@blamejs/exceptd-skills 0.12.31 → 0.12.32

package/CHANGELOG.md

@@ -1,5 +1,32 @@
 # Changelog
 
+## 0.12.32 — 2026-05-15
+
+Cycle 11 CLI polish + cycle 12 catalog hardening. The headline closes a silent regression where the 6 CVEs advertised by v0.12.31 were shipped as `_draft: true` and therefore invisible to default `cross-ref-api` queries — operators running `exceptd` against Exchange would have gotten a clean bill on CVE-2026-42897.
+
+### Bugs
+
+**6 CVEs from v0.12.31 promoted from draft to non-draft.** Cycle 12 audit caught the regression: every CVE in cycle 11's intake shipped as `_draft: true`, which `lib/cross-ref-api.js` skips by default. v0.12.31 CHANGELOG advertised "6 new CISA-KEV CVEs" but operators couldn't actually query them. All 6 promoted with `_editorial_promoted: 2026-05-15` provenance; full required fields validated (iocs, vendor_advisories, verification_sources, complexity, affected_versions, RWEP Shape B invariant).
+
+**9 unmatched `framework_control_gaps` keys on the new CVEs now resolve.** `NIS2-Art21-vulnerability-management`, `DORA-Art-9`, `NIST-800-53-AC-3`, `OWASP-LLM-Top-10-2025-LLM05`, `NIST-800-53-AC-6`, `NIS2-Art21-identity-management`, `ISO-27001-2022-A.8.7`, `NIST-800-53-SC-44`, `CIS-Controls-v8-10.1` — referenced by the new CVEs but absent from the framework-gap catalog. All 9 now present with `theater_test` blocks (catalog 109 → 118 entries). Reverse `evidence_cves` links also added on the 6 existing entries (NIST-800-53-SI-2 / SI-3 / etc.) that the new CVEs reference.
+
+**CVE → CWE reverse-references auto-regenerated.** Cycle 9 introduced `npm run refresh-reverse-refs` for the skill direction (manifest → atlas/cwe/d3fend/rfc), but the CWE catalog's `evidence_cves` field — the operator-facing "which CVEs map to this CWE" index — was still hand-maintained and drifted with every CVE intake. The script now also walks `cve.cwe_refs` → `cwe.evidence_cves`. Drafts excluded (they're invisible to default consumers; the reverse direction tracks operator-queryable truth). 14 CWE entries updated on first run. New `tests/reverse-ref-drift.test.js` test pins the contract.
+
+### Features
+
+**`exceptd help <verb>`** now routes to the per-verb help text (`exceptd help run` returns the run-verb help, not the top-level banner). Pre-fix the verb arg was silently dropped. Unknown verbs fall through to top-level help with a stderr note. New `tests/help-verb-attest-list-deprecation.test.js` pins the contract.
+
+**`exceptd attest list` empty-state now names every candidate root.** Pre-fix the human output said "(no attestations under )" with an empty path list when no `.exceptd/` directory existed. New `roots_evaluated[]` field on the JSON output + `[scanned-empty]` / `[not-present]` markers in the human renderer.
+
+**Legacy-verb deprecation banner auto-suppresses across invocations.** Pre-fix the per-process env-var guard reset on every fresh node process, so operators saw the banner on every `exceptd plan` invocation. Now persists suppression via an OS-tempdir marker keyed by exceptd version — banner shows once per version per host, re-shows on upgrade. Explicit `EXCEPTD_DEPRECATION_SHOWN=1` still suppresses even the first display.
+
+### Internal
+
+- 6 matching `data/zeroday-lessons.json` entries authored for the promoted CVEs (rule #6 enforcement: zero-day learning is live for every non-draft catalog entry).
+- Test count 1099 → 1109 (10 new tests across F4/F5/F7 + reverse-ref drift extension + Shape B canonicalization staying green).
+- 14/14 predeploy gates green.
+
+
 ## 0.12.31 — 2026-05-15
 
 CLI ergonomics + 30-day CVE intake from the cycle 11 audit. Closes a silent-misrouting bug in the CI gate and adds six high-impact CVEs that landed on CISA KEV between 2026-04-15 and 2026-05-15.

