@blamejs/exceptd-skills 0.12.13 → 0.12.16

package/data/playbooks/ai-api.json

@@ -67,7 +67,9 @@
       "T1552.001",
       "T1555"
     ],
-    "cve_refs": [],
+    "cve_refs": [
+      "CVE-2026-30615"
+    ],
     "cwe_refs": [
       "CWE-522",
       "CWE-256",

package/data/playbooks/containers.json

@@ -29,7 +29,9 @@
         "on_fail": "halt"
       }
     ],
-    "mutex": [],
+    "mutex": [
+      "library-author"
+    ],
     "feeds_into": [
       {
         "playbook_id": "kernel",
@@ -38,13 +40,19 @@
       {
         "playbook_id": "secrets",
         "condition": "always"
+      },
+      {
+        "playbook_id": "sbom",
+        "condition": "container-image-layers.length > 0"
       }
     ]
   },
   "domain": {
     "name": "Container runtime posture + manifest review",
     "attack_class": "container-escape",
-    "atlas_refs": [],
+    "atlas_refs": [
+      "AML.T0010"
+    ],
     "attack_refs": [
       "T1611",
       "T1610",
@@ -213,7 +221,7 @@
       ]
     },
     "direct": {
-      "threat_context": "Container escape attack class in 2025-2026 is dominated by the runc / containerd / kubelet CVE chain. CVE-2024-21626 'Leaky Vessels' (runc <1.1.12 working-directory race → fd leak into host) shipped Jan 2024 with public PoC and is the canonical container-escape primitive; subsequent runc/containerd CVEs follow the same pattern (host-resource leakage via misconfigured isolation). Mandiant 2025 IR report: ~22% of cloud-tenant compromises involved a container-escape step. The escape is exquisitely sensitive to manifest posture: privileged: true grants the attacker the full host kernel (LPE without escape); hostPID/hostNetwork/hostIPC grant cross-pod visibility; runAsUser: 0 + writable host mount = direct host write. seccompProfile + AppArmor profile presence is the primary mitigation. Manifests in repos are the attestation-vs-reality battleground — admission controllers reject some but not all anti-patterns, depending on policy maturity.",
+      "threat_context": "Container escape attack class in 2025-2026 is dominated by the runc / containerd / kubelet CVE chain. Public runc / containerd / kubelet escape primitives — including the 2024 'Leaky Vessels' working-directory race class — establish the canonical pattern: host-resource leakage (fd, mount, /proc) via misconfigured isolation. Subsequent CVEs in the runc/containerd/kubelet chain follow the same shape. Mandiant 2025 IR report: ~22% of cloud-tenant compromises involved a container-escape step. The escape is exquisitely sensitive to manifest posture: privileged: true grants the attacker the full host kernel (LPE without escape); hostPID/hostNetwork/hostIPC grant cross-pod visibility; runAsUser: 0 + writable host mount = direct host write. seccompProfile + AppArmor profile presence is the primary mitigation. Manifests in repos are the attestation-vs-reality battleground — admission controllers reject some but not all anti-patterns, depending on policy maturity.",
       "rwep_threshold": {
         "escalate": 85,
         "monitor": 65,

package/data/playbooks/cred-stores.json

@@ -43,7 +43,9 @@
   "domain": {
     "name": "Per-user credential store inventory + identity-assurance posture",
     "attack_class": "identity-abuse",
-    "atlas_refs": [],
+    "atlas_refs": [
+      "AML.T0055"
+    ],
     "attack_refs": [
       "T1078",
       "T1552.001",

