@blamejs/exceptd-skills 0.16.23 → 0.16.25

package/lib/collectors/runtime.js

@@ -106,6 +106,21 @@ function isWorldWritable(p) {
   } catch { return false; }
 }
 
+// Classify a world-writable hit against the two deterministic
+// false_positive_checks_required entries for world-writable-in-trusted-path:
+//   [0] sticky-bit (1777-style) dirs/files intentionally permit per-user write
+//   [1] 0-byte stamp / unix-socket / FIFO documented for the application
+// Returns { stickyBit, special } so the caller can both keep only genuine
+// hits and attest exactly the checks it ran.
+function classifyWorldWritable(p) {
+  try {
+    const s = fs.lstatSync(p);
+    const stickyBit = (s.mode & 0o1000) !== 0;
+    const special = s.isSocket() || s.isFIFO() || (s.isFile() && s.size === 0);
+    return { stickyBit, special };
+  } catch { return { stickyBit: false, special: false }; }
+}
+
 function readProcPid(pid, procRoot) {
   // Returns { pid, ppid, uid, exe } or null.
   try {
@@ -240,11 +255,22 @@ function collect({ cwd = process.cwd(), env = process.env, args = {} } = {}) {
   const passwdContent = readFileSafe(P.passwd);
   const uid0 = passwdContent ? parsePasswdUidZero(passwdContent) : null;
 
-  // World-writable files under trusted paths.
+  // World-writable files under trusted paths. Split into genuine hits
+  // (regular non-empty files without the sticky bit) and benign carriers
+  // the two false_positive_checks_required entries demote (sticky-bit
+  // per-user-write dirs; 0-byte stamps / sockets / FIFOs). Only the
+  // genuine hits flip the indicator; the split records which FP checks
+  // the collector deterministically ran.
   const worldWritableFiles = [];
+  let sawStickyBitCarrier = false;
+  let sawSpecialCarrier = false;
   for (const tp of P.trustedPaths) {
     for (const f of walkShallow(tp, TRUSTED_PATH_MAX_DEPTH)) {
-      if (isWorldWritable(f)) worldWritableFiles.push(f);
+      if (!isWorldWritable(f)) continue;
+      const { stickyBit, special } = classifyWorldWritable(f);
+      if (stickyBit) { sawStickyBitCarrier = true; continue; }
+      if (special) { sawSpecialCarrier = true; continue; }
+      worldWritableFiles.push(f);
     }
   }
 
@@ -266,7 +292,16 @@ function collect({ cwd = process.cwd(), env = process.env, args = {} } = {}) {
     try { fs.readdirSync(tp); return true; } catch { return false; }
   });
   if (anyTpReadable) {
-    signal_overrides["world-writable-in-trusted-path"] = worldWritableFiles.length > 0 ? "hit" : "miss";
+    const wwHit = worldWritableFiles.length > 0;
+    signal_overrides["world-writable-in-trusted-path"] = wwHit ? "hit" : "miss";
+    // Attest the false_positive_checks_required entries the collector
+    // ran against every flagged file: [0] sticky-bit carriers and [1]
+    // 0-byte/socket/FIFO carriers were both stat-inspected and excluded,
+    // so a surviving hit satisfies both. Without this attestation the
+    // runner downgrades a real world-writable hit to inconclusive.
+    if (wwHit) {
+      signal_overrides["world-writable-in-trusted-path__fp_checks"] = { "0": true, "1": true };
+    }
   }
   // orphan-privileged-process: only emit when /proc was walkable
   // AND the scan had enough exe-link visibility to reach a verdict.

