@blamejs/exceptd-skills 0.12.23 → 0.12.25

package/lib/playbook-runner.js

@@ -47,6 +47,7 @@ const fs = require('fs');
 const path = require('path');
 const os = require('os');
 const crypto = require('crypto');
+const scoring = require('./scoring');
 
 // cross-ref-api wraps catalog reads. If cve-catalog.json is corrupt
 // JSON, cross-ref-api's loadCatalog (post-v0.12.14) catches the parse
@@ -89,6 +90,61 @@ const PLAYBOOK_DIR = process.env.EXCEPTD_PLAYBOOK_DIR || path.join(ROOT, 'data',
 // platform integration, not the runner.
 const _activeRuns = new Set();
 
+// Bounded push into a runtime_errors array with per-kind caps, optional
+// per-kind dedupe, and a total cap. A long-running detect/analyze loop that
+// rejects a malformed catalog entry on every iteration would otherwise let
+// runtime_errors grow unbounded and balloon the bundle output. When the cap
+// fires the helper records a `_truncated` sentinel so downstream consumers
+// see the drop without needing to compare cardinalities.
+//
+//   opts.cap        per-kind cap (default 100)
+//   opts.totalCap   total array cap (default 1000)
+//   opts.dedupeKey  optional fn(entry) returning a string key. When supplied,
+//                   a push with the same (kind, dedupeKey) tuple is skipped.
+//
+// Returns true if the entry was pushed, false otherwise (capped or deduped).
+function pushRunError(arr, entry, opts) {
+  if (!Array.isArray(arr) || !entry || typeof entry !== 'object') return false;
+  opts = opts || {};
+  const cap = typeof opts.cap === 'number' ? opts.cap : 100;
+  const totalCap = typeof opts.totalCap === 'number' ? opts.totalCap : 1000;
+  const kind = entry.kind;
+  if (typeof opts.dedupeKey === 'function' && kind) {
+    const dk = opts.dedupeKey(entry);
+    if (arr.some(e => e && e.kind === kind && opts.dedupeKey(e) === dk)) {
+      return false;
+    }
+  }
+  const total = arr.length;
+  const kindCount = kind ? arr.filter(e => e && e.kind === kind).length : 0;
+  const overTotal = total >= totalCap;
+  const overKind = kind && kindCount >= cap;
+  if (overTotal || overKind) {
+    const reason = overKind ? 'per-kind-cap' : 'total-cap';
+    const existing = arr.find(e => e && e.kind === '_truncated' && e.truncated_kind === (kind || null) && e.reason === reason);
+    if (existing) {
+      existing.dropped = (existing.dropped || 0) + 1;
+    } else {
+      arr.push({ kind: '_truncated', truncated_kind: kind || null, dropped: 1, reason });
+    }
+    return false;
+  }
+  arr.push(entry);
+  return true;
+}
+
+// Unwrap a legacy `{ _regex_eval_error: { source, expr, message } }` record
+// into the flat fields pushRunError dedupes on. Used by evalCondition()'s
+// regex-failure path so per-(source, expr) duplicates collapse to one entry
+// plus a `_truncated` sentinel when the cap fires.
