@blamejs/exceptd-skills 0.16.9 → 0.16.10

package/CHANGELOG.md

@@ -1,5 +1,9 @@
 # Changelog
 
+## 0.16.10 — 2026-06-02
+
+RWEP scoring no longer emits a spurious validation warning when a CVE carries the `theoretical` active-exploitation status — a value the catalog vocabulary and the scorer already accept and score. The guided curation questionnaire now prompts for `ai_assisted_weaponization`, a required field it previously skipped, so a curated entry cannot silently omit it. The `prefetch` verb no longer double-counts a global flag, and `lint --strict` is now documented in its own `--help`.
+
 ## 0.16.9 — 2026-06-01
 
 The catalog now covers a set of real, vendor-patched protocol-layer flaws it previously did not name, so scans, triage, and reports surface them with RWEP scoring and behavioral indicators:

package/data/_indexes/_meta.json

@@ -1,10 +1,10 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-06-02T05:46:26.678Z",
+  "generated_at": "2026-06-02T13:27:49.467Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 54,
   "source_hashes": {
-    "manifest.json": "3dab3ebc6c86b2318f956da3e343ad7b470f05dd30e2afbee5a8e3b3a845a926",
+    "manifest.json": "b2f7ad163ce22cedc2a990633761b25d3f436012c20dc162739959f92220161f",
     "data/atlas-ttps.json": "f66b456cf82a3c20575d8479de41f7b11b7ee5693eb1fcf64a67e162ae1b88a2",
     "data/attack-techniques.json": "c39f28e3402ef13ad9b7076819f63fda67a22f97e3e375cfe01c4a4e0beff7c9",
     "data/cve-catalog.json": "8264da4534d39c9493cfcd18acf7e38ed47ce2a81be15afd5a3f4baf1d504929",

package/lib/cve-curation.js

@@ -177,7 +177,7 @@ function severityWord(score) {
 // (b) compute `residual_warnings` after an apply.
 const REQUIRED_SCHEMA_FIELDS = [
   "name", "type", "cvss_score", "cvss_vector", "cisa_kev",
-  "poc_available", "ai_discovered", "active_exploitation",
+  "poc_available", "ai_discovered", "ai_assisted_weaponization", "active_exploitation",
   "affected", "affected_versions", "vector",
   "patch_available", "patch_required_reboot", "live_patch_available",
   "framework_control_gaps", "atlas_refs", "attack_refs",
@@ -285,13 +285,11 @@ function buildQuestionnaire(cveId, draft) {
   // object via loadJsonRaw's ENOENT handling, so the ATT&CK candidate
   // questionnaire branch always returned zero proposals.
   const attack = loadJson("data/attack-techniques.json");
-  const cwe = loadJson("data/cwe-catalog.json");
   const frameworkGaps = loadJson("data/framework-control-gaps.json");
 
   const atlasCandidates = pickCandidates(draftDigest, atlas, "ttp_id", "description");
   const attackCandidates = pickCandidates(draftDigest, attack, "ttp_id", "description");
   // CWE candidates surface as part of the vector question — not its own field.
-  void cwe;
   const frameworkCandidates = pickCandidates(draftDigest, frameworkGaps, "control_id", "description");
 
   // Build the editorial-questions list. Each entry names the catalog field,
@@ -479,7 +477,7 @@ function buildQuestionnaire(cveId, draft) {
  *     poc_description: "...",
  *     ai_discovered: false,
  *     ai_assisted_weaponization: false,
- *     active_exploitation: "confirmed" | "suspected" | "none" | "unknown",
+ *     active_exploitation: "confirmed" | "suspected" | "theoretical" | "none" | "unknown",
  *     vector: "...",
  *     complexity: "...",
  *     patch_available: true,

package/lib/flag-suggest.js

@@ -115,7 +115,7 @@ const VERB_FLAG_ALLOWLIST = Object.freeze({
     'apply', 'dry-run', 'from-cache', 'from-fixture', 'network', 'source',
     'advisory', 'check-advisories', 'force-stale', 'force-stale-acked', 'air-gap', 'swarm',
   ],
-  prefetch: ['source', 'cache-dir', 'max-age', 'force', 'no-network', 'quiet'],
+  prefetch: ['source', 'cache-dir', 'max-age', 'force', 'no-network'],
 });
 
 /**

package/lib/lint-skills.js

@@ -150,6 +150,7 @@ function printHelp() {
     'Usage: node lib/lint-skills.js [--skill <name>] [--quiet]\n' +
       '\n' +
       '  --skill <name>  Lint only the named skill from manifest.json.\n' +
+      '  --strict        Promote warnings to release-blocking failures.\n' +
       '  --quiet         Suppress per-skill PASS output; show failures only.\n' +
       '  --help          Show this message.\n',
   );

package/lib/playbook-runner.js

@@ -1104,7 +1104,7 @@ function analyze(playbookId, directiveId, detectResult, agentSignals = {}, runOp
   // Aliasing: playbooks ship rwep_factor values `public_poc` and
   // `ai_weaponization` for what F5 calls `poc_available` and `ai_factor`.
   // Both spellings resolve here.
-  const _activeExploitationLadder = { confirmed: 1.0, suspected: 0.5, unknown: 0.25, none: 0 };
+  const _activeExploitationLadder = { confirmed: 1.0, suspected: 0.5, unknown: 0.25, theoretical: 0, none: 0 };
   const _factorScale = (factorName, cve, blastScore) => {
     if (!cve) return 0;
     switch (factorName) {
@@ -2595,7 +2595,7 @@ function buildEvidenceBundle(format, playbook, analyze, validate, agentSignals,
     // CSAF 2.0 consumers, while preserving the operator's exact label in the
     // free-form `text` field. (CLEAR≡WHITE; AMBER+STRICT carries AMBER's
     // disclosure scope plus a stricter handling note.)
-    const CSAF_TLP_LABEL = { CLEAR: 'WHITE', 'AMBER+STRICT': 'AMBER', GREEN: 'GREEN', AMBER: 'AMBER', RED: 'RED' };
+    const CSAF_TLP_LABEL = { CLEAR: 'WHITE', GREEN: 'GREEN', AMBER: 'AMBER', 'AMBER+STRICT': 'AMBER', RED: 'RED' };
     const csafDistribution = (runOpts.tlp && allowedTlp.has(runOpts.tlp))
       ? { tlp: { label: CSAF_TLP_LABEL[runOpts.tlp] }, text: `TLP:${runOpts.tlp}` }
       : null;

