@blamejs/exceptd-skills 0.12.27 → 0.12.28

package/AGENTS.md

@@ -353,6 +353,9 @@ Maintainers convert approved requests into skill files. The contributor is credi
 | container security, kubernetes, cis k8s, pod security standards, kyverno, gatekeeper, falco, tetragon, admission policy | container-runtime-security |
 | mlops security, model registry, training data integrity, mlflow, kubeflow, vertex ai, sagemaker, hugging face, model signing, drift detection | mlops-security |
 | incident response, ir playbook, csirt, picerl, nist 800-61, iso 27035, breach notification, bec incident, ai incident | incident-response-playbook |
+| ransomware response, decryptor, no more ransom, ofac sdn, cyber insurance, immutable backup, double extortion, phi exfil before encrypt, lockbit, alphv, akira | ransomware-response |
+| idp incident, okta tenant compromise, entra id, auth0, saml token forgery, oauth consent abuse, federated trust modification, midnight blizzard, scattered spider | idp-incident-response |
+| cloud iam incident, aws account takeover, gcp account takeover, azure account takeover, cross-account assume-role, imds, access key leak, snowflake breach, scim, workload identity | cloud-iam-incident |
 | email security, anti-phishing, dmarc, dkim, spf, bimi, arc, mta-sts, bec, vishing, deepfake phishing | email-security-anti-phishing |
 | age gate, age verification, coppa, cipa, california aadc, uk children's code, kosa, gdpr article 8, dsa article 28, parental consent, csam, child safety, children's online safety | age-gates-child-safety |
 | forward watch, watchlist, upcoming standards, horizon scan | `node orchestrator/index.js watchlist` (add `--by-skill` to invert) |

package/CHANGELOG.md

@@ -1,5 +1,27 @@
 # Changelog
 
+## 0.12.28 — 2026-05-15
+
+Incident-response cluster — three new playbooks and skills covering identity-provider tenant compromise, cloud-IAM account takeover, and ransomware response. The existing `incident-response-playbook` skill stays as the generic PICERL backbone; the new surface adds attack-class-specific depth for the three IR scenarios that dominate 2025-2026 breach reporting.
+
+### Features
+
+**`idp-incident` playbook + `idp-incident-response` skill.** Tenant-compromise response for Okta / Entra ID / Auth0 / Ping / OneLogin. Covers federated-trust modification, OAuth consent abuse, SAML token forgery, cross-tenant relationship abuse, dormant service-account reactivation, and help-desk social engineering. Maps T1078.004, T1098.001, T1556.007, T1606.002, T1199. Eight jurisdiction clocks (GDPR Art.33/34, NIS2 Art.23, DORA Art.19, NYDFS 500.17, CCPA/CPRA, AU NDB, UK GDPR). Detects on unauthorized consent grants from non-corp tenants, anomalous federated-trust additions, MFA factor swaps without password reset, recent high-privilege role assignments, and cross-tenant assumption anomalies — each indicator carries explicit false-positive checks.
+
+**`cloud-iam-incident` playbook + `cloud-iam-incident` skill.** Account-takeover response for AWS / GCP / Azure. Covers cross-account assume-role abuse, IMDS exposure, managed-identity token replay, access-key leakage to public repositories, federated-trust attacks against IAM Identity Center, and crypto-mining detection via GPU-instance creation. Maps T1078.004, T1098.001, T1098.003, T1136.003, T1538, T1552.005, T1562.008, T1580. Ten jurisdiction clocks including SG PDPA, JP APPI, and US-CA. Detects on root-login ASN anomalies, mass IAM-user creation outside IaC, unused-region resource creation, cross-account assume-role anomalies, IMDSv1 legacy access, KMS key-policy self-grants, and S3-bucket public-grant events.
+
+**`ransomware` playbook + `ransomware-response` skill.** Ransomware-specific incident response — extends the generic `incident-response-playbook` with the four decision properties that don't appear in standard IR frameworks: OFAC SDN sanctions check (BLOCKING for payment posture; payment to a sanctioned threat actor is a federal-law violation in the US), decryptor availability (No More Ransom + vendor-specific decryptors), cyber-insurance carrier notification posture (most policies require 24-hour notification), and immutable-backup viability versus replication-only "backups." Sixteen jurisdiction obligations spanning OFAC (0-hour BLOCKING), insurance carrier (24h), NIS2 (24h), DORA (4h), GDPR (72h), SEC 8-K (4 business days), HIPAA, CCPA, NYDFS ransom-event notification, and CIRCIA. Detects on mass file-extension change events, shadow-copy deletion outside maintenance windows, encrypted-file-extension growth rate anomalies, BloodHound-class AD reconnaissance, and large outbound transfers 24-72 hours before encryption (exfil-before-encrypt as distinct breach class).
+
+### Internal
+
+- Skill count 39 → 42 (Ed25519 manifest re-signed).
+- Playbook count 13 → 16 (validator `tests/validate-playbooks.test.js` updated).
+- RFC catalog: added RFC-7591 (OAuth 2.0 Dynamic Client Registration), RFC-8693 (OAuth 2.0 Token Exchange), RFC-9068 (JWT Profile for OAuth 2.0 Access Tokens).
+- ATT&CK techniques added to resolution catalog: T1098.001, T1098.003, T1136.003, T1538, T1562.008, T1580, T1606.002.
+- Framework-control-gaps catalog: 22 new entries covering federated-identity gaps (NIST 800-53 IA-5, ISO 27001 A.5.16-17, SOC 2 CC6, UK CAF B2, AU ISM-1559), cloud-IAM gaps (FedRAMP IL5, NIST AC-2 cross-account, ISO 27017, AWS Security Hub coverage, AU ISM-1546), and ransomware-specific gaps (OFAC SDN payment block, cyber-insurance 24h notification, EU Reg 2014/833 cyber sanctions, immutable-backup recovery, decryptor availability pre-decision, PHI-exfil-before-encrypt breach class).
+- AGENTS.md Quick Skill Reference table extended with the three new skills.
+
+
 ## 0.12.27 — 2026-05-15
 
