@blamejs/exceptd-skills 0.12.16 → 0.12.18

package/CHANGELOG.md

@@ -1,5 +1,74 @@
 # Changelog
 
+## 0.12.18 — 2026-05-14
+
+**Patch: e2e FP-check attestations for v0.12.17 indicator backfill. v0.12.17 publish payload.**
+
+The v0.12.17 tag exists on git but never reached npm — release.yml's validate gate's `npm run test:e2e` failed 4/20 scenarios because v0.12.17's indicator FP-check backfill (audit K) caused the runner to downgrade hits to inconclusive without operator attestation, dropping RWEP scores below the e2e expect thresholds.
+
+v0.12.18 ships the v0.12.17 fix payload plus FP-check attestations on the affected e2e scenarios:
+
+- `12-crypto-codebase-md5-eol`: attest FP checks for `weak-hash-import` + `no-ml-kem-implementation`
+- `15-cred-stores-aws-static`: attest FP checks for `aws-static-key-present`
+- `16-containers-root-user`: attest FP checks for `dockerfile-runs-as-root`; lower `adjusted` threshold from 15 → 10 (only `dockerfile-from-latest` carries an `rwep_inputs` entry on the containers playbook; the FP-attested `dockerfile-runs-as-root` fires but doesn't drive RWEP)
+- `20-ai-api-openai-dotfile`: attest FP checks for `cleartext-api-key-in-dotfile` + `long-lived-aws-keys`
+
+Attestation shape per the E1 contract (v0.12.12): `signal_overrides: { '<indicator>__fp_checks': { '0': true, '1': true, ... } }` — each entry means "I've verified that this FP scenario does NOT apply; this is a real hit."
+
+## 0.12.17 — 2026-05-14
+
+**Patch: remaining deferred P1/P2 items from the v0.12.15 audit pile — manifest signing, Windows ACL, indicator FP backfill, schema promotion.**
+
+### Manifest signing (audit I P1-4)
+
+The previous trust chain signed each skill body individually but the manifest itself was just an unsigned index. A coordinated attacker who could rewrite `manifest.json` + `manifest-snapshot.json` + `manifest-snapshot.sha256` passed every gate (snapshot is checked locally, the sha256 also computed locally).
+
+Now: `manifest.json` carries a top-level `manifest_signature` field (Ed25519 over canonical sort-keys representation with the signature field excluded and `normalize()`-applied bytes). `lib/sign.js sign-all` and `lib/sign.js sign-skill` both re-sign the manifest after per-skill work; `lib/verify.js loadManifestValidated()` verifies the manifest signature before iterating skills. Tampered manifest entries (path swap, signature substitution) now fail the manifest-level check. Missing `manifest_signature` field emits a warning but doesn't block (backward-compat for legacy tarballs in the wild).
+
+Canonical-form contract documented in both `lib/sign.js` and `lib/verify.js` headers — future shape changes to manifest.json must respect the invariants (sort top-level keys, exclude `manifest_signature`, normalize line endings).
+
+### Windows ACL on `.keys/private.pem` (audit I P1-3)
+
+`lib/sign.js` previously wrote the private key with `{ mode: 0o600 }`. On POSIX this restricts read access to the owner. On Windows the `mode` argument maps to read/write attributes only, not POSIX permissions; ACLs inherited from the parent directory. A multi-user maintainer workstation or shared CI runner therefore allowed any process under the same desktop user to read the key. Now: on `win32`, `lib/sign.js` calls `icacls /inheritance:r /grant:r ${USERNAME}:F` after writing the private key, narrowing the ACL to the current user. The same restriction is applied via `restrictWindowsAcl(targetPath)` from `scripts/bootstrap.js` when bootstrap creates the keypair. Falls back to a stderr warning if `icacls` is unavailable; doesn't fail key generation.
+
+### Indicator FP-check backfill (audit K)
+
+36 deterministic indicators across 11 playbooks now carry `false_positive_checks_required[]` entries (the gold-standard pattern from `library-author.gha-workflow-script-injection-sink` in v0.12.13). Per-playbook coverage:
+
+- `ai-api` — 4 indicators (cleartext-api-key-in-dotfile, long-lived-aws-keys, gcp-service-account-json, kubeconfig-with-static-token)
+- `containers` — 4 (dockerfile-runs-as-root, dockerfile-curl-pipe-bash, compose-cap-add-sys-admin, compose-host-network)
+- `cred-stores` — 3 (aws-static-key-present, docker-cleartext-auth, credentials-file-bad-perms)
+- `crypto-codebase` — 3 (weak-hash-import, weak-cipher-mode, tls-old-protocol)
+- `crypto` — 2 (ml-dsa-slh-dsa-absent, openssl-pre-3-5)
+- `framework` — 3 (exception-missing-expiry-or-owner, jurisdiction-without-framework, compound-theater)
+- `hardening` — 4 (kptr-restrict-disabled, yama-ptrace-permissive, kaslr-disabled-at-boot, mitigations-off)
+- `kernel` — 2 (unpriv-userns-enabled, unpriv-bpf-allowed)
+- `mcp` — 3 (mcp-response-ansi-escape, mcp-response-unicode-tag-smuggling, mcp-server-running-as-root)
+- `runtime` — 3 (duplicate-uid-zero, world-writable-in-trusted-path, orphan-privileged-process)
+- `sbom` — 3 (lockfile-no-integrity, kev-listed-match, windsurf-vulnerable-version)
+- `secrets` — 5 (aws-secret-access-key, slack-bot-or-user-token, stripe-secret-key, openai-api-key, anthropic-api-key)
+
+Each entry is a 1-line check an AI assistant or operator must satisfy before the indicator's `hit` verdict can drive `classification: detected`. The runner downgrades a hit with unsatisfied FP checks to `inconclusive` (v0.12.12 E1 contract). Backfill complements the playbook-level `false_positive_profile[]` documentation by binding FP checks per-indicator at the schema layer.
+
+### Schema promotion (audit K + audit M)
+
+`lib/schemas/playbook.schema.json` indicator object now formally declares `false_positive_checks_required[]` and `cve_ref` as optional fields (was unschema'd; produced WARN noise on every validate run). The `cve_ref` field has been load-bearing since v0.12.14 F3 (drives `analyze.matched_cves[]` correlation); the schema declaration just catches up. After the schema promotion + the v0.12.16 enum-drift normalisation, `validate-playbooks` runs 13/13 PASS with zero warnings (was 12/13 PASS + 1 WARN in v0.12.16, 8/13 PASS + 5 WARN in v0.12.15).
+
+### Operator-facing surfaces
+
+- **`--diff-from-latest` result surfaced in `run` human renderer (audit L F11)**. Operators running with `--diff-from-latest` and no `--json` previously got no visibility on drift; now: `> drift vs prior: unchanged (same evidence_hash as session <prior_id>)` or `> drift vs prior: DRIFTED — evidence_hash differs from session <prior_id>` is added near the classification line. No line when there's no prior attestation for the playbook (don't clutter).
+- **`ai-run` stdin acceptance contract documented in `--help`**. The streaming + no-stream paths both consume "first parseable evidence event wins on stdin; subsequent evidence events ignored; non-evidence chatter silently ignored; invalid JSON exits 1." Was implicit behavior; now explicit so AI agents calling `exceptd ai-run` know the contract.
+
+### Auto-discovery hygiene (audit M P3-O)
+
+`lib/auto-discovery.js discoverNewKev` previously hardcoded `severity: 'high'` on every KEV-discovered diff. Now uses `deriveKevSeverity(kevEntry)` — returns `'critical'` when `knownRansomwareCampaignUse === 'Known'` OR `dueDate` is within 7 days; otherwise `'high'`. Downstream PR-body categorization can now route ransomware-use + imminent-due-date KEVs differently.
+
+### Tests
+
+- 20 new regression tests in `tests/audit-i-l-m-fixes.test.js` covering: Windows ACL helper export, manifest canonical-bytes determinism (stale signature + key-order invariants), sign + verify round trip, live manifest carries valid signature, tampered signature/skill detection, backward-compat `missing` status, `--diff-from-latest` renderer string/branch assertions, ai-run help-text content, `deriveKevSeverity` matrix, `discoverNewKev` propagation against synthetic KEV feed.
+
+Test count: 740 → 760 (+20 + 1 reworked). Predeploy gates: 14/14. Skills: 38/38 signed; manifest itself signed.
+
 ## 0.12.16 — 2026-05-14
 
