@blamejs/exceptd-skills 0.12.8 → 0.12.9

package/data/_indexes/token-budget.json

@@ -3,8 +3,8 @@
     "schema_version": "1.0.0",
     "tokenizer_note": "Character-density approximation: 1 token ≈ 4 chars. This is the canonical rule-of-thumb for OpenAI tokenizers on English+technical text. Claude's tokenizer is typically more efficient on prose; treat this as an upper-bound budget for both. Consumers with stricter precision needs should re-tokenize with their own tokenizer.",
     "approx_chars_per_token": 4,
-    "total_chars": 1348369,
-    "total_approx_tokens": 337096,
+    "total_chars": 1369448,
+    "total_approx_tokens": 342364,
     "skill_count": 38
   },
   "skills": {
@@ -65,10 +65,10 @@
     },
     "ai-attack-surface": {
       "path": "skills/ai-attack-surface/skill.md",
-      "bytes": 16309,
-      "chars": 16283,
-      "lines": 286,
-      "approx_tokens": 4071,
+      "bytes": 20062,
+      "chars": 20024,
+      "lines": 311,
+      "approx_tokens": 5006,
       "approx_chars_per_token": 4,
       "sections": {
         "threat-context": {
@@ -101,6 +101,11 @@
           "chars": 1117,
           "approx_tokens": 279
         },
+        "defensive-countermeasure-mapping": {
+          "bytes": 3718,
+          "chars": 3706,
+          "approx_tokens": 927
+        },
         "compliance-theater-check": {
           "bytes": 1086,
           "chars": 1086,
@@ -110,10 +115,10 @@
     },
     "mcp-agent-trust": {
       "path": "skills/mcp-agent-trust/skill.md",
-      "bytes": 19717,
-      "chars": 19655,
-      "lines": 330,
-      "approx_tokens": 4914,
+      "bytes": 23929,
+      "chars": 23861,
+      "lines": 354,
+      "approx_tokens": 5965,
       "approx_chars_per_token": 4,
       "sections": {
         "threat-context": {
@@ -151,6 +156,11 @@
           "chars": 2431,
           "approx_tokens": 608
         },
+        "defensive-countermeasure-mapping": {
+          "bytes": 4201,
+          "chars": 4195,
+          "approx_tokens": 1049
+        },
         "compliance-theater-check": {
           "bytes": 513,
           "chars": 513,
@@ -215,12 +225,17 @@
     },
     "compliance-theater": {
       "path": "skills/compliance-theater/skill.md",
-      "bytes": 27568,
-      "chars": 27506,
-      "lines": 366,
-      "approx_tokens": 6877,
+      "bytes": 28379,
+      "chars": 28313,
+      "lines": 372,
+      "approx_tokens": 7078,
       "approx_chars_per_token": 4,
       "sections": {
+        "frontmatter-scope": {
+          "bytes": 811,
+          "chars": 807,
+          "approx_tokens": 202
+        },
         "threat-context": {
           "bytes": 1804,
           "chars": 1798,
@@ -265,12 +280,17 @@
     },
     "exploit-scoring": {
       "path": "skills/exploit-scoring/skill.md",
-      "bytes": 20459,
-      "chars": 20333,
-      "lines": 332,
-      "approx_tokens": 5083,
+      "bytes": 21077,
+      "chars": 20949,
+      "lines": 338,
+      "approx_tokens": 5237,
       "approx_chars_per_token": 4,
       "sections": {
+        "frontmatter-scope": {
+          "bytes": 618,
+          "chars": 616,
+          "approx_tokens": 154
+        },
         "threat-context": {
           "bytes": 1685,
           "chars": 1677,
@@ -325,10 +345,10 @@
     },
     "rag-pipeline-security": {
       "path": "skills/rag-pipeline-security/skill.md",
-      "bytes": 24124,
-      "chars": 23983,
-      "lines": 298,
-      "approx_tokens": 5996,
+      "bytes": 28775,
+      "chars": 28610,
+      "lines": 324,
+      "approx_tokens": 7153,
       "approx_chars_per_token": 4,
       "sections": {
         "threat-context": {
@@ -362,9 +382,9 @@
           "approx_tokens": 423
         },
         "framework-lag-declaration": {
-          "bytes": 1408,
-          "chars": 1404,
-          "approx_tokens": 351
+          "bytes": 2157,
+          "chars": 2151,
+          "approx_tokens": 538
         },
         "ttp-mapping": {
           "bytes": 3642,
@@ -391,6 +411,11 @@
