@blamejs/exceptd-skills 0.12.21 → 0.12.22

package/data/_indexes/_meta.json

@@ -1,10 +1,10 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-14T23:57:30.181Z",
+  "generated_at": "2026-05-15T06:49:36.722Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 50,
   "source_hashes": {
-    "manifest.json": "4b198eb657d469f7e3662489fdbb1de0938de8436064413c981ebbd442555f12",
+    "manifest.json": "2adf0e88322f3903ffd323dbcee69b406c7d801a1539cb1e79e569e47bbafc4c",
     "data/atlas-ttps.json": "20339e0ae3cd89c06f1385be31c50f408f827edc2e8ab8aef026ade3bcf0a917",
     "data/attack-techniques.json": "6db08a8e8a4d03d9309b1d185112de7f3c9595d2cd3d24566b7ce0b3b8aa5d1a",
     "data/cve-catalog.json": "7936ba3c8f27156235bf327830e8f1a684658865e97f089aed98b2a7cdbb88ef",
@@ -25,7 +25,7 @@
     "skills/rag-pipeline-security/skill.md": "78f00a39e66f08da2894e28eeedb32137295ca019eba7110ab28282d613a97eb",
     "skills/ai-c2-detection/skill.md": "095cab9daa072bfabc87152aea1b61ccd6da8f531753b05c181629f04014b5ca",
     "skills/policy-exception-gen/skill.md": "79db45ba722a6dd9bba25bf84e0b52cf659b56b662193cef80a8273337e41df9",
-    "skills/threat-model-currency/skill.md": "d2b065610ed2f8cdece4f19a95b4e2122c150fc924b7b45fbed17f32a75f3a08",
+    "skills/threat-model-currency/skill.md": "4badf98c3d8ca5f5c9854cbb25ed994491c39a88ff1aa354b72c50e59a7d3261",
     "skills/global-grc/skill.md": "e0487de49679172347653d8c191d1f269193de6f444f6b0c6396d326e45bd72e",
     "skills/zeroday-gap-learn/skill.md": "086df0fe792c80ca864da6917958bf3df7be5ba02df1c5894972a69353306ee6",
     "skills/pqc-first/skill.md": "a5eb776e1ea3bb422a4c18a3bdf39ad2ec1651b3c25e65c89428ba319141b275",

package/data/playbooks/runtime.json

@@ -70,6 +70,8 @@
     ],
     "cve_refs": [
       "CVE-2026-31431",
+      "CVE-2026-43284",
+      "CVE-2026-43500",
       "CVE-2026-46300"
     ],
     "cwe_refs": [

package/lib/playbook-runner.js

@@ -287,6 +287,15 @@ function lockFilePath(playbookId) {
   catch { return null; }
 }
 
