@blamejs/exceptd-skills 0.16.22 → 0.16.24

package/ARCHITECTURE.md

@@ -176,7 +176,7 @@ Tracks PoC status, weaponization stage, and AI-assist factor per CVE. Updated wh
 
 ### `data/cwe-catalog.json`
 
-173 CWE entries pinned to **CWE v4.20**. Covers the Top 25 Most Dangerous Software Weaknesses (2024 release) plus AI- and supply-chain-relevant weakness classes (prompt-injection-as-trust-boundary failure, training data integrity, dependency confusion, untrusted artifact ingestion). Each entry records root-cause description, common consequences, mitigation patterns, and the CVEs in `cve-catalog.json` that instantiate the weakness. Skills cite CWE IDs in `cwe_refs` to anchor a finding to a stable weakness taxonomy rather than to a single CVE; the CWE provides the durable root-cause lens that survives across exploit generations.
+177 CWE entries pinned to **CWE v4.20**. Covers the Top 25 Most Dangerous Software Weaknesses (2024 release) plus AI- and supply-chain-relevant weakness classes (prompt-injection-as-trust-boundary failure, training data integrity, dependency confusion, untrusted artifact ingestion). Each entry records root-cause description, common consequences, mitigation patterns, and the CVEs in `cve-catalog.json` that instantiate the weakness. Skills cite CWE IDs in `cwe_refs` to anchor a finding to a stable weakness taxonomy rather than to a single CVE; the CWE provides the durable root-cause lens that survives across exploit generations.
 
 `_meta.cwe_version` pins the version; on a CWE release, audit IDs for renames or deprecations, bump `last_threat_review` on affected skills, and update `_meta`.
 
@@ -213,7 +213,7 @@ cisa_kev              +25  (binary)
 poc_available         +20  (binary)
 ai_assisted_weapon    +15  (binary)
 active_exploitation   +20  (binary)
-blast_radius          +15  (0–15 scaled)
+blast_radius          +30  (0–30 scaled)
 patch_available       -15  (binary)
 live_patch_available  -10  (binary: additional reduction if no reboot required)
 reboot_required       +5   (binary penalty: patch exists but requires reboot)

