@blamejs/exceptd-skills 0.16.22 → 0.16.24

package/lib/collectors/ai-api.js

@@ -49,6 +49,16 @@ const AI_KEY_PATTERNS = [
   { id: "cohere",       re: /(?:^|\n)\s*(?:export\s+|set\s+-gx\s+)?COHERE_API_KEY\s*[= ]\s*['"]?[A-Za-z0-9-]{30,}/m },
 ];
 
+// Capture the exported value so the false_positive_checks_required entries
+// (placeholder demotion, entropy floor) can be evaluated. The export
+// patterns above end at the prefix; widen to grab the trailing token.
+const AI_KEY_VALUE_RE = {
+  openai: /OPENAI_API_KEY\s*[= ]\s*['"]?(sk-[A-Za-z0-9_-]+)/,
+  anthropic: /ANTHROPIC_API_KEY\s*[= ]\s*['"]?(sk-ant-[A-Za-z0-9_-]+)/,
+  huggingface: /(?:HUGGINGFACE_TOKEN|HF_TOKEN)\s*[= ]\s*['"]?(hf_[A-Za-z0-9]+)/,
+};
+const PLACEHOLDER_RE = /placeholder|example|redacted|dummy|x{4,}|0{6,}|test-/i;
+
 function scanShellRc(content) {
   if (!content) return [];
   const hits = [];
@@ -58,6 +68,31 @@ function scanShellRc(content) {
   return hits;
 }
 
+// Deterministic false_positive_checks_required evaluation for
+// cleartext-api-key-in-dotfile. Returns the satisfiable indices for the
+// exports found across the canonical dotfiles (intersection — an index is
+// only attested if every export satisfies it). Canonical home rc / dotfile
+// paths are never under examples/tests/fixtures, so the path check [1] is
+// always satisfied here.
+function cleartextFpIndices(content) {
+  const sat = new Set(["0", "1", "2"]);
+  let sawAny = false;
+  for (const [vendor, re] of Object.entries(AI_KEY_VALUE_RE)) {
+    const m = content.match(re);
+    if (!m) continue;
+    sawAny = true;
+    const value = m[1];
+    // [0] not a documented placeholder / sk-test- fixture
+    if (PLACEHOLDER_RE.test(value)) sat.delete("0");
+    // [2] entropy floor: OpenAI sk-* >= 48 post-prefix, Anthropic sk-ant-* >= 40,
+    //     HuggingFace hf_* >= 30.
+    const floor = vendor === "openai" ? 48 : vendor === "anthropic" ? 40 : 30;
+    const body = value.replace(/^sk-ant-(?:api03|admin01)-|^sk-(?:proj-|svcacct-|admin-)?|^hf_/, "");
+    if (body.length < floor) sat.delete("2");
+  }
+  return sawAny ? sat : new Set();
+}
+
 function parseAwsCredentials(content) {
   if (!content) return { staticProfiles: [] };
   const lines = content.split(/\r?\n/);
@@ -74,30 +109,43 @@ function parseAwsCredentials(content) {
     profiles[current][kv[1].trim().toLowerCase()] = kv[2].trim();
   }
   const staticProfiles = [];
+  const accessKeyIds = [];
   for (const [name, kv] of Object.entries(profiles)) {
     // long-lived-aws-keys: aws_access_key_id present AND no
     // aws_session_token sibling (STS temporary creds carry the
     // session token; IAM-user long-lived keys do not).
     if (kv["aws_access_key_id"] && !kv["aws_session_token"]) {
       staticProfiles.push(name);
+      accessKeyIds.push(kv["aws_access_key_id"]);
     }
   }
-  return { staticProfiles };
+  return { staticProfiles, accessKeyIds };
 }
 
+// AWS-published sample credential pair — long-lived-aws-keys FP[0] demotes it.
+const AWS_EXAMPLE_KEY_PARTS = new Set([
+  "AKIAIOSFODNN7EXAMPLE",
+  "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
+]);
+
 function parseGcloudAdc(content) {
   if (!content) return { hasServiceAccount: false };
   try {
     const j = JSON.parse(content);
-    return { hasServiceAccount: j?.type === "service_account" };
+    const hasServiceAccount = j?.type === "service_account";
+    return {
+      hasServiceAccount,
+      privateKey: typeof j?.private_key === "string" ? j.private_key : "",
+      clientEmail: typeof j?.client_email === "string" ? j.client_email : "",
+    };
   } catch { return { hasServiceAccount: false }; }
 }
 
