@blamejs/exceptd-skills 0.14.11 → 0.14.13

package/CHANGELOG.md

@@ -1,5 +1,50 @@
 # Changelog
 
+## 0.14.13 — 2026-05-27
+
+Security: a collector scanning a hostile repository no longer hangs on a crafted file. Three workflow/Dockerfile/manifest scanners (`library-author`, `cicd-pipeline-compromise`, `containers`) had a regex that backtracked catastrophically on a long whitespace line — a single planted file could wedge the scan for minutes. The regexes are fixed and a per-line length cap bounds any future regression.
+
+Deeply-nested evidence is now rejected with an actionable message instead of crashing with an opaque "internal error". The submission canonicalizer (which runs on every `run` to compute the evidence hash) recursed without bound; it now refuses a submission nested beyond 200 levels.
+
+`run --strict-preconditions` now fails (exit 1) when a `skip_phase` precondition is false. Previously such a run skipped the detect phase and exited 0, so a CI gate relying on the flag silently passed despite the detection never running.
+
+Detection no longer silently loses or buries a result:
+- A `signal_overrides` value that isn't a recognized result (e.g. `"maybe"`, a number) now surfaces a `signal_override_unrecognized` runtime error instead of being dropped as if the signal were never supplied.
+- A `not_detected` / `clean` classification override is refused when it would bury a deterministic indicator hit (a deterministic hit is too strong to downgrade to "nothing found"); the run stays inconclusive with an explanatory error. Probabilistic hits remain overridable for the legitimate "I confirmed these are benign" workflow. A refused override is no longer reported as applied.
+
+`run --all` / `run-all` now exits 7 (session-id collision) when a reused `--session-id` collides across the batch, matching the single-run behavior — previously a batch that persisted nothing exited 0 and reported success.
+
+`watch --help` prints usage and exits instead of starting the blocking daemon and hanging the terminal; `collect --help` now prints its synopsis. The `--help` synopsis for the spawned verbs (`watch`, `watchlist`, `report`, `scan`, `dispatch`, `currency`, `validate-cves`, `validate-rfcs`) is filled in.
+
+README corrects the `watch` / `watchlist` documentation (the one-shot aggregator with `--alerts` / `--org-scan` is `watchlist`; `watch` is the long-running daemon) and the `refresh --prefetch` description (it warms the cache by fetching, the opposite of the report-only `--no-network`).
+
+## 0.14.12 — 2026-05-27
+
+Structured-bundle accuracy:
+- CSAF advisories no longer attribute exploitation to the CISA KEV catalog for a CVE that is confirmed-exploited but not actually in KEV — the "(CISA KEV)" parenthetical is now conditional on the CVE's KEV status.
+- An empty-evidence run emits a `csaf_informational_advisory` instead of a `csaf_security_advisory` with an empty `vulnerabilities` array (Profile 4 expects vulnerabilities; the informational profile does not).
+- SARIF `cve_match` results now carry a `locations` entry. Without it, GitHub Code Scanning silently dropped the highest-severity result class.
+- SARIF and OpenVEX render "not assessed" for an unassessed blast radius instead of the literal "null" / "null/5".
+- `ci --format csaf|sarif|openvex` emits a JSON array of the pure documents instead of an exceptd wrapper carrying a top-level `ok` key (which is invalid in all three formats). Each array element is now a conformant document.
+
+External-source command hardening:
+- `validate-rfcs` / `validate-cves` reject an unknown flag before doing any work, instead of silently defaulting to a live-network run that hangs on a typo'd flag.
+- `cve` and `rfc` now return `ok:false` (not `ok:true`) when the citation fails to stand up — the envelope matched the exit code was already 2, but `ok` was inverted.
+- `refresh`, `prefetch`, and the `scan`/`dispatch`/`currency`/`watchlist` verbs reject unknown flags instead of silently ignoring them; the latter four also emit a top-level `ok` in their `--json` output.
+- `framework-gap` and `skill` honor `--json` on their missing-argument paths (structured error, not plain text), and `skill --json` no longer treats `--json` as the skill name.
+
+`doctor`:
+- `doctor --rfcs` counts the whole RFC catalog (including the CSAF/draft/ISO citation families it previously dropped) with a `by_prefix` breakdown, and its freshness fields read the real catalog file instead of a path that never existed.
+- `doctor --fix` re-verifies signatures after generating a key and signing, so a successful bootstrap reports success (exit 0) rather than carrying the pre-fix "signatures failed" state through to a non-zero exit. It also refuses to generate a key when a fingerprint pin is present without the public key (a corrupted checkout) rather than producing an install that can never verify.
+- `doctor --shipped-tarball` runs the tarball round-trip even when combined with another selective flag (it was silently skipped). `doctor --ai-config` reports a warning when its scan hits the file cap, rather than an unqualified clean pass on an incomplete walk.
+
+Playbook validation hardening (enforcement for future drift; the shipped corpus is unaffected):
+- `domain.attack_refs` are cross-referenced against the ATT&CK catalog (they were unchecked).
+- An air-gap playbook with a network-sourced artifact lacking an `air_gap_alternative` is now rejected (the schema's air-gap conditional was never executed by the validator).
+- Empty `detect.indicators` / `look.artifacts` are rejected; every playbook must map to at least one real TTP (cross-cutting analysis playbooks excepted). Dangling `false_positive_profile` indicator references and invalid `clock_starts` / `frameworks_in_scope` values now fail validation instead of passing as warnings.
+
+RWEP factor validation accepts a numeric string consistently with the scorer (the two surfaces previously disagreed).
+
 ## 0.14.11 — 2026-05-27
 
