@blamejs/exceptd-skills 0.13.20 → 0.13.21

package/CHANGELOG.md

@@ -1,5 +1,36 @@
 # Changelog
 
+## 0.13.21 — 2026-05-19
+
+Seven new catalog-gap detection classes wired into the predeploy gate. The v0.13.19 detector covered missing-context / dangling-ref / draft-debt; the v0.13.20 audit confirmed that left genuine gap classes unsurfaced. v0.13.21 adds the seven cross-cutting classes the prior detector missed and wires them into a budget gate that runs alongside the existing tests + predeploy gates.
+
+### Features
+
+**Seven new detection classes in `lib/gap-detectors.js`:**
+
+- **content-quality** — fields present but content weak. Catches: vector text < 50 chars (likely a stub), placeholder-language sentinels (TBD / TKTK / "pending operator curation" / "[]"), KEV-listed entries with empty vendor_advisories, name-repeated-as-description.
+- **temporal-staleness** — time-based decay. Catches: source_verified > 180d old, last_updated > 365d, CISA-KEV due-date passed without remediation status, epss_date > 90d.
+- **logical-consistency** — internal-state contradictions that pass schema validation but don't make sense. Catches: `cisa_kev:true + cisa_kev_date:null`, `live_patch_available:true + live_patch_tools:[]`, `ai_discovered:true + attribution_note < 30 chars`, `active_exploitation:"confirmed" + verification_sources.length < 2`, `rwep_score declared + rwep_factors empty`.
+- **cross-ref-completeness** — bidirectional reference checks. The v0.13.19 dangling-ref class only verified the forward direction (CVE→CWE resolves); v0.13.21 also verifies the back-reference is present (CWE.evidence_cves includes the citing CVE). Same logic for ATT&CK.cve_refs and framework-control-gaps.evidence_cves.
+- **schema-evolution** — required-since-version checks. Fields the schema requires today were optional on entries added in older releases. Surfaces pre-existing entries the operator should backfill (e.g. pre-v0.12.36 CVEs lacking the `ai_discovered` boolean).
+- **operator-action-sla** — un-curated auto-imports older than the SLA window. Defaults: 60d for `_auto_imported`, 90d for `_draft`.
+- **unused-orphan** — auto-imported catalog entries that no skill / playbook / CVE references. Operator-curated entries are exempt (intentional content); `forward_looking:true` entries are exempt (intentional forward-look content).
+
+**`scripts/check-catalog-gap-budget.js` + predeploy gate.** New predeploy gate runs the seven extended detectors and asserts every class is within its documented budget. Mirrors the budget enforced by `tests/shipped-catalog-integrity.test.js` so a regression surfaces in BOTH the gate-summary table AND the test output. Predeploy summary now reports 16 gates (was 15).
+
+**`tests/gap-detectors.test.js`** — 22 per-detector tests pin each of the seven classes against synthetic catalog inputs. Each pin asserts the detector fires on the shape it's designed to catch AND does NOT fire on the inverse shape (no false positives).
+
+### Bugs
+
+**T1574 ATT&CK back-ref synced.** v0.13.20's CTFMON-mapping fix added T1574 to `BUG-2026-NIGHTMARE-ECLIPSE-GREENPLASMA.attack_refs[]`, but the reverse-refs pass didn't run before sign + sbom + commit, so `attack-techniques.T1574.cve_refs[]` didn't pick up the back-ref. The v0.13.21 cross-ref-completeness detector surfaced this on first run — fixed via `npm run refresh-reverse-refs`.
+
+### Internal
+
+- `scripts/audit-catalog-gaps.js` CLI extended: `--class <name>` accepts the seven new class names (`content-quality`, `temporal-staleness`, `logical-consistency`, `cross-ref-completeness`, `schema-evolution`, `operator-action-sla`, `unused-orphan`) for scoped audits. JSON + pretty output include an `extended_findings` section grouped by class, with `totals.extended` counts.
+- `tests/shipped-catalog-integrity.test.js` includes a new budget pin for the seven extended classes — a future PR that worsens any class beyond budget fires the test.
+- npm alias: `npm run audit-catalog-gap-budget` runs the budget gate standalone (operator-facing convenience).
