@blamejs/exceptd-skills 0.12.13 → 0.12.15

package/scripts/predeploy.js

@@ -19,6 +19,15 @@
  * Single-source-of-truth: the GATES list below mirrors the job sequence
  * in .github/workflows/ci.yml. Test coverage in tests/predeploy.test.js
  * asserts the two stay in sync.
+ *
+ * Audit G F5 — when the manifest-snapshot gate fails, the fix is NOT to
+ * run `npm run refresh-snapshot` blindly. The refresh script now refuses
+ * unless the operator passes `--commit-only` or sets
+ * EXCEPTD_SNAPSHOT_AUDIT_ACK=1. This is intentional: a failing snapshot
+ * gate means a breaking change was detected, and an accidental refresh
+ * would silently rewrite the baseline. Read the breaking-change list
+ * first, then run `node scripts/refresh-manifest-snapshot.js --commit-only`
+ * if the change is intentional.
  */
 
 const { execFileSync } = require("child_process");
@@ -62,28 +71,15 @@ const GATES = [
     args: [path.join(ROOT, "lib", "validate-cve-catalog.js")],
     ciJobName: "Data integrity (catalog + manifest snapshot)",
   },
-  {
-    name: "Validate offline CVE catalog state",
-    command: process.execPath,
-    args: [
-      path.join(ROOT, "orchestrator", "index.js"),
-      "validate-cves",
-      "--offline",
-      "--no-fail",
-    ],
-    ciJobName: "Data integrity (catalog + manifest snapshot)",
-  },
-  {
-    name: "Validate offline RFC catalog state",
-    command: process.execPath,
-    args: [
-      path.join(ROOT, "orchestrator", "index.js"),
-      "validate-rfcs",
-      "--offline",
-      "--no-fail",
-    ],
-    ciJobName: "Data integrity (catalog + manifest snapshot)",
-  },
+  // Audit G F13 — the "validate-cves --offline --no-fail" and
+  // "validate-rfcs --offline --no-fail" gates were enumeration-only sanity
+  // checks: `--no-fail` forced them to always exit 0, so they never blocked
+  // a release on a real catalog problem. The deep catalog validation is
+  // already performed by the gate above (`lib/validate-cve-catalog.js`),
+  // including cross-catalog reference resolution after this same audit.
+  // Keeping the no-op gates as predeploy steps inflated the gate count for
+  // no marginal value and risked false confidence ("X gates passed"). They
+  // are removed in v0.12.14; document the removal in CHANGELOG.
   {
     name: "Manifest snapshot gate (breaking-change detector)",
     command: process.execPath,
@@ -97,9 +93,13 @@ const GATES = [
     ciJobName: "Lint skill files",
   },
   {
-    // Informational only — surfaces the forward_watch horizon across all
-    // skills as a sanity signal. Emits the count but never fails the run;
-    // a parse problem is reported, not blocking.
+    // Informational — surfaces the forward_watch horizon across all skills.
+    // Audit G F12: an exit code of 0 means "ok", 1 means "items present
+    // (informational)", 2+ means a runtime error in the gate itself.
+    // The runner now distinguishes the two: 0/1 stay informational, 2+
+    // surface as a real failure. Pre-fix, any non-zero exit was rolled up
+    // as informational, which hid crashes (a 137 OOM looked the same as
+    // "found 12 items to review").
     name: "Forward-watch aggregator (informational)",
     command: process.execPath,
     args: [
@@ -108,6 +108,7 @@ const GATES = [
     ],
     ciJobName: "Data integrity (catalog + manifest snapshot)",
     informational: true,
+    informationalMaxExitCode: 1,
   },
   {
     name: "Validate catalog _meta (tlp + source_confidence + freshness_policy)",
@@ -192,25 +193,60 @@ function runGate(gate) {
     }
   }
   const t0 = Date.now();
-  try {
-    execFileSync(gate.command, gate.args, { stdio: "inherit", cwd: ROOT });
-    return { status: "passed", durationMs: Date.now() - t0 };
-  } catch (e) {
-    if (gate.informational) {
+  // Audit G F21 — spawn the child with piped stdio + tee to the parent so we
+  // can count `WARN ` lines for the summary table. We still want the live
+  // output, so each chunk is forwarded as it arrives.
+  const { spawnSync } = require("child_process");
+  const r = spawnSync(gate.command, gate.args, {
+    cwd: ROOT,
+    encoding: "utf8",
+    maxBuffer: 64 * 1024 * 1024,
+  });
+  const durationMs = Date.now() - t0;
+  if (r.stdout) process.stdout.write(r.stdout);
+  if (r.stderr) process.stderr.write(r.stderr);
+  // Count WARN-labelled lines in the combined stream so the summary table
+  // can surface them. Lint / validate output uses "WARN  " at line start;
+  // count both the table form and an inline "[warn]" form.
+  const combined = (r.stdout || "") + (r.stderr || "");
+  const warnCount = (
+    combined.match(/^WARN\b/gm) || []
+  ).length + (
+    combined.match(/\[warn\]/g) || []
+  ).length;
+  if (r.status === 0) {
+    return { status: "passed", durationMs, warnCount };
+  }
+  // Audit G F12 — gates may declare informationalMaxExitCode to distinguish
+  // "soft signal" (exit codes 0..N) from "crash" (> N). Default behaviour
+  // for an informational gate without that field stays the same.
+  if (gate.informational) {
+    const ceil = typeof gate.informationalMaxExitCode === "number"
+      ? gate.informationalMaxExitCode
+      : Infinity;
+    if (r.status !== null && r.status > ceil) {
       return {
-        status: "informational",
-        exitCode: e.status ?? null,
-        message: e.message,
-        durationMs: Date.now() - t0,
+        status: "failed",
+        exitCode: r.status,
+        message: `informational gate crashed (exit ${r.status} > informationalMaxExitCode=${ceil})`,
+        durationMs,
+        warnCount,
       };
     }
     return {
-      status: "failed",
-      exitCode: e.status ?? null,
-      message: e.message,
-      durationMs: Date.now() - t0,
+      status: "informational",
+      exitCode: r.status ?? null,
+      durationMs,
+      warnCount,
     };
   }
+  return {
+    status: "failed",
+    exitCode: r.status ?? null,
+    message: r.error ? r.error.message : `exit ${r.status}`,
+    durationMs,
+    warnCount,
+  };
 }
 
