@blamejs/exceptd-skills 0.12.41 → 0.13.1

package/data/zeroday-lessons.json

@@ -1941,5 +1941,183 @@
     "ai_discovery_source": "vendor_research",
     "ai_discovery_date": "2026-05-14",
     "ai_assist_factor": "low"
+  },
+  "CVE-2026-46333": {
+    "name": "ssh-keysign-pwn (Linux kernel ptrace exit-race)",
+    "lesson_date": "2026-05-17",
+    "attack_vector": {
+      "description": "Linux kernel ptrace exit-race: exit_mm() runs before exit_files() during privileged-process shutdown, leaving a microsecond window where task->mm == NULL but the fd table still holds privileged file handles. Pre-fix __ptrace_may_access() skipped its get_dumpable() check when mm == NULL, silently authorizing UID-matched access. Unprivileged attacker races ssh-keysign or chage exit, calls pidfd_getfd(2) to duplicate still-open fds, reads /etc/ssh/ssh_host_*_key or /etc/shadow as root.",
+      "privileges_required": "unprivileged local user with shell access",
+      "complexity": "race-condition with deterministic-on-loop primitive — 100-2000 attempts typically succeed",
+      "ai_factor": "Not AI-discovered. Qualys TRU human research. The underlying flaw was originally proposed in a 2020 Jann Horn patch that was never merged; 6-year dormant logic bug."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Merging the 2020 Jann Horn patch proposal. seccomp profiles blocking pidfd_getfd for unprivileged users. SUID removal from ssh-keysign + chage on hosts where host-based SSH auth + age-warn UX are not required. sysctl kernel.user_ptrace=0 to block unprivileged ptrace system-wide.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Yama ptrace_scope is NOT a compensating control — the bypass is at the kernel access-check layer, not the LSM layer. The 2020 Horn patch would have closed the class entirely."
+      },
+      "detection": {
+        "what_would_have_worked": "auditd rule on pidfd_getfd with auid>=1000 fires on unprivileged invocation. eBPF on tracepoint:syscalls:sys_enter_pidfd_getfd correlated with ssh-keysign / chage execution bursts surfaces the 100-2000-attempt race loop loudly.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Detection only; race is running by the time auditd fires. Mitigates post-exploitation cleanup, not exfil itself."
+      },
+      "response": {
+        "what_would_have_worked": "Rotate SSH host keys + /etc/shadow on hosts with observed pidfd_getfd anomalies in disclosure window. Patch + reboot (kernel point releases 7.0.8 / 6.18.31 / 6.12.89 / 6.6.139 / 6.1.173 / 5.15.207 / 5.10.256). KernelCare livepatch when released.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Host-key rotation is non-trivial in fleet ops — SSH known_hosts trust graph fragments. Most operators patch + accept residual window between disclosure and reboot scheduling."
+      }
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "30-day critical patch SLA is an exploitation window for a kernel LPE with two public PoCs. Reboot-required nature breaks standard SI-2 maintenance assumptions."
+      },
+      "NIST-800-53-AC-3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Access enforcement compliance assumes file-permission integrity. ssh-keysign-pwn defeats file permissions via kernel-level access-check skip — AC-3 mode-bit checks are not compensating controls."
+      },
+      "NIST-800-53-AU-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Audit event selection should include pidfd_getfd post-disclosure; pre-disclosure the syscall was rarely on default audit rule sets."
+      },
+      "ISO-27001-2022-A.8.8": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Appropriate timescales undefined; same problem as CVE-2026-43284 / CVE-2026-46300 / CVE-2026-31431."
+      },
+      "NIS2-Art21-patch-management": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Art. 21(2)(c) measures undefined for fast-cycle kernel LPEs. No guidance on sysctl or SUID-removal as interim measures."
+      }
+    },
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-048",
+        "name": "KERNEL-EXIT-RACE-CVE-CLASS-MONITORING",
+        "description": "When a CVE is disclosed in the kernel ptrace / pidfd / fd-table lifecycle class, audit rules SHOULD enable pidfd_getfd / pidfd_open / pidfd_send_signal tracking for auid>=1000 within 24h. The syscall is rare in normal operation; spike volume after a same-class disclosure is high-confidence exploitation signal.",
+        "evidence": "CVE-2026-46333: the 100-2000-attempt exploit loop is loud in audit but most default rule sets do not monitor pidfd_getfd.",
+        "gap_closes": [
+          "NIST-800-53-AU-2",
+          "NIST-800-53-SI-4"
+        ]
+      },
+      {
+        "id": "NEW-CTRL-049",
+        "name": "SUID-MINIMIZATION-FOR-KERNEL-LPE-CARRIER-BINARIES",
+        "description": "Hosts that do not use SSH host-based authentication SHOULD have ssh-keysign de-suid-ed. Hosts that do not use age-warn login UX SHOULD have chage de-suid-ed. Removes the privileged-process carrier even before the kernel patch lands.",
+        "evidence": "CVE-2026-46333: ssh-keysign + chage are the canonical carriers; SUID-removal blocks the exploit at the carrier layer regardless of kernel patch state.",
+        "gap_closes": [
+          "NIST-800-53-CM-6",
+          "NIST-800-53-AC-3"
+        ]
+      }
+    ],
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 95,
+      "basis": "Every Linux fleet running OpenSSH + shadow-utils — every default install for the last 6 years. Audit-passing orgs are exposed because the bug is in default-shipped kernels.",
+      "theater_pattern": "patch_management"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "low"
+  },
+  "MAL-2026-SHAI-HULUD-OSS": {
+    "name": "Shai-Hulud worm framework open-source release (TeamPCP)",
+    "lesson_date": "2026-05-17",
+    "attack_vector": {
