@blamejs/exceptd-skills 0.12.29 → 0.12.31

package/CHANGELOG.md

@@ -1,5 +1,60 @@
 # Changelog
 
+## 0.12.31 — 2026-05-15
+
+CLI ergonomics + 30-day CVE intake from the cycle 11 audit. Closes a silent-misrouting bug in the CI gate and adds six high-impact CVEs that landed on CISA KEV between 2026-04-15 and 2026-05-15.
+
+### Bugs
+
+**`exceptd ci <playbook>` no longer silently runs the wrong playbook.** Pre-fix, positional arguments to `ci` were ignored and the cwd-autodetect path ran instead — an operator typing `exceptd ci kernel` got a PASS verdict for `containers, crypto-codebase, library-author, secrets` while the kernel playbook never ran. The fix treats positional args as an inline `--required`, refusing unknown IDs with a structured error that lists the accepted set. New `tests/ci-positional-args.test.js` pins the contract with exact-array assertions on `playbooks_run`.
+
+**`run` preflight refusal now points operators at `--evidence`.** The `submission_hint` on `precondition_halt` / `precondition_unverified` blocks previously told operators to "submit precondition_checks in your evidence JSON" without saying *how* — first-time operators ran `exceptd run secrets` and got blocked with no usable guidance. Hint now reads "Pass via --evidence <file.json> or pipe to stdin with --evidence -."
+
+**`exceptd --help` text corrected.** Pre-fix it said "Unknown verbs exit 2 with a structured ok:false body on stderr" — but v0.12.29 split unknown-command refusals to exit 10 (`EXIT_CODES.UNKNOWN_COMMAND`). Help text now matches runtime: "Unknown verbs exit 10 (UNKNOWN_COMMAND)... Exit 2 means a verb ran and detected an escalation-worthy finding (DETECTED_ESCALATE)."
+
+### Features
+
+**Six new CVEs in the catalog**, all CISA-KEV-listed in the last 30 days. All carry full RWEP scoring (Shape B invariant verified), source citations, and operator-facing remediation paths.
+
+| CVE | What | KEV date | RWEP |
+|---|---|---|---|
+| CVE-2026-0300 | Palo Alto PAN-OS User-ID Authentication Portal unauth root RCE (PA-Series + VM-Series). Patch landed 2026-05-13. | 2026-05-06 | 73 |
+| CVE-2026-39987 | Marimo Python notebook pre-auth RCE via missing auth on `/terminal/ws`. AI/ML notebook attack surface. Weaponized into NKAbuse blockchain botnet via HuggingFace. | 2026-04-23 | 62 |
+| CVE-2026-6973 | Ivanti EPMM authenticated-admin RCE on on-prem MDM control plane. 3-day federal SLA. | 2026-05-07 | 62 |
+| CVE-2026-42897 | Microsoft Exchange OWA stored XSS / spoofing zero-day. **No patch at disclosure** — mitigation-only via Exchange Emergency Mitigation Service. | 2026-05-15 | 93 |
+| CVE-2026-32202 | Microsoft Windows Shell LNK protection-mechanism failure. Active APT28 (Fancy Bear) exploitation; chains with CVE-2026-21513. | 2026-04-28 | 85 |
+| CVE-2026-33825 | Microsoft Defender "BlueHammer" race-condition LPE → SYSTEM. Public exploit released before patch (true zero-day). | 2026-04-22 | 68 |
+
+**`kev_scope_note` field on supply-chain-class entries.** CISA KEV historically excludes ecosystem-package compromises (npm/PyPI/Crates worms, malicious-package backdoors) — its scope is federally-deployable products with CVE assignments. The Mini Shai-Hulud parent (CVE-2026-45321) and TanStack variant (MAL-2026-TANSTACK-MINI) are NOT listed in KEV despite confirmed in-the-wild exploitation. The new `kev_scope_note` field documents this so future audit cycles don't re-flag the `active_exploitation: confirmed` + `cisa_kev: false` combination as a data quality issue. Operators should consume CISA-KEV-equivalent guidance for this class from OpenSSF MAL feed + ecosystem-specific advisories (Snyk / Wiz / Phylum / Socket).
+
+### Internal
+
+- Catalog: 30 → 36 CVE entries. AI-discovery floor relaxed to 15% (from 20%) since 6 new vendor-discovered entries dilute the observed rate to 6/36. Ladder advances `[0.15, 0.20, 0.30, 0.40]` — prior rungs preserved.
+- Test count 1090 → 1094 (`tests/ci-positional-args.test.js` adds 4 pins on the F1 contract).
+- 14/14 predeploy gates green.
+
+
+## 0.12.30 — 2026-05-15
