@blamejs/exceptd-skills 0.14.28 → 0.15.1

package/data/cve-catalog.json

@@ -2279,7 +2279,30 @@
     ],
     "last_updated": "2026-05-15",
     "discovery_attribution_note": "Discovered by Rory McNamara of Snyk Security Labs as part of the four-vulnerability Leaky Vessels disclosure (CVE-2024-21626 + CVE-2024-23651/23652/23653) published January 2024. Named human researcher; no AI-tool credited. Source: https://labs.snyk.io/resources/leaky-vessels-docker-runc-container-breakout-vulnerabilities/.",
-    "rwep_correction_note": "v0.12.30: canonicalized rwep_factors AND rwep_score to satisfy Shape B invariant. The prior stored rwep_score was internally inconsistent with its rwep_factors block; both now derived from canonical RWEP_WEIGHTS + operational fields. Delta from prior stored: +5 (75 -> 80)."
+    "rwep_correction_note": "v0.12.30: canonicalized rwep_factors AND rwep_score to satisfy Shape B invariant. The prior stored rwep_score was internally inconsistent with its rwep_factors block; both now derived from canonical RWEP_WEIGHTS + operational fields. Delta from prior stored: +5 (75 -> 80).",
+    "vendor_advisories": [
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2024-21626",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21626",
+        "severity": "high",
+        "published_date": "2024-01-31"
+      },
+      {
+        "vendor": "Snyk",
+        "advisory_id": null,
+        "url": "https://snyk.io/blog/leaky-vessels-docker-runc-container-breakout-vulnerabilities/",
+        "severity": "high",
+        "published_date": "2024-01-31"
+      },
+      {
+        "vendor": "CISA KEV",
+        "advisory_id": "CVE-2024-21626",
+        "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
+        "severity": "high",
+        "published_date": "2024-04-08"
+      }
+    ]
   },
   "CVE-2024-3094": {
     "ai_assisted_weaponization": false,
@@ -2349,7 +2372,30 @@
     ],
     "last_updated": "2026-05-15",
     "discovery_attribution_note": "Discovered by Andres Freund (Microsoft engineer, PostgreSQL developer) on 2024-03-28 via a 0.5-second SSH-login latency regression traced to liblzma symbol resolution; reported to oss-security. Named human researcher; no AI tooling involved. Source: https://en.wikipedia.org/wiki/XZ_Utils_backdoor.",
-    "rwep_correction_note": "v0.12.30: canonicalized rwep_factors to satisfy Shape B invariant (Σ factors === rwep_score). Prior values used non-canonical weights and/or blast_radius > 30 (over-cap). Stored rwep_score unchanged; factor block now reproducible from canonical RWEP_WEIGHTS + operational fields."
+    "rwep_correction_note": "v0.12.30: canonicalized rwep_factors to satisfy Shape B invariant (Σ factors === rwep_score). Prior values used non-canonical weights and/or blast_radius > 30 (over-cap). Stored rwep_score unchanged; factor block now reproducible from canonical RWEP_WEIGHTS + operational fields.",
+    "vendor_advisories": [
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2024-3094",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3094",
+        "severity": "critical",
+        "published_date": "2024-03-29"
+      },
+      {
+        "vendor": "openwall oss-security",
+        "advisory_id": null,
+        "url": "https://www.openwall.com/lists/oss-security/2024/03/29/4",
+        "severity": "critical",
+        "published_date": "2024-03-29"
+      },
+      {
+        "vendor": "CISA KEV",
+        "advisory_id": "CVE-2024-3094",
+        "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
+        "severity": "critical",
+        "published_date": "2024-04-03"
+      }
+    ]
   },
   "CVE-2024-3154": {
     "ai_assisted_weaponization": false,
@@ -2536,7 +2582,23 @@
       "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-352a"
     ],
     "last_updated": "2026-05-15",
-    "discovery_attribution_note": "Discovered during the SUNBURST incident-response investigation by FireEye / Mandiant analysts (publicly attributed to the Mandiant team rather than a single researcher) and corroborated by SolarWinds engineering. Documented in CISA AA20-352A and the CERT/CC VU#843464. Named human teams; pre-AI-tooling era for vendor-side attribution. Source: https://kb.cert.org/vuls/id/843464."
+    "discovery_attribution_note": "Discovered during the SUNBURST incident-response investigation by FireEye / Mandiant analysts (publicly attributed to the Mandiant team rather than a single researcher) and corroborated by SolarWinds engineering. Documented in CISA AA20-352A and the CERT/CC VU#843464. Named human teams; pre-AI-tooling era for vendor-side attribution. Source: https://kb.cert.org/vuls/id/843464.",
+    "vendor_advisories": [
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2020-10148",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10148",
+        "severity": "critical",
+        "published_date": "2020-12-29"
+      },
+      {
+        "vendor": "CISA",
+        "advisory_id": "AA20-352A",
+        "url": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-352a",
+        "severity": "critical",
+        "published_date": "2020-12-17"
+      }
+    ]
   },
   "CVE-2023-3519": {
     "ai_assisted_weaponization": false,
@@ -2599,7 +2661,23 @@
     ],
     "last_updated": "2026-05-15",
     "discovery_attribution_note": "Independent security researchers via Citrix coordinated disclosure (CTX561482, 2023-07-18); no individual researcher named in the Citrix advisory. NSA/CISA AA23-201A documents in-wild exploitation by Chinese state-sponsored actors. No AI-tool credited. Source: https://support.citrix.com/article/CTX561482/ and https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-201a.",
-    "rwep_correction_note": "v0.12.30: canonicalized rwep_factors AND rwep_score to satisfy Shape B invariant. The prior stored rwep_score was internally inconsistent with its rwep_factors block; both now derived from canonical RWEP_WEIGHTS + operational fields. Delta from prior stored: +5 (75 -> 80)."
