@blamejs/exceptd-skills 0.15.44 → 0.15.46

package/data/_indexes/section-offsets.json

@@ -1865,7 +1865,7 @@
     },
     "attack-surface-pentest": {
       "path": "skills/attack-surface-pentest/skill.md",
-      "total_bytes": 33291,
+      "total_bytes": 33158,
       "total_lines": 388,
       "frontmatter": {
         "line_start": 1,
@@ -1888,25 +1888,25 @@
           "normalized_name": "framework-lag-declaration",
           "line": 106,
           "byte_start": 6410,
-          "byte_end": 10973,
-          "bytes": 4563,
+          "byte_end": 10953,
+          "bytes": 4543,
           "h3_count": 0
         },
         {
           "name": "TTP Mapping (MITRE ATLAS v5.6.0 + MITRE ATT&CK v19.0)",
           "normalized_name": "ttp-mapping",
           "line": 124,
-          "byte_start": 10973,
-          "byte_end": 13208,
-          "bytes": 2235,
+          "byte_start": 10953,
+          "byte_end": 13162,
+          "bytes": 2209,
           "h3_count": 0
         },
         {
           "name": "Exploit Availability Matrix",
           "normalized_name": "exploit-availability-matrix",
           "line": 143,
-          "byte_start": 13208,
-          "byte_end": 15663,
+          "byte_start": 13162,
+          "byte_end": 15617,
           "bytes": 2455,
           "h3_count": 0
         },
@@ -1914,17 +1914,17 @@
           "name": "Analysis Procedure",
           "normalized_name": "analysis-procedure",
           "line": 160,
-          "byte_start": 15663,
-          "byte_end": 25366,
-          "bytes": 9703,
+          "byte_start": 15617,
+          "byte_end": 25273,
+          "bytes": 9656,
           "h3_count": 4
         },
         {
           "name": "Output Format",
           "normalized_name": "output-format",
           "line": 281,
-          "byte_start": 25366,
-          "byte_end": 29363,
+          "byte_start": 25273,
+          "byte_end": 29270,
           "bytes": 3997,
           "h3_count": 9
         },
@@ -1932,8 +1932,8 @@
           "name": "Compliance Theater Check",
           "normalized_name": "compliance-theater-check",
           "line": 363,
-          "byte_start": 29363,
-          "byte_end": 31679,
+          "byte_start": 29270,
+          "byte_end": 31586,
           "bytes": 2316,
           "h3_count": 0
         },
@@ -1941,9 +1941,9 @@
           "name": "Defensive Countermeasure Mapping (D3FEND)",
           "normalized_name": "defensive-countermeasure-mapping",
           "line": 377,
-          "byte_start": 31679,
-          "byte_end": 33291,
-          "bytes": 1612,
+          "byte_start": 31586,
+          "byte_end": 33158,
+          "bytes": 1572,
           "h3_count": 0
         }
       ]
@@ -2984,7 +2984,7 @@
     },
     "sector-financial": {
       "path": "skills/sector-financial/skill.md",
-      "total_bytes": 50325,
+      "total_bytes": 50285,
       "total_lines": 401,
       "frontmatter": {
         "line_start": 1,
@@ -3034,16 +3034,16 @@
           "normalized_name": "analysis-procedure",
           "line": 182,
           "byte_start": 26352,
-          "byte_end": 35108,
-          "bytes": 8756,
+          "byte_end": 35068,
+          "bytes": 8716,
