@blamejs/exceptd-skills 0.13.19 → 0.13.21

package/sbom.cdx.json

@@ -1,23 +1,23 @@
 {
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:1b26544f-8d49-4291-bb51-773688342543",
+  "serialNumber": "urn:uuid:e9cd326f-3ca4-4e4f-987e-2d0206d0d1ac",
   "version": 1,
   "metadata": {
-    "timestamp": "2040-06-07T22:53:03.000Z",
+    "timestamp": "2150-04-20T18:11:59.000Z",
     "tools": [
       {
         "vendor": "blamejs",
         "name": "scripts/refresh-sbom.js",
-        "version": "0.13.19"
+        "version": "0.13.21"
       }
     ],
     "component": {
-      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.13.19",
+      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.13.21",
       "type": "application",
       "name": "@blamejs/exceptd-skills",
-      "version": "0.13.19",
-      "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 42 skills, 10 catalogs (312 CVEs / 171 CWEs / 805 ATT&CK + ICS / 170 ATLAS / 468 D3FEND / 7476 RFCs), 34 jurisdictions, automated gap-detection, pre-computed indexes, Ed25519-signed.",
+      "version": "0.13.21",
+      "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 42 skills, 10 catalogs (312 CVEs / 171 CWEs / 805 ATT&CK + ICS / 170 ATLAS / 468 D3FEND / 7476 RFCs), 34 jurisdictions, 10-class catalog gap detector + budget gate, real XML parser + canonical-form diff + content-pattern regression detection, Ed25519-signed.",
       "licenses": [
         {
           "license": {
@@ -25,17 +25,17 @@
           }
         }
       ],
-      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.13.19",
+      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.13.21",
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "58d63d34273199b99863c98e52a8732b166959cd0067ebf28be5313b70d7e2fb"
+          "content": "0008dc2b26d4e59fc6986791da6277d43639c811ac5af5aa10f9b234a155921e"
         }
       ],
       "externalReferences": [
         {
           "type": "distribution",
-          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.13.19"
+          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.13.21"
         },
         {
           "type": "vcs",
@@ -116,11 +116,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "a1264f7196da88786ce3091f3573ec7d6dad161ce8d7fa530fe4f297c400622c"
+          "content": "c06c6600a1d4cbf20f87d080d9441658f0b4444023a565e1c3fe478fa35edab4"
         },
         {
           "alg": "SHA3-512",
-          "content": "e9b054e7f2b902971f2de812c319d9537f07959aaec0727aafc0935c84af27aff95e463c4b9ff0c5209c263cb8494779d5d05244bb04036f4e525bbcb2fe6b8f"
+          "content": "7b16e8b3b6d2a68892f336bd7b07159c2750e9fca29539cba437bdcae3be48e10c66c1c529c7f9a4fe71f0eab9a79d0a596f740ab5bc9f9d20fb6e51d555f17e"
         }
       ]
     },
@@ -311,11 +311,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "09bd917fe13c23d8a33f6a04978f5c89ea56ee53c8002ad357bd89cfb9ba8981"
+          "content": "49b6010b317edd219def135171ea8f3b1bbf1e00e9c5a08bf7237215ff54e2c3"
         },
         {
           "alg": "SHA3-512",
-          "content": "6d6ac5427d0f38973e4a1ae04a981f64bb253626ec478709568cae712175207c15f97dfc3c0f5767fc36ce43d6c65c60e1962297ee546437a9cba1ea729381b6"
+          "content": "5f12e99b1d780523d5b69a317f6851ffc2a5763fb753703fe2d0799c81964bd020aae7d95ebd4e74320a4f3c69f0c0ce4eb14bf6decdef33f41ea539a2b5fc32"