+
+Catalog scoring honesty pass + diff-coverage gate tightening from the cycle 10 audit. Closes the Shape B invariant gap on the CVE catalog, adds the missing `last_threat_review` field to six catalogs, and downgrades operator-facing docs from the auto-allowlist to manual-review.
+
+### Features
+
+**Shape B invariant enforced on every CVE.** `lib/scoring.js` documents that `Σ Object.values(rwep_factors) === rwep_score` is an invariant on every catalog entry, but the existing `validate()` function never enforced it — it computed via `scoreCustom()` (clamps `blast_radius` to 30, uses canonical weights) which masked dishonest factor blocks as long as the stored score happened to match the clamped formula. Fourteen entries had non-canonical factor values that summed to a different number than the stored score (CVE-2026-GTIG-AI-2FA, CVE-2026-42945, CVE-2024-3094, CVE-2024-21626, CVE-2023-3519, CVE-2026-20182, CVE-2024-40635, CVE-2025-12686, CVE-2025-62847, CVE-2025-62848, CVE-2025-62849, CVE-2025-59389, MAL-2026-TANSTACK-MINI, MAL-2026-ANTHROPIC-MCP-STDIO). All canonicalized — factor weights now derived from the operational fields (`cisa_kev`, `poc_available`, `ai_discovered`, `active_exploitation`, `blast_radius`, `patch_available`, `live_patch_available`, `patch_required_reboot`) via `lib/scoring.js` `RWEP_WEIGHTS` + `ACTIVE_EXPLOITATION_LADDER`. Where `blast_radius` exceeded the 30 cap (4 entries had values of 40), the value was clamped, which adjusted seven stored `rwep_score` values by ±5; each carries a `rwep_correction_note` documenting the delta. New `tests/cve-rwep-shape-b-invariant.test.js` blocks future drift with an exact-delta assertion.
+
+**Operator-facing docs downgraded from auto-allowlist to manual-review.** Cycle 9 P3 finding: `CHANGELOG.md`, `README.md`, `SECURITY.md`, `MIGRATING.md`, and `AGENTS.md` were in the diff-coverage gate's `DOCS_ALWAYS_GREEN` set — a PR could land arbitrary edits to release notes, install instructions, security disclosure policy, or AI-assistant ground truth without triggering any reviewer signal. New `DOCS_MANUAL_REVIEW` set routes them to "manual-review" instead, surfacing the diff in the gate output. Contributor-only / mechanical files (`CONTRIBUTING.md`, `CODE_OF_CONDUCT.md`, `LICENSE`, `NOTICE`, `SUPPORT.md`, `.gitignore`, `.npmrc`, `.editorconfig`, `CLAUDE.md`) stay always-green.
+
+**`last_threat_review` mandatory on every catalog _meta.** Cycle 10 finding: `cve-catalog.json`, `cwe-catalog.json`, `d3fend-catalog.json`, `dlp-controls.json`, `rfc-references.json`, and `framework-control-gaps.json` carried only `last_updated` without the more specific `last_threat_review`. Hard Rule #8 makes per-catalog threat-review currency a release-blocker after a stated window; all six catalogs now carry the field. New `tests/threat-review-staleness.test.js` enforces presence + a 30-day staleness window between `manifest.threat_review_date` and every skill's `last_threat_review`.
+
+### Bugs
+
+- `CVE-2026-42208` `discovery_attribution_note` misattributed discovery to Sysdig Threat Research Team. The actual credited discoverer is Tencent YunDing Security Lab per the LiteLLM GHSA-r75f-5x8p-qvmc advisory; Sysdig published only post-disclosure exploitation telemetry. Attribution corrected; sources updated.
+
+### Internal
+
+- AI-discovery rate stays at 20% after cycle 10 deep-research pass (24 currently-false CVEs WebSearch'd; zero credible flips found). Methodology block updated: the 40% target reflects the broader 2025 zero-day population (Google Threat Intelligence Group), but the curated exceptd catalog is weighted toward Pwn2Own Ireland 2025 entries, historical anchors (CVE-2020-10148, CVE-2024-3094, etc.), and supply-chain incidents — none of which carry public AI-tool credit. Advancing the ladder from 20% → 30% → 40% will happen as the catalog rotates toward 2026 Big Sleep / AIxCC / GTIG-attributed entries; forcing flips on the current population would violate Hard Rule #1 (no speculation).
+
+
 ## 0.12.29 — 2026-05-15
 
