@blamejs/exceptd-skills 0.12.16 → 0.12.18

package/data/playbooks/secrets.json

@@ -391,7 +391,12 @@
           "description": "AWS Secret Access Key. Always findable in tandem with AKIA*. Independent finding because both halves are needed.",
           "confidence": "deterministic",
           "deterministic": true,
-          "attack_ref": "T1552.001"
+          "attack_ref": "T1552.001",
+          "false_positive_checks_required": [
+            "Check for co-occurrence with an AKIA*/ASIA*/AGPA*/AIDA* access-key-id in a 10-line window. Without corroboration, the 40-char base64-ish string is plausibly a Base64-encoded JWT signature / random data / DB password — demote to medium when corroboration is absent.",
+            "If the value matches the AWS-published sample wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY, demote to miss (doc fixture).",
+            "Verify the file is not under examples/ / docs/ / fixtures/ AND not a known-test snapshot; demote when in a documented placeholder path."
+          ]
         },
         {
           "id": "gcp-service-account-json",
@@ -427,7 +432,12 @@
           "description": "Slack bot / user / refresh / app token.",
           "confidence": "deterministic",
           "deterministic": true,
-          "attack_ref": "T1552.001"
+          "attack_ref": "T1552.001",
+          "false_positive_checks_required": [
+            "If the value is `xoxb-PLACEHOLDER` / `xoxb-EXAMPLE` / a Slack-published doc fixture (e.g. xoxb-12345-67890-AbCdEf), demote.",
+            "Verify the token format conforms to a current Slack token shape (xoxb- usually has at least three dash-separated numeric segments before the alpha suffix). Loose 10-char tail matches without segmentation can match unrelated strings; demote when segmentation is wrong.",
+            "If under examples/ / docs/ / fixtures/ AND no surrounding env var (SLACK_BOT_TOKEN / SLACK_USER_TOKEN) suggests an active config, demote."
+          ]
         },
         {
           "id": "stripe-secret-key",
@@ -436,7 +446,12 @@
           "description": "Stripe live or test secret key. Live keys are direct financial exposure.",
           "confidence": "deterministic",
           "deterministic": true,
-          "attack_ref": "T1552.001"
+          "attack_ref": "T1552.001",
+          "false_positive_checks_required": [
+            "If the prefix is `sk_test_` AND the value matches a published Stripe sample test key (see Stripe API docs — they publish a small set explicitly for documentation use), demote — test keys cannot move funds.",
+            "Verify the file path is not under examples/, fixtures/, docs/, or a stripe-quickstart template — demote in documented placeholder paths.",
+            "For sk_live_*, cross-check against the Stripe API (`POST /v1/accounts/retrieve` or similar live-validity probe) only if the operator has authorised an external validation; otherwise treat the live prefix as deterministic."
+          ]
         },
         {
           "id": "jwt-token-with-secret-context",
@@ -463,7 +478,12 @@
           "description": "OpenAI API key (incl. project-scoped sk-proj-* form). Active key spend exposure.",
           "confidence": "deterministic",
           "deterministic": true,
-          "attack_ref": "T1552.001"
+          "attack_ref": "T1552.001",
+          "false_positive_checks_required": [
+            "If the key prefix is `sk-test-*` / `sk-dummy-*` / `sk-XXXX` / contains only placeholder runs (XXXXX, 1234, abcd) it is a documentation fixture; demote.",
+            "Verify the key length meets the OpenAI minimum entropy floor (post-prefix length >= 48 chars). Below the floor is a placeholder; demote.",
+            "The regex `sk-[A-Za-z0-9_-]{40,}` also matches Anthropic sk-ant-* and other vendor-prefixed keys — confirm the vendor by surrounding context (env var name, comment) before classifying as OpenAI."
+          ]
         },
         {
           "id": "anthropic-api-key",
@@ -472,7 +492,12 @@
           "description": "Anthropic API key. Active key spend exposure.",
           "confidence": "deterministic",
           "deterministic": true,
-          "attack_ref": "T1552.001"
+          "attack_ref": "T1552.001",
+          "false_positive_checks_required": [
+            "If the key is `sk-ant-api03-PLACEHOLDER...` / `sk-ant-test-*` / contains documented placeholder substrings (XXXX runs, all-zero runs), demote.",
+            "Verify the file is not under examples/, fixtures/, sdk-quickstart/, or a docs-snippet path — demote when in documented placeholder paths.",
+            "Confirm post-prefix length meets the Anthropic minimum entropy floor (>= 80 chars after sk-ant-(api03|admin01)-); below the floor is a fixture, demote."
+          ]
         },
         {
           "id": "world-writable-env-file",

