npm - @blamejs/exceptd-skills - Versions diffs - 0.12.41 → 0.13.0 - Mend

@blamejs/exceptd-skills 0.12.41 → 0.13.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (79) hide show

package/CHANGELOG.md +91 -0
package/bin/exceptd.js +52 -44
package/data/_indexes/_meta.json +47 -47
package/data/_indexes/chains.json +485 -13
package/data/_indexes/jurisdiction-map.json +15 -4
package/data/_indexes/section-offsets.json +1244 -1244
package/data/_indexes/token-budget.json +173 -173
package/data/atlas-ttps.json +54 -11
package/data/attack-techniques.json +113 -17
package/data/cve-catalog.json +17 -24
package/data/cwe-catalog.json +8 -2
package/data/framework-control-gaps.json +13 -3
package/data/playbooks/ai-api.json +5 -0
package/data/playbooks/cicd-pipeline-compromise.json +970 -0
package/data/playbooks/cloud-iam-incident.json +4 -1
package/data/playbooks/cred-stores.json +10 -0
package/data/playbooks/framework.json +16 -0
package/data/playbooks/hardening.json +4 -0
package/data/playbooks/identity-sso-compromise.json +951 -0
package/data/playbooks/idp-incident.json +3 -0
package/data/playbooks/kernel.json +6 -0
package/data/playbooks/llm-tool-use-exfil.json +963 -0
package/data/playbooks/mcp.json +6 -0
package/data/playbooks/runtime.json +4 -0
package/data/playbooks/sbom.json +13 -0
package/data/playbooks/secrets.json +6 -0
package/data/playbooks/webhook-callback-abuse.json +916 -0
package/lib/cross-ref-api.js +33 -13
package/lib/cve-curation.js +12 -1
package/lib/exit-codes.js +29 -0
package/lib/lint-skills.js +24 -2
package/lib/refresh-external.js +10 -1
package/lib/scoring.js +55 -0
package/manifest.json +83 -83
package/orchestrator/index.js +32 -24
package/package.json +1 -1
package/sbom.cdx.json +122 -78
package/scripts/predeploy.js +7 -13
package/scripts/refresh-reverse-refs.js +86 -0
package/scripts/refresh-sbom.js +21 -4
package/skills/age-gates-child-safety/skill.md +1 -5
package/skills/ai-attack-surface/skill.md +11 -4
package/skills/ai-c2-detection/skill.md +11 -2
package/skills/ai-risk-management/skill.md +4 -2
package/skills/api-security/skill.md +7 -8
package/skills/attack-surface-pentest/skill.md +2 -2
package/skills/cloud-iam-incident/skill.md +1 -5
package/skills/cloud-security/skill.md +0 -4
package/skills/compliance-theater/skill.md +10 -2
package/skills/container-runtime-security/skill.md +1 -3
package/skills/dlp-gap-analysis/skill.md +3 -4
package/skills/email-security-anti-phishing/skill.md +1 -8
package/skills/exploit-scoring/skill.md +7 -2
package/skills/framework-gap-analysis/skill.md +1 -1
package/skills/fuzz-testing-strategy/skill.md +1 -2
package/skills/global-grc/skill.md +3 -2
package/skills/identity-assurance/skill.md +1 -3
package/skills/idp-incident-response/skill.md +1 -4
package/skills/incident-response-playbook/skill.md +1 -5
package/skills/kernel-lpe-triage/skill.md +2 -2
package/skills/mcp-agent-trust/skill.md +13 -3
package/skills/mlops-security/skill.md +2 -3
package/skills/ot-ics-security/skill.md +0 -3
package/skills/policy-exception-gen/skill.md +11 -3
package/skills/pqc-first/skill.md +4 -2
package/skills/rag-pipeline-security/skill.md +2 -0
package/skills/ransomware-response/skill.md +1 -5
package/skills/researcher/skill.md +4 -3
package/skills/sector-energy/skill.md +0 -4
package/skills/sector-federal-government/skill.md +2 -3
package/skills/sector-financial/skill.md +1 -4
package/skills/sector-healthcare/skill.md +0 -5
package/skills/sector-telecom/skill.md +0 -4
package/skills/security-maturity-tiers/skill.md +1 -2
package/skills/skill-update-loop/skill.md +4 -3
package/skills/supply-chain-integrity/skill.md +4 -3
package/skills/threat-model-currency/skill.md +1 -1
package/skills/threat-modeling-methodology/skill.md +2 -1
package/skills/webapp-security/skill.md +0 -5

