@blamejs/exceptd-skills 0.16.23 → 0.16.24

package/lib/collectors/runtime.js

@@ -106,6 +106,21 @@ function isWorldWritable(p) {
   } catch { return false; }
 }
 
+// Classify a world-writable hit against the two deterministic
+// false_positive_checks_required entries for world-writable-in-trusted-path:
+//   [0] sticky-bit (1777-style) dirs/files intentionally permit per-user write
+//   [1] 0-byte stamp / unix-socket / FIFO documented for the application
+// Returns { stickyBit, special } so the caller can both keep only genuine
+// hits and attest exactly the checks it ran.
+function classifyWorldWritable(p) {
+  try {
+    const s = fs.lstatSync(p);
+    const stickyBit = (s.mode & 0o1000) !== 0;
+    const special = s.isSocket() || s.isFIFO() || (s.isFile() && s.size === 0);
+    return { stickyBit, special };
+  } catch { return { stickyBit: false, special: false }; }
+}
+
 function readProcPid(pid, procRoot) {
   // Returns { pid, ppid, uid, exe } or null.
   try {
@@ -240,11 +255,22 @@ function collect({ cwd = process.cwd(), env = process.env, args = {} } = {}) {
   const passwdContent = readFileSafe(P.passwd);
   const uid0 = passwdContent ? parsePasswdUidZero(passwdContent) : null;
 
-  // World-writable files under trusted paths.
+  // World-writable files under trusted paths. Split into genuine hits
+  // (regular non-empty files without the sticky bit) and benign carriers
+  // the two false_positive_checks_required entries demote (sticky-bit
+  // per-user-write dirs; 0-byte stamps / sockets / FIFOs). Only the
+  // genuine hits flip the indicator; the split records which FP checks
+  // the collector deterministically ran.
   const worldWritableFiles = [];
+  let sawStickyBitCarrier = false;
+  let sawSpecialCarrier = false;
   for (const tp of P.trustedPaths) {
     for (const f of walkShallow(tp, TRUSTED_PATH_MAX_DEPTH)) {
-      if (isWorldWritable(f)) worldWritableFiles.push(f);
+      if (!isWorldWritable(f)) continue;
+      const { stickyBit, special } = classifyWorldWritable(f);
+      if (stickyBit) { sawStickyBitCarrier = true; continue; }
+      if (special) { sawSpecialCarrier = true; continue; }
+      worldWritableFiles.push(f);
     }
   }
 
@@ -266,7 +292,16 @@ function collect({ cwd = process.cwd(), env = process.env, args = {} } = {}) {
     try { fs.readdirSync(tp); return true; } catch { return false; }
   });
   if (anyTpReadable) {
-    signal_overrides["world-writable-in-trusted-path"] = worldWritableFiles.length > 0 ? "hit" : "miss";
+    const wwHit = worldWritableFiles.length > 0;
+    signal_overrides["world-writable-in-trusted-path"] = wwHit ? "hit" : "miss";
+    // Attest the false_positive_checks_required entries the collector
+    // ran against every flagged file: [0] sticky-bit carriers and [1]
+    // 0-byte/socket/FIFO carriers were both stat-inspected and excluded,
+    // so a surviving hit satisfies both. Without this attestation the
+    // runner downgrades a real world-writable hit to inconclusive.
+    if (wwHit) {
+      signal_overrides["world-writable-in-trusted-path__fp_checks"] = { "0": true, "1": true };
+    }
   }
   // orphan-privileged-process: only emit when /proc was walkable
   // AND the scan had enough exe-link visibility to reach a verdict.

