@blamejs/exceptd-skills 0.12.40 → 0.13.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (97) hide show
  1. package/AGENTS.md +17 -0
  2. package/ARCHITECTURE.md +7 -4
  3. package/CHANGELOG.md +215 -248
  4. package/CONTEXT.md +2 -2
  5. package/README.md +2 -8
  6. package/agents/threat-researcher.md +2 -2
  7. package/bin/exceptd.js +179 -81
  8. package/data/_indexes/_meta.json +50 -50
  9. package/data/_indexes/activity-feed.json +1 -1
  10. package/data/_indexes/catalog-summaries.json +1 -1
  11. package/data/_indexes/chains.json +485 -13
  12. package/data/_indexes/frequency.json +4 -0
  13. package/data/_indexes/jurisdiction-map.json +15 -4
  14. package/data/_indexes/section-offsets.json +1224 -1224
  15. package/data/_indexes/token-budget.json +170 -170
  16. package/data/atlas-ttps.json +54 -11
  17. package/data/attack-techniques.json +113 -17
  18. package/data/cve-catalog.json +38 -52
  19. package/data/cwe-catalog.json +8 -2
  20. package/data/exploit-availability.json +1 -0
  21. package/data/framework-control-gaps.json +149 -6
  22. package/data/global-frameworks.json +1 -0
  23. package/data/playbooks/ai-api.json +5 -0
  24. package/data/playbooks/cicd-pipeline-compromise.json +970 -0
  25. package/data/playbooks/cloud-iam-incident.json +4 -1
  26. package/data/playbooks/cred-stores.json +10 -0
  27. package/data/playbooks/crypto-codebase.json +13 -0
  28. package/data/playbooks/framework.json +16 -0
  29. package/data/playbooks/hardening.json +4 -0
  30. package/data/playbooks/identity-sso-compromise.json +951 -0
  31. package/data/playbooks/idp-incident.json +3 -0
  32. package/data/playbooks/kernel.json +6 -0
  33. package/data/playbooks/llm-tool-use-exfil.json +963 -0
  34. package/data/playbooks/mcp.json +6 -0
  35. package/data/playbooks/runtime.json +4 -0
  36. package/data/playbooks/sbom.json +13 -0
  37. package/data/playbooks/secrets.json +6 -0
  38. package/data/playbooks/webhook-callback-abuse.json +916 -0
  39. package/data/zeroday-lessons.json +1 -0
  40. package/lib/cross-ref-api.js +33 -13
  41. package/lib/cve-curation.js +12 -1
  42. package/lib/exit-codes.js +29 -0
  43. package/lib/lint-skills.js +25 -3
  44. package/lib/playbook-runner.js +8 -4
  45. package/lib/refresh-external.js +10 -1
  46. package/lib/scoring.js +64 -1
  47. package/lib/sign.js +40 -7
  48. package/lib/verify.js +5 -5
  49. package/manifest.json +83 -83
  50. package/orchestrator/README.md +7 -7
  51. package/orchestrator/index.js +46 -25
  52. package/orchestrator/scheduler.js +2 -2
  53. package/package.json +1 -1
  54. package/sbom.cdx.json +135 -91
  55. package/scripts/check-test-coverage.js +6 -6
  56. package/scripts/predeploy.js +7 -13
  57. package/scripts/refresh-reverse-refs.js +107 -20
  58. package/scripts/refresh-sbom.js +21 -4
  59. package/skills/age-gates-child-safety/skill.md +1 -5
  60. package/skills/ai-attack-surface/skill.md +11 -4
  61. package/skills/ai-c2-detection/skill.md +11 -2
  62. package/skills/ai-risk-management/skill.md +4 -2
  63. package/skills/api-security/skill.md +7 -8
  64. package/skills/attack-surface-pentest/skill.md +2 -2
  65. package/skills/cloud-iam-incident/skill.md +1 -5
  66. package/skills/cloud-security/skill.md +0 -4
  67. package/skills/compliance-theater/skill.md +10 -2
  68. package/skills/container-runtime-security/skill.md +1 -3
  69. package/skills/dlp-gap-analysis/skill.md +3 -4
  70. package/skills/email-security-anti-phishing/skill.md +1 -8
  71. package/skills/exploit-scoring/skill.md +7 -2
  72. package/skills/framework-gap-analysis/skill.md +1 -1
  73. package/skills/fuzz-testing-strategy/skill.md +1 -2
  74. package/skills/global-grc/skill.md +3 -2
  75. package/skills/identity-assurance/skill.md +1 -3
  76. package/skills/idp-incident-response/skill.md +1 -4
  77. package/skills/incident-response-playbook/skill.md +1 -5
