@blamejs/exceptd-skills 0.13.20 → 0.13.22

package/CHANGELOG.md

@@ -1,5 +1,52 @@
 # Changelog
 
+## 0.13.22 — 2026-05-19
+
+`ci` is now usable at the terminal without piping through `jq`.
+
+### Features
+
+- **Human-readable `ci` output by default.** Pre-0.13.22 the default `ci` output was 1000+ lines of indented JSON on every run. Now the default is a one-screen digest: verdict line, per-playbook table (id / verdict / rwep / evidence-completeness / top-finding), session-level warnings, scope-selection rules, framework gap rollup, and fail reasons. Pass `--json` or `--pretty` to get the structured body for automation.
+- **Per-result hoisted summary fields.** Every `run()` result now carries `verdict`, `rwep_score`, `top_finding`, `summary_line`, and `evidence_completeness` (one of `complete` / `partial` / `missing` / `unknown` / `not-evaluated`) at the top level. Machine-readable consumers no longer walk `phases.analyze.rwep.adjusted` and `phases.detect.classification` separately to extract the headline numbers.
+- **`indicators_evaluated` + `indicators_known` per result.** Surface how many of the playbook's known indicators were actually exercised by the operator's evidence, so a result that returns `verdict=inconclusive` with `indicators_evaluated=0` is distinguishable from one that evaluated every indicator and found no hits.
+- **Session-level warning de-duplication.** `ci` runs that span N playbooks no longer emit the same `bundle_publisher_unclaimed` warning N times. The summary now carries `runtime_warnings` and `runtime_warnings_count` with one entry per unique (kind, reason) across the session.
+- **Scope-inclusion transparency.** When `ci --scope <type>` is used, the summary now lists `scope_request` plus `scope_inclusion_rules` explaining that cross-cutting playbooks are always added and (for `--scope code`) that `sbom` is auto-included on repos with a lockfile.
+
+### Bugs
+
+- **Blocked results now carry `playbook_id`.** Previously, a playbook that halted at preflight returned `{ ok:false, blocked_by, reason }` with no playbook identifier — operators iterating `results[]` for failure rows had to correlate by array index. Now every result, blocked or not, carries `playbook_id` at the top level.
+
+## 0.13.21 — 2026-05-19
+
+Seven new catalog-gap detection classes wired into the predeploy gate. The v0.13.19 detector covered missing-context / dangling-ref / draft-debt; the v0.13.20 audit confirmed that left genuine gap classes unsurfaced. v0.13.21 adds the seven cross-cutting classes the prior detector missed and wires them into a budget gate that runs alongside the existing tests + predeploy gates.
+
+### Features
+
+**Seven new detection classes in `lib/gap-detectors.js`:**
+
+- **content-quality** — fields present but content weak. Catches: vector text < 50 chars (likely a stub), placeholder-language sentinels (TBD / TKTK / "pending operator curation" / "[]"), KEV-listed entries with empty vendor_advisories, name-repeated-as-description.
+- **temporal-staleness** — time-based decay. Catches: source_verified > 180d old, last_updated > 365d, CISA-KEV due-date passed without remediation status, epss_date > 90d.
+- **logical-consistency** — internal-state contradictions that pass schema validation but don't make sense. Catches: `cisa_kev:true + cisa_kev_date:null`, `live_patch_available:true + live_patch_tools:[]`, `ai_discovered:true + attribution_note < 30 chars`, `active_exploitation:"confirmed" + verification_sources.length < 2`, `rwep_score declared + rwep_factors empty`.
+- **cross-ref-completeness** — bidirectional reference checks. The v0.13.19 dangling-ref class only verified the forward direction (CVE→CWE resolves); v0.13.21 also verifies the back-reference is present (CWE.evidence_cves includes the citing CVE). Same logic for ATT&CK.cve_refs and framework-control-gaps.evidence_cves.
+- **schema-evolution** — required-since-version checks. Fields the schema requires today were optional on entries added in older releases. Surfaces pre-existing entries the operator should backfill (e.g. pre-v0.12.36 CVEs lacking the `ai_discovered` boolean).
+- **operator-action-sla** — un-curated auto-imports older than the SLA window. Defaults: 60d for `_auto_imported`, 90d for `_draft`.
+- **unused-orphan** — auto-imported catalog entries that no skill / playbook / CVE references. Operator-curated entries are exempt (intentional content); `forward_looking:true` entries are exempt (intentional forward-look content).
+
+**`scripts/check-catalog-gap-budget.js` + predeploy gate.** New predeploy gate runs the seven extended detectors and asserts every class is within its documented budget. Mirrors the budget enforced by `tests/shipped-catalog-integrity.test.js` so a regression surfaces in BOTH the gate-summary table AND the test output. Predeploy summary now reports 16 gates (was 15).
+
+**`tests/gap-detectors.test.js`** — 22 per-detector tests pin each of the seven classes against synthetic catalog inputs. Each pin asserts the detector fires on the shape it's designed to catch AND does NOT fire on the inverse shape (no false positives).
+
+### Bugs
+
+**T1574 ATT&CK back-ref synced.** v0.13.20's CTFMON-mapping fix added T1574 to `BUG-2026-NIGHTMARE-ECLIPSE-GREENPLASMA.attack_refs[]`, but the reverse-refs pass didn't run before sign + sbom + commit, so `attack-techniques.T1574.cve_refs[]` didn't pick up the back-ref. The v0.13.21 cross-ref-completeness detector surfaced this on first run — fixed via `npm run refresh-reverse-refs`.
+
+### Internal
+
+- `scripts/audit-catalog-gaps.js` CLI extended: `--class <name>` accepts the seven new class names (`content-quality`, `temporal-staleness`, `logical-consistency`, `cross-ref-completeness`, `schema-evolution`, `operator-action-sla`, `unused-orphan`) for scoped audits. JSON + pretty output include an `extended_findings` section grouped by class, with `totals.extended` counts.
+- `tests/shipped-catalog-integrity.test.js` includes a new budget pin for the seven extended classes — a future PR that worsens any class beyond budget fires the test.
+- npm alias: `npm run audit-catalog-gap-budget` runs the budget gate standalone (operator-facing convenience).
+- Current shipped-catalog snapshot: content-quality=10, temporal-staleness=255, logical-consistency=0, cross-ref-completeness=0, schema-evolution=0, operator-action-sla=0, unused-orphan=1342. The non-zero classes are operator-curation work items surfaced honestly by the new detectors.
+
 ## 0.13.20 — 2026-05-19
 
