@blamejs/exceptd-skills 0.12.23 → 0.12.25
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/AGENTS.md +12 -4
- package/CHANGELOG.md +190 -3
- package/README.md +14 -1
- package/bin/exceptd.js +584 -166
- package/data/_indexes/_meta.json +31 -31
- package/data/_indexes/activity-feed.json +45 -45
- package/data/_indexes/catalog-summaries.json +19 -19
- package/data/_indexes/chains.json +320 -0
- package/data/_indexes/currency.json +9 -9
- package/data/_indexes/frequency.json +39 -2
- package/data/_indexes/jurisdiction-clocks.json +2 -2
- package/data/_indexes/jurisdiction-map.json +3 -1
- package/data/_indexes/section-offsets.json +396 -396
- package/data/_indexes/summary-cards.json +3 -3
- package/data/_indexes/token-budget.json +73 -73
- package/data/atlas-ttps.json +491 -19
- package/data/attack-techniques.json +198 -84
- package/data/cve-catalog.json +1309 -9
- package/data/exploit-availability.json +300 -10
- package/data/framework-control-gaps.json +395 -1
- package/data/global-frameworks.json +44 -19
- package/data/playbooks/containers.json +1 -1
- package/data/playbooks/crypto-codebase.json +1 -1
- package/data/playbooks/framework.json +1 -1
- package/data/playbooks/hardening.json +1 -1
- package/data/playbooks/library-author.json +1 -1
- package/data/playbooks/secrets.json +25 -1
- package/data/rfc-references.json +93 -1
- package/data/zeroday-lessons.json +475 -13
- package/lib/auto-discovery.js +26 -2
- package/lib/exit-codes.js +72 -0
- package/lib/flag-suggest.js +130 -0
- package/lib/id-validation.js +95 -0
- package/lib/lint-skills.js +68 -1
- package/lib/playbook-runner.js +321 -46
- package/lib/prefetch.js +113 -0
- package/lib/refresh-external.js +190 -8
- package/lib/refresh-network.js +35 -8
- package/lib/schemas/cve-catalog.schema.json +31 -4
- package/lib/schemas/playbook.schema.json +51 -0
- package/lib/scoring.js +41 -0
- package/lib/upstream-check-cli.js +16 -1
- package/lib/upstream-check.js +9 -0
- package/lib/verify.js +20 -4
- package/manifest-snapshot.json +1 -1
- package/manifest-snapshot.sha256 +1 -1
- package/manifest.json +59 -59
- package/package.json +8 -2
- package/sbom.cdx.json +6 -6
- package/scripts/check-test-coverage.js +67 -0
- package/scripts/verify-shipped-tarball.js +9 -0
- package/skills/ai-attack-surface/skill.md +11 -2
- package/skills/ai-c2-detection/skill.md +3 -1
- package/skills/ai-risk-management/skill.md +3 -1
- package/skills/api-security/skill.md +4 -0
- package/skills/attack-surface-pentest/skill.md +1 -0
- package/skills/container-runtime-security/skill.md +3 -1
- package/skills/dlp-gap-analysis/skill.md +1 -1
- package/skills/exploit-scoring/skill.md +2 -2
- package/skills/incident-response-playbook/skill.md +1 -1
- package/skills/kernel-lpe-triage/skill.md +6 -1
- package/skills/mcp-agent-trust/skill.md +7 -2
- package/skills/mlops-security/skill.md +1 -1
- package/skills/rag-pipeline-security/skill.md +4 -2
- package/skills/sector-financial/skill.md +1 -1
- package/skills/skill-update-loop/skill.md +1 -1
- package/skills/supply-chain-integrity/skill.md +3 -1
- package/skills/threat-model-currency/skill.md +1 -1
- package/skills/webapp-security/skill.md +2 -0
- package/skills/zeroday-gap-learn/skill.md +2 -2
|
@@ -28,12 +28,13 @@ const ROOT = path.resolve(__dirname, "..");
|
|
|
28
28
|
const { fetchLatestPublished, buildFreshnessReport } = require("./upstream-check.js");
|
|
29
29
|
|
|
30
30
|
function parseArgs(argv) {
|
|
31
|
-
const out = { timeoutMs: 5000, raw: false };
|
|
31
|
+
const out = { timeoutMs: 5000, raw: false, airGap: false };
|
|
32
32
|
for (let i = 2; i < argv.length; i++) {
|
|
33
33
|
const a = argv[i];
|
|
34
34
|
if (a === "--timeout") { out.timeoutMs = parseInt(argv[++i], 10) || 5000; }
|
|
35
35
|
else if (a.startsWith("--timeout=")) { out.timeoutMs = parseInt(a.slice("--timeout=".length), 10) || 5000; }
|
|
36
36
|
else if (a === "--raw") out.raw = true;
|
|
37
|
+
else if (a === "--air-gap") out.airGap = true;
|
|
37
38
|
}
|
|
38
39
|
return out;
|
|
39
40
|
}
|
|
@@ -52,6 +53,20 @@ function readManifest() {
|
|
|
52
53
|
|
|
53
54
|
(async () => {
|
|
54
55
|
const opts = parseArgs(process.argv);
|
|
56
|
+
// Air-gap short-circuit — the registry probe is a network operation. When
|
|
57
|
+
// the operator has declared air-gapped mode (env var OR --air-gap), emit a
|
|
58
|
+
// structured `skipped` envelope and exit 0. Exit 0 because, like the
|
|
59
|
+
// existing "offline" path, missing freshness data is a graceful degradation
|
|
60
|
+
// — it is NOT an error condition for downstream callers.