+function _regexErrorPayload(rec) {
+  if (rec && typeof rec === 'object' && rec._regex_eval_error) {
+    const { source, expr, message } = rec._regex_eval_error;
+    return { source, expr, message, _regex_eval_error: rec._regex_eval_error };
+  }
+  return { _regex_eval_error: rec };
+}
+
 // --- catalog access ---
 
 function listPlaybooks() {
@@ -618,11 +674,11 @@ function detect(playbookId, directiveId, agentSubmission = {}, runOpts = {}) {
           verdict = 'inconclusive';
           fpChecksUnsatisfied = ind.false_positive_checks_required.slice();
           if (runOpts && Array.isArray(runOpts._runErrors)) {
-            runOpts._runErrors.push({
+            pushRunError(runOpts._runErrors, {
               kind: 'fp_attestation_threw',
               indicator_id: ind.id,
               message: (e && e.message) ? String(e.message) : String(e),
-            });
+            }, { dedupeKey: e => e.indicator_id || '' });
           }
         }
       }
@@ -675,12 +731,12 @@ function detect(playbookId, directiveId, agentSubmission = {}, runOpts = {}) {
   const overrideIsInAllowlist = overrideIsString && validOverrides.has(rawOverride);
   if (rawOverride !== undefined && rawOverride !== null && !overrideIsInAllowlist) {
     if (runOpts && Array.isArray(runOpts._runErrors)) {
-      runOpts._runErrors.push({
+      pushRunError(runOpts._runErrors, {
         kind: 'classification_override_invalid',
         supplied: rawOverride,
         allowed: ['detected', 'inconclusive', 'not_detected', 'clean'],
         reason: 'signals.detection_classification must be one of the allowlist values exactly (case-sensitive, no surrounding whitespace). Override ignored; engine-computed classification used.',
-      });
+      }, { dedupeKey: e => String(e.supplied) });
     }
   }
   const override = overrideIsInAllowlist ? rawOverride : undefined;
@@ -706,7 +762,7 @@ function detect(playbookId, directiveId, agentSubmission = {}, runOpts = {}) {
       const attempted = override; // record what the operator submitted, not the mapped form
       classification = substituted;
       if (runOpts && Array.isArray(runOpts._runErrors)) {
-        runOpts._runErrors.push({
+        pushRunError(runOpts._runErrors, {
           kind: 'classification_override_blocked',
           attempted,
           substituted,
@@ -714,7 +770,7 @@ function detect(playbookId, directiveId, agentSubmission = {}, runOpts = {}) {
           indicators_with_unsatisfied_fp_checks: indicatorResults
             .filter(r => Array.isArray(r.fp_checks_unsatisfied) && r.fp_checks_unsatisfied.length > 0)
             .map(r => ({ id: r.id, fp_checks_unsatisfied_count: r.fp_checks_unsatisfied.length })),
-        });
+        }, { dedupeKey: e => String(e.attempted) });
       }
     }
   } else if (hasDeterministicHit || hasHighConfHit) {
@@ -827,7 +883,7 @@ function analyze(playbookId, directiveId, detectResult, agentSignals = {}, runOp
     try { return xref.byCve(id); }
     catch (e) {
       if (Array.isArray(runOpts._runErrors)) {
-        runOpts._runErrors.push({ kind: 'xref', cve_id: id, message: (e && e.message) ? String(e.message) : String(e) });
+        pushRunError(runOpts._runErrors, { kind: 'xref', cve_id: id, message: (e && e.message) ? String(e.message) : String(e) }, { dedupeKey: e => e.cve_id || '' });
       }
       return { found: false, cve_id: id };
     }
@@ -1037,7 +1093,7 @@ function analyze(playbookId, directiveId, detectResult, agentSignals = {}, runOp
     } else {
       blastRadiusSignal = 'rejected';
       if (Array.isArray(runOpts._runErrors)) {
-        runOpts._runErrors.push({ kind: 'blast_radius_invalid', supplied: raw, reason: 'expected number in [0, 5]' });
+        pushRunError(runOpts._runErrors, { kind: 'blast_radius_invalid', supplied: raw, reason: 'expected number in [0, 5]' }, { dedupeKey: e => String(e.supplied) });
