@blamejs/exceptd-skills 0.16.21 → 0.16.23

package/lib/exit-codes.js

@@ -27,6 +27,7 @@ const EXIT_CODES = Object.freeze({
   LOCK_CONTENTION: 8,
   STORAGE_EXHAUSTED: 9,
   UNKNOWN_COMMAND: 10,
+  WATCH_LOCK_CONTENTION: 75,
 });
 
 /**
@@ -45,6 +46,7 @@ const EXIT_CODE_DESCRIPTIONS = Object.freeze({
   8: { name: 'LOCK_CONTENTION', summary: 'Concurrent invocation holds the per-playbook attestation lock; retry after the busy run releases.' },
   9: { name: 'STORAGE_EXHAUSTED', summary: 'Disk full, quota exceeded, or read-only filesystem prevented attestation write (ENOSPC, EDQUOT, EROFS).' },
   10: { name: 'UNKNOWN_COMMAND', summary: 'Unknown verb / dispatcher refused the requested command. Distinct from DETECTED_ESCALATE (2) which means a verb ran and detected an escalation-worthy finding.' },
+  75: { name: 'WATCH_LOCK_CONTENTION', summary: 'Watch daemon lock is held by a live process; retry after it exits (sysexits EX_TEMPFAIL). Distinct from LOCK_CONTENTION (8), the per-playbook attestation lock.' },
 });
 
 /**

package/lib/flag-suggest.js

@@ -75,7 +75,7 @@ const VERB_FLAG_ALLOWLIST = Object.freeze({
     'publisher-namespace', 'vex', 'diff-from-latest', 'all', 'scope',
     'strict-preconditions', 'ci', 'block-on-jurisdiction-clock', 'upstream-check',
     'session-key', 'tlp', 'bundle-deterministic', 'bundle-epoch',
-    'include-judgement-shaped', 'format',
+    'include-judgement-shaped', 'format', 'directive', 'explain', 'signal-list',
   ],
   ci: [
     'evidence', 'evidence-dir', 'session-id', 'force-overwrite', 'attestation-root',

package/lib/lint-skills.js

@@ -44,6 +44,8 @@ const { safeExit } = require('./exit-codes');
 
 const REPO_ROOT = path.resolve(__dirname, '..');
 const MANIFEST_PATH = path.join(REPO_ROOT, 'manifest.json');
+const FRONTMATTER_SCHEMA_PATH = path.join(__dirname, 'schemas', 'skill-frontmatter.schema.json');
+const FRONTMATTER_SCHEMA = JSON.parse(fs.readFileSync(FRONTMATTER_SCHEMA_PATH, 'utf8'));
 const SKILLS_DIR = path.join(REPO_ROOT, 'skills');
 const DATA_DIR = path.join(REPO_ROOT, 'data');
 const ATLAS_PATH = path.join(DATA_DIR, 'atlas-ttps.json');
@@ -234,6 +236,20 @@ function unquote(s) {
     if ((first === '"' && last === '"') || (first === "'" && last === "'")) {
       return s.slice(1, -1);
     }
+    // Quoted scalar followed by an inline comment, e.g.
+    //   "standalone"  # why this skill is standalone
+    // The value is the quoted content; everything after the closing quote is a
+    // YAML comment. Only applied when the trailing segment is whitespace + `#`
+    // so a mid-string `#` inside an unquoted value is never mistaken for one.
+    if (first === '"' || first === "'") {
+      const close = s.indexOf(first, 1);
+      if (close > 0) {
+        const tail = s.slice(close + 1);
+        if (/^\s+#/.test(tail)) {
+          return s.slice(1, close);
+        }
+      }
+    }
   }
   return s;
 }
@@ -253,6 +269,53 @@ function extractFrontmatterBlock(content) {
   return { frontmatter: raw.replace(/^\r?\n/, ''), body: bodyStart, frontmatterRaw: raw };
 }
 
