@blamejs/exceptd-skills 0.12.15 → 0.12.16

package/data/_indexes/_meta.json

@@ -1,13 +1,13 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-14T16:47:17.975Z",
+  "generated_at": "2026-05-14T17:43:16.339Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 50,
   "source_hashes": {
-    "manifest.json": "e0db0f6421e782c796a972277b1ac6774222fa245ae109b87a29f5122a6eb972",
+    "manifest.json": "bfe5d173b001ae1f279ec620f84a1b5e7ae9236d51c1e814f22bf6fe66361835",
     "data/atlas-ttps.json": "20339e0ae3cd89c06f1385be31c50f408f827edc2e8ab8aef026ade3bcf0a917",
     "data/attack-techniques.json": "6db08a8e8a4d03d9309b1d185112de7f3c9595d2cd3d24566b7ce0b3b8aa5d1a",
-    "data/cve-catalog.json": "54e04fc72a1b85dd75d46dbbf646bed5f489f867df752800c62498fc0d4ee428",
+    "data/cve-catalog.json": "6e198d414a3a86dcae93ef36a2b1978734d0b1224fa66ba5184819ea0e3fb49f",
     "data/cwe-catalog.json": "19893d2a7139d86ff3fcf296b0e6cda10e357727a1d1ffb56af282104e99157a",
     "data/d3fend-catalog.json": "d219520c8d3eb61a270b25ea60f64721035e98a8d5d51d1a4e1f1140d9a586f9",
     "data/dlp-controls.json": "8ea8d907aea0a2cfd772b048a62122a322ba3284a5c36a272ad5e9d392564cb5",

package/data/cve-catalog.json

@@ -1226,4 +1226,4 @@
     },
     "last_updated": "2026-05-13"
   }
-}
+}

package/data/playbooks/ai-api.json

@@ -67,7 +67,9 @@
       "T1552.001",
       "T1555"
     ],
-    "cve_refs": [],
+    "cve_refs": [
+      "CVE-2026-30615"
+    ],
     "cwe_refs": [
       "CWE-522",
       "CWE-256",

package/data/playbooks/containers.json

@@ -29,7 +29,9 @@
         "on_fail": "halt"
       }
     ],
-    "mutex": [],
+    "mutex": [
+      "library-author"
+    ],
     "feeds_into": [
       {
         "playbook_id": "kernel",
@@ -38,13 +40,19 @@
       {
         "playbook_id": "secrets",
         "condition": "always"
+      },
+      {
+        "playbook_id": "sbom",
+        "condition": "container-image-layers.length > 0"
       }
     ]
   },
   "domain": {
     "name": "Container runtime posture + manifest review",
     "attack_class": "container-escape",
-    "atlas_refs": [],
+    "atlas_refs": [
+      "AML.T0010"
+    ],
     "attack_refs": [
       "T1611",
       "T1610",
@@ -213,7 +221,7 @@
       ]
     },
     "direct": {
-      "threat_context": "Container escape attack class in 2025-2026 is dominated by the runc / containerd / kubelet CVE chain. CVE-2024-21626 'Leaky Vessels' (runc <1.1.12 working-directory race → fd leak into host) shipped Jan 2024 with public PoC and is the canonical container-escape primitive; subsequent runc/containerd CVEs follow the same pattern (host-resource leakage via misconfigured isolation). Mandiant 2025 IR report: ~22% of cloud-tenant compromises involved a container-escape step. The escape is exquisitely sensitive to manifest posture: privileged: true grants the attacker the full host kernel (LPE without escape); hostPID/hostNetwork/hostIPC grant cross-pod visibility; runAsUser: 0 + writable host mount = direct host write. seccompProfile + AppArmor profile presence is the primary mitigation. Manifests in repos are the attestation-vs-reality battleground — admission controllers reject some but not all anti-patterns, depending on policy maturity.",
+      "threat_context": "Container escape attack class in 2025-2026 is dominated by the runc / containerd / kubelet CVE chain. Public runc / containerd / kubelet escape primitives — including the 2024 'Leaky Vessels' working-directory race class — establish the canonical pattern: host-resource leakage (fd, mount, /proc) via misconfigured isolation. Subsequent CVEs in the runc/containerd/kubelet chain follow the same shape. Mandiant 2025 IR report: ~22% of cloud-tenant compromises involved a container-escape step. The escape is exquisitely sensitive to manifest posture: privileged: true grants the attacker the full host kernel (LPE without escape); hostPID/hostNetwork/hostIPC grant cross-pod visibility; runAsUser: 0 + writable host mount = direct host write. seccompProfile + AppArmor profile presence is the primary mitigation. Manifests in repos are the attestation-vs-reality battleground — admission controllers reject some but not all anti-patterns, depending on policy maturity.",
       "rwep_threshold": {
         "escalate": 85,
         "monitor": 65,

