@blamejs/exceptd-skills 0.16.28 → 0.16.30

package/CHANGELOG.md

@@ -1,5 +1,33 @@
 # Changelog
 
+## 0.16.30 — 2026-06-12
+
+The analyze-phase cross-reference layer now returns the correlations it always claimed to. The `byCwe`/`byTtp`/`bySkill` skill links, the per-CVE framework-gap and compliance-theater-test correlations, and the global framework context were reading index and catalog records under field names the data never carried, so every lookup came back empty. They now read the real fields and populate — a CWE resolves its skills, a CVE resolves its framework gaps and theater tests, and the global framework context spans the catalogs it documents.
+
+A malformed or timezone-less operator clock value no longer breaks a run. An unparseable `clock_started_at_<event>` signal previously threw out of the close phase, destroying the entire notification, CSAF, deadline, and attestation output and crashing every later reattest of the stored submission; it now degrades to a pending clock with a surfaced reason. A zone-less timestamp is normalized to UTC deterministically instead of the host's local zone, so a statutory deadline (NIS2 24h, DORA 4h, GDPR 72h) no longer shifts by the host's UTC offset. The analyze- and validate-completion clocks now auto-start under operator consent.
+
+Standards-bundle identifiers are correct across formats. CSAF `product_tree` branches are named from the package, not from a version-range operator sliced out of a catalog version string; SARIF `helpUri` points GHSA, OSV, RUSTSEC, and malicious-package identifiers at their own authority instead of fabricating an NVD CVE link; and the OpenVEX vulnerability `@id` keeps the canonical identifier case its `name` already carries.
+
+`attest diff` closes its remaining tamper-detection gaps. A tampered attestation in a multi-playbook session, and a tampered auto-selected prior attestation, are now detected on every diff path — previously only the explicit `--against` side was verified, so a forged multi-playbook or prior attestation passed at exit 0. Two artifacts that differ only in JSON key order no longer report as changed, and the VEX disposition note no longer lists a fixed disposition as a drop reason.
+
+`prefetch` validates its arguments and cache. An empty or comma-only `--source` is refused instead of silently warming every source; a value-less `--cache-dir`, `--source`, or `--max-age` is refused instead of crashing or silently changing scope; and a future-dated (clock-skewed) cache entry is re-fetched instead of trusted as fresh. `refresh --prefetch` reports a clear error naming the prefetchable sources when handed a live-only one, and auto-refresh no longer silently de-lists a curated CISA-KEV entry — matching the curated-CVSS protection already in place.
+
+RWEP scoring no longer produces a NaN delta or a false "broadly aligned" verdict when a comparison lacks a CVSS score, and custom scoring rejects a non-numeric blast radius the factor validator already rejected. The crypto playbook declares its Linux-only precondition, so a scan on a non-Linux host blocks rather than reporting a false "not detected." Playbook directive overrides and `applies_to` references are validated and cross-referenced, the CVE framework-control-gap cross-reference for orphaned control identifiers is enforced under `--strict`, and `lint` flags an unknown precondition key. The pre-publish scenario harness enforces its stderr guards even when a verb emits non-JSON output, binds assertions to the correct object, and holds a scenario-count floor under the standard test gate. An irrelevant passthrough flag on a read-only verb is now refused rather than silently ignored.
+
+## 0.16.29 — 2026-06-12
+
+A correctness pass across the refresh pipeline, scoring, attestation, the collectors, and offline mode.
+
+`refresh --apply` over the network no longer downgrades a curated CVSS 3.1 score and vector to NVD's legacy v2 metric on older CVEs — the offline cache path already guarded this in 0.16.27, and the live path now applies the same cross-version guard. New-RFC discovery now honors `--air-gap` (it previously queried IETF Datatracker live regardless), and an intrinsically air-gapped playbook — secrets, cred-stores, containers — refuses the `--upstream-check` npm-registry probe without the explicit flag. The `--from-cache` help no longer implies new-RFC discovery is offline; it stays live unless `--air-gap` is also passed.
+
+A CVE that a VEX statement marks fixed no longer inflates a finding's adjusted RWEP through its exploitation, KEV, and proof-of-concept multipliers, and a patched CVE's exploitation status no longer drives the notification draft. Jurisdiction coverage no longer attributes a skill to a jurisdiction from a bare two-letter ISO code that appears only in prose or inside a control identifier; coverage is driven by the regulation-name mapping. The skill-currency staleness check can now reach the warn and critical tiers it gates on — they were unreachable, so the scheduled currency workflow could never flag a skill past its review window; a genuinely abandoned skill now scores into them while a maintained one does not.
+
+`attest diff --against` now verifies the comparison attestation's Ed25519 signature, not only the local side, and refuses a tampered `--against` attestation (exit 6; `--force-replay` overrides). Both sides' verification is recorded in the output.
+
+The collectors no longer raise false findings from `#`-commented YAML — a commented `npm install`, `runs-on: self-hosted`, or `secrets.NPM_TOKEN` is no longer read as the real thing — and a commented `npm publish --provenance` no longer suppresses the missing-build-provenance finding. A documentation or redaction-pattern snippet of a service-account private key no longer registers as an embedded secret. A skill.md with CRLF line endings no longer produces a misleading frontmatter-parse error, and the `run --format` reference now lists `json`, which the runtime already accepts.
+
+The scheduled external-data refresh keeps the package description's entry counts in sync with the data it applies, so an auto-refresh that changes a count no longer fails the SBOM currency check on its pull request.
+
 ## 0.16.28 — 2026-06-10
 
