@blamejs/exceptd-skills 0.12.18 → 0.12.21

package/lib/playbook-runner.js

@@ -290,10 +290,87 @@ function lockFilePath(playbookId) {
 function acquireLock(playbookId) {
   const p = lockFilePath(playbookId);
   if (!p) return null;
+  const writePayload = () => fs.writeFileSync(
+    p,
+    JSON.stringify({ pid: process.pid, started_at: new Date().toISOString(), playbook: playbookId }, null, 2),
+    { flag: 'wx' }
+  );
   try {
-    fs.writeFileSync(p, JSON.stringify({ pid: process.pid, started_at: new Date().toISOString(), playbook: playbookId }, null, 2), { flag: 'wx' });
+    writePayload();
     return p;
-  } catch { return null; /* already locked or unwritable */ }
+  } catch (e) {
+    // DD P1-3: stale-PID reclaim. Pre-fix the EEXIST path returned null
+    // and callers proceeded UNLOCKED — a process that crashed mid-run
+    // left its lockfile behind and every subsequent invocation silently
+    // ran without mutex protection. Mirror withCatalogLock's pattern:
+    // parse the recorded pid, probe with `process.kill(pid, 0)`. ESRCH
+    // means the holder is dead — unlink and retry once. EPERM (alive,
+    // different user) or any other condition: leave the lock alone and
+    // return null with a diagnostic so the caller knows acquisition
+    // failed because the lock is genuinely held (not because the FS is
+    // broken or the playbook id is malformed).
+    if (e && (e.code === 'EEXIST' || e.code === 'EPERM')) {
+      try {
+        const raw = fs.readFileSync(p, 'utf8');
+        let pid = null;
+        try { pid = JSON.parse(raw).pid; }
+        catch {
+          const n = Number.parseInt(String(raw).trim(), 10);
+          pid = Number.isInteger(n) && n > 0 ? n : null;
+        }
+        if (Number.isInteger(pid) && pid > 0 && pid !== process.pid && !pidAlive(pid)) {
+          try { fs.unlinkSync(p); } catch {}
+          try { writePayload(); return p; } catch { /* fall through */ }
+        }
+      } catch { /* unreadable lockfile — treat as held by a live process */ }
+    }
+    // Lock genuinely held (or filesystem error). Returning null keeps
+    // back-compat with existing call sites that test `if (!lockPath)`.
+    // Callers that want a clearer diagnostic should call
+    // `acquireLockDiagnostic` instead.
+    return null;
+  }
+}
+
+// DD P1-3: callers needing to distinguish "couldn't acquire because the
+// lock is genuinely held by a live process" from "couldn't acquire
+// because of an unexpected error" can use this thin diagnostic wrapper.
+// Returns either { ok: true, path } or { ok: false, reason, lock_path?, holder_pid? }.
+// The bare `acquireLock` keeps its historical null-on-failure contract.
+function acquireLockDiagnostic(playbookId) {
+  const p = lockFilePath(playbookId);
+  if (!p) return { ok: false, reason: 'no_lock_path' };
+  try {
+    fs.writeFileSync(p,
+      JSON.stringify({ pid: process.pid, started_at: new Date().toISOString(), playbook: playbookId }, null, 2),
+      { flag: 'wx' });
+    return { ok: true, path: p };
+  } catch (e) {
+    if (e && (e.code === 'EEXIST' || e.code === 'EPERM')) {
+      let pid = null;
+      try {
+        const raw = fs.readFileSync(p, 'utf8');
+        try { pid = JSON.parse(raw).pid; }
+        catch {
+          const n = Number.parseInt(String(raw).trim(), 10);
+          pid = Number.isInteger(n) && n > 0 ? n : null;
+        }
+      } catch {}
+      if (Number.isInteger(pid) && pid > 0 && pid !== process.pid && !pidAlive(pid)) {
+        try { fs.unlinkSync(p); } catch {}
+        try {
+          fs.writeFileSync(p,
+            JSON.stringify({ pid: process.pid, started_at: new Date().toISOString(), playbook: playbookId }, null, 2),
+            { flag: 'wx' });
+          return { ok: true, path: p, reclaimed_from_pid: pid };
+        } catch (e2) {
+          return { ok: false, reason: 'reclaim_failed', error: e2.message, lock_path: p, holder_pid: pid };
+        }
+      }
+      return { ok: false, reason: 'held_by_live_pid', lock_path: p, holder_pid: pid };
+    }
+    return { ok: false, reason: 'fs_error', error: e && e.message, lock_path: p };
+  }
 }
 
 function releaseLock(lockPath) {
@@ -453,21 +530,52 @@ function detect(playbookId, directiveId, agentSubmission = {}, runOpts = {}) {
       // '<id>__fp_checks' in signal_overrides; default behavior (no
       // attestation) treats every required FP check as UNSATISFIED.
       if (verdict === 'hit' && Array.isArray(ind.false_positive_checks_required) && ind.false_positive_checks_required.length) {
-        const attestation = overrides[`${ind.id}__fp_checks`];
-        const att = (attestation && typeof attestation === 'object') ? attestation : {};
-        const unsatisfied = ind.false_positive_checks_required.filter(fpName => {
-          // Match either by exact name string OR by indexed key '0', '1', ...
-          // because false_positive_checks_required entries are free-text
-          // strings, not ids. Operators may attest either by the literal
-          // string or by index. Default: unsatisfied.
-          if (att[fpName] === true) return false;
-          const idx = ind.false_positive_checks_required.indexOf(fpName);
-          if (idx !== -1 && att[String(idx)] === true) return false;
-          return true;
-        });
-        if (unsatisfied.length > 0) {
+        // BB P2-4: a hostile or buggy attestation may be a Proxy whose property
+        // accessors throw. The filter below reads `att[fpName]` for each
+        // required check; an exception inside the read would crash detect()
+        // and abort the entire run. Wrap the FP-check evaluation in a
+        // try/catch: on throw, treat ALL required checks as unsatisfied
+        // (safest default — never silently honor an attestation we couldn't
+        // read) and surface a runtime_error so the operator sees why.
