@blamejs/exceptd-skills 0.12.15 → 0.12.18

package/data/playbooks/ai-api.json

@@ -67,7 +67,9 @@
       "T1552.001",
       "T1555"
     ],
-    "cve_refs": [],
+    "cve_refs": [
+      "CVE-2026-30615"
+    ],
     "cwe_refs": [
       "CWE-522",
       "CWE-256",
@@ -472,7 +474,12 @@
           "description": "Primary credential-exposure indicator. Userland code execution → key extraction in milliseconds.",
           "confidence": "deterministic",
           "deterministic": true,
-          "attack_ref": "T1552.001"
+          "attack_ref": "T1552.001",
+          "false_positive_checks_required": [
+            "Decode the key prefix — sk-test-*, sk_test_*, anthropic-test-*, hf_dummy_* and similar documented placeholder formats are SDK quickstart fixtures; demote to miss.",
+            "If the dotfile is under examples/, tests/, fixtures/, docs/, sdk-quickstart/ or a vendor's reference-repo path, treat as documentation; demote to miss unless the key validates against the vendor's live API.",
+            "Verify the key length meets the format's minimum entropy floor (real OpenAI sk-* >=48 chars after prefix; Anthropic sk-ant-* >=40 chars; Google AIza* >=39 chars). Below the floor is a placeholder; demote."
+          ]
         },
         {
           "id": "long-lived-aws-keys",
@@ -481,7 +488,12 @@
           "description": "Long-lived AWS keys in dotfile — high-value target.",
           "confidence": "deterministic",
           "deterministic": true,
-          "attack_ref": "T1552.001"
+          "attack_ref": "T1552.001",
+          "false_positive_checks_required": [
+            "If the access-key prefix is AKIAIOSFODNN7EXAMPLE / wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY or any other documented AWS sample credential pair, demote to miss — these are AWS-published doc fixtures.",
+            "Verify the credentials file resides under examples/, tests/, fixtures/, or a documented vendor-reference path before flagging; demote when so.",
+            "Cross-check via aws sts get-caller-identity (or equivalent dry-run) — if the key is already deactivated/deleted at the vendor side it is a stale revoked credential, demote to lower confidence."
+          ]
         },
         {
           "id": "gcp-service-account-json",
@@ -490,7 +502,12 @@
           "description": "Service-account JSON key (long-lived) in user dotfile — known anti-pattern.",
           "confidence": "deterministic",
           "deterministic": true,
-          "attack_ref": "T1552.001"
+          "attack_ref": "T1552.001",
+          "false_positive_checks_required": [
+            "If the private_key field is the literal value 'PLACEHOLDER' / 'REDACTED' / a PEM body of fewer than 1000 chars, the file is a stub; demote to miss.",
+            "Verify the client_email domain — *@gserviceaccount.com is real; *@example.com, *@test.iam.gserviceaccount.com or fixture-shaped emails are doc samples, demote.",
+            "If the file lives under examples/, tests/, fixtures/, terraform-module-examples/, or a documented quickstart path AND no GOOGLE_APPLICATION_CREDENTIALS env points at it, demote."
+          ]
         },
         {
           "id": "kubeconfig-with-static-token",
@@ -499,7 +516,12 @@
           "description": "Static kube token persists in dotfile.",
           "confidence": "deterministic",
           "deterministic": true,
-          "attack_ref": "T1552.001"
+          "attack_ref": "T1552.001",
+          "false_positive_checks_required": [
+            "If the cluster server URL is https://127.0.0.1:* / https://localhost:* / *.kind / minikube / k3d / docker-for-desktop — this is a local-only kubeconfig with no external blast radius; demote to lower confidence.",
+            "Verify the token field is not the documented kind/minikube/k3d default-bootstrap-token shape (length and prefix match the local-dev distro). If so, demote.",
+            "If the kubeconfig sits inside a CI runner workspace (path matches /home/runner/, /github/workspace/, /builds/, /workspace/) and the token is OIDC-exchanged at job start, treat as ephemeral; demote."
+          ]
         },
         {
           "id": "ai-api-egress-from-unexpected-process",