+// Array-item pattern constraints already enforced above by dedicated regexes
+// (ATLAS_ID_RE / ATTACK_ID_RE / JSON_FILENAME_RE) with their own error wording.
+// The schema-driven pass below skips these so a field is never reported twice.
+const SCHEMA_PATTERN_HANDLED_ELSEWHERE = new Set(['atlas_refs', 'attack_refs', 'data_deps']);
+
+/* Enforce the enum and array-item pattern constraints declared in
+ * lib/schemas/skill-frontmatter.schema.json, so the shipped schema is the
+ * source of truth rather than a decorative artifact. Covers the schema's
+ * `enum` constraints (e.g. discovery_mode) and the `items.pattern` format
+ * checks on ref arrays (cwe_refs / d3fend_refs / dlp_refs / rfc_refs) that the
+ * hand-coded checks did not apply. Returns errors in the existing
+ * `frontmatter.<field> ...` voice. */
+function schemaConstraintErrors(fm, schema) {
+  const errors = [];
+  const props = (schema && schema.properties) || {};
+  for (const [field, spec] of Object.entries(props)) {
+    if (!(field in fm)) continue;
+    const value = fm[field];
+
+    if (Array.isArray(spec.enum) && typeof value === 'string') {
+      if (!spec.enum.includes(value)) {
+        errors.push(
+          `frontmatter.${field} "${value}" is not one of ${JSON.stringify(spec.enum)}`,
+        );
+      }
+    }
+
+    if (
+      spec.type === 'array' &&
+      spec.items &&
+      typeof spec.items.pattern === 'string' &&
+      !SCHEMA_PATTERN_HANDLED_ELSEWHERE.has(field) &&
+      Array.isArray(value)
+    ) {
+      const itemRe = new RegExp(spec.items.pattern); // allow:dynamic-regex — bundled schema.pattern, not operator input
+      for (const item of value) {
+        if (typeof item !== 'string' || !itemRe.test(item)) {
+          errors.push(
+            `frontmatter.${field} entry ${JSON.stringify(item)} does not match the schema pattern /${spec.items.pattern}/`,
+          );
+        }
+      }
+    }
+  }
+  return errors;
+}
+
 /* Validate frontmatter object against the codified schema rules. */
 function validateFrontmatter(fm, skillName) {
   const errors = [];
@@ -387,6 +450,10 @@ function validateFrontmatter(fm, skillName) {
     }
   }
 
+  // Drive enum + ref-pattern enforcement from the published schema so the
+  // shipped artifact and this gate cannot diverge.
+  errors.push(...schemaConstraintErrors(fm, FRONTMATTER_SCHEMA));
+
   return { errors, warnings };
 }
 
@@ -886,6 +953,9 @@ module.exports = {
   COUNTERMEASURE_SECTION,
   COUNTERMEASURE_CUTOFF,
   MIN_SECTION_BODY_WORDS,
+  validateFrontmatter,
+  schemaConstraintErrors,
+  FRONTMATTER_SCHEMA,
 };
 
 if (require.main === module) {

package/lib/playbook-runner.js

@@ -48,6 +48,7 @@ const path = require('path');
 const os = require('os');
 const crypto = require('crypto');
 const scoring = require('./scoring');
+const { assertIdComponent } = require('./id-validation');
 const codepointClass = require('../vendor/blamejs/codepoint-class.js');
 
 // cross-ref-api wraps catalog reads. If cve-catalog.json is corrupt
@@ -170,6 +171,9 @@ function listPlaybooks() {
 }
 
 function loadPlaybook(playbookId) {
+  // Traversal defense co-located with the path.join — every caller gets it,
+  // not just the CLI dispatcher's pre-validation wrapper.
+  assertIdComponent(playbookId, 'playbook');
   const p = path.join(PLAYBOOK_DIR, `${playbookId}.json`);
   if (!fs.existsSync(p)) throw new Error(`Playbook not found: ${playbookId} (expected ${p})`);
   return JSON.parse(fs.readFileSync(p, 'utf8'));
@@ -1104,7 +1108,7 @@ function analyze(playbookId, directiveId, detectResult, agentSignals = {}, runOp
   // Aliasing: playbooks ship rwep_factor values `public_poc` and
   // `ai_weaponization` for what F5 calls `poc_available` and `ai_factor`.
   // Both spellings resolve here.
-  const _activeExploitationLadder = { confirmed: 1.0, suspected: 0.5, unknown: 0.25, theoretical: 0, none: 0 };
+  const _activeExploitationLadder = scoring.ACTIVE_EXPLOITATION_LADDER;
   const _factorScale = (factorName, cve, blastScore) => {
     if (!cve) return 0;
     switch (factorName) {
@@ -1288,17 +1292,16 @@ function analyze(playbookId, directiveId, detectResult, agentSignals = {}, runOp
   // not compute new gaps here, just attaches the playbook-declared ones.
   const frameworkGaps = an.framework_gap_mapping || [];
 
