@blamejs/exceptd-skills 0.12.8 → 0.12.10
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/AGENTS.md +2 -2
- package/ARCHITECTURE.md +21 -5
- package/CHANGELOG.md +120 -0
- package/README.md +1 -1
- package/bin/exceptd.js +227 -17
- package/data/_indexes/_meta.json +20 -20
- package/data/_indexes/activity-feed.json +17 -17
- package/data/_indexes/catalog-summaries.json +5 -5
- package/data/_indexes/chains.json +90 -11
- package/data/_indexes/frequency.json +2 -0
- package/data/_indexes/section-offsets.json +463 -355
- package/data/_indexes/token-budget.json +113 -53
- package/data/cve-catalog.json +385 -23
- package/data/cwe-catalog.json +34 -0
- package/data/playbooks/library-author.json +14 -0
- package/data/playbooks/mcp.json +1 -0
- package/data/zeroday-lessons.json +223 -1
- package/lib/playbook-runner.js +119 -35
- package/lib/prefetch.js +27 -6
- package/lib/refresh-external.js +81 -18
- package/lib/source-osv.js +493 -0
- package/manifest-snapshot.json +1 -1
- package/manifest.json +51 -51
- package/orchestrator/index.js +1 -1
- package/package.json +1 -1
- package/sbom.cdx.json +6 -6
- package/scripts/check-test-coverage.js +27 -6
- package/scripts/predeploy.js +7 -9
- package/skills/ai-attack-surface/skill.md +25 -0
- package/skills/ai-c2-detection/skill.md +24 -0
- package/skills/compliance-theater/skill.md +6 -0
- package/skills/exploit-scoring/skill.md +6 -0
- package/skills/mcp-agent-trust/skill.md +24 -0
- package/skills/policy-exception-gen/skill.md +6 -0
- package/skills/rag-pipeline-security/skill.md +28 -2
- package/skills/researcher/skill.md +6 -0
- package/skills/security-maturity-tiers/skill.md +6 -0
- package/skills/skill-update-loop/skill.md +6 -0
- package/skills/threat-model-currency/skill.md +4 -0
- package/skills/zeroday-gap-learn/skill.md +6 -0
package/data/_indexes/_meta.json
CHANGED
|
@@ -1,36 +1,36 @@
|
|
|
1
1
|
{
|
|
2
2
|
"schema_version": "1.1.0",
|
|
3
|
-
"generated_at": "2026-05-
|
|
3
|
+
"generated_at": "2026-05-13T17:30:56.669Z",
|
|
4
4
|
"generator": "scripts/build-indexes.js",
|
|
5
5
|
"source_count": 49,
|
|
6
6
|
"source_hashes": {
|
|
7
|
-
"manifest.json": "
|
|
7
|
+
"manifest.json": "b7501793892cdfd22ede52a21ec60629d000a5a562373948dd33c1b840776189",
|
|
8
8
|
"data/atlas-ttps.json": "f3f75ff2778a0a2c7d953a21386bc4f265cb2685ce41242eee45f9e9f2a6add6",
|
|
9
|
-
"data/cve-catalog.json": "
|
|
10
|
-
"data/cwe-catalog.json": "
|
|
9
|
+
"data/cve-catalog.json": "e4ee5a94bfab0109c2dbd9531a1cd3ad96ce37ad4ec36523d699beace5b6d5d4",
|
|
10
|
+
"data/cwe-catalog.json": "9d71498894a74a235d2c9dae97d062499529cb031184a4011172bf6dce9f3c3d",
|
|
11
11
|
"data/d3fend-catalog.json": "d219520c8d3eb61a270b25ea60f64721035e98a8d5d51d1a4e1f1140d9a586f9",
|
|
12
12
|
"data/dlp-controls.json": "8ea8d907aea0a2cfd772b048a62122a322ba3284a5c36a272ad5e9d392564cb5",