           "h3_count": 10
         },
         {
           "name": "Output Format",
           "normalized_name": "output-format",
           "line": 271,
-          "byte_start": 35108,
-          "byte_end": 38515,
+          "byte_start": 35068,
+          "byte_end": 38475,
           "bytes": 3407,
           "h3_count": 15
         },
@@ -3051,8 +3051,8 @@
           "name": "Compliance Theater Check",
           "normalized_name": "compliance-theater-check",
           "line": 335,
-          "byte_start": 38515,
-          "byte_end": 42853,
+          "byte_start": 38475,
+          "byte_end": 42813,
           "bytes": 4338,
           "h3_count": 0
         },
@@ -3060,8 +3060,8 @@
           "name": "Defensive Countermeasure Mapping",
           "normalized_name": "defensive-countermeasure-mapping",
           "line": 370,
-          "byte_start": 42853,
-          "byte_end": 46572,
+          "byte_start": 42813,
+          "byte_end": 46532,
           "bytes": 3719,
           "h3_count": 0
         },
@@ -3069,8 +3069,8 @@
           "name": "Hand-Off / Related Skills",
           "normalized_name": "hand-off",
           "line": 385,
-          "byte_start": 46572,
-          "byte_end": 50325,
+          "byte_start": 46532,
+          "byte_end": 50285,
           "bytes": 3753,
           "h3_count": 0
         }
@@ -4112,7 +4112,7 @@
     },
     "cloud-iam-incident": {
       "path": "skills/cloud-iam-incident/skill.md",
-      "total_bytes": 44474,
+      "total_bytes": 44433,
       "total_lines": 416,
       "frontmatter": {
         "line_start": 1,
@@ -4162,16 +4162,16 @@
           "normalized_name": "analysis-procedure",
           "line": 185,
           "byte_start": 22803,
-          "byte_end": 30428,
-          "bytes": 7625,
+          "byte_end": 30423,
+          "bytes": 7620,
           "h3_count": 12
         },
         {
           "name": "Output Format",
           "normalized_name": "output-format",
           "line": 275,
-          "byte_start": 30428,
-          "byte_end": 32626,
+          "byte_start": 30423,
+          "byte_end": 32621,
           "bytes": 2198,
           "h3_count": 15
         },
@@ -4179,8 +4179,8 @@
           "name": "Compliance Theater Check",
           "normalized_name": "compliance-theater-check",
           "line": 338,
-          "byte_start": 32626,
-          "byte_end": 37225,
+          "byte_start": 32621,
+          "byte_end": 37220,
           "bytes": 4599,
           "h3_count": 0
         },
@@ -4188,17 +4188,17 @@
           "name": "Defensive Countermeasure Mapping",
           "normalized_name": "defensive-countermeasure-mapping",
           "line": 374,
-          "byte_start": 37225,
-          "byte_end": 41301,
-          "bytes": 4076,
+          "byte_start": 37220,
+          "byte_end": 41260,
+          "bytes": 4040,
           "h3_count": 0
         },
         {
           "name": "Hand-Off / Related Skills",
           "normalized_name": "hand-off",
           "line": 396,
-          "byte_start": 41301,
-          "byte_end": 44474,
+          "byte_start": 41260,
+          "byte_end": 44433,
           "bytes": 3173,
           "h3_count": 0
         }

