((re) => re.test(s));
 }
 
-function validateMeta(catalogPath) {
+function validateMeta(catalogPath, opts) {
   const errors = [];
+  const warnings = [];
   const data = readJson(catalogPath);
   const meta = data._meta;
 
@@ -159,8 +162,46 @@ function validateMeta(catalogPath) {
         );
       }
     }
+
+    /* Audit G F3 — freshness enforcement. When both meta.last_updated and
+     * freshness_policy.stale_after_days are present, surface a warning if
+     * (now - last_updated) > stale_after_days. Patch-class release emits at
+     * WARN level (does not fail validation); v0.13.0 will flip to an error.
+     *
+     * Optional `opts.strict` (or `opts.errorOnStale`) promotes the warning
+     * to an error today; predeploy keeps the warning posture.
+     */
+    if (
+      typeof meta.last_updated === 'string' &&
+      typeof fp.stale_after_days === 'number' &&
+      fp.stale_after_days > 0
+    ) {
+      const lu = new Date(meta.last_updated + (
+        /^\d{4}-\d{2}-\d{2}$/.test(meta.last_updated) ? 'T00:00:00Z' : ''
+      ));
+      if (!Number.isNaN(lu.getTime())) {
+        const ageDays = Math.floor((Date.now() - lu.getTime()) / 86400000);
+        if (ageDays > fp.stale_after_days) {
+          const msg =
+            `_meta freshness: last_updated ${meta.last_updated} is ${ageDays} days old ` +
+            `(stale_after_days = ${fp.stale_after_days}); refresh the catalog or bump _meta.last_updated. ` +
+            `Will hard-fail in v0.13.0.`;
+          if (opts && (opts.strict || opts.errorOnStale)) {
+            errors.push(msg);
+          } else {
+            warnings.push(msg);
+          }
+        }
+      }
+    }
   }
 
+  // Warnings are appended after errors when callers ask for the combined
+  // shape via opts.includeWarnings. Default return is errors only so the
+  // public function signature is unchanged for existing callers.
+  if (opts && opts.includeWarnings) {
+    return { errors, warnings };
+  }
   return errors;
 }
 
@@ -172,23 +213,37 @@ function main() {
     .sort();
 
   let failed = 0;
+  let warned = 0;
   for (const f of files) {
-    const errors = validateMeta(path.join(DATA_DIR, f));
-    if (errors.length === 0) {
+    const result = validateMeta(path.join(DATA_DIR, f), {
+      includeWarnings: true,
+      strict: opts.strict,
+    });
+    const errors = result.errors;
+    const warnings = result.warnings || [];
+    if (errors.length === 0 && warnings.length === 0) {
       if (!opts.quiet) console.log(`PASS  ${f}`);
+    } else if (errors.length === 0) {
+      warned++;
+      if (!opts.quiet) console.log(`WARN  ${f}`);
+      for (const w of warnings) console.log(`        - [warn] ${w}`);
     } else {
       failed++;
       console.log(`FAIL  ${f}`);
       for (const e of errors) console.log(`        - ${e}`);
+      for (const w of warnings) console.log(`        - [warn] ${w}`);
     }
   }
 
   const total = files.length;
-  const passed = total - failed;
+  const passed = total - failed - warned;
+  const warnSuffix = warned ? `, ${warned} with warnings` : '';
+  const failSuffix = failed ? `, ${failed} failed` : '';
   console.log(
-    `\n${passed}/${total} catalogs validated${failed ? `, ${failed} failed` : ''}.`,
+    `\n${passed}/${total} catalogs validated${warnSuffix}${failSuffix}.`,
   );
-  process.exit(failed === 0 ? 0 : 1);
+  // F18: process.exitCode + return so buffered writes drain.
+  process.exitCode = failed === 0 ? 0 : 1;
 }
 
