@blamejs/exceptd-skills 0.16.25 → 0.16.29

package/data/atlas-ttps.json

@@ -1,14 +1,14 @@
 {
   "_meta": {
     "schema_version": "1.0.0",
-    "atlas_version": "5.6.0",
-    "atlas_release_date": "2026-05-08",
+    "atlas_version": "2026.05",
+    "atlas_release_date": "2026-05-27",
     "secure_ai_v2_release_date": "2026-05-06",
     "secure_ai_v2_source": "https://ctid.mitre.org/blog/2026/05/06/secure-ai-v2-release",
-    "last_updated": "2026-05-19",
-    "last_threat_review": "2026-05-19",
+    "last_updated": "2026-06-10",
+    "last_threat_review": "2026-06-10",
     "source": "https://atlas.mitre.org",
-    "note": "AI-relevant ATLAS v5.6.0 TTPs with framework_gap field. framework_gap: no framework has a control that addresses this TTP. secure_ai_v2_layer flags entries included in the CTID Secure AI v2 layered set (May 2026); maturity reflects CTID's technique-maturity classification (low / moderate / high).",
+    "note": "AI-relevant ATLAS v2026.05 TTPs with framework_gap field. ATLAS content now follows a YYYY.MM calendar-versioning scheme; v2026.05 adds platform tags (Predictive AI, Generative AI, Agentic AI, Enterprise) to every technique, with no technique-ID removals or renames. framework_gap: no framework has a control that addresses this TTP. secure_ai_v2_layer flags entries included in the CTID Secure AI v2 layered set (May 2026); maturity reflects CTID's technique-maturity classification (low / moderate / high).",
     "tlp": "CLEAR",
     "source_confidence": {
       "scheme": "Admiralty (A-F + 1-6)",
@@ -21,7 +21,7 @@
       "rebuild_after_days": 365,
       "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
     },
-    "bulk_intake_note": " v0.13.18: +137 AML.* techniques from MITRE ATLAS STIX bundle (atlas-navigator-data dist/stix-atlas.json). Now tracking ATLAS v5.6.0 (May 2026 release). Auto-imported entries flagged _auto_imported:true + _intake_method:v0.13.18-bulk-mitre-atlas-stix for downstream curation."
+    "bulk_intake_note": " v0.13.18: +137 AML.* techniques from MITRE ATLAS STIX bundle (atlas-navigator-data dist/stix-atlas.json). Now tracking ATLAS v2026.05 (May 2026 release). Auto-imported entries flagged _auto_imported:true + _intake_method:v0.13.18-bulk-mitre-atlas-stix for downstream curation."
   },
   "AML.T0001": {
     "id": "AML.T0001",
@@ -536,7 +536,7 @@
       "Multiple production AI assistant prompt injection incidents 2025-2026"
     ],
     "framework_gap": true,
-    "framework_gap_detail": "No framework has a control for prompt injection as an access control failure vector. The attack uses the AI service account's authorized permissions — from AC-2's perspective, the access is authorized. MITRE ATLAS v5.6.0 documents the technique; no framework has implemented controls. OWASP LLM Top 10 documents the class; it is not incorporated in any compliance framework.",
+    "framework_gap_detail": "No framework has a control for prompt injection as an access control failure vector. The attack uses the AI service account's authorized permissions — from AC-2's perspective, the access is authorized. MITRE ATLAS v2026.05 documents the technique; no framework has implemented controls. OWASP LLM Top 10 documents the class; it is not incorporated in any compliance framework.",
     "controls_that_partially_help": [
       "NIST-800-53-AC-2",
       "ISO-27001-2022-A.8.28"

package/data/attack-techniques.json

@@ -1,13 +1,13 @@
 {
   "_meta": {
     "schema_version": "1.0.0",
-    "last_updated": "2026-05-19",
-    "last_threat_review": "2026-05-19",
-    "attack_version": "19.0",
-    "attack_version_date": "2026-04-28",
+    "last_updated": "2026-06-10",
+    "last_threat_review": "2026-06-10",
+    "attack_version": "19.1",
+    "attack_version_date": "2026-05-12",
     "tactic_split_note": "ATT&CK v19 split Defense Evasion (TA0005) into Stealth (TA0005) and Defense Impairment (TA0112). Entries here record their post-split tactic; entries whose tactic moved carry `tactic_moved_from: \"Defense Evasion\"` for traceability.",
     "detection_strategies_note": "ATT&CK v18 introduced Detection Strategies as first-class objects (691 strategies, 1739 analytics at v18 release). Entries reference applicable strategy IDs (DSxxxx) where the technique has canonical strategy coverage; absence does not imply lack of detection.",
-    "source": "https://attack.mitre.org — MITRE ATT&CK Enterprise + ICS, v19.0 (April 2026). Only techniques currently referenced by shipped exceptd skills and playbooks. The full ATT&CK matrix is intentionally not duplicated here; this is a resolution catalog for cross-reference validation, not a substitute for attack.mitre.org. See `npm run refresh-attack-techniques` (v0.13.0+) for the full corpus.",
+    "source": "https://attack.mitre.org — MITRE ATT&CK Enterprise + ICS, v19.1 (May 2026). Only techniques currently referenced by shipped exceptd skills and playbooks. The full ATT&CK matrix is intentionally not duplicated here; this is a resolution catalog for cross-reference validation, not a substitute for attack.mitre.org. See `npm run refresh-attack-techniques` (v0.13.0+) for the full corpus.",
     "tlp": "CLEAR",
     "source_confidence": {
       "scheme": "Admiralty (A-F + 1-6)",