 Refreshes the pinned MITRE threat-framework versions. MITRE ATLAS is now pinned to v2026.05: its content moved to a YYYY.MM calendar-versioning scheme, and the release adds platform tags (Predictive AI, Generative AI, Agentic AI, Enterprise) to every technique. MITRE ATT&CK is pinned to v19.1, a point release of typo and data corrections over v19.0. Both bumps were audited against every ATLAS and ATT&CK technique ID the catalog cites: none was removed, renamed, or revoked, so all existing references remain valid.

package/README.md

@@ -228,7 +228,7 @@ exceptd run [playbook]                Phases 4-7. Auto-detects cwd context when
   --evidence-dir <dir>                Per-playbook submission files (cron-friendly).
   --scope <type> | --all              Multi-playbook run.
   --vex <file>                        CycloneDX / OpenVEX filter (drop not_affected).
-  --format <fmt> ...                  csaf-2.0 | sarif | openvex | markdown | summary.
+  --format <fmt> ...                  csaf-2.0 | sarif | openvex | markdown | summary | json.
                                       Repeatable. CSAF is primary; extras go to
                                       close.evidence_package.bundles_by_format.
   --diff-from-latest                  Drift vs prior attestation for same playbook.

package/bin/exceptd.js

@@ -884,7 +884,14 @@ function emit(obj, pretty, humanRenderer) {
   // the body. Per-site `verb: "<name>"` is set at the call site; this
   // helper guarantees the `ok` field's presence but does not synthesize
   // verb (the caller knows its own name).
-  if (obj && typeof obj === 'object' && !('ok' in obj)) {
+  //
+  // Arrays are excluded: spreading an array into an object literal would
+  // produce numeric string keys ({"0":…,"1":…}) plus a spurious ok:true
+  // envelope, corrupting array-shaped output. Array bodies (standard
+  // documents like SARIF results / OpenVEX statements) pass through
+  // verbatim — matching the verbatim-write path those documents already
+  // use, which deliberately strips the envelope rather than injecting it.
+  if (obj && typeof obj === 'object' && !Array.isArray(obj) && !('ok' in obj)) {
     obj = { ok: true, ...obj };
   }
   const wantJson = !!global.__exceptdWantJson || !!process.env.EXCEPTD_RAW_JSON;
@@ -1747,6 +1754,33 @@ function dispatchPlaybook(cmd, argv) {
     runOpts.operator_consent = { acked_at: new Date().toISOString(), explicit: true };
   }
 