         }
       ]
     },
@@ -326,11 +326,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "e7cdd8447b271f2f017226cdecb13593348aaccd6e1ab95d13dadb5152c9b568"
+          "content": "a09c83af3f9679a7ea73935726a1ff9de2cab94b4ab6321fc017fc147747d7c3"
         },
         {
           "alg": "SHA3-512",
-          "content": "f8f6f1f9474bb7e2258205834d4f0dd1d8269b0895d9b4dedf9c3fde1bae7dd14e6ea788f342d36b468e63139de272d3a2b13559239119ca3d52919fdb4df9f0"
+          "content": "653f3d3cdac2fe56ba01fdf2bb3b3c6edfdc29b667f0ddb99f7755aec1adf577618135e3a68667126be121f8d130d7848a1001bd41878af10446e959b5db2626"
         }
       ]
     },
@@ -401,11 +401,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "a478387473633484849b86bea0fc0e71ad5165f3aef582a4340e14d3c7fe7fac"
+          "content": "b63fe398c3de068093871e8bbca11e16b6567fb15482648d0bbce06939c34104"
         },
         {
           "alg": "SHA3-512",
-          "content": "84ca007b6c9ab902317e49bf303f6f073d41b704b78db953ea01f109b349cc22ef1f02194d558b188db01bc71095d7a672cdcd058224e77c7fefd10130e43c30"
+          "content": "e64c9e219f6e77fbb235ed875b1775ff6150bffc49fae5903600b15d3799f0d8a27dd553869646e3d0311c5b7fbe456686d9f7bf7e10c0c4cbc71079bcd943ff"
         }
       ]
     },
@@ -791,11 +791,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "4aeb6dff37b39cef4246f7b2454be009e32a8b2d512229c428c537699a3810d3"
+          "content": "7242a7349ac79a74813bf2b7486b6000c0c877e71cec17e2d68df33bc4007b93"
         },
         {
           "alg": "SHA3-512",
-          "content": "2b8773e3834f174222aa10219f61768dac306365e184e5d500eb52ffcf5a281898e351bf309a8e22d93f378e75ea183ad8264808e7681e696d923d110115e16e"
+          "content": "eaa89dcdafec3f8f3b5bb3f7a34ae6709681dca278a0eacf43fe8c5fb9cc1e533ba64f46df15152316a505572cf891bc20b7682e505474209a0e3e7aa97dea82"
         }
       ]
     },
@@ -844,6 +844,21 @@
         }
       ]
     },
+    {
+      "bom-ref": "file:lib/canonical-eq.js",
+      "type": "file",
+      "name": "lib/canonical-eq.js",
+      "hashes": [
+        {
+          "alg": "SHA-256",
+          "content": "eb962f83a7b82a4f895553d13191cd933c87d29116591d76c8550c7cb00ebebd"
+        },
+        {
+          "alg": "SHA3-512",
+          "content": "f09e77b2f58aeb0d09c4758738de42d657345a9ef09f28529682f2daa7ebcfb84602eb811a76e85640e45e6ce13274918b994e760099ff457869ccccf740a437"
+        }
+      ]
+    },
     {
       "bom-ref": "file:lib/cross-ref-api.js",
       "type": "file",
@@ -881,11 +896,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "3f6f7d0a9487b0b7b89af7c848559381fea053594f5a1cb0b85e7e63e81c2168"
+          "content": "b5278eddccec3e9cf2c68f8bdd8a142de8f95c61d61826570fa5d293e81055f2"
         },
         {
           "alg": "SHA3-512",
-          "content": "68c34e8db139b94951e3b68f8e6dc8945599ea84a4bed028e2145f45d9cfc84f5e8f05cbdfd06ad3ba95c6dbf974b4bc4641b1a0169167a347cf92762418cf1f"
+          "content": "ba4f8de9981e8a3066b014e52984e9917c4e003a7feebc6098f5cd32ed22a0dca82b97dbfcabf31809e3f5de7145e2cb9f30432c6a30564642a4e798c4f796cd"
         }
       ]
     },
@@ -949,6 +964,21 @@
         }
       ]
     },
+    {
+      "bom-ref": "file:lib/gap-detectors.js",
+      "type": "file",
+      "name": "lib/gap-detectors.js",
+      "hashes": [
+        {
+          "alg": "SHA-256",
