@blamejs/exceptd-skills 0.13.20 → 0.13.21

package/scripts/audit-catalog-gaps.js

@@ -278,13 +278,42 @@ function emitPretty(report) {
     const pct = r.entries === 0 ? 0 : ((r.auto_imported / r.entries) * 100).toFixed(1);
     lines.push(`  ${r.catalog.padEnd(28)} ${r.auto_imported} / ${r.entries}  (${pct}%)`);
   }
+  // v0.13.21 extended findings sections.
+  const ext = report.extended_findings || {};
+  const extClasses = Object.keys(ext).sort();
+  if (extClasses.length > 0) {
+    lines.push("\nExtended findings (v0.13.21):");
+    for (const cls of extClasses) {
+      const arr = ext[cls];
+      lines.push(`\n  [${cls}] ${arr.length} finding(s)`);
+      for (const f of arr.slice(0, 5)) {
+        const id = f.id || f.target_id || "(no id)";
+        const ctx = f.catalog ? `${f.catalog} ${id}` : id;
+        lines.push(`    ${ctx} — ${f.reason || f.rule || "(no reason)"}`);
+      }
+      if (arr.length > 5) lines.push(`    ... +${arr.length - 5} more`);
+    }
+  }
   return lines.join("\n");
 }
 
-// Valid finding-class names for the `--class` filter. The pretty + JSON
-// emitters always include every section, but counts and strict-exit
-// gating respect the active filter.
-const VALID_CLASSES = new Set(["missing-context", "dangling-ref", "draft-debt"]);
+// Valid finding-class names for the `--class` filter. v0.13.21 added 7
+// extended detection classes for gaps the v0.13.19 detector did not
+// surface (content-quality / temporal-staleness / logical-consistency /
+// cross-ref-completeness / schema-evolution / operator-action-sla /
+// unused-orphan). Each is implemented in lib/gap-detectors.js.
+const VALID_CLASSES = new Set([
+  "missing-context", "dangling-ref", "draft-debt",
+  "content-quality", "temporal-staleness", "logical-consistency",
+  "cross-ref-completeness", "schema-evolution", "operator-action-sla",
+  "unused-orphan"
+]);
+const EXTENDED_CLASS_NAMES = new Set([
+  "content-quality", "temporal-staleness", "logical-consistency",
+  "cross-ref-completeness", "schema-evolution", "operator-action-sla",
+  "unused-orphan"
+]);
+const EXTENDED_DETECTORS = require("../lib/gap-detectors.js");
 
 function main() {
   const opts = parseArgs(process.argv);
@@ -309,27 +338,47 @@ function main() {
   for (const k of Object.keys(SPEC)) if (!allLoaded[k]) allLoaded[k] = loadCatalog(SPEC[k].file);
   const dangling = opts.catalog && opts.catalog !== "cve-catalog" ? [] : inspectRefs(allLoaded);
 
+  // v0.13.21 extended detectors. --catalog scoping mutes them (they're
+  // cross-catalog by nature); --class scoping filters down to one.
+  const extendedFindings = opts.catalog
+    ? []
+    : EXTENDED_DETECTORS.runAllDetectors(allLoaded, {});
+
   // Apply the --class filter before counts + strict-exit gating.
-  // Missing-context findings on per_catalog and dangling_refs are the
-  // two policed classes; draft-debt is informational-only (the audit
-  // surfaces draft-debt but it does not fail strict mode by design).
-  const filteredPerCatalog = opts.klass === "dangling-ref" || opts.klass === "draft-debt"
+  const filteredPerCatalog = (opts.klass === "dangling-ref" || opts.klass === "draft-debt" ||
+                              EXTENDED_CLASS_NAMES.has(opts.klass))
     ? perCatalog.map((r) => ({ ...r, missing_context: [] }))
     : perCatalog;
-  const filteredDangling = opts.klass === "missing-context" || opts.klass === "draft-debt"
+  const filteredDangling = (opts.klass === "missing-context" || opts.klass === "draft-debt" ||
+                            EXTENDED_CLASS_NAMES.has(opts.klass))
     ? []
     : dangling;
+  const filteredExtended = opts.klass
+    ? (EXTENDED_CLASS_NAMES.has(opts.klass)
+        ? extendedFindings.filter((f) => f.class === opts.klass)
+        : [])
+    : extendedFindings;
+
+  const extendedByClass = {};
+  for (const f of filteredExtended) {
+    if (!extendedByClass[f.class]) extendedByClass[f.class] = [];
+    extendedByClass[f.class].push(f);
+  }
 