+    "rwep_correction_note": "v0.12.30: canonicalized rwep_factors AND rwep_score to satisfy Shape B invariant. The prior stored rwep_score was internally inconsistent with its rwep_factors block; both now derived from canonical RWEP_WEIGHTS + operational fields. Delta from prior stored: +5 (75 -> 80).",
+    "vendor_advisories": [
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2023-3519",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3519",
+        "severity": "critical",
+        "published_date": "2023-07-19"
+      },
+      {
+        "vendor": "Citrix",
+        "advisory_id": "CTX561482",
+        "url": "https://support.citrix.com/article/CTX561482",
+        "severity": "critical",
+        "published_date": "2023-07-18"
+      }
+    ]
   },
   "CVE-2024-1709": {
     "ai_assisted_weaponization": false,
@@ -2659,7 +2737,30 @@
       "https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8"
     ],
     "last_updated": "2026-05-15",
-    "discovery_attribution_note": "Discovered by ConnectWise security engineering and externally reported by Huntress + GreyNoise via in-wild exploitation telemetry within 24 hours of the 2024-02 Patch Tuesday. No individual researcher byline; vendor-internal discovery. No AI-tool credited. Source: https://www.upguard.com/blog/screenconnect-cve-2024."
+    "discovery_attribution_note": "Discovered by ConnectWise security engineering and externally reported by Huntress + GreyNoise via in-wild exploitation telemetry within 24 hours of the 2024-02 Patch Tuesday. No individual researcher byline; vendor-internal discovery. No AI-tool credited. Source: https://www.upguard.com/blog/screenconnect-cve-2024.",
+    "vendor_advisories": [
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2024-1709",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1709",
+        "severity": "critical",
+        "published_date": "2024-02-19"
+      },
+      {
+        "vendor": "ConnectWise",
+        "advisory_id": null,
+        "url": "https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8",
+        "severity": "critical",
+        "published_date": "2024-02-19"
+      },
+      {
+        "vendor": "CISA KEV",
+        "advisory_id": "CVE-2024-1709",
+        "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
+        "severity": "critical",
+        "published_date": "2024-02-22"
+      }
+    ]
   },
   "CVE-2026-20182": {
     "ai_assisted_weaponization": false,
@@ -2721,7 +2822,30 @@
     ],
     "last_updated": "2026-05-15",
     "discovery_attribution_note": "Discovered by Stephen Fewer (Senior Principal Security Researcher) and Jonah Burgess (Senior Security Researcher), both at Rapid7, while researching the related CVE-2026-20127 vdaemon authentication-bypass. Named human researchers; no AI-tool credited. Source: https://www.rapid7.com/blog/post/ve-cve-2026-20182-critical-authentication-bypass-cisco-catalyst-sd-wan-controller-fixed/.",
-    "rwep_correction_note": "v0.12.30: canonicalized rwep_factors AND rwep_score to satisfy Shape B invariant. The prior stored rwep_score was internally inconsistent with its rwep_factors block; both now derived from canonical RWEP_WEIGHTS + operational fields. Delta from prior stored: 0."
+    "rwep_correction_note": "v0.12.30: canonicalized rwep_factors AND rwep_score to satisfy Shape B invariant. The prior stored rwep_score was internally inconsistent with its rwep_factors block; both now derived from canonical RWEP_WEIGHTS + operational fields. Delta from prior stored: 0.",
+    "vendor_advisories": [
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2026-20182",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20182",
+        "severity": "critical",
+        "published_date": null
+      },
+      {
+        "vendor": "Cisco",
+        "advisory_id": null,
+        "url": "https://sec.cloudapps.cisco.com/security/center/publicationListing.x",
+        "severity": "critical",
+        "published_date": null
+      },
+      {
+        "vendor": "CISA KEV",
+        "advisory_id": "CVE-2026-20182",
+        "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
+        "severity": "critical",
+        "published_date": "2026-05-14"
+      }
+    ]
   },
   "CVE-2024-40635": {
     "ai_assisted_weaponization": false,
@@ -4418,7 +4542,30 @@
     ],
     "_draft": false,
     "last_updated": "2026-05-17",
-    "discovery_attribution_note": "Vendor-internal discovery by Fortinet PSIRT, disclosed 2024-02-08 via advisory FG-IR-24-015. No external researcher byline. CISA KEV-listed 2024-02-09 with a 7-day federal remediation deadline. Post-exploitation symlink-persistence technique documented in Fortinet's 2025-04-11 advisory after operators reported residual filesystem access on devices patched after compromise."
+    "discovery_attribution_note": "Vendor-internal discovery by Fortinet PSIRT, disclosed 2024-02-08 via advisory FG-IR-24-015. No external researcher byline. CISA KEV-listed 2024-02-09 with a 7-day federal remediation deadline. Post-exploitation symlink-persistence technique documented in Fortinet's 2025-04-11 advisory after operators reported residual filesystem access on devices patched after compromise.",
+    "vendor_advisories": [
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2024-21762",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21762",
+        "severity": "critical",
+        "published_date": "2024-02-08"
+      },
+      {
+        "vendor": "Fortinet",
+        "advisory_id": "FG-IR-24-015",
+        "url": "https://www.fortiguard.com/psirt/FG-IR-24-015",
+        "severity": "critical",
+        "published_date": "2024-02-08"
+      },
+      {
+        "vendor": "CISA KEV",
+        "advisory_id": "CVE-2024-21762",
+        "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
+        "severity": "critical",
+        "published_date": "2024-02-09"
+      }
+    ]
   },
   "CVE-2025-10585": {
     "id": "CVE-2025-10585",