+// PP P1-1: same-PID stale-lockfile reclaim threshold. A same-process orphan
+// (e.g. an earlier run() that crashed without unlinking, or a try/catch that
+// swallowed the release) older than this is presumed dead and reclaimed.
+// 30s mirrors lib/refresh-external.js and lib/prefetch.js; long enough that
+// no legitimate playbook hold reaches it (govern/look/run phases complete
+// well inside one second per playbook), short enough that a wedged process
+// recovers within one CI step rather than the rest of its lifetime.
+const STALE_LOCK_MS = 30_000;
+
 function acquireLock(playbookId) {
   const p = lockFilePath(playbookId);
   if (!p) return null;
@@ -322,6 +331,24 @@ function acquireLock(playbookId) {
           try { fs.unlinkSync(p); } catch {}
           try { writePayload(); return p; } catch { /* fall through */ }
         }
+        // PP P1-1: same-PID stale-lockfile reclaim. If the recorded pid is
+        // ours, the only way to escape an orphaned same-process lockfile is
+        // by mtime. Do NOT blindly reclaim same-PID — legitimate reentrancy
+        // (e.g. nested run() within one process) must still return null so
+        // the caller knows the lock is held. A fresh same-PID lockfile is
+        // reentrancy; one older than STALE_LOCK_MS is an orphan from a
+        // crashed prior hold (or a try/catch that swallowed the release)
+        // and must be reclaimed — otherwise the process can never acquire
+        // this lock again for the rest of its lifetime.
+        if (Number.isInteger(pid) && pid === process.pid) {
+          try {
+            const stat = fs.statSync(p);
+            if (Date.now() - stat.mtimeMs > STALE_LOCK_MS) {
+              try { fs.unlinkSync(p); } catch {}
+              try { writePayload(); return p; } catch { /* fall through */ }
+            }
+          } catch { /* stat failed — treat as held */ }
+        }
       } catch { /* unreadable lockfile — treat as held by a live process */ }
     }
     // Lock genuinely held (or filesystem error). Returning null keeps
@@ -367,6 +394,26 @@ function acquireLockDiagnostic(playbookId) {
           return { ok: false, reason: 'reclaim_failed', error: e2.message, lock_path: p, holder_pid: pid };
         }
       }
+      // PP P1-1: same-PID stale-lockfile reclaim (diagnostic variant). Same
+      // semantics as in acquireLock: a same-process lockfile older than
+      // STALE_LOCK_MS is an orphan and must be reclaimed; a fresher one is
+      // legitimate reentrancy and stays held.
+      if (Number.isInteger(pid) && pid === process.pid) {
+        let mtimeMs = null;
+        try { mtimeMs = fs.statSync(p).mtimeMs; } catch {}
+        if (mtimeMs !== null && (Date.now() - mtimeMs) > STALE_LOCK_MS) {
+          try { fs.unlinkSync(p); } catch {}
+          try {
+            fs.writeFileSync(p,
+              JSON.stringify({ pid: process.pid, started_at: new Date().toISOString(), playbook: playbookId }, null, 2),
+              { flag: 'wx' });
+            return { ok: true, path: p, reclaimed_self_stale_pid: true, prior_mtime_ms: mtimeMs };
+          } catch (e3) {
+            return { ok: false, reason: 'reclaim_failed', error: e3.message, lock_path: p, holder_pid: pid };
+          }
+        }
+        return { ok: false, reason: 'held_by_self', lock_path: p, holder_pid: pid };
+      }