package/lib/scoring.js

@@ -108,7 +108,7 @@ function score(cveId, catalog) {
  *   - cisa_kev, poc_available, ai_assisted_weapon, ai_discovered,
  *     patch_available, live_patch_available, reboot_required: boolean
  *     (or null, treated as false with a missing-field warning).
- *   - active_exploitation: 'none' | 'unknown' | 'suspected' | 'confirmed'.
+ *   - active_exploitation: 'none' | 'unknown' | 'suspected' | 'theoretical' | 'confirmed'.
  *   - blast_radius: integer in [0, 30] (clamped at the weight ceiling but
  *     flagged when out-of-range — out-of-range usually means a unit error).
  */
@@ -126,7 +126,7 @@ function validateFactors(factors) {
       warnings.push(`${f}: expected boolean, got ${typeof factors[f]} (${JSON.stringify(factors[f])})`);
     }
   }
-  const aeAllowed = ['none', 'unknown', 'suspected', 'confirmed'];
+  const aeAllowed = ['none', 'unknown', 'suspected', 'theoretical', 'confirmed'];
   if (factors.active_exploitation === undefined || factors.active_exploitation === null) {
     warnings.push("active_exploitation: missing (treated as 'none')");
   } else if (!aeAllowed.includes(factors.active_exploitation)) {
@@ -261,7 +261,7 @@ function deriveRwepFromFactors(factors) {
   if (!factors || typeof factors !== 'object') return 0;
   const values = Object.values(factors);
   if (values.length === 0) return 0;
-  const aeAllowed = new Set(['none', 'unknown', 'suspected', 'confirmed']);
+  const aeAllowed = new Set(['none', 'unknown', 'suspected', 'theoretical', 'confirmed']);
   const hasBooleanOrLadder = values.some(
     (v) => typeof v === 'boolean' || (typeof v === 'string' && aeAllowed.has(v)),
   );

package/lib/validate-playbooks.js

@@ -554,7 +554,6 @@ function checkCrossRefs(playbook, ctx, playbookIds) {
  * `informational: false`.
  */
 function checkMutexReciprocity(playbooks) {
-  const findings = [];
   const mutexMap = new Map();
   for (const pb of playbooks) {
     if (!pb.data || !pb.data._meta || !pb.data._meta.id) continue;
@@ -574,7 +573,6 @@ function checkMutexReciprocity(playbooks) {
       }
     }
   }
-  findings.push(byPlaybook);
   return byPlaybook;
 }
 