 **Patch: opt-in `--bundle-deterministic` mode for reproducible CSAF + OpenVEX + close-envelope bytes. Closes cycle 6 III P2-E + cycle 7 CCC bundle-non-determinism finding.**

package/data/_indexes/_meta.json

@@ -1,20 +1,20 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-15T22:38:59.213Z",
+  "generated_at": "2026-05-15T23:31:25.676Z",
   "generator": "scripts/build-indexes.js",
-  "source_count": 51,
+  "source_count": 54,
   "source_hashes": {
-    "manifest.json": "9862095ee05729021d2dd51765c370ed24377e73c536b237817ef7ce4a7ba437",
+    "manifest.json": "41d91731d616c0e2514783212f7eb32761298ab40cde66aa6076724aff729190",
     "data/atlas-ttps.json": "db52a797f6ba7c9a61fd7b1225ebbc268ddf21abe29a106c4246c2ed2e617b86",
-    "data/attack-techniques.json": "6b45448aa42cc6664376c93da73356624708e935c12589ee8c776a10215bce3a",
+    "data/attack-techniques.json": "51f60819aef36e960fd768e44dcc725e137781534fbbb028e5ef6baa21defa1d",
     "data/cve-catalog.json": "a2acad16f5e3856b07019fa00110e9dcb38ec5cc71b318d0e164bfcba7f4f644",
     "data/cwe-catalog.json": "19893d2a7139d86ff3fcf296b0e6cda10e357727a1d1ffb56af282104e99157a",
     "data/d3fend-catalog.json": "d219520c8d3eb61a270b25ea60f64721035e98a8d5d51d1a4e1f1140d9a586f9",
     "data/dlp-controls.json": "8ea8d907aea0a2cfd772b048a62122a322ba3284a5c36a272ad5e9d392564cb5",
     "data/exploit-availability.json": "a9eeda95d24b56c28a0d0178fc601b531653e2ba7dc857160b35ad23ad6c7471",
-    "data/framework-control-gaps.json": "e87790cae8839dc5d73632d7d875d12cffa2ad741a9002ec7851e1ae04df54c4",
+    "data/framework-control-gaps.json": "8d6cbf6c8fc38060c5cea9f300a61b4d0cbbda5e490983bd6780d0b0ae841e5a",
     "data/global-frameworks.json": "0168825497e03f079274c9da2e5529310a2ba5bd7c7da7c93acd0b66ed845b8a",
-    "data/rfc-references.json": "863f1ad7a36c020d11eb7bffea49ca1df89b10d43f3986118cdc5a5712308115",
+    "data/rfc-references.json": "a11de1bcff62b8f5e0bb8ce47a9b3fa26cf733ba283a8f1c9c4185d74efaad3e",
     "data/zeroday-lessons.json": "d960e5f8ca7a83c10194cd60207e13046a7eee1b8793e2f3de79475db283f800",
     "skills/kernel-lpe-triage/skill.md": "8e94bfd38d6db47342fbbe95a0c8df8f7c38743982c13e9de6a1c59cd3783d33",
     "skills/ai-attack-surface/skill.md": "13e543fc92b9b27cdb647dce96a9eeb44919e0fa92ec41e8265a9981a23e7b79",