       return { ok: false, reason: 'held_by_live_pid', lock_path: p, holder_pid: pid };
     }
     return { ok: false, reason: 'fs_error', error: e && e.message, lock_path: p };
@@ -1534,7 +1581,7 @@ function close(playbookId, directiveId, analyzeResult, validateResult, agentSign
       return builtFormats.get(format);
     };
     const primaryBody = buildOnce(primaryFormat);
-    // audit CC P2-1: bundles_by_format must always be an object keyed by the
+    // bundles_by_format must always be an object keyed by the
     // primary format, even when no extra formats were requested. Pre-fix it
     // was null in the single-format case, forcing downstream tooling into a
     // `bundles_by_format ?? { [primaryFormat]: bundle_body }` shim in every
@@ -1779,16 +1826,45 @@ function getEngineVersion() {
   return _CACHED_PKG_VERSION;
 }
 
-// audit CC P1-3 / P1-4: operator-supplied identity strings (--operator) and
+// 3 / P1-4: operator-supplied identity strings (--operator) and
 // publisher namespace URLs (--publisher-namespace) flow into operator-facing
 // CSAF surfaces. Strip ASCII control characters as a defence-in-depth pass —
 // bin/exceptd.js already validates the inputs, but the runner is also called
 // from library consumers that may bypass the CLI surface.
+//
+// MM P1-D: extend the strip to Unicode bidi / format / control / surrogate /
+// private-use / unassigned categories (\p{C} under the `u` regex flag) so
+// direct library callers of buildEvidenceBundle cannot smuggle a U+202E
+// "RTL OVERRIDE" or zero-width joiner past the sanitiser the way the CLI
+// already refuses (--operator validation in bin/exceptd.js). NFC-normalise
+// first so a decomposed sequence can't combine past the codepoint check;
+// cap the result at 256 codepoints (NOT UTF-16 code units) so a string of
+// astral-plane codepoints can't smuggle a longer-than-256-display string
+// past the cap by exploiting JavaScript's surrogate-pair string length.
+// Returns null on rejection (empty after strip, or NFC normalise threw);
+// callers (the publisher-namespace + contact_details + tracking.generator
+// sites) treat null as "operator-unclaimed" and route through the existing
+// fallback (publisher.namespace = urn:exceptd:operator:unknown +
+// bundle_publisher_unclaimed runtime warning).
 function sanitizeOperatorText(s) {
   if (typeof s !== 'string') return null;
-  // eslint-disable-next-line no-control-regex
-  const cleaned = s.replace(/[\x00-\x1F\x7F]/g, '').trim();
-  return cleaned.length ? cleaned.slice(0, 256) : null;
+  // NFC first: a Cf codepoint may be expressed as a base + combining mark
+  // that recomposes into the format category under NFC. Normalise so the
+  // strip catches it.
+  let normalised;
+  try { normalised = s.normalize('NFC'); }
+  catch { return null; }
+  // Strip every Unicode codepoint matching General Category C
+  // (Cc, Cf, Cs, Co, Cn). \p{C} under the `u` flag matches all five.
+  const stripped = normalised.replace(/\p{C}/gu, '');
+  const trimmed = stripped.trim();
+  if (trimmed.length === 0) return null;
+  // Cap at 256 codepoints (Array.from counts codepoints, not UTF-16 code
+  // units, so a 256-codepoint astral-plane string isn't silently extended
+  // past the cap by surrogate-pair encoding).
+  const cps = Array.from(trimmed);
+  if (cps.length <= 256) return cps.join('');
+  return cps.slice(0, 256).join('');
 }
 
