@blamejs/exceptd-skills 0.12.15 → 0.12.18

package/data/playbooks/library-author.json

@@ -43,7 +43,10 @@
         "on_fail": "warn"
       }
     ],
-    "mutex": ["secrets"],
+    "mutex": [
+      "secrets",
+      "containers"
+    ],
     "feeds_into": [
       {
         "playbook_id": "sbom",
@@ -563,14 +566,14 @@
         },
         {
           "id": "signing-key-material",
-          "type": "file_path",
+          "type": "file",
           "source": "Locate: cosign.pub, *.pem (public-key signing artifacts), keys/public.pem, .well-known/openpgpkey/, sigstore-cosign metadata in workflow",
           "description": "Public signing material committed to the repo or referenced from the release workflow.",
           "required": false
         },
         {
           "id": "intoto-attestations",
-          "type": "file_path",
+          "type": "file",
           "source": "Glob: *.intoto.jsonl, *.sigstore, *.sbom.json.sig, *.cdx.json.sig, attestations directory; AND for npm packages: GET https://registry.npmjs.org/${pkg} and inspect dist.attestations",
           "description": "in-toto / Sigstore / SLSA provenance attestations attached to releases.",
           "required": false,
@@ -592,7 +595,7 @@
         },
         {
           "id": "vendored-code",
-          "type": "file_path",
+          "type": "file",
           "source": "List directories: vendor/, third_party/, external/, deps/, internal/vendor/; AND for each: locate provenance manifest (vendor.json, THIRD_PARTY_PROVENANCE.md, modules.txt for Go vendored)",
           "description": "Vendored / bundled third-party code carried in the publisher's own release.",
           "required": false
@@ -644,7 +647,7 @@
         },
         {
           "id": "skill-signing-infrastructure",
-          "type": "file_path",
+          "type": "file",
           "source": "If repo ships skills / plugins / extensions: locate lib/sign.js, lib/verify.js, scripts/sign-skills.*, signatures/, keys/, AND read package.json scripts for sign/verify entries",
           "description": "Specific to AI-tool / plugin / skill publishers: Ed25519 / cosign signing scaffolding.",
           "required": false
@@ -786,7 +789,11 @@
           "description": "Mutable action reference — upstream owner can substitute action code under the same tag.",
           "confidence": "deterministic",
           "deterministic": true,
-          "attack_ref": "T1195.001"
+          "attack_ref": "T1195.001",
+          "false_positive_checks_required": [
+            "If Dependabot is configured (.github/dependabot.yml with package-ecosystem: github-actions, schedule >= weekly) AND the repo has a recent (within last 60 days) Dependabot PR updating action SHAs — the mutable-ref window is bounded; demote to lower-confidence finding (not miss; tag-pinning is still strictly safer than SHA-pinning-with-Dependabot).",
+            "If every mutable ref points to a github-owned action (actions/*, github/*) the supply-chain risk is materially lower than third-party action refs; tag-with-rationale-in-comment is acceptable for github-owned. Demote third-party-only mutable refs above github-owned ones in reporting."
+          ]
         },
         {
           "id": "package-json-provenance-missing",
@@ -839,11 +846,15 @@
         },
         {
           "id": "tag-protection-absent",
-          "type": "api_response",
+          "type": "api_call_sequence",
           "value": "Within the branch-tag-protection artifact: gh api repos/${owner}/${repo}/tags/protection returns empty array OR 404 AND the release-workflows artifact contains a publish workflow that triggers on push tags: ['v*']",
           "description": "Release tags unprotected (theater #6) — any branch can push v* and trigger publish.",
           "confidence": "deterministic",
-          "deterministic": true
+          "deterministic": true,
+          "false_positive_checks_required": [
+            "If repository rulesets (newer model) protect the tag pattern v*.*.* with delete + non-fast-forward + update blocked AND zero bypass actors — the legacy tag-protection-rules API may return empty while protection is in place. Cross-check the rulesets API before flagging.",
+            "If the repository is read-only / archived (archived: true via the repo API) — tag protection is moot; demote to miss."
+          ]
         },
         {
           "id": "release-tag-not-signed",
@@ -871,7 +882,7 @@
         },
         {
           "id": "no-security-txt",
-          "type": "api_response",
+          "type": "api_call_sequence",
           "value": "If product has a primary domain: HTTP 404 / connection failure on /.well-known/security.txt",
           "description": "No RFC 9116 machine-discoverable disclosure path (theater #10).",
           "confidence": "deterministic",
@@ -879,7 +890,7 @@
         },
         {
           "id": "private-vuln-reporting-disabled",
-          "type": "api_response",
+          "type": "api_call_sequence",
           "value": "gh api repos/${owner}/${repo} --jq '.security_and_analysis.private_vulnerability_reporting.status' returns 'disabled'",
           "description": "GitHub private vulnerability reporting off — no OIDC-authenticated disclosure intake.",
           "confidence": "deterministic",

