@blamejs/exceptd-skills 0.12.16 → 0.12.20

package/lib/auto-discovery.js

@@ -29,7 +29,7 @@
 
 const fs = require("fs");
 const path = require("path");
-const { scoreCustom } = require("./scoring");
+const { scoreCustom, RWEP_WEIGHTS, ACTIVE_EXPLOITATION_LADDER } = require("./scoring");
 
 // audit M P1-C: stored rwep_factors must reproduce the stored rwep_score.
 // `buildScoringInputs` is the single source of truth for both — it captures
@@ -56,6 +56,70 @@ function buildScoringInputs(kevEntry /*, nvdPayload */) {
   };
 }
 
+// audit X P1: cve-catalog.schema.json's `rwep_factors` requires the post-weight
+// numeric shape (cisa_kev: 0|25, poc_available: 0|20, ai_factor: 0|15,
+// active_exploitation: 0|5|10|20, blast_radius: 0..30, patch_available: 0|-15,
+// live_patch_available: 0|-10, reboot_required: 0|5). Pre-fix the auto-discovery
+// builder stored the SHAPE-A (boolean + string-ladder) factor bag — semantically
+// fine because deriveRwepFromFactors handles either shape, but the strict
+// JSON-schema validator (and any downstream tooling that types-checks the
+// catalog field) rejected drafts as malformed. Convert the boolean inputs to
+// the schema-required post-weight shape so the curate-apply gate (which loads
+// the strict schema) doesn't reject KEV-discovered drafts post-promotion.
+//
+// `ai_factor` is the schema-required key name; auto-discovery's boolean
+// inputs are split across `ai_discovered` + `ai_assisted_weapon`, mirroring
+// scoreCustom's contract. The factor fires when either flag is true (same as
+// scoreCustom).
+function toPostWeightFactors(inputs) {
+  const aeMultiplier = ACTIVE_EXPLOITATION_LADDER[inputs.active_exploitation] ?? 0;
+  const reboot = (inputs.reboot_required === true) || (inputs.patch_required_reboot === true);
+  const blastRaw = Number.isFinite(Number(inputs.blast_radius)) ? Number(inputs.blast_radius) : 0;
+  const blastClamped = Math.max(0, Math.min(RWEP_WEIGHTS.blast_radius, blastRaw));
+  return {
+    cisa_kev: inputs.cisa_kev ? RWEP_WEIGHTS.cisa_kev : 0,
+    poc_available: inputs.poc_available ? RWEP_WEIGHTS.poc_available : 0,
+    ai_factor: (inputs.ai_assisted_weapon || inputs.ai_discovered) ? RWEP_WEIGHTS.ai_factor : 0,
+    active_exploitation: RWEP_WEIGHTS.active_exploitation * aeMultiplier,
+    blast_radius: blastClamped,
+    patch_available: inputs.patch_available ? RWEP_WEIGHTS.patch_available : 0,
+    live_patch_available: inputs.live_patch_available ? RWEP_WEIGHTS.live_patch_available : 0,
+    reboot_required: reboot ? RWEP_WEIGHTS.reboot_required : 0,
+  };
+}
+
+/**
+ * Audit M P3-O — diff severity nuance for KEV-discovered drafts.
+ *
+ * Pre-fix every KEV-derived diff carried `severity: "high"`. Operators
+ * scanning the diff stream had no way to distinguish "patch in 21 days"
+ * from "active ransomware campaign, patch yesterday." Now:
+ *
+ *   - ransomware_use === "Known"   → "critical" (campaigns observed in the wild)
+ *   - dueDate within 7 days of now → "critical" (CISA escalation window)
+ *   - otherwise                    → "high"     (still actively exploited per KEV listing)
+ *
+ * A KEV listing inherently means active exploitation; "low" / "medium"
+ * never apply here. The split is between "act today" and "act this sprint."
+ *
+ * @param {object} kevEntry
+ * @returns {"critical" | "high"}
+ */
+function deriveKevSeverity(kevEntry) {
+  const ransomware = String(kevEntry?.knownRansomwareCampaignUse || "").toLowerCase() === "known";
+  if (ransomware) return "critical";
+  const due = kevEntry?.dueDate;
+  if (typeof due === "string" && /^\d{4}-\d{2}-\d{2}/.test(due)) {
+    const dueMs = Date.parse(due);
+    if (Number.isFinite(dueMs)) {
+      const deltaMs = dueMs - Date.now();
+      // Within the next 7 days OR already past due → critical.
+      if (deltaMs <= 7 * 86_400_000) return "critical";
+    }
+  }
+  return "high";
+}
+
 const TODAY = new Date().toISOString().slice(0, 10);
 const TIMEOUT_MS = 10_000;
 const USER_AGENT = "exceptd-security/auto-discovery (+https://exceptd.com)";
@@ -140,11 +204,22 @@ function buildKevDraftEntry(kevEntry, nvdPayload, epssPayload) {
   // rwep_score was computed from concrete defaults (poc=true, reboot=true).
   // `scoring.validate()` then flagged every auto-imported draft for
   // divergence > 5. Now: one canonical input object → both surfaces.
+  //
+  // audit X P1: the catalog's JSON-schema for `rwep_factors` requires the
+  // POST-WEIGHT numeric shape (ai_factor / numeric ladder contributions /
+  // numeric ±deductions) — not the SHAPE-A boolean + string-ladder shape
+  // that scoreCustom consumes. Pre-fix the boolean shape was stored
+  // verbatim, so curate-apply's strict-schema gate rejected KEV-discovered
+  // drafts as soon as anyone tried to promote them — they were
+  // permanently unpromotable.
+  //
   // The curation flow rewrites these once an operator answers the editorial
-  // questions; until then, the boolean shape on rwep_factors is the
-  // conservative-default snapshot and reproduces the score exactly.
+  // questions; until then, the post-weight numeric shape on rwep_factors
+  // reproduces the score exactly (sum of values === rwep_score, because
+  // blast_radius weight=30 matches the raw-cap convention documented in
+  // scoring.js header).
   const scoringInputs = buildScoringInputs(kevEntry, nvdPayload);
-  const rwep_factors = { ...scoringInputs };
+  const rwep_factors = toPostWeightFactors(scoringInputs);
   const rwep_score = scoreCustom(scoringInputs);
 