 Security: `reattest <session-id>` now validates the session-id before it is joined into a filesystem path, the same gate the other read verbs use. A `../`-bearing id previously escaped the attestation root — reading a forged attestation and writing a signed replay record outside the root. Such an id is now refused (exit 1) and nothing is written.

package/README.md

@@ -116,7 +116,7 @@ npx @blamejs/exceptd-skills path
 That prints the absolute path of the installed package. Point your AI assistant at:
 
 - `<path>/AGENTS.md` — canonical project rules + ground truth for every skill
-- `<path>/data/_indexes/summary-cards.json` — 100-word abstract per skill (12 KB)
+- `<path>/data/_indexes/summary-cards.json` — 100-word abstract per skill (~95 KB)
 - `<path>/data/_indexes/recipes.json` — curated multi-skill chains for common use cases
 
 No clone, no signing keys, no Node 24 required for assistants that read directly from disk. If your assistant needs a local copy as a regular checkout, use `npx degit blamejs/exceptd-skills my-skills` instead.
@@ -156,9 +156,9 @@ Fresh-disclosure workflow (v0.12.0): the nightly auto-PR job pulls KEV / NVD / E
 
 Primary-source advisory polling: `exceptd refresh --check-advisories` polls 15 vendor and coordinated-disclosure feeds — 8 advisory/coordinated-disclosure venues (Qualys TRU, Red Hat RHSA, Ubuntu USN, Zero Day Initiative, kernel.org commits, oss-security mailing list, JFrog SecOps, CISA current advisories), 4 vendor security research blogs added in v0.13.14 (Microsoft Security Blog, Sysdig, Trail of Bits, Embrace the Red), and 3 additions in v0.13.17 (BleepingComputer security, The Hacker News, and a GitLab activity-feed tracker for the Nightmare-Eclipse researcher handle that anchors NEW-CTRL-073). Combined coverage publishes CVE IDs at T+0 to T+1 — typically 3–14 days ahead of NVD enrichment. The command is report-only: it returns a structured `diffs[]` listing each newly-seen CVE ID with its source attributions and advisory URLs, but does not mutate the catalog. v0.13.17 also adds a complementary detection method (NEW-CTRL-074 / `lib/cve-regression-watcher.js`): the watcher cross-checks poller diffs for historical-CVE references (year ≤ currentYear − 2) and surfaces candidate silent-regression cases — the class anchored by MiniPlasma (a 2026 PoC drop that re-broke CVE-2020-17103 without any new ID being assigned). Operators triage the output and route promising IDs through `exceptd refresh --advisory <CVE-ID> --apply`. Pairs naturally with the daily scheduled remote agent below.
 
-CVE-class alert surfacing: `exceptd watch --alerts` matches the live `cve-catalog.json` against five operational patterns (`kernel_lpe_with_poc`, `supply_chain_family`, `ai_discovered_kev`, `active_exploitation_unpatched`, `recent_poc_no_kev_yet`) and returns the matches sorted critical-severity-first, then by RWEP. Use as a fast operational triage on a refreshed catalog without scanning every entry by hand.
+CVE-class alert surfacing: `exceptd watchlist --alerts` matches the live `cve-catalog.json` against five operational patterns (`kernel_lpe_with_poc`, `supply_chain_family`, `ai_discovered_kev`, `active_exploitation_unpatched`, `recent_poc_no_kev_yet`) and returns the matches sorted critical-severity-first, then by RWEP. Use as a fast operational triage on a refreshed catalog without scanning every entry by hand.
 