package/data/playbooks/containers.json

@@ -29,7 +29,9 @@
         "on_fail": "halt"
       }
     ],
-    "mutex": [],
+    "mutex": [
+      "library-author"
+    ],
     "feeds_into": [
       {
         "playbook_id": "kernel",
@@ -38,13 +40,19 @@
       {
         "playbook_id": "secrets",
         "condition": "always"
+      },
+      {
+        "playbook_id": "sbom",
+        "condition": "container-image-layers.length > 0"
       }
     ]
   },
   "domain": {
     "name": "Container runtime posture + manifest review",
     "attack_class": "container-escape",
-    "atlas_refs": [],
+    "atlas_refs": [
+      "AML.T0010"
+    ],
     "attack_refs": [
       "T1611",
       "T1610",
@@ -213,7 +221,7 @@
       ]
     },
     "direct": {
-      "threat_context": "Container escape attack class in 2025-2026 is dominated by the runc / containerd / kubelet CVE chain. CVE-2024-21626 'Leaky Vessels' (runc <1.1.12 working-directory race → fd leak into host) shipped Jan 2024 with public PoC and is the canonical container-escape primitive; subsequent runc/containerd CVEs follow the same pattern (host-resource leakage via misconfigured isolation). Mandiant 2025 IR report: ~22% of cloud-tenant compromises involved a container-escape step. The escape is exquisitely sensitive to manifest posture: privileged: true grants the attacker the full host kernel (LPE without escape); hostPID/hostNetwork/hostIPC grant cross-pod visibility; runAsUser: 0 + writable host mount = direct host write. seccompProfile + AppArmor profile presence is the primary mitigation. Manifests in repos are the attestation-vs-reality battleground — admission controllers reject some but not all anti-patterns, depending on policy maturity.",
+      "threat_context": "Container escape attack class in 2025-2026 is dominated by the runc / containerd / kubelet CVE chain. Public runc / containerd / kubelet escape primitives — including the 2024 'Leaky Vessels' working-directory race class — establish the canonical pattern: host-resource leakage (fd, mount, /proc) via misconfigured isolation. Subsequent CVEs in the runc/containerd/kubelet chain follow the same shape. Mandiant 2025 IR report: ~22% of cloud-tenant compromises involved a container-escape step. The escape is exquisitely sensitive to manifest posture: privileged: true grants the attacker the full host kernel (LPE without escape); hostPID/hostNetwork/hostIPC grant cross-pod visibility; runAsUser: 0 + writable host mount = direct host write. seccompProfile + AppArmor profile presence is the primary mitigation. Manifests in repos are the attestation-vs-reality battleground — admission controllers reject some but not all anti-patterns, depending on policy maturity.",
       "rwep_threshold": {
         "escalate": 85,
         "monitor": 65,
@@ -417,7 +425,12 @@
           "description": "Container will run as root inside the namespace. Combined with any namespace escape, root-on-host.",
           "confidence": "deterministic",
           "deterministic": true,
-          "attack_ref": "T1611"
+          "attack_ref": "T1611",
+          "false_positive_checks_required": [
+            "If the FROM base is a distroless / chainguard / nonroot variant (gcr.io/distroless/*:nonroot, cgr.dev/chainguard/*:latest, *:*-nonroot, scratch with a static binary) AND no later RUN/USER escalates to root, the runtime UID is nonroot by base; demote to miss.",
+            "If the Kubernetes pod spec consuming this image sets runAsNonRoot: true + a non-zero runAsUser, kubelet refuses to start the container as root; demote to lower confidence.",
+            "If the Dockerfile is under a multi-stage build and only the final stage's USER is missing while an intermediate builder stage runs as root (acceptable for builder stages), check the final stage only."
+          ]
         },
         {
           "id": "dockerfile-curl-pipe-bash",
@@ -426,7 +439,12 @@
           "description": "Build-time supply-chain compromise primitive. Compromised CDN or DNS rebind = arbitrary code in image.",
           "confidence": "deterministic",
           "deterministic": true,
-          "attack_ref": "T1195.002"
+          "attack_ref": "T1195.002",
+          "false_positive_checks_required": [
+            "If the curl target is a major-vendor official install path (sh.rustup.rs, get.docker.com, get.pnpm.io, raw.githubusercontent.com/nvm-sh/nvm, sigstore/cosign release URL) AND the pipe is preceded by a documented sha256/gpg verify step in the same RUN, the chain is integrity-checked; demote to lower confidence.",
+            "If the URL is an internal-mirror with --tlsv1.3 + --proto =https + a pinned --cacert and the org's release-engineering runbook documents this mirror, treat as in-policy; demote.",
+            "Confirm the RUN does not chain to an `sudo` / privilege-elevation primitive — pipe-to-shell as an unprivileged builder USER materially reduces blast radius; report at high but not deterministic."
+          ]
         },
         {
           "id": "compose-privileged",
@@ -444,7 +462,12 @@
           "description": "Dangerous capability granted. SYS_ADMIN especially is functionally equivalent to root-on-host.",
           "confidence": "deterministic",
           "deterministic": true,
-          "attack_ref": "T1611"
+          "attack_ref": "T1611",
+          "false_positive_checks_required": [
+            "If the container is a node-exporter / cadvisor / falco / sysdig / metrics-collector sidecar AND its image and pod identity match a documented host-introspection allowlist, the capability is intentional; demote to lower confidence (still report; revisit boundary).",
+            "If cap_drop: [ALL] precedes cap_add AND the user namespace is remapped (userns-remap configured at the daemon level), the effective root inside the container is unprivileged on the host; report at high but not deterministic.",
+            "If the compose file is under tests/, integration/, e2e/ or a development-only directory AND is excluded from production deploy pipelines (check CI for compose-file references), treat as non-shipped configuration."
+          ]
         },
         {
           "id": "compose-host-network",
@@ -453,7 +476,11 @@
           "description": "Host namespace sharing. Cross-process visibility + tampering primitive.",
           "confidence": "deterministic",
           "deterministic": true,
-          "attack_ref": "T1610"
+          "attack_ref": "T1610",
+          "false_positive_checks_required": [
+            "If the service is a known service-mesh data-plane (envoy / linkerd-proxy / istio-proxy / cilium-agent) or a host-metrics sidecar (node-exporter / cadvisor) AND the deployment is documented on an operator-maintained host-network allowlist, demote.",
+            "Verify the compose file is not a dev-only docker-compose.override.yml that won't ship — diff against the production compose; if host-network is dev-only, mark in-scope-for-dev-only."
+          ]
         },
         {
           "id": "compose-docker-sock-mount",