|
|
61
|
+
if (process.env.EXCEPTD_AIR_GAP === "1" || opts.airGap) {
|
|
62
|
+
process.stdout.write(JSON.stringify({
|
|
63
|
+
ok: null,
|
|
64
|
+
skipped: "air-gap",
|
|
65
|
+
reason: "registry probe disabled in air-gap mode",
|
|
66
|
+
source: "upstream-check",
|
|
67
|
+
}) + "\n");
|
|
68
|
+
process.exit(0);
|
|
69
|
+
}
|
|
55
70
|
const registry = await fetchLatestPublished({ timeoutMs: opts.timeoutMs });
|
|
56
71
|
if (opts.raw) {
|
|
57
72
|
process.stdout.write(JSON.stringify(registry) + "\n");
|
package/lib/upstream-check.js
CHANGED
|
@@ -33,6 +33,15 @@ const REQUEST_TIMEOUT_MS = 5000;
|
|
|
33
33
|
* a path to a JSON file with { version, time: { <ver>: ISO } } shape.
|
|
34
34
|
*/
|
|
35
35
|
async function fetchLatestPublished({ timeoutMs = REQUEST_TIMEOUT_MS, pkgName = PKG_NAME } = {}) {
|
|
36
|
+
// Air-gap refusal — registry probes are a network operation and must never
|
|
37
|
+
// be issued when the operator has declared an air-gapped environment.
|
|
38
|
+
// Returning a structured refusal (instead of throwing) lets callers degrade
|
|
39
|
+
// gracefully the same way they handle `offline` — the freshness signal is
|
|
40
|
+
// intentionally absent, not in error.
|
|
41
|
+
if (process.env.EXCEPTD_AIR_GAP === "1") {
|
|
42
|
+
return { ok: false, error: "air-gap-blocked", source: "fetchLatestPublished" };
|
|
43
|
+
}
|
|
44
|
+
|
|
36
45
|
if (process.env.EXCEPTD_REGISTRY_FIXTURE) {
|
|
37
46
|
try {
|
|
38
47
|
const fs = require("fs");
|
package/lib/verify.js
CHANGED
|
@@ -621,6 +621,14 @@ function loadExpectedFingerprintFirstLine(pinPath) {
|
|
|
621
621
|
// as UTF-8 mojibake — the first line never matches a live fingerprint
|
|
622
622
|
// and the operator sees no signal. Refuse them; re-save as UTF-8.
|
|
623
623
|
if ((b0 === 0xFF && b1 === 0xFE) || (b0 === 0xFE && b1 === 0xFF)) return null;
|
|
624
|
+
// UTF-16BE-without-BOM defense: a pin file saved as UTF-16BE on a host
|
|
625
|
+
// whose editor stripped the BOM (or never wrote one) decodes as
|
|
626
|
+
// 0x00 <printable ASCII> 0x00 <printable ASCII>... The leading NUL byte
|
|
627
|
+
// would survive into the utf8 string and the first-line compare would
|
|
628
|
+
// never match a SHA256:... fingerprint. Detect "00 XX" where XX is
|
|
629
|
+
// printable ASCII (0x20-0x7E) and refuse — same remediation: re-save
|
|
630
|
+
// the file as UTF-8.
|
|
631
|
+
if (b0 === 0x00 && b1 >= 0x20 && b1 <= 0x7E) return null;
|
|
624
632
|
}
|
|
625
633
|
let raw = buf.toString('utf8');
|
|
626
634
|
if (raw.length > 0 && raw.charCodeAt(0) === 0xFEFF) raw = raw.slice(1);
|
|
@@ -747,10 +755,18 @@ if (require.main === module) {
|
|
|
747
755
|
);
|
|
748
756
|
} else if (pinResult.status === 'mismatch') {
|
|
749
757
|
if (pinResult.rotationOverride) {
|
|
750
|
-
|
|
751
|
-
`
|
|
752
|
-
|
|
753
|
-
|
|
758
|
+
process.emitWarning(
|
|
759
|
+
`live key fingerprint ${pinResult.actual} differs from pin ${pinResult.expected}; ` +
|
|
760
|
+
`KEYS_ROTATED=1 accepted. Update keys/EXPECTED_FINGERPRINT to lock the new pin.`,
|
|
761
|
+
{ code: 'EXCEPTD_KEYS_ROTATED_OVERRIDE' }
|
|
762
|
+
);
|
|
763
|
+
// Mirror to stderr unconditionally: NODE_NO_WARNINGS=1 silences
|
|
764
|
+
// process.emitWarning, but a key-rotation override is a
|
|
765
|
+
// security-relevant event that must surface in the operator's
|
|
766
|
+
// terminal even when warnings are muted.
|
|
767
|
+
console.error(
|
|
768
|
+
`[verify] KEYS_ROTATED=1 override accepted; live fingerprint ${pinResult.actual} ` +
|
|
769
|
+
`differs from pin ${pinResult.expected}. Update keys/EXPECTED_FINGERPRINT to lock the new pin.`
|
|
754
770
|
);
|
|
755
771
|
} else {
|
|
756
772
|
console.error(
|
package/manifest-snapshot.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"_comment": "Auto-generated by scripts/refresh-manifest-snapshot.js — do not hand-edit. Public skill surface used by check-manifest-snapshot.js to detect breaking removals.",
|
|
3
|
-
"_generated_at": "2026-05-
|
|
3
|
+
"_generated_at": "2026-05-15T21:41:39.732Z",
|
|
4
4
|
"atlas_version": "5.1.0",
|
|
5
5
|
"skill_count": 38,
|
|
6
6
|
"skills": [
|
package/manifest-snapshot.sha256
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
|
|
1
|
+
e00285a7e3629aac068b46959038a8e9b1ead1ba7c722796c8c749f2b64ed764 manifest-snapshot.json
|
package/manifest.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "exceptd-security",
|
|
3
|
-
"version": "0.12.
