npm - @blamejs/exceptd-skills - Versions diffs - 0.12.40 → 0.13.0 - Mend

@blamejs/exceptd-skills 0.12.40 → 0.13.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (97) hide show

package/AGENTS.md +17 -0
package/ARCHITECTURE.md +7 -4
package/CHANGELOG.md +215 -248
package/CONTEXT.md +2 -2
package/README.md +2 -8
package/agents/threat-researcher.md +2 -2
package/bin/exceptd.js +179 -81
package/data/_indexes/_meta.json +50 -50
package/data/_indexes/activity-feed.json +1 -1
package/data/_indexes/catalog-summaries.json +1 -1
package/data/_indexes/chains.json +485 -13
package/data/_indexes/frequency.json +4 -0
package/data/_indexes/jurisdiction-map.json +15 -4
package/data/_indexes/section-offsets.json +1224 -1224
package/data/_indexes/token-budget.json +170 -170
package/data/atlas-ttps.json +54 -11
package/data/attack-techniques.json +113 -17
package/data/cve-catalog.json +38 -52
package/data/cwe-catalog.json +8 -2
package/data/exploit-availability.json +1 -0
package/data/framework-control-gaps.json +149 -6
package/data/global-frameworks.json +1 -0
package/data/playbooks/ai-api.json +5 -0
package/data/playbooks/cicd-pipeline-compromise.json +970 -0
package/data/playbooks/cloud-iam-incident.json +4 -1
package/data/playbooks/cred-stores.json +10 -0
package/data/playbooks/crypto-codebase.json +13 -0
package/data/playbooks/framework.json +16 -0
package/data/playbooks/hardening.json +4 -0
package/data/playbooks/identity-sso-compromise.json +951 -0
package/data/playbooks/idp-incident.json +3 -0
package/data/playbooks/kernel.json +6 -0
package/data/playbooks/llm-tool-use-exfil.json +963 -0
package/data/playbooks/mcp.json +6 -0
package/data/playbooks/runtime.json +4 -0
package/data/playbooks/sbom.json +13 -0
package/data/playbooks/secrets.json +6 -0
package/data/playbooks/webhook-callback-abuse.json +916 -0
package/data/zeroday-lessons.json +1 -0
package/lib/cross-ref-api.js +33 -13
package/lib/cve-curation.js +12 -1
package/lib/exit-codes.js +29 -0
package/lib/lint-skills.js +25 -3
package/lib/playbook-runner.js +8 -4
package/lib/refresh-external.js +10 -1
package/lib/scoring.js +64 -1
package/lib/sign.js +40 -7
package/lib/verify.js +5 -5
package/manifest.json +83 -83
package/orchestrator/README.md +7 -7
package/orchestrator/index.js +46 -25
package/orchestrator/scheduler.js +2 -2
package/package.json +1 -1
package/sbom.cdx.json +135 -91
package/scripts/check-test-coverage.js +6 -6
package/scripts/predeploy.js +7 -13
package/scripts/refresh-reverse-refs.js +107 -20
package/scripts/refresh-sbom.js +21 -4
package/skills/age-gates-child-safety/skill.md +1 -5
package/skills/ai-attack-surface/skill.md +11 -4
package/skills/ai-c2-detection/skill.md +11 -2
package/skills/ai-risk-management/skill.md +4 -2
package/skills/api-security/skill.md +7 -8
package/skills/attack-surface-pentest/skill.md +2 -2
package/skills/cloud-iam-incident/skill.md +1 -5
package/skills/cloud-security/skill.md +0 -4
package/skills/compliance-theater/skill.md +10 -2
package/skills/container-runtime-security/skill.md +1 -3
package/skills/dlp-gap-analysis/skill.md +3 -4
package/skills/email-security-anti-phishing/skill.md +1 -8
package/skills/exploit-scoring/skill.md +7 -2
package/skills/framework-gap-analysis/skill.md +1 -1
package/skills/fuzz-testing-strategy/skill.md +1 -2
package/skills/global-grc/skill.md +3 -2
package/skills/identity-assurance/skill.md +1 -3
package/skills/idp-incident-response/skill.md +1 -4
package/skills/incident-response-playbook/skill.md +1 -5
package/skills/kernel-lpe-triage/skill.md +2 -2
package/skills/mcp-agent-trust/skill.md +13 -3
package/skills/mlops-security/skill.md +3 -4
package/skills/ot-ics-security/skill.md +0 -3
package/skills/policy-exception-gen/skill.md +11 -3
package/skills/pqc-first/skill.md +4 -2
package/skills/rag-pipeline-security/skill.md +2 -0
package/skills/ransomware-response/skill.md +1 -5
package/skills/researcher/skill.md +4 -3
package/skills/sector-energy/skill.md +0 -4
package/skills/sector-federal-government/skill.md +2 -3
package/skills/sector-financial/skill.md +1 -4
package/skills/sector-healthcare/skill.md +0 -5
package/skills/sector-telecom/skill.md +0 -4
package/skills/security-maturity-tiers/skill.md +1 -2
package/skills/skill-update-loop/skill.md +4 -3
package/skills/supply-chain-integrity/skill.md +4 -3
package/skills/threat-model-currency/skill.md +1 -1
package/skills/threat-modeling-methodology/skill.md +2 -1
package/skills/webapp-security/skill.md +0 -5