+          "content": "e81dd33acfffe2ff28da4b278bcdc11b7e4616dbc6ff4cd1c92f0f99baf97c8a"
+        },
+        {
+          "alg": "SHA3-512",
+          "content": "a0f8c147fefd6c91640d2fbe0c606c371c4f83c8a2f3b380c8d212ec92d8616ee1da220269b42638d60d75fcc730e822cb29e1e87f408e9dd553eed76b7aee02"
+        }
+      ]
+    },
     {
       "bom-ref": "file:lib/id-validation.js",
       "type": "file",
@@ -1151,11 +1181,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "35b6a6f5a2ae2a833bf0c2ccc21dff47f2f72147f0af7fdd2e484cd0b195334f"
+          "content": "d4da578b2f7d45f3d22eac52c1c9196cd3dbaf23414b5932d1f5c52d713236b8"
         },
         {
           "alg": "SHA3-512",
-          "content": "223e0efb65b0cc18b96ff3267f08170aa1c91c722c5220c6cf26a109eab4c9009330c72507273ad777a8f7ab8de090a9d1d6517797c922cb81a659391777af82"
+          "content": "1f5add189b0d6bfd18cd85b28ff7ce64f1b52fec573098ccfbd71fc9245cbcca624a0cda515315e6881779d46eb0ca27fbefb4eda74cc5ff22c2309a1a97d5de"
         }
       ]
     },
@@ -1339,6 +1369,21 @@
         }
       ]
     },
+    {
+      "bom-ref": "file:lib/version-pins.js",
+      "type": "file",
+      "name": "lib/version-pins.js",
+      "hashes": [
+        {
+          "alg": "SHA-256",
+          "content": "7cbdc502a689614200f009d74e8d82544bf6b442452dfd970437596742a5e885"
+        },
+        {
+          "alg": "SHA3-512",
+          "content": "eeb9b1cd050195693e425a48967a536f775f016ebe6563c6b6da30b3f90ff436e34e41bd2c860d61f2d343156358193c7c1c7454b4651301e777e37d671039b0"
+        }
+      ]
+    },
     {
       "bom-ref": "file:lib/worker-pool.js",
       "type": "file",
@@ -1354,6 +1399,21 @@
         }
       ]
     },
+    {
+      "bom-ref": "file:lib/xml-tokenizer.js",
+      "type": "file",
+      "name": "lib/xml-tokenizer.js",
+      "hashes": [
+        {
+          "alg": "SHA-256",
+          "content": "1c2e2a92fe90ce90a7dcb7c95979e1b9c6e18f6bce1cfd160de9ce644fddb889"
+        },
+        {
+          "alg": "SHA3-512",
+          "content": "0bd564faff3173e095ceecff3e9bf70fc6c7ed2a8d4bb8b89b066f33b2a95513488408bc3f5bd6d8571eb1dcfb96710b2b45589b2d22238a04a790be246cb00f"
+        }
+      ]
+    },
     {
       "bom-ref": "file:manifest-snapshot.json",
       "type": "file",
@@ -1391,11 +1451,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "9c6e95ea598a89ca5806a0fda511514667eaa05e8ad9638614e8bba8d793dacf"
+          "content": "b8676a67b642f623974dccf3ba0f1df95836541b7c1dcd0c63cef2b71fa1a88a"
         },
         {
           "alg": "SHA3-512",
-          "content": "e70008672707cb064316b6ffd60f1f6f36a135a11655295f102cab2432bb16ad40d6a58d5b0141f068b9a16e1fbf6fe290b41600bd08af5d17a3d84023346885"
+          "content": "fc5556bf27093bda786f564caaba523dec5d39f92e1b09ce9e5011f8411cf3add4892cd28330ec4f0b08e8bb6ba61c7a1849cc4ecdad64bd8df7b03afc58650d"
         }
       ]
     },
@@ -1511,11 +1571,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "2ba06a35debf730b687928e53e53f6c5952486f607cebde04170cc4dde729f45"
+          "content": "006588fc0995ad3c02a1f035dfd956c0d20c0497284f0c3e30490eb86bcb03a3"
         },
         {
           "alg": "SHA3-512",
-          "content": "86e6fdd1768bd63be0a8b0eec1ed19844815e2904ac9055b2561c1ef57ab99b3e060043af400598d1eed929c3f4d828bb75490f05dd916a0000b1e453b7c37ba"
