@blamejs/exceptd-skills 0.15.51 → 0.15.53

package/sbom.cdx.json

@@ -1,22 +1,22 @@
 {
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:9acfa07c-b6cd-4814-91c7-1c28fa9036c5",
+  "serialNumber": "urn:uuid:347093c0-9155-471a-9a22-58cb926555f2",
   "version": 1,
   "metadata": {
-    "timestamp": "2108-04-22T07:45:00.000Z",
+    "timestamp": "2053-11-17T18:58:08.000Z",
     "tools": [
       {
         "vendor": "blamejs",
         "name": "scripts/refresh-sbom.js",
-        "version": "0.15.51"
+        "version": "0.15.53"
       }
     ],
     "component": {
-      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.15.51",
+      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.15.53",
       "type": "application",
       "name": "@blamejs/exceptd-skills",
-      "version": "0.15.51",
+      "version": "0.15.53",
       "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 42 skills, 11 catalogs (427 CVEs / 173 CWEs / 805 ATT&CK + ICS / 170 ATLAS / 468 D3FEND / 8888 RFCs), 35 jurisdictions, 10-class catalog gap detector + budget gate, real XML parser + canonical-form diff + content-pattern regression detection, Ed25519-signed.",
       "licenses": [
         {
@@ -25,17 +25,17 @@
           }
         }
       ],
-      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.15.51",
+      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.15.53",
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "286ba553798e8b3455fe13a1541b186417e4a817f9c33575e26cf828a1c08d6e"
+          "content": "5fde4e0c2d0ef764c883ff21dbe1f4c5dbc9e74c675e59c15a6941a7e6d68c70"
         }
       ],
       "externalReferences": [
         {
           "type": "distribution",
-          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.15.51"
+          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.15.53"
         },
         {
           "type": "vcs",
@@ -116,11 +116,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "dc00c4b9ab8c88da642c093ff93db1017413c78cc05b9018466be6631c71fec5"
+          "content": "3f31b297747c16270e24932a2d762bc06655b2d4d7bc2a5c9943e7eccf2a6839"
         },
         {
           "alg": "SHA3-512",
-          "content": "b05cb2e274f890263a22f70998d287f96470f83443b891c4a2958a9e053af429d53556495b7e5e427f3892223c3f255917560a3610bdea991e058eaf7cf670de"
+          "content": "6489d29205b4185795b070e341e3290de0368f0dafb096907c1a912ccb5576dfb096fa020cff503d24bf830a9f1c3170ca8897daebcef3542ee6af6b6fae86b4"
         }
       ]
     },
@@ -161,11 +161,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "68a43ab8f9495c0af7a10b4f1c7f8fc729aeee2ab5fe523f932bdd62eb971d83"
+          "content": "34dd0f6eab14ad5b2c974b81e7016c841c7849f862b58fcc94fd499a5ed2b8a9"
         },
         {
           "alg": "SHA3-512",
-          "content": "dbf4c6f0414142a42f37a4f977f07d0d5167abe2e899f6775b29039aff8270b094986747a9c875f362945b0fe8a4173260232a51a57af61ec4553ec598039e18"
+          "content": "7f16c6f48c03f0fa2858edeab6388a9c2b6a952e7d40186bac5748e2ca90d4b3b085422416640eff8c02ead3dd8e19071c696c8cf9f8f2dcc13e8b9d725fc36c"
         }
