@blamejs/exceptd-skills 0.16.3 → 0.16.5

package/data/playbooks/llm-tool-use-exfil.json

@@ -669,6 +669,7 @@
             "developer_workflow_can_tolerate_approval_friction == true"
           ],
           "priority": 1,
+          "for_signals": ["auto-approve-on-high-impact-tool","rubber-stamp-approval-pattern","unprompted-tool-chain"],
           "compensating_controls": [
             "approval_decision_recorded_in_audit_log",
             "approval_pattern_baseline_monitored"
@@ -683,6 +684,7 @@
             "model_supports_trust_zone_pattern == true"
           ],
           "priority": 2,
+          "for_signals": ["instruction-coercion-in-tool-response","unprompted-tool-chain"],
           "compensating_controls": [
             "trust_zone_test_battery_in_ci",
             "system_prompt_versioned_in_source_control"
@@ -697,6 +699,7 @@
             "agent_egress_traffic_routable_through_inspection == true"
           ],
           "priority": 2,
+          "for_signals": ["agent-egress-to-non-allowlisted-destination","credential-shadow-in-tool-args"],
           "compensating_controls": [
             "inspection_rules_recorded_in_iac",
             "false_positive_baseline_established"
@@ -711,6 +714,7 @@
             "alternative_content_sources_available_for_removed_externals == true"
           ],
           "priority": 2,
+          "for_signals": ["rag-source-from-untrusted-origin","instruction-coercion-in-tool-response"],
           "compensating_controls": [
             "rag_source_inventory_recorded",
             "integrity_control_evidence_per_source"

package/data/playbooks/mcp.json

@@ -876,6 +876,7 @@
             "auto_update_available == true"
           ],
           "priority": 1,
+          "for_signals": ["vulnerable-windsurf-version"],
           "compensating_controls": [],
           "estimated_time_hours": 0.5
         },
@@ -886,6 +887,7 @@
             "operator_authorized_to_modify_mcp_config == true"
           ],
           "priority": 2,
+          "for_signals": ["unsigned-mcp-manifest","mcp-typosquat-candidate"],
           "compensating_controls": [
             "mcp_egress_network_allowlist",
             "mcp_runs_as_non_root_enforced"
@@ -899,6 +901,7 @@
             "all_authorized_mcp_servers_have_published_signatures == true"
           ],
           "priority": 3,
+          "for_signals": ["mcp-allowlist-missing","mcp-command-provenance-gap"],
           "compensating_controls": [
             "pre-commit hook validates mcp config against signed allowlist",
             "CI gate rejects PRs that introduce unsigned mcp entries"
@@ -912,6 +915,7 @@
             "package_lockfile_exists == true OR sigstore_rekor_entry_available == true"
           ],
           "priority": 4,
+          "for_signals": ["mcp-version-without-integrity"],
           "compensating_controls": [
             "scheduled re-pin job on every authorized MCP package release"
           ],

package/data/playbooks/post-quantum-migration.json

@@ -855,6 +855,7 @@
             "operator_assigns_register_owner == true"
           ],
           "priority": 1,
+          "for_signals": ["no-cryptographic-asset-register","register-incomplete-per-asset-fields","long-retention-classical-only-asset"],
           "compensating_controls": [
             "interim_high_value_asset_prioritisation",
             "vendor_engagement_for_unattested_dependencies"
@@ -869,6 +870,7 @@
             "operator_legal_team_engaged == true"
           ],
           "priority": 2,
+          "for_signals": ["vendor-no-pqc-commitment","policy-without-vendor-sla"],
           "compensating_controls": [
             "alternative_vendor_shortlist_per_dependency",
             "data_minimisation_for_vendor_handled_data"
@@ -883,6 +885,7 @@
             "hybrid_configured_asset_inventory_present == true"
           ],
           "priority": 2,
+          "for_signals": ["no-downgrade-detection"],
           "compensating_controls": [
             "alerting_on_downgrade_threshold_per_service",
             "weekly_downgrade_report_to_security_team"
@@ -897,6 +900,7 @@
             "key_migration_window_within_jurisdiction_deadline == true"
           ],
           "priority": 3,
+          "for_signals": ["hsm-firmware-no-pqc"],
           "compensating_controls": [
             "network_segmentation_for_classical_only_hsm",
             "shortened_retention_for_keys_pending_migration"
@@ -910,6 +914,7 @@
             "operator_jurisdictional_scope_documented == true"
           ],
           "priority": 4,
+          "for_signals": ["regulator-deadline-missing-or-stale"],
           "compensating_controls": [
             "automated_regulator_publication_monitoring",
             "quarterly_deadline_review_with_legal"
@@ -923,6 +928,7 @@
             "firmware_update_channel_exists == true OR end_of_life_communicable_to_customers == true"
           ],
           "priority": 4,
+          "for_signals": ["embedded-tls-stack-classical-only"],
           "compensating_controls": [
             "pqc_gateway_for_classical_only_devices",
             "customer_notification_of_hndl_exposure"