+  // Relevance guard for PASSTHROUGH_FLAGS that are meaningful on only a subset
+  // of verbs. PASSTHROUGH_FLAGS short-circuits the typo loop above so it never
+  // reaches the cross-verb guidance fall-through — which meant a run-class flag
+  // (e.g. --max-rwep, consumed only by `ci`) parked there was silently dropped
+  // (exit 0, output unchanged) when supplied to an info-only verb, instead of
+  // refused with the same "pass it on a run-class verb" guidance the bundle
+  // flags (--csaf-status / --tlp / --ack) already give. Each entry maps the
+  // flag to the verbs that actually consume it; supplying it elsewhere is an
+  // irrelevant-flag refusal.
+  const SINGLE_VERB_PASSTHROUGH = {
+    "max-rwep": ["ci"],
+    "diff-from-latest": ["run"],
+    "upstream-check": ["run"],
+  };
+  for (const [flag, relevantVerbs] of Object.entries(SINGLE_VERB_PASSTHROUGH)) {
+    // A value-less boolean flag parses as `true`; a value-bearing one as its
+    // string. Either way, presence (not absence) is what we gate on. `false`
+    // never occurs from the parser but is treated as "not supplied" for safety.
+    if (args[flag] === undefined || args[flag] === false) continue;
+    if (relevantVerbs.includes(cmd)) continue;
+    return emitError(
+      `${cmd}: --${flag} is irrelevant on this verb (nothing here consumes it). --${flag} only applies to: ${relevantVerbs.slice().sort().join(", ")}. Re-invoke without --${flag}, or pass it on \`exceptd ${relevantVerbs[0]} …\`.`,
+      { verb: cmd, flag, error_class: "irrelevant-flag", accepted_verbs: relevantVerbs.slice().sort() },
+      pretty
+    );
+  }
+
   let runner;
   try {
     runner = loadRunner();
@@ -2675,6 +2709,18 @@ function cmdLint(runner, args, runOpts, pretty) {
     p => !(((submission.precondition_checks || {}).hasOwnProperty(p)) || ((normalized.precondition_checks || {}).hasOwnProperty(p)))
   );
 