package/lib/auto-discovery.js

@@ -56,6 +56,38 @@ function buildScoringInputs(kevEntry /*, nvdPayload */) {
   };
 }
 
+/**
+ * Audit M P3-O — diff severity nuance for KEV-discovered drafts.
+ *
+ * Pre-fix every KEV-derived diff carried `severity: "high"`. Operators
+ * scanning the diff stream had no way to distinguish "patch in 21 days"
+ * from "active ransomware campaign, patch yesterday." Now:
+ *
+ *   - ransomware_use === "Known"   → "critical" (campaigns observed in the wild)
+ *   - dueDate within 7 days of now → "critical" (CISA escalation window)
+ *   - otherwise                    → "high"     (still actively exploited per KEV listing)
+ *
+ * A KEV listing inherently means active exploitation; "low" / "medium"
+ * never apply here. The split is between "act today" and "act this sprint."
+ *
+ * @param {object} kevEntry
+ * @returns {"critical" | "high"}
+ */
+function deriveKevSeverity(kevEntry) {
+  const ransomware = String(kevEntry?.knownRansomwareCampaignUse || "").toLowerCase() === "known";
+  if (ransomware) return "critical";
+  const due = kevEntry?.dueDate;
+  if (typeof due === "string" && /^\d{4}-\d{2}-\d{2}/.test(due)) {
+    const dueMs = Date.parse(due);
+    if (Number.isFinite(dueMs)) {
+      const deltaMs = dueMs - Date.now();
+      // Within the next 7 days OR already past due → critical.
+      if (deltaMs <= 7 * 86_400_000) return "critical";
+    }
+  }
+  return "high";
+}
+
 const TODAY = new Date().toISOString().slice(0, 10);
 const TIMEOUT_MS = 10_000;
 const USER_AGENT = "exceptd-security/auto-discovery (+https://exceptd.com)";
@@ -259,7 +291,7 @@ function discoverNewKev(ctx, cap = DEFAULT_CAP) {
       op: "add",
       target: "cveCatalog",
       entry,
-      severity: "high",
+      severity: deriveKevSeverity(kev),
       meta: {
         date_added: kev.dateAdded || null,
         vendor: kev.vendorProject || null,
@@ -534,6 +566,7 @@ module.exports = {
   discoverNewRfcs,
   buildKevDraftEntry,
   getProjectRfcGroups,
+  deriveKevSeverity,
   SEED_RFC_GROUPS,
   DEFAULT_CAP,
 };

package/lib/schemas/playbook.schema.json

@@ -323,7 +323,13 @@
                   "confidence": { "type": "string", "enum": ["low", "medium", "high", "deterministic"] },
                   "deterministic": { "type": "boolean", "description": "True if presence is definitive proof, not probabilistic." },
                   "atlas_ref": { "type": "string" },
-                  "attack_ref": { "type": "string" }
+                  "attack_ref": { "type": "string" },
+                  "cve_ref": { "type": "string", "description": "Optional CVE / MAL-* / SNYK-* identifier this indicator binds to. When the indicator fires, the named entry is pulled into analyze.matched_cves[] (v0.12.14 F3)." },
+                  "false_positive_checks_required": {
+                    "type": "array",
+                    "items": { "type": "string" },
+                    "description": "v0.12.12+ contract: each entry is a check an AI assistant or operator must satisfy before this indicator's `hit` verdict can drive classification:detected. The runner downgrades a hit to inconclusive when this array is non-empty and no fp_checks attestation is supplied via signal_overrides[`<id>__fp_checks`]."
+                  }
                 }
               }
             },