 function parseKubeStaticToken(content) {
-  if (!content) return false;
+  if (!content) return { found: false };
   // Same shape as cred-stores: token under user:, not auth-provider.
   const userKvRe = /^(\s+)(token|token-data)\s*:\s*(\S[^\n]*)/gm;
-  let staticFound = false;
+  let tokenValue = null;
   for (const m of content.matchAll(userKvRe)) {
     const upto = content.slice(0, m.index);
     const lastUserAt = upto.lastIndexOf("\n  user:");
@@ -105,12 +153,17 @@ function parseKubeStaticToken(content) {
     if (lastAuthProviderAt > lastUserAt) continue;
     const value = m[3];
     if (!value || value.startsWith("null")) continue;
-    staticFound = true;
+    tokenValue = value.trim();
     break;
   }
-  return staticFound;
+  // Cluster server URL — FP[0] demotes local-only clusters.
+  const serverM = content.match(/^\s*server:\s*(\S+)/m);
+  return { found: tokenValue !== null, tokenValue, serverUrl: serverM ? serverM[1] : "" };
 }
 
+const LOCAL_CLUSTER_RE = /https?:\/\/(?:127\.0\.0\.1|localhost|\[::1\])[:/]|\.kind\b|minikube|k3d|docker-for-desktop|docker-desktop/i;
+const CI_RUNNER_PATH_RE = /(?:^|[\\/])(?:home[\\/]runner|github[\\/]workspace|builds|workspace)[\\/]/i;
+
 function collect({ cwd = process.cwd(), env = process.env, args = {} } = {}) {
   const errors = [];
   const startTime = Date.now();
@@ -140,6 +193,7 @@ function collect({ cwd = process.cwd(), env = process.env, args = {} } = {}) {
 
   const allKeyCarriers = [...shellRcs, ...dotfileKeys];
   const cleartextHitsByFile = {};
+  let cleartextFp = null;
   for (const p of allKeyCarriers) {
     if (!fileExists(p)) continue;
     const c = readSafe(p);
@@ -147,6 +201,11 @@ function collect({ cwd = process.cwd(), env = process.env, args = {} } = {}) {
     const hits = scanShellRc(c);
     if (hits.length > 0) {
       cleartextHitsByFile[path.relative(home, p)] = hits;
+      const fp = cleartextFpIndices(c);
+      if (fp.size) {
+        if (cleartextFp === null) cleartextFp = new Set(fp);
+        else for (const idx of [...cleartextFp]) if (!fp.has(idx)) cleartextFp.delete(idx);
+      }
     }
   }
   const cleartextAnyHit = Object.keys(cleartextHitsByFile).length > 0;
@@ -163,7 +222,8 @@ function collect({ cwd = process.cwd(), env = process.env, args = {} } = {}) {
 
   const kubeCfgPath = (env && env.KUBECONFIG) || path.join(home, ".kube", "config");
   const kubeContent = fileExists(kubeCfgPath) ? readSafe(kubeCfgPath) : null;
-  const kubeStaticToken = parseKubeStaticToken(kubeContent);
+  const kubeParsed = parseKubeStaticToken(kubeContent);
+  const kubeStaticToken = kubeParsed.found;
 
   const signal_overrides = {
     "cleartext-api-key-in-dotfile": cleartextAnyHit ? "hit" : "miss",
@@ -172,6 +232,51 @@ function collect({ cwd = process.cwd(), env = process.env, args = {} } = {}) {
     "kubeconfig-with-static-token": kubeStaticToken ? "hit" : "miss",
   };
 