package/data/playbooks/mcp.json

@@ -440,7 +440,7 @@
         },
         {
           "id": "mcp-tool-response-log",
-          "type": "log_pattern",
+          "type": "log",
           "source": "AI client MCP-protocol logs: ~/.claude/logs/mcp/*.jsonl (Claude Code), ~/.cursor/logs/mcp-*.log (Cursor), ~/.codeium/windsurf/logs/mcp_*.log (Windsurf)",
           "description": "v0.12.6: Verbatim tools/list and tools/call response capture. The only artifact that lets ANSI-escape, Unicode-Tag-smuggling, instruction-coercion-grammar, and sensitive-path-reference indicators fire. If client doesn't log MCP responses, mark inconclusive and recommend enabling MCP request/response verbose logging in client settings.",
           "required": false
@@ -550,7 +550,11 @@
           "value": "ps shows an MCP server process running with effective UID 0 or with elevated capabilities (CAP_SYS_ADMIN, CAP_NET_ADMIN)",
           "description": "MCP server with elevated privileges turns a tool-response RCE into immediate root.",
           "confidence": "deterministic",
-          "deterministic": true
+          "deterministic": true,
+          "false_positive_checks_required": [
+            "If the MCP server's documented purpose requires elevated capability (kernel-introspection / host-firewall / docker-control MCP) AND it is on a vendor-published privileged-allowlist with a signed manifest, accept with explicit scope.",
+            "Verify root-on-host vs root-in-user-namespace — inspect /proc/<pid>/status Cap* fields and userns mapping. A rootless-container MCP running as in-namespace UID 0 has materially lower blast radius; demote to lower confidence."
+          ]
         },
         {
           "id": "copilot-yolo-mode-flag",
@@ -579,7 +583,11 @@
           "confidence": "deterministic",
           "deterministic": true,
           "atlas_ref": "AML.T0051",
-          "attack_ref": "T1059"
+          "attack_ref": "T1059",
+          "false_positive_checks_required": [
+            "If the MCP tool is a documented terminal-emulation / shell-output renderer (the tool's purpose is to relay terminal output and the host AI assistant renders it inline) AND the escape bytes are SGR-only with no cursor-movement / screen-clear / OSC-8 codes, the escape carries no instruction-coercion payload; demote.",
+            "Confirm the escape appears in a tool-output payload AND not in a tools/list metadata field — metadata is the high-leverage smuggling site; output may be expected. If only in output for a documented terminal tool, demote."
+          ]
         },
         {
           "id": "mcp-response-unicode-tag-smuggling",
@@ -588,7 +596,11 @@
           "description": "Unicode Tag-range smuggling — zero-width to humans, tokenized by the model. Source: Embrace the Red (Rehberger, 2025).",
           "confidence": "deterministic",
           "deterministic": true,
-          "atlas_ref": "AML.T0051"
+          "atlas_ref": "AML.T0051",
+          "false_positive_checks_required": [
+            "Tag-range codepoints have no documented legitimate use in MCP transport. Confirm the file content is actually a JSON payload (not, e.g., a captured raw email body that contains a U+E0000-tagged language hint per RFC 4646 / RFC 5646 BCP-47 legacy). For genuine MCP payloads, presence is unambiguous; demote only if the payload is from a non-MCP capture mislabeled in the artifact.",
+            "Cross-check against the MCP server's package signature / publisher field — if the server is signed by a first-party allowlisted publisher AND the codepoint appears only in a documented `language-tag` schema field, treat as legacy-language-tag (RFC 6082 marked Tag deprecated 2011); still flag for review."
+          ]
         },
         {
           "id": "mcp-response-instruction-coercion",