package/data/playbooks/cred-stores.json

@@ -43,7 +43,9 @@
   "domain": {
     "name": "Per-user credential store inventory + identity-assurance posture",
     "attack_class": "identity-abuse",
-    "atlas_refs": [],
+    "atlas_refs": [
+      "AML.T0055"
+    ],
     "attack_refs": [
       "T1078",
       "T1552.001",

package/data/playbooks/crypto-codebase.json

@@ -393,77 +393,77 @@
         },
         {
           "id": "hash-primitive-call-sites",
-          "type": "file_path",
+          "type": "file",
           "source": "Grep across the repo (excluding test/spec/fixture/node_modules/vendor/.venv/target/dist/build) for hash-primitive call sites. Patterns: `crypto.createHash\\(`, `crypto.createHmac\\(`, `hashlib\\.(md5|sha1|sha224|sha256|sha384|sha512|blake2b|blake2s|sha3_)`, `MessageDigest\\.getInstance\\(`, `Digest::(MD5|SHA1|SHA256)`, `hash/md5`, `hash/sha1`, `\"md5\"`, `\"sha1\"`, `\"sha-1\"`, `\"sha256\"`, `\"sha3-256\"`. Use Grep with multiline=true where the algorithm-name string is on a different line from the constructor.",
           "description": "Every hash-primitive call site. Distinguish security-context usage (signature input, MAC input, integrity check, password derivation, token derivation) from non-security usage (cache key, ETag, dedup). The non-security distinction must be evidenced inline; absent evidence, treat as security-context.",
           "required": true
         },
         {
           "id": "cipher-and-kex-call-sites",
-          "type": "file_path",
+          "type": "file",
           "source": "Grep for cipher and KEX call sites: `createCipheriv\\(`, `createDecipheriv\\(`, `crypto\\.publicEncrypt\\(`, `crypto\\.privateDecrypt\\(`, `createDiffieHellman\\(`, `createECDH\\(`, `crypto\\.generateKeyPair`, `Cipher\\.getInstance\\(`, `aesgcm`, `ChaCha20Poly1305`, `\\.(seal|open)\\(`, `OpenSSL::Cipher`, hardcoded curve names `\"P-256\"`, `\"secp256r1\"`, `\"prime256v1\"`, `\"P-384\"`, `\"secp384r1\"`, `\"P-521\"`, `\"secp521r1\"`, `\"secp256k1\"`, `\"X25519\"`, `\"X448\"`.",
           "description": "Cipher and key-exchange call sites. Identify mode (GCM/CBC/CTR/ECB), curve, key size, IV-generation pattern. ECB mode anywhere is a hard fail. CBC without HMAC is a hard fail. AES-128 without GCM authenticator is a finding.",
           "required": true
         },
         {
           "id": "signature-call-sites",
-          "type": "file_path",
+          "type": "file",
           "source": "Grep for signature operations: `crypto\\.sign\\(`, `crypto\\.verify\\(`, `Signature\\.getInstance\\(`, `\\.sign_pss\\(`, `\\.verify_pss\\(`, `RSA-PSS`, `RSA-PKCS1`, `ECDSA`, `Ed25519`, `Ed448`, `ML-DSA`, `Dilithium`, `SLH-DSA`, `SPHINCS`. Capture key sizes for RSA (look for `modulusLength`, `key_size`, `--rsa-2048` literals), curve choice for ECDSA, hash choice paired with signature (RSA-SHA1 is a hard fail).",
           "description": "Signature scheme inventory. RSA-1024 anywhere is a hard fail; RSA-2048 with > 5-year sensitivity requires PQC roadmap; ECDSA-P256 acceptable today but needs hybrid ML-DSA migration plan; bare RSA-PKCS1 (not PSS) for new signatures is a finding.",
           "required": true
         },
         {
           "id": "kdf-call-sites",
-          "type": "file_path",
+          "type": "file",
           "source": "Grep for key-derivation calls: `pbkdf2(Sync)?\\(`, `PBKDF2`, `hashlib\\.pbkdf2_hmac`, `bcrypt\\.(hash|hashSync|compare)`, `scrypt(Sync)?\\(`, `argon2\\.(hash|verify)`, `argon2id`, `hkdf\\(`, `HKDF`, `derive_key`. For each, extract the cost parameters: PBKDF2 iterations, bcrypt cost factor, scrypt N/r/p, argon2 t/m/p.",
           "description": "Key-derivation parameter inventory. Apply OWASP 2023 minimums: PBKDF2-HMAC-SHA256 >= 600,000; PBKDF2-HMAC-SHA512 >= 210,000; bcrypt cost >= 12; scrypt N >= 2^17, r=8, p=1; argon2id m >= 19 MiB (19456 KiB), t >= 2, p >= 1. Any parameter below minimum is a finding.",
           "required": true
         },
         {
           "id": "rng-call-sites",
-          "type": "file_path",
+          "type": "file",
           "source": "Grep for RNG sources: `Math\\.random\\(`, `random\\.random\\(`, `random\\.randint\\(`, `random\\.choice\\(`, `rand\\(`, `srand\\(`, `mt_rand\\(`, `secrets\\.(token_|randbits|choice)`, `crypto\\.randomBytes\\(`, `crypto\\.getRandomValues\\(`, `crypto\\.randomUUID\\(`, `os\\.urandom\\(`, `getrandom\\(`, `SecureRandom`, `OsRng`, `ThreadRng`, `/dev/urandom`, `/dev/random`. Capture file_path:line for each.",
           "description": "RNG-source inventory. Production-context Math.random / random.random / rand without cryptographic-RNG fallback is CWE-338. Distinguish test/spec/fixture usage explicitly via path allowlist; production usage requires a cryptographic RNG.",