package/data/_indexes/token-budget.json

@@ -3,8 +3,8 @@
     "schema_version": "1.0.0",
     "tokenizer_note": "Character-density approximation: 1 token ≈ 4 chars. This is the canonical rule-of-thumb for OpenAI tokenizers on English+technical text. Claude's tokenizer is typically more efficient on prose; treat this as an upper-bound budget for both. Consumers with stricter precision needs should re-tokenize with their own tokenizer.",
     "approx_chars_per_token": 4,
-    "total_chars": 1673904,
-    "total_approx_tokens": 418479,
+    "total_chars": 1673692,
+    "total_approx_tokens": 418426,
     "skill_count": 42
   },
   "skills": {
@@ -1080,10 +1080,10 @@
     },
     "attack-surface-pentest": {
       "path": "skills/attack-surface-pentest/skill.md",
-      "bytes": 33291,
-      "chars": 33148,
+      "bytes": 33158,
+      "chars": 33017,
       "lines": 388,
-      "approx_tokens": 8287,
+      "approx_tokens": 8254,
       "approx_chars_per_token": 4,
       "sections": {
         "threat-context": {
@@ -1092,14 +1092,14 @@
           "approx_tokens": 1173
         },
         "framework-lag-declaration": {
-          "bytes": 4563,
-          "chars": 4553,
-          "approx_tokens": 1138
+          "bytes": 4543,
+          "chars": 4533,
+          "approx_tokens": 1133
         },
         "ttp-mapping": {
-          "bytes": 2235,
-          "chars": 2214,
-          "approx_tokens": 554
+          "bytes": 2209,
+          "chars": 2188,
+          "approx_tokens": 547
         },
         "exploit-availability-matrix": {
           "bytes": 2455,
@@ -1107,9 +1107,9 @@
           "approx_tokens": 610
         },
         "analysis-procedure": {
-          "bytes": 9703,
-          "chars": 9651,
-          "approx_tokens": 2413
+          "bytes": 9656,
+          "chars": 9606,
+          "approx_tokens": 2402
         },
         "output-format": {
           "bytes": 3997,
@@ -1122,9 +1122,9 @@
           "approx_tokens": 576
         },
         "defensive-countermeasure-mapping": {
-          "bytes": 1612,
-          "chars": 1610,
-          "approx_tokens": 403
+          "bytes": 1572,
+          "chars": 1570,
+          "approx_tokens": 393
         }
       }
     },
@@ -1735,10 +1735,10 @@
     },
     "sector-financial": {
       "path": "skills/sector-financial/skill.md",
-      "bytes": 50325,
-      "chars": 50160,
+      "bytes": 50285,
+      "chars": 50120,
       "lines": 401,
-      "approx_tokens": 12540,
+      "approx_tokens": 12530,
       "approx_chars_per_token": 4,
       "sections": {
         "threat-context": {
@@ -1762,9 +1762,9 @@
           "approx_tokens": 724
         },
         "analysis-procedure": {
-          "bytes": 8756,
-          "chars": 8726,
-          "approx_tokens": 2182
+          "bytes": 8716,
+          "chars": 8686,
+          "approx_tokens": 2172
         },
         "output-format": {
           "bytes": 3407,
@@ -2395,10 +2395,10 @@
     },
     "cloud-iam-incident": {
       "path": "skills/cloud-iam-incident/skill.md",
-      "bytes": 44474,
-      "chars": 44316,
+      "bytes": 44433,
+      "chars": 44275,
       "lines": 416,
-      "approx_tokens": 11079,
+      "approx_tokens": 11069,
       "approx_chars_per_token": 4,
       "sections": {
         "threat-context": {
@@ -2422,9 +2422,9 @@
           "approx_tokens": 842
         },
         "analysis-procedure": {
-          "bytes": 7625,
-          "chars": 7601,
-          "approx_tokens": 1900
+          "bytes": 7620,
+          "chars": 7596,
+          "approx_tokens": 1899
         },
         "output-format": {
           "bytes": 2198,
@@ -2437,9 +2437,9 @@
           "approx_tokens": 1146
         },
         "defensive-countermeasure-mapping": {
-          "bytes": 4076,
-          "chars": 4068,
-          "approx_tokens": 1017
+          "bytes": 4040,
+          "chars": 4032,
+          "approx_tokens": 1008
         },
         "hand-off": {
           "bytes": 3173,