           "chars": 2624,
           "approx_tokens": 656
         },
+        "defensive-countermeasure-mapping": {
+          "bytes": 3879,
+          "chars": 3857,
+          "approx_tokens": 964
+        },
         "compliance-theater-check": {
           "bytes": 644,
           "chars": 640,
@@ -400,10 +425,10 @@
     },
     "ai-c2-detection": {
       "path": "skills/ai-c2-detection/skill.md",
-      "bytes": 29630,
-      "chars": 29506,
-      "lines": 446,
-      "approx_tokens": 7377,
+      "bytes": 33572,
+      "chars": 33436,
+      "lines": 470,
+      "approx_tokens": 8359,
       "approx_chars_per_token": 4,
       "sections": {
         "threat-context": {
@@ -446,6 +471,11 @@
           "chars": 4070,
           "approx_tokens": 1018
         },
+        "defensive-countermeasure-mapping": {
+          "bytes": 3942,
+          "chars": 3930,
+          "approx_tokens": 983
+        },
         "compliance-theater-check": {
           "bytes": 1390,
           "chars": 1382,
@@ -465,12 +495,17 @@
     },
     "policy-exception-gen": {
       "path": "skills/policy-exception-gen/skill.md",
-      "bytes": 28403,
-      "chars": 28321,
-      "lines": 438,
-      "approx_tokens": 7080,
+      "bytes": 28886,
+      "chars": 28802,
+      "lines": 444,
+      "approx_tokens": 7201,
       "approx_chars_per_token": 4,
       "sections": {
+        "frontmatter-scope": {
+          "bytes": 483,
+          "chars": 481,
+          "approx_tokens": 120
+        },
         "threat-context": {
           "bytes": 2232,
           "chars": 2226,
@@ -515,12 +550,17 @@
     },
     "threat-model-currency": {
       "path": "skills/threat-model-currency/skill.md",
-      "bytes": 24982,
-      "chars": 24882,
-      "lines": 405,
-      "approx_tokens": 6221,
+      "bytes": 25608,
+      "chars": 25506,
+      "lines": 409,
+      "approx_tokens": 6377,
       "approx_chars_per_token": 4,
       "sections": {
+        "frontmatter-scope": {
+          "bytes": 626,
+          "chars": 624,
+          "approx_tokens": 156
+        },
         "purpose": {
           "bytes": 545,
           "chars": 541,
@@ -635,12 +675,17 @@
     },
     "zeroday-gap-learn": {
       "path": "skills/zeroday-gap-learn/skill.md",
-      "bytes": 22177,
-      "chars": 22061,
-      "lines": 351,
-      "approx_tokens": 5515,
+      "bytes": 22718,
+      "chars": 22600,
+      "lines": 357,
+      "approx_tokens": 5650,
       "approx_chars_per_token": 4,
       "sections": {
+        "frontmatter-scope": {
+          "bytes": 541,
+          "chars": 539,
+          "approx_tokens": 135
+        },
         "threat-context": {
           "bytes": 1673,
           "chars": 1665,
@@ -770,12 +815,17 @@
     },
     "skill-update-loop": {
       "path": "skills/skill-update-loop/skill.md",
-      "bytes": 42574,
-      "chars": 42470,
-      "lines": 496,
-      "approx_tokens": 10618,
+      "bytes": 43027,
+      "chars": 42921,
+      "lines": 502,
+      "approx_tokens": 10730,
       "approx_chars_per_token": 4,
       "sections": {
+        "frontmatter-scope": {
+          "bytes": 453,
+          "chars": 451,
+          "approx_tokens": 113
+        },
         "threat-context": {
           "bytes": 1510,
           "chars": 1504,
@@ -835,12 +885,17 @@
     },
     "security-maturity-tiers": {
       "path": "skills/security-maturity-tiers/skill.md",
-      "bytes": 29283,
-      "chars": 29119,
-      "lines": 483,
-      "approx_tokens": 7280,
+      "bytes": 29805,
+      "chars": 29641,
+      "lines": 489,
+      "approx_tokens": 7410,
       "approx_chars_per_token": 4,
       "sections": {
+        "frontmatter-scope": {
+          "bytes": 522,
+          "chars": 522,
+          "approx_tokens": 131
+        },
         "how-to-use-this-skill": {
           "bytes": 411,
           "chars": 409,
@@ -915,12 +970,17 @@
     },
     "researcher": {
       "path": "skills/researcher/skill.md",
-      "bytes": 28472,
