@blamejs/exceptd-skills 0.15.47 → 0.15.49

package/CHANGELOG.md

@@ -1,5 +1,13 @@
 # Changelog
 
+## 0.15.49 — 2026-05-30
+
+Internal: a new predeploy gate, `scripts/check-codebase-patterns.js`, enforces code-shape bug classes that recurred across releases. It blocks a library-callable function that writes to stdout and then calls `process.exit()` (which truncates buffered output when the stream is piped — the class the v0.15.47 validate-cves fix addressed) and a stale or reason-less `// allow:` suppression marker, and warns on dynamic `RegExp` construction. The flagged `process.exit` sites across the catalog, playbook, package, and vendor validators were converted to the flush-safe `safeExit` form, and the dynamic-`RegExp` sites carry inline justification markers. A companion advisory, wired into the release `prepare` step, flags when the upstream pattern catalog grows a class exceptd hasn't triaged. No change to the shipped CLI surface, catalogs, or skills.
+
+## 0.15.48 — 2026-05-30
+
+Internal: the release flow is now driven by a phased orchestrator, `scripts/release.js`. Each subcommand (prepare, gates, commit, push, watch, merge, tag, release) runs one idempotent, resumable phase and exits with a script-safe code; the tag phase enforces a GUARD against tag-on-stale-HEAD and version skew between `package.json`, `manifest.json`, and the CHANGELOG heading. No change to the shipped CLI, catalogs, or skills.
+
 ## 0.15.47 — 2026-05-30
 
 A consistency pass on error envelopes and flag handling.

package/data/_indexes/_meta.json

@@ -1,10 +1,10 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-30T18:46:17.416Z",
+  "generated_at": "2026-05-30T20:22:06.536Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 54,
   "source_hashes": {
-    "manifest.json": "913d165fe1132e187dfdb9938d26d905af595901ad839f7adb079ac3c78445d8",
+    "manifest.json": "b2d79207d42e38d82a76c13b827623baa3e951b16cfbcc05250572070eb76aed",
     "data/atlas-ttps.json": "878b4a08bb73c8d20396d85cf433a88f2bc5e7a8cbf7f6ab773ce7ede0a11251",
     "data/attack-techniques.json": "84fad74c8497cab922ed64b814752f54aa4620c2a938cb06642ff1510e1c5cb3",
     "data/cve-catalog.json": "7a5f4e31401505e53330cdc4b54b39f8a8b04459d6b9411676d291c583ae535f",

package/lib/collectors/cicd-pipeline-compromise.js

@@ -73,16 +73,16 @@ function walkWorkflows(root) {
 //   - mapping:     `on:\n  push:\n  pull_request_target:`
 // Heuristic accepts all four.
 function workflowHasTrigger(content, name) {
-  if (new RegExp(`^\\s*on:\\s*['"]?${name}['"]?\\s*(?:#.*)?$`, "m").test(content)) return true;
+  if (new RegExp(`^\\s*on:\\s*['"]?${name}['"]?\\s*(?:#.*)?$`, "m").test(content)) return true; // allow:dynamic-regex — `name` is a hardcoded trigger literal (pull_request_target / issue_comment / pull_request), never operator/file input
   const listMatch = content.match(/^\s*on:\s*\[([^\]]*)\]/m);
-  if (listMatch && new RegExp(`(?:^|,)\\s*['"]?${name}['"]?\\s*(?:,|$)`).test(listMatch[1])) return true;
+  if (listMatch && new RegExp(`(?:^|,)\\s*['"]?${name}['"]?\\s*(?:,|$)`).test(listMatch[1])) return true; // allow:dynamic-regex — `name` is a hardcoded trigger literal, never operator/file input
   // block list AND mapping forms both follow `on:\n` with indented
   // continuation lines. Capture the block and inspect for either
   // `- <name>` (list) or `<name>:` (mapping) within it.
   const blockMatch = content.match(/^\s*on:\s*\n((?:[ \t]+[^\n]+\n?)+)/m);
   if (blockMatch) {
-    if (new RegExp(`^[ \\t]+-\\s+['"]?${name}['"]?\\s*(?:#.*)?\\s*$`, "m").test(blockMatch[1])) return true;
-    if (new RegExp(`^[ \\t]+${name}:`, "m").test(blockMatch[1])) return true;
+    if (new RegExp(`^[ \\t]+-\\s+['"]?${name}['"]?\\s*(?:#.*)?\\s*$`, "m").test(blockMatch[1])) return true; // allow:dynamic-regex — `name` is a hardcoded trigger literal, never operator/file input
+    if (new RegExp(`^[ \\t]+${name}:`, "m").test(blockMatch[1])) return true; // allow:dynamic-regex — `name` is a hardcoded trigger literal, never operator/file input
   }
   return false;
 }

package/lib/lint-skills.js

@@ -40,6 +40,7 @@
 const fs = require('node:fs');
 const path = require('node:path');
 const process = require('node:process');
+const { safeExit } = require('./exit-codes');
 
 const REPO_ROOT = path.resolve(__dirname, '..');
 const MANIFEST_PATH = path.join(REPO_ROOT, 'manifest.json');
@@ -866,7 +867,8 @@ function main() {
   if (strictFail) {
     console.log(`[lint-skills] --strict: ${warned + (airGapWarnings ? airGapWarnings.length : 0)} warning(s) treated as failures.`);
   }
-  process.exit(failed === 0 && orphans.length === 0 && !strictFail ? 0 : 1);
+  safeExit(failed === 0 && orphans.length === 0 && !strictFail ? 0 : 1);
+  return;
 }
 