+  // Symmetric to unknownArtifactKeys/unknownSignalKeys: flag precondition_checks
+  // keys the playbook does not declare. Pre-fix, the flat `observations` shape
+  // surfaced a foreign precondition id (e.g. crypto collector attesting
+  // `linux-platform`, which belongs to kernel/runtime/hardening) as an
+  // unknown_observation_key, but the nested `precondition_checks` shape every
+  // collector actually emits was never checked — so collector↔playbook
+  // precondition-id drift was silent on the canonical collect→lint path.
+  const unknownPreconditionKeys = [...new Set([
+    ...Object.keys(submission.precondition_checks || {}),
+    ...Object.keys(normalized.precondition_checks || {}),
+  ])].filter(k => !knownPreconditions.has(k));
+
   const issues = [];
   // v0.11.6 (#94): missing_required_artifact downgraded from error to warn.
   // The runner doesn't refuse a submission missing required artifacts — it
@@ -2698,6 +2744,15 @@ function cmdLint(runner, args, runOpts, pretty) {
   for (const p of unsuppliedPreconditions) {
     issues.push({ severity: "info", kind: "precondition_unverified", precondition_id: p, hint: `Add submission.precondition_checks.${p} = true|false (or under observations in the flat shape).` });
   }
+  for (const k of unknownPreconditionKeys) {
+    const recognized = [...knownPreconditions];
+    issues.push({
+      severity: "warn",
+      kind: "unknown_precondition_key",
+      precondition_id: k,
+      hint: `Not in playbook ${playbookId} _meta.preconditions[].${recognized.length ? ` Recognized: ${recognized.slice(0, 10).join(", ")}.` : " This playbook declares no preconditions."} A collector emitting a foreign precondition id (e.g. the crypto collector attesting \`linux-platform\`, which belongs to kernel/runtime/hardening) means the attestation will not satisfy any real gate.`,
+    });
+  }
   for (const k of unknownObservationKeys) {
     issues.push({ severity: "warn", kind: "unknown_observation_key", key: k });
   }
@@ -3406,8 +3461,10 @@ function cmdRun(runner, args, runOpts, pretty) {
     // Audit 3 A.6: --air-gap must refuse the registry probe. The
     // upstream-check helper has no air-gap awareness of its own; the
     // central refusal lives here so any future caller of --upstream-check
-    // inherits it.
-    if (runOpts.airGap || process.env.EXCEPTD_AIR_GAP === "1") {
+    // inherits it. Mirror the line-3444 hoist: an intrinsically air-gapped
+    // playbook (_meta.air_gap_mode — secrets / cred-stores / containers) must
+    // refuse the egress too, even without the explicit --air-gap flag.
+    if (runOpts.airGap || process.env.EXCEPTD_AIR_GAP === "1" || pb._meta?.air_gap_mode) {
       upstreamCheck = {
         ok: false,
         source: "air-gap",
@@ -4932,6 +4989,31 @@ function verifyAttestationSidecar(attFile) {
     }
   }
   if (!fs.existsSync(sigPath)) {
+    // A missing sidecar is benign ONLY when none was ever expected (the
+    // attestation was written on a keyless host and no peer in the same
+    // session is signed). When a sig SHOULD exist — a signing key is present,
+    // or a signed peer attestation sits beside this one — an absent sidecar is
+    // a deletion-to-evade-tamper signal. Carry the tamper_class so `attest
+    // diff` and `reattest` refuse a forged attestation whose .sig was stripped,
+    // matching `attest verify`. The keyless case stays benign so keyless CI is
+    // unaffected.
+    const privKeyPath = path.join(PKG_ROOT, ".keys", "private.pem");
+    let expected = fs.existsSync(privKeyPath);
+    if (!expected) {
+      try {
+        const dir = path.dirname(attFile);
+        for (const sf of fs.readdirSync(dir)) {
+          if (!sf.endsWith(".sig")) continue;
+          try {
+            const sd = JSON.parse(fs.readFileSync(path.join(dir, sf), "utf8"));
+            if (sd && sd.algorithm === "Ed25519") { expected = true; break; }
+          } catch { /* skip unparseable sidecar */ }
+        }
+      } catch { /* dir unreadable — fall through to benign */ }
+    }
+    if (expected) {
+      return { file: attFile, signed: false, verified: false, reason: "no .sig sidecar, but one was expected (signing key present or a signed peer attestation exists) — sidecar deletion suspected", tamper_class: "sidecar-missing" };
+    }
     return { file: attFile, signed: false, verified: false, reason: "no .sig sidecar" };
   }
   let sigDoc;
@@ -5016,6 +5098,39 @@ function verifyAttestationSidecar(attFile) {
   }
 }
 