package/lib/collectors/sbom.js

@@ -354,6 +354,12 @@ function collect({ cwd = process.cwd(), env = process.env, args = {} } = {}) {
       const j = JSON.parse(fs.readFileSync(npmLockfile.path, "utf8"));
       let withIntegrity = 0;
       let withoutIntegrity = 0;
+      // Track whether any integrity-less entry is a local-path / workspace /
+      // git ref. lockfile-no-integrity FP[0] demotes those — they legitimately
+      // have no registry integrity hash. A remote-registry tarball without
+      // integrity is the genuine finding.
+      let withoutIntegrityLocalOnly = true;
+      const LOCAL_REF_RE = /^(?:file:|link:|workspace:|git\+ssh:|git\+https:|git:|github:|portal:)/i;
       const walk = (obj) => {
         if (!obj || typeof obj !== "object") return;
         // Only remote-tarball entries (those with a `resolved` URL) are
@@ -362,8 +368,12 @@ function collect({ cwd = process.cwd(), env = process.env, args = {} } = {}) {
         // `integrity`, so keying off `version` would false-positive on
         // every clean lockfile. Mirror library-author.js's guard.
         if (obj.resolved != null) {
-          if (obj.integrity != null) withIntegrity++;
-          else withoutIntegrity++;
+          if (obj.integrity != null) {
+            withIntegrity++;
+          } else {
+            withoutIntegrity++;
+            if (!LOCAL_REF_RE.test(String(obj.resolved))) withoutIntegrityLocalOnly = false;
+          }
         }
         for (const v of Object.values(obj)) if (v && typeof v === "object") walk(v);
       };
@@ -373,6 +383,15 @@ function collect({ cwd = process.cwd(), env = process.env, args = {} } = {}) {
       // class, not full coverage.
       if (withoutIntegrity > 0) {
         signal_overrides["lockfile-no-integrity"] = "hit";
+        // __fp_checks attestation. [0]: at least one integrity-less entry is a
+        // remote-registry tarball (not exclusively local-path/workspace/git
+        // refs). [1]: the lockfile is the canonical root package-lock.json the
+        // build consumes, not a stale copy under archive/ pre-migration/.
+        const att = {};
+        if (!withoutIntegrityLocalOnly) att["0"] = true;
+        const rel = (npmLockfile.path || "").replace(/\\/g, "/");
+        if (!/\/(?:archive|pre-migration|old|backup|legacy)\//i.test(rel)) att["1"] = true;
+        if (Object.keys(att).length) signal_overrides["lockfile-no-integrity__fp_checks"] = att;
       } else if (withIntegrity > 0) {
         signal_overrides["lockfile-no-integrity"] = "miss";
       }

package/lib/collectors/secrets.js

@@ -112,6 +112,98 @@ const AWS_EXAMPLE_ACCESS_KEY_IDS = new Set([
   "AKIAIOSFODNN7EXAMPLE",
 ]);
 
