@blamejs/exceptd-skills 0.12.18 → 0.12.21

package/lib/prefetch.js

@@ -18,7 +18,7 @@
  *   rfc/<doc-name>.json                               — IETF Datatracker doc record
  *   pins/<owner>__<repo>__releases.json               — MITRE GitHub releases listing
  *
- * audit M P2-K: the registered source names in SOURCES below are `rfc` and
+ * K: the registered source names in SOURCES below are `rfc` and
  * `pins`. Earlier comments + --help text said `ietf` and `github`; an
  * operator running `--source ietf` or `--source github` would hit "unknown
  * source" because no such key exists. The names below are the canonical
@@ -237,6 +237,26 @@ async function withIndexLock(cacheDir, mutator) {
       // raised when the other process is mid-unlink). Treat both as
       // "lock held, back off" rather than a fatal error.
       if (e.code !== "EEXIST" && e.code !== "EPERM") throw e;
+      // T P1-1: PID-liveness check. Same pattern as withCatalogLock in
+      // lib/refresh-external.js — read the lockfile's PID, probe with
+      // process.kill(pid, 0); ESRCH → holder dead, reclaim immediately;
+      // EPERM → holder alive (different user), keep waiting. The mtime
+      // fallback below covers malformed / unreadable lockfiles.
+      let reclaimedByPid = false;
+      try {
+        const raw = fs.readFileSync(lockPath, "utf8").trim();
+        const pid = Number.parseInt(raw, 10);
+        if (Number.isInteger(pid) && pid > 0 && pid !== process.pid) {
+          try {
+            process.kill(pid, 0);
+          } catch (probeErr) {
+            if (probeErr && probeErr.code === "ESRCH") {
+              try { fs.unlinkSync(lockPath); reclaimedByPid = true; } catch {}
+            }
+          }
+        }
+      } catch {}
+      if (reclaimedByPid) continue;
       try {
         const stat = fs.statSync(lockPath);
         if (Date.now() - stat.mtimeMs > STALE_LOCK_MS) {
@@ -302,7 +322,7 @@ function isFresh(idx, source, id, maxAgeMs) {
 