+/**
+ * Resolve the A-side ("self") attestation for `attest diff` to its actual
+ * on-disk file, NOT a hardcoded attestation.json.
+ *
+ * The two diff branches (`--against` and the auto-prior default) both need
+ * the A-side's real signed file to route its sidecar through the tamper
+ * refusal. A single-`run` / `reattest` session writes attestation.json; a
+ * multi-playbook (run-all) session writes per-playbook `<id>.json` +
+ * `<id>.json.sig` with no attestation.json. Selection mirrors the B-side
+ * resolution: prefer attestation.json when present, else the newest by
+ * captured_at. Returns { parsed, file } or null when no attestation exists.
+ *
+ * `attestations[i]` is paired with `files[i]` (the partition loop pushes
+ * them in lockstep), so this never has to re-read the directory.
+ */
+function resolveSelfAttestation(dir, attestations, files) {
+  if (!Array.isArray(attestations) || attestations.length === 0) return null;
+  const canonicalPath = path.join(dir, "attestation.json");
+  const canonicalIdx = files.indexOf(canonicalPath);
+  if (canonicalIdx !== -1) {
+    return { parsed: attestations[canonicalIdx], file: files[canonicalIdx] };
+  }
+  // No canonical attestation.json (run-all session) — pick the newest entry
+  // by captured_at, keeping its paired path so the sidecar verify is exact.
+  let best = { parsed: attestations[0], file: files[0] };
+  for (let i = 1; i < attestations.length; i++) {
+    const cur = attestations[i].captured_at || "";
+    const bestCap = best.parsed.captured_at || "";
+    if (cur.localeCompare(bestCap) > 0) best = { parsed: attestations[i], file: files[i] };
+  }
+  return best;
+}
+
 /**
  * `attest prune --all-older-than <ISO>` — GC for attestation growth.
  *
@@ -5482,6 +5597,12 @@ function isTamperedSidecarVerify(verify) {
     // swapped key proves nothing, so replay refuses exactly like the
     // other tamper classes (attest verify already refuses on this).
     || verify.tamper_class === "fingerprint-mismatch"
+    // A sidecar that should exist (a signing key is present, or a signed peer
+    // attestation sits in the same session) but is absent is a
+    // deletion-to-evade-tamper signal — refuse exactly as reattest and attest
+    // verify already do, so a forged attestation can't dodge the diff gate by
+    // stripping its .sig.
+    || verify.tamper_class === "sidecar-missing"
   );
   return Boolean(isSignedTamper || isClassTamper);
 }
@@ -5599,14 +5720,22 @@ function cmdAttest(runner, args, runOpts, pretty) {
   // sessions. Gate on the parsed payload — not filename prefix — so a
   // renamed file cannot smuggle a replay into the attestations[] list.
   const attestations = [];
+  const attestationFiles = [];
   const replays = [];
   for (const f of files) {
     let parsed;
-    try { parsed = JSON.parse(fs.readFileSync(path.join(dir, f), "utf8")); }
+    const fp = path.join(dir, f);
+    try { parsed = JSON.parse(fs.readFileSync(fp, "utf8")); }
     catch { continue; }
     if (!parsed) continue;
     if (parsed.kind === "replay") replays.push(parsed);
-    else attestations.push(parsed);
+    // Track the on-disk path alongside the parsed attestation so the A-side
+    // sidecar verify resolves the ACTUAL signed file. A multi-playbook
+    // (run-all) session writes per-playbook `<id>.json` + `<id>.json.sig`
+    // and NEVER an attestation.json — so a hardcoded attestation.json path
+    // would point at a non-existent file and silently report "no .sig
+    // sidecar", letting a forged run-all A-side pass diff at exit 0.
+    else { attestations.push(parsed); attestationFiles.push(fp); }
   }
 