 function buildEvidenceBundle(format, playbook, analyze, validate, agentSignals, sessionId, issuedAt, runOpts) {
@@ -1829,14 +1905,14 @@ function buildEvidenceBundle(format, playbook, analyze, validate, agentSignals,
     // that lied to downstream NVD / Red Hat dashboards. When
     // live_patch_available is the only signal, status stays known_affected
     // and the live-patch route is surfaced as a `vendor_fix` remediation.
-    // audit CC P1-2: CSAF §3.2.1.2 restricts the `cve` field to the CVE-id
+    // CSAF §3.2.1.2 restricts the `cve` field to the CVE-id
     // regex `^CVE-[0-9]{4}-[0-9]{4,}$`. The catalog also keys non-CVE
     // identifiers off `cve_id` (MAL-2026-3083, GHSA-…, OSV-…); strict
     // validators (BSI CSAF validator, ENISA dashboard) refuse documents that
     // place non-CVE values in `cve`. Branch by prefix and route non-CVE ids
     // to the `ids[]` array with a real `system_name`.
     //
-    // audit CC P2-2: CSAF §3.2.1.5 requires `cvss_v3.vectorString` when a
+    // CSAF §3.2.1.5 requires `cvss_v3.vectorString` when a
     // cvss_v3 score block is emitted. Drop the entire score block when the
     // catalog has no CVSS data (score AND vector both unset); otherwise
     // include version + baseScore + vectorString + baseSeverity from the
@@ -1853,21 +1929,33 @@ function buildEvidenceBundle(format, playbook, analyze, validate, agentSignals,
       if (typeof vec !== 'string') return '3.1';
       const m = vec.match(/^CVSS:(\d+\.\d+)\//);
       if (!m) return '3.1';
-      // CSAF cvss_v3 block only accepts 3.x; if the catalog vector is 2.0 or
-      // 4.0 we still tag the block as the value the catalog declared. Strict
-      // validators that gate cvss_v3 to 3.0/3.1 will reject 2.0/4.0 — but
-      // emitting the wrong version on a 4.0 vector would be worse.
+      // Returns the declared version verbatim. The CALLER is responsible for
+      // gating cvss_v3 emission to 3.0 / 3.1 per CSAF 2.0 schema. 2.0 and
+      // 4.0 vectors are tagged here for diagnostic clarity but never reach
+      // the cvss_v3 block downstream.
       return m[1];
     };
     const csafIdsFor = (id) => {
-      if (typeof id !== 'string' || !id) return { system_name: 'OSV', text: String(id) };
-      if (id.startsWith('GHSA-'))  return { system_name: 'GHSA', text: id };
-      if (id.startsWith('MAL-'))   return { system_name: 'Malicious-Package', text: id };
-      if (id.startsWith('OSV-'))   return { system_name: 'OSV', text: id };
-      if (id.startsWith('SNYK-'))  return { system_name: 'Snyk', text: id };
-      // Fallback: surface the raw value under a generic OSV system_name; any
-      // strict validator will at least know it's not a CVE.
-      return { system_name: 'OSV', text: id };
+      // B: null / undefined / non-string id MUST NOT emit literal
+      // "null" / "undefined" text into the vulnerabilities[] entry. Pre-fix
+      // String(id) coerced both to those literals — strict validators then
+      // rejected the document, and operators saw a phantom "null" CVE in
+      // dashboards. Return null so the caller can skip the entry entirely
+      // and surface a runtime_error for the missing id.
+      if (typeof id !== 'string' || !id) return null;
+      if (id.startsWith('GHSA-'))    return { system_name: 'GHSA', text: id };
+      if (id.startsWith('MAL-'))     return { system_name: 'Malicious-Package', text: id };
+      if (id.startsWith('OSV-'))     return { system_name: 'OSV', text: id };
+      if (id.startsWith('SNYK-'))    return { system_name: 'Snyk', text: id };
+      // A: RUSTSEC advisories carry their own tracking authority
+      // (https://rustsec.org); mis-routing them to system_name 'OSV' loses
+      // the upstream provenance link and confuses downstream ingesters that
+      // resolve by (system_name, text) pair.
+      if (id.startsWith('RUSTSEC-')) return { system_name: 'RUSTSEC', text: id };
+      // B: genuinely-unknown prefix surfaces as `exceptd-unknown`
+      // so downstream ingesters know the authority wasn't recognized — pre-fix
+      // every unknown id was misattributed to OSV.
+      return { system_name: 'exceptd-unknown', text: id };
     };
     const CSAF_CVE_RE = /^CVE-\d{4}-\d{4,}$/;
 