package/manifest.json

@@ -1,6 +1,6 @@
 {
   "name": "exceptd-security",
-  "version": "0.16.9",
+  "version": "0.16.10",
   "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation",
   "homepage": "https://exceptd.com",
   "license": "Apache-2.0",
@@ -53,7 +53,7 @@
       ],
       "last_threat_review": "2026-05-15",
       "signature": "0H+JfyUVmo/pVFEi5rLENATHjlukPVUqnOWmNPEH77wm8svKGK0aNJ46k6QU5GdHb8c9X9pVJKiuhON6AxDjDw==",
-      "signed_at": "2026-06-02T05:38:21.342Z",
+      "signed_at": "2026-06-02T13:19:53.107Z",
       "cwe_refs": [
         "CWE-125",
         "CWE-362",
@@ -123,7 +123,7 @@
       ],
       "last_threat_review": "2026-05-17",
       "signature": "PHwHEsoy7ctBYOtlAfAdCDVfsq2Bpk9+qESSF+5dVkDcez2zp2v9Ihsv2vqMEs3QxMndyQ+t7NVezyt5VamSCg==",
-      "signed_at": "2026-06-02T05:38:21.345Z",
+      "signed_at": "2026-06-02T13:19:53.109Z",
       "cwe_refs": [
         "CWE-1039",
         "CWE-1426",
@@ -196,7 +196,7 @@
       ],
       "last_threat_review": "2026-05-17",
       "signature": "dD4p7lcRtMyfITOncqLkpOeMy6x6gM0V7UlWHgLEdcxqODb1s75ar1cBtTqDWPbMv6ZAzVo2HJLDK1hVjjU2AQ==",
-      "signed_at": "2026-06-02T05:38:21.345Z",
+      "signed_at": "2026-06-02T13:19:53.109Z",
       "cwe_refs": [
         "CWE-22",
         "CWE-345",
@@ -248,7 +248,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-22",
       "signature": "wsw8Mlr/gyw6S7Iaao9BVHdU5LFPWl8WVymW17Lkq9J1Mui0+fCrTg6UbrsaeE3s7EW3TVgzBuK+8EFd1+H5AA==",
-      "signed_at": "2026-06-02T05:38:21.346Z"
+      "signed_at": "2026-06-02T13:19:53.109Z"
     },
     {
       "name": "compliance-theater",
@@ -279,7 +279,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "uVTc1QRKOKcIVDajBz+q2egjiEAyOQaDNsvVI2ghj5FD0VvquoUBBE5Naca2FkaZa790EHWCsVZ4hhdaSQs2DQ==",
-      "signed_at": "2026-06-02T05:38:21.347Z"
+      "signed_at": "2026-06-02T13:19:53.110Z"
     },
     {
       "name": "exploit-scoring",
@@ -308,7 +308,7 @@
       ],
       "last_threat_review": "2026-05-18",
       "signature": "QuNpwnZ6HkCEAXTPC/jLbXSmMIc1JnBczqZAAIZmZj8OcEMVnw9mJYAnU3CxaEI7rvbcMkN2uS5E8yUCm/NiAg==",
-      "signed_at": "2026-06-02T05:38:21.347Z"
+      "signed_at": "2026-06-02T13:19:53.110Z"
     },
     {
       "name": "rag-pipeline-security",
@@ -345,7 +345,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "5rw2i39SxY2WphBbDLEP28wufnbPPE9+PWt54hmaGdwHXr9RLiVt5liL/5xp14sehlVgFsfpR/bg9vy//xV0DA==",
-      "signed_at": "2026-06-02T05:38:21.347Z",
+      "signed_at": "2026-06-02T13:19:53.111Z",
       "cwe_refs": [
         "CWE-1395",
         "CWE-1426"
@@ -405,7 +405,7 @@
       ],
       "last_threat_review": "2026-05-17",
       "signature": "Vqu49nzntFWjn9A/QeJzm7q/2xk/cZJ6HFQKtiNi1zgcxzXKm+MlFdkaLgYHWj5/9HJohxyIDyBJQTvcJ20eDQ==",
-      "signed_at": "2026-06-02T05:38:21.348Z",
+      "signed_at": "2026-06-02T13:19:53.111Z",
       "d3fend_refs": [
         "D3-CA",
         "D3-CSPP",
@@ -440,7 +440,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-22",
       "signature": "W87VdyVdAxAdcRI6P/8StaV+MS8ZSPKM9HOCK9n/bBO6BM3ZSE3uImVoyJVpAXQlUpUGN+A3lCJZXv64LuxwDg==",
-      "signed_at": "2026-06-02T05:38:21.348Z",
+      "signed_at": "2026-06-02T13:19:53.112Z",
       "cwe_refs": [
         "CWE-1188"
       ],
@@ -474,7 +474,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-18",
       "signature": "wdVX+edeNekpaIldqkhvtraV6DquLvIsKAjuZVwPQYn3l1vS99HXuFxmNsD7UeMlO3qgC6Dysfsto9EnuH0RBg==",
-      "signed_at": "2026-06-02T05:38:21.348Z",
+      "signed_at": "2026-06-02T13:19:53.112Z",
       "forward_watch": [
         "New AI attack classes as ATLAS v6 publishes",
         "Post-quantum adversary capability timeline",
@@ -513,7 +513,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "b5miTiY0cnxETd2btxorfZBdJKt/fLnQx20sGYUb9zEqGqtm0LMLpghkW68j4/9k48KNyuGMtNWiKTSnodUGBw==",
-      "signed_at": "2026-06-02T05:38:21.349Z"
+      "signed_at": "2026-06-02T13:19:53.112Z"
     },
     {
       "name": "zeroday-gap-learn",
@@ -540,7 +540,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-18",
       "signature": "xbkip0AQtWQKAu+O6r/gYECNjezS6O9k9xkkJsYbMlr+j8CdqH3p5/0l+GZmDidImRC/DL07GCnKrk9HRR/yDQ==",
-      "signed_at": "2026-06-02T05:38:21.349Z",
+      "signed_at": "2026-06-02T13:19:53.113Z",
       "forward_watch": [
         "New CISA KEV entries",
         "New ATLAS TTP additions in each ATLAS release",
@@ -604,7 +604,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "li2NnC1oeVIr22ComP5QbcQoh5xpWITuaKpza1s2SsUkH6kGnnt4wFfFAzaC1ORmH9x2cr8hN8kaNANG/eIMBQ==",
-      "signed_at": "2026-06-02T05:38:21.350Z",
+      "signed_at": "2026-06-02T13:19:53.113Z",
       "cwe_refs": [
         "CWE-327"
       ],
@@ -652,7 +652,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "sZHlJ7ueHPdtzVbR+yXQ5+wKgNyjWsa1LKVg9aWTmg/Onl71DvEILMyJiLpPQjseT56Mnr1DMYJE8xOGlffBAw==",
-      "signed_at": "2026-06-02T05:38:21.350Z"
+      "signed_at": "2026-06-02T13:19:53.113Z"
     },
     {
       "name": "security-maturity-tiers",
@@ -689,7 +689,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "3AwFnEJu6DukPPNep/3SnuPWEuV060fJEQIwThFm7ujmdbFk0/Ii0XwGv1dkvbbK7ymMdOQpp35l4aLONAucDA==",
-      "signed_at": "2026-06-02T05:38:21.350Z",
+      "signed_at": "2026-06-02T13:19:53.114Z",
       "cwe_refs": [
         "CWE-1188"
       ]
@@ -724,7 +724,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-11",
       "signature": "iJWevUBurLvt2v8X+Ch2eHmZkPWpKeAtIpxTIP4MwbUHyco3igDeBywJCyaR2vURYRx8LkzzIMM8DxQM4LAXBQ==",
-      "signed_at": "2026-06-02T05:38:21.351Z"
+      "signed_at": "2026-06-02T13:19:53.114Z"
     },
     {
       "name": "attack-surface-pentest",
@@ -796,7 +796,7 @@
         "Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — Microsoft Edge 4-bug sandbox escape by Orange Tsai (DEVCORE); forward-watch only (browser sandbox, out of current playbook scope); track Microsoft Edge security advisory and KEV add"
       ],
       "signature": "DDMzI+4En4aIkwBUCGW6nj1eEkCyLqHGn2LJ2rnwWfYatjPI1U5HrTZNAN/n9JqWtAzk8F3rmsKehaaz5iNWDA==",