       }
     }
   }
@@ -1143,11 +1199,11 @@ function analyze(playbookId, directiveId, detectResult, agentSignals = {}, runOp
   if (theaterVerdict === 'clean' || theaterVerdict === 'no_theater') theaterVerdict = 'clear';
   if (theaterVerdict !== undefined && theaterVerdict !== null && !_theaterAllowlist.has(theaterVerdict)) {
     if (Array.isArray(runOpts._runErrors)) {
-      runOpts._runErrors.push({
+      pushRunError(runOpts._runErrors, {
         kind: 'theater_verdict_invalid',
         supplied: theaterVerdict,
         allowed: Array.from(_theaterAllowlist),
-      });
+      }, { dedupeKey: e => String(e.supplied) });
     }
     theaterVerdict = undefined;
   }
@@ -1517,7 +1573,7 @@ function close(playbookId, directiveId, analyzeResult, validateResult, agentSign
         try { findingShape = analyzeFindingShape(analyzeResult); }
         catch (e) {
           if (Array.isArray(runOpts._runErrors)) {
-            runOpts._runErrors.push({ kind: 'analyze_shape', message: (e && e.message) ? String(e.message) : String(e) });
+            pushRunError(runOpts._runErrors, { kind: 'analyze_shape', message: (e && e.message) ? String(e.message) : String(e) }, { dedupeKey: e => e.message || '' });
           }
           findingShape = {};
         }
@@ -1734,6 +1790,121 @@ function analyzeFindingShape(a) {
   };
 }
 
+// Route a vulnerability identifier to its registry-specific URN namespace.
+// CVE-/GHSA-/RUSTSEC-/MAL-* identifiers each have a registered URN namespace;
+// unrecognised prefixes route to the `urn:exceptd:advisory:` private
+// namespace so OpenVEX statements still carry a valid IRI per RFC 8141.
+function vulnIdToUrn(id) {
+  const slug = urnSlug(id);
+  if (typeof id !== 'string' || id.length === 0) return `urn:exceptd:advisory:${slug}`;
+  if (/^CVE-/i.test(id)) return `urn:cve:${slug}`;
+  if (/^GHSA-/i.test(id)) return `urn:ghsa:${slug}`;
+  if (/^RUSTSEC-/i.test(id)) return `urn:rustsec:${slug}`;
+  if (/^MAL-/i.test(id)) return `urn:malicious-package:${slug}`;
+  return `urn:exceptd:advisory:${slug}`;
+}
+
+// Build a CSAF product_tree.branches[] tree (vendor → product_name →
+// product_version). Sources of vendor/product/version, in priority order:
+//   (1) catalog entry `affected_products: [{ vendor, product, version }]`
+//   (2) heuristic parse of `affected_components[]` strings — accepts
+//       `vendor/product@version` and `vendor product version` shapes.
+// Unparseable component strings emit a `csaf_branch_unparseable` runtime
+// error and are dropped from the tree. Sort alphabetical at each level so
+// the output is deterministic across runs.
+//
+// Returns `{ branches, productIds }`. productIds is a stable enumeration
+// CSAFPID-0..N keyed by (vendor, product, version) insertion order so other
+// emit paths can reference the leaf products by id later.
+function buildCsafBranches(matchedCves, runOpts) {
+  // Build a (vendor → product → Set<version>) map.
+  const tree = new Map();
+  const addLeaf = (vendor, product, version) => {
+    if (!vendor || !product || !version) return;
+    if (!tree.has(vendor)) tree.set(vendor, new Map());
+    const products = tree.get(vendor);
+    if (!products.has(product)) products.set(product, new Set());
+    products.get(product).add(version);
+  };
+
+  // Heuristic parser. Returns { vendor, product, version } or null.
+  const parseComponentString = (s) => {
+    if (typeof s !== 'string' || !s.trim()) return null;
+    const trimmed = s.trim();
+    // `vendor/product@version`
+    let m = trimmed.match(/^([^/\s@]+)\/([^/\s@]+)@(.+)$/);
+    if (m) return { vendor: m[1], product: m[2], version: m[3].trim() };
+    // `vendor product version` — exactly three whitespace-separated tokens
+    // where the last token starts with a digit or `v\d`.