-GitHub repo-pattern monitoring: `exceptd watch --org-scan --org <login>` probes GitHub Search for repositories matching known threat-actor naming patterns ("A Gift From TeamPCP", "Shai-Hulud", "TeamPCP") scoped to one org. Custom patterns via repeatable `--pattern <s>`. Implements the canonical detection for the Shai-Hulud / TeamPCP supply-chain framework class — the attacker uses GitHub itself as the exfil channel. Set `GITHUB_TOKEN` for private-repo coverage and rate-limit headroom; public-repo search works without auth.
+GitHub repo-pattern monitoring: `exceptd watchlist --org-scan --org <login>` probes GitHub Search for repositories matching known threat-actor naming patterns ("A Gift From TeamPCP", "Shai-Hulud", "TeamPCP") scoped to one org. Custom patterns via repeatable `--pattern <s>`. Implements the canonical detection for the Shai-Hulud / TeamPCP supply-chain framework class — the attacker uses GitHub itself as the exfil channel. Set `GITHUB_TOKEN` for private-repo coverage and rate-limit headroom; public-repo search works without auth.
 
 AI-assistant config-file audit: `exceptd doctor --ai-config` walks `~/.claude`, `~/.cursor`, `~/.codeium`, `~/.aider`, and `~/.continue`, flagging sensitive files (`settings.json`, `mcp.json`, `*.mcp_config.json`, `api_key*`, `*.token`, `*.credentials`) not at mode 0600 on POSIX. On Windows the mode bits aren't load-bearing; each finding is surfaced with an info-level "manual ACL review" note. Catches the AI-config-credential-exfil class that the Shai-Hulud framework targets. Opt-in — does not run as part of the default no-flag `doctor` pass.
 
@@ -329,6 +329,21 @@ exceptd doctor                        One-shot health check.
                                       note for each sensitive file on Windows.
                                       Opt-in; not part of the default doctor
                                       pass.
+  --fix                               Auto-remediate signing gaps: regenerate
+                                      the local Ed25519 private key when
+                                      keys/public.pem exists but .keys/private.pem
+                                      is absent. No-op when the key is present.
+  --registry-check                    Probe the npm registry for the latest
+                                      published version + days-since-publish.
+                                      Off by default; --air-gap suppresses it.
+  --collectors                        Enumerate the per-playbook collector layer:
+                                      which playbooks ship a collector, which are
+                                      policy-skipped, and which are unwired.
+  --shipped-tarball                   Run the pack + extract + verify round-trip
+                                      against the tarball operators receive, not
+                                      just the source tree.
+  --exit-codes                        Print the canonical exit-code table as
+                                      JSON for CI / scripting consumers.
 
 exceptd ci                            One-shot CI gate. Exit codes: 0 PASS,
                                       1 framework error, 2 detected/escalate
@@ -382,8 +397,12 @@ exceptd refresh                       Refresh upstream catalogs + indexes.
                                       Replaces prefetch + refresh + build-indexes.
   --apply                             Write diffs back + rebuild indexes.
   --from-cache [<dir>]                Read from prefetch cache.
-  --prefetch                          Populate the offline cache (alias for
-                                      --no-network).
+  --prefetch                          Warm the offline cache by fetching every
+                                      upstream artifact now (network required).
+                                      Run on a connected host, then point
+                                      --from-cache at the result on the air-gap.
+  --no-network                        Report-only dry-run: list what would be
+                                      fetched without touching the network.
   --network                           (v0.11.14) Fetch latest signed catalog
                                       snapshot from npm tarball, verify against
                                       local public.pem, swap data/ in place.
@@ -417,9 +436,10 @@ Packages dataset (`MAL-*` keys). New IDs land as drafts that the catalog
 validator treats as warnings, not errors — editorial review (framework
 gaps, IoCs, ATLAS/ATT&CK refs) is still required.
 
-exceptd watch                         Default mode: aggregate every skill's
+exceptd watchlist                     Default mode: aggregate every skill's
                                       forward_watch entries (upcoming standards,
-                                      RFC publications, new TTPs to monitor).
+                                      RFC publications, new TTPs to monitor) in
+                                      one shot.
                                       `--by-skill` inverts the grouping.
   --alerts                            Switch to CVE-catalog pattern alerts.
                                       Five patterns ship:
@@ -448,6 +468,15 @@ exceptd watch                         Default mode: aggregate every skill's
                                       limit; without it, public-repo search
                                       only.
 
