@blamejs/exceptd-skills 0.15.45 → 0.15.47

package/lib/lint-skills.js

@@ -91,14 +91,13 @@ const REQUIRED_SECTIONS = [
 
 // L3 — Defensive Countermeasure Mapping became a required section for skills
 // reviewed on or after this cutoff (documented in AGENTS.md). Pre-cutoff
-// skills remain exempt to preserve patch-class compatibility; v0.13.0 may
-// broaden the cutoff.
+// skills remain exempt to preserve patch-class compatibility.
 const COUNTERMEASURE_SECTION = 'Defensive Countermeasure Mapping';
 const COUNTERMEASURE_CUTOFF = '2026-05-11';
 
 // L1 — Minimum number of words of body text between a section heading and the
 // next heading (or EOF) for the section to count as populated. Header-only
-// sections surface as WARNINGS in v0.12.12; v0.13.0 will tighten to failure.
+// sections surface as warnings; promoted to failures under --strict.
 const MIN_SECTION_BODY_WORDS = 20;
 
 const PLACEHOLDER_PATTERNS = [
@@ -396,8 +395,8 @@ function validateFrontmatter(fm, skillName) {
  *                    in the body (case-insensitive). Hard failure.
  *   - headerOnly[] — sections whose heading exists but whose body between
  *                    that heading and the next heading is shorter than
- *                    MIN_SECTION_BODY_WORDS words. Warning in v0.12.12;
- *                    v0.13.0 will tighten. */
+ *                    MIN_SECTION_BODY_WORDS words. A warning by default;
+ *                    promoted to an error under --strict. */
 function findMissingSections(body, requiredSections) {
   const sections = requiredSections || REQUIRED_SECTIONS;
   const lines = body.split(/\r?\n/);
@@ -563,16 +562,16 @@ function lintSkill(entry, ctx) {
     }
   }
 
-  // L2 — attack_refs cross-catalog resolution. Surface as WARNINGS in
-  // v0.12.12 to preserve patch-class compatibility; v0.13.0 will flip to
-  // hard failures. If data/attack-techniques.json is missing entirely the
-  // ctx.attackKeys set is null — skip the check (the gate degrades to its
-  // pre-v0.12.12 behavior).
+  // L2 — attack_refs cross-catalog resolution. Surface as warnings by
+  // default (preserving patch-class compatibility); promoted to hard
+  // failures under --strict (the predeploy gate). If
+  // data/attack-techniques.json is missing entirely the ctx.attackKeys set
+  // is null — skip the check (the gate degrades gracefully).
   if (Array.isArray(fm.attack_refs) && ctx.attackKeys) {
     for (const ref of fm.attack_refs) {
       if (!ctx.attackKeys.has(ref)) {
         skillWarnings.push(
-          `attack_refs: "${ref}" not present in data/attack-techniques.json (will hard-fail in v0.13.0)`,
+          `attack_refs: "${ref}" not present in data/attack-techniques.json (an error under --strict)`,
         );
       }
     }
@@ -617,18 +616,18 @@ function lintSkill(entry, ctx) {
 
   // L3 — Defensive Countermeasure Mapping is required for skills reviewed
   // on or after COUNTERMEASURE_CUTOFF. Pre-cutoff skills are exempt. The
-  // section's absence on a post-cutoff skill is a WARNING in v0.12.12 so
-  // existing skills can add the section gradually; v0.13.0 will flip to
-  // a hard failure.
+  // section's absence on a post-cutoff skill is a warning by default so
+  // existing skills can add the section gradually; promoted to a hard
+  // failure under --strict.
   const { missing, headerOnly } = findMissingSections(body, REQUIRED_SECTIONS);
   for (const s of missing) {
     skillErrors.push(`body: missing required section "${s}"`);
   }
   for (const ho of headerOnly) {
-    // L1 — Header-only sections are WARNINGS in v0.12.12; v0.13.0 will
-    // tighten to failure.
+    // L1 — Header-only sections are warnings by default; promoted to a
+    // failure under --strict.
     skillWarnings.push(
-      `body: section "${ho.section}" has only ${ho.wordCount} words of body text (need >= ${MIN_SECTION_BODY_WORDS}); will hard-fail in v0.13.0`,
+      `body: section "${ho.section}" has only ${ho.wordCount} words of body text (need >= ${MIN_SECTION_BODY_WORDS}); an error under --strict`,
     );
   }
   if (
@@ -639,12 +638,12 @@ function lintSkill(entry, ctx) {
     const cmResult = findMissingSections(body, [COUNTERMEASURE_SECTION]);
     if (cmResult.missing.length > 0) {
       skillWarnings.push(
-        `body: missing required section "${COUNTERMEASURE_SECTION}" (required for skills with last_threat_review >= ${COUNTERMEASURE_CUTOFF}; will hard-fail in v0.13.0)`,
+        `body: missing required section "${COUNTERMEASURE_SECTION}" (required for skills with last_threat_review >= ${COUNTERMEASURE_CUTOFF}; an error under --strict)`,
       );
     } else {
       for (const ho of cmResult.headerOnly) {
         skillWarnings.push(
-          `body: section "${ho.section}" has only ${ho.wordCount} words of body text (need >= ${MIN_SECTION_BODY_WORDS}); will hard-fail in v0.13.0`,
+          `body: section "${ho.section}" has only ${ho.wordCount} words of body text (need >= ${MIN_SECTION_BODY_WORDS}); an error under --strict`,
         );
       }
     }

