@blamejs/exceptd-skills 0.14.10 → 0.14.12

package/CHANGELOG.md

@@ -1,5 +1,52 @@
 # Changelog
 
+## 0.14.12 — 2026-05-27
+
+Structured-bundle accuracy:
+- CSAF advisories no longer attribute exploitation to the CISA KEV catalog for a CVE that is confirmed-exploited but not actually in KEV — the "(CISA KEV)" parenthetical is now conditional on the CVE's KEV status.
+- An empty-evidence run emits a `csaf_informational_advisory` instead of a `csaf_security_advisory` with an empty `vulnerabilities` array (Profile 4 expects vulnerabilities; the informational profile does not).
+- SARIF `cve_match` results now carry a `locations` entry. Without it, GitHub Code Scanning silently dropped the highest-severity result class.
+- SARIF and OpenVEX render "not assessed" for an unassessed blast radius instead of the literal "null" / "null/5".
+- `ci --format csaf|sarif|openvex` emits a JSON array of the pure documents instead of an exceptd wrapper carrying a top-level `ok` key (which is invalid in all three formats). Each array element is now a conformant document.
+
+External-source command hardening:
+- `validate-rfcs` / `validate-cves` reject an unknown flag before doing any work, instead of silently defaulting to a live-network run that hangs on a typo'd flag.
+- `cve` and `rfc` now return `ok:false` (not `ok:true`) when the citation fails to stand up — the envelope matched the exit code was already 2, but `ok` was inverted.
+- `refresh`, `prefetch`, and the `scan`/`dispatch`/`currency`/`watchlist` verbs reject unknown flags instead of silently ignoring them; the latter four also emit a top-level `ok` in their `--json` output.
+- `framework-gap` and `skill` honor `--json` on their missing-argument paths (structured error, not plain text), and `skill --json` no longer treats `--json` as the skill name.
+
+`doctor`:
+- `doctor --rfcs` counts the whole RFC catalog (including the CSAF/draft/ISO citation families it previously dropped) with a `by_prefix` breakdown, and its freshness fields read the real catalog file instead of a path that never existed.
+- `doctor --fix` re-verifies signatures after generating a key and signing, so a successful bootstrap reports success (exit 0) rather than carrying the pre-fix "signatures failed" state through to a non-zero exit. It also refuses to generate a key when a fingerprint pin is present without the public key (a corrupted checkout) rather than producing an install that can never verify.
+- `doctor --shipped-tarball` runs the tarball round-trip even when combined with another selective flag (it was silently skipped). `doctor --ai-config` reports a warning when its scan hits the file cap, rather than an unqualified clean pass on an incomplete walk.
+
+Playbook validation hardening (enforcement for future drift; the shipped corpus is unaffected):
+- `domain.attack_refs` are cross-referenced against the ATT&CK catalog (they were unchecked).
+- An air-gap playbook with a network-sourced artifact lacking an `air_gap_alternative` is now rejected (the schema's air-gap conditional was never executed by the validator).
+- Empty `detect.indicators` / `look.artifacts` are rejected; every playbook must map to at least one real TTP (cross-cutting analysis playbooks excepted). Dangling `false_positive_profile` indicator references and invalid `clock_starts` / `frameworks_in_scope` values now fail validation instead of passing as warnings.
+
+RWEP factor validation accepts a numeric string consistently with the scorer (the two surfaces previously disagreed).
+
+## 0.14.11 — 2026-05-27
+
+Security: `reattest <session-id>` now validates the session-id before it is joined into a filesystem path, the same gate the other read verbs use. A `../`-bearing id previously escaped the attestation root — reading a forged attestation and writing a signed replay record outside the root. Such an id is now refused (exit 1) and nothing is written.
+
+Air-gap is now honored on every external-source path that previously leaked. `watchlist --org-scan`, `refresh --network`, and `prefetch` all consulted the network even under `--air-gap` / `EXCEPTD_AIR_GAP=1`; each now refuses (or, for `prefetch`, runs report-only) instead of egressing.
+
+The `sbom` collector no longer reports `lockfile-no-integrity` on every clean repository. It counted the npm lockfile's root entry — which legitimately has no integrity hash — as a missing-integrity dependency, so the indicator fired on any normal `package-lock.json`. It now counts only remote-tarball entries that lack integrity.
+
+The `secrets` collector no longer fires on the published AWS documentation example key (`AKIAIOSFODNN7EXAMPLE`), and a text file skipped for exceeding the size limit is now surfaced in `collector_errors` instead of being dropped silently. Secret/citation/crypto findings now carry the exact line in their evidence locations, so SARIF points at the line rather than the file.
+
+Cache-integrity refusals during `refresh` (sha256 mismatch, tampered or unindexed cache) now exit 4 — the documented "cache precondition failed" code — instead of the generic 1. `refresh --source ""` errors with the valid-source list instead of silently running every source; `cve "  "` (whitespace) is treated as a missing argument; `refresh --advisory "  "` gets the dedicated empty-advisory message. `refresh --help` documents exit 1 and the full meaning of exit 4.
+
+Human-readable output gaps closed across several verbs:
+- `run --all` / `run-all` print a per-playbook summary table instead of dumping the full JSON.
+- `attest diff --against` renders the same one-screen summary the no-argument form already did, rather than raw JSON.
+- A matched CVE renders `KEV=Y`/`KEV=N` (not the raw boolean); a deterministic indicator no longer prints `deterministic/deterministic`; a truncated remediation, an over-long fired-indicator list, and the `ci` framework-gap / jurisdiction-clock rollups now show how much was elided; a preflight warning that carries its text in `message` and a runtime warning that carries only context fields are now shown instead of `(no detail)` / a blank line.
+- `framework-gap <framework> <scenario>` summary line counts only the queried framework's gaps, matching the per-framework body (it previously reported the all-frameworks total).
+- `report executive` writes its progress notice to stderr so piped markdown is clean.
+- The synopsis now describes `watchlist` (the one-shot forward-watch aggregator) and `watch` (the long-running daemon) correctly; the inverted deprecation arrow is gone. `cve`/`rfc` help states their exit-2 contract.
+
 ## 0.14.10 — 2026-05-27
 