|
|
3
|
+
"version": "0.12.25",
|
|
4
4
|
"description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation",
|
|
5
5
|
"homepage": "https://exceptd.com",
|
|
6
6
|
"license": "Apache-2.0",
|
|
@@ -51,8 +51,8 @@
|
|
|
51
51
|
"RFC-7296"
|
|
52
52
|
],
|
|
53
53
|
"last_threat_review": "2026-05-01",
|
|
54
|
-
"signature": "
|
|
55
|
-
"signed_at": "2026-05-
|
|
54
|
+
"signature": "N6H4u/u1fCFE6f/3QVkAr2cumZvLNE+xYBC91CCxKoeaSKm5zqbwzb2mvFDk9XKUegUy5W6npLFGi75yxNMIAg==",
|
|
55
|
+
"signed_at": "2026-05-15T21:41:16.265Z",
|
|
56
56
|
"cwe_refs": [
|
|
57
57
|
"CWE-125",
|
|
58
58
|
"CWE-362",
|
|
@@ -115,8 +115,8 @@
|
|
|
115
115
|
"SOC2-CC6-logical-access"
|
|
116
116
|
],
|
|
117
117
|
"last_threat_review": "2026-05-01",
|
|
118
|
-
"signature": "
|
|
119
|
-
"signed_at": "2026-05-
|
|
118
|
+
"signature": "Xen6ojQGzT4AZUN/WtuQon+gT2UrJyX50nrZwEdxLw5aiz8gDaeMkWo/Bic+h4NFEF7MRd7uDTm0dvKgWnlRBA==",
|
|
119
|
+
"signed_at": "2026-05-15T21:41:16.267Z",
|
|
120
120
|
"cwe_refs": [
|
|
121
121
|
"CWE-1039",
|
|
122
122
|
"CWE-1426",
|
|
@@ -178,8 +178,8 @@
|
|
|
178
178
|
"RFC-9700"
|
|
179
179
|
],
|
|
180
180
|
"last_threat_review": "2026-05-01",
|
|
181
|
-
"signature": "
|
|
182
|
-
"signed_at": "2026-05-
|
|
181
|
+
"signature": "IDhdamTvyWfnz7SvIMrVMz2cwLuiP2/Iw2iYHFNbI1O302XnrGyIVsJcoKZa5QFClBYPiABVt+yI5HEuLxMCBw==",
|
|
182
|
+
"signed_at": "2026-05-15T21:41:16.268Z",
|
|
183
183
|
"cwe_refs": [
|
|
184
184
|
"CWE-22",
|
|
185
185
|
"CWE-345",
|
|
@@ -225,7 +225,7 @@
|
|
|
225
225
|
"framework_gaps": [],
|
|
226
226
|
"last_threat_review": "2026-05-01",
|
|
227
227
|
"signature": "cPRRTsNQT1MYR3cE5O3KdC4MB037EMc0fsMIbOyfOv16sR+DkiXmAhQOjlIC47HngHz3vhLI+rbqItN91VWpBg==",
|
|
228
|
-
"signed_at": "2026-05-
|
|
228
|
+
"signed_at": "2026-05-15T21:41:16.268Z"
|
|
229
229
|
},
|
|
230
230
|
{
|
|
231
231
|
"name": "compliance-theater",
|
|
@@ -256,7 +256,7 @@
|
|
|
256
256
|
],
|
|
257
257
|
"last_threat_review": "2026-05-01",
|
|
258
258
|
"signature": "79NrFMRsqGsipWeE5ETQSVICGO4BjTJYgyir+PSaNVFpkLqLcwZd8Dr1V7iwX0H0fXFL3WpPz35gtrYCEG32BQ==",
|
|
259
|
-
"signed_at": "2026-05-
|
|
259
|
+
"signed_at": "2026-05-15T21:41:16.269Z"
|
|
260
260
|
},
|
|
261
261
|
{
|
|
262
262
|
"name": "exploit-scoring",
|
|
@@ -284,8 +284,8 @@
|
|
|
284
284
|
"CIS-Controls-v8-Control7"
|
|
285
285
|
],
|
|
286
286
|
"last_threat_review": "2026-05-01",
|
|
287
|
-
"signature": "
|
|
288
|
-
"signed_at": "2026-05-
|
|
287
|
+
"signature": "O7YIzAOQtSCFD0pyUdF0otYy9xwksrRGCLnSw5aMMGOs0SYeYA1JsMX5XLxNOQJC8tURC21HgQc/yx22jLtvAw==",
|
|
288
|
+
"signed_at": "2026-05-15T21:41:16.269Z"
|
|
289
289
|
},
|
|
290
290
|
{
|
|
291
291
|
"name": "rag-pipeline-security",
|
|
@@ -321,8 +321,8 @@
|
|
|
321
321
|
"OWASP-LLM-Top-10-2025-LLM08"
|
|
322
322
|
],
|
|
323
323
|
"last_threat_review": "2026-05-01",
|
|
324
|
-
"signature": "
|
|
325
|
-
"signed_at": "2026-05-
|
|
324
|
+
"signature": "ai6ebp9pz7dBigm2rQvQ0SklhDZtHqP3exKtolbEBiN0shQScypJfDBaQN2J3aoOC4dZjjTgIZvGfWLmBxrxBA==",
|
|
325
|
+
"signed_at": "2026-05-15T21:41:16.269Z",
|
|
326
326
|
"cwe_refs": [
|
|
327
327
|
"CWE-1395",
|
|
328
328
|
"CWE-1426"
|
|
@@ -378,8 +378,8 @@
|
|
|
378
378
|
"RFC-9000"
|
|
379
379
|
],
|
|
380
380
|
"last_threat_review": "2026-05-01",
|
|
381
|
-
"signature": "
|
|
382
|
-
"signed_at": "2026-05-
|
|
381
|
+
"signature": "BkDjyCF53MAATVfzERmIhEhi474eWloxD0qyw9Gvw+VFE8aH3pOi+yeCpc0kq0vHAVmAEszwxBKEcuLkJbmSBg==",
|
|
382
|
+