package/bin/exceptd.js

@@ -400,6 +400,20 @@ function main() {
   const rest = argv.slice(1);
 
   if (cmd === "help" || cmd === "--help" || cmd === "-h") {
+    // Cycle 11 F4 (v0.12.32): `exceptd help <verb>` previously dropped the
+    // verb argument and printed the top-level help. Route through the same
+    // printPlaybookVerbHelp() that `exceptd <verb> --help` already uses so
+    // operators get a consistent verb-specific help surface regardless of
+    // which way they reached it.
+    if (rest.length > 0 && typeof rest[0] === 'string' && rest[0].length > 0) {
+      const verb = rest[0];
+      if (printPlaybookVerbHelp(verb)) {
+        process.exit(0);
+      }
+      // Verb not found — emit a one-line note pointing at the top-level
+      // help so operators don't silently see the wrong content.
+      process.stderr.write(`[exceptd help] no verb-specific help for "${verb}" — falling through to top-level help. Run \`exceptd help\` for the full verb list.\n`);
+    }
     printHelp();
     process.exit(0);
   }
@@ -449,15 +463,31 @@ function main() {
   // (plan, govern, direct, look, ingest, reattest, list-attestations).
   if (LEGACY_VERB_REPLACEMENTS[cmd] && !process.env.EXCEPTD_DEPRECATION_SHOWN) {
     const ver = readPkgVersion();
-    const haveBrief = ver !== "unknown" && ver.match(/^(\d+)\.(\d+)/) && (parseInt(RegExp.$1, 10) > 0 || parseInt(RegExp.$2, 10) >= 11);
-    process.stderr.write(
-      `[exceptd] DEPRECATION: \`${cmd}\` is a v0.10.x verb. ` +
-      (haveBrief
-        ? `Prefer \`${LEGACY_VERB_REPLACEMENTS[cmd]}\` (available in this install, v${ver}). `
-        : `Upgrade to v0.11.0+ then use \`${LEGACY_VERB_REPLACEMENTS[cmd]}\` (currently installed: v${ver}). `) +
-      `Legacy verbs remain functional through this release; they will be removed in v0.13. ` +
-      `Suppress: export EXCEPTD_DEPRECATION_SHOWN=1.\n`
-    );
+    // Cycle 11 F7 (v0.12.32): persist the suppression across invocations via
+    // an OS-tempdir marker keyed by exceptd version. Pre-fix the env-var
+    // guard reset every fresh node process so operators saw the same banner
+    // on every `exceptd plan` invocation, even after they'd already read it.
+    // Per-version key means a new version (legitimate new content) shows the
+    // banner once; subsequent runs within the same version stay quiet. The
+    // explicit EXCEPTD_DEPRECATION_SHOWN=1 env-var opt-out still suppresses
+    // even the first display, matching the documented contract.
+    const markerDir = require("os").tmpdir();
+    const markerFile = path.join(markerDir, `exceptd-deprecation-shown-v${ver}`);
+    let alreadyShown = false;
+    try { alreadyShown = fs.existsSync(markerFile); } catch { /* tmpdir unwritable; degrade to per-process */ }
+    if (!alreadyShown) {
+      const haveBrief = ver !== "unknown" && ver.match(/^(\d+)\.(\d+)/) && (parseInt(RegExp.$1, 10) > 0 || parseInt(RegExp.$2, 10) >= 11);
+      process.stderr.write(
+        `[exceptd] DEPRECATION: \`${cmd}\` is a v0.10.x verb. ` +
+        (haveBrief
+          ? `Prefer \`${LEGACY_VERB_REPLACEMENTS[cmd]}\` (available in this install, v${ver}). `
+          : `Upgrade to v0.11.0+ then use \`${LEGACY_VERB_REPLACEMENTS[cmd]}\` (currently installed: v${ver}). `) +
+        `Legacy verbs remain functional through this release; they will be removed in v0.13. ` +
+        `This banner shows once per exceptd version per host (re-shown on upgrade). Permanent suppress: export EXCEPTD_DEPRECATION_SHOWN=1.\n`
+      );
+      try { fs.writeFileSync(markerFile, `shown_at=${new Date().toISOString()}\nversion=${ver}\n`); }
+      catch { /* tmpdir unwritable; the env-var guard below keeps the per-process suppression intact */ }
+    }
     process.env.EXCEPTD_DEPRECATION_SHOWN = "1";
   }
 