package/data/cve-catalog.json

@@ -1,7 +1,7 @@
 {
   "_meta": {
     "schema_version": "1.0.0",
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-30",
     "source": "NVD + CISA KEV + vendor advisories — see sources/index.json",
     "required_fields": [
       "type",
@@ -90,7 +90,7 @@
       ],
       "note": "Catalog keys are CVE-* by default. For pre-CVE-assignment advisories under active operational impact, the project accepts OSV-native identifier shapes as the canonical key, with cross-references retained in `aliases`: MAL-* (OSSF Malicious Packages dataset — published into OSV.dev; primary key for malicious-package compromises), GHSA-* (GitHub Advisory Database; primary key when the package is on GitHub and no CVE has issued yet), and SNYK-* (Snyk advisory dataset; primary key for advisories Snyk catalogued before OSV/GHSA ingested them). When MITRE issues a CVE, the entry is renamed in lockstep with the matching zeroday-lessons key; the previous identifier is retained in `aliases` so historical references continue to resolve. Precedent: MAL-2026-3083 added 2026-05-13 (the elementary-data PyPI worm, 1.1M monthly downloads, OSV/OSSF-cataloged before any CVE issued). EPSS coverage does not extend to non-CVE identifiers; epss_score is null with a documenting epss_note on such entries. Upstream pull from OSV.dev: `exceptd refresh --source osv` (added v0.12.10)."
     },
-    "last_threat_review": "2026-05-15"
+    "last_threat_review": "2026-05-30"
   },
   "CVE-2025-0282": {
     "ai_assisted_weaponization": false,

package/lib/flag-suggest.js

@@ -10,8 +10,10 @@
  * distance ≤ 2 AND ≤ floor(flag.length / 2).
  *
  * Per-verb allowlists are the canonical CLI surface. Adding a new flag to a
- * verb means appending to the allowlist here AND updating the printPlaybookVerbHelp
- * block; a test asserts the two sets agree.
+ * verb means appending to the allowlist here AND updating the
+ * printPlaybookVerbHelp block; keep the two in sync. doctor maintains its own
+ * KNOWN_DOCTOR_FLAGS set in bin/exceptd.js — keep VERB_FLAG_ALLOWLIST.doctor
+ * aligned with it (tests/lib-flag-suggest.test.js pins the shared flags).
  */
 
 function editDistance(a, b) {
@@ -66,7 +68,7 @@ function suggestFlag(flag, allowlist) {
  * (e.g. `pretty`, `json`, `help`) live under '_global'.
  */
 const VERB_FLAG_ALLOWLIST = Object.freeze({
-  _global: ['help', 'pretty', 'json', 'verbose'],
+  _global: ['help', 'pretty', 'json', 'verbose', 'quiet'],
   run: [
     'evidence', 'evidence-dir', 'session-id', 'force-overwrite', 'attestation-root',
     'mode', 'air-gap', 'force-stale', 'operator', 'ack', 'csaf-status',
@@ -96,12 +98,6 @@ const VERB_FLAG_ALLOWLIST = Object.freeze({
     'mode', 'force-stale', 'tlp',
     'bundle-deterministic', 'bundle-epoch',
   ],
-  ingest: [
-    'evidence', 'session-id', 'force-overwrite', 'attestation-root', 'operator',
-    'ack', 'csaf-status', 'publisher-namespace', 'air-gap', 'force-stale',
-    'strict-preconditions',
-    'bundle-deterministic', 'bundle-epoch',
-  ],
   brief: ['all', 'scope', 'directives', 'flat', 'phase'],
   discover: ['scan-only', 'scope', 'cwd'],
   ask: [],
@@ -112,7 +108,7 @@ const VERB_FLAG_ALLOWLIST = Object.freeze({
   reattest: [
     'playbook', 'since', 'latest', 'force-replay', 'attestation-root',
   ],
-  doctor: ['signatures', 'cves', 'rfcs', 'fix', 'registry-check', 'exit-codes', 'shipped-tarball', 'ai-config', 'currency', 'collectors'],
+  doctor: ['signatures', 'cves', 'rfcs', 'fix', 'registry-check', 'exit-codes', 'shipped-tarball', 'ai-config', 'currency', 'collectors', 'air-gap'],
   lint: ['evidence'],
   collect: ['cwd', 'attest-ownership', 'resolve'],
   refresh: [

package/lib/lint-skills.js

@@ -91,14 +91,13 @@ const REQUIRED_SECTIONS = [
 
 // L3 — Defensive Countermeasure Mapping became a required section for skills
 // reviewed on or after this cutoff (documented in AGENTS.md). Pre-cutoff
-// skills remain exempt to preserve patch-class compatibility; v0.13.0 may
-// broaden the cutoff.
+// skills remain exempt to preserve patch-class compatibility.
 const COUNTERMEASURE_SECTION = 'Defensive Countermeasure Mapping';
 const COUNTERMEASURE_CUTOFF = '2026-05-11';
 