+  // Per-indicator __fp_checks attestation. Each canonical-path credential
+  // store the collector reads is never under an examples/tests/fixtures path,
+  // so the path-based FP checks are satisfied; value-based checks (placeholder,
+  // entropy, sample-credential, cluster-locality) are evaluated deterministically.
+  // Network / sts-validity checks are left unattested so the runner still
+  // downgrades those. Without this, a real cleartext key or static token
+  // surfaced by `collect` is downgraded to inconclusive after `run`.
+  if (cleartextAnyHit && cleartextFp && cleartextFp.size) {
+    const att = {};
+    for (const idx of cleartextFp) att[idx] = true;
+    signal_overrides["cleartext-api-key-in-dotfile__fp_checks"] = att;
+  }
+  if (longLivedAws) {
+    const att = {};
+    // [0] none of the access-key ids are the AWS-published sample pair
+    if (!(awsParsed.accessKeyIds || []).some((k) => AWS_EXAMPLE_KEY_PARTS.has(k))) att["0"] = true;
+    // [1] ~/.aws/credentials is a canonical home path, not an examples/test path
+    att["1"] = true;
+    // [2] sts get-caller-identity needs network — left unattested.
+    if (Object.keys(att).length) signal_overrides["long-lived-aws-keys__fp_checks"] = att;
+  }
+  if (gcloudParsed.hasServiceAccount) {
+    const att = {};
+    // [0] private_key is a real PEM body (>= 1000 chars), not PLACEHOLDER/REDACTED
+    const pk = gcloudParsed.privateKey || "";
+    if (pk.length >= 1000 && !/PLACEHOLDER|REDACTED/i.test(pk)) att["0"] = true;
+    // [1] client_email is a real *@*.gserviceaccount.com (not example/test)
+    const ce = gcloudParsed.clientEmail || "";
+    if (/@[^@\s]+\.gserviceaccount\.com$/i.test(ce) && !/@example\.com$|@test\./i.test(ce)) att["1"] = true;
+    // [2] canonical ADC path (not under examples/) AND no GOOGLE_APPLICATION_CREDENTIALS
+    //     redirecting away from it
+    if (!(env && env.GOOGLE_APPLICATION_CREDENTIALS)) att["2"] = true;
+    if (Object.keys(att).length) signal_overrides["gcp-service-account-json__fp_checks"] = att;
+  }
+  if (kubeStaticToken) {
+    const att = {};
+    // [0] cluster server URL is not a local-only dev cluster
+    if (kubeParsed.serverUrl && !LOCAL_CLUSTER_RE.test(kubeParsed.serverUrl)) att["0"] = true;
+    // [1] token is not a short kind/minikube bootstrap-token shape
+    if (kubeParsed.tokenValue && kubeParsed.tokenValue.length >= 40 && !/^[a-z0-9]{6}\.[a-z0-9]{16}$/.test(kubeParsed.tokenValue)) att["1"] = true;
+    // [2] kubeconfig is not inside a CI runner workspace
+    if (!CI_RUNNER_PATH_RE.test(kubeCfgPath)) att["2"] = true;
+    if (Object.keys(att).length) signal_overrides["kubeconfig-with-static-token__fp_checks"] = att;
+  }
+
   const artifacts = {
     "shell-rc-files": {
       value: cleartextAnyHit

package/lib/collectors/citation-hygiene.js

@@ -421,6 +421,33 @@ function collect({ cwd = process.cwd() } = {}) {
     signal_overrides["cve-citation-needs-external-verification"] = "inconclusive";
   }
 
+  // __fp_checks attestation for the FP-gated indicators the collector decides
+  // deterministically. Each hit already excludes illustrative (template /
+  // fixture / doc-snippet) paths and is keyed off the shipped catalogs, so the
+  // path / catalog-cross-reference / same-citation checks the collector ran
+  // are attested; surrounding-text-acknowledgement remains operator judgement.
+  // Without this the runner downgrades a real bad citation to inconclusive.
+  if (signal_overrides["fabricated-cve-id"] === "hit") {
+    // [0] not under a fixture / regex-example / doc-snippet path (illustrative
+    //     paths are excluded before the hit). [1] placeholder forms (CVE-TBD /
+    //     pending) never match the numeric citation regex, so a fired hit is
+    //     not a placeholder.
+    signal_overrides["fabricated-cve-id__fp_checks"] = { "0": true, "1": true };
+  }
+  if (signal_overrides["rejected-or-disputed-cve"] === "hit") {
+    // [1] the catalog note marks THIS exact identifier rejected/disputed.
+    // [2] the identifier is present in the catalog (absence does not fire).
+    // [0] inline dispute-acknowledgement in surrounding prose is operator
+    //     judgement — left unattested.
+    signal_overrides["rejected-or-disputed-cve__fp_checks"] = { "1": true, "2": true };
+  }
+  if (signal_overrides["rfc-number-title-mismatch"] === "hit") {
+    // [0] a paraphrase / nickname (no title claim) does not fire. [1] numbers
+    // absent from the shipped RFC index do not fire. [2] the stated title is
+    // extracted from the SAME citation line.
+    signal_overrides["rfc-number-title-mismatch__fp_checks"] = { "0": true, "1": true, "2": true };
+  }
+
   const summarize = (list) => {
     if (list.length === 0) return "0 hits";
     const head = list.slice(0, 5).map((h) => {

package/lib/collectors/crypto-codebase.js

@@ -405,6 +405,31 @@ function collect({ cwd = process.cwd(), env = process.env, args = {} } = {}) {
   if (noMlKemImpl !== undefined) signal_overrides["no-ml-kem-implementation"] = noMlKemImpl;
   if (fipsTheater !== undefined) signal_overrides["fips-claim-without-runtime-activation"] = fipsTheater;
 