+- Current shipped-catalog snapshot: content-quality=10, temporal-staleness=255, logical-consistency=0, cross-ref-completeness=0, schema-evolution=0, operator-action-sla=0, unused-orphan=1342. The non-zero classes are operator-curation work items surfaced honestly by the new detectors.
+
 ## 0.13.20 — 2026-05-19
 
 Root-cause refactor addressing every audit class surfaced by the v0.13.17–v0.13.19 self-audit (no-MVP violations, regex-where-logic-is-required, symptom patches, coincidence-pinning tests, uncaught bugs). The audit found I had been patching symptoms instead of fixing root causes; v0.13.20 fixes the actual issues and lets the audit tell the truth about catalog state.

package/data/_indexes/_meta.json

@@ -1,12 +1,12 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-19T17:32:13.024Z",
+  "generated_at": "2026-05-19T20:58:49.735Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 54,
   "source_hashes": {
-    "manifest.json": "d9f9002ad675655e952674403fb030798e7ad0c98c65e6ad586960d7d7915af9",
+    "manifest.json": "b8676a67b642f623974dccf3ba0f1df95836541b7c1dcd0c63cef2b71fa1a88a",
     "data/atlas-ttps.json": "d296c1d3e71807c9279b731f047e57796e85137f186586743a8cdad214b408f9",
-    "data/attack-techniques.json": "09bd917fe13c23d8a33f6a04978f5c89ea56ee53c8002ad357bd89cfb9ba8981",
+    "data/attack-techniques.json": "49b6010b317edd219def135171ea8f3b1bbf1e00e9c5a08bf7237215ff54e2c3",
     "data/cve-catalog.json": "a09c83af3f9679a7ea73935726a1ff9de2cab94b4ab6321fc017fc147747d7c3",
     "data/cwe-catalog.json": "c56e74b8c9290583b1d6fdd21b54bd65a254c58890c5f683379788ca7b080e9d",
     "data/d3fend-catalog.json": "4271102f8c38999444bcd981c1cf5feb4ad09f8c0b1d9b79df3f1a82f4fb50f0",

package/data/attack-techniques.json

@@ -1833,6 +1833,7 @@
     "name": "Hijack Execution Flow",
     "version": "v19",
     "cve_refs": [
+      "BUG-2026-NIGHTMARE-ECLIPSE-GREENPLASMA",
       "CVE-2026-45321"
     ],
     "description_full": "Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution. There are many ways an adversary may hijack the flow of execution, including by manipulating how the operating system locates programs to be executed. How the operating system locates libraries to be used by a program can also be intercepted. Locations where the operating system looks for programs/resources, such as file directories and in the case of Windows the Registry, could also be poisoned to include malicious payloads.",
@@ -5474,9 +5475,7 @@
     "last_verified": "2026-05-19",
     "_auto_imported": true,
     "_intake_method": "v0.13.18-orphan-fill",
-    "cve_refs": [
-      "BUG-2026-NIGHTMARE-ECLIPSE-GREENPLASMA"
-    ],
+    "cve_refs": [],
     "description_full": "Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013) The COR_PROFILER environment variable can be set at various scopes (system, user, or process) resulting in different levels of influence. System and user-wide environment variable scopes are specified in the Registry, where a [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) object can be registered as a profiler DLL. A process scope COR_PROFILER can also be created in-memory without modifying the Registry. Starting with .NET Framework 4, the profiling DLL does not need to be registered as long as the location of the DLL is specified in the COR_PROFILER_PATH environment variable.(Citation: Microsoft COR_PROFILER Feb 2013) Adversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. The COR_PROFILER can also be used to elevate privileges (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)) if the victim .NET process executes at a higher permission level, as well as to hook and impair defenses provided by .NET processes.(Citation: RedCanary Mockingbird May 2020)(Citation: Red Canary COR_PROFILER May 2020)(Citation: Almond COR_PROFILER Apr 2019)(Citation: GitHub OmerYa Invisi-Shell)(Citation: subTee .NET Profilers May 2017)",
     "platforms": [
       "Windows"

package/lib/gap-detectors.js

@@ -0,0 +1,555 @@
+"use strict";
+/**
+ * lib/gap-detectors.js
+ *
+ * v0.13.21 — Catalog gap detection beyond the v0.13.19 missing-context /
+ * dangling-ref / draft-debt classes. The audit-catalog-gaps detector
+ * surfaced field-presence holes; this module adds seven cross-cutting
+ * detection classes the prior detector did not cover.