package/skills/mlops-security/skill.md CHANGED Viewed

@@ -20,12 +20,11 @@ triggers:
   - drift detection
   - model monitoring
 data_deps:
-  - cve-catalog.json
   - atlas-ttps.json
-  - framework-control-gaps.json
+  - cve-catalog.json
   - cwe-catalog.json
   - d3fend-catalog.json
-  - rfc-references.json
+  - framework-control-gaps.json
 atlas_refs:
   - AML.T0010
   - AML.T0018

package/skills/ot-ics-security/skill.md CHANGED Viewed

@@ -20,9 +20,6 @@ triggers:
   - purdue
 data_deps:
   - cve-catalog.json
-  - atlas-ttps.json
-  - framework-control-gaps.json
-  - cwe-catalog.json
   - d3fend-catalog.json
 atlas_refs:
   - AML.T0010

package/skills/policy-exception-gen/skill.md CHANGED Viewed

@@ -12,8 +12,9 @@ triggers:
   - zero trust exception
   - compensating control
 data_deps:
-  - framework-control-gaps.json
-  - global-frameworks.json
+  - atlas-ttps.json
+  - cve-catalog.json
+  - exploit-availability.json
 atlas_refs: []
 attack_refs: []
 framework_gaps: []
@@ -22,7 +23,7 @@ forward_watch:
   - EU CRA exceptions for AI pipeline components
   - NIST SP 800-204 series updates for microservices
   - FedRAMP updates for container/serverless authorization
-last_threat_review: "2026-05-01"
+last_threat_review: "2026-05-17"
 ---
 # Policy Exception Generation
@@ -75,6 +76,13 @@ Per-framework lag statements for each exception category in this skill:
 | PCI DSS 4.0 | 12.3.4 (Inventory of system components) | Persistent-asset assumption — fails for autoscaled ephemeral compute. |
 | PCI DSS 4.0 | 1.3 (Network segmentation) | Implicit perimeter-trust model; ZTA evidence shape does not match the language. |
 | NIS2 | Art. 21 (Cybersecurity risk-management measures) | Asset register and patch management language predates serverless; ephemeral nodes cannot be inventoried as the article assumes. |
+| EU DORA | Art. 8 (ICT-related risk and ICT asset management) + Art. 9 (protection and prevention) + Art. 28 (ICT third-party risk) | Financial-entity asset register and patch-management obligations mirror the NIS2 lag: ephemeral compute has no clean register fit, and Art. 28 ICT third-party register is silent on LLM API providers and developer-environment MCP servers. ESAs RTS on subcontracting (JC 2024/53) does not enumerate AI/ML SaaS classes. |
+| EU AI Act (Regulation 2024/1689) | Art. 13 (transparency / instructions for use) + Art. 15 (cybersecurity for high-risk AI) | Drafted around vendor-provided AI systems with documented change-management. External provider model updates that change behavior mid-deployment have no exception language; high-risk AI Art. 15 cybersecurity expectations assume operator control over the model. |
+| UK NCSC CAF | Principle A2 (Risk Management), A4 (Supply Chain), B4 (System Security) | Outcome-based assessment. NCSC Cloud Security Principles and ZT Architecture Design Principles (NCSC 2024) recognize ephemeral and identity-centric architectures, but the CAF outcome statements do not enumerate ZTA / ephemeral / AI-model-update as explicit deviation classes. Exception language must map the operator's compensating-control bundle to the CAF principle's outcome rather than to a prescriptive control. |
+| UK Cyber Essentials Plus | Patch management + Secure Configuration criteria | 14-day patch SLA assumes persistent assets the operator patches. Ephemeral / immutable / provider-patched runtimes (Lambda, Cloud Run, Cloudflare Workers) fall outside the criterion as written. The CE+ assessor expects a documented justification when a service does not fit the standard model. |
+| AU ASD Essential 8 | Patch Applications + Patch Operating Systems + Application Control (ML1-ML3) | Patch-window language assumes a persistent OS / application installation the operator patches. Ephemeral container workloads with immutable images and serverless runtimes break the model. Application Control (allowlisting) does not contemplate AI-coding-assistant tool-use chains where the AI agent dynamically composes the executed action. |
+| AU ASD ISM | ISM-1493 (vulnerability identification and patching) + ISM-1144 (patching frequency) + ISM-1808 (cloud service consumer responsibilities) | ISM-1808 acknowledges cloud shared-responsibility but does not specify exception language for provider-controlled runtimes. ISM-1493 / ISM-1144 patch-frequency controls assume operator-controlled patching. |
+| AU APRA CPS 234 | Para 27 (information security capability) + Para 36 (control testing) | "Capability commensurate with vulnerabilities and threats" language. AI-pipeline and ZTA architectures are not enumerated as in-scope capability classes; an APRA-regulated entity must document the architectural deviation explicitly to avoid a control-testing finding. |
 This skill's exceptions exist precisely because the framework language has not caught up to the architecture. The exceptions do not claim the threat goes away — they document the compensating controls that handle the residual TTPs (see TTP Mapping).