   const product = [kevEntry.vendorProject, kevEntry.product]
@@ -190,10 +265,21 @@ function buildKevDraftEntry(kevEntry, nvdPayload, epssPayload) {
       kevEntry.notes ? String(kevEntry.notes) : null,
     ].filter(Boolean),
     // v0.12.15 (audit M P1-B): schema requires source_verified to be a
-    // YYYY-MM-DD string OR null; the prior `false` boolean produced an
-    // entry that failed strict catalog validation. Use null to mean
-    // "not yet verified" — operators populate the date during curation.
-    source_verified: null,
+    // YYYY-MM-DD string; the prior `false` boolean (then null) produced
+    // entries that failed strict catalog validation.
+    //
+    // audit X P1: the CISA KEV listing IS the verification source for a
+    // KEV-discovered draft — the entry's `verification_sources` array
+    // already points to the KEV catalog URL, and KEV's appearance is what
+    // triggered the auto-import. Pre-fix the field stayed null, which
+    // (a) blocked curate-apply's strict-schema check (which requires a
+    // YYYY-MM-DD string) and (b) left operators no signal that the
+    // upstream HAD in fact verified the entry's authoritative listing.
+    // Now we date-stamp it as TODAY (the import day). Operators may
+    // overwrite during full curation if they revalidate from a fresher
+    // KEV pull — the field always semantically means "the date a
+    // verification source confirmed this CVE id."
+    source_verified: TODAY,
     last_updated: TODAY,
     last_verified: TODAY,
     // v0.12.15 (audit M P1-D): `_auto_imported` must be the boolean `true`
@@ -217,7 +303,6 @@ function buildKevDraftEntry(kevEntry, nvdPayload, epssPayload) {
         "patch_available + live_patch_available + live_patch_tools",
         "blast_radius numeric in rwep_factors (currently default 15)",
         "RWEP score recompute after the above land",
-        "source_verified once a project maintainer has confirmed the upstream",
       ],
     },
   };
@@ -259,7 +344,7 @@ function discoverNewKev(ctx, cap = DEFAULT_CAP) {
       op: "add",
       target: "cveCatalog",
       entry,
-      severity: "high",
+      severity: deriveKevSeverity(kev),
       meta: {
         date_added: kev.dateAdded || null,
         vendor: kev.vendorProject || null,
@@ -534,6 +619,7 @@ module.exports = {
   discoverNewRfcs,
   buildKevDraftEntry,
   getProjectRfcGroups,
+  deriveKevSeverity,
   SEED_RFC_GROUPS,
   DEFAULT_CAP,
 };