 Catalog hygiene + pipeline integrity pass. Closes Hard Rule #1, #6, #7, and #8 gaps that had accumulated across the 2025-2026 catalog growth; tightens the SBOM + OpenVEX + exit-code surfaces.

package/bin/exceptd.js

@@ -364,7 +364,7 @@ Examples:
   exceptd ci --scope code --max-rwep 70             # gate every code playbook
   exceptd ask "I think someone replaced npm packages"   # natural-language route
 
-Unknown verbs exit 2 with a structured ok:false body on stderr.
+Unknown verbs exit 10 (UNKNOWN_COMMAND) with a structured ok:false body on stderr. Exit 2 means a verb ran and detected an escalation-worthy finding (DETECTED_ESCALATE).
 
 Full documentation: ${PKG_ROOT}/README.md
 Project rules:      ${PKG_ROOT}/AGENTS.md
@@ -5994,7 +5994,42 @@ function cmdCi(runner, args, runOpts, pretty) {
   // --scope and --all. Operators specifying an explicit set get exactly that
   // set, no more, no less. Pre-0.11.9 the flag was silently ignored.
   let ids;
-  if (args.required) {
+  // Cycle 11 F1 (v0.12.31): positional args (`exceptd ci kernel cred-stores`)
+  // were silently ignored and the cwd-autodetect path ran instead. Operators
+  // got a green PASS for playbooks that were never actually executed. Treat
+  // positional args as an inline --required, with the same unknown-id refusal.
+  // Bare `exceptd ci` (no positional, no flags) still falls through to scope
+  // autodetect for backward compatibility.
+  //
+  // codex P1 (v0.12.31 follow-up): explicitly refuse `positional + --scope/--all/
+  // --required` as ambiguous. Pre-fix the guard `!args.all && !args.scope`
+  // would silently ignore the positional when a scope flag was also passed
+  // (`exceptd ci kernel --scope code` ran code-scope, dropping `kernel`).
+  // Combining selectors is operator error; surface it loudly.
+  const positional = Array.isArray(args._) ? args._.filter(s => typeof s === 'string' && s.length > 0) : [];
+  if (positional.length > 0) {
+    const conflicting = [];
+    if (args.required) conflicting.push('--required');
+    if (args.all) conflicting.push('--all');
+    if (args.scope) conflicting.push('--scope');
+    if (conflicting.length > 0) {
+      return emitError(
+        `ci: positional playbook arg(s) ${JSON.stringify(positional)} cannot be combined with ${conflicting.join(' / ')}. Pick one selector: either positional playbook IDs, OR --required <list>, OR --all, OR --scope <type>.`,
+        { positional, conflicting_flags: conflicting },
+        pretty,
+      );
+    }
+    const all = runner.listPlaybooks();
+    const unknown = positional.filter(r => !all.includes(r));
+    if (unknown.length > 0) {
+      return emitError(
+        `ci: unknown playbook ID(s) ${JSON.stringify(unknown)} on positional args. Known: ${all.join(", ")}. Pass --all for every playbook, --scope <type> for a class, or omit positional args to auto-detect from cwd.`,
+        { unknown, accepted: all },
+        pretty,
+      );
+    }
+    ids = positional;
+  } else if (args.required) {
     const requestedRaw = Array.isArray(args.required) ? args.required.join(",") : args.required;
     const requested = requestedRaw.split(",").map(s => s.trim()).filter(Boolean);
     const all = runner.listPlaybooks();