       ]
     },
@@ -281,11 +281,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "cf9b74140298bdee14d4826d11ed9f7d6b1266db8a782d8dce48425e76ec9af5"
+          "content": "d0ca92931278d72229edb9f2526157f2832df1d97cd7e8440a0a841f8b1c664d"
         },
         {
           "alg": "SHA3-512",
-          "content": "0528bbd4277fe3b8f4cb99eeaf35d5e9f310cfd48a0164fa4e4edb03154f1c7302af7d44617d7b6f1d6ab52e301a7772042e4c609693c49b8ce6eb64991419b9"
+          "content": "93377a5256af65b898ffda3586e081e64f6bb3d820305b6995dd37f022857a66e929bec0c167fed5aed5c5b18a8dec7e7e4214b3d5cfacea32e93dc8065f01c0"
         }
       ]
     },
@@ -326,11 +326,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "cb5e305b5488a2a02e177f10e913d22f602d6016109f152903093e9614e0b470"
+          "content": "1aac7e75eae24ece2ef09d1c63977bdd7a1f81a9f11609ebb966109be316426c"
         },
         {
           "alg": "SHA3-512",
-          "content": "a7abc804efd7dfd46056a857ee13e19b8d99cdd46db7390845f4036b1e4b97bce0e00ec3f677322716f6c74b071340561fdf8cfda9b2f5ff3b502353eaf4d135"
+          "content": "24df35aa1e38b1d24d29957e06da86e71cce646d6b21a1e5b326e752803cca5441a0d618a763f5648a10cbda50728d8fc28e94dcee3e54eab4a081ee3ebdb156"
         }
       ]
     },
@@ -731,11 +731,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "c5e35e621cfd1702bd048dca73f0a309323b537aa73680967295a4176da7368b"
+          "content": "1e2f307a7207a260f8c9ab23f95e8eebb4950349d79eceb2af5b8c4df2b37dc4"
         },
         {
           "alg": "SHA3-512",
-          "content": "919da50a7973dd8f64cd1088ebbc12ae11800b57dc2a65704d29aa373e63db841d392eee45da2a1cd2cfe6df605252bbbe06e303586ba9ebb6bad7a613031dad"
+          "content": "9298e037ccac473c5ac994e5ef4804d93a7abfbb3fa14c836a97c4503de2e9d10b1ad8a2f371115bf17c1f63851fd252214cb183c8655f1f4150b0e3a2dc9248"
         }
       ]
     },
@@ -881,11 +881,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "da169b55e9a96d766f63f6b1b63785f98611a56a1cc78d619ec757ce4d5204f8"
+          "content": "27e0665cd005f7c5b3bee0de927c8b43d7193933b44d8ca0fe832a754f0fd6f7"
         },
         {
           "alg": "SHA3-512",
-          "content": "74c4f21e05eb245de61c810f7094fb877601b6137ab8dc984f2e64feac4c8fb4d05cd871988b105f8894f356e87f6fc3e09ebf0733d8000f6e7c52f6b84ad1dd"
+          "content": "c2a42a955e05a9bde003eaddba6c49fea138c215ca0ad9b0876949743fcbfe3f4753fe063a19339729a289a751bc8572f2e59d007f770ca8d1ab5e66841971e3"
         }
       ]
     },
@@ -1331,11 +1331,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "fc9d13e98934b99981965e61affae0b03bffd8d8a0ee8f6fbb6cb8f33f2cadb5"
+          "content": "bd757082645bbe88e0d03e5d533ee7c5c8e2ea922e31e13e28a336f69cd3a756"
         },
         {
           "alg": "SHA3-512",
-          "content": "4053e54232a55090a53ff765f43bd7c389bdd8ff7d9458c123e1e297ee613f8ed007805588c3e1b6e3857db088d344077ba4d8889efb2129797708ef5f5b58f2"
+          "content": "85c3844a6562a1df8b6b71e54c6fc4788ad62ad918856ceb441c443625032f547c30e39618631f397c49c02708af4e1420bf2ee78885c23248f9c7f8885cef2f"
         }
       ]
     },