package/lib/playbook-runner.js

@@ -454,7 +454,15 @@ function detect(playbookId, directiveId, agentSubmission = {}, runOpts = {}) {
       // attestation) treats every required FP check as UNSATISFIED.
       if (verdict === 'hit' && Array.isArray(ind.false_positive_checks_required) && ind.false_positive_checks_required.length) {
         const attestation = overrides[`${ind.id}__fp_checks`];
-        const att = (attestation && typeof attestation === 'object') ? attestation : {};
+        // S P1-A: arrays satisfy `typeof === 'object'` but are NOT a valid
+        // attestation map. A submission like
+        //   signal_overrides: { sig__fp_checks: [true, true] }
+        // would previously have its truthy entries matched via the index
+        // fallback (att['0'] === true), silently bypassing every FP-check
+        // requirement. Reject arrays explicitly so they fall through to the
+        // empty-attestation branch (every required check unsatisfied).
+        const safeAtt = Array.isArray(attestation) ? null : attestation;
+        const att = (safeAtt && typeof safeAtt === 'object') ? safeAtt : {};
         const unsatisfied = ind.false_positive_checks_required.filter(fpName => {
           // Match either by exact name string OR by indexed key '0', '1', ...
           // because false_positive_checks_required entries are free-text
@@ -510,9 +518,33 @@ function detect(playbookId, directiveId, agentSubmission = {}, runOpts = {}) {
   const override = (agentSubmission.signals && agentSubmission.signals.detection_classification);
   const validOverrides = new Set(['detected', 'inconclusive', 'not_detected', 'clean']);
 
+  // S P1-B: block a `detected` agent override when any indicator was
+  // downgraded to inconclusive because its false_positive_checks_required[]
+  // entries were not attested. Without this gate, an agent that submits
+  // `signals.detection_classification: 'detected'` can force the run-level
+  // classification past FP checks the engine just refused to honor — exactly
+  // the contract Hard Rule #6 (compliance theater) forbids. Substitute
+  // 'inconclusive' and surface a runtime_error so the operator sees the
+  // override was refused (not silently ignored).
+  const anyFpDowngrade = indicatorResults.some(r => Array.isArray(r.fp_checks_unsatisfied) && r.fp_checks_unsatisfied.length > 0);
+
   let classification;
   if (override && validOverrides.has(override)) {
     classification = override === 'clean' ? 'not_detected' : override;
+    if (classification === 'detected' && anyFpDowngrade) {
+      classification = 'inconclusive';
+      if (runOpts && Array.isArray(runOpts._runErrors)) {
+        runOpts._runErrors.push({
+          kind: 'classification_override_blocked',
+          attempted: 'detected',
+          substituted: 'inconclusive',
+          reason: 'FP-check downgrade: one or more indicators downgraded to inconclusive because false_positive_checks_required entries were not attested. Agent override to `detected` refused.',
+          indicators_with_unsatisfied_fp_checks: indicatorResults
+            .filter(r => Array.isArray(r.fp_checks_unsatisfied) && r.fp_checks_unsatisfied.length > 0)
+            .map(r => ({ id: r.id, fp_checks_unsatisfied: r.fp_checks_unsatisfied })),
+        });
+      }
+    }
   } else if (hasDeterministicHit || hasHighConfHit) {
     classification = 'detected';
   } else if (hits.length === 0 && indicatorResults.every(r => r.verdict === 'miss')) {
@@ -1361,16 +1393,35 @@ function close(playbookId, directiveId, analyzeResult, validateResult, agentSign
   const extraFormats = Array.isArray(agentSignals._bundle_formats)
     ? agentSignals._bundle_formats.filter(f => f !== primaryFormat)
     : [];
-  const evidencePackage = c.evidence_package ? {
-    bundle_format: primaryFormat,
-    contents: c.evidence_package.contents || [],
-    destination: c.evidence_package.destination || 'local_only',
-    signed: c.evidence_package.signed !== false,
-    bundle_body: buildEvidenceBundle(primaryFormat, playbook, analyzeResult, validateResult, agentSignals, sessionId),
-    bundles_by_format: extraFormats.length ? Object.fromEntries(
-      [primaryFormat, ...extraFormats].map(f => [f, buildEvidenceBundle(f, playbook, analyzeResult, validateResult, agentSignals, sessionId)])
-    ) : null,
-  } : null;
+  // audit W P2-B: build every bundle once and reuse, so bundle_body and
+  // bundles_by_format[primary] are the same object identity (and hence
+  // identical on every nested timestamp). Pre-fix, buildEvidenceBundle was
+  // invoked twice for the primary format and each invocation crystallised
+  // a fresh Date.now() — operators diffing bundle_body against
+  // bundles_by_format.<primary> saw spurious millisecond drift on
+  // tracking.initial_release_date / timestamp / current_release_date.
+  const evidencePackage = c.evidence_package ? (() => {
+    const issuedAt = new Date().toISOString();
+    const builtFormats = new Map();
+    const buildOnce = (format) => {
+      if (!builtFormats.has(format)) {
+        builtFormats.set(format, buildEvidenceBundle(format, playbook, analyzeResult, validateResult, agentSignals, sessionId, issuedAt));
+      }
+      return builtFormats.get(format);
+    };
+    const primaryBody = buildOnce(primaryFormat);
+    const byFormat = extraFormats.length
+      ? Object.fromEntries([primaryFormat, ...extraFormats].map(f => [f, buildOnce(f)]))
+      : null;
+    return {
+      bundle_format: primaryFormat,
+      contents: c.evidence_package.contents || [],
+      destination: c.evidence_package.destination || 'local_only',
+      signed: c.evidence_package.signed !== false,
+      bundle_body: primaryBody,
+      bundles_by_format: byFormat,
+    };
+  })() : null;
 