+        try {
+          const attestation = overrides[`${ind.id}__fp_checks`];
+          // S P1-A: arrays satisfy `typeof === 'object'` but are NOT a valid
+          // attestation map. A submission like
+          //   signal_overrides: { sig__fp_checks: [true, true] }
+          // would previously have its truthy entries matched via the index
+          // fallback (att['0'] === true), silently bypassing every FP-check
+          // requirement. Reject arrays explicitly so they fall through to the
+          // empty-attestation branch (every required check unsatisfied).
+          const safeAtt = Array.isArray(attestation) ? null : attestation;
+          const att = (safeAtt && typeof safeAtt === 'object') ? safeAtt : {};
+          const unsatisfied = ind.false_positive_checks_required.filter(fpName => {
+            // Match either by exact name string OR by indexed key '0', '1', ...
+            // because false_positive_checks_required entries are free-text
+            // strings, not ids. Operators may attest either by the literal
+            // string or by index. Default: unsatisfied.
+            if (att[fpName] === true) return false;
+            const idx = ind.false_positive_checks_required.indexOf(fpName);
+            if (idx !== -1 && att[String(idx)] === true) return false;
+            return true;
+          });
+          if (unsatisfied.length > 0) {
+            verdict = 'inconclusive';
+            fpChecksUnsatisfied = unsatisfied;
+          }
+        } catch (e) {
+          // Treat every required check as unsatisfied — we couldn't trust the
+          // attestation map. Surface the throw so operators can chase the
+          // root cause (Proxy with a throwing getter, frozen object that
+          // tripped invariants, etc.).
           verdict = 'inconclusive';
-          fpChecksUnsatisfied = unsatisfied;
+          fpChecksUnsatisfied = ind.false_positive_checks_required.slice();
+          if (runOpts && Array.isArray(runOpts._runErrors)) {
+            runOpts._runErrors.push({
+              kind: 'fp_attestation_threw',
+              indicator_id: ind.id,
+              message: (e && e.message) ? String(e.message) : String(e),
+            });
+          }
         }
       }
     } else {
@@ -507,12 +615,60 @@ function detect(playbookId, directiveId, agentSubmission = {}, runOpts = {}) {
   // full false_positive_profile checks and reached an explicit verdict —
   // engine-computed classification can't represent "I saw the indicators and
   // confirmed they're all benign" without this override.
-  const override = (agentSubmission.signals && agentSubmission.signals.detection_classification);
+  const rawOverride = (agentSubmission.signals && agentSubmission.signals.detection_classification);
   const validOverrides = new Set(['detected', 'inconclusive', 'not_detected', 'clean']);
+  // BB P2-1: any override that's a non-empty string but NOT in the allowlist
+  // (e.g. 'present', 'unknown', '', '  detected  ', 'Detected') must surface
+  // as a runtime_error rather than silently falling through to engine-computed
+  // classification. Operators submitting case variants / whitespace-padded
+  // strings deserve a clear diagnostic, not a quiet downgrade. Treat the
+  // override as absent for classification purposes once recorded.
+  const overrideIsString = typeof rawOverride === 'string';
+  const overrideIsInAllowlist = overrideIsString && validOverrides.has(rawOverride);
+  if (rawOverride !== undefined && rawOverride !== null && !overrideIsInAllowlist) {
+    if (runOpts && Array.isArray(runOpts._runErrors)) {
+      runOpts._runErrors.push({
+        kind: 'classification_override_invalid',
+        supplied: rawOverride,
+        allowed: ['detected', 'inconclusive', 'not_detected', 'clean'],
+        reason: 'signals.detection_classification must be one of the allowlist values exactly (case-sensitive, no surrounding whitespace). Override ignored; engine-computed classification used.',
+      });
+    }
+  }
+  const override = overrideIsInAllowlist ? rawOverride : undefined;
+
+  // BB P1-1 / BB P1-2: extend the v0.12.19 S P1-B gate to refuse ALL
+  // classification overrides (`detected`, `clean`, `not_detected`) when any
+  // indicator was FP-downgraded. A submission that maps to `'not_detected'`
+  // (either by literal `not_detected` OR by `'clean'`, which v0.12.19 mapped
+  // to `'not_detected'` at this site) MUST NOT hide a `verdict: 'hit'`
+  // indicator whose `false_positive_checks_required[]` were unattested —
+  // that's a strictly worse false-negative outcome than allowing 'detected'
+  // through. Substitute 'inconclusive' and emit a runtime_error.
+  // BB P2-2: record indicator IDs and an unsatisfied-checks count ONLY —
+  // never the literal FP-check check-name strings (those are an attestation-
+  // bypass hint for a hostile agent reading the runtime_errors).