package/data/playbooks/runtime.json

@@ -68,7 +68,9 @@
       "T1068",
       "T1548.003"
     ],
-    "cve_refs": [],
+    "cve_refs": [
+      "CVE-2026-31431"
+    ],
     "cwe_refs": [
       "CWE-269",
       "CWE-732",
@@ -428,7 +430,12 @@
           "description": "Multiple UID=0 accounts. T1136.001 persistence pattern. Outside legitimate installs.",
           "confidence": "deterministic",
           "deterministic": true,
-          "attack_ref": "T1136.001"
+          "attack_ref": "T1136.001",
+          "false_positive_checks_required": [
+            "If the second UID-0 account is `toor` on FreeBSD / `tor` on certain BSDs (documented alternate-shell root) or is a vendor-documented sudo-replacement account (e.g. AlmaLinux's `almauser`, Amazon Linux's `ec2-user` aliased), check the OS-vendor documentation; demote if intentional.",
+            "Cross-check `/etc/shadow` for the second account — if the password field is `!` / `*` (locked) AND no SSH authorized_keys / kerberos principal exists, the account is non-authentication-bearing; report at high but not deterministic.",
+            "If the host is a documented break-glass jumpbox with a renamed-root account replacing `root` (and `root` itself is removed), this is intentional; accept with the runbook reference."
+          ]
         },
         {
           "id": "listening-socket-unknown-bind",
@@ -455,7 +462,11 @@
           "description": "Hijack-execution-flow primitive. Any non-root process can replace the file.",
           "confidence": "deterministic",
           "deterministic": true,
-          "attack_ref": "T1574.005"
+          "attack_ref": "T1574.005",
+          "false_positive_checks_required": [
+            "Verify the file has the sticky bit set (1777-style mode on /opt subdirs that intentionally permit per-user write). Sticky-bit mode 1777 + ownership root:root limits cross-user replacement and is documented for some package-managers; demote to lower confidence.",
+            "If the file is a 0-byte stamp / unix-socket / FIFO under /opt that's documented for the application (e.g. mode 0666 socket for /opt/vendor/sock), the indicator is misclassified by the gatherer; demote."
+          ]
         },
         {
           "id": "orphan-privileged-process",
@@ -464,7 +475,12 @@
           "description": "Privileged orphan in a writable temp path. Common implant shape.",
           "confidence": "deterministic",
           "deterministic": true,
-          "attack_ref": "T1055"
+          "attack_ref": "T1055",
+          "false_positive_checks_required": [
+            "If the process executable matches a known anti-malware / VPN-client / EDR-agent that documentedly drops a binary under /var/tmp for sandbox-extraction reasons (e.g. CrowdStrike Falcon, SentinelOne, MS Defender Linux), check the org's endpoint-agent allowlist; demote if matched.",
+            "Verify the binary checksum (sha256) against the org's allowlisted-deploys inventory. A known-hash match means the binary is approved; demote. A mismatch means the path is unsanctioned and the indicator stands.",
+            "If the process was launched by `nohup` / `setsid` / `at` from an interactive session and is documented in the system's `at` queue or operator scratch list, accept as ephemeral with a TTL."
+          ]
         }
       ],
       "false_positive_profile": [

package/data/playbooks/sbom.json

@@ -499,7 +499,7 @@
         },
         {
           "id": "model-weight-files",
-          "type": "file_path",
+          "type": "file",
           "source": "find $HOME ~/.cache/huggingface ~/.cache/torch /var/lib/model-store -type f \\( -name '*.pt' -o -name '*.ckpt' -o -name '*.bin' -o -name '*.safetensors' -o -name '*.gguf' \\) 2>/dev/null AND for each: file <path> AND attempt to identify Sigstore signature / OpenSSF model-signing attestation",
           "description": "Model weight artifacts — needed for AI-supply-chain analysis (ATLAS AML.T0018).",
           "required": false
@@ -528,7 +528,7 @@
         },
         {
           "id": "tanstack-payload-sweep",
-          "type": "file_path",
+          "type": "file",
           "source": "find node_modules -path '*/@tanstack/*' \\( -name 'router_init.js' -o -name 'router_runtime.js' \\) 2>/dev/null",
           "description": "CVE-2026-45321 IoC sweep — payload markers inside any installed @tanstack/* package. Captures both flat npm and pnpm-style nested layouts.",
           "required": false
@@ -639,7 +639,11 @@
           "value": "Within the repo-lockfiles artifact: any pinned dependency lacks an integrity field (sha512/sha384/sha256, sri-integrity, go.sum-style hash)",
           "description": "Theater fingerprint #2 detection — name-pinned without integrity.",
           "confidence": "deterministic",
-          "deterministic": true
+          "deterministic": true,
+          "false_positive_checks_required": [
+            "If the missing-integrity entries are local-path / workspace / git+ssh refs (`file:`, `link:`, `workspace:`, `git+ssh:`) that the package manager intentionally omits integrity for, demote — workspace refs are integrity-checked at the monorepo root.",
+            "Confirm the lockfile is the one the build actually consumes — repos can have stale lockfiles in `archive/` or `pre-migration/` subdirs. Check the build script's referenced lockfile path."
+          ]
         },
         {
           "id": "transitive-deps-incomplete-sbom",
@@ -681,7 +685,11 @@
           "description": "Direct match for CVE-2026-30615.",
           "confidence": "deterministic",
           "deterministic": true,
-          "attack_ref": "T1190"
+          "attack_ref": "T1190",
+          "false_positive_checks_required": [
+            "If the Windsurf binary is the vendor-published patched build identified by sha256 hash (cross-reference Codeium's signed release manifest), the recorded version string may not advance until the next major release; demote when the binary hash matches the patched-build allowlist.",
+            "Confirm the installation is on a network-isolated jumpbox / air-gapped dev workstation with documented offline procedure — exploit primitive requires network egress to attacker C2. Demote when the host is provably air-gapped."
+          ]
         },
         {
           "id": "kev-listed-match",
@@ -689,7 +697,12 @@
           "value": "Any package-matches-catalogued-cve match resolves to a CVE with cisa_kev=true in the catalog",
           "description": "KEV-listed match — fast-path escalation required.",
           "confidence": "deterministic",
-          "deterministic": true
+          "deterministic": true,
+          "false_positive_checks_required": [
+            "Pull the vex-statements artifact for the matched CVE. If a VEX entry exists with status `not_affected` (justification: `component_not_present` / `vulnerable_code_not_in_execute_path` / `vulnerable_code_cannot_be_controlled_by_adversary`) AND `status_notes` references a maintainer review, demote — but keep on the regression schedule.",
+            "Verify the matched package version is actually present in the live deploy (not just in a build-time/dev-time dependency) — runtime presence elevates; build-time-only presence demotes to high.",
+            "If the matched VEX entry has `status: fixed` AND the lockfile resolution is newer-than-fix-version, the match is stale and should be demoted; re-run the dependency walker to refresh."
+          ]
         },
         {
           "id": "tanstack-worm-payload-files",