package/lib/playbook-runner.js

@@ -74,7 +74,7 @@ try {
 
 // Probe the catalog (parse it, surface any load error) LAZILY on first need
 // rather than at module load. The probe parses the ~2.6MB CVE catalog (~8.5ms);
-// doing it eagerly charged that to every cheap verb (brief/plan/look/ask/lint/
+// doing it eagerly charged that to every cheap verb (brief/ask/lint/
 // discover) that never analyzes. run() calls this before the analyze path, so
 // a corrupt catalog still surfaces as blocked_by:'catalog_corrupt' before
 // analyze — just not on verbs that don't touch the catalog. Memoized: probes
@@ -1829,7 +1829,11 @@ function close(playbookId, directiveId, analyzeResult, validateResult, agentSign
 // Severity ladder for active_exploitation. The worst-of reduction lets
 // analyzeFindingShape report the most-exploited CVE in the matched set, not
 // the first-encountered one. Higher index = worse.
-const ACTIVE_EXPLOITATION_RANK = { none: 0, unknown: 1, suspected: 2, confirmed: 3 };
+// `theoretical` (PoC exists, no in-the-wild use) must rank between `none` and
+// `unknown`; omitting it made `?? -1` lose to the -1 start, so an all-theoretical
+// matched set wrongly reduced to 'unknown' and a theoretical+none set dropped
+// the theoretical entry entirely. This vocabulary is first-class in scoring.js.
+const ACTIVE_EXPLOITATION_RANK = { none: 0, theoretical: 1, unknown: 2, suspected: 3, confirmed: 4 };
 
 function worstActiveExploitation(matchedCves) {
   let worst = null;
@@ -1840,7 +1844,9 @@ function worstActiveExploitation(matchedCves) {
     const rank = ACTIVE_EXPLOITATION_RANK[v] ?? -1;
     if (rank > worstRank) { worst = v; worstRank = rank; }
   }
-  return worst || 'unknown';
+  // Empty / all-unrecognized matched set → 'none' (a draft must not assert
+  // 'unknown' exploitation it never observed).
+  return worst || 'none';
 }
 
 // Severity ladder derived from rwep_adjusted. Playbooks reference
@@ -3838,4 +3844,6 @@ module.exports = {
   _acquireLockDiagnostic: acquireLockDiagnostic,
   _releaseLock: releaseLock,
   _lockFilePath: lockFilePath,
+  _vulnIdToUrn: vulnIdToUrn,
+  _worstActiveExploitation: worstActiveExploitation,
 };

package/lib/validate-catalog-meta.js

@@ -62,7 +62,7 @@ function parseArgs(argv) {
         'Usage: node lib/validate-catalog-meta.js [--quiet] [--strict]\n' +
           '\n' +
           '  --quiet   Suppress per-catalog PASS output; show failures only.\n' +
-          '  --strict  Promote v0.13.0-preview warnings (freshness) to errors.\n',
+          '  --strict  Promote freshness warnings to errors (used by the predeploy gate).\n',
       );
       process.exit(0);
     } else {
@@ -165,11 +165,12 @@ function validateMeta(catalogPath, opts) {
 