 if (require.main === module) {

package/lib/validate-cve-catalog.js

@@ -31,17 +31,56 @@ const REPO_ROOT = path.resolve(__dirname, '..');
 const SCHEMA_PATH = path.join(REPO_ROOT, 'lib', 'schemas', 'cve-catalog.schema.json');
 const CATALOG_PATH = path.join(REPO_ROOT, 'data', 'cve-catalog.json');
 const LESSONS_PATH = path.join(REPO_ROOT, 'data', 'zeroday-lessons.json');
+const ATLAS_PATH = path.join(REPO_ROOT, 'data', 'atlas-ttps.json');
+const CWE_PATH = path.join(REPO_ROOT, 'data', 'cwe-catalog.json');
+const ATTACK_PATH = path.join(REPO_ROOT, 'data', 'attack-techniques.json');
+const D3FEND_PATH = path.join(REPO_ROOT, 'data', 'd3fend-catalog.json');
+const FRAMEWORK_GAPS_PATH = path.join(REPO_ROOT, 'data', 'framework-control-gaps.json');
+
+// v0.12.12 — patterns that mark a verification_sources URL as a public exploit
+// or PoC location. When poc_available: true AND a verification source matches
+// one of these, the entry must carry an `iocs` block per AGENTS.md Hard Rule
+// #14. Surfaced as WARNING-only for v0.12.12 so drafts and pre-IoC entries
+// don't break patch-class compatibility; v0.13.0 will tighten to error.
+const PUBLIC_EXPLOIT_URL_PATTERNS = [
+  /github\.com\/.+\/(exploits?|poc|pocs)\b/i,
+  /\bexploit-?db\.com\b/i,
+  /\bpacketstormsecurity\.com\b/i,
+  /\bmetasploit\b/i,
+  /\/poc\//i,
+  /-poc\b/i,
+];
+
+// v0.12.12 — Tightened CVSS-vector prefix. Schema's existing pattern accepts
+// any "CVSS:<digits>/"; the strict pattern below admits only known CVSS
+// versions (2.0 / 3.0 / 3.1 / 4.0). Emitted as WARNING for v0.12.12; v0.13.0
+// will tighten the schema itself.
+const STRICT_CVSS_PATTERN = /^CVSS:(2\.0|3\.[01]|4\.0)\//;
+
+// v0.12.12 — Impossible-date guard. Reject obviously bogus year ranges
+// (typos like 1014 or 20262) without rejecting legitimate ISO dates.
+const MIN_VALID_YEAR = 1990;
+const MAX_VALID_YEAR = 2100;
+const DATE_FIELDS = [
+  'last_updated',
+  'source_verified',
+  'cisa_kev_date',
+  'cisa_kev_due_date',
+  'epss_date',
+];
 
 function parseArgs(argv) {
-  const opts = { quiet: false };
+  const opts = { quiet: false, strict: false };
   for (let i = 2; i < argv.length; i++) {
     const a = argv[i];
     if (a === '--quiet' || a === '-q') opts.quiet = true;
+    else if (a === '--strict') opts.strict = true;
     else if (a === '--help' || a === '-h') {
       console.log(
-        'Usage: node lib/validate-cve-catalog.js [--quiet]\n' +
+        'Usage: node lib/validate-cve-catalog.js [--quiet] [--strict]\n' +
           '\n' +
-          '  --quiet   Suppress per-CVE PASS output; show failures only.\n',
+          '  --quiet   Suppress per-CVE PASS output; show failures only.\n' +
+          '  --strict  Promote v0.13.0-preview warnings to errors. Off by default.\n',
       );
       process.exit(0);
     } else {
@@ -162,17 +201,152 @@ function validate(value, schema, schemaName, pathStr) {
   return errors;
 }
 