@@ -1391,11 +1391,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "8ed8c965f9f1725313333abbc032b0d85a03653cc979781948cc770b88c11659"
+          "content": "b7ace475bc015e13890ed08de28a94195f7672ea7c0dbc08ca2dc62bda78d291"
         },
         {
           "alg": "SHA3-512",
-          "content": "91b4583a35b86beecc84f6c217b5b3bc5a432f4b6c56667c9d83aad774b44fedc00d42186394084828abe7978f1bc645dc213a8aeccfe714f5b6dcdb3273b1fa"
+          "content": "216e86bd9b695771287f29797d07cbef1f7cff4bdffa30749c351ec654e62888c7857a29c48b2fe09809c610f3522219712a322437d92c00bf8b6e8954431c74"
         }
       ]
     },
@@ -1451,11 +1451,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "2f782451d36dc9c6022a49b0eca1ef038304af4aa3fa1f1dced71ebe5bbe1e2e"
+          "content": "ed49d69da4ef5acb4fd827deaaaf280bd6317a5defa96f6fa5696dc96c2929b4"
         },
         {
           "alg": "SHA3-512",
-          "content": "b1c7b066701bcdc650dc09509822ab0d4f9842b562b85d03f3e24c641f1a15fd55a42d09f51b3b056f0c093090ee322298c9f8c322baa434b5742b868d14e564"
+          "content": "cee40245e9bb979c399942241faf038e95adb38ad66b6f3e70ba6034b78f774241310369773bd9ab36ceb0af1fe92e8f8b7e9b9965b3f629ab2847152f892530"
         }
       ]
     },
@@ -1751,11 +1751,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "26f77d56ab70b31946f08cd83c8cd5fc43e807c77955a0e9d4ae9450d32e29c9"
+          "content": "4359446f2ab6bfb0484b716ca15b81755ca4075d941b0c8caa5d2d4ad1c4f0a7"
         },
         {
           "alg": "SHA3-512",
-          "content": "b2bfaea029b51a059fb31a734fa65e73366bf075e38af76723fda119fe9202a17a286b3e20b8e7d12b16e7eed9ef68e13e7b652ddb989d3c5cab30077e7748d2"
+          "content": "26d55c25bbbc0e76e1592fd5633b87858c6cf3ba281e0d6b19ce17761af9468992564c0f040110e541a63492f384e3c982c3afd5f4a05596a08f03e9c93ca2fa"
         }
       ]
     },
@@ -2179,6 +2179,21 @@
         }
       ]
     },
+    {
+      "bom-ref": "file:scripts/check-changelog-extract.js",
+      "type": "file",
+      "name": "scripts/check-changelog-extract.js",
+      "hashes": [
+        {
+          "alg": "SHA-256",
+          "content": "eeee0adf320e7aefee1ebcfa2283c021ca43c80938aafe1873abcf21b927686d"
+        },
+        {
+          "alg": "SHA3-512",
+          "content": "710b6d5b6d1a60c1934a2bd42c7a64aab24150a14d74368d2f5eea27bd568708ae0daa2ca3c7fdee286faec577a926e5cfbaa1b6740ad3886fc5bf3f7ed026c9"
+        }
+      ]
+    },
     {
       "bom-ref": "file:scripts/check-codebase-patterns-currency.js",
       "type": "file",
@@ -2261,11 +2276,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "467d2ae2c73a803edc61ee31f04a7a584da6aaa729940de799a482a37b2be6c3"
+          "content": "d43e59b96a252c1228ca709e3753582fc02d4c32d2766b247a69ee78c0a18e28"
         },
         {
           "alg": "SHA3-512",
-          "content": "4c3638049e850410bebd27ed06f2497fab89be9c5b1917561b9e5ce3a961351c7f3a7076a58b642fb6e72e5aa2597838d77351a13d9eafe725a9e32fba3adfe1"
+          "content": "994eea61e1d84f9f8c9ab77085f855d167b772e31f07ad49f5b4094d7c939f7854595f37902c4a0f360c2ce3ec7754e9db58eee0d7c865dfa2ea20d0e33885e3"