           "required": true
         },
         {
           "id": "hardcoded-key-material",
-          "type": "file_path",
+          "type": "file",
           "source": "Grep for hardcoded crypto material: PEM markers `-----BEGIN (RSA |EC |DSA |PRIVATE |PUBLIC |CERTIFICATE )?(PRIVATE|PUBLIC) KEY-----`, SSH key prefixes `ssh-rsa AAAA`, `ssh-ed25519 AAAA`, `ecdsa-sha2-nistp256 AAAA`, hex-blob heuristics for keys (>= 64 hex chars on a single literal line), base64-encoded blobs >= 256 chars in source files. Cross-reference with the `secrets` playbook for the exfil-secret angle; here the focus is library-author shipping defaults that look like keys (e.g. example certs, demo keys, sample HMAC seeds that downstream consumers fail to rotate).",
           "description": "Hardcoded key material shipped with the library. Library-author angle: any 'demo' or 'example' key that downstream consumers fail to rotate becomes a universal-default vulnerability (cf. embedded-router demo keys, Wi-Fi default WPA keys, IoT bootloader signing keys).",
           "required": false
         },
         {
           "id": "tls-config-construction",
-          "type": "file_path",
+          "type": "file",
           "source": "Grep for in-code TLS context construction: `tls\\.createSecureContext`, `tls\\.createServer`, `https\\.createServer`, `ssl\\.SSLContext\\(`, `ssl\\.create_default_context`, `rustls::ServerConfig`, `rustls::ClientConfig`, `tls\\.Config\\{`, `SSL_CTX_new`, options like `minVersion`, `maxVersion`, `secureProtocol`, `ciphers`, `ecdhCurve`, `sigalgs`, `groups`, `ALPNProtocols`.",
           "description": "In-code TLS configuration. Library authors that construct TLS contexts internally must default to TLS 1.3 minimum, X25519MLKEM768 group preference (when openssl >= 3.5 detected), modern cipher list. Hardcoded `secureProtocol: 'TLSv1_method'` or `minVersion: 'TLSv1'` is a hard fail.",
           "required": false
         },
         {
           "id": "pqc-adoption-signals",
-          "type": "file_path",
+          "type": "file",
           "source": "Grep for PQC adoption: `ml[-_]?kem`, `ml[-_]?dsa`, `slh[-_]?dsa`, `kyber`, `dilithium`, `sphincs`, `falcon`, `kemEncapsulate`, `kemDecapsulate`, `EVP_KEM_`, `OQS_KEM_`, `oqsprovider`, `liboqs`, `noble-post-quantum`, `pqcrypto::`, `aws-lc-rs::pqc`, `circl/sign/dilithium`, `circl/kem/kyber`.",
           "description": "PQC adoption signals. If `pqc-readiness-gap` directive runs, this artifact is the primary input. Distinguish concrete cryptographic operations from configuration strings, feature-flag names, and comments.",
           "required": false
         },
         {
           "id": "fips-provider-activation",
-          "type": "file_path",
+          "type": "file",
           "source": "Grep for FIPS-mode activation: `OSSL_PROVIDER_load.*fips`, `crypto\\.setFips\\(`, `openssl::provider::Provider::load_default`, `Provider::load.*\"fips\"`, openssl.cnf or fipsmodule.cnf files in the repo, environment-variable references to `OPENSSL_FIPS`, `OPENSSL_CONF`. Capture whether the activation is conditional (e.g. only if env var set) or unconditional.",
           "description": "FIPS-provider activation evidence. The `fips-validation-status` directive uses this to distinguish runtime FIPS activation from link-time FIPS claims.",
           "required": false
         },
         {
           "id": "vendored-crypto-tree",
-          "type": "file_path",
+          "type": "file",
           "source": "Glob for vendored crypto: `vendor/**/{crypto,openssl,sodium,nacl,kyber,dilithium,sphincs,curve25519,blake2,sha3,argon2}*`, `third_party/**/*crypto*`, `crates/**/*crypto*` (excluding the package's own crypto module). Look for upstream-reference files: `UPSTREAM`, `ORIGIN`, `PROVENANCE.md`, `.upstream-commit`, integrity hashes in lockfiles.",
           "description": "Vendored cryptographic primitives. Library authors sometimes vendor crypto to reduce dep tree or for licensing reasons. Without provenance + integrity audit, vendored crypto is a supply-chain backdoor opportunity.",
           "required": false
         },
         {
           "id": "ci-crypto-tests",
-          "type": "file_path",
+          "type": "file",
           "source": "Glob for CI configs: `.github/workflows/**/*.yml`, `.gitlab-ci.yml`, `.circleci/config.yml`, `azure-pipelines.yml`, `Jenkinsfile`. Grep for crypto-test invocations, FIPS-test runs, constant-time analysis tools (`dudect`, `valgrind --tool=memcheck` on secret-dependent code, `ctgrind`).",
           "description": "Build-time crypto verification. Absence of constant-time tests on vendored PQC primitives is a finding for the `pqc-readiness-gap` directive.",
           "required": false