-      "signed_at": "2026-06-02T05:38:21.351Z"
+      "signed_at": "2026-06-02T13:19:53.114Z"
     },
     {
       "name": "fuzz-testing-strategy",
@@ -856,7 +856,7 @@
         "OSS-Fuzz-Gen / AI-assisted harness generation becoming the default expectation for OSS maintainers"
       ],
       "signature": "dJB0iAstIUbyny+udl3OIkaLScEmqS97LNP73yQ8mxt+0bcqxZjpfXaWLzLuIQblGYvUvz75/H6rO2EJuGd4AQ==",
-      "signed_at": "2026-06-02T05:38:21.351Z"
+      "signed_at": "2026-06-02T13:19:53.115Z"
     },
     {
       "name": "dlp-gap-analysis",
@@ -931,7 +931,7 @@
         "Quebec Law 25, India DPDPA, KSA PDPL enforcement actions naming AI-tool prompt data as in-scope personal information"
       ],
       "signature": "KEAoMji3VcPX/ZXXqVe6OStxSkTssfY9fIRPyPcDYqh50GzOFQ6koNOTBVAiWOvjDjQ38g12xun5srbqgmvRAw==",
-      "signed_at": "2026-06-02T05:38:21.352Z"
+      "signed_at": "2026-06-02T13:19:53.115Z"
     },
     {
       "name": "supply-chain-integrity",
@@ -1010,7 +1010,7 @@
         "Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — NVIDIA Megatron Bridge path traversal by haehae; AI training-stack file-system trust boundary; track patch and SBOM-attestation impact"
       ],
       "signature": "zuW8T0EMbVV83GsUP/W20Use2gBTicBW021T0sY7qsRY/U5qsPWkXYIWp3SdiKLTIKqTEd/0T7LQebjIs2QKCA==",
-      "signed_at": "2026-06-02T05:38:21.352Z"
+      "signed_at": "2026-06-02T13:19:53.115Z"
     },
     {
       "name": "defensive-countermeasure-mapping",
@@ -1067,7 +1067,7 @@
       ],
       "last_threat_review": "2026-05-11",
       "signature": "Qe0Hg9BrX3Zm5pj0n2z/oiHbAXWdA2Dq461zc4izkkUjEX2CZ02rODjCI2ELbrVOU3GC7edxqAxA+5U/ObnHDQ==",
-      "signed_at": "2026-06-02T05:38:21.352Z"
+      "signed_at": "2026-06-02T13:19:53.116Z"
     },
     {
       "name": "identity-assurance",
@@ -1134,7 +1134,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "UV3458QXSkEpenzrOmdlTTfPHUD4hNyKMDHoeZDq/kiFb4mAG0ghQGTTgI9Ru8cJbSmYM1++m9N5TFIJ6JJPBg==",
-      "signed_at": "2026-06-02T05:38:21.353Z"
+      "signed_at": "2026-06-02T13:19:53.116Z"
     },
     {
       "name": "ot-ics-security",
@@ -1190,7 +1190,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "kIVzsPsJ72PzzWQwTuvjoHHoVEDCday5I52M9ohjB3/Ak+zlA8oyWLO/BKb/XuYY4fOApjfxTErSWv5uHQ2zDw==",
-      "signed_at": "2026-06-02T05:38:21.353Z"
+      "signed_at": "2026-06-02T13:19:53.116Z"
     },
     {
       "name": "coordinated-vuln-disclosure",
@@ -1242,7 +1242,7 @@
         "NYDFS 23 NYCRR 500 amendments potentially adding explicit CVD program requirements"
       ],
       "signature": "bWr27Q1uN9xCe1ib4QulszBa7YIDNkGqo72k5nm2cK98LyPblicD+sO9MnGckAyB22BTN/cIB+FwFMcI5IxvBw==",
-      "signed_at": "2026-06-02T05:38:21.353Z"
+      "signed_at": "2026-06-02T13:19:53.117Z"
     },
     {
       "name": "threat-modeling-methodology",
@@ -1292,7 +1292,7 @@
         "PASTA v2 updates incorporating AI/ML application threats"
       ],
       "signature": "Q854yzLqXdOazc6EyQbZzgAlivuq2vGFDVUCrxSldSvx/HX/ZM/uzmJyP7aBG7ZsMHxj6Lmj/H82YQoo1e+NCQ==",
-      "signed_at": "2026-06-02T05:38:21.354Z"
+      "signed_at": "2026-06-02T13:19:53.117Z"
     },
     {
       "name": "webapp-security",
@@ -1366,7 +1366,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "4ccahkJpGJZtwD7EBpnGcN0sEGPMEw8eqV+tvePVS04YAkLgYVWtlkasI/8n0be9xB+77x+Sjj3kIi2j2Lf9CA==",
-      "signed_at": "2026-06-02T05:38:21.354Z",
+      "signed_at": "2026-06-02T13:19:53.117Z",
       "forward_watch": [
         "NGINX Rift CVE-2026-42945 (disclosed 2026-05-13, source depthfirst) — KEV-watch predicted CISA KEV listing by 2026-05-29; AI-assisted discovery angle; track for active-exploitation confirmation and patch advisory affecting front-door web app deployments"
       ]
@@ -1419,7 +1419,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-15",
       "signature": "SBB7c3wNYfIdkyOp4g4nW0WP7xS+YokMzg32aaeJdbf14LTGQRzQUvSqb2TCj2HFUSHESOyKT1JpkAfyHLSQBQ==",
-      "signed_at": "2026-06-02T05:38:21.355Z"
+      "signed_at": "2026-06-02T13:19:53.118Z"
     },
     {
       "name": "sector-healthcare",
@@ -1479,7 +1479,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "U04GNLyRas1VmfEsB8khH4iqFZPwx96sPY0Kw9iVsSPU+KTeEFqwgtWK1X1pzgb+T16Pc7HSrCaXDOpTFvQEDw==",
-      "signed_at": "2026-06-02T05:38:21.355Z"
+      "signed_at": "2026-06-02T13:19:53.118Z"
     },
     {
       "name": "sector-financial",
@@ -1560,7 +1560,7 @@
         "TIBER-EU framework v2.0 alignment with DORA TLPT RTS (JC 2024/40); cross-recognition with CBEST and iCAST"
       ],
       "signature": "xbylLqNPBuEsFE/MNVeGy/01K6yiJXMxQbzC1F4RWU5aseDGbNy5HrAv2JWI2+Aft05ozreNPjccvu66yJ5EBw==",
-      "signed_at": "2026-06-02T05:38:21.355Z"
+      "signed_at": "2026-06-02T13:19:53.119Z"
     },
     {
       "name": "sector-federal-government",
@@ -1629,7 +1629,7 @@
         "Australia PSPF 2024 revision and ISM quarterly updates — track for Essential Eight Maturity Level requirements for federal entities"
       ],
       "signature": "C9c3JuBhUbwcb7uZpDdy+PNT8sYmYIxzD4uRHu421ePW1aSFJ8fkMvuTzSO8vD/F/jOOg5opM4kov/xSAn+qCg==",
-      "signed_at": "2026-06-02T05:38:21.356Z"
+      "signed_at": "2026-06-02T13:19:53.119Z"
     },
     {
       "name": "sector-energy",
@@ -1694,7 +1694,7 @@
         "ICS-CERT advisory feed (https://www.cisa.gov/news-events/cybersecurity-advisories/ics-advisories) for vendor CVEs in Siemens, Rockwell, Schneider Electric, ABB, GE Vernova, Hitachi Energy, AVEVA / OSIsoft PI"
       ],
       "signature": "oz8Q5WVaY8au4IjbaZahx/DSaC00Q44ylSL3mDkTerCEpW/EyPUeiLeGxSrWxBCwVFEKSSJvnhJjhvX5lDPcCg==",
-      "signed_at": "2026-06-02T05:38:21.356Z"
+      "signed_at": "2026-06-02T13:19:53.120Z"
     },
     {
       "name": "sector-telecom",
@@ -1780,7 +1780,7 @@
         "O-RAN SFG / WG11 security specifications"
       ],
       "signature": "NAtyzfLPXlUuB78Snb9nWmbZalC1CNlIYN9rYhdEmtB/xQGC6vVnThgrEAHlm7v/jMCFuknvEpUHKdscUnUADw==",
-      "signed_at": "2026-06-02T05:38:21.357Z"
+      "signed_at": "2026-06-02T13:19:53.120Z"
     },
     {
       "name": "api-security",