 function fmtMs(ms) {
@@ -258,8 +294,16 @@ function main() {
         : "✗";
     const timing = fmtMs(outcome.durationMs);
     const timingSuffix = timing ? `  (${timing})` : "";
+    // F21 — surface WARN counts so a gate that "passed (3 warnings)" is
+    // distinguishable from one that passed cleanly. Pre-fix, warnings
+    // printed by individual gates (validate-cve-catalog, lint-skills,
+    // validate-playbooks) scrolled past invisible in the summary.
+    const warnSuffix =
+      outcome.warnCount && outcome.warnCount > 0
+        ? ` (${outcome.warnCount} warning${outcome.warnCount === 1 ? "" : "s"})`
+        : "";
     process.stdout.write(
-      `  ${icon} ${gate.name.padEnd(widest)}  ${outcome.status}${timingSuffix}\n`
+      `  ${icon} ${gate.name.padEnd(widest)}  ${outcome.status}${warnSuffix}${timingSuffix}\n`
     );
   }
 

package/scripts/refresh-manifest-snapshot.js

@@ -11,10 +11,22 @@
  * blindly — read the breaking-change list first. A breaking change is
  * a surface narrowing every downstream consumer needs to know about.
  *
+ * Audit G F5 — commitOnly mode. Pass `--commit-only` (or set the env
+ * EXCEPTD_SNAPSHOT_AUDIT_ACK=1) to acknowledge that the operator
+ * deliberately wants to overwrite the committed snapshot. When neither
+ * flag nor env is set AND the snapshot would actually change, the
+ * script refuses and emits a structured diff hint. This stops an
+ * accidental `npm run refresh-snapshot` (run as muscle-memory while
+ * triaging a failing gate) from masking a real breaking change.
+ *
  * Usage:
- *   node scripts/refresh-manifest-snapshot.js
- *   git add manifest-snapshot.json
- *   git commit -m "refresh manifest snapshot: <what changed>"
+ *   node scripts/refresh-manifest-snapshot.js              # dry-shows the diff
+ *   EXCEPTD_SNAPSHOT_AUDIT_ACK=1 \
+ *     node scripts/refresh-manifest-snapshot.js            # writes the new snapshot
+ *   node scripts/refresh-manifest-snapshot.js --commit-only   # same thing, on argv
+ *
+ * The flag is documented in scripts/predeploy.js so contributors see it
+ * the moment the snapshot gate fails.
  */
 
 const fs = require("fs");
@@ -50,8 +62,47 @@ function captureSurface(manifest) {
 
 const manifest = JSON.parse(fs.readFileSync(MANIFEST_PATH, "utf8"));
 const snapshot = captureSurface(manifest);
+const newJson = JSON.stringify(snapshot, null, 2) + "\n";
+
+// F5 — refuse to overwrite an existing snapshot unless the operator
+// has explicitly acknowledged the rewrite (env or --commit-only flag).
+const argv = process.argv.slice(2);
+const commitOnly =
+  argv.includes("--commit-only") ||
+  process.env.EXCEPTD_SNAPSHOT_AUDIT_ACK === "1";
 