+function looksLikePublicExploitSource(url) {
+  if (typeof url !== 'string') return false;
+  return PUBLIC_EXPLOIT_URL_PATTERNS.some((re) => re.test(url));
+}
+
+function isUsableDate(value) {
+  if (typeof value !== 'string' || !/^\d{4}-\d{2}-\d{2}$/.test(value)) {
+    return { ok: false, reason: 'not in YYYY-MM-DD shape' };
+  }
+  const d = new Date(value + 'T00:00:00Z');
+  if (Number.isNaN(d.getTime())) return { ok: false, reason: 'unparseable' };
+  const year = Number(value.slice(0, 4));
+  if (year < MIN_VALID_YEAR || year > MAX_VALID_YEAR) {
+    return {
+      ok: false,
+      reason: `year ${year} outside ${MIN_VALID_YEAR}..${MAX_VALID_YEAR}`,
+    };
+  }
+  return { ok: true };
+}
+
+function additionalChecks(key, entry, ctx) {
+  const warnings = [];
+
+  // V1 — Hard Rule #14 conditional: poc + public-exploit URL → iocs required.
+  if (entry.poc_available === true) {
+    const sources = Array.isArray(entry.verification_sources)
+      ? entry.verification_sources
+      : [];
+    const hasPublicExploitSource = sources.some(looksLikePublicExploitSource);
+    if (hasPublicExploitSource) {
+      const iocs = entry.iocs;
+      const iocsPopulated =
+        iocs && typeof iocs === 'object' && !Array.isArray(iocs) && Object.keys(iocs).length > 0;
+      if (!iocsPopulated) {
+        warnings.push(
+          `${key}: poc_available=true and verification_sources includes a public-exploit URL, but iocs is missing or empty (AGENTS.md Hard Rule #14)`,
+        );
+      }
+    }
+  }
+
+  // V2 — Cross-catalog reference resolution. Unresolved refs are warnings
+  // for v0.12.x; v0.13.0 will flip to hard failures. Audit D's V2 expansion
+  // (Audit G) extends the walk from cwe_refs only to attack_refs, atlas_refs,
+  // d3fend_refs, AND framework_control_gaps.
+  const REF_FIELDS = [
+    { field: 'atlas_refs', set: ctx.atlasKeys, file: 'data/atlas-ttps.json' },
+    { field: 'cwe_refs', set: ctx.cweKeys, file: 'data/cwe-catalog.json' },
+    { field: 'attack_refs', set: ctx.attackKeys, file: 'data/attack-techniques.json' },
+    { field: 'd3fend_refs', set: ctx.d3fendKeys, file: 'data/d3fend-catalog.json' },
+    {
+      field: 'framework_control_gaps',
+      set: ctx.frameworkKeys,
+      file: 'data/framework-control-gaps.json',
+    },
+  ];
+  for (const { field, set, file } of REF_FIELDS) {
+    if (!set) continue; // catalog absent — skip silently (defense-in-depth)
+    const refs = entry[field];
+    if (!Array.isArray(refs)) continue;
+    for (const ref of refs) {
+      if (typeof ref !== 'string') continue;
+      if (!set.has(ref)) {
+        warnings.push(
+          `${key}: ${field} entry "${ref}" not in ${file} (will hard-fail in v0.13.0)`,
+        );
+      }
+    }
+  }
+
+  // V4 — Impossible-date guard.
+  for (const f of DATE_FIELDS) {
+    const v = entry[f];
+    if (v === undefined || v === null) continue;
+    const r = isUsableDate(v);
+    if (!r.ok) {
+      warnings.push(`${key}: ${f} value ${JSON.stringify(v)} is invalid (${r.reason})`);
+    }
+  }
+
+  // Sch1 — strict CVSS-vector prefix (warning-only for v0.12.12). The schema
+  // pattern stays loose; this admits only known CVSS versions.
+  if (typeof entry.cvss_vector === 'string' && entry.cvss_vector.length > 0) {
+    if (!STRICT_CVSS_PATTERN.test(entry.cvss_vector)) {
+      warnings.push(
+        `${key}: cvss_vector ${JSON.stringify(entry.cvss_vector)} does not match the strict prefix /^CVSS:(2.0|3.0|3.1|4.0)\\//. Schema tolerates this in v0.12.12; v0.13.0 will tighten the schema.`,
+      );
+    }
+  }
+
+  return warnings;
+}
+
 function main() {
   const opts = parseArgs(process.argv);
   const schema = readJson(SCHEMA_PATH);
   const catalog = readJson(CATALOG_PATH);
   const lessons = readJson(LESSONS_PATH);
+  const atlas = fs.existsSync(ATLAS_PATH) ? readJson(ATLAS_PATH) : {};
+  const cwe = fs.existsSync(CWE_PATH) ? readJson(CWE_PATH) : {};
+  const attack = fs.existsSync(ATTACK_PATH) ? readJson(ATTACK_PATH) : null;
+  const d3fend = fs.existsSync(D3FEND_PATH) ? readJson(D3FEND_PATH) : null;
+  const frameworks = fs.existsSync(FRAMEWORK_GAPS_PATH)
+    ? readJson(FRAMEWORK_GAPS_PATH)
+    : null;
+
+  const ctx = {
+    atlasKeys: new Set(Object.keys(atlas).filter((k) => !k.startsWith('_'))),
+    cweKeys: new Set(Object.keys(cwe).filter((k) => !k.startsWith('_'))),
+    attackKeys: attack
+      ? new Set(Object.keys(attack).filter((k) => !k.startsWith('_')))
+      : null,
+    d3fendKeys: d3fend
+      ? new Set(Object.keys(d3fend).filter((k) => !k.startsWith('_')))
+      : null,
+    frameworkKeys: frameworks
+      ? new Set(Object.keys(frameworks).filter((k) => !k.startsWith('_')))
+      : null,
+  };
 