package/data/playbooks/crypto.json

@@ -339,7 +339,7 @@
         },
         {
           "id": "libssl-libraries",
-          "type": "file_path",
+          "type": "file",
           "source": "ldconfig -p | grep -E 'libssl|libcrypto|libtls' AND find /usr/lib /usr/local/lib -name 'libssl*' -o -name 'libcrypto*' 2>/dev/null",
           "description": "Installed TLS libraries — catches non-default OpenSSL builds, vendored libcrypto, LibreSSL, BoringSSL.",
           "required": false

package/data/playbooks/hardening.json

@@ -35,7 +35,9 @@
         "on_fail": "warn"
       }
     ],
-    "mutex": [],
+    "mutex": [
+      "kernel"
+    ],
     "feeds_into": [
       {
         "playbook_id": "kernel",

package/data/playbooks/kernel.json

@@ -45,7 +45,9 @@
         "on_fail": "warn"
       }
     ],
-    "mutex": [],
+    "mutex": [
+      "hardening"
+    ],
     "feeds_into": [
       {
         "playbook_id": "sbom",

package/data/playbooks/library-author.json

@@ -43,7 +43,10 @@
         "on_fail": "warn"
       }
     ],
-    "mutex": ["secrets"],
+    "mutex": [
+      "secrets",
+      "containers"
+    ],
     "feeds_into": [
       {
         "playbook_id": "sbom",
@@ -563,14 +566,14 @@
         },
         {
           "id": "signing-key-material",
-          "type": "file_path",
+          "type": "file",
           "source": "Locate: cosign.pub, *.pem (public-key signing artifacts), keys/public.pem, .well-known/openpgpkey/, sigstore-cosign metadata in workflow",
           "description": "Public signing material committed to the repo or referenced from the release workflow.",
           "required": false
         },
         {
           "id": "intoto-attestations",
-          "type": "file_path",
+          "type": "file",
           "source": "Glob: *.intoto.jsonl, *.sigstore, *.sbom.json.sig, *.cdx.json.sig, attestations directory; AND for npm packages: GET https://registry.npmjs.org/${pkg} and inspect dist.attestations",
           "description": "in-toto / Sigstore / SLSA provenance attestations attached to releases.",
           "required": false,
@@ -592,7 +595,7 @@
         },
         {
           "id": "vendored-code",
-          "type": "file_path",
+          "type": "file",
           "source": "List directories: vendor/, third_party/, external/, deps/, internal/vendor/; AND for each: locate provenance manifest (vendor.json, THIRD_PARTY_PROVENANCE.md, modules.txt for Go vendored)",
           "description": "Vendored / bundled third-party code carried in the publisher's own release.",
           "required": false
@@ -644,7 +647,7 @@
         },
         {
           "id": "skill-signing-infrastructure",
-          "type": "file_path",
+          "type": "file",
           "source": "If repo ships skills / plugins / extensions: locate lib/sign.js, lib/verify.js, scripts/sign-skills.*, signatures/, keys/, AND read package.json scripts for sign/verify entries",
           "description": "Specific to AI-tool / plugin / skill publishers: Ed25519 / cosign signing scaffolding.",
           "required": false
@@ -786,7 +789,11 @@
           "description": "Mutable action reference — upstream owner can substitute action code under the same tag.",
           "confidence": "deterministic",
           "deterministic": true,
-          "attack_ref": "T1195.001"
+          "attack_ref": "T1195.001",
+          "false_positive_checks_required": [
+            "If Dependabot is configured (.github/dependabot.yml with package-ecosystem: github-actions, schedule >= weekly) AND the repo has a recent (within last 60 days) Dependabot PR updating action SHAs — the mutable-ref window is bounded; demote to lower-confidence finding (not miss; tag-pinning is still strictly safer than SHA-pinning-with-Dependabot).",
+            "If every mutable ref points to a github-owned action (actions/*, github/*) the supply-chain risk is materially lower than third-party action refs; tag-with-rationale-in-comment is acceptable for github-owned. Demote third-party-only mutable refs above github-owned ones in reporting."
+          ]
         },
         {
           "id": "package-json-provenance-missing",