-fs.writeFileSync(SNAPSHOT_PATH, JSON.stringify(snapshot, null, 2) + "\n", "utf8");
+if (fs.existsSync(SNAPSHOT_PATH) && !commitOnly) {
+  const current = fs.readFileSync(SNAPSHOT_PATH, "utf8");
+  // Normalise the _generated_at timestamp for comparison — that field
+  // changes every run and shouldn't trigger the guard.
+  const stripGenerated = (s) => s.replace(
+    /"_generated_at":\s*"[^"]+",?\s*\n?/, ""
+  );
+  if (stripGenerated(current) === stripGenerated(newJson)) {
+    console.log("[refresh-manifest-snapshot] snapshot unchanged — nothing to do.");
+    process.exit(0);
+  }
+  process.stderr.write(
+    "[refresh-manifest-snapshot] REFUSING to overwrite manifest-snapshot.json — " +
+    "the captured surface differs from the committed snapshot.\n" +
+    "  Re-run with `--commit-only` (or EXCEPTD_SNAPSHOT_AUDIT_ACK=1) to confirm " +
+    "the rewrite is intentional. The check-manifest-snapshot.js gate exists to " +
+    "force a deliberate decision about removed skills / triggers / refs before " +
+    "the baseline is rewritten.\n"
+  );
+  process.exit(1);
+}
+
+fs.writeFileSync(SNAPSHOT_PATH, newJson, "utf8");
 
 console.log(`[refresh-manifest-snapshot] wrote ${snapshot.skill_count} skills to manifest-snapshot.json`);
 console.log("[refresh-manifest-snapshot] commit this file alongside the surface change.");
+
+// Audit G F23 — write a tracked SHA-256 of the snapshot so the
+// check-manifest-snapshot.js gate can verify integrity (no hand edits
+// after refresh).
+const crypto = require("crypto");
+const snapshotSha = crypto.createHash("sha256").update(newJson).digest("hex");
+const snapshotShaPath = path.join(ROOT, "manifest-snapshot.sha256");
+fs.writeFileSync(snapshotShaPath, snapshotSha + "  manifest-snapshot.json\n", "utf8");
+console.log(`[refresh-manifest-snapshot] wrote integrity hash to manifest-snapshot.sha256`);