 function authHeadersForSource(source) {
   if (source === "nvd" && process.env.NVD_API_KEY) return { apiKey: process.env.NVD_API_KEY };
-  // audit M P2-J: the registered source name for MITRE GitHub releases is
+  // J: the registered source name for MITRE GitHub releases is
   // `pins` (see SOURCES above). The prior check looked for `github`, so
   // GITHUB_TOKEN never reached the per-request Authorization header and
   // anonymous-rate-limited fetches were always used even when an operator
@@ -394,11 +414,20 @@ async function prefetch(options = {}) {
         const targetPath = entryPath(opts.cacheDir, item.source, item.id);
         const dir = path.dirname(targetPath);
         if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
-        // v0.12.12 C4: atomic write of the payload. A concurrent reader
-        // (refresh --from-cache running in parallel) sees the prior
-        // payload in full or the new payload in full, never a partial
-        // buffer.
-        writeFileAtomic(targetPath, JSON.stringify(res.json, null, 2) + "\n");
+        const body = JSON.stringify(res.json, null, 2) + "\n";
+        // T P1-3: stage the payload to a same-volume tmp file BEFORE
+        // attempting to acquire the index lock. If withIndexLock fails
+        // (timeout after MAX_RETRIES), we want the partially-completed
+        // download discarded — not left on disk as an orphan payload
+        // with no index entry. Air-gap operators feed off `readCached`,
+        // which consults the index; an unindexed payload silently becomes
+        // junk taking cache space. Pattern: stage → lock → rename+index
+        // → release. The rename is atomic same-volume; if it fails inside
+        // the lock we clean up the tmp file. If we never reach the rename
+        // (lock acquisition throws), the tmp file is unlinked in the
+        // catch block below.
+        const tmpPath = `${targetPath}.tmp.${process.pid}.${Math.random().toString(36).slice(2, 10)}`;
+        fs.writeFileSync(tmpPath, body);
         const meta = {
           fetched_at: new Date().toISOString(),
           etag: res.etag,
@@ -406,16 +435,34 @@ async function prefetch(options = {}) {
           url: item.url,
           sha256: crypto.createHash("sha256").update(JSON.stringify(res.json)).digest("hex"),
         };
-        idx.entries[entryKey(item.source, item.id)] = meta;
-        // v0.12.12 C2: persist this entry's metadata to _index.json under
-        // lock immediately, merging with whatever the on-disk index has
-        // (another concurrent prefetch may have written sibling entries).
-        // Without this, only the in-memory idx is updated; the final
-        // saveIndex() would overwrite a sibling run's writes.
-        await withIndexLock(opts.cacheDir, (current) => {
-          current.entries[entryKey(item.source, item.id)] = meta;
-          return current;
-        });
+        try {
+          // v0.12.12 C2: persist this entry's metadata to _index.json under
+          // lock immediately, merging with whatever the on-disk index has
+          // (another concurrent prefetch may have written sibling entries).
+          // Inside the lock we also rename the staged tmp → final path so
+          // a concurrent reader sees the new payload + new index entry as
+          // an atomic pair.
+          await withIndexLock(opts.cacheDir, (current) => {
+            try {
+              fs.renameSync(tmpPath, targetPath);
+            } catch (renameErr) {
+              // Surface as a failure to mutator: throwing here aborts the
+              // lock's write step. We re-throw to the outer catch which
+              // will increment errors.
+              throw renameErr;
+            }
+            current.entries[entryKey(item.source, item.id)] = meta;
+            return current;
+          });
+          // Mirror the entry into the in-memory idx for callers that read
+          // it later in this run (e.g. the final saveIndex merge).
+          idx.entries[entryKey(item.source, item.id)] = meta;
+        } catch (lockErr) {
+          // Lock failure OR rename-inside-lock failure — unlink the staged
+          // tmp so the cache directory does not accumulate orphans.
+          try { fs.unlinkSync(tmpPath); } catch {}
+          throw lockErr;
+        }
         result.fetched++;
         result.by_source[item.source].fetched++;
         log(`  [${item.source}] ${item.id} — ok`);
@@ -473,7 +520,7 @@ function readCached(cacheDir, source, id, opts = {}) {
   const idx = loadIndex(cacheDir);
   const meta = idx.entries[entryKey(source, id)];
   if (!meta) return null;
-  // audit M P2-L: when `fetched_at` is missing / non-string / unparseable,
+  // L: when `fetched_at` is missing / non-string / unparseable,
   // `new Date(undefined).getTime()` is NaN and `NaN > maxAgeMs` is false —
   // so the cached entry would have been returned as if fresh. Treat any
   // non-finite age as "no provenance, refuse" unless the caller explicitly