package/data/playbooks/crypto-codebase.json

@@ -393,77 +393,77 @@
         },
         {
           "id": "hash-primitive-call-sites",
-          "type": "file_path",
+          "type": "file",
           "source": "Grep across the repo (excluding test/spec/fixture/node_modules/vendor/.venv/target/dist/build) for hash-primitive call sites. Patterns: `crypto.createHash\\(`, `crypto.createHmac\\(`, `hashlib\\.(md5|sha1|sha224|sha256|sha384|sha512|blake2b|blake2s|sha3_)`, `MessageDigest\\.getInstance\\(`, `Digest::(MD5|SHA1|SHA256)`, `hash/md5`, `hash/sha1`, `\"md5\"`, `\"sha1\"`, `\"sha-1\"`, `\"sha256\"`, `\"sha3-256\"`. Use Grep with multiline=true where the algorithm-name string is on a different line from the constructor.",
           "description": "Every hash-primitive call site. Distinguish security-context usage (signature input, MAC input, integrity check, password derivation, token derivation) from non-security usage (cache key, ETag, dedup). The non-security distinction must be evidenced inline; absent evidence, treat as security-context.",
           "required": true
         },
         {
           "id": "cipher-and-kex-call-sites",
-          "type": "file_path",
+          "type": "file",
           "source": "Grep for cipher and KEX call sites: `createCipheriv\\(`, `createDecipheriv\\(`, `crypto\\.publicEncrypt\\(`, `crypto\\.privateDecrypt\\(`, `createDiffieHellman\\(`, `createECDH\\(`, `crypto\\.generateKeyPair`, `Cipher\\.getInstance\\(`, `aesgcm`, `ChaCha20Poly1305`, `\\.(seal|open)\\(`, `OpenSSL::Cipher`, hardcoded curve names `\"P-256\"`, `\"secp256r1\"`, `\"prime256v1\"`, `\"P-384\"`, `\"secp384r1\"`, `\"P-521\"`, `\"secp521r1\"`, `\"secp256k1\"`, `\"X25519\"`, `\"X448\"`.",
           "description": "Cipher and key-exchange call sites. Identify mode (GCM/CBC/CTR/ECB), curve, key size, IV-generation pattern. ECB mode anywhere is a hard fail. CBC without HMAC is a hard fail. AES-128 without GCM authenticator is a finding.",
           "required": true
         },
         {
           "id": "signature-call-sites",
-          "type": "file_path",
+          "type": "file",
           "source": "Grep for signature operations: `crypto\\.sign\\(`, `crypto\\.verify\\(`, `Signature\\.getInstance\\(`, `\\.sign_pss\\(`, `\\.verify_pss\\(`, `RSA-PSS`, `RSA-PKCS1`, `ECDSA`, `Ed25519`, `Ed448`, `ML-DSA`, `Dilithium`, `SLH-DSA`, `SPHINCS`. Capture key sizes for RSA (look for `modulusLength`, `key_size`, `--rsa-2048` literals), curve choice for ECDSA, hash choice paired with signature (RSA-SHA1 is a hard fail).",
           "description": "Signature scheme inventory. RSA-1024 anywhere is a hard fail; RSA-2048 with > 5-year sensitivity requires PQC roadmap; ECDSA-P256 acceptable today but needs hybrid ML-DSA migration plan; bare RSA-PKCS1 (not PSS) for new signatures is a finding.",
           "required": true
         },
         {
           "id": "kdf-call-sites",
-          "type": "file_path",
+          "type": "file",
           "source": "Grep for key-derivation calls: `pbkdf2(Sync)?\\(`, `PBKDF2`, `hashlib\\.pbkdf2_hmac`, `bcrypt\\.(hash|hashSync|compare)`, `scrypt(Sync)?\\(`, `argon2\\.(hash|verify)`, `argon2id`, `hkdf\\(`, `HKDF`, `derive_key`. For each, extract the cost parameters: PBKDF2 iterations, bcrypt cost factor, scrypt N/r/p, argon2 t/m/p.",
           "description": "Key-derivation parameter inventory. Apply OWASP 2023 minimums: PBKDF2-HMAC-SHA256 >= 600,000; PBKDF2-HMAC-SHA512 >= 210,000; bcrypt cost >= 12; scrypt N >= 2^17, r=8, p=1; argon2id m >= 19 MiB (19456 KiB), t >= 2, p >= 1. Any parameter below minimum is a finding.",
           "required": true
         },
         {
           "id": "rng-call-sites",
-          "type": "file_path",
+          "type": "file",
           "source": "Grep for RNG sources: `Math\\.random\\(`, `random\\.random\\(`, `random\\.randint\\(`, `random\\.choice\\(`, `rand\\(`, `srand\\(`, `mt_rand\\(`, `secrets\\.(token_|randbits|choice)`, `crypto\\.randomBytes\\(`, `crypto\\.getRandomValues\\(`, `crypto\\.randomUUID\\(`, `os\\.urandom\\(`, `getrandom\\(`, `SecureRandom`, `OsRng`, `ThreadRng`, `/dev/urandom`, `/dev/random`. Capture file_path:line for each.",
           "description": "RNG-source inventory. Production-context Math.random / random.random / rand without cryptographic-RNG fallback is CWE-338. Distinguish test/spec/fixture usage explicitly via path allowlist; production usage requires a cryptographic RNG.",
           "required": true
         },
         {
           "id": "hardcoded-key-material",
-          "type": "file_path",
+          "type": "file",