"signed_at": "2026-05-15T21:41:16.270Z",
|
|
383
383
|
"d3fend_refs": [
|
|
384
384
|
"D3-CA",
|
|
385
385
|
"D3-CSPP",
|
|
@@ -414,7 +414,7 @@
|
|
|
414
414
|
"framework_gaps": [],
|
|
415
415
|
"last_threat_review": "2026-05-01",
|
|
416
416
|
"signature": "DxfXhSyoAGUo1emHh0uIIcg324ZreBYxmFdBDVAKOOuPmMlfN4RqNc/JGDSfVmMv5CjgYCUcSmkcYB0A5lk0Cg==",
|
|
417
|
-
"signed_at": "2026-05-
|
|
417
|
+
"signed_at": "2026-05-15T21:41:16.270Z",
|
|
418
418
|
"cwe_refs": [
|
|
419
419
|
"CWE-1188"
|
|
420
420
|
]
|
|
@@ -441,8 +441,8 @@
|
|
|
441
441
|
"attack_refs": [],
|
|
442
442
|
"framework_gaps": [],
|
|
443
443
|
"last_threat_review": "2026-05-01",
|
|
444
|
-
"signature": "
|
|
445
|
-
"signed_at": "2026-05-
|
|
444
|
+
"signature": "rFQ82v+1oAHWixWcGwokKhjZHfXUf6N7EfSgldhQ5Jrbiy3kv5CIbnOCsI6zPWyErSnpKVeBFTabJXnzLrzDCQ==",
|
|
445
|
+
"signed_at": "2026-05-15T21:41:16.271Z"
|
|
446
446
|
},
|
|
447
447
|
{
|
|
448
448
|
"name": "global-grc",
|
|
@@ -474,7 +474,7 @@
|
|
|
474
474
|
"framework_gaps": [],
|
|
475
475
|
"last_threat_review": "2026-05-01",
|
|
476
476
|
"signature": "7yVjZkanFMKDQqXdX4B/7oLc2Rz72xHC1zscYd8F/+e5UAbR7ikK8Bn5EKZt3aBEOhHPAviSQNCMxpZD9U00CA==",
|
|
477
|
-
"signed_at": "2026-05-
|
|
477
|
+
"signed_at": "2026-05-15T21:41:16.271Z"
|
|
478
478
|
},
|
|
479
479
|
{
|
|
480
480
|
"name": "zeroday-gap-learn",
|
|
@@ -500,8 +500,8 @@
|
|
|
500
500
|
"attack_refs": [],
|
|
501
501
|
"framework_gaps": [],
|
|
502
502
|
"last_threat_review": "2026-05-01",
|
|
503
|
-
"signature": "
|
|
504
|
-
"signed_at": "2026-05-
|
|
503
|
+
"signature": "VlPR7yY39hEwDJYYKPgHAOeax9LU0X7eIrR8L7zMFJWS0SdKTalOXXJtD9GppByftnkYAAdryZ8tHQ/KWLtaBQ==",
|
|
504
|
+
"signed_at": "2026-05-15T21:41:16.271Z"
|
|
505
505
|
},
|
|
506
506
|
{
|
|
507
507
|
"name": "pqc-first",
|
|
@@ -553,7 +553,7 @@
|
|
|
553
553
|
],
|
|
554
554
|
"last_threat_review": "2026-05-01",
|
|
555
555
|
"signature": "V+qn5FqUlETfsEjvvi6jZGuQdqLFtFejfgPA6KSYxSlBXBTbOBXP3BGk5S+ba9akIzgbKh1j9VGB1MqsIt56DA==",
|
|
556
|
-
"signed_at": "2026-05-
|
|
556
|
+
"signed_at": "2026-05-15T21:41:16.271Z",
|
|
557
557
|
"cwe_refs": [
|
|
558
558
|
"CWE-327"
|
|
559
559
|
],
|
|
@@ -599,8 +599,8 @@
|
|
|
599
599
|
"Framework publication updates"
|
|
600
600
|
],
|
|
601
601
|
"last_threat_review": "2026-05-01",
|
|
602
|
-
"signature": "
|
|
603
|
-
"signed_at": "2026-05-
|
|
602
|
+
"signature": "WCNz19186cER1eEhCophTIbnL3ltS3FC98I1rfv463aRnuVxPB3sUlD9xHTbxTM2rUABhqKijhdkWiMh2uKxCQ==",
|
|
603
|
+
"signed_at": "2026-05-15T21:41:16.272Z"
|
|
604
604
|
},
|
|
605
605
|
{
|
|
606
606
|
"name": "security-maturity-tiers",
|
|
@@ -637,7 +637,7 @@
|
|
|
637
637
|
],
|
|
638
638
|
"last_threat_review": "2026-05-01",
|
|
639
639
|
"signature": "zjq6ACAHD46xvhvQJKlrCPh5xDCuBuIWBI+QJB8RxcudpC7p7I1pqv+BY8DZdsAgU4tquCU8KC+xlduMIk3/DQ==",
|
|
640
|
-
"signed_at": "2026-05-
|
|
640
|
+
"signed_at": "2026-05-15T21:41:16.272Z",
|
|
641
641
|
"cwe_refs": [
|
|
642
642
|
"CWE-1188"
|
|
643
643
|
]
|
|
@@ -672,7 +672,7 @@
|
|
|
672
672
|
"framework_gaps": [],
|
|
673
673
|
"last_threat_review": "2026-05-11",
|
|
674
674
|
"signature": "/lGgWehCMQUXjI6w4FUa+5wrbyRnct+txvVcXA+D2/ZEkoJKh+J/psO3j5HPf7Hpv+Y5SmkH71CoO+9qilyVDQ==",
|
|
675
|
-
"signed_at": "2026-05-
|
|
675
|
+
"signed_at": "2026-05-15T21:41:16.272Z"
|
|
676
676
|
},
|
|
677
677
|
{
|
|
678
678
|
"name": "attack-surface-pentest",
|
|
@@ -742,8 +742,8 @@
|
|
|
742
742
|
"OWASP WSTG v5.x AI/MCP test cases (currently in working-group draft)",