package/data/playbooks/secrets.json

@@ -35,7 +35,9 @@
         "on_fail": "warn"
       }
     ],
-    "mutex": [],
+    "mutex": [
+      "library-author"
+    ],
     "feeds_into": [
       {
         "playbook_id": "cred-stores",
@@ -389,7 +391,12 @@
           "description": "AWS Secret Access Key. Always findable in tandem with AKIA*. Independent finding because both halves are needed.",
           "confidence": "deterministic",
           "deterministic": true,
-          "attack_ref": "T1552.001"
+          "attack_ref": "T1552.001",
+          "false_positive_checks_required": [
+            "Check for co-occurrence with an AKIA*/ASIA*/AGPA*/AIDA* access-key-id in a 10-line window. Without corroboration, the 40-char base64-ish string is plausibly a Base64-encoded JWT signature / random data / DB password — demote to medium when corroboration is absent.",
+            "If the value matches the AWS-published sample wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY, demote to miss (doc fixture).",
+            "Verify the file is not under examples/ / docs/ / fixtures/ AND not a known-test snapshot; demote when in a documented placeholder path."
+          ]
         },
         {
           "id": "gcp-service-account-json",
@@ -425,7 +432,12 @@
           "description": "Slack bot / user / refresh / app token.",
           "confidence": "deterministic",
           "deterministic": true,
-          "attack_ref": "T1552.001"
+          "attack_ref": "T1552.001",
+          "false_positive_checks_required": [
+            "If the value is `xoxb-PLACEHOLDER` / `xoxb-EXAMPLE` / a Slack-published doc fixture (e.g. xoxb-12345-67890-AbCdEf), demote.",
+            "Verify the token format conforms to a current Slack token shape (xoxb- usually has at least three dash-separated numeric segments before the alpha suffix). Loose 10-char tail matches without segmentation can match unrelated strings; demote when segmentation is wrong.",
+            "If under examples/ / docs/ / fixtures/ AND no surrounding env var (SLACK_BOT_TOKEN / SLACK_USER_TOKEN) suggests an active config, demote."
+          ]
         },
         {
           "id": "stripe-secret-key",
@@ -434,7 +446,12 @@
           "description": "Stripe live or test secret key. Live keys are direct financial exposure.",
           "confidence": "deterministic",
           "deterministic": true,
-          "attack_ref": "T1552.001"
+          "attack_ref": "T1552.001",
+          "false_positive_checks_required": [
+            "If the prefix is `sk_test_` AND the value matches a published Stripe sample test key (see Stripe API docs — they publish a small set explicitly for documentation use), demote — test keys cannot move funds.",
+            "Verify the file path is not under examples/, fixtures/, docs/, or a stripe-quickstart template — demote in documented placeholder paths.",
+            "For sk_live_*, cross-check against the Stripe API (`POST /v1/accounts/retrieve` or similar live-validity probe) only if the operator has authorised an external validation; otherwise treat the live prefix as deterministic."
+          ]
         },
         {
           "id": "jwt-token-with-secret-context",
@@ -461,7 +478,12 @@
           "description": "OpenAI API key (incl. project-scoped sk-proj-* form). Active key spend exposure.",
           "confidence": "deterministic",
           "deterministic": true,
-          "attack_ref": "T1552.001"
+          "attack_ref": "T1552.001",
+          "false_positive_checks_required": [
+            "If the key prefix is `sk-test-*` / `sk-dummy-*` / `sk-XXXX` / contains only placeholder runs (XXXXX, 1234, abcd) it is a documentation fixture; demote.",
+            "Verify the key length meets the OpenAI minimum entropy floor (post-prefix length >= 48 chars). Below the floor is a placeholder; demote.",
+            "The regex `sk-[A-Za-z0-9_-]{40,}` also matches Anthropic sk-ant-* and other vendor-prefixed keys — confirm the vendor by surrounding context (env var name, comment) before classifying as OpenAI."
+          ]
         },
         {
           "id": "anthropic-api-key",
@@ -470,7 +492,12 @@
           "description": "Anthropic API key. Active key spend exposure.",
           "confidence": "deterministic",
           "deterministic": true,
-          "attack_ref": "T1552.001"
+          "attack_ref": "T1552.001",
+          "false_positive_checks_required": [
+            "If the key is `sk-ant-api03-PLACEHOLDER...` / `sk-ant-test-*` / contains documented placeholder substrings (XXXX runs, all-zero runs), demote.",
+            "Verify the file is not under examples/, fixtures/, sdk-quickstart/, or a docs-snippet path — demote when in documented placeholder paths.",
+            "Confirm post-prefix length meets the Anthropic minimum entropy floor (>= 80 chars after sk-ant-(api03|admin01)-); below the floor is a fixture, demote."
+          ]
         },
         {
           "id": "world-writable-env-file",