+  const anyFpDowngrade = indicatorResults.some(r => Array.isArray(r.fp_checks_unsatisfied) && r.fp_checks_unsatisfied.length > 0);
 
   let classification;
-  if (override && validOverrides.has(override)) {
+  if (override) {
     classification = override === 'clean' ? 'not_detected' : override;
+    if (anyFpDowngrade) {
+      const substituted = 'inconclusive';
+      const attempted = override; // record what the operator submitted, not the mapped form
+      classification = substituted;
+      if (runOpts && Array.isArray(runOpts._runErrors)) {
+        runOpts._runErrors.push({
+          kind: 'classification_override_blocked',
+          attempted,
+          substituted,
+          reason: 'FP-check downgrade: one or more indicators downgraded to inconclusive because false_positive_checks_required entries were not attested. Agent classification override refused.',
+          indicators_with_unsatisfied_fp_checks: indicatorResults
+            .filter(r => Array.isArray(r.fp_checks_unsatisfied) && r.fp_checks_unsatisfied.length > 0)
+            .map(r => ({ id: r.id, fp_checks_unsatisfied_count: r.fp_checks_unsatisfied.length })),
+        });
+      }
+    }
   } else if (hasDeterministicHit || hasHighConfHit) {
     classification = 'detected';
   } else if (hits.length === 0 && indicatorResults.every(r => r.verdict === 'miss')) {
@@ -548,7 +704,7 @@ function detect(playbookId, directiveId, agentSubmission = {}, runOpts = {}) {
       from_observation: agentSubmission._signal_origins?.[i.id] || null,
     })),
     indicators_evaluated_count: indicatorResults.length,
-    classification_override_applied: validOverrides.has(override) ? (override === 'clean' ? 'not_detected' : override) : null,
+    classification_override_applied: override ? (override === 'clean' ? 'not_detected' : override) : null,
     submission_shape_seen: agentSubmission._original_shape || (agentSubmission.artifacts ? 'nested (v0.10.x)' : 'empty'),
     // E9: pass through any flat-shape observation collisions detected at
     // normalize time so analyze() can publish them under
@@ -839,7 +995,7 @@ function analyze(playbookId, directiveId, detectResult, agentSignals = {}, runOp
   }
   // F5: use the first evidence-correlated CVE as the canonical attribute
   // source for factor scaling. If matchedCves is empty there's no per-CVE
-  // evidence to gate on. v0.12.15 (audit N F1): the prior fallback was
+  // evidence to gate on. v0.12.15: the prior fallback was
   // `factorCve = null` → every factor returned 0 → catalog-shape playbooks
   // (secrets, library-author, crypto-codebase, framework, cred-stores,
   // containers, runtime, crypto, ai-api) that detect WITHOUT a per-CVE
@@ -866,7 +1022,7 @@ function analyze(playbookId, directiveId, detectResult, agentSignals = {}, runOp
     null);
     if (factorCve) factorCveSource = 'domain';
   }
-  // v0.12.15 (audit N F1): five shipped playbooks (secrets, library-author,
+  // v0.12.15: five shipped playbooks (secrets, library-author,
   // crypto-codebase, framework, cred-stores, containers, runtime, crypto,
   // ai-api) ship with empty `domain.cve_refs` because their attack class is
   // class-of-vulnerability rather than CVE-specific. For those playbooks
@@ -1361,16 +1517,41 @@ function close(playbookId, directiveId, analyzeResult, validateResult, agentSign
   const extraFormats = Array.isArray(agentSignals._bundle_formats)
     ? agentSignals._bundle_formats.filter(f => f !== primaryFormat)
     : [];
-  const evidencePackage = c.evidence_package ? {
-    bundle_format: primaryFormat,
-    contents: c.evidence_package.contents || [],
-    destination: c.evidence_package.destination || 'local_only',
-    signed: c.evidence_package.signed !== false,
-    bundle_body: buildEvidenceBundle(primaryFormat, playbook, analyzeResult, validateResult, agentSignals, sessionId),
-    bundles_by_format: extraFormats.length ? Object.fromEntries(
-      [primaryFormat, ...extraFormats].map(f => [f, buildEvidenceBundle(f, playbook, analyzeResult, validateResult, agentSignals, sessionId)])
-    ) : null,
-  } : null;
+  // B: build every bundle once and reuse, so bundle_body and
+  // bundles_by_format[primary] are the same object identity (and hence
+  // identical on every nested timestamp). Pre-fix, buildEvidenceBundle was
+  // invoked twice for the primary format and each invocation crystallised
+  // a fresh Date.now() — operators diffing bundle_body against
+  // bundles_by_format.<primary> saw spurious millisecond drift on
+  // tracking.initial_release_date / timestamp / current_release_date.
+  const evidencePackage = c.evidence_package ? (() => {
+    const issuedAt = new Date().toISOString();
+    const builtFormats = new Map();
+    const buildOnce = (format) => {
+      if (!builtFormats.has(format)) {
+        builtFormats.set(format, buildEvidenceBundle(format, playbook, analyzeResult, validateResult, agentSignals, sessionId, issuedAt, runOpts));
+      }
+      return builtFormats.get(format);
+    };
+    const primaryBody = buildOnce(primaryFormat);
+    // audit CC P2-1: bundles_by_format must always be an object keyed by the
+    // primary format, even when no extra formats were requested. Pre-fix it
+    // was null in the single-format case, forcing downstream tooling into a
+    // `bundles_by_format ?? { [primaryFormat]: bundle_body }` shim in every
+    // consumer. Now the field is canonically present so iteration is
+    // uniform across single- and multi-format emissions.
+    const byFormat = Object.fromEntries(
+      [primaryFormat, ...extraFormats].map(f => [f, buildOnce(f)])
+    );
+    return {
+      bundle_format: primaryFormat,
+      contents: c.evidence_package.contents || [],
+      destination: c.evidence_package.destination || 'local_only',
+      signed: c.evidence_package.signed !== false,
+      bundle_body: primaryBody,
+      bundles_by_format: byFormat,
+    };
+  })() : null;
 
   if (evidencePackage && evidencePackage.signed && runOpts.session_key) {
     const body = JSON.stringify(evidencePackage.bundle_body);
@@ -1540,20 +1721,87 @@ function buildProductBinding(playbook, sessionId) {
 // Code Scanning hides results without `artifactLocation.uri`, so we
 // surface at least one candidate when any is known. Returns null when no
 // candidate exists — caller MUST omit `locations` rather than emit empty.
+//
+// A: source segments are heterogeneous — many playbook artifacts
+// describe a shell-command capture (`uname -r`) or human prose, not a real
+// file or URI. SARIF `artifactLocation.uri` is defined as a URI reference
+// (RFC 3986); shell-command text + prose breaks downstream consumers
+// (GitHub Code Scanning rejects with "invalid URI" or renders garbled).
+// We accept only path-shaped candidates: absolute POSIX paths, `~`-home
+// paths, relative paths, drive-prefixed Windows paths, or file-URI
+// strings. Everything else (commands, English) is dropped, and locations
+// is omitted entirely when no candidate survives.
+// Path-shape predicate: accept anything that begins with a POSIX absolute
+// path (`/...`), home (`~/...` or `~`), relative dot (`./...`, `../...`,
+// or a bare `.`), drive-prefixed Windows path (`C:\...`, `C:/...`), or a
+// `file:` URI. Also accept simple relative names that contain a slash
+// (e.g. `etc/os-release`, `subdir/file.json`) — these are common in
+// playbook artifact source fields. Reject anything with internal
+// whitespace (commands like `uname -r`, prose like `kpatch list || ls
+// /sys/kernel/livepatch`) or that looks like a sentence.