         }
       ]
     },
@@ -2276,11 +2291,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "1d3b7bd15af17a88afb82dada50494433299455e76206b23a895f1ff9ca8a696"
+          "content": "906735e02f452962cc221e129a9d7d08cb645f0b79b48168fea62038c35f6b71"
         },
         {
           "alg": "SHA3-512",
-          "content": "d4c3a7dc1af799ed3d8f28ba47b87a3ef4781cb28f688e76322d15404772e5199cc292bcee979eaefb19d0bb519635353a328412c59fd5baa412548282637ec8"
+          "content": "09590d90712ecec967caf198f33f0ea62b24152dcfda51b1bd0422e64add9cf2f97a5873310d11d654846b83dd92c9c82ca014973ca51888d14607e2b3092e0f"
         }
       ]
     },
@@ -2291,11 +2306,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "ab58a0d6a5f43e94f63161af45b4e436fe50f898e9a44588bdc15103dbc31aa8"
+          "content": "2306d6560552040baf57e9a552c14f2344967338babdc1a4fff8e3b4fc0d4d9b"
         },
         {
           "alg": "SHA3-512",
-          "content": "36a39edf675786de2e7417e6097cd18f03f499ef994b8d728f93f1ca7b657e5c577f2b6ad7360a3470e7fba6287cbc65ae1eb98578c0d4ce689bd9e0f533c398"
+          "content": "12d2a7a167fa40712453f60e5e1f8f57d35a2396e77b40afc38986ddf866984157ed5c312fe6eddb9803df4025e52628d7d636ee123118b64f9eef5b5644cf23"
         }
       ]
     },
@@ -2321,11 +2336,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "4622fd121015535bb0a1b47a7bf57abe3a195b02e42a0be99dfadc9d67a72160"
+          "content": "3e37c0d93dfc1ff3c6fd5e90bb65417f3ebcabd8435925c4292b4ca86bdd11c2"
         },
         {
           "alg": "SHA3-512",
-          "content": "85f755a9228afe24b704d39d58ee11436c8dd663df47e8c7c84da9454c5bad1cf9f166c833a9648517f9c2689730103617b41bec0739c637d91fafb041f7db63"
+          "content": "8c1be019521e12c483cb5e71ee94e6601497c514b09080c2560ca942bb2979f0b08928866213b13fc882105f6aa6e33901fb7edb8cc7dad9a1f03d8bd8a45ce6"
         }
       ]
     },
@@ -2471,11 +2486,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "a5a43d931bcc09f0e5866e5860efd373943e5ce797ff368dc009ea4161d03cd6"
+          "content": "f199cc754f202fa994c1769af5e02a4ef995ee02e87221422b00f945b03e99db"
         },
         {
           "alg": "SHA3-512",
-          "content": "dff963f00485e37546f605542d94d5e8730be9b888d98dd9bc9d256f38b4820d3c3346b1bfdbacedefc4b47d7b07afffdd1b3d7a77ba4cf71593efdd5530b9af"
+          "content": "d504c65cda545acda811997487ca8b6fef3ee5b5447b537f502295d5f6f4266cb2ecb743389b04aa2b6118b021af6f2ce9c6f00e44cf60bd7c06b72456a500f8"
         }
       ]
     },
@@ -2531,11 +2546,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "59a341868f7f362d4138d61cbbf480fa5e293e06399b58b57ea6ff27e4e66d03"
+          "content": "fd04f3e4122b4f3ca7e9a266c763dd4e954710d496da8072f5c2e500a4dbe32c"
         },
         {
           "alg": "SHA3-512",
-          "content": "415dec1034ba285597cf8dcde916b8cb3e9f526a1b7df3cf871c55843de659dcc0dc0cb970e25dbdb646b5da40a7383b8f2cea51d76c8ec1a924fe1913123ff2"
+          "content": "9b606b4d5afcc79a7a39650c3f425af0a8abb21f484e70e5469431a0be26b27969108bd51f167cab23b41d6e0ec7d14b8e6d82d597ca6166942605e15fc016c0"
         }
       ]
     },