     /* freshness enforcement. When both meta.last_updated and
      * freshness_policy.stale_after_days are present, surface a warning if
-     * (now - last_updated) > stale_after_days. Patch-class release emits at
-     * WARN level (does not fail validation); v0.13.0 will flip to an error.
+     * (now - last_updated) > stale_after_days. Emitted at WARN level by
+     * default (does not fail validation).
      *
      * Optional `opts.strict` (or `opts.errorOnStale`) promotes the warning
-     * to an error today; predeploy keeps the warning posture.
+     * to an error; the predeploy gate runs --strict, plain validation keeps
+     * the warning posture.
      */
     if (
       typeof meta.last_updated === 'string' &&
@@ -185,7 +186,7 @@ function validateMeta(catalogPath, opts) {
           const msg =
             `_meta freshness: last_updated ${meta.last_updated} is ${ageDays} days old ` +
             `(stale_after_days = ${fp.stale_after_days}); refresh the catalog or bump _meta.last_updated. ` +
-            `Will hard-fail in v0.13.0.`;
+            `Promoted to an error under --strict.`;
           if (opts && (opts.strict || opts.errorOnStale)) {
             errors.push(msg);
           } else {

package/lib/validate-cve-catalog.js

@@ -40,8 +40,8 @@ const FRAMEWORK_GAPS_PATH = path.join(REPO_ROOT, 'data', 'framework-control-gaps
 // v0.12.12 — patterns that mark a verification_sources URL as a public exploit
 // or PoC location. When poc_available: true AND a verification source matches
 // one of these, the entry must carry an `iocs` block per AGENTS.md Hard Rule
-// #14. Surfaced as WARNING-only for v0.12.12 so drafts and pre-IoC entries
-// don't break patch-class compatibility; v0.13.0 will tighten to error.
+// #14. Surfaced as a warning by default so drafts and pre-IoC entries don't
+// break patch-class compatibility; promoted to an error under --strict.
 const PUBLIC_EXPLOIT_URL_PATTERNS = [
   /github\.com\/.+\/(exploits?|poc|pocs)\b/i,
   /\bexploit-?db\.com\b/i,
@@ -53,8 +53,8 @@ const PUBLIC_EXPLOIT_URL_PATTERNS = [
 
 // v0.12.12 — Tightened CVSS-vector prefix. Schema's existing pattern accepts
 // any "CVSS:<digits>/"; the strict pattern below admits only known CVSS
-// versions (2.0 / 3.0 / 3.1 / 4.0). Emitted as WARNING for v0.12.12; v0.13.0
-// will tighten the schema itself.
+// versions (2.0 / 3.0 / 3.1 / 4.0). Emitted as a warning by default;
+// promoted to an error under --strict.
 const STRICT_CVSS_PATTERN = /^CVSS:(2\.0|3\.[01]|4\.0)\//;
 
 // v0.12.12 — Impossible-date guard. Reject obviously bogus year ranges
@@ -80,7 +80,7 @@ function parseArgs(argv) {
         'Usage: node lib/validate-cve-catalog.js [--quiet] [--strict]\n' +
           '\n' +
           '  --quiet   Suppress per-CVE PASS output; show failures only.\n' +
-          '  --strict  Promote v0.13.0-preview warnings to errors. Off by default.\n',
+          '  --strict  Promote advisory warnings to errors (used by the predeploy gate). Off by default.\n',
       );
       process.exit(0);
     } else {
@@ -244,7 +244,7 @@ function additionalChecks(key, entry, ctx) {
   }
 
   // V2 — Cross-catalog reference resolution. Unresolved refs are warnings
-  // for v0.12.x; v0.13.0 will flip to hard failures. V2 expansion
+  // by default; promoted to hard failures under --strict. V2 expansion
   // extends the walk from cwe_refs only to attack_refs, atlas_refs,
   // d3fend_refs, AND framework_control_gaps.
   const REF_FIELDS = [
@@ -266,7 +266,7 @@ function additionalChecks(key, entry, ctx) {
       if (typeof ref !== 'string') continue;
       if (!set.has(ref)) {
         warnings.push(
-          `${key}: ${field} entry "${ref}" not in ${file} (will hard-fail in v0.13.0)`,
+          `${key}: ${field} entry "${ref}" not in ${file} (an error under --strict)`,
         );
       }
     }
@@ -302,7 +302,7 @@ function additionalChecks(key, entry, ctx) {
   if (typeof entry.cvss_vector === 'string' && entry.cvss_vector.length > 0) {
     if (!STRICT_CVSS_PATTERN.test(entry.cvss_vector)) {
       warnings.push(
-        `${key}: cvss_vector ${JSON.stringify(entry.cvss_vector)} does not match the strict prefix /^CVSS:(2.0|3.0|3.1|4.0)\\//. Schema tolerates this in v0.12.12; v0.13.0 will tighten the schema.`,
+        `${key}: cvss_vector ${JSON.stringify(entry.cvss_vector)} does not match the strict prefix /^CVSS:(2.0|3.0|3.1|4.0)\\//. A warning by default; promoted to an error under --strict.`,
       );
     }
   }