package/lib/auto-discovery.js

@@ -31,6 +31,63 @@ const fs = require("fs");
 const path = require("path");
 const { scoreCustom } = require("./scoring");
 
+// audit M P1-C: stored rwep_factors must reproduce the stored rwep_score.
+// `buildScoringInputs` is the single source of truth for both — it captures
+// the conservative defaults applied to a freshly-imported KEV draft (CISA
+// only lists vulnerabilities with documented exploitation, so we assume a
+// public PoC exists; reboot defaults to true because most KEV-listed CVEs
+// land in the kernel / hypervisor / vendor firmware where reboot is the
+// norm). The same input object is then handed to scoreCustom for the score
+// AND mapped into the `rwep_factors` shape stored on the draft. Calling
+// scoring.validate() on the post-import catalog will no longer flag every
+// auto-imported draft for divergence > 5.
+function buildScoringInputs(kevEntry /*, nvdPayload */) {
+  void kevEntry;
+  return {
+    cisa_kev: true,
+    poc_available: true,
+    ai_assisted_weapon: false,
+    ai_discovered: false,
+    active_exploitation: "suspected",
+    blast_radius: 15,
+    patch_available: false,
+    live_patch_available: false,
+    reboot_required: true,
+  };
+}
+
+/**
+ * Audit M P3-O — diff severity nuance for KEV-discovered drafts.
+ *
+ * Pre-fix every KEV-derived diff carried `severity: "high"`. Operators
+ * scanning the diff stream had no way to distinguish "patch in 21 days"
+ * from "active ransomware campaign, patch yesterday." Now:
+ *
+ *   - ransomware_use === "Known"   → "critical" (campaigns observed in the wild)
+ *   - dueDate within 7 days of now → "critical" (CISA escalation window)
+ *   - otherwise                    → "high"     (still actively exploited per KEV listing)
+ *
+ * A KEV listing inherently means active exploitation; "low" / "medium"
+ * never apply here. The split is between "act today" and "act this sprint."
+ *
+ * @param {object} kevEntry
+ * @returns {"critical" | "high"}
+ */
+function deriveKevSeverity(kevEntry) {
+  const ransomware = String(kevEntry?.knownRansomwareCampaignUse || "").toLowerCase() === "known";
+  if (ransomware) return "critical";
+  const due = kevEntry?.dueDate;
+  if (typeof due === "string" && /^\d{4}-\d{2}-\d{2}/.test(due)) {
+    const dueMs = Date.parse(due);
+    if (Number.isFinite(dueMs)) {
+      const deltaMs = dueMs - Date.now();
+      // Within the next 7 days OR already past due → critical.
+      if (deltaMs <= 7 * 86_400_000) return "critical";
+    }
+  }
+  return "high";
+}
+
 const TODAY = new Date().toISOString().slice(0, 10);
 const TIMEOUT_MS = 10_000;
 const USER_AGENT = "exceptd-security/auto-discovery (+https://exceptd.com)";
@@ -110,37 +167,17 @@ function buildKevDraftEntry(kevEntry, nvdPayload, epssPayload) {
   const knownRansomware =
     String(kevEntry.knownRansomwareCampaignUse || "").toLowerCase() === "known";
 