package/data/zeroday-lessons.json

@@ -17,7 +17,7 @@
       "rebuild_after_days": 365,
       "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
     },
-    "entry_count": 68
+    "entry_count": 422
   },
   "CVE-2026-31431": {
     "name": "Copy Fail",

package/lib/gap-detectors.js

@@ -158,8 +158,14 @@ function temporalStalenessFindings(loaded, opts = {}) {
     }
 
     // CISA KEV due-date passed without remediation status — surfaces
-    // operationally-stale entries the operator should re-verify.
-    if (e.cisa_kev === true && typeof e.cisa_kev_due_date === "string") {
+    // operationally-stale CURATED entries the operator should re-verify.
+    // Auto-imported drafts are excluded: a KEV due-date passing with wall-clock
+    // time on the un-curated bulk-import backlog is expected (and grows the
+    // count purely by calendar drift, which would mechanically breach the
+    // budget gate on a no-op release). The finding is actionable only once the
+    // entry is curated, so it is scoped to non-draft entries.
+    const isDraft = e._auto_imported === true || e._draft === true;
+    if (!isDraft && e.cisa_kev === true && typeof e.cisa_kev_due_date === "string") {
       const sinceDue = daysSince(e.cisa_kev_due_date, now);
       if (sinceDue !== null && sinceDue > 0) {
         out.push({ class: "temporal-staleness", catalog: "cve-catalog", id,

package/lib/lint-skills.js

@@ -119,7 +119,7 @@ const KEBAB_RE = /^[a-z0-9][a-z0-9-]*[a-z0-9]$/;
 const JSON_FILENAME_RE = /^[A-Za-z0-9._-]+\.json$/;
 
 function parseArgs(argv) {
-  const opts = { skill: null, quiet: false };
+  const opts = { skill: null, quiet: false, strict: false };
   for (let i = 2; i < argv.length; i++) {
     const a = argv[i];
     if (a === '--skill') {
@@ -128,6 +128,11 @@ function parseArgs(argv) {
       opts.skill = a.slice('--skill='.length);
     } else if (a === '--quiet' || a === '-q') {
       opts.quiet = true;
+    } else if (a === '--strict') {
+      // Promote warnings (header-only sections, unresolved draft refs,
+      // playbook air-gap gaps) to release-blocking failures. Used by the
+      // predeploy gate so a warned regression cannot scroll past.
+      opts.strict = true;
     } else if (a === '--help' || a === '-h') {
       printHelp();
       process.exit(0);
@@ -856,7 +861,13 @@ function main() {
   console.log(
     `\n${passed}/${total} skills passed${warnSummary}${failed ? `, ${failed} failed` : ''}${orphanSummary}${airGapSummary}.`,
   );
-  process.exit(failed === 0 && orphans.length === 0 ? 0 : 1);
+  // --strict treats any warning (per-skill or playbook air-gap) as a
+  // release-blocking failure so a warned regression cannot ship silently.
+  const strictFail = opts.strict && (warned > 0 || (airGapWarnings && airGapWarnings.length > 0));
+  if (strictFail) {
+    console.log(`[lint-skills] --strict: ${warned + (airGapWarnings ? airGapWarnings.length : 0)} warning(s) treated as failures.`);
+  }
+  process.exit(failed === 0 && orphans.length === 0 && !strictFail ? 0 : 1);
 }
 