+exceptd watch                         Long-running forward-watch daemon. Blocks
+                                      and listens for KEV additions, ATLAS
+                                      updates, CVE drops, and framework
+                                      amendments, with scheduled currency /
+                                      validation checks. Ctrl-C (or SIGTERM /
+                                      SIGHUP / SIGBREAK) to stop. For one-shot
+                                      aggregation, pattern alerts, or org-scan,
+                                      use `exceptd watchlist`.
+
 exceptd skill <name>                  Show context for one skill.
 exceptd framework-gap <FW> <ref>      One framework + one CVE/scenario, JSON
                                       or human. (Operates outside the seven-
@@ -455,7 +484,8 @@ exceptd framework-gap <FW> <ref>      One framework + one CVE/scenario, JSON
 exceptd path                          Absolute path to the installed package.
 exceptd version                       Package version.
 exceptd help                          This help.
-exceptd <verb> --help                 Per-verb usage with flag descriptions.
+exceptd <verb> --help                 Most verbs print per-verb usage with flag
+                                      descriptions.
 ```
 
 ### Legacy v0.10.x verbs

package/bin/exceptd.js

@@ -761,6 +761,16 @@ function main() {
     "framework-gap-analysis": "exceptd framework-gap <framework> <cve-or-scenario>   One-framework gap analysis.",
     cve: "exceptd cve <CVE-ID> [--json] [--air-gap|--no-network]   Resolve a CVE: published/rejected/disputed/fabricated/nonexistent (catalog -> cache -> NVD). Exit 2 when the citation won't stand up (rejected/fabricated/nonexistent/withdrawn).",
     rfc: "exceptd rfc <number> [--check \"<title>\"] [--json] [--air-gap]   Resolve an RFC number -> title + status (local index, offline). Exit 2 when nonexistent or --check title MISMATCH.",
+    // watch MUST be here: without the interception `watch --help` falls through
+    // to spawning the blocking daemon, hanging the operator's terminal.
+    watch: "exceptd watch          Long-running forward-watch daemon (blocks; Ctrl-C to stop). For a one-shot aggregator use `exceptd watchlist`.",
+    watchlist: "exceptd watchlist [--alerts] [--org-scan --org <login>] [--by-skill] [--json]   One-shot forward-watch aggregator across skills.",
+    report: "exceptd report [executive] [--json]   Structured posture report.",
+    scan: "exceptd scan [--json]          [legacy] Working-directory CVE/KEV scan (orchestrator). See `exceptd discover`.",
+    dispatch: "exceptd dispatch [--json]      [legacy] Scan + route findings to skills (orchestrator). See `exceptd discover`.",
+    currency: "exceptd currency [--json]      [legacy] Skill threat-currency report. See `exceptd doctor --currency`.",
+    "validate-cves": "exceptd validate-cves [--offline|--air-gap] [--json]   Validate the CVE catalog against upstream (offline-first).",
+    "validate-rfcs": "exceptd validate-rfcs [--offline|--air-gap] [--json]   Validate the RFC index against upstream (offline-first).",
   };
   if ((effectiveRest.includes("--help") || effectiveRest.includes("-h")) && SPAWN_HELP_USAGE[effectiveCmd]) {
     process.stdout.write(SPAWN_HELP_USAGE[effectiveCmd] + "\n  Full reference: exceptd help\n");
@@ -2314,6 +2324,20 @@ Exit codes:
 Output: verb, session_id, playbooks_run, summary{total, detected,
 max_rwep_observed, jurisdiction_clocks_started, verdict, fail_reasons[]},
 results[].`,
+    collect: `collect <playbook> [--cwd <dir>] [--resolve] [--air-gap] [--json]
+
+Scan the working directory (or --cwd <dir>) and emit an evidence submission
+for <playbook>, ready to pipe into \`run\`:
+
+  exceptd collect <playbook> | exceptd run <playbook> --evidence -
+
+Flags:
+  --cwd <dir>             Scan <dir> instead of the current directory.
+  --resolve               (citation-hygiene) resolve uncatalogued CVE/RFC
+                          citations found during the scan.
+  --air-gap               Do not touch the network during collection.
+  --json                  Raw JSON (default when piped; collect output is the
+                          submission, not a human digest).`,
     brief: `brief [playbook] — unified info doc (v0.11.0).
 
 Collapses the three info-only phases plan + govern + direct + look into a
@@ -3553,8 +3577,13 @@ function cmdRun(runner, args, runOpts, pretty) {
   // behavior where warn-level issues stay informational. CI gates wanting
   // "fail on any unverified precondition" pass this flag.