|
|
743
743
|
"PTES revision incorporating AI-surface enumeration"
|
|
744
744
|
],
|
|
745
|
-
"signature": "
|
|
746
|
-
"signed_at": "2026-05-
|
|
745
|
+
"signature": "RqQMwOKK7xjG9e/Ls4986NOrDwKz/nQmpw1DwNJwV2nlOztyo7MgxUG3kTuLbuW3qCrrkO+CbpBA5nGS1cmKBQ==",
|
|
746
|
+
"signed_at": "2026-05-15T21:41:16.273Z"
|
|
747
747
|
},
|
|
748
748
|
{
|
|
749
749
|
"name": "fuzz-testing-strategy",
|
|
@@ -803,7 +803,7 @@
|
|
|
803
803
|
"OSS-Fuzz-Gen / AI-assisted harness generation becoming the default expectation for OSS maintainers"
|
|
804
804
|
],
|
|
805
805
|
"signature": "+ELdD+1AY5DymBitH7wU65CS60NY1nDoLowJAFn7cE5Gr/5jy9BTkyxsm7PEXaSlXWMOkTf/HQ+uyzyxUVD/Bw==",
|
|
806
|
-
"signed_at": "2026-05-
|
|
806
|
+
"signed_at": "2026-05-15T21:41:16.273Z"
|
|
807
807
|
},
|
|
808
808
|
{
|
|
809
809
|
"name": "dlp-gap-analysis",
|
|
@@ -877,8 +877,8 @@
|
|
|
877
877
|
"MCP gateway / proxy standardisation (Anthropic enterprise MCP gateway, Portkey MCP) — tool-call argument inspection is the missing primary control",
|
|
878
878
|
"Quebec Law 25, India DPDPA, KSA PDPL enforcement actions naming AI-tool prompt data as in-scope personal information"
|
|
879
879
|
],
|
|
880
|
-
"signature": "
|
|
881
|
-
"signed_at": "2026-05-
|
|
880
|
+
"signature": "vL5XeQOk7vwX0sLMuKghj6XLnXsqKcGpCUNMui9HwqnWyNQwgSRGu+JFqP7ZqpP3SUYRZHcVlWhXeTJHyOtiAA==",
|
|
881
|
+
"signed_at": "2026-05-15T21:41:16.273Z"
|
|
882
882
|
},
|
|
883
883
|
{
|
|
884
884
|
"name": "supply-chain-integrity",
|
|
@@ -954,8 +954,8 @@
|
|
|
954
954
|
"EU CRA (Regulation 2024/2847) — implementing acts for technical documentation and SBOM submission expected through 2027",
|
|
955
955
|
"OpenSSF model-signing — emerging Sigstore-based signing standard for ML model weights; track for production adoption"
|
|
956
956
|
],
|
|
957
|
-
"signature": "
|
|
958
|
-
"signed_at": "2026-05-
|
|
957
|
+
"signature": "jp3MxKukV7zW47eX3VcAIMG5WxypMDcfHqwYDodI9YQgTxEojCrRcMSApaoZHTdD3yTQC1JtkXeKxU6K3C5NCg==",
|
|
958
|
+
"signed_at": "2026-05-15T21:41:16.273Z"
|
|
959
959
|
},
|
|
960
960
|
{
|
|
961
961
|
"name": "defensive-countermeasure-mapping",
|
|
@@ -1012,7 +1012,7 @@
|
|
|
1012
1012
|
],
|
|
1013
1013
|
"last_threat_review": "2026-05-11",
|
|
1014
1014
|
"signature": "XZigwq8X/csfrdG10O6Q1V5q0zUqSQGd3QrjRKkZ4fkaodG4mZahYuIQqxc8rU9jjtGAm9LtBXYB+I5csqj9Bw==",
|
|
1015
|
-
"signed_at": "2026-05-
|
|
1015
|
+
"signed_at": "2026-05-15T21:41:16.274Z"
|
|
1016
1016
|
},
|
|
1017
1017
|
{
|
|
1018
1018
|
"name": "identity-assurance",
|
|
@@ -1079,7 +1079,7 @@
|
|
|
1079
1079
|
"d3fend_refs": [],
|
|
1080
1080
|
"last_threat_review": "2026-05-11",
|
|
1081
1081
|
"signature": "k0HrsZMBxiPWB1jl4dRwhv/R5IsqbZ+SLDv1Jx3/sRl51JyXjtm8vyogTNhSwsl5/IkaRakqIPJFRFRl5h/9CQ==",
|
|
1082
|
-
"signed_at": "2026-05-
|
|
1082
|
+
"signed_at": "2026-05-15T21:41:16.274Z"
|
|
1083
1083
|
},
|
|
1084
1084
|
{
|
|
1085
1085
|
"name": "ot-ics-security",
|
|
@@ -1135,7 +1135,7 @@
|
|
|
1135
1135
|
"d3fend_refs": [],
|
|
1136
1136
|
"last_threat_review": "2026-05-11",
|
|
1137
1137
|
"signature": "oHxjumOhk8y86WcwhAX8sSWIlPzt60KfTMn4DCJLeRrrQd5+i54fVADKAdZ3vOqfDN+DexO0uX4f5dLPtacRCQ==",
|
|
1138
|
-
"signed_at": "2026-05-
|
|
1138
|
+
"signed_at": "2026-05-15T21:41:16.274Z"
|
|
1139
1139
|
},
|
|
1140
1140
|
{
|
|
1141
1141
|
"name": "coordinated-vuln-disclosure",
|
|
@@ -1187,7 +1187,7 @@
|
|
|
1187
1187
|
"NYDFS 23 NYCRR 500 amendments potentially adding explicit CVD program requirements"