+ *
+ * Each detector is a pure function: takes the loaded catalogs + options,
+ * returns an array of findings. The audit-catalog-gaps CLI composes them
+ * into a unified report; the integrity test exercises them against the
+ * shipped catalogs; --class filters select between them.
+ *
+ * Detection classes:
+ *
+ *   1. content-quality       — fields present but content weak
+ *                              (short, placeholder-language, name-as-
+ *                              description, KEV-listed but no advisories)
+ *
+ *   2. temporal-staleness    — last_verified > 180d, last_updated > 365d,
+ *                              CISA-KEV due-date passed, EPSS stale
+ *
+ *   3. logical-consistency   — internal-state contradictions
+ *                              (cisa_kev:true + date:null, etc.)
+ *
+ *   4. cross-ref-completeness — bidirectional references
+ *                               (CVE→CWE present but CWE.evidence_cves
+ *                               missing the back-ref)
+ *
+ *   5. schema-evolution      — required-since-version fields missing
+ *                              on older entries
+ *
+ *   6. operator-action-sla   — auto-imported entries older than the
+ *                              curation-SLA without operator action
+ *
+ *   7. unused-orphan         — catalog entries no skill / playbook /
+ *                              CVE references — dead-weight content
+ *
+ * Why pure functions: each detector is independently testable against
+ * synthetic catalog inputs, and the integration is just `Array.concat`
+ * over the seven results. Composing in audit-catalog-gaps.js stays
+ * thin.
+ */
+
+// Sentinel strings that indicate placeholder / curation-pending content.
+// Adding new sentinels here makes them findable across every text-heavy
+// field without changing the call sites.
+const PLACEHOLDER_SENTINELS = [
+  /pending operator curation/i,
+  /refer to vendor advisory for IOC list/i,
+  /bulk-imported KEV entry, IOCs not extracted/i,
+  /\bTBD\b/,
+  /\bTKTK\b/,
+  /\bcoming soon\b/i,
+  /^\s*\[\s*\]\s*$/,
+  /\bplaceholder\b/i
+];
+
+function hasPlaceholderLanguage(str) {
+  if (typeof str !== "string" || str.length === 0) return false;
+  for (const re of PLACEHOLDER_SENTINELS) {
+    if (re.test(str)) return true;
+  }
+  return false;
+}
+
+// ---------- 1. content-quality ----------
+//
+// Fields present but content weak. Each rule is per-catalog + per-field
+// because the "what's weak" depends on the field's semantic role.
+
+function contentQualityFindings(loaded) {
+  const out = [];
+  const cve = loaded["cve-catalog"];
+  if (!cve) return out;
+
+  for (const id of Object.keys(cve)) {
+    if (id === "_meta") continue;
+    const e = cve[id];
+    if (!e) continue;
+
+    // Vector text: < 50 chars or placeholder-language indicates the
+    // operator didn't actually describe the primitive. Hard Rule #1
+    // implicit: every CVE needs a real exploitation-vector description.
+    if (typeof e.vector === "string" && e.vector.length > 0 && e.vector.length < 50) {
+      out.push({ class: "content-quality", catalog: "cve-catalog", id,
+        field: "vector", reason: `vector is ${e.vector.length} chars (< 50 threshold) — likely a stub` });
+    }
+    if (typeof e.vector === "string" && hasPlaceholderLanguage(e.vector)) {
+      out.push({ class: "content-quality", catalog: "cve-catalog", id,
+        field: "vector", reason: "vector contains placeholder-language sentinel" });
+    }
+
+    // poc_description with placeholder language while poc_available:true
+    // is a contradiction — the project claims PoC exists but didn't
+    // document where.
+    if (e.poc_available === true && hasPlaceholderLanguage(e.poc_description)) {
+      out.push({ class: "content-quality", catalog: "cve-catalog", id,
+        field: "poc_description", reason: "poc_available:true but description carries placeholder sentinel" });
+    }
+
+    // KEV-listed CVEs MUST have vendor_advisories[] non-empty — the
+    // KEV listing implies CISA has linked vendor advisory metadata.
+    // Empty vendor_advisories is an operator-curation gap.