-  // escalation criteria
+  // escalation criteria are evaluated AFTER the analyze result is assembled
+  // (below the result literal) so conditions can reference `analyze.*` and
+  // `finding.*` paths — the same roots close()'s feeds_into context
+  // resolves. The flat keys (rwep, blast_radius_score, theater_verdict,
+  // agent signals) remain available unchanged.
   const escalations = [];
   const runtimeErrors = []; // E3: collect regex-eval errors during analyze
   const evalCtxRoot = { _runErrors: runOpts._runErrors || runtimeErrors };
-  for (const ec of an.escalation_criteria || []) {
-    if (evalCondition(ec.condition, { rwep: adjustedRwep, blast_radius_score: blastRadiusScore, theater_verdict: theaterVerdict, ...agentSignals, ...evalCtxRoot }, playbook)) {
-      escalations.push({ condition: ec.condition, action: ec.action, target_playbook: ec.target_playbook || null });
-    }
-  }
 
-  return {
+  const result = {
     phase: 'analyze',
     playbook_id: playbookId,
     directive_id: directiveId,
@@ -1370,6 +1373,26 @@ function analyze(playbookId, directiveId, detectResult, agentSignals = {}, runOp
     // observations submitted.
     signal_origins_with_collisions: Array.isArray(agentSignals?._signal_origins_collisions) ? agentSignals._signal_origins_collisions.slice() : (Array.isArray(detectResult?._signal_origins_collisions) ? detectResult._signal_origins_collisions.slice() : [])
   };
+
+  // analyzeFindingShape is a pure transform but defensive-wrap it (same as
+  // close()) so a malformed analyze result can't abort escalation handling.
+  let findingShape;
+  try { findingShape = analyzeFindingShape(result); }
+  catch (e) {
+    if (Array.isArray(runOpts._runErrors)) {
+      pushRunError(runOpts._runErrors, { kind: 'analyze_shape', message: (e && e.message) ? String(e.message) : String(e) }, { dedupeKey: x => x.message || '' });
+    }
+    findingShape = {};
+  }
+  for (const ec of an.escalation_criteria || []) {
+    if (evalCondition(ec.condition, { rwep: adjustedRwep, blast_radius_score: blastRadiusScore, theater_verdict: theaterVerdict, analyze: result, finding: findingShape, ...agentSignals, ...evalCtxRoot }, playbook)) {
+      escalations.push({ condition: ec.condition, action: ec.action, target_playbook: ec.target_playbook || null });
+    }
+  }
+  // Escalation evaluation may have appended regex-eval diagnostics; refresh
+  // the snapshot so analyze.runtime_errors reflects them.
+  result.runtime_errors = (runOpts._runErrors && runOpts._runErrors.length) ? runOpts._runErrors.slice() : (runtimeErrors.length ? runtimeErrors.slice() : []);
+  return result;
 }
 
 /**
@@ -1638,7 +1661,7 @@ function close(playbookId, directiveId, analyzeResult, validateResult, agentSign
   // upstream `govern.jurisdiction_obligations` has the real data — carry it
   // forward. `notification_deadline` is published as an alias for `deadline`
   // (matches the field name compliance teams expect on a notification record).
-  const notificationActions = (c.notification_actions || []).map(na => {
+  const enrichNotification = (na) => {
     const obligation = (g.jurisdiction_obligations || []).find(o =>
       `${o.jurisdiction}/${o.regulation} ${o.window_hours}h` === na.obligation_ref
     );
@@ -1704,7 +1727,29 @@ function close(playbookId, directiveId, analyzeResult, validateResult, agentSign
         return { draft_notification: draft, missing_interpolation_vars: missing };
       })(),
     };
-  });
+  };
+  const notificationActions = (c.notification_actions || []).map(enrichNotification);
+
+  // A govern obligation that declares a notification duty but has no
+  // matching close.notification_actions entry would otherwise never surface
+  // in the phase-7 record set — its regulatory clock stays invisible to
+  // operators reading jurisdiction_notifications. Synthesize a record for
+  // each uncovered notify-type obligation so the deadline is computed and
+  // visible. The synthesized entry carries no draft template (the playbook
+  // declared none) and is marked synthesized_from_obligation so operators
+  // can tell it apart from a playbook-authored action.
+  const coveredObligationRefs = new Set((c.notification_actions || []).map(na => na.obligation_ref));
+  for (const o of (g.jurisdiction_obligations || [])) {
+    if (!String(o.obligation || '').startsWith('notify')) continue;
+    const ref = `${o.jurisdiction}/${o.regulation} ${o.window_hours}h`;
+    if (coveredObligationRefs.has(ref)) continue;
+    notificationActions.push(enrichNotification({
+      obligation_ref: ref,
+      recipient: null,
+      draft_notification: null,
+      synthesized_from_obligation: true,
+    }));
+  }
 