 // Export the minimal frontmatter parser for downstream consumers

package/lib/playbook-runner.js

@@ -3632,7 +3632,7 @@ function evalCondition(expr, ctx, playbook) {
     // analyze() can surface analyze.runtime_errors[] without losing the
     // diagnostic.
     try {
-      return new RegExp(m[2], 'i').test(val);
+      return new RegExp(m[2], 'i').test(val); // allow:dynamic-regex — m[2] is the pattern from a signed-catalog playbook condition (/…/), and construction + .test() are already wrapped in this try/catch to neutralize a malformed/pathological pattern
     } catch (e) {
       const errorRec = { _regex_eval_error: { source: m[1], expr: m[2], message: e && e.message ? String(e.message) : String(e) } };
       // Two sites where ctx may carry an accumulator: runOpts._runErrors

package/lib/sign.js

@@ -77,6 +77,7 @@ const fs = require('fs');
 const path = require('path');
 const crypto = require('crypto');
 const { execFileSync } = require('child_process');
+const { safeExit } = require('./exit-codes');
 
 const ROOT = path.join(__dirname, '..');
 const MANIFEST_PATH = path.join(ROOT, 'manifest.json');
@@ -219,7 +220,7 @@ function signAll() {
   }
   printFingerprintBanner();
 
-  if (errors > 0) process.exit(1);
+  if (errors > 0) { safeExit(1); return; }
 }
 
 /**

package/lib/upstream-check-cli.js

@@ -23,6 +23,7 @@
 
 const path = require("path");
 const fs = require("fs");
+const { safeExit } = require("./exit-codes");
 
 const ROOT = path.resolve(__dirname, "..");
 const { fetchLatestPublished, buildFreshnessReport } = require("./upstream-check.js");
@@ -65,7 +66,8 @@ function readManifest() {
       reason: "registry probe disabled in air-gap mode",
       source: "upstream-check",
     }) + "\n");
-    process.exit(0);
+    safeExit(0);
+    return;
   }
   const registry = await fetchLatestPublished({ timeoutMs: opts.timeoutMs });
   if (opts.raw) {

package/lib/validate-catalog-meta.js

@@ -31,6 +31,7 @@
 const fs = require('node:fs');
 const path = require('node:path');
 const process = require('node:process');
+const { safeExit } = require('./exit-codes');
 
 const REPO_ROOT = path.resolve(__dirname, '..');
 const DATA_DIR = path.join(REPO_ROOT, 'data');
@@ -64,10 +65,12 @@ function parseArgs(argv) {
           '  --quiet   Suppress per-catalog PASS output; show failures only.\n' +
           '  --strict  Promote freshness warnings to errors (used by the predeploy gate).\n',
       );
-      process.exit(0);
+      safeExit(0);
+      return null;
     } else {
       console.error(`Unknown argument: ${a}`);
-      process.exit(2);
+      safeExit(2);
+      return null;
     }
   }
   return opts;
@@ -208,6 +211,7 @@ function validateMeta(catalogPath, opts) {
 
 function main() {
   const opts = parseArgs(process.argv);
+  if (opts === null) return; // parseArgs handled --help / bad-arg and set the exit code
   const files = fs
     .readdirSync(DATA_DIR)
     .filter((f) => f.endsWith('.json'))

package/lib/validate-cve-catalog.js

@@ -26,6 +26,7 @@
 const fs = require('node:fs');
 const path = require('node:path');
 const process = require('node:process');
+const { safeExit } = require('./exit-codes');
 
 const REPO_ROOT = path.resolve(__dirname, '..');
 const SCHEMA_PATH = path.join(REPO_ROOT, 'lib', 'schemas', 'cve-catalog.schema.json');
@@ -82,10 +83,12 @@ function parseArgs(argv) {
           '  --quiet   Suppress per-CVE PASS output; show failures only.\n' +
           '  --strict  Promote advisory warnings to errors (used by the predeploy gate). Off by default.\n',
       );
-      process.exit(0);
+      safeExit(0);
+      return null;
     } else {
       console.error(`Unknown argument: ${a}`);
-      process.exit(2);
+      safeExit(2);
+      return null;
     }
   }
   return opts;
@@ -138,7 +141,7 @@ function validate(value, schema, schemaName, pathStr) {
       errors.push(`${here}: string shorter than minLength ${schema.minLength}`);
     }
     if (schema.pattern !== undefined) {
-      const re = new RegExp(schema.pattern);
+      const re = new RegExp(schema.pattern); // allow:dynamic-regex — bundled schema.pattern, not operator input
       if (!re.test(value)) {
         errors.push(`${here}: string ${JSON.stringify(value)} does not match pattern /${schema.pattern}/`);
       }
@@ -312,6 +315,7 @@ function additionalChecks(key, entry, ctx) {
 
