@blamejs/exceptd-skills 0.14.0 → 0.14.2

package/lib/citation-resolve.js

@@ -0,0 +1,226 @@
+"use strict";
+
+/**
+ * lib/citation-resolve.js
+ *
+ * Answers "is this CVE/RFC citation valid?" so an agent gets the answer FROM
+ * exceptd instead of researching each citation against NVD / the IETF
+ * datatracker by hand. Offline-first:
+ *
+ *   CVE: local catalog -> resolved cache -> (opt-in) one NVD lookup, cached.
+ *   RFC: local index    -> resolved cache -> (opt-in) one datatracker lookup.
+ *
+ * The resolved cache lives at .cache/upstream/resolved/<kind>/<id>.json with a
+ * 7-day TTL. The FIRST agent to resolve an uncatalogued id pays one network
+ * call and writes the cache; sibling agents (and later offline runs) read it —
+ * turning N agents x M citations of redundant lookups into one lookup per id.
+ *
+ * Network is opt-out: --air-gap / EXCEPTD_AIR_GAP=1 / { noNetwork:true } make
+ * resolution offline-only (catalog + cache), returning status "unknown" with a
+ * reason rather than reaching out. Network-resolved records are transient
+ * (cache only) and are never written into the signed catalog.
+ */
+
+const fs = require("node:fs");
+const path = require("node:path");
+
+const PKG_ROOT = path.join(__dirname, "..");
+const CVE_CATALOG = process.env.EXCEPTD_CVE_CATALOG || path.join(PKG_ROOT, "data", "cve-catalog.json");
+const RFC_INDEX = process.env.EXCEPTD_RFC_INDEX || path.join(PKG_ROOT, "data", "rfc-references.json");
+const RESOLVE_CACHE_DIR = process.env.EXCEPTD_RESOLVE_CACHE_DIR || path.join(PKG_ROOT, ".cache", "upstream", "resolved");
+const CACHE_TTL_MS = 7 * 24 * 60 * 60 * 1000; // matches the prefetch freshness window
+
+const CVE_RE = /^CVE-\d{4}-\d{4,}$/;
+const RFC_RE = /^(?:RFC[-\s]?)?(\d+)$/i;
+
+let _cve = null;
+let _rfc = null;
+function cveCatalog() {
+  if (!_cve) _cve = JSON.parse(fs.readFileSync(CVE_CATALOG, "utf8"));
+  return _cve;
+}
+function rfcIndex() {
+  if (!_rfc) _rfc = JSON.parse(fs.readFileSync(RFC_INDEX, "utf8"));
+  return _rfc;
+}
+
+// --- resolved-id cache (atomic JSON files, TTL-bounded, best-effort) ---
+function cachePath(kind, id) {
+  // Read the env at call time so tests can isolate the cache per-case.
+  const dir = process.env.EXCEPTD_RESOLVE_CACHE_DIR || RESOLVE_CACHE_DIR;
+  const safe = id.replace(/[^A-Za-z0-9._-]/g, "_");
+  return path.join(dir, kind, `${safe}.json`);
+}
+function cacheGet(kind, id) {
+  try {
+    const p = cachePath(kind, id);
+    const st = fs.statSync(p);
+    if (Date.now() - st.mtimeMs > CACHE_TTL_MS) return null;
+    return JSON.parse(fs.readFileSync(p, "utf8"));
+  } catch { return null; }
+}
+function cachePut(kind, id, record) {
+  try {
+    const p = cachePath(kind, id);
+    fs.mkdirSync(path.dirname(p), { recursive: true });
+    const tmp = `${p}.${process.pid}.tmp`;
+    fs.writeFileSync(tmp, JSON.stringify(record));
+    fs.renameSync(tmp, p); // atomic — concurrent agents can't read a half-written file
+  } catch { /* cache is an optimization, never fatal */ }
+}
+
+function isAirGap(opts) {
+  return !!(opts && opts.airGap) || process.env.EXCEPTD_AIR_GAP === "1";
+}
+
+/**
+ * Resolve a CVE citation. Returns { id, kind:"cve", status, from, ... }.
+ * status: published | rejected | disputed | fabricated | nonexistent | unknown
+ * from:   format | catalog | cache | network | offline | error