   const cveKeys = Object.keys(catalog).filter((k) => !k.startsWith('_'));
   const lessonKeys = new Set(Object.keys(lessons).filter((k) => !k.startsWith('_')));
 
   let failed = 0;
   let drafts = 0;
+  let warned = 0;
+
+  // V3 — Duplicate-name detection across all non-_meta entries.
+  const nameToKeys = new Map();
+  for (const k of cveKeys) {
+    const n = catalog[k] && catalog[k].name;
+    if (typeof n === 'string' && n.length > 0) {
+      if (!nameToKeys.has(n)) nameToKeys.set(n, []);
+      nameToKeys.get(n).push(k);
+    }
+  }
+  const dupNameWarnings = [];
+  for (const [n, ks] of nameToKeys) {
+    if (ks.length > 1) {
+      dupNameWarnings.push(
+        `duplicate CVE name ${JSON.stringify(n)} across keys: ${ks.join(', ')}`,
+      );
+    }
+  }
+
   for (const key of cveKeys) {
     const entry = catalog[key];
     // v0.12.0: GHSA-imported drafts are flagged `_auto_imported: true` +
@@ -182,26 +356,39 @@ function main() {
     // `exceptd run cve-curation --advisory <id>`.
     const isDraft = entry && (entry._auto_imported === true || entry._draft === true);
     const errors = validate(entry, schema, 'cve', key);
+    let warnings = additionalChecks(key, entry, ctx);
     if (!lessonKeys.has(key) && !isDraft) {
       errors.push(
         `${key}: missing matching entry in data/zeroday-lessons.json (rule #6: zero-day learning is live)`,
       );
     }
+    // F20 — --strict promotes per-CVE warnings to errors. Drafts are
+    // exempt (drafts already exit non-fail).
+    if (opts.strict && !isDraft) {
+      errors.push(...warnings);
+      warnings = [];
+    }
     if (isDraft) {
       drafts++;
       if (!opts.quiet) {
         console.log(`DRAFT ${key} (auto-imported — needs editorial review)`);
         for (const e of errors) console.log(`        - [warn] ${e}`);
+        for (const w of warnings) console.log(`        - [warn] ${w}`);
       }
       // Drafts don't increment `failed` — they're warnings, not errors.
       continue;
     }
-    if (errors.length === 0) {
+    if (errors.length === 0 && warnings.length === 0) {
       if (!opts.quiet) console.log(`PASS  ${key}`);
+    } else if (errors.length === 0) {
+      warned++;
+      if (!opts.quiet) console.log(`WARN  ${key}`);
+      for (const w of warnings) console.log(`        - [warn] ${w}`);
     } else {
       failed++;
       console.log(`FAIL  ${key}`);
       for (const e of errors) console.log(`        - ${e}`);
+      for (const w of warnings) console.log(`        - [warn] ${w}`);
     }
   }
 