 // L1 — Minimum number of words of body text between a section heading and the
 // next heading (or EOF) for the section to count as populated. Header-only
-// sections surface as WARNINGS in v0.12.12; v0.13.0 will tighten to failure.
+// sections surface as warnings; promoted to failures under --strict.
 const MIN_SECTION_BODY_WORDS = 20;
 
 const PLACEHOLDER_PATTERNS = [
@@ -396,8 +395,8 @@ function validateFrontmatter(fm, skillName) {
  *                    in the body (case-insensitive). Hard failure.
  *   - headerOnly[] — sections whose heading exists but whose body between
  *                    that heading and the next heading is shorter than
- *                    MIN_SECTION_BODY_WORDS words. Warning in v0.12.12;
- *                    v0.13.0 will tighten. */
+ *                    MIN_SECTION_BODY_WORDS words. A warning by default;
+ *                    promoted to an error under --strict. */
 function findMissingSections(body, requiredSections) {
   const sections = requiredSections || REQUIRED_SECTIONS;
   const lines = body.split(/\r?\n/);
@@ -563,16 +562,16 @@ function lintSkill(entry, ctx) {
     }
   }
 
-  // L2 — attack_refs cross-catalog resolution. Surface as WARNINGS in
-  // v0.12.12 to preserve patch-class compatibility; v0.13.0 will flip to
-  // hard failures. If data/attack-techniques.json is missing entirely the
-  // ctx.attackKeys set is null — skip the check (the gate degrades to its
-  // pre-v0.12.12 behavior).
+  // L2 — attack_refs cross-catalog resolution. Surface as warnings by
+  // default (preserving patch-class compatibility); promoted to hard
+  // failures under --strict (the predeploy gate). If
+  // data/attack-techniques.json is missing entirely the ctx.attackKeys set
+  // is null — skip the check (the gate degrades gracefully).
   if (Array.isArray(fm.attack_refs) && ctx.attackKeys) {
     for (const ref of fm.attack_refs) {
       if (!ctx.attackKeys.has(ref)) {
         skillWarnings.push(
-          `attack_refs: "${ref}" not present in data/attack-techniques.json (will hard-fail in v0.13.0)`,
+          `attack_refs: "${ref}" not present in data/attack-techniques.json (an error under --strict)`,
         );
       }
     }
@@ -617,18 +616,18 @@ function lintSkill(entry, ctx) {
 