+          "content": "340f6275b34071790cc40dbcdf3c74afb2ad033ef49eeca3a0778544494e886c930a5e3bab65137302bdfb9cf114e891fccfe06e05ddedcb04718131f3c333f8"
         }
       ]
     },
@@ -1789,6 +1849,21 @@
         }
       ]
     },
+    {
+      "bom-ref": "file:scripts/check-catalog-gap-budget.js",
+      "type": "file",
+      "name": "scripts/check-catalog-gap-budget.js",
+      "hashes": [
+        {
+          "alg": "SHA-256",
+          "content": "ef47f63889341675c90bc07d835f5cfab137b83ab44820799de715e4762c1c74"
+        },
+        {
+          "alg": "SHA3-512",
+          "content": "ba197b6fce1c871d80ac2becadb0fff9161b790d78ed5a9409d7100da55e73a6a50ea644771b550bfd9654a69953c8b905fc609d3078d8fe9542d629dde5e9d4"
+        }
+      ]
+    },
     {
       "bom-ref": "file:scripts/check-manifest-snapshot.js",
       "type": "file",
@@ -1856,11 +1931,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "1e8e98cc7ac46a72a57d775d0fa6e96276948eb64c1967c343d33ea6002e54a3"
+          "content": "d126c48bee7da18f03cefba681dcae5b931a0472658e4d7e0227ce3e29461026"
         },
         {
           "alg": "SHA3-512",
-          "content": "4f46bb910321992a3460cd2b12474a95ec2fd3bfbe2d1c75551d2dc65fcb0414c65fa03c802404d659c6a2db2e260f2b313d43259bda0b3dbf9b5680c73d234e"
+          "content": "1ba4ffa94b0bf0bdb7e0bd0b537d016424da070d7c6991b90446dc8991dc005d13d5d306cc69d10ad73f765154eb09716b68cad38ab609069f105974006f4d3e"
         }
       ]
     },
@@ -1886,11 +1961,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "6a7766b986988fd14105d92f3488052333afff8b72eda17460e193ca58b2d60a"
+          "content": "306e02cc802bc1ca6fe98fb1e4e57c895c7f458895cb2acc459dc6f7ba0127c9"
         },
         {
           "alg": "SHA3-512",
-          "content": "8494c74fa0bd122d8f4ad5dbdd7eebd933cd88d79797a330c80e832121fa44b6ff794d65fb08f24a1f3e3858d6c21487a4001194a8b30dccbb82fe85ec60e708"
+          "content": "e851348e5f7bec18a3a2a3757d1f5720cc0892c0bf527304e5e79dfc9931c7309ba6fd53918fcd63c2e7cd880487642af8f06d0b1195e0620e2aa9fadf643ba6"
         }
       ]
     },
@@ -2021,11 +2096,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "6334d3a25d18ff82c638b6176b16b6e4c2fa90e8a59446a28714b721b23e30d9"
+          "content": "4c2d6ba4c75dea4c92409908db8ffcd357b7208f765c532a3ac976a8cf785acf"
         },
         {
           "alg": "SHA3-512",
-          "content": "8808212cedc40fe24fb3f857e7ddc9314ecd93682c8e3529dd36675760324a8669bfb6d448b9ab42ec95db2665459992cf6c40add15ec92149f4acf70ed1a8eb"
+          "content": "29d02c2280fde260d95d215ef68ca4f668906c31d240a174195141b7568bd17a203af50c25d8f0a861d76247ee13984d0843ccab5b5e75f52b6ad77e69f06521"
         }
       ]
     },

package/scripts/audit-catalog-gaps.js

@@ -133,7 +133,12 @@ const SPEC = {
       { field: "control_name", check: (v) => typeof v === "string" && v.length > 0, label: "control_name" },
       { field: "real_requirement", check: (v) => typeof v === "string" && v.length > 20, label: "real_requirement (>20 chars)" },
       { field: "theater_test", check: (v) => v && typeof v.claim === "string" && typeof v.test === "string", label: "theater_test{claim,test}" },
-      { field: "evidence_cves", check: (v) => Array.isArray(v) && v.length > 0, label: "evidence_cves" }
+      // evidence_cves is required UNLESS the entry declares forward_looking:true.