package/CHANGELOG.md

@@ -1,5 +1,45 @@
 # Changelog
 
+## 0.16.24 — 2026-06-05
+
+Attestation replay tamper-gating, collector detection integrity, and lock-lifecycle fixes.
+
+### Bugs
+
+A host whose `keys/public.pem` fails the `EXPECTED_FINGERPRINT` pin is now a first-class tamper state on the replay path: `reattest` refuses with exit 6 (TAMPERED) unless `--force-replay`, the same way `attest verify` already refused. Previously the pin mismatch — the exact key-swap attack the pin exists to surface — fell through to a benign "unsigned attestations are an operator config issue" note and the replay proceeded. The sidecar audit classification gains a matching `fingerprint-mismatch` label, and the replay-refusal predicate now lives in one shared helper so a future tamper class has exactly one place to extend.
+
+Piping a collector into a run — `exceptd collect secrets | exceptd run secrets --evidence -` — now classifies real findings as detected instead of silently inconclusive. Collectors flipped false-positive-gated indicators to "hit" without attesting the FP checks they had actually performed, so the engine's honest-downgrade gate demoted every such hit. Eight collectors now perform and attest their deterministic FP checks (example-key demotion, placeholder and entropy floors, context co-occurrence, test-path exclusion, kernel-config reads, sticky-bit/socket classification, registry-tarball and mutable-ref analysis); indicators whose remaining checks genuinely require a network probe or operator judgement stay inconclusive by design, and a guard test enforces that any collector flipping a gated indicator either attests its checks or documents why it abstains.
+
+A run invoked with `--bundle-deterministic` against pathologically nested evidence no longer leaks the playbook's cross-process mutex: the depth-limit refusal threw after the lock was taken but before the release path was armed, so every later run of that playbook on the same host was blocked with a phantom "concurrent run holds the mutex" until the process exited. Attestation creation no longer strands an orphaned, unsigned attestation body holding the session slot when the body lands but its signature sidecar cannot be placed — the slot is released and the create can be retried; the unsafe-filename refusal also now returns its structured envelope instead of crashing. `doctor --ai-config --fix` no longer builds an `icacls` grant from an unset `USERNAME` (which stripped ACL inheritance and then failed on the unresolvable account, locking the file out); it resolves the user via the OS and withholds the automatic fix when no name is resolvable. The watch daemon's lockfile stale-reclaim race now exits 75 (WATCH_LOCK_CONTENTION) like every other contention path instead of a generic failure, and the CVE regression watcher stamps reports with the run's clock rather than a module-load timestamp.
+
+End-to-end detection scenarios now assert that the staged indicator actually fired instead of accepting the operator-supplied verdict alone, one scenario no longer masks the engine's computed classification with an override, and RWEP floors are pinned at the computed values so a per-indicator weight regression trips them. The derived-index builders count `###` headings fence-aware (code-block lines no longer inflate section offsets), emit the documented `dlp_refs` key on CWE chains, and describe their real output shape; the zero-day response report template and remaining docs now state the blast-radius ceiling as 0-30.
+
+## 0.16.23 — 2026-06-05
+
+A broad correctness and hardening pass across the runtime, the data-refresh pipeline, the catalogs, and the release tooling.
+
+### Bugs
+
+Escalation conditions written against the analyze result — `analyze.compliance_theater_check.verdict == 'theater'` and `finding.*` paths — now actually fire: the escalation evaluator previously resolved only the flat context keys, so a playbook's theater-verdict or finding-keyed escalation (for example cloud-iam-incident's notify_legal) could never trigger. The evaluation context now exposes the assembled analyze result and the derived finding shape — the same roots feeds_into conditions already resolve — and the playbook validator rejects any condition rooted at a phase result that can never resolve in its context.
+
+A declared regulatory clock can no longer drop out of a run's close-phase output. A govern obligation with a notification duty but no matching close notification action — fourteen playbooks carried at least one, such as cloud-iam-incident's AU Privacy Act NDB 720-hour window — now yields a synthesized, fully enriched record in `jurisdiction_notifications`, marked `synthesized_from_obligation` and carrying the computed deadline and the obligation's evidence checklist.
+
+`refresh --from-cache` is now actually offline: the GHSA and OSV sources, which have no cache layer, fell through to live network fetches; they now return a structured skip instead. The cache-consume signature gate additionally pins the publisher key fingerprint like every other verification site, auto-discovery verifies each cached payload's sha256 against the signed cache index before deriving draft fields from it, and a KEV de-listing now clears the stale `cisa_kev_date` alongside zeroing the factor.
+
+CLI failure paths emit the documented structured envelope instead of raw stack traces: `exceptd cve` and `exceptd rfc` against a corrupt catalog, curation apply-path write failures (disk full, read-only filesystem), the orchestrator's fatal handler, and framework-gap catalog-read failures under `--json`. `ci --max-rwep` with a missing value now errors instead of silently setting the gate cap to 1. `collect` failure bodies no longer advertise an exit code different from the one the process exits with. The watch daemon's lock-contention exit (75) is documented in `doctor --exit-codes`. Collector artifact summaries emit forward-slash paths on Windows, matching their SARIF evidence locations. Attestation diff and reattest regain their signal-side comparison fallback — it read a playbook path that never exists, so the fallback was dead. The typo-suggester's flag inventory for `run` now includes `--directive`, `--explain`, and `--signal-list`.
+
+The MCP-config scanner now redacts secret-shaped values recursively before anything is emitted or persisted; previously only top-level fields were redacted, so an API key nested inside a server's config object leaked into scan output verbatim.
+
+Four catalog entries carried RWEP factor values contradicting their own flags (CVE-2026-46333, CVE-2009-3459, CVE-2023-43472, and CVE-2026-31635 — the last with two compensating errors that cancelled in the aggregate tolerance). Their factors and scores are corrected, and the validator now checks every stored factor against the weight its source field implies, so compensating per-factor drift can no longer ship. The factor-shape detector also recognizes the catalog's canonical `ai_factor` and `reboot_required` keys, closing a gap where a mixed-shape factor block on exactly those keys passed undetected, and the required-field list the scorer validates against is loaded from the catalog schema itself (it had drifted: five schema-required fields unchecked, one optional field over-required).
+
+The documented RWEP formula understated its heaviest factor: blast radius contributes up to 30 points, not the 15 stated in the README, the architecture notes, and the exploit-scoring skill's formula text. The docs now match the scorer, which was always correct — its worked examples already used 30. The derived skill indexes are rebuilt from skill frontmatter rather than a stale manifest cache, restoring dropped UK CAF and AU ISM control mappings and D3FEND references to the chain and cross-reference surfaces, and the ai-c2-detection skill's CWE-918 link is restored to the manifest and every index built from it. The pinned CWE catalog version in `sources/index.json` was three minor versions behind the shipped catalog and is corrected, with the source-currency guard extended to cover the CWE and D3FEND rows the way it already covered ATT&CK and ATLAS.
+
+The release orchestrator could report a release complete while the publish was unconfirmed — a failed registry query short-circuited the final verification, and a non-success publish workflow only warned. Both now fail the phase: success requires the registry to positively report the just-published version.
+
+### Features
+
+The secret-scanning configuration no longer allowlists the entire playbooks directory by path — targeted patterns cover the legitimate example values instead, so a real credential committed into a playbook file is detectable again. Workflow version comments now match their pinned action SHAs, the publish workflow pins the same exact Node version the gates run on (held in lockstep by a three-way test against CI and the Docker harness), the ATLAS-currency workflow detects stale skills structurally instead of grepping a prose string, and the automated data-refresh PR body describes the structural gate it actually runs. The packaging gate pins every module the CLI requires at launch, the SBOM gate verifies the entry counts embedded in the published description against the live catalogs, skill frontmatter is validated against the shipped schema (previously decorative), and a new guard asserts that every byte-hashed shipped file type carries an LF-forcing `.gitattributes` rule. The catalog inventory in CONTEXT.md and the counts in the package description are pinned by tests so they fail loudly instead of rotting silently.
+
 ## 0.16.22 — 2026-06-05
 
 When the automated external-data refresh applies a CISA KEV listing change to a catalog entry, it now updates the entry's RWEP factor and score in the same write, honouring whichever factor shape the entry stores. Previously only the flag flipped, leaving the stored score failing the factor-sum invariant the catalog enforces — the first real KEV listing the refresh applied surfaced this as a 25-point mismatch. A first listing also now carries its KEV date: the drift check emitted a date change only when the local entry already had one, so a newly listed CVE arrived dated null. The refresh workflow's post-apply gate now runs structural validation (catalog schema and RWEP coherence, cross-references, index freshness, skill lint) instead of the full test suite: the suite's curation-completeness checks assert guarantees that human curation supplies after import, so they gate the automated data PR's merge rather than its creation. The workflow also regenerates the SBOM over freshly applied data and consumes its own just-built prefetch cache on runners that have no signing key.
@@ -2128,6 +2168,8 @@ Documentation accuracy pass. README.md + ARCHITECTURE.md were still pinning ATLA
 **`tests/docs-catalog-counts-pinned.test.js`** — new contract test asserts that README.md and ARCHITECTURE.md text matches the live catalog state for: ATLAS version (`data/atlas-ttps.json._meta.atlas_version`), ATT&CK version (`data/attack-techniques.json._meta.attack_version`), skill count (`manifest.json.skills.length`), D3FEND entry count, CVE catalog count, framework-gap entry count. Any future PR that bumps a catalog without updating the operator-facing docs fails the gate at CI time — eliminates the silent-drift class that v0.12.34 cleaned up.
 