package/data/playbooks/cred-stores.json

@@ -43,7 +43,9 @@
   "domain": {
     "name": "Per-user credential store inventory + identity-assurance posture",
     "attack_class": "identity-abuse",
-    "atlas_refs": [],
+    "atlas_refs": [
+      "AML.T0055"
+    ],
     "attack_refs": [
       "T1078",
       "T1552.001",
@@ -418,7 +420,12 @@
           "description": "Long-lived AWS IAM user key. AAL1-equivalent. Static credential.",
           "confidence": "deterministic",
           "deterministic": true,
-          "attack_ref": "T1552.001"
+          "attack_ref": "T1552.001",
+          "false_positive_checks_required": [
+            "If the AKIA* value is AKIAIOSFODNN7EXAMPLE / a documented AWS-sample credential pair, demote — these are AWS-published doc fixtures.",
+            "Verify the key is live via `aws sts get-caller-identity --profile <name>` (or dry-run equivalent). If the key is already deactivated / deleted upstream, demote to lower confidence (still flag for cleanup).",
+            "If the profile name pattern matches an org-documented break-glass profile (e.g. profile = 'breakglass-*' with a documented quarterly-rotation procedure tied to it), accept the exception with a TTL test."
+          ]
         },
         {
           "id": "kube-static-token",
@@ -445,7 +452,12 @@
           "description": "Docker registry credentials in cleartext (base64 is not encryption). credHelpers/credsStore would route to OS keychain or cloud-IAM-federated path.",
           "confidence": "deterministic",
           "deterministic": true,
-          "attack_ref": "T1552.001"
+          "attack_ref": "T1552.001",
+          "false_positive_checks_required": [
+            "Decode the auth value — if the decoded user is '<token>' / 'AWS' / 'oauth2accesstoken' / '00000000-0000-0000-0000-000000000000' (vendor-documented pseudo-users for short-lived token auth) AND the docker login was scripted with an exchange step, the credential is ephemeral; demote.",
+            "If the registry is a local-only registry (127.0.0.1:*, registry.local, kind.local, *.svc.cluster.local) on a dev workstation, blast radius is local; report at high but not deterministic.",
+            "Verify the credsStore field is not set globally (top-level credsStore overrides per-registry omission); if globally configured, demote."
+          ]
         },
         {
           "id": "npm-pat-present",
@@ -496,7 +508,12 @@
           "description": "Permissive permissions on a credential file. Local-user theft primitive.",
           "confidence": "deterministic",
           "deterministic": true,
-          "attack_ref": "T1552.004"
+          "attack_ref": "T1552.004",
+          "false_positive_checks_required": [
+            "If the host filesystem is on Windows / WSL with no POSIX mode enforcement OR is a network share where mode bits are emulated, posix-mode is meaningless — verify the share is ACL-protected (e.g. ntfs ACL grants only the user); demote when ACL-tight.",
+            "If the file is a 0-byte placeholder / symlink to a credential broker socket or to a tmpfs path that's wiped on logout, the readable bits do not yield a usable credential; demote.",
+            "On a shared multi-user host the operator may have an explicit ACL-by-design model (e.g. 0640 with a group ACL granting the deploy-group read). If the runbook documents the intent AND `getfacl` confirms the named-group restriction, accept the exception."
+          ]
         },
         {
           "id": "all-stores-empty-or-federated",