package/orchestrator/index.js CHANGED Viewed

@@ -27,6 +27,7 @@ const { dispatch, routeQuery, getSkillContext } = require('./dispatcher');
 const { currencyCheck, initPipeline } = require('./pipeline');
 const { bus, EVENT_TYPES } = require('./event-bus');
 const { start: startScheduler, stop: stopScheduler, runCurrencyNow } = require('./scheduler');
+const { EXIT_CODES, safeExit } = require('../lib/exit-codes');
 const cmd = process.argv[2];
 const args = process.argv.slice(3);
@@ -145,7 +146,12 @@ Examples:
   exceptd framework-gap NIST-800-53 CVE-2026-31431
   exceptd framework-gap PCI-DSS-4.0 "prompt injection"
   exceptd framework-gap all CVE-2025-53773 --json`);
-    process.exit(2);
+    // v0.13 exit-code class fix: usage error is GENERIC_FAILURE (1),
+    // not DETECTED_ESCALATE (2). Pre-v0.13 the orchestrator emitted
+    // exit 2 for usage errors, colliding with CI gates that branch on
+    // exit 2 to mean "verb ran + detected escalation-worthy finding".
+    safeExit(EXIT_CODES.GENERIC_FAILURE);
+    return;
   }
   const root = path.join(__dirname, '..');
@@ -155,7 +161,8 @@ Examples:
     cveCatalog = JSON.parse(fs.readFileSync(path.join(root, 'data', 'cve-catalog.json'), 'utf8'));
   } catch (err) {
     console.error(`[framework-gap] cannot read catalog: ${err.message}`);
-    process.exit(2);
+    safeExit(EXIT_CODES.GENERIC_FAILURE);
+    return;
   }
   const requested = args[0].toLowerCase() === 'all'
@@ -292,20 +299,20 @@ async function runDispatch() {
 function runSkillContext(skillName) {
   if (!skillName) {
-    // Cycle 20 A P2 (v0.12.40): operator-facing surface must reference
-    // the canonical `exceptd skill <name>` form, not the orchestrator
-    // path that's an implementation detail. CLAUDE.md global rule:
-    // "no internal narrative in operator-facing artifacts."
     console.error('Usage: exceptd skill <skill-name>');
     console.error('       (Lists available skills: exceptd brief --all)');
-    process.exit(1);
+    safeExit(EXIT_CODES.GENERIC_FAILURE);
+    return;
   }
   const context = getSkillContext(skillName);
   if (!context) {
-    // Unified error shape across the CLI surface — see v0.10.3 bug #18.
-    process.stderr.write(JSON.stringify({ ok: false, error: `Skill not found: ${skillName}`, verb: "skill", hint: "Run `exceptd brief --all` or check skills/ for available skill IDs." }) + "\n");
-    process.exit(1);
+    // v0.13 envelope harmonization: ok:false bodies land on stdout
+    // alongside successful results so a single consumer can parse the
+    // verb's envelope without splitting across two streams.
+    process.stdout.write(JSON.stringify({ ok: false, verb: "skill", error: `Skill not found: ${skillName}`, hint: "Run `exceptd brief --all` or check skills/ for available skill IDs." }) + "\n");
+    safeExit(EXIT_CODES.GENERIC_FAILURE);
+    return;
   }
   console.log(`Skill: ${context.skill.name} v${context.skill.version}`);
@@ -332,7 +339,7 @@ function runPipeline(triggerType, payload) {
     console.log(`  Agent: ${stage.agent_path}`);
   }
   console.log('\nTo run each stage, load the agent definition and follow its instructions:');
-  console.log('  node orchestrator/index.js skill skill-update-loop');
+  console.log('  exceptd skill skill-update-loop');
   return run;
 }
@@ -368,12 +375,18 @@ async function runReport(format) {
   // string. Now: reject with structured JSON error matching other verbs.
   const VALID_REPORT_FORMATS = ['executive', 'technical', 'compliance', 'csaf'];
   if (!VALID_REPORT_FORMATS.includes(format)) {
-    process.stderr.write(JSON.stringify({
+    // v0.13 envelope harmonization: ok:false body on stdout, exit 1
+    // (GENERIC_FAILURE) not 2 (DETECTED_ESCALATE). Pre-v0.13 the
+    // body went to stderr and exit was 2; both broke CI consumers
+    // that expected the dispatch-error vs verb-finding distinction.
+    process.stdout.write(JSON.stringify({
       ok: false,
-      error: `report: format "${format}" not in accepted set ${JSON.stringify(VALID_REPORT_FORMATS)}.`,
       verb: 'report',
+      error: `report: format "${format}" not in accepted set ${JSON.stringify(VALID_REPORT_FORMATS)}.`,
+      accepted_formats: VALID_REPORT_FORMATS,
     }) + '\n');
-    process.exit(2);
+    safeExit(EXIT_CODES.GENERIC_FAILURE);
+    return;
   }
   // v0.11.1 feature #55: `report csaf` emits a CSAF 2.0 envelope covering