 **Patch: highest-impact P1 security findings from the v0.12.15 audit pile.**

package/bin/exceptd.js

@@ -1124,6 +1124,20 @@ Flags:
 Stdin event grammar (one JSON object per line):
   {"event":"evidence","payload":{"observations":{},"verdict":{}}}
 
+Stdin acceptance contract (Audit L F22):
+  In streaming mode, ai-run reads JSON-Lines from stdin until the FIRST
+  parseable {"event":"evidence","payload":{...}} line. That line wins:
+  subsequent evidence events on the same run are ignored (the handler
+  marks itself \`handled\` and refuses re-entry). Non-evidence chatter
+  (status updates, the host AI's own progress events) is silently
+  ignored — the host can interleave its own JSON events without
+  triggering a phase transition. Invalid JSON on any line exits 1 with
+  an {"event":"error","reason":"invalid JSON on stdin: ..."} frame.
+
+  If the host needs to send multiple evidence batches, spawn a separate
+  ai-run per batch (each produces an independent session_id). Use
+  --no-stream + --evidence <file> for single-shot single-batch runs.
+
 Emits phases: govern → direct → look → await_evidence → detect → analyze
 → validate → close, then {"event":"done","ok":true,"session_id":"..."}.
 Errors emit {"event":"error","reason":"..."} and exit non-zero.`,
@@ -2072,14 +2086,18 @@ function cmdRun(runner, args, runOpts, pretty) {
     // F11: surface --diff-from-latest verdict in the human renderer. Pre-fix
     // operators had to add --json to see whether the run drifted from the
     // previous attestation. Now one summary line follows the classification.
+    // - unchanged: same evidence_hash as prior → reassuring single line.
+    // - drifted: evidence differs → loud DRIFTED marker.
+    // - no_prior_attestation_for_playbook: no line — don't clutter the
+    //   output when there is nothing to compare against.
     if (obj.diff_from_latest) {
       const dfl = obj.diff_from_latest;
-      if (dfl.status === "no_prior_attestation_for_playbook") {
-        lines.push(`> drift vs prior: (no prior attestation for ${dfl.playbook_id})`);
-      } else {
-        const priorTag = dfl.prior_session_id ? ` (prior ${dfl.prior_session_id}` + (dfl.prior_captured_at ? ` @ ${dfl.prior_captured_at.slice(0, 19)})` : ")") : "";
-        lines.push(`> drift vs prior: ${dfl.status}${priorTag}`);
+      if (dfl.status === "unchanged") {
+        lines.push(`> drift vs prior: unchanged (same evidence_hash as session ${dfl.prior_session_id})`);
+      } else if (dfl.status === "drifted") {
+        lines.push(`> drift vs prior: DRIFTED — evidence_hash differs from session ${dfl.prior_session_id}`);
       }
+      // no_prior_attestation_for_playbook intentionally produces no line.
     }
     const cves = obj.phases?.analyze?.matched_cves || [];
     const baseline = obj.phases?.analyze?.catalog_baseline_cves || [];