 `ci <playbook> --evidence -` no longer reports a false PASS when handed a flat submission. `run` accepts a flat submission (`{ "signal_overrides": {...} }`) and so do operators by habit; `ci` keyed the input by playbook id, found nothing under that key, and evaluated an empty submission — a detected finding came back PASS. A single-positional `ci` invocation now treats a flat (non-bundle-shaped) submission as belonging to that playbook, so `ci` and `run` agree. A real bundle keyed by playbook id is still routed per-key.

package/bin/exceptd.js

@@ -464,7 +464,8 @@ Canonical verbs
                              (citation-hygiene) resolves uncatalogued citations.
   skill <name>               Show context for a specific skill.
   framework-gap <fw> <ref>   Programmatic gap analysis (one framework, one CVE/scenario).
-  watch [--alerts]           Forward-watch aggregator across skills.
+  watchlist [--alerts]       Forward-watch aggregator across skills (one-shot).
+  watch                      Long-running forward-watch daemon (blocks; Ctrl-C).
   report [executive]         Structured posture report.
   path                       Absolute path to the installed package.
   version                    Package version.
@@ -519,7 +520,6 @@ surfaces.
   [DEPRECATED] verify            → doctor --signatures
   [DEPRECATED] validate-cves     → doctor --cves
   [DEPRECATED] validate-rfcs     → doctor --rfcs
-  [DEPRECATED] watchlist         → watch
   [DEPRECATED] prefetch          → refresh --no-network
   [DEPRECATED] build-indexes     → refresh --indexes-only
 