package/data/playbooks/ransomware.json

@@ -947,6 +947,7 @@
             "forensic_acquisition_tooling_available == true"
           ],
           "priority": 1,
+          "for_signals": ["mass-file-extension-change-event","shadow-copy-deletion-no-iac-ticket","encrypted-file-extension-growth-rate","cobaltstrike-beacon-signature","large-outbound-transfer-pre-encryption","bloodhound-class-ad-recon","ad-admin-count-modification-event"],
           "compensating_controls": [
             "out-of-band-comms-on-signal-or-wickr",
             "incident-commander-named",

package/data/playbooks/runtime.json

@@ -685,6 +685,7 @@
             "ops_authorization_for_chmod == true"
           ],
           "priority": 1,
+          "for_signals": ["non-baseline-suid"],
           "compensating_controls": [
             "suid-baseline-tracked",
             "edr-alerts-on-suid-creation"
@@ -699,6 +700,7 @@
             "automation_account_owner_authorization == true"
           ],
           "priority": 1,
+          "for_signals": ["sudoers-nopasswd-wildcard"],
           "compensating_controls": [
             "sudoers-change-recorded",
             "automation-account-inventory-updated"
@@ -712,6 +714,7 @@
             "deterministic_implant_indicator_fired == true"
           ],
           "priority": 1,
+          "for_signals": ["duplicate-uid-zero","orphan-privileged-process","cron-or-timer-outside-policy"],
           "compensating_controls": [
             "host-isolated-from-network",
             "memory-snapshot-captured-pre-removal"
@@ -726,6 +729,7 @@
             "service_owner_identified == true"
           ],
           "priority": 2,
+          "for_signals": ["listening-socket-unknown-bind"],
           "compensating_controls": [
             "host-firewall-rule-added",
             "service-inventory-updated"

package/data/playbooks/sbom.json

@@ -1261,6 +1261,7 @@
             "operator_authorized_for_package_upgrade == true"
           ],
           "priority": 1,
+          "for_signals": ["package-matches-catalogued-cve","kev-listed-match","windsurf-vulnerable-version"],
           "compensating_controls": [
             "restart_affected_services_post_upgrade",
             "regression_test_post_upgrade"
@@ -1274,6 +1275,7 @@
             "ci_pipeline_modifiable == true"
           ],
           "priority": 2,
+          "for_signals": ["lockfile-no-integrity"],
           "compensating_controls": [
             "lockfile_review_in_pr_template"
           ],
@@ -1298,6 +1300,7 @@
             "sbom_tooling_supports_transitive == true"
           ],
           "priority": 4,
+          "for_signals": ["transitive-deps-incomplete-sbom"],
           "compensating_controls": [
             "sbom_completeness_gate_in_ci"
           ],
@@ -1310,6 +1313,7 @@
             "security_team_capacity_for_vex == true"
           ],
           "priority": 5,
+          "for_signals": ["matched-cve-without-vex"],
           "compensating_controls": [
             "vex_template_in_security_playbook"
           ],
@@ -1323,6 +1327,7 @@
             "ci_or_pre-commit_modifiable == true"
           ],
           "priority": 6,
+          "for_signals": ["ai-code-no-provenance"],
           "compensating_controls": [
             "pr_review_for_ai_emitted_code",
             "ai_code_review_checklist"
@@ -1336,6 +1341,7 @@
             "ml_loader_modifiable == true OR ml_inference_pipeline_owned == true"
           ],
           "priority": 7,
+          "for_signals": ["model-weight-unsigned-and-executable-format"],
           "compensating_controls": [
             "model_inventory_review",
             "non-safetensors_models_quarantined"

package/data/playbooks/secrets.json

@@ -754,6 +754,7 @@
             "rotation_ownership_identified == true"
           ],
           "priority": 1,
+          "for_signals": ["aws-access-key-id","aws-secret-access-key","gcp-service-account-json","github-personal-access-token","github-fine-grained-pat","slack-bot-or-user-token","stripe-secret-key","jwt-token-with-secret-context","ssh-private-key-block","openai-api-key","anthropic-api-key"],
           "compensating_controls": [
             "session-revocation",
             "cloudtrail-or-audit-log-review-for-misuse-window"
@@ -767,6 +768,7 @@
             "file_owner_is_current_user OR has_sudo == true"
           ],
           "priority": 2,
+          "for_signals": ["world-writable-env-file","ssh-key-bad-perms"],
           "compensating_controls": [
             "perm-change-recorded"
           ],