package/lib/collectors/sbom.js

@@ -354,6 +354,12 @@ function collect({ cwd = process.cwd(), env = process.env, args = {} } = {}) {
       const j = JSON.parse(fs.readFileSync(npmLockfile.path, "utf8"));
       let withIntegrity = 0;
       let withoutIntegrity = 0;
+      // Track whether any integrity-less entry is a local-path / workspace /
+      // git ref. lockfile-no-integrity FP[0] demotes those — they legitimately
+      // have no registry integrity hash. A remote-registry tarball without
+      // integrity is the genuine finding.
+      let withoutIntegrityLocalOnly = true;
+      const LOCAL_REF_RE = /^(?:file:|link:|workspace:|git\+ssh:|git\+https:|git:|github:|portal:)/i;
       const walk = (obj) => {
         if (!obj || typeof obj !== "object") return;
         // Only remote-tarball entries (those with a `resolved` URL) are
@@ -362,8 +368,12 @@ function collect({ cwd = process.cwd(), env = process.env, args = {} } = {}) {
         // `integrity`, so keying off `version` would false-positive on
         // every clean lockfile. Mirror library-author.js's guard.
         if (obj.resolved != null) {
-          if (obj.integrity != null) withIntegrity++;
-          else withoutIntegrity++;
+          if (obj.integrity != null) {
+            withIntegrity++;
+          } else {
+            withoutIntegrity++;
+            if (!LOCAL_REF_RE.test(String(obj.resolved))) withoutIntegrityLocalOnly = false;
+          }
         }
         for (const v of Object.values(obj)) if (v && typeof v === "object") walk(v);
       };
@@ -373,6 +383,15 @@ function collect({ cwd = process.cwd(), env = process.env, args = {} } = {}) {
       // class, not full coverage.
       if (withoutIntegrity > 0) {
         signal_overrides["lockfile-no-integrity"] = "hit";
+        // __fp_checks attestation. [0]: at least one integrity-less entry is a
+        // remote-registry tarball (not exclusively local-path/workspace/git
+        // refs). [1]: the lockfile is the canonical root package-lock.json the
+        // build consumes, not a stale copy under archive/ pre-migration/.
+        const att = {};
+        if (!withoutIntegrityLocalOnly) att["0"] = true;
+        const rel = (npmLockfile.path || "").replace(/\\/g, "/");
+        if (!/\/(?:archive|pre-migration|old|backup|legacy)\//i.test(rel)) att["1"] = true;
+        if (Object.keys(att).length) signal_overrides["lockfile-no-integrity__fp_checks"] = att;
       } else if (withIntegrity > 0) {
         signal_overrides["lockfile-no-integrity"] = "miss";
       }

package/lib/collectors/secrets.js

@@ -112,6 +112,98 @@ const AWS_EXAMPLE_ACCESS_KEY_IDS = new Set([
   "AKIAIOSFODNN7EXAMPLE",
 ]);
 