   if (evidencePackage && evidencePackage.signed && runOpts.session_key) {
     const body = JSON.stringify(evidencePackage.bundle_body);
@@ -1540,20 +1591,59 @@ function buildProductBinding(playbook, sessionId) {
 // Code Scanning hides results without `artifactLocation.uri`, so we
 // surface at least one candidate when any is known. Returns null when no
 // candidate exists — caller MUST omit `locations` rather than emit empty.
+//
+// audit W P2-A: source segments are heterogeneous — many playbook artifacts
+// describe a shell-command capture (`uname -r`) or human prose, not a real
+// file or URI. SARIF `artifactLocation.uri` is defined as a URI reference
+// (RFC 3986); shell-command text + prose breaks downstream consumers
+// (GitHub Code Scanning rejects with "invalid URI" or renders garbled).
+// We accept only path-shaped candidates: absolute POSIX paths, `~`-home
+// paths, relative paths, drive-prefixed Windows paths, or file-URI
+// strings. Everything else (commands, English) is dropped, and locations
+// is omitted entirely when no candidate survives.
+// Path-shape predicate: accept anything that begins with a POSIX absolute
+// path (`/...`), home (`~/...` or `~`), relative dot (`./...`, `../...`,
+// or a bare `.`), drive-prefixed Windows path (`C:\...`, `C:/...`), or a
+// `file:` URI. Also accept simple relative names that contain a slash
+// (e.g. `etc/os-release`, `subdir/file.json`) — these are common in
+// playbook artifact source fields. Reject anything with internal
+// whitespace (commands like `uname -r`, prose like `kpatch list || ls
+// /sys/kernel/livepatch`) or that looks like a sentence.
+function looksLikePath(src) {
+  if (typeof src !== 'string') return false;
+  const trimmed = src.trim();
+  if (!trimmed) return false;
+  if (/\s/.test(trimmed)) return false;
+  if (/^file:/i.test(trimmed)) return true;
+  if (/^[A-Za-z]:[/\\]/.test(trimmed)) return true;       // Windows drive
+  if (/^[/~]/.test(trimmed)) return true;                  // POSIX abs / home
+  if (/^\.\.?(?:[/\\]|$)/.test(trimmed)) return true;      // relative dot
+  if (/^[A-Za-z0-9_.+-]+[/\\][^\s]+$/.test(trimmed)) return true;  // bare relative path
+  return false;
+}
 function sarifLocationsForIndicator(playbook, indicator) {
+  void indicator;
   const arts = (playbook.phases?.look?.artifacts) || [];
   const candidates = arts
     .map(a => a && (a.source || a.air_gap_alternative))
     .filter(Boolean)
     .map(src => String(src).split(/\s+(?:AND|OR)\s+/i)[0].trim())
-    .filter(src => src && !/^https?:/i.test(src));
+    .filter(src => src && !/^https?:/i.test(src))
+    .filter(looksLikePath);
   if (!candidates.length) return null;
   return [{ physicalLocation: { artifactLocation: { uri: candidates[0] } } }];
 }
 
-function buildEvidenceBundle(format, playbook, analyze, validate, agentSignals, sessionId) {
+function buildEvidenceBundle(format, playbook, analyze, validate, agentSignals, sessionId, issuedAt) {
   const playbookSlug = urnSlug(playbook._meta.id);
   const { productId, productPurl, productName } = buildProductBinding(playbook, sessionId);
+  // audit W P2-B: pin one `now` value per bundle build (and accept an
+  // upstream-provided issuedAt) so multi-format emit produces identical
+  // tracking timestamps across CSAF / OpenVEX / SARIF when close() is
+  // building several formats from the same run. Without the parameter,
+  // each invocation crystallised a fresh `Date.now()` and bundle_body
+  // versus bundles_by_format[primary] would diverge on milliseconds.
+  const now = typeof issuedAt === 'string' && issuedAt ? issuedAt : new Date().toISOString();
 