package/lib/refresh-external.js

@@ -94,6 +94,12 @@ function parseArgs(argv) {
     else if (a.startsWith("--from-fixture=")) out.fromFixture = a.slice("--from-fixture=".length);
     else if (a === "--report-out") out.reportOut = argv[++i];
     else if (a.startsWith("--report-out=")) out.reportOut = a.slice("--report-out=".length);
+    // FF P1-3: previously only EXCEPTD_AIR_GAP=1 reached the GHSA/OSV source
+    // modules — the CLI flag was undocumented in parseArgs, so a downstream
+    // operator following the documented `--air-gap` path silently allowed
+    // network calls. Now the flag is honoured; env var still works as a
+    // fallback so existing automation isn't broken.
+    else if (a === "--air-gap") out.airGap = true;
   }
   return out;
 }
@@ -549,7 +555,7 @@ const GHSA_SOURCE = {
     return ghsa.buildDiff(ctx);
   },
   async applyDiff(ctx, diffs) {
-    // v0.12.14 (audit B-F1): the prior shape mutated ctx.cveCatalog in
+    // v0.12.14: the prior shape mutated ctx.cveCatalog in
     // memory but NEVER persisted to disk. Bulk `--source ghsa --apply`
     // reported "applied: N updates" while the catalog file gained zero
     // entries. Worse under `--swarm`: KEV's withCatalogLock would re-read
@@ -602,7 +608,7 @@ const OSV_SOURCE = {
     return osv.buildDiff(ctx);
   },
   async applyDiff(ctx, diffs) {
-    // v0.12.14 (audit B-F1): same fix as GHSA — route the read-modify-write
+    // v0.12.14: same fix as GHSA — route the read-modify-write
     // through withCatalogLock so writes actually land on disk and so
     // concurrent --source osv --apply doesn't lose updates.
     const catalogPath = ctx.cvePath || ABS("data/cve-catalog.json");
@@ -846,6 +852,11 @@ function loadCtx(opts) {
     d3fendCatalog: JSON.parse(fs.readFileSync(ABS("data/d3fend-catalog.json"), "utf8")),
     fixtures: null,
     cacheDir: null,
+    // FF P1-3: thread --air-gap (or EXCEPTD_AIR_GAP=1) through to ctx.airGap
+    // so the GHSA + OSV source modules (lib/source-ghsa.js, lib/source-osv.js)
+    // can branch on ctx.airGap and refuse network egress. Pre-fix the GHSA/OSV
+    // sources only saw `ctx?.airGap` as undefined when the CLI flag was used.
+    airGap: !!(opts && opts.airGap) || process.env.EXCEPTD_AIR_GAP === "1",
   };
   if (opts.fromFixture) {
     ctx.fixtures = { dir: path.resolve(opts.fromFixture), kev: true, epss: true, nvd: true, rfc: true, pins: true, ghsa: true, osv: true };
@@ -938,6 +949,33 @@ async function withCatalogLock(catalogPath, mutator) {
       // Windows the same race surfaces as EPERM (sharing-violation raised
       // when the holder is mid-unlink). Treat both as "lock held, back off."
       if (e.code !== "EEXIST" && e.code !== "EPERM") throw e;
+      // T P1-1: PID-liveness check before falling back to mtime. The
+      // lockfile already contains String(process.pid) of the holder; parse
+      // it and probe with `process.kill(pid, 0)`. ESRCH means the holder is
+      // dead — reclaim immediately rather than waiting STALE_LOCK_MS for
+      // the mtime gate to expire. EPERM (holder alive, different user) is
+      // treated as "alive, keep waiting." The mtime gate remains as a
+      // belt-and-suspenders for the case where the lockfile content is
+      // missing / malformed / belongs to a recycled PID. Matches the PID
+      // pattern in orchestrator/index.js _acquireWatchLock and
+      // lib/playbook-runner.js pidAlive().
+      let reclaimedByPid = false;
+      try {
+        const raw = fs.readFileSync(lockPath, "utf8").trim();
+        const pid = Number.parseInt(raw, 10);
+        if (Number.isInteger(pid) && pid > 0 && pid !== process.pid) {
+          try {
+            process.kill(pid, 0);
+            // holder alive
+          } catch (probeErr) {
+            if (probeErr && probeErr.code === "ESRCH") {
+              try { fs.unlinkSync(lockPath); reclaimedByPid = true; } catch {}
+            }
+            // EPERM and anything else: treat as alive, fall through to mtime/sleep.
+          }
+        }
+      } catch {} // unreadable lockfile — proceed to mtime fallback
+      if (reclaimedByPid) continue;
       // Stale-lock check before sleeping — a long-dead holder shouldn't keep
       // us waiting MAX_RETRIES * backoff before we recover.
       try {

package/lib/refresh-network.js

@@ -112,7 +112,7 @@ function getBuffer(url, timeoutMs) {
       }
       const chunks = [];
       let total = 0;
-      // v0.12.14 (audit F5): enforce streaming size cap so a hostile
+      // v0.12.14: enforce streaming size cap so a hostile
       // registry CDN can't stream gigabytes into RAM.
       res.on("data", (c) => {
         total += c.length;
@@ -194,14 +194,63 @@ function verifyDetached(publicKeyObj, payload, sigB64) {
 // v0.12.14 (audit F1, F7): CRLF/BOM normalization mirrors lib/verify.js's
 // normalize(). Duplicated here to keep refresh-network free of cross-module
 // runtime deps. ANY change here MUST be mirrored in lib/verify.js +
-// lib/sign.js — the three normalize() implementations form a byte-stability
-// contract.
+// lib/sign.js + scripts/verify-shipped-tarball.js — the four normalize()
+// implementations form a byte-stability contract enforced by
+// tests/normalize-contract.test.js.
 function normalizeSkillBytes(buf) {
   let s = Buffer.isBuffer(buf) ? buf.toString("utf8") : String(buf);
   if (s.length > 0 && s.charCodeAt(0) === 0xFEFF) s = s.slice(1);
   return Buffer.from(s.replace(/\r\n/g, "\n"), "utf8");
 }
 