package/skills/pqc-first/skill.md CHANGED Viewed

@@ -18,8 +18,10 @@ triggers:
   - fips 204
   - fips 205
 data_deps:
-  - cve-catalog.json
-  - framework-control-gaps.json
+  - atlas-ttps.json
+  - exploit-availability.json
+  - global-frameworks.json
+  - rfc-references.json
 atlas_refs: []
 attack_refs: []
 framework_gaps:

package/skills/rag-pipeline-security/skill.md CHANGED Viewed

@@ -12,6 +12,8 @@ triggers:
   - vector poisoning
 data_deps:
   - atlas-ttps.json
+  - d3fend-catalog.json
+  - exploit-availability.json
   - framework-control-gaps.json
 atlas_refs:
   - AML.T0020

package/skills/ransomware-response/skill.md CHANGED Viewed

@@ -26,12 +26,8 @@ triggers:
   - double extortion
   - data theft before encryption
 data_deps:
-  - cve-catalog.json
-  - atlas-ttps.json
-  - framework-control-gaps.json
-  - global-frameworks.json
-  - cwe-catalog.json
   - d3fend-catalog.json
+  - framework-control-gaps.json
   - zeroday-lessons.json
 atlas_refs: []
 attack_refs:

package/skills/researcher/skill.md CHANGED Viewed

@@ -14,12 +14,13 @@ triggers:
   - threat intel triage
   - exceptd research
 data_deps:
-  - cve-catalog.json
   - atlas-ttps.json
-  - framework-control-gaps.json
-  - zeroday-lessons.json
+  - cve-catalog.json
+  - d3fend-catalog.json
   - exploit-availability.json
+  - framework-control-gaps.json
   - global-frameworks.json
+  - zeroday-lessons.json
 atlas_refs: []
 attack_refs: []
 framework_gaps: []

package/skills/sector-energy/skill.md CHANGED Viewed

@@ -20,10 +20,6 @@ triggers:
   - smart meter security
 data_deps:
   - cve-catalog.json
-  - atlas-ttps.json
-  - framework-control-gaps.json
-  - global-frameworks.json
-  - cwe-catalog.json
   - d3fend-catalog.json
 atlas_refs: []
 attack_refs:

package/skills/sector-federal-government/skill.md CHANGED Viewed

@@ -21,11 +21,10 @@ triggers:
   - stateramp
 data_deps:
   - cve-catalog.json
-  - atlas-ttps.json
-  - framework-control-gaps.json
-  - global-frameworks.json
   - cwe-catalog.json
   - d3fend-catalog.json
+  - exploit-availability.json
+  - framework-control-gaps.json
 atlas_refs: []
 attack_refs:
   - T1190

