@blamejs/exceptd-skills 0.12.40 → 0.12.41

package/data/cve-catalog.json

@@ -36,6 +36,16 @@
     },
     "vendor_advisory_field_added": "2026-05-11",
     "vendor_advisory_note": "Each CVE carries a structured vendor_advisories array (vendor, advisory_id, url, severity, published_date) for downstream consumers that route by vendor advisory. Unknown advisory IDs are null with the canonical vendor CVE-resolver URL — never fabricated. Existing free-form references are preserved in verification_sources; vendor_advisories is additive.",
+    "active_exploitation_vocabulary": {
+      "values": ["confirmed", "suspected", "theoretical", "none", "unknown"],
+      "definitions": {
+        "confirmed": "Active in-the-wild exploitation observed and attributed",
+        "suspected": "Indicators consistent with exploitation; attribution incomplete",
+        "theoretical": "Working PoC published; no confirmed exploitation",
+        "none": "No exploitation observed; vulnerability disclosed and patched",
+        "unknown": "Insufficient telemetry to classify"
+      }
+    },
     "ai_discovery_methodology": {
       "field_added": "2026-05-15",
       "agents_md_target": "Hard Rule #7 — '41% of 2025 zero-days were AI-discovered'. Catalog target rate floor: 0.40.",
@@ -1318,7 +1328,7 @@
       "NIST-800-53-SI-2": "30-day critical patch SLA is an exploitation window for a deterministic LPE with a public PoC. Module-unload mitigation is non-reboot and available immediately, but no SI-2 implementation requires it as a compensating control.",
       "ISO-27001-2022-A.8.8": "'Appropriate timescales' undefined; standard 30-day interpretation is unsafe for deterministic LPE with public PoC. No requirement to track kernel-module-blacklist as a compensating control.",
       "NIS2-Art21-patch-management": "Art. 21(2)(c) patch-management measures are undefined for fast-cycle kernel LPEs with public PoC. No guidance on module-blacklist as an interim measure.",
-      "DORA-Art9": "ICT incident management presumes vendor-patch cadence; module-unload as immediate mitigation has no place in the typical DORA evidence pack.",
+      "DORA-Art-9": "ICT incident management presumes vendor-patch cadence; module-unload as immediate mitigation has no place in the typical DORA evidence pack.",
       "UK-CAF-B4": "System security principle is silent on subsystem module disable as a compensating control for unpatched kernel LPE.",
       "AU-ISM-1546": "Essential 8 patch-applications maturity ladder anchors on advisory date, not on PoC availability. ML3 48h is still long for a deterministic public exploit.",
       "ISO-27001-2022-A.5.7": "Threat-intelligence control collects feeds but does not require the operational pivot (module unload) when intel shows a same-family sequel to a previously-patched bug."
@@ -1500,9 +1510,7 @@
     },
     "epss_score": 0.65,
     "epss_date": "2026-05-14",
-    "cwe_refs": [
-      "CWE-403"
-    ],
+    "cwe_refs": [],
     "source_verified": "2026-05-14",
     "verification_sources": [
       "https://nvd.nist.gov/vuln/detail/CVE-2024-21626",
@@ -1626,8 +1634,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1611",
-      "T1547.006"
+      "T1611"
     ],
     "rwep_score": 30,
     "rwep_factors": {
@@ -1689,10 +1696,7 @@
     "atlas_refs": [
       "AML.T0016"
     ],
-    "attack_refs": [
-      "T1083",
-      "T1005"
-    ],
+    "attack_refs": [],
     "rwep_score": 30,
     "rwep_factors": {
       "cisa_kev": 0,
@@ -1834,7 +1838,6 @@
     "epss_score": 0.967,
     "epss_date": "2026-05-14",
     "cwe_refs": [
-      "CWE-119",
       "CWE-787"
     ],
     "source_verified": "2026-05-14",
@@ -1896,9 +1899,7 @@
     },
     "epss_score": 0.973,
     "epss_date": "2026-05-14",
-    "cwe_refs": [
-      "CWE-288"
-    ],
+    "cwe_refs": [],
     "source_verified": "2026-05-14",
     "verification_sources": [
       "https://nvd.nist.gov/vuln/detail/CVE-2024-1709",
@@ -2006,8 +2007,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1525",
-      "T1046"
+      "T1525"
     ],
     "rwep_score": 30,
     "rwep_factors": {
@@ -2022,9 +2022,7 @@
     },
     "epss_score": 0.005,
     "epss_date": "2026-05-14",
-    "cwe_refs": [
-      "CWE-190"
-    ],
+    "cwe_refs": [],
     "source_verified": "2026-05-14",
     "verification_sources": [
       "https://nvd.nist.gov/vuln/detail/CVE-2024-40635",
@@ -2073,8 +2071,7 @@
       "NIS2-Art21-supply-chain": "Generic supply chain controls without npm-ecosystem-specific guidance."
     },
     "atlas_refs": [
-      "AML.T0010",
-      "AML.T0019"
+      "AML.T0010"
     ],
     "attack_refs": [
       "T1195.001",
@@ -2238,8 +2235,7 @@
     "epss_score": null,
     "epss_date": "2026-05-14",
     "cwe_refs": [
-      "CWE-287",
-      "CWE-841"
+      "CWE-287"
     ],
     "source_verified": "2026-05-14",
     "verification_sources": [
@@ -2597,8 +2593,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190",
-      "T1490"
+      "T1190"
     ],
     "rwep_score": 45,
     "rwep_factors": {
@@ -2737,8 +2732,7 @@
       "AML.T0040"
     ],
     "attack_refs": [
-      "T1190",
-      "T1505.003"
+      "T1190"
     ],
     "rwep_score": 40,
     "rwep_factors": {
@@ -2755,7 +2749,6 @@
     "epss_score": null,
     "epss_date": "2026-05-14",
     "cwe_refs": [
-      "CWE-122",
       "CWE-787"
     ],
     "source_verified": "2026-05-14",