+  // Per-indicator __fp_checks attestation for the FP-gated call-site
+  // indicators. Every surviving hit is in a non-test source file (isTest is
+  // excluded before the scan) and, for weak-hash, flows into a security sink
+  // (scanWeakHash). The remaining false_positive_checks_required entries are
+  // legacy-protocol-shim / feature-flag / later-override judgements the
+  // collector does not make, so they stay unattested and the runner keeps
+  // those indicators inconclusive. Without attesting what it DID check, the
+  // collector's real call-site hits are downgraded to inconclusive after run.
+  if (signal_overrides["weak-hash-import"] === "hit") {
+    // [0] not under test + non-security-file demotion; [2] hash flows to an
+    // authn/integrity sink. [1] legacy-protocol shim is operator judgement.
+    signal_overrides["weak-hash-import__fp_checks"] = { "0": true, "2": true };
+  }
+  if (signal_overrides["weak-cipher-mode"] === "hit") {
+    // [0] not under test/KAT-vector path; [2] construction is in a scanned
+    // (production) source file. [1] legacy-protocol-parser scope is operator.
+    signal_overrides["weak-cipher-mode__fp_checks"] = { "0": true, "2": true };
+  }
+  if (signal_overrides["tls-old-protocol"] === "hit") {
+    // [0] the hit is in non-test production code, not a test asserting the
+    // library REJECTS the legacy protocol. [1] feature-flag-default-off and
+    // [2] later-override are not inspected by the collector.
+    signal_overrides["tls-old-protocol__fp_checks"] = { "0": true };
+  }
+
   const summarize = (id) => {
     const list = hits[id];
     if (list.length === 0) return "0 hits";

package/lib/collectors/kernel.js

@@ -109,6 +109,18 @@ function collect({ cwd = process.cwd(), env = process.env, args = {} } = {}) {
     }
   }
 
+  // Running-kernel build config (/boot/config-$(uname -r)) backs the
+  // CONFIG_* false_positive_checks_required entries: a sysctl is moot if the
+  // feature is compiled out of the kernel. Best-effort — unreadable on many
+  // hardened hosts.
+  let kernelConfig = null;
+  if (linuxPlatform && unameR.ok) {
+    try {
+      const fs = require("node:fs");
+      kernelConfig = fs.readFileSync(`/boot/config-${unameR.value}`, "utf8");
+    } catch { /* config not readable — CONFIG_* checks stay unattested */ }
+  }
+
   // Signal overrides: we can't decide kver-in-affected-range without
   // the CVE-affected-version catalog (the runner does that
   // correlation). But we CAN flip the deterministic indicators that
@@ -127,13 +139,31 @@ function collect({ cwd = process.cwd(), env = process.env, args = {} } = {}) {
       // unpriv-userns-enabled: clone == 1 means enabled (risky).
       if (parsed.unprivileged_userns_clone != null) {
         const v = parseInt(parsed.unprivileged_userns_clone, 10);
-        signal_overrides["unpriv-userns-enabled"] = (v === 1) ? "hit" : "miss";
+        const hit = v === 1;
+        signal_overrides["unpriv-userns-enabled"] = hit ? "hit" : "miss";
+        // FP[1]: CONFIG_USER_NS=y — the sysctl is live only when userns is
+        // compiled in. Attested when /boot/config confirms it. FP[0]
+        // (rootless-runtime exception + LSM enforcement) is operator
+        // judgement and stays unattested.
+        if (hit && kernelConfig && /^CONFIG_USER_NS=y$/m.test(kernelConfig)) {
+          signal_overrides["unpriv-userns-enabled__fp_checks"] = { "1": true };
+        }
       }
       // unpriv-bpf-allowed: bpf_disabled == 0 means unprivileged BPF
       // is allowed (risky).
       if (parsed.unprivileged_bpf_disabled != null) {
         const v = parseInt(parsed.unprivileged_bpf_disabled, 10);
-        signal_overrides["unpriv-bpf-allowed"] = (v === 0) ? "hit" : "miss";
+        const hit = v === 0;
+        signal_overrides["unpriv-bpf-allowed"] = hit ? "hit" : "miss";
+        // FP[0]: CONFIG_BPF_SYSCALL=y AND CONFIG_BPF_JIT=y — the sysctl is
+        // moot if BPF is compiled out. Attested when /boot/config confirms
+        // both. FP[1] (enforcing LSM bpf() restriction) is operator
+        // judgement and stays unattested.
+        if (hit && kernelConfig &&
+            /^CONFIG_BPF_SYSCALL=y$/m.test(kernelConfig) &&
+            /^CONFIG_BPF_JIT=y$/m.test(kernelConfig)) {
+          signal_overrides["unpriv-bpf-allowed__fp_checks"] = { "0": true };
+        }
       }
     }
   }

package/lib/collectors/library-author.js

@@ -496,6 +496,36 @@ function collect({ cwd = process.cwd(), env = process.env, args = {} } = {}) {
     signal_overrides["lockfile-missing-integrity"] = lockfileMissingIntegrity;
   }
 