|
|
13
13
|
"data/exploit-availability.json": "7dad52f459c324c40aa4df7cd9157f6a19f670fdfb9d8f687d777c9d99798668",
|
|
14
14
|
"data/framework-control-gaps.json": "8804a10bf77e987453ea76ae717153118dc5cc625f42e98f78213b08fa144f73",
|
|
15
15
|
"data/global-frameworks.json": "84fd19061f052e4ccf66308a7b8d3fd38e00325e97e9e5e19e4d9b302c128957",
|
|
16
16
|
"data/rfc-references.json": "583360bae01e324d752bd28a7d344b4276478381426428d683fc82b0ac19d64a",
|
|
17
|
-
"data/zeroday-lessons.json": "
|
|
17
|
+
"data/zeroday-lessons.json": "d670e73dfd5237ceb71a56326676d90c05387b9547f8ed6f3a60a153854b444b",
|
|
18
18
|
"skills/kernel-lpe-triage/skill.md": "e8b8601cd3b66d25150bf17f2edd2ef18f10ca6d81ee62aaf874432ee5bdc4b3",
|
|
19
|
-
"skills/ai-attack-surface/skill.md": "
|
|
20
|
-
"skills/mcp-agent-trust/skill.md": "
|
|
19
|
+
"skills/ai-attack-surface/skill.md": "2775fe50d58d6437fb629b2f796714ef76ff7b86d271ee5bbd4064b9ca0b0ef6",
|
|
20
|
+
"skills/mcp-agent-trust/skill.md": "de17a4eee67096c737f2eb5972828445021e674fe6c28434cca34d290825739c",
|
|
21
21
|
"skills/framework-gap-analysis/skill.md": "86c86761b91d04bcd1ec684fb3d65cf5c2881fde59b03d33fa59baddbbf64d31",
|
|
22
|
-
"skills/compliance-theater/skill.md": "
|
|
23
|
-
"skills/exploit-scoring/skill.md": "
|
|
24
|
-
"skills/rag-pipeline-security/skill.md": "
|
|
25
|
-
"skills/ai-c2-detection/skill.md": "
|
|
26
|
-
"skills/policy-exception-gen/skill.md": "
|
|
27
|
-
"skills/threat-model-currency/skill.md": "
|
|
22
|
+
"skills/compliance-theater/skill.md": "e05a1df149b241421e86d81adcf4eae42697721f3a9ea8ffc54dd79cc03bd67b",
|
|
23
|
+
"skills/exploit-scoring/skill.md": "d51a5b7b614eb8d7fe539ec1943cfb6f0387e95cfe4eec39102564a9f93ac363",
|
|
24
|
+
"skills/rag-pipeline-security/skill.md": "061d9dd18fd930cddc11fdfa063847b9688d24fe785278e4d01f529f494d797c",
|
|
25
|
+
"skills/ai-c2-detection/skill.md": "a92158c113f7aa6a45be721727fda2957bbe9c52139e396e54f4bfa6a721a821",
|
|
26
|
+
"skills/policy-exception-gen/skill.md": "a6103dd567405f02ba767ee1ce2432c2c564688389efc789cf05cd61c4c8774c",
|
|
27
|
+
"skills/threat-model-currency/skill.md": "438a5f8e193a2684c37fc329ab3ab6e0d4a0365a4a04cb9e6a14fc8ddc15dfc7",
|
|
28
28
|
"skills/global-grc/skill.md": "a9f4477368e260609793b77275e65e255b5c8067b7ae777047a70f3edb373e50",
|
|
29
|
-
"skills/zeroday-gap-learn/skill.md": "
|
|
29
|
+
"skills/zeroday-gap-learn/skill.md": "581ad3600287195d4e669627bcb3e07241375c11f0d68b73faad114a9e946d42",
|
|
30
30
|
"skills/pqc-first/skill.md": "5b4300d71890c16b1de31d380859babaa3631729cedb0c0a397a1ff097524773",
|
|
31
|
-
"skills/skill-update-loop/skill.md": "
|
|
32
|
-
"skills/security-maturity-tiers/skill.md": "
|
|
33
|
-
"skills/researcher/skill.md": "
|
|
31
|
+
"skills/skill-update-loop/skill.md": "6956359babb31e6c21e9ca3e4331b895700747a28559f8cee5d81fee9d1d8a02",
|
|
32
|
+