+    if (e.cisa_kev === true && (!Array.isArray(e.vendor_advisories) || e.vendor_advisories.length === 0)) {
+      out.push({ class: "content-quality", catalog: "cve-catalog", id,
+        field: "vendor_advisories", reason: "cisa_kev:true but vendor_advisories is empty" });
+    }
+
+    // Name reused as description (catalog noise — operator didn't
+    // write a real description, just echoed the name).
+    if (typeof e.name === "string" && typeof e.description === "string"
+        && e.name === e.description && e.name.length > 0) {
+      out.push({ class: "content-quality", catalog: "cve-catalog", id,
+        field: "description", reason: "description is just the name repeated" });
+    }
+  }
+  return out;
+}
+
+// ---------- 2. temporal-staleness ----------
+//
+// Time-based decay. Catalog entries get stale as the threat-intelligence
+// landscape shifts. Surfacing stale entries gives operators a re-verify
+// work-queue.
+
+function daysSince(iso, now) {
+  if (typeof iso !== "string" || !/^\d{4}-\d{2}-\d{2}/.test(iso)) return null;
+  const t = Date.parse(iso);
+  if (Number.isNaN(t)) return null;
+  return Math.floor((now.getTime() - t) / (1000 * 60 * 60 * 24));
+}
+
+function temporalStalenessFindings(loaded, opts = {}) {
+  const now = opts.now || new Date();
+  const STALE_VERIFIED_DAYS = opts.stale_verified_days || 180;
+  const STALE_UPDATED_DAYS = opts.stale_updated_days || 365;
+  const STALE_EPSS_DAYS = opts.stale_epss_days || 90;
+  const out = [];
+  const cve = loaded["cve-catalog"];
+  if (!cve) return out;
+
+  for (const id of Object.keys(cve)) {
+    if (id === "_meta") continue;
+    const e = cve[id];
+    if (!e) continue;
+
+    const sinceVerified = daysSince(e.source_verified || e.last_verified, now);
+    if (sinceVerified !== null && sinceVerified > STALE_VERIFIED_DAYS) {
+      out.push({ class: "temporal-staleness", catalog: "cve-catalog", id,
+        field: "source_verified", reason: `source_verified is ${sinceVerified}d old (threshold ${STALE_VERIFIED_DAYS}d)` });
+    }
+    const sinceUpdated = daysSince(e.last_updated, now);
+    if (sinceUpdated !== null && sinceUpdated > STALE_UPDATED_DAYS) {
+      out.push({ class: "temporal-staleness", catalog: "cve-catalog", id,
+        field: "last_updated", reason: `last_updated is ${sinceUpdated}d old (threshold ${STALE_UPDATED_DAYS}d)` });
+    }
+
+    // CISA KEV due-date passed without remediation status — surfaces
+    // operationally-stale entries the operator should re-verify.
+    if (e.cisa_kev === true && typeof e.cisa_kev_due_date === "string") {
+      const sinceDue = daysSince(e.cisa_kev_due_date, now);
+      if (sinceDue !== null && sinceDue > 0) {
+        out.push({ class: "temporal-staleness", catalog: "cve-catalog", id,
+          field: "cisa_kev_due_date", reason: `CISA KEV due date passed ${sinceDue}d ago; verify remediation status` });
+      }
+    }
+
+    // EPSS score has its own currency clock — FIRST recalculates daily.
+    if (typeof e.epss_score === "number" && typeof e.epss_date === "string") {
+      const sinceEpss = daysSince(e.epss_date, now);
+      if (sinceEpss !== null && sinceEpss > STALE_EPSS_DAYS) {
+        out.push({ class: "temporal-staleness", catalog: "cve-catalog", id,
+          field: "epss_date", reason: `epss_date is ${sinceEpss}d old (threshold ${STALE_EPSS_DAYS}d); refresh via 'exceptd refresh --source epss'` });
+      }
+    }
+  }
+  return out;
+}
+
+// ---------- 3. logical-consistency ----------
+//
+// Internal-state rules that must hold across multiple fields. These are
+// the bugs that pass schema validation (every required field is present)
+// but the field combinations don't make sense.
+
+function logicalConsistencyFindings(loaded) {
+  const out = [];
+  const cve = loaded["cve-catalog"];
+  if (!cve) return out;
+
+  for (const id of Object.keys(cve)) {
+    if (id === "_meta") continue;
+    const e = cve[id];
+    if (!e) continue;
+
+    // cisa_kev:true with null cisa_kev_date — KEV listing has a
+    // dateAdded field in CISA's authoritative JSON; null means we
+    // failed to record it at intake time.