 
+## 0.12.33 — 2026-05-15
+
 Same-day CVE intake (node-ipc supply-chain compromise) + cleanup of the long-standing `cred-stores` skill-vs-playbook semantic confusion.
 
 ### Features

package/CONTEXT.md

@@ -113,18 +113,18 @@ Skills and playbooks read from `data/`. Authoritative catalog inventory:
 
 | File | Entries | Purpose |
 |------|---------|---------|
-| `cve-catalog.json` | 10 | CVEs with CVSS, RWEP score, EPSS estimates, CISA KEV flags, PoC and live-patch availability |
-| `atlas-ttps.json` | 15 | MITRE ATLAS v5.6.0 (May 2026) techniques with framework gap flags |
-| `attack-techniques.json` | 79 | MITRE ATT&CK techniques with framework coverage mappings |
-| `framework-control-gaps.json` | 62 | Framework control gap entries: designed-for vs. what each control misses |
-| `exploit-availability.json` | 10 | Per-CVE PoC locations, weaponization stage, AI-acceleration factor, live-patch status |
+| `cve-catalog.json` | 439 | CVEs with CVSS, RWEP score, EPSS estimates, CISA KEV flags, PoC and live-patch availability |
+| `atlas-ttps.json` | 170 | MITRE ATLAS v5.6.0 (May 2026) techniques with framework gap flags |
+| `attack-techniques.json` | 805 | MITRE ATT&CK techniques with framework coverage mappings |
+| `framework-control-gaps.json` | 194 | Framework control gap entries: designed-for vs. what each control misses |
+| `exploit-availability.json` | 28 | Per-CVE PoC locations, weaponization stage, AI-acceleration factor, live-patch status |
 | `global-frameworks.json` | 35 jurisdictions | Patch SLAs and notification windows across global regulatory regimes |
-| `zeroday-lessons.json` | 10 | Learning-loop entries: zero-day → attack vector → control gap → framework gap → new control |
-| `cwe-catalog.json` | 171 | CWE v4.20 entries (Top 25 2024 plus AI- and supply-chain-relevant weaknesses) |
+| `zeroday-lessons.json` | 439 | Learning-loop entries: zero-day → attack vector → control gap → framework gap → new control |
+| `cwe-catalog.json` | 177 | CWE v4.20 entries (Top 25 2024 plus AI- and supply-chain-relevant weaknesses) |
 | `d3fend-catalog.json` | 468 | MITRE D3FEND v1.3.0 defensive techniques for offensive → defensive mapping |
-| `rfc-references.json` | 31 | IETF RFC / Internet-Draft references with status, errata count, replaces / replaced-by, `last_verified` dates |
+| `rfc-references.json` | 8888 | IETF RFC / Internet-Draft references with status, errata count, replaces / replaced-by, `last_verified` dates |
 | `dlp-controls.json` | 22 | DLP control entries indexed by channel, classifier, surface, enforcement mode, evidence type |
-| `playbooks/` | 13 | Playbook specifications (see above) |
+| `playbooks/` | 33 | Playbook specifications (see above) |
 | `_indexes/` | 17 derived files | Pre-computed indexes built by `npm run build-indexes` |
 
 ---

package/README.md

@@ -1,8 +1,8 @@
 <div align="center">
 
 <picture>
-  <source media="(prefers-color-scheme: dark)" srcset="public/img/logo/exceptd-logo-dark.svg">
-  <img src="public/img/logo/exceptd-logo-primary.svg" alt="exceptd" width="220" />
+  <source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/blamejs/exceptd-skills/main/public/img/logo/exceptd-logo-dark.svg">
+  <img src="https://raw.githubusercontent.com/blamejs/exceptd-skills/main/public/img/logo/exceptd-logo-primary.svg" alt="exceptd" width="220" />
 </picture>
 
 # exceptd Security
@@ -77,7 +77,7 @@ Generate defensible policy exceptions for architectural realities frameworks don
 ### Risk Intelligence
 
 **[exploit-scoring](skills/exploit-scoring/skill.md)**
-Real-World Exploit Priority (RWEP) scoring beyond CVSS. Factors: CISA KEV status (0.25), public PoC (0.20), AI-assisted weaponization (0.15), active exploitation (0.20), patch availability (-0.15), live-patch availability (-0.10), blast radius (0.15). Pre-calculated RWEP scores for all CVEs in `data/cve-catalog.json`. Outputs RWEP alongside CVSS with plain-language priority guidance.
+Real-World Exploit Priority (RWEP) scoring beyond CVSS. Factors: CISA KEV status (0.25), public PoC (0.20), AI-assisted weaponization (0.15), active exploitation (0.20), patch availability (-0.15), live-patch availability (-0.10), blast radius (0.30). Pre-calculated RWEP scores for all CVEs in `data/cve-catalog.json`. Outputs RWEP alongside CVSS with plain-language priority guidance.
 