package/data/playbooks/supply-chain-recovery.json

@@ -908,6 +908,7 @@
             "rotation_runbook_documented == true OR ad_hoc_rotation_acceptable_within_4h == true"
           ],
           "priority": 1,
+          "for_signals": ["credential-store-touched-during-window","long-lived-token-in-compromised-ci-log","outbound-exfil-during-window"],
           "compensating_controls": [
             "rotation_recorded_in_secret_store_audit_log",
             "synthetic_test_validates_new_credential",
@@ -923,6 +924,7 @@
             "host_isolation_authority == true"
           ],
           "priority": 1,
+          "for_signals": ["compromised-install-on-host"],
           "compensating_controls": [
             "host_isolation_during_audit",
             "fresh_workstation_provisioning_for_affected_developers"
@@ -937,6 +939,7 @@
             "operator_can_re_authenticate_ai_assistant == true"
           ],
           "priority": 1,
+          "for_signals": ["ai-assistant-config-mutated"],
           "compensating_controls": [
             "ai_assistant_baseline_attestation",
             "weekly_ai_assistant_config_drift_scan"
@@ -951,6 +954,7 @@
             "operator_can_file_advisories == true"
           ],
           "priority": 2,
+          "for_signals": ["operator-published-package-republish"],
           "compensating_controls": [
             "advisory_filed_within_24h",
             "yank_or_deprecate_within_4h",
@@ -966,6 +970,7 @@
             "slsa_l3_pipeline_operational == true"
           ],
           "priority": 3,
+          "for_signals": ["no-provenance-revocation-filed"],
           "compensating_controls": [
             "provenance_revocation_filed",
             "clean_release_provenance_attested"
@@ -979,6 +984,7 @@
             "ir_plan_ownership_attested == true"
           ],
           "priority": 4,
+          "for_signals": ["ir-plan-missing-supply-chain-recovery"],
           "compensating_controls": [
             "ir_team_training_recorded",
             "feed_ingestion_attested"

package/data/playbooks/webhook-callback-abuse.json

@@ -653,6 +653,7 @@
             "downstream_consumers_can_be_updated_in_rotation_window == true"
           ],
           "priority": 1,
+          "for_signals": ["leaked-incoming-webhook-url","webhook-secret-shared-across-apps","long-lived-callback-token-in-ci-log"],
           "compensating_controls": [
             "rotation_recorded_in_secret_store_audit_log",
             "synthetic_event_validates_new_secret"
@@ -667,6 +668,7 @@
             "deploy_window_within_72h == true"
           ],
           "priority": 2,
+          "for_signals": ["missing-webhook-signature-validation","missing-webhook-replay-window","missing-state-parameter"],
           "compensating_controls": [
             "behaviour_test_added_to_ci",
             "deploy_recorded_in_change_management"
@@ -681,6 +683,7 @@
             "downstream_app_can_tolerate_temporary_callback_outage == true"
           ],
           "priority": 3,
+          "for_signals": ["wildcard-redirect-uri"],
           "compensating_controls": [
             "redirect_uri_allowlist_recorded_in_secret_store",
             "callback_handler_logs_rejected_origins"

package/lib/playbook-runner.js

@@ -1421,6 +1421,19 @@ function vexFilterFromDoc(doc) {
   return out;
 }
 
+// Cap a summary line at `max` chars on a word boundary, appending an ellipsis
+// so a truncated line is visibly marked rather than cut mid-token. A raw
+// .slice() left blocked-preflight summaries ending mid-word ("...and conne")
+// with no signal that anything was dropped (the full text remains in the JSON
+// envelope's reason/remediation fields).
+function capSummary(s, max = 240) {
+  if (typeof s !== 'string' || s.length <= max) return s;
+  const slice = s.slice(0, max - 1);
+  const lastSpace = slice.lastIndexOf(' ');
+  const base = lastSpace > max - 40 ? slice.slice(0, lastSpace) : slice;
+  return base.replace(/[\s—.,;:-]+$/, '') + '…';
+}
+
 // --- phase 6: validate ---
 