+    if (e.cisa_kev === true && (e.cisa_kev_date == null || e.cisa_kev_date === "")) {
+      out.push({ class: "logical-consistency", catalog: "cve-catalog", id,
+        rule: "cisa_kev_date_present_when_kev_true",
+        reason: "cisa_kev:true requires cisa_kev_date (CISA's dateAdded)" });
+    }
+
+    // live_patch_available:true with empty live_patch_tools[] — the
+    // RWEP live_patch_available factor only fires when tools list
+    // names a real live-patch path; the boolean alone is a lie.
+    if (e.live_patch_available === true
+        && (!Array.isArray(e.live_patch_tools) || e.live_patch_tools.length === 0)) {
+      out.push({ class: "logical-consistency", catalog: "cve-catalog", id,
+        rule: "live_patch_tools_required_when_available",
+        reason: "live_patch_available:true but live_patch_tools is empty — RWEP factor would mis-fire" });
+    }
+
+    // ai_discovered:true requires named AI tool in attribution_note
+    // (Hard Rule #1 enforcement). The schema-validator catches
+    // discovery_source==unknown but not the attribution-text absence.
+    if (e.ai_discovered === true) {
+      const note = e.ai_discovery_notes || e.discovery_attribution_note || "";
+      if (typeof note !== "string" || note.length < 30) {
+        out.push({ class: "logical-consistency", catalog: "cve-catalog", id,
+          rule: "ai_discovery_attribution_text_required",
+          reason: "ai_discovered:true but attribution text is missing or too short to name the AI tool" });
+      }
+    }
+
+    // active_exploitation:"confirmed" with empty verification_sources
+    // is a credibility gap — exploitation claims need sourcing.
+    if (e.active_exploitation === "confirmed"
+        && (!Array.isArray(e.verification_sources) || e.verification_sources.length < 2)) {
+      out.push({ class: "logical-consistency", catalog: "cve-catalog", id,
+        rule: "confirmed_exploitation_needs_sources",
+        reason: `active_exploitation:"confirmed" requires >= 2 verification_sources; have ${(e.verification_sources || []).length}` });
+    }
+
+    // rwep_score declared but rwep_factors empty — score is unsupported.
+    if (typeof e.rwep_score === "number"
+        && (!e.rwep_factors || Object.keys(e.rwep_factors).length === 0)) {
+      out.push({ class: "logical-consistency", catalog: "cve-catalog", id,
+        rule: "rwep_factors_required_when_score_set",
+        reason: "rwep_score declared but rwep_factors is empty — score is unjustified" });
+    }
+  }
+  return out;
+}
+
+// ---------- 4. cross-ref-completeness ----------
+//
+// Bidirectional reference checks. Pre-v0.13.21, the dangling-ref class
+// only verified the forward direction (CVE.cwe_refs[] resolves into
+// cwe-catalog). This class verifies the BACK-reference is present too
+// (CWE.evidence_cves[] includes the CVE that cited it).
+
+function crossRefCompletenessFindings(loaded) {
+  const out = [];
+  const cve = loaded["cve-catalog"];
+  const cwe = loaded["cwe-catalog"];
+  const att = loaded["attack-techniques"];
+  const fwc = loaded["framework-control-gaps"];
+
+  // Build forward-ref maps: target-id → set of CVE-IDs that cite it.
+  const cveByCwe = new Map();
+  const cveByAttack = new Map();
+  const cveByFwc = new Map();
+
+  for (const cid of Object.keys(cve || {})) {
+    if (cid === "_meta") continue;
+    const e = cve[cid];
+    if (!e) continue;
+    // Drafts excluded — auto-imported entries don't yet have curated
+    // refs.
+    if (e._auto_imported) continue;
+    for (const c of (e.cwe_refs || [])) {
+      if (!cveByCwe.has(c)) cveByCwe.set(c, new Set());
+      cveByCwe.get(c).add(cid);
+    }
+    for (const a of (e.attack_refs || [])) {
+      if (!cveByAttack.has(a)) cveByAttack.set(a, new Set());
+      cveByAttack.get(a).add(cid);
+    }
+    for (const k of Object.keys(e.framework_control_gaps || {})) {
+      if (!cveByFwc.has(k)) cveByFwc.set(k, new Set());
+      cveByFwc.get(k).add(cid);
+    }
+  }
+
+  // CWE: every CVE-citation must be in the CWE entry's evidence_cves.