+  // __fp_checks attestation for publish-workflow-action-refs-mutable. Both
+  // false_positive_checks_required entries are deterministic from the repo:
+  //   [0] Dependabot configured for github-actions on a weekly+ schedule
+  //       demotes the finding — attest survival when no such config exists.
+  //   [1] every mutable ref pointing to a github-owned action is lower risk —
+  //       attest survival when at least one mutable ref is third-party.
+  if (signal_overrides["publish-workflow-action-refs-mutable"] === "hit") {
+    let dependabotActions = false;
+    try {
+      const dbContent =
+        readSafe(path.join(root, ".github", "dependabot.yml")) ||
+        readSafe(path.join(root, ".github", "dependabot.yaml")) || "";
+      dependabotActions = /package-ecosystem:\s*['"]?github-actions/i.test(dbContent) &&
+        /\binterval:\s*['"]?(?:daily|weekly)/i.test(dbContent);
+    } catch { /* no dependabot config */ }
+    const mutableRefSnippets = (workflowHits["publish-workflow-action-refs-mutable"] || []).map(h => h.snippet || "");
+    const refOf = (s) => {
+      const m = s.match(/uses:\s*['"]?([^'"\s]+)/);
+      return m ? m[1] : "";
+    };
+    const anyThirdParty = mutableRefSnippets.some(s => {
+      const r = refOf(s);
+      return r && !/^(?:actions|github)\//i.test(r);
+    });
+    const att = {};
+    if (!dependabotActions) att["0"] = true;
+    if (anyThirdParty) att["1"] = true;
+    if (Object.keys(att).length) signal_overrides["publish-workflow-action-refs-mutable__fp_checks"] = att;
+  }
+
   // Per-indicator file locations for the publish-workflow indicators
   // flipped to "hit", so a SARIF result points at the workflow file (and,
   // for mutable action refs, the offending `uses:` line). The other

package/lib/collectors/runtime.js

@@ -106,6 +106,21 @@ function isWorldWritable(p) {
   } catch { return false; }
 }
 
+// Classify a world-writable hit against the two deterministic
+// false_positive_checks_required entries for world-writable-in-trusted-path:
+//   [0] sticky-bit (1777-style) dirs/files intentionally permit per-user write
+//   [1] 0-byte stamp / unix-socket / FIFO documented for the application
+// Returns { stickyBit, special } so the caller can both keep only genuine
+// hits and attest exactly the checks it ran.
+function classifyWorldWritable(p) {
+  try {
+    const s = fs.lstatSync(p);
+    const stickyBit = (s.mode & 0o1000) !== 0;
+    const special = s.isSocket() || s.isFIFO() || (s.isFile() && s.size === 0);
+    return { stickyBit, special };
+  } catch { return { stickyBit: false, special: false }; }
+}
+
 function readProcPid(pid, procRoot) {
   // Returns { pid, ppid, uid, exe } or null.
   try {
@@ -240,11 +255,22 @@ function collect({ cwd = process.cwd(), env = process.env, args = {} } = {}) {
   const passwdContent = readFileSafe(P.passwd);
   const uid0 = passwdContent ? parsePasswdUidZero(passwdContent) : null;
 
-  // World-writable files under trusted paths.
+  // World-writable files under trusted paths. Split into genuine hits
+  // (regular non-empty files without the sticky bit) and benign carriers
+  // the two false_positive_checks_required entries demote (sticky-bit
+  // per-user-write dirs; 0-byte stamps / sockets / FIFOs). Only the
+  // genuine hits flip the indicator; the split records which FP checks
+  // the collector deterministically ran.
   const worldWritableFiles = [];
+  let sawStickyBitCarrier = false;
+  let sawSpecialCarrier = false;
   for (const tp of P.trustedPaths) {
     for (const f of walkShallow(tp, TRUSTED_PATH_MAX_DEPTH)) {
-      if (isWorldWritable(f)) worldWritableFiles.push(f);
+      if (!isWorldWritable(f)) continue;
+      const { stickyBit, special } = classifyWorldWritable(f);
+      if (stickyBit) { sawStickyBitCarrier = true; continue; }
+      if (special) { sawSpecialCarrier = true; continue; }
+      worldWritableFiles.push(f);
     }
   }
 