@@ -1879,18 +1967,59 @@ function buildEvidenceBundle(format, playbook, analyze, validate, agentSignals,
           || (c.live_patch_available ? 'Vendor publishes a live-patch — see CVE catalog `live_patch_tools` for the operator-side step.' : 'See selected remediation path.'),
         product_ids: [productId],
       }];
-      // audit CC P2-2: only emit cvss_v3 score block when we have a real
+      // B: catalog entries with a missing / non-string cve_id
+      // pre-fix produced literal `text: "null"` / `text: "undefined"` entries
+      // under ids[]. Skip the vulnerability entry entirely and surface a
+      // runtime_error so the catalog gap is visible to operators / CI gates.
+      const idIsCve = typeof c.cve_id === 'string' && CSAF_CVE_RE.test(c.cve_id);
+      let idEntry = null;
+      if (!idIsCve) {
+        idEntry = csafIdsFor(c.cve_id);
+        if (idEntry == null) {
+          if (Array.isArray(runOpts._runErrors)) {
+            const alreadyMissing = runOpts._runErrors.some(e => e && e.kind === 'bundle_cve_id_missing');
+            if (!alreadyMissing) {
+              runOpts._runErrors.push({
+                kind: 'bundle_cve_id_missing',
+                reason: 'A matched_cves[] entry has no string cve_id (null / undefined / non-string). The CSAF vulnerability entry was omitted to avoid emitting literal "null" / "undefined" text under vulnerabilities[].ids[].',
+                remediation: 'Inspect the CVE catalog feed that produced this match; the upstream record is missing its identifier and should be refreshed or excluded.'
+              });
+            }
+          }
+          return null;
+        }
+      }
+      // only emit cvss_v3 score block when we have a real
       // vector string AND a numeric score. Pre-fix every vuln carried
       // `cvss_v3: { base_score: 0 }` even when the catalog had no CVSS
       // signal — strict validators reject the truncated block, and
       // `base_score: 0` was a downstream-misleading default that suggested
       // an authoritative "informational" score where there was simply no
       // data.
+      //
+      // C: CSAF 2.0 `cvss_v3` ONLY accepts version 3.0 / 3.1.
+      // Catalog vectors prefixed CVSS:2.0/ or CVSS:4.0/ would pre-fix emit a
+      // cvss_v3 block with version: '2.0' / '4.0', which strict validators
+      // (BSI CSAF Validator) reject outright. Drop the block for non-3.x
+      // vectors and surface a runtime_error so operators can see why their
+      // CVSS data didn't make it through.
       const hasCvss = typeof c.cvss_score === 'number' && typeof c.cvss_vector === 'string' && c.cvss_vector.length > 0;
-      const scores = hasCvss ? [{
+      const vectorVersion = hasCvss ? csafCvssVersionFromVector(c.cvss_vector) : null;
+      const cvssV3Eligible = hasCvss && (vectorVersion === '3.0' || vectorVersion === '3.1');
+      if (hasCvss && !cvssV3Eligible && Array.isArray(runOpts._runErrors)) {
+        const alreadyUnsup = runOpts._runErrors.some(e => e && e.kind === 'bundle_cvss_v3_version_unsupported');
+        if (!alreadyUnsup) {
+          runOpts._runErrors.push({
+            kind: 'bundle_cvss_v3_version_unsupported',
+            reason: `Catalog entry carries CVSS vector with version ${vectorVersion}; CSAF 2.0 cvss_v3 block only accepts versions 3.0 / 3.1. The score block was omitted from this vulnerability to keep the document valid against strict CSAF validators.`,
+            remediation: 'Backfill a CVSS 3.1 vector against this CVE in the catalog, or wait for CSAF 2.1 (cvss_v4 support) — exceptd targets CSAF 2.0 today.'
+          });
+        }
+      }
+      const scores = cvssV3Eligible ? [{
         products: [productId],
         cvss_v3: {
-          version: csafCvssVersionFromVector(c.cvss_vector),
+          version: vectorVersion,
           baseScore: c.cvss_score,
           vectorString: c.cvss_vector,
           baseSeverity: csafCvssSeverity(c.cvss_score),
@@ -1902,12 +2031,12 @@ function buildEvidenceBundle(format, playbook, analyze, validate, agentSignals,
         remediations,
         product_status: isFixed ? { fixed: [productId] } : { known_affected: [productId] }
       };
-      // audit CC P1-2: route by id shape.
-      if (CSAF_CVE_RE.test(c.cve_id)) {
+      // route by id shape.
+      if (idIsCve) {
         return { cve: c.cve_id, ...base };
       }
-      return { ids: [csafIdsFor(c.cve_id)], ...base };
-    });
+      return { ids: [idEntry], ...base };
+    }).filter(v => v != null);
     const indicatorVulns = indicatorHits.map(i => ({
       // CSAF `system_name` values land in operator-facing validators; the
       // "exceptd-indicator" pseudo-authority is namespaced enough that NVD /
@@ -1940,7 +2069,7 @@ function buildEvidenceBundle(format, playbook, analyze, validate, agentSignals,
         text: lines.join('\n'),
       };
     });
-    // audit CC P1-3: CSAF §3.1.7.4 publisher.namespace MUST be the trust
+    // CSAF §3.1.7.4 publisher.namespace MUST be the trust
     // anchor of the entity publishing the advisory — the OPERATOR running the
     // scan, not the tool vendor. Pre-fix every CSAF emitted by the runner
     // claimed https://exceptd.com as namespace, falsely attributing
@@ -1967,7 +2096,7 @@ function buildEvidenceBundle(format, playbook, analyze, validate, agentSignals,
       title: 'Publisher namespace not supplied',
       text: 'No --publisher-namespace and no URL-shaped --operator were supplied to this run. CSAF §3.1.7.4 requires the namespace to be the publisher\'s trust anchor — i.e. the OPERATOR running the scan, not the tooling vendor. Re-emit with `--publisher-namespace https://your-org.example` (or a URL-shaped `--operator`) to attribute responsibility for advisory accuracy correctly.'
     }] : [];
-    // audit CC P1-3: ALSO surface the unclaimed-publisher condition through
+    // ALSO surface the unclaimed-publisher condition through
     // the structured runtime_errors[] accumulator so machine-readable
     // consumers (CI gates, dashboards) can branch on it without parsing
     // notes[] prose. The orchestrator's post-close pass folds late-pushed
@@ -1986,7 +2115,7 @@ function buildEvidenceBundle(format, playbook, analyze, validate, agentSignals,
       }
     }
 