package/data/framework-control-gaps.json

@@ -468,7 +468,7 @@
       "Treating 'Top 25 addressed' as a compliance signal creates a compliance-theatre risk for organisations with significant AI surface",
       "No cross-walk requirement to ATLAS TTPs — CWE addresses weaknesses; ATLAS addresses adversary techniques. Both are needed for AI coverage"
     ],
-    "real_requirement": "Programmes that claim 'Top 25 addressed' as compliance evidence must additionally: (1) enumerate AI-relevant CWEs outside the Top 25 (CWE-1426 Improper Output Validation, CWE-1039 Inadequate Detection of Adversarial Input, CWE-1230 Exposure of Sensitive Info Through Metadata) with explicit treatment, (2) cross-walk to ATLAS v5.6.0 TTPs for adversarial coverage, (3) re-baseline against the next-published Top 25 with delta analysis. Aligns with EU CRA Annex I, UK NCSC, AU ISM, ISO 27001 A.8.28.",
+    "real_requirement": "Programmes that claim 'Top 25 addressed' as compliance evidence must additionally: (1) enumerate AI-relevant CWEs outside the Top 25 (CWE-1426 Improper Output Validation, CWE-1039 Inadequate Detection of Adversarial Input, CWE-1230 Exposure of Sensitive Info Through Metadata) with explicit treatment, (2) cross-walk to ATLAS v2026.05 TTPs for adversarial coverage, (3) re-baseline against the next-published Top 25 with delta analysis. Aligns with EU CRA Annex I, UK NCSC, AU ISM, ISO 27001 A.8.28.",
     "status": "open",
     "opened_date": "2026-05-11",
     "evidence_cves": [],
@@ -1804,7 +1804,7 @@
       "LLM-API-as-C2 (SesameOp pattern, ATLAS AML.T0096) is not in the clause 6.1.2 example threat list — risk register templates omit it",
       "No requirement to link AI risk register entries to specific TTP IDs (ATLAS / ATT&CK) — risks remain framework-internal abstractions"
     ],
-    "real_requirement": "Clause 6.1.2 risk registers must (1) ingest ATLAS v5.6.0 TTPs as enumerated AI-specific threat sources, (2) cross-reference jurisdictional obligations (EU AI Act Annex III, NIS2 Art. 21, DORA Art. 28, UK CAF B4, AU ISM AI annex, ISO 27001:2022 A.5.7), (3) include AI-API-as-C2 and prompt-injection-as-RCE as named scenarios, (4) be re-run on threat-intel triggers, not only on calendar cycles.",
+    "real_requirement": "Clause 6.1.2 risk registers must (1) ingest ATLAS v2026.05 TTPs as enumerated AI-specific threat sources, (2) cross-reference jurisdictional obligations (EU AI Act Annex III, NIS2 Art. 21, DORA Art. 28, UK CAF B4, AU ISM AI annex, ISO 27001:2022 A.5.7), (3) include AI-API-as-C2 and prompt-injection-as-RCE as named scenarios, (4) be re-run on threat-intel triggers, not only on calendar cycles.",
     "status": "open",
     "opened_date": "2026-05-11",
     "evidence_cves": [],
@@ -7145,7 +7145,7 @@
     }
   },
   "ATLAS-AML.T0048": {
-    "framework": "MITRE ATLAS v5.6.0",
+    "framework": "MITRE ATLAS v2026.05",
     "control_id": "AML.T0048",
     "control_name": "External Harms — ML Supply Chain Compromise (bundled-codec / inference-server class)",
     "designed_for": "ATLAS AML.T0048 catalogues external harms from ML supply-chain compromise, including malicious model weights, poisoned training data, and compromised ML libraries. The technique-level guidance covers detection and mitigation at the model-artifact and library-consumption layer.",

package/lib/auto-discovery.js

@@ -31,6 +31,7 @@ const fs = require("fs");
 const path = require("path");
 const crypto = require("crypto");
 const { scoreCustom, RWEP_WEIGHTS, ACTIVE_EXPLOITATION_LADDER } = require("./scoring");
+const { selectNvdCvss } = require("./cvss");
 