@@ -218,13 +405,32 @@ function main() {
     }
   }
 
+  // V3 — emit duplicate-name warnings as a catalog-wide tail block.
+  for (const w of dupNameWarnings) {
+    console.log(`WARN  catalog`);
+    console.log(`        - [warn] ${w}`);
+  }
+
   const total = cveKeys.length;
-  const passed = total - failed - drafts;
+  const passed = total - failed - drafts - warned;
   const summary = `\n${passed}/${total} CVE entries validated` +
     (drafts ? `, ${drafts} draft(s) (auto-imported)` : '') +
+    (warned ? `, ${warned} with warnings` : '') +
     (failed ? `, ${failed} failed` : '') + '.';
   console.log(summary);
-  process.exit(failed === 0 ? 0 : 1);
+  // F18: process.exitCode + return so buffered output drains.
+  process.exitCode = failed === 0 ? 0 : 1;
 }
 
-main();
+module.exports = {
+  validate,
+  looksLikePublicExploitSource,
+  isUsableDate,
+  additionalChecks,
+  PUBLIC_EXPLOIT_URL_PATTERNS,
+  STRICT_CVSS_PATTERN,
+};
+
+if (require.main === module) {
+  main();
+}

package/lib/validate-indexes.js

@@ -12,6 +12,8 @@
  *   3. Fail if any hash diverges (the indexes are stale).
  *   4. Fail if a new source file exists that's not in the index (the
  *      index doesn't reflect current state).
+ *   5. Fail if source_hashes is empty (build-indexes never ran).
+ *   6. Fail if any data/*.json or listed source is a symlink.
  *
  * Exit 0 on success, 1 on staleness.
  *
@@ -34,50 +36,99 @@ function sha256(buf) {
   return crypto.createHash("sha256").update(buf).digest("hex");
 }
 
-if (!fs.existsSync(META)) {
-  console.error("[validate-indexes] data/_indexes/_meta.json missing — run `npm run build-indexes`.");
-  process.exit(1);
-}
+function main() {
+  if (!fs.existsSync(META)) {
+    console.error("[validate-indexes] data/_indexes/_meta.json missing — run `npm run build-indexes`.");
+    // v0.11.13 pattern: exitCode + return so async stdout/stderr writes drain.
+    process.exitCode = 1;
+    return;
+  }
 
-const meta = JSON.parse(fs.readFileSync(META, "utf8"));
-const recorded = meta.source_hashes || {};
+  const meta = JSON.parse(fs.readFileSync(META, "utf8"));
+  const recorded = meta.source_hashes || {};
 