@@ -839,11 +846,15 @@
         },
         {
           "id": "tag-protection-absent",
-          "type": "api_response",
+          "type": "api_call_sequence",
           "value": "Within the branch-tag-protection artifact: gh api repos/${owner}/${repo}/tags/protection returns empty array OR 404 AND the release-workflows artifact contains a publish workflow that triggers on push tags: ['v*']",
           "description": "Release tags unprotected (theater #6) — any branch can push v* and trigger publish.",
           "confidence": "deterministic",
-          "deterministic": true
+          "deterministic": true,
+          "false_positive_checks_required": [
+            "If repository rulesets (newer model) protect the tag pattern v*.*.* with delete + non-fast-forward + update blocked AND zero bypass actors — the legacy tag-protection-rules API may return empty while protection is in place. Cross-check the rulesets API before flagging.",
+            "If the repository is read-only / archived (archived: true via the repo API) — tag protection is moot; demote to miss."
+          ]
         },
         {
           "id": "release-tag-not-signed",
@@ -871,7 +882,7 @@
         },
         {
           "id": "no-security-txt",
-          "type": "api_response",
+          "type": "api_call_sequence",
           "value": "If product has a primary domain: HTTP 404 / connection failure on /.well-known/security.txt",
           "description": "No RFC 9116 machine-discoverable disclosure path (theater #10).",
           "confidence": "deterministic",
@@ -879,7 +890,7 @@
         },
         {
           "id": "private-vuln-reporting-disabled",
-          "type": "api_response",
+          "type": "api_call_sequence",
           "value": "gh api repos/${owner}/${repo} --jq '.security_and_analysis.private_vulnerability_reporting.status' returns 'disabled'",
           "description": "GitHub private vulnerability reporting off — no OIDC-authenticated disclosure intake.",
           "confidence": "deterministic",

package/data/playbooks/mcp.json

@@ -440,7 +440,7 @@
         },
         {
           "id": "mcp-tool-response-log",
-          "type": "log_pattern",
+          "type": "log",
           "source": "AI client MCP-protocol logs: ~/.claude/logs/mcp/*.jsonl (Claude Code), ~/.cursor/logs/mcp-*.log (Cursor), ~/.codeium/windsurf/logs/mcp_*.log (Windsurf)",
           "description": "v0.12.6: Verbatim tools/list and tools/call response capture. The only artifact that lets ANSI-escape, Unicode-Tag-smuggling, instruction-coercion-grammar, and sensitive-path-reference indicators fire. If client doesn't log MCP responses, mark inconclusive and recommend enabling MCP request/response verbose logging in client settings.",
           "required": false

package/data/playbooks/runtime.json

@@ -68,7 +68,9 @@
       "T1068",
       "T1548.003"
     ],
-    "cve_refs": [],
+    "cve_refs": [
+      "CVE-2026-31431"
+    ],
     "cwe_refs": [
       "CWE-269",
       "CWE-732",

package/data/playbooks/sbom.json

@@ -499,7 +499,7 @@
         },
         {
           "id": "model-weight-files",
-          "type": "file_path",
+          "type": "file",
           "source": "find $HOME ~/.cache/huggingface ~/.cache/torch /var/lib/model-store -type f \\( -name '*.pt' -o -name '*.ckpt' -o -name '*.bin' -o -name '*.safetensors' -o -name '*.gguf' \\) 2>/dev/null AND for each: file <path> AND attempt to identify Sigstore signature / OpenSSF model-signing attestation",
           "description": "Model weight artifacts — needed for AI-supply-chain analysis (ATLAS AML.T0018).",
           "required": false
@@ -528,7 +528,7 @@
         },
         {
           "id": "tanstack-payload-sweep",
-          "type": "file_path",
+          "type": "file",
           "source": "find node_modules -path '*/@tanstack/*' \\( -name 'router_init.js' -o -name 'router_runtime.js' \\) 2>/dev/null",
           "description": "CVE-2026-45321 IoC sweep — payload markers inside any installed @tanstack/* package. Captures both flat npm and pnpm-style nested layouts.",
           "required": false