"skills/security-maturity-tiers/skill.md": "92470f55e07027974359a5f3945e4bce6b849fc7fb849ab543f2d457393db98b",
|
|
33
|
+
"skills/researcher/skill.md": "1d1ad5a264f964cc9042058b492a4706fb2e8d26885b1137fef790325c5805d8",
|
|
34
34
|
"skills/attack-surface-pentest/skill.md": "40f5a6a6c80e6084a1c09fb0085d0083f4970385bf76098015e57fc17ad7b326",
|
|
35
35
|
"skills/fuzz-testing-strategy/skill.md": "83b1929a0d1e09a58908b91125ebc91ff14323ab9acc9bab6c4b04903b69b837",
|
|
36
36
|
"skills/dlp-gap-analysis/skill.md": "61149c692de109d5cfd00cada60478539f28374380b5ce17017603d71967ab58",
|
|
@@ -67,13 +67,13 @@
|
|
|
67
67
|
"dlp_refs": 0
|
|
68
68
|
},
|
|
69
69
|
"trigger_table_entries": 453,
|
|
70
|
-
"chains_cve_entries":
|
|
71
|
-
"chains_cwe_entries":
|
|
70
|
+
"chains_cve_entries": 8,
|
|
71
|
+
"chains_cwe_entries": 53,
|
|
72
72
|
"jurisdictions_indexed": 29,
|
|
73
73
|
"handoff_dag_nodes": 38,
|
|
74
74
|
"summary_cards": 38,
|
|
75
75
|
"section_offsets_skills": 38,
|
|
76
|
-
"token_budget_total_approx":
|
|
76
|
+
"token_budget_total_approx": 342364,
|
|
77
77
|
"recipes": 8,
|
|
78
78
|
"jurisdiction_clocks": 29,
|
|
79
79
|
"did_ladders": 8,
|
|
@@ -13,13 +13,21 @@
|
|
|
13
13
|
"schema_version": "1.0.0",
|
|
14
14
|
"entry_count": 15
|
|
15
15
|
},
|
|
16
|
+
{
|
|
17
|
+
"date": "2026-05-13",
|
|
18
|
+
"type": "catalog_update",
|
|
19
|
+
"artifact": "data/cve-catalog.json",
|
|
20
|
+
"path": "data/cve-catalog.json",
|
|
21
|
+
"schema_version": "1.0.0",
|
|
22
|
+
"entry_count": 9
|
|
23
|
+
},
|
|
16
24
|
{
|
|
17
25
|
"date": "2026-05-13",
|
|
18
26
|
"type": "catalog_update",
|
|
19
27
|
"artifact": "data/cwe-catalog.json",
|
|
20
28
|
"path": "data/cwe-catalog.json",
|
|
21
29
|
"schema_version": "1.0.0",
|
|
22
|
-
"entry_count":
|
|
30
|
+
"entry_count": 53
|
|
23
31
|
},
|
|
24
32
|
{
|
|
25
33
|
"date": "2026-05-13",
|
|
@@ -29,6 +37,14 @@
|
|
|
29
37
|
"schema_version": "1.0.0",
|
|
30
38
|
"entry_count": 28
|
|
31
39
|
},
|
|
40
|
+
{
|
|
41
|
+
"date": "2026-05-13",
|
|
42
|
+
"type": "catalog_update",
|
|
43
|
+
"artifact": "data/zeroday-lessons.json",
|
|
44
|
+
"path": "data/zeroday-lessons.json",
|
|
45
|
+
"schema_version": "1.0.0",
|
|
46
|
+
"entry_count": 9
|
|
47
|
+
},
|
|
32
48
|
{
|
|
33
49
|
"date": "2026-05-11",
|
|
34
50
|
"type": "skill_review",
|
|
@@ -190,14 +206,6 @@
|
|
|
190
206
|
"path": "skills/age-gates-child-safety/skill.md",
|
|
191
207
|
"note": "Age-related gates and child online safety for mid-2026 — COPPA + CIPA + California AADC + GDPR Art. 8 + DSA Art. 28 + UK Online Safety Act + UK Children's Code + AU Online Safety Act + IN DPDPA child provisions + KOSA pending; age verification standards (IEEE 2089-2021, OpenID Connect age claims); AI product age policies"
|
|
192
208
|
},
|
|
193
|
-
{
|
|
194
|
-
"date": "2026-05-11",
|
|
195
|
-
