npm - @blamejs/exceptd-skills - Versions diffs - 0.12.11 → 0.12.15 - Mend

@blamejs/exceptd-skills 0.12.11 → 0.12.15

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (91) hide show

package/CHANGELOG.md +243 -0
package/bin/exceptd.js +299 -48
package/data/_indexes/_meta.json +49 -48
package/data/_indexes/activity-feed.json +13 -5
package/data/_indexes/catalog-summaries.json +51 -29
package/data/_indexes/chains.json +3238 -3210
package/data/_indexes/frequency.json +3 -0
package/data/_indexes/jurisdiction-map.json +5 -3
package/data/_indexes/section-offsets.json +712 -685
package/data/_indexes/theater-fingerprints.json +1 -1
package/data/_indexes/token-budget.json +355 -340
package/data/atlas-ttps.json +144 -129
package/data/attack-techniques.json +339 -0
package/data/cve-catalog.json +515 -475
package/data/cwe-catalog.json +1081 -759
package/data/exploit-availability.json +63 -15
package/data/framework-control-gaps.json +867 -843
package/data/rfc-references.json +276 -276
package/keys/EXPECTED_FINGERPRINT +1 -0
package/lib/auto-discovery.js +21 -4
package/lib/cross-ref-api.js +39 -6
package/lib/cve-curation.js +505 -47
package/lib/lint-skills.js +217 -15
package/lib/playbook-runner.js +1224 -183
package/lib/prefetch.js +121 -8
package/lib/refresh-external.js +261 -95
package/lib/refresh-network.js +208 -18
package/lib/schemas/manifest.schema.json +16 -0
package/lib/scoring.js +83 -7
package/lib/sign.js +112 -3
package/lib/source-ghsa.js +219 -37
package/lib/source-osv.js +381 -122
package/lib/validate-catalog-meta.js +64 -9
package/lib/validate-cve-catalog.js +213 -7
package/lib/validate-indexes.js +88 -37
package/lib/validate-playbooks.js +469 -0
package/lib/verify.js +313 -16
package/manifest-snapshot.json +1 -1
package/manifest-snapshot.sha256 +1 -0
package/manifest.json +73 -73
package/orchestrator/dispatcher.js +21 -1
package/orchestrator/event-bus.js +52 -8
package/orchestrator/index.js +279 -20
package/orchestrator/pipeline.js +63 -2
package/orchestrator/scanner.js +32 -10
package/orchestrator/scheduler.js +196 -20
package/package.json +3 -1
package/sbom.cdx.json +9 -9
package/scripts/check-manifest-snapshot.js +32 -0
package/scripts/check-sbom-currency.js +65 -3
package/scripts/check-test-coverage.js +142 -19
package/scripts/predeploy.js +110 -40
package/scripts/refresh-manifest-snapshot.js +55 -4
package/scripts/validate-vendor-online.js +169 -0
package/scripts/verify-shipped-tarball.js +106 -3
package/skills/ai-attack-surface/skill.md +18 -10
package/skills/ai-c2-detection/skill.md +7 -2
package/skills/ai-risk-management/skill.md +5 -4
package/skills/api-security/skill.md +3 -3
package/skills/attack-surface-pentest/skill.md +5 -5
package/skills/cloud-security/skill.md +1 -1
package/skills/compliance-theater/skill.md +8 -8
package/skills/container-runtime-security/skill.md +1 -1
package/skills/dlp-gap-analysis/skill.md +5 -1
package/skills/email-security-anti-phishing/skill.md +1 -1
package/skills/exploit-scoring/skill.md +18 -18
package/skills/framework-gap-analysis/skill.md +6 -6
package/skills/global-grc/skill.md +3 -2
package/skills/identity-assurance/skill.md +2 -2
package/skills/incident-response-playbook/skill.md +4 -4
package/skills/kernel-lpe-triage/skill.md +21 -2
package/skills/mcp-agent-trust/skill.md +17 -10
package/skills/mlops-security/skill.md +2 -1
package/skills/ot-ics-security/skill.md +1 -1
package/skills/policy-exception-gen/skill.md +3 -3
package/skills/pqc-first/skill.md +1 -1
package/skills/rag-pipeline-security/skill.md +7 -3
package/skills/researcher/skill.md +20 -3
package/skills/sector-energy/skill.md +1 -1
package/skills/sector-federal-government/skill.md +1 -1
package/skills/sector-financial/skill.md +3 -3
package/skills/sector-healthcare/skill.md +2 -2
package/skills/security-maturity-tiers/skill.md +7 -7
package/skills/skill-update-loop/skill.md +19 -3
package/skills/supply-chain-integrity/skill.md +1 -1
package/skills/threat-model-currency/skill.md +11 -11
package/skills/threat-modeling-methodology/skill.md +3 -3
package/skills/webapp-security/skill.md +1 -1
package/skills/zeroday-gap-learn/skill.md +51 -7
package/vendor/blamejs/_PROVENANCE.json +4 -1
package/vendor/blamejs/worker-pool.js +38 -0