+// B + Q P1: in-line manifest-signature verifier. Kept here
+// rather than imported from lib/verify.js so refresh-network.js retains
+// its no-cross-module-dep posture (mirrors the per-skill verify path).
+// ANY change to canonical-bytes computation here MUST stay in lockstep
+// with lib/sign.js canonicalManifestBytes() / lib/verify.js
+// canonicalManifestBytes() — tests/normalize-contract.test.js enforces.
+function canonicalizeForRefresh(value) {
+  if (Array.isArray(value)) return value.map(canonicalizeForRefresh);
+  if (value && typeof value === "object") {
+    const out = {};
+    for (const key of Object.keys(value).sort()) {
+      out[key] = canonicalizeForRefresh(value[key]);
+    }
+    return out;
+  }
+  return value;
+}
+function canonicalManifestBytesForRefresh(manifest) {
+  const clone = Object.assign({}, manifest);
+  delete clone.manifest_signature;
+  const json = JSON.stringify(canonicalizeForRefresh(clone), null, 2);
+  return normalizeSkillBytes(Buffer.from(json, "utf8"));
+}
+function verifyTarballManifestSignature(manifest, publicKeyPem) {
+  const sig = manifest && manifest.manifest_signature;
+  if (!sig || typeof sig !== "object") return { status: "missing" };
+  if (typeof sig.signature_base64 !== "string") {
+    return { status: "invalid", reason: "manifest_signature.signature_base64 missing or not a string" };
+  }
+  if (sig.algorithm !== "Ed25519") {
+    return { status: "invalid", reason: `manifest_signature.algorithm must be 'Ed25519' (got ${JSON.stringify(sig.algorithm)})` };
+  }
+  let signatureBytes;
+  try { signatureBytes = Buffer.from(sig.signature_base64, "base64"); }
+  catch (e) { return { status: "invalid", reason: `malformed base64: ${e.message}` }; }
+  const bytes = canonicalManifestBytesForRefresh(manifest);
+  let ok = false;
+  try {
+    ok = crypto.verify(null, bytes, {
+      key: publicKeyPem,
+      dsaEncoding: "ieee-p1363",
+    }, signatureBytes);
+  } catch (e) {
+    return { status: "invalid", reason: `crypto.verify threw: ${e.message}` };
+  }
+  return ok ? { status: "valid" } : { status: "invalid", reason: "Ed25519 manifest signature did not verify against local public.pem" };
+}
+
 // Manifest path validation. Mirrors lib/verify.js validateSkillPath().
 function validateManifestSkillPath(skillPath) {
   if (typeof skillPath !== "string") throw new Error(`manifest skill.path must be a string, got ${typeof skillPath}`);
@@ -211,7 +260,7 @@ function validateManifestSkillPath(skillPath) {
   return skillPath;
 }
 
-// v0.12.14 (audit F5): tarball download size cap. A hostile registry CDN
+// v0.12.14: tarball download size cap. A hostile registry CDN
 // could stream gigabytes; Node buffers chunks in RAM until OOM. Current
 // tarball is ~2 MB; 200 MB is generous defense-in-depth. Tunable via
 // EXCEPTD_TARBALL_SIZE_CAP_BYTES for future growth.
@@ -286,7 +335,7 @@ async function main() {
     process.exitCode = 2; return;
   }
 
-  // v0.12.14 (audit F5): defense-in-depth tarball size cap.
+  // v0.12.14: defense-in-depth tarball size cap.
   const sizeCap = tarballSizeCap();
   if (tgzBuf.length > sizeCap) {
     emit({ ok: false, error: `tarball exceeds size cap: ${tgzBuf.length} bytes > ${sizeCap} (EXCEPTD_TARBALL_SIZE_CAP_BYTES)` }, opts.json);
@@ -357,7 +406,7 @@ async function main() {
     process.exitCode = 5; return;
   }
 
-  // v0.12.16 (audit I P1-5): cross-check the local public key against
+  // v0.12.16: cross-check the local public key against
   // keys/EXPECTED_FINGERPRINT (the CI-pinned signing key). The prior
   // refresh-network code only compared LOCAL ↔ TARBALL fingerprints, so a
   // coordinated attacker who swapped both `keys/public.pem` on the operator's
@@ -402,7 +451,34 @@ async function main() {
   try { tarballManifest = JSON.parse(tarballManifestEntry.body.toString("utf8")); }
   catch (e) { emit({ ok: false, error: `tarball manifest.json parse: ${e.message}` }, opts.json); process.exitCode = 4; return; }
 