|
|
1188
1188
|
],
|
|
1189
1189
|
"signature": "UCiNjncvhkZItmLQA/Sm1/NCsOiLMwdCjfUw+067v4NIxhaMMaqRrAeD3KgMyEtov7m2Hq2kfwYSt5+DQsYDCQ==",
|
|
1190
|
-
"signed_at": "2026-05-
|
|
1190
|
+
"signed_at": "2026-05-15T21:41:16.275Z"
|
|
1191
1191
|
},
|
|
1192
1192
|
{
|
|
1193
1193
|
"name": "threat-modeling-methodology",
|
|
@@ -1237,7 +1237,7 @@
|
|
|
1237
1237
|
"PASTA v2 updates incorporating AI/ML application threats"
|
|
1238
1238
|
],
|
|
1239
1239
|
"signature": "V9kl8Cf8UMjNFyn3D/fSyhWHLeXWlx3WV/jT9jdF9SrjfDqymimuTt2o91cZ2FOEJndAH9V0JGXB13Ohz8K4CQ==",
|
|
1240
|
-
"signed_at": "2026-05-
|
|
1240
|
+
"signed_at": "2026-05-15T21:41:16.275Z"
|
|
1241
1241
|
},
|
|
1242
1242
|
{
|
|
1243
1243
|
"name": "webapp-security",
|
|
@@ -1310,8 +1310,8 @@
|
|
|
1310
1310
|
],
|
|
1311
1311
|
"d3fend_refs": [],
|
|
1312
1312
|
"last_threat_review": "2026-05-11",
|
|
1313
|
-
"signature": "
|
|
1314
|
-
"signed_at": "2026-05-
|
|
1313
|
+
"signature": "ENSL4MJSNXhriKsTVBjg2jTc7JTtb6mxqbfBw/SVVajPMkLMcLBk4Gem9LhZWZ8DSqyWLnFO2d6hlz5q8bjuCg==",
|
|
1314
|
+
"signed_at": "2026-05-15T21:41:16.275Z"
|
|
1315
1315
|
},
|
|
1316
1316
|
{
|
|
1317
1317
|
"name": "ai-risk-management",
|
|
@@ -1360,8 +1360,8 @@
|
|
|
1360
1360
|
],
|
|
1361
1361
|
"d3fend_refs": [],
|
|
1362
1362
|
"last_threat_review": "2026-05-11",
|
|
1363
|
-
"signature": "
|
|
1364
|
-
"signed_at": "2026-05-
|
|
1363
|
+
"signature": "8E82UwKFNraXV/MKAbiUV6gUryYuN+Ff/kiv1aW4/XtriShdTyt/UgRuQJ8LXGXl0jMH8hRJ/xTAV8LOJqexDA==",
|
|
1364
|
+
"signed_at": "2026-05-15T21:41:16.276Z"
|
|
1365
1365
|
},
|
|
1366
1366
|
{
|
|
1367
1367
|
"name": "sector-healthcare",
|
|
@@ -1421,7 +1421,7 @@
|
|
|
1421
1421
|
"d3fend_refs": [],
|
|
1422
1422
|
"last_threat_review": "2026-05-11",
|
|
1423
1423
|
"signature": "BDuLcpTeFp2BNSf1q4rYOhYKNhlgd3o5RZ0Uw9xW5olyYxPbZSgqekQ+6Ggaec09s7y6sqR37GS0vuAMdbrdDQ==",
|
|
1424
|
-
"signed_at": "2026-05-
|
|
1424
|
+
"signed_at": "2026-05-15T21:41:16.276Z"
|
|
1425
1425
|
},
|
|
1426
1426
|
{
|
|
1427
1427
|
"name": "sector-financial",
|
|
@@ -1501,8 +1501,8 @@
|
|
|
1501
1501
|
"OSFI B-13 (Technology and Cyber Risk Management) post-2024 examination findings",
|
|
1502
1502
|
"TIBER-EU framework v2.0 alignment with DORA TLPT RTS (JC 2024/40); cross-recognition with CBEST and iCAST"
|
|
1503
1503
|
],
|
|
1504
|
-
"signature": "
|
|
1505
|
-
"signed_at": "2026-05-
|
|
1504
|
+
"signature": "w12QqGBlRDaDVYug9uQVmEbxR7+gX23rOKZSjlt3XcszYDHBCRiP4cBRKMuEguu44DCaQsg+Btu4vAVMlss9Dg==",
|
|
1505
|
+
"signed_at": "2026-05-15T21:41:16.276Z"
|
|
1506
1506
|
},
|
|
1507
1507
|
{
|
|
1508
1508
|
"name": "sector-federal-government",
|
|
@@ -1571,7 +1571,7 @@
|
|
|
1571
1571
|
"Australia PSPF 2024 revision and ISM quarterly updates — track for Essential Eight Maturity Level requirements for federal entities"
|
|
1572
1572
|
],
|
|
1573
1573
|
"signature": "nMsyJ+rp5fM8/VjC7zsZyDjOC4hpxB+noT1VX7W0HBlq5t3SY56cwOGApwES/kBcCuf4qexKY376OxUr93zvCQ==",
|
|
1574
|
-
"signed_at": "2026-05-
|
|
1574
|
+
"signed_at": "2026-05-15T21:41:16.277Z"
|
|
1575
1575
|
},
|
|
1576
1576
|
{
|
|
1577
1577
|
"name": "sector-energy",
|
|
@@ -1636,7 +1636,7 @@
|
|
|
1636
1636
|
"ICS-CERT advisory feed (https://www.cisa.gov/news-events/cybersecurity-advisories/ics-advisories) for vendor CVEs in Siemens, Rockwell, Schneider Electric, ABB, GE Vernova, Hitachi Energy, AVEVA / OSIsoft PI"
|
|
1637
1637
|
],
|
|
1638
1638
|