package/data/playbooks/secrets.json

@@ -35,7 +35,9 @@
         "on_fail": "warn"
       }
     ],
-    "mutex": [],
+    "mutex": [
+      "library-author"
+    ],
     "feeds_into": [
       {
         "playbook_id": "cred-stores",

package/lib/auto-discovery.js

@@ -31,6 +31,31 @@ const fs = require("fs");
 const path = require("path");
 const { scoreCustom } = require("./scoring");
 
+// audit M P1-C: stored rwep_factors must reproduce the stored rwep_score.
+// `buildScoringInputs` is the single source of truth for both — it captures
+// the conservative defaults applied to a freshly-imported KEV draft (CISA
+// only lists vulnerabilities with documented exploitation, so we assume a
+// public PoC exists; reboot defaults to true because most KEV-listed CVEs
+// land in the kernel / hypervisor / vendor firmware where reboot is the
+// norm). The same input object is then handed to scoreCustom for the score
+// AND mapped into the `rwep_factors` shape stored on the draft. Calling
+// scoring.validate() on the post-import catalog will no longer flag every
+// auto-imported draft for divergence > 5.
+function buildScoringInputs(kevEntry /*, nvdPayload */) {
+  void kevEntry;
+  return {
+    cisa_kev: true,
+    poc_available: true,
+    ai_assisted_weapon: false,
+    ai_discovered: false,
+    active_exploitation: "suspected",
+    blast_radius: 15,
+    patch_available: false,
+    live_patch_available: false,
+    reboot_required: true,
+  };
+}
+
 const TODAY = new Date().toISOString().slice(0, 10);
 const TIMEOUT_MS = 10_000;
 const USER_AGENT = "exceptd-security/auto-discovery (+https://exceptd.com)";
@@ -110,37 +135,17 @@ function buildKevDraftEntry(kevEntry, nvdPayload, epssPayload) {
   const knownRansomware =
     String(kevEntry.knownRansomwareCampaignUse || "").toLowerCase() === "known";
 
-  // Compute initial RWEP. KEV → +25, suspected exploitation → +10.
-  // Unknown PoC/AI flags default to false (conservative — we don't
-  // claim more than we know). Blast radius defaults to 15 (mid-range)
-  // since we can't infer it from KEV metadata alone.
-  const rwep_factors = {
-    cisa_kev: true,
-    poc_available: null,                  // unknown — curation needed
-    ai_assisted_weapon: null,
-    ai_discovered: null,
-    active_exploitation: "suspected",     // KEV listing implies exploitation
-    blast_radius: 15,
-    patch_available: null,
-    live_patch_available: null,
-    reboot_required: null,
-  };
-  // scoreCustom() treats null fields as false, which under-counts the
-  // score. Pass concrete defaults for unknowns: poc_available=true is
-  // the conservative assumption for KEV entries (CISA generally only
-  // adds entries with documented exploitation), and reboot_required=
-  // true biases toward urgency.
-  const rwep_score = scoreCustom({
-    cisa_kev: true,
-    poc_available: true,
-    ai_assisted_weapon: false,
-    ai_discovered: false,
-    active_exploitation: "suspected",
-    blast_radius: 15,
-    patch_available: false,
-    live_patch_available: false,
-    reboot_required: true,
-  });
+  // audit M P1-C: stored rwep_factors and computed rwep_score MUST agree.
+  // Previously rwep_factors held nulls (for unknown poc/ai/reboot) but
+  // rwep_score was computed from concrete defaults (poc=true, reboot=true).
+  // `scoring.validate()` then flagged every auto-imported draft for
+  // divergence > 5. Now: one canonical input object → both surfaces.
+  // The curation flow rewrites these once an operator answers the editorial
+  // questions; until then, the boolean shape on rwep_factors is the
+  // conservative-default snapshot and reproduces the score exactly.
+  const scoringInputs = buildScoringInputs(kevEntry, nvdPayload);
+  const rwep_factors = { ...scoringInputs };
+  const rwep_score = scoreCustom(scoringInputs);
 
   const product = [kevEntry.vendorProject, kevEntry.product]
     .filter(Boolean)