-    // audit CC P1-4: thread the validated --operator name into
+    // thread the validated --operator name into
     // tracking.generator (engine identity) AND publisher.contact_details
     // (operator-of-record). engine.version is read from the package once per
     // process. contact_details is omitted when no operator was supplied so
@@ -1998,7 +2127,7 @@ function buildEvidenceBundle(format, playbook, analyze, validate, agentSignals,
     };
     if (operatorClean) publisherBlock.contact_details = operatorClean;
 
-    // audit CC P1-1: CSAF §3.1.11.3.5.1 defines `final` as an immutable
+    // CSAF §3.1.11.3.5.1 defines `final` as an immutable
     // advisory; subsequent re-emits against the same tracking.id are
     // refused by strict validators (BSI CSAF Validator). Runtime detection
     // runs with no operator review loop are inherently revisable, so the
@@ -2028,7 +2157,7 @@ function buildEvidenceBundle(format, playbook, analyze, validate, agentSignals,
           id: `exceptd-${playbook._meta.id}-${sessionId}`,
           status: csafStatus,
           version: playbook._meta.version,
-          // audit CC P1-4: name the engine that emitted the advisory.
+          // name the engine that emitted the advisory.
           // CSAF §3.1.11.3.2 places this under tracking.generator.engine.
           generator: {
             engine: { name: 'exceptd', version: getEngineVersion() },
@@ -2066,7 +2195,7 @@ function buildEvidenceBundle(format, playbook, analyze, validate, agentSignals,
   // render empty fields.
   if (format === 'sarif' || format === 'sarif-2.1.0') {
     const stripNulls = (obj) => Object.fromEntries(Object.entries(obj).filter(([, v]) => v != null));
-    // audit CC P2-6: SARIF rule ids are global within a single sarif-log run.
+    // SARIF rule ids are global within a single sarif-log run.
     // Pre-fix, generic ruleIds like `framework-gap-0` (and shared CVE ids
     // across playbooks) collided when results from multiple playbook runs
     // were merged into one SARIF document — GitHub Code Scanning de-dupes
@@ -2994,6 +3123,10 @@ module.exports = {
   vexFilterFromDoc,
   normalizeSubmission,
   autoDetectPreconditions,
+  // MM P1-D: exposed for tests/audit-vv-trust-fixes.test.js so library-side
+  // direct callers (the fallback path the CLI guard cannot reach) can be
+  // exercised without spawning a CLI subprocess.
+  sanitizeOperatorText,
   // internal helpers exposed for tests
   _resolvedPhase: resolvedPhase,
   _deepMerge: deepMerge,

package/lib/refresh-network.js

@@ -191,7 +191,7 @@ function verifyDetached(publicKeyObj, payload, sigB64) {
   } catch { return false; }
 }
 
-// v0.12.14 (audit F1, F7): CRLF/BOM normalization mirrors lib/verify.js's
+// v0.12.14: CRLF/BOM normalization mirrors lib/verify.js's
 // normalize(). Duplicated here to keep refresh-network free of cross-module
 // runtime deps. ANY change here MUST be mirrored in lib/verify.js +
 // lib/sign.js + scripts/verify-shipped-tarball.js — the four normalize()
@@ -342,7 +342,7 @@ async function main() {
     process.exitCode = 4; return;
   }
 
-  // v0.12.14 (audit F6, F3): verify SHA-512 SRI first (collision-resistant
+  // v0.12.14: verify SHA-512 SRI first (collision-resistant
   // beyond SHA-1 reach), then SHA-1 shasum for compatibility, then dist.
   // signatures[] (npm registry's Ed25519 signing key). Each layer is
   // defense-in-depth — registry compromise that produces a SHA-1 collision
@@ -420,8 +420,13 @@ async function main() {
   const expectedFingerprintPath = path.join(ROOT, "keys", "EXPECTED_FINGERPRINT");
   if (fs.existsSync(expectedFingerprintPath) && !process.env.KEYS_ROTATED) {
     try {
-      const expectedFp = fs.readFileSync(expectedFingerprintPath, "utf8")
-        .split(/\r?\n/).map(l => l.trim()).find(l => l.length > 0);
+      // KK P1-5: route through the shared lib/verify loader so a BOM-prefixed
+      // pin file (Notepad with files.encoding=utf8bom) is tolerated identically
+      // across every verify site. Pre-fix the inline split-trim-find returned
+      // the BOM as part of the first line, which would never match a live
+      // fingerprint and would block every legitimate refresh-network run.
+      const { loadExpectedFingerprintFirstLine } = require("./verify.js");
+      const expectedFp = loadExpectedFingerprintFirstLine(expectedFingerprintPath);
       // v0.12.16 (codex P1 PR #11): `expectedFp` is read verbatim from
       // keys/EXPECTED_FINGERPRINT (formatted as `SHA256:<base64>`), but
       // `fingerprintPublicKey()` returns the raw base64 without the