-      "chars": 28304,
-      "lines": 311,
-      "approx_tokens": 7076,
+      "bytes": 29009,
+      "chars": 28839,
+      "lines": 317,
+      "approx_tokens": 7210,
       "approx_chars_per_token": 4,
       "sections": {
+        "frontmatter-scope": {
+          "bytes": 537,
+          "chars": 535,
+          "approx_tokens": 134
+        },
         "threat-context": {
           "bytes": 2945,
           "chars": 2937,

package/data/cve-catalog.json

@@ -1,7 +1,7 @@
 {
   "_meta": {
     "schema_version": "1.0.0",
-    "last_updated": "2026-05-11",
+    "last_updated": "2026-05-13",
     "source": "NVD + CISA KEV + vendor advisories — see sources/index.json",
     "required_fields": [
       "type",
@@ -43,8 +43,9 @@
     "cvss_score": 7.8,
     "cvss_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
     "cisa_kev": true,
-    "cisa_kev_date": "2026-03-15",
-    "cisa_kev_due_date": "2026-04-05",
+    "cisa_kev_date": "2026-05-01",
+    "cisa_kev_due_date": "2026-05-15",
+    "cisa_kev_date_correction_note": "v0.12.9 (2026-05-13): catalog previously stored 2026-03-15 / due 2026-04-05. CISA KEV JSON authoritative is dateAdded 2026-05-01 / dueDate 2026-05-15 (source: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json filtered for CVE-2026-31431). The catalog was running six weeks ahead of the real KEV listing; downstream framework-SLA computations were anchored on a date that hadn't yet been authoritative.",
     "poc_available": true,
     "poc_description": "Public exploit script — single-stage, 732 bytes, no race condition, deterministic root escalation from any unprivileged user or container",
     "ai_discovered": true,
@@ -91,11 +92,13 @@
       "live_patch_available": -10,
       "reboot_required": 5
     },
-    "epss_score": 0.94,
-    "epss_percentile": 0.99,
-    "epss_date": "2026-05-11",
+    "epss_score": 0.0257,
+    "epss_percentile": 0.8569,
+    "epss_date": "2026-05-13",
     "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-31431",
-    "source_verified": "2026-05-01",
+    "epss_correction_note": "v0.12.9: refreshed from live FIRST API. Catalog previously stored 0.94 / 0.99 (estimate for newly-published CVE; EPSS model cold-start). Live values reflect post-disclosure exploitation telemetry through 2026-05-13.",
+    "cwe_refs": ["CWE-669"],
+    "source_verified": "2026-05-13",
     "verification_sources": [
       "https://nvd.nist.gov/vuln/detail/CVE-2026-31431",
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
@@ -180,8 +183,11 @@
   "CVE-2026-43284": {
     "name": "Dirty Frag (ESP/IPsec component)",
     "type": "LPE",
-    "cvss_score": 7.8,
-    "cvss_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_score": 8.8,
+    "cvss_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
+    "cvss_correction_note": "v0.12.9 (2026-05-13): catalog previously stored 7.8 / Scope:U. NVD secondary CVSS block authoritative is 8.8 / Scope:C (Scope: Changed — kernel→user-namespace breakout is in-scope, which supports the container-escape framing). Source: https://nvd.nist.gov/vuln/detail/CVE-2026-43284. The lower-scored block remains valid for compatibility readers; the higher block is the operational risk floor.",
+    "cvss_score_alternate": 7.8,
+    "cvss_vector_alternate": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
     "cisa_kev": false,
     "cisa_kev_date": null,
     "poc_available": true,
@@ -222,11 +228,13 @@
       "live_patch_available": 0,
       "reboot_required": 5
     },
-    "epss_score": 0.18,
-    "epss_percentile": 0.88,
-    "epss_date": "2026-05-11",
+    "epss_score": 0.00007,
+    "epss_percentile": 0.0051,
+    "epss_date": "2026-05-13",
     "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-43284",
-    "source_verified": "2026-05-01",
+    "epss_correction_note": "v0.12.9: refreshed from live FIRST API. Previous values (0.18 / 0.88) were estimates for the newly-published CVE; cold-start EPSS routinely overstates newly-cataloged kernel CVEs.",