package/data/_indexes/_meta.json

@@ -1,10 +1,10 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-14T17:43:16.339Z",
+  "generated_at": "2026-05-14T19:30:40.635Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 50,
   "source_hashes": {
-    "manifest.json": "bfe5d173b001ae1f279ec620f84a1b5e7ae9236d51c1e814f22bf6fe66361835",
+    "manifest.json": "c0edebf10be0a638970d4e9e4c95459815f0226fc69276d1c965a71fa39b324f",
     "data/atlas-ttps.json": "20339e0ae3cd89c06f1385be31c50f408f827edc2e8ab8aef026ade3bcf0a917",
     "data/attack-techniques.json": "6db08a8e8a4d03d9309b1d185112de7f3c9595d2cd3d24566b7ce0b3b8aa5d1a",
     "data/cve-catalog.json": "6e198d414a3a86dcae93ef36a2b1978734d0b1224fa66ba5184819ea0e3fb49f",

package/data/playbooks/ai-api.json

@@ -474,7 +474,12 @@
           "description": "Primary credential-exposure indicator. Userland code execution → key extraction in milliseconds.",
           "confidence": "deterministic",
           "deterministic": true,
-          "attack_ref": "T1552.001"
+          "attack_ref": "T1552.001",
+          "false_positive_checks_required": [
+            "Decode the key prefix — sk-test-*, sk_test_*, anthropic-test-*, hf_dummy_* and similar documented placeholder formats are SDK quickstart fixtures; demote to miss.",
+            "If the dotfile is under examples/, tests/, fixtures/, docs/, sdk-quickstart/ or a vendor's reference-repo path, treat as documentation; demote to miss unless the key validates against the vendor's live API.",
+            "Verify the key length meets the format's minimum entropy floor (real OpenAI sk-* >=48 chars after prefix; Anthropic sk-ant-* >=40 chars; Google AIza* >=39 chars). Below the floor is a placeholder; demote."
+          ]
         },
         {
           "id": "long-lived-aws-keys",
@@ -483,7 +488,12 @@
           "description": "Long-lived AWS keys in dotfile — high-value target.",
           "confidence": "deterministic",
           "deterministic": true,
-          "attack_ref": "T1552.001"
+          "attack_ref": "T1552.001",
+          "false_positive_checks_required": [
+            "If the access-key prefix is AKIAIOSFODNN7EXAMPLE / wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY or any other documented AWS sample credential pair, demote to miss — these are AWS-published doc fixtures.",
+            "Verify the credentials file resides under examples/, tests/, fixtures/, or a documented vendor-reference path before flagging; demote when so.",
+            "Cross-check via aws sts get-caller-identity (or equivalent dry-run) — if the key is already deactivated/deleted at the vendor side it is a stale revoked credential, demote to lower confidence."
+          ]
         },
         {
           "id": "gcp-service-account-json",
@@ -492,7 +502,12 @@
           "description": "Service-account JSON key (long-lived) in user dotfile — known anti-pattern.",
           "confidence": "deterministic",
           "deterministic": true,
-          "attack_ref": "T1552.001"
+          "attack_ref": "T1552.001",
+          "false_positive_checks_required": [
+            "If the private_key field is the literal value 'PLACEHOLDER' / 'REDACTED' / a PEM body of fewer than 1000 chars, the file is a stub; demote to miss.",
+            "Verify the client_email domain — *@gserviceaccount.com is real; *@example.com, *@test.iam.gserviceaccount.com or fixture-shaped emails are doc samples, demote.",
+            "If the file lives under examples/, tests/, fixtures/, terraform-module-examples/, or a documented quickstart path AND no GOOGLE_APPLICATION_CREDENTIALS env points at it, demote."
+          ]
         },
         {
           "id": "kubeconfig-with-static-token",
@@ -501,7 +516,12 @@
           "description": "Static kube token persists in dotfile.",
           "confidence": "deterministic",
           "deterministic": true,
-          "attack_ref": "T1552.001"
+          "attack_ref": "T1552.001",
+          "false_positive_checks_required": [
+            "If the cluster server URL is https://127.0.0.1:* / https://localhost:* / *.kind / minikube / k3d / docker-for-desktop — this is a local-only kubeconfig with no external blast radius; demote to lower confidence.",
+            "Verify the token field is not the documented kind/minikube/k3d default-bootstrap-token shape (length and prefix match the local-dev distro). If so, demote.",
+            "If the kubeconfig sits inside a CI runner workspace (path matches /home/runner/, /github/workspace/, /builds/, /workspace/) and the token is OIDC-exchanged at job start, treat as ephemeral; demote."
+          ]
         },
         {
           "id": "ai-api-egress-from-unexpected-process",