package/data/_indexes/_meta.json

@@ -1,20 +1,20 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-16T01:17:57.741Z",
+  "generated_at": "2026-05-16T02:59:12.590Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 54,
   "source_hashes": {
-    "manifest.json": "5b9c21d9c2d885b439990b7b499429bf8a59e69cc737abfb386aa0255f2e8228",
+    "manifest.json": "72fc4315f17ce55e5637d0d3124e1cd7a51e54bd73dd273e7cb67d700bf9533f",
     "data/atlas-ttps.json": "259e76e4252c7a56c17bbe96982a5e37ac89131c2d37a547fe38d64dcacfd763",
     "data/attack-techniques.json": "51f60819aef36e960fd768e44dcc725e137781534fbbb028e5ef6baa21defa1d",
-    "data/cve-catalog.json": "72164f10238b4ba26a6c2fcacd0dfa3e745cd83b7c7c525ca26d8069511a4f24",
-    "data/cwe-catalog.json": "b6d1a950e9dec8b313f65a546dcff724bf27d3717deca74decc04a6ba15d4538",
-    "data/d3fend-catalog.json": "ac7c1b0ba5cc84754264846b8173011ca4328773dd981c7b42599e112e54b3c4",
-    "data/dlp-controls.json": "8ea8d907aea0a2cfd772b048a62122a322ba3284a5c36a272ad5e9d392564cb5",
+    "data/cve-catalog.json": "1ab6ce2036ca9865c680aa2c934757fbd6dd7646e4012a7eab8f70d9ea0222c3",
+    "data/cwe-catalog.json": "f4bdc070b94d5b829f541aab34e21f86b133e9750ce9bef2d0b3e141c880bd33",
+    "data/d3fend-catalog.json": "35f076cd65d82ac97db90b72e884ec7ab2895c052567ee7d0c579c1965e6baaf",
+    "data/dlp-controls.json": "d2406c482dddd30e49203879999dc4b3a7fd4d0494d6a61d86b91ee76415df19",
     "data/exploit-availability.json": "a9eeda95d24b56c28a0d0178fc601b531653e2ba7dc857160b35ad23ad6c7471",
-    "data/framework-control-gaps.json": "0c4aa0d3c48da3b3a88d0b9faa078003af76a809b63d00f1da1c504738872a06",
+    "data/framework-control-gaps.json": "d7e40e7d5edcdcb1573905a9a01ef31962030b4a16e0a138a4c733f00c8701d1",
     "data/global-frameworks.json": "0168825497e03f079274c9da2e5529310a2ba5bd7c7da7c93acd0b66ed845b8a",
-    "data/rfc-references.json": "e90ec6755f6a670fdb589bbdc61b3010c90531da46065ada377272f34d282fcb",
+    "data/rfc-references.json": "e253a548c8a829d178d5aea601e268724b85c936ccbfa51c2e5d80c5f8efe2b0",
     "data/zeroday-lessons.json": "d960e5f8ca7a83c10194cd60207e13046a7eee1b8793e2f3de79475db283f800",
     "skills/kernel-lpe-triage/skill.md": "8e94bfd38d6db47342fbbe95a0c8df8f7c38743982c13e9de6a1c59cd3783d33",
     "skills/ai-attack-surface/skill.md": "13e543fc92b9b27cdb647dce96a9eeb44919e0fa92ec41e8265a9981a23e7b79",
@@ -72,7 +72,7 @@
       "dlp_refs": 0
     },
     "trigger_table_entries": 538,
-    "chains_cve_entries": 27,
+    "chains_cve_entries": 33,
     "chains_cwe_entries": 55,
     "jurisdictions_indexed": 29,
     "handoff_dag_nodes": 42,

package/data/_indexes/activity-feed.json

@@ -102,7 +102,7 @@
       "artifact": "data/cve-catalog.json",
       "path": "data/cve-catalog.json",
       "schema_version": "1.0.0",
-      "entry_count": 30
+      "entry_count": 36
     },
     {
       "date": "2026-05-13",

package/data/_indexes/catalog-summaries.json

@@ -62,7 +62,7 @@
         "rebuild_after_days": 365,
         "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
       },
-      "entry_count": 30,
+      "entry_count": 36,
       "sample_keys": [
         "CVE-2025-53773",
         "CVE-2026-30615",