+function looksLikePath(src) {
+  if (typeof src !== 'string') return false;
+  const trimmed = src.trim();
+  if (!trimmed) return false;
+  if (/\s/.test(trimmed)) return false;
+  if (/^file:/i.test(trimmed)) return true;
+  if (/^[A-Za-z]:[/\\]/.test(trimmed)) return true;       // Windows drive
+  if (/^[/~]/.test(trimmed)) return true;                  // POSIX abs / home
+  if (/^\.\.?(?:[/\\]|$)/.test(trimmed)) return true;      // relative dot
+  if (/^[A-Za-z0-9_.+-]+[/\\][^\s]+$/.test(trimmed)) return true;  // bare relative path
+  return false;
+}
 function sarifLocationsForIndicator(playbook, indicator) {
+  void indicator;
   const arts = (playbook.phases?.look?.artifacts) || [];
   const candidates = arts
     .map(a => a && (a.source || a.air_gap_alternative))
     .filter(Boolean)
     .map(src => String(src).split(/\s+(?:AND|OR)\s+/i)[0].trim())
-    .filter(src => src && !/^https?:/i.test(src));
+    .filter(src => src && !/^https?:/i.test(src))
+    .filter(looksLikePath);
   if (!candidates.length) return null;
   return [{ physicalLocation: { artifactLocation: { uri: candidates[0] } } }];
 }
 
-function buildEvidenceBundle(format, playbook, analyze, validate, agentSignals, sessionId) {
+// Resolve the package version once per process so CSAF tracking.generator
+// can name the engine that emitted the advisory. Best-effort read — bundle
+// emission must not crash if package.json is missing (e.g. exotic install).
+let _CACHED_PKG_VERSION = null;
+function getEngineVersion() {
+  if (_CACHED_PKG_VERSION != null) return _CACHED_PKG_VERSION;
+  try {
+    const pkg = require(path.join(__dirname, '..', 'package.json'));
+    _CACHED_PKG_VERSION = (pkg && typeof pkg.version === 'string') ? pkg.version : 'unknown';
+  } catch {
+    _CACHED_PKG_VERSION = 'unknown';
+  }
+  return _CACHED_PKG_VERSION;
+}
+
+// audit CC P1-3 / P1-4: operator-supplied identity strings (--operator) and
+// publisher namespace URLs (--publisher-namespace) flow into operator-facing
+// CSAF surfaces. Strip ASCII control characters as a defence-in-depth pass —
+// bin/exceptd.js already validates the inputs, but the runner is also called
+// from library consumers that may bypass the CLI surface.
+function sanitizeOperatorText(s) {
+  if (typeof s !== 'string') return null;
+  // eslint-disable-next-line no-control-regex
+  const cleaned = s.replace(/[\x00-\x1F\x7F]/g, '').trim();
+  return cleaned.length ? cleaned.slice(0, 256) : null;
+}
+
+function buildEvidenceBundle(format, playbook, analyze, validate, agentSignals, sessionId, issuedAt, runOpts) {
+  runOpts = runOpts || {};
   const playbookSlug = urnSlug(playbook._meta.id);
   const { productId, productPurl, productName } = buildProductBinding(playbook, sessionId);
+  // B: pin one `now` value per bundle build (and accept an
+  // upstream-provided issuedAt) so multi-format emit produces identical
+  // tracking timestamps across CSAF / OpenVEX / SARIF when close() is
+  // building several formats from the same run. Without the parameter,
+  // each invocation crystallised a fresh `Date.now()` and bundle_body
+  // versus bundles_by_format[primary] would diverge on milliseconds.
+  const now = typeof issuedAt === 'string' && issuedAt ? issuedAt : new Date().toISOString();
 
   // CSAF-2.0 shape. v0.11.5 (#82): include vulnerabilities for both matched
   // catalogue CVEs AND fired indicators (treated as advisory pseudo-CVEs
@@ -1571,38 +1819,205 @@ function buildEvidenceBundle(format, playbook, analyze, validate, agentSignals,
       name: productName,
       product_identification_helper: { purl: productPurl }
     }];
+    // A: `fixed` product_status MUST reflect operator-supplied VEX
+    // disposition (vex_status === 'fixed' — see analyze() F17), not the
+    // catalog's global `live_patch_available` flag. The catalog flag means
+    // "vendor publishes a live-patch in the world", not "operator deployed
+    // it on this host". Pre-fix the CSAF emitter declared every
+    // live-patchable CVE as fixed regardless of whether the operator's
+    // evidence actually showed the patch applied, producing CSAF documents
+    // that lied to downstream NVD / Red Hat dashboards. When
+    // live_patch_available is the only signal, status stays known_affected
+    // and the live-patch route is surfaced as a `vendor_fix` remediation.
+    // audit CC P1-2: CSAF §3.2.1.2 restricts the `cve` field to the CVE-id
+    // regex `^CVE-[0-9]{4}-[0-9]{4,}$`. The catalog also keys non-CVE
+    // identifiers off `cve_id` (MAL-2026-3083, GHSA-…, OSV-…); strict
+    // validators (BSI CSAF validator, ENISA dashboard) refuse documents that
+    // place non-CVE values in `cve`. Branch by prefix and route non-CVE ids
+    // to the `ids[]` array with a real `system_name`.
+    //
+    // audit CC P2-2: CSAF §3.2.1.5 requires `cvss_v3.vectorString` when a
+    // cvss_v3 score block is emitted. Drop the entire score block when the
+    // catalog has no CVSS data (score AND vector both unset); otherwise
+    // include version + baseScore + vectorString + baseSeverity from the
+    // catalog entry.