+ */
+async function resolveCve(id, opts = {}) {
+  const cveId = String(id || "").toUpperCase();
+  const base = { id: cveId, kind: "cve" };
+
+  if (!CVE_RE.test(cveId)) {
+    return { ...base, status: "fabricated", from: "format",
+      reason: "not the canonical CVE-YYYY-NNNN form — a non-numeric tail is a fabricated identifier" };
+  }
+
+  // 1. curated catalog (offline, authoritative for the ids it covers)
+  const entry = cveCatalog()[cveId];
+  if (entry && typeof entry === "object") {
+    return {
+      ...base,
+      status: entry.status || "published",
+      cvss: entry.cvss_score ?? null,
+      kev: entry.cisa_kev ?? null,
+      product: entry.name || entry.type || null,
+      exploitation: entry.active_exploitation ?? null,
+      from: "catalog",
+    };
+  }
+
+  // 2. resolved cache (offline, warmed by a prior agent's lookup)
+  const cached = cacheGet("cve", cveId);
+  if (cached) return { ...cached, from: "cache" };
+
+  // 3. offline / air-gap: cannot resolve uncatalogued ids without network
+  if (isAirGap(opts)) {
+    return { ...base, status: "unknown", from: "offline",
+      reason: "air-gap: not in local catalog and no cached resolution — verify against NVD when online" };
+  }
+  if (opts.noNetwork) {
+    return { ...base, status: "unknown", from: "offline",
+      reason: "not in local catalog and no cached resolution (network disabled)" };
+  }
+
+  // 4. resolve once via NVD, then cache for sibling agents.
+  // opts._validateCve is a test seam (inject a fake validator); production uses
+  // the real NVD-backed validator.
+  let validateCve = opts._validateCve;
+  if (!validateCve) {
+    try { ({ validateCve } = require("../sources/validators/cve-validator.js")); }
+    catch { return { ...base, status: "unknown", from: "error", reason: "cve validator unavailable" }; }
+  }
+  let v;
+  try { v = await validateCve(cveId, {}); }
+  catch (e) { return { ...base, status: "unknown", from: "error", reason: e.message }; }
+
+  if (v.status === "unreachable") {
+    return { ...base, status: "unknown", from: "offline", reason: "NVD unreachable — retry online" };
+  }
+  // NVD is the authority for a CVE's existence and lifecycle. validateCve only
+  // returns "unreachable" when EVERY source fails — if NVD is down but KEV/EPSS
+  // answer, it returns match/drift with sources.nvd.reachable === false. Do NOT
+  // declare "published" on KEV/EPSS alone during an NVD outage; that would
+  // falsely validate an unconfirmed (or nonexistent) identifier.
+  const nvd = v.fetched && v.fetched.sources && v.fetched.sources.nvd;
+  if (!nvd || nvd.reachable !== true) {
+    return { ...base, status: "unknown", from: "offline",
+      reason: "NVD unreachable — CVE existence/status unconfirmed; retry online" };
+  }
+  let status;
+  if (v.status === "rejected") status = "rejected";
+  else if (v.status === "missing" || nvd.found !== true) status = "nonexistent";
+  else if ((v.fetched?.cve_tags || []).some(t => /disputed/i.test(t)) || /disputed/i.test(v.fetched?.nvd_vuln_status || "")) status = "disputed";
+  else status = "published";
+
+  const record = {
+    id: cveId, kind: "cve", status,
+    cvss: v.fetched?.cvss_score ?? null,
+    kev: v.fetched?.in_kev ?? null,
+    // NVD English description — carries the product/scope a citation must match,