+      "description": "Threat-actor open-source release of an operational supply-chain worm under MIT license, paired with a BreachForums-hosted cash-bounty contest for downstream impact. Lowers barrier-to-entry from custom-tradecraft to clone-and-deploy. Framework targets AI-coding-assistant config files (~/.cursor, ~/.codeium, ~/.claude) alongside cloud + registry credentials; adds Claude Code startup hooks for persistence. Self-replicates via maintainer-token-pivot — stolen npm token authenticates as compromised maintainer, publishes malicious versions of other packages owned by the same maintainer.",
+      "privileges_required": "opportunistic — any developer workstation where the package is installed and post-install or require-time activation fires",
+      "complexity": "post-release: low. Pre-release: high (custom tradecraft).",
+      "ai_factor": "TeamPCP self-describes as \"vibe coded\" — AI-coding-assistant-mediated authoring. Defenders should expect rapid variant proliferation accelerated by AI coding assistants."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Maintainer-side: hardware-key-bound npm publish + MFA-required republish + npm-token isolation (publish tokens NOT on developer workstations). Consumer-side: package-pin hash verification, --ignore-scripts for postinstall, internal Verdaccio proxy with manual gating on version-bump risk-scoring. AI-assistant-side: file-permission restriction on ~/.claude/settings.json, ~/.cursor/mcp.json, ~/.codeium/windsurf/mcp_config.json (0600 on POSIX, ACL-restricted on Windows) so unprivileged processes cannot read.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "No single control prevents the attack class. Defense-in-depth across maintainer + registry + consumer + AI-config layers reduces blast radius but does not eliminate."
+      },
+      "detection": {
+        "what_would_have_worked": "Anomaly detection on npm publish events from new IPs, unusual cadence, or unusual package selection per maintainer. Monitor GitHub for repos matching \"A Gift From TeamPCP\" naming pattern OR with commit timestamps in year 2099 OR with agwagwagwa / headdirt / tmechen account contributors. eBPF on file-read events for ~/.aws, ~/.ssh, ~/.cursor, ~/.codeium, ~/.claude from processes spawned by node / npm / yarn / pnpm.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Detection-side is operator-feasible but reactive. By the time anomaly fires, credentials may already be in the attacker-controlled GitHub repo."
+      },
+      "response": {
+        "what_would_have_worked": "Immediate npm token rotation across all developer workstations + maintainer accounts. Audit all published package versions in the disclosure window for any unauthorized publish under compromised credentials. Roll back malicious versions via npm registry security-team channel. Rotate all secrets referenced by AI-assistant config files (MCP server tokens, Anthropic API keys, OpenAI keys).",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Response is unbounded — once credentials leak, blast radius is the union of every API the credential can reach."
+      }
+    },
+    "framework_coverage": {
+      "NIST-800-218-SSDF-PW.4": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Tooling-trust assumption invalid when maintainer workstation is compromised."
+      },
+      "NIST-800-53-SR-3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Supply-chain-tampering controls do not address legitimately-authenticated malicious upstream."
+      },
+      "EU-CRA-Art13": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Vulnerability-handling treats malicious upgrades as outside scope."
+      },
+      "SLSA-v1.0-Build-L3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "L3 provenance is valid for Shai-Hulud-poisoned packages — the build IS provenance-attested under the compromised maintainer identity."
+      }
+    },
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-050",
+        "name": "AI-ASSISTANT-CONFIG-FILE-PERMISSION-LOCKDOWN",
+        "description": "AI-assistant configuration files (~/.claude/, ~/.cursor/, ~/.codeium/, ~/.aider/, ~/.continue/) that carry MCP server tokens or LLM API keys MUST be mode 0600 on POSIX and ACL-restricted to the workstation user on Windows. Default mode on these files is typically 0644; Shai-Hulud reads them at unprivileged process scope. exceptd v0.12.41 hardened attestation sidecars to 0o600 for the same reason; the workstation-config category needs the same defensive posture.",
+        "evidence": "MAL-2026-SHAI-HULUD-OSS framework explicitly reads ~/.cursor/mcp.json + ~/.codeium/windsurf/mcp_config.json + ~/.claude/settings.json as exfil targets.",
+        "gap_closes": [
+          "NIST-800-53-AC-3",
+          "NIST-800-53-CM-6"
+        ]
+      },
+      {
+        "id": "NEW-CTRL-051",
+        "name": "NPM-PUBLISH-TOKEN-WORKSTATION-ISOLATION",
+        "description": "npm publish tokens MUST NOT reside on developer workstations. Publish should require a hardware-key-bound CI/CD pipeline gate (GitHub Actions with OIDC + npm provisioning, or equivalent). Workstation tokens scope to read-only registry pulls.",
+        "evidence": "MAL-2026-SHAI-HULUD-OSS pivot mechanism requires a write-scope npm token on the maintainer workstation.",
+        "gap_closes": [
+          "NIST-800-53-IA-5",
+          "NIST-800-218-SSDF-PW.4"
+        ]
+      },
+      {
+        "id": "NEW-CTRL-052",
+        "name": "GITHUB-REPO-PATTERN-MONITORING-FOR-EXFIL-CHANNELS",
+        "description": "Organizations SHOULD monitor GitHub for repository creation matching known threat-actor naming patterns (\"A Gift From TeamPCP\", \"Shai-Hulud\", future variants). The attacker uses GitHub itself as the exfil channel; the GitHub Search API + Code Search API are sufficient.",
+        "evidence": "MAL-2026-SHAI-HULUD-OSS pattern; pre-2026-05-12 Shai-Hulud waves used \"Shai-Hulud-*\" repo naming.",
+        "gap_closes": [
+          "NIST-800-53-SI-4"
+        ]
+      }
+    ],
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 80,
+      "basis": "Every npm-consuming engineering org. SLSA + SSDF + SR-3 compliance does not protect against legitimately-authenticated malicious-maintainer publishes.",
+      "theater_pattern": "sbom_and_provenance"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "threat_actor_release",
+    "ai_assist_factor": "high"
   }
 }