package/data/playbooks/crypto-codebase.json

@@ -393,77 +393,77 @@
         },
         {
           "id": "hash-primitive-call-sites",
-          "type": "file_path",
+          "type": "file",
           "source": "Grep across the repo (excluding test/spec/fixture/node_modules/vendor/.venv/target/dist/build) for hash-primitive call sites. Patterns: `crypto.createHash\\(`, `crypto.createHmac\\(`, `hashlib\\.(md5|sha1|sha224|sha256|sha384|sha512|blake2b|blake2s|sha3_)`, `MessageDigest\\.getInstance\\(`, `Digest::(MD5|SHA1|SHA256)`, `hash/md5`, `hash/sha1`, `\"md5\"`, `\"sha1\"`, `\"sha-1\"`, `\"sha256\"`, `\"sha3-256\"`. Use Grep with multiline=true where the algorithm-name string is on a different line from the constructor.",
           "description": "Every hash-primitive call site. Distinguish security-context usage (signature input, MAC input, integrity check, password derivation, token derivation) from non-security usage (cache key, ETag, dedup). The non-security distinction must be evidenced inline; absent evidence, treat as security-context.",
           "required": true
         },
         {
           "id": "cipher-and-kex-call-sites",
-          "type": "file_path",
+          "type": "file",
           "source": "Grep for cipher and KEX call sites: `createCipheriv\\(`, `createDecipheriv\\(`, `crypto\\.publicEncrypt\\(`, `crypto\\.privateDecrypt\\(`, `createDiffieHellman\\(`, `createECDH\\(`, `crypto\\.generateKeyPair`, `Cipher\\.getInstance\\(`, `aesgcm`, `ChaCha20Poly1305`, `\\.(seal|open)\\(`, `OpenSSL::Cipher`, hardcoded curve names `\"P-256\"`, `\"secp256r1\"`, `\"prime256v1\"`, `\"P-384\"`, `\"secp384r1\"`, `\"P-521\"`, `\"secp521r1\"`, `\"secp256k1\"`, `\"X25519\"`, `\"X448\"`.",
           "description": "Cipher and key-exchange call sites. Identify mode (GCM/CBC/CTR/ECB), curve, key size, IV-generation pattern. ECB mode anywhere is a hard fail. CBC without HMAC is a hard fail. AES-128 without GCM authenticator is a finding.",
           "required": true
         },
         {
           "id": "signature-call-sites",
-          "type": "file_path",
+          "type": "file",
           "source": "Grep for signature operations: `crypto\\.sign\\(`, `crypto\\.verify\\(`, `Signature\\.getInstance\\(`, `\\.sign_pss\\(`, `\\.verify_pss\\(`, `RSA-PSS`, `RSA-PKCS1`, `ECDSA`, `Ed25519`, `Ed448`, `ML-DSA`, `Dilithium`, `SLH-DSA`, `SPHINCS`. Capture key sizes for RSA (look for `modulusLength`, `key_size`, `--rsa-2048` literals), curve choice for ECDSA, hash choice paired with signature (RSA-SHA1 is a hard fail).",
           "description": "Signature scheme inventory. RSA-1024 anywhere is a hard fail; RSA-2048 with > 5-year sensitivity requires PQC roadmap; ECDSA-P256 acceptable today but needs hybrid ML-DSA migration plan; bare RSA-PKCS1 (not PSS) for new signatures is a finding.",
           "required": true
         },
         {
           "id": "kdf-call-sites",
-          "type": "file_path",
+          "type": "file",
           "source": "Grep for key-derivation calls: `pbkdf2(Sync)?\\(`, `PBKDF2`, `hashlib\\.pbkdf2_hmac`, `bcrypt\\.(hash|hashSync|compare)`, `scrypt(Sync)?\\(`, `argon2\\.(hash|verify)`, `argon2id`, `hkdf\\(`, `HKDF`, `derive_key`. For each, extract the cost parameters: PBKDF2 iterations, bcrypt cost factor, scrypt N/r/p, argon2 t/m/p.",
           "description": "Key-derivation parameter inventory. Apply OWASP 2023 minimums: PBKDF2-HMAC-SHA256 >= 600,000; PBKDF2-HMAC-SHA512 >= 210,000; bcrypt cost >= 12; scrypt N >= 2^17, r=8, p=1; argon2id m >= 19 MiB (19456 KiB), t >= 2, p >= 1. Any parameter below minimum is a finding.",
           "required": true
         },
         {
           "id": "rng-call-sites",
-          "type": "file_path",
+          "type": "file",
           "source": "Grep for RNG sources: `Math\\.random\\(`, `random\\.random\\(`, `random\\.randint\\(`, `random\\.choice\\(`, `rand\\(`, `srand\\(`, `mt_rand\\(`, `secrets\\.(token_|randbits|choice)`, `crypto\\.randomBytes\\(`, `crypto\\.getRandomValues\\(`, `crypto\\.randomUUID\\(`, `os\\.urandom\\(`, `getrandom\\(`, `SecureRandom`, `OsRng`, `ThreadRng`, `/dev/urandom`, `/dev/random`. Capture file_path:line for each.",
           "description": "RNG-source inventory. Production-context Math.random / random.random / rand without cryptographic-RNG fallback is CWE-338. Distinguish test/spec/fixture usage explicitly via path allowlist; production usage requires a cryptographic RNG.",
           "required": true
         },
         {
           "id": "hardcoded-key-material",
-          "type": "file_path",
+          "type": "file",
           "source": "Grep for hardcoded crypto material: PEM markers `-----BEGIN (RSA |EC |DSA |PRIVATE |PUBLIC |CERTIFICATE )?(PRIVATE|PUBLIC) KEY-----`, SSH key prefixes `ssh-rsa AAAA`, `ssh-ed25519 AAAA`, `ecdsa-sha2-nistp256 AAAA`, hex-blob heuristics for keys (>= 64 hex chars on a single literal line), base64-encoded blobs >= 256 chars in source files. Cross-reference with the `secrets` playbook for the exfil-secret angle; here the focus is library-author shipping defaults that look like keys (e.g. example certs, demo keys, sample HMAC seeds that downstream consumers fail to rotate).",
           "description": "Hardcoded key material shipped with the library. Library-author angle: any 'demo' or 'example' key that downstream consumers fail to rotate becomes a universal-default vulnerability (cf. embedded-router demo keys, Wi-Fi default WPA keys, IoT bootloader signing keys).",
           "required": false
         },
         {
           "id": "tls-config-construction",
-          "type": "file_path",
+          "type": "file",
           "source": "Grep for in-code TLS context construction: `tls\\.createSecureContext`, `tls\\.createServer`, `https\\.createServer`, `ssl\\.SSLContext\\(`, `ssl\\.create_default_context`, `rustls::ServerConfig`, `rustls::ClientConfig`, `tls\\.Config\\{`, `SSL_CTX_new`, options like `minVersion`, `maxVersion`, `secureProtocol`, `ciphers`, `ecdhCurve`, `sigalgs`, `groups`, `ALPNProtocols`.",
           "description": "In-code TLS configuration. Library authors that construct TLS contexts internally must default to TLS 1.3 minimum, X25519MLKEM768 group preference (when openssl >= 3.5 detected), modern cipher list. Hardcoded `secureProtocol: 'TLSv1_method'` or `minVersion: 'TLSv1'` is a hard fail.",
           "required": false
         },
         {
           "id": "pqc-adoption-signals",
-          "type": "file_path",
+          "type": "file",
