@blamejs/exceptd-skills 0.12.20 → 0.12.22

package/data/playbooks/hardening.json

@@ -62,7 +62,8 @@
     "cve_refs": [
       "CVE-2026-31431",
       "CVE-2026-43284",
-      "CVE-2026-43500"
+      "CVE-2026-43500",
+      "CVE-2026-46300"
     ],
     "cwe_refs": [
       "CWE-732",
@@ -183,6 +184,30 @@
             "control_id": "Application Hardening / OS Hardening",
             "designed_for": "Hardening application + OS with documented baseline.",
             "insufficient_because": "Maturity Level 1-3 are progressive but each accepts attestation evidence at the time of assessment. No real-time drift requirement at any maturity level."
+          },
+          {
+            "framework": "nis2",
+            "control_id": "Art.21(2)(e)",
+            "designed_for": "Security in network and information systems acquisition, development and maintenance.",
+            "insufficient_because": "Names secure configuration as essential measure. Implementing acts have not bound kernel-level hardening flags or continuous attestation; classical CIS-benchmark posture satisfies the article's text."
+          },
+          {
+            "framework": "dora",
+            "control_id": "Art.9",
+            "designed_for": "ICT systems, protocols and tools — protective and preventative measures.",
+            "insufficient_because": "Article requires 'state-of-the-art' protective measures without enumerating kernel hardening flags. Financial-entity ICT can be DORA-compliant while kernel hardening posture remains weak relative to the current LPE threat landscape."
+          },
+          {
+            "framework": "uk-caf",
+            "control_id": "B4 — System security",
+            "designed_for": "NCSC CAF outcome that operational systems are protected against cyber attack.",
+            "insufficient_because": "Outcome-based. Achievable on a baseline-documented configuration even when live hardening flags (kernel.kptr_restrict, kernel.dmesg_restrict, kernel.yama.ptrace_scope) drift downward between assessments."
+          },
+          {
+            "framework": "au-ism",
+            "control_id": "ISM-1417",
+            "designed_for": "Australian Government ISM control on hardening operating system configurations.",
+            "insufficient_because": "Control evidences a hardened baseline at deployment. Post-deployment sysctl drift, manual override during incident response, or fleet-management config-push regressions are not detected by the ISM's evidence model."
           }
         ]
       },

package/data/playbooks/kernel.json

@@ -70,12 +70,14 @@
     "cve_refs": [
       "CVE-2026-31431",
       "CVE-2026-43284",
-      "CVE-2026-43500"
+      "CVE-2026-43500",
+      "CVE-2026-46300"
     ],
     "cwe_refs": [
       "CWE-416",
       "CWE-362",
-      "CWE-787"
+      "CWE-787",
+      "CWE-672"
     ],
     "d3fend_refs": [
       "D3-KBPI",
@@ -186,6 +188,24 @@
             "control_id": "Art.21(2)(c)",
             "designed_for": "Vulnerability handling and disclosure for essential entities.",
             "insufficient_because": "Specifies process, not tempo. Permits patch-handling procedures that don't differentiate weaponized-in-hours kernel LPEs from theoretical issues."
+          },
+          {
+            "framework": "uk-caf",
+            "control_id": "B4 — System security",
+            "designed_for": "NCSC CAF outcome that operational systems are protected against cyber attack, including timely patching.",
+            "insufficient_because": "Outcome-based — does not bind a tempo to KEV-listed kernel LPEs. Regulator interpretation of 'timely' varies; a 30-day reading is defensible under CAF while the public PoC weaponizes in hours."
+          },
+          {
+            "framework": "au-essential-8",
+            "control_id": "Strategy 2 — Patch operating systems",
+            "designed_for": "ASD mitigation strategy for OS patching, with maturity levels 1-3.",
+            "insufficient_because": "Maturity Level 3 requires patching within 48 hours of vendor release for internet-facing services and 1 month for workstations. Neither tempo references CISA KEV or PoC availability; a kernel LPE with a same-day public exploit can satisfy ML3 while remaining exposed."
+          },
+          {
+            "framework": "au-ism",
+            "control_id": "ISM-1493",
+            "designed_for": "Australian Government ISM control for applying patches, updates, or vendor mitigations within 48 hours of release when an exploit exists.",
+            "insufficient_because": "48-hour clock anchors to vendor patch availability, not KEV listing. Kernels with live-patch capability go undocumented as a deployed mitigation; the control does not require live-patching as a fallback when reboot windows exceed 48 hours."
           }
         ]
       },