"type": "catalog_update",
|
|
196
|
-
"artifact": "data/cve-catalog.json",
|
|
197
|
-
"path": "data/cve-catalog.json",
|
|
198
|
-
"schema_version": "1.0.0",
|
|
199
|
-
"entry_count": 6
|
|
200
|
-
},
|
|
201
209
|
{
|
|
202
210
|
"date": "2026-05-11",
|
|
203
211
|
"type": "catalog_update",
|
|
@@ -343,14 +351,6 @@
|
|
|
343
351
|
"schema_version": "1.0.0",
|
|
344
352
|
"entry_count": 59
|
|
345
353
|
},
|
|
346
|
-
{
|
|
347
|
-
"date": "2026-05-01",
|
|
348
|
-
"type": "catalog_update",
|
|
349
|
-
"artifact": "data/zeroday-lessons.json",
|
|
350
|
-
"path": "data/zeroday-lessons.json",
|
|
351
|
-
"schema_version": "1.0.0",
|
|
352
|
-
"entry_count": 6
|
|
353
|
-
},
|
|
354
354
|
{
|
|
355
355
|
"date": "2026-05-01",
|
|
356
356
|
"type": "manifest_review",
|
|
@@ -31,7 +31,7 @@
|
|
|
31
31
|
"path": "data/cve-catalog.json",
|
|
32
32
|
"purpose": "Per-CVE record (CVSS, EPSS, CISA KEV, RWEP, AI-discovery, vendor advisories, framework gaps, ATLAS/ATT&CK mappings). Cross-validated against NVD + CISA KEV + FIRST EPSS via validate-cves.",
|
|
33
33
|
"schema_version": "1.0.0",
|
|
34
|
-
"last_updated": "2026-05-
|
|
34
|
+
"last_updated": "2026-05-13",
|
|
35
35
|
"tlp": "CLEAR",
|
|
36
36
|
"source_confidence_default": "A1",
|
|
37
37
|
"freshness_policy": {
|
|
@@ -40,7 +40,7 @@
|
|
|
40
40
|
"rebuild_after_days": 365,
|
|
41
41
|
"note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
|
|
42
42
|
},
|
|
43
|
-
"entry_count":
|
|
43
|
+
"entry_count": 9,
|
|
44
44
|
"sample_keys": [
|
|
45
45
|
"CVE-2026-31431",
|
|
46
46
|
"CVE-2026-43284",
|
|
@@ -62,7 +62,7 @@
|
|
|
62
62
|
"rebuild_after_days": 365,
|
|
63
63
|
"note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
|
|
64
64
|
},
|
|
65
|
-
"entry_count":
|
|
65
|
+
"entry_count": 53,
|
|
66
66
|
"sample_keys": [
|
|
67
67
|
"CWE-787",
|
|
68
68
|
"CWE-79",
|
|
@@ -207,7 +207,7 @@
|
|
|
207
207
|
"path": "data/zeroday-lessons.json",
|
|
208
208
|
"purpose": "Distilled lessons from notable zero-days and campaigns (SesameOp, Copy Fail, Dirty Frag, Copilot RCE, Windsurf MCP). Each entry: technique, distinguishing characteristic, what it means for the framework lag.",
|
|
209
209
|
"schema_version": "1.0.0",
|
|
210
|
-
"last_updated": "2026-05-
|
|
210
|
+
"last_updated": "2026-05-13",
|
|
211
211
|
"tlp": "CLEAR",
|
|
212
212
|
"source_confidence_default": "B2",
|
|
213
213
|
"freshness_policy": {
|
|
@@ -216,7 +216,7 @@
|
|
|
216
216
|
"rebuild_after_days": 365,
|
|
217
217
|
"note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
|
|
218
218
|
},
|
|
219
|
-
"entry_count":
|
|
219
|
+
"entry_count": 9,
|
|
220
220
|
"sample_keys": [
|
|
221
221
|
"CVE-2026-31431",
|
|
222
222
|
"CVE-2025-53773",
|
|
@@ -12,8 +12,8 @@
|
|
|
12
12
|
"rwep": 90,
|
|
13
13
|
"cvss": 7.8,
|
|
14
14
|
"cisa_kev": true,
|
|
15
|
-
"epss_score": 0.