-  // v0.12.14 (audit F1): the prior loop iterated `sk.id` + a fixed payload
+  // B + Q P1: verify the top-level manifest_signature against
+  // the LOCAL public key before honoring any entry in the tarball manifest.
+  // The previous flow iterated `manifest.skills[].signature` per-skill but
+  // never authenticated the manifest envelope itself — a coordinated
+  // attacker who flipped paths/names/atlas_refs on entries already covered
+  // by per-skill signatures (which sign only the skill body bytes, not the
+  // metadata around them) could re-shape catalog routing without breaking
+  // any per-skill signature. The manifest signature closes that gap.
+  //
+  // Unlike post-install verify (which warns-and-continues on missing
+  // signature for legacy-tarball compat), refresh-network REQUIRES the
+  // signature: this code path is publishing fresh content into the local
+  // tree, and the tarball must already be ≥ v0.12.17 to have reached the
+  // registry through the sign-all gate.
+  const manifestSigResult = verifyTarballManifestSignature(tarballManifest, localPubKeyText);
+  if (manifestSigResult.status !== "valid") {
+    emit({
+      ok: false,
+      error: `tarball manifest_signature ${manifestSigResult.status} — refusing to swap`,
+      reason: manifestSigResult.reason || null,
+      hint: manifestSigResult.status === "missing"
+        ? "Tarball predates v0.12.17 manifest signing. Run `npm update -g @blamejs/exceptd-skills` instead so the full provenance-verified install path runs."
+        : "Tarball manifest envelope failed Ed25519 verification against the LOCAL public key. Run `npm update -g @blamejs/exceptd-skills` for the full provenance-verified path, or report this tarball at https://github.com/blamejs/exceptd-skills/issues.",
+    }, opts.json);
+    process.exitCode = 5; return;
+  }
+
+  // v0.12.14: the prior loop iterated `sk.id` + a fixed payload
   // path `skills/<id>/SKILL.md`. Manifest entries actually expose `name` +
   // `path` (a forward-slash relative path like `skills/<name>/skill.md`,
   // lowercase). Result: the loop matched zero entries; `failures.length === 0`
@@ -458,7 +534,7 @@ async function main() {
     process.exitCode = 5; return;
   }
 
-  // v0.12.14 (audit F2): the swap loop replaces `data/` + `manifest.json` +
+  // v0.12.14: the swap loop replaces `data/` + `manifest.json` +
   // `manifest-snapshot.json` in addition to `skills/`. None of those files
   // are covered by the per-skill Ed25519 signature (which signs only the
   // skill body bytes). The only integrity check between the registry and
@@ -499,7 +575,7 @@ async function main() {
     return;
   }
 
-  // v0.12.14 (audit F4): the prior swap loop renamed targets one-by-one,
+  // v0.12.14: the prior swap loop renamed targets one-by-one,
   // and a mid-loop failure left the install half-applied with no automatic
   // rollback. New shape: rename all old targets into a single backup dir
   // first (so the install is empty-of-old before any new content is moved
@@ -523,7 +599,7 @@ async function main() {
       written++;
     }
 
-    // v0.12.14 (audit F10): use PID + random suffix in the backup dir name
+    // v0.12.14: use PID + random suffix in the backup dir name
     // so concurrent refresh-network invocations don't collide on the
     // millisecond clock.
     const backupSuffix = `${process.pid}-${crypto.randomBytes(4).toString("hex")}`;
@@ -564,7 +640,7 @@ async function main() {
       message: `refreshed catalog from v${localVersion} → v${latestVersion} (${verifiedCount}/${skills.length} signatures verified). Backup at ${path.relative(ROOT, backupDir)} — safe to remove after verifying the new run.`,
     }, opts.json);
   } catch (e) {
-    // v0.12.14 (audit F4): walk completedSteps in reverse to undo partial work.
+    // v0.12.14: walk completedSteps in reverse to undo partial work.
     const rollbackErrors = [];
     for (const step of [...completedSteps].reverse()) {
       try {
@@ -603,4 +679,16 @@ if (require.main === module) {
   });
 }
 