package/data/playbooks/mcp.json

@@ -289,6 +289,24 @@
             "control_id": "Art.13 / Annex I",
             "designed_for": "Essential cybersecurity requirements for products with digital elements.",
             "insufficient_because": "Manufacturer of an MCP server is captured, but tool sideloading by developers is not — and the CRA's manufacturer obligations don't translate cleanly to maintainer-signed packages on npm/PyPI."
+          },
+          {
+            "framework": "uk-caf",
+            "control_id": "A4 — Supply chain",
+            "designed_for": "NCSC CAF outcome that supply-chain risks to the essential function are understood and managed.",
+            "insufficient_because": "Outcome is scoped to suppliers the org has a relationship with. Developer-installed MCP servers reach the engineering environment without ever being onboarded as a supplier; the outcome cannot be assessed against an inventory that does not include them."
+          },
+          {
+            "framework": "au-essential-8",
+            "control_id": "Strategy 3 — Application control",
+            "designed_for": "ASD mitigation strategy restricting execution to an approved set of applications.",
+            "insufficient_because": "Application control gates classical executables. MCP servers run inside the developer's IDE or AI client as plugin modules — they bypass the strategy's enforcement surface entirely on standard ML2/ML3 implementations."
+          },
+          {
+            "framework": "au-ism",
+            "control_id": "ISM-1546",
+            "designed_for": "Australian Government ISM control on software supply-chain risk management for sourced software.",
+            "insufficient_because": "Targets sourced software with a procurement trail. Developer-initiated MCP plugin installation produces no procurement artefact, so the control's evidence requirements cannot bind."
           }
         ]
       },

package/data/playbooks/runtime.json

@@ -69,7 +69,10 @@
       "T1548.003"
     ],
     "cve_refs": [
-      "CVE-2026-31431"
+      "CVE-2026-31431",
+      "CVE-2026-43284",
+      "CVE-2026-43500",
+      "CVE-2026-46300"
     ],
     "cwe_refs": [
       "CWE-269",
@@ -190,6 +193,24 @@
             "control_id": "Art.21(2)(i)",
             "designed_for": "Access control policies, including privileged accounts.",
             "insufficient_because": "Policy-shaped, not state-shaped. Permits policy compliance without state-of-host evidence."
+          },
+          {
+            "framework": "uk-caf",
+            "control_id": "B2 — Identity and access control",
+            "designed_for": "NCSC CAF outcome that the org understands, documents and manages access to networks and systems supporting the essential function.",
+            "insufficient_because": "Outcome is achievable on documented intent. State-of-host enumeration (live sudoers, SUID, world-writable, cron/timer) is not a required artefact; sustained drift between documented and actual access is invisible to the CAF assessor."
+          },
+          {
+            "framework": "au-essential-8",
+            "control_id": "Strategy 5 — Restrict admin privileges",
+            "designed_for": "ASD mitigation strategy limiting administrative privilege scope and re-validation cadence.",
+            "insufficient_because": "Targets explicit administrative accounts. SUID binaries, sudoers wildcards, and cron-as-root entries grant equivalent privilege without appearing in the strategy's admin-account inventory."
+          },
+          {
+            "framework": "au-ism",
+            "control_id": "ISM-1382",
+            "designed_for": "Australian Government ISM control on privileged-account management and audit.",
+            "insufficient_because": "Audit cadence anchors on account creation/modification events. Persistent SUID/cron drift between audits does not trigger an event, so the control's audit trail can be clean while the host state is not."
           }
         ]
       },