+    // so an agent can confirm status=published applies to the right product
+    // without a second manual NVD lookup.
+    product: v.fetched?.description ?? null,
+    nvd_vuln_status: v.fetched?.nvd_vuln_status ?? null,
+    cve_tags: v.fetched?.cve_tags || [],
+    source: "nvd",
+    resolved_at: new Date().toISOString(),
+  };
+  cachePut("cve", cveId, record);
+  return { ...record, from: "network" };
+}
+
+/**
+ * Resolve an RFC citation. Returns { id, kind:"rfc", number, title, rfc_status,
+ * found, from, ... }. The local index covers the whole current RFC series, so
+ * number->title resolution is fully offline. Obsoleted/historic RFCs are
+ * excluded from the index, so a not-found number is either obsoleted or
+ * nonexistent; the optional network step disambiguates.
+ */
+async function resolveRfc(id, opts = {}) {
+  const raw = String(id || "").trim();
+  const m = raw.match(RFC_RE);
+  const base = { id: raw, kind: "rfc" };
+  if (!m) {
+    return { ...base, found: false, status: "unknown", from: "format",
+      reason: "not an RFC number — expected `RFC <n>` or a bare number" };
+  }
+  const num = Number(m[1]);
+  const key = `RFC-${num}`;
+
+  // 1. local index (offline, whole current series)
+  const entry = rfcIndex()[key];
+  if (entry && typeof entry === "object") {
+    return {
+      ...base, number: num, found: true,
+      title: entry.title || null,
+      rfc_status: entry.status || null,
+      published: entry.published || null,
+      obsoleted_by: entry.obsoleted_by || null,
+      from: "index",
+    };
+  }
+
+  // 2. resolved cache
+  const cached = cacheGet("rfc", String(num));
+  if (cached) return { ...cached, from: "cache" };
+
+  // 3. offline: report the ambiguity rather than guessing
+  if (isAirGap(opts) || opts.noNetwork) {
+    return { ...base, number: num, found: false, status: "unknown", from: "offline",
+      reason: "not in the local RFC index — likely obsoleted/historic (excluded from the index) or nonexistent; verify at datatracker.ietf.org when online" };
+  }
+
+  // 4. disambiguate obsoleted vs nonexistent via the datatracker, once + cached
+  let validateRfc;
+  try { ({ validateRfc } = require("../sources/validators/rfc-validator.js")); }
+  catch { return { ...base, number: num, found: false, status: "unknown", from: "error", reason: "rfc validator unavailable" }; }
+  let v;
+  try { v = await validateRfc(key, {}); }
+  catch (e) { return { ...base, number: num, found: false, status: "unknown", from: "error", reason: e.message }; }
+  if (v.status === "unreachable") {
+    return { ...base, number: num, found: false, status: "unknown", from: "offline", reason: "datatracker unreachable — retry online" };
+  }
+  const record = v.status === "missing"
+    ? { id: raw, kind: "rfc", number: num, found: false, status: "nonexistent", source: "datatracker", resolved_at: new Date().toISOString() }
+    : { id: raw, kind: "rfc", number: num, found: true, status: "obsoleted-or-historic",
+        title: v.fetched?.title || null, source: "datatracker", resolved_at: new Date().toISOString(),
+        note: "resolves at the datatracker but is absent from the local index (obsoleted/historic RFCs are excluded)" };
+  cachePut("rfc", String(num), record);
+  return { ...record, from: "network" };
+}
+
+module.exports = { resolveCve, resolveRfc };