package/data/exploit-availability.json

@@ -2,6 +2,7 @@
   "_meta": {
     "schema_version": "1.1.0",
     "last_updated": "2026-05-15",
+    "last_threat_review": "2026-05-17",
     "note": "Tracks PoC availability and weaponization stage per CVE. Update when status changes. last_verified must be within 90 days. v1.1.0 (2026-05-15): added ai_discovery_source enum + ai_assist_factor ladder (low|moderate|high|very_high) per AGENTS.md Hard Rule #7.",
     "tlp": "CLEAR",
     "source_confidence": {

package/data/framework-control-gaps.json

@@ -132,8 +132,7 @@
       "AML.T0051"
     ],
     "attack_refs": [
-      "T1059",
-      "T1204"
+      "T1059"
     ],
     "theater_test": {
       "claim": "We hardened user applications per Essential Eight Maturity Level 2; browsers and Office are locked down.",
@@ -2184,7 +2183,10 @@
     "opened_date": "2026-05-15",
     "evidence_cves": [],
     "atlas_refs": [],
-    "attack_refs": [],
+    "attack_refs": [
+      "T1573",
+      "T1600"
+    ],
     "theater_test": {
       "claim": "Our cryptographic suite review meets PCI DSS 4.0.1 12.3.3 annual cadence.",
       "test": "Pull the cryptographic suite inventory and most-recent annual review. Confirm enumeration of in-use algorithms with deprecation status. Confirm a PQC-readiness assessment exists with migration roadmap for long-lived keys (TLS for >5y data, signing for code/SBOM). Theater verdict if PQC is absent from the review, or if deprecated algorithms remain in use without a documented exception.",
@@ -3686,7 +3688,8 @@
     "opened_date": "2026-05-15",
     "evidence_cves": [
       "CVE-2026-0300",
-      "CVE-2026-42897"
+      "CVE-2026-42897",
+      "CVE-2026-46300"
     ],
     "atlas_refs": [],
     "attack_refs": [
@@ -3945,5 +3948,135 @@
       ],
       "verdict_when_failed": "compliance-theater"
     }
+  },
+  "UK-CAF-B4": {
+    "framework": "UK NCSC Cyber Assessment Framework (CAF)",
+    "control_id": "B4",
+    "control_name": "System security",
+    "designed_for": "Principle B4 — networks and information systems supporting essential functions are protected against attack. Covers secure configuration, secure architecture, and the management of vulnerabilities in deployed systems.",
+    "misses": [
+      "Subsystem-level kernel-module disable as a compensating control for an unpatched deterministic local-privilege-escalation is not enumerated as an interim posture distinct from vendor-patch application",
+      "CAF assumes patch-application timelines tied to advisory dates; deterministic LPEs with public PoC require operational pivots (module unload, syscall filter) that the principle does not name",
+      "Where vendor patch + reboot cycle is multi-day on operationally-sensitive hosts, the absence of a named compensating-control path forces operators to either accept the exposure window or schedule disruptive reboots without policy cover"
+    ],
+    "real_requirement": "B4 implementation must explicitly enumerate compensating-control postures for unpatched deterministic LPEs: kernel-module blacklist (esp4 / esp6 / rxrpc class), syscall filter (seccomp profile narrowing), or live-patch where vendor offers it. Each compensating control must be reversible, monitored, and have a documented conversion-SLA to the vendor binary patch.",
+    "status": "open",
+    "opened_date": "2026-05-17",
+    "evidence_cves": [
+      "CVE-2026-46300"
+    ],
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1068"
+    ],
+    "theater_test": {
+      "claim": "Our UK CAF B4 system-security posture covers unpatched kernel LPEs with documented compensating controls.",
+      "test": "Pull the operator's B4 evidence pack. For the most recent deterministic kernel LPE with public PoC (CVE-2026-46300 / Fragnesia is the reference case), confirm whether the evidence pack names a compensating-control posture (module unload, syscall filter, or live-patch) distinct from the binary-patch path, and whether that posture is monitored and has a conversion-SLA back to the binary patch. Theater verdict if the evidence pack reduces to 'patch within 30 days' without a named interim compensating control, or if the compensating control is deployed without monitoring and SLA.",
+      "evidence_required": [
+        "B4 evidence pack covering the most recent deterministic kernel LPE",
+        "named compensating-control posture (module blacklist, seccomp, live-patch) with monitoring",
+        "conversion-SLA documenting return-to-binary-patch timeline"
+      ],
+      "verdict_when_failed": "compliance-theater"
+    }
+  },
+  "AU-ISM-1546": {
+    "framework": "Australian Government Information Security Manual (ISM)",
+    "control_id": "ISM-1546",
+    "control_name": "Patch operating systems and applications",
+    "designed_for": "Patching operating systems and applications within timeframes set by the Essential Eight Maturity Model — ML1: 1 month for non-critical, 2 weeks for internet-facing; ML2: 2 weeks for non-critical, 48 hours for internet-facing or exploited; ML3: 48 hours for non-critical, 48 hours for internet-facing or exploited.",
+    "misses": [
+      "Patch-application timeframes anchor on advisory date, not on public-PoC availability — a deterministic LPE with a public PoC is exploitable from disclosure-minus-zero regardless of the 48h ML3 window",
+      "The maturity ladder does not differentiate between exploitable-from-disclosure (public PoC + deterministic primitive) and theoretically-exploitable, so the highest-tempo bucket is still slower than the threat",
+      "No requirement to deploy reversible compensating controls (kernel-module blacklist, syscall filter) while the patch cycle proceeds, even when the vendor offers them in the same advisory window"
+    ],
+    "real_requirement": "ISM-1546 implementation must add: (1) a PoC-availability-aware tempo overlay where deterministic LPEs with public PoCs trigger a same-day-mitigation requirement separate from patch SLA, (2) a named compensating-control posture per maturity level (module blacklist at ML1, seccomp at ML2, live-patch at ML3), (3) explicit evidence that the operator inspected the advisory for non-binary mitigation paths before defaulting to the patch-only response.",
+    "status": "open",
+    "opened_date": "2026-05-17",
+    "evidence_cves": [
+      "CVE-2026-46300"
+    ],
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1068"
+    ],
+    "theater_test": {
+      "claim": "Our AU ISM-1546 patch programme meets Essential Eight Maturity Level 3 for kernel-class vulnerabilities.",
+      "test": "Pull the patch-management evidence pack and select the most recent deterministic kernel LPE with public PoC (CVE-2026-46300 / Fragnesia is the reference case). Confirm whether the evidence shows (a) same-day deployment of a named compensating control (module blacklist, seccomp profile, live-patch) distinct from the binary patch, and (b) the operator documented inspection of the advisory for non-binary mitigation before defaulting to the patch SLA. Theater verdict if the evidence collapses to 'patch within 48h' without a named same-day compensating control, or if the compensating control was deployed without advisory-side evidence of evaluation.",