package/data/playbooks/sbom.json

@@ -354,6 +354,24 @@
             "control_id": "Art.14",
             "designed_for": "Actively-exploited-vulnerability 24-hour notification.",
             "insufficient_because": "Notification window is tight; many orgs lack the SBOM-to-active-exploit correlation infrastructure to detect within window. Process gap, not control-text gap."
+          },
+          {
+            "framework": "uk-caf",
+            "control_id": "A4 — Supply chain",
+            "designed_for": "NCSC CAF outcome that supply-chain risks to the essential function are understood and managed.",
+            "insufficient_because": "Outcome is met by an SBOM-of-record at a point in time. Continuous transitive drift, VEX correlation, and AI-codegen provenance fall outside the outcome's reporting cadence; an annual CAF review can return 'achieved' against a stale inventory."
+          },
+          {
+            "framework": "au-essential-8",
+            "control_id": "Strategy 1 — Patch applications",
+            "designed_for": "ASD mitigation strategy for application patching, with maturity levels 1-3.",
+            "insufficient_because": "Strategy tempo (48-hour ML3 for internet-facing) assumes the org can enumerate which applications carry a CVE. Without continuous SBOM-to-CVE correlation, the patch clock does not start until the org happens to notice."
+          },
+          {
+            "framework": "au-ism",
+            "control_id": "ISM-1546",
+            "designed_for": "Australian Government ISM control on software supply-chain risk management for sourced software.",
+            "insufficient_because": "Control evidence is sourced-software-centric. Open-source transitive dependencies and AI-coding-assistant-emitted code are not 'sourced' under the ISM's evidence model; the control cannot bind their integrity."
           }
         ]
       },

package/data/playbooks/secrets.json

@@ -204,6 +204,12 @@
             "control_id": "164.312(a)(2)(iv)",
             "designed_for": "Encryption + decryption — mechanism to encrypt and decrypt ePHI.",
             "insufficient_because": "Targets encryption mechanism, not key material storage in source artifacts."
+          },
+          {
+            "framework": "uk-caf",
+            "control_id": "B3 — Data security",
+            "designed_for": "NCSC CAF outcome that data important to the essential function is protected from compromise, including credential and key material.",
+            "insufficient_because": "Outcome can be assessed against managed secret-store contents. Plaintext credentials leaked into source-code repositories, CI logs, IaC files, and AI assistant context windows do not register on the outcome's evidence surface."
           }
         ]
       },