+    "cwe_refs": ["CWE-123"],
+    "source_verified": "2026-05-13",
     "verification_sources": [
       "https://nvd.nist.gov/vuln/detail/CVE-2026-43284"
     ],
@@ -346,11 +354,13 @@
       "live_patch_available": 0,
       "reboot_required": 5
     },
-    "epss_score": 0.07,
-    "epss_percentile": 0.75,
-    "epss_date": "2026-05-11",
+    "epss_score": 0.0001,
+    "epss_percentile": 0.0115,
+    "epss_date": "2026-05-13",
     "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-43500",
-    "source_verified": "2026-05-01",
+    "epss_correction_note": "v0.12.9: refreshed from live FIRST API (cold-start cleanup).",
+    "cwe_refs": ["CWE-787"],
+    "source_verified": "2026-05-13",
     "verification_sources": [
       "https://nvd.nist.gov/vuln/detail/CVE-2026-43500"
     ],
@@ -553,10 +563,11 @@
     "last_updated": "2026-05-13"
   },
   "CVE-2026-30615": {
-    "name": "Windsurf MCP Zero-Interaction RCE",
+    "name": "Windsurf MCP Local-Vector RCE via Adversarial Tool Response",
     "type": "RCE-supply-chain",
-    "cvss_score": 9.8,
-    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_score": 8.0,
+    "cvss_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H",
+    "cvss_correction_note": "v0.12.9 (2026-05-13): catalog previously stored CVSS 9.8 / AV:N. NVD authoritative is 8.0 / AV:L (local attack vector; attacker must control HTML content the Windsurf MCP client processes — not a network-vector zero-interaction RCE as initially cataloged). Source: https://nvd.nist.gov/vuln/detail/CVE-2026-30615 (published 2026-04-15, last_modified 2026-04-27, vulnStatus: Deferred). Recompute RWEP with blast_radius reduced from 30→20 to reflect local-vector + Scope:U.",
     "cisa_kev": false,
     "cisa_kev_date": null,
     "poc_available": true,
@@ -722,10 +733,11 @@
       "reboot_required": 0
     },
     "rwep_notes": "RWEP cap of 30 on blast_radius understates the real exposure (42 packages, ~150M+ weekly downloads combined). Operationally treat as P0; the formula caps blast_radius regardless of magnitude. Once CISA KEV-lists this CVE, the +25 boost will lift score to 70 (P1 territory).",
-    "epss_score": 0.78,
-    "epss_percentile": 0.97,
+    "epss_score": 0.00039,
+    "epss_percentile": 0.1179,
     "epss_date": "2026-05-13",
     "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-45321",
+    "epss_correction_note": "v0.12.9: refreshed from live FIRST API. Previous values (0.78 / 0.97) were cold-start estimates inconsistent with confirmed in-wild exploitation; the qualitative narrative (rwep_notes above) remains the authoritative risk signal — raw EPSS underreports newly-disclosed worm payload classes.",
     "source_verified": "2026-05-13",
     "verification_sources": [
       "https://nvd.nist.gov/vuln/detail/CVE-2026-45321",

package/data/playbooks/mcp.json

@@ -94,6 +94,7 @@
       "T1190"
     ],
     "cve_refs": [
+      "CVE-2025-53773",
       "CVE-2026-30615",
       "CVE-2026-45321"
     ],

package/lib/playbook-runner.js

@@ -418,26 +418,118 @@ function analyze(playbookId, directiveId, detectResult, agentSignals = {}) {
   const an = resolvedPhase(playbook, directiveId, 'analyze');
   const directive = findDirective(playbook, directiveId);
 
-  // Match catalogued CVEs from the domain.cve_refs list. The agent submits
-  // signal values; engine joins to the catalog for RWEP context.
-  // VEX filter (agentSignals.vex_filter): a set of CVE IDs the operator
-  // has formally declared not_affected via a CycloneDX/OpenVEX statement.
-  // We drop those from matched_cves before scoring, and surface them
-  // separately so the analyze response still records the disposition.
+  // Resolve catalogued CVEs from the domain.cve_refs list. This list is the
+  // playbook's CVE scan-coverage enumeration — every CVE this playbook can
+  // detect. By itself it is NOT a statement that the operator is affected by
+  // any of these CVEs; affected-ness requires evidence correlation in detect.