+// AWS-published sample secret-access-key (paired with AKIAIOSFODNN7EXAMPLE
+// throughout the AWS docs). aws-secret-access-key false_positive_checks_required[1]
+// demotes this exact value.
+const AWS_EXAMPLE_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";
+
+// Placeholder/fixture substrings the API-key indicators' FP[0] checks demote.
+// A literal `PLACEHOLDER` / `EXAMPLE` / `XXXX` run / a `dummy`/`test` infix
+// marks documentation material rather than a live credential.
+const PLACEHOLDER_RE = /placeholder|example|redacted|dummy|x{4,}|0{6,}|1234567890/i;
+
+// Path segments the per-indicator FP path checks treat as documentation /
+// fixture material in addition to TEST_PATH_SEGMENTS (which already covers
+// /examples/, /fixtures/, /test/ etc.). The secret indicators' FP prose adds
+// /docs/ and quickstart/snippet paths.
+const DOC_PATH_SEGMENTS = [
+  "/docs/", "/doc/", "/sdk-quickstart/", "/quickstart/", "/docs-snippet/",
+];
+
+function isDocOrTestPath(rel) {
+  if (isTestPath(rel)) return true;
+  const norm = "/" + rel.replace(/\\/g, "/").toLowerCase() + "/";
+  return DOC_PATH_SEGMENTS.some((seg) => norm.includes(seg));
+}
+
+// Per-indicator deterministic false_positive_checks_required evaluation.
+// Returns the set of FP-check indices (as strings) the collector can attest
+// for a single hit — i.e. the checks it actually ran and that the hit
+// survives. Indices requiring network reachability or operator judgement are
+// deliberately omitted so the runner honestly downgrades to inconclusive.
+// `value` is the matched credential, `file` the relative path, `window` a
+// few-line context slice around the match.
+function fpIndicesSatisfied(indicatorId, value, file, window) {
+  const sat = new Set();
+  const notDocPath = !isDocOrTestPath(file);
+  switch (indicatorId) {
+    case "aws-secret-access-key": {
+      // [0] co-occurrence with an AKIA*/ASIA*/AGPA*/AIDA* id in a 10-line window
+      if (/\b(?:AKIA|ASIA|AGPA|AIDA)[0-9A-Z]{12,}\b/.test(window)) sat.add("0");
+      // [1] not the AWS-published sample secret
+      if (value !== AWS_EXAMPLE_SECRET_KEY) sat.add("1");
+      // [2] not under examples/ docs/ fixtures/ / a test snapshot
+      if (notDocPath) sat.add("2");
+      break;
+    }
+    case "slack-bot-or-user-token": {
+      // [0] not a placeholder / published doc fixture
+      if (!PLACEHOLDER_RE.test(value)) sat.add("0");
+      // [1] conforms to a current Slack token shape: at least three
+      //     dash-separated segments after the xox? prefix
+      if (value.split("-").length >= 4) sat.add("1");
+      // [2] not under examples/ docs/ fixtures/
+      if (notDocPath) sat.add("2");
+      break;
+    }
+    case "stripe-secret-key": {
+      // [0] not a sk_test_ published sample (deterministic only for the
+      //     test prefix; live keys are handled by [2])
+      if (!(value.startsWith("sk_test_") && PLACEHOLDER_RE.test(value))) sat.add("0");
+      // [1] not under examples/ fixtures/ docs/ / a quickstart template
+      if (notDocPath) sat.add("1");
+      // [2] the live-validity probe applies only to sk_live_*; a sk_test_
+      //     key carries no live financial exposure, so the check is moot and
+      //     the collector can attest it deterministically. sk_live_* still
+      //     needs operator-authorised network validation — left unattested.
+      if (value.startsWith("sk_test_") || value.startsWith("rk_test_")) sat.add("2");
+      break;
+    }
+    case "openai-api-key": {
+      // [0] not a placeholder / sk-test- / sk-dummy- fixture
+      if (!PLACEHOLDER_RE.test(value) && !/^sk-(?:test|dummy)-/i.test(value)) sat.add("0");
+      // [1] post-prefix length meets the entropy floor (>= 48 chars)
+      if (value.replace(/^sk-(?:proj-|svcacct-|admin-)?/, "").length >= 48) sat.add("1");
+      // [2] vendor disambiguation — sk-ant-* is Anthropic, not OpenAI
+      if (!/^sk-ant-/i.test(value)) sat.add("2");
+      break;
+    }
+    case "anthropic-api-key": {
+      // [0] not a placeholder / sk-ant-test- fixture
+      if (!PLACEHOLDER_RE.test(value) && !/^sk-ant-test-/i.test(value)) sat.add("0");
+      // [1] not under examples/ fixtures/ sdk-quickstart/ docs-snippet/
+      if (notDocPath) sat.add("1");
+      // [2] post-prefix length meets the entropy floor (>= 80 chars after
+      //     sk-ant-(api03|admin01)-)
+      if (value.replace(/^sk-ant-(?:api03|admin01)-/, "").length >= 80) sat.add("2");
+      break;
+    }
+    default:
+      break;
+  }
+  return sat;
+}
+
 const INDICATOR_PATTERNS = [
   { id: "aws-access-key-id",          re: /\bAKIA[0-9A-Z]{16}\b/g },
   { id: "aws-secret-access-key",      re: /\baws_secret_access_key\s*[=:]\s*['"]?([A-Za-z0-9/+=]{40})['"]?/gi },
@@ -209,6 +301,13 @@ function scanContent(full, rel) {
       // Demote AWS-published example access-key IDs (e.g. the docs' canonical
       // AKIAIOSFODNN7EXAMPLE). A README quoting the AWS docs must not hit.
       if (p.id === "aws-access-key-id" && AWS_EXAMPLE_ACCESS_KEY_IDS.has(m[0])) continue;
+      // The captured credential is group 1 when the pattern brackets it
+      // (aws_secret_access_key=<value>); otherwise the whole match.
+      const value = m[1] != null ? m[1] : m[0];
+      // ±600-byte context window (a deterministic proxy for "nearby lines")
+      // used by the co-occurrence FP check.
+      const winStart = Math.max(0, m.index - 600);
+      const window = buf.slice(winStart, m.index + 600);
       hits.push({
         indicator_id: p.id,
         file: rel,
@@ -217,6 +316,9 @@ function scanContent(full, rel) {
         // (SARIF startLine) instead of a bare file-level location.
         line: lineFromOffset(buf, m.index),
         redacted_match: redactMatch(m[0]),
+        // The false_positive_checks_required indices this hit deterministically
+        // survives — attested so the runner doesn't downgrade hit → inconclusive.
+        fp_satisfied: fpIndicesSatisfied(p.id, value, rel, window),
       });
       if (++count >= 5) break; // cap per-indicator-per-file
     }
@@ -310,6 +412,29 @@ function collect({ cwd = process.cwd(), env = process.env, args = {} } = {}) {
   for (const p of INDICATOR_PATTERNS) {
     signal_overrides[p.id] = prodHitsByIndicator[p.id] && prodHitsByIndicator[p.id].length > 0 ? "hit" : "miss";
   }
+  // Per-indicator __fp_checks attestation. For each FP-gated indicator that
+  // fired, attest the false_positive_checks_required indices the collector
+  // deterministically ran AND that EVERY surviving hit satisfies (the
+  // intersection — an index is only universally true if no hit fails it).
+  // Network / operator-judgement indices are never in the set, so the runner
+  // still downgrades indicators that carry one. Without this, a real secret
+  // surfaced by `collect` is downgraded to inconclusive after `run`.
+  for (const p of INDICATOR_PATTERNS) {
+    if (signal_overrides[p.id] !== "hit") continue;
+    const hits = prodHitsByIndicator[p.id] || [];
+    if (!hits.length || !hits[0].fp_satisfied) continue;
+    let common = null;
+    for (const h of hits) {
+      const s = h.fp_satisfied || new Set();
+      if (common === null) { common = new Set(s); continue; }
+      for (const idx of [...common]) if (!s.has(idx)) common.delete(idx);
+    }
+    if (common && common.size) {
+      const att = {};
+      for (const idx of common) att[idx] = true;
+      signal_overrides[`${p.id}__fp_checks`] = att;
+    }
+  }
   // ssh-private-key-block is also flipped by file presence (a private
   // key file with the matching magic bytes counts even without a
   // content scan match — e.g. binary-only key formats). Re-flip when