package/lib/collectors/citation-hygiene.js

@@ -34,6 +34,14 @@ const { codeExcludeSet, isLinkedWorktreeDir } = require("./scan-excludes");
 
 const COLLECTOR_ID = "citation-hygiene";
 
+// Opt-in resolver (`exceptd collect citation-hygiene --resolve`). Lets the
+// collector resolve the citations the offline catalog can't confirm — once,
+// through the shared cache — instead of parking them as inconclusive for an
+// agent to research. Required lazily so a plain collect() never loads it.
+function loadResolver() {
+  return require("../citation-resolve.js");
+}
+
 const DEFAULT_MAX_DEPTH = 8;
 const EXCLUDES = codeExcludeSet();
 
@@ -445,6 +453,10 @@ function collect({ cwd = process.cwd() } = {}) {
     },
     artifacts,
     signal_overrides,
+    // The citations the offline catalog could not confirm. `applyResolution`
+    // (opt-in --resolve) consumes this to resolve + flip them; on a plain
+    // collect it documents what still needs verification.
+    needs_verification: needsVerify,
     collector_meta: {
       collector_id: COLLECTOR_ID,
       collector_version: "2026-05-26",
@@ -462,4 +474,72 @@ function collect({ cwd = process.cwd() } = {}) {
   };
 }
 
-module.exports = { playbook_id: COLLECTOR_ID, collect };
+/**
+ * Resolve the citations a plain collect() left as needs-verification, flipping
+ * the parked signals from inconclusive to a real verdict. Opt-in: only invoked
+ * for `exceptd collect citation-hygiene --resolve`. Each uncatalogued CVE goes
+ * through the shared resolver (catalog -> cache -> one NVD lookup, cached), so a
+ * fan-out resolves each id once. Honors air-gap (resolver returns unknown).
+ *
+ * Mutates a shallow copy of the submission's signal_overrides and records a
+ * resolution summary artifact. Returns the updated submission.
+ *
+ * @param {object} submission  the object returned by collect()
+ * @param {object} [opts]      { airGap?: boolean, _resolveCve?, _resolveRfc? }
+ * @returns {Promise<object>}
+ */
+async function applyResolution(submission, opts = {}) {
+  if (!submission || typeof submission !== "object") return submission;
+  const nv = submission.needs_verification || {};
+  const cveList = Array.isArray(nv.cve_not_in_catalog) ? nv.cve_not_in_catalog : [];
+  const rfcList = Array.isArray(nv.rfc_not_in_index) ? nv.rfc_not_in_index : [];
+  const resolver = (opts._resolveCve && opts._resolveRfc)
+    ? { resolveCve: opts._resolveCve, resolveRfc: opts._resolveRfc }
+    : loadResolver();
+  const airGap = !!opts.airGap;
+
+  const signals = { ...(submission.signal_overrides || {}) };
+  const resolved = { cve: [], rfc: [] };
+  let cveUnknown = 0;
+  let rejectedHit = false;
+  let fabricatedHit = false;
+
+  for (const item of cveList) {
+    const id = String(item.citation || "").trim();
+    const r = await resolver.resolveCve(id, { airGap });
+    resolved.cve.push({ citation: id, file: item.file, status: r.status, from: r.from, product: r.product || null });
+    if (r.status === "rejected" || r.status === "disputed") rejectedHit = true;
+    else if (r.status === "nonexistent" || r.status === "fabricated") fabricatedHit = true;
+    else if (r.status === "unknown") cveUnknown++;
+    // published -> resolved-clean (no flip)
+  }
+  if (rejectedHit) signals["rejected-or-disputed-cve"] = "hit";
+  if (fabricatedHit) signals["fabricated-cve-id"] = "hit";
+  // The needs-verification signal: a clean miss once every parked CVE was
+  // classified, inconclusive while any remain unresolvable (NVD unreachable /
+  // air-gap), and absent when there was nothing to verify.
+  if (cveList.length > 0) {
+    signals["cve-citation-needs-external-verification"] = cveUnknown > 0 ? "inconclusive" : "miss";
+  }
+
+  for (const item of rfcList) {
+    const cite = String(item.citation || "");
+    const num = (cite.match(/(\d+)/) || [])[1];
+    const r = await resolver.resolveRfc(num || cite, { airGap });
+    resolved.rfc.push({ citation: cite, file: item.file, status: r.status, found: r.found, from: r.from, title: r.title || null });
+  }
+
+  const out = { ...submission, signal_overrides: signals };
+  out.artifacts = { ...(submission.artifacts || {}) };
+  const fmt = (arr) => arr.length === 0 ? "0" : arr.map(x => `${x.citation}=${x.status}`).join(", ");
+  out.artifacts["citation-resolution"] = {
+    value: `Resolved ${resolved.cve.length} uncatalogued CVE citation(s): ${fmt(resolved.cve)}. ` +
+      `Resolved ${resolved.rfc.length} not-in-index RFC citation(s): ${fmt(resolved.rfc)}.` +
+      (airGap ? " (air-gap: network resolution skipped — catalog/cache only.)" : ""),
+    captured: true,
+  };
+  out.resolution = resolved;
+  return out;
+}
+
+module.exports = { playbook_id: COLLECTOR_ID, collect, applyResolution };