+    const parts = trimmed.split(/\s+/);
+    if (parts.length >= 3) {
+      const last = parts[parts.length - 1];
+      if (/^v?\d/.test(last)) {
+        return { vendor: parts[0], product: parts.slice(1, -1).join(' '), version: last };
+      }
+    }
+    return null;
+  };
+
+  for (const c of matchedCves || []) {
+    if (Array.isArray(c.affected_products) && c.affected_products.length > 0) {
+      for (const ap of c.affected_products) {
+        if (ap && typeof ap === 'object' && ap.vendor && ap.product && ap.version) {
+          addLeaf(String(ap.vendor), String(ap.product), String(ap.version));
+        }
+      }
+      continue;
+    }
+    const components = Array.isArray(c.affected_components) ? c.affected_components
+      : (Array.isArray(c.affected_versions) ? c.affected_versions : []);
+    for (const comp of components) {
+      const parsed = parseComponentString(comp);
+      if (parsed) {
+        addLeaf(parsed.vendor, parsed.product, parsed.version);
+      } else if (typeof comp === 'string' && comp.trim() && runOpts && Array.isArray(runOpts._runErrors)) {
+        pushRunError(runOpts._runErrors, {
+          kind: 'csaf_branch_unparseable',
+          component: String(comp),
+          cve_id: c.cve_id || null,
+        }, { dedupeKey: e => `${e.cve_id || ''}::${e.component}` });
+      }
+    }
+  }
+
+  // Sort + emit.
+  const productIds = [];
+  let pidCounter = 0;
+  const vendors = Array.from(tree.keys()).sort();
+  const branches = vendors.map(vendor => {
+    const products = tree.get(vendor);
+    const productNames = Array.from(products.keys()).sort();
+    return {
+      category: 'vendor',
+      name: vendor,
+      branches: productNames.map(product => {
+        const versions = Array.from(products.get(product)).sort();
+        return {
+          category: 'product_name',
+          name: product,
+          branches: versions.map(version => {
+            const pid = `CSAFPID-${pidCounter++}`;
+            productIds.push({ vendor, product, version, product_id: pid });
+            return {
+              category: 'product_version',
+              name: version,
+              product: {
+                name: `${vendor}/${product}@${version}`,
+                product_id: pid,
+              },
+            };
+          }),
+        };
+      }),
+    };
+  });
+  return { branches, productIds };
+}
+
 // Slugify a string into a URN-safe segment ([a-z0-9_-]+ per RFC 8141 NSS).
 // Empty input → 'unknown' so we never emit zero-length segments.
 function urnSlug(s) {
@@ -1866,6 +2037,50 @@ function sanitizeOperatorText(s) {
   return cps.slice(0, 256).join('');
 }
 
+/**
+ * Build a single evidence bundle in the requested machine-readable format.
+ *
+ * Positional contract — the seven phase functions cache the closure over
+ * `playbook`, `analyze`, and `validate` so consumers don't reach into the
+ * runner's intermediate state. Library callers that bypass close() (e.g.
+ * external dashboards re-rendering a stored attestation) MUST honor the
+ * same parameter order, names, and types.
+ *
+ * @param {string}   format        Output dialect. One of: 'csaf-2.0',
+ *                                 'sarif' / 'sarif-2.1.0', 'openvex' /
+ *                                 'openvex-0.2.0', 'summary', 'markdown'.
+ *                                 Unknown values return a stub with
+ *                                 supported_formats so callers can branch.
+ * @param {object}   playbook      Playbook record loaded via loadPlaybook().
+ *                                 Provides _meta.id / version, domain.name,
+ *                                 phases.look.artifacts (for SARIF
+ *                                 locations), and feeds_into / mutex.
+ * @param {object}   analyze      Output of analyze(). Carries matched_cves,
+ *                                 _detect_indicators, framework_gap_mapping,
+ *                                 rwep, blast_radius_score,
+ *                                 _detect_classification.