@@ -759,8 +759,8 @@ function main() {
     skill: "exceptd skill <name>          Show the full context document for one skill.",
     "framework-gap": "exceptd framework-gap <framework> <cve-or-scenario>   One-framework gap analysis.",
     "framework-gap-analysis": "exceptd framework-gap <framework> <cve-or-scenario>   One-framework gap analysis.",
-    cve: "exceptd cve <CVE-ID> [--json] [--air-gap|--no-network]   Resolve a CVE: published/rejected/disputed/fabricated/nonexistent (catalog -> cache -> NVD).",
-    rfc: "exceptd rfc <number> [--check \"<title>\"] [--json] [--air-gap]   Resolve an RFC number -> title + status (local index, offline).",
+    cve: "exceptd cve <CVE-ID> [--json] [--air-gap|--no-network]   Resolve a CVE: published/rejected/disputed/fabricated/nonexistent (catalog -> cache -> NVD). Exit 2 when the citation won't stand up (rejected/fabricated/nonexistent/withdrawn).",
+    rfc: "exceptd rfc <number> [--check \"<title>\"] [--json] [--air-gap]   Resolve an RFC number -> title + status (local index, offline). Exit 2 when nonexistent or --check title MISMATCH.",
   };
   if ((effectiveRest.includes("--help") || effectiveRest.includes("-h")) && SPAWN_HELP_USAGE[effectiveCmd]) {
     process.stdout.write(SPAWN_HELP_USAGE[effectiveCmd] + "\n  Full reference: exceptd help\n");
@@ -2858,13 +2858,14 @@ function cmdBrief(runner, args, runOpts, pretty) {
     const required = (obj.artifacts || []).filter(a => a.required);
     const optional = (obj.artifacts || []).filter(a => !a.required);
     lines.push(`\nRequired artifacts (${required.length}): ${required.map(a => a.id).join(", ") || "(none)"}`);
-    if (optional.length) lines.push(`Optional artifacts (${optional.length}): ${optional.map(a => a.id).slice(0, 8).join(", ")}${optional.length > 8 ? ", …" : ""}`);
+    if (optional.length) lines.push(`Optional artifacts (${optional.length}): ${optional.map(a => a.id).slice(0, 8).join(", ")}${optional.length > 8 ? `, … +${optional.length - 8}` : ""}`);
     const indicators = obj.detect_indicators_preview || [];
-    lines.push(`\nIndicators (${indicators.length}): ${indicators.map(i => i.id).slice(0, 8).join(", ")}${indicators.length > 8 ? ", …" : ""}`);
+    lines.push(`\nIndicators (${indicators.length}): ${indicators.map(i => i.id).slice(0, 8).join(", ")}${indicators.length > 8 ? `, … +${indicators.length - 8}` : ""}`);
     if (obj.preconditions?.length) {
       lines.push(`\nPreconditions (${obj.preconditions.length}):`);
       for (const p of obj.preconditions) {
-        lines.push(`  ${p.id} (${p.on_fail}): ${p.description?.slice(0, 80) || p.check}`);
+        const pdesc = p.description || p.check || "";
+        lines.push(`  ${p.id} (${p.on_fail}): ${pdesc.length > 80 ? pdesc.slice(0, 80) + "…" : pdesc}`);
       }
     }
     lines.push(`\nRun: exceptd run ${obj.playbook_id} --evidence <file|-> --json`);
@@ -3859,7 +3860,7 @@ function cmdRun(runner, args, runOpts, pretty) {
       lines.push(`\nMatched CVEs (${cves.length}):`);
       for (const c of cves.slice(0, 6)) {
         const via = Array.isArray(c.correlated_via) && c.correlated_via.length ? `  via ${c.correlated_via[0]}${c.correlated_via.length > 1 ? ` (+${c.correlated_via.length - 1})` : ""}` : "";
-        lines.push(`  ${c.cve_id}  RWEP ${c.rwep}  KEV=${c.cisa_kev}  ${c.active_exploitation || ""}${via}`);
+        lines.push(`  ${c.cve_id}  RWEP ${c.rwep}  KEV=${c.cisa_kev ? "Y" : "N"}  ${c.active_exploitation || ""}${via}`);
       }
       if (cves.length > 6) lines.push(`  … ${cves.length - 6} more`);
     } else if (baseline.length) {
@@ -3872,7 +3873,13 @@ function cmdRun(runner, args, runOpts, pretty) {
     const hits = indicators.filter(i => i.verdict === "hit");
     if (hits.length) {
       lines.push(`\nIndicators that fired (${hits.length}):`);
-      for (const i of hits.slice(0, 8)) lines.push(`  ${i.id}  (${i.confidence}${i.deterministic ? "/deterministic" : ""})`);
+      for (const i of hits.slice(0, 8)) {
+        // Don't double-print "deterministic/deterministic" when confidence is
+        // already the literal "deterministic".
+        const detSuffix = (i.deterministic && i.confidence !== "deterministic") ? "/deterministic" : "";
+        lines.push(`  ${i.id}  (${i.confidence}${detSuffix})`);
+      }
+      if (hits.length > 8) lines.push(`  … ${hits.length - 8} more`);
     }
     // selected_remediation is informational on non-detect runs:
     // validate() always picks the highest-priority remediation path
@@ -3888,7 +3895,8 @@ function cmdRun(runner, args, runOpts, pretty) {
       } else {
         lines.push(`\nRemediation path (informational — verdict=${cls}, no action required now): ${rem.id} (priority ${rem.priority})`);
       }
-      lines.push(`  ${rem.description?.slice(0, 200) || ""}`);
+      const remDesc = rem.description || "";
+      lines.push(`  ${remDesc.length > 200 ? remDesc.slice(0, 200) + "… (full steps: --json)" : remDesc}`);
     }
     // Surface BOTH started and pending notification clocks on detected
     // runs. The detection IS the regulatory event for the obligations
@@ -3940,7 +3948,9 @@ function cmdRun(runner, args, runOpts, pretty) {
       // to the description if `check` is missing too.
       for (const i of issues) {
         const tag = i.on_fail ? `[${i.on_fail}] ` : "";
-        const detail = i.check || i.description || i.reason || "(no detail)";
+        // precondition_warn issues carry their text in `message`; without it in
+        // the fallback chain they rendered "(no detail)".
+        const detail = i.check || i.description || i.reason || i.message || "(no detail)";
         lines.push(`  ${tag}${i.id}: ${detail}`);
       }
     }
@@ -3953,7 +3963,11 @@ function cmdRun(runner, args, runOpts, pretty) {
     if (runtimeErrors.length) {
       lines.push(`\nRuntime warnings (${runtimeErrors.length}):`);
       for (const e of runtimeErrors) {
-        const reason = (e.reason || "").length > 180 ? (e.reason || "").slice(0, 177) + "..." : (e.reason || "");
+        // Some runtime-warning kinds (e.g. csaf_branch_unparseable) carry no
+        // `reason` but do carry context fields (component / cve_id); compose
+        // from those rather than rendering a blank line.
+        const rawReason = e.reason || [e.component, e.cve_id].filter(Boolean).join(" / ") || "(no detail)";
+        const reason = rawReason.length > 180 ? rawReason.slice(0, 177) + "..." : rawReason;
         lines.push(`  [${e.kind || "warning"}] ${reason}`);
         if (e.remediation) lines.push(`    → ${e.remediation}`);
       }
@@ -4242,7 +4256,39 @@ function cmdRunMulti(runner, ids, args, runOpts, pretty, meta) {
     },
     jurisdiction_clock_rollup: jurisdictionClockRollup,
     results,
-  }, pretty);
+  }, pretty, (obj) => {
+    // Per-playbook summary table. Without this renderer a multi-run dumped its
+    // entire (often hundreds-of-KB) JSON even in default human mode.
+    const s = obj.summary;
+    const lines = [];
+    const detectedTotal = s.detected;
+    const icon = s.blocked > 0 ? "[!! BLOCKED]" : detectedTotal > 0 ? "[!! DETECTED]" : "[ok]";
+    lines.push(`run ${obj.trigger || "multi"}: ${obj.playbooks_run.length} playbook(s)  session-id: ${obj.session_id}`);
+    lines.push(`\n${icon}  detected=${detectedTotal}  inconclusive=${s.inconclusive}  clean=${s.total - detectedTotal - s.inconclusive - s.blocked}  blocked=${s.blocked}  total=${s.total}`);
+    const rows = (obj.results || []).map(r => (r && r.ok === false)
+      ? { id: r.playbook_id || "?", verdict: "blocked", rwep: "-", evidence: r.evidence_completeness || "not-evaluated", top: r.blocked_by || r.reason || r.error || "" }
+      : { id: r.playbook_id || "?", verdict: r?.phases?.detect?.classification || r?.verdict || "?", rwep: (r?.rwep_score != null) ? String(r.rwep_score) : "-", evidence: r?.evidence_completeness || "unknown", top: r?.top_finding || "" });
+    const wId = Math.max(8, ...rows.map(r => r.id.length));
+    const wV = Math.max(8, ...rows.map(r => r.verdict.length));