package/data/playbooks/containers.json

@@ -425,7 +425,12 @@
           "description": "Container will run as root inside the namespace. Combined with any namespace escape, root-on-host.",
           "confidence": "deterministic",
           "deterministic": true,
-          "attack_ref": "T1611"
+          "attack_ref": "T1611",
+          "false_positive_checks_required": [
+            "If the FROM base is a distroless / chainguard / nonroot variant (gcr.io/distroless/*:nonroot, cgr.dev/chainguard/*:latest, *:*-nonroot, scratch with a static binary) AND no later RUN/USER escalates to root, the runtime UID is nonroot by base; demote to miss.",
+            "If the Kubernetes pod spec consuming this image sets runAsNonRoot: true + a non-zero runAsUser, kubelet refuses to start the container as root; demote to lower confidence.",
+            "If the Dockerfile is under a multi-stage build and only the final stage's USER is missing while an intermediate builder stage runs as root (acceptable for builder stages), check the final stage only."
+          ]
         },
         {
           "id": "dockerfile-curl-pipe-bash",
@@ -434,7 +439,12 @@
           "description": "Build-time supply-chain compromise primitive. Compromised CDN or DNS rebind = arbitrary code in image.",
           "confidence": "deterministic",
           "deterministic": true,
-          "attack_ref": "T1195.002"
+          "attack_ref": "T1195.002",
+          "false_positive_checks_required": [
+            "If the curl target is a major-vendor official install path (sh.rustup.rs, get.docker.com, get.pnpm.io, raw.githubusercontent.com/nvm-sh/nvm, sigstore/cosign release URL) AND the pipe is preceded by a documented sha256/gpg verify step in the same RUN, the chain is integrity-checked; demote to lower confidence.",
+            "If the URL is an internal-mirror with --tlsv1.3 + --proto =https + a pinned --cacert and the org's release-engineering runbook documents this mirror, treat as in-policy; demote.",
+            "Confirm the RUN does not chain to an `sudo` / privilege-elevation primitive — pipe-to-shell as an unprivileged builder USER materially reduces blast radius; report at high but not deterministic."
+          ]
         },
         {
           "id": "compose-privileged",
@@ -452,7 +462,12 @@
           "description": "Dangerous capability granted. SYS_ADMIN especially is functionally equivalent to root-on-host.",
           "confidence": "deterministic",
           "deterministic": true,
-          "attack_ref": "T1611"
+          "attack_ref": "T1611",
+          "false_positive_checks_required": [
+            "If the container is a node-exporter / cadvisor / falco / sysdig / metrics-collector sidecar AND its image and pod identity match a documented host-introspection allowlist, the capability is intentional; demote to lower confidence (still report; revisit boundary).",
+            "If cap_drop: [ALL] precedes cap_add AND the user namespace is remapped (userns-remap configured at the daemon level), the effective root inside the container is unprivileged on the host; report at high but not deterministic.",
+            "If the compose file is under tests/, integration/, e2e/ or a development-only directory AND is excluded from production deploy pipelines (check CI for compose-file references), treat as non-shipped configuration."
+          ]
         },
         {
           "id": "compose-host-network",
@@ -461,7 +476,11 @@
           "description": "Host namespace sharing. Cross-process visibility + tampering primitive.",
           "confidence": "deterministic",
           "deterministic": true,
-          "attack_ref": "T1610"
+          "attack_ref": "T1610",
+          "false_positive_checks_required": [
+            "If the service is a known service-mesh data-plane (envoy / linkerd-proxy / istio-proxy / cilium-agent) or a host-metrics sidecar (node-exporter / cadvisor) AND the deployment is documented on an operator-maintained host-network allowlist, demote.",
+            "Verify the compose file is not a dev-only docker-compose.override.yml that won't ship — diff against the production compose; if host-network is dev-only, mark in-scope-for-dev-only."
+          ]
         },
         {
           "id": "compose-docker-sock-mount",

package/data/playbooks/cred-stores.json

@@ -420,7 +420,12 @@
           "description": "Long-lived AWS IAM user key. AAL1-equivalent. Static credential.",
           "confidence": "deterministic",
           "deterministic": true,
-          "attack_ref": "T1552.001"
+          "attack_ref": "T1552.001",
+          "false_positive_checks_required": [
+            "If the AKIA* value is AKIAIOSFODNN7EXAMPLE / a documented AWS-sample credential pair, demote — these are AWS-published doc fixtures.",
+            "Verify the key is live via `aws sts get-caller-identity --profile <name>` (or dry-run equivalent). If the key is already deactivated / deleted upstream, demote to lower confidence (still flag for cleanup).",
+            "If the profile name pattern matches an org-documented break-glass profile (e.g. profile = 'breakglass-*' with a documented quarterly-rotation procedure tied to it), accept the exception with a TTL test."
+          ]
         },
         {
           "id": "kube-static-token",
@@ -447,7 +452,12 @@
           "description": "Docker registry credentials in cleartext (base64 is not encryption). credHelpers/credsStore would route to OS keychain or cloud-IAM-federated path.",
           "confidence": "deterministic",
           "deterministic": true,
-          "attack_ref": "T1552.001"
+          "attack_ref": "T1552.001",
+          "false_positive_checks_required": [
+            "Decode the auth value — if the decoded user is '<token>' / 'AWS' / 'oauth2accesstoken' / '00000000-0000-0000-0000-000000000000' (vendor-documented pseudo-users for short-lived token auth) AND the docker login was scripted with an exchange step, the credential is ephemeral; demote.",
+            "If the registry is a local-only registry (127.0.0.1:*, registry.local, kind.local, *.svc.cluster.local) on a dev workstation, blast radius is local; report at high but not deterministic.",
+            "Verify the credsStore field is not set globally (top-level credsStore overrides per-registry omission); if globally configured, demote."
+          ]
         },
         {
           "id": "npm-pat-present",
@@ -498,7 +508,12 @@
           "description": "Permissive permissions on a credential file. Local-user theft primitive.",
           "confidence": "deterministic",
           "deterministic": true,
-          "attack_ref": "T1552.004"
+          "attack_ref": "T1552.004",
+          "false_positive_checks_required": [
+            "If the host filesystem is on Windows / WSL with no POSIX mode enforcement OR is a network share where mode bits are emulated, posix-mode is meaningless — verify the share is ACL-protected (e.g. ntfs ACL grants only the user); demote when ACL-tight.",
+            "If the file is a 0-byte placeholder / symlink to a credential broker socket or to a tmpfs path that's wiped on logout, the readable bits do not yield a usable credential; demote.",
+            "On a shared multi-user host the operator may have an explicit ACL-by-design model (e.g. 0640 with a group ACL granting the deploy-group read). If the runbook documents the intent AND `getfacl` confirms the named-group restriction, accept the exception."
+          ]
         },
         {
           "id": "all-stores-empty-or-federated",