   if (args["strict-preconditions"] && result && Array.isArray(result.preflight_issues)) {
+    // precondition_skip MUST be included: a false skip_phase precondition
+    // means detect never ran, so a CI gate relying on --strict-preconditions
+    // ("any precondition_check returning false fails the run", per --help) would
+    // otherwise silently pass (verdict:skipped, exit 0) — the exact gap the
+    // flag exists to close.
     const warnIssues = result.preflight_issues.filter(i =>
-      i.kind === "precondition_unverified" || i.kind === "precondition_warn"
+      i.kind === "precondition_unverified" || i.kind === "precondition_warn" || i.kind === "precondition_skip"
     );
     if (warnIssues.length > 0) {
       // v0.12.12: surface the contract violation in the emitted body so
@@ -4303,9 +4332,19 @@ function cmdRunMulti(runner, ids, args, runOpts, pretty, meta) {
   // remediation without parsing the body.
   const anyLockBusy = results.some(r => r.attestation_persist && r.attestation_persist.lock_contention === true);
   const anyStorageExhausted = results.some(r => r.attestation_persist && r.attestation_persist.storage_exhausted === true);
+  // A persist failure that is neither lock-contention nor storage-exhaustion is
+  // a session-id collision (the single-run path exits 7 for the same
+  // condition). Pre-fix a batch where every attestation refused to overwrite
+  // exited 0, so a re-run with a reused --session-id silently persisted nothing
+  // while reporting success. Surface it with the same code as the single-run
+  // path so a CI gate sees it.
+  const anySessionCollision = results.some(r =>
+    r.attestation_persist && r.attestation_persist.ok === false
+    && !r.attestation_persist.lock_contention && !r.attestation_persist.storage_exhausted);
   const anyBlocked = results.some(r => r.ok === false);
   if (anyLockBusy) { process.exitCode = EXIT_CODES.LOCK_CONTENTION; return; }
   if (anyStorageExhausted) { process.exitCode = EXIT_CODES.STORAGE_EXHAUSTED; return; }
+  if (anySessionCollision) { process.exitCode = EXIT_CODES.SESSION_ID_COLLISION; return; }
   if (anyBlocked) { process.exitCode = EXIT_CODES.GENERIC_FAILURE; return; }
 }
 
@@ -6469,7 +6508,11 @@ function cmdDoctor(runner, args, runOpts, pretty) {
   const onlyAiConfig = !!args["ai-config"];
   const onlyCollectors = !!args.collectors;
   const anySelected = onlySigs || onlyCurrency || onlyCves || onlyRfcs || onlyAiConfig || onlyCollectors;
-  const runSigs = !anySelected || onlySigs;
+  // --shipped-tarball lives inside the signatures check, so it must imply it.
+  // Pre-fix, `doctor --shipped-tarball --cves` made runSigs false (a selective
+  // flag was set, but not --signatures), silently skipping the tarball
+  // round-trip while the operator believed it ran.
+  const runSigs = !anySelected || onlySigs || !!args["shipped-tarball"];
   const runCurrency = !anySelected || onlyCurrency;
   const runCves = !anySelected || onlyCves;
   const runRfcs = !anySelected || onlyRfcs;
@@ -6670,23 +6713,34 @@ function cmdDoctor(runner, args, runOpts, pretty) {
         timeout: 30000,
       });
       const text = (res.stdout || "") + (res.stderr || "");
-      const rfcRows = (text.match(/^RFC-\d+/gm) || []).length;
       const driftMatch = text.match(/drift[:\s]+(\d+)/i);
       const ok = res.status === 0;
-      // Audit 3 B.7: surface the RFC catalog file's mtime + age so
-      // operators can answer "is the offline RFC index fresh?" without
-      // running a separate refresh.
+      // Count the catalog directly (same approach the CVE subcheck uses) rather
+      // than scraping `^RFC-\d+` table rows from the validate-rfcs output. The
+      // text scrape dropped every non-RFC family (CSAF / DRAFT / ISO entries),
+      // undercounting the catalog and hiding those citation families. Read the
+      // canonical file and emit a by_prefix breakdown.
+      const rfcCatalogPath = path.join(PKG_ROOT, "data", "rfc-references.json");
+      let rfcTotal = 0;
+      const byPrefix = {};
       let rfcMtime = null;
       let rfcAgeDays = null;
       try {
-        const rfcPath = path.join(PKG_ROOT, "data", "rfc-index.json");
-        const st = fs.statSync(rfcPath);
+        const catalog = JSON.parse(fs.readFileSync(rfcCatalogPath, "utf8"));
+        for (const k of Object.keys(catalog)) {
+          if (k.startsWith("_")) continue;
+          rfcTotal++;
+          const prefix = (k.match(/^[A-Za-z]+/) || ["?"])[0].toUpperCase();
+          byPrefix[prefix] = (byPrefix[prefix] || 0) + 1;