package/lib/sign.js

@@ -24,6 +24,38 @@
  * validateSkillPath() below). Without this a tampered manifest could
  * sign or verify arbitrary files outside the skills/ tree.
  *
+ * Manifest signing contract (must mirror lib/verify.js):
+ *   After all individual skill signatures are written, sign-all signs
+ *   the manifest itself. The canonical bytes are computed as:
+ *     1. Read the manifest object after all skill signatures land.
+ *     2. Delete the top-level `manifest_signature` field if present
+ *        (idempotency — re-signing after rotation must produce the same
+ *        canonical bytes whether or not a stale signature is there).
+ *     3. Serialize via JSON.stringify(obj, sortedTopLevelKeys, 2). The
+ *        top-level keys are stringified in lexicographic order so a
+ *        re-ordered manifest signs to the same bytes. Nested objects
+ *        keep their natural key order (skills[] entries already follow
+ *        a stable convention).
+ *     4. Apply normalize() (CRLF→LF, BOM strip) — same transform skills
+ *        use, so the manifest signature survives any line-ending churn.
+ *   ANY change to canonicalManifestBytes() or this contract requires
+ *   the matching change in lib/verify.js. A coordinated attacker who
+ *   rewrites manifest.json + manifest-snapshot.json + manifest-snapshot.sha256
+ *   without the private key produces a manifest_signature mismatch that
+ *   lib/verify.js refuses to load.
+ *
+ * Windows ACL contract:
+ *   On win32, `fs.writeFileSync(..., { mode: 0o600 })` only affects
+ *   read-only attributes — it does NOT establish a POSIX-style restrictive
+ *   ACL. Any process running under the same desktop user can read the key
+ *   by default ACL inheritance from the parent. After writing
+ *   .keys/private.pem on Windows, restrictWindowsAcl() shells to icacls
+ *   to strip inherited entries and grant Full Control only to the current
+ *   user. If icacls is unavailable (Server Core, exotic shells), the call
+ *   warns to stderr but does not fail keypair generation — generating the
+ *   key was the load-bearing step; ACL tightening is best-effort hardening
+ *   on top.
+ *
  * Signing ceremony:
  *   1. node lib/sign.js generate-keypair    — generate keypair (one time, per deployment)
  *   2. node lib/sign.js sign-all            — sign all skills (after any content change)
@@ -44,6 +76,7 @@
 const fs = require('fs');
 const path = require('path');
 const crypto = require('crypto');
+const { execFileSync } = require('child_process');
 
 const ROOT = path.join(__dirname, '..');
 const MANIFEST_PATH = path.join(ROOT, 'manifest.json');
@@ -79,6 +112,11 @@ function generateKeypair({ rotate = false } = {}) {
   fs.writeFileSync(PRIVATE_KEY_PATH, privateKey, { encoding: 'utf8', mode: 0o600 });
   fs.writeFileSync(PUBLIC_KEY_PATH, publicKey, { encoding: 'utf8', mode: 0o644 });
 
+  // Audit I P1-3: on win32, fs.writeFileSync `mode` does not produce
+  // a POSIX-style restrictive ACL. Tighten via icacls so other desktop
+  // users on the same workstation / CI runner can't read the key.
+  restrictWindowsAcl(PRIVATE_KEY_PATH);
+
   if (rotate) {
     console.log('[sign] Keypair rotated. All existing signatures are now invalid — run: node lib/sign.js sign-all');
   } else {
@@ -128,6 +166,16 @@ function signAll() {
     signed++;
   }
 
+  // Audit I P1-4: sign the manifest itself. Removes any existing
+  // manifest_signature field so the canonical bytes are deterministic
+  // across re-runs, signs with the private key, then writes the result.
+  // A coordinated attacker who rewrites the manifest (and snapshot, and
+  // snapshot SHA) without the private key produces an invalid manifest
+  // signature; lib/verify.js refuses to load the manifest.
+  delete manifest.manifest_signature;
+  const manifestSig = signCanonicalManifest(manifest, privateKey);
+  manifest.manifest_signature = manifestSig;
+
   fs.writeFileSync(MANIFEST_PATH, JSON.stringify(manifest, null, 2) + '\n', 'utf8');
 