+// AWS-published sample secret-access-key (paired with AKIAIOSFODNN7EXAMPLE
+// throughout the AWS docs). aws-secret-access-key false_positive_checks_required[1]
+// demotes this exact value.
+const AWS_EXAMPLE_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";
+
+// Placeholder/fixture substrings the API-key indicators' FP[0] checks demote.
+// A literal `PLACEHOLDER` / `EXAMPLE` / `XXXX` run / a `dummy`/`test` infix
+// marks documentation material rather than a live credential.
+const PLACEHOLDER_RE = /placeholder|example|redacted|dummy|x{4,}|0{6,}|1234567890/i;
+
+// Path segments the per-indicator FP path checks treat as documentation /
+// fixture material in addition to TEST_PATH_SEGMENTS (which already covers
+// /examples/, /fixtures/, /test/ etc.). The secret indicators' FP prose adds
+// /docs/ and quickstart/snippet paths.
+const DOC_PATH_SEGMENTS = [
+  "/docs/", "/doc/", "/sdk-quickstart/", "/quickstart/", "/docs-snippet/",
+];
+
+function isDocOrTestPath(rel) {
+  if (isTestPath(rel)) return true;
+  const norm = "/" + rel.replace(/\\/g, "/").toLowerCase() + "/";
+  return DOC_PATH_SEGMENTS.some((seg) => norm.includes(seg));
+}
+
+// Per-indicator deterministic false_positive_checks_required evaluation.
+// Returns the set of FP-check indices (as strings) the collector can attest
+// for a single hit — i.e. the checks it actually ran and that the hit
+// survives. Indices requiring network reachability or operator judgement are
+// deliberately omitted so the runner honestly downgrades to inconclusive.
+// `value` is the matched credential, `file` the relative path, `window` a
+// few-line context slice around the match.
+function fpIndicesSatisfied(indicatorId, value, file, window) {
+  const sat = new Set();
+  const notDocPath = !isDocOrTestPath(file);
+  switch (indicatorId) {
+    case "aws-secret-access-key": {
+      // [0] co-occurrence with an AKIA*/ASIA*/AGPA*/AIDA* id in a 10-line window
+      if (/\b(?:AKIA|ASIA|AGPA|AIDA)[0-9A-Z]{12,}\b/.test(window)) sat.add("0");
+      // [1] not the AWS-published sample secret
+      if (value !== AWS_EXAMPLE_SECRET_KEY) sat.add("1");
+      // [2] not under examples/ docs/ fixtures/ / a test snapshot
+      if (notDocPath) sat.add("2");
+      break;
+    }
+    case "slack-bot-or-user-token": {
+      // [0] not a placeholder / published doc fixture
+      if (!PLACEHOLDER_RE.test(value)) sat.add("0");
+      // [1] conforms to a current Slack token shape: at least three
+      //     dash-separated segments after the xox? prefix
+      if (value.split("-").length >= 4) sat.add("1");
+      // [2] not under examples/ docs/ fixtures/
+      if (notDocPath) sat.add("2");
+      break;
+    }
+    case "stripe-secret-key": {
+      // [0] not a sk_test_ published sample (deterministic only for the
+      //     test prefix; live keys are handled by [2])
+      if (!(value.startsWith("sk_test_") && PLACEHOLDER_RE.test(value))) sat.add("0");
+      // [1] not under examples/ fixtures/ docs/ / a quickstart template
+      if (notDocPath) sat.add("1");
+      // [2] the live-validity probe applies only to sk_live_*; a sk_test_
+      //     key carries no live financial exposure, so the check is moot and
+      //     the collector can attest it deterministically. sk_live_* still
+      //     needs operator-authorised network validation — left unattested.
+      if (value.startsWith("sk_test_") || value.startsWith("rk_test_")) sat.add("2");
+      break;
+    }
+    case "openai-api-key": {
+      // [0] not a placeholder / sk-test- / sk-dummy- fixture
+      if (!PLACEHOLDER_RE.test(value) && !/^sk-(?:test|dummy)-/i.test(value)) sat.add("0");
+      // [1] post-prefix length meets the entropy floor (>= 48 chars)
+      if (value.replace(/^sk-(?:proj-|svcacct-|admin-)?/, "").length >= 48) sat.add("1");
+      // [2] vendor disambiguation — sk-ant-* is Anthropic, not OpenAI
+      if (!/^sk-ant-/i.test(value)) sat.add("2");
+      break;
+    }
+    case "anthropic-api-key": {
+      // [0] not a placeholder / sk-ant-test- fixture
+      if (!PLACEHOLDER_RE.test(value) && !/^sk-ant-test-/i.test(value)) sat.add("0");
+      // [1] not under examples/ fixtures/ sdk-quickstart/ docs-snippet/
+      if (notDocPath) sat.add("1");
+      // [2] post-prefix length meets the entropy floor (>= 80 chars after
+      //     sk-ant-(api03|admin01)-)
+      if (value.replace(/^sk-ant-(?:api03|admin01)-/, "").length >= 80) sat.add("2");
+      break;
+    }
+    default:
+      break;
+  }
+  return sat;
+}
+
 const INDICATOR_PATTERNS = [
   { id: "aws-access-key-id",          re: /\bAKIA[0-9A-Z]{16}\b/g },
   { id: "aws-secret-access-key",      re: /\baws_secret_access_key\s*[=:]\s*['"]?([A-Za-z0-9/+=]{40})['"]?/gi },
@@ -209,6 +301,13 @@ function scanContent(full, rel) {
       // Demote AWS-published example access-key IDs (e.g. the docs' canonical
       // AKIAIOSFODNN7EXAMPLE). A README quoting the AWS docs must not hit.
       if (p.id === "aws-access-key-id" && AWS_EXAMPLE_ACCESS_KEY_IDS.has(m[0])) continue;
+      // The captured credential is group 1 when the pattern brackets it
+      // (aws_secret_access_key=<value>); otherwise the whole match.
+      const value = m[1] != null ? m[1] : m[0];
+      // ±600-byte context window (a deterministic proxy for "nearby lines")
+      // used by the co-occurrence FP check.
+      const winStart = Math.max(0, m.index - 600);
+      const window = buf.slice(winStart, m.index + 600);
       hits.push({
         indicator_id: p.id,
         file: rel,
@@ -217,6 +316,9 @@ function scanContent(full, rel) {
         // (SARIF startLine) instead of a bare file-level location.
         line: lineFromOffset(buf, m.index),
         redacted_match: redactMatch(m[0]),
+        // The false_positive_checks_required indices this hit deterministically
+        // survives — attested so the runner doesn't downgrade hit → inconclusive.
+        fp_satisfied: fpIndicesSatisfied(p.id, value, rel, window),
       });
       if (++count >= 5) break; // cap per-indicator-per-file
     }
@@ -310,6 +412,29 @@ function collect({ cwd = process.cwd(), env = process.env, args = {} } = {}) {
   for (const p of INDICATOR_PATTERNS) {
     signal_overrides[p.id] = prodHitsByIndicator[p.id] && prodHitsByIndicator[p.id].length > 0 ? "hit" : "miss";
   }
+  // Per-indicator __fp_checks attestation. For each FP-gated indicator that
+  // fired, attest the false_positive_checks_required indices the collector
+  // deterministically ran AND that EVERY surviving hit satisfies (the
+  // intersection — an index is only universally true if no hit fails it).
+  // Network / operator-judgement indices are never in the set, so the runner
+  // still downgrades indicators that carry one. Without this, a real secret
+  // surfaced by `collect` is downgraded to inconclusive after `run`.
+  for (const p of INDICATOR_PATTERNS) {
+    if (signal_overrides[p.id] !== "hit") continue;
+    const hits = prodHitsByIndicator[p.id] || [];
+    if (!hits.length || !hits[0].fp_satisfied) continue;
+    let common = null;
+    for (const h of hits) {
+      const s = h.fp_satisfied || new Set();
+      if (common === null) { common = new Set(s); continue; }
+      for (const idx of [...common]) if (!s.has(idx)) common.delete(idx);
+    }
+    if (common && common.size) {
+      const att = {};
+      for (const idx of common) att[idx] = true;
+      signal_overrides[`${p.id}__fp_checks`] = att;
+    }
+  }
   // ssh-private-key-block is also flipped by file presence (a private
   // key file with the matching magic bytes counts even without a
   // content scan match — e.g. binary-only key formats). Re-flip when