package/scripts/check-changelog-extract.js

@@ -0,0 +1,158 @@
+#!/usr/bin/env node
+'use strict';
+
+/**
+ * Release-notes extraction + quality gate.
+ *
+ * The release workflow (.github/workflows/release.yml) publishes the GitHub
+ * Release body by awk-extracting the `## <version> ...` CHANGELOG section
+ * between the version heading and the next `## ` heading, falling back to a
+ * generic "Release of v<version>." line if the extract is empty. This gate
+ * runs that SAME extraction locally before tag-push, and additionally lints
+ * the extracted notes for operator-facing quality, so a malformed or
+ * internal-narrative-laced section fails here rather than shipping as the
+ * public release body.
+ *
+ * Two layers:
+ *   1. EXTRACT  — the `## <version> — <date>` section exists, is non-empty
+ *                 (won't trigger the workflow's "Release of v…" fallback),
+ *                 the heading version matches package.json, and the heading
+ *                 carries an ISO date.
+ *   2. LINT     — the extracted body is operator-facing-clean: no internal
+ *                 phase/pass/slice/sweep narrative, no agent-dispatch /
+ *                 conversation residue, no tautological "all tests pass"
+ *                 noise. (Mirrors the operator-facing discipline; the release
+ *                 body is the most public surface there is.)
+ *
+ * Exit: process.exitCode 0 on pass, 1 on any failure. Functions are exported
+ * for fixture-based testing (no subprocess needed).
+ *
+ * Usage:
+ *   node scripts/check-changelog-extract.js             # uses package.json version
+ *   node scripts/check-changelog-extract.js <version>   # explicit MAJOR.MINOR.PATCH
+ */
+
+const fs = require('node:fs');
+const path = require('node:path');
+
+const ROOT = path.resolve(__dirname, '..');
+const CHANGELOG = path.join(ROOT, 'CHANGELOG.md');
+const PACKAGE_JSON = path.join(ROOT, 'package.json');
+
+// Replicates the release.yml awk: capture lines AFTER the `## <version> `
+// heading up to (not including) the next `## ` heading. The trailing space in
+// the heading match mirrors the workflow's `"^## " v " "` so a shorter version
+// heading can't accidentally match a longer one that shares its prefix.
+function extractSection(text, version) {
+  const lines = text.split(/\r?\n/);
+  const out = [];
+  let capturing = false;
+  const startRe = new RegExp('^## ' + version.replace(/\./g, '\\.') + ' ');
+  for (const ln of lines) {
+    if (capturing) {
+      if (/^## /.test(ln)) break;
+      out.push(ln);
+      continue;
+    }
+    if (startRe.test(ln)) capturing = true;
+  }
+  // Trim leading/trailing blank lines (awk keeps them; the body is the same
+  // either way, but trimming makes the non-empty test honest).
+  while (out.length && out[0].trim() === '') out.shift();
+  while (out.length && out[out.length - 1].trim() === '') out.pop();
+  return out;
+}
+
+// Returns the `## <version> — <date>` heading line for the version, or null.
+function headingLine(text, version) {
+  const re = new RegExp('^## ' + version.replace(/\./g, '\\.') + ' ');
+  return text.split(/\r?\n/).find((l) => re.test(l)) || null;
+}
+
+// Operator-facing forbidden patterns. Tight, high-confidence internal-narrative
+// markers only — must not false-positive on legitimate operator prose (e.g. a
+// bare "phase" in "multi-phase attack" is fine; "Phase 9" is the tell). Each
+// entry: { id, re, why }.
+const FORBIDDEN = [
+  { id: 'phase-number', re: /\bphase\s+\d/i, why: 'internal phase number (operators have no roadmap)' },
+  { id: 'pass-number', re: /\b(?:audit|curation|drift|fix|bug)?[- ]?pass\s+\d/i, why: 'internal pass/batch number' },
+  { id: 'slice-number', re: /\bslice\s+\d/i, why: 'internal slice number' },
