@blamejs/exceptd-skills 0.16.23 → 0.16.24

package/CHANGELOG.md

@@ -1,5 +1,19 @@
 # Changelog
 
+## 0.16.24 — 2026-06-05
+
+Attestation replay tamper-gating, collector detection integrity, and lock-lifecycle fixes.
+
+### Bugs
+
+A host whose `keys/public.pem` fails the `EXPECTED_FINGERPRINT` pin is now a first-class tamper state on the replay path: `reattest` refuses with exit 6 (TAMPERED) unless `--force-replay`, the same way `attest verify` already refused. Previously the pin mismatch — the exact key-swap attack the pin exists to surface — fell through to a benign "unsigned attestations are an operator config issue" note and the replay proceeded. The sidecar audit classification gains a matching `fingerprint-mismatch` label, and the replay-refusal predicate now lives in one shared helper so a future tamper class has exactly one place to extend.
+
+Piping a collector into a run — `exceptd collect secrets | exceptd run secrets --evidence -` — now classifies real findings as detected instead of silently inconclusive. Collectors flipped false-positive-gated indicators to "hit" without attesting the FP checks they had actually performed, so the engine's honest-downgrade gate demoted every such hit. Eight collectors now perform and attest their deterministic FP checks (example-key demotion, placeholder and entropy floors, context co-occurrence, test-path exclusion, kernel-config reads, sticky-bit/socket classification, registry-tarball and mutable-ref analysis); indicators whose remaining checks genuinely require a network probe or operator judgement stay inconclusive by design, and a guard test enforces that any collector flipping a gated indicator either attests its checks or documents why it abstains.
+
+A run invoked with `--bundle-deterministic` against pathologically nested evidence no longer leaks the playbook's cross-process mutex: the depth-limit refusal threw after the lock was taken but before the release path was armed, so every later run of that playbook on the same host was blocked with a phantom "concurrent run holds the mutex" until the process exited. Attestation creation no longer strands an orphaned, unsigned attestation body holding the session slot when the body lands but its signature sidecar cannot be placed — the slot is released and the create can be retried; the unsafe-filename refusal also now returns its structured envelope instead of crashing. `doctor --ai-config --fix` no longer builds an `icacls` grant from an unset `USERNAME` (which stripped ACL inheritance and then failed on the unresolvable account, locking the file out); it resolves the user via the OS and withholds the automatic fix when no name is resolvable. The watch daemon's lockfile stale-reclaim race now exits 75 (WATCH_LOCK_CONTENTION) like every other contention path instead of a generic failure, and the CVE regression watcher stamps reports with the run's clock rather than a module-load timestamp.
+
+End-to-end detection scenarios now assert that the staged indicator actually fired instead of accepting the operator-supplied verdict alone, one scenario no longer masks the engine's computed classification with an override, and RWEP floors are pinned at the computed values so a per-indicator weight regression trips them. The derived-index builders count `###` headings fence-aware (code-block lines no longer inflate section offsets), emit the documented `dlp_refs` key on CWE chains, and describe their real output shape; the zero-day response report template and remaining docs now state the blast-radius ceiling as 0-30.
+
 ## 0.16.23 — 2026-06-05
 
 A broad correctness and hardening pass across the runtime, the data-refresh pipeline, the catalogs, and the release tooling.
@@ -26,6 +40,8 @@ The release orchestrator could report a release complete while the publish was u
 
 The secret-scanning configuration no longer allowlists the entire playbooks directory by path — targeted patterns cover the legitimate example values instead, so a real credential committed into a playbook file is detectable again. Workflow version comments now match their pinned action SHAs, the publish workflow pins the same exact Node version the gates run on (held in lockstep by a three-way test against CI and the Docker harness), the ATLAS-currency workflow detects stale skills structurally instead of grepping a prose string, and the automated data-refresh PR body describes the structural gate it actually runs. The packaging gate pins every module the CLI requires at launch, the SBOM gate verifies the entry counts embedded in the published description against the live catalogs, skill frontmatter is validated against the shipped schema (previously decorative), and a new guard asserts that every byte-hashed shipped file type carries an LF-forcing `.gitattributes` rule. The catalog inventory in CONTEXT.md and the counts in the package description are pinned by tests so they fail loudly instead of rotting silently.
 