|
|
16
|
-
"epss_percentile": 0.
|
|
15
|
+
"epss_score": 0.0257,
|
|
16
|
+
"epss_percentile": 0.8569,
|
|
17
17
|
"referencing_skills": [
|
|
18
18
|
"kernel-lpe-triage",
|
|
19
19
|
"exploit-scoring",
|
|
@@ -271,10 +271,10 @@
|
|
|
271
271
|
"CVE-2026-43284": {
|
|
272
272
|
"name": "Dirty Frag (ESP/IPsec component)",
|
|
273
273
|
"rwep": 38,
|
|
274
|
-
"cvss":
|
|
274
|
+
"cvss": 8.8,
|
|
275
275
|
"cisa_kev": false,
|
|
276
|
-
"epss_score": 0.
|
|
277
|
-
"epss_percentile": 0.
|
|
276
|
+
"epss_score": 0.00007,
|
|
277
|
+
"epss_percentile": 0.0051,
|
|
278
278
|
"referencing_skills": [
|
|
279
279
|
"kernel-lpe-triage",
|
|
280
280
|
"pqc-first",
|
|
@@ -483,8 +483,8 @@
|
|
|
483
483
|
"rwep": 32,
|
|
484
484
|
"cvss": 7.6,
|
|
485
485
|
"cisa_kev": false,
|
|
486
|
-
"epss_score": 0.
|
|
487
|
-
"epss_percentile": 0.
|
|
486
|
+
"epss_score": 0.0001,
|
|
487
|
+
"epss_percentile": 0.0115,
|
|
488
488
|
"referencing_skills": [
|
|
489
489
|
"kernel-lpe-triage",
|
|
490
490
|
"pqc-first",
|
|
@@ -1251,9 +1251,9 @@
|
|
|
1251
1251
|
}
|
|
1252
1252
|
},
|
|
1253
1253
|
"CVE-2026-30615": {
|
|
1254
|
-
"name": "Windsurf MCP
|
|
1254
|
+
"name": "Windsurf MCP Local-Vector RCE via Adversarial Tool Response",
|
|
1255
1255
|
"rwep": 35,
|
|
1256
|
-
"cvss":
|
|
1256
|
+
"cvss": 8,
|
|
1257
1257
|
"cisa_kev": false,
|
|
1258
1258
|
"epss_score": 0.14,
|
|
1259
1259
|
"epss_percentile": 0.86,
|
|
@@ -1756,8 +1756,59 @@
|
|
|
1756
1756
|
"rwep": 45,
|
|
1757
1757
|
"cvss": 9.6,
|
|
1758
1758
|
"cisa_kev": false,
|
|
1759
|
-
"epss_score": 0.
|
|
1760
|
-
"epss_percentile": 0.