package/data/zeroday-lessons.json

@@ -688,5 +688,107 @@
       "basis": "MCP ecosystem patch hygiene lags traditional CVE timelines. Most AI-agent operators do not maintain an explicit MCP tool allowlist; SI-10 audits accept the MCP plugin as a vendored dependency without auditing its argv handling.",
       "theater_pattern": "vendored_mcp_plugin_inherits_vendor_trust"
     }
+  },
+  "CVE-2026-46300": {
+    "name": "Fragnesia",
+    "lesson_date": "2026-05-14",
+    "attack_vector": {
+      "description": "Page-cache corruption via XFRM ESP-in-TCP skb coalescing in the Linux kernel. skb_try_coalesce() drops the SKBFL_SHARED_FRAG marker when coalescing paged fragments, so the kernel loses track of externally-backed fragments (page-cache pages spliced from a file). Unprivileged local user can overwrite read-only file data in the kernel page cache without touching the on-disk file. Public PoC targets /usr/bin/su for a deterministic root shell.",
+      "privileges_required": "unprivileged local user or container process",
+      "complexity": "deterministic, no race condition",
+      "ai_factor": "Human-discovered by William Bowling (V12 security team). Not AI-discovered, but lives in the same primitive class as the AI-discoverable Dirty Frag family — the upstream patch for Dirty Frag introduced this sibling bug."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Module-unload mitigation: blacklist esp4 / esp6 / rxrpc in /etc/modprobe.d/ where IPsec and Kerberos-AFS are not required. Identical mitigation set to Dirty Frag (CVE-2026-43284 / CVE-2026-43500) — any host already mitigated for Dirty Frag by module blacklist is already mitigated for Fragnesia.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Eliminates the attack surface on hosts that don't need ESP or RxRPC. Full kernel update via vendor channels closes the bug everywhere else; live-patch is the non-reboot path."
+      },
+      "detection": {
+        "what_would_have_worked": "Page-cache integrity monitoring — read a setuid binary through the page cache (`vmtouch` + `sha256sum`) and compare to a freshly-read-from-disk copy after `echo 3 > /proc/sys/vm/drop_caches`. Mismatch is the primary forensic signature.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "File-integrity tools that hash on-disk bytes (AIDE, Tripwire, IMA in measure-only mode) miss this entirely — the on-disk file is unchanged. Detection coverage requires page-cache-aware integrity checks, which no major framework requires."
+      },
+      "response": {
+        "what_would_have_worked": "Module unload + kernel update + venv-style page-cache flush of long-running processes that hold a setuid binary mapped read-only.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Reduces blast radius post-exploitation. The corrupted page-cache entry survives until the affected page is evicted or the process re-maps the file — drop_caches is the operational reset."
+      }
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "30-day SLA is exploitation window for a deterministic public PoC. Module-unload mitigation is non-reboot and available immediately but is not a required compensating control under SI-2."
+      },
+      "ISO-27001-2022-A.8.8": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Appropriate timescales undefined; standard 30-day interpretation is unsafe for deterministic LPE with public PoC."
+      },
+      "NIS2-Art21-2c": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Patch-management measures are undefined for fast-cycle kernel LPEs with public PoC."
+      },
+      "DORA-Art9": {
+        "covered": true,
+        "adequate": false,
+        "gap": "ICT incident management presumes vendor-patch cadence; module-unload as immediate mitigation has no place in the typical DORA evidence pack."
+      },
+      "UK-CAF-B4": {
+        "covered": true,
+        "adequate": false,
+        "gap": "System security principle is silent on subsystem module disable as a compensating control for unpatched kernel LPE."
+      },
+      "AU-ISM-1546": {
+        "covered": true,
+        "adequate": "partial",
+        "gap": "Essential 8 patch-applications maturity ladder anchors on advisory date, not on PoC availability. ML3 48h is still long for a deterministic public exploit."
+      },
+      "FILE-INTEGRITY-CONTROLS": {
+        "covered": false,
+        "adequate": false,
+        "gap": "AIDE / Tripwire / IMA in measure-only mode hash on-disk bytes and miss page-cache-resident corruption entirely. No framework requires page-cache-aware integrity verification."
+      }
+    },
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-016",
+        "name": "PAGE-CACHE-INTEGRITY-VERIFICATION",
+        "description": "For setuid binaries on production hosts: periodically (or on alert) read the binary through the page cache, drop caches, re-read from disk, and compare hashes. Mismatch indicates page-cache-resident corruption that on-disk-only file-integrity tools cannot detect.",
+        "evidence": "CVE-2026-46300 (Fragnesia) — corrupts the page-cache copy of /usr/bin/su without modifying the on-disk file. AIDE / Tripwire / IMA measure-only show clean.",
+        "gap_closes": [
+          "FILE-INTEGRITY-CONTROLS"
+        ]
+      },
+      {
+        "id": "NEW-CTRL-017",
+        "name": "BUG-FAMILY-MITIGATION-PERSISTENCE",
+        "description": "When a CVE patch lands, retain the pre-patch compensating controls (module blacklists, sysctl restrictions) until the patched code has soaked for a stated review period. Patches for one bug in a primitive class can introduce sibling bugs in the same class; the original compensating control may still apply to the sibling.",
+        "evidence": "CVE-2026-46300 (Fragnesia) — introduced by the patch for CVE-2026-43284 / CVE-2026-43500 (Dirty Frag). The esp4 / esp6 / rxrpc blacklist used for Dirty Frag mitigation is identically effective against Fragnesia.",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIS2-Art21-2c"
+        ]
+      },
+      {
+        "id": "NEW-CTRL-018",
+        "name": "SCANNER-PAPER-COMPLIANCE-TEST",
+        "description": "A vulnerability scanner that reports 'patched' based on kernel package version alone is paper compliance. The operational test: does the scan account for the module-unload mitigation surface, AND does it verify the kernel is on a build that includes the specific Fragnesia patch (not just any version newer than the Dirty Frag patch that introduced Fragnesia)?",
+        "evidence": "CVE-2026-46300 — kernels patched for Dirty Frag but predating the Fragnesia patch report 'patched for CVE-2026-43284' while still exposed to CVE-2026-46300.",
+        "gap_closes": [
+          "ISO-27001-2022-A.8.8"
+        ]
+      }
+    ],
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 75,
+      "basis": "Operators who already blacklisted esp4 / esp6 / rxrpc for Dirty Frag are already mitigated. Operators who relied on kernel-package-version alone (a scanner saying 'patched') with vanilla SI-2 / A.8.8 SLAs are exposed during the patch window. Exposure drops sharply if CISA KEV-lists the CVE (federal 21-day SLA fires) or if active exploitation is observed.",
+      "theater_pattern": "patch_management"
+    }
   }
 }