+## 0.16.22 — 2026-06-05
+
 When the automated external-data refresh applies a CISA KEV listing change to a catalog entry, it now updates the entry's RWEP factor and score in the same write, honouring whichever factor shape the entry stores. Previously only the flag flipped, leaving the stored score failing the factor-sum invariant the catalog enforces — the first real KEV listing the refresh applied surfaced this as a 25-point mismatch. A first listing also now carries its KEV date: the drift check emitted a date change only when the local entry already had one, so a newly listed CVE arrived dated null. The refresh workflow's post-apply gate now runs structural validation (catalog schema and RWEP coherence, cross-references, index freshness, skill lint) instead of the full test suite: the suite's curation-completeness checks assert guarantees that human curation supplies after import, so they gate the automated data PR's merge rather than its creation. The workflow also regenerates the SBOM over freshly applied data and consumes its own just-built prefetch cache on runners that have no signing key.
 
 ## 0.16.21 — 2026-06-04
@@ -2152,6 +2168,8 @@ Documentation accuracy pass. README.md + ARCHITECTURE.md were still pinning ATLA
 **`tests/docs-catalog-counts-pinned.test.js`** — new contract test asserts that README.md and ARCHITECTURE.md text matches the live catalog state for: ATLAS version (`data/atlas-ttps.json._meta.atlas_version`), ATT&CK version (`data/attack-techniques.json._meta.attack_version`), skill count (`manifest.json.skills.length`), D3FEND entry count, CVE catalog count, framework-gap entry count. Any future PR that bumps a catalog without updating the operator-facing docs fails the gate at CI time — eliminates the silent-drift class that v0.12.34 cleaned up.
 
 
+## 0.12.33 — 2026-05-15
+
 Same-day CVE intake (node-ipc supply-chain compromise) + cleanup of the long-standing `cred-stores` skill-vs-playbook semantic confusion.
 
 ### Features

package/agents/report-generator.md

@@ -36,7 +36,7 @@ Generate structured, audience-appropriate reports from skill outputs. Translates
 ### 2. Technical Assessment Report
 
 **Audience:** Security engineers, DevOps, Platform teams  
-**Template:** `reports/templates/technical-assessment.md`  
+**Template:** No canonical template — assemble from the content list below.  
 **Content:**
 - Full CVE inventory with CVSS + RWEP
 - Specific remediation commands and configurations
@@ -74,7 +74,7 @@ Generate structured, audience-appropriate reports from skill outputs. Translates
 ### 4. Threat Model Update Report
 
 **Audience:** Security architects, threat modeling teams  
-**Template:** `reports/templates/threat-model-update.md`  
+**Template:** No canonical template — assemble from the content list below.  
 **Content:**
 - Currency score before and after update
 - Specific threat classes added