   // S5: verdict line FIRST, fingerprint banner after. An operator
@@ -136,7 +184,7 @@ function signAll() {
   if (errors > 0) {
     console.error(`\n[sign] FAILED — ${signed} signed, ${errors} errors.`);
   } else {
-    console.log(`\n[sign] ${signed} skills signed.`);
+    console.log(`\n[sign] ${signed} skills signed. Manifest signed.`);
   }
   printFingerprintBanner();
 
@@ -160,6 +208,11 @@ function signOne(skillName) {
   skill.signed_at = new Date().toISOString();
   delete skill.sha256;
 
+  // P1-4: re-sign the manifest after the per-skill signature changes.
+  // Without this a single-skill sign leaves manifest_signature stale.
+  delete manifest.manifest_signature;
+  manifest.manifest_signature = signCanonicalManifest(manifest, privateKey);
+
   fs.writeFileSync(MANIFEST_PATH, JSON.stringify(manifest, null, 2) + '\n', 'utf8');
   console.log(`[sign] Signed: ${skillName}`);
   printFingerprintBanner();
@@ -244,6 +297,105 @@ function loadManifest() {
   return JSON.parse(fs.readFileSync(MANIFEST_PATH, 'utf8'));
 }
 
+/**
+ * Audit I P1-4 — canonical byte form of the manifest, used for both
+ * signing (lib/sign.js) and verification (lib/verify.js).
+ *
+ * Contract: the same logical manifest content must produce the same bytes
+ * regardless of (a) whether a stale manifest_signature is present, (b)
+ * key order at any depth, (c) line endings or BOM.
+ *
+ *   1. Clone, delete manifest_signature.
+ *   2. Recursively sort object keys at every depth (NOT the top-level
+ *      whitelist trap — see codex P1 PR #12: passing
+ *      `Object.keys(manifest).sort()` as the JSON.stringify replacer-array
+ *      treats it as a property allowlist applied to EVERY object level.
+ *      Nested fields like `skills[].path` and `skills[].signature` got
+ *      silently dropped from the canonical bytes, letting an attacker
+ *      swap them without breaking the signature. Now we deep-canonicalize
+ *      every object).
+ *   3. Apply normalize() — strip leading BOM, convert CRLF → LF.
+ *
+ * @param {object} manifest
+ * @returns {Buffer} canonical UTF-8 bytes
+ */
+function canonicalize(value) {
+  if (Array.isArray(value)) return value.map(canonicalize);
+  if (value && typeof value === 'object') {
+    const out = {};
+    for (const key of Object.keys(value).sort()) {
+      out[key] = canonicalize(value[key]);
+    }
+    return out;
+  }
+  return value;
+}
+
+function canonicalManifestBytes(manifest) {
+  const clone = { ...manifest };
+  delete clone.manifest_signature;
+  const json = JSON.stringify(canonicalize(clone), null, 2);
+  return Buffer.from(normalize(json), 'utf8');
+}
+
+/**
+ * Sign the canonical manifest bytes with the Ed25519 private key.
+ * Returns the manifest_signature object literal to splice into the
+ * manifest top level.
+ *
+ * @param {object} manifest
+ * @param {string} privateKey PEM-encoded Ed25519 private key
+ * @returns {{algorithm:'Ed25519', signature_base64:string, signed_at:string}}
+ */
+function signCanonicalManifest(manifest, privateKey) {
+  const bytes = canonicalManifestBytes(manifest);
+  const sig = crypto.sign(null, bytes, {
+    key: privateKey,
+    dsaEncoding: 'ieee-p1363',
+  });
+  return {
+    algorithm: 'Ed25519',
+    signature_base64: sig.toString('base64'),
+    signed_at: new Date().toISOString(),
+  };
+}
+
+/**
+ * Audit I P1-3 — tighten Windows ACL on the private key.
+ *
+ * fs.writeFileSync({mode: 0o600}) on win32 only affects read-only
+ * attributes; the file inherits its ACL from the parent. icacls strips
+ * inheritance and grants Full Control only to the current user. Any
+ * failure (icacls missing, exotic shell, environment without USERNAME)
+ * is warned to stderr — generating the key was the load-bearing step,
+ * ACL tightening is best-effort hardening.
+ *
+ * @param {string} targetPath absolute path of the private key file
+ */
+function restrictWindowsAcl(targetPath) {
+  if (process.platform !== 'win32') return;
+  const user = process.env.USERNAME;
+  if (!user) {
+    console.warn('[sign] WARN: USERNAME env var not set — skipping Windows ACL hardening on ' + targetPath);
+    return;
+  }
+  try {
+    execFileSync('icacls', [
+      targetPath,
+      '/inheritance:r',
+      '/grant:r',
+      `${user}:F`,
+    ], { stdio: ['ignore', 'ignore', 'pipe'] });
+  } catch (err) {
+    console.warn(
+      '[sign] WARN: icacls hardening failed on ' + targetPath + ': ' +
+      ((err && err.message) || String(err)) +
+      ' — the key was written but ACL inheritance was not stripped. ' +
+      'Other desktop users on this machine may be able to read it.'
+    );
+  }
+}
+
 function printFingerprintBanner() {
   if (!fs.existsSync(PUBLIC_KEY_PATH)) return;
   try {
@@ -303,4 +455,13 @@ Signing ceremony (first time):
   }
 }
 