+      "evidence_required": [
+        "patch-management evidence pack for the reference deterministic LPE",
+        "same-day compensating-control deployment record",
+        "advisory inspection notes documenting non-binary mitigation evaluation"
+      ],
+      "verdict_when_failed": "compliance-theater"
+    }
+  },
+  "ISO-27001-2022-A.5.7": {
+    "framework": "ISO/IEC 27001:2022",
+    "control_id": "A.5.7",
+    "control_name": "Threat intelligence",
+    "designed_for": "Information about information-security threats is collected and analysed to produce threat intelligence. Output feeds risk-management, vulnerability-management, incident-management, and awareness programmes.",
+    "misses": [
+      "Threat intelligence collection is treated as feed ingestion; the control does not require an operational pivot when intel surfaces a same-family sequel to a previously-patched bug (Dirty Frag → Fragnesia is the reference case)",
+      "AI-attack-development feeds (AI-assisted discovery, AI-built exploitation chains, AI-orchestrated supply-chain attacks) are not explicitly enumerated as a feed category, despite being a current-reality threat per Hard Rule #7",
+      "Threat-intelligence-to-action latency is undefined; intel may be 'collected' weeks before the operational response, with no control text requiring conversion-SLA from intel to action"
+    ],
+    "real_requirement": "A.5.7 implementation must add: (1) AI-attack-development feeds as a named feed category (GTIG zero-day attribution, Anthropic / OpenAI / Google threat reports, Zellic / depthfirst / Big Sleep disclosure channels), (2) intel-to-action conversion-SLA per threat category (deterministic LPE same-family sequel: 24h to compensating control), (3) explicit operational-pivot list mapping intel signal to immediate non-patch action (module blacklist, syscall filter, egress block, MFA enforcement).",
+    "status": "open",
+    "opened_date": "2026-05-17",
+    "evidence_cves": [
+      "CVE-2026-46300"
+    ],
+    "atlas_refs": [
+      "AML.T0010"
+    ],
+    "attack_refs": [
+      "T1068"
+    ],
+    "theater_test": {
+      "claim": "Our ISO 27001:2022 A.5.7 threat-intelligence programme drives operational action against current-reality threats including AI-assisted attack development.",
+      "test": "Pull the threat-intelligence feed inventory and the last 12 months of intel-driven action records. Confirm explicit enumeration of AI-attack-development feed sources (GTIG, vendor threat reports, AI-assisted-disclosure outlets). Confirm an intel-to-action conversion-SLA per threat category. Sample the most recent same-family sequel disclosure (Fragnesia following Dirty Frag, or equivalent) and verify a compensating-control action fired within the SLA. Theater verdict if AI-attack-development feeds are absent from the inventory, or if intel-to-action conversion-SLA is undocumented, or if the sampled same-family sequel produced no operational pivot.",
+      "evidence_required": [
+        "threat-intelligence feed inventory with AI-attack-development category",
+        "intel-to-action conversion-SLA per threat category",
+        "operational pivot record for the most recent same-family sequel disclosure"
+      ],
+      "verdict_when_failed": "compliance-theater"
+    }
+  },
+  "NIS2-Art21-supply-chain": {
+    "framework": "EU NIS2 Directive (Directive (EU) 2022/2555)",
+    "control_id": "Art-21-supply-chain",
+    "control_name": "Supply chain security measures",
+    "designed_for": "Article 21(2)(d) — supply-chain security including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers. Covers risk-management measures for the supply chain, including transitive dependencies where systemically relevant.",
+    "misses": [
+      "Generic supply-chain controls do not address ecosystem-specific compromise classes — npm registry account-recovery via expired maintainer-email domain, postinstall vs main-module payload distinction, and registry-account MFA enforcement are not enumerated",
+      "Container-runtime supply chain is not differentiated from application-runtime supply chain — the runtime (containerd, runc, CRI-O) and the workloads it executes have different exposure shapes that the directive collapses",
+      "Maintainer-account integrity is presumed; the directive does not require monitoring of maintainer-email-domain expiry, registry-side MFA enforcement on critical-path packages, or post-publish freshness cooldowns as protective measures"
+    ],
+    "real_requirement": "NIS2 Art. 21 supply-chain measures must add ecosystem-specific controls: (1) container-runtime supply chain enumerated distinct from application supply chain with separate risk-management posture, (2) npm / PyPI / RubyGems / crates.io maintainer-account integrity monitoring (email-domain expiry, MFA enforcement, registry-side anomaly detection), (3) post-publish cooldown periods on consumption of fresh releases from systemically-important upstream maintainers, (4) postinstall vs main-module payload distinction in consumer-side defence (--ignore-scripts is insufficient against main-module payloads), (5) lockfile audit against known-malicious version sets during the active exposure window.",
+    "status": "open",
+    "opened_date": "2026-05-17",
+    "evidence_cves": [
+      "MAL-2026-NODE-IPC-STEALER"
+    ],
+    "atlas_refs": [
+      "AML.T0010",
+      "AML.T0020"
+    ],
+    "attack_refs": [
+      "T1195.001",
+      "T1195.002"
+    ],
+    "theater_test": {
+      "claim": "Our NIS2 Art. 21 supply-chain security programme covers ecosystem-specific compromise classes including container runtime and registry account-recovery abuse.",
+      "test": "Pull the supply-chain risk-management evidence pack. Confirm container-runtime supply chain is enumerated distinct from application supply chain. Confirm maintainer-account integrity monitoring (email-domain expiry tracking, registry-side MFA enforcement evidence) for critical-path packages. Sample the most recent registry account-recovery incident (MAL-2026-NODE-IPC-STEALER reference case) and verify the consumer-side response covered lockfile audit against the malicious version set during the exposure window. Theater verdict if container runtime and application runtime collapse into a single supply-chain register, or if maintainer-account integrity monitoring is undocumented, or if the sampled incident response did not include lockfile audit within the exposure window.",
+      "evidence_required": [
+        "supply-chain register differentiating container runtime from application runtime",
+        "maintainer-account integrity monitoring records for critical-path packages",
+        "lockfile audit log from the reference registry account-recovery incident"
+      ],
+      "verdict_when_failed": "compliance-theater"
+    }
   }
 }