+      // v0.13.19 used per-entry _gap_skip annotations on 84 framework gaps;
+      // v0.13.20 replaces that with a first-class schema field operators can
+      // see in the JSON. The check honors forward_looking via the entry
+      // parameter — see the SCHEMA_FORWARD_LOOKING block in inspect().
+      { field: "evidence_cves", check: (v, entry) => (entry && entry.forward_looking === true) || (Array.isArray(v) && v.length > 0), label: "evidence_cves (or forward_looking:true)" }
     ],
     refs: []
   },
@@ -175,7 +180,11 @@ function inspect(catalogKey) {
     const skip = e._gap_skip && Array.isArray(e._gap_skip.fields) ? new Set(e._gap_skip.fields) : new Set();
     for (const r of spec.required_context) {
       if (skip.has(r.field)) continue;
-      if (!r.check(e[r.field])) {
+      // Pass the entry as the second argument so per-field checks can
+      // inspect class-level schema flags (forward_looking, etc.). The
+      // legacy check-functions only consumed the value; new ones can
+      // opt into entry-aware evaluation.
+      if (!r.check(e[r.field], e)) {
         report.missing_context.push({ id, field: r.field, label: r.label });
       }
     }
@@ -269,13 +278,42 @@ function emitPretty(report) {
     const pct = r.entries === 0 ? 0 : ((r.auto_imported / r.entries) * 100).toFixed(1);
     lines.push(`  ${r.catalog.padEnd(28)} ${r.auto_imported} / ${r.entries}  (${pct}%)`);
   }
+  // v0.13.21 extended findings sections.
+  const ext = report.extended_findings || {};
+  const extClasses = Object.keys(ext).sort();
+  if (extClasses.length > 0) {
+    lines.push("\nExtended findings (v0.13.21):");
+    for (const cls of extClasses) {
+      const arr = ext[cls];
+      lines.push(`\n  [${cls}] ${arr.length} finding(s)`);
+      for (const f of arr.slice(0, 5)) {
+        const id = f.id || f.target_id || "(no id)";
+        const ctx = f.catalog ? `${f.catalog} ${id}` : id;
+        lines.push(`    ${ctx} — ${f.reason || f.rule || "(no reason)"}`);
+      }
+      if (arr.length > 5) lines.push(`    ... +${arr.length - 5} more`);
+    }
+  }
   return lines.join("\n");
 }
 
-// Valid finding-class names for the `--class` filter. The pretty + JSON
-// emitters always include every section, but counts and strict-exit
-// gating respect the active filter.
-const VALID_CLASSES = new Set(["missing-context", "dangling-ref", "draft-debt"]);
+// Valid finding-class names for the `--class` filter. v0.13.21 added 7
+// extended detection classes for gaps the v0.13.19 detector did not
+// surface (content-quality / temporal-staleness / logical-consistency /
+// cross-ref-completeness / schema-evolution / operator-action-sla /
+// unused-orphan). Each is implemented in lib/gap-detectors.js.
+const VALID_CLASSES = new Set([
+  "missing-context", "dangling-ref", "draft-debt",
+  "content-quality", "temporal-staleness", "logical-consistency",
+  "cross-ref-completeness", "schema-evolution", "operator-action-sla",
+  "unused-orphan"
+]);
+const EXTENDED_CLASS_NAMES = new Set([
+  "content-quality", "temporal-staleness", "logical-consistency",
+  "cross-ref-completeness", "schema-evolution", "operator-action-sla",
+  "unused-orphan"
+]);
+const EXTENDED_DETECTORS = require("../lib/gap-detectors.js");
 
 function main() {
   const opts = parseArgs(process.argv);
@@ -300,27 +338,47 @@ function main() {
   for (const k of Object.keys(SPEC)) if (!allLoaded[k]) allLoaded[k] = loadCatalog(SPEC[k].file);
   const dangling = opts.catalog && opts.catalog !== "cve-catalog" ? [] : inspectRefs(allLoaded);
 
+  // v0.13.21 extended detectors. --catalog scoping mutes them (they're
+  // cross-catalog by nature); --class scoping filters down to one.