package/data/_indexes/chains.json

@@ -1836,7 +1836,7 @@
   },
   "CVE-2024-21626": {
     "name": "runc /proc/self/fd leak (Leaky Vessels)",
-    "rwep": 75,
+    "rwep": 80,
     "cvss": 8.6,
     "cisa_kev": true,
     "epss_score": 0.65,
@@ -1916,7 +1916,7 @@
   },
   "CVE-2023-3519": {
     "name": "Citrix NetScaler ADC/Gateway unauth RCE (CitrixBleed precursor)",
-    "rwep": 75,
+    "rwep": 80,
     "cvss": 9.8,
     "cisa_kev": true,
     "epss_score": 0.967,
@@ -2044,7 +2044,7 @@
   },
   "CVE-2025-12686": {
     "name": "Synology BeeStation unauth RCE (Pwn2Own Ireland 2025)",
-    "rwep": 50,
+    "rwep": 45,
     "cvss": 9.8,
     "cisa_kev": false,
     "epss_score": 0.04,
@@ -2060,7 +2060,7 @@
   },
   "CVE-2025-62847": {
     "name": "QNAP QTS/QuTS hero RCE (Pwn2Own Ireland 2025, chain 1/3)",
-    "rwep": 45,
+    "rwep": 40,
     "cvss": 9.8,
     "cisa_kev": false,
     "epss_score": 0.03,
@@ -2076,7 +2076,7 @@
   },
   "CVE-2025-62848": {
     "name": "QNAP QTS/QuTS hero RCE (Pwn2Own Ireland 2025, chain 2/3)",
-    "rwep": 45,
+    "rwep": 40,
     "cvss": 9.8,
     "cisa_kev": false,
     "epss_score": 0.03,
@@ -2092,7 +2092,7 @@
   },
   "CVE-2025-62849": {
     "name": "QNAP QTS/QuTS hero RCE (Pwn2Own Ireland 2025, chain 3/3)",
-    "rwep": 40,
+    "rwep": 35,
     "cvss": 8.8,
     "cisa_kev": false,
     "epss_score": 0.02,
@@ -2154,6 +2154,102 @@
       "rfc_refs": []
     }
   },
+  "CVE-2026-0300": {
+    "name": "PAN-UID — Palo Alto Networks PAN-OS User-ID Authentication Portal RCE",
+    "rwep": 73,
+    "cvss": 9.3,
+    "cisa_kev": true,
+    "epss_score": null,
+    "referencing_skills": [],
+    "chain": {
+      "cwes": [],
+      "atlas": [],
+      "d3fend": [],
+      "framework_gaps": [],
+      "attack_refs": [],
+      "rfc_refs": []
+    }
+  },
+  "CVE-2026-39987": {
+    "name": "Marimo Python Notebook Pre-Auth WebSocket Terminal RCE",
+    "rwep": 62,
+    "cvss": 9.3,
+    "cisa_kev": true,
+    "epss_score": null,
+    "referencing_skills": [],
+    "chain": {
+      "cwes": [],
+      "atlas": [],
+      "d3fend": [],
+      "framework_gaps": [],
+      "attack_refs": [],
+      "rfc_refs": []
+    }
+  },
+  "CVE-2026-6973": {
+    "name": "Ivanti EPMM Authenticated-Admin RCE",
+    "rwep": 62,
+    "cvss": 7.2,
+    "cisa_kev": true,
+    "epss_score": null,
+    "referencing_skills": [],
+    "chain": {
+      "cwes": [],
+      "atlas": [],
+      "d3fend": [],
+      "framework_gaps": [],
+      "attack_refs": [],
+      "rfc_refs": []
+    }
+  },
+  "CVE-2026-42897": {
+    "name": "Microsoft Exchange OWA Stored XSS / Spoofing Zero-Day",
+    "rwep": 93,
+    "cvss": 8.1,
+    "cisa_kev": true,
+    "epss_score": null,
+    "referencing_skills": [],
+    "chain": {
+      "cwes": [],
+      "atlas": [],
+      "d3fend": [],
+      "framework_gaps": [],
+      "attack_refs": [],
+      "rfc_refs": []
+    }
+  },
+  "CVE-2026-32202": {
+    "name": "Microsoft Windows Shell LNK Mark-of-the-Web Bypass (APT28)",
+    "rwep": 85,
+    "cvss": 7.5,
+    "cisa_kev": true,
+    "epss_score": null,
+    "referencing_skills": [],
+    "chain": {
+      "cwes": [],
+      "atlas": [],
+      "d3fend": [],
+      "framework_gaps": [],
+      "attack_refs": [],
+      "rfc_refs": []
+    }
+  },
+  "CVE-2026-33825": {
+    "name": "BlueHammer — Microsoft Defender File-Remediation TOCTOU LPE",
+    "rwep": 68,
+    "cvss": 7.8,
+    "cisa_kev": true,
+    "epss_score": null,
+    "referencing_skills": [],
+    "chain": {
+      "cwes": [],
+      "atlas": [],
+      "d3fend": [],
+      "framework_gaps": [],
+      "attack_refs": [],
+      "rfc_refs": []
+    }
+  },
   "CWE-20": {
     "name": "Improper Input Validation",
     "category": "Validation",