 // Stored rwep_factors must reproduce the stored rwep_score.
 // `buildScoringInputs` is the single source of truth for both — it captures
@@ -187,16 +188,13 @@ function readCachedJson(cacheDir, source, id) {
 function extractNvdMetrics(payload) {
   const vuln = payload?.vulnerabilities?.[0]?.cve;
   if (!vuln) return null;
-  const m = vuln.metrics || {};
-  const ordered = [
-    ...(m.cvssMetricV31 || []),
-    ...(m.cvssMetricV30 || []),
-    ...(m.cvssMetricV2 || []),
-  ];
-  const primary = ordered.find((x) => x.type === "Primary") || ordered[0];
+  // Prefer the newest CVSS version (Primary within it) and normalize a bare
+  // v2 vector to its canonical prefix so an auto-imported draft never carries
+  // an unprefixed vector that the strict catalog validator would reject.
+  const up = selectNvdCvss(vuln.metrics);
   return {
-    cvss_score: typeof primary?.cvssData?.baseScore === "number" ? primary.cvssData.baseScore : null,
-    cvss_vector: primary?.cvssData?.vectorString || null,
+    cvss_score: up ? up.baseScore : null,
+    cvss_vector: up ? up.vector : null,
     description: (vuln.descriptions || []).find((d) => d.lang === "en")?.value || null,
     cwe_refs: ((vuln.weaknesses || [])
       .flatMap((w) => (w.description || []))
@@ -559,6 +557,14 @@ function extractAcronymFromGroupUri(uri) {
  * @param {object} opts  { cap?: number, sinceDays?: number }
  */
 async function discoverNewRfcs(ctx, opts = {}) {
+  // Air-gap: new-RFC discovery queries IETF Datatracker live (~one call per
+  // project working group). Refuse the egress under --air-gap so a fully
+  // offline run makes no network calls — the other discovery paths guard the
+  // same way. --from-cache alone (network-available host, e.g. the scheduled
+  // refresh) still discovers live; add --air-gap for a truly offline run.
+  if ((ctx && ctx.airGap === true) || process.env.EXCEPTD_AIR_GAP === "1") {
+    return { diffs: [], errors: 0, spilled: 0, summary: "RFC discovery: skipped under air-gap (no live Datatracker query)" };
+  }
   const cap = opts.cap ?? DEFAULT_CAP;
   const sinceDays = opts.sinceDays ?? 180;
   const cutoff = new Date(Date.now() - sinceDays * 86_400_000).toISOString().slice(0, 10);

package/lib/collectors/library-author.js

@@ -88,7 +88,7 @@ function looksLikePublishWorkflow(name, content) {
   // filename-prefix checks above are unaffected. A `#` inside a quoted string
   // is rare in workflow YAML and not load-bearing for these command probes
   // (stripping can only REMOVE comment text, never create a false match).
-  const code = content.replace(/#.*$/gm, '');
+  const code = stripYamlComments(content);
 
   // Explicit publish-shape commands — these are commitments to push
   // artifacts, not setup / scaffolding.
@@ -133,7 +133,22 @@ function hasIdTokenWriteAnyScope(content) {
   return /\bid-token:\s*write\b/.test(content);
 }
 
+// Strip YAML line-comments so a `#`-commented MENTION of a publish-shape
+// token / command / runner is not read as the real thing. The classifier
+// (looksLikePublishWorkflow) already does this; the indicator probes — and the
+// provenance / SBOM-capability probes in collect() — must use the same view,
+// or a comment produces a false (often deterministic) hit, and in the
+// provenance direction a commented `--provenance` would suppress a real gap
+// (a false negative on a security-relevant posture check).
+function stripYamlComments(content) {
+  return content.replace(/#.*$/gm, "");
+}
+
 function scanPublishWorkflow(content, rel) {
+  // Whole-content probes below run against a comment-stripped view. The
+  // `uses:` line scan stays on the raw lines — its anchored regex already
+  // rejects `#`-prefixed lines, so a commented `uses:` cannot match.
+  const code = stripYamlComments(content);
   const hits = {
     "publish-workflow-uses-static-token": [],
     "publish-workflow-no-id-token-write": [],
@@ -148,11 +163,13 @@ function scanPublishWorkflow(content, rel) {
   // NPM_TOKEN / PYPI_TOKEN / CARGO_TOKEN / RUBYGEMS_API_KEY /
   // GEM_HOST_API_KEY; expand to cover the common variants for each
   // ecosystem.
-  const usesStaticToken = /\bsecrets\.(NPM_TOKEN|PYPI_TOKEN|PYPI_API_TOKEN|CARGO_TOKEN|CARGO_REGISTRY_TOKEN|RUBYGEMS_API_KEY|GEM_HOST_API_KEY|MAVEN_TOKEN|MAVEN_CENTRAL_TOKEN|GH_TOKEN)\b/.test(content);
+  const usesStaticToken = /\bsecrets\.(NPM_TOKEN|PYPI_TOKEN|PYPI_API_TOKEN|CARGO_TOKEN|CARGO_REGISTRY_TOKEN|RUBYGEMS_API_KEY|GEM_HOST_API_KEY|MAVEN_TOKEN|MAVEN_CENTRAL_TOKEN|GH_TOKEN)\b/.test(code);
   // OIDC is available when THIS publish file declares `id-token: write` at
   // any scope (workflow or job). Scoped to the file by design — a sibling
-  // workflow's OIDC does not authenticate this publish job.
-  const hasIdTokenWrite = hasIdTokenWriteAnyScope(content);
+  // workflow's OIDC does not authenticate this publish job. Read from the
+  // comment-stripped view so a commented `id-token: write` cannot falsely
+  // satisfy the capability (which would suppress the static-token finding).
+  const hasIdTokenWrite = hasIdTokenWriteAnyScope(code);
   if (usesStaticToken && !hasIdTokenWrite) {
     hits["publish-workflow-uses-static-token"].push({ file: rel, line: 0, snippet: "publish workflow uses a static long-lived token (NPM_TOKEN / PYPI / Cargo / Maven) without id-token: write for OIDC" });
   }
@@ -186,15 +203,15 @@ function scanPublishWorkflow(content, rel) {
   // non-frozen-install: workflow uses `npm install` instead of `npm ci`,
   // or `pip install <pkg>` without `--require-hashes`, or `cargo
   // install` without `--locked`.
-  if (/\bnpm\s+install\b/.test(content) && !/\bnpm\s+ci\b/.test(content)) {
+  if (/\bnpm\s+install\b/.test(code) && !/\bnpm\s+ci\b/.test(code)) {
     hits["release-workflow-non-frozen-install"].push({ file: rel, line: 0, snippet: "publish workflow uses `npm install` rather than `npm ci` — lockfile is not enforced" });
   }
-  if (/\bcargo\s+(?:build|install)\b/.test(content) && !/--locked\b/.test(content) && !/--frozen\b/.test(content)) {
+  if (/\bcargo\s+(?:build|install)\b/.test(code) && !/--locked\b/.test(code) && !/--frozen\b/.test(code)) {
     hits["release-workflow-non-frozen-install"].push({ file: rel, line: 0, snippet: "cargo build/install without --locked / --frozen" });
   }
 