package/skills/sector-financial/skill.md CHANGED Viewed

@@ -22,12 +22,9 @@ triggers:
   - tlpt
 data_deps:
   - cve-catalog.json
-  - atlas-ttps.json
-  - framework-control-gaps.json
-  - global-frameworks.json
-  - cwe-catalog.json
   - d3fend-catalog.json
   - dlp-controls.json
+  - framework-control-gaps.json
 atlas_refs:
   - AML.T0096
   - AML.T0017

package/skills/sector-healthcare/skill.md CHANGED Viewed

@@ -19,12 +19,7 @@ triggers:
   - patient data
 data_deps:
   - cve-catalog.json
-  - atlas-ttps.json
-  - framework-control-gaps.json
-  - global-frameworks.json
-  - cwe-catalog.json
   - d3fend-catalog.json
-  - dlp-controls.json
 atlas_refs:
   - AML.T0051
   - AML.T0017

package/skills/sector-telecom/skill.md CHANGED Viewed

@@ -27,11 +27,7 @@ triggers:
   - itu-t x.805
 data_deps:
   - cve-catalog.json
-  - atlas-ttps.json
   - framework-control-gaps.json
-  - global-frameworks.json
-  - cwe-catalog.json
-  - d3fend-catalog.json
 atlas_refs:
   - AML.T0040
 attack_refs:

package/skills/security-maturity-tiers/skill.md CHANGED Viewed

@@ -16,9 +16,8 @@ triggers:
   - defense in depth
   - how do we get from here to there
 data_deps:
+  - atlas-ttps.json
   - cve-catalog.json
-  - framework-control-gaps.json
-  - global-frameworks.json
 atlas_refs: []
 attack_refs: []
 framework_gaps: []

package/skills/skill-update-loop/skill.md CHANGED Viewed

@@ -14,13 +14,14 @@ triggers:
   - atlas update
   - framework update
 data_deps:
-  - cve-catalog.json
   - atlas-ttps.json
+  - cve-catalog.json
+  - d3fend-catalog.json
+  - exploit-availability.json
   - framework-control-gaps.json
   - global-frameworks.json
-  - zeroday-lessons.json
-  - exploit-availability.json
   - rfc-references.json
+  - zeroday-lessons.json
 atlas_refs: []
 attack_refs: []
 framework_gaps: []

package/skills/supply-chain-integrity/skill.md CHANGED Viewed

@@ -19,11 +19,12 @@ triggers:
   - csaf
 data_deps:
   - cve-catalog.json
-  - atlas-ttps.json
-  - framework-control-gaps.json
-  - rfc-references.json
   - cwe-catalog.json
   - d3fend-catalog.json
+  - exploit-availability.json
+  - framework-control-gaps.json
+  - global-frameworks.json
+  - rfc-references.json
 atlas_refs:
   - AML.T0010
   - AML.T0018

package/skills/threat-model-currency/skill.md CHANGED Viewed

@@ -12,7 +12,7 @@ triggers:
 data_deps:
   - atlas-ttps.json
   - cve-catalog.json
-  - framework-control-gaps.json
+  - global-frameworks.json
 atlas_refs: []
 attack_refs: []
 framework_gaps: []

package/skills/threat-modeling-methodology/skill.md CHANGED Viewed

@@ -18,10 +18,11 @@ triggers:
   - trust boundary
 data_deps:
   - atlas-ttps.json
-  - framework-control-gaps.json
   - cve-catalog.json
   - cwe-catalog.json
   - d3fend-catalog.json
+  - framework-control-gaps.json
+  - zeroday-lessons.json
 atlas_refs: []
 attack_refs: []
 framework_gaps:

package/skills/webapp-security/skill.md CHANGED Viewed

@@ -19,12 +19,7 @@ triggers:
   - broken access control
   - ai generated code
 data_deps:
-  - cve-catalog.json
-  - atlas-ttps.json
   - framework-control-gaps.json
-  - cwe-catalog.json
-  - d3fend-catalog.json
-  - rfc-references.json
 atlas_refs:
   - AML.T0051
 attack_refs: