@blamejs/exceptd-skills 0.12.22 → 0.12.24

package/bin/exceptd.js

@@ -58,6 +58,15 @@ const { spawnSync } = require("child_process");
 // (e.g. <somewhere>/node_modules/@blamejs/exceptd-skills).
 const PKG_ROOT = path.resolve(__dirname, "..");
 
+// Centralised exit-code constants + id validators + flag-typo suggester.
+// Replacing the prior bare-numbers + inline-regex pattern with named
+// constants so a new verb cannot regress the exit-code contract by typo,
+// and so the help-text dump (`doctor --exit-codes`) and the runtime
+// behavior share the same source of truth.
+const { EXIT_CODES, listExitCodes } = require(path.join(PKG_ROOT, "lib", "exit-codes.js"));
+const { validateIdComponent } = require(path.join(PKG_ROOT, "lib", "id-validation.js"));
+const { suggestFlag, flagsFor } = require(path.join(PKG_ROOT, "lib", "flag-suggest.js"));
+
 /**
  * Factor the EXPECTED_FINGERPRINT pin check used by
  * the attestation pipeline. Centralizes the policy (compute live SHA-256
@@ -85,14 +94,21 @@ function assertExpectedFingerprint(pubKeyPem) {
   } catch (e) {
     return `EXPECTED_FINGERPRINT check: failed to derive live fingerprint: ${e.message}`;
   }
-  // KK P1-5: route through the shared lib/verify loader so a BOM-prefixed
-  // pin file (Notepad with files.encoding=utf8bom) is tolerated identically
-  // across every verify site. The helper strips leading U+FEFF + ignores
-  // comment lines.
+  // Route through the shared lib/verify loader so a BOM-prefixed pin file
+  // (Notepad with files.encoding=utf8bom) is tolerated identically across
+  // every verify site. The helper strips leading U+FEFF + ignores comment
+  // lines.
   const { loadExpectedFingerprintFirstLine } = require(path.join(PKG_ROOT, "lib", "verify.js"));
   const firstLine = loadExpectedFingerprintFirstLine(pinPath) || "";
   if (firstLine === liveFp) return null;
-  if (process.env.KEYS_ROTATED === "1") return null;
+  if (process.env.KEYS_ROTATED === "1") {
+    process.emitWarning(
+      `EXPECTED_FINGERPRINT mismatch accepted via KEYS_ROTATED=1: live=${liveFp} pin=${firstLine}. ` +
+      `Update keys/EXPECTED_FINGERPRINT to lock the new pin.`,
+      { code: 'EXCEPTD_KEYS_ROTATED_OVERRIDE' }
+    );
+    return null;
+  }
   return (
     `EXPECTED_FINGERPRINT mismatch: live=${liveFp} pin=${firstLine}. ` +
     `If this is an intentional rotation, re-run with KEYS_ROTATED=1 and ` +
@@ -268,9 +284,11 @@ v0.12.0 canonical surface
                              --registry-check       (v0.11.14) opt-in: query npm registry
                                                     for latest published version + days behind
 
-  ci                         One-shot CI gate. Exit codes: 0 PASS, 2 detected/escalate,
-                             3 ran-but-no-evidence, 4 blocked (ok:false),
-                             5 jurisdiction clock started, 1 framework error.
+  ci                         One-shot CI gate. Exit codes: 0 PASS, 1 framework error,
+                             2 detected/escalate, 3 ran-but-no-evidence,
+                             4 blocked (ok:false), 5 jurisdiction clock started.
+                             (Codes 6/7/8/9 surface on attest verify / run /
+                             ai-run / ingest, not ci.)
                              --all | --scope <type> | (auto-detect)
                              --max-rwep <n>         cap below playbook default
                              --block-on-jurisdiction-clock
@@ -346,6 +364,8 @@ Examples:
   exceptd ci --scope code --max-rwep 70             # gate every code playbook
   exceptd ask "I think someone replaced npm packages"   # natural-language route
 
+Unknown verbs exit 2 with a structured ok:false body on stderr.
+
 Full documentation: ${PKG_ROOT}/README.md
 Project rules:      ${PKG_ROOT}/AGENTS.md
 `);
@@ -495,11 +515,9 @@ function main() {
   if (typeof resolver !== "function") {
     // Emit a structured JSON error matching the seven-phase verbs so operators
     // piping through `jq` get one consistent shape across the CLI surface.
-    // R-F8: pre-fix, the structured-JSON stderr write was followed by
-    // process.exit(2) — the v0.11.10 truncation class applied to stderr
-    // just as it does to stdout. Route through emitError() (which uses
-    // exitCode + return per v0.12.14) so the JSON drains, then promote
-    // the exit code to 2 (unknown-command remains a distinct exit class).
+    // emitError() sets exitCode + returns rather than calling process.exit()
+    // so the stderr JSON drains before teardown; promote the exit code to 2
+    // afterwards (unknown-command remains a distinct exit class).
     emitError(`unknown command "${cmd}"`, { hint: "Run `exceptd help` for the list of verbs.", verb: cmd });
     process.exitCode = 2;
     return;
@@ -507,7 +525,7 @@ function main() {
 
   const script = resolver();
   if (!fs.existsSync(script)) {
-    // R-F8: same class — emitError + exitCode rather than stderr + exit().
+    // emitError + exitCode rather than stderr + exit() so the JSON drains.
     emitError(
       `command "${cmd}" not available — expected ${path.relative(PKG_ROOT, script)} in the installed package.`,
       { verb: cmd }
@@ -521,7 +539,7 @@ function main() {
   const finalArgs = ORCHESTRATOR_PASSTHROUGH.has(effectiveCmd) ? [script, effectiveCmd, ...effectiveRest] : [script, ...effectiveRest];
   const res = spawnSync(process.execPath, finalArgs, { stdio: "inherit", cwd: PKG_ROOT });
   if (res.error) {
-    // R-F8: same class — emitError + exitCode.
+    // emitError + exitCode rather than stderr + exit() so the JSON drains.
     emitError(`failed to run ${cmd}: ${res.error.message}`, { verb: cmd });
     process.exitCode = 2;
     return;
@@ -624,7 +642,7 @@ function emitError(msg, extra, pretty) {
 }
 
 /**
- * EE P1-2: shared BOM-tolerant JSON file reader. Windows tools commonly emit
+ * Shared BOM-tolerant JSON file reader. Windows tools commonly emit
  * UTF-8-BOM (EF BB BF) or UTF-16 LE/BE (FF FE / FE FF). The default
  * `fs.readFileSync(path, "utf8")` chokes on the leading 0xFEFF (UTF-8-BOM
  * becomes a literal BOM codepoint that `JSON.parse` refuses) and decodes
@@ -699,7 +717,7 @@ function readEvidence(evidenceFlag) {
   if (stat.size > MAX_EVIDENCE_BYTES) {
     throw new Error(`evidence file too large: ${stat.size} bytes > ${MAX_EVIDENCE_BYTES} byte limit. Reduce the submission or split into multiple playbook runs.`);
   }
-  // EE P1-2: route through readJsonFile() for UTF-8-BOM / UTF-16 tolerance.
+  // Route through readJsonFile() for UTF-8-BOM / UTF-16 tolerance.
   // Windows-tool-emitted JSON commonly carries these markers; the raw "utf8"
   // decode in readFileSync chokes on the leading 0xFEFF.
   return readJsonFile(evidenceFlag);
@@ -710,7 +728,7 @@ function loadRunner() {
 }
 
 /**
- * EE P1-7: detect whether stdin actually has data without blocking.
+ * Detect whether stdin actually has data without blocking.
  *
  * `!process.stdin.isTTY` (the previous heuristic) fires when isTTY is
  * `false`, `undefined`, OR `null`. Test harnesses with custom stdin
@@ -742,13 +760,12 @@ function hasReadableStdin() {
   let st;
   try { st = fs.fstatSync(0); }
   catch {
-    // KK P1-4: fstat failed — tighten the Windows fallback to require
-    // `isTTY === false` STRICTLY (not falsy). Pre-fix `!process.stdin.isTTY`
-    // returned true when isTTY was undefined (Mocha/Jest test harness with
-    // wrapped duplexer on Windows), so the caller called `fs.readFileSync(0)`
-    // and blocked indefinitely waiting on an EOF that never came. The legacy
-    // MSYS-bash piping scenario (R-F3 in v0.12.16) sets isTTY === false on
-    // win32 when piped, so the strict check preserves that working case.
+    // fstat failed — on Windows require `isTTY === false` STRICTLY (not
+    // falsy). A non-strict check returns true when isTTY is undefined (e.g.
+    // Mocha/Jest test harnesses with a wrapped duplexer on Windows), which
+    // causes fs.readFileSync(0) to block indefinitely waiting on an EOF
+    // that never arrives. MSYS-bash piping on win32 sets isTTY === false,
+    // so the strict check still admits genuine piped input.
     if (process.platform === "win32") return process.stdin.isTTY === false;
     return false;
   }
@@ -778,13 +795,11 @@ function hasReadableStdin() {
 }
 
 /**
- * R-F10: ISO-8601 shape regex applied BEFORE Date.parse. Pre-fix, both
- * `attest list --since` and `reattest --since` accepted anything Date.parse
- * could chew on — including bare integers like "99", which JavaScript
- * happily resolves to 1999-12-01T00:00:00Z (Y2K-era millisecond / two-digit
- * year heuristic). Operators got a "valid timestamp" check that silently
- * filtered the wrong years. Now: require an explicit calendar-date shape
- * (YYYY-MM-DD with optional time component) BEFORE handing to Date.parse.
+ * ISO-8601 shape regex applied BEFORE Date.parse for --since flags. Without
+ * the regex check, bare integers like "99" coerce through Date.parse to
+ * 1999-12-01T00:00:00Z (two-digit-year heuristic), silently filtering the
+ * wrong years. Requires an explicit calendar-date shape (YYYY-MM-DD with
+ * optional time component) before handing to Date.parse.
  *
  * Returns null on success; returns the human-facing error message string
  * on failure so the caller can wrap it with its own verb prefix.
@@ -798,7 +813,7 @@ function validateIsoSince(raw) {
 }
 
 /**
- * F5: detect whether a parsed JSON document is plausibly CycloneDX VEX or
+ * Detect whether a parsed JSON document is plausibly CycloneDX VEX or
  * OpenVEX. The runner's vexFilterFromDoc returns Set(0) tolerantly for
  * anything else, which means an operator who passes SARIF / SBOM / CSAF /
  * advisory JSON by mistake gets zero filter + zero feedback. We pre-validate
@@ -820,12 +835,12 @@ function detectVexShape(doc) {
     const isBom = doc.bomFormat === "CycloneDX";
     const specStr = typeof doc.specVersion === "string" ? doc.specVersion : "";
     const hasCyclonedxMarker = isBom || specStr.startsWith("1.");
-    // R-F4: empty vulnerabilities arrays cannot vouch for CycloneDX shape
-    // on their own — `{"bomFormat":"NOT-CycloneDX","vulnerabilities":[]}`
-    // previously passed because `length === 0` always satisfied
+    // Empty vulnerabilities arrays cannot vouch for CycloneDX shape on their
+    // own — `{"bomFormat":"NOT-CycloneDX","vulnerabilities":[]}` would
+    // otherwise pass because `length === 0` trivially satisfies
     // `entriesLookVex`. Require a real CycloneDX marker (bomFormat or
-    // specVersion) when the array is empty; non-empty arrays still pass
-    // when any entry has vex-shaped fields (id / bom-ref / analysis).
+    // specVersion) when the array is empty; non-empty arrays still pass when
+    // any entry has vex-shaped fields (id / bom-ref / analysis).
     if (doc.vulnerabilities.length === 0) {
       if (hasCyclonedxMarker) {
         return { ok: true, detected: "cyclonedx-vex", top_level_keys: keys };
@@ -850,8 +865,8 @@ function detectVexShape(doc) {
   if (doc.document && doc.document.category && String(doc.document.category).startsWith("csaf_")) {
     return { ok: false, detected: "csaf-advisory-not-vex", top_level_keys: keys };
   }
-  // EE P1-1: a CycloneDX SBOM with no `vulnerabilities` key is a legitimate
-  // "0-CVE VEX filter" submission — the operator is asserting nothing here is
+  // A CycloneDX SBOM with no `vulnerabilities` key is a legitimate "0-CVE
+  // VEX filter" submission — the operator is asserting nothing here is
   // exploitable. Accept it as cyclonedx-vex with an empty filter set (the
   // runner's vexFilterFromDoc returns Set(0) for the same shape). Same logic
   // for documents that carry a CycloneDX-flavored specVersion ("1.x") without
@@ -869,6 +884,10 @@ function detectVexShape(doc) {
 }
 
 function firstDirectiveId(runner, playbookId) {
+  // Defense-in-depth: callers that touch this helper directly (test
+  // harnesses, library consumers) still get path-traversal refusal.
+  const r = validateIdComponent(playbookId, "playbook");
+  if (!r.ok) throw new Error(`invalid playbook id (${r.reason}): ${typeof playbookId === "string" ? playbookId.slice(0, 80) : typeof playbookId}`);
   const pb = runner.loadPlaybook(playbookId);
   if (!pb.directives || !pb.directives.length) {
     throw new Error(`Playbook ${playbookId} has no directives.`);
@@ -894,7 +913,9 @@ function dispatchPlaybook(cmd, argv) {
             // gate alongside --signatures. doctor --registry-check + --signatures
             // were already accepted; explicit registration removes the silent
             // "unknown bool flag" surface in parseArgs.
-            "shipped-tarball", "registry-check", "signatures", "currency", "cves", "rfcs"],
+            "shipped-tarball", "registry-check", "signatures", "currency", "cves", "rfcs",
+            // doctor --exit-codes dumps the canonical exit-code table.
+            "exit-codes"],
     multi: ["playbook", "format"],
   });
   // v0.11.2 bug #60: flip defaults to human-readable. JSON via explicit --json
@@ -911,19 +932,111 @@ function dispatchPlaybook(cmd, argv) {
   // Hoist into module-level state so emit() can read it without plumbing.
   global.__exceptdWantJson = args._jsonMode;
   const pretty = !!args.pretty;
+
+  // Flag-typo defense: anything supplied by the operator that isn't on the
+  // verb's allowlist gets a Levenshtein suggestion + immediate refusal.
+  // Pre-fix, `exceptd run --evidnce ev.json` silently absorbed --evidnce as
+  // a boolean flag and produced a cryptic downstream error when the runner
+  // got no evidence. Now: refuse at the dispatcher with the suggested
+  // correct flag so operators see the typo before any side effects run.
+  //
+  // Ignore parser-internal scratch keys (`_jsonMode`, leading-underscore) +
+  // the bare-positional bucket (`_`). REQUIRES_VALUE catches the
+  // value-bearing flags that parsed as boolean true (i.e. the operator
+  // forgot the value).
+  // Value-bearing flags only. Boolean flags (--ack, --latest, --force-replay,
+  // --force-stale, --ci, --pretty, etc.) are intentionally absent because
+  // their `true` parse is the canonical operator intent.
+  const REQUIRES_VALUE = new Set([
+    "evidence", "evidence-dir", "session-id", "operator", "csaf-status",
+    "publisher-namespace", "mode", "scope", "playbook", "phase", "tlp",
+    "against", "since", "bundle-epoch", "attestation-root", "format",
+  ]);
+  const verbAllowlist = flagsFor(cmd);
+  const allowlistSet = new Set(verbAllowlist);
+  // Internal-passthrough flags used by the parser / dispatcher that aren't
+  // in the operator-facing allowlist but must not trigger the typo check.
+  // The allowlist in lib/flag-suggest.js is operator-facing-only — these
+  // are the legacy/internal escape hatches that still need to flow
+  // through without a refusal.
+  const PASSTHROUGH_FLAGS = new Set([
+    "directive", "domain", "phase", "signal-list", "explain",
+    "signatures", "currency", "cves", "rfcs", "shipped-tarball",
+    "human", "json-stdout-only", "max-rwep", "diff-from-latest",
+    "upstream-check", "latest", "force-replay", "flat", "directives",
+    "fix", "session-key", "all", "scope", "playbook",
+  ]);
+  for (const key of Object.keys(args)) {
+    if (key === "_" || key.startsWith("_")) continue;
+    // Per-verb help is universal even when not in the allowlist.
+    if (key === "help" || key === "h") continue;
+    if (PASSTHROUGH_FLAGS.has(key)) {
+      if (REQUIRES_VALUE.has(key) && args[key] === true) {
+        return emitError(
+          `${cmd}: --${key} requires a value.`,
+          { verb: cmd, flag: key },
+          pretty
+        );
+      }
+      continue;
+    }
+    if (allowlistSet.has(key)) {
+      if (REQUIRES_VALUE.has(key) && args[key] === true) {
+        return emitError(
+          `${cmd}: --${key} requires a value.`,
+          { verb: cmd, flag: key },
+          pretty
+        );
+      }
+      continue;
+    }
+    // Refuse only when a close suggestion exists (likely typo). Unknown
+    // flags with no near-match fall through to verb-level handling so a
+    // future addition doesn't require an allowlist edit in this file
+    // before it can ship. The PASSTHROUGH_FLAGS list above plus the
+    // per-verb allowlist in lib/flag-suggest.js together cover every
+    // shipped flag; anything that misses both AND has a typo suggestion
+    // is the case operators benefit from refusing.
+    const suggestion = suggestFlag(key, verbAllowlist);
+    if (suggestion) {
+      return emitError(
+        `unknown flag --${key}`,
+        { verb: cmd, suggested: suggestion },
+        pretty
+      );
+    }
+  }
   const runOpts = {
-    airGap: !!args["air-gap"],
+    // Air-gap can be requested via the explicit flag OR the
+    // EXCEPTD_AIR_GAP=1 environment variable. The env-var path is for
+    // operators who export it once at shell-init time so every subsequent
+    // invocation inherits the disposition without remembering the flag.
+    airGap: !!args["air-gap"] || process.env.EXCEPTD_AIR_GAP === "1",
     forceStale: !!args["force-stale"],
   };
+  // Air-gap advisory (one-time per process). Routed to stderr so JSON
+  // consumers on stdout don't see it. The exceptd CLI does not perform
+  // network egress in air-gap mode, but a host AI driving exceptd may
+  // still call its model API — surface the boundary so operators verify
+  // their agent runtime is offline too.
+  if (runOpts.airGap && !process.env.EXCEPTD_AIR_GAP_NOTICE_SHOWN) {
+    process.stderr.write(
+      `[exceptd] air-gap: exceptd will not perform network egress. Your AI agent may still call its model API; verify your agent runtime is also offline.\n`
+    );
+    process.env.EXCEPTD_AIR_GAP_NOTICE_SHOWN = "1";
+  }
   if (args["session-id"]) {
-    // v0.12.12: --session-id is a filesystem path component (resolves to
+    // --session-id is a filesystem path component (resolves to
     // .exceptd/attestations/<id>/attestation.json). Operator-supplied input
-    // with `..` or path separators escapes the attestation root. Validate
-    // strict allowlist before propagating.
+    // with `..` or path separators escapes the attestation root. Route
+    // through the shared validateIdComponent('session') helper so the regex
+    // + all-dots refusal stay aligned with persistAttestation /
+    // validateSessionIdForRead.
     const sid = args["session-id"];
-    if (typeof sid !== "string" || !/^[A-Za-z0-9._-]{1,64}$/.test(sid)) {
+    const r = validateIdComponent(sid, "session");
+    if (!r.ok) {
       return emitError(
-        "run: --session-id must match /^[A-Za-z0-9._-]{1,64}$/ (alphanumeric, dot, underscore, hyphen; up to 64 chars). Path separators and '..' are rejected.",
+        `run: --session-id ${r.reason}. Path separators and '..' are rejected.`,
         { provided: typeof sid === "string" ? sid.slice(0, 80) : typeof sid },
         pretty
       );
@@ -939,13 +1052,28 @@ function dispatchPlaybook(cmd, argv) {
     if (typeof ar !== "string" || ar.length === 0) {
       return emitError("run: --attestation-root must be a non-empty string.", { provided: typeof ar }, pretty);
     }
-    if (ar.split(/[\\/]/).some(seg => seg === "..")) {
+    const arSegments = ar.split(/[\\/]/);
+    if (arSegments.some(seg => seg === "..")) {
       return emitError(
         "run: --attestation-root must not contain '..' path segments. Pass an absolute path under your home directory or an explicit project-relative path without traversal.",
         { provided: ar.slice(0, 200) },
         pretty
       );
     }
+    // All-dots segments (`.`, `..`, `...`, etc.) all resolve into or above
+    // the intended parent directory, defeating the attestation-root
+    // confinement check. Refuse any non-empty segment that is entirely dots
+    // — the leading-`.` empty segment of an absolute POSIX path is allowed,
+    // and a single `.` mid-path means "this dir" but is collapsed by
+    // path.resolve anyway; explicit refusal is cheaper than reasoning about
+    // every collapsed-equivalent shape.
+    if (arSegments.some(seg => seg.length > 0 && /^\.+$/.test(seg))) {
+      return emitError(
+        "run: --attestation-root path segment cannot consist entirely of dots (rejected: '.', '..', '...', etc.). Pass an absolute path or a project-relative path without traversal.",
+        { provided: ar.slice(0, 200) },
+        pretty
+      );
+    }
     runOpts.attestationRoot = path.resolve(ar);
   }
   if (args["session-key"]) {
@@ -973,12 +1101,12 @@ function dispatchPlaybook(cmd, argv) {
   // service identity. --operator <name> persists into the attestation file
   // for audit-trail accountability.
   //
-  // F9: validate the input. Pre-fix the value flowed into runOpts unchanged,
-  // so an operator could inject newlines / control chars / arbitrary length
-  // into attestation export output (multi-line "operator:" key/value pairs
-  // are a forgery surface — a forged second line could look like a separate
-  // attestation field to a naive parser). Now: strip ASCII control chars
-  // (\x00-\x1F + \x7F), cap length at 256, reject if all-whitespace.
+  // Validate the input. Without this, a value flows into runOpts unchanged
+  // and an operator could inject newlines / control chars / arbitrary
+  // length into attestation export output (multi-line "operator:" key/value
+  // pairs are a forgery surface — a forged second line could look like a
+  // separate attestation field to a naive parser). Strip ASCII control
+  // chars (\x00-\x1F + \x7F), cap length at 256, reject if all-whitespace.
   if (args.operator !== undefined) {
     if (typeof args.operator !== "string") {
       return emitError("run: --operator must be a string.", { provided: typeof args.operator }, pretty);
@@ -1005,8 +1133,8 @@ function dispatchPlaybook(cmd, argv) {
         pretty
       );
     }
-    // EE P1-3: the ASCII-only control-char regex above misses Unicode
-    // categories Cc / Cf / Co / Cn — bidi overrides (U+202E "RTL OVERRIDE"),
+    // The ASCII-only control-char regex above misses Unicode categories
+    // Cc / Cf / Co / Cn — bidi overrides (U+202E "RTL OVERRIDE"),
     // zero-width joiners (U+200B-D), invisible format chars, private-use
     // codepoints, unassigned codepoints. An operator string like
     // "alice‮evilbob" renders as "alicebobevila" in any UI that respects
@@ -1055,15 +1183,15 @@ function dispatchPlaybook(cmd, argv) {
     runOpts.operator = normalized;
   }
 
-  // NN P1-1 / P1-2 / P1-5: --csaf-status and --publisher-namespace shape the
-  // CSAF bundle emitted by phases 5-7. Verbs that don't drive those phases
-  // (brief, plan, govern, direct, look, attest, list-attestations, discover,
-  // doctor, lint, ask, verify-attestation, reattest) never assemble a
-  // bundle, so silently consuming these flags is a UX trap. Refuse on those
-  // verbs so the operator knows the flag was discarded — same pattern as
-  // EE P1-6 closed for --ack. Error message templates and emitError prefixes
-  // use the in-scope `cmd` verb so a brief invocation says "brief:" rather
-  // than misattributing the flag to run.
+  // --csaf-status and --publisher-namespace shape the CSAF bundle emitted by
+  // phases 5-7. Verbs that don't drive those phases (brief, plan, govern,
+  // direct, look, attest, list-attestations, discover, doctor, lint, ask,
+  // verify-attestation, reattest) never assemble a bundle, so silently
+  // consuming these flags is a UX trap. Refuse on those verbs so the
+  // operator knows the flag was discarded — same pattern as --ack. Error
+  // message templates and emitError prefixes use the in-scope `cmd` verb so
+  // a brief invocation says "brief:" rather than misattributing the flag
+  // to run.
   const BUNDLE_FLAG_RELEVANT_VERBS = new Set([
     "run", "ci", "run-all", "ai-run", "ingest",
   ]);
@@ -1143,13 +1271,13 @@ function dispatchPlaybook(cmd, argv) {
   // consent was explicit vs. implicit. AGENTS.md says the AI should surface
   // and wait for ack — this is how the ack gets recorded.
   //
-  // EE P1-6: --ack only makes sense on verbs that drive phases 5-7 (run /
-  // ingest / ai-run / ci / run-all / reattest). Info-only verbs (brief,
-  // plan, govern, direct, look, attest, list-attestations, discover,
-  // doctor, lint, ask, verify-attestation) never consume an attestation
-  // clock — accepting --ack silently here was a UX trap where operators
-  // believed they had recorded consent. Refuse on those verbs so the
-  // operator knows the flag is irrelevant.
+  // --ack only makes sense on verbs that drive phases 5-7 (run / ingest /
+  // ai-run / ci / run-all / reattest). Info-only verbs (brief, plan,
+  // govern, direct, look, attest, list-attestations, discover, doctor,
+  // lint, ask, verify-attestation) never consume an attestation clock —
+  // accepting --ack silently is a UX trap where operators believe they have
+  // recorded consent. Refuse on those verbs so the operator knows the flag
+  // is irrelevant.
   const ACK_RELEVANT_VERBS = new Set([
     "run", "ingest", "ai-run", "ci", "run-all", "reattest",
   ]);
@@ -1206,7 +1334,15 @@ function dispatchPlaybook(cmd, argv) {
         return emitError(`Playbook not found: "${wanted}". ${hint}`, { verb: cmd, wanted, type: "playbook_not_found" }, pretty);
       }
     }
-    emitError(e.message, { verb: cmd }, pretty);
+    // Wrap bare e.message so operators see the verb that triggered the
+    // failure + the next action they can take. Re-running with --pretty
+    // expands the cause for log-scraping; the GitHub-issues pointer lets
+    // operators report reproducible-but-unhandled exceptions.
+    emitError(
+      `${cmd}: internal error (${e && e.message ? e.message : String(e)}). Re-run with --pretty for context; file at https://github.com/blamejs/exceptd-skills/issues if reproducible.`,
+      { verb: cmd },
+      pretty
+    );
   }
 }
 
@@ -1413,19 +1549,50 @@ Exit codes (per-verb, post-run):
   3  Ran-but-no-evidence   All inconclusive AND no --evidence supplied.
   4  Blocked               Result returned ok:false (preflight halt).
   5  CLOCK_STARTED         --block-on-jurisdiction-clock fired.
+  6  TAMPERED              Surfaced by attest verify; sidecar verification failed.
+  7  SESSION_ID_COLLISION  run --session-id duplicate without --force-overwrite.
   8  LOCK_CONTENTION       persistAttestation could not acquire the per-slot
                            attestation lock after the bounded retry budget
                            (~1-2s). Distinct from 1 so callers can retry the
                            operation rather than treat it as a hard failure.
                            Surfaces as body.lock_contention=true,
-                           body.exit_code=8.`,
+                           body.exit_code=8.
+  9  STORAGE_EXHAUSTED     Attestation write hit ENOSPC / EDQUOT / EROFS.
+
+Other operator-facing flags (full list in source; surfaced here for grep):
+  --vex <file>            CycloneDX / OpenVEX disposition filter.
+  --evidence-dir <dir>    Per-playbook submission files.
+  --attestation-root <p>  Override .exceptd/ root for this run.
+  --mode <m>              Investigation mode (self_service | authorized_pentest
+                          | ir_response | ctf | research | compliance_audit).`,
     ingest: `ingest — alias for 'run' matching AGENTS.md terminology.
 
 Flags:
   --domain <id>           Playbook ID (overrides submission.playbook_id).
   --directive <id>        Directive ID (overrides submission.directive_id).
   --evidence <file|->     Submission JSON. May include playbook_id/directive_id.
-  --pretty                Indented JSON output.`,
+  --session-id <id>       Reuse a specific session id (must satisfy
+                          /^[A-Za-z0-9._-]{1,64}$/).
+  --force-overwrite       Override session-id collision refusal.
+  --operator <name>       Bind attestation to a specific identity.
+  --ack                   Explicit operator consent for jurisdiction clock.
+  --attestation-root <p>  Override .exceptd/ root for this ingest.
+  --mode <m>              Investigation mode (self_service | authorized_pentest
+                          | ir_response | ctf | research | compliance_audit).
+  --air-gap               Honor air_gap_alternative paths.
+  --force-stale           Override threat_currency_score<50 gate.
+  --csaf-status <s>       CSAF tracking.status for the close.evidence_package
+                          bundle. One of: draft | interim (default) | final.
+                          'final' commits to CSAF §3.1.11.3.5.1 immutability —
+                          set this only after operator review of the advisory.
+  --publisher-namespace <url>
+                          CSAF document.publisher.namespace (§3.1.7.4). The
+                          operator's organisation URL, NOT the tooling vendor.
+                          Must be an http://… or https://… URL, ≤256 chars.
+  --pretty                Indented JSON output.
+
+Exit codes: 0 PASS, 1 framework, 4 blocked, 7 SESSION_ID_COLLISION,
+8 LOCK_CONTENTION, 9 STORAGE_EXHAUSTED.`,
     reattest: `reattest [<session-id> | --latest] — replay a prior session and diff the evidence_hash.
 
 Args / flags:
@@ -1435,7 +1602,12 @@ Args / flags:
   --since <ISO>           Restrict --latest to attestations after this ISO 8601 timestamp.
   --pretty                Indented JSON output.
 
-Reports: unchanged | drifted | resolved from evidence_hash + classification deltas.`,
+Reports: unchanged | drifted | resolved from evidence_hash + classification deltas.
+
+Exit codes:
+  0  verification succeeded
+  1  generic failure
+  6  TAMPERED (sidecar or signature mismatch on the prior attestation)`,
     "list-attestations": `list-attestations [--playbook <id>] — enumerate prior attestations.
 
 Args / flags:
@@ -1446,26 +1618,38 @@ Lists every attestation under .exceptd/attestations/<session_id>/, sorted
 newest-first, with truncated evidence_hash + capture timestamp + file path.`,
     attest: `attest <subverb> <session-id> — auditor-facing attestation operations.
 
-Subverbs:
+Subverbs (list | show | export | verify | diff):
   attest show <sid>       Emit the full (unredacted) attestation.
   attest list             Inventory every prior attestation under
                           ~/.exceptd/attestations/ (or EXCEPTD_HOME when set).
-                          Filter with --playbook <id> or --since <ISO>. Newest
-                          first; truncated evidence_hash + capture timestamp +
-                          path per entry.
+                          Filter with --playbook <id> or --since <ISO> (must
+                          be a parseable ISO-8601 timestamp). Newest first;
+                          truncated evidence_hash + capture timestamp + path
+                          per entry.
   attest export <sid>     Emit redacted JSON suitable for audit submission.
                           Strips raw artifact values; preserves evidence_hash,
                           signature, classification, RWEP, remediation choice.
-                          --format <csaf|sarif|openvex> wraps the export in the
-                          named envelope (default: redacted JSON).
+                          --format <csaf|csaf-2.0|json> wraps the export
+                          (default: redacted JSON; csaf yields a CSAF 2.0
+                          envelope).
   attest verify <sid>     Verify .sig sidecar against keys/public.pem.
-                          Reports tamper status per attestation file.
+                          Reports tamper status per attestation file. Replay
+                          records (kind=replay) verify under replay_results;
+                          a replay-record tamper raises body.replay_tamper +
+                          warnings[] but does NOT exit non-zero (the audit
+                          trail can be regenerated via reattest).
   attest diff <sid>       Diff <sid> against the most-recent prior attestation
                           for the same playbook, or against --against <other-sid>
                           for an explicit pair. Reports unchanged | drifted |
                           resolved per evidence_hash + classification deltas.
 
-All subverbs honor --pretty for indented JSON output.`,
+All subverbs honor --pretty for indented JSON output.
+
+Exit codes (attest verify):
+  0  verification succeeded
+  1  generic failure
+  6  TAMPERED (sidecar or signature mismatch on an attestation; replay-record
+              tamper warns but exits 0)`,
     discover: `discover — context-aware playbook recommender (v0.11.0).
 
 Replaces: scan + dispatch + recommend.
@@ -1480,7 +1664,11 @@ Flags:
   --json                  Emit JSON (default is human-readable text).
   --pretty                Indented JSON output (implies --json).
 
-Output: context + recommended_playbooks[] + next_steps[].`,
+Output: context + recommended_playbooks[] + next_steps[].
+
+discover always exits 0 (recommendations are informational; absence of a
+match is not a failure). JSON output is the canonical surface — humans see
+a digest by default; pass --json for the structured shape.`,
     doctor: `doctor — one-shot health check (v0.11.0).
 
 Replaces: currency + verify + validate-cves + validate-rfcs + signing-status.
@@ -1520,8 +1708,29 @@ Flags:
   --directive <id>        Specific directive (default: first one).
   --no-stream             Single-shot mode: emit all phases as one JSON doc
                           without reading stdin (uses runner.run directly).
+  --csaf-status <s>       CSAF tracking.status for the close.evidence_package
+                          bundle. One of: draft | interim (default) | final.
+                          'final' commits to CSAF §3.1.11.3.5.1 immutability —
+                          set this only after operator review of the advisory.
+  --publisher-namespace <url>
+                          CSAF document.publisher.namespace (§3.1.7.4). The
+                          operator's organisation URL, NOT the tooling vendor.
+                          Must be an http://… or https://… URL, ≤256 chars.
+  --evidence <file|->     Single-shot mode: pre-supplied submission JSON.
+  --operator <name>       Bind the attestation to a specific identity.
+  --ack                   Mark explicit operator consent (jurisdiction clock).
+  --force-overwrite       Override session-id collision refusal.
+  --session-id <id>       Reuse a specific session id (must satisfy
+                          /^[A-Za-z0-9._-]{1,64}$/).
   --pretty                Indented JSON output (single-shot only).
 
+Exit codes:
+  0  done                  Run completed; emitted {"event":"done","ok":true}.
+  1  framework error       Engine threw or stdin parse failure.
+  3  SESSION_ID_COLLISION  --session-id duplicate; pass --force-overwrite or fresh id.
+  8  LOCK_CONTENTION       Concurrent persistAttestation lock held.
+  9  STORAGE_EXHAUSTED     Disk/quota/RO filesystem on attestation write.
+
 Stdin event grammar (one JSON object per line):
   {"event":"evidence","payload":{"observations":{},"verdict":{}}}
 
@@ -1555,7 +1764,9 @@ Args / flags:
 
 Output: { verb, question, routed_to:[ids], confidence, next_step,
 full_match_list }. Empty match list when no token overlap — surfaces a
-hint pointing at \`exceptd brief --all\` / \`exceptd discover\`.`,
+hint pointing at \`exceptd brief --all\` / \`exceptd discover\`.
+
+ask always exits 0. JSON via --json (default is a one-line digest on TTY).`,
     ci: `ci [--all|--scope <type>] — one-shot CI gate (v0.11.0).
 
 Top-level CI verb. Equivalent to \`run --all --ci\` but with a clean
@@ -1601,6 +1812,9 @@ Exit codes:
                            regulatory clock (NIS2 24h, GDPR 72h, DORA 4h,
                            etc.) and the operator has not acked.
 
+(ci does not persist attestations per-run; exit codes 6/7/8/9 surface on
+\`attest verify\` and on \`run\` / \`ai-run\` / \`ingest\`, not on \`ci\`.)
+
 Output: verb, session_id, playbooks_run, summary{total, detected,
 max_rwep_observed, jurisdiction_clocks_started, verdict, fail_reasons[]},
 results[].`,
@@ -1652,7 +1866,15 @@ Flags: --pretty.`,
 Identical exit-code and output contract as \`run --all\`. Maintained for
 operators who script the verb form rather than the flag.
 
-See \`exceptd run --help\` for the full flag list.`,
+Flags (selected — see \`exceptd run --help\` for the full list):
+  --csaf-status <s>       CSAF tracking.status for per-run close.evidence_package
+                          bundles. One of: draft | interim (default) | final.
+                          'final' commits to CSAF §3.1.11.3.5.1 immutability —
+                          set this only after operator review of the advisory.
+  --publisher-namespace <url>
+                          CSAF document.publisher.namespace (§3.1.7.4). The
+                          operator's organisation URL, NOT the tooling vendor.
+                          Must be an http://… or https://… URL, ≤256 chars.`,
   };
   process.stdout.write((cmds[verb] || `${verb} — no per-verb help available; see \`exceptd help\` for the full list.`) + "\n");
 }
@@ -1683,9 +1905,22 @@ function cmdLint(runner, args, runOpts, pretty) {
   if (!playbookId || !evidencePath) {
     return emitError("lint: usage: exceptd lint <playbook> <evidence-file|->", null, pretty);
   }
+  if (refuseInvalidPlaybookId("lint", playbookId, pretty)) return;
   let pb;
   try { pb = runner.loadPlaybook(playbookId); }
-  catch (e) { return emitError(`lint: ${e.message}`, { playbook: playbookId }, pretty); }
+  catch (e) {
+    // Route the not-found / load-error case through the skill-to-playbook
+    // hint helper so an operator who typed a skill id (kernel-lpe-triage)
+    // gets the same actionable pointer dispatchPlaybook surfaces for cmdRun.
+    const m = e && e.message && e.message.match(/^Playbook not found: ([^\s(]+)/);
+    if (m) {
+      const hint = buildSkillToPlaybookHint(runner, m[1]);
+      if (hint) {
+        return emitError(`lint: Playbook not found: "${m[1]}". ${hint}`, { playbook: playbookId, type: "playbook_not_found" }, pretty);
+      }
+    }
+    return emitError(`lint: ${e.message}`, { playbook: playbookId }, pretty);
+  }
 
   let submission;
   try { submission = readEvidence(evidencePath); }
@@ -1824,6 +2059,7 @@ function cmdBrief(runner, args, runOpts, pretty) {
     return cmdPlan(runner, args, runOpts, pretty);
   }
 
+  if (refuseInvalidPlaybookId("brief", playbookId, pretty)) return;
   const pb = runner.loadPlaybook(playbookId);
   const directiveId = args.directive || (pb.directives[0] && pb.directives[0].id);
 
@@ -1982,6 +2218,41 @@ function validateScopeOrThrow(scope) {
   return scope;
 }
 
+/**
+ * Wrap every operator-controlled loadPlaybook() call so a path-traversal
+ * shaped id (`../../etc/passwd`, `..`, absolute path) is refused at the
+ * dispatcher before the runner ever sees it. Routes through
+ * validateIdComponent('playbook'), which enforces /^[a-z][a-z0-9-]{0,63}$/.
+ * On failure returns the structured emitError shape; on success returns
+ * null so the caller can short-circuit with a single `if (refusal) return refusal;`.
+ */
+function refuseInvalidPlaybookId(verb, playbookId, pretty) {
+  const r = validateIdComponent(playbookId, "playbook");
+  if (!r.ok) {
+    emitError(
+      `${verb}: invalid <playbook> id — ${r.reason}.`,
+      { verb, provided: typeof playbookId === "string" ? playbookId.slice(0, 80) : typeof playbookId },
+      pretty
+    );
+    return true;
+  }
+  return false;
+}
+
+/**
+ * Shared "playbook has no directives" refusal. Six sites in this file
+ * previously hand-rolled the same error string; consolidating means a
+ * future remediation pointer (e.g. "run `exceptd brief <id>` to inspect
+ * the playbook") changes in one place.
+ */
+function refuseNoDirectives(verb, playbookId, pretty) {
+  return emitError(
+    `${verb}: playbook ${playbookId} has no directives. Inspect the playbook with \`exceptd brief ${playbookId}\` or report at https://github.com/blamejs/exceptd-skills/issues.`,
+    { verb, playbook: playbookId },
+    pretty
+  );
+}
+
 function filterPlaybooksByScope(runner, scope) {
   validateScopeOrThrow(scope);
   const ids = runner.listPlaybooks();
@@ -2024,27 +2295,30 @@ function detectScopes() {
 function cmdGovern(runner, args, runOpts, pretty) {
   const playbookId = args._[0];
   if (!playbookId) return emitError("govern: missing <playbookId> positional argument.", null, pretty);
+  if (refuseInvalidPlaybookId("govern", playbookId, pretty)) return;
   const pb = runner.loadPlaybook(playbookId);
   const directiveId = args.directive || (pb.directives[0] && pb.directives[0].id);
-  if (!directiveId) return emitError(`govern: playbook ${playbookId} has no directives.`, null, pretty);
+  if (!directiveId) return refuseNoDirectives("govern", playbookId, pretty);
   emit(runner.govern(playbookId, directiveId, runOpts), pretty);
 }
 
 function cmdDirect(runner, args, pretty) {
   const playbookId = args._[0];
   if (!playbookId) return emitError("direct: missing <playbookId> positional argument.", null, pretty);
+  if (refuseInvalidPlaybookId("direct", playbookId, pretty)) return;
   const pb = runner.loadPlaybook(playbookId);
   const directiveId = args.directive || (pb.directives[0] && pb.directives[0].id);
-  if (!directiveId) return emitError(`direct: playbook ${playbookId} has no directives.`, null, pretty);
+  if (!directiveId) return refuseNoDirectives("direct", playbookId, pretty);
   emit(runner.direct(playbookId, directiveId), pretty);
 }
 
 function cmdLook(runner, args, runOpts, pretty) {
   const playbookId = args._[0];
   if (!playbookId) return emitError("look: missing <playbookId> positional argument.", null, pretty);
+  if (refuseInvalidPlaybookId("look", playbookId, pretty)) return;
   const pb = runner.loadPlaybook(playbookId);
   const directiveId = args.directive || (pb.directives[0] && pb.directives[0].id);
-  if (!directiveId) return emitError(`look: playbook ${playbookId} has no directives.`, null, pretty);
+  if (!directiveId) return refuseNoDirectives("look", playbookId, pretty);
   emit(runner.look(playbookId, directiveId, runOpts), pretty);
 }
 
@@ -2054,13 +2328,12 @@ function cmdRun(runner, args, runOpts, pretty) {
   // Multi-playbook dispatch path. Triggered by --all, --scope <type>, or by
   // a bare `exceptd run` (no positional, no flags) which auto-detects scopes
   // from the cwd.
-  // R-F9: gate on `args.scope !== undefined` rather than `args.scope`
-  // truthy. Pre-fix, `--scope ""` parsed to `args.scope === ""`, which
-  // is falsy — the dispatcher fell through to the auto-detect path and
-  // silently ran whatever scopes happened to match the cwd, masking the
-  // operator's explicit (if malformed) intent. Now: an empty string
-  // reaches validateScopeOrThrow which rejects with the accepted-set
-  // message, matching the rest of the v0.12.15 scope-validation contract.
+  // Gate on `args.scope !== undefined` rather than truthy `args.scope`.
+  // `--scope ""` parses to `args.scope === ""`, which is falsy; a truthy
+  // gate would silently fall through to auto-detect and run whatever
+  // scopes happened to match the cwd, masking the operator's explicit
+  // (if malformed) intent. An empty string reaches validateScopeOrThrow
+  // which rejects with the accepted-set message.
   if (!positional && (args.all || args.scope !== undefined)) {
     let ids;
     if (args.all) {
@@ -2076,16 +2349,32 @@ function cmdRun(runner, args, runOpts, pretty) {
     const ids = scopes.flatMap(s => filterPlaybooksByScope(runner, s));
     const unique = [...new Set(ids)];
     if (unique.length === 0) {
-      return emitError("run: no playbook resolved. Pass <playbookId>, --scope <type>, or --all.", null, pretty);
+      // Surface the auto-detect failure cause so operators see WHY no
+      // playbook was resolved instead of just "nothing matched." Mirrors
+      // detectScopes()' two probes — `.git/` for code, `/proc + os-release`
+      // for system — and enumerates the accepted explicit flags so the
+      // remediation is one line.
+      const hasGit = fs.existsSync(path.join(process.cwd(), ".git"));
+      const hasProc = fs.existsSync("/proc") && fs.existsSync("/etc/os-release");
+      const probes = [];
+      if (!hasGit) probes.push("no .git/ in cwd (code-scope auto-detect skipped)");
+      if (!hasProc) probes.push("no /proc + /etc/os-release (system-scope auto-detect skipped — not a Linux host or under sandbox)");
+      const reason = probes.length ? ` Auto-detect probes: ${probes.join("; ")}.` : "";
+      return emitError(
+        `run: no playbook resolved. Pass <playbookId>, --scope <type> (one of ${JSON.stringify(VALID_SCOPES)}), or --all.${reason}`,
+        { verb: "run", cwd: process.cwd(), detected_scopes: scopes },
+        pretty
+      );
     }
     return cmdRunMulti(runner, unique, args, runOpts, pretty, { trigger: "auto-detect", detected_scopes: scopes });
   }
 
   // Single-playbook path (existing behavior).
   const playbookId = positional;
+  if (refuseInvalidPlaybookId("run", playbookId, pretty)) return;
   const pb = runner.loadPlaybook(playbookId);
   const directiveId = args.directive || (pb.directives[0] && pb.directives[0].id);
-  if (!directiveId) return emitError(`run: playbook ${playbookId} has no directives.`, null, pretty);
+  if (!directiveId) return refuseNoDirectives("run", playbookId, pretty);
 
   // --explain: dry-run that emits the preconditions + artifacts + indicators
   // + signal keys the agent would need to supply, WITHOUT running detect/
@@ -2138,20 +2427,14 @@ function cmdRun(runner, args, runOpts, pretty) {
   // v0.11.1: auto-detect piped stdin. If no --evidence flag and stdin is a
   // pipe, assume `--evidence -`. Operators forgetting the flag previously
   // got a confusing precondition halt; now the common case "just works."
-  // R-F3: use truthy `!process.stdin.isTTY` instead of `=== false`. On
-  // Windows MSYS bash, process.stdin.isTTY is `undefined` for a piped
-  // stream — the strict `=== false` check failed and auto-detect never
-  // fired, making `echo '{...}' | exceptd run <pb>` silently behave like
-  // no-evidence on Windows. cmdAiRun's path (below) already uses the
-  // truthy form, so this brings cmdRun + cmdIngest to parity.
-  //
-  // EE P1-7: use the fstat-probing hasReadableStdin() helper instead of
-  // the raw `!process.stdin.isTTY` truthy check. Test harnesses with
-  // wrapped stdin duplexers (Mocha/Jest, Docker stdin-passthrough) leave
-  // isTTY === undefined but have no data — the raw check fell into
-  // readFileSync(0) and BLOCKED waiting for an EOF that never arrived.
-  // hasReadableStdin() does an fstat() probe first, then falls back to
-  // the truthy check only on Windows (where fstat on a pipe is unreliable).
+  // Use the fstat-probing hasReadableStdin() helper. A raw `!isTTY` check
+  // fires when isTTY is undefined (test harnesses with wrapped duplexers —
+  // Mocha/Jest, Docker stdin-passthrough — leave isTTY === undefined but
+  // never write any bytes), which causes readFileSync(0) to block waiting
+  // on an EOF that never arrives. hasReadableStdin() does an fstat() probe
+  // first, then falls back to a strict isTTY===false check only on Windows
+  // (where fstat on a pipe is unreliable). MSYS-bash on win32 reports
+  // isTTY === false for genuine piped input, so that path still works.
   if (!args.evidence && hasReadableStdin()) {
     args.evidence = "-";
   }
@@ -2187,11 +2470,10 @@ function cmdRun(runner, args, runOpts, pretty) {
   // CVE ID set through to analyze() so matched_cves drops them.
   if (args.vex) {
     let vexDoc;
-    // R-F5: cap --vex file size the same way readEvidence() caps --evidence
-    // (32 MiB — binary mebibytes, i.e. 32 * 1024 * 1024 = 33,554,432 bytes).
-    // Pre-fix, --vex did a raw readFileSync with no size check — an operator
-    // passing a multi-GB file (binary log, JSON bomb, or accident) blocked
-    // the event loop for minutes / OOM'd the process. 32 MiB is well beyond
+    // Cap --vex file size at 32 MiB (binary mebibytes, i.e. 32 * 1024 * 1024
+    // = 33,554,432 bytes), matching readEvidence()'s --evidence cap. Without
+    // the cap, a multi-GB file (binary log, JSON bomb, or accident) blocks
+    // the event loop for minutes / OOM's the process. 32 MiB is well beyond
     // any legitimate VEX submission.
     const MAX_VEX_BYTES = 32 * 1024 * 1024;
     let vstat;
@@ -2200,7 +2482,7 @@ function cmdRun(runner, args, runOpts, pretty) {
       return emitError(`run: failed to stat --vex ${args.vex}: ${e.message}`, null, pretty);
     }
     if (vstat.size > MAX_VEX_BYTES) {
-      // EE P1-4: error message names the binary mebi convention explicitly so
+      // Error message names the binary mebi convention explicitly so
       // operators don't mistake the cap for 32 * 10^6 = 32,000,000 bytes (MB).
       return emitError(
         `run: --vex file too large: ${vstat.size} bytes exceeds 32 MiB limit (${MAX_VEX_BYTES.toLocaleString("en-US")} bytes). Reduce the document or split into multiple passes.`,
@@ -2209,14 +2491,14 @@ function cmdRun(runner, args, runOpts, pretty) {
       );
     }
     try {
-      // EE P1-2: BOM-tolerant read. Windows-tool-emitted CycloneDX commonly
-      // carries UTF-8-BOM or UTF-16 LE/BE markers; the raw "utf8" decode in
+      // BOM-tolerant read. Windows-tool-emitted CycloneDX commonly carries
+      // UTF-8-BOM or UTF-16 LE/BE markers; the raw "utf8" decode in
       // readFileSync chokes on the leading 0xFEFF.
       vexDoc = readJsonFile(args.vex);
     } catch (e) {
       return emitError(`run: failed to load --vex ${args.vex}: ${e.message}`, null, pretty);
     }
-    // F5: validate the VEX shape BEFORE handing to runner.vexFilterFromDoc.
+    // Validate the VEX shape BEFORE handing to runner.vexFilterFromDoc.
     // The runner tolerantly returns Set(0) for anything that's not CycloneDX
     // or OpenVEX shape, so an operator who passes a SARIF / SBOM / CSAF
     // advisory by mistake got ZERO filter applied and ZERO feedback. Now:
@@ -2234,15 +2516,13 @@ function cmdRun(runner, args, runOpts, pretty) {
       const vexSet = runner.vexFilterFromDoc(vexDoc);
       submission.signals = submission.signals || {};
       submission.signals.vex_filter = [...vexSet];
-      // BB P1-3: vexFilterFromDoc attaches a `.fixed` Set as an own property
-      // on the returned filter Set (CycloneDX `analysis.state: 'resolved'`
-      // + OpenVEX `status: 'fixed'` go into this set). Without forwarding it
-      // through to signals.vex_fixed, analyze() never receives the fixed-
-      // disposition CVE ids — `vexFixed` stays null, `vex_status: 'fixed'`
-      // never gets annotated onto matched_cves entries, and CSAF
-      // product_status.fixed + OpenVEX status:'fixed' are unreachable from
-      // the CLI. The bundle-correctness tests only exercised the analyze()
-      // direct-call path with vex_fixed pre-injected, hiding this regression.
+      // vexFilterFromDoc attaches a `.fixed` Set as an own property on the
+      // returned filter Set (CycloneDX `analysis.state: 'resolved'` + OpenVEX
+      // `status: 'fixed'` populate it). Forward it through to
+      // signals.vex_fixed so analyze() receives the fixed-disposition CVE
+      // ids, `vex_status: 'fixed'` annotates matched_cves entries, and CSAF
+      // product_status.fixed + OpenVEX status:'fixed' propagate into the
+      // bundle.
       submission.signals.vex_fixed = vexSet.fixed ? [...vexSet.fixed] : [];
     } catch (e) {
       return emitError(`run: failed to apply --vex ${args.vex}: ${e.message}`, null, pretty);
@@ -2281,14 +2561,14 @@ function cmdRun(runner, args, runOpts, pretty) {
   // ack state by that name (`result.ack` is shorter + matches the CLI flag).
   if (result && runOpts.operator) result.operator = runOpts.operator;
 
-  // EE P1-6: --ack consent only counts when a jurisdiction clock is actually
-  // at stake — i.e. the run produced classification=detected (a real finding
+  // --ack consent only counts when a jurisdiction clock is actually at
+  // stake — i.e. the run produced classification=detected (a real finding
   // that may trigger NIS2 24h / DORA 4h / GDPR 72h obligations). On a
-  // not-detected or inconclusive run, persisting the consent silently was
-  // misleading: the attestation file recorded operator acknowledgement of
-  // a clock that never started. Now: surface the ack state in the run body
-  // either way so operators see what happened, but only persist
-  // `operator_consent` into the attestation when classification === detected.
+  // not-detected or inconclusive run, persisting the consent would record
+  // operator acknowledgement of a clock that never started. Surface the
+  // ack state in the run body either way so operators see what happened,
+  // but only persist `operator_consent` into the attestation when
+  // classification === detected.
   const detectClassification = result && result.phases && result.phases.detect
     ? result.phases.detect.classification
     : null;
@@ -2313,7 +2593,7 @@ function cmdRun(runner, args, runOpts, pretty) {
       directiveId: result.directive_id,
       evidenceHash: result.evidence_hash,
       operator: runOpts.operator,
-      // EE P1-6: gate consent persistence on classification=detected.
+      // Gate consent persistence on classification=detected.
       operatorConsent: consentApplies ? runOpts.operator_consent : null,
       submission,
       runOpts,
@@ -2322,31 +2602,34 @@ function cmdRun(runner, args, runOpts, pretty) {
     });
     if (!persistResult.ok) {
       // Session-id collision without --force-overwrite, OR --force-overwrite
-      // lost the lockfile race. Refuse, surface the existing path so the
-      // operator can decide, emit JSON to stderr matching the unified error
-      // shape. Exit non-zero — a silent overwrite is a tamper-evidence
-      // violation. v0.12.14: exitCode + return instead of process.exit so
-      // the stderr line drains under piped CI consumers.
-      //
-      // When persistAttestation lost the lockfile race it pinned
-      // process.exitCode = 8 (LOCK_CONTENTION) before returning. Don't
-      // overwrite that with 3 — preserve the exit-8 contract callers depend
-      // on to distinguish lock-busy from collision.
+      // lost the lockfile race, OR the filesystem refused the write (full
+      // disk, quota, read-only). Three distinct exit-code classes:
+      //   8  LOCK_CONTENTION       — retry from the outside (transient)
+      //   9  STORAGE_EXHAUSTED     — disk/quota/RO — operator-side infra fix
+      //   7  SESSION_ID_COLLISION  — pass --force-overwrite or fresh id
+      // Route through emitError() shape so the body goes to stderr and exit
+      // codes propagate via the emit() contract.
       const err = {
         ok: false,
         error: persistResult.error,
         existing_attestation: persistResult.existingPath,
-        hint: "Pass --force-overwrite to replace, or supply a fresh --session-id (omit the flag for an auto-generated hex).",
+        hint: persistResult.storage_exhausted
+          ? "Free disk space, lift quota, or remount the attestation root read-write; then retry."
+          : "Pass --force-overwrite to replace, or supply a fresh --session-id (omit the flag for an auto-generated hex).",
         verb: "run",
       };
       if (persistResult.lock_contention) {
         err.lock_contention = true;
-        err.exit_code = 8;
+        err.exit_code = EXIT_CODES.LOCK_CONTENTION;
       }
-      process.stderr.write(JSON.stringify(err) + "\n");
-      if (!persistResult.lock_contention) {
-        process.exitCode = 3;
+      if (persistResult.storage_exhausted) {
+        err.storage_exhausted = true;
+        err.exit_code = EXIT_CODES.STORAGE_EXHAUSTED;
       }
+      emitError(persistResult.error, err, pretty);
+      if (persistResult.lock_contention) process.exitCode = EXIT_CODES.LOCK_CONTENTION;
+      else if (persistResult.storage_exhausted) process.exitCode = EXIT_CODES.STORAGE_EXHAUSTED;
+      else process.exitCode = EXIT_CODES.SESSION_ID_COLLISION;
       return;
     }
     if (persistResult.prior_session_id) {
@@ -2360,14 +2643,13 @@ function cmdRun(runner, args, runOpts, pretty) {
   }
 
   if (result && result.ok === false) {
-    // F19: align preflight-halt exit code between `run --ci` and `ci`.
-    // Pre-fix `run --ci` exited 1 (FRAMEWORK_ERROR) while `ci` on the same
-    // halt exited 4 (BLOCKED). Now both use 4 when --ci is in effect, so
-    // operators can wire one set of exit-code expectations regardless of
-    // which verb they call. Without --ci the legacy exit 1 is preserved
-    // (ok:false bodies are framework signals when no CI gating is asked for).
+    // Align preflight-halt exit code between `run --ci` and `ci`: both use
+    // 4 (BLOCKED) when --ci is in effect so operators can wire one set of
+    // exit-code expectations regardless of which verb they call. Without
+    // --ci the legacy exit 1 is preserved (ok:false bodies are framework
+    // signals when no CI gating is requested).
     process.stderr.write((pretty ? JSON.stringify(result, null, 2) : JSON.stringify(result)) + "\n");
-    process.exitCode = args.ci ? 4 : 1;
+    process.exitCode = args.ci ? EXIT_CODES.BLOCKED : EXIT_CODES.GENERIC_FAILURE;
     return;
   }
 
@@ -2388,11 +2670,11 @@ function cmdRun(runner, args, runOpts, pretty) {
       result.strict_preconditions_violated = warnIssues.map(i => ({
         id: i.id, kind: i.kind, message: i.message || null, on_fail: i.on_fail || null,
       }));
-      process.stderr.write(`[exceptd run] --strict-preconditions: ${warnIssues.length} unverified/warn precondition(s) — exit 1.\n`);
+      process.stderr.write(`[exceptd run] --strict-preconditions: ${warnIssues.length} unverified/warn precondition(s) — exit ${EXIT_CODES.GENERIC_FAILURE}.\n`);
       emit(result, pretty);
       // v0.11.11: exitCode + return so emit()'s stdout flushes (process.exit
       // can truncate buffered async stdout writes when piped).
-      process.exitCode = 1;
+      process.exitCode = EXIT_CODES.GENERIC_FAILURE;
       return;
     }
   }
@@ -2430,9 +2712,9 @@ function cmdRun(runner, args, runOpts, pretty) {
       const refs = startedClocks
         .map(n => `${n.obligation_ref || n.jurisdiction || "?"}@${n.clock_started_at}`)
         .join("; ");
-      process.stderr.write(`[exceptd run --block-on-jurisdiction-clock] CLOCK_STARTED: ${startedClocks.length} jurisdiction clock(s) running and unacked: ${refs}. Exit 5.\n`);
+      process.stderr.write(`[exceptd run --block-on-jurisdiction-clock] CLOCK_STARTED: ${startedClocks.length} jurisdiction clock(s) running and unacked: ${refs}. Exit ${EXIT_CODES.JURISDICTION_CLOCK_STARTED}.\n`);
       emit(result, pretty);
-      process.exitCode = 5;
+      process.exitCode = EXIT_CODES.JURISDICTION_CLOCK_STARTED;
       return;
     }
   }
@@ -2469,12 +2751,12 @@ function cmdRun(runner, args, runOpts, pretty) {
     // under piped consumers (CI runners, jq, test harnesses).
     if (classification === "detected") {
       process.stderr.write(`[exceptd run --ci] FAIL: classification=detected rwep=${adjusted} threshold=${threshold}\n`);
-      process.exitCode = 2;
+      process.exitCode = EXIT_CODES.DETECTED_ESCALATE;
       return;
     }
     if (classification === "inconclusive" && escalate) {
       process.stderr.write(`[exceptd run --ci] FAIL: classification=inconclusive AND rwep=${adjusted} >= threshold=${threshold}\n`);
-      process.exitCode = 2;
+      process.exitCode = EXIT_CODES.DETECTED_ESCALATE;
       return;
     }
     if (classification === "inconclusive") {
@@ -2573,9 +2855,10 @@ function cmdRun(runner, args, runOpts, pretty) {
     const top = rwep?.threshold?.escalate ?? "n/a";
     const verdictIcon = cls === "detected" ? "[!! DETECTED]" : cls === "inconclusive" ? "[i  INCONCLUSIVE]" : "[ok]";
     lines.push(`\n${verdictIcon}  classification=${cls}  RWEP ${adj}/${top}${adj !== base ? ` (Δ${adj - base} from operator evidence)` : " (catalog baseline)"}  blast_radius=${obj.phases?.analyze?.blast_radius_score ?? "n/a"}/5`);
-    // F11: surface --diff-from-latest verdict in the human renderer. Pre-fix
-    // operators had to add --json to see whether the run drifted from the
-    // previous attestation. Now one summary line follows the classification.
+    // F11: surface --diff-from-latest verdict in the human renderer so
+    // operators see whether the run drifted from the previous attestation
+    // without adding --json. One summary line follows the classification.
+    // Marker text is grep-matched by tests/audit-i-l-m-fixes.test.js F11.
     // - unchanged: same evidence_hash as prior → reassuring single line.
     // - drifted: evidence differs → loud DRIFTED marker.
     // - no_prior_attestation_for_playbook: no line — don't clutter the
@@ -2653,7 +2936,7 @@ function cmdRun(runner, args, runOpts, pretty) {
  * inconclusive findings + visibility gaps) when no --evidence is given.
  */
 /**
- * F13: collapse per-playbook notification_actions into a deduped rollup.
+ * Collapse per-playbook notification_actions into a deduped rollup.
  * Multi-playbook runs frequently surface the same jurisdiction clock from
  * 5-10 contributing playbooks (every EU-touching playbook starts a fresh
  * NIS2 Art.23 24h clock). Operators were drafting one notification per
@@ -2688,12 +2971,11 @@ function buildJurisdictionClockRollup(results) {
           existing.deadline = n.deadline;
         }
       } else {
-        // R-F11: emit `obligation` (the field name the CHANGELOG v0.12.16
-        // entry promised) AND retain `obligation_ref` as a kept-name alias
+        // Emit `obligation` and retain `obligation_ref` as a kept-name alias
         // for any consumer that already parses the older shape. The dedupe
         // key still keys on n.obligation_ref since that's the field
         // notification-action stubs carry; the rollup body just exposes
-        // both names so the documented contract is truthful.
+        // both names.
         const obligation = n.obligation_ref || null;
         m.set(key, {
           jurisdiction: n.jurisdiction || null,
@@ -2740,20 +3022,30 @@ function cmdRunMulti(runner, ids, args, runOpts, pretty, meta) {
     // symlink/junction inside the dir, but the filter is cheap.
     for (const f of fs.readdirSync(dir).filter(x => x.endsWith(".json"))) {
       const pbId = f.replace(/\.json$/, "");
-      if (!/^[A-Za-z0-9_.-]+$/.test(pbId)) {
-        return emitError(`run: --evidence-dir entry ${JSON.stringify(f)} has unsafe playbook-id segment.`, null, pretty);
+      // Reuse the shared playbook-id validator so the --evidence-dir entry
+      // filter agrees with the runtime playbook-id allowlist. Previously
+      // accepted dots / underscores / uppercase that no real playbook id
+      // uses, which would silently absorb a typo'd filename as a "valid"
+      // entry that loadPlaybook then refused mid-loop.
+      const pbCheck = validateIdComponent(pbId, "playbook");
+      if (!pbCheck.ok) {
+        return emitError(
+          `run: --evidence-dir entry ${JSON.stringify(f)} has invalid playbook-id segment (${pbCheck.reason}).`,
+          { entry: f, expected_shape: "<playbook-id>.json (lowercase, starts with letter, no dots)" },
+          pretty
+        );
       }
       const entryPath = path.resolve(path.join(resolvedDir, f));
       if (!entryPath.startsWith(resolvedDir + path.sep)) {
         return emitError(`run: --evidence-dir entry ${f} resolves outside the directory; refusing.`, null, pretty);
       }
-      // R-F12: the path.resolve check above only catches `..` traversal in
-      // the joined path; fs.readFileSync(entryPath) still follows symlinks,
-      // so a `<pb-id>.json -> /etc/shadow` symlink inside the dir would
-      // happily slurp the target. lstat is symlink-aware (it does NOT
-      // follow); refuse anything that's not a regular file. Defense in
-      // depth on top of the readdir filter — a junction (Windows) or
-      // bind-mount can shape-shift in between filter and read.
+      // The path.resolve check above only catches `..` traversal in the
+      // joined path; fs.readFileSync(entryPath) still follows symlinks, so
+      // a `<pb-id>.json -> /etc/shadow` symlink inside the dir would happily
+      // slurp the target. lstat is symlink-aware (it does NOT follow);
+      // refuse anything that's not a regular file. Defense in depth on top
+      // of the readdir filter — a junction (Windows) or bind-mount can
+      // shape-shift in between filter and read.
       let lst;
       try { lst = fs.lstatSync(entryPath); }
       catch (e) {
@@ -2765,9 +3057,9 @@ function cmdRunMulti(runner, ids, args, runOpts, pretty, meta) {
       if (!lst.isFile()) {
         return emitError(`run: --evidence-dir entry ${f} is not a regular file; refusing.`, { entry: f }, pretty);
       }
-      // EE P1-5: Windows directory junctions are reparse-point dirs that
+      // Windows directory junctions are reparse-point dirs that
       // `lstat().isSymbolicLink()` returns FALSE for (Node treats them as
-      // ordinary directories). They bypass the symlink refusal above. Use
+      // ordinary directories), bypassing the symlink refusal above. Use
       // realpathSync to resolve the entry and confirm it still lives under
       // the resolved evidence-dir — the realpath approach is portable
       // (catches POSIX symlinks too, defense in depth) and works regardless
@@ -2784,10 +3076,10 @@ function cmdRunMulti(runner, ids, args, runOpts, pretty, meta) {
           pretty
         );
       }
-      // EE P1-5 (hardlink defense in depth): no clean cross-platform refusal
-      // exists — hardlinks are indistinguishable from regular files at the
-      // inode level. Surface a stderr warning when nlink > 1 so the operator
-      // is aware a second name may point at the same file. Not a refusal —
+      // Hardlink defense in depth: no clean cross-platform refusal exists —
+      // hardlinks are indistinguishable from regular files at the inode
+      // level. Surface a stderr warning when nlink > 1 so the operator is
+      // aware a second name may point at the same file. Not a refusal —
       // legitimate use cases (atomic rename, package-manager dedup) produce
       // nlink > 1 without malicious intent.
       if (lst.nlink > 1) {
@@ -2803,10 +3095,19 @@ function cmdRunMulti(runner, ids, args, runOpts, pretty, meta) {
 
   const results = [];
   for (const id of ids) {
+    // Defense-in-depth: ids come from listPlaybooks() / filterPlaybooksByScope
+    // (which read trusted catalog data), but threading every id through
+    // validateIdComponent('playbook') means a corrupt catalog cannot
+    // path-traverse via this loop either.
+    const r = validateIdComponent(id, "playbook");
+    if (!r.ok) {
+      results.push({ playbook_id: id, ok: false, error: `invalid playbook id (${r.reason})` });
+      continue;
+    }
     const pb = runner.loadPlaybook(id);
     const directiveId = args.directive || (pb.directives[0] && pb.directives[0].id);
     if (!directiveId) {
-      results.push({ playbook_id: id, ok: false, error: "no directives" });
+      results.push({ playbook_id: id, ok: false, error: `playbook ${id} has no directives` });
       continue;
     }
     const submission = bundle[id] || {};
@@ -2815,16 +3116,13 @@ function cmdRunMulti(runner, ids, args, runOpts, pretty, meta) {
 
     const result = runner.run(id, directiveId, submission, perRunOpts);
 
-    // NN P1-4: mirror the cmdRun consent gate (EE P1-6). --ack consent only
-    // counts when a jurisdiction clock is actually at stake on THIS
-    // playbook's verdict — i.e. its detect.classification === 'detected'.
-    // Pre-fix cmdRunMulti passed `perRunOpts.operator_consent` for every
-    // playbook in the iteration regardless of that playbook's individual
-    // classification, so a single --ack on a run-all invocation persisted
-    // explicit consent into attestations whose run never started a clock.
-    // Now: per-playbook gating with the same `ack_skipped_reason` surface
-    // cmdRun emits, so consumers see exactly which playbooks consumed the
-    // ack and which didn't.
+    // Per-playbook --ack gating: consent only counts when a jurisdiction
+    // clock is actually at stake on THIS playbook's verdict — i.e. its
+    // detect.classification === 'detected'. Without this gate, a single
+    // --ack on a run-all invocation would persist explicit consent into
+    // every playbook's attestation regardless of whether that playbook's
+    // run started a clock. The `ack_skipped_reason` surface mirrors cmdRun
+    // so consumers see exactly which playbooks consumed the ack.
     const perDetectClassification = result && result.phases && result.phases.detect
       ? result.phases.detect.classification
       : null;
@@ -2849,8 +3147,8 @@ function cmdRunMulti(runner, ids, args, runOpts, pretty, meta) {
         directiveId,
         evidenceHash: result.evidence_hash,
         operator: perRunOpts.operator,
-        // NN P1-4: gate consent persistence on this playbook's
-        // classification, not on the aggregate run's --ack presence.
+        // Gate consent persistence on this playbook's classification, not
+        // on the aggregate run's --ack presence.
         operatorConsent: perConsentApplies ? perRunOpts.operator_consent : null,
         submission,
         runOpts: perRunOpts,
@@ -2860,8 +3158,19 @@ function cmdRunMulti(runner, ids, args, runOpts, pretty, meta) {
       if (!persisted.ok) {
         // Multi-run collision: don't abort the whole bundle; surface in the
         // per-playbook result so the operator can see exactly which
-        // playbook's attestation refused to overwrite.
+        // playbook's attestation refused to overwrite. Propagate
+        // lock_contention / storage_exhausted / exit_code so the aggregate
+        // exit-code gate below picks the right top-level code (8 / 9 /
+        // 7 / 1) instead of collapsing every persist failure to 1.
         result.attestation_persist = { ok: false, error: persisted.error };
+        if (persisted.lock_contention) {
+          result.attestation_persist.lock_contention = true;
+          result.attestation_persist.exit_code = EXIT_CODES.LOCK_CONTENTION;
+        }
+        if (persisted.storage_exhausted) {
+          result.attestation_persist.storage_exhausted = true;
+          result.attestation_persist.exit_code = EXIT_CODES.STORAGE_EXHAUSTED;
+        }
       } else if (persisted.prior_session_id) {
         result.attestation_persist = { ok: true, prior_session_id: persisted.prior_session_id, overwrote_at: persisted.overwrote_at };
       }
@@ -2869,12 +3178,12 @@ function cmdRunMulti(runner, ids, args, runOpts, pretty, meta) {
     results.push(result);
   }
 
-  // F13: dedupe jurisdiction-clock notification actions across all playbook
-  // results into a single rollup. Pre-fix a 13-playbook multi-run with 8
-  // contributors of "EU NIS2 Art.23 24h" produced 8 separate entries, so
-  // operators drafted 8 NIS2 notifications when one was sufficient. Per-
-  // playbook entries are preserved on individual results; this rollup is
-  // additive — keyed on (jurisdiction, regulation, obligation_ref,
+  // Dedupe jurisdiction-clock notification actions across all playbook
+  // results into a single rollup. Without this, a 13-playbook multi-run
+  // with 8 contributors of "EU NIS2 Art.23 24h" produces 8 separate
+  // entries and operators draft 8 NIS2 notifications when one suffices.
+  // Per-playbook entries are preserved on individual results; this rollup
+  // is additive — keyed on (jurisdiction, regulation, obligation_ref,
   // window_hours) — with a triggered_by_playbooks[] list so operators see
   // which playbooks contributed.
   const jurisdictionClockRollup = buildJurisdictionClockRollup(results);
@@ -2900,27 +3209,33 @@ function cmdRunMulti(runner, ids, args, runOpts, pretty, meta) {
   // the body but exit code stayed 0 — CI gates couldn't distinguish "ran
   // clean" from "blocked." v0.12.8: use exitCode (not process.exit()) so
   // the aggregate JSON emitted above is allowed to fully drain.
+  //
+  // Aggregate exit-code precedence: LOCK_CONTENTION > STORAGE_EXHAUSTED >
+  // BLOCKED. Lock contention is transient (retry-from-outside fixes it);
+  // storage exhaustion is an infra event requiring operator action;
+  // ok:false in a per-playbook result is the BLOCKED case. Surfacing the
+  // most-specific code first means a CI gate can branch on the right
+  // remediation without parsing the body.
+  const anyLockBusy = results.some(r => r.attestation_persist && r.attestation_persist.lock_contention === true);
+  const anyStorageExhausted = results.some(r => r.attestation_persist && r.attestation_persist.storage_exhausted === true);
   const anyBlocked = results.some(r => r.ok === false);
-  if (anyBlocked) { process.exitCode = 1; return; }
+  if (anyLockBusy) { process.exitCode = EXIT_CODES.LOCK_CONTENTION; return; }
+  if (anyStorageExhausted) { process.exitCode = EXIT_CODES.STORAGE_EXHAUSTED; return; }
+  if (anyBlocked) { process.exitCode = EXIT_CODES.GENERIC_FAILURE; return; }
 }
 
 function cmdIngest(runner, args, runOpts, pretty) {
   // `ingest` matches the AGENTS.md ingest contract. The submission JSON may
   // carry playbook_id + directive_id; --domain/--directive flags override.
   let submission = {};
-  // F4: auto-detect piped stdin (parity with cmdRun). Without this,
-  // `echo '{...}' | exceptd ingest` failed with "no playbook resolved"
-  // because args.evidence stayed undefined and the routing JSON never got
-  // read. Mirrors the cmdRun behavior at line 1614.
-  // R-F3: use truthy `!process.stdin.isTTY` rather than `=== false`. On
-  // Windows MSYS bash, isTTY is `undefined` for piped streams — the
-  // strict `=== false` check failed and ingest silently treated the
-  // routing JSON as absent. CHANGELOG v0.12.16 F4 ("cmdIngest auto-
-  // detects piped stdin") was a no-op on Windows pre-fix.
-  //
-  // EE P1-7: route through hasReadableStdin() — see cmdRun for rationale.
-  // Wrapped-stdin test harnesses (Mocha/Jest, Docker stdin-passthrough)
-  // would otherwise block here forever on the readFileSync(0) call.
+  // Auto-detect piped stdin (parity with cmdRun) so
+  // `echo '{...}' | exceptd ingest` reads the routing JSON instead of
+  // failing with "no playbook resolved" because args.evidence stays
+  // undefined.
+  // Route stdin auto-detection through hasReadableStdin() (see cmdRun for
+  // rationale). Wrapped-stdin test harnesses (Mocha/Jest, Docker
+  // stdin-passthrough) would otherwise block here forever on the
+  // readFileSync(0) call when isTTY === undefined.
   if (!args.evidence && hasReadableStdin()) {
     args.evidence = "-";
   }
@@ -2933,11 +3248,12 @@ function cmdIngest(runner, args, runOpts, pretty) {
   }
   const playbookId = args.domain || submission.playbook_id || submission.domain;
   if (!playbookId) return emitError("ingest: no playbook resolved — pass --domain <id> or include playbook_id in evidence JSON.", null, pretty);
+  if (refuseInvalidPlaybookId("ingest", playbookId, pretty)) return;
   const pb = runner.loadPlaybook(playbookId);
   const directiveId = args.directive
     || submission.directive_id
     || (pb.directives[0] && pb.directives[0].id);
-  if (!directiveId) return emitError(`ingest: playbook ${playbookId} has no directives.`, null, pretty);
+  if (!directiveId) return refuseNoDirectives("ingest", playbookId, pretty);
 
   // Strip the routing keys so the runner only sees the contract shape it expects.
   const cleanedSubmission = {
@@ -2984,17 +3300,24 @@ function cmdIngest(runner, args, runOpts, pretty) {
       filename: "attestation.json",
     });
     if (!persisted.ok) {
-      // Surface the collision; do not silently clobber. Preserve
-      // LOCK_CONTENTION exit 8 set by persistAttestation when
-      // --force-overwrite hit the lockfile race.
+      // Route every persist-failure shape through emitError so the
+      // emit() ok:false → exitCode contract applies uniformly. Three
+      // exit classes: LOCK_CONTENTION (transient), STORAGE_EXHAUSTED
+      // (infra), SESSION_ID_COLLISION (operator decision).
       const ctx = { session_id: result.session_id, existing_path: persisted.existingPath };
       if (persisted.lock_contention) {
         ctx.lock_contention = true;
-        ctx.exit_code = 8;
-        process.stderr.write(JSON.stringify({ ok: false, error: persisted.error, ...ctx }) + "\n");
-        return;
+        ctx.exit_code = EXIT_CODES.LOCK_CONTENTION;
       }
-      return emitError(persisted.error, ctx, pretty);
+      if (persisted.storage_exhausted) {
+        ctx.storage_exhausted = true;
+        ctx.exit_code = EXIT_CODES.STORAGE_EXHAUSTED;
+      }
+      emitError(persisted.error, ctx, pretty);
+      if (persisted.lock_contention) process.exitCode = EXIT_CODES.LOCK_CONTENTION;
+      else if (persisted.storage_exhausted) process.exitCode = EXIT_CODES.STORAGE_EXHAUSTED;
+      else process.exitCode = EXIT_CODES.SESSION_ID_COLLISION;
+      return;
     }
     if (persisted.prior_session_id) {
       result.attestation_persist = { ok: true, prior_session_id: persisted.prior_session_id, overwrote_at: persisted.overwrote_at };
@@ -3141,21 +3464,21 @@ function persistAttestation(args) {
           existingPath: path.relative(process.cwd(), filePath),
         };
       }
-      // T P1-2: serialize the read-prior + write-new sequence behind a
-      // lockfile so concurrent --force-overwrite invocations against the
-      // same session-id slot do not degrade to last-write-wins. Pattern
-      // matches withCatalogLock + withIndexLock: O_EXCL 'wx' on a sibling
-      // .lock file with bounded retry, PID-liveness check on contention,
-      // mtime fallback for orphaned lockfiles.
-      // DD P1-2: MAX_RETRIES capped at 10 (was 50). persistAttestation is a
-      // sync function called from sync callers throughout the CLI, so the
-      // wait loop must busy-spin (no event-loop yield available). At 50
-      // retries × ~200ms backoff per spin the worst case was ~10s of pegged-
-      // CPU + frozen-event-loop stall under attestation contention. Capping
-      // at 10 bounds the freeze at ~1-2s; beyond that callers receive the
-      // LOCK_CONTENTION sentinel on the result object and can retry from the
-      // outside without holding the CPU. Async refactor of persistAttestation
-      // + every caller is a v0.13.0 candidate.
+      // Serialize the read-prior + write-new sequence behind a lockfile so
+      // concurrent --force-overwrite invocations against the same session-id
+      // slot do not degrade to last-write-wins. Pattern matches
+      // withCatalogLock + withIndexLock: O_EXCL 'wx' on a sibling .lock file
+      // with bounded retry, PID-liveness check on contention, mtime fallback
+      // for orphaned lockfiles.
+      // DD P1-2: MAX_RETRIES is capped at 10. persistAttestation is sync and
+      // called from sync callers, so the wait loop must busy-spin (no
+      // event-loop yield available). A larger bound would peg the CPU and
+      // freeze the event loop for multiple seconds under attestation
+      // contention. Capping at 10 bounds the freeze at ~1-2s; beyond that
+      // callers receive the LOCK_CONTENTION sentinel on the result object
+      // and can retry from the outside without holding the CPU. Async
+      // refactor of persistAttestation + every caller is a v0.13.0
+      // candidate.
       const lockPath = filePath + ".lock";
       const MAX_RETRIES = 10;
       const STALE_LOCK_MS = 30_000;
@@ -3166,6 +3489,22 @@ function persistAttestation(args) {
           acquired = true;
           break;
         } catch (lockErr) {
+          // Distinguish lockfile contention (EEXIST/EPERM = another holder)
+          // from storage-exhaustion classes (ENOSPC = disk full,
+          // EROFS = read-only fs, EDQUOT = quota exceeded). The latter are
+          // infra-level failures that no amount of retry-spin will resolve;
+          // surface them with a distinct exit code (STORAGE_EXHAUSTED = 9)
+          // so operator runbooks can branch on "free disk" vs "retry".
+          if (lockErr.code === "ENOSPC" || lockErr.code === "EROFS" || lockErr.code === "EDQUOT") {
+            process.exitCode = EXIT_CODES.STORAGE_EXHAUSTED;
+            return {
+              ok: false,
+              error: `STORAGE_EXHAUSTED: ${lockErr.message}`,
+              existingPath: path.relative(process.cwd(), filePath),
+              storage_exhausted: true,
+              exit_code: EXIT_CODES.STORAGE_EXHAUSTED,
+            };
+          }
           if (lockErr.code !== "EEXIST" && lockErr.code !== "EPERM") throw lockErr;
           let reclaimed = false;
           try {
@@ -3194,28 +3533,25 @@ function persistAttestation(args) {
         }
       }
       if (!acquired) {
-        // DD P1-2: lock_contention sentinel so callers can distinguish a
-        // genuine lock-busy condition (retry-from-outside is the right move)
-        // from a hard failure (write error, permission denial). The sync
-        // spin budget was bounded above so we hit this return after ~1-2s
-        // of contention rather than the prior ~10s.
+        // Surface lock_contention as a distinct sentinel so callers can
+        // distinguish a genuine lock-busy condition (retry-from-outside is
+        // the right move) from a hard failure (write error, permission
+        // denial). The sync spin budget is bounded above so this return
+        // fires after ~1-2s of contention.
         //
-        // PP P1-2: emit() auto-maps any ok:false body to process.exitCode = 1
-        // (it only writes exitCode = 1 when the current value is 0). Pre-fix
-        // the LOCK_CONTENTION return collapsed onto exit 1 along with every
-        // other hard failure — defeating the "callers can distinguish
-        // lock-busy from hard failure" promise. Pin process.exitCode = 8
-        // HERE, before the caller hands the body to emit(); emit() will
-        // preserve the already-non-zero value. Exit code 8 is reserved
-        // exclusively for LOCK_CONTENTION (attestation persist); see the
-        // exit-code table in printGlobalHelp().
-        process.exitCode = 8;
+        // emit() auto-maps any ok:false body to process.exitCode = 1 (only
+        // when the current value is still 0). Pin process.exitCode = 8 HERE
+        // before the caller hands the body to emit(); emit() preserves the
+        // already-non-zero value. Exit code 8 is reserved exclusively for
+        // LOCK_CONTENTION (attestation persist); see the exit-code table in
+        // printGlobalHelp().
+        process.exitCode = EXIT_CODES.LOCK_CONTENTION;
         return {
           ok: false,
           error: `LOCK_CONTENTION: Failed to acquire attestation lock at ${path.relative(process.cwd(), lockPath)} after ${MAX_RETRIES} attempts (~1-2s of contention). Retry the operation; if it persists, inspect the lockfile for a stale holder.`,
           existingPath: path.relative(process.cwd(), filePath),
           lock_contention: true,
-          exit_code: 8,
+          exit_code: EXIT_CODES.LOCK_CONTENTION,
         };
       }
       try {
@@ -3238,6 +3574,19 @@ function persistAttestation(args) {
       }
     }
   } catch (e) {
+    // ENOSPC / EROFS / EDQUOT are storage-exhaustion classes — surface
+    // them with a distinct sentinel + exit code so callers route them
+    // through a different remediation path than generic write errors.
+    if (e && (e.code === "ENOSPC" || e.code === "EROFS" || e.code === "EDQUOT")) {
+      process.exitCode = EXIT_CODES.STORAGE_EXHAUSTED;
+      return {
+        ok: false,
+        error: `STORAGE_EXHAUSTED: ${e.message}`,
+        existingPath: null,
+        storage_exhausted: true,
+        exit_code: EXIT_CODES.STORAGE_EXHAUSTED,
+      };
+    }
     return { ok: false, error: `Failed to write attestation: ${e.message}`, existingPath: null };
   }
 }
@@ -3253,7 +3602,7 @@ function persistAttestation(args) {
  * from "the .sig file was deleted by an attacker."
  */
 /**
- * C: byte-stability normalize() for the attestation pipeline.
+ * Byte-stability normalize() for the attestation pipeline.
  * Strips a leading UTF-8 BOM and collapses CRLF → LF. Mirrors the
  * normalize() implementations in lib/sign.js, lib/verify.js,
  * lib/refresh-network.js, and scripts/verify-shipped-tarball.js. Five
@@ -3279,13 +3628,13 @@ function maybeSignAttestation(filePath) {
   // (reporting only PKG_ROOT now), not by making `run` follow a cwd key the
   // verifier doesn't trust.
   const privKeyPath = path.join(PKG_ROOT, ".keys", "private.pem");
-  // C: normalize attestation bytes before sign — strip leading
-  // UTF-8 BOM + collapse CRLF to LF. Mirrors lib/sign.js / lib/verify.js /
+  // Normalize attestation bytes before sign — strip leading UTF-8 BOM +
+  // collapse CRLF to LF. Mirrors lib/sign.js / lib/verify.js /
   // lib/refresh-network.js / scripts/verify-shipped-tarball.js. The
   // attestation file lives on disk under .exceptd/ and can pick up CRLF
   // through git-attribute / editor round-trips on Windows; without
   // normalization the sign/verify pair diverges on the same logical content.
-  // The byte-stability contract is now five sites; tests/normalize-contract
+  // The byte-stability contract spans five sites; tests/normalize-contract
   // .test.js enforces byte-identical output across all of them.
   const rawContent = fs.readFileSync(filePath, "utf8");
   const content = normalizeAttestationBytes(rawContent);
@@ -3309,16 +3658,15 @@ function maybeSignAttestation(filePath) {
         key: privateKey,
         dsaEncoding: "ieee-p1363",
       });
-      // KK P1-1: the sidecar's Ed25519 signature covers ONLY the
-      // attestation file bytes. Fields that travel inside the .sig but are
-      // NOT in the signed message are replay-rewrite trivial: an attacker
-      // who can write the directory can mutate them without invalidating
-      // the signature. Drop `signed_at`, `signs_path`, `signs_sha256` from
-      // the sidecar shape — they were unsigned metadata posing as
-      // attestation context. Operators reading freshness use filesystem
-      // mtime; the attestation file's `captured_at` field is what's
-      // signed. The sidecar now carries only the algorithm tag, the
-      // Ed25519 signature payload, and an explanatory note.
+      // The sidecar's Ed25519 signature covers ONLY the attestation file
+      // bytes. Fields that travel inside the .sig but are NOT in the signed
+      // message are replay-rewrite trivial: an attacker who can write the
+      // directory can mutate them without invalidating the signature. The
+      // sidecar therefore carries only the algorithm tag, the Ed25519
+      // signature payload, and an explanatory note — no `signed_at`,
+      // `signs_path`, or `signs_sha256`. Operators reading freshness use
+      // filesystem mtime; the attestation file's `captured_at` field is
+      // what's signed.
       fs.writeFileSync(sigPath, JSON.stringify({
         algorithm: "Ed25519",
         signature_base64: sig.toString("base64"),
@@ -3350,9 +3698,13 @@ function maybeSignAttestation(filePath) {
  * Validation regex + root-confinement check matches persistAttestation.
  */
 function validateSessionIdForRead(sessionId) {
-  if (typeof sessionId !== "string" || !/^[A-Za-z0-9._-]{1,64}$/.test(sessionId)) {
+  // Route through validateIdComponent('session') so the regex + all-dots
+  // refusal stay aligned with the write-path validator in
+  // persistAttestation. Single source of truth in lib/id-validation.js.
+  const r = validateIdComponent(sessionId, "session");
+  if (!r.ok) {
     throw new Error(
-      `Invalid session-id: ${JSON.stringify(sessionId).slice(0, 80)}. Must match /^[A-Za-z0-9._-]{1,64}$/.`
+      `Invalid session-id: ${typeof sessionId === "string" ? JSON.stringify(sessionId).slice(0, 80) : typeof sessionId}. ${r.reason}.`
     );
   }
   return sessionId;
@@ -3411,6 +3763,12 @@ function walkAttestationDir(root, opts, candidates) {
       try {
         const p = path.join(sdir, f);
         const j = JSON.parse(fs.readFileSync(p, "utf8"));
+        // Replay records (kind: 'replay') are an audit trail of force-replay
+        // overrides, not a separate attestation. They have no captured_at /
+        // evidence_hash and must not surface as candidates for --latest.
+        // Gate on the parsed kind so a renamed file cannot smuggle a replay
+        // record into the listing.
+        if (j && j.kind === "replay") continue;
         if (opts.playbookId && j.playbook_id !== opts.playbookId) continue;
         if (opts.since && (j.captured_at || "") < opts.since) continue;
         if (opts.excludeSessionId && sid === opts.excludeSessionId) continue;
@@ -3421,14 +3779,14 @@ function walkAttestationDir(root, opts, candidates) {
 }
 
 /**
- * F10: factored Ed25519-sidecar verification used by both `attest verify`
- * and `reattest`. Returns { file, signed, verified, reason } for a given
+ * Factored Ed25519-sidecar verification used by both `attest verify` and
+ * `reattest`. Returns { file, signed, verified, reason } for a given
  * attestation file path.
  *
- * Pre-fix, cmdReattest read attestation.json via JSON.parse with no
- * authenticity check. A tampered attestation was silently consumed and the
- * drift verdict was computed against forged input. Now cmdReattest calls
- * this and refuses on verify-fail unless --force-replay is set.
+ * Callers must check `signed && verified` before consuming the
+ * attestation. cmdReattest refuses to replay on verify-fail unless
+ * --force-replay is set, so a tampered attestation cannot silently feed
+ * forged input into the drift verdict.
  */
 function verifyAttestationSidecar(attFile) {
   const crypto = require("crypto");
@@ -3488,15 +3846,15 @@ function verifyAttestationSidecar(attFile) {
     }
     return { file: attFile, signed: false, verified: false, reason: "attestation explicitly unsigned (no private key when written)" };
   }
-  // KK P1-3: strict algorithm check. Pre-fix the verifier branched only on
-  // `=== "unsigned"`; null, undefined, "RSA-PSS", arrays, etc. fell through
-  // to crypto.verify with the default Ed25519 args — which would either
-  // succeed against the wrong-algorithm signature bytes accidentally (an
-  // attacker who can write the sidecar can replay an existing Ed25519
-  // signature under a downgrade-bait algorithm tag) or throw a generic
-  // verify error. Refuse anything that isn't exactly "Ed25519" or
-  // "unsigned" with a structured tamper class so callers can route the
-  // refusal through the same exit-6 path as other tamper events.
+  // Strict algorithm check. A branch on `=== "unsigned"` alone would let
+  // null, undefined, "RSA-PSS", arrays, etc. fall through to crypto.verify
+  // with default Ed25519 args — which can either succeed against
+  // wrong-algorithm signature bytes accidentally (an attacker who can
+  // write the sidecar replays an existing Ed25519 signature under a
+  // downgrade-bait algorithm tag) or throw a generic verify error.
+  // Refuse anything that isn't exactly "Ed25519" or "unsigned" with a
+  // structured tamper class so callers can route the refusal through the
+  // same exit-6 path as other tamper events.
   if (sigDoc.algorithm !== "Ed25519") {
     return {
       file: attFile,
@@ -3512,9 +3870,9 @@ function verifyAttestationSidecar(attFile) {
   let content;
   try {
     const raw = fs.readFileSync(attFile, "utf8");
-    // C: apply the same normalize() used by the signer so the
-    // verify path is byte-stable across CRLF / BOM churn (Windows checkout
-    // with core.autocrlf=true, editor round-trips, git-attributes flips).
+    // Apply the same normalize() used by the signer so the verify path is
+    // byte-stable across CRLF / BOM churn (Windows checkout with
+    // core.autocrlf=true, editor round-trips, git-attributes flips).
     content = normalizeAttestationBytes(raw);
   }
   catch (e) { return { file: attFile, signed: true, verified: false, reason: `attestation read error: ${e.message}` }; }
@@ -3534,13 +3892,14 @@ function verifyAttestationSidecar(attFile) {
 }
 
 function cmdReattest(runner, args, runOpts, pretty) {
-  // F29: --since ISO-8601 validation parity with `attest list --since`
-  // (already fixed in v0.12.12). Pre-fix, an invalid date silently passed
-  // through to walkAttestationDir, where the lexical comparison either
-  // matched all or none unpredictably.
+  const crypto = require("crypto");
+  // Validate --since as ISO-8601, mirroring `attest list --since`. An
+  // invalid date would otherwise pass through to walkAttestationDir, where
+  // the lexical comparison either matches all or none unpredictably.
   if (args.since != null) {
-    // R-F10: regex BEFORE Date.parse — bare integers like "99" would
-    // otherwise parse as the year 1999 and silently filter wrong eras.
+    // ISO-8601 shape regex BEFORE Date.parse — bare integers like "99"
+    // would otherwise parse as the year 1999 and silently filter wrong
+    // eras.
     const sinceErr = validateIsoSince(args.since);
     if (sinceErr) return emitError(`reattest: ${sinceErr}`, null, pretty);
   }
@@ -3564,35 +3923,31 @@ function cmdReattest(runner, args, runOpts, pretty) {
     return emitError(`reattest: no attestation found at ${attFile}`, { session_id: sessionId }, pretty);
   }
 
-  // F10: verify the .sig sidecar BEFORE consuming the prior attestation.
-  // Pre-fix, a tampered attestation.json was silently parsed and the drift
-  // verdict was computed against forged input. Now: refuse on verify-fail
+  // Verify the .sig sidecar BEFORE consuming the prior attestation. A
+  // tampered attestation.json would otherwise be silently parsed and the
+  // drift verdict computed against forged input. Refuse on verify-fail
   // with exit 6 (TAMPERED) unless --force-replay is explicitly set.
   // Unsigned attestations (no private key was available at run time) emit
   // a stderr warning but proceed — that's an operator config issue, not
   // tampering. `verified === false && signed === true` is the real tamper
   // signal.
   const verify = verifyAttestationSidecar(attFile);
-  // 2: collapse tamper-class detection. Any non-benign
-  // sidecar state (signed-but-invalid, sidecar-corrupt, unsigned-substitution)
-  // refuses replay unless --force-replay is set. The pre-fix shape only
-  // refused on `verify.signed && !verify.verified` (signed-tamper) and on
-  // `no .sig sidecar` (missing); corrupt-JSON sidecars and substituted
-  // "unsigned" sidecars on a host WITH a private key fell into the benign
-  // NOTE branch and replay proceeded against forged input.
+  // Collapse tamper-class detection. Any non-benign sidecar state
+  // (signed-but-invalid, sidecar-corrupt, unsigned-substitution) refuses
+  // replay unless --force-replay is set. A predicate of only
+  // `verify.signed && !verify.verified` would miss corrupt-JSON sidecars
+  // and substituted "unsigned" sidecars on a host WITH a private key —
+  // both of which let replay proceed against forged input.
   const isSignedTamper = verify.signed && !verify.verified;
   const isClassTamper = !verify.signed && (
     verify.tamper_class === "sidecar-corrupt"
     || verify.tamper_class === "unsigned-substitution"
-    // KK P1-3: extend tamper-class refusal to algorithm-unsupported sidecars
-    // (anything other than "Ed25519" or "unsigned"). Pre-fix, the verifier
-    // pre-strict-check would crypto.verify against default Ed25519 args and
-    // return signed:true + verified:false on failure — which DID land in
-    // isSignedTamper. But a sidecar that throws inside crypto.verify (e.g.
-    // signature_base64 missing on the downgrade-bait shape) was routed
-    // through the catch block and emerged as signed:true + verified:false
-    // by happy accident. The strict pre-check now surfaces the class
-    // directly; refuse on that class too.
+    // Extend tamper-class refusal to algorithm-unsupported sidecars —
+    // anything other than "Ed25519" or "unsigned". Without explicit
+    // refusal, a sidecar that throws inside crypto.verify (e.g.
+    // signature_base64 missing on a downgrade-bait shape) emerges as
+    // signed:true + verified:false through the catch block by accident.
+    // The strict pre-check surfaces the class directly; refuse on it too.
     || verify.tamper_class === "algorithm-unsupported"
   );
   if ((isSignedTamper || isClassTamper) && !args["force-replay"]) {
@@ -3607,7 +3962,7 @@ function cmdReattest(runner, args, runOpts, pretty) {
       hint: "If you have inspected the attestation and the divergence is benign (e.g. you re-signed manually), pass --force-replay.",
     };
     process.stderr.write(JSON.stringify(body) + "\n");
-    process.exitCode = 6;
+    process.exitCode = EXIT_CODES.TAMPERED;
     return;
   }
   if ((isSignedTamper || isClassTamper) && args["force-replay"]) {
@@ -3634,7 +3989,7 @@ function cmdReattest(runner, args, runOpts, pretty) {
       hint: "If the sidecar was intentionally removed (e.g. a clean operator rotation) and you have inspected the attestation, pass --force-replay.",
     };
     process.stderr.write(JSON.stringify(body) + "\n");
-    process.exitCode = 6;
+    process.exitCode = EXIT_CODES.TAMPERED;
     return;
   } else if (!verify.signed && verify.reason && verify.reason.includes("no .sig sidecar") && args["force-replay"]) {
     process.stderr.write(`[exceptd reattest] WARNING: --force-replay overriding missing .sig sidecar on ${attFile}. The replay output records sidecar_verify so the override is audit-visible.\n`);
@@ -3658,7 +4013,7 @@ function cmdReattest(runner, args, runOpts, pretty) {
       hint: "If the original attestation was legitimately produced without a private key, pass --force-replay. The replay body will record sidecar_verify: 'explicitly-unsigned' + force_replay: true.",
     };
     process.stderr.write(JSON.stringify(body) + "\n");
-    process.exitCode = 6;
+    process.exitCode = EXIT_CODES.TAMPERED;
     return;
   } else if (!verify.signed && verify.reason && verify.reason.startsWith("attestation explicitly unsigned") && args["force-replay"]) {
     process.stderr.write(`[exceptd reattest] WARNING: --force-replay overriding explicitly-unsigned attestation on ${attFile}. The replay output records sidecar_verify: 'explicitly-unsigned' so the override is audit-visible.\n`);
@@ -3688,16 +4043,32 @@ function cmdReattest(runner, args, runOpts, pretty) {
     // Fallback: synthesise pass-through preconditions from the playbook so the
     // replay isn't blocked when the operator didn't originally pass them.
     try {
-      const pb = runner.loadPlaybook(prior.playbook_id);
-      const synth = {};
-      for (const pc of (pb._meta && pb._meta.preconditions) || []) synth[pc.id] = true;
-      replayOpts.precondition_checks = synth;
+      // Defense-in-depth: the prior attestation's playbook_id came from
+      // disk, but a malicious or corrupt prior could still smuggle an
+      // invalid id. validateIdComponent refuses anything outside the
+      // canonical playbook-id shape.
+      const r = validateIdComponent(prior.playbook_id, "playbook");
+      if (r.ok) {
+        const pb = runner.loadPlaybook(prior.playbook_id);
+        const synth = {};
+        for (const pc of (pb._meta && pb._meta.preconditions) || []) synth[pc.id] = true;
+        replayOpts.precondition_checks = synth;
+      }
     } catch { /* ignore */ }
   }
   const replay = runner.run(prior.playbook_id, prior.directive_id, emptySubmission, replayOpts);
 
   if (!replay || replay.ok === false) {
-    return emitError(`reattest: replay failed: ${replay && replay.reason || "unknown"}`, { replay }, pretty);
+    // When replay.reason is falsy, dump the available keys so an operator
+    // can correlate the failure to a body field — pre-fix the error message
+    // bottomed out at "unknown" with no breadcrumb into the runner output.
+    const reason = (replay && replay.reason) || (replay && replay.error) || null;
+    const keys = replay && typeof replay === "object" ? Object.keys(replay).join(",") : "(no body)";
+    return emitError(
+      `reattest: replay failed: ${reason || `no reason field — replay body keys: [${keys}]`}`,
+      { replay, replay_body_keys: replay && typeof replay === "object" ? Object.keys(replay) : null },
+      pretty
+    );
   }
 
   const priorHash = prior.evidence_hash;
@@ -3722,52 +4093,80 @@ function cmdReattest(runner, args, runOpts, pretty) {
   const sidecarVerifyClass = classifySidecarVerify(verify);
   const forceReplay = !!args["force-replay"];
 