   const report = {
     generated_at: TODAY,
     class_filter: opts.klass || null,
     per_catalog: filteredPerCatalog,
     dangling_refs: filteredDangling,
+    extended_findings: extendedByClass,
     totals: {
       catalogs: filteredPerCatalog.length,
       entries: filteredPerCatalog.reduce((n, r) => n + r.entries, 0),
       missing_context: filteredPerCatalog.reduce((n, r) => n + r.missing_context.length, 0),
-      dangling_refs: filteredDangling.length
+      dangling_refs: filteredDangling.length,
+      extended: Object.fromEntries(
+        Object.entries(extendedByClass).map(([cls, arr]) => [cls, arr.length])
+      )
     }
   };
   if (opts.pretty) {
@@ -337,7 +386,10 @@ function main() {
   } else {
     process.stdout.write(JSON.stringify(report, null, 2) + "\n");
   }
-  if (opts.strict && (report.totals.missing_context > 0 || report.totals.dangling_refs > 0)) {
+  const extendedTotal = Object.values(report.totals.extended || {}).reduce((n, v) => n + v, 0);
+  if (opts.strict && (report.totals.missing_context > 0 ||
+                      report.totals.dangling_refs > 0 ||
+                      extendedTotal > 0)) {
     process.exitCode = 1;
   }
 }