   // runs-on-self-hosted: any `runs-on: self-hosted` line.
-  if (/runs-on:\s*['"]?(?:self-hosted|\[?\s*self-hosted)/i.test(content)) {
+  if (/runs-on:\s*['"]?(?:self-hosted|\[?\s*self-hosted)/i.test(code)) {
     hits["publish-workflow-runs-on-self-hosted"].push({ file: rel, line: 0, snippet: "publish workflow runs on a self-hosted runner — non-ephemeral execution context" });
   }
 
@@ -265,7 +282,7 @@ function collect({ cwd = process.cwd(), env = process.env, args = {} } = {}) {
     try {
       const j = JSON.parse(pkgManifest.content);
       const manifestOptIn = j?.publishConfig?.provenance === true;
-      const workflowOptIn = publishWorkflows.some(w => /npm\s+publish[^\n]*--provenance\b/.test(w.content));
+      const workflowOptIn = publishWorkflows.some(w => /npm\s+publish[^\n]*--provenance\b/.test(stripYamlComments(w.content)));
       provenanceMissing = (manifestOptIn || workflowOptIn) ? "miss" : "hit";
     } catch (e) {
       errors.push({ artifact_id: "package-manifest", kind: "parse_failed", reason: `package.json: ${e.message}` });
@@ -414,7 +431,7 @@ function collect({ cwd = process.cwd(), env = process.env, args = {} } = {}) {
   // signed-attestation capability exists at release and the indicator
   // should not fire on the absence of a committed artifact.
   const releaseSbomCapable = publishWorkflows.some(w => {
-    const c = w.content;
+    const c = stripYamlComments(w.content);
     return (
       // SBOM-generation tooling invoked in the workflow.
       /cyclonedx/i.test(c) ||

package/lib/collectors/secrets.js

@@ -207,7 +207,14 @@ function fpIndicesSatisfied(indicatorId, value, file, window) {
 const INDICATOR_PATTERNS = [
   { id: "aws-access-key-id",          re: /\bAKIA[0-9A-Z]{16}\b/g },
   { id: "aws-secret-access-key",      re: /\baws_secret_access_key\s*[=:]\s*['"]?([A-Za-z0-9/+=]{40})['"]?/gi },
-  { id: "gcp-service-account-json",   re: /"type"\s*:\s*"service_account"[\s\S]{0,1200}?"private_key"\s*:\s*"-----BEGIN PRIVATE KEY-----/g },
+  // Require a full PEM block (header, base64 body, closing marker) — not just
+  // the `-----BEGIN PRIVATE KEY-----` header — so a service-account JSON shown
+  // as a doc placeholder or a redaction/DLP library's detection-pattern literal
+  // does not register as a real embedded key. A real key is JSON-encoded with
+  // `\n` escapes, so the body class includes backslash; `-` is excluded so the
+  // run halts at `-----END` (no backtracking, ReDoS-safe). Mirrors
+  // ssh-private-key-block below.
+  { id: "gcp-service-account-json",   re: /"type"\s*:\s*"service_account"[\s\S]{0,1200}?"private_key"\s*:\s*"-----BEGIN PRIVATE KEY-----[A-Za-z0-9+/=\s\\]{40,4000}-----END/g },
   { id: "github-personal-access-token", re: /\bghp_[A-Za-z0-9]{36}\b/g },
   { id: "github-fine-grained-pat",    re: /\bgithub_pat_[A-Za-z0-9_]{82}\b/g },
   { id: "slack-bot-or-user-token",    re: /\bxox[abposr]-[A-Za-z0-9-]{10,}\b/g },