+  { id: 'sweep-number', re: /\bsweep\s+\d/i, why: 'internal sweep number' },
+  { id: 'tier-letter', re: /\bTier-[ABC]\b/, why: 'internal tier label' },
+  { id: 'agent-dispatch', re: /\b(?:sub-?agent|parallel agent|agent dispatch|fan(?:ned)?[ -]out|multi-agent)\b/i, why: 'implementation detail (agent/parallelization)' },
+  { id: 'conversation-residue', re: /\b(?:as discussed|per your|operator-confirmed|as you (?:noted|requested)|per the conversation|PR feedback:)\b/i, why: 'conversation residue (invisible to the reader)' },
+  { id: 'process-narrative', re: /\b(?:audit-derived|post-phase-\d|as part of the \d|the \d+-gap closure)\b/i, why: 'internal-process narrative' },
+  { id: 'tautological-green', re: /\b(?:all tests (?:pass|passing|green)|CI green|smoke \+ e2e (?:clean|pass)|tests? (?:are )?passing)\b/i, why: 'tautological pass/green claim (noise — the release exists)' },
+];
+
+function lintOperatorClean(sectionLines) {
+  const findings = [];
+  sectionLines.forEach((ln, i) => {
+    for (const rule of FORBIDDEN) {
+      const m = ln.match(rule.re);
+      if (m) findings.push({ rule: rule.id, why: rule.why, line: i + 1, match: m[0], text: ln.trim().slice(0, 100) });
+    }
+  });
+  return findings;
+}
+
+function readPackageVersion() {
+  return JSON.parse(fs.readFileSync(PACKAGE_JSON, 'utf8')).version;
+}
+
+function main() {
+  const version = process.argv[2] || readPackageVersion();
+  if (!/^\d+\.\d+\.\d+$/.test(version)) {
+    console.error('[check-changelog-extract] FAIL: bad version ' + JSON.stringify(version) + ' (expected MAJOR.MINOR.PATCH)');
+    process.exitCode = 1;
+    return;
+  }
+
+  let text;
+  try { text = fs.readFileSync(CHANGELOG, 'utf8'); }
+  catch (e) {
+    console.error('[check-changelog-extract] FAIL: cannot read CHANGELOG.md: ' + (e && e.message || e));
+    process.exitCode = 1;
+    return;
+  }
+
+  const heading = headingLine(text, version);
+  if (!heading) {
+    console.error('[check-changelog-extract] FAIL: no `## ' + version + ' …` heading in CHANGELOG.md — the release workflow extract would be empty and fall back to "Release of v' + version + '."');
+    process.exitCode = 1;
+    return;
+  }
+  // Heading must carry an ISO date: `## <version> — YYYY-MM-DD`.
+  if (!new RegExp('^## ' + version.replace(/\./g, '\\.') + ' [—-] \\d{4}-\\d{2}-\\d{2}\\s*$').test(heading)) {
+    console.error('[check-changelog-extract] FAIL: heading does not match `## ' + version + ' — YYYY-MM-DD`:');
+    console.error('[check-changelog-extract]   got: ' + JSON.stringify(heading));
+    process.exitCode = 1;
+    return;
+  }
+
+  const section = extractSection(text, version);
+  if (section.length === 0) {
+    console.error('[check-changelog-extract] FAIL: v' + version + ' section is empty — the release body would fall back to the generic "Release of v' + version + '." line.');
+    process.exitCode = 1;
+    return;
+  }
+
+  const findings = lintOperatorClean(section);
+  if (findings.length > 0) {
+    console.error('[check-changelog-extract] FAIL: v' + version + ' release notes carry ' + findings.length + ' operator-facing violation(s):');
+    for (const f of findings) {
+      console.error('  • [' + f.rule + '] "' + f.match + '" — ' + f.why);
+      console.error('      ' + f.text);
+    }
+    console.error('[check-changelog-extract] The CHANGELOG section IS the public GitHub Release body. Describe the change, not how you arrived at it.');
+    process.exitCode = 1;
+    return;
+  }
+
+  console.log('[check-changelog-extract] OK — v' + version + ' release notes extract cleanly (' + section.length + ' line(s)) and pass the operator-facing lint.');
+  process.exitCode = 0;
+}
+
+module.exports = { extractSection, headingLine, lintOperatorClean, FORBIDDEN };
+
+if (require.main === module) main();