+    const wR = Math.max(4, ...rows.map(r => r.rwep.length));
+    const wE = Math.max(8, ...rows.map(r => r.evidence.length));
+    const pad = (str, w) => (str + " ".repeat(w)).slice(0, w);
+    lines.push("");
+    lines.push(`  ${pad("playbook", wId)}  ${pad("verdict", wV)}  ${pad("rwep", wR)}  ${pad("evidence", wE)}  finding`);
+    lines.push(`  ${"-".repeat(wId)}  ${"-".repeat(wV)}  ${"-".repeat(wR)}  ${"-".repeat(wE)}  -------`);
+    for (const row of rows) {
+      const finding = row.top.length > 80 ? row.top.slice(0, 77) + "..." : row.top;
+      lines.push(`  ${pad(row.id, wId)}  ${pad(row.verdict, wV)}  ${pad(row.rwep, wR)}  ${pad(row.evidence, wE)}  ${finding}`);
+    }
+    const clocks = obj.jurisdiction_clock_rollup || [];
+    if (clocks.length) {
+      lines.push(`\nJurisdiction clocks (${clocks.length}):`);
+      for (const n of clocks.slice(0, 5)) lines.push(`  ${n.jurisdiction || "?"}/${n.regulation || "?"} → deadline ${n.deadline || "?"}`);
+      if (clocks.length > 5) lines.push(`  … ${clocks.length - 5} more (--json for all)`);
+    }
+    lines.push(`\nFull structured results: --json or --pretty`);
+    return lines.join("\n");
+  });
   // v0.11.9 (#100): cmdRunMulti exits non-zero when any individual run
   // returned ok:false. Pre-0.11.9 the aggregate result had {ok:false} in
   // the body but exit code stayed 0 — CI gates couldn't distinguish "ran
@@ -5076,6 +5122,15 @@ function cmdReattest(runner, args, runOpts, pretty) {
     attFile = found.file;
   }
   if (!sessionId) return emitError("reattest: missing <session-id>. Pass a session-id or --latest [--playbook <id>] [--since <ISO>].", null, pretty);
+  // Validate the session-id BEFORE it is joined into a filesystem path. The
+  // other read verbs (attest show/verify/diff --against) gate on this; reattest
+  // did not, so `findSessionDir` returning null let the `||` fallback join an
+  // unvalidated `../`-bearing id straight onto the attestation root — escaping
+  // it to read a forged attestation and write a signed replay record outside
+  // the root. Ids resolved from the store via the latest-match path are already
+  // safe; an operator-supplied id is the one that must be checked.
+  try { validateSessionIdForRead(sessionId); }
+  catch (e) { return emitError(`reattest: ${e.message}`, { session_id_input: typeof sessionId === "string" ? sessionId.slice(0, 80) : typeof sessionId }, pretty); }
   const dir = findSessionDir(sessionId, runOpts) || path.join(resolveAttestationRoot(runOpts), sessionId);
   if (!attFile) attFile = path.join(dir, "attestation.json");
   if (!fs.existsSync(attFile)) {
@@ -5437,6 +5492,31 @@ function classifySidecarVerify(verify) {
  *   show <session-id>     Emit the full (unredacted) attestation. Convenience
  *                         alias for `cat .exceptd/attestations/<sid>/attestation.json`.
  */
+// Shared one-screen renderer for `attest diff` (both the --against and the
+// no-against/most-recent-prior branches). Reads only fields off the emitted
+// object so both call sites render identically; the sidecar line is shown only
+// when a sidecar verification was performed (the --against path may omit it).
+function renderAttestDiff(obj) {
+  const lines = [];
+  lines.push(`attest diff: ${obj.a_session}${obj.a_playbook ? ` (${obj.a_playbook})` : ""}`);
+  lines.push(`  vs ${obj.b_session}${obj.b_captured ? ` (captured ${obj.b_captured})` : ""}`);
+  const icon = obj.status === "unchanged" ? "[ok]" : "[!]";
+  lines.push(`  ${icon}  status=${obj.status}  evidence_hash=${(obj.a_evidence_hash || "").slice(0, 12)}...`);
+  const ad = obj.artifact_diff || {};
+  const sd = obj.signal_override_diff || {};
+  lines.push(`  artifact diff:  ${ad.added?.length ?? 0} added, ${ad.removed?.length ?? 0} removed, ${ad.changed?.length ?? 0} changed, ${ad.unchanged_count ?? 0} unchanged (of ${ad.total_compared ?? 0})`);
+  lines.push(`  signal diff:    ${sd.changed?.length ?? 0} changed, ${sd.unchanged_count ?? 0} unchanged (of ${sd.total_compared ?? 0})`);
+  if (obj.sidecar_verify) {
+    const sv = obj.sidecar_verify;
+    let sidecarClass = "verified";
+    if (!sv.signed && sv.reason && sv.reason.includes("explicitly unsigned")) sidecarClass = "explicitly-unsigned";
+    else if (!sv.signed && sv.reason && sv.reason.includes("no .sig sidecar")) sidecarClass = "no-sidecar";
+    else if (sv.signed && !sv.verified) sidecarClass = "tamper-detected";
+    else if (!sv.signed) sidecarClass = "no-public-key";
+    lines.push(`  sidecar verify: ${sidecarClass}`);
+  }
+  return lines.join("\n");
+}
 function cmdAttest(runner, args, runOpts, pretty) {
   const subverb = args._[0];
   const sessionId = args._[1];
@@ -5574,12 +5654,14 @@ function cmdAttest(runner, args, runOpts, pretty) {
       emit({
         verb: "attest diff",
         a_session: sessionId,
+        a_playbook: self.playbook_id,
         b_session: args.against,
         a_captured: self.captured_at,
         b_captured: other.captured_at,
         a_evidence_hash: self.evidence_hash,
         b_evidence_hash: other.evidence_hash,
         status: self.evidence_hash === other.evidence_hash ? "unchanged" : "drifted",
+        sidecar_verify: verifyAttestationSidecar(path.join(dir, "attestation.json")),
         // v0.11.8 (#102): normalize submissions before diffing so flat-shape
         // (observations + verdict) submissions emit meaningful artifact_diff
         // counts. Pre-0.11.8 (self.submission||{}).artifacts was undefined
@@ -5593,7 +5675,7 @@ function cmdAttest(runner, args, runOpts, pretty) {
           normalizedSignalOverrides(self.submission, runner, self.playbook_id),
           normalizedSignalOverrides(other.submission, runner, other.playbook_id)
         ),
-      }, pretty);
+      }, pretty, renderAttestDiff);
       return;
     }
     // No --against: find the most-recent prior attestation for the
@@ -5628,6 +5710,7 @@ function cmdAttest(runner, args, runOpts, pretty) {
     emit({
       verb: "attest diff",
       a_session: sessionId,
+      a_playbook: self.playbook_id,
       b_session: prior.sessionId,
       a_captured: self.captured_at,
       b_captured: other.captured_at,
@@ -5643,28 +5726,7 @@ function cmdAttest(runner, args, runOpts, pretty) {
         normalizedSignalOverrides(self.submission, runner, self.playbook_id),
         normalizedSignalOverrides(other.submission, runner, other.playbook_id),
       ),
-    }, pretty, (obj) => {
-      // Human renderer for the no-against `attest diff` path. Same
-      // one-screen shape the old cmdReattest renderer used so the
-      // operator sees the verdict + drift summary + sidecar class.
-      const lines = [];
-      lines.push(`attest diff: ${obj.a_session} (${self.playbook_id})`);
-      lines.push(`  vs prior: ${obj.b_session} (captured ${obj.b_captured})`);
-      const icon = obj.status === "unchanged" ? "[ok]" : "[!]";
-      lines.push(`  ${icon}  status=${obj.status}  evidence_hash=${(obj.a_evidence_hash || "").slice(0, 12)}...`);
-      const ad = obj.artifact_diff || {};
-      const sd = obj.signal_override_diff || {};
-      lines.push(`  artifact diff:  ${ad.added?.length ?? 0} added, ${ad.removed?.length ?? 0} removed, ${ad.changed?.length ?? 0} changed, ${ad.unchanged_count ?? 0} unchanged (of ${ad.total_compared ?? 0})`);
-      lines.push(`  signal diff:    ${sd.changed?.length ?? 0} changed, ${sd.unchanged_count ?? 0} unchanged (of ${sd.total_compared ?? 0})`);
-      const sv = obj.sidecar_verify || {};
-      let sidecarClass = "verified";
-      if (!sv.signed && sv.reason && sv.reason.includes("explicitly unsigned")) sidecarClass = "explicitly-unsigned";
-      else if (!sv.signed && sv.reason && sv.reason.includes("no .sig sidecar")) sidecarClass = "no-sidecar";
-      else if (sv.signed && !sv.verified) sidecarClass = "tamper-detected";
-      else if (!sv.signed) sidecarClass = "no-public-key";
-      lines.push(`  sidecar verify: ${sidecarClass}`);
-      return lines.join("\n");
-    });
+    }, pretty, renderAttestDiff);
     return;
   }
 