+  //
+  // Two distinct sets are computed below:
+  //
+  //   catalogBaselineCves — every CVE the playbook scans for, with full
+  //       per-CVE catalog context (RWEP / KEV / CVSS / AI-discovery /
+  //       active-exploitation / patch state). Always populated when the
+  //       playbook has domain.cve_refs. Each entry carries correlated_via=null
+  //       and a `note` flagging it as catalog-only.
+  //
+  //   matchedCves       — CVEs the operator's submitted evidence actually
+  //       correlates to. Correlation paths:
+  //         (a) An indicator fired (verdict === 'hit') whose attack_ref or
+  //             atlas_ref intersects the CVE's attack_refs / atlas_refs in
+  //             the catalog.
+  //         (b) An agentSignal explicitly references the CVE id with a
+  //             truthy value (`agentSignals[cveId] === true`) or with a
+  //             string value 'hit' / 'detected' / 'affected'.
+  //       Each entry carries correlated_via=<reason string> so downstream
+  //       consumers (CSAF / SARIF / OpenVEX / human renderer) can show the
+  //       provenance, and so an empty matchedCves means "no evidence
+  //       correlated to operator's submission" rather than "playbook has
+  //       no CVEs of interest."
+  //
+  // VEX filter (agentSignals.vex_filter): a set of CVE IDs the operator has
+  // formally declared not_affected via CycloneDX/OpenVEX. VEX-dropped CVEs
+  // are removed from BOTH arrays (they're not affected — neither correlated
+  // nor part of effective scan coverage for this run).
   const cveRefs = playbook.domain.cve_refs || [];
   const vexFilter = agentSignals.vex_filter instanceof Set ? agentSignals.vex_filter
     : (Array.isArray(agentSignals.vex_filter) ? new Set(agentSignals.vex_filter) : null);
-  const allMatches = cveRefs.map(id => xref.byCve(id)).filter(r => r.found);
-  const matchedCves = vexFilter
-    ? allMatches.filter(c => !vexFilter.has(c.cve_id))
-    : allMatches;
+  const allCves = cveRefs.map(id => xref.byCve(id)).filter(r => r.found);
+  const catalogBaselineCves = vexFilter
+    ? allCves.filter(c => !vexFilter.has(c.cve_id))
+    : allCves;
   const vexDropped = vexFilter
-    ? allMatches.filter(c => vexFilter.has(c.cve_id)).map(c => c.cve_id)
+    ? allCves.filter(c => vexFilter.has(c.cve_id)).map(c => c.cve_id)
     : [];
 
-  // RWEP composition: start from the catalogue's per-CVE rwep_score (already
-  // baked from KEV + PoC + AI-disc + active-exploitation + blast-radius), then
-  // adjust by playbook's rwep_inputs based on detect hits + agent signals.
+  // Build correlation map: cve_id -> array of "indicator_hit:<id>" / "signal:<id>" reasons.
+  const correlationsByCve = new Map();
+  const addCorrelation = (cveId, reason) => {
+    if (!correlationsByCve.has(cveId)) correlationsByCve.set(cveId, []);
+    const arr = correlationsByCve.get(cveId);
+    if (!arr.includes(reason)) arr.push(reason);
+  };
+  // (a) indicator-hit → CVE via shared attack_ref / atlas_ref.
+  const playbookDetect = resolvedPhase(playbook, directiveId, 'detect');
+  const indicatorRefs = new Map(); // indicator.id -> { attack_ref, atlas_ref }
+  for (const ind of (playbookDetect.indicators || [])) {
+    indicatorRefs.set(ind.id, { attack_ref: ind.attack_ref || null, atlas_ref: ind.atlas_ref || null });
+  }
+  const firedIndicators = (detectResult.indicators || []).filter(i => i.verdict === 'hit');
+  for (const fired of firedIndicators) {
+    const refs = indicatorRefs.get(fired.id) || { attack_ref: fired.attack_ref || null, atlas_ref: fired.atlas_ref || null };
+    if (!refs.attack_ref && !refs.atlas_ref) continue;
+    for (const c of catalogBaselineCves) {
+      const attackHit = refs.attack_ref && Array.isArray(c.attack_refs) && c.attack_refs.includes(refs.attack_ref);
+      const atlasHit = refs.atlas_ref && Array.isArray(c.atlas_refs) && c.atlas_refs.includes(refs.atlas_ref);
+      if (attackHit || atlasHit) addCorrelation(c.cve_id, `indicator_hit:${fired.id}`);
+    }
+  }
+  // (b) agentSignals explicitly referencing a CVE id.