package/scripts/check-test-coverage.README.md

@@ -44,7 +44,7 @@ exports). Missing references become findings.
 Changes in these locations are accepted without a covering test:
 
 - `*.md` outside `data/`, `.gitignore`, `.npmrc`, `.editorconfig`
-- `CHANGELOG.md` / `README.md` / `CONTRIBUTING.md` / `SECURITY.md` / `LICENSE` / `NOTICE` / `CODE_OF_CONDUCT.md` / `AGENTS.md` / `CLAUDE.md`
+- `CHANGELOG.md` / `README.md` / `CONTRIBUTING.md` / `SECURITY.md` / `LICENSE` / `NOTICE` / `CODE_OF_CONDUCT.md` / `AGENTS.md`
 - Whitespace-only diffs (detected via `git diff --ignore-all-space --ignore-blank-lines`)
 - Any file under `tests/` (no test-of-tests recursion)
 - `skills/<name>/skill.md` (signature gate already covers content integrity)

package/scripts/check-test-coverage.js

@@ -198,7 +198,7 @@ function readMaybe(p) {
 // / .editorconfig are tooling). Edits here never need a regression test.
 const DOCS_ALWAYS_GREEN = new Set([
   "CONTRIBUTING.md", "LICENSE", "NOTICE", "CODE_OF_CONDUCT.md",
-  "CLAUDE.md", "SUPPORT.md", ".gitignore", ".npmrc", ".editorconfig",
+  "SUPPORT.md", ".gitignore", ".npmrc", ".editorconfig",
 ]);
 
 // Operator-facing docs (release notes, install instructions, security
@@ -497,7 +497,7 @@ function coversCveIoc(corpus, cveId) {
 
 // --- Class-level lint: ban coincidence-passing notEqual(r.status, 0) --------
 //
-// CLAUDE.md anti-coincidence rule: every exit-code assertion must pin the
+// Anti-coincidence rule: every exit-code assertion must pin the
 // EXACT code. `assert.notEqual(r.status, 0)` silently passes when an
 // unrelated failure produces ANY non-zero exit, hiding the regression the
 // test was meant to catch. This lint walks tests/*.test.js and rejects the
@@ -635,7 +635,7 @@ function analyze(opts) {
       file: f.file,
       kind: "coincidence-assert",
       surface: f.snippet,
-      change: `line ${f.line}: pin to exact exit code; see CLAUDE.md anti-coincidence rule. Opt out only with \`// allow-notEqual: <reason>\` on the same line for genuine refusal-pins.`,
+      change: `line ${f.line}: pin to exact exit code (anti-coincidence rule). Opt out only with \`// allow-notEqual: <reason>\` on the same line for genuine refusal-pins.`,
     });
   }
 

package/scripts/check-version-tags.js

@@ -34,6 +34,7 @@
 
 const fs = require("node:fs");
 const path = require("node:path");
+const { execFileSync } = require("node:child_process");
 
 const ROOT = path.join(__dirname, "..");
 const BASELINE_PATH = path.join(ROOT, "tests", ".version-tag-baseline.json");
@@ -64,10 +65,33 @@ const COMMENT_EXEMPT = new Set([
   "CHANGELOG.md",
   "lib/version-pins.js",
   "scripts/check-version-tags.js",
-  // Gitignored local-only contributor docs — never shipped.
-  "CLAUDE.md",
+  // The release-notes-extract gate test asserts version-based CHANGELOG
+  // extraction + the shorter-vs-longer prefix-collision guard, so its fixtures
+  // MUST embed real `## X.Y.Z` headings (e.g. 0.15.5 vs 0.15.50) — load-bearing
+  // test data, not sprinkled release tags.
+  "tests/check-changelog-extract.test.js",
 ]);
 