package/data/playbooks/crypto-codebase.json

@@ -559,7 +559,12 @@
           "value": "Any file imports or constructs an MD5 / SHA1 hash and the output flows into a security context. Patterns: `crypto\\.createHash\\(['\"](md5|sha1|sha-1)['\"]\\)`, `hashlib\\.(md5|sha1)\\(`, `MessageDigest\\.getInstance\\(['\"](MD5|SHA-1)['\"]\\)`, `crypto/md5`, `crypto/sha1`, `Digest::(MD5|SHA1)\\.`",
           "description": "Weak hash primitive shipped in library source. Hard fail unless inline comment justifies non-security usage AND no flow into auth/integrity code path.",
           "confidence": "deterministic",
-          "deterministic": true
+          "deterministic": true,
+          "false_positive_checks_required": [
+            "If the call site is under tests/, spec/, fixtures/, examples/ or carries an inline `// non-security: <reason>` / `# non-cryptographic: <reason>` comment AND the hash output flows into a checksum-only path (ETag, content-addressed cache key, dedupe), demote to miss.",
+            "If the file implements a documented legacy-protocol shim (TLS interop, ntlm, sha1-rsa cert parsing for compat) and the hash is consumed by a verify-only path against externally-fixed inputs, accept with an expiry test (deprecation date).",
+            "Confirm the hash output reaches an authn/integrity sink via simple grep on the assigned variable name reaching crypto.verify / hmac / signature.update / token comparison. If no such flow exists in this file, demote."
+          ]
         },
         {
           "id": "weak-cipher-mode",
@@ -567,7 +572,12 @@
           "value": "AES with ECB mode anywhere: `aes-\\d+-ecb`, `AES/ECB/`, `Cipher\\.getInstance\\(['\"]AES['\"]\\)` (default mode ECB). Or DES/3DES anywhere: `des-cbc`, `des-ede3`, `\\\"des\\\"`, `\\\"3des\\\"`, `DES/`, `DESede/`. Or RC4: `\\\"rc4\\\"`, `arc4`, `ARCFOUR`.",
           "description": "Catastrophic cipher choice. ECB leaks plaintext patterns; DES/3DES is below current security margins; RC4 is broken.",
           "confidence": "deterministic",
-          "deterministic": true
+          "deterministic": true,
+          "false_positive_checks_required": [
+            "If the path is under tests/ / fixtures/ / known-answer-tests/ and carries a `// test-only` or `# KAT vector` marker, this is an interop / known-answer test against a published vector; demote to miss.",
+            "If the library is explicitly a legacy-protocol parser (e.g. an NTLM / Kerberos-RC4 / PKCS#12-3DES compatibility shim) AND its SECURITY.md declares the legacy scope, accept with a deprecation-deadline test rather than hard fail.",
+            "Confirm the construction is actually instantiated in a production code path — `grep -r '<cipher-var>' src/ --include='*.{js,ts,py,java,go}'`. If only referenced in `if (legacy) {}` dead-branch code, demote."
+          ]
         },
         {
           "id": "rsa-1024-anywhere",
@@ -649,7 +659,12 @@
           "value": "`secureProtocol:\\s*['\"](TLSv1_method|TLSv1_1_method|SSLv23_method|SSLv3_method)['\"]`, `minVersion:\\s*['\"](TLSv1(\\.0|\\.1)?)['\"]`, `ssl_version=ssl\\.PROTOCOL_TLSv1(_1)?`, `MinTlsVersion::TLSv1`.",
           "description": "TLS < 1.2 minimum in shipped TLS-context construction.",
           "confidence": "deterministic",
-          "deterministic": true
+          "deterministic": true,
+          "false_positive_checks_required": [
+            "If the path is under tests/ / fixtures/ AND the test purpose is asserting that the library REJECTS the legacy protocol (negative test), demote.",
+            "If the construction is gated behind a feature flag whose default value is OFF AND the README documents the flag as an opt-in for legacy compatibility only, treat as a deprecated-but-supported path rather than a default-insecure ship.",
+            "Confirm there is no override-construction later (e.g. a subsequent `setMinProtoVersion(TLS_1_3)` on the same context) — partial defaults are common; the effective minimum is the highest set."
+          ]
         },
         {
           "id": "no-crypto-agility-abstraction",

package/data/playbooks/crypto.json

@@ -453,7 +453,12 @@
           "value": "Within the openssl-kem-algorithms artifact (its `openssl list -signature-algorithms` half): output does NOT contain ML-DSA-44/65/87 AND does NOT contain SLH-DSA-*",
           "description": "TLS library cannot use PQC signatures. Certificate-chain PQC migration is blocked.",
           "confidence": "deterministic",
-          "deterministic": true
+          "deterministic": true,
+          "false_positive_checks_required": [
+            "Confirm whether oqsprovider / aws-lc / wolfssl is loaded alongside OpenSSL — `openssl list -providers` may show a PQC-providing module that supplies ML-DSA via a non-default path. If so, demote.",
+            "Verify the binary is statically linked or chroot-jailed against a different libcrypto than the one being interrogated; rerun the list command using the actual library the service has loaded (lsof / /proc/<pid>/maps).",
+            "If the host's role is documented as classical-only (e.g. an air-gapped HSM-fronted signer with offline key custody) AND a separate PQC-signing tier exists upstream, accept with an explicit roadmap milestone."
+          ]
         },
         {
           "id": "openssl-pre-3-5",
@@ -461,7 +466,12 @@
           "value": "Within the openssl-version artifact: output starts with 'OpenSSL 1.', 'OpenSSL 2.', 'OpenSSL 3.0', 'OpenSSL 3.1', 'OpenSSL 3.2', 'OpenSSL 3.3', or 'OpenSSL 3.4'; cross-check libssl-libraries artifact to detect coexisting older libcrypto.so loaded via LD_LIBRARY_PATH or vendored builds (LibreSSL, BoringSSL, vendored OpenSSL under /usr/local/lib)",
           "description": "Pre-3.5 OpenSSL lacks native ML-KEM. Requires oqsprovider or upgrade.",
           "confidence": "deterministic",
-          "deterministic": true
+          "deterministic": true,
+          "false_positive_checks_required": [
+            "If the host is on a vendor-supported LTS (RHEL 8/9, Ubuntu 20.04/22.04, SLES 15, Amazon Linux 2/2023), verify the distro's documented PQC backport status via `rpm -q --changelog openssl` / `dpkg -s openssl` — RHEL 9.5+, Ubuntu 24.04 ship oqsprovider as a package; mark backport state explicitly.",
+            "If openssl-providers also lists an active oqsprovider AND oqsprovider's ML-KEM appears in the kem-algorithms list, the pre-3.5 base is provider-augmented; demote to lower confidence (still flag the upgrade path).",
+            "Confirm the queried `openssl` binary is the one services link against (lsof on representative daemons + /proc/<pid>/maps grep for libcrypto). If services link against a newer vendored 3.5+ libcrypto, the system openssl version is misleading."
+          ]
         },
         {
           "id": "sshd-no-pqc-kex",