   if (subverb === "show") {
@@ -5641,29 +5770,32 @@ function cmdAttest(runner, args, runOpts, pretty) {
       //      attestation.json cannot shadow the real attestation in the
       //      diff.
       let other = null;
+      let otherPath = null;
       const otherAttestationPath = path.join(otherDir, "attestation.json");
       if (fs.existsSync(otherAttestationPath)) {
         try {
           const parsed = JSON.parse(fs.readFileSync(otherAttestationPath, "utf8"));
-          if (parsed && parsed.kind !== "replay") other = parsed;
+          if (parsed && parsed.kind !== "replay") { other = parsed; otherPath = otherAttestationPath; }
         } catch { /* fall through to scan */ }
       }
       if (!other) {
         const candidates = [];
         for (const f of otherFiles) {
           try {
-            const parsed = JSON.parse(fs.readFileSync(path.join(otherDir, f), "utf8"));
+            const fp = path.join(otherDir, f);
+            const parsed = JSON.parse(fs.readFileSync(fp, "utf8"));
             if (!parsed || parsed.kind === "replay") continue;
-            candidates.push(parsed);
+            candidates.push({ parsed, file: fp });
           } catch { /* skip malformed */ }
         }
-        candidates.sort((a, b) => (b.captured_at || "").localeCompare(a.captured_at || ""));
-        other = candidates[0] || null;
+        candidates.sort((a, b) => (b.parsed.captured_at || "").localeCompare(a.parsed.captured_at || ""));
+        if (candidates[0]) { other = candidates[0].parsed; otherPath = candidates[0].file; }
       }
       if (!other) {
         return emitError(`attest diff --against ${args.against}: no attestations under that session id.`, null, pretty);
       }
-      const self = attestations[0];
+      const selfResolved = resolveSelfAttestation(dir, attestations, attestationFiles);
+      const self = selfResolved && selfResolved.parsed;
       if (!self) {
         // Session dir contains only replay records, no attestation —
         // diff has nothing to compare on the A side.
@@ -5673,6 +5805,36 @@ function cmdAttest(runner, args, runOpts, pretty) {
           pretty
         );
       }
+      // Verify BOTH attestations' sidecars — the --against (B-side) drives the
+      // drift verdict as much as the A-side, so a forged comparison attestation
+      // must be refused too, not silently diffed under an A-only green sidecar
+      // line. Mirrors reattest's tamper-refusal contract (exit TAMPERED unless
+      // --force-replay); surfaces a_/b_sidecar_verify either way. The A-side
+      // verifies its RESOLVED file (selfResolved.file) so a run-all session,
+      // whose real signed sidecar is `<id>.json.sig` not attestation.json.sig,
+      // is checked against its actual signature rather than a missing path.
+      const aSidecarVerify = verifyAttestationSidecar(selfResolved.file);
+      const bSidecarVerify = otherPath
+        ? verifyAttestationSidecar(otherPath)
+        : { file: null, signed: false, verified: false, reason: "no B-side attestation file resolved" };
+      const aTampered = isTamperedSidecarVerify(aSidecarVerify);
+      const bTampered = isTamperedSidecarVerify(bSidecarVerify);
+      if ((aTampered || bTampered) && !args["force-replay"]) {
+        const sides = [aTampered && "A-side", bTampered && "--against (B-side)"].filter(Boolean).join(" + ");
+        process.stderr.write(`[exceptd attest diff] TAMPERED: ${sides} attestation failed Ed25519 verification. Refusing to diff against forged input. Pass --force-replay to override (the output records a_sidecar_verify + b_sidecar_verify).\n`);
+        emit({
+          ok: false,
+          error: `attest diff: ${sides} attestation failed signature verification — refusing to diff`,
+          verb: "attest diff",
+          a_session: sessionId,
+          b_session: args.against,
+          a_sidecar_verify: aSidecarVerify,
+          b_sidecar_verify: bSidecarVerify,
+          hint: "If a sidecar was intentionally removed/rotated and you have inspected the attestation, pass --force-replay.",
+        }, pretty);
+        process.exitCode = EXIT_CODES.TAMPERED;
+        return;
+      }
       emit({
         verb: "attest diff",
         a_session: sessionId,