+ * @param {object}   validate     Output of validate(). Carries
+ *                                 selected_remediation, remediation_paths,
+ *                                 evidence_requirements,
+ *                                 residual_risk_statement.
+ * @param {object}   agentSignals Agent-submitted signals (signal_overrides
+ *                                 merged + cleaned). Drives the OpenVEX
+ *                                 vex_status:'fixed' attestation trail and
+ *                                 the CSAF cvss_v3 score-block gate.
+ * @param {string}   sessionId    Run session id (threaded from run()).
+ *                                 Becomes part of CSAF tracking.id,
+ *                                 OpenVEX @id, and the on-disk attestation
+ *                                 file name so all three correlate.
+ * @param {string=}  issuedAt     Optional ISO 8601 timestamp. Pinning this
+ *                                 across multi-format emits keeps CSAF /
+ *                                 OpenVEX / SARIF agreed on milliseconds;
+ *                                 each call would otherwise crystallise a
+ *                                 fresh Date.now().
+ * @param {object=}  runOpts      Operator / library knobs. Recognised
+ *                                 fields: operator, publisherNamespace,
+ *                                 csafStatus, tlp, _runErrors accumulator.
+ * @returns {object}              The requested format's document body.
+ */
 function buildEvidenceBundle(format, playbook, analyze, validate, agentSignals, sessionId, issuedAt, runOpts) {
   runOpts = runOpts || {};
   const playbookSlug = urnSlug(playbook._meta.id);
@@ -1977,14 +2192,11 @@ function buildEvidenceBundle(format, playbook, analyze, validate, agentSignals,
         idEntry = csafIdsFor(c.cve_id);
         if (idEntry == null) {
           if (Array.isArray(runOpts._runErrors)) {
-            const alreadyMissing = runOpts._runErrors.some(e => e && e.kind === 'bundle_cve_id_missing');
-            if (!alreadyMissing) {
-              runOpts._runErrors.push({
-                kind: 'bundle_cve_id_missing',
-                reason: 'A matched_cves[] entry has no string cve_id (null / undefined / non-string). The CSAF vulnerability entry was omitted to avoid emitting literal "null" / "undefined" text under vulnerabilities[].ids[].',
-                remediation: 'Inspect the CVE catalog feed that produced this match; the upstream record is missing its identifier and should be refreshed or excluded.'
-              });
-            }
+            pushRunError(runOpts._runErrors, {
+              kind: 'bundle_cve_id_missing',
+              reason: 'A matched_cves[] entry has no string cve_id (null / undefined / non-string). The CSAF vulnerability entry was omitted to avoid emitting literal "null" / "undefined" text under vulnerabilities[].ids[].',
+              remediation: 'Inspect the CVE catalog feed that produced this match; the upstream record is missing its identifier and should be refreshed or excluded.'
+            }, { dedupeKey: () => 'singleton' });
           }
           return null;
         }
@@ -2004,17 +2216,25 @@ function buildEvidenceBundle(format, playbook, analyze, validate, agentSignals,
       // for non-3.x vectors and surface a runtime_error so operators can
       // see why their CVSS data didn't make it through.
       const hasCvss = typeof c.cvss_score === 'number' && typeof c.cvss_vector === 'string' && c.cvss_vector.length > 0;
-      const vectorVersion = hasCvss ? csafCvssVersionFromVector(c.cvss_vector) : null;
-      const cvssV3Eligible = hasCvss && (vectorVersion === '3.0' || vectorVersion === '3.1');
+      // Strict CVSS 3.1 parse (lib/scoring.parseCvss31Vector). The pre-fix
+      // permissive regex accepted any CVSS:X.Y/... prefix and would emit a
+      // cvss_v3 block keyed off a malformed vector — strict validators
+      // (BSI CSAF Validator, ENISA dashboard) then reject the whole
+      // document. Strict parse failures surface as a `csaf_cvss_invalid`
+      // runtime_error, the cvss_v3 block is omitted, and the rest of the
+      // vulnerability entry (product_status, remediations, etc.) survives.