package/lib/cve-curation.js

@@ -43,6 +43,14 @@ const path = require("path");
 //      before deciding promotion.
 const { withCatalogLock } = require("./refresh-external");
 const { validate: validateAgainstSchema } = require("./validate-cve-catalog");
+// audit J F3: derive rwep_score via the canonical scoring helper rather
+// than a blind `Object.values(...).reduce(sum)`. The helper detects shape
+// (boolean inputs → scoreCustom; post-weight numeric inputs → sum + clamp)
+// so the curation apply-path produces a score that matches whatever the
+// catalog scorer or playbook-runner would have produced for the same
+// factors. Direct dependency on scoring.js is intentional — scoring.js is
+// the authoritative formula.
+const { deriveRwepFromFactors } = require("./scoring");
 
 const ROOT = path.resolve(__dirname, "..");
 const CVE_SCHEMA_PATH = path.join(ROOT, "lib", "schemas", "cve-catalog.schema.json");
@@ -562,17 +570,15 @@ function applyAnswersUnderLock(cveId, catalog, catalogPath, answers) {
     appliedFields.push(field);
   }
 
-  // Derive rwep_score from rwep_factors when factors supplied without an
-  // explicit score. lib/scoring.js owns the canonical formula; we sum the
-  // numeric values here as a fallback.
+  // audit J F3: derive rwep_score via the canonical scoring helper rather
+  // than a blind sum. deriveRwepFromFactors detects shape (boolean inputs
+  // → scoreCustom; post-weight numeric inputs → sum + clamp) and routes
+  // accordingly, so the apply-path produces a score that agrees with
+  // scoring.validate() instead of diverging from it.
   if ("rwep_factors" in answers && !("rwep_score" in answers)
       && entry.rwep_factors && typeof entry.rwep_factors === "object") {
-    let sum = 0;
-    for (const v of Object.values(entry.rwep_factors)) {
-      if (typeof v === "number") sum += v;
-    }
-    entry.rwep_score = Math.max(0, Math.min(100, sum));
-    appliedFields.push("rwep_score (derived from rwep_factors)");
+    entry.rwep_score = deriveRwepFromFactors(entry.rwep_factors);
+    appliedFields.push("rwep_score (derived from rwep_factors via scoring.deriveRwepFromFactors)");
   }
 
   // last_updated reflects the apply moment.

package/lib/prefetch.js

@@ -15,8 +15,14 @@
  *   kev/known_exploited_vulnerabilities.json          — full KEV feed
  *   nvd/<cve-id>.json                                 — NVD 2.0 per-CVE response
  *   epss/<cve-id>.json                                — EPSS per-CVE response
- *   ietf/<doc-name>.json                              — IETF Datatracker doc record
- *   github/<owner>__<repo>__releases.json             — releases listing
+ *   rfc/<doc-name>.json                               — IETF Datatracker doc record
+ *   pins/<owner>__<repo>__releases.json               — MITRE GitHub releases listing
+ *
+ * audit M P2-K: the registered source names in SOURCES below are `rfc` and
+ * `pins`. Earlier comments + --help text said `ietf` and `github`; an
+ * operator running `--source ietf` or `--source github` would hit "unknown
+ * source" because no such key exists. The names below are the canonical
+ * ones consumed by --source filtering.
  *
  * Usage:
  *   node lib/prefetch.js                  # fetch everything not fresh
@@ -137,8 +143,8 @@ Sources:
   kev      CISA Known Exploited Vulnerabilities
   nvd      NIST NVD 2.0 per-CVE
   epss     FIRST EPSS per-CVE
-  ietf     IETF Datatracker per-RFC
-  github   MITRE GitHub releases (ATLAS / ATT&CK / D3FEND / CWE)
+  rfc      IETF Datatracker per-RFC
+  pins     MITRE GitHub releases (ATLAS / ATT&CK)
 
 Options:
   --max-age <dur>     skip entries fresher than this (e.g. 12h, 1d). Default: 24h.
@@ -296,7 +302,15 @@ function isFresh(idx, source, id, maxAgeMs) {
 
 function authHeadersForSource(source) {
   if (source === "nvd" && process.env.NVD_API_KEY) return { apiKey: process.env.NVD_API_KEY };
-  if (source === "github" && process.env.GITHUB_TOKEN) return { Authorization: `Bearer ${process.env.GITHUB_TOKEN}` };
+  // audit M P2-J: the registered source name for MITRE GitHub releases is
+  // `pins` (see SOURCES above). The prior check looked for `github`, so
+  // GITHUB_TOKEN never reached the per-request Authorization header and
+  // anonymous-rate-limited fetches were always used even when an operator
+  // had supplied a token. Accept both spellings so this is forgiving of
+  // the historical naming and the registered name.
+  if ((source === "pins" || source === "github") && process.env.GITHUB_TOKEN) {
+    return { Authorization: `Bearer ${process.env.GITHUB_TOKEN}` };
+  }
   return {};
 }
 