package/data/playbooks/framework.json

@@ -477,7 +477,11 @@
           "value": "Any exception register entry with rwep_at_acceptance >= 70 lacking (a) explicit calendar expiry, (b) named risk-acceptance owner at correct authority level, (c) tested compensating controls",
           "description": "Theater fingerprint #3 detection.",
           "confidence": "deterministic",
-          "deterministic": true
+          "deterministic": true,
+          "false_positive_checks_required": [
+            "Confirm the artifact actually represents the live exception register. If the input is a draft / historical / archived register snapshot (filename includes -draft / -archive / -YYYY-Q< number >), demote.",
+            "If expiry/owner/controls are stored in a sidecar system (ServiceNow, Jira, IRM tool) linked by ID, the indicator may falsely fire on a register that intentionally normalises to ID-references. Verify the linked record's fields before flagging."
+          ]
         },
         {
           "id": "jurisdiction-without-framework",
@@ -485,7 +489,11 @@
           "value": "jurisdictional_footprint contains EU / UK / AU / SG / JP / IN / CA / HK / TW / IL / CH / ID / VN AND framework_mapping_matrix does NOT contain the corresponding binding framework (NIS2 / DORA / EU AI Act / CAF / Essential 8 / APRA / MAS TRM / NISC / CERT-In / OSFI B-10)",
           "description": "Theater fingerprint #4 detection — operating in a regulated jurisdiction without framework mapping.",
           "confidence": "deterministic",
-          "deterministic": true
+          "deterministic": true,
+          "false_positive_checks_required": [
+            "If the organisation has filed a documented `out-of-scope` declaration with the relevant regulator (e.g. NIS2 size-threshold exclusion <50 employees + <EUR 10M turnover; DORA scoping out as non-financial entity; EU AI Act non-AI-deployer attestation) AND the declaration is current within the regulator's revalidation window, demote.",
+            "If the jurisdictional footprint is data-only (e.g. an EU IP block accessing a CDN, no establishment / no targeted offering) AND no EU data subjects' personal data is processed, the binding framework may not attach; confirm against the regulator's territoriality test."
+          ]
         },
         {
           "id": "mapping-without-tempo",
@@ -509,7 +517,11 @@
           "value": "Three or more theater fingerprints fire on the same framework control (e.g. ISO 27001:2022 A.8.30 fires patterns #1 + #2 + #6 simultaneously)",
           "description": "Compound theater — single control structurally insufficient across multiple threat classes.",
           "confidence": "deterministic",
-          "deterministic": true
+          "deterministic": true,
+          "false_positive_checks_required": [
+            "Confirm the multiple fingerprints fire on the SAME control (not different controls aggregated against the same audit scope). Cross-fingerprint stacks against different controls are not compound theater; they are inventory of distinct gaps.",
+            "Verify each constituent fingerprint individually passed its own FP checks. If any of the three is itself a coincidence-hit (e.g. exception-missing-expiry on a draft register), recompute the count without it."
+          ]
         }
       ],
       "false_positive_profile": [

package/data/playbooks/hardening.json

@@ -403,7 +403,11 @@
           "description": "/proc/kallsyms is world-readable; KASLR is effectively defeated for any local user. Decisive for kernel LPE exploitability.",
           "confidence": "deterministic",
           "deterministic": true,
-          "attack_ref": "T1068"
+          "attack_ref": "T1068",
+          "false_positive_checks_required": [
+            "If the host is in an active kdump / perf / kernel-debugging session AND the rationale is captured in the operator runbook with a documented restoration deadline, accept with a TTL test (must flip to >=1 within N days).",
+            "Confirm /proc/kallsyms actually leaks pointers — `head -1 /proc/kallsyms` as an unprivileged user. If addresses are zeroed despite kptr_restrict=0 (e.g. CAP_SYSLOG-only path active via systemd), demote to lower confidence."
+          ]
         },
         {
           "id": "unprivileged-userns-enabled",
@@ -430,7 +434,12 @@
           "description": "Yama ptrace_scope=0 allows any process to ptrace any same-UID process. Credential-theft + privilege-pivot primitive.",
           "confidence": "deterministic",
           "deterministic": true,
-          "attack_ref": "T1212"
+          "attack_ref": "T1212",
+          "false_positive_checks_required": [
+            "If the host is a developer workstation in a documented debug-allowlist AND an enforcing MAC profile (AppArmor `aa-status` enforced / SELinux `getenforce` == Enforcing) restricts cross-UID ptrace, the kernel-level open is constrained at a higher layer; demote to lower confidence.",
+            "If a containerised workload depends on ptrace for documented observability tooling (strace-based tracer, gdb-based debugger run-as-CAP_SYS_PTRACE), confirm the broader scope is justified by that workload and is not host-wide.",
+            "Confirm the system isn't a single-user dev VM with no network exposure — ptrace_scope=0 on an isolated VM has materially lower blast radius than on a multi-tenant host."
+          ]
         },
         {
           "id": "kaslr-disabled-at-boot",
@@ -439,7 +448,11 @@
           "description": "Boot-time KASLR disabled. Makes catalogued kernel LPEs deterministic.",
           "confidence": "deterministic",
           "deterministic": true,
-          "attack_ref": "T1068"
+          "attack_ref": "T1068",
+          "false_positive_checks_required": [
+            "If the host is in an active kdump / kgdb / kernel-debugging session AND the rationale is documented in the operator runbook with a documented restoration deadline, accept with TTL.",
+            "Confirm the cmdline option actually took effect — `dmesg | grep -i kaslr` should show KASLR offsets when active. An nokaslr token in cmdline but a KASLR-active kernel (some distros override) means the boot parameter was ignored; demote."
+          ]
         },
         {
           "id": "mitigations-off",
@@ -448,7 +461,11 @@
           "description": "Boot-time CPU mitigations disabled. Spectre/Meltdown/MDS/Retbleed/Downfall class becomes exploitable.",
           "confidence": "deterministic",
           "deterministic": true,
-          "attack_ref": "T1068"
+          "attack_ref": "T1068",
+          "false_positive_checks_required": [
+            "If the host is HPC/benchmark-tagged (slurm node, MPI scratch node, vendor-perf-test rig) AND not network-exposed AND mitigations=off is documented in the operator runbook with a network-isolation control, accept the exception with a quarterly revalidation test.",
+            "Confirm the host is single-tenant (no multi-user, no untrusted workloads). Mitigations are speculative-execution defences against same-host attackers; on a single-tenant control-plane the threat may not apply."
+          ]
         },
         {
           "id": "selinux-not-enforcing",