   // exception_generation — evaluate trigger.
   let exception = null;
@@ -3741,7 +3786,7 @@ function evalCondition(expr, ctx, playbook) {
     // analyze() can surface analyze.runtime_errors[] without losing the
     // diagnostic.
     try {
-      return new RegExp(m[2], 'i').test(val); // allow:dynamic-regex — m[2] is the pattern from a signed-catalog playbook condition (/…/), and construction + .test() are already wrapped in this try/catch to neutralize a malformed/pathological pattern
+      return new RegExp(m[2], 'i').test(val); // allow:dynamic-regex — m[2] comes from an Ed25519-signed catalog playbook condition (/…/), so the pattern cannot be attacker-controlled without breaking the signature; the try/catch covers construction-time syntax errors only (it does NOT defend against catastrophic backtracking — do not reuse this shape for operator-supplied patterns)
     } catch (e) {
       const errorRec = { _regex_eval_error: { source: m[1], expr: m[2], message: e && e.message ? String(e.message) : String(e) } };
       // Two sites where ctx may carry an accumulator: runOpts._runErrors
@@ -3955,4 +4000,7 @@ module.exports = {
   _lockFilePath: lockFilePath,
   _vulnIdToUrn: vulnIdToUrn,
   _worstActiveExploitation: worstActiveExploitation,
+  // Re-exported from scoring so parity between the catalog scorer and the
+  // runtime evaluator is checkable (and enforced by a test) at the seam.
+  _activeExploitationLadder: scoring.ACTIVE_EXPLOITATION_LADDER,
 };

package/lib/prefetch.js

@@ -386,9 +386,32 @@ function verifyIndexSignature(cacheDir) {
   }
   const pubPath = path.join(ROOT, "keys", "public.pem");
   if (!fs.existsSync(pubPath)) return { status: "invalid", reason: "keys/public.pem absent — cannot verify cache signature" };
+  const pubPem = fs.readFileSync(pubPath, "utf8");
+  // Consult keys/EXPECTED_FINGERPRINT BEFORE crypto.verify, the same external
+  // trust anchor every other signature-verifying ingest site enforces. A
+  // host-local keys/public.pem swap paired with an attacker-signed
+  // _index.json.sig would otherwise authenticate against the attacker's own
+  // key (the signature verifies against whatever public.pem is present). The
+  // pin is the off-host anchor that closes that gap; honor KEYS_ROTATED=1 for
+  // legitimate rotations and warn-and-continue when no pin file is present.
+  try {
+    const { publicKeyFingerprint, checkExpectedFingerprint } = require("./verify.js");
+    const pinResult = checkExpectedFingerprint(publicKeyFingerprint(pubPem));
+    if (pinResult.status === "mismatch" && !pinResult.rotationOverride) {
+      return {
+        status: "invalid",
+        reason: `fingerprint-mismatch: live=${pinResult.actual} pin=${pinResult.expected} — keys/public.pem does not match keys/EXPECTED_FINGERPRINT. If this is an intentional rotation, set KEYS_ROTATED=1 and update the pin.`,
+      };
+    }
+  } catch {
+    // verify.js unavailable (partial install). The caller (loadCtx) already
+    // treats a verifier-unavailable signature path as a hard refusal unless
+    // --force-stale, so falling through to the signature check below keeps
+    // behavior no weaker than before the pin was added.
+  }
   const idx = JSON.parse(fs.readFileSync(indexPath, "utf8"));
   const bytes = canonicalIndexBytes(idx);
-  const pubKey = crypto.createPublicKey(fs.readFileSync(pubPath, "utf8"));
+  const pubKey = crypto.createPublicKey(pubPem);
   let sigBytes;
   try { sigBytes = Buffer.from(sidecar.signature_base64, "base64"); }
   catch (e) { return { status: "invalid", reason: `signature_base64 decode: ${e.message}` }; }