@@ -6407,7 +6469,11 @@ function cmdDoctor(runner, args, runOpts, pretty) {
   const onlyAiConfig = !!args["ai-config"];
   const onlyCollectors = !!args.collectors;
   const anySelected = onlySigs || onlyCurrency || onlyCves || onlyRfcs || onlyAiConfig || onlyCollectors;
-  const runSigs = !anySelected || onlySigs;
+  // --shipped-tarball lives inside the signatures check, so it must imply it.
+  // Pre-fix, `doctor --shipped-tarball --cves` made runSigs false (a selective
+  // flag was set, but not --signatures), silently skipping the tarball
+  // round-trip while the operator believed it ran.
+  const runSigs = !anySelected || onlySigs || !!args["shipped-tarball"];
   const runCurrency = !anySelected || onlyCurrency;
   const runCves = !anySelected || onlyCves;
   const runRfcs = !anySelected || onlyRfcs;
@@ -6608,23 +6674,34 @@ function cmdDoctor(runner, args, runOpts, pretty) {
         timeout: 30000,
       });
       const text = (res.stdout || "") + (res.stderr || "");
-      const rfcRows = (text.match(/^RFC-\d+/gm) || []).length;
       const driftMatch = text.match(/drift[:\s]+(\d+)/i);
       const ok = res.status === 0;
-      // Audit 3 B.7: surface the RFC catalog file's mtime + age so
-      // operators can answer "is the offline RFC index fresh?" without
-      // running a separate refresh.
+      // Count the catalog directly (same approach the CVE subcheck uses) rather
+      // than scraping `^RFC-\d+` table rows from the validate-rfcs output. The
+      // text scrape dropped every non-RFC family (CSAF / DRAFT / ISO entries),
+      // undercounting the catalog and hiding those citation families. Read the
+      // canonical file and emit a by_prefix breakdown.
+      const rfcCatalogPath = path.join(PKG_ROOT, "data", "rfc-references.json");
+      let rfcTotal = 0;
+      const byPrefix = {};
       let rfcMtime = null;
       let rfcAgeDays = null;
       try {
-        const rfcPath = path.join(PKG_ROOT, "data", "rfc-index.json");
-        const st = fs.statSync(rfcPath);
+        const catalog = JSON.parse(fs.readFileSync(rfcCatalogPath, "utf8"));
+        for (const k of Object.keys(catalog)) {
+          if (k.startsWith("_")) continue;
+          rfcTotal++;
+          const prefix = (k.match(/^[A-Za-z]+/) || ["?"])[0].toUpperCase();
+          byPrefix[prefix] = (byPrefix[prefix] || 0) + 1;
+        }
+        const st = fs.statSync(rfcCatalogPath);
         rfcMtime = st.mtime.toISOString();
         rfcAgeDays = Math.floor((Date.now() - st.mtimeMs) / 86400000);
-      } catch { /* file may not exist on contributor checkouts */ }
+      } catch { /* file may be absent on exotic installs — total stays 0 */ }
       checks.rfcs = {
         ok,
-        total: rfcRows,
+        total: rfcTotal,
+        by_prefix: byPrefix,
         drift: driftMatch ? Number(driftMatch[1]) : 0,
         index_last_modified: rfcMtime,
         index_age_days: rfcAgeDays,
@@ -6906,9 +6983,14 @@ function cmdDoctor(runner, args, runOpts, pretty) {
       }
     }
 