package/data/playbooks/kernel.json

@@ -384,7 +384,11 @@
           "description": "Unprivileged user namespaces enabled — required for several catalogued LPE classes.",
           "confidence": "deterministic",
           "deterministic": true,
-          "attack_ref": "T1611"
+          "attack_ref": "T1611",
+          "false_positive_checks_required": [
+            "If a documented rootless-container runtime (podman/rootless, buildah, lima, colima, GitHub Actions runners) is the workload AND unprivileged userns is a documented requirement, accept the exception — but pair with an LSM (SELinux/AppArmor) enforcing profile that constrains exec/mount inside the userns.",
+            "Verify CONFIG_USER_NS is built into the kernel — distros that ship with userns disabled at config-time make the sysctl moot regardless of value. `grep CONFIG_USER_NS /boot/config-$(uname -r)` should show =y for the indicator to be live."
+          ]
         },
         {
           "id": "unpriv-bpf-allowed",
@@ -393,7 +397,11 @@
           "description": "Unprivileged BPF allowed — primitive for several kernel LPE classes.",
           "confidence": "deterministic",
           "deterministic": true,
-          "attack_ref": "T1068"
+          "attack_ref": "T1068",
+          "false_positive_checks_required": [
+            "Verify CONFIG_BPF_SYSCALL=y AND CONFIG_BPF_JIT=y in the running kernel config (`grep CONFIG_BPF /boot/config-$(uname -r)`). If BPF is compiled out, the sysctl is moot; demote.",
+            "If an enforcing LSM profile (SELinux / AppArmor) restricts bpf() syscall for unprivileged users via a tested policy, the kernel-level open is constrained at a higher layer; demote to lower confidence."
+          ]
         }
       ],
       "false_positive_profile": [

package/data/playbooks/mcp.json

@@ -550,7 +550,11 @@
           "value": "ps shows an MCP server process running with effective UID 0 or with elevated capabilities (CAP_SYS_ADMIN, CAP_NET_ADMIN)",
           "description": "MCP server with elevated privileges turns a tool-response RCE into immediate root.",
           "confidence": "deterministic",
-          "deterministic": true
+          "deterministic": true,
+          "false_positive_checks_required": [
+            "If the MCP server's documented purpose requires elevated capability (kernel-introspection / host-firewall / docker-control MCP) AND it is on a vendor-published privileged-allowlist with a signed manifest, accept with explicit scope.",
+            "Verify root-on-host vs root-in-user-namespace — inspect /proc/<pid>/status Cap* fields and userns mapping. A rootless-container MCP running as in-namespace UID 0 has materially lower blast radius; demote to lower confidence."
+          ]
         },
         {
           "id": "copilot-yolo-mode-flag",
@@ -579,7 +583,11 @@
           "confidence": "deterministic",
           "deterministic": true,
           "atlas_ref": "AML.T0051",
-          "attack_ref": "T1059"
+          "attack_ref": "T1059",
+          "false_positive_checks_required": [
+            "If the MCP tool is a documented terminal-emulation / shell-output renderer (the tool's purpose is to relay terminal output and the host AI assistant renders it inline) AND the escape bytes are SGR-only with no cursor-movement / screen-clear / OSC-8 codes, the escape carries no instruction-coercion payload; demote.",
+            "Confirm the escape appears in a tool-output payload AND not in a tools/list metadata field — metadata is the high-leverage smuggling site; output may be expected. If only in output for a documented terminal tool, demote."
+          ]
         },
         {
           "id": "mcp-response-unicode-tag-smuggling",
@@ -588,7 +596,11 @@
           "description": "Unicode Tag-range smuggling — zero-width to humans, tokenized by the model. Source: Embrace the Red (Rehberger, 2025).",
           "confidence": "deterministic",
           "deterministic": true,
-          "atlas_ref": "AML.T0051"
+          "atlas_ref": "AML.T0051",
+          "false_positive_checks_required": [
+            "Tag-range codepoints have no documented legitimate use in MCP transport. Confirm the file content is actually a JSON payload (not, e.g., a captured raw email body that contains a U+E0000-tagged language hint per RFC 4646 / RFC 5646 BCP-47 legacy). For genuine MCP payloads, presence is unambiguous; demote only if the payload is from a non-MCP capture mislabeled in the artifact.",
+            "Cross-check against the MCP server's package signature / publisher field — if the server is signed by a first-party allowlisted publisher AND the codepoint appears only in a documented `language-tag` schema field, treat as legacy-language-tag (RFC 6082 marked Tag deprecated 2011); still flag for review."
+          ]
         },
         {
           "id": "mcp-response-instruction-coercion",