   // CSAF-2.0 shape. v0.11.5 (#82): include vulnerabilities for both matched
   // catalogue CVEs AND fired indicators (treated as advisory pseudo-CVEs
@@ -1571,14 +1661,30 @@ function buildEvidenceBundle(format, playbook, analyze, validate, agentSignals,
       name: productName,
       product_identification_helper: { purl: productPurl }
     }];
+    // audit W P1-A: `fixed` product_status MUST reflect operator-supplied VEX
+    // disposition (vex_status === 'fixed' — see analyze() F17), not the
+    // catalog's global `live_patch_available` flag. The catalog flag means
+    // "vendor publishes a live-patch in the world", not "operator deployed
+    // it on this host". Pre-fix the CSAF emitter declared every
+    // live-patchable CVE as fixed regardless of whether the operator's
+    // evidence actually showed the patch applied, producing CSAF documents
+    // that lied to downstream NVD / Red Hat dashboards. When
+    // live_patch_available is the only signal, status stays known_affected
+    // and the live-patch route is surfaced as a `vendor_fix` remediation.
     const cveVulns = analyze.matched_cves.map(c => {
-      const isAffected = c.live_patch_available !== true;
+      const isFixed = c.vex_status === 'fixed';
+      const remediations = [{
+        category: 'vendor_fix',
+        details: validate.selected_remediation?.description
+          || (c.live_patch_available ? 'Vendor publishes a live-patch — see CVE catalog `live_patch_tools` for the operator-side step.' : 'See selected remediation path.'),
+        product_ids: [productId],
+      }];
       return {
         cve: c.cve_id,
         scores: [{ products: [productId], cvss_v3: { base_score: c.cvss_score || 0 } }],
         threats: c.active_exploitation === 'confirmed' ? [{ category: 'exploit_status', details: 'Active exploitation confirmed (CISA KEV).' }] : [],
-        remediations: [{ category: 'vendor_fix', details: validate.selected_remediation?.description || 'See selected remediation path.', product_ids: [productId] }],
-        product_status: isAffected ? { known_affected: [productId] } : { fixed: [productId] }
+        remediations,
+        product_status: isFixed ? { fixed: [productId] } : { known_affected: [productId] }
       };
     });
     const indicatorVulns = indicatorHits.map(i => ({
@@ -1587,22 +1693,35 @@ function buildEvidenceBundle(format, playbook, analyze, validate, agentSignals,
       remediations: [{ category: 'mitigation', details: validate.selected_remediation?.description || `Consult playbook brief: exceptd brief ${playbook._meta.id}.`, product_ids: [productId] }],
       product_status: { known_affected: [productId] }
     }));
-    const gapVulns = (analyze.framework_gap_mapping || []).map((g, idx) => ({
-      ids: [{ system_name: 'exceptd-framework-gap', text: `${g.framework}:${g.claimed_control || `gap-${idx}`}` }],
-      notes: [
-        { category: 'description', text: g.actual_gap || `Framework gap in ${g.framework} ${g.claimed_control || ''}` },
-        { category: 'general', text: g.claimed_control ? `Claimed control: ${g.claimed_control}` : null },
-      ].filter(n => n.text),
-      remediations: g.required_control ? [{ category: 'mitigation', details: g.required_control, product_ids: [productId] }] : [],
-      product_status: { under_investigation: [productId] }
-    }));
-    const now = new Date().toISOString();
+    // audit W P2-D: framework-gap entries used to ride in `vulnerabilities[]`
+    // with `ids: [{ system_name: 'exceptd-framework-gap' }]`. The
+    // `system_name` slot is reserved for recognised vulnerability tracking
+    // authorities (CVE, GHSA, etc.); exceptd-framework-gap is not one, and
+    // every downstream CSAF consumer (NVD ingester, Red Hat dashboard,
+    // ENISA validator) flagged every run for unknown ids and rendered
+    // false-positive advisories at the framework_gap_mapping length. Now
+    // framework gaps land in `document.notes[]` with `category: details`
+    // where they belong as advisory context, not pseudo-CVEs.
+    const gapNotes = (analyze.framework_gap_mapping || []).map((g, idx) => {
+      const lines = [
+        `Framework: ${g.framework}`,
+        g.claimed_control ? `Claimed control: ${g.claimed_control}` : null,
+        g.actual_gap ? `Gap: ${g.actual_gap}` : null,
+        g.required_control ? `Required: ${g.required_control}` : null,
+      ].filter(Boolean);
+      return {
+        category: 'details',
+        title: `Framework gap ${idx + 1}: ${g.framework}${g.claimed_control ? ' / ' + g.claimed_control : ''}`,
+        text: lines.join('\n'),
+      };
+    });
     return {
       document: {
         category: 'csaf_security_advisory',
         csaf_version: '2.0',
         publisher: { category: 'vendor', name: 'exceptd', namespace: 'https://exceptd.com' },
         title: `exceptd finding: ${playbook.domain.name} (${analyze.matched_cves.length} CVE(s), ${indicatorHits.length} indicator hit(s), ${(analyze.framework_gap_mapping || []).length} framework gap(s))`,
+        notes: gapNotes,
         tracking: {
           // F2/F9: CSAF tracking.id binds to the run's session_id (threaded
           // from run() via close()) so attestation file names, OpenVEX
@@ -1619,7 +1738,7 @@ function buildEvidenceBundle(format, playbook, analyze, validate, agentSignals,
         }
       },