@@ -1949,7 +1979,15 @@ Flags (selected — see \`exceptd run --help\` for the full list):
   --bundle-deterministic  Emit byte-stable bundles across the multi-run set.
   --bundle-epoch <ISO>    Frozen epoch for --bundle-deterministic.`,
   };
-  process.stdout.write((cmds[verb] || `${verb} — no per-verb help available; see \`exceptd help\` for the full list.`) + "\n");
+  // Cycle 11 F4 (v0.12.32): return whether a verb-specific help block was
+  // found so the `exceptd help <verb>` caller can decide whether to fall
+  // through to the top-level help (verb unknown) or stop here (verb known).
+  if (cmds[verb]) {
+    process.stdout.write(cmds[verb] + "\n");
+    return true;
+  }
+  process.stdout.write(`${verb} — no per-verb help available; see \`exceptd help\` for the full list.\n`);
+  return false;
 }
 
 /**
@@ -5399,9 +5437,14 @@ function cmdListAttestations(runner, args, runOpts, pretty) {
   }
   // Enumerate sessions across both v0.11.0 default root and legacy cwd-
   // relative root, so operators with prior attestations still see them.
-  const roots = [resolveAttestationRoot(runOpts), path.join(process.cwd(), ".exceptd", "attestations")];
+  // Cycle 11 F5 (v0.12.32): also track candidate roots that didn't exist
+  // so operators can tell whether the directory was scanned-and-empty or
+  // simply never created. Pre-fix the human output said "(no attestations
+  // under )" with no path — operators couldn't see where the verb looked.
+  const roots = [...new Set([resolveAttestationRoot(runOpts), path.join(process.cwd(), ".exceptd", "attestations")])];
   const entries = [];
   const seenRoots = new Set();
+  const rootsEvaluated = roots.map(r => ({ root: r, exists: fs.existsSync(r) }));
   for (const root of roots) {
     if (seenRoots.has(root) || !fs.existsSync(root)) continue;
     seenRoots.add(root);
@@ -5442,11 +5485,24 @@ function cmdListAttestations(runner, args, runOpts, pretty) {
     count: entries.length,
     filter: { playbook: playbookFilter ? [...playbookFilter] : null, since: args.since || null },
     roots_searched: [...seenRoots],
+    // Cycle 11 F5 (v0.12.32): every candidate root + whether it existed,
+    // so JSON consumers can distinguish scanned-and-empty from never-created.
+    // The human renderer below also surfaces this rather than printing
+    // "(no attestations under )" with an empty path list.
+    roots_evaluated: rootsEvaluated,
   }, pretty, (obj) => {
     // v0.11.6 (#95) human renderer for attest list: one row per session.
     const lines = [`attest list — ${obj.count} attestation(s)`];
     if (obj.count === 0) {
-      lines.push(`  (no attestations under ${obj.roots_searched.join(' or ')})`);
+      const evald = obj.roots_evaluated || [];
+      if (evald.length === 0) {
+        lines.push(`  (no attestation root resolved; set EXCEPTD_HOME or run from a project with .exceptd/)`);
+      } else {
+        lines.push(`  candidate roots evaluated:`);
+        for (const r of evald) {
+          lines.push(`    ${r.exists ? '[scanned-empty]' : '[not-present]'} ${r.root}`);
+        }
+      }
       return lines.join("\n");
     }
     lines.push(`  ${"session-id".padEnd(20)}  ${"playbook".padEnd(16)}  ${"captured-at".padEnd(20)}  evidence-hash`);