+  for (const [cweId, citingSet] of cveByCwe.entries()) {
+    const entry = cwe && cwe[cweId];
+    if (!entry) continue; // dangling-ref class handles this
+    const evidence = new Set(Array.isArray(entry.evidence_cves) ? entry.evidence_cves : []);
+    const missing = [];
+    for (const cid of citingSet) if (!evidence.has(cid)) missing.push(cid);
+    if (missing.length > 0) {
+      out.push({ class: "cross-ref-completeness", source: "cve-catalog", target: "cwe-catalog",
+        target_id: cweId, reason: `CWE entry's evidence_cves missing ${missing.length} CVE(s) that cite it: ${missing.slice(0, 3).join(", ")}` });
+    }
+  }
+
+  // Same back-ref check for ATT&CK and framework-control-gaps.
+  for (const [attId, citingSet] of cveByAttack.entries()) {
+    const entry = att && att[attId];
+    if (!entry) continue;
+    const evidence = new Set(Array.isArray(entry.cve_refs) ? entry.cve_refs : []);
+    const missing = [];
+    for (const cid of citingSet) if (!evidence.has(cid)) missing.push(cid);
+    if (missing.length > 0) {
+      out.push({ class: "cross-ref-completeness", source: "cve-catalog", target: "attack-techniques",
+        target_id: attId, reason: `ATT&CK entry's cve_refs missing ${missing.length} CVE(s) that cite it: ${missing.slice(0, 3).join(", ")}` });
+    }
+  }
+  for (const [fwId, citingSet] of cveByFwc.entries()) {
+    const entry = fwc && fwc[fwId];
+    if (!entry) continue;
+    const evidence = new Set(Array.isArray(entry.evidence_cves) ? entry.evidence_cves : []);
+    const missing = [];
+    for (const cid of citingSet) if (!evidence.has(cid)) missing.push(cid);
+    if (missing.length > 0) {
+      out.push({ class: "cross-ref-completeness", source: "cve-catalog", target: "framework-control-gaps",
+        target_id: fwId, reason: `framework-gap entry's evidence_cves missing ${missing.length} CVE(s) that cite it: ${missing.slice(0, 3).join(", ")}` });
+    }
+  }
+  return out;
+}
+
+// ---------- 5. schema-evolution ----------
+//
+// Required-since-version checks. Fields the schema requires today were
+// optional on entries added in older releases. The audit surfaces those
+// pre-existing entries so operator-curation can backfill.
+
+const REQUIRED_SINCE = {
+  "cve-catalog": [
+    { field: "ai_discovered", since: "0.12.36", check: (v) => typeof v === "boolean" },
+    { field: "ai_assisted_weaponization", since: "0.12.36", check: (v) => typeof v === "boolean" },
+    { field: "rwep_factors", since: "0.12.36", check: (v) => v && Object.keys(v).length > 0 }
+  ]
+};
+
+function schemaEvolutionFindings(loaded) {
+  const out = [];
+  for (const catalogKey of Object.keys(REQUIRED_SINCE)) {
+    const cat = loaded[catalogKey];
+    if (!cat) continue;
+    for (const id of Object.keys(cat)) {
+      if (id === "_meta") continue;
+      const e = cat[id];
+      if (!e) continue;
+      for (const r of REQUIRED_SINCE[catalogKey]) {
+        if (!r.check(e[r.field])) {
+          out.push({ class: "schema-evolution", catalog: catalogKey, id,
+            field: r.field, since: r.since,
+            reason: `${r.field} required since v${r.since}; missing on this entry` });
+        }
+      }
+    }
+  }
+  return out;
+}
+
+// ---------- 6. operator-action-sla ----------
+//
+// Auto-imported entries are intake-class events. The catalog allows them
+// to ship un-curated (operators add detail later) but past a threshold
+// the un-curated state IS the problem.