  78. package/skills/kernel-lpe-triage/skill.md +2 -2
  79. package/skills/mcp-agent-trust/skill.md +13 -3
  80. package/skills/mlops-security/skill.md +3 -4
  81. package/skills/ot-ics-security/skill.md +0 -3
  82. package/skills/policy-exception-gen/skill.md +11 -3
  83. package/skills/pqc-first/skill.md +4 -2
  84. package/skills/rag-pipeline-security/skill.md +2 -0
  85. package/skills/ransomware-response/skill.md +1 -5
  86. package/skills/researcher/skill.md +4 -3
  87. package/skills/sector-energy/skill.md +0 -4
  88. package/skills/sector-federal-government/skill.md +2 -3
  89. package/skills/sector-financial/skill.md +1 -4
  90. package/skills/sector-healthcare/skill.md +0 -5
  91. package/skills/sector-telecom/skill.md +0 -4
  92. package/skills/security-maturity-tiers/skill.md +1 -2
  93. package/skills/skill-update-loop/skill.md +4 -3
  94. package/skills/supply-chain-integrity/skill.md +4 -3
  95. package/skills/threat-model-currency/skill.md +1 -1
  96. package/skills/threat-modeling-methodology/skill.md +2 -1
  97. package/skills/webapp-security/skill.md +0 -5
package/data/playbooks/cloud-iam-incident.json CHANGED
@@ -58,6 +58,9 @@
58
58
  "playbook_id": "sbom",
59
59
  "condition": "compromised_account_has_published_assets == true"
60
60
  }
61
+ ],
62
+ "fed_by": [
63
+ "identity-sso-compromise"
61
64
  ]
62
65
  },
63
66
  "domain": {
@@ -516,7 +519,7 @@
516
519
  {
517
520
  "assumption": "Cloud audit logging is enabled and configured to log all management-plane events for the full 90-day window",
518
521
  "if_false": "If CloudTrail / Cloud Audit Logs / Activity Log is disabled, partially enabled, or short-retention, the look phase is structurally incomplete. Mark `audit-log-coverage-gap` and emit a `cloudtrail_logging_disabled_event` indicator regardless of whether a specific disable event was found — absence is the finding."
519
- },
522
+ },
520
523
  {
521
524
  "assumption": "The investigator's IAM read-only access covers every account in the org / project / management group",
522
525
  "if_false": "Some accounts unreadable. Mark per-account inconclusive; emit a coverage note in the close phase rather than treating absence of evidence as evidence of absence."
package/data/playbooks/cred-stores.json CHANGED
@@ -38,6 +38,16 @@
38
38
  "playbook_id": "runtime",
39
39
  "condition": "finding.severity == 'critical'"
40
40
  }
41
+ ],
42
+ "fed_by": [
43
+ "cicd-pipeline-compromise",
44
+ "cloud-iam-incident",
45
+ "identity-sso-compromise",
46
+ "idp-incident",
47
+ "ransomware",
48
+ "runtime",
49
+ "secrets",
50
+ "webhook-callback-abuse"
41
51
  ]
42
52
  },
43
53
  "domain": {
package/data/playbooks/crypto-codebase.json CHANGED
@@ -381,6 +381,7 @@
381
381
  "id": "package-manifests",
382
382
  "type": "config_file",
383
383
  "source": "Read package.json, pyproject.toml, setup.py, go.mod, Cargo.toml, pom.xml, build.gradle, Gemfile, composer.json, mix.exs at repo root and at every nested package boundary. Use Glob `**/{package.json,pyproject.toml,go.mod,Cargo.toml,pom.xml,build.gradle,Gemfile,composer.json}` excluding `node_modules`, `vendor`, `.venv`, `target`, `dist`, `build`.",
384
+ "air_gap_alternative": "Identical local-filesystem read; no network dependency. Same Glob/Read against the working repo.",
384
385
  "description": "Package manifests — establish the language ecosystems present, declared crypto-adjacent dependencies, and the public API surface.",
385
386
  "required": true
386
387
  },
@@ -388,6 +389,7 @@
388
389
  "id": "lockfiles",
389
390
  "type": "config_file",
390
391
  "source": "Read package-lock.json, yarn.lock, pnpm-lock.yaml, poetry.lock, uv.lock, Pipfile.lock, go.sum, Cargo.lock, composer.lock at repo root and at every package boundary.",
392
+ "air_gap_alternative": "Identical local-filesystem read; no network dependency. Same Read against the working repo.",
