@blamejs/exceptd-skills 0.12.13 → 0.12.15

package/keys/EXPECTED_FINGERPRINT

@@ -0,0 +1 @@
+SHA256:JX04VjFprM7+3gHJdO0Wi4tTCf1RKI9Roza3XOzAe0Y=

package/lib/auto-discovery.js

@@ -184,10 +184,21 @@ function buildKevDraftEntry(kevEntry, nvdPayload, epssPayload) {
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       kevEntry.notes ? String(kevEntry.notes) : null,
     ].filter(Boolean),
-    source_verified: false,
+    // v0.12.15 (audit M P1-B): schema requires source_verified to be a
+    // YYYY-MM-DD string OR null; the prior `false` boolean produced an
+    // entry that failed strict catalog validation. Use null to mean
+    // "not yet verified" — operators populate the date during curation.
+    source_verified: null,
     last_updated: TODAY,
     last_verified: TODAY,
-    _auto_imported: {
+    // v0.12.15 (audit M P1-D): `_auto_imported` must be the boolean `true`
+    // for lib/validate-cve-catalog.js's draft-recognition check (strict
+    // `=== true` comparison). The prior object-shape was non-recognizable
+    // and the strict validator treated KEV-discovered drafts as
+    // hard-error entries instead of warning-tier drafts. The provenance
+    // metadata that used to be inline now lives in `_auto_imported_meta`.
+    _auto_imported: true,
+    _auto_imported_meta: {
       source: "KEV discovery",
       imported_at: TODAY,
       curation_needed: [
@@ -476,14 +487,20 @@ async function discoverNewRfcs(ctx, opts = {}) {
       skills_referencing: [],
       errata_count: null,
       last_verified: TODAY,
-      _auto_imported: {
+      // v0.12.15 (audit M P1-D, P3-T): boolean `_auto_imported: true` for
+      // strict-validator recognition; provenance moved to sibling
+      // `_auto_imported_meta`. Errata-URL hint converted to a real template
+      // literal so the rfc number actually interpolates (the previous double-
+      // quoted string left `${number}` as literal text in operator output).
+      _auto_imported: true,
+      _auto_imported_meta: {
         source: `RFC discovery (IETF ${wg} working group)`,
         imported_at: TODAY,
         curation_needed: [
           "relevance — project-specific framing of how this RFC matters for mid-2026 threats",
           "lag_notes — what gaps remain or where the RFC falls short",
           "skills_referencing — list of skills that should cite this RFC",
-          "errata_count — populate from <rfc-editor.org/errata/rfc${number}>",
+          `errata_count — populate from <rfc-editor.org/errata/rfc${number}>`,
         ],
       },
     };

package/lib/cross-ref-api.js

@@ -21,6 +21,15 @@ const INDEX_DIR = path.join(DATA_DIR, '_indexes');
 
 const _cache = new Map();
 
+// v0.12.14 (audit C-F7): catalog corruption no longer crashes the runner
+// uncaught. A malformed JSON file in data/ used to produce a SyntaxError
+// at require-time of any consumer (lib/playbook-runner.js), which threw
+// out of the run() entrypoint without honoring AGENTS.md's "non-zero
+// exit + {ok:false, error} to stderr" contract. Now: caught + degraded
+// to an empty catalog with a recorded _loadError that downstream code
+// can inspect.
+const _loadErrors = [];
+
 function loadCatalog(filename) {
   if (_cache.has(filename)) return _cache.get(filename);
   const full = path.join(DATA_DIR, filename);
@@ -28,9 +37,17 @@ function loadCatalog(filename) {
     _cache.set(filename, {});
     return {};
   }
-  const parsed = JSON.parse(fs.readFileSync(full, 'utf8'));
-  _cache.set(filename, parsed);
-  return parsed;
+  try {
+    const parsed = JSON.parse(fs.readFileSync(full, 'utf8'));
+    _cache.set(filename, parsed);
+    return parsed;
+  } catch (e) {
+    _loadErrors.push({ kind: 'catalog', file: filename, error: e.message });
+    const stub = {};
+    Object.defineProperty(stub, '_loadError', { value: e.message, enumerable: false });
+    _cache.set(filename, stub);
+    return stub;
+  }
 }
 