-module.exports = { parseTar, fingerprintPublicKey };
+module.exports = {
+  parseTar,
+  fingerprintPublicKey,
+  // A: exported for tests/normalize-contract.test.js so the
+  // byte-stability contract can be asserted across all four normalize()
+  // implementations (lib/sign.js, lib/verify.js, lib/refresh-network.js,
+  // scripts/verify-shipped-tarball.js).
+  normalizeSkillBytes,
+  // B + Q P1: exported for in-process tests of the refresh
+  // path's manifest envelope check.
+  verifyTarballManifestSignature,
+  canonicalManifestBytesForRefresh,
+};

package/lib/scoring.js

@@ -5,7 +5,7 @@
  * Supplements CVSS with exploit availability, active exploitation, and operational constraints.
  *
  * ----------------------------------------------------------------------------
- * `rwep_factors` dual-semantics (audit J F2)
+ * `rwep_factors` dual-semantics
  * ----------------------------------------------------------------------------
  * Catalog entries (data/cve-catalog.json) store `rwep_factors` as an object
  * whose values are POST-WEIGHT CONTRIBUTIONS for boolean / ladder factors
@@ -62,7 +62,7 @@ const RWEP_WEIGHTS = {
   reboot_required:       5
 };
 
-// audit J F4: active_exploitation ladder. Aligned with playbook-runner's
+// active_exploitation ladder. Aligned with playbook-runner's
 // _activeExploitationLadder so the catalog scorer and the runtime evaluator
 // produce identical results for the same string value. 'unknown' contributes
 // a quarter of the confirmed weight (5 points) — operationally "we have not
@@ -76,7 +76,7 @@ const ACTIVE_EXPLOITATION_LADDER = {
 };
 
 // The canonical set of factor keys scoreCustom recognises. Used by
-// validateFactors to flag unknown keys (audit J F8).
+// validateFactors to flag unknown keys.
 const RECOGNISED_FACTOR_KEYS = new Set([
   'cisa_kev', 'poc_available', 'ai_assisted_weapon', 'ai_discovered',
   'active_exploitation', 'blast_radius', 'patch_available',
@@ -125,7 +125,7 @@ function validateFactors(factors) {
   } else if (!aeAllowed.includes(factors.active_exploitation)) {
     warnings.push(`active_exploitation: expected one of ${aeAllowed.join(', ')}, got ${JSON.stringify(factors.active_exploitation)}`);
   }
-  // audit J F6: NaN diagnostics. The prior message read "expected number,
+  // NaN diagnostics. The prior message read "expected number,
   // got number (null)" because `JSON.stringify(NaN) === 'null'` and `typeof
   // NaN === 'number'`. Number.isFinite catches NaN + Infinity + -Infinity
   // and emits a useful message.
@@ -140,7 +140,7 @@ function validateFactors(factors) {
   } else if (factors.blast_radius < 0 || factors.blast_radius > 30) {
     warnings.push(`blast_radius: ${factors.blast_radius} out of expected range [0, 30] (clamped to weight ceiling, but the value usually indicates a unit-of-measure mistake)`);
   }
-  // audit J F8: surface unknown factor keys so a typo'd answer file
+  // surface unknown factor keys so a typo'd answer file
   // (`patch_avilable`, `cisa-kev`, etc.) doesn't silently default to false
   // with no diagnostic.
   for (const k of Object.keys(factors)) {
@@ -173,7 +173,7 @@ function scoreCustom(factors, opts) {
     patch_available = false,
     live_patch_available = false,
     reboot_required = false,
-    // v0.12.15 (audit J F9): the CVE catalog field is `patch_required_reboot`
+    // v0.12.15: the CVE catalog field is `patch_required_reboot`
     // but scoreCustom historically expected `reboot_required`. validate()
     // already aliases at the call site; accept either spelling here so a
     // direct caller passing the catalog entry doesn't silently lose the
@@ -186,7 +186,7 @@ function scoreCustom(factors, opts) {
   score += cisa_kev ? RWEP_WEIGHTS.cisa_kev : 0;
   score += poc_available ? RWEP_WEIGHTS.poc_available : 0;
   score += (ai_assisted_weapon || ai_discovered) ? RWEP_WEIGHTS.ai_factor : 0;
-  // audit J F4 + F16: active_exploitation goes through the ladder rather
+  // active_exploitation goes through the ladder rather
   // than two hand-written branches with `Math.floor(weight/2)`. The floor
   // was a no-op for even weights (20/2 = 10) but would have silently
   // truncated to asymmetric results if a future operator bumped the
@@ -195,7 +195,7 @@ function scoreCustom(factors, opts) {
   // aligns the catalog scorer with playbook-runner._activeExploitationLadder.
   const aeMultiplier = ACTIVE_EXPLOITATION_LADDER[active_exploitation] ?? 0;
   score += RWEP_WEIGHTS.active_exploitation * aeMultiplier;
-  // v0.12.15 (audit J F1, F5): blast_radius numeric coercion must reject
+  // v0.12.15: blast_radius numeric coercion must reject
   // NaN, Infinity, and strings explicitly. The prior `typeof === 'number'`
   // check passed NaN (which is `typeof === 'number'`) into `Math.min/max`
   // which propagates NaN through the final clamp, defeating the [0,100]
@@ -208,12 +208,12 @@ function scoreCustom(factors, opts) {
   score += live_patch_available ? RWEP_WEIGHTS.live_patch_available : 0;
   score += rebootFactor ? RWEP_WEIGHTS.reboot_required : 0;
 