-module.exports = { generateKeypair, signAll, signOne, normalize, validateSkillPath };
+module.exports = {
+  generateKeypair,
+  signAll,
+  signOne,
+  normalize,
+  validateSkillPath,
+  canonicalManifestBytes,
+  signCanonicalManifest,
+  restrictWindowsAcl,
+};

package/lib/verify.js

@@ -30,6 +30,24 @@
  * additionalProperties=false at the skill level catches typos and
  * unknown fields that would otherwise silently be dropped.
  *
+ * Manifest signature contract (must mirror lib/sign.js):
+ *   The manifest carries a top-level `manifest_signature` field. Before
+ *   iterating skills, loadManifestValidated() extracts the signature,
+ *   recomputes the canonical bytes, and verifies against keys/public.pem.
+ *   On failure, all skill verification is blocked with a structured
+ *   error. When the field is absent (older v0.11.x / pre-v0.12.17
+ *   tarballs in the wild), a warning is emitted but verification
+ *   continues — this preserves backward compatibility for installs that
+ *   predate manifest signing.
+ *
+ *   Canonical bytes are computed identically to lib/sign.js
+ *   canonicalManifestBytes():
+ *     1. Clone, delete manifest_signature.
+ *     2. JSON.stringify with top-level keys sorted lexicographically.
+ *     3. Apply normalize() — strip BOM, CRLF → LF.
+ *   ANY change to the canonical form requires the matching change in
+ *   lib/sign.js. Round-trip stability is a hard contract.
+ *
  * Signing ceremony: see lib/sign.js
  * Public key: keys/public.pem (tracked in repo)
  * Private key: .keys/private.pem (gitignored, kept off-repo)
@@ -112,7 +130,19 @@ function signAll() {
   const privateKey = loadPrivateKey();
   if (!privateKey) throw new Error('No private key at .keys/private.pem — run: node lib/sign.js generate-keypair');
 
-  const manifest = loadManifestValidated();
+  // P1-4: load the manifest without the signature gate. We're about to
+  // mutate the manifest (re-sign skills + re-sign the manifest itself),
+  // so a stale manifest_signature mismatch here is expected — not a
+  // tampering signal. Schema + path validation still apply.
+  const manifest = loadManifest();
+  const schema = JSON.parse(fs.readFileSync(MANIFEST_SCHEMA_PATH, 'utf8'));
+  const errors0 = validateAgainstSchema(manifest, schema, 'manifest');
+  if (errors0.length > 0) {
+    const detail = errors0.slice(0, 10).map(e => '  - ' + e).join('\n');
+    throw new Error(`[verify] manifest.json failed schema validation before re-sign:\n${detail}`);
+  }
+  for (const skill of (manifest.skills || [])) validateSkillPath(skill.path);
+
   const result = { signed: [], errors: [] };
 
   for (const skill of manifest.skills) {
@@ -128,8 +158,20 @@ function signAll() {
     result.signed.push(skill.name);
   }
 