+    const csafCvssSeverity = (score) => {
+      if (typeof score !== 'number') return null;
+      if (score >= 9.0) return 'CRITICAL';
+      if (score >= 7.0) return 'HIGH';
+      if (score >= 4.0) return 'MEDIUM';
+      if (score > 0.0)  return 'LOW';
+      return 'NONE';
+    };
+    const csafCvssVersionFromVector = (vec) => {
+      if (typeof vec !== 'string') return '3.1';
+      const m = vec.match(/^CVSS:(\d+\.\d+)\//);
+      if (!m) return '3.1';
+      // CSAF cvss_v3 block only accepts 3.x; if the catalog vector is 2.0 or
+      // 4.0 we still tag the block as the value the catalog declared. Strict
+      // validators that gate cvss_v3 to 3.0/3.1 will reject 2.0/4.0 — but
+      // emitting the wrong version on a 4.0 vector would be worse.
+      return m[1];
+    };
+    const csafIdsFor = (id) => {
+      if (typeof id !== 'string' || !id) return { system_name: 'OSV', text: String(id) };
+      if (id.startsWith('GHSA-'))  return { system_name: 'GHSA', text: id };
+      if (id.startsWith('MAL-'))   return { system_name: 'Malicious-Package', text: id };
+      if (id.startsWith('OSV-'))   return { system_name: 'OSV', text: id };
+      if (id.startsWith('SNYK-'))  return { system_name: 'Snyk', text: id };
+      // Fallback: surface the raw value under a generic OSV system_name; any
+      // strict validator will at least know it's not a CVE.
+      return { system_name: 'OSV', text: id };
+    };
+    const CSAF_CVE_RE = /^CVE-\d{4}-\d{4,}$/;
+
     const cveVulns = analyze.matched_cves.map(c => {
-      const isAffected = c.live_patch_available !== true;
-      return {
-        cve: c.cve_id,
-        scores: [{ products: [productId], cvss_v3: { base_score: c.cvss_score || 0 } }],
+      const isFixed = c.vex_status === 'fixed';
+      const remediations = [{
+        category: 'vendor_fix',
+        details: validate.selected_remediation?.description
+          || (c.live_patch_available ? 'Vendor publishes a live-patch — see CVE catalog `live_patch_tools` for the operator-side step.' : 'See selected remediation path.'),
+        product_ids: [productId],
+      }];
+      // audit CC P2-2: only emit cvss_v3 score block when we have a real
+      // vector string AND a numeric score. Pre-fix every vuln carried
+      // `cvss_v3: { base_score: 0 }` even when the catalog had no CVSS
+      // signal — strict validators reject the truncated block, and
+      // `base_score: 0` was a downstream-misleading default that suggested
+      // an authoritative "informational" score where there was simply no
+      // data.
+      const hasCvss = typeof c.cvss_score === 'number' && typeof c.cvss_vector === 'string' && c.cvss_vector.length > 0;
+      const scores = hasCvss ? [{
+        products: [productId],
+        cvss_v3: {
+          version: csafCvssVersionFromVector(c.cvss_vector),
+          baseScore: c.cvss_score,
+          vectorString: c.cvss_vector,
+          baseSeverity: csafCvssSeverity(c.cvss_score),
+        }
+      }] : [];
+      const base = {
+        scores,
         threats: c.active_exploitation === 'confirmed' ? [{ category: 'exploit_status', details: 'Active exploitation confirmed (CISA KEV).' }] : [],
-        remediations: [{ category: 'vendor_fix', details: validate.selected_remediation?.description || 'See selected remediation path.', product_ids: [productId] }],
-        product_status: isAffected ? { known_affected: [productId] } : { fixed: [productId] }
+        remediations,
+        product_status: isFixed ? { fixed: [productId] } : { known_affected: [productId] }
       };
+      // audit CC P1-2: route by id shape.
+      if (CSAF_CVE_RE.test(c.cve_id)) {
+        return { cve: c.cve_id, ...base };
+      }
+      return { ids: [csafIdsFor(c.cve_id)], ...base };
     });
     const indicatorVulns = indicatorHits.map(i => ({
+      // CSAF `system_name` values land in operator-facing validators; the
+      // "exceptd-indicator" pseudo-authority is namespaced enough that NVD /
+      // Red Hat / ENISA dashboards render it as a non-CVE finding without
+      // misattributing to a real registry (CVE, GHSA, OSV).
       ids: [{ system_name: 'exceptd-indicator', text: `${playbook._meta.id}:${i.id}` }],
       notes: [{ category: 'description', text: `Indicator ${i.id} fired (${i.confidence}${i.deterministic ? ' / deterministic' : ''}) in playbook ${playbook._meta.id}.` }],
       remediations: [{ category: 'mitigation', details: validate.selected_remediation?.description || `Consult playbook brief: exceptd brief ${playbook._meta.id}.`, product_ids: [productId] }],
       product_status: { known_affected: [productId] }
     }));
-    const gapVulns = (analyze.framework_gap_mapping || []).map((g, idx) => ({
-      ids: [{ system_name: 'exceptd-framework-gap', text: `${g.framework}:${g.claimed_control || `gap-${idx}`}` }],
-      notes: [
-        { category: 'description', text: g.actual_gap || `Framework gap in ${g.framework} ${g.claimed_control || ''}` },
-        { category: 'general', text: g.claimed_control ? `Claimed control: ${g.claimed_control}` : null },
-      ].filter(n => n.text),
-      remediations: g.required_control ? [{ category: 'mitigation', details: g.required_control, product_ids: [productId] }] : [],
-      product_status: { under_investigation: [productId] }
-    }));
-    const now = new Date().toISOString();
+    // D: framework-gap entries used to ride in `vulnerabilities[]`
+    // with `ids: [{ system_name: 'exceptd-framework-gap' }]`. The
+    // `system_name` slot is reserved for recognised vulnerability tracking
+    // authorities (CVE, GHSA, etc.); exceptd-framework-gap is not one, and
+    // every downstream CSAF consumer (NVD ingester, Red Hat dashboard,
+    // ENISA validator) flagged every run for unknown ids and rendered
+    // false-positive advisories at the framework_gap_mapping length. Now
+    // framework gaps land in `document.notes[]` with `category: details`
+    // where they belong as advisory context, not pseudo-CVEs.