package/bin/exceptd.js

@@ -4449,7 +4449,7 @@ function persistAttestation(args) {
   if (!/^[A-Za-z0-9._-]{1,64}\.json$/.test(filename || "")) {
     return {
       ok: false,
-      error: `Refusing to persist attestation with unsafe filename: ${JSON.stringify(filename).slice(0, 80)}.`,
+      error: `Refusing to persist attestation with unsafe filename: ${String(JSON.stringify(filename)).slice(0, 80)}.`,
       existingPath: null,
     };
   }
@@ -4526,7 +4526,17 @@ function persistAttestation(args) {
             fs.renameSync(jsonTmp, filePath);
           }
           // Slot won — place the sidecar (sigPath is fresh on a create).
-          fs.renameSync(sigTmp, sigPath);
+          try {
+            fs.renameSync(sigTmp, sigPath);
+          } catch (sigErr) {
+            // The body landed but its sidecar did not. Left in place, the
+            // orphaned unsigned body would hold the slot forever: every
+            // retry collides with EEXIST and verification reports the
+            // attestation unsigned. Release the slot before rethrowing so
+            // the create can be retried cleanly.
+            try { fs.unlinkSync(filePath); } catch { /* best-effort slot release */ }
+            throw sigErr;
+          }
           try { fs.unlinkSync(jsonTmp); } catch { /* hard-link path leaves a second name */ }
         } else {
           // Force-overwrite, under the persist lock: atomic replace of both.
@@ -4913,7 +4923,12 @@ function verifyAttestationSidecar(attFile) {
   if (pubKey) {
     const pinError = assertExpectedFingerprint(pubKey);
     if (pinError) {
-      return { file: attFile, signed: false, verified: false, reason: pinError };
+      // A pin mismatch means the host's public key is NOT the published
+      // one — verification against it would prove nothing. Carry a tamper
+      // class so consumers (reattest's refusal predicate, the sidecar
+      // classifier) treat this as tamper evidence, not a benign
+      // unsigned-attestation config state.
+      return { file: attFile, signed: false, verified: false, tamper_class: "fingerprint-mismatch", reason: pinError };
     }
   }
   if (!fs.existsSync(sigPath)) {
@@ -5137,25 +5152,7 @@ function cmdReattest(runner, args, runOpts, pretty) {
   // tampering. `verified === false && signed === true` is the real tamper
   // signal.
   const verify = verifyAttestationSidecar(attFile);
-  // Collapse tamper-class detection. Any non-benign sidecar state
-  // (signed-but-invalid, sidecar-corrupt, unsigned-substitution) refuses
-  // replay unless --force-replay is set. A predicate of only
-  // `verify.signed && !verify.verified` would miss corrupt-JSON sidecars
-  // and substituted "unsigned" sidecars on a host WITH a private key —
-  // both of which let replay proceed against forged input.
-  const isSignedTamper = verify.signed && !verify.verified;
-  const isClassTamper = !verify.signed && (
-    verify.tamper_class === "sidecar-corrupt"
-    || verify.tamper_class === "unsigned-substitution"
-    // Extend tamper-class refusal to algorithm-unsupported sidecars —
-    // anything other than "Ed25519" or "unsigned". Without explicit
-    // refusal, a sidecar that throws inside crypto.verify (e.g.
-    // signature_base64 missing on a downgrade-bait shape) emerges as
-    // signed:true + verified:false through the catch block by accident.
-    // The strict pre-check surfaces the class directly; refuse on it too.
-    || verify.tamper_class === "algorithm-unsupported"
-  );
-  if ((isSignedTamper || isClassTamper) && !args["force-replay"]) {
+  if (isTamperedSidecarVerify(verify) && !args["force-replay"]) {
     process.stderr.write(`[exceptd reattest] TAMPERED: attestation at ${attFile} failed Ed25519 verification (${verify.reason}). Refusing to replay against forged input. Pass --force-replay to override (the replay output records sidecar_verify so the audit trail captures the override).\n`);
     const body = {
       ok: false,
@@ -5170,7 +5167,7 @@ function cmdReattest(runner, args, runOpts, pretty) {
     process.exitCode = EXIT_CODES.TAMPERED;
     return;
   }
-  if ((isSignedTamper || isClassTamper) && args["force-replay"]) {
+  if (isTamperedSidecarVerify(verify) && args["force-replay"]) {
     process.stderr.write(`[exceptd reattest] WARNING: --force-replay overriding failed signature verification on ${attFile} (${verify.reason}). The replay output records sidecar_verify so the override is audit-visible.\n`);
   } else if (!verify.signed && verify.reason && verify.reason.includes("no .sig sidecar") && !args["force-replay"]) {
     // missing-sidecar is NOT benign. The previous flow accepted
@@ -5456,6 +5453,39 @@ function cmdReattest(runner, args, runOpts, pretty) {
  * sidecar_verify object so auditors can filter override events by class
  * without regexing the human-readable reason string.
  */
+/**
+ * Tamper predicate over a verifyAttestationSidecar() result. Collapses
+ * tamper-class detection: any non-benign sidecar state refuses replay
+ * unless --force-replay is set. A predicate of only
+ * `verify.signed && !verify.verified` would miss corrupt-JSON sidecars,
+ * substituted "unsigned" sidecars on a host WITH a private key,
+ * downgrade-bait algorithm shapes, and a keys/public.pem failing the
+ * EXPECTED_FINGERPRINT pin — each of which would let replay proceed
+ * against forged input. Keeping the class list HERE (one shared helper)
+ * means a new tamper class added to the verifier has exactly one refusal
+ * site to extend.
+ */
+function isTamperedSidecarVerify(verify) {
+  if (!verify || typeof verify !== "object") return false;
+  const isSignedTamper = verify.signed && !verify.verified;
+  const isClassTamper = !verify.signed && (
+    verify.tamper_class === "sidecar-corrupt"
+    || verify.tamper_class === "unsigned-substitution"
+    // Anything other than "Ed25519" or "unsigned": a sidecar that throws
+    // inside crypto.verify (e.g. signature_base64 missing on a
+    // downgrade-bait shape) would otherwise emerge as signed:true +
+    // verified:false through the catch block by accident. The strict
+    // pre-check surfaces the class directly; refuse on it too.
+    || verify.tamper_class === "algorithm-unsupported"
+    // A keys/public.pem that fails the EXPECTED_FINGERPRINT pin is the
+    // key-swap attack the pin exists for — verification "against" the
+    // swapped key proves nothing, so replay refuses exactly like the
+    // other tamper classes (attest verify already refuses on this).
+    || verify.tamper_class === "fingerprint-mismatch"
+  );
+  return Boolean(isSignedTamper || isClassTamper);
+}
+
 function classifySidecarVerify(verify) {
   if (!verify || typeof verify !== "object") return "unknown";
   if (verify.signed && verify.verified) return "verified";
@@ -5465,6 +5495,7 @@ function classifySidecarVerify(verify) {
   // `algorithm-unsupported` is its own class label so log scrapers /
   // dashboards can filter downgrade-bait events without parsing the reason.
   if (verify.tamper_class === "algorithm-unsupported") return "algorithm-unsupported";
+  if (verify.tamper_class === "fingerprint-mismatch") return "fingerprint-mismatch";
   if (typeof verify.reason === "string" && verify.reason.startsWith("attestation explicitly unsigned")) return "explicitly-unsigned";
   if (typeof verify.reason === "string" && verify.reason.includes("no .sig sidecar")) return "no-sidecar";
   if (typeof verify.reason === "string" && verify.reason.includes("no public key")) return "no-public-key";
@@ -6944,6 +6975,14 @@ function cmdDoctor(runner, args, runOpts, pretty) {
             // /grant:r <USER>:F` to strip inherited entries.
             const aclCheck = checkWindowsAcl(childAbs);
             if (aclCheck.ok) continue;
+            // Resolve the grant principal defensively: an unset USERNAME
+            // would otherwise interpolate "undefined:F", and icacls applies
+            // /inheritance:r BEFORE failing on the unresolvable account —
+            // stripping every inherited entry and locking the file out.
+            // os.userInfo() works even when the env var is absent.
+            const aclUser = process.env.USERNAME || (() => {
+              try { return require('os').userInfo().username; } catch { return null; }
+            })();
             findings.push({
               path: `${displayRoot}/${childRel}`,
               mode: null,
@@ -6951,7 +6990,9 @@ function cmdDoctor(runner, args, runOpts, pretty) {
               issue: 'broader_than_user_only_acl',
               acl_extra_principals: aclCheck.extraPrincipals,
               hint: `icacls "${childAbs}" /inheritance:r /grant:r %USERNAME%:F  # NEW-CTRL-050: AI-assistant configs holding MCP tokens / API keys must restrict ACL to the workstation user`,
-              fix_command: ['icacls', childAbs, '/inheritance:r', '/grant:r', `${process.env.USERNAME}:F`],
+              ...(aclUser
+                ? { fix_command: ['icacls', childAbs, '/inheritance:r', '/grant:r', `${aclUser}:F`] }
+                : { fix_unavailable: 'current user name unresolvable (USERNAME unset); apply the hint manually' }),
             });
             continue;
           }
@@ -9021,4 +9062,10 @@ function cmdCi(runner, args, runOpts, pretty) {
 
