@blamejs/exceptd-skills 0.12.27 → 0.12.29

package/data/_indexes/section-offsets.json

@@ -3729,6 +3729,100 @@
         }
       ]
     },
+    "ransomware-response": {
+      "path": "skills/ransomware-response/skill.md",
+      "total_bytes": 48211,
+      "total_lines": 375,
+      "frontmatter": {
+        "line_start": 1,
+        "line_end": 70,
+        "byte_start": 0,
+        "byte_end": 3027
+      },
+      "sections": [
+        {
+          "name": "Threat Context (mid-2026)",
+          "normalized_name": "threat-context",
+          "line": 80,
+          "byte_start": 4868,
+          "byte_end": 10227,
+          "bytes": 5359,
+          "h3_count": 0
+        },
+        {
+          "name": "Framework Lag Declaration",
+          "normalized_name": "framework-lag-declaration",
+          "line": 97,
+          "byte_start": 10227,
+          "byte_end": 17022,
+          "bytes": 6795,
+          "h3_count": 0
+        },
+        {
+          "name": "TTP Mapping",
+          "normalized_name": "ttp-mapping",
+          "line": 125,
+          "byte_start": 17022,
+          "byte_end": 19241,
+          "bytes": 2219,
+          "h3_count": 0
+        },
+        {
+          "name": "Exploit Availability Matrix",
+          "normalized_name": "exploit-availability-matrix",
+          "line": 140,
+          "byte_start": 19241,
+          "byte_end": 21833,
+          "bytes": 2592,
+          "h3_count": 0
+        },
+        {
+          "name": "Analysis Procedure",
+          "normalized_name": "analysis-procedure",
+          "line": 160,
+          "byte_start": 21833,
+          "byte_end": 33341,
+          "bytes": 11508,
+          "h3_count": 10
+        },
+        {
+          "name": "Output Format",
+          "normalized_name": "output-format",
+          "line": 222,
+          "byte_start": 33341,
+          "byte_end": 37152,
+          "bytes": 3811,
+          "h3_count": 6
+        },
+        {
+          "name": "Compliance Theater Check",
+          "normalized_name": "compliance-theater-check",
+          "line": 325,
+          "byte_start": 37152,
+          "byte_end": 40939,
+          "bytes": 3787,
+          "h3_count": 0
+        },
+        {
+          "name": "Defensive Countermeasure Mapping",
+          "normalized_name": "defensive-countermeasure-mapping",
+          "line": 341,
+          "byte_start": 40939,
+          "byte_end": 44725,
+          "bytes": 3786,
+          "h3_count": 0
+        },
+        {
+          "name": "Hand-Off / Related Skills",
+          "normalized_name": "hand-off",
+          "line": 360,
+          "byte_start": 44725,
+          "byte_end": 48211,
+          "bytes": 3486,
+          "h3_count": 0
+        }
+      ]
+    },
     "email-security-anti-phishing": {
       "path": "skills/email-security-anti-phishing/skill.md",
       "total_bytes": 26531,
@@ -3916,6 +4010,194 @@
           "h3_count": 0
         }
       ]
+    },
+    "cloud-iam-incident": {
+      "path": "skills/cloud-iam-incident/skill.md",
+      "total_bytes": 44433,
+      "total_lines": 420,
+      "frontmatter": {
+        "line_start": 1,
+        "line_end": 81,
+        "byte_start": 0,
+        "byte_end": 2834
+      },
+      "sections": [
+        {
+          "name": "Threat Context (mid-2026)",
+          "normalized_name": "threat-context",
+          "line": 85,
+          "byte_start": 2877,
+          "byte_end": 8663,
+          "bytes": 5786,
+          "h3_count": 0
+        },
+        {
+          "name": "Framework Lag Declaration",
+          "normalized_name": "framework-lag-declaration",
+          "line": 118,
+          "byte_start": 8663,
+          "byte_end": 14979,
+          "bytes": 6316,
+          "h3_count": 0
+        },
+        {
+          "name": "TTP Mapping",
+          "normalized_name": "ttp-mapping",
+          "line": 147,