package/lib/validate-playbooks.js

@@ -42,8 +42,8 @@
  *     jurisdiction_obligations an explicit `id` field; the shipped playbooks
  *     reference them by this composite string).
  *   - _meta.mutex is symmetric across the whole playbook set: if A lists B,
- *     B must list A. Asymmetry surfaces as a warning in v0.12.16 (and will
- *     flip to error in v0.13.0) — see checkMutexReciprocity().
+ *     B must list A. Asymmetry surfaces as a warning by default (promoted to
+ *     an error under --strict) — see checkMutexReciprocity().
  *
  * Finding severity:
  *   - error   — structural problems that block the runner (missing required
@@ -51,9 +51,9 @@
  *               duplicate indicator id).
  *   - warning — schema-shape drift the runner can still tolerate (enum
  *               vocabulary lag, cross-catalog refs introduced after the
- *               playbook last shipped). v0.12.12 surfaces these to the
- *               operator without failing the gate; v0.13.0 will flip them
- *               to hard errors via predeploy `informational: false`.
+ *               playbook last shipped). Surfaced to the operator without
+ *               failing the gate by default; promoted to hard errors under
+ *               --strict (predeploy `informational: false`).
  *
  * Exit code: 0 if no errors (warnings allowed), 1 if any errors, 2 on
  *            argv error.
@@ -61,8 +61,8 @@
  * Usage:
  *   node lib/validate-playbooks.js          validate every playbook
  *   node lib/validate-playbooks.js --quiet  only print FAIL playbooks + summary
- *   node lib/validate-playbooks.js --strict treat warnings as errors (v0.13.0
- *                                           preview).
+ *   node lib/validate-playbooks.js --strict treat warnings as errors (used by
+ *                                           the predeploy gate).
  */
 
 'use strict';
@@ -92,7 +92,7 @@ function parseArgs(argv) {
         'Usage: node lib/validate-playbooks.js [--quiet] [--strict]\n' +
           '\n' +
           '  --quiet   Suppress per-playbook PASS output; show failures only.\n' +
-          '  --strict  Treat warnings as errors (v0.13.0 preview).\n',
+          '  --strict  Treat warnings as errors (used by the predeploy gate).\n',
       );
       process.exit(0);
     } else {
@@ -129,8 +129,8 @@ function typeMatches(value, expected) {
  * shaped as { severity, message }. Severity defaults to 'error'; enum
  * mismatches and unknown additional properties under
  * additionalProperties:false are downgraded to 'warning' so vocabulary drift
- * between the schema and shipped playbooks does not hard-fail v0.12.12.
- * v0.13.0 will flip via --strict / predeploy informational:false. */
+ * between the schema and shipped playbooks does not hard-fail by default.
+ * Promoted to errors under --strict / predeploy informational:false. */
 function validate(value, schema, schemaName, pathStr) {
   const findings = [];
   const here = pathStr || schemaName;
@@ -222,7 +222,7 @@ function validate(value, schema, schemaName, pathStr) {
         findings.push(...validate(v, addlSchema, schemaName, `${here}.${k}`));
       } else if (!allowAdditional) {
         // Drift between schema and shipped data: surface as warning, not
-        // an error. v0.13.0 will flip these.
+        // an error. Promoted to an error under --strict.
         err(`${here}: unexpected property "${k}"`, 'warning');
       }
     }
@@ -528,8 +528,8 @@ function checkCrossRefs(playbook, ctx, playbookIds) {
  * undeclared side is started first.
  *
  * Emits one warning per asymmetric pair (keyed off the side that declares
- * the edge). v0.12.16 keeps this at warning severity per the patch-class
- * cadence; v0.13.0 will flip it to error via --strict / predeploy
+ * the edge). Kept at warning severity by default per the patch-class
+ * cadence; promoted to an error under --strict / predeploy
  * `informational: false`.
  */
 function checkMutexReciprocity(playbooks) {
@@ -547,7 +547,7 @@ function checkMutexReciprocity(playbooks) {
       const otherSet = mutexMap.get(other);
       if (!otherSet) continue; // unresolved-id warning is already emitted by checkCrossRefs
       if (!otherSet.has(id)) {
-        const msg = `_meta.mutex: asymmetric mutex with "${other}" — "${other}" does not list "${id}" in its _meta.mutex. v0.13.0 will flip this to a hard error.`;
+        const msg = `_meta.mutex: asymmetric mutex with "${other}" — "${other}" does not list "${id}" in its _meta.mutex. Promoted to a hard error under --strict.`;
         if (!byPlaybook.has(id)) byPlaybook.set(id, []);
         byPlaybook.get(id).push(msg);
       }