+    const gapNotes = (analyze.framework_gap_mapping || []).map((g, idx) => {
+      const lines = [
+        `Framework: ${g.framework}`,
+        g.claimed_control ? `Claimed control: ${g.claimed_control}` : null,
+        g.actual_gap ? `Gap: ${g.actual_gap}` : null,
+        g.required_control ? `Required: ${g.required_control}` : null,
+      ].filter(Boolean);
+      return {
+        category: 'details',
+        title: `Framework gap ${idx + 1}: ${g.framework}${g.claimed_control ? ' / ' + g.claimed_control : ''}`,
+        text: lines.join('\n'),
+      };
+    });
+    // audit CC P1-3: CSAF §3.1.7.4 publisher.namespace MUST be the trust
+    // anchor of the entity publishing the advisory — the OPERATOR running the
+    // scan, not the tool vendor. Pre-fix every CSAF emitted by the runner
+    // claimed https://exceptd.com as namespace, falsely attributing
+    // responsibility for advisory accuracy to the tooling provider. Resolve
+    // in priority order: explicit --publisher-namespace > --operator if it
+    // looks URL-shaped > fallback `urn:exceptd:operator:unknown` with a note
+    // documenting the gap.
+    const operatorClean = sanitizeOperatorText(runOpts.operator);
+    const explicitNs = sanitizeOperatorText(runOpts.publisherNamespace);
+    let publisherNamespace;
+    let publisherNamespaceSource;
+    if (explicitNs && /^https?:\/\//i.test(explicitNs)) {
+      publisherNamespace = explicitNs;
+      publisherNamespaceSource = 'runOpts.publisherNamespace';
+    } else if (operatorClean && /^https?:\/\//i.test(operatorClean)) {
+      publisherNamespace = operatorClean;
+      publisherNamespaceSource = 'runOpts.operator';
+    } else {
+      publisherNamespace = 'urn:exceptd:operator:unknown';
+      publisherNamespaceSource = 'fallback';
+    }
+    const namespaceFallbackNote = (publisherNamespaceSource === 'fallback') ? [{
+      category: 'general',
+      title: 'Publisher namespace not supplied',
+      text: 'No --publisher-namespace and no URL-shaped --operator were supplied to this run. CSAF §3.1.7.4 requires the namespace to be the publisher\'s trust anchor — i.e. the OPERATOR running the scan, not the tooling vendor. Re-emit with `--publisher-namespace https://your-org.example` (or a URL-shaped `--operator`) to attribute responsibility for advisory accuracy correctly.'
+    }] : [];
+    // audit CC P1-3: ALSO surface the unclaimed-publisher condition through
+    // the structured runtime_errors[] accumulator so machine-readable
+    // consumers (CI gates, dashboards) can branch on it without parsing
+    // notes[] prose. The orchestrator's post-close pass folds late-pushed
+    // _runErrors into phases.analyze.runtime_errors before the run-level
+    // return, so the warning surfaces alongside other run-time anomalies.
+    // De-dupe: only push once per bundle-build pass (multi-format emit
+    // builds CSAF once via memoization, so this fires at most once per run).
+    if (publisherNamespaceSource === 'fallback' && Array.isArray(runOpts._runErrors)) {
+      const already = runOpts._runErrors.some(e => e && e.kind === 'bundle_publisher_unclaimed');
+      if (!already) {
+        runOpts._runErrors.push({
+          kind: 'bundle_publisher_unclaimed',
+          reason: 'CSAF document.publisher.namespace fell back to urn:exceptd:operator:unknown because no --publisher-namespace and no URL-shaped --operator were supplied. Operator attribution is unclaimed on this advisory.',
+          remediation: 'Re-run with --publisher-namespace <https-url> (or a URL-shaped --operator).'
+        });
+      }
+    }
+
+    // audit CC P1-4: thread the validated --operator name into
+    // tracking.generator (engine identity) AND publisher.contact_details
+    // (operator-of-record). engine.version is read from the package once per
+    // process. contact_details is omitted when no operator was supplied so
+    // the field doesn't carry a misleading null.
+    const publisherBlock = {
+      category: 'vendor',
+      name: 'exceptd',
+      namespace: publisherNamespace,
+    };
+    if (operatorClean) publisherBlock.contact_details = operatorClean;
+
+    // audit CC P1-1: CSAF §3.1.11.3.5.1 defines `final` as an immutable
+    // advisory; subsequent re-emits against the same tracking.id are
+    // refused by strict validators (BSI CSAF Validator). Runtime detection
+    // runs with no operator review loop are inherently revisable, so the
+    // default is `interim`. Operators who have reviewed and are ready to
+    // promote pass `--csaf-status final` (threaded via runOpts.csafStatus);
+    // any other value falls back to `interim` rather than emitting an
+    // unrecognized status word.
+    const allowedCsafStatuses = new Set(['draft', 'interim', 'final']);
+    const csafStatus = allowedCsafStatuses.has(runOpts.csafStatus)
+      ? runOpts.csafStatus
+      : 'interim';
+
     return {
       document: {
         category: 'csaf_security_advisory',
         csaf_version: '2.0',
-        publisher: { category: 'vendor', name: 'exceptd', namespace: 'https://exceptd.com' },
+        publisher: publisherBlock,
         title: `exceptd finding: ${playbook.domain.name} (${analyze.matched_cves.length} CVE(s), ${indicatorHits.length} indicator hit(s), ${(analyze.framework_gap_mapping || []).length} framework gap(s))`,
+        notes: [...namespaceFallbackNote, ...gapNotes],
         tracking: {
           // F2/F9: CSAF tracking.id binds to the run's session_id (threaded
           // from run() via close()) so attestation file names, OpenVEX
@@ -1611,15 +2026,21 @@ function buildEvidenceBundle(format, playbook, analyze, validate, agentSignals,
           // the same millisecond collided and one run's documents
           // referenced ids that didn't match anything else on disk.
           id: `exceptd-${playbook._meta.id}-${sessionId}`,
-          status: 'final',
+          status: csafStatus,
           version: playbook._meta.version,
+          // audit CC P1-4: name the engine that emitted the advisory.