+// Git-ignored files (a contributor's local-only working docs, scratch) are
+// never scanned — the gate enforces on the would-be-shipped surface, with no
+// need to name individual local-only files. Untracked-but-NOT-ignored files
+// ARE still scanned: a new file a contributor is about to commit is exactly
+// what the gate must catch. Computed via `git check-ignore` over the walked set.
+function gitIgnoredSet(relPaths) {
+  if (!relPaths.length) return new Set();
+  try {
+    const out = execFileSync("git", ["check-ignore", "--stdin"], {
+      cwd: ROOT, input: relPaths.join("\n"), encoding: "utf8", maxBuffer: 64 * 1024 * 1024,
+    });
+    return new Set(out.split(/\r?\n/).filter(Boolean));
+  } catch (e) {
+    // `git check-ignore --stdin` exits 1 when NO path is ignored (not an
+    // error); any paths it did match are on stdout. Absent that, none ignored.
+    const out = e && e.stdout ? String(e.stdout) : "";
+    return new Set(out.split(/\r?\n/).filter(Boolean));
+  }
+}
+
 // Pattern: project version like `v0.13.22` or bare `0.13.22`. Matches
 // our pre-1.0 release range. External package versions like ATLAS
 // `v5.6.0` or CycloneDX `1.6` don't match because the major is 0.
@@ -119,9 +143,14 @@ function countCommentViolations(rel) {
 
 function scanCurrent() {
   const files = walk(ROOT);
+  const ignored = gitIgnoredSet(files);
   const byFile = {};
   const filenameViolations = [];
   for (const rel of files) {
+    // Skip git-ignored, local-only files (a contributor's private working notes
+    // that `git clone` never ships). Untracked-but-not-ignored files are still
+    // scanned — a new file about to be committed is what the gate guards.
+    if (ignored.has(rel)) continue;
     if (FILENAME_VERSION_RE.test(rel)) filenameViolations.push(rel);
     const n = countCommentViolations(rel);
     if (n > 0) byFile[rel] = n;

package/scripts/predeploy.js

@@ -249,6 +249,19 @@ const GATES = [
     args: [path.join(ROOT, "scripts", "check-codebase-patterns.js")],
     ciJobName: "Data integrity (catalog + manifest snapshot)",
   },
+  {
+    // Release-notes extract + quality gate. Runs the same `## <version>`
+    // CHANGELOG extraction the release workflow publishes as the GitHub
+    // Release body, and lints it for operator-facing quality (no internal
+    // phase/pass/slice narrative, no agent-dispatch / conversation residue,
+    // no tautological green claims). A malformed or internal-narrative section
+    // fails here rather than shipping as the public release body / falling
+    // back to the generic "Release of v<version>." line.
+    name: "Release-notes extract + operator-facing lint (CHANGELOG section)",
+    command: process.execPath,
+    args: [path.join(ROOT, "scripts", "check-changelog-extract.js")],
+    ciJobName: "Data integrity (catalog + manifest snapshot)",
+  },
 ];
 
 function runGate(gate) {

package/scripts/release.js

@@ -254,6 +254,11 @@ function cmdPrepare(opts) {
     process.exit(2);
   }
 
+  // The `## <next>` heading exists; confirm the section extracts cleanly and
+  // passes the operator-facing lint (the release workflow publishes it verbatim
+  // as the GitHub Release body). Fail fast here rather than at the gates phase.
+  _run("node", ["scripts/check-changelog-extract.js", next]);
+
   _writeJsonVersion("package.json", next);
   _writeJsonVersion("manifest.json", next);
   _ok("bumped package.json + manifest.json → " + next);

package/scripts/verify-shipped-tarball.js

@@ -344,7 +344,7 @@ try {
     // itself report 0/38 on any tree where line-ending normalization
     // touched the source between sign and pack — a Windows contributor
     // with `core.autocrlf=true`, or a tool like Prettier between sign and
-    // pack. CLAUDE.md flags this as the recurring CRLF-bypass class.
+    // pack. This is the recurring CRLF/line-ending-bypass class.
     const rawContent = fs.readFileSync(skillPath);
     const normalizedContent = normalizeSkillBytes(rawContent);
     const ok = crypto.verify(null, normalizedContent, pubKey, Buffer.from(s.signature, "base64"));