package/lib/cve-cli.js

@@ -0,0 +1,51 @@
+#!/usr/bin/env node
+"use strict";
+
+/**
+ * lib/cve-cli.js — `exceptd cve <CVE-ID>` resolver.
+ *
+ * Catalog -> resolved cache -> one NVD lookup (cached). Tells an agent whether
+ * a cited CVE is published / rejected / disputed / fabricated / nonexistent
+ * without it researching NVD by hand. Network is opt-out (--air-gap /
+ * --no-network / EXCEPTD_AIR_GAP=1).
+ */
+
+const { resolveCve } = require("./citation-resolve.js");
+
+(async () => {
+  const argv = process.argv.slice(2);
+  const flags = new Set(argv.filter((a) => a.startsWith("--")));
+  const id = argv.find((a) => !a.startsWith("--"));
+  const pretty = flags.has("--pretty");
+  const json = flags.has("--json") || pretty;
+
+  if (!id) {
+    process.stderr.write(
+      JSON.stringify({ ok: false, verb: "cve", error: "usage: exceptd cve <CVE-ID> [--json|--pretty] [--air-gap|--no-network]" }) + "\n"
+    );
+    process.exitCode = 1;
+    return;
+  }
+
+  const r = await resolveCve(id, { airGap: flags.has("--air-gap"), noNetwork: flags.has("--no-network") });
+  const body = { ok: true, verb: "cve", ...r };
+
+  if (json) {
+    process.stdout.write(JSON.stringify(body, null, pretty ? 2 : 0) + "\n");
+  } else {
+    const bits = [];
+    bits.push(`${r.id}: ${String(r.status).toUpperCase()}`);
+    if (r.cvss != null) bits.push(`CVSS ${r.cvss}`);
+    if (r.kev != null) bits.push(`KEV=${r.kev}`);
+    if (r.product) bits.push(r.product);
+    let line = bits.join("  ·  ") + `  (${r.from})`;
+    if (r.nvd_vuln_status) line += `\n  NVD vulnStatus: ${r.nvd_vuln_status}`;
+    if (Array.isArray(r.cve_tags) && r.cve_tags.length) line += `\n  NVD tags: ${r.cve_tags.join(", ")}`;
+    if (r.reason) line += `\n  ${r.reason}`;
+    process.stdout.write(line + "\n");
+  }
+  // A citation that won't stand up is a non-zero exit so a CI/script gate trips.
+  if (r.status === "rejected" || r.status === "fabricated" || r.status === "nonexistent" || r.status === "withdrawn") {
+    process.exitCode = 2;
+  }
+})();

package/lib/flag-suggest.js

@@ -114,7 +114,7 @@ const VERB_FLAG_ALLOWLIST = Object.freeze({
   ],
   doctor: ['signatures', 'cves', 'rfcs', 'fix', 'registry-check', 'exit-codes', 'shipped-tarball', 'ai-config', 'currency', 'collectors'],
   lint: ['evidence'],
-  collect: ['cwd', 'attest-ownership'],
+  collect: ['cwd', 'attest-ownership', 'resolve'],
   refresh: [
     'apply', 'dry-run', 'from-cache', 'from-fixture', 'network', 'source',
     'advisory', 'check-advisories', 'force-stale', 'force-stale-acked', 'air-gap', 'swarm',