package/scripts/validate-vendor-online.js

@@ -0,0 +1,169 @@
+#!/usr/bin/env node
+"use strict";
+/**
+ * scripts/validate-vendor-online.js — Audit G F6.
+ *
+ * Optional, network-touching companion to lib/validate-vendor.js. For every
+ * file recorded in vendor/blamejs/_PROVENANCE.json, fetches the upstream
+ * blob from github.com/<source_repo>/blob/<pinned_commit>/<upstream_path>
+ * (via the raw.githubusercontent.com mirror), hashes it, and compares the
+ * result against the `upstream_sha256_at_pin` recorded in _PROVENANCE.json.
+ *
+ * This catches the class where _PROVENANCE.json was hand-edited to
+ * advertise a `upstream_sha256_at_pin` that does not actually match what
+ * upstream had at that commit. lib/validate-vendor.js only checks that the
+ * local vendored file matches its own recorded hash — that's self-attesting.
+ * This script extends the check to upstream, closing the gap.
+ *
+ * Not part of `npm run predeploy` by default — the predeploy gate sequence
+ * must remain network-independent (offline gates only). Run manually:
+ *
+ *   node scripts/validate-vendor-online.js
+ *   node scripts/validate-vendor-online.js --timeout 30000
+ *   node scripts/validate-vendor-online.js --json
+ *
+ * Exit codes:
+ *   0  every vendored file's upstream_sha256_at_pin matched upstream
+ *   1  at least one mismatch
+ *   2  runtime / network error
+ *
+ * Zero npm deps. Node 24 stdlib only.
+ */
+
+const fs = require("fs");
+const path = require("path");
+const crypto = require("crypto");
+const https = require("https");
+
+const ROOT = path.join(__dirname, "..");
+const PROV_PATH = path.join(ROOT, "vendor", "blamejs", "_PROVENANCE.json");
+
+function parseArgs(argv) {
+  const out = { timeoutMs: 15000, json: false };
+  for (let i = 2; i < argv.length; i++) {
+    const a = argv[i];
+    if (a === "--timeout") out.timeoutMs = Number(argv[++i]) || out.timeoutMs;
+    else if (a === "--json") out.json = true;
+    else if (a === "--help" || a === "-h") {
+      process.stdout.write(
+        "Usage: node scripts/validate-vendor-online.js [--timeout <ms>] [--json]\n"
+      );
+      process.exit(0);
+    } else {
+      process.stderr.write(`Unknown argument: ${a}\n`);
+      process.exit(2);
+    }
+  }
+  return out;
+}
+
+function rawUrlForPin(sourceRepo, commit, upstreamPath) {
+  // Translate https://github.com/owner/repo → raw.githubusercontent.com/owner/repo
+  // sourceRepo may end in .git; strip it. Tolerate trailing slash.
+  const m = (sourceRepo || "").match(
+    /^https?:\/\/github\.com\/([^/]+)\/([^/]+?)(?:\.git)?\/?$/
+  );
+  if (!m) return null;
+  const [, owner, repo] = m;
+  const cleanPath = String(upstreamPath || "").replace(/^\/+/, "");
+  return `https://raw.githubusercontent.com/${owner}/${repo}/${commit}/${cleanPath}`;
+}
+
+const MAX_REDIRECTS = 5;
+
+function fetchBuffer(url, timeoutMs, redirectsLeft = MAX_REDIRECTS) {
+  return new Promise((resolve, reject) => {
+    const req = https.get(url, (res) => {
+      // v0.12.14 (codex P2): cap redirect hops. A redirect loop (or a
+      // hostile / mis-configured upstream that keeps returning 3xx with
+      // Location pointing back to itself) used to recurse until stack
+      // overflow or hang. Now: count hops, fail clean on exhaustion.
+      if (res.statusCode >= 300 && res.statusCode < 400 && res.headers.location) {
+        res.resume();
+        if (redirectsLeft <= 0) {
+          return reject(new Error(`exceeded ${MAX_REDIRECTS} redirects fetching ${url}`));
+        }
+        return resolve(fetchBuffer(res.headers.location, timeoutMs, redirectsLeft - 1));
+      }
+      if (res.statusCode !== 200) {
+        res.resume();
+        return reject(new Error(`HTTP ${res.statusCode} for ${url}`));
+      }
+      const chunks = [];
+      res.on("data", (c) => chunks.push(c));
+      res.on("end", () => resolve(Buffer.concat(chunks)));
+      res.on("error", reject);
+    });
+    req.on("error", reject);
+    req.setTimeout(timeoutMs, () => {
+      req.destroy(new Error(`timeout after ${timeoutMs}ms fetching ${url}`));
+    });
+  });
+}
+
+async function main() {
+  const opts = parseArgs(process.argv);
+  if (!fs.existsSync(PROV_PATH)) {
+    process.stderr.write(`vendor/blamejs/_PROVENANCE.json missing\n`);
+    process.exitCode = 2;
+    return;
+  }
+  const prov = JSON.parse(fs.readFileSync(PROV_PATH, "utf8"));
+  const sourceRepo = prov.source_repo;
+  const pinnedCommit = prov.pinned_commit;
+  if (!sourceRepo || !pinnedCommit) {
+    process.stderr.write(`_PROVENANCE.json missing source_repo or pinned_commit\n`);
+    process.exitCode = 2;
+    return;
+  }
+
+  const findings = [];
+  for (const [name, info] of Object.entries(prov.files || {})) {
+    const url = rawUrlForPin(sourceRepo, pinnedCommit, info.upstream_path);
+    if (!url) {
+      findings.push({ name, ok: false, reason: `cannot compute raw URL for ${sourceRepo}` });
+      continue;
+    }
+    try {
+      const buf = await fetchBuffer(url, opts.timeoutMs);
+      const sha = crypto.createHash("sha256").update(buf).digest("hex");
+      if (info.upstream_sha256_at_pin && sha !== info.upstream_sha256_at_pin) {
+        findings.push({
+          name,
+          ok: false,
+          reason:
+            `upstream sha mismatch: recorded ${String(info.upstream_sha256_at_pin).slice(0, 12)}…, ` +
+            `live ${sha.slice(0, 12)}…`,
+          url,
+        });
+      } else {
+        findings.push({ name, ok: true, sha, url });
+      }
+    } catch (e) {
+      findings.push({ name, ok: false, reason: `fetch failed: ${e.message}`, url });
+    }
+  }
+
+  const failed = findings.filter((f) => !f.ok);
+  if (opts.json) {
+    process.stdout.write(JSON.stringify({ ok: failed.length === 0, findings }, null, 2) + "\n");
+  } else {
+    for (const f of findings) {
+      if (f.ok) process.stdout.write(`PASS  ${f.name}  ${f.sha.slice(0, 12)}…\n`);
+      else process.stdout.write(`FAIL  ${f.name}  ${f.reason}\n`);
+    }
+    process.stdout.write(
+      `\n${findings.length - failed.length}/${findings.length} vendored files match upstream pin.\n`
+    );
+  }
+  process.exitCode = failed.length === 0 ? 0 : 1;
+}
+
+if (require.main === module) {
+  main().catch((e) => {
+    process.stderr.write(`runtime error: ${e.message}\n`);
+    process.exitCode = 2;
+  });
+}
+
+module.exports = { rawUrlForPin, fetchBuffer };