+
+function operatorActionSlaFindings(loaded, opts = {}) {
+  const now = opts.now || new Date();
+  const AUTO_IMPORT_SLA_DAYS = opts.auto_import_sla_days || 60;
+  const DRAFT_SLA_DAYS = opts.draft_sla_days || 90;
+  const out = [];
+  const cve = loaded["cve-catalog"];
+  if (!cve) return out;
+
+  for (const id of Object.keys(cve)) {
+    if (id === "_meta") continue;
+    const e = cve[id];
+    if (!e) continue;
+    if (e._auto_imported === true) {
+      const age = daysSince(e.last_updated, now);
+      if (age !== null && age > AUTO_IMPORT_SLA_DAYS) {
+        out.push({ class: "operator-action-sla", catalog: "cve-catalog", id,
+          reason: `_auto_imported entry is ${age}d old (SLA ${AUTO_IMPORT_SLA_DAYS}d); operator-curation pending` });
+      }
+    }
+    if (e._draft === true) {
+      const age = daysSince(e.last_updated, now);
+      if (age !== null && age > DRAFT_SLA_DAYS) {
+        out.push({ class: "operator-action-sla", catalog: "cve-catalog", id,
+          reason: `_draft entry is ${age}d old (SLA ${DRAFT_SLA_DAYS}d); promote-or-quarantine SLA breached` });
+      }
+    }
+  }
+  return out;
+}
+
+// ---------- 7. unused-orphan ----------
+//
+// Entries that no skill / playbook / CVE references — dead-weight
+// content the operator can either repurpose or remove.
+
+// Build reference sets from skills/*.md frontmatter + body and from
+// data/playbooks/*.json content. Pre-v0.13.21 follow-up (codex P1 PR
+// #61): unusedOrphanFindings defaulted these to empty sets, which
+// flagged D3FEND / CWE / ATT&CK IDs referenced in skill bodies as
+// "unused orphans" — false positive. v0.13.21+ builds the reference
+// sets internally when the caller doesn't supply them.
+//
+// The regex is permissive — any CWE-NNN / T1234[.456] / AML.TNNNN /
+// D3-XX / RFC-NNN token in a skill body or playbook JSON counts as a
+// reference. We deliberately scan the FULL text, not just structured
+// fields, because skill bodies cite IDs in prose ("see CWE-79") as
+// often as in frontmatter.
+const REFERENCE_TOKEN_RE = /\b(?:CWE-\d+|T\d{4}(?:\.\d{3})?|AML\.T\d{4}(?:\.\d{3})?|D3-[A-Z]+(?:-[A-Z]+)*|RFC-\d+)\b/g;
+
+function buildExternalRefs(rootPath) {
+  // Lazy require — `path` + `fs` are already in scope at module level.
+  // Tolerate the absence of either directory (synthetic-test contexts
+  // may not have a skills/ tree). Returns { skillRefs, playbookRefs }
+  // as Sets of stringified IDs.
+  if (!rootPath) {
+    const path = require("path");
+    rootPath = path.join(__dirname, "..");
+  }
+  const path = require("path");
+  const fs = require("fs");
+  const skillRefs = new Set();
+  const playbookRefs = new Set();
+  const skillsDir = path.join(rootPath, "skills");
+  if (fs.existsSync(skillsDir)) {
+    for (const skillName of fs.readdirSync(skillsDir)) {
+      const skillPath = path.join(skillsDir, skillName, "skill.md");
+      if (!fs.existsSync(skillPath)) continue;
+      const text = fs.readFileSync(skillPath, "utf8");
+      const matches = text.match(REFERENCE_TOKEN_RE);
+      if (matches) for (const m of matches) skillRefs.add(m);
+    }
+  }
+  const playbooksDir = path.join(rootPath, "data", "playbooks");
+  if (fs.existsSync(playbooksDir)) {
+    for (const pbName of fs.readdirSync(playbooksDir)) {
+      if (!pbName.endsWith(".json")) continue;
+      const text = fs.readFileSync(path.join(playbooksDir, pbName), "utf8");
+      const matches = text.match(REFERENCE_TOKEN_RE);
+      if (matches) for (const m of matches) playbookRefs.add(m);
+    }
+  }
+  return { skillRefs, playbookRefs };
+}
+
+function unusedOrphanFindings(loaded, opts = {}) {
+  const out = [];
+  // Auto-populate skill/playbook refs when the caller didn't supply
+  // them. The composing runAllDetectors() also auto-populates via
+  // _autoLoadRefs unless tests pin explicit empty sets.
+  let skillRefs = opts.skillRefs;
+  let playbookRefs = opts.playbookRefs;
+  if (!skillRefs && !playbookRefs && opts._autoLoadRefs !== false) {
+    const refs = buildExternalRefs(opts._rootPath);
+    skillRefs = refs.skillRefs;
+    playbookRefs = refs.playbookRefs;
+  }
+  skillRefs = skillRefs || new Set();
+  playbookRefs = playbookRefs || new Set();
+  const cve = loaded["cve-catalog"];
+  const cveRefIds = new Set();
+  for (const id of Object.keys(cve || {})) {
+    if (id === "_meta") continue;
+    const e = cve[id];
+    if (!e) continue;
+    for (const r of (e.cwe_refs || [])) cveRefIds.add(r);
+    for (const r of (e.attack_refs || [])) cveRefIds.add(r);
+    for (const r of (e.atlas_refs || [])) cveRefIds.add(r);
+    for (const k of Object.keys(e.framework_control_gaps || {})) cveRefIds.add(k);
+  }
+  const isReferenced = (id) => skillRefs.has(id) || playbookRefs.has(id) || cveRefIds.has(id);
+
+  // CWE / ATT&CK / ATLAS / D3FEND / framework-gap entries that nothing
+  // references are orphans. Operator-curated entries get a longer
+  // grace period (intentional forward-looking content); auto-imported
+  // entries with no reference are clearer waste.
+  for (const catKey of ["cwe-catalog", "attack-techniques", "atlas-ttps", "d3fend-catalog", "framework-control-gaps"]) {
+    const cat = loaded[catKey];
+    if (!cat) continue;
+    for (const id of Object.keys(cat)) {
+      if (id === "_meta") continue;
+      const e = cat[id];
+      if (!e) continue;
+      if (e._auto_imported !== true) continue; // only flag auto-imported orphans
+      if (e.forward_looking === true) continue; // legitimate forward-looking
+      if (isReferenced(id)) continue;
+      out.push({ class: "unused-orphan", catalog: catKey, id,
+        reason: "auto-imported entry with zero references from skills / playbooks / CVE entries — consider quarantine or curation" });
+    }
+  }
+  return out;
+}
+
+// ---------- Composite ----------
+
+function runAllDetectors(loaded, opts = {}) {
+  // Pre-populate external reference sets ONCE and thread them through
+  // every detector that needs them. Avoids re-scanning skills/ +
+  // playbooks/ per detector and keeps the same reference set
+  // consistent across the composed run.
+  const orphanOpts = { ...opts };
+  if (!orphanOpts.skillRefs && !orphanOpts.playbookRefs && opts._autoLoadRefs !== false) {
+    const refs = buildExternalRefs(opts._rootPath);
+    orphanOpts.skillRefs = refs.skillRefs;
+    orphanOpts.playbookRefs = refs.playbookRefs;
+  }
+  return [
+    ...contentQualityFindings(loaded),
+    ...temporalStalenessFindings(loaded, opts),
+    ...logicalConsistencyFindings(loaded),
+    ...crossRefCompletenessFindings(loaded),
+    ...schemaEvolutionFindings(loaded),
+    ...operatorActionSlaFindings(loaded, opts),
+    ...unusedOrphanFindings(loaded, orphanOpts)
+  ];
+}
+
+// Canonical list of detection classes runAllDetectors can emit. The
+// budget gate asserts class-set equality against this list so a future
+// 8th detector added without a budget entry fails-closed (codex P2
+// PR #61).
+const DETECTOR_CLASSES = [
+  "content-quality",
+  "temporal-staleness",
+  "logical-consistency",
+  "cross-ref-completeness",
+  "schema-evolution",
+  "operator-action-sla",
+  "unused-orphan"
+];
+
+module.exports = {
+  hasPlaceholderLanguage,
+  daysSince,
+  contentQualityFindings,
+  temporalStalenessFindings,
+  logicalConsistencyFindings,
+  crossRefCompletenessFindings,
+  schemaEvolutionFindings,
+  operatorActionSlaFindings,
+  unusedOrphanFindings,
+  runAllDetectors,
+  buildExternalRefs,
+  DETECTOR_CLASSES,
+  REQUIRED_SINCE,
+  PLACEHOLDER_SENTINELS,
+  REFERENCE_TOKEN_RE
+};