+  const extendedFindings = opts.catalog
+    ? []
+    : EXTENDED_DETECTORS.runAllDetectors(allLoaded, {});
+
   // Apply the --class filter before counts + strict-exit gating.
-  // Missing-context findings on per_catalog and dangling_refs are the
-  // two policed classes; draft-debt is informational-only (the audit
-  // surfaces draft-debt but it does not fail strict mode by design).
-  const filteredPerCatalog = opts.klass === "dangling-ref" || opts.klass === "draft-debt"
+  const filteredPerCatalog = (opts.klass === "dangling-ref" || opts.klass === "draft-debt" ||
+                              EXTENDED_CLASS_NAMES.has(opts.klass))
     ? perCatalog.map((r) => ({ ...r, missing_context: [] }))
     : perCatalog;
-  const filteredDangling = opts.klass === "missing-context" || opts.klass === "draft-debt"
+  const filteredDangling = (opts.klass === "missing-context" || opts.klass === "draft-debt" ||
+                            EXTENDED_CLASS_NAMES.has(opts.klass))
     ? []
     : dangling;
+  const filteredExtended = opts.klass
+    ? (EXTENDED_CLASS_NAMES.has(opts.klass)
+        ? extendedFindings.filter((f) => f.class === opts.klass)
+        : [])
+    : extendedFindings;
+
+  const extendedByClass = {};
+  for (const f of filteredExtended) {
+    if (!extendedByClass[f.class]) extendedByClass[f.class] = [];
+    extendedByClass[f.class].push(f);
+  }
 
   const report = {
     generated_at: TODAY,
     class_filter: opts.klass || null,
     per_catalog: filteredPerCatalog,
     dangling_refs: filteredDangling,
+    extended_findings: extendedByClass,
     totals: {
       catalogs: filteredPerCatalog.length,
       entries: filteredPerCatalog.reduce((n, r) => n + r.entries, 0),
       missing_context: filteredPerCatalog.reduce((n, r) => n + r.missing_context.length, 0),
-      dangling_refs: filteredDangling.length
+      dangling_refs: filteredDangling.length,
+      extended: Object.fromEntries(
+        Object.entries(extendedByClass).map(([cls, arr]) => [cls, arr.length])
+      )
     }
   };
   if (opts.pretty) {
@@ -328,7 +386,10 @@ function main() {
   } else {
     process.stdout.write(JSON.stringify(report, null, 2) + "\n");
   }
-  if (opts.strict && (report.totals.missing_context > 0 || report.totals.dangling_refs > 0)) {
+  const extendedTotal = Object.values(report.totals.extended || {}).reduce((n, v) => n + v, 0);
+  if (opts.strict && (report.totals.missing_context > 0 ||
+                      report.totals.dangling_refs > 0 ||
+                      extendedTotal > 0)) {
     process.exitCode = 1;
   }
 }

package/scripts/check-catalog-gap-budget.js

@@ -0,0 +1,133 @@
+#!/usr/bin/env node
+"use strict";
+/**
+ * scripts/check-catalog-gap-budget.js
+ *
+ * Predeploy / CI gate that runs the v0.13.21 extended gap detectors
+ * and asserts no class exceeds its budget. Mirrors the budget in
+ * tests/shipped-catalog-integrity.test.js but runs as a standalone
+ * predeploy gate so the check is visible in the gate summary even
+ * when the broader test suite is skipped (or is the gate that's
+ * failing for an unrelated reason).
+ *
+ * Exit codes:
+ *   0 — every extended class within budget
+ *   1 — at least one class regressed
+ *   2 — internal error
+ *
+ * The budget is intentionally duplicated (here + integrity test) for
+ * fail-loud-at-two-levels. Operators see the regression in BOTH the
+ * test-suite output AND the predeploy gate-summary table.