391
393
  "description": "Lockfiles — concrete versions of crypto-adjacent deps actually shipped to consumers (openssl, sodium, libsodium-wrappers, tweetnacl, noble-curves, noble-hashes, noble-post-quantum, jsrsasign, node-forge, pqcrypto, oqs-rs, kyber-crystals, dilithium, aws-lc-rs, ring, rustls, rust-openssl).",
392
394
  "required": false
393
395
  },
@@ -395,6 +397,7 @@
395
397
  "id": "hash-primitive-call-sites",
396
398
  "type": "file",
397
399
  "source": "Grep across the repo (excluding test/spec/fixture/node_modules/vendor/.venv/target/dist/build) for hash-primitive call sites. Patterns: `crypto.createHash\\(`, `crypto.createHmac\\(`, `hashlib\\.(md5|sha1|sha224|sha256|sha384|sha512|blake2b|blake2s|sha3_)`, `MessageDigest\\.getInstance\\(`, `Digest::(MD5|SHA1|SHA256)`, `hash/md5`, `hash/sha1`, `\"md5\"`, `\"sha1\"`, `\"sha-1\"`, `\"sha256\"`, `\"sha3-256\"`. Use Grep with multiline=true where the algorithm-name string is on a different line from the constructor.",
400
+ "air_gap_alternative": "Identical local-filesystem Grep; no network dependency. Run the same patterns against the working repo.",
398
401
  "description": "Every hash-primitive call site. Distinguish security-context usage (signature input, MAC input, integrity check, password derivation, token derivation) from non-security usage (cache key, ETag, dedup). The non-security distinction must be evidenced inline; absent evidence, treat as security-context.",
399
402
  "required": true
400
403
  },
@@ -402,6 +405,7 @@
402
405
  "id": "cipher-and-kex-call-sites",
403
406
  "type": "file",
404
407
  "source": "Grep for cipher and KEX call sites: `createCipheriv\\(`, `createDecipheriv\\(`, `crypto\\.publicEncrypt\\(`, `crypto\\.privateDecrypt\\(`, `createDiffieHellman\\(`, `createECDH\\(`, `crypto\\.generateKeyPair`, `Cipher\\.getInstance\\(`, `aesgcm`, `ChaCha20Poly1305`, `\\.(seal|open)\\(`, `OpenSSL::Cipher`, hardcoded curve names `\"P-256\"`, `\"secp256r1\"`, `\"prime256v1\"`, `\"P-384\"`, `\"secp384r1\"`, `\"P-521\"`, `\"secp521r1\"`, `\"secp256k1\"`, `\"X25519\"`, `\"X448\"`.",
408
+ "air_gap_alternative": "Identical local-filesystem Grep; no network dependency. Run the same patterns against the working repo.",
405
409
  "description": "Cipher and key-exchange call sites. Identify mode (GCM/CBC/CTR/ECB), curve, key size, IV-generation pattern. ECB mode anywhere is a hard fail. CBC without HMAC is a hard fail. AES-128 without GCM authenticator is a finding.",
406
410
  "required": true
407
411
  },
@@ -409,6 +413,7 @@
409
413
  "id": "signature-call-sites",
410
414
  "type": "file",
411
415
  "source": "Grep for signature operations: `crypto\\.sign\\(`, `crypto\\.verify\\(`, `Signature\\.getInstance\\(`, `\\.sign_pss\\(`, `\\.verify_pss\\(`, `RSA-PSS`, `RSA-PKCS1`, `ECDSA`, `Ed25519`, `Ed448`, `ML-DSA`, `Dilithium`, `SLH-DSA`, `SPHINCS`. Capture key sizes for RSA (look for `modulusLength`, `key_size`, `--rsa-2048` literals), curve choice for ECDSA, hash choice paired with signature (RSA-SHA1 is a hard fail).",
416
+ "air_gap_alternative": "Identical local-filesystem Grep; no network dependency. Run the same patterns against the working repo.",
412
417
  "description": "Signature scheme inventory. RSA-1024 anywhere is a hard fail; RSA-2048 with > 5-year sensitivity requires PQC roadmap; ECDSA-P256 acceptable today but needs hybrid ML-DSA migration plan; bare RSA-PKCS1 (not PSS) for new signatures is a finding.",
413
418
  "required": true
414
419
  },
@@ -416,6 +421,7 @@
416
421
  "id": "kdf-call-sites",
417
422
  "type": "file",
418
423
  "source": "Grep for key-derivation calls: `pbkdf2(Sync)?\\(`, `PBKDF2`, `hashlib\\.pbkdf2_hmac`, `bcrypt\\.(hash|hashSync|compare)`, `scrypt(Sync)?\\(`, `argon2\\.(hash|verify)`, `argon2id`, `hkdf\\(`, `HKDF`, `derive_key`. For each, extract the cost parameters: PBKDF2 iterations, bcrypt cost factor, scrypt N/r/p, argon2 t/m/p.",