"signature": "L1moEqEGkBkqY/3ohJcfqrlJn40UurDCyb2MOP/IwTAeZD+QbVZ17/drdsydkJ6qSXPiyiE6u8HDfZsDS13NBQ==",
|
|
1639
|
-
"signed_at": "2026-05-
|
|
1639
|
+
"signed_at": "2026-05-15T21:41:16.277Z"
|
|
1640
1640
|
},
|
|
1641
1641
|
{
|
|
1642
1642
|
"name": "api-security",
|
|
@@ -1704,8 +1704,8 @@
|
|
|
1704
1704
|
],
|
|
1705
1705
|
"d3fend_refs": [],
|
|
1706
1706
|
"last_threat_review": "2026-05-11",
|
|
1707
|
-
"signature": "
|
|
1708
|
-
"signed_at": "2026-05-
|
|
1707
|
+
"signature": "JHGu5OI35payaFR1At3XZIX4HnflgF3lI9vk/XsHpu0loWHtbTiA/SrNzTuWO+be8aIfd36uNz7WnJNwBTCHDA==",
|
|
1708
|
+
"signed_at": "2026-05-15T21:41:16.278Z"
|
|
1709
1709
|
},
|
|
1710
1710
|
{
|
|
1711
1711
|
"name": "cloud-security",
|
|
@@ -1786,7 +1786,7 @@
|
|
|
1786
1786
|
"CISA KEV additions for cloud-control-plane CVEs (IMDSv1 abuses, federation token mishandling, cross-tenant boundary failures); CISA Cybersecurity Advisories for cross-cloud advisories"
|
|
1787
1787
|
],
|
|
1788
1788
|
"signature": "UEn0305KAEqIfYOdzadLBdPG/PJ+3sJ/8ubvPFNcXfqXp2uOWTfqGUqY65PApA992VEEa1RBQt5R7Nyhd/OjDQ==",
|
|
1789
|
-
"signed_at": "2026-05-
|
|
1789
|
+
"signed_at": "2026-05-15T21:41:16.278Z"
|
|
1790
1790
|
},
|
|
1791
1791
|
{
|
|
1792
1792
|
"name": "container-runtime-security",
|
|
@@ -1847,8 +1847,8 @@
|
|
|
1847
1847
|
],
|
|
1848
1848
|
"d3fend_refs": [],
|
|
1849
1849
|
"last_threat_review": "2026-05-11",
|
|
1850
|
-
"signature": "
|
|
1851
|
-
"signed_at": "2026-05-
|
|
1850
|
+
"signature": "lPd9tHAskNapjrWwFWhsb8ntAL0xovDCIGElsOCyjcafzby4ArwRw5Lq28sfNloJZAhMN+AWj+lDdFytiUQHCQ==",
|
|
1851
|
+
"signed_at": "2026-05-15T21:41:16.278Z"
|
|
1852
1852
|
},
|
|
1853
1853
|
{
|
|
1854
1854
|
"name": "mlops-security",
|
|
@@ -1918,8 +1918,8 @@
|
|
|
1918
1918
|
"EU AI Act high-risk technical-file implementing acts (2026-2027) — operational requirements for Article 10 / 13 / 15 documentation may pin ML-BOM or model-signing",
|
|
1919
1919
|
"MITRE ATLAS v5.2 — track AML.T0010 sub-technique expansion and any new MLOps-pipeline-specific TTPs"
|
|
1920
1920
|
],
|
|
1921
|
-
"signature": "
|
|
1922
|
-
"signed_at": "2026-05-
|
|
1921
|
+
"signature": "U+HyElcP007FIblXUE/nFpj/rZ5z3VohsvxRCWEuuJDLdOnsXYEadb7ccr3X7S4aRG2MC4T2KtVtgbKIuO5QDw==",
|
|
1922
|
+
"signed_at": "2026-05-15T21:41:16.278Z"
|
|
1923
1923
|
},
|
|
1924
1924
|
{
|
|
1925
1925
|
"name": "incident-response-playbook",
|
|
@@ -1980,8 +1980,8 @@
|
|
|
1980
1980
|
"IL INCD Incident Response Process v4 (slated for 2026-2027) consolidating AI-incident sub-class",
|
|
1981
1981
|
"NYDFS 23 NYCRR 500.17 amendments tightening ransom-payment 24h disclosure operationalization"
|
|
1982
1982
|
],
|
|
1983
|
-
"signature": "
|
|
1984
|
-
"signed_at": "2026-05-
|
|
1983
|
+
"signature": "XB3TVjNRBlqqbIhatFoYtTJHTS51nVt9k7DVrb2roUflLDjbCnaTbrpztA2oqJyyxwgnLlX+K7NW8oYOYEMeCg==",
|
|
1984
|
+
"signed_at": "2026-05-15T21:41:16.279Z"
|
|
1985
1985
|
},
|
|
1986
1986
|
{
|
|
1987
1987
|
"name": "email-security-anti-phishing",
|
|
@@ -2034,7 +2034,7 @@
|
|
|
2034
2034
|
"d3fend_refs": [],
|
|
2035
2035
|
"last_threat_review": "2026-05-11",
|
|
2036
2036
|
"signature": "RiCryJEd66T2NNcSo/mZTd3sGWDycE3C37guLJanLdVL5co35DrPFmIl8qy3ZM/y+Wzg5vpny8VKgr1//1/bCA==",
|
|
2037
|
-
"signed_at": "2026-05-
|
|
2037
|
+
"signed_at": "2026-05-15T21:41:16.279Z"
|
|
2038
2038
|
},
|
|
2039
2039
|
{
|
|
2040
2040
|
"name": "age-gates-child-safety",
|
|
@@ -2102,11 +2102,11 @@
|
|
|
2102
2102
|