package/lib/rfc-cli.js

@@ -0,0 +1,68 @@
+#!/usr/bin/env node
+"use strict";
+
+/**
+ * lib/rfc-cli.js — `exceptd rfc <number>` resolver.
+ *
+ * Local index (whole current RFC series, offline) -> resolved cache -> one
+ * datatracker lookup to disambiguate obsoleted-vs-nonexistent. Resolves an RFC
+ * number to its title + status so an agent can confirm a citation (e.g. "is
+ * RFC 9404 the Sieve spec?") without the datatracker. Optional --check
+ * "<claimed title>" reports whether the claimed title matches.
+ */
+
+const { resolveRfc } = require("./citation-resolve.js");
+
+(async () => {
+  const argv = process.argv.slice(2);
+  const flags = new Set(argv.filter((a) => a.startsWith("--")));
+  const positionals = argv.filter((a) => !a.startsWith("--"));
+  const id = positionals[0];
+  const pretty = flags.has("--pretty");
+  const json = flags.has("--json") || pretty;
+
+  // --check "<claimed title>" : the next non-flag token after the number.
+  let claimedTitle = null;
+  const checkIdx = argv.indexOf("--check");
+  if (checkIdx !== -1 && argv[checkIdx + 1] && !argv[checkIdx + 1].startsWith("--")) {
+    claimedTitle = argv[checkIdx + 1];
+  }
+
+  if (!id) {
+    process.stderr.write(
+      JSON.stringify({ ok: false, verb: "rfc", error: "usage: exceptd rfc <number> [--check \"<claimed title>\"] [--json|--pretty] [--air-gap|--no-network]" }) + "\n"
+    );
+    process.exitCode = 1;
+    return;
+  }
+
+  const r = await resolveRfc(id, { airGap: flags.has("--air-gap"), noNetwork: flags.has("--no-network") });
+
+  let titleMatch = null;
+  if (claimedTitle && r.title) {
+    const norm = (s) => s.toLowerCase().replace(/[^a-z0-9]+/g, " ").trim();
+    const a = norm(claimedTitle), b = norm(r.title);
+    titleMatch = a.length > 0 && (b.includes(a) || a.includes(b));
+  }
+  const body = { ok: true, verb: "rfc", ...r, ...(claimedTitle ? { claimed_title: claimedTitle, title_match: titleMatch } : {}) };
+
+  if (json) {
+    process.stdout.write(JSON.stringify(body, null, pretty ? 2 : 0) + "\n");
+  } else {
+    let line;
+    if (r.found && r.title) {
+      line = `RFC ${r.number}: ${r.title}`;
+      if (r.rfc_status) line += `  (${r.rfc_status})`;
+      if (r.obsoleted_by) line += `\n  obsoleted by: ${r.obsoleted_by}`;
+      if (claimedTitle) line += `\n  claimed "${claimedTitle}" -> ${titleMatch ? "MATCH" : "MISMATCH"}`;
+    } else {
+      line = `RFC ${r.number ?? r.id}: ${String(r.status).toUpperCase()}`;
+      if (r.note) line += `\n  ${r.note}`;
+      if (r.reason) line += `\n  ${r.reason}`;
+    }
+    line += `  (${r.from})`;
+    process.stdout.write(line + "\n");
+  }
+  // A mismatched or nonexistent citation is a non-zero exit for gates.
+  if (r.status === "nonexistent" || titleMatch === false) process.exitCode = 2;
+})();