424
+ "air_gap_alternative": "Identical local-filesystem Grep; no network dependency. Run the same patterns against the working repo.",
419
425
  "description": "Key-derivation parameter inventory. Apply OWASP 2023 minimums: PBKDF2-HMAC-SHA256 >= 600,000; PBKDF2-HMAC-SHA512 >= 210,000; bcrypt cost >= 12; scrypt N >= 2^17, r=8, p=1; argon2id m >= 19 MiB (19456 KiB), t >= 2, p >= 1. Any parameter below minimum is a finding.",
420
426
  "required": true
421
427
  },
@@ -423,6 +429,7 @@
423
429
  "id": "rng-call-sites",
424
430
  "type": "file",
425
431
  "source": "Grep for RNG sources: `Math\\.random\\(`, `random\\.random\\(`, `random\\.randint\\(`, `random\\.choice\\(`, `rand\\(`, `srand\\(`, `mt_rand\\(`, `secrets\\.(token_|randbits|choice)`, `crypto\\.randomBytes\\(`, `crypto\\.getRandomValues\\(`, `crypto\\.randomUUID\\(`, `os\\.urandom\\(`, `getrandom\\(`, `SecureRandom`, `OsRng`, `ThreadRng`, `/dev/urandom`, `/dev/random`. Capture file_path:line for each.",
432
+ "air_gap_alternative": "Identical local-filesystem Grep; no network dependency. Run the same patterns against the working repo.",
426
433
  "description": "RNG-source inventory. Production-context Math.random / random.random / rand without cryptographic-RNG fallback is CWE-338. Distinguish test/spec/fixture usage explicitly via path allowlist; production usage requires a cryptographic RNG.",
427
434
  "required": true
428
435
  },
@@ -430,6 +437,7 @@
430
437
  "id": "hardcoded-key-material",
431
438
  "type": "file",
432
439
  "source": "Grep for hardcoded crypto material: PEM markers `-----BEGIN (RSA |EC |DSA |PRIVATE |PUBLIC |CERTIFICATE )?(PRIVATE|PUBLIC) KEY-----`, SSH key prefixes `ssh-rsa AAAA`, `ssh-ed25519 AAAA`, `ecdsa-sha2-nistp256 AAAA`, hex-blob heuristics for keys (>= 64 hex chars on a single literal line), base64-encoded blobs >= 256 chars in source files. Cross-reference with the `secrets` playbook for the exfil-secret angle; here the focus is library-author shipping defaults that look like keys (e.g. example certs, demo keys, sample HMAC seeds that downstream consumers fail to rotate).",
440
+ "air_gap_alternative": "Identical local-filesystem Grep; no network dependency. Run the same patterns against the working repo.",
433
441
  "description": "Hardcoded key material shipped with the library. Library-author angle: any 'demo' or 'example' key that downstream consumers fail to rotate becomes a universal-default vulnerability (cf. embedded-router demo keys, Wi-Fi default WPA keys, IoT bootloader signing keys).",
434
442
  "required": false
435
443
  },
@@ -437,6 +445,7 @@
437
445
  "id": "tls-config-construction",
438
446
  "type": "file",
439
447
  "source": "Grep for in-code TLS context construction: `tls\\.createSecureContext`, `tls\\.createServer`, `https\\.createServer`, `ssl\\.SSLContext\\(`, `ssl\\.create_default_context`, `rustls::ServerConfig`, `rustls::ClientConfig`, `tls\\.Config\\{`, `SSL_CTX_new`, options like `minVersion`, `maxVersion`, `secureProtocol`, `ciphers`, `ecdhCurve`, `sigalgs`, `groups`, `ALPNProtocols`.",
448
+ "air_gap_alternative": "Identical local-filesystem Grep; no network dependency. Run the same patterns against the working repo.",
440
449
  "description": "In-code TLS configuration. Library authors that construct TLS contexts internally must default to TLS 1.3 minimum, X25519MLKEM768 group preference (when openssl >= 3.5 detected), modern cipher list. Hardcoded `secureProtocol: 'TLSv1_method'` or `minVersion: 'TLSv1'` is a hard fail.",
441
450
  "required": false
442
451
  },
@@ -444,6 +453,7 @@
444
453
  "id": "pqc-adoption-signals",
445
454
  "type": "file",
446
455