package/lib/auto-discovery.js

@@ -31,7 +31,7 @@ const fs = require("fs");
 const path = require("path");
 const { scoreCustom, RWEP_WEIGHTS, ACTIVE_EXPLOITATION_LADDER } = require("./scoring");
 
-// audit M P1-C: stored rwep_factors must reproduce the stored rwep_score.
+// C: stored rwep_factors must reproduce the stored rwep_score.
 // `buildScoringInputs` is the single source of truth for both — it captures
 // the conservative defaults applied to a freshly-imported KEV draft (CISA
 // only lists vulnerabilities with documented exploitation, so we assume a
@@ -56,7 +56,7 @@ function buildScoringInputs(kevEntry /*, nvdPayload */) {
   };
 }
 
-// audit X P1: cve-catalog.schema.json's `rwep_factors` requires the post-weight
+// cve-catalog.schema.json's `rwep_factors` requires the post-weight
 // numeric shape (cisa_kev: 0|25, poc_available: 0|20, ai_factor: 0|15,
 // active_exploitation: 0|5|10|20, blast_radius: 0..30, patch_available: 0|-15,
 // live_patch_available: 0|-10, reboot_required: 0|5). Pre-fix the auto-discovery
@@ -89,7 +89,7 @@ function toPostWeightFactors(inputs) {
 }
 
 /**
- * Audit M P3-O — diff severity nuance for KEV-discovered drafts.
+ * O — diff severity nuance for KEV-discovered drafts.
  *
  * Pre-fix every KEV-derived diff carried `severity: "high"`. Operators
  * scanning the diff stream had no way to distinguish "patch in 21 days"
@@ -199,13 +199,13 @@ function buildKevDraftEntry(kevEntry, nvdPayload, epssPayload) {
   const knownRansomware =
     String(kevEntry.knownRansomwareCampaignUse || "").toLowerCase() === "known";
 
-  // audit M P1-C: stored rwep_factors and computed rwep_score MUST agree.
+  // C: stored rwep_factors and computed rwep_score MUST agree.
   // Previously rwep_factors held nulls (for unknown poc/ai/reboot) but
   // rwep_score was computed from concrete defaults (poc=true, reboot=true).
   // `scoring.validate()` then flagged every auto-imported draft for
   // divergence > 5. Now: one canonical input object → both surfaces.
   //
-  // audit X P1: the catalog's JSON-schema for `rwep_factors` requires the
+  // the catalog's JSON-schema for `rwep_factors` requires the
   // POST-WEIGHT numeric shape (ai_factor / numeric ladder contributions /
   // numeric ±deductions) — not the SHAPE-A boolean + string-ladder shape
   // that scoreCustom consumes. Pre-fix the boolean shape was stored
@@ -264,11 +264,11 @@ function buildKevDraftEntry(kevEntry, nvdPayload, epssPayload) {
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       kevEntry.notes ? String(kevEntry.notes) : null,
     ].filter(Boolean),
-    // v0.12.15 (audit M P1-B): schema requires source_verified to be a
+    // v0.12.15 (B): schema requires source_verified to be a
     // YYYY-MM-DD string; the prior `false` boolean (then null) produced
     // entries that failed strict catalog validation.
     //
-    // audit X P1: the CISA KEV listing IS the verification source for a
+    // the CISA KEV listing IS the verification source for a
     // KEV-discovered draft — the entry's `verification_sources` array
     // already points to the KEV catalog URL, and KEV's appearance is what
     // triggered the auto-import. Pre-fix the field stayed null, which
@@ -282,7 +282,7 @@ function buildKevDraftEntry(kevEntry, nvdPayload, epssPayload) {
     source_verified: TODAY,
     last_updated: TODAY,
     last_verified: TODAY,
-    // v0.12.15 (audit M P1-D): `_auto_imported` must be the boolean `true`
+    // v0.12.15 (D): `_auto_imported` must be the boolean `true`
     // for lib/validate-cve-catalog.js's draft-recognition check (strict
     // `=== true` comparison). The prior object-shape was non-recognizable
     // and the strict validator treated KEV-discovered drafts as
@@ -577,7 +577,7 @@ async function discoverNewRfcs(ctx, opts = {}) {
       skills_referencing: [],
       errata_count: null,
       last_verified: TODAY,
-      // v0.12.15 (audit M P1-D, P3-T): boolean `_auto_imported: true` for
+      // v0.12.15 (D, P3-T): boolean `_auto_imported: true` for
       // strict-validator recognition; provenance moved to sibling
       // `_auto_imported_meta`. Errata-URL hint converted to a real template
       // literal so the rfc number actually interpolates (the previous double-