@@ -1849,7 +1849,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-18",
       "signature": "1UTjZNC5Lyrgw93LAizdXVeSmv3jS8YQNT1db5OKsldub50+o1FXmAH4+3MxZozaOGDCX3yXbdDJSJaaSmfuAA==",
-      "signed_at": "2026-06-02T05:38:21.357Z",
+      "signed_at": "2026-06-02T13:19:53.120Z",
       "forward_watch": [
         "NGINX Rift CVE-2026-42945 (disclosed 2026-05-13, source depthfirst) — KEV-watch predicted CISA KEV listing by 2026-05-29; track for active-exploitation confirmation and patch advisory affecting API gateway / reverse-proxy deployments",
         "Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — LiteLLM 3-bug SSRF + Code Injection chain by k3vg3n; LLM-proxy API surface; track upstream patch and CVE assignments",
@@ -1935,7 +1935,7 @@
         "CISA KEV additions for cloud-control-plane CVEs (IMDSv1 abuses, federation token mishandling, cross-tenant boundary failures); CISA Cybersecurity Advisories for cross-cloud advisories"
       ],
       "signature": "EdsY4xe7YA8X8m+KZUbq49JwoCXgRKEz2eg3m86O37rvBmpm8ppvl9hrsekygvpBh2VmCHL2dEYiOD8OM2n7CA==",
-      "signed_at": "2026-06-02T05:38:21.357Z"
+      "signed_at": "2026-06-02T13:19:53.121Z"
     },
     {
       "name": "container-runtime-security",
@@ -1997,7 +1997,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-15",
       "signature": "fnLKPLkjjRCJ/F9wdmZ1w1lXmqEJvTYkv6Uu+9OTd5vZTWKz3QMuxKOsas+ctCdOvTaeloqPUUprXx+ZZdDpCg==",
-      "signed_at": "2026-06-02T05:38:21.358Z",
+      "signed_at": "2026-06-02T13:19:53.121Z",
       "forward_watch": [
         "Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — NVIDIA Container Toolkit container escape ($50K award) by chompie / IBM X-Force XOR; high-severity container/hypervisor boundary break; track patch and KEV add post-embargo"
       ]
@@ -2071,7 +2071,7 @@
         "MITRE ATLAS v5.6.0 (released May 2026) shipped the AML.T0010 sub-technique expansion this forecast tracked plus new techniques (\"Publish Poisoned AI Agent Tool\", \"Escape to Host\"); inventory now 16 tactics, 84 techniques, 56 sub-techniques. Forward watch: subsequent ATLAS minor and major releases — track next-cadence updates to agentic-AI TTPs and MLOps-pipeline-specific techniques"
       ],
       "signature": "t3dkdpTX04zvjitEeOJThpgjurLd1UO9GOut4LXSZgY3ULhfknI4zT7G5+m2RSZZTo7yyeZrwpg+7vEg9K6mAw==",
-      "signed_at": "2026-06-02T05:38:21.358Z"
+      "signed_at": "2026-06-02T13:19:53.122Z"
     },
     {
       "name": "incident-response-playbook",
@@ -2133,7 +2133,7 @@
         "NYDFS 23 NYCRR 500.17 amendments tightening ransom-payment 24h disclosure operationalization"
       ],
       "signature": "+1kmtA6rAvIyDjjy+cJHK6BcfylyVsa5cUjRFijlFR9GsQfB93JnmkEJOqML50pdlcxtJI3yUodHpL3/YJGtCA==",
-      "signed_at": "2026-06-02T05:38:21.359Z"
+      "signed_at": "2026-06-02T13:19:53.122Z"
     },
     {
       "name": "ransomware-response",
@@ -2213,7 +2213,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "h48ASCz63aBfHzLKxMVDADMuT4atriK0iE6bJeVzZTsx/e8+hyv4fLP7+zYxT9Oe0Gss3v/Xy+t+Wd9uwzV+Aw==",
-      "signed_at": "2026-06-02T05:38:21.359Z"
+      "signed_at": "2026-06-02T13:19:53.122Z"
     },
     {
       "name": "email-security-anti-phishing",
@@ -2266,7 +2266,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-18",
       "signature": "FVBn4ex2qPIo9SHMVJ6tntoz4tVwjbIq3m6wDjjZyv2JODlS+90GBYCOkNamxxkmw/6de6SMs0YHQiF/xjo/DQ==",
-      "signed_at": "2026-06-02T05:38:21.359Z"
+      "signed_at": "2026-06-02T13:19:53.123Z"
     },
     {
       "name": "age-gates-child-safety",
@@ -2334,7 +2334,7 @@
         "US state adult-site age-verification laws — 19+ states by mid-2026 (TX HB 18 upheld by SCOTUS June 2025 in Free Speech Coalition v. Paxton); track ongoing challenges in remaining states"
       ],
       "signature": "ZHVdGWCcfG98tSVB0b9mwrsYwv71V3uUEl+6ss7omSQhmNvqV5s6MAZM5YladBt9MK/8T/zBrTYN4gAonOP+BQ==",
-      "signed_at": "2026-06-02T05:38:21.360Z"
+      "signed_at": "2026-06-02T13:19:53.123Z"
     },
     {
       "name": "cloud-iam-incident",
@@ -2414,7 +2414,7 @@
       ],
       "last_threat_review": "2026-05-15",
       "signature": "r9ii4nb3HJELdtKCGF5qy9PHOiot3GC24yfxfGAKlLENHkdRvRkvvL99eV/6RXyfUaMyrnc2Te8tPQcNu5bsDg==",
-      "signed_at": "2026-06-02T05:38:21.360Z",
+      "signed_at": "2026-06-02T13:19:53.123Z",
       "forward_watch": [
         "AWS IAM Identity Center session-policy refresh and step-up-on-admin enforcement (anticipated 2026-H2 release)",
         "GCP Workload Identity Federation principal-set attribute mapping tightening (post-2026 Q3 Federation hardening guide)",
@@ -2508,7 +2508,7 @@
       ],
       "last_threat_review": "2026-05-15",
       "signature": "9mfDtMApMAg9V/lmwpniNxo/6gNZoOEoYDfyFvyWvKrPMtc7H9F8uz06FVoARe/J49saAKTVXOurNE1D/KtpCQ==",
-      "signed_at": "2026-06-02T05:38:21.360Z",
+      "signed_at": "2026-06-02T13:19:53.124Z",
       "forward_watch": [
         "Entra ID conditional access evolution post-Midnight Blizzard — Microsoft's 2025-2026 commitments on legacy-tenant MFA enforcement and OAuth-app consent gating",
         "Okta IPSIE (Interoperability Profile for Secure Identity in the Enterprise) OpenID Foundation working-group output and adoption timeline",
@@ -2526,6 +2526,6 @@
   ],
   "manifest_signature": {
     "algorithm": "Ed25519",
-    "signature_base64": "hW45T3BHJnmyURDqY+OF6bc2AnaT/ECyyNZA31VQEKyqg0QsEtTY2Cb1znzf2Bjolx47T0dUptAamW36T0ZDCg=="
+    "signature_base64": "Zt8w2qUTGhNEKc89TDxD35uHvQGwjSzPDCVx1PwUa7i5ur/2bKGXI47z3d8+Wuw3382RTy8yN0d/gYtrionwDA=="
   }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/exceptd-skills",
-  "version": "0.16.9",
+  "version": "0.16.10",
   "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 42 skills, 11 catalogs (427 CVEs / 173 CWEs / 805 ATT&CK + ICS / 170 ATLAS / 468 D3FEND / 8888 RFCs), 35 jurisdictions, 10-class catalog gap detector + budget gate, real XML parser + canonical-form diff + content-pattern regression detection, Ed25519-signed.",
   "keywords": [
     "ai-security",