package/lib/validate-cve-catalog.js

@@ -244,8 +244,8 @@ function additionalChecks(key, entry, ctx) {
   }
 
   // V2 — Cross-catalog reference resolution. Unresolved refs are warnings
-  // for v0.12.x; v0.13.0 will flip to hard failures. Audit D's V2 expansion
-  // (Audit G) extends the walk from cwe_refs only to attack_refs, atlas_refs,
+  // for v0.12.x; v0.13.0 will flip to hard failures. V2 expansion
+  // extends the walk from cwe_refs only to attack_refs, atlas_refs,
   // d3fend_refs, AND framework_control_gaps.
   const REF_FIELDS = [
     { field: 'atlas_refs', set: ctx.atlasKeys, file: 'data/atlas-ttps.json' },

package/lib/verify.js

@@ -362,7 +362,7 @@ function verifyManifestSignature(manifest) {
   if (!publicKey) {
     return { status: 'no-key', reason: 'public key missing at keys/public.pem' };
   }
-  // Audit AA P1-3: consult keys/EXPECTED_FINGERPRINT BEFORE crypto.verify so
+  // consult keys/EXPECTED_FINGERPRINT BEFORE crypto.verify so
   // library callers (refresh-network gate, verify-shipped-tarball gate, tests,
   // downstream consumers via `require("lib/verify")`) cannot bypass the pin.
   // Previously the pin only fired at the CLI tail of `node lib/verify.js`,
@@ -593,16 +593,46 @@ function validateAgainstSchema(value, schema, here, root) {
  * @param {{sha256:string}|null} liveFp  publicKeyFingerprint() output
  * @param {string} [pinPath]             optional override (testability)
  */
+/**
+ * KK P1-5: shared loader for keys/EXPECTED_FINGERPRINT. Reads the pin file,
+ * strips a leading UTF-8 BOM (Notepad with files.encoding=utf8bom would
+ * otherwise prepend U+FEFF and silently break every verify path on the host),
+ * tolerates CRLF line endings, ignores comment lines (`#`) and blanks, and
+ * returns the first non-comment / non-empty line. Returns null if the file
+ * is unreadable / empty.
+ *
+ * Shared across four sites so every loader normalises identically:
+ *   - lib/verify.js              (manifest signature gate)
+ *   - lib/refresh-network.js     (refresh-network pre-swap gate)
+ *   - scripts/verify-shipped-tarball.js (predeploy gate)
+ *   - bin/exceptd.js             (attestation pin)
+ * tests/normalize-contract.test.js asserts byte-identical output across all
+ * four sites under a BOM + CRLF fuzz corpus.
+ */
+function loadExpectedFingerprintFirstLine(pinPath) {
+  let raw;
+  try { raw = fs.readFileSync(pinPath, 'utf8'); }
+  catch { return null; }
+  if (raw.length > 0 && raw.charCodeAt(0) === 0xFEFF) raw = raw.slice(1);
+  const lines = raw
+    .split(/\r?\n/)
+    .map((l) => l.trim())
+    .filter((l) => l.length > 0 && !l.startsWith('#'));
+  return lines[0] || null;
+}
+
 function checkExpectedFingerprint(liveFp, pinPath) {
   const p = pinPath || EXPECTED_FINGERPRINT_PATH;
   if (!fs.existsSync(p)) return { status: 'no-pin' };
   if (!liveFp || typeof liveFp.sha256 !== 'string') {
     return { status: 'mismatch', expected: 'unknown', actual: '(invalid)', rotationOverride: false };
   }
-  const expected = fs.readFileSync(p, 'utf8').trim();
-  // Tolerate trailing comment / whitespace on the same line; the file's
-  // first non-empty line is the canonical fingerprint.
-  const firstLine = expected.split(/\r?\n/).map((l) => l.trim()).find((l) => l.length > 0) || '';
+  // KK P1-5: route through the shared loader so a BOM-prefixed pin file
+  // (Notepad with files.encoding=utf8bom) is tolerated identically across
+  // every verify site. Pre-fix the verbatim split-trim-find produced a
+  // first-line of "SHA256:..." (with leading BOM) that would never equal
+  // a live fingerprint.
+  const firstLine = loadExpectedFingerprintFirstLine(p) || '';
   if (firstLine === liveFp.sha256) return { status: 'match' };
   return {
     status: 'mismatch',
@@ -740,6 +770,7 @@ module.exports = {
   validateAgainstSchema,
   publicKeyFingerprint,
   checkExpectedFingerprint,
+  loadExpectedFingerprintFirstLine,
   canonicalManifestBytes,
   verifyManifestSignature,
   EXPECTED_FINGERPRINT_PATH,