+          "byte_start": 14979,
+          "byte_end": 19519,
+          "bytes": 4540,
+          "h3_count": 0
+        },
+        {
+          "name": "Exploit Availability Matrix",
+          "normalized_name": "exploit-availability-matrix",
+          "line": 167,
+          "byte_start": 19519,
+          "byte_end": 22898,
+          "bytes": 3379,
+          "h3_count": 0
+        },
+        {
+          "name": "Analysis Procedure",
+          "normalized_name": "analysis-procedure",
+          "line": 189,
+          "byte_start": 22898,
+          "byte_end": 30523,
+          "bytes": 7625,
+          "h3_count": 12
+        },
+        {
+          "name": "Output Format",
+          "normalized_name": "output-format",
+          "line": 279,
+          "byte_start": 30523,
+          "byte_end": 32721,
+          "bytes": 2198,
+          "h3_count": 15
+        },
+        {
+          "name": "Compliance Theater Check",
+          "normalized_name": "compliance-theater-check",
+          "line": 342,
+          "byte_start": 32721,
+          "byte_end": 37320,
+          "bytes": 4599,
+          "h3_count": 0
+        },
+        {
+          "name": "Defensive Countermeasure Mapping",
+          "normalized_name": "defensive-countermeasure-mapping",
+          "line": 378,
+          "byte_start": 37320,
+          "byte_end": 41396,
+          "bytes": 4076,
+          "h3_count": 0
+        },
+        {
+          "name": "Hand-Off / Related Skills",
+          "normalized_name": "hand-off",
+          "line": 400,
+          "byte_start": 41396,
+          "byte_end": 44433,
+          "bytes": 3037,
+          "h3_count": 0
+        }
+      ]
+    },
+    "idp-incident-response": {
+      "path": "skills/idp-incident-response/skill.md",
+      "total_bytes": 46225,
+      "total_lines": 353,
+      "frontmatter": {
+        "line_start": 1,
+        "line_end": 83,
+        "byte_start": 0,
+        "byte_end": 2814
+      },
+      "sections": [
+        {
+          "name": "Threat Context (mid-2026)",
+          "normalized_name": "threat-context",
+          "line": 87,
+          "byte_start": 2865,
+          "byte_end": 8702,
+          "bytes": 5837,
+          "h3_count": 0
+        },
+        {
+          "name": "Framework Lag Declaration",
+          "normalized_name": "framework-lag-declaration",
+          "line": 107,
+          "byte_start": 8702,
+          "byte_end": 15336,
+          "bytes": 6634,
+          "h3_count": 0
+        },
+        {
+          "name": "TTP Mapping",
+          "normalized_name": "ttp-mapping",
+          "line": 128,
+          "byte_start": 15336,
+          "byte_end": 19417,
+          "bytes": 4081,
+          "h3_count": 0
+        },
+        {
+          "name": "Exploit Availability Matrix",
+          "normalized_name": "exploit-availability-matrix",
+          "line": 145,
+          "byte_start": 19417,
+          "byte_end": 23132,
+          "bytes": 3715,
+          "h3_count": 0
+        },
+        {
+          "name": "Analysis Procedure",
+          "normalized_name": "analysis-procedure",
+          "line": 163,
+          "byte_start": 23132,
+          "byte_end": 30218,
+          "bytes": 7086,
+          "h3_count": 10
+        },
+        {
+          "name": "Output Format",
+          "normalized_name": "output-format",
+          "line": 224,
+          "byte_start": 30218,
+          "byte_end": 33401,
+          "bytes": 3183,
+          "h3_count": 16
+        },
+        {
+          "name": "Compliance Theater Check",
+          "normalized_name": "compliance-theater-check",
+          "line": 293,
+          "byte_start": 33401,
+          "byte_end": 37862,
+          "bytes": 4461,
+          "h3_count": 0
+        },
+        {
+          "name": "Defensive Countermeasure Mapping",