-  // audit J F10: keep the pre-clamp value so collectWarnings consumers can
+  // keep the pre-clamp value so collectWarnings consumers can
   // see deduction magnitude (e.g. a -25 raw score collapsed to 0 hides the
   // fact that the entry had three mitigating factors).
   const rawUnclamped = score;
 
-  // v0.12.15 (audit J F1): defense-in-depth clamp against any unforeseen
+  // v0.12.15: defense-in-depth clamp against any unforeseen
   // NaN production above (negative weight + Infinity + math edge case).
   const clamped = Number.isFinite(score) ? Math.min(100, Math.max(0, score)) : 0;
   if (opts && opts.collectWarnings) {
@@ -227,7 +227,7 @@ function scoreCustom(factors, opts) {
 }
 
 /**
- * audit J F3 + audit M P1-C bridge: derive an RWEP score from a
+ * Derive an RWEP score from a
  * `rwep_factors` object regardless of which shape it uses.
  *
  *   - SHAPE A (boolean / string-ladder): values are booleans + an
@@ -275,7 +275,7 @@ function compare(cveId, catalog, opts) {
   const entry = catalog[cveId];
   if (!entry) throw new Error(`CVE not in catalog: ${cveId}`);
 
-  // audit J F11: `--recompute` ignores the stored rwep_score and forces a
+  // `--recompute` ignores the stored rwep_score and forces a
   // fresh computation from rwep_factors. Useful for catching catalog drift
   // (stored score grew stale relative to current weights) and for auditing
   // the divergence between stored vs. formula-derived scores.
@@ -294,7 +294,7 @@ function compare(cveId, catalog, opts) {
   const cvssEquivalent = cvss * 10;
   const delta = rwep - cvssEquivalent;
 
-  // audit J F15: narrow the "broadly aligned" band from ±20 to ±10. The old
+  // narrow the "broadly aligned" band from ±20 to ±10. The old
   // ±20 band swallowed the Copy Fail RWEP-vs-CVSS divergence (delta = 12)
   // where the operator-facing point is precisely that the CVSS-calibrated
   // SLA is insufficient. ±10 is the tightest classifier that still treats
@@ -342,6 +342,15 @@ function validate(catalog) {
   const errors = [];
   for (const [cveId, entry] of Object.entries(catalog)) {
     if (cveId.startsWith('_')) continue;
+    // FF P1-1: skip auto-imported drafts. KEV/GHSA/OSV-discovered drafts
+    // store a conservative-default rwep_score (poc=true, reboot=true, etc.)
+    // alongside `poc_available: null` and other null-until-curated factor
+    // fields, so the recomputed-vs-stored divergence check ALWAYS fires
+    // against them — flooding the predeploy gate. Drafts are reviewed
+    // separately via the `_auto_imported_meta.curation_needed` list and the
+    // strict catalog validator's draft-warning tier. Once curation promotes
+    // an entry, `_auto_imported` is cleared and full validation resumes.
+    if (entry && entry._auto_imported === true) continue;
     for (const field of CVE_SCHEMA_REQUIRED) {
       if (!(field in entry)) {
         errors.push(`${cveId}: missing required field '${field}'`);

package/lib/sign.js

@@ -112,7 +112,7 @@ function generateKeypair({ rotate = false } = {}) {
   fs.writeFileSync(PRIVATE_KEY_PATH, privateKey, { encoding: 'utf8', mode: 0o600 });
   fs.writeFileSync(PUBLIC_KEY_PATH, publicKey, { encoding: 'utf8', mode: 0o644 });
 