-  // Compute initial RWEP. KEV → +25, suspected exploitation → +10.
-  // Unknown PoC/AI flags default to false (conservative — we don't
-  // claim more than we know). Blast radius defaults to 15 (mid-range)
-  // since we can't infer it from KEV metadata alone.
-  const rwep_factors = {
-    cisa_kev: true,
-    poc_available: null,                  // unknown — curation needed
-    ai_assisted_weapon: null,
-    ai_discovered: null,
-    active_exploitation: "suspected",     // KEV listing implies exploitation
-    blast_radius: 15,
-    patch_available: null,
-    live_patch_available: null,
-    reboot_required: null,
-  };
-  // scoreCustom() treats null fields as false, which under-counts the
-  // score. Pass concrete defaults for unknowns: poc_available=true is
-  // the conservative assumption for KEV entries (CISA generally only
-  // adds entries with documented exploitation), and reboot_required=
-  // true biases toward urgency.
-  const rwep_score = scoreCustom({
-    cisa_kev: true,
-    poc_available: true,
-    ai_assisted_weapon: false,
-    ai_discovered: false,
-    active_exploitation: "suspected",
-    blast_radius: 15,
-    patch_available: false,
-    live_patch_available: false,
-    reboot_required: true,
-  });
+  // audit M P1-C: stored rwep_factors and computed rwep_score MUST agree.
+  // Previously rwep_factors held nulls (for unknown poc/ai/reboot) but
+  // rwep_score was computed from concrete defaults (poc=true, reboot=true).
+  // `scoring.validate()` then flagged every auto-imported draft for
+  // divergence > 5. Now: one canonical input object → both surfaces.
+  // The curation flow rewrites these once an operator answers the editorial
+  // questions; until then, the boolean shape on rwep_factors is the
+  // conservative-default snapshot and reproduces the score exactly.
+  const scoringInputs = buildScoringInputs(kevEntry, nvdPayload);
+  const rwep_factors = { ...scoringInputs };
+  const rwep_score = scoreCustom(scoringInputs);
 
   const product = [kevEntry.vendorProject, kevEntry.product]
     .filter(Boolean)
@@ -254,7 +291,7 @@ function discoverNewKev(ctx, cap = DEFAULT_CAP) {
       op: "add",
       target: "cveCatalog",
       entry,
-      severity: "high",
+      severity: deriveKevSeverity(kev),
       meta: {
         date_added: kev.dateAdded || null,
         vendor: kev.vendorProject || null,
@@ -529,6 +566,7 @@ module.exports = {
   discoverNewRfcs,
   buildKevDraftEntry,
   getProjectRfcGroups,
+  deriveKevSeverity,
   SEED_RFC_GROUPS,
   DEFAULT_CAP,
 };

package/lib/cve-curation.js

@@ -43,6 +43,14 @@ const path = require("path");
 //      before deciding promotion.
 const { withCatalogLock } = require("./refresh-external");
 const { validate: validateAgainstSchema } = require("./validate-cve-catalog");
+// audit J F3: derive rwep_score via the canonical scoring helper rather
+// than a blind `Object.values(...).reduce(sum)`. The helper detects shape
+// (boolean inputs → scoreCustom; post-weight numeric inputs → sum + clamp)
+// so the curation apply-path produces a score that matches whatever the
+// catalog scorer or playbook-runner would have produced for the same
+// factors. Direct dependency on scoring.js is intentional — scoring.js is
+// the authoritative formula.
+const { deriveRwepFromFactors } = require("./scoring");
 
 const ROOT = path.resolve(__dirname, "..");
 const CVE_SCHEMA_PATH = path.join(ROOT, "lib", "schemas", "cve-catalog.schema.json");
@@ -562,17 +570,15 @@ function applyAnswersUnderLock(cveId, catalog, catalogPath, answers) {
     appliedFields.push(field);
   }
 