package/lib/cve-regression-watcher.js

@@ -63,7 +63,6 @@ const path = require('path');
 const fs = require('fs');
 
 const CVE_ID_RE = /^CVE-((?:19|20)\d{2})-\d{4,7}$/;
-const TODAY = new Date().toISOString().slice(0, 10);
 
 /**
  * Extract the year from a CVE-YYYY-NNN identifier. Returns null for non-CVE
@@ -274,7 +273,11 @@ function findRegressionCandidates(diffs, catalog, opts) {
     candidates,
     historical_id_threshold_year: thresholdYear,
     evaluated_diffs: evaluated,
-    generated_at: TODAY,
+    // Stamp from the same clock that derives the threshold year, so both
+    // date-derived report fields share one instant. Falls back to call-time
+    // `new Date()` (via the `now` default) when no clock is injected — never
+    // a module-load constant, which would go stale in a long-lived process.
+    generated_at: now.toISOString().slice(0, 10),
     control_ref: 'NEW-CTRL-074',
   };
 }

package/lib/playbook-runner.js

@@ -3425,9 +3425,22 @@ function run(playbookId, directiveId, agentSubmission = {}, runOpts = {}) {
   if (runOpts.session_id) {
     sessionId = runOpts.session_id;
   } else if (runOpts.bundleDeterministic) {
-    const submissionDigest = crypto.createHash('sha256')
-      .update(canonicalStringify(extractSubmissionForHash(agentSubmission)))
-      .digest('hex');
+    let submissionDigest;
+    try {
+      submissionDigest = crypto.createHash('sha256')
+        .update(canonicalStringify(extractSubmissionForHash(agentSubmission)))
+        .digest('hex');
+    } catch (e) {
+      // canonicalStringify deliberately throws (EVIDENCE_TOO_DEEP) on
+      // pathological nesting. The mutex lockfile and the _activeRuns entry
+      // are already held here, but the protecting try/finally below has
+      // not opened yet — release both before rethrowing, or the leaked
+      // lockfile blocks every subsequent run of this playbook for as long
+      // as this PID lives.
+      _activeRuns.delete(playbookId);
+      releaseLock(lockPath);
+      throw e;
+    }
     sessionId = crypto.createHash('sha256')
       .update(`${playbookId}\0${submissionDigest}\0${getEngineVersion()}`)
       .digest('hex')