package/data/_indexes/activity-feed.json CHANGED Viewed

@@ -2,7 +2,7 @@
   "_meta": {
     "schema_version": "1.0.0",
     "note": "Per-artifact 'last changed' feed sorted descending by date. Skill events from manifest.last_threat_review; catalog events from data/<catalog>.json _meta.last_updated.",
-    "event_count": 49
+    "event_count": 50
   },
   "events": [
     {
@@ -13,6 +13,14 @@
       "schema_version": "1.0.0",
       "entry_count": 15
     },
+    {
+      "date": "2026-05-13",
+      "type": "catalog_update",
+      "artifact": "data/attack-techniques.json",
+      "path": "data/attack-techniques.json",
+      "schema_version": "1.0.0",
+      "entry_count": 79
+    },
     {
       "date": "2026-05-13",
       "type": "catalog_update",
@@ -27,7 +35,7 @@
       "artifact": "data/cwe-catalog.json",
       "path": "data/cwe-catalog.json",
       "schema_version": "1.0.0",
-      "entry_count": 53
+      "entry_count": 55
     },
     {
       "date": "2026-05-13",
@@ -341,7 +349,7 @@
       "artifact": "data/exploit-availability.json",
       "path": "data/exploit-availability.json",
       "schema_version": "1.0.0",
-      "entry_count": 5
+      "entry_count": 9
     },
     {
       "date": "2026-05-01",
@@ -349,14 +357,14 @@
       "artifact": "data/framework-control-gaps.json",
       "path": "data/framework-control-gaps.json",
       "schema_version": "1.0.0",
-      "entry_count": 61
+      "entry_count": 62
     },
     {
       "date": "2026-05-01",
       "type": "manifest_review",
       "artifact": "manifest.json",
       "path": "manifest.json",
-      "note": "manifest threat_review_date — 38 skills, 10 catalogs"
+      "note": "manifest threat_review_date — 38 skills, 11 catalogs"
     }
   ]
 }

package/data/_indexes/catalog-summaries.json CHANGED Viewed

@@ -2,7 +2,7 @@
   "_meta": {
     "schema_version": "1.0.0",
     "note": "Per-catalog compact summary so AI consumers can discover available data without loading every _meta block. Purpose strings are curated in scripts/builders/catalog-summaries.js.",
-    "catalog_count": 10
+    "catalog_count": 11
   },
   "catalogs": {
     "atlas-ttps.json": {
@@ -20,11 +20,33 @@
       },
       "entry_count": 15,
       "sample_keys": [
-        "AML.T0043",
         "AML.T0010",
         "AML.T0016",
         "AML.T0017",
-        "AML.T0018"
+        "AML.T0018",
+        "AML.T0020"
+      ]
+    },
+    "attack-techniques.json": {
+      "path": "data/attack-techniques.json",
+      "purpose": null,
+      "schema_version": "1.0.0",
+      "last_updated": "2026-05-13",
+      "tlp": "CLEAR",
+      "source_confidence_default": "A1",
+      "freshness_policy": {
+        "default_review_cadence_days": 90,
+        "stale_after_days": 180,
+        "rebuild_after_days": 365,
+        "note": "Catalog must be rebuilt against the upstream ATT&CK release whenever MITRE publishes a new version. AGENTS.md hard rule #8 requires the bump to be intentional, not silent."
+      },
+      "entry_count": 79,
+      "sample_keys": [
+        "T0001",
+        "T0017",
+        "T0051",
+        "T0096",
+        "T0853"
       ]
     },
     "cve-catalog.json": {
@@ -42,11 +64,11 @@
       },
       "entry_count": 9,
       "sample_keys": [
-        "CVE-2026-31431",
-        "CVE-2026-43284",
-        "CVE-2026-43500",
         "CVE-2025-53773",
-        "CVE-2026-30615"
+        "CVE-2026-30615",
+        "CVE-2026-31431",
+        "CVE-2026-39884",
+        "CVE-2026-42208"
       ]
     },
     "cwe-catalog.json": {
@@ -62,13 +84,13 @@
         "rebuild_after_days": 365,
         "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
       },
-      "entry_count": 53,
+      "entry_count": 55,
       "sample_keys": [
-        "CWE-787",
-        "CWE-79",
-        "CWE-89",
-        "CWE-416",
-        "CWE-20"
+        "CWE-20",
+        "CWE-22",
+        "CWE-77",
+        "CWE-78",
+        "CWE-79"
       ]
     },
     "d3fend-catalog.json": {
@@ -128,13 +150,13 @@
         "rebuild_after_days": 365,
         "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
       },
-      "entry_count": 5,
+      "entry_count": 9,
       "sample_keys": [
-        "CVE-2026-31431",
-        "CVE-2026-43284",
-        "CVE-2026-43500",
         "CVE-2025-53773",
-        "CVE-2026-30615"
+        "CVE-2026-30615",
+        "CVE-2026-31431",
+        "CVE-2026-39884",
+        "CVE-2026-42208"
       ]
     },
     "framework-control-gaps.json": {
@@ -150,13 +172,13 @@
         "rebuild_after_days": 365,
         "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
       },
-      "entry_count": 61,
+      "entry_count": 62,
       "sample_keys": [
-        "NIST-800-53-SI-2",
-        "NIST-800-53-SC-8",
-        "NIST-800-53-AC-2",
-        "NIST-800-53-SI-3",
-        "NIST-800-53-SA-12"
+        "ALL-AI-PIPELINE-INTEGRITY",
+        "ALL-MCP-TOOL-TRUST",
+        "ALL-PROMPT-INJECTION-ACCESS-CONTROL",
+        "AU-Essential-8-App-Hardening",
+        "AU-Essential-8-Backup"
       ]
     },
     "global-frameworks.json": {
@@ -196,11 +218,11 @@
       },
       "entry_count": 31,
       "sample_keys": [
-        "RFC-8446",
-        "DRAFT-IETF-TLS-ECDHE-MLKEM",
-        "DRAFT-IETF-TLS-HYBRID-DESIGN",
-        "RFC-9180",
-        "RFC-9458"
+        "RFC-4301",
+        "RFC-4303",
+        "RFC-6376",
+        "RFC-6545",
+        "RFC-6546"
       ]
     },
     "zeroday-lessons.json": {