-  // Derive rwep_score from rwep_factors when factors supplied without an
-  // explicit score. lib/scoring.js owns the canonical formula; we sum the
-  // numeric values here as a fallback.
+  // audit J F3: derive rwep_score via the canonical scoring helper rather
+  // than a blind sum. deriveRwepFromFactors detects shape (boolean inputs
+  // → scoreCustom; post-weight numeric inputs → sum + clamp) and routes
+  // accordingly, so the apply-path produces a score that agrees with
+  // scoring.validate() instead of diverging from it.
   if ("rwep_factors" in answers && !("rwep_score" in answers)
       && entry.rwep_factors && typeof entry.rwep_factors === "object") {
-    let sum = 0;
-    for (const v of Object.values(entry.rwep_factors)) {
-      if (typeof v === "number") sum += v;
-    }
-    entry.rwep_score = Math.max(0, Math.min(100, sum));
-    appliedFields.push("rwep_score (derived from rwep_factors)");
+    entry.rwep_score = deriveRwepFromFactors(entry.rwep_factors);
+    appliedFields.push("rwep_score (derived from rwep_factors via scoring.deriveRwepFromFactors)");
   }
 
   // last_updated reflects the apply moment.

package/lib/prefetch.js

@@ -15,8 +15,14 @@
  *   kev/known_exploited_vulnerabilities.json          — full KEV feed
  *   nvd/<cve-id>.json                                 — NVD 2.0 per-CVE response
  *   epss/<cve-id>.json                                — EPSS per-CVE response
- *   ietf/<doc-name>.json                              — IETF Datatracker doc record
- *   github/<owner>__<repo>__releases.json             — releases listing
+ *   rfc/<doc-name>.json                               — IETF Datatracker doc record
+ *   pins/<owner>__<repo>__releases.json               — MITRE GitHub releases listing
+ *
+ * audit M P2-K: the registered source names in SOURCES below are `rfc` and
+ * `pins`. Earlier comments + --help text said `ietf` and `github`; an
+ * operator running `--source ietf` or `--source github` would hit "unknown
+ * source" because no such key exists. The names below are the canonical
+ * ones consumed by --source filtering.
  *
  * Usage:
  *   node lib/prefetch.js                  # fetch everything not fresh
@@ -137,8 +143,8 @@ Sources:
   kev      CISA Known Exploited Vulnerabilities
   nvd      NIST NVD 2.0 per-CVE
   epss     FIRST EPSS per-CVE
-  ietf     IETF Datatracker per-RFC
-  github   MITRE GitHub releases (ATLAS / ATT&CK / D3FEND / CWE)
+  rfc      IETF Datatracker per-RFC
+  pins     MITRE GitHub releases (ATLAS / ATT&CK)
 
 Options:
   --max-age <dur>     skip entries fresher than this (e.g. 12h, 1d). Default: 24h.
@@ -296,7 +302,15 @@ function isFresh(idx, source, id, maxAgeMs) {
 
 function authHeadersForSource(source) {
   if (source === "nvd" && process.env.NVD_API_KEY) return { apiKey: process.env.NVD_API_KEY };
-  if (source === "github" && process.env.GITHUB_TOKEN) return { Authorization: `Bearer ${process.env.GITHUB_TOKEN}` };
+  // audit M P2-J: the registered source name for MITRE GitHub releases is
+  // `pins` (see SOURCES above). The prior check looked for `github`, so
+  // GITHUB_TOKEN never reached the per-request Authorization header and
+  // anonymous-rate-limited fetches were always used even when an operator
+  // had supplied a token. Accept both spellings so this is forgiving of
+  // the historical naming and the registered name.
+  if ((source === "pins" || source === "github") && process.env.GITHUB_TOKEN) {
+    return { Authorization: `Bearer ${process.env.GITHUB_TOKEN}` };
+  }
   return {};
 }
 
@@ -459,13 +473,21 @@ function readCached(cacheDir, source, id, opts = {}) {
   const idx = loadIndex(cacheDir);
   const meta = idx.entries[entryKey(source, id)];
   if (!meta) return null;
-  const ageMs = Date.now() - new Date(meta.fetched_at).getTime();
-  if (!opts.allowStale && ageMs > maxAgeMs) return null;
+  // audit M P2-L: when `fetched_at` is missing / non-string / unparseable,
+  // `new Date(undefined).getTime()` is NaN and `NaN > maxAgeMs` is false —
+  // so the cached entry would have been returned as if fresh. Treat any
+  // non-finite age as "no provenance, refuse" unless the caller explicitly
+  // opted into allowStale.
+  const ageMs = meta.fetched_at ? Date.now() - new Date(meta.fetched_at).getTime() : NaN;
+  if (!opts.allowStale) {
+    if (!meta.fetched_at || !Number.isFinite(ageMs)) return null;
+    if (ageMs > maxAgeMs) return null;
+  }
   const p = entryPath(cacheDir, source, id);
   if (!fs.existsSync(p)) return null;
   try {
     const data = JSON.parse(fs.readFileSync(p, "utf8"));
-    return { data, age_ms: ageMs, meta };
+    return { data, age_ms: Number.isFinite(ageMs) ? ageMs : null, meta };
   } catch {
     return null;
   }

package/lib/refresh-network.js

@@ -357,6 +357,46 @@ async function main() {
     process.exitCode = 5; return;
   }
 