package/scripts/verify-shipped-tarball.js

@@ -18,6 +18,20 @@
  * The bug was invisible because CI's verify ran against the SOURCE tree,
  * not the shipped tarball. This gate closes that gap.
  *
+ * Audit G:
+ *   F9  — After the first-pass extraction (using the source-tree parseTar),
+ *         re-parse the tarball using the parseTar shipped INSIDE the
+ *         extracted tree itself. If the two parses disagree, fail with a
+ *         structured error. Catches the class where the shipped parser
+ *         silently rejects entries the source parser accepts (or vice
+ *         versa), which would mean operators run a different extractor
+ *         than CI exercised.
+ *   F15 — Invoke `npm pack --offline` so the gate cannot be blocked by
+ *         registry reachability problems during predeploy.
+ *   F4  — Cross-check the extracted public.pem against
+ *         keys/EXPECTED_FINGERPRINT (warn-and-continue when missing, fail
+ *         when present-but-mismatched and KEYS_ROTATED != 1).
+ *
  * Exit codes:
  *   0  verify passed against the packed tarball
  *   1  verify failed against the packed tarball (the bug class above)
@@ -42,7 +56,10 @@ function fail(msg, code = 1) {
 const tmpRoot = fs.mkdtempSync(path.join(os.tmpdir(), "verify-shipped-"));
 try {
   emit(`packing into ${tmpRoot} ...`);
-  const pack = spawnSync("npm", ["pack", "--pack-destination", tmpRoot], {
+  // F15 — pass --offline. Predeploy must run without registry
+  // reachability; `npm pack` does not need the network for a local
+  // package and forcing offline mode hard-locks the assumption.
+  const pack = spawnSync("npm", ["pack", "--offline", "--pack-destination", tmpRoot], {
     cwd: ROOT,
     encoding: "utf8",
     shell: process.platform === "win32",
@@ -60,10 +77,10 @@ try {
   const extractDir = path.join(tmpRoot, "extract");
   fs.mkdirSync(extractDir, { recursive: true });
   const zlib = require("zlib");
-  const { parseTar } = require(path.join(ROOT, "lib", "refresh-network.js"));
+  const { parseTar: parseTarSource } = require(path.join(ROOT, "lib", "refresh-network.js"));
   const tgz = fs.readFileSync(tarballPath);
   const tarBuf = zlib.gunzipSync(tgz);
-  const entries = parseTar(tarBuf);
+  const entries = parseTarSource(tarBuf);
   for (const e of entries) {
     if (!e.name) continue;
     const dst = path.join(extractDir, e.name);
@@ -77,6 +94,65 @@ try {
   }
   emit(`extracted to ${pkgRoot}`);
 