 function loadIndex(filename) {
@@ -40,9 +57,21 @@ function loadIndex(filename) {
     _cache.set('idx:' + filename, {});
     return {};
   }
-  const parsed = JSON.parse(fs.readFileSync(full, 'utf8'));
-  _cache.set('idx:' + filename, parsed);
-  return parsed;
+  try {
+    const parsed = JSON.parse(fs.readFileSync(full, 'utf8'));
+    _cache.set('idx:' + filename, parsed);
+    return parsed;
+  } catch (e) {
+    _loadErrors.push({ kind: 'index', file: filename, error: e.message });
+    const stub = {};
+    Object.defineProperty(stub, '_loadError', { value: e.message, enumerable: false });
+    _cache.set('idx:' + filename, stub);
+    return stub;
+  }
+}
+
+function getLoadErrors() {
+  return _loadErrors.slice();
 }
 
 function entries(catalog) {
@@ -221,4 +250,8 @@ module.exports = {
   // Lower-level access (engine uses these directly)
   _loadCatalog: loadCatalog,
   _loadIndex: loadIndex,
+  // v0.12.14: surface accumulated catalog/index load errors. Returns
+  // [{kind, file, error}, ...] for every catalog/index whose JSON
+  // parse failed. Empty array on a healthy install.
+  getLoadErrors,
 };

package/lib/cve-curation.js

@@ -50,11 +50,18 @@ let _cveSchemaCache = null;
 function loadCveEntrySchema() {
   if (_cveSchemaCache) return _cveSchemaCache;
   try {
+    // v0.12.15 (audit M P1-A): the prior version of this function looked for
+    // either `root.patternProperties["^CVE-\\d{4}-\\d+$"]` or an object
+    // `root.additionalProperties`. The actual schema at lib/schemas/cve-
+    // catalog.schema.json has NEITHER — its top level IS the entry shape
+    // (`{type:'object', required:[...], properties: {...}}`) because
+    // validate-cve-catalog.js iterates each CVE id key manually and runs
+    // the schema validator over each value. Result: loadCveEntrySchema()
+    // always returned null, the v0.12.12 codex P1 #1 fix (strict-schema
+    // gating of promotion) was silently disabled, and schema-violating
+    // entries promoted anyway. Use the root schema directly.
     const root = JSON.parse(fs.readFileSync(CVE_SCHEMA_PATH, "utf8"));
-    const entrySchema =
-      (root.patternProperties && root.patternProperties["^CVE-\\d{4}-\\d+$"]) ||
-      (root.additionalProperties && typeof root.additionalProperties === "object" ? root.additionalProperties : null);
-    _cveSchemaCache = entrySchema || null;
+    _cveSchemaCache = root || null;
     return _cveSchemaCache;
   } catch {
     return null;
@@ -264,7 +271,13 @@ function buildQuestionnaire(cveId, draft) {
   // Pull candidate catalogs. Each is optional — missing catalogs are skipped
   // gracefully. J7 makes these one-shot loads per process.
   const atlas = loadJson("data/atlas-ttps.json");
-  const attack = loadJson("data/attack-ttps.json");
+  // v0.12.15 (audit M P1-E): the catalog ships as data/attack-techniques.json
+  // (renamed from data/attack-ttps.json before the v0.12.12 release; the
+  // canonical file path is also what lib/validate-cve-catalog.js consumes).
+  // The prior `data/attack-ttps.json` lookup silently fell back to an empty
+  // object via loadJsonRaw's ENOENT handling, so the ATT&CK candidate
+  // questionnaire branch always returned zero proposals.
+  const attack = loadJson("data/attack-techniques.json");
   const cwe = loadJson("data/cwe-catalog.json");
   const frameworkGaps = loadJson("data/framework-control-gaps.json");
 

package/lib/lint-skills.js

@@ -635,8 +635,13 @@ function loadContext() {
  */
 function findOrphanSkillFiles(manifestSkills) {
   if (!fs.existsSync(SKILLS_DIR)) return [];
+  // F19 — manifest paths are stored as forward-slash strings by contract
+  // (lib/verify.js validateSkillPath() rejects backslashes). The previous
+  // path.sep split was a no-op on Linux and incorrect on Windows when
+  // mixed separators arrived through other ingest paths; the cleaner
+  // contract is to normalise the comparison key directly.
   const referenced = new Set(
-    manifestSkills.map((s) => s.path.split(path.sep).join('/')),
+    manifestSkills.map((s) => String(s.path).replace(/\\/g, '/')),
   );
   const orphans = [];
   for (const entry of fs.readdirSync(SKILLS_DIR, { withFileTypes: true })) {