           "source": "Grep for PQC adoption: `ml[-_]?kem`, `ml[-_]?dsa`, `slh[-_]?dsa`, `kyber`, `dilithium`, `sphincs`, `falcon`, `kemEncapsulate`, `kemDecapsulate`, `EVP_KEM_`, `OQS_KEM_`, `oqsprovider`, `liboqs`, `noble-post-quantum`, `pqcrypto::`, `aws-lc-rs::pqc`, `circl/sign/dilithium`, `circl/kem/kyber`.",
           "description": "PQC adoption signals. If `pqc-readiness-gap` directive runs, this artifact is the primary input. Distinguish concrete cryptographic operations from configuration strings, feature-flag names, and comments.",
           "required": false
         },
         {
           "id": "fips-provider-activation",
-          "type": "file_path",
+          "type": "file",
           "source": "Grep for FIPS-mode activation: `OSSL_PROVIDER_load.*fips`, `crypto\\.setFips\\(`, `openssl::provider::Provider::load_default`, `Provider::load.*\"fips\"`, openssl.cnf or fipsmodule.cnf files in the repo, environment-variable references to `OPENSSL_FIPS`, `OPENSSL_CONF`. Capture whether the activation is conditional (e.g. only if env var set) or unconditional.",
           "description": "FIPS-provider activation evidence. The `fips-validation-status` directive uses this to distinguish runtime FIPS activation from link-time FIPS claims.",
           "required": false
         },
         {
           "id": "vendored-crypto-tree",
-          "type": "file_path",
+          "type": "file",
           "source": "Glob for vendored crypto: `vendor/**/{crypto,openssl,sodium,nacl,kyber,dilithium,sphincs,curve25519,blake2,sha3,argon2}*`, `third_party/**/*crypto*`, `crates/**/*crypto*` (excluding the package's own crypto module). Look for upstream-reference files: `UPSTREAM`, `ORIGIN`, `PROVENANCE.md`, `.upstream-commit`, integrity hashes in lockfiles.",
           "description": "Vendored cryptographic primitives. Library authors sometimes vendor crypto to reduce dep tree or for licensing reasons. Without provenance + integrity audit, vendored crypto is a supply-chain backdoor opportunity.",
           "required": false
         },
         {
           "id": "ci-crypto-tests",
-          "type": "file_path",
+          "type": "file",
           "source": "Glob for CI configs: `.github/workflows/**/*.yml`, `.gitlab-ci.yml`, `.circleci/config.yml`, `azure-pipelines.yml`, `Jenkinsfile`. Grep for crypto-test invocations, FIPS-test runs, constant-time analysis tools (`dudect`, `valgrind --tool=memcheck` on secret-dependent code, `ctgrind`).",
           "description": "Build-time crypto verification. Absence of constant-time tests on vendored PQC primitives is a finding for the `pqc-readiness-gap` directive.",
           "required": false
@@ -559,7 +559,12 @@
           "value": "Any file imports or constructs an MD5 / SHA1 hash and the output flows into a security context. Patterns: `crypto\\.createHash\\(['\"](md5|sha1|sha-1)['\"]\\)`, `hashlib\\.(md5|sha1)\\(`, `MessageDigest\\.getInstance\\(['\"](MD5|SHA-1)['\"]\\)`, `crypto/md5`, `crypto/sha1`, `Digest::(MD5|SHA1)\\.`",
           "description": "Weak hash primitive shipped in library source. Hard fail unless inline comment justifies non-security usage AND no flow into auth/integrity code path.",
           "confidence": "deterministic",
-          "deterministic": true
+          "deterministic": true,
+          "false_positive_checks_required": [
+            "If the call site is under tests/, spec/, fixtures/, examples/ or carries an inline `// non-security: <reason>` / `# non-cryptographic: <reason>` comment AND the hash output flows into a checksum-only path (ETag, content-addressed cache key, dedupe), demote to miss.",
+            "If the file implements a documented legacy-protocol shim (TLS interop, ntlm, sha1-rsa cert parsing for compat) and the hash is consumed by a verify-only path against externally-fixed inputs, accept with an expiry test (deprecation date).",
+            "Confirm the hash output reaches an authn/integrity sink via simple grep on the assigned variable name reaching crypto.verify / hmac / signature.update / token comparison. If no such flow exists in this file, demote."
+          ]
         },
         {
           "id": "weak-cipher-mode",
@@ -567,7 +572,12 @@
           "value": "AES with ECB mode anywhere: `aes-\\d+-ecb`, `AES/ECB/`, `Cipher\\.getInstance\\(['\"]AES['\"]\\)` (default mode ECB). Or DES/3DES anywhere: `des-cbc`, `des-ede3`, `\\\"des\\\"`, `\\\"3des\\\"`, `DES/`, `DESede/`. Or RC4: `\\\"rc4\\\"`, `arc4`, `ARCFOUR`.",
           "description": "Catastrophic cipher choice. ECB leaks plaintext patterns; DES/3DES is below current security margins; RC4 is broken.",
           "confidence": "deterministic",
-          "deterministic": true
+          "deterministic": true,
+          "false_positive_checks_required": [
+            "If the path is under tests/ / fixtures/ / known-answer-tests/ and carries a `// test-only` or `# KAT vector` marker, this is an interop / known-answer test against a published vector; demote to miss.",
+            "If the library is explicitly a legacy-protocol parser (e.g. an NTLM / Kerberos-RC4 / PKCS#12-3DES compatibility shim) AND its SECURITY.md declares the legacy scope, accept with a deprecation-deadline test rather than hard fail.",
+            "Confirm the construction is actually instantiated in a production code path — `grep -r '<cipher-var>' src/ --include='*.{js,ts,py,java,go}'`. If only referenced in `if (legacy) {}` dead-branch code, demote."
+          ]
         },
         {
           "id": "rsa-1024-anywhere",
@@ -649,7 +659,12 @@
           "value": "`secureProtocol:\\s*['\"](TLSv1_method|TLSv1_1_method|SSLv23_method|SSLv3_method)['\"]`, `minVersion:\\s*['\"](TLSv1(\\.0|\\.1)?)['\"]`, `ssl_version=ssl\\.PROTOCOL_TLSv1(_1)?`, `MinTlsVersion::TLSv1`.",
           "description": "TLS < 1.2 minimum in shipped TLS-context construction.",
           "confidence": "deterministic",
-          "deterministic": true
+          "deterministic": true,
+          "false_positive_checks_required": [
+            "If the path is under tests/ / fixtures/ AND the test purpose is asserting that the library REJECTS the legacy protocol (negative test), demote.",
+            "If the construction is gated behind a feature flag whose default value is OFF AND the README documents the flag as an opt-in for legacy compatibility only, treat as a deprecated-but-supported path rather than a default-insecure ship.",
+            "Confirm there is no override-construction later (e.g. a subsequent `setMinProtoVersion(TLS_1_3)` on the same context) — partial defaults are common; the effective minimum is the highest set."
+          ]
         },
         {
           "id": "no-crypto-agility-abstraction",