package/lib/cross-ref-api.js

@@ -19,9 +19,16 @@ const ROOT = path.join(__dirname, '..');
 const DATA_DIR = process.env.EXCEPTD_DATA_DIR || path.join(ROOT, 'data');
 const INDEX_DIR = path.join(DATA_DIR, '_indexes');
 
+// DD P1-1: cache entries store the parsed payload AND the mtimeMs of the
+// source file at parse-time. Each load call re-stats the file; if mtime
+// matches, the cached value is returned (one syscall, no parse). If mtime
+// changed, re-parse + repopulate. If stat fails (file vanished mid-run,
+// permission glitch), fall back to the cached value. Pre-fix the cache was
+// process-lifetime — long-running `orchestrator watch` processes never saw
+// `data/cve-catalog.json` mutations driven by `exceptd refresh --apply`.
 const _cache = new Map();
 
-// v0.12.14 (audit C-F7): catalog corruption no longer crashes the runner
+// v0.12.14: catalog corruption no longer crashes the runner
 // uncaught. A malformed JSON file in data/ used to produce a SyntaxError
 // at require-time of any consumer (lib/playbook-runner.js), which threw
 // out of the run() entrypoint without honoring AGENTS.md's "non-zero
@@ -30,42 +37,56 @@ const _cache = new Map();
 // can inspect.
 const _loadErrors = [];
 
+function _statMtime(p) {
+  try { return fs.statSync(p).mtimeMs; }
+  catch { return null; }
+}
+
 function loadCatalog(filename) {
-  if (_cache.has(filename)) return _cache.get(filename);
   const full = path.join(DATA_DIR, filename);
+  const mtime = _statMtime(full);
+  const cached = _cache.get(filename);
+  if (cached && (mtime === null || cached.mtime === mtime)) {
+    return cached.value;
+  }
   if (!fs.existsSync(full)) {
-    _cache.set(filename, {});
+    _cache.set(filename, { value: {}, mtime });
     return {};
   }
   try {
     const parsed = JSON.parse(fs.readFileSync(full, 'utf8'));
-    _cache.set(filename, parsed);
+    _cache.set(filename, { value: parsed, mtime });
     return parsed;
   } catch (e) {
     _loadErrors.push({ kind: 'catalog', file: filename, error: e.message });
     const stub = {};
     Object.defineProperty(stub, '_loadError', { value: e.message, enumerable: false });
-    _cache.set(filename, stub);
+    _cache.set(filename, { value: stub, mtime });
     return stub;
   }
 }
 