@@ -5683,7 +5845,9 @@ function cmdAttest(runner, args, runOpts, pretty) {
         a_evidence_hash: self.evidence_hash,
         b_evidence_hash: other.evidence_hash,
         status: self.evidence_hash === other.evidence_hash ? "unchanged" : "drifted",
-        sidecar_verify: verifyAttestationSidecar(path.join(dir, "attestation.json")),
+        sidecar_verify: aSidecarVerify,
+        a_sidecar_verify: aSidecarVerify,
+        b_sidecar_verify: bSidecarVerify,
         // v0.11.8 (#102): normalize submissions before diffing so flat-shape
         // (observations + verdict) submissions emit meaningful artifact_diff
         // counts. Pre-0.11.8 (self.submission||{}).artifacts was undefined
@@ -5703,7 +5867,8 @@ function cmdAttest(runner, args, runOpts, pretty) {
     // No --against: find the most-recent prior attestation for the
     // SAME playbook as `sessionId` and diff against that. Pure
     // comparison — no replay.
-    const self = attestations[0];
+    const selfResolved = resolveSelfAttestation(dir, attestations, attestationFiles);
+    const self = selfResolved && selfResolved.parsed;
     if (!self) {
       return emitError(
         `attest diff ${sessionId}: no attestation found in session dir.`,
@@ -5728,7 +5893,35 @@ function cmdAttest(runner, args, runOpts, pretty) {
     }
     const other = prior.parsed;
     const status = self.evidence_hash === other.evidence_hash ? "unchanged" : "drifted";
-    const sidecarVerify = verifyAttestationSidecar(path.join(dir, "attestation.json"));
+    // Verify BOTH sidecars and apply the same dual-side tamper refusal as the
+    // --against branch. Pre-fix this branch verified only the A-side and never
+    // the auto-selected prior, so a forged prior (or a forged run-all A-side,
+    // which the hardcoded attestation.json path missed entirely) produced a
+    // drift verdict at exit 0 under a green sidecar line. The A-side uses its
+    // RESOLVED file; the B-side uses the prior's actual on-disk path
+    // (prior.file), so a run-all prior is checked against its real signature.
+    const aSidecarVerify = verifyAttestationSidecar(selfResolved.file);
+    const bSidecarVerify = prior.file
+      ? verifyAttestationSidecar(prior.file)
+      : { file: null, signed: false, verified: false, reason: "no prior attestation file resolved" };
+    const aTampered = isTamperedSidecarVerify(aSidecarVerify);
+    const bTampered = isTamperedSidecarVerify(bSidecarVerify);
+    if ((aTampered || bTampered) && !args["force-replay"]) {
+      const sides = [aTampered && "A-side", bTampered && "prior (B-side)"].filter(Boolean).join(" + ");
+      process.stderr.write(`[exceptd attest diff] TAMPERED: ${sides} attestation failed Ed25519 verification. Refusing to diff against forged input. Pass --force-replay to override (the output records a_sidecar_verify + b_sidecar_verify).\n`);
+      emit({
+        ok: false,
+        error: `attest diff: ${sides} attestation failed signature verification — refusing to diff`,
+        verb: "attest diff",
+        a_session: sessionId,
+        b_session: prior.sessionId,
+        a_sidecar_verify: aSidecarVerify,
+        b_sidecar_verify: bSidecarVerify,
+        hint: "If a sidecar was intentionally removed/rotated and you have inspected the attestation, pass --force-replay.",
+      }, pretty);
+      process.exitCode = EXIT_CODES.TAMPERED;
+      return;
+    }
     emit({
       verb: "attest diff",
       a_session: sessionId,
@@ -5739,7 +5932,11 @@ function cmdAttest(runner, args, runOpts, pretty) {
       a_evidence_hash: self.evidence_hash,
       b_evidence_hash: other.evidence_hash,
       status,
-      sidecar_verify: sidecarVerify,
+      // Retain `sidecar_verify` (A-side) for back-compat; add a_/b_ pair so the
+      // default branch's output shape matches the --against branch.
+      sidecar_verify: aSidecarVerify,
+      a_sidecar_verify: aSidecarVerify,
+      b_sidecar_verify: bSidecarVerify,
       artifact_diff: diffArtifacts(
         normalizedArtifacts(self.submission, runner, self.playbook_id),
         normalizedArtifacts(other.submission, runner, other.playbook_id),
@@ -6136,10 +6333,43 @@ function normalizedSignalOverrides(submission, runner, playbookId) {
   return _playbookSignalCatalog(runner, playbookId) || {};
 }
 