+          "normalized_name": "defensive-countermeasure-mapping",
+          "line": 320,
+          "byte_start": 37862,
+          "byte_end": 42384,
+          "bytes": 4522,
+          "h3_count": 0
+        },
+        {
+          "name": "Hand-Off / Related Skills",
+          "normalized_name": "hand-off",
+          "line": 335,
+          "byte_start": 42384,
+          "byte_end": 46225,
+          "bytes": 3841,
+          "h3_count": 0
+        }
+      ]
     }
   }
 }

package/data/_indexes/stale-content.json

@@ -1,7 +1,7 @@
 {
   "_meta": {
     "schema_version": "1.0.0",
-    "reference_date": "2026-05-01",
+    "reference_date": "2026-05-15",
     "note": "Stale-content snapshot derived from audit-cross-skill checks. Re-runs of build-indexes against the same inputs produce byte-identical output (reference_date is manifest.threat_review_date, not 'now'). audit-cross-skill.js remains the canonical interactive audit.",
     "finding_count": 3,
     "by_severity": {
@@ -15,7 +15,7 @@
       "severity": "medium",
       "category": "badge_drift",
       "artifact": "README.md",
-      "detail": "skills badge shows 38, manifest has 39"
+      "detail": "skills badge shows 38, manifest has 42"
     },
     {
       "severity": "medium",
@@ -27,7 +27,7 @@
       "severity": "medium",
       "category": "researcher_claim_drift",
       "artifact": "skills/researcher/skill.md",
-      "detail": "claims 37 specialized skills downstream; live count is 38"
+      "detail": "claims 37 specialized skills downstream; live count is 41"
     }
   ]
 }

package/data/_indexes/summary-cards.json

@@ -1699,6 +1699,60 @@
         "zeroday-gap-learn"
       ]
     },
+    "ransomware-response": {
+      "description": "Ransomware-specific incident response — OFAC SDN sanctions screening as payment-posture blocker, EU Reg 2014/833 + UK OFSI + AU DFAT + JP MOF cross-jurisdiction sanctions lookups, decryptor availability via No More Ransom + vendor-specific catalogs, cyber-insurance carrier 24h notification, negotiator-engagement legal posture, immutable-backup viability test, PHI exfil-before-encrypt as distinct breach class, parallel jurisdiction clocks",
+      "threat_context_excerpt": "Ransomware is the highest-volume critical-infrastructure incident class and the dominant economic-harm cyber category, and its operational shape changed materially between the 2020-2022 frame and the 2024-2026 frame.",
+      "produces": "The skill produces six ransomware-specific artifacts that augment the parent IR playbook's seven artifacts.\n\n### 1. Encryption Confirmation Record\n\n```\nIncident ID: INC-<YYYY>-<NNNN>\nEncryption confirmed: <yes/no>\nEncrypted-host count: <N>\nFamily fingerprint: <family + confidence>\nRansom note IoCs:\n  - Leak-site URL: <onion address>\n  - Contact identifier: <email/Tox/Session>\n  - Crypto-wallet addresses: <list>\n  - Family signature: <text fingerprint>\nShadow Copy deletion observed: <yes/no + timestamp + invoking process>\nLiving-off-the-land tools observed: <list — PsExec/WMI/PowerShell/AnyDesk ...",
+      "key_xrefs": {
+        "cwe_refs": [
+          "CWE-287",
+          "CWE-798"
+        ],
+        "d3fend_refs": [
+          "D3-RPA",
+          "D3-NTA",
+          "D3-IOPR",
+          "D3-CSPP"
+        ],
+        "framework_gaps": [
+          "OFAC-SDN-Payment-Block",
+          "Insurance-Carrier-24h-Notification",
+          "EU-Sanctions-Reg-2014-833-Cyber",
+          "Immutable-Backup-Recovery",
+          "Decryptor-Availability-Pre-Decision",
+          "PHI-Exfil-Before-Encrypt-Breach-Class"
+        ],
+        "atlas_refs": [],
+        "attack_refs": [
+          "T1486",
+          "T1567",
+          "T1078",
+          "T1059"
+        ],
+        "rfc_refs": [],
+        "dlp_refs": []
+      },
+      "trigger_count": 22,
+      "atlas_count": 0,
+      "attack_count": 4,
+      "framework_gap_count": 6,