 Root-cause refactor addressing every audit class surfaced by the v0.13.17–v0.13.19 self-audit (no-MVP violations, regex-where-logic-is-required, symptom patches, coincidence-pinning tests, uncaught bugs). The audit found I had been patching symptoms instead of fixing root causes; v0.13.20 fixes the actual issues and lets the audit tell the truth about catalog state.

package/bin/exceptd.js

@@ -6814,6 +6814,46 @@ function cmdCi(runner, args, runOpts, pretty) {
     clock_started_reasons: clockStartedReasons,
   };
 
+  // v0.13.22 B5: Each `run()` call independently surfaces session-level
+  // runtime conditions (e.g. bundle_publisher_unclaimed) into its own
+  // phases.analyze.runtime_errors. On a ci run that spans 9 playbooks, the
+  // operator saw the same warning 9 times. Dedupe across results by
+  // (kind, reason) so a session-level condition surfaces once at the ci
+  // summary level — operators read one row, not N copies.
+  const warningSeen = new Set();
+  const runtimeWarningsDedup = [];
+  for (const r of results) {
+    const errs = r?.phases?.analyze?.runtime_errors || [];
+    for (const e of errs) {
+      const key = `${e.kind || ""}::${e.reason || ""}`;
+      if (warningSeen.has(key)) continue;
+      warningSeen.add(key);
+      runtimeWarningsDedup.push({
+        kind: e.kind || null,
+        reason: e.reason || null,
+        remediation: e.remediation || null,
+      });
+    }
+  }
+  summary.runtime_warnings = runtimeWarningsDedup;
+  summary.runtime_warnings_count = runtimeWarningsDedup.length;
+
+  // v0.13.22 B8 (transparency): document why each playbook was selected.
+  // --scope <s> always adds cross-cutting; --scope code on a repo with a
+  // lockfile also adds sbom. The selection rule was buried in code; surface
+  // it in the summary so operators reading the JSON / pretty trailer can
+  // see what was scoped vs. auto-included.
+  if (scope) {
+    summary.scope_request = scope;
+    summary.scope_inclusion_rules = [
+      `--scope ${scope} selected playbooks with _meta.scope === "${scope}"`,
+      `cross-cutting playbooks are always added (apply to every scope by design)`,
+    ];
+    if (scope === "code") {
+      summary.scope_inclusion_rules.push("--scope code also adds sbom when the cwd is a git repo with a lockfile");
+    }
+  }
+
   // v0.11.4 (#72): ci --format <fmt> previously emitted the full bundle
   // regardless of flag. Now honors the same shortcuts as `run --format`:
   //   summary  → one-line JSON of session + verdict + counts
@@ -6856,7 +6896,106 @@ function cmdCi(runner, args, runOpts, pretty) {
     );
     return;
   } else {
-    emit({ verb: "ci", session_id: sessionId, playbooks_run: ids, summary, results }, pretty);
+    // v0.13.22 B3+B4+B6: human renderer for `ci` default output. Pre-0.13.22
+    // the only output was indented JSON (or compact JSON when not TTY) —
+    // operators running `exceptd ci` at the terminal saw 1000+ lines of JSON
+    // for a 9-playbook scan and had to grep for the verdict by hand.
+    //
+    // Renderer shape (one screen for a typical 9-playbook scope):
+    //   - one verdict line (PASS/FAIL/BLOCKED + counts)
+    //   - per-playbook row: id | verdict | rwep | evidence | top_finding
+    //   - deduped session-level runtime warnings (B5)
+    //   - scope inclusion rules (B8 transparency) when --scope was used
+    //   - footer pointing at --json / --format for the structured body
+    emit({ verb: "ci", session_id: sessionId, playbooks_run: ids, summary, results }, pretty, (obj) => {
+      const s = obj.summary;
+      const lines = [];
+      lines.push(`ci: ${obj.playbooks_run.length} playbook(s)  session-id: ${obj.session_id}`);
+      const verdictIcon = s.verdict === "PASS"
+        ? "[ok]"
+        : s.verdict === "BLOCKED"
+          ? "[!! BLOCKED]"
+          : s.verdict === "CLOCK_STARTED"