+    // A truncated walk (hit the file/depth cap) means the audit is INCOMPLETE —
+    // a sensitive file beyond the cap would be unseen. Don't report an
+    // unqualified clean pass: downgrade to a warn so automation can branch on
+    // incompleteness even when zero findings surfaced within the cap.
+    const baseSeverity = errorFindings.length > 0 && fixesFailed > 0 ? 'warn' : (errorFindings.length > 0 && !args.fix ? 'warn' : 'info');
     checks.ai_config = {
-      ok: errorFindings.length === 0 || (args.fix && fixesFailed === 0),
-      severity: errorFindings.length > 0 && fixesFailed > 0 ? 'warn' : (errorFindings.length > 0 && !args.fix ? 'warn' : 'info'),
+      ok: (errorFindings.length === 0 || (args.fix && fixesFailed === 0)) && !walkAborted,
+      severity: walkAborted && baseSeverity === 'info' ? 'warn' : baseSeverity,
       scanned_dirs: scannedDirs,
       scanned_files: scannedFiles,
       walk_truncated: walkAborted,
@@ -7027,8 +7109,8 @@ function cmdDoctor(runner, args, runOpts, pretty) {
   // global `npm install -g` reported `failed_checks: ["signing"]` with
   // `warnings_count: 0`, contradicting the [!! warn] text-mode icon.
   const { bucketChecks } = require(path.join(PKG_ROOT, "lib", "doctor-bucketing.js"));
-  const { warnList, errorList } = bucketChecks(checks);
-  const allGreen = errorList.length === 0 && warnList.length === 0;
+  let { warnList, errorList } = bucketChecks(checks);
+  let allGreen = errorList.length === 0 && warnList.length === 0;
   // Audit 3 B.11: surface the local version on the default doctor output
   // so operators answer both "is my install healthy?" AND "which version
   // am I running?" without having to invoke `exceptd version` separately.
@@ -7065,10 +7147,21 @@ function cmdDoctor(runner, args, runOpts, pretty) {
   // `exceptd doctor` (signatures check) reports 0/N passing.
   if (args.fix && checks.signing && !checks.signing.private_key_present) {
     const pubKeyExists = fs.existsSync(path.join(PKG_ROOT, "keys", "public.pem"));
+    const fingerprintPinExists = fs.existsSync(path.join(PKG_ROOT, "keys", "EXPECTED_FINGERPRINT"));
     if (pubKeyExists) {
       out.summary.fix_attempted = "ed25519_keypair_generation_declined";
       out.summary.fix_decline_reason = "keys/public.pem already exists but no matching private key. Generating a fresh keypair would overwrite the public key and orphan every shipped signature. If you intend to establish a new signing identity, run `node $(exceptd path)/lib/sign.js generate-keypair --rotate` followed by sign-all.";
       process.stderr.write("[doctor --fix] refused: keys/public.pem present without matching private key. Pass --rotate via the underlying lib/sign.js if a new identity is intended.\n");
+    } else if (fingerprintPinExists) {
+      // A committed EXPECTED_FINGERPRINT without keys/public.pem signals an
+      // intended committed signing identity on a corrupted/partial checkout.
+      // Generating a fresh keypair here would write a public.pem whose
+      // fingerprint can never match the pin, leaving verify.js permanently
+      // refusing (fingerprint-mismatch) while --fix claimed success. Decline
+      // and tell the operator to restore the real public key.
+      out.summary.fix_attempted = "ed25519_keypair_generation_declined";
+      out.summary.fix_decline_reason = "keys/EXPECTED_FINGERPRINT is present but keys/public.pem is missing — this is a corrupted checkout of a project with a committed signing identity, not a fresh contributor checkout. Generating a keypair would produce a public key whose fingerprint cannot match the pin, so verify would refuse forever. Restore keys/public.pem from version control instead (git checkout -- keys/public.pem).";
+      process.stderr.write("[doctor --fix] refused: keys/EXPECTED_FINGERPRINT present without keys/public.pem. Restore the committed public key (git checkout -- keys/public.pem) rather than generating a new identity.\n");
     } else {
       process.stderr.write("[doctor --fix] generating Ed25519 keypair...\n");
       const r = require("child_process").spawnSync(process.execPath, [path.join(PKG_ROOT, "lib", "sign.js"), "generate-keypair"], {
@@ -7126,6 +7219,37 @@ function cmdDoctor(runner, args, runOpts, pretty) {
     }
   }
 