+      "cwe_count": 2,
+      "d3fend_count": 4,
+      "rfc_count": 0,
+      "last_threat_review": "2026-05-15",
+      "path": "skills/ransomware-response/skill.md",
+      "handoff_targets": [
+        "compliance-theater",
+        "coordinated-vuln-disclosure",
+        "framework-gap-analysis",
+        "incident-response-playbook",
+        "sector-financial",
+        "sector-healthcare",
+        "skill-update-loop",
+        "threat-model-currency",
+        "zeroday-gap-learn"
+      ]
+    },
     "email-security-anti-phishing": {
       "description": "Email security + anti-phishing for mid-2026 — SPF/DKIM/DMARC/BIMI/ARC/MTA-STS/TLSRPT, AI-augmented phishing (vishing, deepfake video, hyperpersonalized email), Business Email Compromise, secure email gateways",
       "threat_context_excerpt": "Phishing remained the #1 initial-access vector through 2025 (Verizon DBIR 2025) and into 2026. The structural shift between 2024 and 2026 is **AI-augmentation of the phishing kill-chain** — content generation, voice synthesis, and live deepfake video have all collapsed from \"demonstrated in research\" to \"deployed against treasury, IT-helpdesk, and executive offices.\"",
@@ -1785,6 +1839,150 @@
         "incident-response-playbook",
         "sector-healthcare"
       ]
+    },
+    "cloud-iam-incident": {
+      "description": "Cloud-IAM incident response for AWS / GCP / Azure — account takeover, IAM role assumption abuse, access-key compromise, cross-account assume-role chains, federated-trust attacks, IMDS metadata exfiltration, and Snowflake-AA24-class IdP-to-cloud credential reuse",
+      "threat_context_excerpt": "Cloud-IAM compromise has been the dominant cloud-breach root cause across all three major hyperscalers (AWS, GCP, Azure) from 2024 through mid-2026. The threat surface has shifted materially since 2023 and the conventional defensive posture — Service Control Policies, root-account MFA, posture tools like AWS Security Hub / GCP Security Command Center / Azure Defender for Cloud, and quarterly access reviews — captures progressively less of the actual attack surface as adversary capability evolves.",
+      "produces": "The output is the operator-facing cloud-IAM incident assessment. Every section is mandatory; missing data is reported as \"no evidence\" so absence is auditable. The audit-log coverage table anchors the entire assessment — gaps there propagate to every downstream finding as reduced confidence. Produce this structure verbatim:\n\n```\n## Cloud IAM Incident Assessment\n\n**Assessment Date:** YYYY-MM-DD\n**Account(s) in scope:** [list]\n**Cloud provider(s):** [AWS / GCP / Azure]\n**Regulatory exposure:** [EU GDPR / NIS2 / DORA / UK / NYDFS / AU / SG / JP / CA / ...]\n**Critical or important functions in sco ...",
+      "key_xrefs": {
+        "cwe_refs": [
+          "CWE-287",
+          "CWE-522",
+          "CWE-798",
+          "CWE-863",
+          "CWE-732",
+          "CWE-269"
+        ],
+        "d3fend_refs": [
+          "D3-MFA",
+          "D3-CBAN",
+          "D3-NTA",
+          "D3-IOPR",
+          "D3-CAA"
+        ],
+        "framework_gaps": [
+          "FedRAMP-IL5-IAM-Federated",
+          "CISA-Snowflake-AA24-IdP-Cloud",
+          "NIST-800-53-AC-2-Cross-Account",
+          "ISO-27017-Cloud-IAM",
+          "SOC2-CC6-Access-Key-Leak-Public-Repo",
+          "AWS-Security-Hub-Coverage-Gap",
+          "UK-CAF-B2-Cloud-IAM",
+          "AU-ISM-1546-Cloud-Service-Account"
+        ],
+        "atlas_refs": [
+          "AML.T0051"
+        ],
+        "attack_refs": [
+          "T1078",
+          "T1078.004",
+          "T1098.001",
+          "T1552.005",
+          "T1580",
+          "T1538"
+        ],
+        "rfc_refs": [
+          "RFC-8693",
+          "RFC-7519",
+          "RFC-8725",
+          "RFC-9068"
+        ],
+        "dlp_refs": []
+      },