+  // Audit G F9 — load the extracted tree's OWN parseTar and re-parse the
+  // tarball. If the two parsers diverge on entry list or content, the
+  // gate trips: this means CI exercised a different parser than operators
+  // will. Defense against drift between source and shipped tarball when
+  // someone edits lib/refresh-network.js without re-vendoring or vice
+  // versa.
+  const shippedParserPath = path.join(pkgRoot, "lib", "refresh-network.js");
+  if (!fs.existsSync(shippedParserPath)) {
+    fail(`extracted tree missing lib/refresh-network.js (cannot run F9 cross-parse check)`, 2);
+  }
+  let parseTarShipped;
+  try {
+    parseTarShipped = require(shippedParserPath).parseTar;
+  } catch (e) {
+    fail(`failed to load extracted parseTar: ${e.message}`, 2);
+  }
+  if (typeof parseTarShipped !== "function") {
+    fail(`extracted lib/refresh-network.js does not export parseTar`, 2);
+  }
+  const shippedEntries = parseTarShipped(tarBuf);
+  // Compare counts first — fast bailout.
+  const divergences = [];
+  if (shippedEntries.length !== entries.length) {
+    divergences.push(
+      `entry count divergence: source-tree parser produced ${entries.length}, ` +
+      `shipped parser produced ${shippedEntries.length}`
+    );
+  } else {
+    // Walk in parallel; tarball entry order is deterministic so positional
+    // compare is correct. Compare name + byte length + body bytes.
+    for (let i = 0; i < entries.length; i++) {
+      const a = entries[i];
+      const b = shippedEntries[i];
+      if (a.name !== b.name) {
+        divergences.push(`entry[${i}] name mismatch: source=${a.name} shipped=${b.name}`);
+        continue;
+      }
+      const aBuf = Buffer.isBuffer(a.body) ? a.body : Buffer.from(a.body);
+      const bBuf = Buffer.isBuffer(b.body) ? b.body : Buffer.from(b.body);
+      if (aBuf.length !== bBuf.length || !aBuf.equals(bBuf)) {
+        divergences.push(
+          `entry[${i}] (${a.name}) body bytes differ between source-tree and shipped parser ` +
+          `(source ${aBuf.length} bytes vs shipped ${bBuf.length} bytes)`
+        );
+      }
+    }
+  }
+  if (divergences.length > 0) {
+    emit(`*** F9: parseTar divergence between source-tree and shipped tree ***`);
+    for (const d of divergences.slice(0, 5)) emit(`  - ${d}`);
+    if (divergences.length > 5) emit(`  ... and ${divergences.length - 5} more`);
+    fail(
+      `parseTar implementations diverge between source tree and shipped tarball. ` +
+      `Operators will run a different extractor than CI exercised. Refusing to publish.`,
+      1
+    );
+  }
+  emit(`F9: source-tree and shipped parseTar agree on ${entries.length} entries`);
+
   // Run the verifier inline against the extracted package tree. This avoids
   // having to spawn a separate process whose cwd resolution differs across
   // platforms.
@@ -108,6 +184,33 @@ try {
     emit(`*** Something between sign and pack is swapping the key. Verify will fail below. ***`);
   }
 
+  // Audit G F4 — key-pin cross-check against the EXTRACTED tree. The pin
+  // is consumed from keys/EXPECTED_FINGERPRINT in the extracted package —
+  // that's the file operators will actually receive on `npm install`.
+  // Warn when absent, fail when present-but-mismatched (unless KEYS_ROTATED).
+  const expectedFpPath = path.join(pkgRoot, "keys", "EXPECTED_FINGERPRINT");
+  if (fs.existsSync(expectedFpPath)) {
+    const raw = fs.readFileSync(expectedFpPath, "utf8").trim();
+    const firstLine = raw.split(/\r?\n/).map((l) => l.trim()).find((l) => l.length > 0) || "";
+    const liveFpLine = `SHA256:${pubFp}`;
+    if (firstLine !== liveFpLine) {
+      if (process.env.KEYS_ROTATED === "1") {
+        emit(`WARN: extracted public.pem fingerprint ${liveFpLine} differs from pin ${firstLine}; KEYS_ROTATED=1 accepted`);
+      } else {
+        fail(
+          `keys/EXPECTED_FINGERPRINT (${firstLine}) does not match the extracted ` +
+          `public.pem fingerprint (${liveFpLine}). If this is an intentional rotation ` +
+          `set KEYS_ROTATED=1 and commit the new pin.`,
+          1
+        );
+      }
+    } else {
+      emit(`F4: key pin verified — ${liveFpLine} matches keys/EXPECTED_FINGERPRINT`);
+    }
+  } else {
+    emit(`WARN: keys/EXPECTED_FINGERPRINT not in extracted tree — key-pin check skipped`);
+  }
+
   let pass = 0, miss = 0, fail_count = 0;
   const failures = [];
   for (const s of (manifest.skills || [])) {

package/skills/ai-attack-surface/skill.md

@@ -63,7 +63,7 @@ The AI attack surface is not speculative. It is actively exploited. The followin
 
 ### 1. Prompt Injection as Enterprise RCE
 
-**CVE-2025-53773** — Hidden prompt injection in GitHub Copilot PR descriptions enabling RCE. CVSS 9.6. The attack embeds adversarial instructions in GitHub PR descriptions. When a developer uses GitHub Copilot to review or summarize the PR, the injected instructions execute in the context of the developer's session, enabling remote code execution.
+**CVE-2025-53773** — Hidden prompt injection in GitHub Copilot agent mode coerces the assistant to write `"chat.tools.autoApprove": true` into `.vscode/settings.json`, flipping every subsequent tool call into auto-approval. CVSS 7.8 (AV:L — local-vector through developer-side IDE interaction; RWEP 30). The attack embeds adversarial instructions in any agent-readable content (source comments, README, PR descriptions, retrieved docs, MCP tool responses). Once the YOLO-mode flag lands, the next shell tool call executes attacker-chosen commands in the developer's user context.
 