package/data/playbooks/crypto.json

@@ -339,7 +339,7 @@
         },
         {
           "id": "libssl-libraries",
-          "type": "file_path",
+          "type": "file",
           "source": "ldconfig -p | grep -E 'libssl|libcrypto|libtls' AND find /usr/lib /usr/local/lib -name 'libssl*' -o -name 'libcrypto*' 2>/dev/null",
           "description": "Installed TLS libraries — catches non-default OpenSSL builds, vendored libcrypto, LibreSSL, BoringSSL.",
           "required": false
@@ -453,7 +453,12 @@
           "value": "Within the openssl-kem-algorithms artifact (its `openssl list -signature-algorithms` half): output does NOT contain ML-DSA-44/65/87 AND does NOT contain SLH-DSA-*",
           "description": "TLS library cannot use PQC signatures. Certificate-chain PQC migration is blocked.",
           "confidence": "deterministic",
-          "deterministic": true
+          "deterministic": true,
+          "false_positive_checks_required": [
+            "Confirm whether oqsprovider / aws-lc / wolfssl is loaded alongside OpenSSL — `openssl list -providers` may show a PQC-providing module that supplies ML-DSA via a non-default path. If so, demote.",
+            "Verify the binary is statically linked or chroot-jailed against a different libcrypto than the one being interrogated; rerun the list command using the actual library the service has loaded (lsof / /proc/<pid>/maps).",
+            "If the host's role is documented as classical-only (e.g. an air-gapped HSM-fronted signer with offline key custody) AND a separate PQC-signing tier exists upstream, accept with an explicit roadmap milestone."
+          ]
         },
         {
           "id": "openssl-pre-3-5",
@@ -461,7 +466,12 @@
           "value": "Within the openssl-version artifact: output starts with 'OpenSSL 1.', 'OpenSSL 2.', 'OpenSSL 3.0', 'OpenSSL 3.1', 'OpenSSL 3.2', 'OpenSSL 3.3', or 'OpenSSL 3.4'; cross-check libssl-libraries artifact to detect coexisting older libcrypto.so loaded via LD_LIBRARY_PATH or vendored builds (LibreSSL, BoringSSL, vendored OpenSSL under /usr/local/lib)",
           "description": "Pre-3.5 OpenSSL lacks native ML-KEM. Requires oqsprovider or upgrade.",
           "confidence": "deterministic",
-          "deterministic": true
+          "deterministic": true,
+          "false_positive_checks_required": [
+            "If the host is on a vendor-supported LTS (RHEL 8/9, Ubuntu 20.04/22.04, SLES 15, Amazon Linux 2/2023), verify the distro's documented PQC backport status via `rpm -q --changelog openssl` / `dpkg -s openssl` — RHEL 9.5+, Ubuntu 24.04 ship oqsprovider as a package; mark backport state explicitly.",
+            "If openssl-providers also lists an active oqsprovider AND oqsprovider's ML-KEM appears in the kem-algorithms list, the pre-3.5 base is provider-augmented; demote to lower confidence (still flag the upgrade path).",
+            "Confirm the queried `openssl` binary is the one services link against (lsof on representative daemons + /proc/<pid>/maps grep for libcrypto). If services link against a newer vendored 3.5+ libcrypto, the system openssl version is misleading."
+          ]
         },
         {
           "id": "sshd-no-pqc-kex",

