@blamejs/exceptd-skills 0.12.31 → 0.12.33

package/scripts/refresh-reverse-refs.js

@@ -38,33 +38,63 @@ const path = require('node:path');
 
 const REPO_ROOT = path.resolve(__dirname, '..');
 const MANIFEST_PATH = path.join(REPO_ROOT, 'manifest.json');
+const CVE_CATALOG_PATH = path.join(REPO_ROOT, 'data', 'cve-catalog.json');
 const DATA_DIR = path.join(REPO_ROOT, 'data');
 
 /* Per-catalog config:
  *   file              relative path under data/
- *   forwardField      manifest.skills[].* array name
+ *   forwardField      source-collection[].* array name
  *   reverseField      per-entry reverse field name in the catalog
+ *   source            'manifest.skills' (default) — walk every skill's forward ref
+ *                     'cve.entries'   — walk every CVE's forward ref (cycle 12 F3
+ *                     extension); contributes CVE-IDs (skipping `_draft: true`
+ *                     entries so the reverse direction tracks operator-queryable
+ *                     truth, not in-progress curation state)
+ *   entryKey          field on the source object used as the reverse-list value
+ *                     ('name' for skills; '<self-id>' for CVE entries via the
+ *                     map key, so the helper substitutes the iterating key)
  */
 const CATALOGS = [
   {
     file: 'atlas-ttps.json',
     forwardField: 'atlas_refs',
     reverseField: 'exceptd_skills',
+    source: 'manifest.skills',
+    entryKey: 'name',
   },
   {
     file: 'cwe-catalog.json',
     forwardField: 'cwe_refs',
     reverseField: 'skills_referencing',
+    source: 'manifest.skills',
+    entryKey: 'name',
   },
   {
     file: 'd3fend-catalog.json',
     forwardField: 'd3fend_refs',
     reverseField: 'skills_referencing',
+    source: 'manifest.skills',
+    entryKey: 'name',
   },
   {
     file: 'rfc-references.json',
     forwardField: 'rfc_refs',
     reverseField: 'skills_referencing',
+    source: 'manifest.skills',
+    entryKey: 'name',
+  },
+  // Cycle 12 F3 (v0.12.32): CVE → CWE reverse direction. CWE entries
+  // declare `evidence_cves` as the operator-facing "which CVEs land here"
+  // index; pre-fix this was hand-maintained and drifted whenever a new
+  // CVE landed without the matching CWE's evidence_cves being updated.
+  // Now mirrors `cve.cwe_refs` → `cwe.evidence_cves` automatically.
+  // Drafts excluded (they're invisible to default consumers anyway).
+  {
+    file: 'cwe-catalog.json',
+    forwardField: 'cwe_refs',
+    reverseField: 'evidence_cves',
+    source: 'cve.entries',
+    entryKey: null, // value is the iterating CVE id
   },
 ];
 
@@ -85,10 +115,33 @@ function buildReverseIndex(skills, forwardField) {
   return index;
 }
 
-function rebuildCatalog(cfg, manifest) {
+// Cycle 12 F3 (v0.12.32): build a reverse index keyed by catalog ID from the
+// CVE catalog's forward refs. Each CVE entry has cwe_refs / attack_refs
+// arrays; the reverse side is the CVE ID, indexed by the catalog entry.
+// Draft entries are skipped — drafts are invisible to default consumers
+// via cross-ref-api, so the reverse direction should track operator-
+// queryable truth, not in-progress curation state.
+function buildCveReverseIndex(cveCatalog, forwardField) {
+  const index = new Map();
+  for (const [cveId, entry] of Object.entries(cveCatalog)) {
+    if (cveId === '_meta') continue;
+    if (!entry || typeof entry !== 'object') continue;
+    if (entry._draft === true) continue;
+    const refs = Array.isArray(entry[forwardField]) ? entry[forwardField] : [];
+    for (const targetId of refs) {
+      if (!index.has(targetId)) index.set(targetId, new Set());
+      index.get(targetId).add(cveId);
+    }
+  }
+  return index;
+}
+
+function rebuildCatalog(cfg, manifest, cveCatalog) {
   const filePath = path.join(DATA_DIR, cfg.file);
   const catalog = readJson(filePath);
-  const index = buildReverseIndex(manifest.skills, cfg.forwardField);
+  const index = cfg.source === 'cve.entries'
+    ? buildCveReverseIndex(cveCatalog, cfg.forwardField)
+    : buildReverseIndex(manifest.skills, cfg.forwardField);
   let changed = 0;
   let added = 0;
   let removed = 0;
@@ -133,6 +186,8 @@ function rebuildCatalog(cfg, manifest) {
 