package/data/global-frameworks.json

@@ -3,6 +3,7 @@
     "schema_version": "1.3.0",
     "version": "1.3.0",
     "last_updated": "2026-05-15",
+    "last_threat_review": "2026-05-17",
     "note": "Multi-jurisdiction framework registry. patch_sla in hours. notification_sla in hours. source field must be primary regulatory source. v1.3.0 expansion: NO, MX, AR, TR, TH, PH, US_CALIFORNIA top-level jurisdictions added; EU member-state sub-regulator blocks added for Germany (BSI), France (ANSSI), Spain (AEPD + AESIA), Italy (ACN + AgID); EU-level technical body ENISA added as cross-cutting reference. v1.2.0 expansion: IL, CH, HK, TW, ID, VN, US_NYDFS added; JP expanded with APPI/PPC, FISC, NISC, METI, Economic Security Promotion Act, AI Strategy Council guidance. v1.1.0 expansion: BR, CN, ZA, AE, SA, NZ, KR, CL added; IN and CA enriched with data-protection law entries (DPDPA, Quebec Law 25, PIPEDA).",
     "tlp": "CLEAR",
     "source_confidence": {

package/data/playbooks/crypto-codebase.json

@@ -381,6 +381,7 @@
           "id": "package-manifests",
           "type": "config_file",
           "source": "Read package.json, pyproject.toml, setup.py, go.mod, Cargo.toml, pom.xml, build.gradle, Gemfile, composer.json, mix.exs at repo root and at every nested package boundary. Use Glob `**/{package.json,pyproject.toml,go.mod,Cargo.toml,pom.xml,build.gradle,Gemfile,composer.json}` excluding `node_modules`, `vendor`, `.venv`, `target`, `dist`, `build`.",
+          "air_gap_alternative": "Identical local-filesystem read; no network dependency. Same Glob/Read against the working repo.",
           "description": "Package manifests — establish the language ecosystems present, declared crypto-adjacent dependencies, and the public API surface.",
           "required": true
         },
@@ -388,6 +389,7 @@
           "id": "lockfiles",
           "type": "config_file",
           "source": "Read package-lock.json, yarn.lock, pnpm-lock.yaml, poetry.lock, uv.lock, Pipfile.lock, go.sum, Cargo.lock, composer.lock at repo root and at every package boundary.",
+          "air_gap_alternative": "Identical local-filesystem read; no network dependency. Same Read against the working repo.",
           "description": "Lockfiles — concrete versions of crypto-adjacent deps actually shipped to consumers (openssl, sodium, libsodium-wrappers, tweetnacl, noble-curves, noble-hashes, noble-post-quantum, jsrsasign, node-forge, pqcrypto, oqs-rs, kyber-crystals, dilithium, aws-lc-rs, ring, rustls, rust-openssl).",
           "required": false
         },
@@ -395,6 +397,7 @@
           "id": "hash-primitive-call-sites",
           "type": "file",
           "source": "Grep across the repo (excluding test/spec/fixture/node_modules/vendor/.venv/target/dist/build) for hash-primitive call sites. Patterns: `crypto.createHash\\(`, `crypto.createHmac\\(`, `hashlib\\.(md5|sha1|sha224|sha256|sha384|sha512|blake2b|blake2s|sha3_)`, `MessageDigest\\.getInstance\\(`, `Digest::(MD5|SHA1|SHA256)`, `hash/md5`, `hash/sha1`, `\"md5\"`, `\"sha1\"`, `\"sha-1\"`, `\"sha256\"`, `\"sha3-256\"`. Use Grep with multiline=true where the algorithm-name string is on a different line from the constructor.",
+          "air_gap_alternative": "Identical local-filesystem Grep; no network dependency. Run the same patterns against the working repo.",
           "description": "Every hash-primitive call site. Distinguish security-context usage (signature input, MAC input, integrity check, password derivation, token derivation) from non-security usage (cache key, ETag, dedup). The non-security distinction must be evidenced inline; absent evidence, treat as security-context.",
           "required": true
         },
@@ -402,6 +405,7 @@
           "id": "cipher-and-kex-call-sites",
           "type": "file",
           "source": "Grep for cipher and KEX call sites: `createCipheriv\\(`, `createDecipheriv\\(`, `crypto\\.publicEncrypt\\(`, `crypto\\.privateDecrypt\\(`, `createDiffieHellman\\(`, `createECDH\\(`, `crypto\\.generateKeyPair`, `Cipher\\.getInstance\\(`, `aesgcm`, `ChaCha20Poly1305`, `\\.(seal|open)\\(`, `OpenSSL::Cipher`, hardcoded curve names `\"P-256\"`, `\"secp256r1\"`, `\"prime256v1\"`, `\"P-384\"`, `\"secp384r1\"`, `\"P-521\"`, `\"secp521r1\"`, `\"secp256k1\"`, `\"X25519\"`, `\"X448\"`.",