+      let strictParse = null;
+      if (hasCvss) {
+        strictParse = scoring.parseCvss31Vector(c.cvss_vector);
+      }
+      const vectorVersion = hasCvss ? (strictParse && strictParse.version) : null;
+      const cvssV3Eligible = !!(hasCvss && strictParse && strictParse.ok);
       if (hasCvss && !cvssV3Eligible && Array.isArray(runOpts._runErrors)) {
-        const alreadyUnsup = runOpts._runErrors.some(e => e && e.kind === 'bundle_cvss_v3_version_unsupported');
-        if (!alreadyUnsup) {
-          runOpts._runErrors.push({
-            kind: 'bundle_cvss_v3_version_unsupported',
-            reason: `Catalog entry carries CVSS vector with version ${vectorVersion}; CSAF 2.0 cvss_v3 block only accepts versions 3.0 / 3.1. The score block was omitted from this vulnerability to keep the document valid against strict CSAF validators.`,
-            remediation: 'Backfill a CVSS 3.1 vector against this CVE in the catalog, or wait for CSAF 2.1 (cvss_v4 support) — exceptd targets CSAF 2.0 today.'
-          });
-        }
+        pushRunError(runOpts._runErrors, {
+          kind: 'csaf_cvss_invalid',
+          cve_id: c.cve_id,
+          reason: (strictParse && strictParse.reason) || 'cvss_vector failed strict CVSS 3.1 parse',
+        }, { dedupeKey: e => e.cve_id || 'unknown' });
       }
       const scores = cvssV3Eligible ? [{
         products: [productId],
@@ -2106,14 +2326,11 @@ function buildEvidenceBundle(format, playbook, analyze, validate, agentSignals,
     // De-dupe: only push once per bundle-build pass (multi-format emit
     // builds CSAF once via memoization, so this fires at most once per run).
     if (publisherNamespaceSource === 'fallback' && Array.isArray(runOpts._runErrors)) {
-      const already = runOpts._runErrors.some(e => e && e.kind === 'bundle_publisher_unclaimed');
-      if (!already) {
-        runOpts._runErrors.push({
-          kind: 'bundle_publisher_unclaimed',
-          reason: 'CSAF document.publisher.namespace fell back to urn:exceptd:operator:unknown because no --publisher-namespace and no URL-shaped --operator were supplied. Operator attribution is unclaimed on this advisory.',
-          remediation: 'Re-run with --publisher-namespace <https-url> (or a URL-shaped --operator).'
-        });
-      }
+      pushRunError(runOpts._runErrors, {
+        kind: 'bundle_publisher_unclaimed',
+        reason: 'CSAF document.publisher.namespace fell back to urn:exceptd:operator:unknown because no --publisher-namespace and no URL-shaped --operator were supplied. Operator attribution is unclaimed on this advisory.',
+        remediation: 'Re-run with --publisher-namespace <https-url> (or a URL-shaped --operator).'
+      }, { dedupeKey: () => 'singleton' });
     }
 
     // thread the validated --operator name into
@@ -2141,6 +2358,16 @@ function buildEvidenceBundle(format, playbook, analyze, validate, agentSignals,
       ? runOpts.csafStatus
       : 'interim';
 
+    // CSAF §3.1.4 `distribution.tlp`. Optional. When the operator supplies
+    // `--tlp <label>` (threaded as runOpts.tlp), emit
+    // distribution.tlp.label + distribution.text. CSAF allows omission of
+    // the whole distribution block when no level is declared; the
+    // pre-fix runner had no surface for this at all.