@@ -53,36 +53,39 @@
     "skills/container-runtime-security/skill.md": "f06260f0c468d6a4f0409294899017edab45c98d71db1fedd7a630fe6a7bf53a",
     "skills/mlops-security/skill.md": "e6a296fc67724aa3b026c0039f44867b44cf0926eade4fe616bfd0a4c77310bf",
     "skills/incident-response-playbook/skill.md": "8ef7ce1246dc1329b6df3cc9de8d79d35e2c02c703dcef20f35b312b1c24fd52",
+    "skills/ransomware-response/skill.md": "ffe07ba8c196aabceb69b07dafa7a9c3ca2ec8e5ce079107f4eec82512a01be1",
     "skills/email-security-anti-phishing/skill.md": "b5a7693b3ddbd6cd83303d092bc5e324db431245d25c4945d9f65fcffa1995e7",
-    "skills/age-gates-child-safety/skill.md": "c741d7dca9da0abb09bdebb8a02e803ce4ae9fb9a6904fb8df3ec19cae83917d"
+    "skills/age-gates-child-safety/skill.md": "c741d7dca9da0abb09bdebb8a02e803ce4ae9fb9a6904fb8df3ec19cae83917d",
+    "skills/cloud-iam-incident/skill.md": "35a9dd108679103c0eca54ea0c5b8f3db0a199975f87e20660b2c3a11440f40b",
+    "skills/idp-incident-response/skill.md": "39b5b492914e9092fe1c0b2be5af83d4ed869939996b6a201f2d0cd8142ab8f3"
   },
-  "skill_count": 39,
+  "skill_count": 42,
   "catalog_count": 11,
   "index_stats": {
     "xref_entries": {
-      "cwe_refs": 34,
-      "d3fend_refs": 20,
-      "framework_gaps": 58,
+      "cwe_refs": 36,
+      "d3fend_refs": 21,
+      "framework_gaps": 80,
       "atlas_refs": 10,
-      "attack_refs": 32,
-      "rfc_refs": 20,
+      "attack_refs": 39,
+      "rfc_refs": 23,
       "dlp_refs": 0
     },
-    "trigger_table_entries": 475,
+    "trigger_table_entries": 538,
     "chains_cve_entries": 27,
     "chains_cwe_entries": 55,
     "jurisdictions_indexed": 29,
-    "handoff_dag_nodes": 39,
-    "summary_cards": 39,
-    "section_offsets_skills": 39,
-    "token_budget_total_approx": 362735,
+    "handoff_dag_nodes": 42,
+    "summary_cards": 42,
+    "section_offsets_skills": 42,
+    "token_budget_total_approx": 397336,
     "recipes": 8,
     "jurisdiction_clocks": 29,
     "did_ladders": 8,
     "theater_fingerprints": 7,
     "currency_action_required": 0,
     "frequency_fields": 7,
-    "activity_feed_events": 51,
+    "activity_feed_events": 54,
     "catalog_summaries": 11,
     "stale_content_findings": 3
   },