package/lib/cross-ref-api.js

@@ -37,56 +37,76 @@ const _cache = new Map();
 // can inspect.
 const _loadErrors = [];
 
-function _statMtime(p) {
-  try { return fs.statSync(p).mtimeMs; }
-  catch { return null; }
+/**
+ * v0.13.0: cache invalidation is keyed on (mtimeMs, size). Pre-v0.13 it
+ * was mtime-only, but on filesystems with 1-2s mtime granularity
+ * (FAT32, HFS+ pre-APFS, NFSv3, Docker bind-mounts that proxy mtime)
+ * a rapid refresh-then-reload within the same second served stale
+ * cached data. Adding `size` catches every content change that affects
+ * byte count; mtimeMs catches in-place rewrites that preserve byte
+ * count. Together they cover every realistic catalog-mutation path
+ * without the cost of a per-load SHA computation. SHA-based tier is
+ * available via _statContentHash() when callers want full invalidation
+ * (e.g. long-running daemons against append-only catalogs).
+ */
+function _statSignature(p) {
+  try {
+    const s = fs.statSync(p);
+    return { mtime: s.mtimeMs, size: s.size };
+  } catch { return null; }
+}
+
+function _signatureEquals(a, b) {
+  if (a === null && b === null) return true;
+  if (a === null || b === null) return false;
+  return a.mtime === b.mtime && a.size === b.size;
 }
 