"US state adult-site age-verification laws — 19+ states by mid-2026 (TX HB 18 upheld by SCOTUS June 2025 in Free Speech Coalition v. Paxton); track ongoing challenges in remaining states"
|
|
2103
2103
|
],
|
|
2104
2104
|
"signature": "MMWvg3lIf5ygm31zyf1E43t3W9MfRbMBBPrqlj1wOa8AxVJL8LICnAXfmyJ/TNJXwpF+rfZeDdoxXkql8wmtBA==",
|
|
2105
|
-
"signed_at": "2026-05-
|
|
2105
|
+
"signed_at": "2026-05-15T21:41:16.280Z"
|
|
2106
2106
|
}
|
|
2107
2107
|
],
|
|
2108
2108
|
"manifest_signature": {
|
|
2109
2109
|
"algorithm": "Ed25519",
|
|
2110
|
-
"signature_base64": "
|
|
2110
|
+
"signature_base64": "8ZKhK6UE1u8hbZKZWxMqLFd8AFWjAJQzGVoxF3/CQPKIrUlOKjlkb5M/ghy13meJPgHFJrlLy2a2QjJT2pG0BQ=="
|
|
2111
2111
|
}
|
|
2112
2112
|
}
|
package/package.json
CHANGED
|
@@ -1,16 +1,19 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@blamejs/exceptd-skills",
|
|
3
|
-
"version": "0.12.
|
|
3
|
+
"version": "0.12.25",
|
|
4
4
|
"description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 38 skills, 10 catalogs, 34 jurisdictions, pre-computed indexes, Ed25519-signed.",
|
|
5
5
|
"keywords": [
|
|
6
6
|
"ai-security",
|
|
7
7
|
"ai-skills",
|
|
8
8
|
"atlas",
|
|
9
9
|
"att-ck",
|
|
10
|
+
"attestation",
|
|
10
11
|
"compliance",
|
|
12
|
+
"csaf-2.0",
|
|
11
13
|
"cve",
|
|
12
14
|
"cwe",
|
|
13
15
|
"d3fend",
|
|
16
|
+
"ed25519",
|
|
14
17
|
"framework-gap",
|
|
15
18
|
"grc",
|
|
16
19
|
"kev",
|
|
@@ -18,8 +21,11 @@
|
|
|
18
21
|
"mcp",
|
|
19
22
|
"nist",
|
|
20
23
|
"nvd",
|
|
24
|
+
"openvex",
|
|
21
25
|
"prompt-injection",
|
|
26
|
+
"provenance",
|
|
22
27
|
"rwep",
|
|
28
|
+
"sarif",
|
|
23
29
|
"security-research",
|
|
24
30
|
"skills",
|
|
25
31
|
"supply-chain",
|
|
@@ -37,7 +43,7 @@
|
|
|
37
43
|
"license": "Apache-2.0",
|
|
38
44
|
"author": "blamejs contributors",
|
|
39
45
|
"engines": {
|
|
40
|
-
"node": ">=
|
|
46
|
+
"node": ">=22.11.0"
|
|
41
47
|
},
|
|
42
48
|
"bin": {
|
|
43
49
|
"exceptd": "bin/exceptd.js"
|
package/sbom.cdx.json
CHANGED
|
@@ -1,10 +1,10 @@
|
|
|
1
1
|
{
|
|
2
2
|
"bomFormat": "CycloneDX",
|
|
3
3
|
"specVersion": "1.6",
|
|
4
|
-
"serialNumber": "urn:uuid:
|
|
4
|
+
"serialNumber": "urn:uuid:a9017f34-6f9a-492e-9a7a-8a078a936f7a",
|
|
5
5
|
"version": 1,
|
|
6
6
|
"metadata": {
|
|
7
|
-
"timestamp": "2026-05-
|
|
7
|
+
"timestamp": "2026-05-15T21:41:40.722Z",
|
|
8
8
|
"tools": [
|
|
9
9
|
{
|
|
10
10
|
"name": "hand-written",
|
|
@@ -13,10 +13,10 @@
|
|
|
13
13
|
}
|
|
14
14
|
],
|
|
15
15
|
"component": {
|
|
16
|
-
"bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.12.
|
|
16
|
+
"bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.12.25",
|
|
17
17
|
"type": "application",
|
|
18
18
|
"name": "@blamejs/exceptd-skills",
|
|
19
|
-
"version": "0.12.
|
|
19
|
+
"version": "0.12.25",
|
|
20
20
|
"description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 38 skills, 10 catalogs, 34 jurisdictions, pre-computed indexes, Ed25519-signed.",
|
|
21
21
|
"licenses": [
|
|
22
22
|
{
|
|
@@ -25,11 +25,11 @@
|
|
|
25
25
|
}
|
|
26
26
|
}
|
|
27
27
|
],
|
|
28
|
-
"purl": "pkg:npm/%40blamejs/exceptd-skills@0.12.
|
|
28
|
+
"purl": "pkg:npm/%40blamejs/exceptd-skills@0.12.25",
|
|
29
29
|
"externalReferences": [
|
|
30
30
|
{
|
|
31
31
|
"type": "distribution",
|
|
32
|
-
"url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.12.
|
|
32
|
+
"url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.12.25"
|
|
33
33
|
},
|
|
34
34
|
{
|
|
35
35
|
"type": "vcs",
|