+  // v0.12.16 (audit I P1-5): cross-check the local public key against
+  // keys/EXPECTED_FINGERPRINT (the CI-pinned signing key). The prior
+  // refresh-network code only compared LOCAL ↔ TARBALL fingerprints, so a
+  // coordinated attacker who swapped both `keys/public.pem` on the operator's
+  // host AND the registry tarball passed every check — fingerprints match
+  // each other but match the attacker's key. The pin in EXPECTED_FINGERPRINT
+  // is the external trust anchor that closes this gap.
+  //
+  // Honors `KEYS_ROTATED=1` env to allow legitimate key rotation without
+  // re-bootstrap. Missing EXPECTED_FINGERPRINT file → warn-and-continue
+  // (don't break existing installs whose tree predates the pin file).
+  const expectedFingerprintPath = path.join(ROOT, "keys", "EXPECTED_FINGERPRINT");
+  if (fs.existsSync(expectedFingerprintPath) && !process.env.KEYS_ROTATED) {
+    try {
+      const expectedFp = fs.readFileSync(expectedFingerprintPath, "utf8")
+        .split(/\r?\n/).map(l => l.trim()).find(l => l.length > 0);
+      // v0.12.16 (codex P1 PR #11): `expectedFp` is read verbatim from
+      // keys/EXPECTED_FINGERPRINT (formatted as `SHA256:<base64>`), but
+      // `fingerprintPublicKey()` returns the raw base64 without the
+      // `SHA256:` prefix. Comparing the two raw strings would refuse every
+      // legitimate run unless KEYS_ROTATED=1 was set. Normalize by stripping
+      // the prefix from the pin file before compare. lib/verify.js's
+      // checkExpectedFingerprint() does the symmetric thing (adds the
+      // prefix to localFp); either side works as long as one is canonical.
+      const expectedFpBase64 = expectedFp && expectedFp.startsWith("SHA256:")
+        ? expectedFp.slice("SHA256:".length)
+        : expectedFp;
+      if (expectedFpBase64 && expectedFpBase64 !== localFp) {
+        emit({
+          ok: false,
+          error: `local keys/public.pem fingerprint diverges from keys/EXPECTED_FINGERPRINT pin`,
+          local_fingerprint: "SHA256:" + localFp,
+          pinned_fingerprint: expectedFp,
+          hint: "Either keys/public.pem was rotated since the pin was set (rerun `npm run bootstrap` to re-pin), or the local public.pem was tampered with. Set KEYS_ROTATED=1 to bypass once. Refusing to swap on --network.",
+        }, opts.json);
+        process.exitCode = 5; return;
+      }
+    } catch { /* unreadable pin file = warn-and-continue */ }
+  }
+
   // Verify every signed entry in the tarball manifest using the local key.
   let tarballManifest;
   try { tarballManifest = JSON.parse(tarballManifestEntry.body.toString("utf8")); }

package/lib/schemas/playbook.schema.json

@@ -323,7 +323,13 @@
                   "confidence": { "type": "string", "enum": ["low", "medium", "high", "deterministic"] },
                   "deterministic": { "type": "boolean", "description": "True if presence is definitive proof, not probabilistic." },
                   "atlas_ref": { "type": "string" },
-                  "attack_ref": { "type": "string" }
+                  "attack_ref": { "type": "string" },
+                  "cve_ref": { "type": "string", "description": "Optional CVE / MAL-* / SNYK-* identifier this indicator binds to. When the indicator fires, the named entry is pulled into analyze.matched_cves[] (v0.12.14 F3)." },
+                  "false_positive_checks_required": {
+                    "type": "array",
+                    "items": { "type": "string" },
+                    "description": "v0.12.12+ contract: each entry is a check an AI assistant or operator must satisfy before this indicator's `hit` verdict can drive classification:detected. The runner downgrades a hit to inconclusive when this array is non-empty and no fp_checks attestation is supplied via signal_overrides[`<id>__fp_checks`]."
+                  }
                 }
               }
             },