 // Export the minimal frontmatter parser for downstream consumers

package/lib/playbook-runner.js

@@ -2912,8 +2912,6 @@ function buildEvidenceBundle(format, playbook, analyze, validate, agentSignals,
         rwep_adjusted: analyze.rwep?.adjusted || 0,
         rwep_threshold_escalate: analyze.rwep?.threshold?.escalate || null,
         blast_radius_score: analyze.blast_radius_score || 0,
-        feeds_into: null,  // populated by close()
-        jurisdiction_clocks_active: null,  // populated by close()
         remediation_recommended: validate.selected_remediation?.id || null,
       }
     };

package/lib/validate-cve-catalog.js

@@ -272,6 +272,21 @@ function additionalChecks(key, entry, ctx) {
     }
   }
 
+  // V5 — KEV status must carry its date (AGENTS.md Hard Rule #1: a KEV flag
+  // without a date is an incomplete threat-intel claim; RWEP scoring and the
+  // jurisdiction-clock SLAs key off the KEV listing date). cisa_kev=true with a
+  // null/missing/invalid cisa_kev_date is flagged; promoted to a hard error
+  // under --strict (predeploy). 0 violations in the shipped catalog today.
+  if (entry.cisa_kev === true) {
+    const d = entry.cisa_kev_date;
+    const dateOk = typeof d === 'string' && isUsableDate(d).ok;
+    if (!dateOk) {
+      warnings.push(
+        `${key}: cisa_kev=true but cisa_kev_date is ${JSON.stringify(d)} (KEV status must carry a valid listing date — Hard Rule #1)`,
+      );
+    }
+  }
+
   // V4 — Impossible-date guard.
   for (const f of DATE_FIELDS) {
     const v = entry[f];
@@ -352,18 +367,26 @@ function main() {
     }
   }
 
-  // Guard the hand-maintained framework-control-gaps _meta.entry_count against
-  // silent drift (it declared 184 while the file held 192 — 8 entries were
-  // added without bumping the counter, and nothing caught it). Assert the
-  // declared count equals the actual non-_meta entry count.
-  if (frameworks && frameworks._meta && typeof frameworks._meta.entry_count === 'number') {
-    const actualGapCount = Object.keys(frameworks).filter((k) => !k.startsWith('_')).length;
-    if (frameworks._meta.entry_count !== actualGapCount) {
-      process.stderr.write(
-        `[validate-cve-catalog] FAIL: framework-control-gaps _meta.entry_count (${frameworks._meta.entry_count}) ` +
-        `!= actual entry count (${actualGapCount}). Update _meta.entry_count to ${actualGapCount}.\n`,
-      );
-      process.exit(1);
+  // Guard hand-maintained _meta.entry_count fields against silent drift. The
+  // framework-control-gaps counter once declared 184 while the file held 192
+  // and nothing caught it; the zeroday-lessons counter drifted to 68 while the
+  // file held 422 because only framework-control-gaps was gated. This now
+  // checks EVERY loaded catalog that declares a numeric _meta.entry_count, so a
+  // new catalog with the field is covered automatically.
+  const ENTRY_COUNT_CATALOGS = [
+    { name: 'framework-control-gaps', catalog: frameworks },
+    { name: 'zeroday-lessons', catalog: lessons },
+  ];
+  for (const { name, catalog: cat } of ENTRY_COUNT_CATALOGS) {
+    if (cat && cat._meta && typeof cat._meta.entry_count === 'number') {
+      const actual = Object.keys(cat).filter((k) => !k.startsWith('_')).length;
+      if (cat._meta.entry_count !== actual) {
+        process.stderr.write(
+          `[validate-cve-catalog] FAIL: ${name} _meta.entry_count (${cat._meta.entry_count}) ` +
+          `!= actual entry count (${actual}). Update _meta.entry_count to ${actual}.\n`,
+        );
+        process.exit(1);
+      }
     }
   }