package/lib/cve-regression-watcher.js

@@ -63,7 +63,6 @@ const path = require('path');
 const fs = require('fs');
 
 const CVE_ID_RE = /^CVE-((?:19|20)\d{2})-\d{4,7}$/;
-const TODAY = new Date().toISOString().slice(0, 10);
 
 /**
  * Extract the year from a CVE-YYYY-NNN identifier. Returns null for non-CVE
@@ -274,7 +273,11 @@ function findRegressionCandidates(diffs, catalog, opts) {
     candidates,
     historical_id_threshold_year: thresholdYear,
     evaluated_diffs: evaluated,
-    generated_at: TODAY,
+    // Stamp from the same clock that derives the threshold year, so both
+    // date-derived report fields share one instant. Falls back to call-time
+    // `new Date()` (via the `now` default) when no clock is injected — never
+    // a module-load constant, which would go stale in a long-lived process.
+    generated_at: now.toISOString().slice(0, 10),
     control_ref: 'NEW-CTRL-074',
   };
 }

package/lib/playbook-runner.js

@@ -3425,9 +3425,22 @@ function run(playbookId, directiveId, agentSubmission = {}, runOpts = {}) {
   if (runOpts.session_id) {
     sessionId = runOpts.session_id;
   } else if (runOpts.bundleDeterministic) {
-    const submissionDigest = crypto.createHash('sha256')
-      .update(canonicalStringify(extractSubmissionForHash(agentSubmission)))
-      .digest('hex');
+    let submissionDigest;
+    try {
+      submissionDigest = crypto.createHash('sha256')
+        .update(canonicalStringify(extractSubmissionForHash(agentSubmission)))
+        .digest('hex');
+    } catch (e) {
+      // canonicalStringify deliberately throws (EVIDENCE_TOO_DEEP) on
+      // pathological nesting. The mutex lockfile and the _activeRuns entry
+      // are already held here, but the protecting try/finally below has
+      // not opened yet — release both before rethrowing, or the leaked
+      // lockfile blocks every subsequent run of this playbook for as long
+      // as this PID lives.
+      _activeRuns.delete(playbookId);
+      releaseLock(lockPath);
+      throw e;
+    }
     sessionId = crypto.createHash('sha256')
       .update(`${playbookId}\0${submissionDigest}\0${getEngineVersion()}`)
       .digest('hex')