 function loadIndex(filename) {
-  if (_cache.has('idx:' + filename)) return _cache.get('idx:' + filename);
   const full = path.join(INDEX_DIR, filename);
+  const mtime = _statMtime(full);
+  const key = 'idx:' + filename;
+  const cached = _cache.get(key);
+  if (cached && (mtime === null || cached.mtime === mtime)) {
+    return cached.value;
+  }
   if (!fs.existsSync(full)) {
-    _cache.set('idx:' + filename, {});
+    _cache.set(key, { value: {}, mtime });
     return {};
   }
   try {
     const parsed = JSON.parse(fs.readFileSync(full, 'utf8'));
-    _cache.set('idx:' + filename, parsed);
+    _cache.set(key, { value: parsed, mtime });
     return parsed;
   } catch (e) {
     _loadErrors.push({ kind: 'index', file: filename, error: e.message });
     const stub = {};
     Object.defineProperty(stub, '_loadError', { value: e.message, enumerable: false });
-    _cache.set('idx:' + filename, stub);
+    _cache.set(key, { value: stub, mtime });
     return stub;
   }
 }
@@ -84,11 +105,23 @@ function entries(catalog) {
  * Full correlation for a CVE ID. Returns the catalog entry plus everything
  * that references it across skills, framework gaps, theater fingerprints,
  * recipes, and zero-day lessons.
+ *
+ * FF P1-4: auto-imported drafts (entries with `_auto_imported === true`) are
+ * EXCLUDED by default. Drafts carry conservative-default mechanical fields
+ * and null analytical fields pending curation; downstream analyze / bundle
+ * emitters that assume `byCve()` returns curated data would treat the draft's
+ * placeholders as authoritative. The cve-curation flow (which surfaces the
+ * editorial questionnaire) opts in via `byCve(id, { include_drafts: true })`.
+ * Every other caller stays on the default exclude path.
  */
-function byCve(cveId) {
+function byCve(cveId, opts) {
+  const includeDrafts = !!(opts && opts.include_drafts);
   const catalog = loadCatalog('cve-catalog.json');
   const entry = catalog[cveId];
   if (!entry) return { found: false, cve_id: cveId };
+  if (!includeDrafts && entry._auto_imported === true) {
+    return { found: false, cve_id: cveId, _draft_excluded: true };
+  }
 
   const xref = loadIndex('xref.json');
   const recipes = loadIndex('recipes.json');

package/lib/cve-curation.js

@@ -43,7 +43,7 @@ const path = require("path");
 //      before deciding promotion.
 const { withCatalogLock } = require("./refresh-external");
 const { validate: validateAgainstSchema } = require("./validate-cve-catalog");
-// audit J F3: derive rwep_score via the canonical scoring helper rather
+// derive rwep_score via the canonical scoring helper rather
 // than a blind `Object.values(...).reduce(sum)`. The helper detects shape
 // (boolean inputs → scoreCustom; post-weight numeric inputs → sum + clamp)
 // so the curation apply-path produces a score that matches whatever the
@@ -58,7 +58,7 @@ let _cveSchemaCache = null;
 function loadCveEntrySchema() {
   if (_cveSchemaCache) return _cveSchemaCache;
   try {
-    // v0.12.15 (audit M P1-A): the prior version of this function looked for
+    // v0.12.15 (A): the prior version of this function looked for
     // either `root.patternProperties["^CVE-\\d{4}-\\d+$"]` or an object
     // `root.additionalProperties`. The actual schema at lib/schemas/cve-
     // catalog.schema.json has NEITHER — its top level IS the entry shape
@@ -279,7 +279,7 @@ function buildQuestionnaire(cveId, draft) {
   // Pull candidate catalogs. Each is optional — missing catalogs are skipped
   // gracefully. J7 makes these one-shot loads per process.
   const atlas = loadJson("data/atlas-ttps.json");
-  // v0.12.15 (audit M P1-E): the catalog ships as data/attack-techniques.json
+  // v0.12.15 (E): the catalog ships as data/attack-techniques.json
   // (renamed from data/attack-ttps.json before the v0.12.12 release; the
   // canonical file path is also what lib/validate-cve-catalog.js consumes).
   // The prior `data/attack-ttps.json` lookup silently fell back to an empty
@@ -570,7 +570,7 @@ function applyAnswersUnderLock(cveId, catalog, catalogPath, answers) {
     appliedFields.push(field);
   }
 
-  // audit J F3: derive rwep_score via the canonical scoring helper rather
+  // derive rwep_score via the canonical scoring helper rather
   // than a blind sum. deriveRwepFromFactors detects shape (boolean inputs
   // → scoreCustom; post-weight numeric inputs → sum + clamp) and routes
   // accordingly, so the apply-path produces a score that agrees with