+  // P1-4: re-sign the manifest after the per-skill signatures changed.
+  delete manifest.manifest_signature;
+  const canonical = canonicalManifestBytes(manifest);
+  const manifestSig = crypto.sign(null, canonical, {
+    key: privateKey, dsaEncoding: 'ieee-p1363',
+  });
+  manifest.manifest_signature = {
+    algorithm: 'Ed25519',
+    signature_base64: manifestSig.toString('base64'),
+    signed_at: new Date().toISOString(),
+  };
+
   fs.writeFileSync(MANIFEST_PATH, JSON.stringify(manifest, null, 2) + '\n', 'utf8');
-  console.log(`[verify] Signed ${result.signed.length} skills with Ed25519 private key.`);
+  console.log(`[verify] Signed ${result.signed.length} skills with Ed25519 private key. Manifest signed.`);
   return result;
 }
 
@@ -244,6 +286,86 @@ function loadManifest() {
   return JSON.parse(fs.readFileSync(MANIFEST_PATH, 'utf8'));
 }
 
+/**
+ * Audit I P1-4 — canonical byte form of the manifest.
+ *
+ * Mirrors lib/sign.js canonicalManifestBytes(). Any divergence here
+ * breaks the verify-after-sign round trip; do not modify in isolation.
+ *
+ * v0.12.17 (codex P1 PR #12): use deep canonicalize() instead of the
+ * top-level sortedKeys replacer-array. The replacer-array form acts as
+ * a property allowlist applied to EVERY object level — nested fields
+ * like skills[].path and skills[].signature got silently dropped from
+ * the canonical bytes, letting an attacker swap them without breaking
+ * the signature.
+ *
+ * @param {object} manifest
+ * @returns {Buffer} canonical UTF-8 bytes
+ */
+function canonicalize(value) {
+  if (Array.isArray(value)) return value.map(canonicalize);
+  if (value && typeof value === 'object') {
+    const out = {};
+    for (const key of Object.keys(value).sort()) {
+      out[key] = canonicalize(value[key]);
+    }
+    return out;
+  }
+  return value;
+}
+
+function canonicalManifestBytes(manifest) {
+  const clone = { ...manifest };
+  delete clone.manifest_signature;
+  const json = JSON.stringify(canonicalize(clone), null, 2);
+  return Buffer.from(normalize(json), 'utf8');
+}
+
+/**
+ * Verify the top-level manifest_signature against keys/public.pem.
+ *
+ * Returns one of:
+ *   { status: 'missing' }  — field absent (legacy tarball; warn-but-proceed)
+ *   { status: 'valid' }    — signature verifies
+ *   { status: 'invalid',   — signature malformed, wrong key, or tampered
+ *     reason: string }
+ *   { status: 'no-key',    — keys/public.pem absent
+ *     reason: string }
+ *
+ * @param {object} manifest
+ */
+function verifyManifestSignature(manifest) {
+  const sig = manifest && manifest.manifest_signature;
+  if (!sig || typeof sig !== 'object') return { status: 'missing' };
+  if (typeof sig.signature_base64 !== 'string') {
+    return { status: 'invalid', reason: 'manifest_signature.signature_base64 missing or not a string' };
+  }
+  if (sig.algorithm && sig.algorithm !== 'Ed25519') {
+    return { status: 'invalid', reason: `unsupported manifest_signature.algorithm: ${sig.algorithm}` };
+  }
+  const publicKey = loadPublicKey();
+  if (!publicKey) {
+    return { status: 'no-key', reason: 'public key missing at keys/public.pem' };
+  }
+  let signatureBytes;
+  try {
+    signatureBytes = Buffer.from(sig.signature_base64, 'base64');
+  } catch (e) {
+    return { status: 'invalid', reason: `malformed base64 in manifest_signature: ${e.message}` };
+  }
+  const bytes = canonicalManifestBytes(manifest);
+  let ok = false;