+  // After a --fix that re-signed skills (keypair generation OR re-sign), the
+  // captured `checks.signatures` is STALE — it was the verify.js result taken
+  // before any key existed. Re-verify now and recompute the buckets, so a
+  // successful --fix reports success (and exits 0) instead of carrying the
+  // pre-fix "signatures FAILED" through to failed_checks + a non-zero exit.
+  if (args.fix
+      && (out.summary.fix_applied === "ed25519_keypair_generated_and_skills_signed"
+          || out.summary.fix_applied === "skills_resigned_against_current_keypair")) {
+    try {
+      const verifyPath = path.join(PKG_ROOT, "lib", "verify.js");
+      const rv = spawnSync(process.execPath, [verifyPath], { encoding: "utf8", cwd: PKG_ROOT, timeout: 30000 });
+      const rvText = (rv.stdout || "") + (rv.stderr || "");
+      const rvMatch = rvText.match(/(\d+)\/(\d+)\s+skills?\s+passed/i);
+      const rvFp = rvText.match(/SHA256:\s*([A-Za-z0-9+/=]+)/);
+      const rvOk = rv.status === 0;
+      checks.signatures = {
+        ok: rvOk,
+        skills_passed: rvMatch ? Number(rvMatch[1]) : null,
+        skills_total: rvMatch ? Number(rvMatch[2]) : null,
+        fingerprint_sha256: rvFp ? rvFp[1] : null,
+        ...(rvOk ? {} : { exit_code: rv.status, raw: rvText.slice(0, 500) }),
+      };
+      out.checks = checks;
+      ({ warnList, errorList } = bucketChecks(checks));
+      allGreen = errorList.length === 0 && warnList.length === 0;
+      out.summary.failed_checks = errorList;
+      out.summary.warning_checks = warnList;
+      out.summary.all_green = allGreen;
+    } catch { /* re-verify best-effort; leave the pre-fix state if it throws */ }
+  }
+
   // Audit 3 B.3: --fix was passed but nothing to fix. Pre-fix this was
   // silently a no-op — operators couldn't distinguish "we tried and were
   // already healthy" from "we tried and failed silently." Now surfaces a
@@ -8481,9 +8605,15 @@ function cmdCi(runner, args, runOpts, pretty) {
     }
     process.stdout.write(lines.join("\n") + "\n");
   } else if (fmt === "csaf" || fmt === "sarif" || fmt === "openvex") {
-    // Aggregate the per-run bundles_by_format if present.
+    // Aggregate the per-run bundles_by_format if present. ci spans N playbooks,
+    // so there is no single conformant CSAF/SARIF/OpenVEX document — emit a JSON
+    // ARRAY of the pure documents. Critically, do NOT wrap them in an exceptd
+    // envelope carrying a top-level `ok` key: that key is invalid in all three
+    // standard formats, so a downstream CSAF/SARIF/OpenVEX consumer pointed at
+    // `ci --format` output got a non-conformant top-level shape. Each array
+    // element is now a verbatim, conformant document.
     const bundles = results.map(r => r.phases?.close?.evidence_package?.bundles_by_format?.[fmt === "csaf" ? "csaf-2.0" : fmt]).filter(Boolean);
-    emit({ verb: "ci", session_id: sessionId, format: fmt, bundles_count: bundles.length, bundles }, pretty);
+    process.stdout.write(JSON.stringify(bundles, null, pretty ? 2 : 0) + "\n");
   } else if (fmt && fmt !== "json") {
     // v0.11.4 (#76): garbage format rejected with structured error, not silent empty stdout.
     // Route through emitError so the body propagates exit codes via the
@@ -8576,17 +8706,21 @@ function cmdCi(runner, args, runOpts, pretty) {
       // Jurisdiction clocks.
       if (s.jurisdiction_clocks_started > 0) {
         lines.push(`\nJurisdiction clocks started: ${s.jurisdiction_clocks_started}`);
-        for (const n of (s.jurisdiction_clock_rollup || []).slice(0, 5)) {
+        const clocks = s.jurisdiction_clock_rollup || [];
+        for (const n of clocks.slice(0, 5)) {
           lines.push(`  ${n.jurisdiction || "?"}/${n.regulation || "?"} → deadline ${n.deadline || "?"}`);
         }
+        if (clocks.length > 5) lines.push(`  … ${clocks.length - 5} more (--json for all)`);
       }
 