       product_tree: { full_product_names: fullProductNames },
-      vulnerabilities: [...cveVulns, ...indicatorVulns, ...gapVulns],
+      vulnerabilities: [...cveVulns, ...indicatorVulns],
       exceptd_extension: {
         classification: analyze._detect_classification,
         rwep: analyze.rwep,
@@ -1712,11 +1831,16 @@ function buildEvidenceBundle(format, playbook, analyze, validate, agentSignals,
           rules: [...cveRules, ...indicatorRules, ...gapRules],
         } },
         results: [...cveResults, ...indicatorResults, ...gapResults],
-        invocations: [{ executionSuccessful: true, properties: {
+        invocations: [{ executionSuccessful: true, properties: stripNulls({
+          // audit W P3-A: apply the B7 stripNulls contract here too — the
+          // `remediation` field is null for any run that didn't surface a
+          // selected_remediation, and SARIF viewers render null property
+          // values as visible empty rows. Same helper as the result
+          // property bags above.
           playbook: playbook._meta.id, classification: analyze._detect_classification || 'unknown',
           rwep_adjusted: analyze.rwep?.adjusted || 0,
           remediation: validate.selected_remediation?.id || null,
-        } }],
+        }) }],
       }]
     };
   }
@@ -1737,7 +1861,12 @@ function buildEvidenceBundle(format, playbook, analyze, validate, agentSignals,
   //        `urn:exceptd:indicator:<playbook>:<indicator-id>` (RFC 8141) so
   //        they pass IRI validation in downstream VEX consumers.
   if (format === 'openvex' || format === 'openvex-0.2.0') {
-    const issued = new Date().toISOString();
+    // audit W P2-B: reuse the bundle-wide `now` so OpenVEX `timestamp`
+    // aligns with CSAF `document.tracking.initial_release_date` when both
+    // formats are emitted in the same close() pass. Pre-fix each format
+    // crystallised its own Date.now() value, and the two bundles in
+    // bundles_by_format disagreed on milliseconds.
+    const issued = now;
     const productEntry = {
       '@id': productPurl,
       subcomponents: [{ '@id': productPurl }],
@@ -1752,6 +1881,17 @@ function buildEvidenceBundle(format, playbook, analyze, validate, agentSignals,
       if (remediationDescription) return `Apply remediation from validate phase: ${remediationDescription}`;
       return fallback;
     };
+    // audit W P1-A: same `vex_status === 'fixed'` correctness rule as the
+    // CSAF emitter. The catalog `live_patch_available` flag is a global
+    // "vendor publishes a live-patch" signal, not an operator-host
+    // disposition. Treating it as `status: fixed` made OpenVEX statements
+    // claim resolution that the operator hadn't actually attested to.
+    // VEX consumers downstream of CISA / SBOM / supply-chain pipelines
+    // treat `fixed` as authoritative — emitting it without operator
+    // attestation is a downstream-misleading bug. Now the OpenVEX
+    // statement says `affected` (with action_statement pointing to the
+    // remediation, which may itself be the vendor live-patch route) unless
+    // the operator declared `vex_status: fixed` on the matched CVE.
     const cveStatements = analyze.matched_cves.map(c => {
       const stmt = {
         vulnerability: { '@id': `urn:cve:${urnSlug(c.cve_id)}`, name: c.cve_id },
@@ -1759,11 +1899,13 @@ function buildEvidenceBundle(format, playbook, analyze, validate, agentSignals,
         timestamp: issued,
         impact_statement: `RWEP ${c.rwep}. Blast radius ${analyze.blast_radius_score}/5.`,
       };
-      if (c.live_patch_available) {
+      if (c.vex_status === 'fixed') {
         stmt.status = 'fixed';
       } else {
         stmt.status = 'affected';
-        stmt.action_statement = actionStatementFor('Apply remediation from validate phase.');
+        stmt.action_statement = actionStatementFor(c.live_patch_available
+          ? 'Vendor publishes a live-patch — see catalog `live_patch_tools` and apply, then re-attest.'
+          : 'Apply remediation from validate phase.');
       }
       return stmt;
     });
@@ -2104,6 +2246,20 @@ function run(playbookId, directiveId, agentSubmission = {}, runOpts = {}) {
   // non-fatal anomalies surfaced into analyze.runtime_errors[].
   const runErrors = [];
   cachedRunOpts._runErrors = runErrors;
+  // U REG-1: normalizeSubmission may push structured errors (e.g.
+  // signal_overrides_invalid) onto submission._runErrors. Pre-fix these were
+  // stranded — they never reached the run-level accumulator that analyze()
+  // slices into runtime_errors[], so F20's "analyze surfaces all runtime
+  // errors" contract was silently broken. Splice the pre-run errors into
+  // the run-level accumulator and strip the field off the submission so it
+  // doesn't pollute the F1 evidence_hash digest (the hash canonicalizes the
+  // submission and a non-deterministic _runErrors would change it).
+  if (Array.isArray(agentSubmission._runErrors) && agentSubmission._runErrors.length) {
+    runErrors.push(...agentSubmission._runErrors);
+  }
+  if (agentSubmission && Object.prototype.hasOwnProperty.call(agentSubmission, '_runErrors')) {
+    delete agentSubmission._runErrors;
+  }
   // E6: phases the runner should SKIP execution for, based on skip_phase
   // preconditions surfaced in preflight.issues.
   const skipPhases = new Set();