 function validate(playbookId, directiveId, analyzeResult, agentSignals = {}, runOpts = {}) {
@@ -1433,8 +1446,16 @@ function validate(playbookId, directiveId, analyzeResult, agentSignals = {}, run
   // Pick the highest-priority remediation_path whose preconditions are all
   // either satisfied by agentSignals or marked unverified=allow.
   const paths = (v.remediation_paths || []).slice().sort((a, b) => a.priority - b.priority);
-  let selected = null;
+  // Indicators that actually fired this run — used to prefer a remediation
+  // that addresses the finding (via its for_signals linkage) over the bare
+  // priority-1 default when no path's preconditions are verified.
+  const firedSignalIds = new Set(
+    (analyzeResult._detect_indicators || []).filter(i => i.verdict === 'hit').map(i => i.id)
+  );
+  const addressesFired = (p) =>
+    Array.isArray(p.for_signals) && p.for_signals.some(s => firedSignalIds.has(s));
   const considered = [];
+  const satisfiedIds = new Set();
   for (const p of paths) {
     const pcResult = (p.preconditions || []).map(expr => ({
       expr,
@@ -1442,12 +1463,24 @@ function validate(playbookId, directiveId, analyzeResult, agentSignals = {}, run
       submitted: agentSignals[expressionKey(expr)] !== undefined
     }));
     const allSatisfied = pcResult.every(x => x.satisfied);
-    considered.push({ id: p.id, priority: p.priority, all_satisfied: allSatisfied, preconditions: pcResult });
-    if (allSatisfied && !selected) selected = p;
-  }
-  // Always at least propose the highest-priority path even if preconditions
-  // weren't verified — the agent can surface that to the operator.
-  if (!selected && paths.length) selected = paths[0];
+    if (allSatisfied) satisfiedIds.add(p.id);
+    considered.push({ id: p.id, priority: p.priority, all_satisfied: allSatisfied, addresses_fired_signal: addressesFired(p), preconditions: pcResult });
+  }
+  // Precedence (paths is priority-sorted, so `find` returns the highest-priority
+  // match). Relevance to a fired indicator outranks a satisfied-but-unrelated
+  // path: recommending a ready-to-apply remediation that does NOT address the
+  // finding (just because its preconditions happen to hold) was the original
+  // defect — for_signals must beat it.
+  //   1. addresses a fired indicator AND preconditions satisfied (relevant + ready)
+  //   2. addresses a fired indicator (relevant; operator must meet its preconditions)
+  //   3. preconditions satisfied (no fired-signal-linked path — actionable fallback)
+  //   4. priority-1 (nothing else — at least propose the top path)
+  const selected =
+    paths.find(p => addressesFired(p) && satisfiedIds.has(p.id))
+    || paths.find(addressesFired)
+    || paths.find(p => satisfiedIds.has(p.id))
+    || paths[0]
+    || null;
 