 **[threat-model-currency](skills/threat-model-currency/skill.md)**
 Score how current an organization's threat model is against 2026 threat reality. Checklist of 14 current threat classes against documented model coverage. Outputs: currency percentage, specific missing threat classes, recommended additions with ATLAS/ATT&CK references, prioritized update roadmap.

package/agents/report-generator.md

@@ -36,7 +36,7 @@ Generate structured, audience-appropriate reports from skill outputs. Translates
 ### 2. Technical Assessment Report
 
 **Audience:** Security engineers, DevOps, Platform teams  
-**Template:** `reports/templates/technical-assessment.md`  
+**Template:** No canonical template — assemble from the content list below.  
 **Content:**
 - Full CVE inventory with CVSS + RWEP
 - Specific remediation commands and configurations
@@ -74,7 +74,7 @@ Generate structured, audience-appropriate reports from skill outputs. Translates
 ### 4. Threat Model Update Report
 
 **Audience:** Security architects, threat modeling teams  
-**Template:** `reports/templates/threat-model-update.md`  
+**Template:** No canonical template — assemble from the content list below.  
 **Content:**
 - Currency score before and after update
 - Specific threat classes added

package/agents/skill-updater.md

@@ -96,7 +96,7 @@ For each affected skill:
 ## Quality Rules
 
 - Never write to data files without a source-validator approval
-- Never modify the interpretation of a framework control without a framework-analyst package
+- Never modify the interpretation of a framework control without a threat-researcher handoff package containing the framework gap update, verified by source-validator
 - Never delete entries from zeroday-lessons.json or framework-control-gaps.json — mark as superseded, not deleted
 - Always update `last_threat_review` in skill frontmatter after changes
 - If a RWEP score changes by more than 15 points: flag for review rather than auto-applying

package/agents/source-validator.md

@@ -2,14 +2,13 @@
 
 ## Role
 
-Cross-check all claims in a threat-researcher or framework-analyst handoff package against primary sources. Flag unverifiable claims. Produce a verification report that the skill-updater uses to decide what to accept.
+Cross-check all claims in a threat-researcher handoff package against primary sources. Flag unverifiable claims. Produce a verification report that the skill-updater uses to decide what to accept.
 
 This agent is the quality gate. It prevents bad data from entering the skill catalog.
 
 ## When to spawn
 
-- After threat-researcher produces an intelligence package
-- After framework-analyst produces a gap update
+- After threat-researcher produces an intelligence package (including a framework gap update)
 - On-demand audit of existing data/cve-catalog.json entries
 - Before any new skill that contains specific CVE or TTP claims is merged
 
@@ -53,7 +52,7 @@ This agent is the quality gate. It prevents bad data from entering the skill cat
   "agent": "source-validator",
   "run_id": "[matches threat-researcher run_id]",
   "timestamp": "[ISO 8601]",
-  "input_from": "threat-researcher | framework-analyst",
+  "input_from": "threat-researcher",
   "verification_results": {
     "passed": [
       {

package/agents/threat-researcher.md

@@ -145,5 +145,5 @@ Research and validate new threat intelligence — CVEs, attack campaigns, new AT
 
 - Does not write directly to data files — that is the skill-updater's job after source-validator approval
 - Does not include direct exploit links in output
-- Does not make compliance recommendations — that is the framework-analyst's job
+- Does not apply framework gap updates itself — gap findings ship as part of the handoff package; the skill-updater applies them after source-validator approval
 - Does not score risk — RWEP calculation is in lib/scoring.js

package/bin/exceptd.js

@@ -1776,8 +1776,9 @@ function dispatchPlaybook(cmd, argv) {
   } catch (e) {
     // v0.11.14 (#131): when the operator typed a skill name (kernel-lpe-triage)
     // and got "Playbook not found," surface the playbooks that load that skill.
-    // 13 playbooks vs 38 skills with many-to-many: operators routinely confuse
-    // the two because the website (and AGENTS.md) describe both as runnable.
+    // Playbooks and skills are a many-to-many mapping: operators routinely
+    // confuse the two because the website (and AGENTS.md) describe both as
+    // runnable.
     const m = e && e.message && e.message.match(/^Playbook not found: ([^\s(]+)/);
     if (m) {
       const wanted = m[1];
@@ -2448,10 +2449,10 @@ async function cmdCollect(runner, args, runOpts, pretty) {
   let mod;
   try { mod = require(collectorPath); }
   catch (e) {
-    return emitError(`collect: failed to load collector ${path.relative(PKG_ROOT, collectorPath)}: ${e.message}`, { verb: "collect", playbook_id: playbookId, exit_code: 2 }, pretty);
+    return emitError(`collect: failed to load collector ${path.relative(PKG_ROOT, collectorPath)}: ${e.message}`, { verb: "collect", playbook_id: playbookId }, pretty);
   }
   if (typeof mod.collect !== "function") {
-    return emitError(`collect: collector at ${path.relative(PKG_ROOT, collectorPath)} does not export a collect() function`, { verb: "collect", playbook_id: playbookId, exit_code: 2 }, pretty);
+    return emitError(`collect: collector at ${path.relative(PKG_ROOT, collectorPath)} does not export a collect() function`, { verb: "collect", playbook_id: playbookId }, pretty);
   }
 