 if (require.main === module) main();
 
-module.exports = { COMMANDS, PKG_ROOT, PLAYBOOK_VERBS, persistAttestation };
+module.exports = {
+  COMMANDS, PKG_ROOT, PLAYBOOK_VERBS, persistAttestation,
+  // internal helpers exposed for tests
+  _isTamperedSidecarVerify: isTamperedSidecarVerify,
+  _classifySidecarVerify: classifySidecarVerify,
+  _verifyAttestationSidecar: verifyAttestationSidecar,
+};

package/data/_indexes/_meta.json

@@ -1,10 +1,10 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-06-05T18:16:18.337Z",
+  "generated_at": "2026-06-05T22:20:42.479Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 63,
   "source_hashes": {
-    "manifest.json": "21596a8c5ccaf4893d6762e847de34652724f8a34503722e44642c3a613eb9e7",
+    "manifest.json": "fe65c62f46bbb3c069247eb19169ac4ab99bf0354e3e9cfe432782bf402a918a",
     "data/atlas-ttps.json": "f66b456cf82a3c20575d8479de41f7b11b7ee5693eb1fcf64a67e162ae1b88a2",
     "data/attack-techniques.json": "c39f28e3402ef13ad9b7076819f63fda67a22f97e3e375cfe01c4a4e0beff7c9",
     "data/cve-catalog.json": "51d8425a49e5cc0375d0a154a83a16816e99c3141a5bbafe6383607ca11be240",