 function main() {
   const opts = parseArgs(process.argv);
+  if (opts === null) return; // parseArgs handled --help / bad-arg and set the exit code
   const schema = readJson(SCHEMA_PATH);
   const catalog = readJson(CATALOG_PATH);
   const lessons = readJson(LESSONS_PATH);

package/lib/validate-package.js

@@ -19,6 +19,7 @@
 const fs = require("fs");
 const path = require("path");
 const { spawnSync } = require("child_process");
+const { safeExit } = require("./exit-codes");
 
 const ROOT = path.join(__dirname, "..");
 const ABS = (p) => path.join(ROOT, p);
@@ -154,12 +155,14 @@ function main() {
       `${packInfo.files.length} files, ` +
       `${sizeMB} MB packed / ${unpackedMB} MB unpacked.\n`
     );
-    process.exit(0);
+    safeExit(0);
+    return;
   }
 
   process.stderr.write(`[validate-package] FAILED — ${issues.length} issue(s):\n`);
   for (const i of issues) process.stderr.write(`  • ${i}\n`);
-  process.exit(1);
+  safeExit(1);
+  return;
 }
 
 if (require.main === module) main();

package/lib/validate-playbooks.js

@@ -70,6 +70,7 @@
 const fs = require('node:fs');
 const path = require('node:path');
 const process = require('node:process');
+const { safeExit } = require('./exit-codes');
 
 const REPO_ROOT = path.resolve(__dirname, '..');
 const SCHEMA_PATH = path.join(REPO_ROOT, 'lib', 'schemas', 'playbook.schema.json');
@@ -94,10 +95,12 @@ function parseArgs(argv) {
           '  --quiet   Suppress per-playbook PASS output; show failures only.\n' +
           '  --strict  Treat warnings as errors (used by the predeploy gate).\n',
       );
-      process.exit(0);
+      safeExit(0);
+      return null;
     } else {
       console.error(`Unknown argument: ${a}`);
-      process.exit(2);
+      safeExit(2);
+      return null;
     }
   }
   return opts;
@@ -161,7 +164,7 @@ function validate(value, schema, schemaName, pathStr) {
       err(`${here}: string shorter than minLength ${schema.minLength}`);
     }
     if (schema.pattern !== undefined) {
-      const re = new RegExp(schema.pattern);
+      const re = new RegExp(schema.pattern); // allow:dynamic-regex — bundled schema.pattern, not operator input
       if (!re.test(value)) {
         err(`${here}: string ${JSON.stringify(value)} does not match pattern /${schema.pattern}/`);
       }
@@ -559,6 +562,7 @@ function checkMutexReciprocity(playbooks) {
 
 function main() {
   const opts = parseArgs(process.argv);
+  if (opts === null) return; // parseArgs handled --help / bad-arg and set the exit code
   const schema = readJson(SCHEMA_PATH);
   const ctx = loadContext();
   const playbooks = loadPlaybooks();
@@ -617,7 +621,8 @@ function main() {
       (warned ? `, ${warned} with warnings` : '') +
       (errored ? `, ${errored} failed` : '') + '.',
   );
-  process.exit(errored === 0 ? 0 : 1);
+  safeExit(errored === 0 ? 0 : 1);
+  return;
 }
 
 module.exports = {

package/lib/validate-vendor.js

@@ -20,6 +20,7 @@
 const fs = require("fs");
 const path = require("path");
 const crypto = require("crypto");
+const { safeExit } = require("./exit-codes");
 
 const ROOT = path.join(__dirname, "..");
 const PROV = path.join(ROOT, "vendor", "blamejs", "_PROVENANCE.json");
@@ -71,13 +72,15 @@ function main() {
   if (issues.length === 0) {
     const fileCount = Object.keys(prov.files || {}).length;
     console.log(`[validate-vendor] vendor tree current — ${fileCount} file(s) validated against pin ${prov.pinned_commit?.slice(0, 12) || "?"}.`);
-    process.exit(0);
+    safeExit(0);
+    return;
   }
 
   console.error("[validate-vendor] vendor tree DRIFT:");
   for (const i of issues) console.error("  • " + i);
   console.error("[validate-vendor] re-vendor instructions: vendor/blamejs/README.md");
-  process.exit(1);
+  safeExit(1);
+  return;
 }
 
 if (require.main === module) main();

package/lib/verify.js

@@ -520,7 +520,7 @@ function validateAgainstSchema(value, schema, here, root) {
       errors.push(`${here}: string shorter than minLength ${effectiveSchema.minLength}`);
     }
     if (effectiveSchema.pattern !== undefined) {
-      const re = new RegExp(effectiveSchema.pattern);
+      const re = new RegExp(effectiveSchema.pattern); // allow:dynamic-regex — bundled schema.pattern, not operator input
       if (!re.test(value)) {
         errors.push(`${here}: string ${JSON.stringify(value)} does not match pattern /${effectiveSchema.pattern}/`);
       }