 function loadCatalog(filename) {
   const full = path.join(DATA_DIR, filename);
-  const mtime = _statMtime(full);
+  const sig = _statSignature(full);
   const cached = _cache.get(filename);
-  if (cached && (mtime === null || cached.mtime === mtime)) {
+  if (cached && (sig === null || _signatureEquals(cached.sig, sig))) {
     return cached.value;
   }
   if (!fs.existsSync(full)) {
-    _cache.set(filename, { value: {}, mtime });
+    _cache.set(filename, { value: {}, sig });
     return {};
   }
   try {
     const parsed = JSON.parse(fs.readFileSync(full, 'utf8'));
-    _cache.set(filename, { value: parsed, mtime });
+    _cache.set(filename, { value: parsed, sig });
     return parsed;
   } catch (e) {
     _loadErrors.push({ kind: 'catalog', file: filename, error: e.message });
     const stub = {};
     Object.defineProperty(stub, '_loadError', { value: e.message, enumerable: false });
-    _cache.set(filename, { value: stub, mtime });
+    _cache.set(filename, { value: stub, sig });
     return stub;
   }
 }
 
 function loadIndex(filename) {
   const full = path.join(INDEX_DIR, filename);
-  const mtime = _statMtime(full);
+  const sig = _statSignature(full);
   const key = 'idx:' + filename;
   const cached = _cache.get(key);
-  if (cached && (mtime === null || cached.mtime === mtime)) {
+  if (cached && (sig === null || _signatureEquals(cached.sig, sig))) {
     return cached.value;
   }
   if (!fs.existsSync(full)) {
-    _cache.set(key, { value: {}, mtime });
+    _cache.set(key, { value: {}, sig });
     return {};
   }
   try {
     const parsed = JSON.parse(fs.readFileSync(full, 'utf8'));
-    _cache.set(key, { value: parsed, mtime });
+    _cache.set(key, { value: parsed, sig });
     return parsed;
   } catch (e) {
     _loadErrors.push({ kind: 'index', file: filename, error: e.message });
     const stub = {};
     Object.defineProperty(stub, '_loadError', { value: e.message, enumerable: false });
-    _cache.set(key, { value: stub, mtime });
+    _cache.set(key, { value: stub, sig });
     return stub;
   }
 }

package/lib/cve-curation.js

@@ -637,7 +637,18 @@ function applyAnswersUnderLock(cveId, catalog, catalogPath, answers) {
 
 function writeJsonAtomic(p, obj) {
   const tmpPath = `${p}.tmp.${process.pid}.${Math.random().toString(36).slice(2, 10)}`;
-  fs.writeFileSync(tmpPath, JSON.stringify(obj, null, 2) + "\n", "utf8");
+  // v0.13.0: fsync the tmp file before rename so a power loss between
+  // write and rename leaves the durable destination intact. Without
+  // fsync the data sits in the OS page cache and the rename succeeds
+  // atomically, but the renamed file may be zero-length / partial on
+  // crash. Open + write + fsync + close + rename is the durable idiom.
+  const fd = fs.openSync(tmpPath, 'w');
+  try {
+    fs.writeSync(fd, JSON.stringify(obj, null, 2) + "\n", 0, "utf8");
+    fs.fsyncSync(fd);
+  } finally {
+    fs.closeSync(fd);
+  }
   try {
     fs.renameSync(tmpPath, p);
   } catch (err) {

package/lib/exit-codes.js

@@ -66,9 +66,38 @@ function listExitCodes() {
   }));
 }
 
+/**
+ * Set the process exit code WITHOUT calling process.exit(). Returns to the
+ * caller so any pending stdout/stderr writes drain on natural event-loop
+ * shutdown.
+ *
+ * `process.exit(N)` terminates the process synchronously, which truncates
+ * buffered async stdout when stdout is piped (CI, test harnesses, --json
+ * consumers). The v0.11.10 CI #100 fix established the exitCode-then-return
+ * idiom for that reason; every subsequent regression that re-introduced
+ * bare process.exit() in the dispatch surface was the same class of bug.
+ *
+ * Callers SHOULD prefer this helper for any exit-after-stdout-write path.
+ * Long-running daemons / tests that need synchronous termination can still
+ * use process.exit() directly — that's intentional and not what this guards.
+ *
+ * @param {number} code Exit code (use the EXIT_CODES constants)
+ * @returns {void}
+ */
+function safeExit(code) {
+  // Only override exitCode when it isn't already set to a non-zero value —
+  // matches the emit() ok:false fallback contract so a caller that already
+  // set BLOCKED (4) before emit() doesn't get overwritten by a later
+  // GENERIC_FAILURE (1).
+  if (!process.exitCode || process.exitCode === 0) {
+    process.exitCode = code;
+  }
+}
+
 module.exports = {
   EXIT_CODES,
   EXIT_CODE_DESCRIPTIONS,
   exitCodeName,
   listExitCodes,
+  safeExit,
 };