           "source": "Grep for hardcoded crypto material: PEM markers `-----BEGIN (RSA |EC |DSA |PRIVATE |PUBLIC |CERTIFICATE )?(PRIVATE|PUBLIC) KEY-----`, SSH key prefixes `ssh-rsa AAAA`, `ssh-ed25519 AAAA`, `ecdsa-sha2-nistp256 AAAA`, hex-blob heuristics for keys (>= 64 hex chars on a single literal line), base64-encoded blobs >= 256 chars in source files. Cross-reference with the `secrets` playbook for the exfil-secret angle; here the focus is library-author shipping defaults that look like keys (e.g. example certs, demo keys, sample HMAC seeds that downstream consumers fail to rotate).",
           "description": "Hardcoded key material shipped with the library. Library-author angle: any 'demo' or 'example' key that downstream consumers fail to rotate becomes a universal-default vulnerability (cf. embedded-router demo keys, Wi-Fi default WPA keys, IoT bootloader signing keys).",
           "required": false
         },
         {
           "id": "tls-config-construction",
-          "type": "file_path",
+          "type": "file",
           "source": "Grep for in-code TLS context construction: `tls\\.createSecureContext`, `tls\\.createServer`, `https\\.createServer`, `ssl\\.SSLContext\\(`, `ssl\\.create_default_context`, `rustls::ServerConfig`, `rustls::ClientConfig`, `tls\\.Config\\{`, `SSL_CTX_new`, options like `minVersion`, `maxVersion`, `secureProtocol`, `ciphers`, `ecdhCurve`, `sigalgs`, `groups`, `ALPNProtocols`.",
           "description": "In-code TLS configuration. Library authors that construct TLS contexts internally must default to TLS 1.3 minimum, X25519MLKEM768 group preference (when openssl >= 3.5 detected), modern cipher list. Hardcoded `secureProtocol: 'TLSv1_method'` or `minVersion: 'TLSv1'` is a hard fail.",
           "required": false
         },
         {
           "id": "pqc-adoption-signals",
-          "type": "file_path",
+          "type": "file",
           "source": "Grep for PQC adoption: `ml[-_]?kem`, `ml[-_]?dsa`, `slh[-_]?dsa`, `kyber`, `dilithium`, `sphincs`, `falcon`, `kemEncapsulate`, `kemDecapsulate`, `EVP_KEM_`, `OQS_KEM_`, `oqsprovider`, `liboqs`, `noble-post-quantum`, `pqcrypto::`, `aws-lc-rs::pqc`, `circl/sign/dilithium`, `circl/kem/kyber`.",
           "description": "PQC adoption signals. If `pqc-readiness-gap` directive runs, this artifact is the primary input. Distinguish concrete cryptographic operations from configuration strings, feature-flag names, and comments.",
           "required": false
         },
         {
           "id": "fips-provider-activation",
-          "type": "file_path",
+          "type": "file",
           "source": "Grep for FIPS-mode activation: `OSSL_PROVIDER_load.*fips`, `crypto\\.setFips\\(`, `openssl::provider::Provider::load_default`, `Provider::load.*\"fips\"`, openssl.cnf or fipsmodule.cnf files in the repo, environment-variable references to `OPENSSL_FIPS`, `OPENSSL_CONF`. Capture whether the activation is conditional (e.g. only if env var set) or unconditional.",
           "description": "FIPS-provider activation evidence. The `fips-validation-status` directive uses this to distinguish runtime FIPS activation from link-time FIPS claims.",
           "required": false
         },
         {
           "id": "vendored-crypto-tree",
-          "type": "file_path",
+          "type": "file",
           "source": "Glob for vendored crypto: `vendor/**/{crypto,openssl,sodium,nacl,kyber,dilithium,sphincs,curve25519,blake2,sha3,argon2}*`, `third_party/**/*crypto*`, `crates/**/*crypto*` (excluding the package's own crypto module). Look for upstream-reference files: `UPSTREAM`, `ORIGIN`, `PROVENANCE.md`, `.upstream-commit`, integrity hashes in lockfiles.",
           "description": "Vendored cryptographic primitives. Library authors sometimes vendor crypto to reduce dep tree or for licensing reasons. Without provenance + integrity audit, vendored crypto is a supply-chain backdoor opportunity.",
           "required": false
         },
         {
           "id": "ci-crypto-tests",
-          "type": "file_path",
+          "type": "file",
           "source": "Glob for CI configs: `.github/workflows/**/*.yml`, `.gitlab-ci.yml`, `.circleci/config.yml`, `azure-pipelines.yml`, `Jenkinsfile`. Grep for crypto-test invocations, FIPS-test runs, constant-time analysis tools (`dudect`, `valgrind --tool=memcheck` on secret-dependent code, `ctgrind`).",
           "description": "Build-time crypto verification. Absence of constant-time tests on vendored PQC primitives is a finding for the `pqc-readiness-gap` directive.",
           "required": false