package/lib/cvss.js

@@ -0,0 +1,108 @@
+"use strict";
+/**
+ * lib/cvss.js
+ *
+ * Shared CVSS metric-selection and vector-normalization helpers for every
+ * site that ingests NIST NVD scoring (the cache-backed refresh diff, the
+ * live per-CVE validator, and the KEV auto-discovery importer).
+ *
+ * Two properties of NVD's data make naive ingestion lossy:
+ *
+ *   1. NVD tags the legacy CVSS v2 metric as `type: "Primary"` on pre-v3
+ *      CVEs, while a modern v3.1 re-score (often supplied by a CNA) rides as
+ *      `type: "Secondary"`. Selecting a metric by `type === "Primary"` alone
+ *      therefore picks the *older* v2 score over a newer v3.1 one — silently
+ *      downgrading a curated v3.1 entry to v2 on every refresh.
+ *
+ *   2. NVD's `cvssMetricV2` entries carry a bare base vector
+ *      ("AV:N/AC:L/Au:N/C:C/I:C/A:C") with no "CVSS:2.0/" prefix, whereas
+ *      v3.x/v4.0 carry the prefix. The catalog schema (and
+ *      validate-cve-catalog --strict) require the canonical "CVSS:<x.y>/"
+ *      prefix, so writing a bare v2 vector produces an invalid entry.
+ *
+ * `selectNvdCvss` resolves (1) by preferring the newest CVSS version present
+ * and choosing Primary only *within* that version; it resolves (2) by
+ * normalizing the returned vector. Callers additionally guard against
+ * cross-version downgrades using `cvssVersionOf` on the locally-curated
+ * vector.
+ *
+ * Zero npm deps. Node stdlib only.
+ */
+
+// A bare (unprefixed) CVSS v2 base vector. v2 is the only version NVD emits
+// without a "CVSS:x/" prefix, and its grammar carries the Au: (Authentication)
+// metric that v3/v4 dropped — the unambiguous discriminator for a bare v2.
+const BARE_V2_RE = /^AV:[NAL]\/AC:[HML]\/Au:[MSN]\//;
+
+// The four canonical version prefixes the catalog accepts (mirrors
+// validate-cve-catalog.js STRICT_CVSS_PATTERN).
+const PREFIXED_RE = /^CVSS:(2\.0|3\.0|3\.1|4\.0)\//;
+
+/**
+ * The CVSS version a vector declares, as a comparable number (2.0 < 3.0 < 3.1
+ * < 4.0). Recognizes the four canonical "CVSS:x.y/" prefixes plus NVD's bare
+ * v2 base vector. Returns null for anything unrecognized so callers can treat
+ * an unknown version as "do not block" rather than mis-suppressing a diff.
+ *
+ * @param {string} vector
+ * @returns {number|null}
+ */
+function cvssVersionOf(vector) {
+  if (typeof vector !== "string" || vector.length === 0) return null;
+  const m = vector.match(PREFIXED_RE);
+  if (m) return Number(m[1]);
+  if (BARE_V2_RE.test(vector)) return 2.0;
+  return null;
+}
+
+/**
+ * Ensure a vector carries a canonical "CVSS:x.y/" prefix. A bare v2 base
+ * vector is prefixed with "CVSS:2.0/"; already-prefixed vectors (and anything
+ * unrecognized) pass through unchanged. The output of a recognized vector
+ * always satisfies validate-cve-catalog --strict.
+ *
+ * @param {string} vector
+ * @returns {string}
+ */
+function normalizeCvssVector(vector) {
+  if (typeof vector !== "string" || vector.length === 0) return vector;
+  if (PREFIXED_RE.test(vector)) return vector;
+  if (BARE_V2_RE.test(vector)) return `CVSS:2.0/${vector}`;
+  return vector;
+}
+
+/**
+ * Select the most authoritative CVSS metric from an NVD `metrics` object.
+ * Prefers the newest CVSS version present (4.0 > 3.1 > 3.0 > 2.0); within the
+ * chosen version prefers NVD's "Primary" analyst score over a "Secondary"
+ * (CNA) one, falling back to the first entry when no Primary exists in that
+ * version. The returned vector is normalized to the canonical prefix form.
+ *
+ * @param {object} metrics  The `vulnerabilities[0].cve.metrics` object.
+ * @returns {{version:number|null, baseScore:number|null, vector:string|null, source:string|null}|null}
+ */
+function selectNvdCvss(metrics) {
+  const m = metrics || {};
+  const buckets = [
+    [4.0, m.cvssMetricV40],
+    [3.1, m.cvssMetricV31],
+    [3.0, m.cvssMetricV30],
+    [2.0, m.cvssMetricV2],
+  ];
+  for (const [bucketVersion, bucket] of buckets) {
+    const arr = Array.isArray(bucket) ? bucket : [];
+    if (arr.length === 0) continue;
+    const chosen = arr.find((x) => x && x.type === "Primary") || arr[0];
+    const data = chosen && chosen.cvssData ? chosen.cvssData : null;
+    const declared = data && data.version != null ? Number(data.version) : null;
+    return {
+      version: Number.isFinite(declared) ? declared : bucketVersion,
+      baseScore: typeof data?.baseScore === "number" ? data.baseScore : null,
+      vector: data?.vectorString ? normalizeCvssVector(data.vectorString) : null,
+      source: chosen && chosen.source ? chosen.source : null,
+    };
+  }
+  return null;
+}
+
+module.exports = { cvssVersionOf, normalizeCvssVector, selectNvdCvss };

package/lib/lint-skills.js

@@ -175,7 +175,12 @@ function readJson(p) {
  * accept malformed frontmatter.
  */
 function parseFrontmatter(text) {
-  const lines = text.split(/\r?\n/);
+  // Strip a trailing CR per line: split(/\r?\n/) consumes interior CRLFs, but a
+  // dangling `\r` survives on the final frontmatter line (the close marker
+  // consumed the `\n`, not the `\r`). `.` does not match `\r`, so that line's
+  // value would fail the per-line regex with a misleading "Could not parse
+  // frontmatter line N" on an otherwise valid CRLF skill.md.
+  const lines = text.split(/\r?\n/).map((l) => l.replace(/\r$/, ''));
   const result = {};
   // Track every top-level key we've already assigned. YAML's last-wins
   // semantics would let a tampered skill set name twice