   // L3 — Defensive Countermeasure Mapping is required for skills reviewed
   // on or after COUNTERMEASURE_CUTOFF. Pre-cutoff skills are exempt. The
-  // section's absence on a post-cutoff skill is a WARNING in v0.12.12 so
-  // existing skills can add the section gradually; v0.13.0 will flip to
-  // a hard failure.
+  // section's absence on a post-cutoff skill is a warning by default so
+  // existing skills can add the section gradually; promoted to a hard
+  // failure under --strict.
   const { missing, headerOnly } = findMissingSections(body, REQUIRED_SECTIONS);
   for (const s of missing) {
     skillErrors.push(`body: missing required section "${s}"`);
   }
   for (const ho of headerOnly) {
-    // L1 — Header-only sections are WARNINGS in v0.12.12; v0.13.0 will
-    // tighten to failure.
+    // L1 — Header-only sections are warnings by default; promoted to a
+    // failure under --strict.
     skillWarnings.push(
-      `body: section "${ho.section}" has only ${ho.wordCount} words of body text (need >= ${MIN_SECTION_BODY_WORDS}); will hard-fail in v0.13.0`,
+      `body: section "${ho.section}" has only ${ho.wordCount} words of body text (need >= ${MIN_SECTION_BODY_WORDS}); an error under --strict`,
     );
   }
   if (
@@ -639,12 +638,12 @@ function lintSkill(entry, ctx) {
     const cmResult = findMissingSections(body, [COUNTERMEASURE_SECTION]);
     if (cmResult.missing.length > 0) {
       skillWarnings.push(
-        `body: missing required section "${COUNTERMEASURE_SECTION}" (required for skills with last_threat_review >= ${COUNTERMEASURE_CUTOFF}; will hard-fail in v0.13.0)`,
+        `body: missing required section "${COUNTERMEASURE_SECTION}" (required for skills with last_threat_review >= ${COUNTERMEASURE_CUTOFF}; an error under --strict)`,
       );
     } else {
       for (const ho of cmResult.headerOnly) {
         skillWarnings.push(
-          `body: section "${ho.section}" has only ${ho.wordCount} words of body text (need >= ${MIN_SECTION_BODY_WORDS}); will hard-fail in v0.13.0`,
+          `body: section "${ho.section}" has only ${ho.wordCount} words of body text (need >= ${MIN_SECTION_BODY_WORDS}); an error under --strict`,
         );
       }
     }

package/lib/playbook-runner.js

@@ -74,7 +74,7 @@ try {
 
 // Probe the catalog (parse it, surface any load error) LAZILY on first need
 // rather than at module load. The probe parses the ~2.6MB CVE catalog (~8.5ms);
-// doing it eagerly charged that to every cheap verb (brief/plan/look/ask/lint/
+// doing it eagerly charged that to every cheap verb (brief/ask/lint/
 // discover) that never analyzes. run() calls this before the analyze path, so
 // a corrupt catalog still surfaces as blocked_by:'catalog_corrupt' before
 // analyze — just not on verbs that don't touch the catalog. Memoized: probes
@@ -1829,7 +1829,11 @@ function close(playbookId, directiveId, analyzeResult, validateResult, agentSign
 // Severity ladder for active_exploitation. The worst-of reduction lets
 // analyzeFindingShape report the most-exploited CVE in the matched set, not
 // the first-encountered one. Higher index = worse.
-const ACTIVE_EXPLOITATION_RANK = { none: 0, unknown: 1, suspected: 2, confirmed: 3 };
+// `theoretical` (PoC exists, no in-the-wild use) must rank between `none` and
+// `unknown`; omitting it made `?? -1` lose to the -1 start, so an all-theoretical
+// matched set wrongly reduced to 'unknown' and a theoretical+none set dropped
+// the theoretical entry entirely. This vocabulary is first-class in scoring.js.
+const ACTIVE_EXPLOITATION_RANK = { none: 0, theoretical: 1, unknown: 2, suspected: 3, confirmed: 4 };
 
 function worstActiveExploitation(matchedCves) {
   let worst = null;
@@ -1840,7 +1844,9 @@ function worstActiveExploitation(matchedCves) {
     const rank = ACTIVE_EXPLOITATION_RANK[v] ?? -1;
     if (rank > worstRank) { worst = v; worstRank = rank; }
   }
-  return worst || 'unknown';
+  // Empty / all-unrecognized matched set → 'none' (a draft must not assert
+  // 'unknown' exploitation it never observed).
+  return worst || 'none';
 }
 