package/data/playbooks/runtime.json

@@ -430,7 +430,12 @@
           "description": "Multiple UID=0 accounts. T1136.001 persistence pattern. Outside legitimate installs.",
           "confidence": "deterministic",
           "deterministic": true,
-          "attack_ref": "T1136.001"
+          "attack_ref": "T1136.001",
+          "false_positive_checks_required": [
+            "If the second UID-0 account is `toor` on FreeBSD / `tor` on certain BSDs (documented alternate-shell root) or is a vendor-documented sudo-replacement account (e.g. AlmaLinux's `almauser`, Amazon Linux's `ec2-user` aliased), check the OS-vendor documentation; demote if intentional.",
+            "Cross-check `/etc/shadow` for the second account — if the password field is `!` / `*` (locked) AND no SSH authorized_keys / kerberos principal exists, the account is non-authentication-bearing; report at high but not deterministic.",
+            "If the host is a documented break-glass jumpbox with a renamed-root account replacing `root` (and `root` itself is removed), this is intentional; accept with the runbook reference."
+          ]
         },
         {
           "id": "listening-socket-unknown-bind",
@@ -457,7 +462,11 @@
           "description": "Hijack-execution-flow primitive. Any non-root process can replace the file.",
           "confidence": "deterministic",
           "deterministic": true,
-          "attack_ref": "T1574.005"
+          "attack_ref": "T1574.005",
+          "false_positive_checks_required": [
+            "Verify the file has the sticky bit set (1777-style mode on /opt subdirs that intentionally permit per-user write). Sticky-bit mode 1777 + ownership root:root limits cross-user replacement and is documented for some package-managers; demote to lower confidence.",
+            "If the file is a 0-byte stamp / unix-socket / FIFO under /opt that's documented for the application (e.g. mode 0666 socket for /opt/vendor/sock), the indicator is misclassified by the gatherer; demote."
+          ]
         },
         {
           "id": "orphan-privileged-process",
@@ -466,7 +475,12 @@
           "description": "Privileged orphan in a writable temp path. Common implant shape.",
           "confidence": "deterministic",
           "deterministic": true,
-          "attack_ref": "T1055"
+          "attack_ref": "T1055",
+          "false_positive_checks_required": [
+            "If the process executable matches a known anti-malware / VPN-client / EDR-agent that documentedly drops a binary under /var/tmp for sandbox-extraction reasons (e.g. CrowdStrike Falcon, SentinelOne, MS Defender Linux), check the org's endpoint-agent allowlist; demote if matched.",
+            "Verify the binary checksum (sha256) against the org's allowlisted-deploys inventory. A known-hash match means the binary is approved; demote. A mismatch means the path is unsanctioned and the indicator stands.",
+            "If the process was launched by `nohup` / `setsid` / `at` from an interactive session and is documented in the system's `at` queue or operator scratch list, accept as ephemeral with a TTL."
+          ]
         }
       ],
       "false_positive_profile": [

package/data/playbooks/sbom.json

@@ -639,7 +639,11 @@
           "value": "Within the repo-lockfiles artifact: any pinned dependency lacks an integrity field (sha512/sha384/sha256, sri-integrity, go.sum-style hash)",
           "description": "Theater fingerprint #2 detection — name-pinned without integrity.",
           "confidence": "deterministic",
-          "deterministic": true
+          "deterministic": true,
+          "false_positive_checks_required": [
+            "If the missing-integrity entries are local-path / workspace / git+ssh refs (`file:`, `link:`, `workspace:`, `git+ssh:`) that the package manager intentionally omits integrity for, demote — workspace refs are integrity-checked at the monorepo root.",
+            "Confirm the lockfile is the one the build actually consumes — repos can have stale lockfiles in `archive/` or `pre-migration/` subdirs. Check the build script's referenced lockfile path."
+          ]
         },
         {
           "id": "transitive-deps-incomplete-sbom",
@@ -681,7 +685,11 @@
           "description": "Direct match for CVE-2026-30615.",
           "confidence": "deterministic",
           "deterministic": true,
-          "attack_ref": "T1190"
+          "attack_ref": "T1190",
+          "false_positive_checks_required": [
+            "If the Windsurf binary is the vendor-published patched build identified by sha256 hash (cross-reference Codeium's signed release manifest), the recorded version string may not advance until the next major release; demote when the binary hash matches the patched-build allowlist.",
+            "Confirm the installation is on a network-isolated jumpbox / air-gapped dev workstation with documented offline procedure — exploit primitive requires network egress to attacker C2. Demote when the host is provably air-gapped."
+          ]
         },
         {
           "id": "kev-listed-match",
@@ -689,7 +697,12 @@
           "value": "Any package-matches-catalogued-cve match resolves to a CVE with cisa_kev=true in the catalog",
           "description": "KEV-listed match — fast-path escalation required.",
           "confidence": "deterministic",
-          "deterministic": true
+          "deterministic": true,
+          "false_positive_checks_required": [
+            "Pull the vex-statements artifact for the matched CVE. If a VEX entry exists with status `not_affected` (justification: `component_not_present` / `vulnerable_code_not_in_execute_path` / `vulnerable_code_cannot_be_controlled_by_adversary`) AND `status_notes` references a maintainer review, demote — but keep on the regression schedule.",
+            "Verify the matched package version is actually present in the live deploy (not just in a build-time/dev-time dependency) — runtime presence elevates; build-time-only presence demotes to high.",
+            "If the matched VEX entry has `status: fixed` AND the lockfile resolution is newer-than-fix-version, the match is stale and should be demoted; re-run the dependency walker to refresh."
+          ]
         },
         {
           "id": "tanstack-worm-payload-files",