package/lib/playbook-runner.js

@@ -1191,10 +1191,21 @@ function analyze(playbookId, directiveId, detectResult, agentSignals = {}, runOp
   // `factor_cve_source: 'evidence' | 'domain' | 'none'` so operators see
   // which fallback was used.
   let factorCveSource = 'none';
-  let factorCve = matchedCves[0] || null;
+  // Prefer an RWEP-eligible (non-VEX-fixed) matched CVE to drive factor
+  // scaling — a vendor-patched CVE must not inflate adjusted RWEP via its
+  // exploitation / KEV / PoC multipliers. Do NOT fall back to matchedCves[0]:
+  // when EVERY evidence-correlated CVE is VEX-fixed (rwepEligible empty but
+  // matchedCves non-empty) the finding is remediated, so factor scaling must be
+  // suppressed entirely — base is already 0 and the fired factors must not
+  // raise the adjusted score (a vendor-fixed CVE's KEV/exploitation/PoC would
+  // otherwise lift it above 0). The domain-CVE and class-weight fallbacks below
+  // are skipped in that case too, so every fired factor scales by 0 via
+  // _factorScale(factor, null, …).
+  const allMatchedVexFixed = matchedCves.length > 0 && rwepEligible.length === 0;
+  let factorCve = rwepEligible[0] || null;
   if (factorCve) {
     factorCveSource = 'evidence';
-  } else if (workingCatalogCves.length > 0) {
+  } else if (!allMatchedVexFixed && workingCatalogCves.length > 0) {
     // Highest rwep_score from domain refs.
     factorCve = workingCatalogCves.reduce((worst, c) =>
       (typeof c.rwep_score === 'number' && (!worst || c.rwep_score > worst.rwep_score)) ? c : worst,
@@ -1211,7 +1222,7 @@ function analyze(playbookId, directiveId, detectResult, agentSignals = {}, runOp
   // semantics for this case only: apply the declared weight as-is
   // (factor_scale=1, legacy semantics). The factor_cve_source annotation
   // surfaces 'class' so operators see which mode the run used.
-  const _classScaleFallback = !factorCve;
+  const _classScaleFallback = !factorCve && !allMatchedVexFixed;
   let adjustedRwep = baseRwep;
   const rwepBreakdown = [];
   for (const input of an.rwep_inputs || []) {
@@ -1972,7 +1983,9 @@ function analyzeFindingShape(a) {
     // CVEs. A .find() lookup would return the first truthy entry — e.g.
     // 'suspected' on CVE #1 when CVE #2 is 'confirmed' — under-stating
     // the threat in notification drafts.
-    active_exploitation: worstActiveExploitation(matched),
+    // Exclude VEX-fixed (vendor-patched) CVEs: a notification draft must not
+    // assert active exploitation sourced from an already-remediated CVE.
+    active_exploitation: worstActiveExploitation(matched.filter(c => c.vex_status !== 'fixed')),
     rwep_adjusted: rwepAdjusted,
     rwep_base: a.rwep?.base ?? 0,
     // Severity surface for playbook conditions.

package/lib/prefetch.js

@@ -108,7 +108,7 @@ const SOURCES = {
 };
 
 function parseArgs(argv) {
-  const out = { maxAgeMs: 24 * 3600 * 1000, source: null, force: false, noNetwork: false, cacheDir: DEFAULT_CACHE, quiet: false, help: false };
+  const out = { maxAgeMs: 24 * 3600 * 1000, source: null, force: false, noNetwork: false, cacheDir: DEFAULT_CACHE, quiet: false, help: false, maxErrors: 0 };
   for (let i = 2; i < argv.length; i++) {
     const a = argv[i];
     if (a === "--force") out.force = true;
@@ -121,6 +121,12 @@ function parseArgs(argv) {
     else if (a.startsWith("--max-age=")) out.maxAgeMs = parseDuration(a.slice("--max-age=".length));
     else if (a === "--cache-dir") out.cacheDir = path.resolve(argv[++i]);
     else if (a.startsWith("--cache-dir=")) out.cacheDir = path.resolve(a.slice("--cache-dir=".length));
+    // Per-entry fetch-error tolerance. An integer is an absolute budget; an
+    // "<N>%" string is a fraction of the planned fetch count. A malformed
+    // value is recorded as an arg error so main() refuses with exit 2 rather
+    // than silently falling back to an unbounded tolerance.
+    else if (a === "--max-errors") { try { out.maxErrors = parseErrorThreshold(argv[++i]); } catch (e) { out._argError = e.message; } }
+    else if (a.startsWith("--max-errors=")) { try { out.maxErrors = parseErrorThreshold(a.slice("--max-errors=".length)); } catch (e) { out._argError = e.message; } }
     // Any remaining --flag is an unrecognized typo. Record it; main() refuses
     // before any network work rather than silently dropping it.
     else if (typeof a === "string" && a.startsWith("--")) {
@@ -145,6 +151,73 @@ function parseDuration(s) {
   return n * mult;
 }
 