package/sbom.cdx.json

@@ -1,22 +1,22 @@
 {
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:7cbe47c5-3d4f-4160-a176-1967c9b23f78",
+  "serialNumber": "urn:uuid:8bb2d8cc-10a2-40a8-a3e7-67aba4a5fe06",
   "version": 1,
   "metadata": {
-    "timestamp": "2092-04-26T17:49:57.000Z",
+    "timestamp": "2100-04-09T18:45:32.000Z",
     "tools": [
       {
         "vendor": "blamejs",
         "name": "scripts/refresh-sbom.js",
-        "version": "0.16.9"
+        "version": "0.16.10"
       }
     ],
     "component": {
-      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.16.9",
+      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.16.10",
       "type": "application",
       "name": "@blamejs/exceptd-skills",
-      "version": "0.16.9",
+      "version": "0.16.10",
       "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 42 skills, 11 catalogs (427 CVEs / 173 CWEs / 805 ATT&CK + ICS / 170 ATLAS / 468 D3FEND / 8888 RFCs), 35 jurisdictions, 10-class catalog gap detector + budget gate, real XML parser + canonical-form diff + content-pattern regression detection, Ed25519-signed.",
       "licenses": [
         {
@@ -25,17 +25,17 @@
           }
         }
       ],
-      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.16.9",
+      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.16.10",
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "a878765de519ea80b2e3045ac8934e38b30d87bbc11eb7b3ad1f63bfdf6b9b74"
+          "content": "6645aae260375bdfd45fef3a154848cb7b71634e0cb8a5063beacce54ed78dc6"
         }
       ],
       "externalReferences": [
         {
           "type": "distribution",
-          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.16.9"
+          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.16.10"
         },
         {
           "type": "vcs",
@@ -116,11 +116,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "4e6bb9d2ecea4da80bb73e0d5f3540dbe1d5eb6f7fa4e3671d04080930b55b0e"
+          "content": "00756e446fca3d66af2838dee91d30f591e5f8a179c97683eaebe4b3495a27d6"
         },
         {
           "alg": "SHA3-512",
-          "content": "da628d1b4e0df048c16efdd0fc3c6be5699c1a425bfa03be4fa00d0483850398270d47f991757c77ac1971dc9677d1c37141a372adb3bd0f58f28bc27fed478a"
+          "content": "ebe3f08786809489c762ec4cc294b9f78124013d44ce82e77c2fb501cd49b0c1692c380881829e4e301a2c786fcbf2edf871d480fd006ef3dc72b0f1f3bfe66a"
         }
       ]
     },
@@ -1166,11 +1166,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "3af0fa9ef45578fb8eb63f448c20ef5a6f347fbbee948e812de8e03960ef0efa"
+          "content": "069a323205aa0ee280661b9bd1b85bb4d35ea547f7f5dfdd24ea545d14ef492f"
         },
         {
           "alg": "SHA3-512",
-          "content": "51304eff2510afd251adbf0a16b6ef049d9df7d9e8670a6412443b083fb68559ed63666df8486a1e1c044c00ace4735237d227ab0c4a264fe6edcc1467462e44"
+          "content": "ff9b24c9197e80129933c1f2b89e820ebdbd401ef50b9e255723de04c959f81b0abef396bca24f0e8236b9048ff7fd516219a12f753d8297120d7ebe1af1c9de"
         }
       ]
     },
@@ -1226,11 +1226,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "601eedde3731699669bd3b99f53ea1c06bf50c43f09ce49f68da86339d1eaae3"
+          "content": "eb1a3820bba3203967c6057f12cd594e18f3044d966e1c7c1ba17757d902559f"
         },
         {
           "alg": "SHA3-512",
-          "content": "5e2ec6e21f88650c45a802486027091c95e4f4f9a1b8c43af15eaf2ac3b38fe632e7f9fcafde417705693c58587e17228fcec606459596792b168191fca2401a"
+          "content": "1a0acc79ebea7cb9d80cde43503c14f14342ccffda834752c2f29215aacfba46a9d120e78c544cd389e6023ccaa519b829dc82eb4f4de6ed1d4ca2ce2ee06e97"
         }
       ]
     },
@@ -1301,11 +1301,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "aa2c68cf9479becaaf9583f8a36c257f0d7550a49a8ecb9d1ddcdfede76d21af"
+          "content": "0ce41dee14acf7998866f5adb63502b614b5501acf8f88c37cd277c96b91a87c"
         },
         {
           "alg": "SHA3-512",
-          "content": "1f3c09e2469da54138c896a25807a3ee1ca74813670d0e14b7adb151466fc3e391227a535779379d59c681225747685081f3a38a9a9a64d021c8ac961d2d16d0"
+          "content": "58f6d75ff97f64633937bef489fdfefd6cf331115109cab30b2064cf3aebfaaddde6c973fa71b31bb44f06ecb485751ee9137e11f528a61b329b4699d53a4041"
         }
       ]
     },
@@ -1316,11 +1316,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "279c195af8a5c5304e4e3b99a06deb8c96b6de037b7df218f1426a3a3dd31328"
+          "content": "68bc62828f28047b5f09da9e5fa3c2cc3ed98d965c1a43dbf51b9fa7e45ec1a1"
         },
         {
           "alg": "SHA3-512",
-          "content": "62c93cead7f0749b9ec8462735a16ebef7ba85f8bd1a88e583e68a78486d96baa1372aabc1f958d5fb3237a9d82d05d05ba449ea94110c540f36fbee8c720a4e"
+          "content": "c05800e93846fb755ded51be74047d84d032eeff9f5a0b818b1abc16f76c7032181ded4d5cf054d0387c3d7f2d71095f55a7a42c7f4c2764ec0115300ce75c85"
         }
       ]
     },
@@ -1451,11 +1451,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "ed49d69da4ef5acb4fd827deaaaf280bd6317a5defa96f6fa5696dc96c2929b4"
+          "content": "70fda3a2033d461f3ef1ac7e4bf259c9fe78090f1a1f5c09eb72dbf927e59955"
         },
         {
           "alg": "SHA3-512",
-          "content": "cee40245e9bb979c399942241faf038e95adb38ad66b6f3e70ba6034b78f774241310369773bd9ab36ceb0af1fe92e8f8b7e9b9965b3f629ab2847152f892530"
+          "content": "8547b087e1881cf58a55fd0aab186441f508ad226be0ab4aa3efd13a0e864af776f29576e25df9b4324ec7a4712bb3476faac5ed63a226a6ff71d225c297c969"
         }
       ]
     },
@@ -1631,11 +1631,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "b6a9cc3871cd272304fe55c7b979b8efe4d458217f7faadd750b3235a23cd986"
+          "content": "fe42cfd0758cb2709dc7dad91c4e47b495d6ebf984b00ace2422de34e744d35f"
         },
         {
           "alg": "SHA3-512",
-          "content": "a0e8c965e7cfbfa5d6db032579de719d0aec55536f9c9fa734c0deef5367298b67b89f809fe34d9049bf3dda03834212865d95df4c1aeda23c1653483d67046e"
+          "content": "a06a61b0f278a5973c0e4d6398d1688a574dec3442ca9823d0b4c5f37d1cb1cab47e8575580051b56e34829f8e22195ded1f4f57bdc3925ca32edae3e4c8839f"
         }
       ]
     },
@@ -1751,11 +1751,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "3dab3ebc6c86b2318f956da3e343ad7b470f05dd30e2afbee5a8e3b3a845a926"
+          "content": "b2f7ad163ce22cedc2a990633761b25d3f436012c20dc162739959f92220161f"
         },
         {
           "alg": "SHA3-512",
-          "content": "21f67b36206d0202a8c25045ded464d5cc36d7d97e5e4146ccce28ca08e31609fd579a4c65cbec27b10a03b61a84e80172c20886e1890052e92b80d306126f4b"
+          "content": "342cee9e227424456314cbbdf150ee9a4077ea00d2ae87d58e5301d80492af5cf7f38f1d0aa7f66751c77e7345ddefb40bb5f2ba58921d665985654dce7cfa0c"
         }
       ]
     },
@@ -2201,11 +2201,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "7cb063cd9a7179fa0e279273766be15011ea977e9b6601dd3cd4ca696d27abe1"
+          "content": "7ef5ed5d9a6dd68b2d43419d7fa2d0408eb8b57b69588e51db136aa0f29e82a6"
         },
         {
           "alg": "SHA3-512",
-          "content": "d96a6d849df087061fde018299c2c1c96f3c92738a8f650c53bdef1148e10a92f77be29568a0145f4eaa522489843ac84a43d96bd48e4b66a5ab02d8d3c3c5f7"
+          "content": "b96dad01e1385bc17bb1fa54d2f0d86558063856c12401fca1d96a01869de984b87cf5c54ded025a5f93762c109385ef6aed5552abff36070e281810ae063db8"
         }
       ]
     },
@@ -2216,11 +2216,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "576480c2ad29550a06e5a3e48b7dae04aadc1b505d76e3a5b1db9179d61263c4"
+          "content": "bd449efbfde0263c17aa1d2cf4ff57f39f8221e78a7f8eb62392b522acc7f3b8"
         },
         {
           "alg": "SHA3-512",
-          "content": "e3370698400f8b807680cebda861e73acedbf1602c9a7c2a8372c2285b2f88650a9d6e2931ebdb2cb229ad23e7c592787dea15a91adea5b4a854c6fc6842d38a"
+          "content": "1a7ecda566d16f89d15d721ca491962344fe9f011c27126f48cde5fb887405d5be5a28dac1892add97fd7316ab2204aa69020ede2bc1c43db4d988b45c1f1dea"
         }
       ]
     },
@@ -2486,11 +2486,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "f199cc754f202fa994c1769af5e02a4ef995ee02e87221422b00f945b03e99db"
+          "content": "1e140b2a035043d72cfb1a46e57751bbb2d4b3d39ecc73b48c28625b260e17f3"
         },
         {
           "alg": "SHA3-512",
-          "content": "d504c65cda545acda811997487ca8b6fef3ee5b5447b537f502295d5f6f4266cb2ecb743389b04aa2b6118b021af6f2ce9c6f00e44cf60bd7c06b72456a500f8"
+          "content": "f027c768c24cd0c5a4aff871afe82482a7ee655a56a69ab0d95662609a95fb28a31a3b4aa1108f879bdbf59ce097a6536e931c128105a7d93436e6eed59bfd82"
         }
       ]
     },