package/lib/prefetch.js

@@ -237,6 +237,26 @@ async function withIndexLock(cacheDir, mutator) {
       // raised when the other process is mid-unlink). Treat both as
       // "lock held, back off" rather than a fatal error.
       if (e.code !== "EEXIST" && e.code !== "EPERM") throw e;
+      // T P1-1: PID-liveness check. Same pattern as withCatalogLock in
+      // lib/refresh-external.js — read the lockfile's PID, probe with
+      // process.kill(pid, 0); ESRCH → holder dead, reclaim immediately;
+      // EPERM → holder alive (different user), keep waiting. The mtime
+      // fallback below covers malformed / unreadable lockfiles.
+      let reclaimedByPid = false;
+      try {
+        const raw = fs.readFileSync(lockPath, "utf8").trim();
+        const pid = Number.parseInt(raw, 10);
+        if (Number.isInteger(pid) && pid > 0 && pid !== process.pid) {
+          try {
+            process.kill(pid, 0);
+          } catch (probeErr) {
+            if (probeErr && probeErr.code === "ESRCH") {
+              try { fs.unlinkSync(lockPath); reclaimedByPid = true; } catch {}
+            }
+          }
+        }
+      } catch {}
+      if (reclaimedByPid) continue;
       try {
         const stat = fs.statSync(lockPath);
         if (Date.now() - stat.mtimeMs > STALE_LOCK_MS) {
@@ -394,11 +414,20 @@ async function prefetch(options = {}) {
         const targetPath = entryPath(opts.cacheDir, item.source, item.id);
         const dir = path.dirname(targetPath);
         if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
-        // v0.12.12 C4: atomic write of the payload. A concurrent reader
-        // (refresh --from-cache running in parallel) sees the prior
-        // payload in full or the new payload in full, never a partial
-        // buffer.
-        writeFileAtomic(targetPath, JSON.stringify(res.json, null, 2) + "\n");
+        const body = JSON.stringify(res.json, null, 2) + "\n";
+        // T P1-3: stage the payload to a same-volume tmp file BEFORE
+        // attempting to acquire the index lock. If withIndexLock fails
+        // (timeout after MAX_RETRIES), we want the partially-completed
+        // download discarded — not left on disk as an orphan payload
+        // with no index entry. Air-gap operators feed off `readCached`,
+        // which consults the index; an unindexed payload silently becomes
+        // junk taking cache space. Pattern: stage → lock → rename+index
+        // → release. The rename is atomic same-volume; if it fails inside
+        // the lock we clean up the tmp file. If we never reach the rename
+        // (lock acquisition throws), the tmp file is unlinked in the
+        // catch block below.
+        const tmpPath = `${targetPath}.tmp.${process.pid}.${Math.random().toString(36).slice(2, 10)}`;
+        fs.writeFileSync(tmpPath, body);
         const meta = {
           fetched_at: new Date().toISOString(),
           etag: res.etag,
@@ -406,16 +435,34 @@ async function prefetch(options = {}) {
           url: item.url,
           sha256: crypto.createHash("sha256").update(JSON.stringify(res.json)).digest("hex"),
         };
-        idx.entries[entryKey(item.source, item.id)] = meta;
-        // v0.12.12 C2: persist this entry's metadata to _index.json under
-        // lock immediately, merging with whatever the on-disk index has
-        // (another concurrent prefetch may have written sibling entries).
-        // Without this, only the in-memory idx is updated; the final
-        // saveIndex() would overwrite a sibling run's writes.