package/lib/refresh-external.js

@@ -109,13 +109,17 @@ function parseArgs(argv) {
     // older than 7d or one that was prefetched without a signing keypair.
     // EXCEPTD_FORCE_STALE=1 mirrors for non-interactive automation.
     else if (a === "--force-stale") out.forceStale = true;
-    // Aliases that bin/exceptd.js may pass through or translate; accept them
-    // here so the unknown-flag guard below doesn't false-reject a legitimate
-    // operator invocation. (--no-network / --indexes-only / --network /
-    // --curate / --prefetch are normally rewritten upstream, but tolerate
-    // them when refresh-external is invoked directly.)
+    // --prefetch / --no-network are prefetch-cache operations. Capture them so
+    // main() can delegate to lib/prefetch.js (the same routing bin/exceptd.js
+    // performs) when this script is invoked directly — otherwise the help
+    // text's "report-only, no cache write" promise for --no-network is a lie
+    // on the direct path, which would fall through to the live refresh loop.
+    else if (a === "--no-network") { out.noNetwork = true; }
+    else if (a === "--prefetch") { out.prefetch = true; }
+    // Remaining bin-translated aliases are tolerated as no-ops at this layer
+    // so the unknown-flag guard below doesn't false-reject them.
     else if (
-      a === "--no-network" || a === "--prefetch" || a === "--indexes-only" ||
+      a === "--indexes-only" ||
       a === "--network" || a === "--curate" || a === "--force-stale-acked"
     ) { /* accepted, no-op at this layer */ }
     // Any remaining --flag is an unrecognized typo. Record it; refuse after
@@ -148,8 +152,10 @@ Modes:
                      place. Same trust anchor as \`npm update -g\`, only the
                      data slice changes — useful when you want fresher
                      intel without re-resolving CLI/lib code.
-  --prefetch         (alias: --no-network) populate the cache for offline use.
-                     Equivalent to \`exceptd prefetch\`.
+  --prefetch         populate the cache for offline use. Equivalent to
+                     \`exceptd prefetch\`.
+  --no-network       report-only: list what would be fetched, WITHOUT writing
+                     the cache (the dry-run opposite of --prefetch).
   --from-cache [<p>] read from prefetch cache (default .cache/upstream).
                      Combine with --apply to upsert against cached data
                      entirely offline. Cache must be pre-populated via --prefetch.
@@ -1099,15 +1105,16 @@ function loadCtx(opts) {
     const abs = path.resolve(opts.fromCache);
     ctx.cacheDir = abs;
     if (!fs.existsSync(abs)) {
-      // v0.11.14 (#129): operators following the website's air-gap workflow
-      // hit this with an unhelpful "path does not exist" stack trace. The
-      // cache is populated by `exceptd refresh --no-network` (which routes
-      // to prefetch). Tell them exactly that, and emit a structured JSON
-      // error to stderr instead of a fatal stack trace.
+      // Operators following the air-gap workflow hit this with an unhelpful
+      // "path does not exist" stack trace. The cache is populated by
+      // `exceptd refresh --prefetch` (which routes to prefetch) — NOT by
+      // `--no-network`, which is the report-only dry run that writes nothing.
+      // Tell them exactly that, and emit a structured JSON error to stderr
+      // instead of a fatal stack trace.
       const err = new Error(
         `refresh: --from-cache path does not exist: ${abs}\n` +
-        `Hint: the cache is populated by running \`exceptd refresh --no-network\` (or \`exceptd refresh --prefetch\`) ` +
-        `on a connected host first. Air-gap workflow: (1) on connected host: \`exceptd refresh --no-network\`, ` +
+        `Hint: the cache is populated by running \`exceptd refresh --prefetch\` ` +
+        `on a connected host first. Air-gap workflow: (1) on connected host: \`exceptd refresh --prefetch\`, ` +
         `(2) copy .cache/upstream/ across the boundary, (3) on offline host: \`exceptd refresh --from-cache --apply\`.`
       );
       err._exceptd_hint = true;
@@ -1526,6 +1533,24 @@ async function main() {
     return;
   }
 
+  // `--prefetch` / `--no-network` are prefetch-cache operations. The operator
+  // path (bin/exceptd.js) routes them to lib/prefetch.js; when this script is
+  // invoked directly, delegate the SAME way so behavior matches the help text:
+  // --prefetch populates the cache, --no-network is a report-only dry run that
+  // writes nothing. Without this, the direct path fell through to the live
+  // refresh loop and could egress + write refresh-report.json despite
+  // --no-network.
+  if (opts.prefetch || opts.noNetwork) {
+    const { spawnSync } = require("child_process");
+    const pfArgs = [require.resolve("./prefetch.js")];
+    if (opts.noNetwork) pfArgs.push("--no-network");
+    if (opts.source) pfArgs.push("--source", opts.source);
+    if (opts.quiet) pfArgs.push("--quiet");
+    const r = spawnSync(process.execPath, pfArgs, { stdio: "inherit" });
+    process.exitCode = r.status == null ? 1 : r.status;
+    return;
+  }
+
   // v0.12.0: `--advisory <id>` short-circuits the normal source loop and
   // seeds a single CVE catalog entry from GHSA. Exits non-zero ("draft
   // written, please review") so CI pipelines surface the needed editorial