+          "air_gap_alternative": "Identical local-filesystem Grep; no network dependency. Run the same patterns against the working repo.",
           "description": "Cipher and key-exchange call sites. Identify mode (GCM/CBC/CTR/ECB), curve, key size, IV-generation pattern. ECB mode anywhere is a hard fail. CBC without HMAC is a hard fail. AES-128 without GCM authenticator is a finding.",
           "required": true
         },
@@ -409,6 +413,7 @@
           "id": "signature-call-sites",
           "type": "file",
           "source": "Grep for signature operations: `crypto\\.sign\\(`, `crypto\\.verify\\(`, `Signature\\.getInstance\\(`, `\\.sign_pss\\(`, `\\.verify_pss\\(`, `RSA-PSS`, `RSA-PKCS1`, `ECDSA`, `Ed25519`, `Ed448`, `ML-DSA`, `Dilithium`, `SLH-DSA`, `SPHINCS`. Capture key sizes for RSA (look for `modulusLength`, `key_size`, `--rsa-2048` literals), curve choice for ECDSA, hash choice paired with signature (RSA-SHA1 is a hard fail).",
+          "air_gap_alternative": "Identical local-filesystem Grep; no network dependency. Run the same patterns against the working repo.",
           "description": "Signature scheme inventory. RSA-1024 anywhere is a hard fail; RSA-2048 with > 5-year sensitivity requires PQC roadmap; ECDSA-P256 acceptable today but needs hybrid ML-DSA migration plan; bare RSA-PKCS1 (not PSS) for new signatures is a finding.",
           "required": true
         },
@@ -416,6 +421,7 @@
           "id": "kdf-call-sites",
           "type": "file",
           "source": "Grep for key-derivation calls: `pbkdf2(Sync)?\\(`, `PBKDF2`, `hashlib\\.pbkdf2_hmac`, `bcrypt\\.(hash|hashSync|compare)`, `scrypt(Sync)?\\(`, `argon2\\.(hash|verify)`, `argon2id`, `hkdf\\(`, `HKDF`, `derive_key`. For each, extract the cost parameters: PBKDF2 iterations, bcrypt cost factor, scrypt N/r/p, argon2 t/m/p.",
+          "air_gap_alternative": "Identical local-filesystem Grep; no network dependency. Run the same patterns against the working repo.",
           "description": "Key-derivation parameter inventory. Apply OWASP 2023 minimums: PBKDF2-HMAC-SHA256 >= 600,000; PBKDF2-HMAC-SHA512 >= 210,000; bcrypt cost >= 12; scrypt N >= 2^17, r=8, p=1; argon2id m >= 19 MiB (19456 KiB), t >= 2, p >= 1. Any parameter below minimum is a finding.",
           "required": true
         },
@@ -423,6 +429,7 @@
           "id": "rng-call-sites",
           "type": "file",
           "source": "Grep for RNG sources: `Math\\.random\\(`, `random\\.random\\(`, `random\\.randint\\(`, `random\\.choice\\(`, `rand\\(`, `srand\\(`, `mt_rand\\(`, `secrets\\.(token_|randbits|choice)`, `crypto\\.randomBytes\\(`, `crypto\\.getRandomValues\\(`, `crypto\\.randomUUID\\(`, `os\\.urandom\\(`, `getrandom\\(`, `SecureRandom`, `OsRng`, `ThreadRng`, `/dev/urandom`, `/dev/random`. Capture file_path:line for each.",
+          "air_gap_alternative": "Identical local-filesystem Grep; no network dependency. Run the same patterns against the working repo.",
           "description": "RNG-source inventory. Production-context Math.random / random.random / rand without cryptographic-RNG fallback is CWE-338. Distinguish test/spec/fixture usage explicitly via path allowlist; production usage requires a cryptographic RNG.",
           "required": true
         },
@@ -430,6 +437,7 @@
           "id": "hardcoded-key-material",
           "type": "file",
           "source": "Grep for hardcoded crypto material: PEM markers `-----BEGIN (RSA |EC |DSA |PRIVATE |PUBLIC |CERTIFICATE )?(PRIVATE|PUBLIC) KEY-----`, SSH key prefixes `ssh-rsa AAAA`, `ssh-ed25519 AAAA`, `ecdsa-sha2-nistp256 AAAA`, hex-blob heuristics for keys (>= 64 hex chars on a single literal line), base64-encoded blobs >= 256 chars in source files. Cross-reference with the `secrets` playbook for the exfil-secret angle; here the focus is library-author shipping defaults that look like keys (e.g. example certs, demo keys, sample HMAC seeds that downstream consumers fail to rotate).",
+          "air_gap_alternative": "Identical local-filesystem Grep; no network dependency. Run the same patterns against the working repo.",
           "description": "Hardcoded key material shipped with the library. Library-author angle: any 'demo' or 'example' key that downstream consumers fail to rotate becomes a universal-default vulnerability (cf. embedded-router demo keys, Wi-Fi default WPA keys, IoT bootloader signing keys).",