+// Parse a --max-errors value into either an absolute integer budget or a
+// percentage marker ("<N>%"). Throws on anything else so a typo can't degrade
+// into an unbounded tolerance.
+function parseErrorThreshold(s) {
+  const str = String(s == null ? "" : s).trim();
+  const m = str.match(/^(\d+)(%?)$/);
+  if (!m) throw new Error(`prefetch: invalid --max-errors "${s}" (expected an integer or a percentage like "50" or "5%")`);
+  return m[2] === "%" ? `${m[1]}%` : Number(m[1]);
+}
+
+// Total entries a run planned to fetch (fetched + skipped-fresh + errored).
+// The denominator for a percentage error budget.
+function plannedCount(result) {
+  if (!result) return 0;
+  return (result.fetched || 0) + (result.skipped_fresh || 0) + (result.errors || 0);
+}
+
+// Resolve a --max-errors value (absolute number, "<N>%" string, or null) into
+// an absolute count against the planned total.
+function errorBudget(maxErrors, planned) {
+  if (maxErrors == null) return 0;
+  if (typeof maxErrors === "number") return Number.isFinite(maxErrors) ? maxErrors : 0;
+  const m = String(maxErrors).match(/^(\d+)%$/);
+  if (m) return Math.floor((Number(m[1]) / 100) * (planned || 0));
+  const n = Number(maxErrors);
+  return Number.isFinite(n) ? n : 0;
+}
+
+// Decide prefetch's 0-vs-1 exit code from a completed run. Per-entry fetch
+// errors are counted only after the job queue exhausts its retries, so they
+// are genuine failures — but a best-effort cache warm should tolerate a few
+// transient upstream misses. `opts.maxErrors` is the budget (default 0, so any
+// error exits 1 — the strict contract a manual operator expects). Fatal
+// errors (bad flags, an unhandled throw) are handled in main() and exit 2.
+function exitCodeForResult(result, opts = {}) {
+  const errors = (result && result.errors) || 0;
+  if (errors === 0) return 0;
+  // A source that landed no usable entries this run — nothing freshly fetched
+  // and nothing already fresh in the cache, yet errors recorded — is entirely
+  // unreachable, and the refresh would silently skip it. A dead KEV feed is
+  // only one error (well under any global budget) but means the run missed
+  // every new KEV flag. Fail regardless of the budget so a single fully-dead
+  // feed can't pass quietly.
+  const bySource = (result && result.by_source) || {};
+  for (const s of Object.values(bySource)) {
+    if (s && (s.errors || 0) > 0 && (s.fetched || 0) === 0 && (s.skipped_fresh || 0) === 0) {
+      return 1;
+    }
+  }
+  const budget = errorBudget(opts.maxErrors, plannedCount(result));
+  return errors > budget ? 1 : 0;
+}
+
+// One-line run summary. When a run has errors, names the per-source counts so
+// "1 error(s)" in a --quiet log is actionable instead of a blind count.
+function formatSummary(result, opts = {}) {
+  let line = `prefetch summary: ${result.fetched} fetched, ${result.skipped_fresh} fresh, ${result.errors} error(s)`;
+  if (result.errors > 0 && result.by_source) {
+    const parts = Object.entries(result.by_source)
+      .filter(([, s]) => s && s.errors > 0)
+      .map(([name, s]) => `${name}=${s.errors}`);
+    if (parts.length) line += ` [${parts.join(", ")}]`;
+  }
+  if (opts.noNetwork) line += " (dry-run)";
+  return line;
+}
+
 function printHelp() {
   console.log(`prefetch — warm a local cache of every upstream artifact this project consumes.
 
@@ -589,7 +662,10 @@ async function prefetch(options = {}) {
       .catch((err) => {
         result.errors++;
         result.by_source[item.source].errors++;
-        log(`  [${item.source}] ${item.id} — error: ${err.message}`);
+        // Errors go to stderr unconditionally — they are diagnostics, not the
+        // per-entry success chatter --quiet suppresses. A CI run with --quiet
+        // still surfaces which source/id failed.
+        console.error(`  [${item.source}] ${item.id} — error: ${err.message}`);
       });
   });
 
@@ -618,7 +694,7 @@ async function prefetch(options = {}) {
   // (the noisy part) but the operator still needs one line confirming success.
   // Without this, --quiet + --no-network was zero output even on dry-run
   // success, leaving operators unsure if the command had run at all.
-  console.log(`prefetch summary: ${result.fetched} fetched, ${result.skipped_fresh} fresh, ${result.errors} error(s)${opts.noNetwork ? " (dry-run)" : ""}`);
+  console.log(formatSummary(result, { noNetwork: opts.noNetwork }));
   return result;
 }
 
@@ -683,7 +759,7 @@ function readCached(cacheDir, source, id, opts = {}) {
 // message's known list.
 const PREFETCH_KNOWN_FLAGS = Object.freeze([
   "--force", "--no-network", "--dry-run", "--air-gap", "--quiet", "--help", "-h",
-  "--source", "--max-age", "--cache-dir",
+  "--source", "--max-age", "--cache-dir", "--max-errors",
 ]);
 
 async function main() {
@@ -693,6 +769,19 @@ async function main() {
     return;
   }
 