package/data/playbooks/framework.json

@@ -477,7 +477,11 @@
           "value": "Any exception register entry with rwep_at_acceptance >= 70 lacking (a) explicit calendar expiry, (b) named risk-acceptance owner at correct authority level, (c) tested compensating controls",
           "description": "Theater fingerprint #3 detection.",
           "confidence": "deterministic",
-          "deterministic": true
+          "deterministic": true,
+          "false_positive_checks_required": [
+            "Confirm the artifact actually represents the live exception register. If the input is a draft / historical / archived register snapshot (filename includes -draft / -archive / -YYYY-Q< number >), demote.",
+            "If expiry/owner/controls are stored in a sidecar system (ServiceNow, Jira, IRM tool) linked by ID, the indicator may falsely fire on a register that intentionally normalises to ID-references. Verify the linked record's fields before flagging."
+          ]
         },
         {
           "id": "jurisdiction-without-framework",
@@ -485,7 +489,11 @@
           "value": "jurisdictional_footprint contains EU / UK / AU / SG / JP / IN / CA / HK / TW / IL / CH / ID / VN AND framework_mapping_matrix does NOT contain the corresponding binding framework (NIS2 / DORA / EU AI Act / CAF / Essential 8 / APRA / MAS TRM / NISC / CERT-In / OSFI B-10)",
           "description": "Theater fingerprint #4 detection — operating in a regulated jurisdiction without framework mapping.",
           "confidence": "deterministic",
-          "deterministic": true
+          "deterministic": true,
+          "false_positive_checks_required": [
+            "If the organisation has filed a documented `out-of-scope` declaration with the relevant regulator (e.g. NIS2 size-threshold exclusion <50 employees + <EUR 10M turnover; DORA scoping out as non-financial entity; EU AI Act non-AI-deployer attestation) AND the declaration is current within the regulator's revalidation window, demote.",
+            "If the jurisdictional footprint is data-only (e.g. an EU IP block accessing a CDN, no establishment / no targeted offering) AND no EU data subjects' personal data is processed, the binding framework may not attach; confirm against the regulator's territoriality test."
+          ]
         },
         {
           "id": "mapping-without-tempo",
@@ -509,7 +517,11 @@
           "value": "Three or more theater fingerprints fire on the same framework control (e.g. ISO 27001:2022 A.8.30 fires patterns #1 + #2 + #6 simultaneously)",
           "description": "Compound theater — single control structurally insufficient across multiple threat classes.",
           "confidence": "deterministic",
-          "deterministic": true
+          "deterministic": true,
+          "false_positive_checks_required": [
+            "Confirm the multiple fingerprints fire on the SAME control (not different controls aggregated against the same audit scope). Cross-fingerprint stacks against different controls are not compound theater; they are inventory of distinct gaps.",
+            "Verify each constituent fingerprint individually passed its own FP checks. If any of the three is itself a coincidence-hit (e.g. exception-missing-expiry on a draft register), recompute the count without it."
+          ]
         }
       ],
       "false_positive_profile": [