+/**
+ * Order-insensitive JSON serializer for the per-field artifact comparison.
+ * Object keys are sorted recursively so two artifacts that differ ONLY in
+ * key insertion order compare equal — matching the key-sorted canonical form
+ * that evidence_hash (and therefore top-level `status`) already uses. Without
+ * this, a side stored as nested `{captured, value}` (raw operator order) vs a
+ * side normalized to `{value, captured}` serialized unequal under
+ * JSON.stringify, so `artifact_diff.changed[]` reported a false "changed"
+ * while `status` said "unchanged" — a self-contradicting diff. Depth-bounded
+ * to defend against adversarial/cyclic input; callers treat a throw as
+ * "cannot canonicalize" and fall back to raw stringify (diff output is
+ * non-fatal context, never a gate).
+ */
+function stableArtifactStringify(v, depth = 0) {
+  if (depth > 200) throw new Error("artifact too deep to canonicalize");
+  if (v === null || typeof v !== "object") return JSON.stringify(v);
+  if (Array.isArray(v)) {
+    return "[" + v.map((x) => stableArtifactStringify(x, depth + 1)).join(",") + "]";
+  }
+  const keys = Object.keys(v).sort();
+  return "{" + keys.map((k) => JSON.stringify(k) + ":" + stableArtifactStringify(v[k], depth + 1)).join(",") + "}";
+}
+
+function artifactsDiffer(av, bv) {
+  try {
+    return stableArtifactStringify(av) !== stableArtifactStringify(bv);
+  } catch {
+    // Canonicalization bailed (too deep / cyclic) — fall back to the
+    // order-sensitive comparison rather than masking a real difference.
+    return JSON.stringify(av) !== JSON.stringify(bv);
+  }
+}
+
 /**
  * Per-artifact diff between two submissions. Returns { added, removed, changed }
- * keyed by artifact id. Used by `attest diff` (bug #34 fix) so operators get
- * field-level context instead of a binary evidence_hash signal.
+ * keyed by artifact id. Used by `attest diff` so operators get field-level
+ * context instead of a binary evidence_hash signal.
  */
 function diffArtifacts(a, b) {
   a = a || {}; b = b || {};
@@ -6154,7 +6384,7 @@ function diffArtifacts(a, b) {
       out.added.push({ id, captured: !!bv.captured, value_preview: previewValue(bv.value) });
     } else if (av && !bv) {
       out.removed.push({ id, captured: !!av.captured, value_preview: previewValue(av.value) });
-    } else if (av && bv && JSON.stringify(av) !== JSON.stringify(bv)) {
+    } else if (av && bv && artifactsDiffer(av, bv)) {
       out.changed.push({
         id,
         a_captured: !!av.captured, b_captured: !!bv.captured,
@@ -9068,4 +9298,7 @@ module.exports = {
   _isTamperedSidecarVerify: isTamperedSidecarVerify,
   _classifySidecarVerify: classifySidecarVerify,
   _verifyAttestationSidecar: verifyAttestationSidecar,
+  _emit: emit,
+  _diffArtifacts: diffArtifacts,
+  _resolveSelfAttestation: resolveSelfAttestation,
 };

package/data/_indexes/_meta.json

@@ -1,10 +1,11 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-06-10T16:38:38.784Z",
+  "generated_at": "2026-06-13T06:23:47.498Z",
   "generator": "scripts/build-indexes.js",
-  "source_count": 63,
+  "source_count": 64,
   "source_hashes": {
-    "manifest.json": "21f2f84671301efb38afbaad51f8d06fa46137747d078d94c439defa669c114b",
+    "manifest.json": "70fea689545e1145b6e4e55621b07083d54e657372d1293406697cbcdd216fbb",
+    "README.md": "e7b854e7db9a364a1b368b5084b4f0c2a8282f0459ce39800ac1d1dabdc06074",
     "data/atlas-ttps.json": "29f3447ac5c45f42f50b3ed8a46010c2b8ecbcc8094bb19b5db57ba4707b396c",
     "data/attack-techniques.json": "6506db66fdd69bb3564e12aef8f727edddc55d0e6e99f60833a200a57e8ee65e",
     "data/cve-catalog.json": "51d8425a49e5cc0375d0a154a83a16816e99c3141a5bbafe6383607ca11be240",