+  try {
+    ok = crypto.verify(null, bytes, {
+      key: publicKey,
+      dsaEncoding: 'ieee-p1363',
+    }, signatureBytes);
+  } catch (e) {
+    return { status: 'invalid', reason: `crypto.verify threw: ${e.message}` };
+  }
+  return ok ? { status: 'valid' } : { status: 'invalid', reason: 'Ed25519 manifest signature did not verify against keys/public.pem — manifest.json has been tampered or signed with a different key' };
+}
+
 /**
  * Load the manifest and validate it against
  * lib/schemas/manifest.schema.json + the path-traversal guard.
@@ -252,6 +374,14 @@ function loadManifest() {
  * is a fatal-class bug — surface it loudly rather than verify-against-
  * a-corrupt-manifest.
  *
+ * Audit I P1-4: also verifies the top-level manifest_signature. On
+ * invalid signature, throws a structured error blocking all skill
+ * verification (a coordinated attacker who rewrote manifest.json +
+ * manifest-snapshot.json + manifest-snapshot.sha256 still cannot forge
+ * the Ed25519 signature without the private key). When the signature
+ * field is absent, emits a stderr warning but proceeds — preserves
+ * backward compatibility for v0.12.16-and-earlier tarballs.
+ *
  * @returns {object}
  */
 function loadManifestValidated() {
@@ -269,6 +399,21 @@ function loadManifestValidated() {
   for (const skill of manifest.skills) {
     validateSkillPath(skill.path);
   }
+  // Audit I P1-4 — manifest signature gate. Runs after schema + path
+  // validation so a malformed manifest reports the structural failure
+  // before the cryptographic one.
+  const sigResult = verifyManifestSignature(manifest);
+  if (sigResult.status === 'invalid') {
+    throw new Error(`[verify] manifest_signature verification FAILED — ${sigResult.reason}. The manifest has been modified (or signed with a different key) since last sign-all. Refusing to verify any skill against this manifest.`);
+  }
+  if (sigResult.status === 'missing') {
+    console.warn('[verify] WARN: manifest.json has no top-level manifest_signature field. This tarball predates v0.12.17 manifest signing; skills will still be verified but a coordinated rewrite of manifest.json could go undetected. Re-run `node lib/sign.js sign-all` to add the signature.');
+  } else if (sigResult.status === 'no-key') {
+    // Surfaced separately so the warning matches the missing-key path
+    // that verifyAll() already handles — don't fail here, the verifyAll
+    // entry point will emit a no_key result of its own.
+    console.warn(`[verify] WARN: cannot verify manifest_signature — ${sigResult.reason}.`);
+  }
   return manifest;
 }
 
@@ -554,5 +699,7 @@ module.exports = {
   validateAgainstSchema,
   publicKeyFingerprint,
   checkExpectedFingerprint,
+  canonicalManifestBytes,
+  verifyManifestSignature,
   EXPECTED_FINGERPRINT_PATH,
 };

package/manifest-snapshot.json

@@ -1,6 +1,6 @@
 {
   "_comment": "Auto-generated by scripts/refresh-manifest-snapshot.js — do not hand-edit. Public skill surface used by check-manifest-snapshot.js to detect breaking removals.",
-  "_generated_at": "2026-05-14T15:55:39.383Z",
+  "_generated_at": "2026-05-14T18:49:21.239Z",
   "atlas_version": "5.1.0",
   "skill_count": 38,
   "skills": [

package/manifest-snapshot.sha256

@@ -1 +1 @@
-ca9d31e533c9d494e1ac5875e0a45176101438c3d75d44387187e367ccae21ad  manifest-snapshot.json
+7e10f4b0b1c6cfa096e35ca28cdd8a95c19e51537cdd3e22628aecb87c72db1b  manifest-snapshot.json