+  for (const c of catalogBaselineCves) {
+    const sig = agentSignals[c.cve_id];
+    if (sig === true || sig === 'hit' || sig === 'detected' || sig === 'affected') {
+      addCorrelation(c.cve_id, `signal:${c.cve_id}`);
+    }
+  }
+
+  const matchedCves = catalogBaselineCves.filter(c => correlationsByCve.has(c.cve_id));
+
+  // Per-CVE shape — identical between matched_cves and catalog_baseline_cves
+  // so consumers can iterate either without branching. matched_cves entries
+  // carry a non-null correlated_via array; catalog_baseline_cves entries
+  // carry correlated_via:null and a `note` clarifying the field's intent.
+  const cveShape = (c, correlatedVia) => ({
+    cve_id: c.cve_id,
+    rwep: c.rwep_score,
+    cvss_score: c.entry?.cvss_score ?? null,
+    cvss_vector: c.entry?.cvss_vector ?? null,
+    cisa_kev: c.cisa_kev,
+    cisa_kev_date: c.entry?.cisa_kev_date ?? null,
+    cisa_kev_due_date: c.entry?.cisa_kev_due_date ?? null,
+    poc_available: c.entry?.poc_available ?? null,
+    ai_discovered: c.ai_discovered,
+    ai_assisted_weaponization: c.entry?.ai_assisted_weaponization ?? null,
+    active_exploitation: c.active_exploitation,
+    patch_available: c.entry?.patch_available ?? null,
+    patch_required_reboot: c.entry?.patch_required_reboot ?? null,
+    live_patch_available: c.entry?.live_patch_available ?? null,
+    epss_score: c.entry?.epss_score ?? null,
+    epss_date: c.entry?.epss_date ?? null,
+    atlas_refs: c.atlas_refs,
+    attack_refs: c.attack_refs,
+    affected_versions: c.entry?.affected_versions ?? null,
+    correlated_via: correlatedVia,
+  });
+
+  const matchedCveEntries = matchedCves.map(c => cveShape(c, correlationsByCve.get(c.cve_id)));
+  const catalogBaselineEntries = catalogBaselineCves.map(c => ({
+    ...cveShape(c, null),
+    note: 'Catalog-baseline entry — this CVE is in the playbook\'s scan coverage but no submitted evidence correlated to it. Not a statement that the operator is affected.',
+  }));
+
+  // RWEP composition: start from the per-CVE rwep_score of evidence-correlated
+  // matches (NOT catalog baseline) so RWEP base reflects what the operator's
+  // evidence actually surfaced. Adjust by playbook's rwep_inputs based on
+  // detect hits + agent signals.
   const baseRwep = matchedCves.length ? Math.max(...matchedCves.map(c => c.rwep_score)) : 0;
   let adjustedRwep = baseRwep;
   const rwepBreakdown = [];
@@ -495,27 +587,19 @@ function analyze(playbookId, directiveId, detectResult, agentSignals = {}) {
     // Pull every required field from the catalog entry; null is only emitted
     // when the catalog itself lacks the value, never when we just forgot to
     // forward it. EPSS is included because validate-cves --live populates it.
-    matched_cves: matchedCves.map(c => ({
-      cve_id: c.cve_id,
-      rwep: c.rwep_score,
-      cvss_score: c.entry?.cvss_score ?? null,
-      cvss_vector: c.entry?.cvss_vector ?? null,
-      cisa_kev: c.cisa_kev,
-      cisa_kev_date: c.entry?.cisa_kev_date ?? null,
-      cisa_kev_due_date: c.entry?.cisa_kev_due_date ?? null,
-      poc_available: c.entry?.poc_available ?? null,
-      ai_discovered: c.ai_discovered,
-      ai_assisted_weaponization: c.entry?.ai_assisted_weaponization ?? null,
-      active_exploitation: c.active_exploitation,
-      patch_available: c.entry?.patch_available ?? null,
-      patch_required_reboot: c.entry?.patch_required_reboot ?? null,
-      live_patch_available: c.entry?.live_patch_available ?? null,
-      epss_score: c.entry?.epss_score ?? null,
-      epss_date: c.entry?.epss_date ?? null,
-      atlas_refs: c.atlas_refs,
-      attack_refs: c.attack_refs,
-      affected_versions: c.entry?.affected_versions ?? null,
-    })),
+    //
+    // matched_cves — evidence-correlated only. Each entry has a non-null
+    // correlated_via[] array naming the indicator hits or agent signals that
+    // tied the operator's submission to this CVE. Empty array means the
+    // playbook's scan coverage saw no matching evidence in this run.