@@ -693,7 +706,8 @@ async function runValidateCves(rawArgs = []) {
     catalog = JSON.parse(fs.readFileSync(catalogPath, 'utf8'));
   } catch (err) {
     console.error(`[validate-cves] cannot read ${catalogPath}: ${err.message}`);
-    process.exit(2);
+    safeExit(EXIT_CODES.GENERIC_FAILURE);
+    return;
   }
   // --since <ISO|YYYY-MM-DD>: scope-limit validation to CVEs whose
@@ -863,7 +877,7 @@ async function runValidateCves(rawArgs = []) {
   }
   if (driftFound > 0) {
     console.log(`\n[validate-cves] DRIFT DETECTED on ${driftFound} CVE(s). Update data/cve-catalog.json and bump source_verified.`);
-    if (!noFail) process.exit(1);
+    if (!noFail) { safeExit(EXIT_CODES.GENERIC_FAILURE); return; }
   } else {
     console.log('[validate-cves] No drift detected against reachable sources.');
   }
@@ -914,7 +928,8 @@ async function runValidateRfcs(rawArgs = []) {
     refs = JSON.parse(fs.readFileSync(refsPath, 'utf8'));
   } catch (err) {
     console.error(`[validate-rfcs] cannot read ${refsPath}: ${err.message}`);
-    process.exit(2);
+    safeExit(EXIT_CODES.GENERIC_FAILURE);
+    return;
   }
   // --since <ISO|YYYY-MM-DD>: scope-limit (parity with validate-cves).
@@ -1043,7 +1058,7 @@ async function runValidateRfcs(rawArgs = []) {
   console.log();
   if (driftFound > 0) {
     console.log(`[validate-rfcs] DRIFT DETECTED on ${driftFound} entry(ies). Update data/rfc-references.json and bump last_verified.`);
-    if (!noFail) process.exit(1);
+    if (!noFail) { safeExit(EXIT_CODES.GENERIC_FAILURE); return; }
   } else if (unreachable > 0) {
     console.log(`[validate-rfcs] ${unreachable} entry(ies) unreachable. Network/IETF Datatracker is intermittent — re-run later.`);
   } else if (!offline && validator) {
@@ -1078,7 +1093,8 @@ function runWatchlist(rawArgs = []) {
     manifest = JSON.parse(fs.readFileSync(manifestPath, 'utf8'));
   } catch (err) {
     console.error(`[watchlist] cannot read ${manifestPath}: ${err.message}`);
-    process.exit(2);
+    safeExit(EXIT_CODES.GENERIC_FAILURE);
+    return;
   }
   // Exclude entries that are explicitly marked `status: "deprecated"` so
@@ -1125,7 +1141,12 @@ function runWatchlist(rawArgs = []) {
   const jsonOut = rawArgs.includes('--json');
   if (jsonOut) {
+    // v0.13.0 envelope harmonization: top-level `ok: true` so every
+    // verb's JSON body shares the contract whether emitted by
+    // bin/exceptd.js emit() (which auto-defaults `ok`) or by the
+    // orchestrator dispatch (which writes stdout directly).
     const out = {
+      ok: true,
       generated_at: new Date().toISOString(),
       skills_scanned: skills.length,
       parse_errors: parseErrors,
@@ -1378,11 +1399,11 @@ Environment variables:
   EXCEPTD_SCAN_TARGETS Directories to scan for MCP configs
 Examples:
-  node orchestrator/index.js scan
-  node orchestrator/index.js skill kernel-lpe-triage
-  node orchestrator/index.js currency
-  node orchestrator/index.js report executive
-  node orchestrator/index.js watch
+  exceptd scan
+  exceptd skill kernel-lpe-triage
+  exceptd currency
+  exceptd report executive
+  exceptd watch
 `);
 }
@@ -1394,7 +1415,7 @@ Examples:
 if (require.main === module) {
   main().catch(err => {
     console.error('[orchestrator] Fatal:', err.message);
-    process.exit(1);
+    process.exitCode = 1;
   });
 }

package/orchestrator/scheduler.js CHANGED Viewed

@@ -277,12 +277,12 @@ function runMonthlyCveValidation() {
   console.log(`[scheduler] Monthly CVE validation reminder — ${timestamp}`);
   console.log('[scheduler] Action: Verify all data/cve-catalog.json entries against NVD and CISA KEV.');
   console.log('[scheduler] Action: Update last_verified dates in data/exploit-availability.json.');
-  console.log('[scheduler] Run: node orchestrator/index.js validate-cves');
+  console.log('[scheduler] Run: exceptd validate-cves');
   return {
     task: 'monthly_cve_validation',
     timestamp,
-    action: 'Run node orchestrator/index.js validate-cves to check all CVE entries'
+    action: 'Run `exceptd validate-cves` to check all CVE entries'
   };
 }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/exceptd-skills",
-  "version": "0.12.40",
+  "version": "0.13.0",
   "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 42 skills, 10 catalogs, 34 jurisdictions, pre-computed indexes, Ed25519-signed.",
   "keywords": [
     "ai-security",