-  // KK P1-2: persist a `replay-<isoZ>.json` audit record under the session
-  // directory whenever cmdReattest produced a replay verdict. Pre-fix the
-  // force-replay branches emitted the override body to stdout but never
-  // wrote it to disk; once the operator's shell closed the override was
-  // invisible to any subsequent auditor. Now every replay writes a new
-  // file alongside the original attestation.json, signed via the standard
-  // maybeSignAttestation path so the audit chain remains tamper-evident.
-  // The file is picked up automatically by `attest verify <sid>` (which
-  // already iterates every *.json under the session dir).
+  // Persist a `replay-<isoZ>.json` record under the session directory for
+  // every cmdReattest replay verdict. Without disk persistence, a
+  // force-replay override emitted to stdout becomes invisible to any
+  // subsequent auditor once the operator's shell closes. Each replay
+  // writes a new file alongside the original attestation.json, signed via
+  // the standard maybeSignAttestation path so the audit chain remains
+  // tamper-evident. The file is picked up automatically by
+  // `attest verify <sid>` (which iterates every *.json under the session
+  // dir).
   //
   // Filename shape: ISO-8601 uses ':' which the persistAttestation regex
   // refuses; substitute ':' with '-' and keep millisecond precision so
   // multiple replays in the same second do not collide on EEXIST. The
   // resulting filename satisfies /^[A-Za-z0-9._-]{1,64}\.json$/.
-  const replayFilename = "replay-" + replayedAt.replace(/:/g, "-") + ".json";
+  const replayBaseName = "replay-" + replayedAt.replace(/:/g, "-");
+  const replayBody = {
+    kind: "replay",
+    session_id: sessionId,
+    playbook_id: prior.playbook_id,
+    directive_id: prior.directive_id,
+    status,
+    prior_evidence_hash: priorHash,
+    replay_evidence_hash: newHash,
+    prior_captured_at: prior.captured_at,
+    replayed_at: replayedAt,
+    replay_classification: replay.phases && replay.phases.detect && replay.phases.detect.classification,
+    replay_rwep_adjusted: replay.phases && replay.phases.analyze && replay.phases.analyze.rwep && replay.phases.analyze.rwep.adjusted,
+    sidecar_verify: verify,
+    sidecar_verify_class: sidecarVerifyClass,
+    force_replay: forceReplay,
+  };
   let replayPersisted = null;
+  let replayPath = null;
   try {
-    const replayBody = {
-      kind: "replay",
-      session_id: sessionId,
-      playbook_id: prior.playbook_id,
-      directive_id: prior.directive_id,
-      status,
-      prior_evidence_hash: priorHash,
-      replay_evidence_hash: newHash,
-      prior_captured_at: prior.captured_at,
-      replayed_at: replayedAt,
-      replay_classification: replay.phases && replay.phases.detect && replay.phases.detect.classification,
-      replay_rwep_adjusted: replay.phases && replay.phases.analyze && replay.phases.analyze.rwep && replay.phases.analyze.rwep.adjusted,
-      sidecar_verify: verify,
-      sidecar_verify_class: sidecarVerifyClass,
-      force_replay: forceReplay,
-    };
-    const replayPath = path.join(path.dirname(attFile), replayFilename);
-    // O_EXCL 'wx' — millisecond-level filename + EEXIST refusal so two
-    // concurrent reattests do not silently overwrite each other.
-    fs.writeFileSync(replayPath, JSON.stringify(replayBody, null, 2), { flag: "wx" });
-    maybeSignAttestation(replayPath);
-    replayPersisted = { ok: true, path: replayPath };
+    // Retry on EEXIST: two concurrent reattests sharing the same
+    // millisecond timestamp would collide on the base name. Append a short
+    // random suffix until O_EXCL accepts the write or the cap is exhausted.
+    const dir = path.dirname(attFile);
+    const MAX_SUFFIX_TRIES = 8;
+    let written = false;
+    let lastErr = null;
+    for (let i = 0; i < MAX_SUFFIX_TRIES; i++) {
+      const suffix = i === 0 ? "" : "-" + crypto.randomBytes(3).toString("hex");
+      const candidate = path.join(dir, replayBaseName + suffix + ".json");
+      try {
+        fs.writeFileSync(candidate, JSON.stringify(replayBody, null, 2), { flag: "wx" });
+        replayPath = candidate;
+        written = true;
+        break;
+      } catch (e) {
+        lastErr = e;
+        if (!e || e.code !== "EEXIST") throw e;
+      }
+    }
+    if (!written) throw lastErr || new Error("replay-record write: EEXIST after " + MAX_SUFFIX_TRIES + " attempts");
+    replayPersisted = { ok: true, path: replayPath, sidecar_signed: true };
   } catch (e) {
-    // Non-fatal — the stdout emit is the operator's primary surface; a
+    // Non-fatal — stdout emit is the operator's primary surface; a
     // disk-persistence failure shouldn't mask the verdict. Surface the
     // condition in the response body so an operator-side audit pipeline
     // can re-run the persist later.
     replayPersisted = { ok: false, error: String((e && e.message) || e) };
   }
+  if (replayPersisted && replayPersisted.ok && replayPath) {
+    // Sidecar signing is best-effort: the unsigned replay record on disk
+    // is still a valid audit-trail entry. Split from the write try{} so a
+    // sign-time failure doesn't mask a successful write.
+    try {
+      maybeSignAttestation(replayPath);
+    } catch (e) {
+      replayPersisted.sidecar_signed = false;
+      replayPersisted.sidecar_sign_error = String((e && e.message) || e);
+    }
+  }
 
   emit({
     ok: true,
@@ -3782,7 +4181,7 @@ function cmdReattest(runner, args, runOpts, pretty) {
     replayed_at: replayedAt,
     replay_classification: replay.phases && replay.phases.detect && replay.phases.detect.classification,
     replay_rwep_adjusted: replay.phases && replay.phases.analyze && replay.phases.analyze.rwep && replay.phases.analyze.rwep.adjusted,
-    // F10: persist the sidecar verify result + the force-replay flag so the
+    // Persist the sidecar verify result + the force-replay flag so the
     // audit trail records whether the replay was authenticated input.
     sidecar_verify: verify,
     // emit a one-token classification label alongside the
@@ -3800,8 +4199,8 @@ function cmdReattest(runner, args, runOpts, pretty) {
     //   'no-public-key'        — infra-missing (operator-side keys/public.pem absent)
     sidecar_verify_class: sidecarVerifyClass,
     force_replay: forceReplay,
-    // KK P1-2: surface the persisted replay-record path (or persistence
-    // failure reason) so an auditor reading the CLI response can locate the
+    // Surface the persisted replay-record path (or persistence failure
+    // reason) so an auditor reading the CLI response can locate the
     // on-disk artifact without re-deriving the filename.
     replay_persisted: replayPersisted,
   }, pretty);
@@ -3819,7 +4218,7 @@ function classifySidecarVerify(verify) {
   if (verify.signed && !verify.verified) return "tampered";
   if (verify.tamper_class === "sidecar-corrupt") return "sidecar-corrupt";
   if (verify.tamper_class === "unsigned-substitution") return "unsigned-substitution";
-  // KK P1-3: algorithm-unsupported is its own class label so log scrapers /
+  // `algorithm-unsupported` is its own class label so log scrapers /
   // dashboards can filter downgrade-bait events without parsing the reason.
   if (verify.tamper_class === "algorithm-unsupported") return "algorithm-unsupported";
   if (typeof verify.reason === "string" && verify.reason.startsWith("attestation explicitly unsigned")) return "explicitly-unsigned";
@@ -3851,14 +4250,18 @@ function cmdAttest(runner, args, runOpts, pretty) {
     return cmdListAttestations(runner, args, runOpts, pretty);
   }
   if (!sessionId) {
-    return emitError(`attest ${subverb}: missing <session-id> positional argument.`, null, pretty);
-  }
-  // R-F7: distinguish "validation rejected" from "valid format but not
-  // found". findSessionDir() returns null for BOTH (regex-rejected ids
-  // collapse to the "no session dir" message), which gives operators a
-  // misleading error — a string with `..` or `/` looks to them like an
-  // existing-session lookup that failed, not a refusal. Call the same
-  // validator up front; emit its specific message when it throws.
+    return emitError(
+      `attest ${subverb}: missing <session-id> positional argument. Inventory prior sessions with \`exceptd attest list\`; or pass \`--latest\` to operate on the most recent.`,
+      { verb: `attest ${subverb}` },
+      pretty
+    );
+  }
+  // Distinguish "validation rejected" from "valid format but not found".
+  // findSessionDir() returns null for BOTH (regex-rejected ids collapse to
+  // the "no session dir" message), which gives operators a misleading
+  // error — a string with `..` or `/` looks to them like an existing-
+  // session lookup that failed, not a refusal. Call the same validator
+  // up front; emit its specific message when it throws.
   try { validateSessionIdForRead(sessionId); }
   catch (e) {
     return emitError(`attest ${subverb}: ${e.message}`, { session_id_input: typeof sessionId === "string" ? sessionId.slice(0, 80) : typeof sessionId }, pretty);
@@ -3869,13 +4272,24 @@ function cmdAttest(runner, args, runOpts, pretty) {
   }
 
   const files = fs.readdirSync(dir).filter(f => f.endsWith(".json") && !f.endsWith(".sig"));
-  const attestations = files.map(f => {
-    try { return JSON.parse(fs.readFileSync(path.join(dir, f), "utf8")); }
-    catch { return null; }
-  }).filter(Boolean);
+  // Partition session-dir JSON files by parsed `kind` field. Replay records
+  // (written by `cmdReattest`) live alongside attestations under the same
+  // session directory but represent audit-trail entries, not separate
+  // sessions. Gate on the parsed payload — not filename prefix — so a
+  // renamed file cannot smuggle a replay into the attestations[] list.
+  const attestations = [];
+  const replays = [];
+  for (const f of files) {
+    let parsed;
+    try { parsed = JSON.parse(fs.readFileSync(path.join(dir, f), "utf8")); }
+    catch { continue; }
+    if (!parsed) continue;
+    if (parsed.kind === "replay") replays.push(parsed);
+    else attestations.push(parsed);
+  }
 
   if (subverb === "show") {
-    emit({ session_id: sessionId, attestations }, pretty);
+    emit({ session_id: sessionId, attestations, attestation_replays: replays }, pretty);
     return;
   }
 
@@ -3890,10 +4304,37 @@ function cmdAttest(runner, args, runOpts, pretty) {
         return emitError(`attest diff --against ${args.against}: no session dir found.`, null, pretty);
       }
       const otherFiles = fs.readdirSync(otherDir).filter(f => f.endsWith(".json") && !f.endsWith(".sig"));
-      if (otherFiles.length === 0) {
+      // Pick the comparison target deterministically:
+      //   1. Prefer attestation.json (the canonical write-path filename).
+      //   2. Otherwise, walk every non-replay JSON in the dir, sort by
+      //      parsed.captured_at descending, and take the newest.
+      //   3. Replay records (kind === "replay") are audit-trail entries,
+      //      not attestations — skip them so a replay file sorted ahead of
+      //      attestation.json cannot shadow the real attestation in the
+      //      diff.
+      let other = null;
+      const otherAttestationPath = path.join(otherDir, "attestation.json");
+      if (fs.existsSync(otherAttestationPath)) {
+        try {
+          const parsed = JSON.parse(fs.readFileSync(otherAttestationPath, "utf8"));
+          if (parsed && parsed.kind !== "replay") other = parsed;
+        } catch { /* fall through to scan */ }
+      }
+      if (!other) {
+        const candidates = [];
+        for (const f of otherFiles) {
+          try {
+            const parsed = JSON.parse(fs.readFileSync(path.join(otherDir, f), "utf8"));
+            if (!parsed || parsed.kind === "replay") continue;
+            candidates.push(parsed);
+          } catch { /* skip malformed */ }
+        }
+        candidates.sort((a, b) => (b.captured_at || "").localeCompare(a.captured_at || ""));
+        other = candidates[0] || null;
+      }
+      if (!other) {
         return emitError(`attest diff --against ${args.against}: no attestations under that session id.`, null, pretty);
       }
-      const other = JSON.parse(fs.readFileSync(path.join(otherDir, otherFiles[0]), "utf8"));
       const self = attestations[0];
       emit({
         verb: "attest diff",
@@ -3954,15 +4395,14 @@ function cmdAttest(runner, args, runOpts, pretty) {
     // tampered attestation.json and overwrote .sig with the unsigned stub).
     const privKeyPath = path.join(PKG_ROOT, ".keys", "private.pem");
     const hasPrivKey = fs.existsSync(privKeyPath);
-    const results = files.map(f => {
+
+    // Sidecar-verify helper shared by both the attestations[] and
+    // replay-records[] partitions. Centralising the per-file verify
+    // logic means a future tamper-class addition lands in one place
+    // instead of two parallel branches.
+    const verifySidecar = (f) => {
       const sigPath = path.join(dir, f + ".sig");
       if (!fs.existsSync(sigPath)) return { file: f, signed: false, verified: false, reason: "no .sig sidecar" };
-      // wrap JSON.parse so a corrupt sidecar surfaces as a
-      // structured tamper-class result (signed:false, verified:false,
-      // tamper_class:"sidecar-corrupt") rather than throwing into the outer
-      // dispatcher catch → exit 1. Pre-fix, a corrupt .sig produced a
-      // generic exit-1 with no `results` array — operators piping through
-      // `set -e` saw "command failed" with no tamper signal.
       let sigDoc;
       try { sigDoc = JSON.parse(fs.readFileSync(sigPath, "utf8")); }
       catch (e) {
@@ -3975,7 +4415,6 @@ function cmdAttest(runner, args, runOpts, pretty) {
         };
       }
       if (sigDoc.algorithm === "unsigned") {
-        // substitution detection.
         if (hasPrivKey) {
           return {
             file: f,
@@ -3987,11 +4426,6 @@ function cmdAttest(runner, args, runOpts, pretty) {
         }
         return { file: f, signed: false, verified: false, reason: "attestation explicitly unsigned (no private key when written)" };
       }
-      // KK P1-3: strict algorithm check (mirrors verifyAttestationSidecar).
-      // Anything that isn't exactly "Ed25519" or "unsigned" is refused as
-      // tamper-class. Pre-fix null / "RSA-PSS" / arrays fell through to
-      // crypto.verify with Ed25519 defaults, producing either an opaque
-      // verify-throw or a downgrade-bait acceptance path.
       if (sigDoc.algorithm !== "Ed25519") {
         return {
           file: f,
@@ -4002,8 +4436,6 @@ function cmdAttest(runner, args, runOpts, pretty) {
         };
       }
       if (!pubKey) return { file: f, signed: true, verified: false, reason: "no public key at keys/public.pem to verify against" };
-      // C: normalize before crypto.verify — mirrors the signer
-      // path so the verify pair is byte-stable across CRLF / BOM churn.
       const rawContent = fs.readFileSync(path.join(dir, f), "utf8");
       const content = normalizeAttestationBytes(rawContent);
       try {
@@ -4014,33 +4446,58 @@ function cmdAttest(runner, args, runOpts, pretty) {
       } catch (e) {
         return { file: f, signed: true, verified: false, reason: `verify error: ${e.message}` };
       }
-    });
-    // R-F1: when ANY result is signed-but-failed-verify, surface ok:false
-    // AND set exit 6 for parity with cmdReattest's TAMPERED code. Pre-fix,
-    // `attest verify` emitted {verb, session_id, results} without ok:false
-    // and exited 0 — operators piping through `set -e` saw no failure
-    // signal even when an attestation had been forged. emit()'s ok:false
-    // → exitCode = 1 auto-promotion would stop at 1; tamper is distinct
-    // from generic failure, so explicitly raise to 6 (cmdReattest's code).
-    //
-    // 2: extend the tamper predicate to cover the new
-    // tamper_class variants. Pre-fix the predicate was `r.signed && !r.verified`
-    // which missed (a) corrupt-JSON sidecars (signed:false) and (b) "unsigned"
-    // sidecar substitution on hosts with a private key (signed:false). Both
-    // are tamper-class events and must promote to exit 6.
-    const tampered = results.some(r =>
+    };
+
+    // Partition session-dir files by the parsed `kind` field so the verify
+    // output cleanly separates attestations from replay records. Mixing
+    // both into a single `results` array let a replay-record tamper event
+    // promote exit 6 against the operator's expectation that the
+    // attestation itself was the integrity-critical artifact. With the
+    // partition: attestation tamper → exit 6 (operator must investigate);
+    // replay-record tamper → audit-trail warning only (exit stays 0 so
+    // CI gates don't fail on a corrupted audit log they can simply
+    // regenerate via `reattest`).
+    const attResults = [];
+    const replayResults = [];
+    for (const f of files) {
+      let parsed = null;
+      try { parsed = JSON.parse(fs.readFileSync(path.join(dir, f), "utf8")); }
+      catch { /* unparseable JSON — treat as attestation so tamper detection still surfaces */ }
+      const verdict = verifySidecar(f);
+      if (parsed && parsed.kind === "replay") {
+        replayResults.push(Object.assign({ replayed_at: parsed.replayed_at || null }, verdict));
+      } else {
+        attResults.push(Object.assign({ captured_at: parsed && parsed.captured_at || null }, verdict));
+      }
+    }
+    // Deterministic ordering so the output diffs cleanly across runs.
+    attResults.sort((a, b) => (a.captured_at || "").localeCompare(b.captured_at || ""));
+    replayResults.sort((a, b) => (a.replayed_at || "").localeCompare(b.replayed_at || ""));
+
+    const tamperPredicate = (r) =>
       (r.signed && !r.verified)
       || r.tamper_class === "sidecar-corrupt"
       || r.tamper_class === "unsigned-substitution"
-      // KK P1-3: a sidecar whose algorithm field is not "Ed25519" or
-      // "unsigned" is a downgrade-bait substitution; promote to exit 6.
-      || r.tamper_class === "algorithm-unsupported"
-    );
-    const body = { verb: "attest verify", session_id: sessionId, results };
-    if (tampered) {
+      || r.tamper_class === "algorithm-unsupported";
+    const attTampered = attResults.some(tamperPredicate);
+    const replayTampered = replayResults.some(tamperPredicate);
+
+    const body = {
+      verb: "attest verify",
+      session_id: sessionId,
+      results: attResults,
+      replay_results: replayResults,
+    };
+    if (attTampered) {
       body.ok = false;
       body.error = "attest verify: one or more attestations failed Ed25519 verification — possible post-hoc tampering";
-      process.exitCode = 6;
+      process.exitCode = EXIT_CODES.TAMPERED;
+    } else if (replayTampered) {
+      // Replay-record tamper is an audit-trail signal but not an
+      // attestation-integrity violation; surface a warning so operators
+      // see the corruption without promoting the exit code.
+      body.replay_tamper = true;
+      body.warnings = ["one or more replay records failed Ed25519 verification — audit-trail corruption suspected, regenerate via reattest"];
     }
     emit(body, pretty);
     return;
@@ -4442,6 +4899,14 @@ function cmdDoctor(runner, args, runOpts, pretty) {
   const wantJson = !!args.json || !!args.pretty;
   const indent = !!args.pretty;
 