 This is not a chatbot trick. This is enterprise RCE via a developer tool used by hundreds of millions of developers. The attack surface is any system that:
 - Feeds external content (user input, web content, documents, PR descriptions, emails, calendar events) into an LLM prompt
@@ -71,13 +71,13 @@ This is not a chatbot trick. This is enterprise RCE via a developer tool used by
 
 **Attack success rates against SOTA defenses:** A 2026 meta-analysis of 78 studies found adaptive prompt injection strategies succeed against state-of-the-art defenses at rates exceeding 85%. No current framework has adequate controls for this.
 
-**ATLAS ref:** AML.T0054 (Craft Adversarial Data — NLP)
+**ATLAS ref:** AML.T0054 (LLM Jailbreak) and AML.T0051 (LLM Prompt Injection)
 
 ### 2. MCP Supply Chain — Architectural RCE
 
 The Model Context Protocol (MCP) introduced an architectural vulnerability affecting every major AI coding assistant: Cursor, VS Code + GitHub Copilot, Windsurf, Claude Code, Gemini CLI.
 
-**CVE-2026-30615** — Windsurf. Zero user interaction required. The vulnerability allows a malicious MCP server (or a compromised legitimate MCP server) to execute arbitrary code in the context of the AI assistant. 150M+ affected downloads.
+**CVE-2026-30615** — Windsurf MCP. CVSS 8.0 (AV:L — local-vector RCE requiring attacker-controlled HTML the MCP client processes; RWEP 35). The vulnerability allows a malicious or compromised MCP server to drive code execution in the context of the AI assistant once a victim installs it. 150M+ combined downloads across MCP-capable assistants share the same architectural attack surface.
 
 This is a supply chain attack surface. Every MCP server a user installs is a potential RCE vector. Trust boundaries that exist for npm packages do not exist for MCP servers because most MCP clients do not enforce signed manifests or tool allowlists.
 
@@ -89,13 +89,13 @@ This is a supply chain attack surface. Every MCP server a user installs is a pot
 
 The implication: the time between a vulnerability's introduction into a codebase and its reliable exploitation has compressed from months or years to hours or days for AI-capable threat actors. Patch management SLAs designed for human-speed exploit development are structurally inadequate.
 
-**ATLAS ref:** AML.T0017 (Develop Capabilities)
+**ATLAS ref:** AML.T0016 (Obtain Capabilities: Develop Capabilities)
 
 ### 4. AI Credential Phishing Acceleration
 
 Credential theft driven by AI increased 160% in 2025. 82.6% of phishing emails now contain AI-generated content undetectable by grammar/style checks. Traditional phishing detection heuristics (poor grammar, unusual phrasing, template patterns) are no longer reliable detectors.
 
-**ATLAS ref:** AML.T0018 (Acquire Public ML Artifacts — misuse of generation capability)
+**ATLAS ref:** AML.T0016 (Obtain Capabilities: Develop Capabilities — misuse of public AI APIs to generate phishing payloads)
 
 ### 5. AI as Covert C2 — SesameOp
 
@@ -127,6 +127,14 @@ Training pipeline targeting has moved beyond data injection to directly biasing
 
 AI-assisted reconnaissance is observed at 36,000 probes per second per campaign. Traditional rate-based detection (100–1,000 req/s threshold alerts) does not fire at legitimate-looking distributed AI-directed probe rates until significant reconnaissance has already occurred.
 
+### 10. LLM-Gateway Credential Theft as AI Attack Surface
+
+**CVE-2026-42208** — BerriAI LiteLLM Proxy authorization-header SQL injection (CVSS 9.8 / CVSS v4 9.3 / CISA KEV-listed 2026-05-08, due 2026-05-29). LiteLLM is the open-source LLM-API gateway used in front of agent stacks, MCP-server fronts, and multi-model proxy deployments — exactly the trust hinge that this skill's threat-context section treats as the credential boundary for hosted-model use. The proxy concatenated an attacker-controlled `Authorization` header value into a SQL query in the error-logging path, so a single curl-able POST against `/chat/completions` with a SQL-injection payload returns the managed-credentials DB content without prior auth. Patched in 1.83.7+; temporary workaround `general_settings: disable_error_logs: true`. Any organisation whose AI attack-surface inventory treats the LLM gateway as "just a reverse proxy" misses that the gateway holds every downstream model-provider credential.
+
+### 11. AI-Discovered + AI-Weaponized Supply-Chain Worms
+
+**CVE-2026-45321** — Mini Shai-Hulud TanStack npm worm (CVSS 9.6, ~150M weekly downloads across 42 @tanstack/* packages, CISA KEV pending). Disclosed 2026-05-11. The attack chain — Pwn-Request via `pull_request_target` on TanStack's bundle-size workflow, pnpm-store cache poisoning under the `actions/cache` key, and OIDC-token theft on the next main push — is engineering-grade and weaponizes three independently-benign primitives. While attribution (TeamPCP) records no AI-assisted exploit development for this specific instance, the worm pattern is exactly what AML.T0016-class capability-development now produces at AI cadence: chained CI/CD primitives that no individual component owner recognises as exploitable. Treat the @tanstack/* surface as an exemplar of the broader AML.T0010 (ML Supply Chain Compromise) threat applied to JS toolchains that the AI assistant ecosystem depends on.
+
 ---
 