  "source": "Grep for PQC adoption: `ml[-_]?kem`, `ml[-_]?dsa`, `slh[-_]?dsa`, `kyber`, `dilithium`, `sphincs`, `falcon`, `kemEncapsulate`, `kemDecapsulate`, `EVP_KEM_`, `OQS_KEM_`, `oqsprovider`, `liboqs`, `noble-post-quantum`, `pqcrypto::`, `aws-lc-rs::pqc`, `circl/sign/dilithium`, `circl/kem/kyber`.",
456
+ "air_gap_alternative": "Identical local-filesystem Grep; no network dependency. Run the same patterns against the working repo.",
447
457
  "description": "PQC adoption signals. If `pqc-readiness-gap` directive runs, this artifact is the primary input. Distinguish concrete cryptographic operations from configuration strings, feature-flag names, and comments.",
448
458
  "required": false
449
459
  },
@@ -451,6 +461,7 @@
451
461
  "id": "fips-provider-activation",
452
462
  "type": "file",
453
463
  "source": "Grep for FIPS-mode activation: `OSSL_PROVIDER_load.*fips`, `crypto\\.setFips\\(`, `openssl::provider::Provider::load_default`, `Provider::load.*\"fips\"`, openssl.cnf or fipsmodule.cnf files in the repo, environment-variable references to `OPENSSL_FIPS`, `OPENSSL_CONF`. Capture whether the activation is conditional (e.g. only if env var set) or unconditional.",
464
+ "air_gap_alternative": "Identical local-filesystem Grep; no network dependency. Run the same patterns against the working repo.",
454
465
  "description": "FIPS-provider activation evidence. The `fips-validation-status` directive uses this to distinguish runtime FIPS activation from link-time FIPS claims.",
455
466
  "required": false
456
467
  },
@@ -458,6 +469,7 @@
458
469
  "id": "vendored-crypto-tree",
459
470
  "type": "file",
460
471
  "source": "Glob for vendored crypto: `vendor/**/{crypto,openssl,sodium,nacl,kyber,dilithium,sphincs,curve25519,blake2,sha3,argon2}*`, `third_party/**/*crypto*`, `crates/**/*crypto*` (excluding the package's own crypto module). Look for upstream-reference files: `UPSTREAM`, `ORIGIN`, `PROVENANCE.md`, `.upstream-commit`, integrity hashes in lockfiles.",
472
+ "air_gap_alternative": "Identical local-filesystem Glob; no network dependency. Run the same patterns against the working repo.",
461
473
  "description": "Vendored cryptographic primitives. Library authors sometimes vendor crypto to reduce dep tree or for licensing reasons. Without provenance + integrity audit, vendored crypto is a supply-chain backdoor opportunity.",
462
474
  "required": false
463
475
  },
@@ -465,6 +477,7 @@
465
477
  "id": "ci-crypto-tests",
466
478
  "type": "file",
467
479
  "source": "Glob for CI configs: `.github/workflows/**/*.yml`, `.gitlab-ci.yml`, `.circleci/config.yml`, `azure-pipelines.yml`, `Jenkinsfile`. Grep for crypto-test invocations, FIPS-test runs, constant-time analysis tools (`dudect`, `valgrind --tool=memcheck` on secret-dependent code, `ctgrind`).",
480
+ "air_gap_alternative": "Identical local-filesystem Glob + Grep; no network dependency. Run the same patterns against the working repo.",
468
481
  "description": "Build-time crypto verification. Absence of constant-time tests on vendored PQC primitives is a finding for the `pqc-readiness-gap` directive.",
469
482
  "required": false
470
483
  }
package/data/playbooks/framework.json CHANGED
@@ -44,6 +44,22 @@
44
44
  "playbook_id": "sbom",
45
45
  "condition": "any compliance_theater_check.verdict == 'theater' AND blast_radius_score >= 4"
46
46
  }
47
+ ],
48
+ "fed_by": [
49
+ "ai-api",
50
+ "cicd-pipeline-compromise",
51
+ "cloud-iam-incident",
52
+ "crypto",
53
+ "crypto-codebase",
54
+ "identity-sso-compromise",
55
+ "idp-incident",
56
+ "kernel",
57
+ "library-author",
58
+ "llm-tool-use-exfil",
59
+ "mcp",
60
+ "ransomware",
61
+ "sbom",
62
+ "webhook-callback-abuse"
47
63
  ]
48
64
  },
49
65
  "domain": {
package/data/playbooks/hardening.json CHANGED
@@ -47,6 +47,10 @@
47
47
  "playbook_id": "runtime",
48
48
  "condition": "finding.severity >= 'high'"
49
49
  }
50
+ ],
51
+ "fed_by": [
52
+ "cicd-pipeline-compromise",
53
+ "runtime"
50
54
  ]
51
55
  },
52
56
  "domain": {