package/scripts/check-codebase-patterns-currency.js

@@ -30,7 +30,7 @@ const ROOT = path.resolve(__dirname, "..");
 // Every key here was classified (adopted / already-owned / helper-dependent /
 // out-of-scope). A class appearing upstream but absent here is NEW and wants
 // triage. Refresh this list (and re-triage the delta) when this check fires.
-const UPSTREAM_TRIAGED = Object.freeze([
+const UPSTREAM_TRIAGED = Object.freeze([ // keep-sorted
   "ai-disclosure-on-request-without-requested-gate",
   "archive-gz-without-safedecompress",
   "archive-wrap-partial-recipient",
@@ -59,7 +59,6 @@ const UPSTREAM_TRIAGED = Object.freeze([
   "math-random-noncrypto",
   "nfinity",
   "no-number-money-arithmetic",
-  "numeric-opt-no-bounds-check",
   "primitive-unreachable",
   "process-exit",
   "raw-byte-literal",

package/scripts/check-codebase-patterns.js

@@ -19,6 +19,11 @@
  *       VALID_ALLOW_CLASSES, or is missing the `— <reason>` tail. A typo'd
  *       marker suppresses nothing, so the underlying violation would ship
  *       unflagged — this meta-guard keeps the marker mechanism trustworthy.
+ *   - unsorted-marked-array : a flat string array tagged `// keep-sorted` that
+ *       drifted out of alphabetical order. Opt-in — only marked arrays are
+ *       checked, so a one-time allowlist sort becomes a standing guarantee.
+ *   - misaligned-marked-run : a `// keep-aligned` const/weight table whose
+ *       `=`/`:` assignment columns are not all equal. Opt-in, same shape.
  *
  * Exceptions live at the violation site, not in this file:
  *   - file-level, in the first 50 lines:  // codebase-patterns:allow-file <class> — <reason>
@@ -42,6 +47,8 @@ const VALID_ALLOW_CLASSES = Object.freeze({
   "process-exit-after-stdout-write": true,
   "dynamic-regex": true,
   "bidi-codepoint-literal": true,
+  "unsorted-marked-array": true,
+  "misaligned-marked-run": true,
 });
 
 const EXCLUDE_DIRS = new Set([
@@ -272,6 +279,91 @@ function detectOrphanAllowClass(files) {
   return hits;
 }
 