+      "trigger_count": 18,
+      "atlas_count": 1,
+      "attack_count": 6,
+      "framework_gap_count": 8,
+      "cwe_count": 6,
+      "d3fend_count": 5,
+      "rfc_count": 4,
+      "last_threat_review": "2026-05-15",
+      "path": "skills/cloud-iam-incident/skill.md",
+      "handoff_targets": [
+        "ai-attack-surface",
+        "cloud-security",
+        "compliance-theater",
+        "coordinated-vuln-disclosure",
+        "dlp-gap-analysis",
+        "framework-gap-analysis",
+        "identity-assurance",
+        "incident-response-playbook",
+        "mcp-agent-trust",
+        "policy-exception-gen",
+        "sector-federal-government",
+        "sector-financial",
+        "sector-healthcare",
+        "supply-chain-integrity"
+      ]
+    },
+    "idp-incident-response": {
+      "description": "Identity-provider incident response for mid-2026 — Okta, Entra ID, Auth0, Ping, OneLogin tenant compromise, federated-trust abuse, OAuth app consent abuse, Midnight Blizzard and Scattered Spider TTPs against the IdP control plane",
+      "threat_context_excerpt": "Identity-provider tenants are the highest-blast-radius single object in a modern cloud estate. The IdP issues every authentication outcome, federates every OAuth scope, and serves as the source-of-truth for privileged-role assignment across the downstream SaaS / cloud / on-prem fleet. 2023-2026 incident-response data shows five recurring themes, each of which now drives both attacker tradecraft and the framework-lag conversation.",
+      "produces": "The output is the operator-facing IdP-tenant compromise assessment. Every section is mandatory; empty tables remain present with a \"no evidence\" row to make absence auditable. The jurisdiction-clock snapshot anchors every subsequent timestamp; downstream tooling parses the deadline column for SLA enforcement. Produce this structure verbatim:\n\n```\n## IdP-Tenant Compromise Assessment\n\n**Assessment Date:** YYYY-MM-DD\n**Tenant ID (hashed):** [hashed_tenant_identifier]\n**IdP Vendor:** [Okta / Entra ID / Auth0 / Ping / OneLogin / hybrid]\n**Regulatory exposure:** [EU DORA / EU NIS2 / EU GDPR / UK / U ...",
+      "key_xrefs": {
+        "cwe_refs": [
+          "CWE-287",
+          "CWE-863",
+          "CWE-269",
+          "CWE-284",
+          "CWE-522",
+          "CWE-345"
+        ],
+        "d3fend_refs": [
+          "D3-MFA",
+          "D3-CBAN",
+          "D3-NTA",
+          "D3-IOPR"
+        ],
+        "framework_gaps": [
+          "NIST-800-53-IA-5-Federated",
+          "ISO-27001-2022-A.5.16-Federated",
+          "SOC2-CC6-OAuth-Consent",
+          "UK-CAF-B2-IdP-Tenant",
+          "AU-ISM-1559-IdP",
+          "NIS2-Art-21-Federated-Identity",
+          "DORA-Art-19-IdP-4h",
+          "OFAC-Sanctions-Threat-Actor-Negotiation"
+        ],
+        "atlas_refs": [],
+        "attack_refs": [
+          "T1078.004",
+          "T1556.007",
+          "T1098.001",
+          "T1606.002",
+          "T1199"
+        ],
+        "rfc_refs": [
+          "RFC-7519",
+          "RFC-8725",
+          "RFC-7591",
+          "RFC-9421"
+        ],
+        "dlp_refs": []
+      },
+      "trigger_count": 24,
+      "atlas_count": 0,
+      "attack_count": 5,
+      "framework_gap_count": 8,
+      "cwe_count": 6,
+      "d3fend_count": 4,
+      "rfc_count": 4,
+      "last_threat_review": "2026-05-15",
+      "path": "skills/idp-incident-response/skill.md",
+      "handoff_targets": [
+        "ai-attack-surface",
+        "compliance-theater",
+        "coordinated-vuln-disclosure",
+        "dlp-gap-analysis",
+        "framework-gap-analysis",
+        "identity-assurance",
+        "incident-response-playbook",
+        "mcp-agent-trust",
+        "policy-exception-gen",
+        "sector-federal-government",
+        "sector-financial",
+        "sector-telecom"
+      ]
     }
   }
 }