+    const allowedTlp = new Set(['CLEAR', 'GREEN', 'AMBER', 'AMBER+STRICT', 'RED']);
+    const csafDistribution = (runOpts.tlp && allowedTlp.has(runOpts.tlp))
+      ? { tlp: { label: runOpts.tlp }, text: `TLP:${runOpts.tlp}` }
+      : null;
+
     return {
       document: {
         category: 'csaf_security_advisory',
@@ -2148,6 +2375,7 @@ function buildEvidenceBundle(format, playbook, analyze, validate, agentSignals,
         publisher: publisherBlock,
         title: `exceptd finding: ${playbook.domain.name} (${analyze.matched_cves.length} CVE(s), ${indicatorHits.length} indicator hit(s), ${(analyze.framework_gap_mapping || []).length} framework gap(s))`,
         notes: [...namespaceFallbackNote, ...gapNotes],
+        ...(csafDistribution ? { distribution: csafDistribution } : {}),
         tracking: {
           // F2/F9: CSAF tracking.id binds to the run's session_id (threaded
           // from run() via close()) so attestation file names, OpenVEX
@@ -2169,7 +2397,19 @@ function buildEvidenceBundle(format, playbook, analyze, validate, agentSignals,
           revision_history: [{ number: '1', date: now, summary: 'Initial finding emission' }]
         }
       },
-      product_tree: { full_product_names: fullProductNames },
+      product_tree: (function () {
+        // Synthesize a 3-level branches tree (vendor → product → version)
+        // from catalog data. CSAF §3.1.5.1 makes branches[] strongly
+        // recommended for csaf_security_advisory documents because NVD /
+        // ENISA / Red Hat dashboards render the affected-product list off
+        // the branches tree, not full_product_names[]. The pre-fix tree
+        // emitted only the synthetic exceptd-target product and operators
+        // browsing the rendered advisory saw no real-world vendor surface.
+        const { branches } = buildCsafBranches(analyze.matched_cves || [], runOpts);
+        const tree = { full_product_names: fullProductNames };
+        if (branches.length > 0) tree.branches = branches;
+        return tree;
+      })(),
       vulnerabilities: [...cveVulns, ...indicatorVulns],
       exceptd_extension: {
         classification: analyze._detect_classification,
@@ -2273,7 +2513,7 @@ function buildEvidenceBundle(format, playbook, analyze, validate, agentSignals,
           rules: [...cveRules, ...indicatorRules, ...gapRules],
         } },
         results: [...cveResults, ...indicatorResults, ...gapResults],
-        invocations: [{ executionSuccessful: true, properties: stripNulls({
+        invocations: [{ executionSuccessful: (analyze._detect_classification !== 'inconclusive'), properties: stripNulls({
           // Apply the stripNulls contract here too — the `remediation`
           // field is null for any run that didn't surface a
           // selected_remediation, and SARIF viewers render null property
@@ -2336,13 +2576,27 @@ function buildEvidenceBundle(format, playbook, analyze, validate, agentSignals,
     // operator declared `vex_status: fixed` on the matched CVE.
     const cveStatements = analyze.matched_cves.map(c => {
       const stmt = {
-        vulnerability: { '@id': `urn:cve:${urnSlug(c.cve_id)}`, name: c.cve_id },
+        vulnerability: { '@id': vulnIdToUrn(c.cve_id), name: c.cve_id },
         products: [productEntry],
         timestamp: issued,
         impact_statement: `RWEP ${c.rwep}. Blast radius ${analyze.blast_radius_score}/5.`,
       };
       if (c.vex_status === 'fixed') {
         stmt.status = 'fixed';
+        // OpenVEX 0.2.0 §4.1: `fixed` is an operator-attested resolution,
+        // not a global vendor flag. Augment the impact_statement with an
+        // evidence trail so downstream supply-chain consumers can chase
+        // the attestation back to the operator's submitted evidence.
+        // Short-hash is deterministic for the same (cve_id, signals)
+        // input — re-emitting the bundle for the same submission yields
+        // the same trail.