+// ---- opt-in readability detectors (preventative) -------------------------
+// These fire ONLY on sites that explicitly opt in via a marker, so unmarked
+// code is never flagged. They turn a one-time cleanup (sorting an allowlist,
+// aligning a const table) into a standing guarantee: mark the cleaned site and
+// the gate keeps it clean.
+
+// `// keep-sorted` marks a flat string-literal array that must stay
+// alphabetically sorted (e.g. an allowlist). Only arrays whose opening line
+// carries the marker are checked; arrays containing object/nested elements are
+// skipped (not a flat string list).
+function scanUnsortedMarkedArray(rel, lines) {
+  const hits = [];
+  for (let i = 0; i < lines.length; i++) {
+    if (!/\/\/\s*keep-sorted\b/.test(lines[i])) continue;
+    const openIdx = lines[i].indexOf("[");
+    if (openIdx === -1) continue;
+    let depth = 0, started = false, body = "";
+    for (let j = i; j < lines.length; j++) {
+      const seg = (j === i) ? lines[j].slice(openIdx) : lines[j];
+      for (const ch of seg) {
+        if (ch === "[") { depth++; started = true; }
+        else if (ch === "]") { depth--; }
+      }
+      body += " " + seg;
+      if (started && depth <= 0) break;
+    }
+    if (/[{]/.test(body)) continue; // object/nested elements — not a flat string array
+    const strs = [];
+    const re = /(['"])((?:\\.|(?!\1).)*)\1/g;
+    let m;
+    while ((m = re.exec(body)) !== null) strs.push(m[2]);
+    if (strs.length < 2) continue;
+    const sorted = [...strs].sort((a, b) => (a < b ? -1 : a > b ? 1 : 0));
+    if (strs.join("") !== sorted.join("")) {
+      const k = strs.findIndex((s, idx) => idx > 0 && strs[idx - 1] > s);
+      hits.push({ file: rel, line: i + 1, content: lines[i].trim(), why: `marked // keep-sorted but "${strs[k]}" is out of alphabetical order` });
+    }
+  }
+  return hits;
+}
+function detectUnsortedMarkedArray(files) {
+  const hits = [];
+  for (const rel of (files || filesUnder(["bin/exceptd.js", "lib", "orchestrator", "scripts"]))) {
+    if (rel === "scripts/check-codebase-patterns.js") continue; // holds the detector + its own marker prose
+    hits.push(...scanUnsortedMarkedArray(rel, readLines(rel)));
+  }
+  return hits;
+}
+
+// `// keep-aligned` marks a contiguous run of `IDENT = value` / `IDENT: value`
+// lines (a const/weight table) whose assignment columns must all line up. The
+// run is the lines immediately after the marker, until a blank or non-assignment
+// line. Opt-in, so only deliberately-aligned tables are enforced.
+function scanMisalignedMarkedRun(rel, lines) {
+  const hits = [];
+  for (let i = 0; i < lines.length; i++) {
+    if (!/\/\/\s*keep-aligned\b/.test(lines[i])) continue;
+    const run = [];
+    for (let j = i + 1; j < lines.length; j++) {
+      if (/^\s*$/.test(lines[j])) break;
+      const code = stripLineComment(lines[j]).replace(/\s+$/, "");
+      const m = code.match(/^(\s*[A-Za-z_$][\w$.'"-]*\s*)([:=])\s/);
+      if (!m) break;
+      run.push({ lineNo: j + 1, col: m[1].length, op: m[2], content: lines[j].trim() });
+    }
+    if (run.length < 2) continue;
+    const op = run[0].op;
+    const cols = run.filter((r) => r.op === op).map((r) => r.col);
+    const target = Math.max(...cols);
+    const bad = run.find((r) => r.op === op && r.col !== target);
+    if (bad) {
+      hits.push({ file: rel, line: bad.lineNo, content: bad.content, why: `marked // keep-aligned but the '${op}' columns are not all equal` });
+    }
+  }
+  return hits;
+}
+function detectMisalignedMarkedRun(files) {
+  const hits = [];
+  for (const rel of (files || filesUnder(["bin/exceptd.js", "lib", "orchestrator", "scripts"]))) {
+    if (rel === "scripts/check-codebase-patterns.js") continue;
+    hits.push(...scanMisalignedMarkedRun(rel, readLines(rel)));
+  }
+  return hits;
+}
+
 const CLASSES = [
   {
     id: "process-exit-after-stdout-write",
@@ -282,9 +374,21 @@ const CLASSES = [
   {
     id: "dynamic-regex",
     run: detectDynamicRegex,
-    warnOnly: true, // flip to false next release once the known sites carry markers
+    warnOnly: false,
     hint: "RegExp from operator input is a ReDoS sink — anchor + length-cap, or `// allow:dynamic-regex — <reason>` when the pattern is a trusted bundled schema",
   },
+  {
+    id: "unsorted-marked-array",
+    run: detectUnsortedMarkedArray,
+    warnOnly: false,
+    hint: "a flat string array tagged `// keep-sorted` drifted out of alphabetical order — re-sort it, or drop the marker if the order is intentional",
+  },
+  {
+    id: "misaligned-marked-run",
+    run: detectMisalignedMarkedRun,
+    warnOnly: false,
+    hint: "a `// keep-aligned` const/weight table has uneven assignment columns — realign the `=`/`:` columns, or drop the marker",
+  },
   {
     id: "bidi-codepoint-literal",
     run: detectBidiCodepointLiteral,
@@ -331,6 +435,10 @@ module.exports = {
   detectDynamicRegex,
   detectBidiCodepointLiteral,
   detectOrphanAllowClass,
+  detectUnsortedMarkedArray,
+  detectMisalignedMarkedRun,
+  scanUnsortedMarkedArray,
+  scanMisalignedMarkedRun,
   filesUnder,
 };
 

package/scripts/release.js

@@ -11,7 +11,7 @@
  *
  * Usage:
  *   node scripts/release.js prepare [--minor]   # bump + sign + indexes + snapshot + sbom + baseline
- *   node scripts/release.js gates               # npm test + 18-gate predeploy
+ *   node scripts/release.js gates               # npm test + 20-gate predeploy
  *   node scripts/release.js commit              # release branch + signed commit
  *   node scripts/release.js push                # push branch + open PR
  *   node scripts/release.js watch               # CI watch + flag unresolved review threads
@@ -576,7 +576,7 @@ function cmdHelp() {
   console.log("");
   console.log("Usage:");
   console.log("  node scripts/release.js prepare [--minor]   # bump + sign + indexes + snapshot + sbom + baseline");
-  console.log("  node scripts/release.js gates               # npm test + 18-gate predeploy");
+  console.log("  node scripts/release.js gates               # npm test + 20-gate predeploy");
   console.log("  node scripts/release.js commit              # release branch + signed commit");
   console.log("  node scripts/release.js push                # push branch + open PR");
   console.log("  node scripts/release.js watch               # CI watch + flag unresolved review threads");