@@ -266,7 +292,16 @@ function collect({ cwd = process.cwd(), env = process.env, args = {} } = {}) {
     try { fs.readdirSync(tp); return true; } catch { return false; }
   });
   if (anyTpReadable) {
-    signal_overrides["world-writable-in-trusted-path"] = worldWritableFiles.length > 0 ? "hit" : "miss";
+    const wwHit = worldWritableFiles.length > 0;
+    signal_overrides["world-writable-in-trusted-path"] = wwHit ? "hit" : "miss";
+    // Attest the false_positive_checks_required entries the collector
+    // ran against every flagged file: [0] sticky-bit carriers and [1]
+    // 0-byte/socket/FIFO carriers were both stat-inspected and excluded,
+    // so a surviving hit satisfies both. Without this attestation the
+    // runner downgrades a real world-writable hit to inconclusive.
+    if (wwHit) {
+      signal_overrides["world-writable-in-trusted-path__fp_checks"] = { "0": true, "1": true };
+    }
   }
   // orphan-privileged-process: only emit when /proc was walkable
   // AND the scan had enough exe-link visibility to reach a verdict.

package/lib/collectors/sbom.js

@@ -354,6 +354,12 @@ function collect({ cwd = process.cwd(), env = process.env, args = {} } = {}) {
       const j = JSON.parse(fs.readFileSync(npmLockfile.path, "utf8"));
       let withIntegrity = 0;
       let withoutIntegrity = 0;
+      // Track whether any integrity-less entry is a local-path / workspace /
+      // git ref. lockfile-no-integrity FP[0] demotes those — they legitimately
+      // have no registry integrity hash. A remote-registry tarball without
+      // integrity is the genuine finding.
+      let withoutIntegrityLocalOnly = true;
+      const LOCAL_REF_RE = /^(?:file:|link:|workspace:|git\+ssh:|git\+https:|git:|github:|portal:)/i;
       const walk = (obj) => {
         if (!obj || typeof obj !== "object") return;
         // Only remote-tarball entries (those with a `resolved` URL) are
@@ -362,8 +368,12 @@ function collect({ cwd = process.cwd(), env = process.env, args = {} } = {}) {
         // `integrity`, so keying off `version` would false-positive on
         // every clean lockfile. Mirror library-author.js's guard.
         if (obj.resolved != null) {
-          if (obj.integrity != null) withIntegrity++;
-          else withoutIntegrity++;
+          if (obj.integrity != null) {
+            withIntegrity++;
+          } else {
+            withoutIntegrity++;
+            if (!LOCAL_REF_RE.test(String(obj.resolved))) withoutIntegrityLocalOnly = false;
+          }
         }
         for (const v of Object.values(obj)) if (v && typeof v === "object") walk(v);
       };
@@ -373,6 +383,15 @@ function collect({ cwd = process.cwd(), env = process.env, args = {} } = {}) {
       // class, not full coverage.
       if (withoutIntegrity > 0) {
         signal_overrides["lockfile-no-integrity"] = "hit";
+        // __fp_checks attestation. [0]: at least one integrity-less entry is a
+        // remote-registry tarball (not exclusively local-path/workspace/git
+        // refs). [1]: the lockfile is the canonical root package-lock.json the
+        // build consumes, not a stale copy under archive/ pre-migration/.
+        const att = {};
+        if (!withoutIntegrityLocalOnly) att["0"] = true;
+        const rel = (npmLockfile.path || "").replace(/\\/g, "/");
+        if (!/\/(?:archive|pre-migration|old|backup|legacy)\//i.test(rel)) att["1"] = true;
+        if (Object.keys(att).length) signal_overrides["lockfile-no-integrity__fp_checks"] = att;
       } else if (withIntegrity > 0) {
         signal_overrides["lockfile-no-integrity"] = "miss";
       }

package/lib/collectors/scan-excludes.js

@@ -148,7 +148,10 @@ function walkTree(root, opts = {}) {
         // `seen` check is needed. This is the hot path — it runs once per
         // file in the tree and is now syscall-free beyond the parent
         // readdir.
-        out.push({ full, rel: path.relative(root, full), name: entry.name });
+        // Emit forward-slash rel paths on every platform so artifact
+        // summaries match the SARIF evidence_locations (which normalize the
+        // same way) — on Windows path.relative returns backslash separators.
+        out.push({ full, rel: path.relative(root, full).split(path.sep).join("/"), name: entry.name });
       }
     }
   }

package/lib/collectors/secrets.js

@@ -112,6 +112,98 @@ const AWS_EXAMPLE_ACCESS_KEY_IDS = new Set([
   "AKIAIOSFODNN7EXAMPLE",
 ]);
 