   // selected_remediation selection logic:
   //   1. Iterate remediation_paths sorted by priority ASC (lower number =
@@ -1546,11 +1579,14 @@ function computeRegressionNextRun(triggers) {
     const parsed = parseInterval(t.interval, now);
     if (!parsed) continue;
     if (parsed.event) {
-      eventTriggers.push({ interval: t.interval, trigger: t.trigger || t.event || null });
+      // Shipped playbooks key the trigger string as `condition`; `trigger` /
+      // `event` are accepted for external/fixture submissions. Reading only
+      // the latter two left regression_event_triggers[].trigger always null.
+      eventTriggers.push({ interval: t.interval, trigger: t.trigger || t.event || t.condition || null });
       continue;
     }
     if (parsed.unparseable) {
-      unparseable.push({ interval: parsed.unparseable, trigger: t.trigger || null });
+      unparseable.push({ interval: parsed.unparseable, trigger: t.trigger || t.event || t.condition || null });
       continue;
     }
     if (parsed.date && (!soonest || parsed.date < soonest)) soonest = parsed.date;
@@ -3271,7 +3307,7 @@ function run(playbookId, directiveId, agentSubmission = {}, runOpts = {}) {
     // playbooks_run[] by array index. `verdict:"blocked"` +
     // `summary_line` keep the flat result-envelope shape consistent
     // across both branches.
-    const summaryLine = `${playbookId}: blocked at preflight (${pre.blocked_by || 'unknown'}) — ${pre.reason || ''}`.slice(0, 240);
+    const summaryLine = capSummary(`${playbookId}: blocked at preflight (${pre.blocked_by || 'unknown'}) — ${pre.reason || ''}`);
     return {
       ok: false,
       playbook_id: playbookId,
@@ -3487,14 +3523,23 @@ function run(playbookId, directiveId, agentSubmission = {}, runOpts = {}) {
         && phases.detect.classification !== 'not_detected'
         && phases.detect.classification !== 'inconclusive'
         && phases.detect.classification !== 'pending') {
-      // Only on a real detection verdict: surface the dominant FIRED
-      // indicator's id (the signal that drove the verdict). Gating on the
-      // verdict keeps a stray hit on an inconclusive/not-detected run from
-      // advertising a finding. Prefer a deterministic or high-confidence hit;
-      // fall back to the first hit.
+      // Only on a real detection verdict: surface the FIRED indicator that
+      // best explains the result. Gating on the verdict keeps a stray hit on
+      // an inconclusive/not-detected run from advertising a finding. Prefer the
+      // indicator that actually drove the RWEP score — the greatest
+      // weight_applied among fired, weight-bearing rwep_inputs — so the
+      // headline names the finding that produced the number shown beside it.
+      // Fall back to the dominant fired indicator (deterministic/high
+      // confidence), then the first hit, when no weighted signal fired.
+      const breakdown = (phases.analyze.rwep && Array.isArray(phases.analyze.rwep.breakdown))
+        ? phases.analyze.rwep.breakdown : [];
+      const driver = breakdown
+        .filter((b) => b.fired && typeof b.weight_applied === 'number' && b.weight_applied > 0)
+        .sort((a, b) => b.weight_applied - a.weight_applied)[0];
       const hits = phases.detect.indicators.filter((i) => i.verdict === 'hit');
       const dominant = hits.find((i) => i.deterministic === true || i.confidence === 'high') || hits[0];
-      if (dominant && dominant.id) topFinding = dominant.id;
+      if (driver && driver.signal_id) topFinding = driver.signal_id;
+      else if (dominant && dominant.id) topFinding = dominant.id;
     }
     // Evidence completeness: indicators-evaluated vs indicators-known
     // distinguishes "ran fully and found nothing" from "couldn't
@@ -3534,6 +3579,13 @@ function run(playbookId, directiveId, agentSubmission = {}, runOpts = {}) {
       evidence_hash: evidenceHash,
       submission_digest: submissionDigest,
       preflight_issues: pre.issues,
+      // Non-fatal collector notices (e.g. a file skipped for exceeding the
+      // scan size limit) surfaced from the submission so a `collect | run`
+      // consumer can see what the collector could not scan. Advisory only:
+      // never affects verdict, rwep, or evidence_completeness.
+      ...(Array.isArray(agentSubmission.collector_errors) && agentSubmission.collector_errors.length
+        ? { collector_warnings: agentSubmission.collector_errors }
+        : {}),
       // Source provenance for precondition_checks. Shape:
       //   { '<pc-id>': 'submission' | 'runOpts' | 'merged', ... }
       precondition_check_source: pcSource,

package/lib/schemas/playbook.schema.json

@@ -521,6 +521,11 @@
                     "examples": [["live_patch_available == true"], ["reboot_window_within_4h == true"], ["compensating_control_deployed == true"]]
                   },
                   "priority": { "type": "integer", "minimum": 1, "description": "Lower number is preferred. 1 is the recommended path when its preconditions hold." },
+                  "for_signals": {
+                    "type": "array",
+                    "items": { "type": "string" },
+                    "description": "Optional. detect.indicators ids this remediation addresses. When no path's preconditions are satisfied, selected_remediation prefers the highest-priority path whose for_signals includes a fired indicator, so the recommendation matches the finding instead of always defaulting to priority-1. Omit (or leave empty) for generic/fallback paths."
+                  },
                   "compensating_controls": { "type": "array", "items": { "type": "string" } },
                   "estimated_time_hours": { "type": "number" }
                 }

package/lib/validate-playbooks.js

@@ -419,6 +419,24 @@ function checkCrossRefs(playbook, ctx, playbookIds) {
     }
   }
 
+  // validate.remediation_paths[].for_signals[] must reference real indicator
+  // ids. A dangling ref silently never matches, so selected_remediation falls
+  // back to priority-1 without surfacing the intended finding-specific link —
+  // exactly the kind of "looks wired, does nothing" drift this gate exists to
+  // catch. Warning severity (promoted to a hard error under --strict, matching
+  // the false_positive_profile precedent above).
+  const validatePhase = phases.validate || {};
+  for (const [i, rp] of (validatePhase.remediation_paths || []).entries()) {
+    if (!rp || typeof rp !== 'object' || !Array.isArray(rp.for_signals)) continue;
+    for (const sig of rp.for_signals) {
+      if (!indIds.has(sig)) {
+        warn(
+          `phases.validate.remediation_paths[${i}] (${rp.id || 'unknown'}).for_signals: unresolved "${sig}" — no matching phases.detect.indicators[].id`,
+        );
+      }
+    }
+  }
+
   // rwep_threshold ordering. Hard error — a misordered threshold actively
   // breaks the scoring path.
   const rwep = direct.rwep_threshold || {};