   return {
     file: cfg.file,
+    source: cfg.source,
+    reverseField: cfg.reverseField,
     changed,
     added,
     removed,
@@ -143,14 +198,15 @@ function rebuildCatalog(cfg, manifest) {
 
 function main() {
   const manifest = readJson(MANIFEST_PATH);
+  const cveCatalog = readJson(CVE_CATALOG_PATH);
   const results = [];
   for (const cfg of CATALOGS) {
-    results.push(rebuildCatalog(cfg, manifest));
+    results.push(rebuildCatalog(cfg, manifest, cveCatalog));
   }
   for (const r of results) {
     process.stdout.write(
-      `${r.file}: ${r.changed} entries changed ` +
-        `(+${r.added} / -${r.removed} skill refs), ` +
+      `${r.file} (${r.source || 'skills'} → ${r.reverseField}): ${r.changed} entries changed ` +
+        `(+${r.added} / -${r.removed} refs), ` +
         `${r.unchanged} unchanged` +
         (r.orphans.length
           ? `, ${r.orphans.length} orphan forward ref(s) [${r.orphans.join(', ')}]`
@@ -163,6 +219,7 @@ function main() {
 module.exports = {
   CATALOGS,
   buildReverseIndex,
+  buildCveReverseIndex,
   rebuildCatalog,
 };
 

package/skills/cloud-iam-incident/skill.md

@@ -402,7 +402,7 @@ Per AGENTS.md optional 8th section. Maps cloud-IAM offensive findings to MITRE D
 After producing the cloud-IAM incident assessment, chain into the following skills.
 
 - **`cloud-security`** — for CSP-specific IAM construct inventory, posture-tool integration, and shared-responsibility framing. This skill scopes the IAM-incident-response workflow; `cloud-security` covers the broader cloud-posture surface.
-- **`cred-stores`** — for KMS / Cloud KMS / Key Vault posture, access-key rotation hygiene, and any compromised principal whose blast radius >= 4.
+- **`cred-stores`** *(playbook chain, not a skill)* — `_meta.feeds_into` on this playbook routes blast-radius >= 4 findings into the `cred-stores` playbook for KMS / Cloud KMS / Key Vault posture and access-key rotation hygiene. Hand-off is via the playbook chain, not a skill load.
 - **`identity-assurance`** — for AAL / IAL / FAL framing on human-principal MFA posture, federated-identity assurance levels, and step-up authentication coverage on cloud admin actions.
 - **`framework-gap-analysis`** — for the per-jurisdiction reconciliation called for in Output Format "Cross-Jurisdiction Framework Gap Summary."
 - **`compliance-theater`** — to extend the five theater tests above with general-purpose theater detection across the wider GRC posture.

package/skills/idp-incident-response/skill.md

@@ -337,7 +337,7 @@ Per AGENTS.md optional 8th section (required for skills shipped on or after 2026
 After producing the IdP-tenant compromise assessment, chain into the following skills.
 