package/lib/refresh-external.js

@@ -294,6 +294,33 @@ const KEV_SOURCE = {
           continue;
         }
         catalog[d.id][d.field] = d.after;
+        // A cisa_kev flip changes the entry's RWEP: the KEV factor carries
+        // RWEP_WEIGHTS.cisa_kev points, and the catalog invariant requires
+        // rwep_score to equal the factor sum. Writing the flag without the
+        // factor + score left entries failing scoring.validate() (stored 45
+        // vs computed 70 on the first real KEV listing the refresh applied).
+        if (d.field === "cisa_kev") {
+          const entry = catalog[d.id];
+          if (entry.rwep_factors && typeof entry.rwep_factors === "object") {
+            const scoring = require("./scoring");
+            // Match the stored factor shape: Shape A keeps the boolean,
+            // Shape B (the catalog norm) stores the post-weight contribution.
+            entry.rwep_factors.cisa_kev =
+              typeof entry.rwep_factors.cisa_kev === "boolean"
+                ? !!d.after
+                : (d.after ? scoring.RWEP_WEIGHTS.cisa_kev : 0);
+            entry.rwep_score = scoring.deriveRwepFromFactors(entry.rwep_factors);
+          }
+          // A de-listing (true→false) leaves the listing date orphaned: the
+          // CVE is no longer KEV-listed, so its dateAdded is stale intel.
+          // The upstream diff producer only emits a cisa_kev_date diff when
+          // upstream has a date, which a de-listed CVE no longer does — so
+          // nothing else clears it. Drop the now-meaningless date fields here.
+          if (d.after === false) {
+            if ("cisa_kev_date" in entry) entry.cisa_kev_date = null;
+            if ("cisa_kev_due_date" in entry) entry.cisa_kev_due_date = null;
+          }
+        }
         catalog[d.id].last_verified = TODAY;
         updated++;
       }
@@ -595,9 +622,17 @@ const GHSA_SOURCE = {
   async fetchDiff(ctx) {
     if (ctx.fixtures?.ghsa) return synthesizeFromFixture(ctx, "ghsa");
     if (ctx.cacheDir) {
-      // Cache parity: ghsa cache layout is .cache/upstream/ghsa/<published-date>.json
-      // GHSA has no cache layer yet — fall through to live fetch. (Unlike NVD
-      // and RFC, GHSA does not honor the air-gap --from-cache path.)
+      // --from-cache is the offline ingest path: every source reads only
+      // local cache files, never the network. GHSA has no cache layer, so
+      // there is nothing to read offline. Skip it with a structured status
+      // instead of falling through to the live api.github.com fetch, which
+      // would silently egress on a host the operator believes is isolated.
+      return {
+        status: "unreachable",
+        diffs: [],
+        errors: 0,
+        summary: "GHSA: no cache layer; skipped in --from-cache mode (would require a live network call)",
+      };
     }
     const ghsa = require("./source-ghsa");
     return ghsa.buildDiff(ctx);
@@ -652,6 +687,18 @@ const OSV_SOURCE = {
   applies_to: "data/cve-catalog.json",
   async fetchDiff(ctx) {
     if (ctx.fixtures?.osv) return synthesizeFromFixture(ctx, "osv");
+    if (ctx.cacheDir) {
+      // --from-cache is the offline ingest path. OSV resolves advisories by
+      // live id lookup (ctx.osv_ids) and has no cache layer, so skip it with
+      // a structured status rather than risk a live osv.dev fetch on a host
+      // the operator believes is isolated.
+      return {
+        status: "unreachable",
+        diffs: [],
+        errors: 0,
+        summary: "OSV: no cache layer; skipped in --from-cache mode (would require a live network call)",
+      };
+    }
     const osv = require("./source-osv");
     return osv.buildDiff(ctx);
   },
@@ -830,8 +877,12 @@ function kevDiffFromCache(ctx) {
       diffs.push({ id, field: "cisa_kev", before: entry.cisa_kev, after: upstream, severity: "high" });
     }
     const upDate = kevDates.get(id) || null;
-    if (upDate && entry.cisa_kev_date && entry.cisa_kev_date !== upDate) {
-      diffs.push({ id, field: "cisa_kev_date", before: entry.cisa_kev_date, after: upDate, severity: "low" });
+    // First listings arrive with a null local date — emit the date diff
+    // whenever upstream has one that the local entry lacks or contradicts,
+    // so the flag flip and its listing date apply together (the strict
+    // catalog validator requires KEV-listed entries to carry the date).
+    if (upDate && (entry.cisa_kev_date || null) !== upDate) {
+      diffs.push({ id, field: "cisa_kev_date", before: entry.cisa_kev_date ?? null, after: upDate, severity: "low" });
     }
   }
   return { status: "ok", diffs, errors: 0, summary: `${diffs.length} KEV diffs (from cache)` };

package/lib/rfc-cli.js

@@ -83,4 +83,11 @@ const { resolveRfc } = require("./citation-resolve.js");
   }
   // A mismatched or nonexistent citation is a non-zero exit for gates.
   if (fails) process.exitCode = 2;
-})();
+})().catch((err) => {
+  // A corrupt/unreadable RFC index (or any unexpected throw inside the async
+  // body) becomes a rejected promise. Emit the documented {ok:false,error}
+  // envelope rather than crashing with a raw stack trace, and signal failure
+  // via exitCode so the event loop drains stderr before exit.
+  process.stderr.write(JSON.stringify({ ok: false, verb: "rfc", error: String((err && err.message) || err) }) + "\n");
+  process.exitCode = 1;
+});

package/lib/scoring.js

@@ -39,13 +39,12 @@
  * ----------------------------------------------------------------------------
  */
 