package/data/playbooks/crypto.json

@@ -339,7 +339,7 @@
         },
         {
           "id": "libssl-libraries",
-          "type": "file_path",
+          "type": "file",
           "source": "ldconfig -p | grep -E 'libssl|libcrypto|libtls' AND find /usr/lib /usr/local/lib -name 'libssl*' -o -name 'libcrypto*' 2>/dev/null",
           "description": "Installed TLS libraries — catches non-default OpenSSL builds, vendored libcrypto, LibreSSL, BoringSSL.",
           "required": false

package/data/playbooks/hardening.json

@@ -35,7 +35,9 @@
         "on_fail": "warn"
       }
     ],
-    "mutex": [],
+    "mutex": [
+      "kernel"
+    ],
     "feeds_into": [
       {
         "playbook_id": "kernel",

package/data/playbooks/kernel.json

@@ -45,7 +45,9 @@
         "on_fail": "warn"
       }
     ],
-    "mutex": [],
+    "mutex": [
+      "hardening"
+    ],
     "feeds_into": [
       {
         "playbook_id": "sbom",

package/data/playbooks/library-author.json

@@ -43,7 +43,10 @@
         "on_fail": "warn"
       }
     ],
-    "mutex": ["secrets"],
+    "mutex": [
+      "secrets",
+      "containers"
+    ],
     "feeds_into": [
       {
         "playbook_id": "sbom",
@@ -563,14 +566,14 @@
         },
         {
           "id": "signing-key-material",
-          "type": "file_path",
+          "type": "file",
           "source": "Locate: cosign.pub, *.pem (public-key signing artifacts), keys/public.pem, .well-known/openpgpkey/, sigstore-cosign metadata in workflow",
           "description": "Public signing material committed to the repo or referenced from the release workflow.",
           "required": false
         },
         {
           "id": "intoto-attestations",
-          "type": "file_path",
+          "type": "file",
           "source": "Glob: *.intoto.jsonl, *.sigstore, *.sbom.json.sig, *.cdx.json.sig, attestations directory; AND for npm packages: GET https://registry.npmjs.org/${pkg} and inspect dist.attestations",
           "description": "in-toto / Sigstore / SLSA provenance attestations attached to releases.",
           "required": false,
@@ -592,7 +595,7 @@
         },
         {
           "id": "vendored-code",
-          "type": "file_path",
+          "type": "file",
           "source": "List directories: vendor/, third_party/, external/, deps/, internal/vendor/; AND for each: locate provenance manifest (vendor.json, THIRD_PARTY_PROVENANCE.md, modules.txt for Go vendored)",
           "description": "Vendored / bundled third-party code carried in the publisher's own release.",
           "required": false
@@ -644,7 +647,7 @@
         },
         {
           "id": "skill-signing-infrastructure",
-          "type": "file_path",
+          "type": "file",
           "source": "If repo ships skills / plugins / extensions: locate lib/sign.js, lib/verify.js, scripts/sign-skills.*, signatures/, keys/, AND read package.json scripts for sign/verify entries",
           "description": "Specific to AI-tool / plugin / skill publishers: Ed25519 / cosign signing scaffolding.",
           "required": false
@@ -786,7 +789,11 @@
           "description": "Mutable action reference — upstream owner can substitute action code under the same tag.",
           "confidence": "deterministic",
           "deterministic": true,
-          "attack_ref": "T1195.001"
+          "attack_ref": "T1195.001",
+          "false_positive_checks_required": [
+            "If Dependabot is configured (.github/dependabot.yml with package-ecosystem: github-actions, schedule >= weekly) AND the repo has a recent (within last 60 days) Dependabot PR updating action SHAs — the mutable-ref window is bounded; demote to lower-confidence finding (not miss; tag-pinning is still strictly safer than SHA-pinning-with-Dependabot).",
+            "If every mutable ref points to a github-owned action (actions/*, github/*) the supply-chain risk is materially lower than third-party action refs; tag-with-rationale-in-comment is acceptable for github-owned. Demote third-party-only mutable refs above github-owned ones in reporting."
+          ]
         },
         {
           "id": "package-json-provenance-missing",
@@ -839,11 +846,15 @@
         },
         {
           "id": "tag-protection-absent",
-          "type": "api_response",
+          "type": "api_call_sequence",
           "value": "Within the branch-tag-protection artifact: gh api repos/${owner}/${repo}/tags/protection returns empty array OR 404 AND the release-workflows artifact contains a publish workflow that triggers on push tags: ['v*']",
           "description": "Release tags unprotected (theater #6) — any branch can push v* and trigger publish.",
           "confidence": "deterministic",
-          "deterministic": true
+          "deterministic": true,
+          "false_positive_checks_required": [
+            "If repository rulesets (newer model) protect the tag pattern v*.*.* with delete + non-fast-forward + update blocked AND zero bypass actors — the legacy tag-protection-rules API may return empty while protection is in place. Cross-check the rulesets API before flagging.",
+            "If the repository is read-only / archived (archived: true via the repo API) — tag protection is moot; demote to miss."
+          ]
         },
         {
           "id": "release-tag-not-signed",
@@ -871,7 +882,7 @@
         },
         {
           "id": "no-security-txt",
-          "type": "api_response",
+          "type": "api_call_sequence",
           "value": "If product has a primary domain: HTTP 404 / connection failure on /.well-known/security.txt",
           "description": "No RFC 9116 machine-discoverable disclosure path (theater #10).",
           "confidence": "deterministic",
@@ -879,7 +890,7 @@
         },
         {
           "id": "private-vuln-reporting-disabled",
-          "type": "api_response",
+          "type": "api_call_sequence",
           "value": "gh api repos/${owner}/${repo} --jq '.security_and_analysis.private_vulnerability_reporting.status' returns 'disabled'",
           "description": "GitHub private vulnerability reporting off — no OIDC-authenticated disclosure intake.",
           "confidence": "deterministic",