       // Framework gap rollup.
       if (s.framework_gap_count > 0) {
         lines.push(`\nFramework gaps (${s.framework_gap_count}):`);
-        for (const g of (s.framework_gap_rollup || []).slice(0, 5)) {
+        const fgaps = s.framework_gap_rollup || [];
+        for (const g of fgaps.slice(0, 5)) {
           lines.push(`  ${g.framework || "?"} :: ${g.claimed_control || "?"}  (${g.playbooks.length} playbook(s))`);
         }
+        if (fgaps.length > 5) lines.push(`  … ${fgaps.length - 5} more (--json for all)`);
       }
 
       // Fail reasons.
@@ -8608,17 +8742,21 @@ function cmdCi(runner, args, runOpts, pretty) {
       //   CLOCK_STARTED  → notification clock running; see deadline above.
       //   PASS           → nothing to do.
       const blockedRows = (obj.results || []).filter(r => r && r.ok === false);
-      const lintCmd = (id) => `  exceptd lint ${id} -                          # paste {} on stdin, get exact JSON paths`;
+      // Pad the playbook id to a common width so the trailing `#` comments line
+      // up across variable-length ids instead of using a fixed space run.
+      const lintCmd = (id, w) => `  exceptd lint ${(id + " ".repeat(w)).slice(0, w)} -   # paste {} on stdin, get exact JSON paths`;
       if (s.verdict === "BLOCKED" && blockedRows.length) {
         lines.push(`\nNext steps (unblock the ${blockedRows.length} halted playbook(s)):`);
-        for (const row of blockedRows.slice(0, 4)) {
-          lines.push(lintCmd(row.playbook_id || "?"));
+        const shown = blockedRows.slice(0, 4);
+        const wLint = Math.max(...shown.map(r => (r.playbook_id || "?").length));
+        for (const row of shown) {
+          lines.push(lintCmd(row.playbook_id || "?", wLint));
         }
         lines.push(`  exceptd run <playbook> --evidence <file>     # re-run after filling in evidence`);
       } else if (s.verdict === "NO_EVIDENCE") {
         const firstId = (obj.results[0] && obj.results[0].playbook_id) || (obj.playbooks_run[0]) || "<playbook>";
         lines.push(`\nNext steps (every playbook ran inconclusive — no evidence supplied):`);
-        lines.push(lintCmd(firstId));
+        lines.push(lintCmd(firstId, firstId.length));
         lines.push(`  exceptd ci --scope <type> --evidence-dir <dir>  # gate again with real submissions`);
       } else if (s.verdict === "FAIL") {
         // FAIL fires in two distinct shapes:

package/data/_indexes/_meta.json

@@ -1,10 +1,10 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-27T19:33:19.529Z",
+  "generated_at": "2026-05-27T21:30:21.745Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 54,
   "source_hashes": {
-    "manifest.json": "4d13f4f27b890997b5da18055a4bb0eac69a60b24b33dad97616c9fea8ba50d0",
+    "manifest.json": "9dfc540e93aa24c5c61de5a568ac4ed94a21c04cddea458bb647c17ee3a4ec48",
     "data/atlas-ttps.json": "d24bc02859d40ccf1615db75cca68c077585904e41e0d8f6de448121e9b1abb0",
     "data/attack-techniques.json": "fa193f0d2d248176a8beddb641e9fe56ba4faa9e15dc253ff876dbf0c5d58a77",
     "data/cve-catalog.json": "3d451dda7ac0c7d57a4075ae4bafd3148c6184b35dc1bc59d8b81d1f2641e430",

package/lib/citation-resolve.js

@@ -116,7 +116,10 @@ function isAirGap(opts) {
  * from:   format | catalog | cache | network | offline | error
  */
 async function resolveCve(id, opts = {}) {
-  const cveId = String(id || "").toUpperCase();
+  // Trim before the format test — matches resolveRfc — so a whitespace-only
+  // identifier is "fabricated/malformed" (empty form) rather than a literal
+  // whitespace string fed straight into CVE_RE.
+  const cveId = String(id || "").trim().toUpperCase();
   const base = { id: cveId, kind: "cve" };
 
   if (!CVE_RE.test(cveId)) {

package/lib/collectors/cicd-pipeline-compromise.js

@@ -21,7 +21,13 @@
 
 const fs = require("node:fs");
 const path = require("node:path");
-const { isLinkedWorktreeDir, buildEvidenceLocations } = require("./scan-excludes");
+const { codeExcludeSet, isLinkedWorktreeDir, buildEvidenceLocations } = require("./scan-excludes");
+
+// Shared code-scope name exclusions (dependency caches, build output, VCS +
+// agent scratch). Threaded into the OIDC-policy descent so a trust JSON in a
+// build-output dir (e.g. `dist/`) is not scanned — consistent with the other
+// tree-walking collectors.
+const OIDC_WALK_EXCLUDES = codeExcludeSet();
 
 const COLLECTOR_ID = "cicd-pipeline-compromise";
 
@@ -218,7 +224,7 @@ function scanOidcPolicies(root) {
     try { entries = fs.readdirSync(dir, { withFileTypes: true }); }
     catch { return; }
     for (const e of entries) {
-      if (e.name === "node_modules" || e.name === ".git") continue;
+      if (OIDC_WALK_EXCLUDES.has(e.name)) continue;
       const full = path.join(dir, e.name);
       if (e.isDirectory()) {
         // Skip linked git worktrees (gitdir-pointer `.git` file), e.g.