-        await withIndexLock(opts.cacheDir, (current) => {
-          current.entries[entryKey(item.source, item.id)] = meta;
-          return current;
-        });
+        try {
+          // v0.12.12 C2: persist this entry's metadata to _index.json under
+          // lock immediately, merging with whatever the on-disk index has
+          // (another concurrent prefetch may have written sibling entries).
+          // Inside the lock we also rename the staged tmp → final path so
+          // a concurrent reader sees the new payload + new index entry as
+          // an atomic pair.
+          await withIndexLock(opts.cacheDir, (current) => {
+            try {
+              fs.renameSync(tmpPath, targetPath);
+            } catch (renameErr) {
+              // Surface as a failure to mutator: throwing here aborts the
+              // lock's write step. We re-throw to the outer catch which
+              // will increment errors.
+              throw renameErr;
+            }
+            current.entries[entryKey(item.source, item.id)] = meta;
+            return current;
+          });
+          // Mirror the entry into the in-memory idx for callers that read
+          // it later in this run (e.g. the final saveIndex merge).
+          idx.entries[entryKey(item.source, item.id)] = meta;
+        } catch (lockErr) {
+          // Lock failure OR rename-inside-lock failure — unlink the staged
+          // tmp so the cache directory does not accumulate orphans.
+          try { fs.unlinkSync(tmpPath); } catch {}
+          throw lockErr;
+        }
         result.fetched++;
         result.by_source[item.source].fetched++;
         log(`  [${item.source}] ${item.id} — ok`);

package/lib/refresh-external.js

@@ -938,6 +938,33 @@ async function withCatalogLock(catalogPath, mutator) {
       // Windows the same race surfaces as EPERM (sharing-violation raised
       // when the holder is mid-unlink). Treat both as "lock held, back off."
       if (e.code !== "EEXIST" && e.code !== "EPERM") throw e;
+      // T P1-1: PID-liveness check before falling back to mtime. The
+      // lockfile already contains String(process.pid) of the holder; parse
+      // it and probe with `process.kill(pid, 0)`. ESRCH means the holder is
+      // dead — reclaim immediately rather than waiting STALE_LOCK_MS for
+      // the mtime gate to expire. EPERM (holder alive, different user) is
+      // treated as "alive, keep waiting." The mtime gate remains as a
+      // belt-and-suspenders for the case where the lockfile content is
+      // missing / malformed / belongs to a recycled PID. Matches the PID
+      // pattern in orchestrator/index.js _acquireWatchLock and
+      // lib/playbook-runner.js pidAlive().
+      let reclaimedByPid = false;
+      try {
+        const raw = fs.readFileSync(lockPath, "utf8").trim();
+        const pid = Number.parseInt(raw, 10);
+        if (Number.isInteger(pid) && pid > 0 && pid !== process.pid) {
+          try {
+            process.kill(pid, 0);
+            // holder alive
+          } catch (probeErr) {
+            if (probeErr && probeErr.code === "ESRCH") {
+              try { fs.unlinkSync(lockPath); reclaimedByPid = true; } catch {}
+            }
+            // EPERM and anything else: treat as alive, fall through to mtime/sleep.
+          }
+        }
+      } catch {} // unreadable lockfile — proceed to mtime fallback
+      if (reclaimedByPid) continue;
       // Stale-lock check before sleeping — a long-dead holder shouldn't keep
       // us waiting MAX_RETRIES * backoff before we recover.
       try {