 - **`identity-assurance`** — for AAL3 / FIDO2 / WebAuthn admin-tier authentication implementation detail, IAL2/IAL3 for high-value workforce identity, FAL constructs for federation, and the cryptographic posture (RFC 7519 JWT, RFC 8725 JWT BCP, RFC 7591 OAuth Dynamic Client Registration, RFC 9421 HTTP Message Signatures) that IdP-tenant control-plane operations reference but framework controls do not specify.
-- **`cred-stores`** — for downstream containment: rotate management-API tokens, downstream service-account credentials, session tokens; audit Vault / Secrets Manager / KMS for IdP-derived credentials. Blast-radius >= 4 findings feed directly into `cred-stores`.
+- **`cred-stores`** *(playbook chain, not a skill)* — `_meta.feeds_into` on this playbook routes blast-radius >= 4 findings into the `cred-stores` playbook for downstream containment: rotate management-API tokens, downstream service-account credentials, session tokens; audit Vault / Secrets Manager / KMS for IdP-derived credentials. Hand-off is via the playbook chain, not a skill load.
 - **`framework-gap-analysis`** — for per-jurisdiction reconciliation of IdP-tenant control-plane coverage gaps across NIST + ISO + SOC 2 + UK CAF + AU ISM + AU E8 + NIS2 + DORA + NYDFS.
 - **`compliance-theater`** — to extend the seven theater tests above with general-purpose theater detection across the wider GRC posture (CISO certification independence, audit-attestation evidence currency, change-control register completeness).
 - **`coordinated-vuln-disclosure`** — for DORA Art.19 4-hour clock orchestration, NIS2 Art.23 24-hour clock, GDPR Art.33 72-hour clock, NYDFS 500.17 72-hour clock, AU NDB 30-day clock, and the multi-regulator notification when a single IdP-tenant incident triggers multiple clocks across jurisdictions.

package/skills/ransomware-response/skill.md

@@ -362,8 +362,8 @@ Ransomware response consumes defensive controls across multiple D3FEND categorie
 Ransomware response is a sub-flow of `incident-response-playbook` with ransomware-specific decision properties. Route to the following on the indicated trigger:
 
 - **`incident-response-playbook`** — *parent IR playbook.* All PICERL phase scaffolding, jurisdictional notification matrix, post-incident review template, evidence preservation, and cross-skill hand-off graph are owned by the parent. This skill extends — does not duplicate — the parent.
-- **`cred-stores`** — *credential-blast-radius trigger.* When ransomware analysis surfaces lateral movement via valid accounts (T1078) and the blast radius extends to credential stores (AD krbtgt, privileged service accounts, SSO break-glass, OAuth grants, AI-agent service accounts), hand off for credential rotation scope determination and rotation orchestration. The playbook `feeds_into` chain encodes this trigger.
-- **`framework`** — *compliance-theater trigger.* When the four ransomware compliance-theater tests in this skill produce a `theater` verdict for the org's pre-incident posture, hand off for cross-framework gap analysis. The playbook `feeds_into` chain encodes this trigger.
+- **`cred-stores`** *(playbook chain, not a skill)* — *credential-blast-radius trigger.* When ransomware analysis surfaces lateral movement via valid accounts (T1078) and the blast radius extends to credential stores (AD krbtgt, privileged service accounts, SSO break-glass, OAuth grants, AI-agent service accounts), the `_meta.feeds_into` chain on this playbook routes into the `cred-stores` playbook for credential rotation scope determination and rotation orchestration. Hand-off is via the playbook chain, not a skill load.
+- **`framework`** *(playbook chain, not a skill)* — *compliance-theater trigger.* When the four ransomware compliance-theater tests in this skill produce a `theater` verdict for the org's pre-incident posture, the `_meta.feeds_into` chain on this playbook routes into the `framework` playbook for cross-framework gap analysis. Hand-off is via the playbook chain, not a skill load. (The `framework-gap-analysis` skill below is a distinct surface — that one IS a real skill and is loaded directly.)
 - **`sector-healthcare`** — *PHI exfil-before-encrypt trigger.* When PHI is in the exfiltrated scope, hand off for HIPAA Breach Notification Rule sequencing (45 CFR 164.400-414), state AG notification matrix, and business-associate cascade. State-specific extensions to the 60-day federal clock are routed through this skill.
 - **`sector-financial`** — *financial-entity trigger.* When the affected entity is a DORA-in-scope financial entity, hand off for the 4h initial notification chain to competent authority + ECB / EIOPA / ESMA; for NYDFS 500.17 the 24h ransom-payment notification (if payment is made and sanctions screening cleared) is routed through this skill.
 - **`framework-gap-analysis`** — *control-gap filing.* When the ransomware response surfaces that one of the four ransomware-specific decision properties (sanctions / decryptor / insurance / immutability / exfil-before-encrypt) failed to operationalize during the incident, file the gap entry against the relevant framework controls (NIST IR-4, ISO A.5.26, SOC 2 CC7.4, HIPAA 164.308(a)(7), AU E8 Backup, UK CAF D1).