+        }
+        const st = fs.statSync(rfcCatalogPath);
         rfcMtime = st.mtime.toISOString();
         rfcAgeDays = Math.floor((Date.now() - st.mtimeMs) / 86400000);
-      } catch { /* file may not exist on contributor checkouts */ }
+      } catch { /* file may be absent on exotic installs — total stays 0 */ }
       checks.rfcs = {
         ok,
-        total: rfcRows,
+        total: rfcTotal,
+        by_prefix: byPrefix,
         drift: driftMatch ? Number(driftMatch[1]) : 0,
         index_last_modified: rfcMtime,
         index_age_days: rfcAgeDays,
@@ -6968,9 +7022,14 @@ function cmdDoctor(runner, args, runOpts, pretty) {
       }
     }
 
+    // A truncated walk (hit the file/depth cap) means the audit is INCOMPLETE —
+    // a sensitive file beyond the cap would be unseen. Don't report an
+    // unqualified clean pass: downgrade to a warn so automation can branch on
+    // incompleteness even when zero findings surfaced within the cap.
+    const baseSeverity = errorFindings.length > 0 && fixesFailed > 0 ? 'warn' : (errorFindings.length > 0 && !args.fix ? 'warn' : 'info');
     checks.ai_config = {
-      ok: errorFindings.length === 0 || (args.fix && fixesFailed === 0),
-      severity: errorFindings.length > 0 && fixesFailed > 0 ? 'warn' : (errorFindings.length > 0 && !args.fix ? 'warn' : 'info'),
+      ok: (errorFindings.length === 0 || (args.fix && fixesFailed === 0)) && !walkAborted,
+      severity: walkAborted && baseSeverity === 'info' ? 'warn' : baseSeverity,
       scanned_dirs: scannedDirs,
       scanned_files: scannedFiles,
       walk_truncated: walkAborted,
@@ -7089,8 +7148,8 @@ function cmdDoctor(runner, args, runOpts, pretty) {
   // global `npm install -g` reported `failed_checks: ["signing"]` with
   // `warnings_count: 0`, contradicting the [!! warn] text-mode icon.
   const { bucketChecks } = require(path.join(PKG_ROOT, "lib", "doctor-bucketing.js"));
-  const { warnList, errorList } = bucketChecks(checks);
-  const allGreen = errorList.length === 0 && warnList.length === 0;
+  let { warnList, errorList } = bucketChecks(checks);
+  let allGreen = errorList.length === 0 && warnList.length === 0;
   // Audit 3 B.11: surface the local version on the default doctor output
   // so operators answer both "is my install healthy?" AND "which version
   // am I running?" without having to invoke `exceptd version` separately.
@@ -7127,10 +7186,21 @@ function cmdDoctor(runner, args, runOpts, pretty) {
   // `exceptd doctor` (signatures check) reports 0/N passing.
   if (args.fix && checks.signing && !checks.signing.private_key_present) {
     const pubKeyExists = fs.existsSync(path.join(PKG_ROOT, "keys", "public.pem"));
+    const fingerprintPinExists = fs.existsSync(path.join(PKG_ROOT, "keys", "EXPECTED_FINGERPRINT"));
     if (pubKeyExists) {
       out.summary.fix_attempted = "ed25519_keypair_generation_declined";
       out.summary.fix_decline_reason = "keys/public.pem already exists but no matching private key. Generating a fresh keypair would overwrite the public key and orphan every shipped signature. If you intend to establish a new signing identity, run `node $(exceptd path)/lib/sign.js generate-keypair --rotate` followed by sign-all.";
       process.stderr.write("[doctor --fix] refused: keys/public.pem present without matching private key. Pass --rotate via the underlying lib/sign.js if a new identity is intended.\n");
+    } else if (fingerprintPinExists) {
+      // A committed EXPECTED_FINGERPRINT without keys/public.pem signals an
+      // intended committed signing identity on a corrupted/partial checkout.
+      // Generating a fresh keypair here would write a public.pem whose
+      // fingerprint can never match the pin, leaving verify.js permanently
+      // refusing (fingerprint-mismatch) while --fix claimed success. Decline
+      // and tell the operator to restore the real public key.
+      out.summary.fix_attempted = "ed25519_keypair_generation_declined";
+      out.summary.fix_decline_reason = "keys/EXPECTED_FINGERPRINT is present but keys/public.pem is missing — this is a corrupted checkout of a project with a committed signing identity, not a fresh contributor checkout. Generating a keypair would produce a public key whose fingerprint cannot match the pin, so verify would refuse forever. Restore keys/public.pem from version control instead (git checkout -- keys/public.pem).";
+      process.stderr.write("[doctor --fix] refused: keys/EXPECTED_FINGERPRINT present without keys/public.pem. Restore the committed public key (git checkout -- keys/public.pem) rather than generating a new identity.\n");