+        const trailSrc = canonicalStringify({
+          cve_id: c.cve_id,
+          vex_status: 'fixed',
+          signals: agentSignals && typeof agentSignals === 'object' ? agentSignals : {},
+        });
+        const shortHash = crypto.createHash('sha256').update(trailSrc).digest('hex').slice(0, 16);
+        stmt.impact_statement = `${stmt.impact_statement} Operator verified fixed via evidence_hash=${shortHash}.`;
       } else {
         stmt.status = 'affected';
         stmt.action_statement = actionStatementFor(c.live_patch_available
@@ -2467,11 +2721,11 @@ function normalizeSubmission(submission, playbook) {
   if (submission.signal_overrides !== undefined && submission.signal_overrides !== null
       && (typeof submission.signal_overrides !== 'object' || Array.isArray(submission.signal_overrides))) {
     if (!submission._runErrors) submission._runErrors = [];
-    submission._runErrors.push({
+    pushRunError(submission._runErrors, {
       kind: 'signal_overrides_invalid',
       supplied_type: Array.isArray(submission.signal_overrides) ? 'array' : typeof submission.signal_overrides,
       reason: 'signal_overrides must be a plain object mapping indicator-id → verdict.'
-    });
+    }, { dedupeKey: e => String(e.supplied_type) });
     submission = { ...submission, signal_overrides: {} };
   }
 
@@ -2761,8 +3015,18 @@ function run(playbookId, directiveId, agentSubmission = {}, runOpts = {}) {
     // regex failure in the run. De-dupe by JSON shape so the analyze-time
     // snapshot doesn't double-count.
     if (runErrors.length && phases.analyze) {
-      const existing = new Set((phases.analyze.runtime_errors || []).map(e => JSON.stringify(e)));
-      const additions = runErrors.filter(e => !existing.has(JSON.stringify(e)));
+      // `_truncated` sentinels are pushed by pushRunError when a per-kind
+      // or total cap fires. They aggregate via in-place `dropped` increments,
+      // so the same sentinel object is BOTH in the analyze snapshot AND in
+      // the late-push `runErrors` ref. Skip them on the dedupe-merge pass
+      // to keep the snapshot's authoritative dropped-count, rather than
+      // double-stamping a second sentinel with the same `dropped` value.
+      const existing = new Set(
+        (phases.analyze.runtime_errors || [])
+          .filter(e => !(e && e.kind === '_truncated'))
+          .map(e => JSON.stringify(e))
+      );
+      const additions = runErrors.filter(e => !(e && e.kind === '_truncated') && !existing.has(JSON.stringify(e)));
       if (additions.length) {
         phases.analyze.runtime_errors = (phases.analyze.runtime_errors || []).concat(additions);
       }
@@ -2949,8 +3213,19 @@ function evalCondition(expr, ctx, playbook) {
       // Two sites where ctx may carry an accumulator: runOpts._runErrors
       // (threaded from run()) or ctx._runErrors directly. Prefer the runOpts
       // form; fall back to ctx.
-      if (ctx && Array.isArray(ctx._runErrors)) ctx._runErrors.push(errorRec);
-      else if (playbook && Array.isArray(playbook._runErrors)) playbook._runErrors.push(errorRec);
+      // Tag with a `kind` so pushRunError can apply per-kind cap + dedupe
+      // (same source+expr regex error firing N times per playbook would
+      // otherwise spam runtime_errors). The original `_regex_eval_error`
+      // payload is preserved for backward compatibility.
+      const taggedErr = { kind: 'regex_eval_error', ..._regexErrorPayload(errorRec) };
+      const target = (ctx && Array.isArray(ctx._runErrors)) ? ctx._runErrors
+        : (playbook && Array.isArray(playbook._runErrors)) ? playbook._runErrors
+        : null;
+      if (target) {
+        pushRunError(target, taggedErr, {
+          dedupeKey: x => `${x.source || ''}::${x.expr || ''}`,
+        });
+      }
       return false;
     }
   }