+  // `doctor --exit-codes` dumps the canonical exit-code table as JSON so
+  // operator-facing docs cannot drift from runtime behavior. Short-circuit
+  // before the regular health checks since the dump is informational.
+  if (args["exit-codes"]) {
+    emit({ verb: "doctor", exit_codes: listExitCodes() }, pretty);
+    return;
+  }
+
   // Selective subchecks. If any of the four flags is passed, run only those.
   // If none are passed, run all four plus signing-status.
   const onlySigs = !!args.signatures;
@@ -4651,6 +5116,17 @@ function cmdDoctor(runner, args, runOpts, pretty) {
   // workflows aren't disturbed. Routed through a child process to keep
   // cmdDoctor synchronous + bound the network timeout cleanly.
   if (args["registry-check"]) {
+    // Refuse network egress when air-gap mode is active. Surface as a
+    // skipped check (informational), not an error — the operator opted
+    // into air-gap and would otherwise see a confusing network-error
+    // result from the upstream-check probe.
+    if (runOpts && runOpts.airGap) {
+      checks.registry = {
+        ok: null,
+        skipped: "air-gap",
+        reason: "registry probe disabled in air-gap mode",
+      };
+    } else {
     try {
       const cliPath = path.join(PKG_ROOT, "lib", "upstream-check-cli.js");
       const res = spawnSync(process.execPath, [cliPath, "--timeout", "5000"], {
@@ -4678,6 +5154,7 @@ function cmdDoctor(runner, args, runOpts, pretty) {
     } catch (e) {
       checks.registry = { ok: false, severity: "warn", error: e.message };
     }
+    }
   }
 
   // Walk every check and split: errors (severity error/missing/fail) vs warnings
@@ -4736,10 +5213,15 @@ function cmdDoctor(runner, args, runOpts, pretty) {
   lines.push("exceptd doctor");
   function mark(c, render) {
     if (!c) return;
-    // Three states: ok / warn / error. Bug #61 (v0.11.2) — warn must not be
-    // shown as ok and must count toward the summary so the bottom line
-    // matches the visible icons above.
-    const icon = c.ok && c.severity !== "warn" ? "[ok]" : (c.severity === "warn" ? "[!! warn]" : "[!! fail]");
+    // Four states: ok / warn / error / skipped. `skipped` is informational
+    // (e.g. air-gap mode disabled the network probe) and renders as
+    // [info] so it doesn't read like a failure to operators scanning the
+    // checklist. Three pre-existing states retained.
+    let icon;
+    if (c.skipped) icon = "[info]";
+    else if (c.ok && c.severity !== "warn") icon = "[ok]";
+    else if (c.severity === "warn") icon = "[!! warn]";
+    else icon = "[!! fail]";
     lines.push(`  ${icon} ${render(c)}`);
   }
   mark(checks.signatures, c =>
@@ -4836,8 +5318,9 @@ function cmdListAttestations(runner, args, runOpts, pretty) {
   // Prior behavior silently accepted any string and lexically compared to
   // captured_at, producing 0-result or full-result depending on the string.
   if (args.since != null) {
-    // R-F10: regex BEFORE Date.parse — bare integers like "99" would
-    // otherwise parse as the year 1999 and silently filter wrong eras.
+    // ISO-8601 shape regex BEFORE Date.parse — bare integers like "99"
+    // would otherwise parse as the year 1999 and silently filter wrong
+    // eras.
     const sinceErr = validateIsoSince(args.since);
     if (sinceErr) return emitError(`attest list: ${sinceErr}`, null, pretty);
   }
@@ -4858,6 +5341,11 @@ function cmdListAttestations(runner, args, runOpts, pretty) {
       for (const f of files) {
         try {
           const j = JSON.parse(fs.readFileSync(path.join(sdir, f), "utf8"));
+          // replay-<isoZ>.json records share the session dir with
+          // attestation.json but are not separate sessions. Gate on the
+          // parsed `kind` field rather than filename so a rename cannot
+          // smuggle a replay record into the listing.
+          if (j && j.kind === "replay") continue;
           // v0.12.14: normalized array-set filter (see top of fn).
           if (playbookFilter && !playbookFilter.has(j.playbook_id)) continue;
           if (args.since && (j.captured_at || "") < args.since) continue;
@@ -4919,12 +5407,13 @@ function cmdAiRun(runner, args, runOpts, pretty) {
   if (!playbookId) {
     return emitError("ai-run: missing <playbook> positional argument.", null, pretty);
   }
+  if (refuseInvalidPlaybookId("ai-run", playbookId, pretty)) return;
   let pb;
   try { pb = runner.loadPlaybook(playbookId); }
   catch (e) { return emitError(`ai-run: ${e.message}`, { playbook: playbookId }, pretty); }
   const directiveId = args.directive || (pb.directives[0] && pb.directives[0].id);
   if (!directiveId) {
-    return emitError(`ai-run: playbook ${playbookId} has no directives.`, null, pretty);
+    return refuseNoDirectives("ai-run", playbookId, pretty);
   }
 
   // Compute the informational phases up front — both stream and no-stream
@@ -4935,7 +5424,7 @@ function cmdAiRun(runner, args, runOpts, pretty) {
     directPhase = runner.direct(playbookId, directiveId);
     lookPhase = runner.look(playbookId, directiveId, runOpts);
   } catch (e) {
-    // v0.12.12 (T8): process.exit(1) immediately after a stdout write can
+    // process.exit(1) immediately after a stdout write can
     // truncate buffered output under piped consumers (same class as v0.11.10
     // #100). Use exitCode+return so the JSONL error frame drains. Also write
     // the framed error event so the stdout-only JSONL contract holds — host
@@ -4984,7 +5473,7 @@ function cmdAiRun(runner, args, runOpts, pretty) {
       try { payload = readEvidence(args.evidence); }
       catch (e) { return emitError(`ai-run: failed to read --evidence: ${e.message}`, null, pretty); }
     } else if (hasReadableStdin()) {
-      // EE P1-7: hasReadableStdin() probes via fstat before falling into
+      // hasReadableStdin() probes via fstat before falling into
       // readFileSync(0). Wrapped-stdin test harnesses (isTTY===undefined,
       // size===0) would otherwise hang here.
       // Drain stdin for any evidence event.
@@ -5018,7 +5507,11 @@ function cmdAiRun(runner, args, runOpts, pretty) {
     try {
       result = runner.run(playbookId, directiveId, submission, runOpts);
     } catch (e) {
-      return emitError(`ai-run: runner threw: ${e.message}`, { playbook: playbookId }, pretty);
+      return emitError(
+        `ai-run: internal error (${e && e.message ? e.message : String(e)}). Re-run with --pretty for context; file at https://github.com/blamejs/exceptd-skills/issues if reproducible.`,
+        { playbook: playbookId, verb: "ai-run" },
+        pretty
+      );
     }
     if (!result || result.ok === false) {
       // v0.12.12: same exit-after-write anti-pattern as the pre-stream
@@ -5056,21 +5549,26 @@ function cmdAiRun(runner, args, runOpts, pretty) {
       if (!persistResult.ok && !args["force-overwrite"]) {
         // Collision without --force-overwrite. AI agents typically pass
         // unique session ids each run, so this path is rare but surface
-        // it cleanly via the same JSONL contract. Preserve LOCK_CONTENTION
-        // exit 8 set by persistAttestation when --force-overwrite hit the
-        // lockfile race — don't clobber with exit 3.
+        // it cleanly via the same JSONL contract. Three exit-code classes
+        // (LOCK_CONTENTION / STORAGE_EXHAUSTED / SESSION_ID_COLLISION) so
+        // a host-AI driver can branch on remediation without parsing the
+        // reason string.
         const eventBody = {
           event: "error", reason: persistResult.error,
           existing_attestation: persistResult.existingPath,
         };
         if (persistResult.lock_contention) {
           eventBody.lock_contention = true;
-          eventBody.exit_code = 8;
+          eventBody.exit_code = EXIT_CODES.LOCK_CONTENTION;
         }
-        process.stdout.write(JSON.stringify(eventBody) + "\n");
-        if (!persistResult.lock_contention) {
-          process.exitCode = 3;
+        if (persistResult.storage_exhausted) {
+          eventBody.storage_exhausted = true;
+          eventBody.exit_code = EXIT_CODES.STORAGE_EXHAUSTED;
         }
+        process.stdout.write(JSON.stringify(eventBody) + "\n");
+        if (persistResult.lock_contention) process.exitCode = EXIT_CODES.LOCK_CONTENTION;
+        else if (persistResult.storage_exhausted) process.exitCode = EXIT_CODES.STORAGE_EXHAUSTED;
+        else process.exitCode = EXIT_CODES.SESSION_ID_COLLISION;
         return;
       }
     }
@@ -5174,12 +5672,18 @@ function cmdAiRun(runner, args, runOpts, pretty) {
                             existing_attestation: persistResult.existingPath };
         if (persistResult.lock_contention) {
           eventBody.lock_contention = true;
-          eventBody.exit_code = 8;
+          eventBody.exit_code = EXIT_CODES.LOCK_CONTENTION;
           writeLine(eventBody);
-          return finish(8);
+          return finish(EXIT_CODES.LOCK_CONTENTION);
+        }
+        if (persistResult.storage_exhausted) {
+          eventBody.storage_exhausted = true;
+          eventBody.exit_code = EXIT_CODES.STORAGE_EXHAUSTED;
+          writeLine(eventBody);
+          return finish(EXIT_CODES.STORAGE_EXHAUSTED);
         }
         writeLine(eventBody);
-        return finish(3);
+        return finish(EXIT_CODES.SESSION_ID_COLLISION);
       }
     }
     writeLine({ event: "done", ok: true, session_id: result.session_id, evidence_hash: result.evidence_hash });
@@ -5478,9 +5982,9 @@ function cmdCi(runner, args, runOpts, pretty) {
   const results = [];
   let fail = false;
   let failReasons = [];
-  // F18: track jurisdiction-clock signals separately from generic FAIL so the
-  // exit code can distinguish "detected/escalated" (2) from "regulatory clock
-  // running, operator must notify" (5). Pre-fix the two collapsed into exit 2.
+  // Track jurisdiction-clock signals separately from generic FAIL so the
+  // exit code can distinguish "detected/escalated" (2) from "regulatory
+  // clock running, operator must notify" (5).
   let clockStartedFail = false;
   let clockStartedReasons = [];
 
@@ -5534,11 +6038,10 @@ function cmdCi(runner, args, runOpts, pretty) {
       failReasons.push(`${id}: rwep_delta=${rwepAdj - rwepBase} >= cap=${cap} (classification=inconclusive; operator evidence raised the score)`);
     }
     if (blockOnClock && clockStarted) {
-      // F18: separate "clock started" from generic FAIL. Pre-fix this collapsed
-      // into exit 2 (FAIL), so operators couldn't distinguish "playbook
-      // detected" from "regulatory clock running." Tracked separately and
-      // exit 5 (CLOCK_STARTED) is selected below, taking precedence over
-      // FAIL but not BLOCKED.
+      // Separate "clock started" from generic FAIL: exit 5 (CLOCK_STARTED)
+      // is selected below, taking precedence over FAIL but not BLOCKED, so
+      // operators can distinguish "playbook detected" from "regulatory
+      // clock running."
       clockStartedFail = true;
       clockStartedReasons.push(`${id}: jurisdiction clock started`);
     }
@@ -5558,7 +6061,7 @@ function cmdCi(runner, args, runOpts, pretty) {
   const inconclusiveCount = results.filter(r => r.phases?.detect?.classification === "inconclusive").length;
   const totalForVerdict = results.length;
   const noEvidenceAllInconclusive = !suppliedEvidenceForVerdict && totalForVerdict > 0 && inconclusiveCount === totalForVerdict;
-  // F18: precedence — BLOCKED > CLOCK_STARTED > FAIL > NO_EVIDENCE > PASS.
+  // Precedence: BLOCKED > CLOCK_STARTED > FAIL > NO_EVIDENCE > PASS.
   // CLOCK_STARTED outranks FAIL because the operator explicitly opted into
   // the clock gate (--block-on-jurisdiction-clock); when that gate fires,
   // they want the regulatory-deadline signal even if a detected finding
@@ -5614,11 +6117,11 @@ function cmdCi(runner, args, runOpts, pretty) {
       .filter(n => n && n.clock_started_at != null).length,
     framework_gap_rollup: frameworkGapRollup,
     framework_gap_count: frameworkGapRollup.length,
-    // F13: dedupe jurisdiction-clock notifications across playbooks; see
-    // buildJurisdictionClockRollup. Multi-playbook ci runs were producing
-    // one notification entry per contributing playbook (often 8+) when a
-    // single notification per (jurisdiction, regulation, obligation,
-    // window) was the right shape.
+    // Dedupe jurisdiction-clock notifications across playbooks; see
+    // buildJurisdictionClockRollup. Without this, multi-playbook ci runs
+    // produce one notification entry per contributing playbook (often 8+)
+    // when a single notification per (jurisdiction, regulation,
+    // obligation, window) is the right shape.
     jurisdiction_clock_rollup: buildJurisdictionClockRollup(results),
     verdict: computedVerdict,
     fail_reasons: failReasons,
@@ -5653,9 +6156,14 @@ function cmdCi(runner, args, runOpts, pretty) {
     emit({ verb: "ci", session_id: sessionId, format: fmt, bundles_count: bundles.length, bundles }, pretty);
   } else if (fmt && fmt !== "json") {
     // v0.11.4 (#76): garbage format rejected with structured error, not silent empty stdout.
-    // v0.12.14: exitCode + return; matches the emitError class fix.
-    process.stderr.write(JSON.stringify({ ok: false, error: `ci: --format "${fmt}" not in accepted set ["summary","markdown","csaf-2.0","sarif","openvex","json"].`, verb: "ci" }) + "\n");
-    process.exitCode = 2;
+    // Route through emitError so the body propagates exit codes via the
+    // emit() ok:false contract. ci-format-typo is operator-decision class
+    // (GENERIC_FAILURE), not DETECTED_ESCALATE.
+    emitError(
+      `ci: --format "${fmt}" not in accepted set ["summary","markdown","csaf-2.0","sarif","openvex","json"].`,
+      { verb: "ci" },
+      pretty
+    );
     return;
   } else {
     emit({ verb: "ci", session_id: sessionId, playbooks_run: ids, summary, results }, pretty);
@@ -5678,30 +6186,30 @@ function cmdCi(runner, args, runOpts, pretty) {
   // actually evaluate signals, so it can't be a true detection.
   if (summary.blocked > 0) {
     const blockedReasons = failReasons.filter(r => r.includes("blocked"));
-    process.stderr.write(`[exceptd ci] BLOCKED: ${summary.blocked}/${summary.total} playbook(s) halted before detect. Exit 4. Reasons:\n  ${blockedReasons.join("\n  ")}\n`);
-    process.exitCode = 4;
+    process.stderr.write(`[exceptd ci] BLOCKED: ${summary.blocked}/${summary.total} playbook(s) halted before detect. Exit ${EXIT_CODES.BLOCKED}. Reasons:\n  ${blockedReasons.join("\n  ")}\n`);
+    process.exitCode = EXIT_CODES.BLOCKED;
     return;
   }
-  // F18: precedence BLOCKED > CLOCK_STARTED > FAIL. The operator opted into
+  // Precedence: BLOCKED > CLOCK_STARTED > FAIL. The operator opted into
   // --block-on-jurisdiction-clock; when a clock fires, that's the gate
   // result they want to see at the exit-code layer. Per-playbook detected
   // findings remain in the body for them to investigate.
   if (clockStartedFail) {
-    process.stderr.write(`[exceptd ci] CLOCK_STARTED: ${clockStartedReasons.join("; ")}. Exit 5.\n`);
-    process.exitCode = 5;
+    process.stderr.write(`[exceptd ci] CLOCK_STARTED: ${clockStartedReasons.join("; ")}. Exit ${EXIT_CODES.JURISDICTION_CLOCK_STARTED}.\n`);
+    process.exitCode = EXIT_CODES.JURISDICTION_CLOCK_STARTED;
     return;
   }
   if (fail) {
     process.stderr.write(`[exceptd ci] FAIL: ${failReasons.join("; ")}\n`);
     // v0.11.11: exitCode + return so emit()'s stdout flushes.
-    process.exitCode = 2;
+    process.exitCode = EXIT_CODES.DETECTED_ESCALATE;
     return;
   }
   const suppliedEvidence = args.evidence || args["evidence-dir"];
   const allInconclusive = summary.inconclusive === summary.total && summary.total > 0;
   if (!suppliedEvidence && allInconclusive) {
-    process.stderr.write(`[exceptd ci] WARN: no --evidence supplied and all ${summary.total} playbook(s) returned inconclusive. CI exit 3 = "ran but never had real data." Pass --evidence <file> or --evidence-dir <dir> for a real gate.\n`);
-    process.exitCode = 3;
+    process.stderr.write(`[exceptd ci] WARN: no --evidence supplied and all ${summary.total} playbook(s) returned inconclusive. CI exit ${EXIT_CODES.RAN_NO_EVIDENCE} = "ran but never had real data." Pass --evidence <file> or --evidence-dir <dir> for a real gate.\n`);
+    process.exitCode = EXIT_CODES.RAN_NO_EVIDENCE;
   }
 }