package/lib/schemas/cve-catalog.schema.json

@@ -92,6 +92,19 @@
       "enum": ["confirmed", "suspected", "theoretical", "none", "unknown"],
       "description": "v0.13.5: enum reconciled with the _meta.active_exploitation_vocabulary block (5 values). 'theoretical' added — distinct from 'suspected' because it captures the 'PoC exists but no observation in the wild' state without committing to a probability claim."
     },
+    "status": {
+      "type": "string",
+      "enum": ["published", "rejected", "disputed", "withdrawn", "reserved", "unknown"],
+      "description": "Assignment lifecycle status (distinct from active_exploitation). 'rejected'/'disputed' come from NVD vulnStatus/cveTags; 'withdrawn' from OSV/GHSA. Optional — absent means 'published' is assumed. Lets a citation check read a structured field instead of grepping free-text notes. Pair with status_source + status_verified for provenance."
+    },
+    "status_source": {
+      "type": "string",
+      "description": "Provenance of `status` (e.g. 'nvd:vulnStatus', 'osv:withdrawn', 'ghsa:withdrawn_at', 'curated')."
+    },
+    "status_verified": {
+      "type": "string",
+      "description": "ISO-8601 timestamp the status was last confirmed against its source."
+    },
     "affected": {
       "type": "string",
       "minLength": 1,

package/lib/source-ghsa.js

@@ -364,6 +364,9 @@ function normalizeAdvisory(adv) {
       _draft_reason: "Imported from GHSA on " + new Date().toISOString().slice(0, 10) + ". Editorial fields (framework_control_gaps, atlas_refs, attack_refs, iocs, vector, complexity, rwep_factors) require human review. Run `exceptd run sbom --evidence -` against an affected repo to gather IoCs; consult MITRE ATLAS + ATT&CK catalogs for refs.",
       _source_ghsa_id: adv.ghsa_id || null,
       _source_published_at: adv.published_at || null,
+      // GitHub sets `withdrawn_at` when an advisory is retracted. Surface it as
+      // structured status so a withdrawn advisory is flagged, not imported as live.
+      ...(adv.withdrawn_at ? { status: "withdrawn", status_source: "ghsa:withdrawn_at", status_verified: new Date().toISOString().slice(0, 10) } : {}),
       last_updated: new Date().toISOString().slice(0, 10),
     },
   };

package/lib/source-osv.js

@@ -810,6 +810,10 @@ function normalizeAdvisory(rec) {
       _draft_reason: "Imported from OSV.dev on " + today + ". Editorial fields (framework_control_gaps, atlas_refs, attack_refs, iocs, vector, complexity, rwep_factors) require human review. Run `exceptd run sbom --evidence -` against an affected repo to gather IoCs; consult MITRE ATLAS + ATT&CK catalogs for refs.",
       _source_osv_id: rec.id,
       _source_published_at: rec.published || null,
+      // OSV sets a top-level `withdrawn` timestamp when a record is retracted.
+      // Surface it as structured status so a citation check (and the resolver)
+      // can flag a withdrawn advisory instead of importing it as if live.
+      ...(rec.withdrawn ? { status: "withdrawn", status_source: "osv:withdrawn", status_verified: today } : {}),
       last_updated: modified || today,
     },
   };

package/lib/validate-package.js

@@ -7,7 +7,7 @@
  *
  *   - includes every required file from package.json `files`
  *   - excludes every forbidden file (secrets, tests, caches, dev artifacts)
- *   - is under the size budget (currently 5 MB)
+ *   - is under the size budget (currently 7 MB)
  *   - `bin/exceptd.js` has the expected shebang
  *   - the bin target listed in package.json exists on disk
  *
@@ -22,7 +22,12 @@ const { spawnSync } = require("child_process");
 
 const ROOT = path.join(__dirname, "..");
 const ABS = (p) => path.join(ROOT, p);
-const SIZE_BUDGET_BYTES = 5 * 1024 * 1024;          // 5 MB published-tarball cap
+// Published-tarball cap. Guards against accidental bloat (a vendored
+// node_modules, a committed binary — tens of MB), not the curated data that
+// legitimately grows each release: the CVE catalog gains entries and the RFC
+// index spans the full series. Packed size crossed 5 MB through that gradual
+// growth; 7 MB restores headroom while still catching a gross-bloat accident.
+const SIZE_BUDGET_BYTES = 7 * 1024 * 1024;
 
 const REQUIRED_PATHS = [
   "package.json",