+    matched_cves: matchedCveEntries,
+    // catalog_baseline_cves — every CVE the playbook scans for, with the
+    // same per-CVE shape but correlated_via=null and a note explaining the
+    // field is scan-coverage metadata, NOT an operator-affected list. Use
+    // this when surfacing "what CVEs does this playbook check for?" Use
+    // matched_cves when surfacing "what CVEs is the operator actually
+    // affected by based on submitted evidence?"
+    catalog_baseline_cves: catalogBaselineEntries,
     rwep: { base: baseRwep, adjusted: adjustedRwep, breakdown: rwepBreakdown, threshold: directive ? resolvedPhase(playbook, directiveId, 'direct').rwep_threshold : null },
     blast_radius_score: blastRadiusScore,
     blast_radius_basis: blastRubric.find(r => r.blast_radius_score === blastRadiusScore) || null,

package/lib/prefetch.js

@@ -80,15 +80,24 @@ const SOURCES = {
       .filter(Boolean),
   },
   pins: {
-    description: "MITRE GitHub releases for ATLAS / ATT&CK / D3FEND / CWE pin checks",
+    description: "MITRE GitHub releases for ATLAS / ATT&CK pin checks",
     rate: { tokens: 30, windowMs: 60 * 60_000 },   // anon: 60/h, leave headroom
     rate_with_key: { tokens: 500, windowMs: 60 * 60_000 },
     concurrency: 2,
+    // D3FEND and CWE were previously listed here but neither project
+    // publishes via GitHub Releases — D3FEND distributes the ontology
+    // from d3fend/d3fend-ontology without tagged releases, and CWE
+    // ships its catalog as XML/JSON downloads from cwe.mitre.org rather
+    // than a GitHub repo. The old api.github.com URLs (mitre/cwe and
+    // d3fend/d3fend-data) returned HTTP 404 on every refresh, surfacing
+    // as "2 error(s)" in the prefetch summary. Pin currency for those
+    // two frameworks is tracked via lib/upstream-check.js against
+    // cwe.mitre.org and d3fend.mitre.org respectively; the prefetch
+    // registry only contains sources that actually have a GitHub
+    // Releases feed to poll.
     expand: () => [
       { id: "mitre-atlas__atlas-data__releases", url: "https://api.github.com/repos/mitre-atlas/atlas-data/releases?per_page=5" },
       { id: "mitre-attack__attack-stix-data__releases", url: "https://api.github.com/repos/mitre-attack/attack-stix-data/releases?per_page=5" },
-      { id: "d3fend__d3fend-data__releases", url: "https://api.github.com/repos/d3fend/d3fend-data/releases?per_page=5" },
-      { id: "mitre__cwe__releases", url: "https://api.github.com/repos/mitre/cwe/releases?per_page=5" },
     ],
   },
 };
@@ -364,14 +373,26 @@ async function main() {
   const opts = parseArgs(process.argv);
   if (opts.help) {
     printHelp();
-    process.exit(0);
+    return;
   }
+  // Why process.exitCode and not process.exit():
+  // On Windows + Node 25 (libuv), calling process.exit() synchronously
+  // while in-flight fetch / AbortController teardown is still mid-close
+  // produced `Assertion failed: !(handle->flags & UV_HANDLE_CLOSING),
+  // file src\win\async.c, line 76` followed by exit 3221226505
+  // (STATUS_STACK_BUFFER_OVERRUN). The summary line had already
+  // flushed, so operators saw the crash *after* their summary —
+  // contractually correct but visibly noisy. Letting the event loop
+  // drain naturally — via exitCode + return — lets undici's connection
+  // pool and the AbortController signal listeners finish teardown
+  // before the process exits, eliminating the assertion. Same pattern
+  // documented in CLAUDE.md for v0.11.11's `ci` #100 regression.
   try {
     const result = await prefetch(opts);
-    process.exit(result.errors > 0 ? 1 : 0);
+    process.exitCode = result.errors > 0 ? 1 : 0;
   } catch (err) {
     console.error(`prefetch: fatal: ${err.message}`);
-    process.exit(2);
+    process.exitCode = 2;
   }
 }