     } else {
       process.stderr.write("[doctor --fix] generating Ed25519 keypair...\n");
       const r = require("child_process").spawnSync(process.execPath, [path.join(PKG_ROOT, "lib", "sign.js"), "generate-keypair"], {
@@ -7188,6 +7258,37 @@ function cmdDoctor(runner, args, runOpts, pretty) {
     }
   }
 
+  // After a --fix that re-signed skills (keypair generation OR re-sign), the
+  // captured `checks.signatures` is STALE — it was the verify.js result taken
+  // before any key existed. Re-verify now and recompute the buckets, so a
+  // successful --fix reports success (and exits 0) instead of carrying the
+  // pre-fix "signatures FAILED" through to failed_checks + a non-zero exit.
+  if (args.fix
+      && (out.summary.fix_applied === "ed25519_keypair_generated_and_skills_signed"
+          || out.summary.fix_applied === "skills_resigned_against_current_keypair")) {
+    try {
+      const verifyPath = path.join(PKG_ROOT, "lib", "verify.js");
+      const rv = spawnSync(process.execPath, [verifyPath], { encoding: "utf8", cwd: PKG_ROOT, timeout: 30000 });
+      const rvText = (rv.stdout || "") + (rv.stderr || "");
+      const rvMatch = rvText.match(/(\d+)\/(\d+)\s+skills?\s+passed/i);
+      const rvFp = rvText.match(/SHA256:\s*([A-Za-z0-9+/=]+)/);
+      const rvOk = rv.status === 0;
+      checks.signatures = {
+        ok: rvOk,
+        skills_passed: rvMatch ? Number(rvMatch[1]) : null,
+        skills_total: rvMatch ? Number(rvMatch[2]) : null,
+        fingerprint_sha256: rvFp ? rvFp[1] : null,
+        ...(rvOk ? {} : { exit_code: rv.status, raw: rvText.slice(0, 500) }),
+      };
+      out.checks = checks;
+      ({ warnList, errorList } = bucketChecks(checks));
+      allGreen = errorList.length === 0 && warnList.length === 0;
+      out.summary.failed_checks = errorList;
+      out.summary.warning_checks = warnList;
+      out.summary.all_green = allGreen;
+    } catch { /* re-verify best-effort; leave the pre-fix state if it throws */ }
+  }
+
   // Audit 3 B.3: --fix was passed but nothing to fix. Pre-fix this was
   // silently a no-op — operators couldn't distinguish "we tried and were
   // already healthy" from "we tried and failed silently." Now surfaces a
@@ -8543,9 +8644,15 @@ function cmdCi(runner, args, runOpts, pretty) {
     }
     process.stdout.write(lines.join("\n") + "\n");
   } else if (fmt === "csaf" || fmt === "sarif" || fmt === "openvex") {
-    // Aggregate the per-run bundles_by_format if present.
+    // Aggregate the per-run bundles_by_format if present. ci spans N playbooks,
+    // so there is no single conformant CSAF/SARIF/OpenVEX document — emit a JSON
+    // ARRAY of the pure documents. Critically, do NOT wrap them in an exceptd
+    // envelope carrying a top-level `ok` key: that key is invalid in all three
+    // standard formats, so a downstream CSAF/SARIF/OpenVEX consumer pointed at
+    // `ci --format` output got a non-conformant top-level shape. Each array
+    // element is now a verbatim, conformant document.
     const bundles = results.map(r => r.phases?.close?.evidence_package?.bundles_by_format?.[fmt === "csaf" ? "csaf-2.0" : fmt]).filter(Boolean);
-    emit({ verb: "ci", session_id: sessionId, format: fmt, bundles_count: bundles.length, bundles }, pretty);
+    process.stdout.write(JSON.stringify(bundles, null, pretty ? 2 : 0) + "\n");
   } else if (fmt && fmt !== "json") {
     // v0.11.4 (#76): garbage format rejected with structured error, not silent empty stdout.
     // Route through emitError so the body propagates exit codes via the

package/data/_indexes/_meta.json

@@ -1,10 +1,10 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-27T20:36:13.795Z",
+  "generated_at": "2026-05-27T22:17:04.450Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 54,
   "source_hashes": {
-    "manifest.json": "3db842fa75688111c96edd57712b9447a3df84cb250df1e052ac45b38aff74f2",
+    "manifest.json": "a1f0cb852fd487d12bd1a304d36eb175f3ee36a26e37a1ca9cb25d9c576d2afc",
     "data/atlas-ttps.json": "d24bc02859d40ccf1615db75cca68c077585904e41e0d8f6de448121e9b1abb0",
     "data/attack-techniques.json": "fa193f0d2d248176a8beddb641e9fe56ba4faa9e15dc253ff876dbf0c5d58a77",
     "data/cve-catalog.json": "3d451dda7ac0c7d57a4075ae4bafd3148c6184b35dc1bc59d8b81d1f2641e430",

package/lib/collectors/cicd-pipeline-compromise.js

@@ -180,7 +180,12 @@ function scanWorkflow(content, rel) {
   // composite actions (`uses: ./`).
   const lines2 = content.split(/\r?\n/);
   for (let i = 0; i < lines2.length; i++) {
