@blamejs/exceptd-skills 0.12.11 → 0.12.15

  1. package/CHANGELOG.md +243 -0
  2. package/bin/exceptd.js +299 -48
  3. package/data/_indexes/_meta.json +49 -48
  4. package/data/_indexes/activity-feed.json +13 -5
  5. package/data/_indexes/catalog-summaries.json +51 -29
  6. package/data/_indexes/chains.json +3238 -3210
  7. package/data/_indexes/frequency.json +3 -0
  8. package/data/_indexes/jurisdiction-map.json +5 -3
  9. package/data/_indexes/section-offsets.json +712 -685
  10. package/data/_indexes/theater-fingerprints.json +1 -1
  11. package/data/_indexes/token-budget.json +355 -340
  12. package/data/atlas-ttps.json +144 -129
  13. package/data/attack-techniques.json +339 -0
  14. package/data/cve-catalog.json +515 -475
  15. package/data/cwe-catalog.json +1081 -759
  16. package/data/exploit-availability.json +63 -15
  17. package/data/framework-control-gaps.json +867 -843
  18. package/data/rfc-references.json +276 -276
  19. package/keys/EXPECTED_FINGERPRINT +1 -0
  20. package/lib/auto-discovery.js +21 -4
  21. package/lib/cross-ref-api.js +39 -6
  22. package/lib/cve-curation.js +505 -47
  23. package/lib/lint-skills.js +217 -15
  24. package/lib/playbook-runner.js +1224 -183
  25. package/lib/prefetch.js +121 -8
  26. package/lib/refresh-external.js +261 -95
  27. package/lib/refresh-network.js +208 -18
  28. package/lib/schemas/manifest.schema.json +16 -0
  29. package/lib/scoring.js +83 -7
  30. package/lib/sign.js +112 -3
  31. package/lib/source-ghsa.js +219 -37
  32. package/lib/source-osv.js +381 -122
  33. package/lib/validate-catalog-meta.js +64 -9
  34. package/lib/validate-cve-catalog.js +213 -7
  35. package/lib/validate-indexes.js +88 -37
  36. package/lib/validate-playbooks.js +469 -0
  37. package/lib/verify.js +313 -16
  38. package/manifest-snapshot.json +1 -1
  39. package/manifest-snapshot.sha256 +1 -0
  40. package/manifest.json +73 -73
  41. package/orchestrator/dispatcher.js +21 -1
  42. package/orchestrator/event-bus.js +52 -8
  43. package/orchestrator/index.js +279 -20
  44. package/orchestrator/pipeline.js +63 -2
  45. package/orchestrator/scanner.js +32 -10
  46. package/orchestrator/scheduler.js +196 -20
  47. package/package.json +3 -1
  48. package/sbom.cdx.json +9 -9
  49. package/scripts/check-manifest-snapshot.js +32 -0
  50. package/scripts/check-sbom-currency.js +65 -3
  51. package/scripts/check-test-coverage.js +142 -19
  52. package/scripts/predeploy.js +110 -40
  53. package/scripts/refresh-manifest-snapshot.js +55 -4
  54. package/scripts/validate-vendor-online.js +169 -0
  55. package/scripts/verify-shipped-tarball.js +106 -3
  56. package/skills/ai-attack-surface/skill.md +18 -10
  57. package/skills/ai-c2-detection/skill.md +7 -2
  58. package/skills/ai-risk-management/skill.md +5 -4
  59. package/skills/api-security/skill.md +3 -3
  60. package/skills/attack-surface-pentest/skill.md +5 -5
  61. package/skills/cloud-security/skill.md +1 -1
  62. package/skills/compliance-theater/skill.md +8 -8
  63. package/skills/container-runtime-security/skill.md +1 -1
  64. package/skills/dlp-gap-analysis/skill.md +5 -1
  65. package/skills/email-security-anti-phishing/skill.md +1 -1
  66. package/skills/exploit-scoring/skill.md +18 -18
  67. package/skills/framework-gap-analysis/skill.md +6 -6
  68. package/skills/global-grc/skill.md +3 -2
  69. package/skills/identity-assurance/skill.md +2 -2
  70. package/skills/incident-response-playbook/skill.md +4 -4
  71. package/skills/kernel-lpe-triage/skill.md +21 -2
  72. package/skills/mcp-agent-trust/skill.md +17 -10
  73. package/skills/mlops-security/skill.md +2 -1
  74. package/skills/ot-ics-security/skill.md +1 -1
  75. package/skills/policy-exception-gen/skill.md +3 -3
  76. package/skills/pqc-first/skill.md +1 -1
  77. package/skills/rag-pipeline-security/skill.md +7 -3
  78. package/skills/researcher/skill.md +20 -3
  79. package/skills/sector-energy/skill.md +1 -1
  80. package/skills/sector-federal-government/skill.md +1 -1
  81. package/skills/sector-financial/skill.md +3 -3
  82. package/skills/sector-healthcare/skill.md +2 -2
  83. package/skills/security-maturity-tiers/skill.md +7 -7
  84. package/skills/skill-update-loop/skill.md +19 -3
  85. package/skills/supply-chain-integrity/skill.md +1 -1
  86. package/skills/threat-model-currency/skill.md +11 -11
  87. package/skills/threat-modeling-methodology/skill.md +3 -3
  88. package/skills/webapp-security/skill.md +1 -1
  89. package/skills/zeroday-gap-learn/skill.md +51 -7
  90. package/vendor/blamejs/_PROVENANCE.json +4 -1
  91. package/vendor/blamejs/worker-pool.js +38 -0
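--- a/package/vendor/blamejs/worker-pool.js
+++ b/package/vendor/blamejs/worker-pool.js
@@ -87,6 +87,20 @@ function _validateScriptPath(scriptPath) {
     throw _err("workerpool/bad-script-path",
       "workerPool.create: scriptPath must be a filesystem path, not an eval/data URL");
   }
+  // On Windows path.isAbsolute() accepts UNC + extended-length + device
+  // namespace forms (e.g. `\\server\share`, `\\?\UNC\server\share`,
+  // `\\?\C:\path`, `\\.\PhysicalDrive0`). The worker pool only supports
+  // local-filesystem scripts; reject these prefixes so a hostile or
+  // mistyped path can't get a Worker thread to follow a network share or
+  // device namespace.
+  if (process.platform === "win32") {
+    // \\.\, \\?\, \\?\UNC\, or any other \\<server>\<share> form.
+    if (/^\\\\[.?]\\/.test(scriptPath) || /^\\\\\?\\UNC\\/i.test(scriptPath) || /^\\\\[^\\?.]/.test(scriptPath)) {
+      throw _err("workerpool/bad-script-path",
+        "workerPool.create: scriptPath must not use UNC / extended-length / device namespace prefixes on win32; got " +
+        JSON.stringify(scriptPath));
+    }
+  }
 }
 
 function _emitAudit(_action, _outcome, _metadata) {
@@ -94,6 +108,30 @@ function _emitAudit(_action, _outcome, _metadata) {
   // Preserved as a function so the rest of the file matches upstream shape.
 }
 
+/**
+ * Create a worker pool.
+ *
+ * Lifecycle. Worker threads spawned by the pool hold the parent's event
+ * loop open until they are explicitly terminated. Pool timers are NOT
+ * unref'd (intentional: timeouts must fire even when no other work is
+ * pending). Consumers MUST call `terminate()` when the pool is no longer
+ * needed, or wrap their usage in a try/finally:
+ *
+ *   const pool = workerPool.create(scriptPath);
+ *   try {
+ *     await pool.run(message);
+ *   } finally {
+ *     await pool.terminate();
+ *   }
+ *
+ * Failing to call terminate() causes the host process to hang after main()
+ * returns. The pool does not auto-recycle on idle, and no GC reachability
+ * heuristic will reclaim a live Worker thread.
+ *
+ * @param {string} scriptPath Absolute filesystem path to the worker script.
+ * @param {{ size?: number, onExit?: Function, maxQueueDepth?: number, taskTimeoutMs?: number }} [opts]
+ * @returns {{ run: Function, drain: Function, terminate: Function, stats: Function }}
+ */
 function create(scriptPath, opts) {
   opts = opts || {};
   _validateOptsWhitelist(opts, ["size", "onExit", "maxQueueDepth", "taskTimeoutMs"], "workerPool.create");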
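Review bot: The win32 guard added at the end of `_validateScriptPath` only recognises backslash-prefixed forms, but Node's win32 `path.isAbsolute()` also treats `/` as a separator, so a value such as `//server/share/worker.js` or `//?/C:/worker.js` satisfies the absolute-path check the hunk's comment refers to while matching none of the three regexes. Every UNC, extended-length and device-namespace form begins with two separators, so a single test on either separator closes that gap and makes the `\\?\UNC\` clause (already covered by the first regex) unnecessary: `if (/^[\\/]{2}/.test(scriptPath)) {`. An equivalent alternative is to run `path.win32.normalize()` on the value first, which folds forward and mixed separators into backslashes before the existing regexes see them. `_validateScriptPath` starts before this hunk, so I am inferring the isAbsolute check from the comment rather than from visible lines.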