           "required": false
         },
@@ -437,6 +445,7 @@
           "id": "tls-config-construction",
           "type": "file",
           "source": "Grep for in-code TLS context construction: `tls\\.createSecureContext`, `tls\\.createServer`, `https\\.createServer`, `ssl\\.SSLContext\\(`, `ssl\\.create_default_context`, `rustls::ServerConfig`, `rustls::ClientConfig`, `tls\\.Config\\{`, `SSL_CTX_new`, options like `minVersion`, `maxVersion`, `secureProtocol`, `ciphers`, `ecdhCurve`, `sigalgs`, `groups`, `ALPNProtocols`.",
+          "air_gap_alternative": "Identical local-filesystem Grep; no network dependency. Run the same patterns against the working repo.",
           "description": "In-code TLS configuration. Library authors that construct TLS contexts internally must default to TLS 1.3 minimum, X25519MLKEM768 group preference (when openssl >= 3.5 detected), modern cipher list. Hardcoded `secureProtocol: 'TLSv1_method'` or `minVersion: 'TLSv1'` is a hard fail.",
           "required": false
         },
@@ -444,6 +453,7 @@
           "id": "pqc-adoption-signals",
           "type": "file",
           "source": "Grep for PQC adoption: `ml[-_]?kem`, `ml[-_]?dsa`, `slh[-_]?dsa`, `kyber`, `dilithium`, `sphincs`, `falcon`, `kemEncapsulate`, `kemDecapsulate`, `EVP_KEM_`, `OQS_KEM_`, `oqsprovider`, `liboqs`, `noble-post-quantum`, `pqcrypto::`, `aws-lc-rs::pqc`, `circl/sign/dilithium`, `circl/kem/kyber`.",
+          "air_gap_alternative": "Identical local-filesystem Grep; no network dependency. Run the same patterns against the working repo.",
           "description": "PQC adoption signals. If `pqc-readiness-gap` directive runs, this artifact is the primary input. Distinguish concrete cryptographic operations from configuration strings, feature-flag names, and comments.",
           "required": false
         },
@@ -451,6 +461,7 @@
           "id": "fips-provider-activation",
           "type": "file",
           "source": "Grep for FIPS-mode activation: `OSSL_PROVIDER_load.*fips`, `crypto\\.setFips\\(`, `openssl::provider::Provider::load_default`, `Provider::load.*\"fips\"`, openssl.cnf or fipsmodule.cnf files in the repo, environment-variable references to `OPENSSL_FIPS`, `OPENSSL_CONF`. Capture whether the activation is conditional (e.g. only if env var set) or unconditional.",
+          "air_gap_alternative": "Identical local-filesystem Grep; no network dependency. Run the same patterns against the working repo.",
           "description": "FIPS-provider activation evidence. The `fips-validation-status` directive uses this to distinguish runtime FIPS activation from link-time FIPS claims.",
           "required": false
         },
@@ -458,6 +469,7 @@
           "id": "vendored-crypto-tree",
           "type": "file",
           "source": "Glob for vendored crypto: `vendor/**/{crypto,openssl,sodium,nacl,kyber,dilithium,sphincs,curve25519,blake2,sha3,argon2}*`, `third_party/**/*crypto*`, `crates/**/*crypto*` (excluding the package's own crypto module). Look for upstream-reference files: `UPSTREAM`, `ORIGIN`, `PROVENANCE.md`, `.upstream-commit`, integrity hashes in lockfiles.",
+          "air_gap_alternative": "Identical local-filesystem Glob; no network dependency. Run the same patterns against the working repo.",
           "description": "Vendored cryptographic primitives. Library authors sometimes vendor crypto to reduce dep tree or for licensing reasons. Without provenance + integrity audit, vendored crypto is a supply-chain backdoor opportunity.",
           "required": false
         },
@@ -465,6 +477,7 @@
           "id": "ci-crypto-tests",
           "type": "file",
           "source": "Glob for CI configs: `.github/workflows/**/*.yml`, `.gitlab-ci.yml`, `.circleci/config.yml`, `azure-pipelines.yml`, `Jenkinsfile`. Grep for crypto-test invocations, FIPS-test runs, constant-time analysis tools (`dudect`, `valgrind --tool=memcheck` on secret-dependent code, `ctgrind`).",
+          "air_gap_alternative": "Identical local-filesystem Glob + Grep; no network dependency. Run the same patterns against the working repo.",
           "description": "Build-time crypto verification. Absence of constant-time tests on vendored PQC primitives is a finding for the `pqc-readiness-gap` directive.",
           "required": false
         }