-const CVE_SCHEMA_REQUIRED = [
-  'type', 'cvss_score', 'cvss_vector', 'cisa_kev', 'poc_available',
-  'ai_discovered', 'active_exploitation', 'affected', 'patch_available',
-  'patch_required_reboot', 'live_patch_available', 'live_patch_tools',
-  'rwep_score', 'rwep_factors', 'atlas_refs', 'attack_refs',
-  'source_verified', 'verification_sources', 'last_updated'
-];
+// Required-field list is loaded from the catalog schema's entry-level
+// `required` array so the two can never drift. (live_patch_tools is
+// deliberately NOT hard-required here — it is schema-optional, and the
+// live_patch_available => live_patch_tools implication is enforced
+// separately below.)
+const CVE_SCHEMA_REQUIRED = require('./schemas/cve-catalog.schema.json').required;
 
 // blast_radius range is 0-30; represents breadth of affected population.
 // AI-discovered and AI-assisted-weaponization both contribute the ai_factor (+15).
@@ -383,7 +382,12 @@ function compare(cveId, catalog, opts) {
  */
 function detectFactorShape(factors) {
   if (!factors || typeof factors !== 'object') return 'unknown';
-  const boolFields = ['cisa_kev', 'poc_available', 'ai_assisted_weaponization', 'ai_discovered', 'active_exploitation', 'patch_available', 'live_patch_available', 'patch_required_reboot'];
+  // Keys inspected for shape evidence. Covers BOTH spellings per factor:
+  // the Shape A (raw boolean) names AND the Shape B (post-weight) names the
+  // schema requires on rwep_factors — ai_factor and reboot_required — so a
+  // post-weight integer on either canonical key registers as Shape B
+  // evidence instead of slipping past the mixed-shape detector.
+  const boolFields = ['cisa_kev', 'poc_available', 'ai_assisted_weaponization', 'ai_discovered', 'ai_factor', 'active_exploitation', 'patch_available', 'live_patch_available', 'patch_required_reboot', 'reboot_required'];
   let sawBool = false;
   let sawWeightedInt = false;
   for (const [k, v] of Object.entries(factors)) {
@@ -440,6 +444,30 @@ function validate(catalog) {
     if (shape === 'mixed') {
       errors.push(`${cveId}: rwep_factors mixes Shape A (booleans) with Shape B (post-weight integers) — sum invariant cannot hold. Convert factors to a single shape.`);
     }
+    // Per-factor coherence: in a Shape B (post-weight) block every stored
+    // contribution must equal the weight implied by its source field.
+    // Without this, two compensating per-factor errors cancel inside the
+    // ±5 aggregate tolerance below and a factor block that contradicts the
+    // entry's own flags ships unnoticed. blast_radius is exempt — it is the
+    // one judgment-set factor with no deriving source field.
+    if (shape === 'B') {
+      const f = entry.rwep_factors;
+      const aeMultiplier = ACTIVE_EXPLOITATION_LADDER[entry.active_exploitation] ?? 0;
+      const implied = {
+        cisa_kev: entry.cisa_kev === true ? RWEP_WEIGHTS.cisa_kev : 0,
+        poc_available: entry.poc_available === true ? RWEP_WEIGHTS.poc_available : 0,
+        ai_factor: (entry.ai_assisted_weaponization === true || entry.ai_discovered === true) ? RWEP_WEIGHTS.ai_factor : 0,
+        active_exploitation: RWEP_WEIGHTS.active_exploitation * aeMultiplier,
+        patch_available: entry.patch_available === true ? RWEP_WEIGHTS.patch_available : 0,
+        live_patch_available: entry.live_patch_available === true ? RWEP_WEIGHTS.live_patch_available : 0,
+        reboot_required: entry.patch_required_reboot === true ? RWEP_WEIGHTS.reboot_required : 0,
+      };
+      for (const [k, want] of Object.entries(implied)) {
+        if (k in f && typeof f[k] === 'number' && f[k] !== want) {
+          errors.push(`${cveId}: rwep_factors.${k} is ${f[k]} but the entry's source fields imply ${want}`);
+        }
+      }
+    }
     const calculatedRwep = scoreCustom({
       cisa_kev: entry.cisa_kev,
       poc_available: entry.poc_available,

package/lib/validate-cve-catalog.js

@@ -313,6 +313,23 @@ function additionalChecks(key, entry, ctx) {
   return warnings;
 }
 