package/data/_indexes/activity-feed.json

@@ -2,7 +2,7 @@
   "_meta": {
     "schema_version": "1.0.0",
     "note": "Per-artifact 'last changed' feed sorted descending by date. Skill events from manifest.last_threat_review; catalog events from data/<catalog>.json _meta.last_updated.",
-    "event_count": 51
+    "event_count": 54
   },
   "events": [
     {
@@ -12,6 +12,27 @@
       "path": "skills/sector-telecom/skill.md",
       "note": "Telecom and 5G security for mid-2026 — Salt Typhoon, Volt Typhoon, CALEA / IPA-LI gateway compromise, signaling-protocol abuse (SS7 / Diameter / GTP), 5G N6 / N9 isolation, gNB / DU / CU integrity, OEM-equipment supply-chain compromise, AI-RAN / O-RAN security"
     },
+    {
+      "date": "2026-05-15",
+      "type": "skill_review",
+      "artifact": "ransomware-response",
+      "path": "skills/ransomware-response/skill.md",
+      "note": "Ransomware-specific incident response — OFAC SDN sanctions screening as payment-posture blocker, EU Reg 2014/833 + UK OFSI + AU DFAT + JP MOF cross-jurisdiction sanctions lookups, decryptor availability via No More Ransom + vendor-specific catalogs, cyber-insurance carrier 24h notification, negotiator-engagement legal posture, immutable-backup viability test, PHI exfil-before-encrypt as distinct breach class, parallel jurisdiction clocks"
+    },
+    {
+      "date": "2026-05-15",
+      "type": "skill_review",
+      "artifact": "cloud-iam-incident",
+      "path": "skills/cloud-iam-incident/skill.md",
+      "note": "Cloud-IAM incident response for AWS / GCP / Azure — account takeover, IAM role assumption abuse, access-key compromise, cross-account assume-role chains, federated-trust attacks, IMDS metadata exfiltration, and Snowflake-AA24-class IdP-to-cloud credential reuse"
+    },
+    {
+      "date": "2026-05-15",
+      "type": "skill_review",
+      "artifact": "idp-incident-response",
+      "path": "skills/idp-incident-response/skill.md",
+      "note": "Identity-provider incident response for mid-2026 — Okta, Entra ID, Auth0, Ping, OneLogin tenant compromise, federated-trust abuse, OAuth app consent abuse, Midnight Blizzard and Scattered Spider TTPs against the IdP control plane"
+    },
     {
       "date": "2026-05-15",
       "type": "catalog_update",
@@ -26,7 +47,7 @@
       "artifact": "data/attack-techniques.json",
       "path": "data/attack-techniques.json",
       "schema_version": "1.0.0",
-      "entry_count": 91
+      "entry_count": 98
     },
     {
       "date": "2026-05-15",
@@ -42,7 +63,7 @@
       "artifact": "data/framework-control-gaps.json",
       "path": "data/framework-control-gaps.json",
       "schema_version": "1.0.0",
-      "entry_count": 87
+      "entry_count": 109
     },
     {
       "date": "2026-05-15",
@@ -58,7 +79,7 @@
       "artifact": "data/rfc-references.json",
       "path": "data/rfc-references.json",
       "schema_version": "1.0.0",
-      "entry_count": 38
+      "entry_count": 41
     },
     {
       "date": "2026-05-15",
@@ -371,7 +392,7 @@
       "type": "manifest_review",
       "artifact": "manifest.json",
       "path": "manifest.json",
-      "note": "manifest threat_review_date — 39 skills, 11 catalogs"
+      "note": "manifest threat_review_date — 42 skills, 11 catalogs"
     }
   ]
 }

package/data/_indexes/catalog-summaries.json

@@ -40,7 +40,7 @@
         "rebuild_after_days": 365,
         "note": "Catalog must be rebuilt against the upstream ATT&CK release whenever MITRE publishes a new version. AGENTS.md external-data version-pinning rule requires the bump to be intentional, not silent. ATT&CK ships semi-annually (April + October); audit on each release for tactic moves, technique splits, and new Detection Strategies."
       },
-      "entry_count": 91,
+      "entry_count": 98,
       "sample_keys": [
         "T0001",
         "T0017",
@@ -172,7 +172,7 @@
         "rebuild_after_days": 365,
         "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
       },
-      "entry_count": 87,
+      "entry_count": 109,
       "sample_keys": [
         "ALL-AI-PIPELINE-INTEGRITY",
         "ALL-MCP-TOOL-TRUST",
@@ -216,7 +216,7 @@
         "rebuild_after_days": 365,
         "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
       },
-      "entry_count": 38,
+      "entry_count": 41,
       "sample_keys": [
         "RFC-4301",
         "RFC-4303",