+  // A malformed --max-errors value is a usage error — refuse with exit 2
+  // (prefetch's usage-error convention) rather than running with an
+  // unintended tolerance.
+  if (opts._argError) {
+    process.stderr.write(JSON.stringify({
+      ok: false,
+      verb: "prefetch",
+      error: opts._argError,
+    }) + "\n");
+    process.exitCode = 2;
+    return;
+  }
+
   // Reject unknown flags BEFORE any network work. A swallowed typo (e.g.
   // `--max-aeg 12h`) previously fell through to a default full-cache fetch.
   // Exit 2 matches prefetch's existing usage-error convention (invalid
@@ -723,7 +812,7 @@ async function main() {
   // the `ci` #100 stdout-flush regression.
   try {
     const result = await prefetch(opts);
-    process.exitCode = result.errors > 0 ? 1 : 0;
+    process.exitCode = exitCodeForResult(result, opts);
   } catch (err) {
     console.error(`prefetch: fatal: ${err.message}`);
     process.exitCode = 2;
@@ -736,6 +825,9 @@ module.exports = {
   prefetch,
   readCached,
   parseArgs,
+  parseErrorThreshold,
+  exitCodeForResult,
+  formatSummary,
   SOURCES,
   DEFAULT_CACHE,
   // Ed25519 _index.json signing + verification. Exported so

package/lib/refresh-external.js

@@ -38,6 +38,7 @@
 const fs = require("fs");
 const path = require("path");
 const { execFileSync } = require("child_process");
+const { selectNvdCvss, cvssVersionOf } = require("./cvss");
 
 const ROOT = path.join(__dirname, "..");
 const ABS = (p) => path.join(ROOT, p);
@@ -157,8 +158,9 @@ Modes:
   --no-network       report-only: list what would be fetched, WITHOUT writing
                      the cache (the dry-run opposite of --prefetch).
   --from-cache [<p>] read from prefetch cache (default .cache/upstream).
-                     Combine with --apply to upsert against cached data
-                     entirely offline. Cache must be pre-populated via --prefetch.
+                     Combine with --apply to upsert against cached data. New-RFC
+                     discovery still queries IETF Datatracker live; add --air-gap
+                     for a fully offline run. Cache must be pre-populated via --prefetch.
   --source kev,epss  scope to a comma-separated list (kev|epss|nvd|rfc|pins|ghsa|osv)
   --check-advisories poll primary-source advisory feeds (Qualys TRU, RHSA, USN,
                      ZDI, kernel.org, oss-security, vendor research blogs) and
@@ -932,17 +934,27 @@ function nvdDiffFromCache(ctx) {
     if (!payload) { errors++; continue; }
     const vuln = payload.vulnerabilities?.[0]?.cve;
     if (!vuln) continue;
-    const m = vuln.metrics || {};
-    const ordered = [...(m.cvssMetricV31 || []), ...(m.cvssMetricV30 || []), ...(m.cvssMetricV2 || [])];
-    const primary = ordered.find((x) => x.type === "Primary") || ordered[0];
-    const upScore = typeof primary?.cvssData?.baseScore === "number" ? primary.cvssData.baseScore : null;
-    const upVector = primary?.cvssData?.vectorString || null;
+    // Prefer the newest CVSS version NVD publishes (Primary within that
+    // version), and normalize a bare v2 vector to its canonical prefix.
+    const up = selectNvdCvss(vuln.metrics);
+    if (!up) continue;
     const local = ctx.cveCatalog[id];
-    if (upScore != null && local.cvss_score != null && Math.abs(upScore - local.cvss_score) > 0.05) {
-      diffs.push({ id, field: "cvss_score", before: local.cvss_score, after: upScore, severity: "high" });
-    }
-    if (upVector && local.cvss_vector && upVector !== local.cvss_vector) {
-      diffs.push({ id, field: "cvss_vector", before: local.cvss_vector, after: upVector, severity: "medium" });
+    // Never regress a curated higher-version CVSS to an older upstream metric.
+    // NVD keeps many pre-2016 CVEs at v2 only (or tags v2 "Primary" over a
+    // v3.1 "Secondary"); the catalog has been curated to v3.1. When the
+    // selected upstream metric is an older CVSS version than the curated one,
+    // suppress both the score and the vector diff. A same-version drift (a
+    // genuine NVD re-score) still flows through.
+    const localVersion = cvssVersionOf(local.cvss_vector);
+    const isDowngrade =
+      up.version != null && localVersion != null && up.version < localVersion;
+    if (!isDowngrade) {
+      if (up.baseScore != null && local.cvss_score != null && Math.abs(up.baseScore - local.cvss_score) > 0.05) {
+        diffs.push({ id, field: "cvss_score", before: local.cvss_score, after: up.baseScore, severity: "high" });
+      }
+      if (up.vector && local.cvss_vector && up.vector !== local.cvss_vector) {
+        diffs.push({ id, field: "cvss_vector", before: local.cvss_vector, after: up.vector, severity: "medium" });
+      }
     }
   }
   const status = errors === 0 ? "ok" : errors === cves.length ? "unreachable" : "partial";
@@ -1728,4 +1740,4 @@ if (require.main === module) {
   });
 }
 
-module.exports = { ALL_SOURCES, loadCtx, parseArgs, seedSingleAdvisory, withCatalogLock, writeJsonAtomic };
+module.exports = { ALL_SOURCES, loadCtx, parseArgs, seedSingleAdvisory, withCatalogLock, writeJsonAtomic, nvdDiffFromCache };