-    const m = lines2[i].match(/^\s*-?\s*uses:\s*['"]?([^'"\s#]+)['"]?/);
+    // A real `uses:` line is never multiple KB. Skip overlong lines so a
+    // crafted whitespace run can't drive regex backtracking.
+    if (lines2[i].length > 4096) continue;
+    // `^[ \t]*(?:-[ \t]*)?` anchors the indentation once, then an optional
+    // `- ` list marker — no overlapping `\s*` runs that backtrack.
+    const m = lines2[i].match(/^[ \t]*(?:-[ \t]*)?uses:\s*['"]?([^'"\s#]+)['"]?/);
     if (!m) continue;
     const refStr = m[1];
     if (refStr.startsWith("./") || refStr.startsWith("docker://")) continue;

package/lib/collectors/containers.js

@@ -222,6 +222,9 @@ function scanCompose(content, rel) {
 
   for (let i = 0; i < lines.length; i++) {
     const line = lines[i];
+    // A real compose line is never multiple KB. Skip overlong lines so a
+    // crafted whitespace run can't drive regex backtracking.
+    if (line.length > 4096) continue;
     if (/^\s*#/.test(line)) continue;
     if (/^\s*privileged:\s*true\b/i.test(line)) hits["compose-privileged"].push({ file: rel, line: i + 1, snippet: line.trim() });
     // compose-host-network: per playbook, fires on any of
@@ -268,6 +271,9 @@ function scanK8s(content, rel) {
 
   for (let i = 0; i < lines.length; i++) {
     const line = lines[i];
+    // A real manifest line is never multiple KB. Skip overlong lines so a
+    // crafted whitespace run can't drive regex backtracking.
+    if (line.length > 4096) continue;
     if (/^\s*#/.test(line)) continue;
     if (/^\s*privileged:\s*true\b/i.test(line)) hits["k8s-privileged"].push({ file: rel, line: i + 1, snippet: line.trim() });
     if (/^\s*(hostNetwork|hostPID|hostIPC):\s*true\b/.test(line)) hits["k8s-host-namespaces"].push({ file: rel, line: i + 1, snippet: line.trim() });
@@ -287,7 +293,9 @@ function scanK8s(content, rel) {
     }
     // image: ...:latest OR image: ... (no tag, defaults to latest)
     // Allow optional leading `-` from a YAML list item: `- image: ...`.
-    const imageMatch = line.match(/^\s*-?\s*image:\s*['"]?([^'"@\s]+)(?:@[^'"]+)?['"]?\s*$/);
+    // `^[ \t]*(?:-[ \t]*)?` anchors the indentation once, then an optional
+    // `- ` list marker — no overlapping `\s*` runs that backtrack.
+    const imageMatch = line.match(/^[ \t]*(?:-[ \t]*)?image:\s*['"]?([^'"@\s]+)(?:@[^'"]+)?['"]?\s*$/);
     if (imageMatch) {
       const ref = imageMatch[1];
       const tagMatch = ref.match(/:([^/]+)$/);

package/lib/collectors/library-author.js

@@ -157,8 +157,13 @@ function scanPublishWorkflow(content, rel) {
   const lines = content.split(/\r?\n/);
   for (let i = 0; i < lines.length; i++) {
     const line = lines[i];
+    // A real `uses:` line is never multiple KB. Skip overlong lines so a
+    // crafted whitespace run can't drive regex backtracking.
+    if (line.length > 4096) continue;
     // Allow optional leading `-` from a YAML list item: `- uses: ...`.
-    const m = line.match(/^\s*-?\s*uses:\s*['"]?([^'"\s]+)['"]?\s*$/);
+    // `^[ \t]*(?:-[ \t]*)?` anchors the indentation once, then an optional
+    // `- ` list marker — no overlapping `\s*` runs that backtrack.
+    const m = line.match(/^[ \t]*(?:-[ \t]*)?uses:\s*['"]?([^'"\s]+)['"]?\s*$/);
     if (!m) continue;
     const ref = m[1];
     if (ref.startsWith("./") || ref.startsWith("./.github/")) continue; // local

package/lib/cve-cli.js

@@ -45,7 +45,12 @@ const { resolveCve } = require("./citation-resolve.js");
   }
 
   const r = await resolveCve(id, { airGap: flags.has("--air-gap"), noNetwork: flags.has("--no-network") });
-  const body = { ok: true, verb: "cve", ...r };
+  // A citation that won't stand up exits non-zero so a CI/script gate trips.
+  // Derive `ok` from the same set of statuses that drive the exit code — a
+  // non-zero exit must carry ok:false, never the inverted ok:true the
+  // envelope previously hardcoded.
+  const fails = r.status === "rejected" || r.status === "fabricated" || r.status === "nonexistent" || r.status === "withdrawn";
+  const body = { verb: "cve", ...r, ok: !fails };
 
   if (json) {
     process.stdout.write(JSON.stringify(body, null, pretty ? 2 : 0) + "\n");
@@ -61,8 +66,7 @@ const { resolveCve } = require("./citation-resolve.js");
     if (r.reason) line += `\n  ${r.reason}`;
     process.stdout.write(line + "\n");
   }
-  // A citation that won't stand up is a non-zero exit so a CI/script gate trips.
-  if (r.status === "rejected" || r.status === "fabricated" || r.status === "nonexistent" || r.status === "withdrawn") {
+  if (fails) {
     process.exitCode = 2;
   }
 })();