-  // Audit I P1-3: on win32, fs.writeFileSync `mode` does not produce
+  // on win32, fs.writeFileSync `mode` does not produce
   // a POSIX-style restrictive ACL. Tighten via icacls so other desktop
   // users on the same workstation / CI runner can't read the key.
   restrictWindowsAcl(PRIVATE_KEY_PATH);
@@ -166,7 +166,7 @@ function signAll() {
     signed++;
   }
 
-  // Audit I P1-4: sign the manifest itself. Removes any existing
+  // sign the manifest itself. Removes any existing
   // manifest_signature field so the canonical bytes are deterministic
   // across re-runs, signs with the private key, then writes the result.
   // A coordinated attacker who rewrites the manifest (and snapshot, and
@@ -298,7 +298,7 @@ function loadManifest() {
 }
 
 /**
- * Audit I P1-4 — canonical byte form of the manifest, used for both
+ * canonical byte form of the manifest, used for both
  * signing (lib/sign.js) and verification (lib/verify.js).
  *
  * Contract: the same logical manifest content must produce the same bytes
@@ -343,9 +343,18 @@ function canonicalManifestBytes(manifest) {
  * Returns the manifest_signature object literal to splice into the
  * manifest top level.
  *
+ * A: the previous shape included a `signed_at` ISO timestamp.
+ * That field was stripped from the canonical bytes before signing (via
+ * `delete clone.manifest_signature`), so it was NOT covered by the
+ * signature — an attacker who replayed a known-valid signature could
+ * rewrite `signed_at` to any value, lending false freshness authority to
+ * a stale signature. The field is now omitted entirely. Freshness signal
+ * lives outside the signed bytes (git-log mtime of manifest.json, npm
+ * publish timestamp).
+ *
  * @param {object} manifest
  * @param {string} privateKey PEM-encoded Ed25519 private key
- * @returns {{algorithm:'Ed25519', signature_base64:string, signed_at:string}}
+ * @returns {{algorithm:'Ed25519', signature_base64:string}}
  */
 function signCanonicalManifest(manifest, privateKey) {
   const bytes = canonicalManifestBytes(manifest);
@@ -356,12 +365,11 @@ function signCanonicalManifest(manifest, privateKey) {
   return {
     algorithm: 'Ed25519',
     signature_base64: sig.toString('base64'),
-    signed_at: new Date().toISOString(),
   };
 }
 
 /**
- * Audit I P1-3 — tighten Windows ACL on the private key.
+ * tighten Windows ACL on the private key.
  *
  * fs.writeFileSync({mode: 0o600}) on win32 only affects read-only
  * attributes; the file inherits its ACL from the parent. icacls strips

package/lib/validate-catalog-meta.js

@@ -163,7 +163,7 @@ function validateMeta(catalogPath, opts) {
       }
     }
 
-    /* Audit G F3 — freshness enforcement. When both meta.last_updated and
+    /* freshness enforcement. When both meta.last_updated and
      * freshness_policy.stale_after_days are present, surface a warning if
      * (now - last_updated) > stale_after_days. Patch-class release emits at
      * WARN level (does not fail validation); v0.13.0 will flip to an error.

package/lib/validate-indexes.js

@@ -47,7 +47,7 @@ function main() {
   const meta = JSON.parse(fs.readFileSync(META, "utf8"));
   const recorded = meta.source_hashes || {};
 
-  // Audit G F1 — reject an empty source_hashes table outright. The previous
+  // reject an empty source_hashes table outright. The previous
   // gate would silently pass when source_hashes was {} (or missing entirely)
   // because the for-loop body never executed; the resulting "0 sources" pass
   // banner falsely advertised the indexes as current. An empty source-hash
@@ -67,7 +67,7 @@ function main() {
   const manifest = JSON.parse(fs.readFileSync(ABS("manifest.json"), "utf8"));
   const liveSources = new Set();
   liveSources.add("manifest.json");
-  // Audit G F16 — use lstat to detect symlinks. A symlinked .json under data/
+  // use lstat to detect symlinks. A symlinked .json under data/
   // would be hashed via the followed target, allowing a malicious checkout
   // (or a misconfigured filesystem) to swap data origin without tripping the
   // gate. Reject symlinks outright.