package/data/playbooks/hardening.json

@@ -35,7 +35,9 @@
         "on_fail": "warn"
       }
     ],
-    "mutex": [],
+    "mutex": [
+      "kernel"
+    ],
     "feeds_into": [
       {
         "playbook_id": "kernel",
@@ -401,7 +403,11 @@
           "description": "/proc/kallsyms is world-readable; KASLR is effectively defeated for any local user. Decisive for kernel LPE exploitability.",
           "confidence": "deterministic",
           "deterministic": true,
-          "attack_ref": "T1068"
+          "attack_ref": "T1068",
+          "false_positive_checks_required": [
+            "If the host is in an active kdump / perf / kernel-debugging session AND the rationale is captured in the operator runbook with a documented restoration deadline, accept with a TTL test (must flip to >=1 within N days).",
+            "Confirm /proc/kallsyms actually leaks pointers — `head -1 /proc/kallsyms` as an unprivileged user. If addresses are zeroed despite kptr_restrict=0 (e.g. CAP_SYSLOG-only path active via systemd), demote to lower confidence."
+          ]
         },
         {
           "id": "unprivileged-userns-enabled",
@@ -428,7 +434,12 @@
           "description": "Yama ptrace_scope=0 allows any process to ptrace any same-UID process. Credential-theft + privilege-pivot primitive.",
           "confidence": "deterministic",
           "deterministic": true,
-          "attack_ref": "T1212"
+          "attack_ref": "T1212",
+          "false_positive_checks_required": [
+            "If the host is a developer workstation in a documented debug-allowlist AND an enforcing MAC profile (AppArmor `aa-status` enforced / SELinux `getenforce` == Enforcing) restricts cross-UID ptrace, the kernel-level open is constrained at a higher layer; demote to lower confidence.",
+            "If a containerised workload depends on ptrace for documented observability tooling (strace-based tracer, gdb-based debugger run-as-CAP_SYS_PTRACE), confirm the broader scope is justified by that workload and is not host-wide.",
+            "Confirm the system isn't a single-user dev VM with no network exposure — ptrace_scope=0 on an isolated VM has materially lower blast radius than on a multi-tenant host."
+          ]
         },
         {
           "id": "kaslr-disabled-at-boot",
@@ -437,7 +448,11 @@
           "description": "Boot-time KASLR disabled. Makes catalogued kernel LPEs deterministic.",
           "confidence": "deterministic",
           "deterministic": true,
-          "attack_ref": "T1068"
+          "attack_ref": "T1068",
+          "false_positive_checks_required": [
+            "If the host is in an active kdump / kgdb / kernel-debugging session AND the rationale is documented in the operator runbook with a documented restoration deadline, accept with TTL.",
+            "Confirm the cmdline option actually took effect — `dmesg | grep -i kaslr` should show KASLR offsets when active. An nokaslr token in cmdline but a KASLR-active kernel (some distros override) means the boot parameter was ignored; demote."
+          ]
         },
         {
           "id": "mitigations-off",
@@ -446,7 +461,11 @@
           "description": "Boot-time CPU mitigations disabled. Spectre/Meltdown/MDS/Retbleed/Downfall class becomes exploitable.",
           "confidence": "deterministic",
           "deterministic": true,
-          "attack_ref": "T1068"
+          "attack_ref": "T1068",
+          "false_positive_checks_required": [
+            "If the host is HPC/benchmark-tagged (slurm node, MPI scratch node, vendor-perf-test rig) AND not network-exposed AND mitigations=off is documented in the operator runbook with a network-isolation control, accept the exception with a quarterly revalidation test.",
+            "Confirm the host is single-tenant (no multi-user, no untrusted workloads). Mitigations are speculative-execution defences against same-host attackers; on a single-tenant control-plane the threat may not apply."
+          ]
         },
         {
           "id": "selinux-not-enforcing",

package/data/playbooks/kernel.json

@@ -45,7 +45,9 @@
         "on_fail": "warn"
       }
     ],
-    "mutex": [],
+    "mutex": [
+      "hardening"
+    ],
     "feeds_into": [
       {
         "playbook_id": "sbom",
@@ -382,7 +384,11 @@
           "description": "Unprivileged user namespaces enabled — required for several catalogued LPE classes.",
           "confidence": "deterministic",
           "deterministic": true,
-          "attack_ref": "T1611"
+          "attack_ref": "T1611",
+          "false_positive_checks_required": [
+            "If a documented rootless-container runtime (podman/rootless, buildah, lima, colima, GitHub Actions runners) is the workload AND unprivileged userns is a documented requirement, accept the exception — but pair with an LSM (SELinux/AppArmor) enforcing profile that constrains exec/mount inside the userns.",
+            "Verify CONFIG_USER_NS is built into the kernel — distros that ship with userns disabled at config-time make the sysctl moot regardless of value. `grep CONFIG_USER_NS /boot/config-$(uname -r)` should show =y for the indicator to be live."
+          ]
         },
         {
           "id": "unpriv-bpf-allowed",
@@ -391,7 +397,11 @@
           "description": "Unprivileged BPF allowed — primitive for several kernel LPE classes.",
           "confidence": "deterministic",
           "deterministic": true,
-          "attack_ref": "T1068"
+          "attack_ref": "T1068",
+          "false_positive_checks_required": [
+            "Verify CONFIG_BPF_SYSCALL=y AND CONFIG_BPF_JIT=y in the running kernel config (`grep CONFIG_BPF /boot/config-$(uname -r)`). If BPF is compiled out, the sysctl is moot; demote.",
+            "If an enforcing LSM profile (SELinux / AppArmor) restricts bpf() syscall for unprivileged users via a tested policy, the kernel-level open is constrained at a higher layer; demote to lower confidence."
+          ]
         }
       ],
       "false_positive_profile": [