|
|
1759
|
+
"epss_score": 0.00039,
|
|
1760
|
+
"epss_percentile": 0.1179,
|
|
1761
|
+
"referencing_skills": [],
|
|
1762
|
+
"chain": {
|
|
1763
|
+
"cwes": [],
|
|
1764
|
+
"atlas": [],
|
|
1765
|
+
"d3fend": [],
|
|
1766
|
+
"framework_gaps": [],
|
|
1767
|
+
"attack_refs": [],
|
|
1768
|
+
"rfc_refs": []
|
|
1769
|
+
}
|
|
1770
|
+
},
|
|
1771
|
+
"MAL-2026-3083": {
|
|
1772
|
+
"name": "Elementary-Data PyPI Worm (Forged Release via GitHub Actions Script Injection)",
|
|
1773
|
+
"rwep": 45,
|
|
1774
|
+
"cvss": 9.3,
|
|
1775
|
+
"cisa_kev": false,
|
|
1776
|
+
"epss_score": null,
|
|
1777
|
+
"epss_percentile": null,
|
|
1778
|
+
"referencing_skills": [],
|
|
1779
|
+
"chain": {
|
|
1780
|
+
"cwes": [],
|
|
1781
|
+
"atlas": [],
|
|
1782
|
+
"d3fend": [],
|
|
1783
|
+
"framework_gaps": [],
|
|
1784
|
+
"attack_refs": [],
|
|
1785
|
+
"rfc_refs": []
|
|
1786
|
+
}
|
|
1787
|
+
},
|
|
1788
|
+
"CVE-2026-42208": {
|
|
1789
|
+
"name": "BerriAI LiteLLM Proxy Auth SQL Injection",
|
|
1790
|
+
"rwep": 65,
|
|
1791
|
+
"cvss": 9.8,
|
|
1792
|
+
"cisa_kev": true,
|
|
1793
|
+
"epss_score": 0.37368,
|
|
1794
|
+
"epss_percentile": 0.9722,
|
|
1795
|
+
"referencing_skills": [],
|
|
1796
|
+
"chain": {
|
|
1797
|
+
"cwes": [],
|
|
1798
|
+
"atlas": [],
|
|
1799
|
+
"d3fend": [],
|
|
1800
|
+
"framework_gaps": [],
|
|
1801
|
+
"attack_refs": [],
|
|
1802
|
+
"rfc_refs": []
|
|
1803
|
+
}
|
|
1804
|
+
},
|
|
1805
|
+
"CVE-2026-39884": {
|
|
1806
|
+
"name": "Flux159 mcp-server-kubernetes Argument Injection via port_forward",
|
|
1807
|
+
"rwep": 20,
|
|
1808
|
+
"cvss": 8.3,
|
|
1809
|
+
"cisa_kev": false,
|
|
1810
|
+
"epss_score": 0.00039,
|
|
1811
|
+
"epss_percentile": 0.11727,
|
|
1761
1812
|
"referencing_skills": [],
|
|
1762
1813
|
"chain": {
|
|
1763
1814
|
"cwes": [],
|
|
@@ -7386,5 +7437,33 @@
|
|
|
7386
7437
|
"rfc_refs": []
|
|
7387
7438
|
},
|
|
7388
7439
|
"related_cves": []
|
|
7440
|
+
},
|
|
7441
|
+
"CWE-506": {
|
|
7442
|
+
"name": "Embedded Malicious Code",
|
|
7443
|
+
"category": "Supply Chain",
|
|
7444
|
+
"referencing_skills": [],
|
|
7445
|
+
"skill_count": 0,
|
|
7446
|
+
"chain": {
|
|
7447
|
+
"atlas": [],
|
|
7448
|
+
"attack_refs": [],
|
|
7449
|
+
"framework_gaps": [],
|
|
7450
|
+
"d3fend": [],
|
|
7451
|
+
"rfc_refs": []
|
|
7452
|
+
},
|
|
7453
|
+
"related_cves": []
|
|
7454
|
+
},
|
|
7455
|
+
"CWE-88": {
|
|
7456
|
+
"name": "Improper Neutralization of Argument Delimiters in a Command",
|
|
7457
|
+
"category": "Injection",
|
|
7458
|
+
"referencing_skills": [],
|
|
7459
|
+
"skill_count": 0,
|
|
7460
|
+
"chain": {
|
|
7461
|
+
"atlas": [],
|
|
7462
|
+
"attack_refs": [],
|
|
7463
|
+
"framework_gaps": [],
|
|
7464
|
+
"d3fend": [],
|
|
7465
|
+
"rfc_refs": []
|
|
7466
|
+
},
|
|
7467
|
+
"related_cves": []
|
|
7389
7468
|
}
|
|
7390
7469
|
}
|