+          // CSAF §3.1.11.3.2 places this under tracking.generator.engine.
+          generator: {
+            engine: { name: 'exceptd', version: getEngineVersion() },
+            date: now,
+          },
           initial_release_date: now,
           current_release_date: now,
           revision_history: [{ number: '1', date: now, summary: 'Initial finding emission' }]
         }
       },
       product_tree: { full_product_names: fullProductNames },
-      vulnerabilities: [...cveVulns, ...indicatorVulns, ...gapVulns],
+      vulnerabilities: [...cveVulns, ...indicatorVulns],
       exceptd_extension: {
         classification: analyze._detect_classification,
         rwep: analyze.rwep,
@@ -1629,6 +2050,7 @@ function buildEvidenceBundle(format, playbook, analyze, validate, agentSignals,
         evidence_requirements: validate.evidence_requirements,
         residual_risk_statement: validate.residual_risk_statement,
         indicators_fired: indicatorHits.map(i => ({ id: i.id, confidence: i.confidence, deterministic: i.deterministic })),
+        publisher_namespace_source: publisherNamespaceSource,
       }
     };
   }
@@ -1644,8 +2066,17 @@ function buildEvidenceBundle(format, playbook, analyze, validate, agentSignals,
   // render empty fields.
   if (format === 'sarif' || format === 'sarif-2.1.0') {
     const stripNulls = (obj) => Object.fromEntries(Object.entries(obj).filter(([, v]) => v != null));
+    // audit CC P2-6: SARIF rule ids are global within a single sarif-log run.
+    // Pre-fix, generic ruleIds like `framework-gap-0` (and shared CVE ids
+    // across playbooks) collided when results from multiple playbook runs
+    // were merged into one SARIF document — GitHub Code Scanning de-dupes
+    // by ruleId, so the second playbook's rule definition silently
+    // overwrote the first. Prefix every ruleId with the playbook slug so
+    // every rule definition is unambiguously attributable to one playbook,
+    // and cross-playbook merges retain all results.
+    const rulePrefix = `${playbookSlug}/`;
     const cveResults = analyze.matched_cves.map(c => ({
-      ruleId: c.cve_id,
+      ruleId: `${rulePrefix}${c.cve_id}`,
       level: c.rwep >= 90 ? 'error' : c.rwep >= 70 ? 'warning' : 'note',
       message: { text: `${c.cve_id}: RWEP ${c.rwep}, blast_radius ${analyze.blast_radius_score}. ${validate.selected_remediation?.description || ''}` },
       properties: stripNulls({
@@ -1662,7 +2093,7 @@ function buildEvidenceBundle(format, playbook, analyze, validate, agentSignals,
     const indicatorResults = indicatorHits.map(i => {
       const locs = sarifLocationsForIndicator(playbook, i);
       const result = {
-        ruleId: i.id,
+        ruleId: `${rulePrefix}${i.id}`,
         level: i.deterministic ? 'error' : (i.confidence === 'high' ? 'warning' : 'note'),
         message: { text: `Indicator ${i.id} fired (${i.confidence}${i.deterministic ? ' / deterministic' : ''}). Playbook: ${playbook._meta.id}.` },
         properties: stripNulls({
@@ -1677,7 +2108,7 @@ function buildEvidenceBundle(format, playbook, analyze, validate, agentSignals,
       return result;
     });
     const gapResults = (analyze.framework_gap_mapping || []).map((g, idx) => ({
-      ruleId: `framework-gap-${idx}`,
+      ruleId: `${rulePrefix}framework-gap-${idx}`,
       // Framework gaps are control-design observations, not vulnerabilities —
       // SARIF §3.27.9 `kind: informational` routes them appropriately.
       kind: 'informational',
@@ -1686,18 +2117,18 @@ function buildEvidenceBundle(format, playbook, analyze, validate, agentSignals,
       properties: stripNulls({ kind: 'framework_gap', framework: g.framework, control: g.claimed_control }),
     }));
     const cveRules = analyze.matched_cves.map(c => ({
-      id: c.cve_id, shortDescription: { text: c.cve_id },
+      id: `${rulePrefix}${c.cve_id}`, shortDescription: { text: c.cve_id },
       fullDescription: { text: `RWEP ${c.rwep} · KEV=${c.cisa_kev} · active_exploitation=${c.active_exploitation}` },
       defaultConfiguration: { level: c.rwep >= 90 ? 'error' : c.rwep >= 70 ? 'warning' : 'note' },
       helpUri: `https://nvd.nist.gov/vuln/detail/${c.cve_id}`,
     }));
     const indicatorRules = indicatorHits.map(i => ({
-      id: i.id, shortDescription: { text: i.id },
+      id: `${rulePrefix}${i.id}`, shortDescription: { text: i.id },
       fullDescription: { text: `Indicator from playbook ${playbook._meta.id}. Type: ${i.type}. Confidence: ${i.confidence}.` },
       defaultConfiguration: { level: i.deterministic ? 'error' : (i.confidence === 'high' ? 'warning' : 'note') },
     }));
     const gapRules = (analyze.framework_gap_mapping || []).map((g, idx) => ({
-      id: `framework-gap-${idx}`,
+      id: `${rulePrefix}framework-gap-${idx}`,
       shortDescription: { text: `${g.framework}: ${g.claimed_control || `gap-${idx}`}` },
       fullDescription: { text: g.actual_gap || `Framework gap in ${g.framework}` },
       defaultConfiguration: { level: 'note' },
@@ -1712,11 +2143,16 @@ function buildEvidenceBundle(format, playbook, analyze, validate, agentSignals,
           rules: [...cveRules, ...indicatorRules, ...gapRules],
         } },
         results: [...cveResults, ...indicatorResults, ...gapResults],
-        invocations: [{ executionSuccessful: true, properties: {
+        invocations: [{ executionSuccessful: true, properties: stripNulls({
+          // A: apply the B7 stripNulls contract here too — the
+          // `remediation` field is null for any run that didn't surface a
+          // selected_remediation, and SARIF viewers render null property
+          // values as visible empty rows. Same helper as the result
+          // property bags above.