+// Return the list of catalogs whose hand-maintained _meta.entry_count disagrees
+// with the live count of non-metadata top-level keys. Catalogs without a numeric
+// _meta.entry_count (or absent/null catalogs) are skipped, so any loaded catalog
+// that adopts the field is covered without editing this function.
+function entryCountMismatches(catalogs) {
+  const failures = [];
+  for (const { name, catalog: cat } of catalogs) {
+    if (cat && cat._meta && typeof cat._meta.entry_count === 'number') {
+      const actual = Object.keys(cat).filter((k) => !k.startsWith('_')).length;
+      if (cat._meta.entry_count !== actual) {
+        failures.push({ name, declared: cat._meta.entry_count, actual });
+      }
+    }
+  }
+  return failures;
+}
+
 function main() {
   const opts = parseArgs(process.argv);
   if (opts === null) return; // parseArgs handled --help / bad-arg and set the exit code
@@ -374,24 +391,28 @@ function main() {
   // Guard hand-maintained _meta.entry_count fields against silent drift. The
   // framework-control-gaps counter once declared 184 while the file held 192
   // and nothing caught it; the zeroday-lessons counter drifted to 68 while the
-  // file held 422 because only framework-control-gaps was gated. This now
-  // checks EVERY loaded catalog that declares a numeric _meta.entry_count, so a
-  // new catalog with the field is covered automatically.
+  // file held 422 because only framework-control-gaps was gated. This checks
+  // EVERY loaded catalog that declares a numeric _meta.entry_count, so a new
+  // catalog with the field is covered automatically. The covered set is derived
+  // from the catalogs main() already loaded, not a fixed allowlist.
   const ENTRY_COUNT_CATALOGS = [
-    { name: 'framework-control-gaps', catalog: frameworks },
+    { name: 'cve-catalog', catalog },
     { name: 'zeroday-lessons', catalog: lessons },
+    { name: 'atlas-ttps', catalog: atlas },
+    { name: 'cwe-catalog', catalog: cwe },
+    { name: 'attack-techniques', catalog: attack },
+    { name: 'd3fend-catalog', catalog: d3fend },
+    { name: 'framework-control-gaps', catalog: frameworks },
   ];
-  for (const { name, catalog: cat } of ENTRY_COUNT_CATALOGS) {
-    if (cat && cat._meta && typeof cat._meta.entry_count === 'number') {
-      const actual = Object.keys(cat).filter((k) => !k.startsWith('_')).length;
-      if (cat._meta.entry_count !== actual) {
-        process.stderr.write(
-          `[validate-cve-catalog] FAIL: ${name} _meta.entry_count (${cat._meta.entry_count}) ` +
-          `!= actual entry count (${actual}). Update _meta.entry_count to ${actual}.\n`,
-        );
-        process.exit(1);
-      }
+  const entryCountFailures = entryCountMismatches(ENTRY_COUNT_CATALOGS);
+  if (entryCountFailures.length > 0) {
+    for (const f of entryCountFailures) {
+      process.stderr.write(
+        `[validate-cve-catalog] FAIL: ${f.name} _meta.entry_count (${f.declared}) ` +
+        `!= actual entry count (${f.actual}). Update _meta.entry_count to ${f.actual}.\n`,
+      );
     }
+    process.exit(1);
   }
 
   let failed = 0;
@@ -496,6 +517,7 @@ module.exports = {
   looksLikePublicExploitSource,
   isUsableDate,
   additionalChecks,
+  entryCountMismatches,
   PUBLIC_EXPLOIT_URL_PATTERNS,
   STRICT_CVSS_PATTERN,
 };

package/lib/validate-package.js

@@ -40,6 +40,14 @@ const REQUIRED_PATHS = [
   "manifest-snapshot.json",
   "sbom.cdx.json",
   "bin/exceptd.js",
+  // Modules require()d at the top of bin/exceptd.js on every invocation —
+  // dropping any of these from the tarball bricks the CLI at launch with a
+  // module-not-found, so they are pinned explicitly rather than relied on via
+  // the directory-level files[] entries.
+  "lib/exit-codes.js",
+  "lib/id-validation.js",
+  "lib/flag-suggest.js",
+  "vendor/blamejs/codepoint-class.js",
   "lib/refresh-external.js",
   "lib/job-queue.js",
   "lib/prefetch.js",

package/lib/validate-playbooks.js

@@ -475,6 +475,48 @@ function checkCrossRefs(playbook, ctx, playbookIds) {
     }
   }
 