package/scripts/check-catalog-gap-budget.js

@@ -0,0 +1,133 @@
+#!/usr/bin/env node
+"use strict";
+/**
+ * scripts/check-catalog-gap-budget.js
+ *
+ * Predeploy / CI gate that runs the v0.13.21 extended gap detectors
+ * and asserts no class exceeds its budget. Mirrors the budget in
+ * tests/shipped-catalog-integrity.test.js but runs as a standalone
+ * predeploy gate so the check is visible in the gate summary even
+ * when the broader test suite is skipped (or is the gate that's
+ * failing for an unrelated reason).
+ *
+ * Exit codes:
+ *   0 — every extended class within budget
+ *   1 — at least one class regressed
+ *   2 — internal error
+ *
+ * The budget is intentionally duplicated (here + integrity test) for
+ * fail-loud-at-two-levels. Operators see the regression in BOTH the
+ * test-suite output AND the predeploy gate-summary table.
+ */
+
+const path = require("path");
+const fs = require("fs");
+const ROOT = path.join(__dirname, "..");
+
+let D;
+try {
+  D = require(path.join(ROOT, "lib", "gap-detectors.js"));
+} catch (e) {
+  console.error("[check-catalog-gap-budget] failed to load lib/gap-detectors.js:", e.message);
+  process.exit(2);
+}
+
+function loadAll() {
+  const data = path.join(ROOT, "data");
+  const read = (name) => JSON.parse(fs.readFileSync(path.join(data, name), "utf8"));
+  return {
+    "cve-catalog": read("cve-catalog.json"),
+    "cwe-catalog": read("cwe-catalog.json"),
+    "attack-techniques": read("attack-techniques.json"),
+    "atlas-ttps": read("atlas-ttps.json"),
+    "d3fend-catalog": read("d3fend-catalog.json"),
+    "rfc-references": read("rfc-references.json"),
+    "framework-control-gaps": read("framework-control-gaps.json"),
+    "zeroday-lessons": read("zeroday-lessons.json")
+  };
+}
+
+// Per-class regression budgets. Kept in sync with the canonical version
+// in tests/shipped-catalog-integrity.test.js.
+const BUDGET = {
+  "content-quality": 12,
+  "temporal-staleness": 260,
+  "logical-consistency": 5,
+  "cross-ref-completeness": 5,
+  "schema-evolution": 0,
+  "operator-action-sla": 0,
+  "unused-orphan": 1400
+};
+
+function main() {
+  const all = D.runAllDetectors(loadAll(), {});
+  const byClass = {};
+  for (const f of all) byClass[f.class] = (byClass[f.class] || 0) + 1;
+  const regressions = [];
+
+  // Fail-closed contract (codex P2 PR #61): every class actually
+  // emitted by the detector must have a budget entry. If a future
+  // 8th detector lands without a budget update, the gate fires with
+  // an unbudgeted-class error instead of silently passing.
+  const unbudgeted = [];
+  for (const cls of Object.keys(byClass)) {
+    if (!(cls in BUDGET)) {
+      unbudgeted.push({ class: cls, count: byClass[cls] });
+    }
+  }
+  // Inverse check: every class declared by the detector module's
+  // canonical class list must appear in BUDGET (covers the case where
+  // a new class produces zero findings on this run but still needs
+  // an explicit budget so a future regression caps fail-closed).
+  const missingBudget = [];
+  if (Array.isArray(D.DETECTOR_CLASSES)) {
+    for (const cls of D.DETECTOR_CLASSES) {
+      if (!(cls in BUDGET)) missingBudget.push(cls);
+    }
+  }
+
+  for (const cls of Object.keys(BUDGET)) {
+    const actual = byClass[cls] || 0;
+    const allowed = BUDGET[cls];
+    if (actual > allowed) {
+      regressions.push({ class: cls, allowed, actual, delta: actual - allowed });
+    }
+  }
+  const summary = Object.keys(BUDGET).map((cls) => {
+    const actual = byClass[cls] || 0;
+    const allowed = BUDGET[cls];
+    const mark = actual > allowed ? "✗" : "✓";
+    return `  ${mark} ${cls.padEnd(28)} actual=${actual}  budget=${allowed}`;
+  }).join("\n");
+  console.log("[check-catalog-gap-budget] extended detection classes:");
+  console.log(summary);
+
+  if (unbudgeted.length > 0) {
+    console.error("\n[check-catalog-gap-budget] UNBUDGETED detector classes — fail-closed:");
+    for (const u of unbudgeted) {
+      console.error(`  ${u.class}: ${u.count} finding(s), no BUDGET entry`);
+    }
+    console.error("Add an explicit budget entry in both:");
+    console.error("  scripts/check-catalog-gap-budget.js");
+    console.error("  tests/shipped-catalog-integrity.test.js");
+    process.exit(1);
+  }
+  if (missingBudget.length > 0) {
+    console.error("\n[check-catalog-gap-budget] BUDGET missing entries for declared classes:");
+    for (const c of missingBudget) console.error(`  ${c}: declared by lib/gap-detectors.js DETECTOR_CLASSES, no BUDGET entry`);
+    process.exit(1);
+  }
+  if (regressions.length > 0) {
+    console.error("\n[check-catalog-gap-budget] REGRESSION beyond budget:");
+    for (const r of regressions) {
+      console.error(`  ${r.class}: actual=${r.actual} > budget=${r.allowed} (delta +${r.delta})`);
+    }
+    console.error("\nClose the gap in this PR (preferred) or update BUDGET in both:");
+    console.error("  scripts/check-catalog-gap-budget.js");
+    console.error("  tests/shipped-catalog-integrity.test.js");
+    process.exit(1);
+  }
+  console.log("[check-catalog-gap-budget] all classes within budget; every class is budgeted.");
+}
+
+main();

package/scripts/predeploy.js

@@ -193,6 +193,20 @@ const GATES = [
     // shares the integrity-tier framing with manifest-snapshot etc.
     ciJobName: "Data integrity (catalog + manifest snapshot)",
   },
+  {
+    // v0.13.21: catalog-gap budget gate. Runs the seven extended
+    // detection classes added in v0.13.21 (content-quality,
+    // temporal-staleness, logical-consistency, cross-ref-completeness,
+    // schema-evolution, operator-action-sla, unused-orphan) against
+    // the shipped catalog and fails if any class regresses beyond its
+    // documented budget. Mirrors the budget enforced by
+    // tests/shipped-catalog-integrity.test.js so the regression
+    // surfaces in BOTH the gate-summary table AND the test output.
+    name: "Catalog-gap budget (v0.13.21 extended detection classes)",
+    command: process.execPath,
+    args: [path.join(ROOT, "scripts", "check-catalog-gap-budget.js")],
+    ciJobName: "Data integrity (catalog + manifest snapshot)",
+  },
 ];
 
 function runGate(gate) {