+ */
+
+const path = require("path");
+const fs = require("fs");
+const ROOT = path.join(__dirname, "..");
+
+let D;
+try {
+  D = require(path.join(ROOT, "lib", "gap-detectors.js"));
+} catch (e) {
+  console.error("[check-catalog-gap-budget] failed to load lib/gap-detectors.js:", e.message);
+  process.exit(2);
+}
+
+function loadAll() {
+  const data = path.join(ROOT, "data");
+  const read = (name) => JSON.parse(fs.readFileSync(path.join(data, name), "utf8"));
+  return {
+    "cve-catalog": read("cve-catalog.json"),
+    "cwe-catalog": read("cwe-catalog.json"),
+    "attack-techniques": read("attack-techniques.json"),
+    "atlas-ttps": read("atlas-ttps.json"),
+    "d3fend-catalog": read("d3fend-catalog.json"),
+    "rfc-references": read("rfc-references.json"),
+    "framework-control-gaps": read("framework-control-gaps.json"),
+    "zeroday-lessons": read("zeroday-lessons.json")
+  };
+}
+
+// Per-class regression budgets. Kept in sync with the canonical version
+// in tests/shipped-catalog-integrity.test.js.
+const BUDGET = {
+  "content-quality": 12,
+  "temporal-staleness": 260,
+  "logical-consistency": 5,
+  "cross-ref-completeness": 5,
+  "schema-evolution": 0,
+  "operator-action-sla": 0,
+  "unused-orphan": 1400
+};
+
+function main() {
+  const all = D.runAllDetectors(loadAll(), {});
+  const byClass = {};
+  for (const f of all) byClass[f.class] = (byClass[f.class] || 0) + 1;
+  const regressions = [];
+
+  // Fail-closed contract (codex P2 PR #61): every class actually
+  // emitted by the detector must have a budget entry. If a future
+  // 8th detector lands without a budget update, the gate fires with
+  // an unbudgeted-class error instead of silently passing.
+  const unbudgeted = [];
+  for (const cls of Object.keys(byClass)) {
+    if (!(cls in BUDGET)) {
+      unbudgeted.push({ class: cls, count: byClass[cls] });
+    }
+  }
+  // Inverse check: every class declared by the detector module's
+  // canonical class list must appear in BUDGET (covers the case where
+  // a new class produces zero findings on this run but still needs
+  // an explicit budget so a future regression caps fail-closed).
+  const missingBudget = [];
+  if (Array.isArray(D.DETECTOR_CLASSES)) {
+    for (const cls of D.DETECTOR_CLASSES) {
+      if (!(cls in BUDGET)) missingBudget.push(cls);
+    }
+  }
+
+  for (const cls of Object.keys(BUDGET)) {
+    const actual = byClass[cls] || 0;
+    const allowed = BUDGET[cls];
+    if (actual > allowed) {
+      regressions.push({ class: cls, allowed, actual, delta: actual - allowed });
+    }
+  }
+  const summary = Object.keys(BUDGET).map((cls) => {
+    const actual = byClass[cls] || 0;
+    const allowed = BUDGET[cls];
+    const mark = actual > allowed ? "✗" : "✓";
+    return `  ${mark} ${cls.padEnd(28)} actual=${actual}  budget=${allowed}`;
+  }).join("\n");
+  console.log("[check-catalog-gap-budget] extended detection classes:");
+  console.log(summary);
+
+  if (unbudgeted.length > 0) {
+    console.error("\n[check-catalog-gap-budget] UNBUDGETED detector classes — fail-closed:");
+    for (const u of unbudgeted) {
+      console.error(`  ${u.class}: ${u.count} finding(s), no BUDGET entry`);
+    }
+    console.error("Add an explicit budget entry in both:");
+    console.error("  scripts/check-catalog-gap-budget.js");
+    console.error("  tests/shipped-catalog-integrity.test.js");
+    process.exit(1);
+  }
+  if (missingBudget.length > 0) {
+    console.error("\n[check-catalog-gap-budget] BUDGET missing entries for declared classes:");