+  // Escalation / feeds_into condition path-root resolvability. The
+  // analyze-phase escalation context resolves the flat keys (rwep,
+  // blast_radius_score, theater_verdict, agent signals) plus the `analyze`
+  // and `finding` roots; close()'s feeds_into context additionally resolves
+  // `validate` and `theater_score`. A dotted path rooted at any OTHER phase
+  // name can never resolve at evaluation time — the condition would
+  // silently never fire — so it is rejected here. Bare (un-dotted)
+  // identifiers are agent-signal names, an open vocabulary, and are not
+  // checked.
+  const conditionPathRoots = (cond) => {
+    if (typeof cond !== 'string') return [];
+    const stripped = cond.replace(/'[^']*'|"[^"]*"|\/[^/\n]*\//g, ' ');
+    const roots = [];
+    const re = /(?<![.\w])([A-Za-z_][A-Za-z0-9_]*)(?:\.[A-Za-z_][A-Za-z0-9_]*)+/g;
+    let m;
+    while ((m = re.exec(stripped)) !== null) roots.push(m[1]);
+    return roots;
+  };
+  const PHASE_NAME_ROOTS = new Set(['govern', 'direct', 'look', 'detect', 'analyze', 'validate', 'close']);
+  const ESCALATION_OK_ROOTS = new Set(['analyze', 'finding']);
+  const FEEDS_OK_ROOTS = new Set(['analyze', 'validate', 'finding']);
+  for (const [i, ec] of (((phases.analyze || {}).escalation_criteria) || []).entries()) {
+    if (!ec || typeof ec !== 'object') continue;
+    for (const root of conditionPathRoots(ec.condition)) {
+      if (PHASE_NAME_ROOTS.has(root) && !ESCALATION_OK_ROOTS.has(root)) {
+        err(
+          `phases.analyze.escalation_criteria[${i}].condition: path root "${root}." is not resolvable in the escalation context (phase-result roots available there: analyze, finding) — the condition would never fire`,
+        );
+      }
+    }
+  }
+  for (const [i, f] of (meta.feeds_into || []).entries()) {
+    if (!f || typeof f !== 'object') continue;
+    for (const root of conditionPathRoots(f.condition)) {
+      if (PHASE_NAME_ROOTS.has(root) && !FEEDS_OK_ROOTS.has(root)) {
+        err(
+          `_meta.feeds_into[${i}].condition: path root "${root}." is not resolvable in the feeds_into context (phase-result roots available there: analyze, validate, finding) — the condition would never fire`,
+        );
+      }
+    }
+  }
+
   // Air-gap completeness. When _meta.air_gap_mode is true the runner refuses
   // to touch the network, so every artifact whose source is a network call
   // (https://, http://, gh api, gh release, curl, wget, fetch) MUST carry a

package/lib/verify.js

@@ -602,13 +602,14 @@ function validateAgainstSchema(value, schema, here, root) {
  * and returns the first non-comment / non-empty line. Returns null if
  * the file is unreadable / empty.
  *
- * Shared across four sites so every loader normalises identically:
+ * Shared across five sites so every loader normalises identically:
  *   - lib/verify.js              (manifest signature gate)
  *   - lib/refresh-network.js     (refresh-network pre-swap gate)
  *   - scripts/verify-shipped-tarball.js (predeploy gate)
  *   - bin/exceptd.js             (attestation pin)
- * tests/normalize-contract.test.js asserts byte-identical output across all
- * four sites under a BOM + CRLF fuzz corpus.
+ *   - lib/prefetch.js            (cache-consume index signature pin)
+ * tests/normalize-contract.test.js asserts byte-identical output across the
+ * sites under a BOM + CRLF fuzz corpus.
  */
 function loadExpectedFingerprintFirstLine(pinPath) {
   let buf;

package/manifest-snapshot.json

@@ -1,6 +1,6 @@
 {
   "_comment": "Auto-generated by scripts/refresh-manifest-snapshot.js — do not hand-edit. Public skill surface used by check-manifest-snapshot.js to detect breaking removals.",
-  "_generated_at": "2026-06-02T19:58:16.286Z",
+  "_generated_at": "2026-06-05T18:14:35.343Z",
   "atlas_version": "5.6.0",
   "skill_count": 51,
   "skills": [
@@ -155,7 +155,9 @@
         "RFC-9421",
         "RFC-9458"
       ],
-      "cwe_refs": [],
+      "cwe_refs": [
+        "CWE-918"
+      ],
       "d3fend_refs": [
         "D3-CA",
         "D3-CSPP",