package/data/playbooks/mcp.json

@@ -440,7 +440,7 @@
         },
         {
           "id": "mcp-tool-response-log",
-          "type": "log_pattern",
+          "type": "log",
           "source": "AI client MCP-protocol logs: ~/.claude/logs/mcp/*.jsonl (Claude Code), ~/.cursor/logs/mcp-*.log (Cursor), ~/.codeium/windsurf/logs/mcp_*.log (Windsurf)",
           "description": "v0.12.6: Verbatim tools/list and tools/call response capture. The only artifact that lets ANSI-escape, Unicode-Tag-smuggling, instruction-coercion-grammar, and sensitive-path-reference indicators fire. If client doesn't log MCP responses, mark inconclusive and recommend enabling MCP request/response verbose logging in client settings.",
           "required": false

package/data/playbooks/runtime.json

@@ -68,7 +68,9 @@
       "T1068",
       "T1548.003"
     ],
-    "cve_refs": [],
+    "cve_refs": [
+      "CVE-2026-31431"
+    ],
     "cwe_refs": [
       "CWE-269",
       "CWE-732",

package/data/playbooks/sbom.json

@@ -499,7 +499,7 @@
         },
         {
           "id": "model-weight-files",
-          "type": "file_path",
+          "type": "file",
           "source": "find $HOME ~/.cache/huggingface ~/.cache/torch /var/lib/model-store -type f \\( -name '*.pt' -o -name '*.ckpt' -o -name '*.bin' -o -name '*.safetensors' -o -name '*.gguf' \\) 2>/dev/null AND for each: file <path> AND attempt to identify Sigstore signature / OpenSSF model-signing attestation",
           "description": "Model weight artifacts — needed for AI-supply-chain analysis (ATLAS AML.T0018).",
           "required": false
@@ -528,7 +528,7 @@
         },
         {
           "id": "tanstack-payload-sweep",
-          "type": "file_path",
+          "type": "file",
           "source": "find node_modules -path '*/@tanstack/*' \\( -name 'router_init.js' -o -name 'router_runtime.js' \\) 2>/dev/null",
           "description": "CVE-2026-45321 IoC sweep — payload markers inside any installed @tanstack/* package. Captures both flat npm and pnpm-style nested layouts.",
           "required": false

package/data/playbooks/secrets.json

@@ -35,7 +35,9 @@
         "on_fail": "warn"
       }
     ],
-    "mutex": [],
+    "mutex": [
+      "library-author"
+    ],
     "feeds_into": [
       {
         "playbook_id": "cred-stores",