+// AWS-published sample secret-access-key (paired with AKIAIOSFODNN7EXAMPLE
+// throughout the AWS docs). aws-secret-access-key false_positive_checks_required[1]
+// demotes this exact value.
+const AWS_EXAMPLE_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";
+
+// Placeholder/fixture substrings the API-key indicators' FP[0] checks demote.
+// A literal `PLACEHOLDER` / `EXAMPLE` / `XXXX` run / a `dummy`/`test` infix
+// marks documentation material rather than a live credential.
+const PLACEHOLDER_RE = /placeholder|example|redacted|dummy|x{4,}|0{6,}|1234567890/i;
+
+// Path segments the per-indicator FP path checks treat as documentation /
+// fixture material in addition to TEST_PATH_SEGMENTS (which already covers
+// /examples/, /fixtures/, /test/ etc.). The secret indicators' FP prose adds
+// /docs/ and quickstart/snippet paths.
+const DOC_PATH_SEGMENTS = [
+  "/docs/", "/doc/", "/sdk-quickstart/", "/quickstart/", "/docs-snippet/",
+];
+
+function isDocOrTestPath(rel) {
+  if (isTestPath(rel)) return true;
+  const norm = "/" + rel.replace(/\\/g, "/").toLowerCase() + "/";
+  return DOC_PATH_SEGMENTS.some((seg) => norm.includes(seg));
+}
+
+// Per-indicator deterministic false_positive_checks_required evaluation.
+// Returns the set of FP-check indices (as strings) the collector can attest
+// for a single hit — i.e. the checks it actually ran and that the hit
+// survives. Indices requiring network reachability or operator judgement are
+// deliberately omitted so the runner honestly downgrades to inconclusive.
+// `value` is the matched credential, `file` the relative path, `window` a
+// few-line context slice around the match.
+function fpIndicesSatisfied(indicatorId, value, file, window) {
+  const sat = new Set();
+  const notDocPath = !isDocOrTestPath(file);
+  switch (indicatorId) {
+    case "aws-secret-access-key": {
+      // [0] co-occurrence with an AKIA*/ASIA*/AGPA*/AIDA* id in a 10-line window
+      if (/\b(?:AKIA|ASIA|AGPA|AIDA)[0-9A-Z]{12,}\b/.test(window)) sat.add("0");
+      // [1] not the AWS-published sample secret
+      if (value !== AWS_EXAMPLE_SECRET_KEY) sat.add("1");
+      // [2] not under examples/ docs/ fixtures/ / a test snapshot
+      if (notDocPath) sat.add("2");
+      break;
+    }
+    case "slack-bot-or-user-token": {
+      // [0] not a placeholder / published doc fixture
+      if (!PLACEHOLDER_RE.test(value)) sat.add("0");
+      // [1] conforms to a current Slack token shape: at least three
+      //     dash-separated segments after the xox? prefix
+      if (value.split("-").length >= 4) sat.add("1");
+      // [2] not under examples/ docs/ fixtures/
+      if (notDocPath) sat.add("2");
+      break;
+    }
+    case "stripe-secret-key": {
+      // [0] not a sk_test_ published sample (deterministic only for the
+      //     test prefix; live keys are handled by [2])
+      if (!(value.startsWith("sk_test_") && PLACEHOLDER_RE.test(value))) sat.add("0");
+      // [1] not under examples/ fixtures/ docs/ / a quickstart template
+      if (notDocPath) sat.add("1");
+      // [2] the live-validity probe applies only to sk_live_*; a sk_test_
+      //     key carries no live financial exposure, so the check is moot and
+      //     the collector can attest it deterministically. sk_live_* still
+      //     needs operator-authorised network validation — left unattested.
+      if (value.startsWith("sk_test_") || value.startsWith("rk_test_")) sat.add("2");
+      break;
+    }
+    case "openai-api-key": {
+      // [0] not a placeholder / sk-test- / sk-dummy- fixture
+      if (!PLACEHOLDER_RE.test(value) && !/^sk-(?:test|dummy)-/i.test(value)) sat.add("0");
+      // [1] post-prefix length meets the entropy floor (>= 48 chars)
+      if (value.replace(/^sk-(?:proj-|svcacct-|admin-)?/, "").length >= 48) sat.add("1");
+      // [2] vendor disambiguation — sk-ant-* is Anthropic, not OpenAI
+      if (!/^sk-ant-/i.test(value)) sat.add("2");
+      break;
+    }
+    case "anthropic-api-key": {
+      // [0] not a placeholder / sk-ant-test- fixture
+      if (!PLACEHOLDER_RE.test(value) && !/^sk-ant-test-/i.test(value)) sat.add("0");