package/data/zeroday-lessons.json

@@ -2,6 +2,7 @@
   "_meta": {
     "schema_version": "1.1.0",
     "last_updated": "2026-05-15",
+    "last_threat_review": "2026-05-17",
     "purpose": "Zero-day learning loop output. Each entry maps a CVE to: attack vector, defense chain analysis, framework coverage, new control requirements generated, and exposure scoring. v1.1.0 (2026-05-15): every entry now carries ai_discovered_zeroday boolean + ai_discovery_source enum + ai_discovery_date + ai_assist_factor ladder, per AGENTS.md Hard Rule #7.",
     "note": "Never delete entries. Closed gaps are marked status: closed. History is data.",
     "tlp": "CLEAR",

package/lib/lint-skills.js

@@ -759,7 +759,7 @@ function main() {
     for (const o of orphans) {
       console.log(`FAIL  <orphan>`);
       console.log(`        - skill.md exists on disk but not in manifest: ${o}`);
-      console.log(`          fix: re-run \`node lib/sign.js sign-all\` after adding it to manifest.json, OR delete the orphan directory`);
+      console.log(`          fix: re-run sign-all (\`node $(exceptd path)/lib/sign.js sign-all\` from a contributor checkout) after adding it to manifest.json, OR delete the orphan directory`);
     }
     // P4 — air-gap completeness lint over data/playbooks/*.json.
     airGapWarnings = lintPlaybookAirGap();

package/lib/playbook-runner.js

@@ -1679,7 +1679,7 @@ function close(playbookId, directiveId, analyzeResult, validateResult, agentSign
     evidencePackage.signature_algorithm = 'HMAC-SHA256-session-key';
   } else if (evidencePackage && evidencePackage.signed) {
     evidencePackage.signature = null;
-    evidencePackage.signature_pending = 'No session_key provided. Sign with Ed25519 via `node lib/sign.js sign-evidence <bundle.json>` post-emit.';
+    evidencePackage.signature_pending = 'No session_key provided. Sign with Ed25519 via `node $(exceptd path)/lib/sign.js sign-evidence <bundle.json>` post-emit (contributor checkout) or `exceptd doctor --fix` to enable signing.';
   }
 
   // learning_loop lesson
@@ -2830,13 +2830,17 @@ function normalizeSubmission(submission, playbook) {
   // which confuses detect()'s indicator-id lookup. Strip and log instead.
   if (submission.signal_overrides !== undefined && submission.signal_overrides !== null
       && (typeof submission.signal_overrides !== 'object' || Array.isArray(submission.signal_overrides))) {
-    if (!submission._runErrors) submission._runErrors = [];
-    pushRunError(submission._runErrors, {
+    // Clone before mutating _runErrors so a frozen / shared input
+    // submission isn't modified in place. Pre-fix a caller passing a
+    // frozen submission (Object.freeze for safety, or a shared reference
+    // across parallel runs) threw uncaught on the _runErrors push.
+    const carry = Array.isArray(submission._runErrors) ? submission._runErrors.slice() : [];
+    pushRunError(carry, {
       kind: 'signal_overrides_invalid',
       supplied_type: Array.isArray(submission.signal_overrides) ? 'array' : typeof submission.signal_overrides,
       reason: 'signal_overrides must be a plain object mapping indicator-id → verdict.'
     }, { dedupeKey: e => String(e.supplied_type) });
-    submission = { ...submission, signal_overrides: {} };
+    submission = { ...submission, signal_overrides: {}, _runErrors: carry };
   }
 