package/data/_indexes/_meta.json

@@ -1,21 +1,21 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-16T02:59:12.590Z",
+  "generated_at": "2026-05-16T04:00:50.186Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 54,
   "source_hashes": {
-    "manifest.json": "72fc4315f17ce55e5637d0d3124e1cd7a51e54bd73dd273e7cb67d700bf9533f",
+    "manifest.json": "4fdf61fee00b774deaec5cc6cc8d2241d9f073b3b9ee58e990565f5fe336e342",
     "data/atlas-ttps.json": "259e76e4252c7a56c17bbe96982a5e37ac89131c2d37a547fe38d64dcacfd763",
     "data/attack-techniques.json": "51f60819aef36e960fd768e44dcc725e137781534fbbb028e5ef6baa21defa1d",
-    "data/cve-catalog.json": "1ab6ce2036ca9865c680aa2c934757fbd6dd7646e4012a7eab8f70d9ea0222c3",
-    "data/cwe-catalog.json": "f4bdc070b94d5b829f541aab34e21f86b133e9750ce9bef2d0b3e141c880bd33",
+    "data/cve-catalog.json": "f2bb3210f29fecaaedf2fa71ded77b545ad57bfcb36d3e2678b93b6592893b01",
+    "data/cwe-catalog.json": "e843729d4d1b688abadeab51ef261f16161eb25b05b7a44f5bc995f60525e089",
     "data/d3fend-catalog.json": "35f076cd65d82ac97db90b72e884ec7ab2895c052567ee7d0c579c1965e6baaf",
     "data/dlp-controls.json": "d2406c482dddd30e49203879999dc4b3a7fd4d0494d6a61d86b91ee76415df19",
     "data/exploit-availability.json": "a9eeda95d24b56c28a0d0178fc601b531653e2ba7dc857160b35ad23ad6c7471",
-    "data/framework-control-gaps.json": "d7e40e7d5edcdcb1573905a9a01ef31962030b4a16e0a138a4c733f00c8701d1",
+    "data/framework-control-gaps.json": "f88c5757553e3626981546ad1772189c6d40f9ddc24f730def949414cbab9cd0",
     "data/global-frameworks.json": "0168825497e03f079274c9da2e5529310a2ba5bd7c7da7c93acd0b66ed845b8a",
     "data/rfc-references.json": "e253a548c8a829d178d5aea601e268724b85c936ccbfa51c2e5d80c5f8efe2b0",
-    "data/zeroday-lessons.json": "d960e5f8ca7a83c10194cd60207e13046a7eee1b8793e2f3de79475db283f800",
+    "data/zeroday-lessons.json": "d9b9c13b0bb5bc18c933b5e2f41c9422c4a2d1f639e20a0f2979f94a2494f1e3",
     "skills/kernel-lpe-triage/skill.md": "8e94bfd38d6db47342fbbe95a0c8df8f7c38743982c13e9de6a1c59cd3783d33",
     "skills/ai-attack-surface/skill.md": "13e543fc92b9b27cdb647dce96a9eeb44919e0fa92ec41e8265a9981a23e7b79",
     "skills/mcp-agent-trust/skill.md": "3cec1dce668deec44cb7330e165e89cee8379dd90833519004d566baf72c038c",

package/data/_indexes/activity-feed.json

@@ -63,7 +63,7 @@
       "artifact": "data/framework-control-gaps.json",
       "path": "data/framework-control-gaps.json",
       "schema_version": "1.0.0",
-      "entry_count": 109
+      "entry_count": 118
     },
     {
       "date": "2026-05-15",
@@ -87,7 +87,7 @@
       "artifact": "data/zeroday-lessons.json",
       "path": "data/zeroday-lessons.json",
       "schema_version": "1.1.0",
-      "entry_count": 15
+      "entry_count": 21
     },
     {
       "date": "2026-05-15",

package/data/_indexes/catalog-summaries.json

@@ -172,7 +172,7 @@
         "rebuild_after_days": 365,
         "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
       },
-      "entry_count": 109,
+      "entry_count": 118,
       "sample_keys": [
         "ALL-AI-PIPELINE-INTEGRITY",
         "ALL-MCP-TOOL-TRUST",
@@ -238,7 +238,7 @@
         "rebuild_after_days": 365,
         "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
       },
-      "entry_count": 15,
+      "entry_count": 21,
       "sample_keys": [
         "CVE-2026-31431",
         "CVE-2025-53773",