+    for (const c of missingBudget) console.error(`  ${c}: declared by lib/gap-detectors.js DETECTOR_CLASSES, no BUDGET entry`);
+    process.exit(1);
+  }
+  if (regressions.length > 0) {
+    console.error("\n[check-catalog-gap-budget] REGRESSION beyond budget:");
+    for (const r of regressions) {
+      console.error(`  ${r.class}: actual=${r.actual} > budget=${r.allowed} (delta +${r.delta})`);
+    }
+    console.error("\nClose the gap in this PR (preferred) or update BUDGET in both:");
+    console.error("  scripts/check-catalog-gap-budget.js");
+    console.error("  tests/shipped-catalog-integrity.test.js");
+    process.exit(1);
+  }
+  console.log("[check-catalog-gap-budget] all classes within budget; every class is budgeted.");
+}
+
+main();

package/scripts/check-test-coverage.js

@@ -329,6 +329,15 @@ function extractPlaybookIds(content) {
   return { indicators: ind, artifacts: arts };
 }
 
+// Canonical-form recursive equality replaces JSON.stringify comparison.
+// Pre-v0.13.20 the comparator was JSON.stringify(before.iocs) !==
+// JSON.stringify(after.iocs) — non-canonical: key order, trailing
+// whitespace, and numeric format differences all flagged as "changed"
+// when the operator made no semantic change. Symptoms were patched
+// twice with skip rules (_auto_imported, _iocs_stub) instead of fixing
+// the comparator. v0.13.20 fixes the root cause.
+const { canonicalEqual } = require("../lib/canonical-eq");
+
 function extractCveIocChanges(beforeStr, afterStr) {
   const before = safeParse(beforeStr) || {};
   const after = safeParse(afterStr) || {};
@@ -336,27 +345,16 @@ function extractCveIocChanges(beforeStr, afterStr) {
   const ids = new Set([...Object.keys(before), ...Object.keys(after)]);
   for (const id of ids) {
     if (!/^CVE-\d{4}-\d+/.test(id)) continue;
-    // v0.13.18: skip bulk-imported entries. Auto-imported rows carry stub
-    // IoCs by design; their per-entry IoCs are not the operator-curated
-    // surface the diff-coverage gate is designed to police.
+    // v0.13.18 retained skip rule: bulk-imported rows whose IoCs are
+    // stub-by-design on both sides — pure intake-class events, not
+    // operator curation. Removing this would surface every fresh KEV
+    // bulk-import as a per-CVE iocs-modified finding.
     const beforeAuto = !!(before[id] && before[id]._auto_imported);
     const afterAuto  = !!(after[id]  && after[id]._auto_imported);
     if (beforeAuto && afterAuto) continue;
-    // v0.13.19: also skip operator-curated rows whose IoCs are flagged
-    // as stubs (`_iocs_stub: true` — generic placeholder added by the
-    // gap-fix pass when an entry was missing iocs entirely). When an
-    // operator later curates real IoCs the diff-coverage check fires
-    // normally because the curation step removes _iocs_stub.
-    const beforeStub = !!(before[id] && before[id]._iocs_stub);
-    const afterStub  = !!(after[id]  && after[id]._iocs_stub);
-    // Existing entry going stub→curated (afterStub=false, beforeStub=true)
-    // is what we WANT to flag for review. Existing entry going non-stub→
-    // stub or stub→stub or absent→stub are all auto-fill events the
-    // diff-coverage gate should not police.
-    if (afterStub) continue;
-    const b = JSON.stringify((before[id] && before[id].iocs) || null);
-    const a = JSON.stringify((after[id] && after[id].iocs) || null);
-    if (b !== a) changed.add(id);
+    const bIocs = (before[id] && before[id].iocs) || null;
+    const aIocs = (after[id]  && after[id].iocs)  || null;
+    if (!canonicalEqual(bIocs, aIocs)) changed.add(id);
   }
   return changed;
 }