           playbook: playbook._meta.id, classification: analyze._detect_classification || 'unknown',
           rwep_adjusted: analyze.rwep?.adjusted || 0,
           remediation: validate.selected_remediation?.id || null,
-        } }],
+        }) }],
       }]
     };
   }
@@ -1737,7 +2173,12 @@ function buildEvidenceBundle(format, playbook, analyze, validate, agentSignals,
   //        `urn:exceptd:indicator:<playbook>:<indicator-id>` (RFC 8141) so
   //        they pass IRI validation in downstream VEX consumers.
   if (format === 'openvex' || format === 'openvex-0.2.0') {
-    const issued = new Date().toISOString();
+    // B: reuse the bundle-wide `now` so OpenVEX `timestamp`
+    // aligns with CSAF `document.tracking.initial_release_date` when both
+    // formats are emitted in the same close() pass. Pre-fix each format
+    // crystallised its own Date.now() value, and the two bundles in
+    // bundles_by_format disagreed on milliseconds.
+    const issued = now;
     const productEntry = {
       '@id': productPurl,
       subcomponents: [{ '@id': productPurl }],
@@ -1752,6 +2193,17 @@ function buildEvidenceBundle(format, playbook, analyze, validate, agentSignals,
       if (remediationDescription) return `Apply remediation from validate phase: ${remediationDescription}`;
       return fallback;
     };
+    // A: same `vex_status === 'fixed'` correctness rule as the
+    // CSAF emitter. The catalog `live_patch_available` flag is a global
+    // "vendor publishes a live-patch" signal, not an operator-host
+    // disposition. Treating it as `status: fixed` made OpenVEX statements
+    // claim resolution that the operator hadn't actually attested to.
+    // VEX consumers downstream of CISA / SBOM / supply-chain pipelines
+    // treat `fixed` as authoritative — emitting it without operator
+    // attestation is a downstream-misleading bug. Now the OpenVEX
+    // statement says `affected` (with action_statement pointing to the
+    // remediation, which may itself be the vendor live-patch route) unless
+    // the operator declared `vex_status: fixed` on the matched CVE.
     const cveStatements = analyze.matched_cves.map(c => {
       const stmt = {
         vulnerability: { '@id': `urn:cve:${urnSlug(c.cve_id)}`, name: c.cve_id },
@@ -1759,11 +2211,13 @@ function buildEvidenceBundle(format, playbook, analyze, validate, agentSignals,
         timestamp: issued,
         impact_statement: `RWEP ${c.rwep}. Blast radius ${analyze.blast_radius_score}/5.`,
       };
-      if (c.live_patch_available) {
+      if (c.vex_status === 'fixed') {
         stmt.status = 'fixed';
       } else {
         stmt.status = 'affected';
-        stmt.action_statement = actionStatementFor('Apply remediation from validate phase.');
+        stmt.action_statement = actionStatementFor(c.live_patch_available
+          ? 'Vendor publishes a live-patch — see catalog `live_patch_tools` and apply, then re-attest.'
+          : 'Apply remediation from validate phase.');
       }
       return stmt;
     });
@@ -1912,6 +2366,16 @@ function normalizeSubmission(submission, playbook) {
     signals: { ...(submission.signals || {}) },
     precondition_checks: { ...(submission.precondition_checks || {}) },
     _original_shape: 'flat (v0.11.0)',
+    // BB P1-4: normalizeSubmission pushes structured errors (e.g.
+    // signal_overrides_invalid) onto submission._runErrors above. If the
+    // submission is flat, the fresh `out` literal built here loses that
+    // accumulator unless we forward it. run()'s harvest at the entry to
+    // detect/analyze reads agentSubmission._runErrors — without this carry,
+    // flat submissions with invalid signal_overrides silently lost the
+    // v0.12.19 U REG-1 contract (errors never reached analyze.runtime_errors).
+    ...(Array.isArray(submission._runErrors) && submission._runErrors.length
+      ? { _runErrors: submission._runErrors.slice() }
+      : {}),
   };
   const knownPreconditions = new Set((playbook?._meta?.preconditions || []).map(p => p.id));
   const knownArtifacts = new Set((playbook?.phases?.look?.artifacts || []).map(a => a.id));
@@ -2104,6 +2568,20 @@ function run(playbookId, directiveId, agentSubmission = {}, runOpts = {}) {
   // non-fatal anomalies surfaced into analyze.runtime_errors[].
   const runErrors = [];
   cachedRunOpts._runErrors = runErrors;
+  // U REG-1: normalizeSubmission may push structured errors (e.g.
+  // signal_overrides_invalid) onto submission._runErrors. Pre-fix these were
+  // stranded — they never reached the run-level accumulator that analyze()
+  // slices into runtime_errors[], so F20's "analyze surfaces all runtime
+  // errors" contract was silently broken. Splice the pre-run errors into
+  // the run-level accumulator and strip the field off the submission so it
+  // doesn't pollute the F1 evidence_hash digest (the hash canonicalizes the
+  // submission and a non-deterministic _runErrors would change it).
+  if (Array.isArray(agentSubmission._runErrors) && agentSubmission._runErrors.length) {
+    runErrors.push(...agentSubmission._runErrors);
+  }
+  if (agentSubmission && Object.prototype.hasOwnProperty.call(agentSubmission, '_runErrors')) {
+    delete agentSubmission._runErrors;
+  }
   // E6: phases the runner should SKIP execution for, based on skip_phase
   // preconditions surfaced in preflight.issues.
   const skipPhases = new Set();
@@ -2522,4 +3000,8 @@ module.exports = {
   _evalCondition: evalCondition,
   _interpolate: interpolate,
   _activeRuns: _activeRuns,
+  _acquireLock: acquireLock,
+  _acquireLockDiagnostic: acquireLockDiagnostic,
+  _releaseLock: releaseLock,
+  _lockFilePath: lockFilePath,
 };