   // --cwd <path> overrides process.cwd(). Validated as an existing
@@ -2476,7 +2477,7 @@ async function cmdCollect(runner, args, runOpts, pretty) {
   } catch (e) {
     return emitError(
       `collect: collector for "${playbookId}" threw an unhandled exception: ${e.message}. File a bug — collectors must catch their own errors and surface them via collector_errors[].`,
-      { verb: "collect", playbook_id: playbookId, stack: e.stack || null, exit_code: 2 },
+      { verb: "collect", playbook_id: playbookId, stack: e.stack || null },
       pretty,
     );
   }
@@ -2538,7 +2539,7 @@ async function cmdCollect(runner, args, runOpts, pretty) {
     } catch (e) {
       return emitError(
         `collect: --resolve failed for "${playbookId}": ${e.message}`,
-        { verb: "collect", playbook_id: playbookId, exit_code: 2 },
+        { verb: "collect", playbook_id: playbookId },
         pretty,
       );
     }
@@ -4448,7 +4449,7 @@ function persistAttestation(args) {
   if (!/^[A-Za-z0-9._-]{1,64}\.json$/.test(filename || "")) {
     return {
       ok: false,
-      error: `Refusing to persist attestation with unsafe filename: ${JSON.stringify(filename).slice(0, 80)}.`,
+      error: `Refusing to persist attestation with unsafe filename: ${String(JSON.stringify(filename)).slice(0, 80)}.`,
       existingPath: null,
     };
   }
@@ -4525,7 +4526,17 @@ function persistAttestation(args) {
             fs.renameSync(jsonTmp, filePath);
           }
           // Slot won — place the sidecar (sigPath is fresh on a create).
-          fs.renameSync(sigTmp, sigPath);
+          try {
+            fs.renameSync(sigTmp, sigPath);
+          } catch (sigErr) {
+            // The body landed but its sidecar did not. Left in place, the
+            // orphaned unsigned body would hold the slot forever: every
+            // retry collides with EEXIST and verification reports the
+            // attestation unsigned. Release the slot before rethrowing so
+            // the create can be retried cleanly.
+            try { fs.unlinkSync(filePath); } catch { /* best-effort slot release */ }
+            throw sigErr;
+          }
           try { fs.unlinkSync(jsonTmp); } catch { /* hard-link path leaves a second name */ }
         } else {
           // Force-overwrite, under the persist lock: atomic replace of both.
@@ -4912,7 +4923,12 @@ function verifyAttestationSidecar(attFile) {
   if (pubKey) {
     const pinError = assertExpectedFingerprint(pubKey);
     if (pinError) {
-      return { file: attFile, signed: false, verified: false, reason: pinError };
+      // A pin mismatch means the host's public key is NOT the published
+      // one — verification against it would prove nothing. Carry a tamper
+      // class so consumers (reattest's refusal predicate, the sidecar
+      // classifier) treat this as tamper evidence, not a benign
+      // unsigned-attestation config state.
+      return { file: attFile, signed: false, verified: false, tamper_class: "fingerprint-mismatch", reason: pinError };
     }
   }
   if (!fs.existsSync(sigPath)) {
@@ -5136,25 +5152,7 @@ function cmdReattest(runner, args, runOpts, pretty) {
   // tampering. `verified === false && signed === true` is the real tamper
   // signal.
   const verify = verifyAttestationSidecar(attFile);
-  // Collapse tamper-class detection. Any non-benign sidecar state
-  // (signed-but-invalid, sidecar-corrupt, unsigned-substitution) refuses
-  // replay unless --force-replay is set. A predicate of only
-  // `verify.signed && !verify.verified` would miss corrupt-JSON sidecars
-  // and substituted "unsigned" sidecars on a host WITH a private key —
-  // both of which let replay proceed against forged input.
-  const isSignedTamper = verify.signed && !verify.verified;
-  const isClassTamper = !verify.signed && (
-    verify.tamper_class === "sidecar-corrupt"
-    || verify.tamper_class === "unsigned-substitution"
-    // Extend tamper-class refusal to algorithm-unsupported sidecars —
-    // anything other than "Ed25519" or "unsigned". Without explicit
-    // refusal, a sidecar that throws inside crypto.verify (e.g.
-    // signature_base64 missing on a downgrade-bait shape) emerges as
-    // signed:true + verified:false through the catch block by accident.
-    // The strict pre-check surfaces the class directly; refuse on it too.
-    || verify.tamper_class === "algorithm-unsupported"
-  );
-  if ((isSignedTamper || isClassTamper) && !args["force-replay"]) {
+  if (isTamperedSidecarVerify(verify) && !args["force-replay"]) {
     process.stderr.write(`[exceptd reattest] TAMPERED: attestation at ${attFile} failed Ed25519 verification (${verify.reason}). Refusing to replay against forged input. Pass --force-replay to override (the replay output records sidecar_verify so the audit trail captures the override).\n`);
     const body = {
       ok: false,
@@ -5169,7 +5167,7 @@ function cmdReattest(runner, args, runOpts, pretty) {
     process.exitCode = EXIT_CODES.TAMPERED;
     return;
   }
-  if ((isSignedTamper || isClassTamper) && args["force-replay"]) {
+  if (isTamperedSidecarVerify(verify) && args["force-replay"]) {
     process.stderr.write(`[exceptd reattest] WARNING: --force-replay overriding failed signature verification on ${attFile} (${verify.reason}). The replay output records sidecar_verify so the override is audit-visible.\n`);
   } else if (!verify.signed && verify.reason && verify.reason.includes("no .sig sidecar") && !args["force-replay"]) {
     // missing-sidecar is NOT benign. The previous flow accepted
@@ -5455,6 +5453,39 @@ function cmdReattest(runner, args, runOpts, pretty) {
  * sidecar_verify object so auditors can filter override events by class
  * without regexing the human-readable reason string.
  */
+/**
+ * Tamper predicate over a verifyAttestationSidecar() result. Collapses
+ * tamper-class detection: any non-benign sidecar state refuses replay
+ * unless --force-replay is set. A predicate of only
+ * `verify.signed && !verify.verified` would miss corrupt-JSON sidecars,
+ * substituted "unsigned" sidecars on a host WITH a private key,
+ * downgrade-bait algorithm shapes, and a keys/public.pem failing the
+ * EXPECTED_FINGERPRINT pin — each of which would let replay proceed
+ * against forged input. Keeping the class list HERE (one shared helper)
+ * means a new tamper class added to the verifier has exactly one refusal
+ * site to extend.
+ */
+function isTamperedSidecarVerify(verify) {
+  if (!verify || typeof verify !== "object") return false;
+  const isSignedTamper = verify.signed && !verify.verified;
+  const isClassTamper = !verify.signed && (
+    verify.tamper_class === "sidecar-corrupt"
+    || verify.tamper_class === "unsigned-substitution"
+    // Anything other than "Ed25519" or "unsigned": a sidecar that throws
+    // inside crypto.verify (e.g. signature_base64 missing on a
+    // downgrade-bait shape) would otherwise emerge as signed:true +
+    // verified:false through the catch block by accident. The strict
+    // pre-check surfaces the class directly; refuse on it too.
+    || verify.tamper_class === "algorithm-unsupported"
+    // A keys/public.pem that fails the EXPECTED_FINGERPRINT pin is the
+    // key-swap attack the pin exists for — verification "against" the
+    // swapped key proves nothing, so replay refuses exactly like the
+    // other tamper classes (attest verify already refuses on this).
+    || verify.tamper_class === "fingerprint-mismatch"
+  );
+  return Boolean(isSignedTamper || isClassTamper);
+}
+
 function classifySidecarVerify(verify) {
   if (!verify || typeof verify !== "object") return "unknown";
   if (verify.signed && verify.verified) return "verified";
@@ -5464,6 +5495,7 @@ function classifySidecarVerify(verify) {
   // `algorithm-unsupported` is its own class label so log scrapers /
   // dashboards can filter downgrade-bait events without parsing the reason.
   if (verify.tamper_class === "algorithm-unsupported") return "algorithm-unsupported";
+  if (verify.tamper_class === "fingerprint-mismatch") return "fingerprint-mismatch";
   if (typeof verify.reason === "string" && verify.reason.startsWith("attestation explicitly unsigned")) return "explicitly-unsigned";
   if (typeof verify.reason === "string" && verify.reason.includes("no .sig sidecar")) return "no-sidecar";
   if (typeof verify.reason === "string" && verify.reason.includes("no public key")) return "no-public-key";
@@ -6045,7 +6077,7 @@ function _playbookSignalCatalog(runner, playbookId) {
   try {
     const pb = runner.loadPlaybook ? runner.loadPlaybook(playbookId) : null;
     if (!pb) return null;
-    const inds = (pb.phases?.look?.indicators || []).filter(i => i && i.id);
+    const inds = (pb.phases?.detect?.indicators || []).filter(i => i && i.id);
     if (inds.length === 0) return null;
     return Object.fromEntries(inds.map(i => [i.id, 'inconclusive']));
   } catch { return null; }
@@ -6943,6 +6975,14 @@ function cmdDoctor(runner, args, runOpts, pretty) {
             // /grant:r <USER>:F` to strip inherited entries.
             const aclCheck = checkWindowsAcl(childAbs);
             if (aclCheck.ok) continue;
+            // Resolve the grant principal defensively: an unset USERNAME
+            // would otherwise interpolate "undefined:F", and icacls applies
+            // /inheritance:r BEFORE failing on the unresolvable account —
+            // stripping every inherited entry and locking the file out.
+            // os.userInfo() works even when the env var is absent.
+            const aclUser = process.env.USERNAME || (() => {
+              try { return require('os').userInfo().username; } catch { return null; }
+            })();
             findings.push({
               path: `${displayRoot}/${childRel}`,
               mode: null,
@@ -6950,7 +6990,9 @@ function cmdDoctor(runner, args, runOpts, pretty) {
               issue: 'broader_than_user_only_acl',
               acl_extra_principals: aclCheck.extraPrincipals,
               hint: `icacls "${childAbs}" /inheritance:r /grant:r %USERNAME%:F  # NEW-CTRL-050: AI-assistant configs holding MCP tokens / API keys must restrict ACL to the workstation user`,
-              fix_command: ['icacls', childAbs, '/inheritance:r', '/grant:r', `${process.env.USERNAME}:F`],
+              ...(aclUser
+                ? { fix_command: ['icacls', childAbs, '/inheritance:r', '/grant:r', `${aclUser}:F`] }
+                : { fix_unavailable: 'current user name unresolvable (USERNAME unset); apply the hint manually' }),
             });
             continue;
           }
@@ -8369,6 +8411,17 @@ function cmdAsk(runner, args, runOpts, pretty) {
  */
 function cmdCi(runner, args, runOpts, pretty) {
   const scope = args.scope;
+  // A value-less `--max-rwep` parses as boolean true and would coerce to
+  // Number(true) === 1 — a finite, non-negative cap that slips past the
+  // numeric guard below and silently sets an extraordinarily strict gate.
+  // Treat the forgotten value as a usage error, same as a non-numeric one.
+  if (args["max-rwep"] === true) {
+    return emitError(
+      "ci: --max-rwep requires a non-negative number.",
+      { verb: "ci", flag: "max-rwep" },
+      pretty,
+    );
+  }
   const maxRwep = args["max-rwep"] !== undefined ? Number(args["max-rwep"]) : null;
   // Reject a non-numeric / negative cap rather than silently coercing it.
   // `--max-rwep abc` previously became Number→NaN→0, degenerating the gate to
@@ -9009,4 +9062,10 @@ function cmdCi(runner, args, runOpts, pretty) {
 
 if (require.main === module) main();
 
-module.exports = { COMMANDS, PKG_ROOT, PLAYBOOK_VERBS, persistAttestation };
+module.exports = {
+  COMMANDS, PKG_ROOT, PLAYBOOK_VERBS, persistAttestation,
+  // internal helpers exposed for tests
+  _isTamperedSidecarVerify: isTamperedSidecarVerify,
+  _classifySidecarVerify: classifySidecarVerify,
+  _verifyAttestationSidecar: verifyAttestationSidecar,
+};

package/data/_indexes/_meta.json

@@ -1,14 +1,14 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-06-05T14:37:44.664Z",
+  "generated_at": "2026-06-05T22:20:42.479Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 63,
   "source_hashes": {
-    "manifest.json": "0d633a546c8d60d593625a6ddc140c6bd6a8c1f940ea29cf0dc4dfddb72b6b39",
+    "manifest.json": "fe65c62f46bbb3c069247eb19169ac4ab99bf0354e3e9cfe432782bf402a918a",
     "data/atlas-ttps.json": "f66b456cf82a3c20575d8479de41f7b11b7ee5693eb1fcf64a67e162ae1b88a2",
     "data/attack-techniques.json": "c39f28e3402ef13ad9b7076819f63fda67a22f97e3e375cfe01c4a4e0beff7c9",
-    "data/cve-catalog.json": "8264da4534d39c9493cfcd18acf7e38ed47ce2a81be15afd5a3f4baf1d504929",
-    "data/cwe-catalog.json": "feadd8497221c097d8237fb93d9557c4dbdd70434097da8debd6f5e50ede1b24",
+    "data/cve-catalog.json": "51d8425a49e5cc0375d0a154a83a16816e99c3141a5bbafe6383607ca11be240",
+    "data/cwe-catalog.json": "b398003b68b0d9539d13a5536e933005149fd05f3d33978297c870987542cd86",
     "data/d3fend-catalog.json": "9a54bccb9f24f84b32024216cc3f53819a053721ac8ab43c326859e68fc0ffaf",
     "data/dlp-controls.json": "d2406c482dddd30e49203879999dc4b3a7fd4d0494d6a61d86b91ee76415df19",
     "data/exploit-availability.json": "ec2656f0d9a893610e27b43eb6035fe9b18e057c9f6dfaac7e7d4959bbcbb795",
@@ -21,7 +21,7 @@
     "skills/mcp-agent-trust/skill.md": "0752834acde0303d6d1e36be4b320eac3d34fde715bb8d71f3ad9e801d701482",
     "skills/framework-gap-analysis/skill.md": "c2da8cc184ac4277309896bf4fe6afe23c419575b297734a8fc168f42d1805e9",
     "skills/compliance-theater/skill.md": "02b51b932ded4b9b74844ecf842ee3f4d6b09699ebe9cdba457e2c9b7da10ebd",
-    "skills/exploit-scoring/skill.md": "2bb77e1f667bc47c6ab1c7715071d9fe8da2697f9bbbf7914c7e9fd231ad67f1",
+    "skills/exploit-scoring/skill.md": "628f4853e8d6b6ac2ad8ad159f1c9d74c392727f4ebf9bc1d7d8e43074b08a3a",
     "skills/rag-pipeline-security/skill.md": "49b1910e996f01df1382714f9307ead98028fb5b6911bb9022cb8e5c0edf0723",
     "skills/ai-c2-detection/skill.md": "08fee5607e4972a3c0e1e31d58d4ddfeffeae1302df22416f3e24c20229fb782",
     "skills/policy-exception-gen/skill.md": "c549f48c2e44759a74c2c6306f0eb34ea26152fb2a3b0e7e96505d5b174f1bd4",
@@ -73,21 +73,21 @@
   "index_stats": {
     "xref_entries": {
       "cwe_refs": 53,
-      "d3fend_refs": 21,
-      "framework_gaps": 87,
+      "d3fend_refs": 22,
+      "framework_gaps": 96,
       "atlas_refs": 10,
       "attack_refs": 51,
-      "rfc_refs": 23,
+      "rfc_refs": 35,
       "dlp_refs": 0
     },
-    "trigger_table_entries": 685,
+    "trigger_table_entries": 688,
     "chains_cve_entries": 426,
     "chains_cwe_entries": 177,
     "jurisdictions_indexed": 29,
     "handoff_dag_nodes": 51,
     "summary_cards": 51,
     "section_offsets_skills": 51,
-    "token_budget_total_approx": 435954,
+    "token_budget_total_approx": 435955,
     "recipes": 8,
     "jurisdiction_clocks": 29,
     "did_ladders": 8,

package/data/_indexes/activity-feed.json

@@ -112,35 +112,35 @@
       "type": "skill_review",
       "artifact": "compliance-theater",
       "path": "skills/compliance-theater/skill.md",
-      "note": "Detect where an organization passes an audit but remains exposed — seven documented compliance theater patterns"
+      "note": "Detect where an organization passes an audit but remains exposed — seven documented compliance theater patterns with specific detection tests"
     },
     {
       "date": "2026-05-22",
       "type": "skill_review",
       "artifact": "rag-pipeline-security",
       "path": "skills/rag-pipeline-security/skill.md",
-      "note": "RAG-specific threat model — embedding manipulation, vector store poisoning, retrieval filter bypass, indirect prompt injection"
+      "note": "RAG-specific threat model — embedding manipulation, vector store poisoning, retrieval filter bypass, indirect prompt injection — no current framework coverage"
     },
     {
       "date": "2026-05-22",
       "type": "skill_review",
       "artifact": "policy-exception-gen",
       "path": "skills/policy-exception-gen/skill.md",
-      "note": "Generate defensible policy exceptions for architectural realities — ephemeral infra, AI pipelines, ZTA, no-reboot patching"
+      "note": "Generate defensible policy exceptions for architectural realities — ephemeral infra, AI pipelines, ZTA, no-reboot patching, with compensating controls and auditor-ready justification"
     },
     {
       "date": "2026-05-22",
       "type": "skill_review",
       "artifact": "pqc-first",
       "path": "skills/pqc-first/skill.md",
-      "note": "Post-quantum cryptography first mentality — hard version gates (OpenSSL 3.5+), algorithm sunset tracking, HNDL assessment, loopback learning for NIST/IETF evolution"
+      "note": "Post-quantum cryptography first mentality — hard version gates, algorithm sunset tracking, loopback learning for NIST/IETF standards evolution"
     },
     {
       "date": "2026-05-22",
       "type": "skill_review",
       "artifact": "skill-update-loop",
       "path": "skills/skill-update-loop/skill.md",
-      "note": "Meta-skill for keeping all exceptd skills current — CISA KEV triggers, ATLAS version updates, framework amendments, forward_watch resolution, currency scoring"
+      "note": "Meta-skill for keeping all exceptd skills current — fires on new CVEs, ATLAS updates, framework changes, and forward_watch triggers"
     },
     {
       "date": "2026-05-22",
@@ -161,7 +161,7 @@
       "type": "skill_review",
       "artifact": "ransomware-response",
       "path": "skills/ransomware-response/skill.md",
-      "note": "Ransomware-specific incident response — OFAC SDN sanctions screening as payment-posture blocker, EU Reg 2014/833 + UK OFSI + AU DFAT + JP MOF cross-jurisdiction sanctions lookups, decryptor availability via No More Ransom + vendor-specific catalogs, cyber-insurance carrier 24h notification, negotiator-engagement legal posture, immutable-backup viability test, PHI exfil-before-encrypt as distinct breach class, parallel jurisdiction clocks"
+      "note": "Ransomware-specific incident response — OFAC sanctions screening as payment-posture blocker, EU Reg 2014/833 + UK OFSI + AU DFAT + JP MOF cross-jurisdiction sanctions lookups, decryptor availability via No More Ransom + vendor-specific catalogs, cyber-insurance carrier 24h notification, negotiator-engagement legal posture, immutable-backup viability test, PHI exfil-before-encrypt as distinct breach class, parallel jurisdiction clocks (NIS2 24h / DORA 4h / GDPR 72h / SEC 8-K 96h / HIPAA 60d / CIRCIA 72h / NYDFS 500.17 24h ransom-payment)"
     },
     {
       "date": "2026-05-19",
@@ -235,7 +235,7 @@
       "type": "skill_review",
       "artifact": "ai-attack-surface",
       "path": "skills/ai-attack-surface/skill.md",
-      "note": "Comprehensive AI/ML attack surface assessment mapped to MITRE ATLAS v5.6.0 with gap flags"
+      "note": "Comprehensive AI/ML attack surface assessment mapped to MITRE ATLAS v5.6.0 with explicit framework gap flags"
     },
     {
       "date": "2026-05-17",
@@ -249,14 +249,14 @@
       "type": "skill_review",
       "artifact": "ai-c2-detection",
       "path": "skills/ai-c2-detection/skill.md",
-      "note": "Detect adversary use of AI APIs as covert C2 — SesameOp pattern, PROMPTFLUX/PROMPTSTEAL behavioral signatures"
+      "note": "Detect adversary use of AI APIs as covert C2 — SesameOp pattern, PROMPTFLUX/PROMPTSTEAL behavioral signatures, response playbook"
     },
     {
       "date": "2026-05-15",
       "type": "skill_review",
       "artifact": "kernel-lpe-triage",
       "path": "skills/kernel-lpe-triage/skill.md",
-      "note": "Assess Linux kernel LPE exposure — Copy Fail, Dirty Frag, live-patch vs. reboot remediation"
+      "note": "Assess Linux kernel LPE exposure — Copy Fail, Dirty Frag, Fragnesia, live-patch vs. reboot remediation paths, framework gap declarations"
     },
     {
       "date": "2026-05-15",
@@ -291,7 +291,7 @@
       "type": "skill_review",
       "artifact": "sector-telecom",
       "path": "skills/sector-telecom/skill.md",
-      "note": "Telecom and 5G security for mid-2026 — Salt Typhoon, Volt Typhoon, CALEA / IPA-LI gateway compromise, signaling-protocol abuse (SS7 / Diameter / GTP), 5G N6 / N9 isolation, gNB / DU / CU integrity, OEM-equipment supply-chain compromise, AI-RAN / O-RAN security"
+      "note": "Telecom and 5G security for mid-2026 — Salt Typhoon, Volt Typhoon, CALEA / IPA-LI gateway compromise, signaling-protocol abuse (SS7 / Diameter / GTP), 5G N6 / N9 isolation, gNB / DU / CU integrity, OEM-equipment supply-chain compromise, AI-RAN / O-RAN security; FCC CPNI + 4-business-day notification, NIS2 Annex I telecom essential entities, UK TSA 2021 + Ofcom, AU SOCI / TSSR, GSMA NESAS, 3GPP TR 33.926 + TS 33.501, ITU-T X.805."
     },
     {
       "date": "2026-05-15",
@@ -305,7 +305,7 @@
       "type": "skill_review",
       "artifact": "cloud-iam-incident",
       "path": "skills/cloud-iam-incident/skill.md",
-      "note": "Cloud-IAM incident response for AWS / GCP / Azure — account takeover, IAM role assumption abuse, access-key compromise, cross-account assume-role chains, federated-trust attacks, IMDS metadata exfiltration, and Snowflake-AA24-class IdP-to-cloud credential reuse"
+      "note": "Cloud-IAM incident response for AWS / GCP / Azure — account takeover, IAM role assumption abuse, access-key compromise, cross-account assume-role chains, federated-trust attacks (IAM Identity Center / Workload Identity Federation / Azure managed identity), IMDS metadata exfiltration, and Snowflake-AA24-class IdP-to-cloud credential reuse"
     },
     {
       "date": "2026-05-15",
@@ -455,7 +455,7 @@
       "type": "skill_review",
       "artifact": "security-maturity-tiers",
       "path": "skills/security-maturity-tiers/skill.md",
-      "note": "Three-tier implementation roadmap — MVP (ship this week), Practical (scalable today), Overkill (defense-in-depth)"
+      "note": "Three-tier implementation roadmap — MVP you can ship today, practical best practices useable now, overkill gold standard for defense-in-depth"
     }
   ]
 }