package/lib/lint-skills.js

@@ -243,6 +243,11 @@ function extractFrontmatterBlock(content) {
 /* Validate frontmatter object against the codified schema rules. */
 function validateFrontmatter(fm, skillName) {
   const errors = [];
+  // v0.13.0: validateFrontmatter now ALSO surfaces warnings (e.g. the
+  // last_threat_review 180-day soft cap). Return signature changes from
+  // `string[]` to `{ errors: string[], warnings: string[] }` — callers
+  // updated accordingly.
+  const warnings = [];
 
   for (const key of Object.keys(fm)) {
     if (!ALL_KNOWN_FIELDS.has(key)) {
@@ -351,10 +356,25 @@ function validateFrontmatter(fm, skillName) {
       errors.push(
         `frontmatter.last_threat_review "${fm.last_threat_review}" is not an ISO date (YYYY-MM-DD)`,
       );
+    } else {
+      // v0.13.0: Hard Rule #8 forcing function — refuse skills whose
+      // last_threat_review is older than the staleness threshold.
+      // 180-day soft cap (warn), 365-day hard cap (fail). Operators on
+      // older releases who don't refresh fall off the supported window.
+      const days = Math.floor((Date.now() - Date.parse(fm.last_threat_review + 'T00:00:00Z')) / (24 * 60 * 60 * 1000));
+      if (days > 365) {
+        errors.push(
+          `frontmatter.last_threat_review "${fm.last_threat_review}" is ${days} days old — Hard Rule #8 staleness gate (hard fail at >365 days). Refresh the threat review against current intel and bump the date.`,
+        );
+      } else if (days > 180) {
+        warnings.push(
+          `frontmatter.last_threat_review "${fm.last_threat_review}" is ${days} days old — Hard Rule #8 staleness warning (warn at >180 days, hard fail at >365). Schedule a review.`,
+        );
+      }
     }
   }
 
-  return errors;
+  return { errors, warnings };
 }
 
 /* L1 — Heading-anchored section detection.
@@ -460,7 +480,9 @@ function lintSkill(entry, ctx) {
     return { name: entry.name, errors: skillErrors, warnings: skillWarnings };
   }
 
-  skillErrors.push(...validateFrontmatter(fm, entry.name));
+  const fmResult = validateFrontmatter(fm, entry.name);
+  skillErrors.push(...fmResult.errors);
+  skillWarnings.push(...fmResult.warnings);
 
   if (Array.isArray(fm.data_deps)) {
     for (const dep of fm.data_deps) {

package/lib/refresh-external.js

@@ -637,6 +637,12 @@ const OSV_SOURCE = {
   },
 };
 
+// v0.13.1: ADVISORIES_SOURCE polls Qualys TRU + RHSA + USN + ZDI primary
+// feeds and surfaces CVE IDs not yet in the catalog. Report-only — no
+// auto-catalog mutation. Closes the post-mortem gap on CVE-2026-46333
+// (ssh-keysign-pwn) where the existing NVD-based pollers lagged by 3+ days.
+const { ADVISORIES_SOURCE } = require('./source-advisories');
+
 const ALL_SOURCES = {
   kev: KEV_SOURCE,
   epss: EPSS_SOURCE,
@@ -645,6 +651,7 @@ const ALL_SOURCES = {
   pins: PINS_SOURCE,
   ghsa: GHSA_SOURCE,
   osv: OSV_SOURCE,
+  advisories: ADVISORIES_SOURCE,
 };
 