 // Severity ladder derived from rwep_adjusted. Playbooks reference
@@ -3838,4 +3844,6 @@ module.exports = {
   _acquireLockDiagnostic: acquireLockDiagnostic,
   _releaseLock: releaseLock,
   _lockFilePath: lockFilePath,
+  _vulnIdToUrn: vulnIdToUrn,
+  _worstActiveExploitation: worstActiveExploitation,
 };

package/lib/refresh-external.js

@@ -206,7 +206,8 @@ Sources (default = all):
   osv   (v0.12.10) OSV.dev aggregator — OSSF Malicious Packages (MAL-*) + Snyk
         + GHSA + RustSec + Mageia + Go Vuln DB + Ubuntu USN. Unauthenticated.
         Use --advisory MAL-* / RUSTSEC-* / SNYK-* / USN-* to seed a single
-        draft. Bulk import via package watchlist is a v0.13 follow-up.
+        draft. One advisory ID per invocation; there is no bulk or
+        package-watchlist import.
 
 Air-gap workflow:
   1. On a connected host:   \`exceptd refresh --prefetch\`
@@ -595,7 +596,8 @@ const GHSA_SOURCE = {
     if (ctx.fixtures?.ghsa) return synthesizeFromFixture(ctx, "ghsa");
     if (ctx.cacheDir) {
       // Cache parity: ghsa cache layout is .cache/upstream/ghsa/<published-date>.json
-      // For v0.12.0 we fall through to live fetch — caching is a v0.13 follow-up.
+      // GHSA has no cache layer yet — fall through to live fetch. (Unlike NVD
+      // and RFC, GHSA does not honor the air-gap --from-cache path.)
     }
     const ghsa = require("./source-ghsa");
     return ghsa.buildDiff(ctx);

package/lib/source-osv.js

@@ -372,7 +372,9 @@ async function fetchAdvisoryById(id, opts = {}) {
 
 /**
  * List advisories for a package, optionally filtered to a specific version.
- * v0.12.10 ships the network path; bulk-import callers are a v0.13 follow-up.
+ * The single-package network path is implemented; there is no bulk /
+ * package-watchlist import caller — advisories are seeded one at a time via
+ * `refresh --advisory <id>`.
  */
 async function fetchAdvisoriesForPackage(name, ecosystem, version, opts = {}) {
   if (!name || !ecosystem) {

package/lib/validate-catalog-meta.js

@@ -62,7 +62,7 @@ function parseArgs(argv) {
         'Usage: node lib/validate-catalog-meta.js [--quiet] [--strict]\n' +
           '\n' +
           '  --quiet   Suppress per-catalog PASS output; show failures only.\n' +
-          '  --strict  Promote v0.13.0-preview warnings (freshness) to errors.\n',
+          '  --strict  Promote freshness warnings to errors (used by the predeploy gate).\n',
       );
       process.exit(0);
     } else {
@@ -165,11 +165,12 @@ function validateMeta(catalogPath, opts) {
 
     /* freshness enforcement. When both meta.last_updated and
      * freshness_policy.stale_after_days are present, surface a warning if
-     * (now - last_updated) > stale_after_days. Patch-class release emits at
-     * WARN level (does not fail validation); v0.13.0 will flip to an error.
+     * (now - last_updated) > stale_after_days. Emitted at WARN level by
+     * default (does not fail validation).
      *
      * Optional `opts.strict` (or `opts.errorOnStale`) promotes the warning
-     * to an error today; predeploy keeps the warning posture.
+     * to an error; the predeploy gate runs --strict, plain validation keeps
+     * the warning posture.
      */
     if (
       typeof meta.last_updated === 'string' &&
@@ -185,7 +186,7 @@ function validateMeta(catalogPath, opts) {
           const msg =
             `_meta freshness: last_updated ${meta.last_updated} is ${ageDays} days old ` +
             `(stale_after_days = ${fp.stale_after_days}); refresh the catalog or bump _meta.last_updated. ` +
-            `Will hard-fail in v0.13.0.`;
+            `Promoted to an error under --strict.`;
           if (opts && (opts.strict || opts.errorOnStale)) {
             errors.push(msg);
           } else {