@@ -459,13 +473,21 @@ function readCached(cacheDir, source, id, opts = {}) {
   const idx = loadIndex(cacheDir);
   const meta = idx.entries[entryKey(source, id)];
   if (!meta) return null;
-  const ageMs = Date.now() - new Date(meta.fetched_at).getTime();
-  if (!opts.allowStale && ageMs > maxAgeMs) return null;
+  // audit M P2-L: when `fetched_at` is missing / non-string / unparseable,
+  // `new Date(undefined).getTime()` is NaN and `NaN > maxAgeMs` is false —
+  // so the cached entry would have been returned as if fresh. Treat any
+  // non-finite age as "no provenance, refuse" unless the caller explicitly
+  // opted into allowStale.
+  const ageMs = meta.fetched_at ? Date.now() - new Date(meta.fetched_at).getTime() : NaN;
+  if (!opts.allowStale) {
+    if (!meta.fetched_at || !Number.isFinite(ageMs)) return null;
+    if (ageMs > maxAgeMs) return null;
+  }
   const p = entryPath(cacheDir, source, id);
   if (!fs.existsSync(p)) return null;
   try {
     const data = JSON.parse(fs.readFileSync(p, "utf8"));
-    return { data, age_ms: ageMs, meta };
+    return { data, age_ms: Number.isFinite(ageMs) ? ageMs : null, meta };
   } catch {
     return null;
   }

package/lib/refresh-network.js

@@ -357,6 +357,46 @@ async function main() {
     process.exitCode = 5; return;
   }
 
+  // v0.12.16 (audit I P1-5): cross-check the local public key against
+  // keys/EXPECTED_FINGERPRINT (the CI-pinned signing key). The prior
+  // refresh-network code only compared LOCAL ↔ TARBALL fingerprints, so a
+  // coordinated attacker who swapped both `keys/public.pem` on the operator's
+  // host AND the registry tarball passed every check — fingerprints match
+  // each other but match the attacker's key. The pin in EXPECTED_FINGERPRINT
+  // is the external trust anchor that closes this gap.
+  //
+  // Honors `KEYS_ROTATED=1` env to allow legitimate key rotation without
+  // re-bootstrap. Missing EXPECTED_FINGERPRINT file → warn-and-continue
+  // (don't break existing installs whose tree predates the pin file).
+  const expectedFingerprintPath = path.join(ROOT, "keys", "EXPECTED_FINGERPRINT");
+  if (fs.existsSync(expectedFingerprintPath) && !process.env.KEYS_ROTATED) {
+    try {
+      const expectedFp = fs.readFileSync(expectedFingerprintPath, "utf8")
+        .split(/\r?\n/).map(l => l.trim()).find(l => l.length > 0);
+      // v0.12.16 (codex P1 PR #11): `expectedFp` is read verbatim from
+      // keys/EXPECTED_FINGERPRINT (formatted as `SHA256:<base64>`), but
+      // `fingerprintPublicKey()` returns the raw base64 without the
+      // `SHA256:` prefix. Comparing the two raw strings would refuse every
+      // legitimate run unless KEYS_ROTATED=1 was set. Normalize by stripping
+      // the prefix from the pin file before compare. lib/verify.js's
+      // checkExpectedFingerprint() does the symmetric thing (adds the
+      // prefix to localFp); either side works as long as one is canonical.
+      const expectedFpBase64 = expectedFp && expectedFp.startsWith("SHA256:")
+        ? expectedFp.slice("SHA256:".length)
+        : expectedFp;
+      if (expectedFpBase64 && expectedFpBase64 !== localFp) {
+        emit({
+          ok: false,
+          error: `local keys/public.pem fingerprint diverges from keys/EXPECTED_FINGERPRINT pin`,
+          local_fingerprint: "SHA256:" + localFp,
+          pinned_fingerprint: expectedFp,
+          hint: "Either keys/public.pem was rotated since the pin was set (rerun `npm run bootstrap` to re-pin), or the local public.pem was tampered with. Set KEYS_ROTATED=1 to bypass once. Refusing to swap on --network.",
+        }, opts.json);
+        process.exitCode = 5; return;
+      }
+    } catch { /* unreadable pin file = warn-and-continue */ }
+  }
+
   // Verify every signed entry in the tarball manifest using the local key.
   let tarballManifest;
   try { tarballManifest = JSON.parse(tarballManifestEntry.body.toString("utf8")); }