+            ? "[!! CLOCK]"
+            : s.verdict === "NO_EVIDENCE"
+              ? "[i  NO_EVIDENCE]"
+              : "[!! FAIL]";
+      lines.push(`\n${verdictIcon}  verdict=${s.verdict}  detected=${s.detected}  inconclusive=${s.inconclusive}  clean=${s.not_detected}  blocked=${s.blocked}  max_rwep=${s.max_rwep_observed}`);
+
+      // Per-playbook table.
+      const rows = (obj.results || []).map(r => {
+        if (r && r.ok === false) {
+          return {
+            id: r.playbook_id || "?",
+            verdict: "blocked",
+            rwep: "-",
+            evidence: r.evidence_completeness || "not-evaluated",
+            top: r.blocked_by || r.reason || r.error || "",
+          };
+        }
+        const cls = r?.phases?.detect?.classification || r?.verdict || "?";
+        return {
+          id: r.playbook_id || "?",
+          verdict: cls,
+          rwep: (r?.rwep_score != null) ? String(r.rwep_score) : "-",
+          evidence: r?.evidence_completeness || "unknown",
+          top: r?.top_finding || "",
+        };
+      });
+      const wId = Math.max(8, ...rows.map(r => r.id.length));
+      const wV = Math.max(8, ...rows.map(r => r.verdict.length));
+      const wR = Math.max(4, ...rows.map(r => r.rwep.length));
+      const wE = Math.max(8, ...rows.map(r => r.evidence.length));
+      const pad = (s, w) => (s + " ".repeat(w)).slice(0, w);
+      lines.push("");
+      lines.push(`  ${pad("playbook", wId)}  ${pad("verdict", wV)}  ${pad("rwep", wR)}  ${pad("evidence", wE)}  finding`);
+      lines.push(`  ${"-".repeat(wId)}  ${"-".repeat(wV)}  ${"-".repeat(wR)}  ${"-".repeat(wE)}  -------`);
+      for (const row of rows) {
+        const finding = row.top.length > 80 ? row.top.slice(0, 77) + "..." : row.top;
+        lines.push(`  ${pad(row.id, wId)}  ${pad(row.verdict, wV)}  ${pad(row.rwep, wR)}  ${pad(row.evidence, wE)}  ${finding}`);
+      }
+
+      // Session-level deduped runtime warnings (B5).
+      if (s.runtime_warnings && s.runtime_warnings.length) {
+        lines.push(`\nSession warnings (${s.runtime_warnings_count}):`);
+        for (const w of s.runtime_warnings) {
+          const reason = (w.reason || "").length > 200 ? (w.reason || "").slice(0, 197) + "..." : (w.reason || "");
+          lines.push(`  [${w.kind || "warning"}] ${reason}`);
+          if (w.remediation) lines.push(`    → ${w.remediation}`);
+        }
+      }
+
+      // Scope inclusion (B8 transparency).
+      if (s.scope_inclusion_rules && s.scope_inclusion_rules.length) {
+        lines.push(`\nScope selection (${s.scope_request}):`);
+        for (const rule of s.scope_inclusion_rules) lines.push(`  - ${rule}`);
+      }
+
+      // Jurisdiction clocks.
+      if (s.jurisdiction_clocks_started > 0) {
+        lines.push(`\nJurisdiction clocks started: ${s.jurisdiction_clocks_started}`);
+        for (const n of (s.jurisdiction_clock_rollup || []).slice(0, 5)) {
+          lines.push(`  ${n.jurisdiction || "?"}/${n.regulation || "?"} → deadline ${n.deadline || "?"}`);
+        }
+      }
+
+      // Framework gap rollup.
+      if (s.framework_gap_count > 0) {
+        lines.push(`\nFramework gaps (${s.framework_gap_count}):`);
+        for (const g of (s.framework_gap_rollup || []).slice(0, 5)) {
+          lines.push(`  ${g.framework || "?"} :: ${g.claimed_control || "?"}  (${g.playbooks.length} playbook(s))`);
+        }
+      }
+
+      // Fail reasons.
+      if (s.fail_reasons && s.fail_reasons.length) {
+        lines.push(`\nFail reasons:`);
+        for (const r of s.fail_reasons) lines.push(`  - ${r}`);
+      }
+
+      lines.push(`\nFull structured result: --json (or --pretty for indented JSON).`);
+      return lines.join("\n");
+    });
   }
   // v0.11.14 (#134): exit-code matrix with BLOCKED before FAIL.
   // Pre-0.11.14 the `if (fail)` check fired first for blocked runs (because