+      // [1] not under examples/ fixtures/ sdk-quickstart/ docs-snippet/
+      if (notDocPath) sat.add("1");
+      // [2] post-prefix length meets the entropy floor (>= 80 chars after
+      //     sk-ant-(api03|admin01)-)
+      if (value.replace(/^sk-ant-(?:api03|admin01)-/, "").length >= 80) sat.add("2");
+      break;
+    }
+    default:
+      break;
+  }
+  return sat;
+}
+
 const INDICATOR_PATTERNS = [
   { id: "aws-access-key-id",          re: /\bAKIA[0-9A-Z]{16}\b/g },
   { id: "aws-secret-access-key",      re: /\baws_secret_access_key\s*[=:]\s*['"]?([A-Za-z0-9/+=]{40})['"]?/gi },
@@ -209,6 +301,13 @@ function scanContent(full, rel) {
       // Demote AWS-published example access-key IDs (e.g. the docs' canonical
       // AKIAIOSFODNN7EXAMPLE). A README quoting the AWS docs must not hit.
       if (p.id === "aws-access-key-id" && AWS_EXAMPLE_ACCESS_KEY_IDS.has(m[0])) continue;
+      // The captured credential is group 1 when the pattern brackets it
+      // (aws_secret_access_key=<value>); otherwise the whole match.
+      const value = m[1] != null ? m[1] : m[0];
+      // ±600-byte context window (a deterministic proxy for "nearby lines")
+      // used by the co-occurrence FP check.
+      const winStart = Math.max(0, m.index - 600);
+      const window = buf.slice(winStart, m.index + 600);
       hits.push({
         indicator_id: p.id,
         file: rel,
@@ -217,6 +316,9 @@ function scanContent(full, rel) {
         // (SARIF startLine) instead of a bare file-level location.
         line: lineFromOffset(buf, m.index),
         redacted_match: redactMatch(m[0]),
+        // The false_positive_checks_required indices this hit deterministically
+        // survives — attested so the runner doesn't downgrade hit → inconclusive.
+        fp_satisfied: fpIndicesSatisfied(p.id, value, rel, window),
       });
       if (++count >= 5) break; // cap per-indicator-per-file
     }
@@ -310,6 +412,29 @@ function collect({ cwd = process.cwd(), env = process.env, args = {} } = {}) {
   for (const p of INDICATOR_PATTERNS) {
     signal_overrides[p.id] = prodHitsByIndicator[p.id] && prodHitsByIndicator[p.id].length > 0 ? "hit" : "miss";
   }
+  // Per-indicator __fp_checks attestation. For each FP-gated indicator that
+  // fired, attest the false_positive_checks_required indices the collector
+  // deterministically ran AND that EVERY surviving hit satisfies (the
+  // intersection — an index is only universally true if no hit fails it).
+  // Network / operator-judgement indices are never in the set, so the runner
+  // still downgrades indicators that carry one. Without this, a real secret
+  // surfaced by `collect` is downgraded to inconclusive after `run`.
+  for (const p of INDICATOR_PATTERNS) {
+    if (signal_overrides[p.id] !== "hit") continue;
+    const hits = prodHitsByIndicator[p.id] || [];
+    if (!hits.length || !hits[0].fp_satisfied) continue;
+    let common = null;
+    for (const h of hits) {
+      const s = h.fp_satisfied || new Set();
+      if (common === null) { common = new Set(s); continue; }
+      for (const idx of [...common]) if (!s.has(idx)) common.delete(idx);
+    }
+    if (common && common.size) {
+      const att = {};
+      for (const idx of common) att[idx] = true;
+      signal_overrides[`${p.id}__fp_checks`] = att;
+    }
+  }
   // ssh-private-key-block is also flipped by file presence (a private
   // key file with the matching magic bytes counts even without a
   // content scan match — e.g. binary-only key formats). Re-flip when

package/lib/cve-cli.js

@@ -69,4 +69,12 @@ const { resolveCve } = require("./citation-resolve.js");
   if (fails) {
     process.exitCode = 2;
   }
-})();
+})().catch((err) => {
+  // A corrupt/unreadable catalog (or any unexpected throw inside the async
+  // body) becomes a rejected promise. Emit the same single-line
+  // {ok:false,error} envelope the verb promises rather than crashing with a
+  // raw stack trace, and signal failure via exitCode so the event loop drains
+  // stderr before exit.
+  process.stderr.write(JSON.stringify({ ok: false, verb: "cve", error: String((err && err.message) || err) }) + "\n");
+  process.exitCode = 1;
+});