 // --- Cache-mode helpers ------------------------------------------------
@@ -1066,7 +1073,16 @@ function loadCtx(opts) {
 // worker threads) never collide on the same scratch path.
 function writeJsonAtomic(p, obj) {
   const tmpPath = `${p}.tmp.${process.pid}.${Math.random().toString(36).slice(2, 10)}`;
-  fs.writeFileSync(tmpPath, JSON.stringify(obj, null, 2) + "\n", "utf8");
+  // v0.13.0: fsync the tmp file before rename so a power loss between
+  // write and rename leaves the durable destination intact. See the
+  // matching helper in lib/cve-curation.js for the rationale.
+  const fd = fs.openSync(tmpPath, 'w');
+  try {
+    fs.writeSync(fd, JSON.stringify(obj, null, 2) + "\n", 0, "utf8");
+    fs.fsyncSync(fd);
+  } finally {
+    fs.closeSync(fd);
+  }
   try {
     fs.renameSync(tmpPath, p);
   } catch (err) {

package/lib/scoring.js

@@ -346,6 +346,54 @@ function compare(cveId, catalog, opts) {
   return out;
 }
 
+/**
+ * v0.13.0: detect rwep_factors shape. The catalog historically stored
+ * factors in two distinct shapes that look identical at the field level:
+ *
+ *   Shape A (raw):    `{ cisa_kev: true, blast_radius: 30, ... }`
+ *     - booleans + integers in their natural form
+ *     - score derives from `scoreCustom(factors)` which applies weights
+ *
+ *   Shape B (post-weight): `{ cisa_kev: 25, blast_radius: 30, ... }`
+ *     - integers in their post-weight contribution (cisa_kev: 25 not true)
+ *     - score = sum of values; no second weight pass
+ *
+ * Mixing shapes inside ONE entry silently breaks the sum invariant —
+ * a CVE with `cisa_kev: true, blast_radius: 30` reports rwep 30 (just
+ * blast_radius summed) when the operator-intended score is 55 (KEV + br).
+ * Until v0.13 nothing caught this; v0.13 adds shape detection that fires
+ * an error when the entry mixes booleans with non-trivial numeric weights.
+ *
+ * Returns 'A' for raw, 'B' for post-weight, 'unknown' for empty/edge
+ * cases, or 'mixed' for the violating case.
+ */
+function detectFactorShape(factors) {
+  if (!factors || typeof factors !== 'object') return 'unknown';
+  const boolFields = ['cisa_kev', 'poc_available', 'ai_assisted_weaponization', 'ai_discovered', 'active_exploitation', 'patch_available', 'live_patch_available', 'patch_required_reboot'];
+  let sawBool = false;
+  let sawWeightedInt = false;
+  for (const [k, v] of Object.entries(factors)) {
+    if (k === 'blast_radius') continue; // always integer in both shapes
+    if (typeof v === 'boolean' || v === null) {
+      sawBool = true;
+    } else if (typeof v === 'number' && Math.abs(v) >= 5 && boolFields.includes(k)) {
+      // Field that's nominally boolean carrying a numeric weight (e.g. 25,
+      // 20, 15) — Shape B signature.
+      sawWeightedInt = true;
+    } else if (typeof v === 'number' && (v === 0 || v === 1) && boolFields.includes(k)) {
+      // 0/1 on a boolean-named field could be either shape; ambiguous, ignore.
+      continue;
+    } else if (typeof v === 'string' && boolFields.includes(k)) {
+      // String values (e.g. active_exploitation: 'confirmed') are Shape A.
+      sawBool = true;
+    }
+  }
+  if (sawBool && sawWeightedInt) return 'mixed';
+  if (sawWeightedInt) return 'B';
+  if (sawBool) return 'A';
+  return 'unknown';
+}
+
 function validate(catalog) {
   const errors = [];
   for (const [cveId, entry] of Object.entries(catalog)) {
@@ -371,6 +419,13 @@ function validate(catalog) {
     if (entry.live_patch_available && (!entry.live_patch_tools || entry.live_patch_tools.length === 0)) {
       errors.push(`${cveId}: live_patch_available=true but live_patch_tools is empty`);
     }
+    // v0.13.0: detect Shape A / Shape B / mixed factor shape. A 'mixed'
+    // shape would silently break the sum invariant; refuse it. See
+    // detectFactorShape() doc above for the failure mode.
+    const shape = detectFactorShape(entry.rwep_factors);
+    if (shape === 'mixed') {
+      errors.push(`${cveId}: rwep_factors mixes Shape A (booleans) with Shape B (post-weight integers) — sum invariant cannot hold. Convert factors to a single shape.`);
+    }
     const calculatedRwep = scoreCustom({
       cisa_kev: entry.cisa_kev,
       poc_available: entry.poc_available,