package/data/_indexes/_meta.json

@@ -1,12 +1,12 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-19T17:32:13.024Z",
+  "generated_at": "2026-05-19T22:22:02.165Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 54,
   "source_hashes": {
-    "manifest.json": "d9f9002ad675655e952674403fb030798e7ad0c98c65e6ad586960d7d7915af9",
+    "manifest.json": "068eb6c464d8999f41906bd3ea080b6b579d6dc15c3c1b05c1caf94adb72cd27",
     "data/atlas-ttps.json": "d296c1d3e71807c9279b731f047e57796e85137f186586743a8cdad214b408f9",
-    "data/attack-techniques.json": "09bd917fe13c23d8a33f6a04978f5c89ea56ee53c8002ad357bd89cfb9ba8981",
+    "data/attack-techniques.json": "49b6010b317edd219def135171ea8f3b1bbf1e00e9c5a08bf7237215ff54e2c3",
     "data/cve-catalog.json": "a09c83af3f9679a7ea73935726a1ff9de2cab94b4ab6321fc017fc147747d7c3",
     "data/cwe-catalog.json": "c56e74b8c9290583b1d6fdd21b54bd65a254c58890c5f683379788ca7b080e9d",
     "data/d3fend-catalog.json": "4271102f8c38999444bcd981c1cf5feb4ad09f8c0b1d9b79df3f1a82f4fb50f0",

package/data/attack-techniques.json

@@ -1833,6 +1833,7 @@
     "name": "Hijack Execution Flow",
     "version": "v19",
     "cve_refs": [
+      "BUG-2026-NIGHTMARE-ECLIPSE-GREENPLASMA",
       "CVE-2026-45321"
     ],
     "description_full": "Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution. There are many ways an adversary may hijack the flow of execution, including by manipulating how the operating system locates programs to be executed. How the operating system locates libraries to be used by a program can also be intercepted. Locations where the operating system looks for programs/resources, such as file directories and in the case of Windows the Registry, could also be poisoned to include malicious payloads.",
@@ -5474,9 +5475,7 @@
     "last_verified": "2026-05-19",
     "_auto_imported": true,
     "_intake_method": "v0.13.18-orphan-fill",
-    "cve_refs": [
-      "BUG-2026-NIGHTMARE-ECLIPSE-GREENPLASMA"
-    ],
+    "cve_refs": [],
     "description_full": "Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013) The COR_PROFILER environment variable can be set at various scopes (system, user, or process) resulting in different levels of influence. System and user-wide environment variable scopes are specified in the Registry, where a [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) object can be registered as a profiler DLL. A process scope COR_PROFILER can also be created in-memory without modifying the Registry. Starting with .NET Framework 4, the profiling DLL does not need to be registered as long as the location of the DLL is specified in the COR_PROFILER_PATH environment variable.(Citation: Microsoft COR_PROFILER Feb 2013) Adversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. The COR_PROFILER can also be used to elevate privileges (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)) if the victim .NET process executes at a higher permission level, as well as to hook and impair defenses provided by .NET processes.(Citation: RedCanary Mockingbird May 2020)(Citation: Red Canary COR_PROFILER May 2020)(Citation: Almond COR_PROFILER Apr 2019)(Citation: GitHub OmerYa Invisi-Shell)(Citation: subTee .NET Profilers May 2017)",
     "platforms": [
       "Windows"