 ## Framework Lag Declaration
@@ -150,14 +158,14 @@ AI-assisted reconnaissance is observed at 36,000 probes per second per campaign.
 
 | ATLAS ID | Technique | Framework Coverage | Gap Description | Exploitation Example |
 |---|---|---|---|---|
-| AML.T0054 | Craft Adversarial Data — NLP | Missing in all major frameworks | No control covers adversarial text injection into LLM prompts | CVE-2025-53773 (GitHub Copilot RCE) |
+| AML.T0054 | LLM Jailbreak | Missing in all major frameworks | No control covers adversarial-instruction injection that bypasses guardrails and coerces the model into attacker-chosen actions | CVE-2025-53773 (GitHub Copilot YOLO-mode RCE) |
 | AML.T0010 | ML Supply Chain Compromise | Partial (ISO A.8.30) | A.8.30 covers outsourced development; does not cover MCP server trust, package signing for AI tools | CVE-2026-30615 (Windsurf MCP) |
 | AML.T0096 | LLM Integration Abuse (C2) | Missing in all major frameworks | No framework has a control for AI API traffic as C2 channel | SesameOp campaign |
 | AML.T0020 | Poison Training Data | Partial (NIST AI RMF) | NIST AI RMF identifies the risk; no specific technical control | Supply chain logistics model poisoning |
 | AML.T0043 | Craft Adversarial Data | Partial (SI-10) | SI-10 covers web input validation; not semantic injection in LLM prompts | RAG vector manipulation |
 | AML.T0051 | LLM Prompt Injection | Missing in all major frameworks | Zero controls in NIST, ISO, SOC 2, PCI for prompt injection | CVE-2025-53773, indirect injection via retrieved docs |
-| AML.T0017 | Develop Capabilities | Partial (awareness only) | No framework requires monitoring for AI-assisted exploit development against the org | Copy Fail AI discovery, 41% of 2025 0-days |
-| AML.T0016 | Acquire Public ML Artifacts | Missing (misuse dimension) | Frameworks don't address adversary use of public AI APIs for reconnaissance/attack | PROMPTFLUX, PROMPTSTEAL, phishing generation |
+| AML.T0017 | Discover ML Model Ontology | Partial (awareness only) | No framework requires monitoring for adversary mapping of deployed model family, guardrail surface, or system-prompt structure via inference-API probing | Reconnaissance step preceding PROMPTSTEAL-class targeting; AML-model registry exposure |
+| AML.T0016 | Obtain Capabilities: Develop Capabilities | Missing (misuse dimension) | Frameworks don't address adversary AI-assisted exploit development or use of public AI APIs to craft malware/phishing payloads | Copy Fail AI discovery (41% of 2025 0-days), PROMPTFLUX, PROMPTSTEAL, phishing generation |
 | AML.T0018 | Backdoor ML Model | Partial (NIST AI RMF) | No technical control requirements for model integrity verification | Training pipeline poisoning |
 
 ---
@@ -166,8 +174,8 @@ AI-assisted reconnaissance is observed at 36,000 probes per second per campaign.
 
 | Vulnerability | CVSS | RWEP | KEV | PoC | AI-Accelerated | Active Exploitation |
 |---|---|---|---|---|---|---|
-| CVE-2025-53773 (Copilot prompt injection RCE) | 9.6 | 91 | No | Yes — demonstrated | Yes (AI tooling enables) | Suspected |
-| CVE-2026-30615 (Windsurf MCP RCE) | 9.8 | 94 | No | Partial | No | Suspected |
+| CVE-2025-53773 (Copilot YOLO-mode RCE) | 7.8 | 30 | No | Yes — demonstrated | Yes (AI tooling enables) | Suspected |
+| CVE-2026-30615 (Windsurf MCP local-vector RCE) | 8.0 | 35 | No | Partial | No | Suspected |
 | SesameOp (AI C2 technique) | N/A | N/A | N/A | Yes (ATLAS documented) | Yes | Confirmed campaign |
 | PROMPTFLUX family | N/A | N/A | N/A | Behavioral signatures | Yes | Active |
 | PROMPTSTEAL family | N/A | N/A | N/A | Behavioral signatures | Yes | Active |