   // v0.11.3 #71 fix: the CLI may inject `signals._bundle_formats` before

package/lib/scoring.js

@@ -300,7 +300,15 @@ function compare(cveId, catalog, opts) {
   // SLA is insufficient. ±10 is the tightest classifier that still treats
   // ordinary CVSS rounding noise as alignment.
   let explanation = '';
-  if (delta > 10) {
+  // Surface the "no scoring signal" case distinctly from "broadly
+  // aligned". Pre-fix a CVE with rwep_score: 0 AND cvss_score: 0 (e.g.
+  // catalog entry created before scoring backfill) printed "broadly
+  // aligned" — coincidence-passing per the field-present-not-populated
+  // pitfall. Now the operator sees a specific signal pointing at the
+  // catalog gap rather than a false sense of alignment.
+  if ((rwep == null || rwep === 0) && (cvss == null || cvss === 0)) {
+    explanation = 'No scoring signal — both RWEP and CVSS are zero/null. Investigate the catalog entry; this CVE has no usable risk score.';
+  } else if (delta > 10) {
     explanation = `RWEP significantly higher than CVSS equivalent. Factors driving delta: `;
     const driving = [];
     if (entry.cisa_kev) driving.push('CISA KEV (+25)');

package/lib/sign.js

@@ -101,6 +101,22 @@ function generateKeypair({ rotate = false } = {}) {
     process.exit(1);
   }
 
+  // Refuse to silently overwrite an existing public key when no private key
+  // is present. This is the v0.11.x signature-regression class: a host with
+  // a working pubkey but missing privkey running generate-keypair would
+  // produce a fresh pubkey divergent from every shipped signature. Operators
+  // running `exceptd doctor --fix` on a stock install would replace the
+  // shipped keys/public.pem with one whose private half exists only on
+  // their machine — every subsequent verify against shipped signatures fails.
+  // Force the operator to be explicit via --rotate (which signals intent to
+  // re-sign).
+  if (fs.existsSync(PUBLIC_KEY_PATH) && !rotate) {
+    console.error('[sign] Public key already exists at keys/public.pem but no matching private key.');
+    console.error('[sign] Refusing to overwrite the public key — that would orphan every existing signature.');
+    console.error('[sign] If you are setting up a fresh signing identity, pass --rotate to confirm. After --rotate you must re-sign all skills with sign-all.');
+    process.exit(1);
+  }
+
   fs.mkdirSync(KEYS_DIR, { recursive: true, mode: 0o700 });
   fs.mkdirSync(PUBLIC_KEYS_DIR, { recursive: true });
 
@@ -115,20 +131,35 @@ function generateKeypair({ rotate = false } = {}) {
   // on win32, fs.writeFileSync `mode` does not produce
   // a POSIX-style restrictive ACL. Tighten via icacls so other desktop
   // users on the same workstation / CI runner can't read the key.
-  restrictWindowsAcl(PRIVATE_KEY_PATH);
+  const aclHardened = restrictWindowsAcl(PRIVATE_KEY_PATH);
 
   if (rotate) {
-    console.log('[sign] Keypair rotated. All existing signatures are now invalid — run: node lib/sign.js sign-all');
+    console.log('[sign] Keypair rotated. All existing signatures are now invalid — re-sign with sign-all.');
   } else {
     console.log('[sign] Ed25519 keypair generated.');
     console.log(`  Private key: .keys/private.pem (gitignored — do not commit)`);
     console.log(`  Public key:  keys/public.pem (tracked — commit this)`);
   }
+  if (process.platform === 'win32') {
+    console.log(`  Windows ACL hardened: ${aclHardened ? 'yes' : 'NO — other desktop users on this machine may be able to read the private key'}`);
+  }
 
   console.log('\nNext steps:');
-  console.log('  1. node lib/sign.js sign-all    — sign all current skills');
-  console.log('  2. node lib/verify.js           — confirm all signatures');
-  console.log('  3. git add keys/public.pem && git commit -m "add signing public key"');
+  if (rotate) {
+    // After --rotate the private key IS present, so `doctor --fix`'s
+    // missing-key path won't fire. Tell the operator to re-sign
+    // directly. (doctor --fix v0.12.41+ also detects this case and
+    // chains sign-all, so either path converges.)
+    console.log('  1. exceptd doctor --fix     — detects post-rotate stale signatures and chains sign-all');
+    console.log('     (or: node $(exceptd path)/lib/sign.js sign-all   — re-sign directly)');
+    console.log('  2. exceptd doctor           — confirm signatures verify against the new public key');
+    console.log('  3. git add keys/public.pem && git commit -m "rotate signing public key"');
+  } else {
+    console.log('  1. exceptd doctor --fix     — chains sign-all after first key generation');
+    console.log('  2. exceptd doctor           — confirm signatures verify');
+    console.log('  3. git add keys/public.pem && git commit -m "add signing public key"');
+  }
+  return { aclHardened };
 }
 
 /**
@@ -380,11 +411,11 @@ function signCanonicalManifest(manifest, privateKey) {
  * @param {string} targetPath absolute path of the private key file
  */
 function restrictWindowsAcl(targetPath) {
-  if (process.platform !== 'win32') return;
+  if (process.platform !== 'win32') return true;
   const user = process.env.USERNAME;
   if (!user) {
     console.warn('[sign] WARN: USERNAME env var not set — skipping Windows ACL hardening on ' + targetPath);
-    return;
+    return false;
   }
   try {
     execFileSync('icacls', [
@@ -393,6 +424,7 @@ function restrictWindowsAcl(targetPath) {
       '/grant:r',
       `${user}:F`,
     ], { stdio: ['ignore', 'ignore', 'pipe'] });
+    return true;
   } catch (err) {
     console.warn(
       '[sign] WARN: icacls hardening failed on ' + targetPath + ': ' +
@@ -400,6 +432,7 @@ function restrictWindowsAcl(targetPath) {
       ' — the key was written but ACL inheritance was not stripped. ' +
       'Other desktop users on this machine may be able to read it.'
     );
+    return false;
   }
 }