-// Discover the current canonical source set.
-const manifest = JSON.parse(fs.readFileSync(ABS("manifest.json"), "utf8"));
-const liveSources = new Set();
-liveSources.add("manifest.json");
-for (const f of fs.readdirSync(ABS("data"))) {
-  if (f.endsWith(".json")) liveSources.add("data/" + f);
-}
-for (const s of manifest.skills) liveSources.add(s.path);
+  // Audit G F1 — reject an empty source_hashes table outright. The previous
+  // gate would silently pass when source_hashes was {} (or missing entirely)
+  // because the for-loop body never executed; the resulting "0 sources" pass
+  // banner falsely advertised the indexes as current. An empty source-hash
+  // table means build-indexes was never run, or was run against an empty
+  // repo, and the index files themselves are not trustworthy.
+  if (Object.keys(recorded).length === 0) {
+    console.error(
+      "[validate-indexes] data/_indexes/_meta.json source_hashes is empty — " +
+      "this means build-indexes did not populate the index. " +
+      "Regenerate with: npm run build-indexes"
+    );
+    process.exitCode = 1;
+    return;
+  }
+
+  // Discover the current canonical source set.
+  const manifest = JSON.parse(fs.readFileSync(ABS("manifest.json"), "utf8"));
+  const liveSources = new Set();
+  liveSources.add("manifest.json");
+  // Audit G F16 — use lstat to detect symlinks. A symlinked .json under data/
+  // would be hashed via the followed target, allowing a malicious checkout
+  // (or a misconfigured filesystem) to swap data origin without tripping the
+  // gate. Reject symlinks outright.
+  for (const f of fs.readdirSync(ABS("data"))) {
+    if (!f.endsWith(".json")) continue;
+    const abs = ABS("data/" + f);
+    const st = fs.lstatSync(abs);
+    if (st.isSymbolicLink()) {
+      console.error(
+        `[validate-indexes] data/${f} is a symbolic link — refusing to follow. ` +
+        `Replace with the real file or remove the entry.`
+      );
+      process.exitCode = 1;
+      return;
+    }
+    liveSources.add("data/" + f);
+  }
+  for (const s of manifest.skills) liveSources.add(s.path);
 
-const drift = [];
-const missing = [];
-const recordedKeys = new Set(Object.keys(recorded));
+  const drift = [];
+  const missing = [];
+  const recordedKeys = new Set(Object.keys(recorded));
 
-for (const p of liveSources) {
-  if (!recordedKeys.has(p)) {
-    missing.push(`new source not in index: ${p}`);
-    continue;
+  for (const p of liveSources) {
+    if (!recordedKeys.has(p)) {
+      missing.push(`new source not in index: ${p}`);
+      continue;
+    }
+    const abs = ABS(p);
+    // F16 — also check listed-but-symlinked sources. lstatSync on a missing
+    // file throws; mirror the existsSync semantics by guarding it.
+    if (fs.existsSync(abs)) {
+      const st = fs.lstatSync(abs);
+      if (st.isSymbolicLink()) {
+        missing.push(`source ${p} is a symbolic link — refusing to follow`);
+        continue;
+      }
+    }
+    const live = sha256(fs.readFileSync(abs));
+    if (live !== recorded[p]) {
+      drift.push(`hash drift: ${p} (recorded ${recorded[p].slice(0, 12)}…, live ${live.slice(0, 12)}…)`);
+    }
   }
-  const live = sha256(fs.readFileSync(ABS(p)));
-  if (live !== recorded[p]) {
-    drift.push(`hash drift: ${p} (recorded ${recorded[p].slice(0, 12)}…, live ${live.slice(0, 12)}…)`);
+  for (const p of recordedKeys) {
+    if (!liveSources.has(p)) {
+      missing.push(`stale source in index (file removed): ${p}`);
+    }
   }
-}
-for (const p of recordedKeys) {
-  if (!liveSources.has(p)) {
-    missing.push(`stale source in index (file removed): ${p}`);
+
+  const issues = [...drift, ...missing];
+  if (issues.length === 0) {
+    console.log(`[validate-indexes] indexes current — ${recordedKeys.size} sources hashed at ${meta.generated_at}.`);
+    return;
   }
-}
 
-const issues = [...drift, ...missing];
-if (issues.length === 0) {
-  console.log(`[validate-indexes] indexes current — ${recordedKeys.size} sources hashed at ${meta.generated_at}.`);
-  process.exit(0);
+  console.error("[validate-indexes] indexes STALE:");
+  for (const i of issues) console.error("  • " + i);
+  console.error("[validate-indexes] regenerate with: npm run build-indexes");
+  process.exitCode = 1;
 }
 
-console.error("[validate-indexes] indexes STALE:");
-for (const i of issues) console.error("  • " + i);
-console.error("[validate-indexes] regenerate with: npm run build-indexes");
-process.exit(1);
+if (require.main === module) main();
+
+module.exports = { main };