@blamejs/exceptd-skills 0.13.0 → 0.13.1

package/orchestrator/index.js

@@ -1085,9 +1085,20 @@ function runWatchlist(rawArgs = []) {
   const { parseFrontmatter, extractFrontmatterBlock } = require('../lib/lint-skills.js');
 
   const byskill = rawArgs.includes('--by-skill');
+  const alertsMode = rawArgs.includes('--alerts');
   const manifestPath = path.join(__dirname, '..', 'manifest.json');
   const repoRoot = path.join(__dirname, '..');
 
+  // v0.13.1: --alerts re-scopes watchlist from "skills forward_watch" to
+  // "CVE-class alert patterns" — surfaces catalog entries matching
+  // high-priority shape rules (kernel-LPE-with-PoC, supply-chain-family,
+  // AI-discovered-KEV, recently-disclosed-with-active-exploitation).
+  // The two modes are mutually exclusive; --alerts short-circuits the
+  // forward-watch aggregation.
+  if (alertsMode) {
+    return runWatchlistAlerts(rawArgs);
+  }
+
   let manifest;
   try {
     manifest = JSON.parse(fs.readFileSync(manifestPath, 'utf8'));
@@ -1200,6 +1211,170 @@ function runWatchlist(rawArgs = []) {
   console.log(`Run with --by-skill to invert the view.`);
 }
 
+/**
+ * v0.13.1 — runWatchlistAlerts surfaces CVE catalog entries matching
+ * high-priority pattern rules. Closes the post-mortem gap from
+ * CVE-2026-46333 (ssh-keysign-pwn) where the toolkit shipped a CVE
+ * matching the kernel-LPE-with-public-PoC shape but had no programmatic
+ * way for an operator to ask "what just landed that needs attention?".
+ *
+ * Patterns are evaluated against every catalog entry; multiple patterns
+ * may fire on the same entry (the report carries the list). The age
+ * filter — pattern.fresh_days — bounds the "recently disclosed" patterns;
+ * older entries already had attention.
+ *
+ * Output (JSON mode):
+ *   {
+ *     ok: true,
+ *     verb: "watchlist",
+ *     mode: "alerts",
+ *     generated_at: "...",
+ *     patterns_evaluated: 5,
+ *     entries_scanned: 39,
+ *     alerts: [
+ *       { cve_id, name, rwep_score, patterns: ["kernel_lpe_class", ...],
+ *         disclosed: "...", source_verified: "...", links: [...] }
+ *     ]
+ *   }
+ */
+function runWatchlistAlerts(rawArgs = []) {
+  const fs = require('fs');
+  const path = require('path');
+  const jsonOut = rawArgs.includes('--json');
+  const cvePath = path.join(__dirname, '..', 'data', 'cve-catalog.json');
+  let catalog;
+  try {
+    catalog = JSON.parse(fs.readFileSync(cvePath, 'utf8'));
+  } catch (err) {
+    console.error(`[watchlist --alerts] cannot read ${cvePath}: ${err.message}`);
+    safeExit(EXIT_CODES.GENERIC_FAILURE);
+    return;
+  }
+
+  // Pattern definitions. Each pattern is a predicate against a single
+  // catalog entry plus a label + severity. Patterns are intentionally
+  // narrow — false-positive flood would defeat the alert purpose.
+  const today = new Date();
+  function daysSince(iso) {
+    if (typeof iso !== 'string') return Infinity;
+    const t = Date.parse(iso + 'T00:00:00Z');
+    if (Number.isNaN(t)) return Infinity;
+    return Math.floor((today - t) / (24 * 60 * 60 * 1000));
+  }
+  const PATTERNS = [
+    {
+      id: 'kernel_lpe_with_poc',
+      severity: 'high',
+      description: 'Linux kernel LPE class with public PoC. The CVE-2026-46333 (ssh-keysign-pwn) / CVE-2026-46300 (Fragnesia) / CVE-2026-31431 (Copy Fail) shape.',
+      match: (e) =>
+        e && typeof e.vector === 'string' &&
+        /kernel|linux|ptrace|pidfd/i.test(`${e.name || ''} ${e.vector}`) &&
+        e.poc_available === true &&
+        (e.rwep_factors?.blast_radius || 0) >= 25,
+    },
+    {
+      id: 'supply_chain_family',
+      severity: 'high',
+      description: 'Malicious package or framework family (npm / PyPI registry-pivot). The MAL- entries + Shai-Hulud class.',
+      match: (e, id) =>
+        id.startsWith('MAL-') ||
+        (typeof e?.type === 'string' && /malicious|supply.chain|registry-pivot/i.test(e.type)),
+    },
+    {
+      id: 'ai_discovered_kev',
+      severity: 'high',
+      description: 'AI-discovered CVE that also appears on CISA KEV — the operational-reality intersection Hard Rule #7 calls out.',
+      match: (e) => e?.ai_discovered === true && e?.cisa_kev === true,
+    },
+    {
+      id: 'active_exploitation_unpatched',
+      severity: 'critical',
+      description: 'Confirmed in-the-wild exploitation AND no patch available. Defensive-posture-only window.',
+      match: (e) => e?.active_exploitation === 'confirmed' && e?.patch_available !== true,
+    },
+    {
+      id: 'recent_poc_no_kev_yet',
+      severity: 'medium',
+      description: 'CVE with public PoC verified within the last 14 days but not yet on KEV. The "exploitation expected; KEV catch-up pending" window.',
+      match: (e) =>
+        e?.poc_available === true &&
+        e?.cisa_kev !== true &&
+        daysSince(e?.source_verified) <= 14,
+      fresh_only: true,
+    },
+  ];
+
+  const alerts = [];
+  let scanned = 0;
+  for (const [id, entry] of Object.entries(catalog)) {
+    if (id === '_meta') continue;
+    if (!entry || typeof entry !== 'object') continue;
+    scanned++;
+    const matched = [];
+    for (const p of PATTERNS) {
+      try {
+        if (p.match(entry, id)) matched.push({ id: p.id, severity: p.severity });
+      } catch { /* defensive: pattern matcher must not throw on malformed entries */ }
+    }
+    if (matched.length === 0) continue;
+    alerts.push({
+      cve_id: id,
+      name: entry.name || null,
+      rwep_score: entry.rwep_score ?? null,
+      cisa_kev: entry.cisa_kev ?? null,
+      poc_available: entry.poc_available ?? null,
+      active_exploitation: entry.active_exploitation ?? null,
+      patch_available: entry.patch_available ?? null,
+      source_verified: entry.source_verified || null,
+      patterns: matched,
+      links: Array.isArray(entry.verification_sources) ? entry.verification_sources.slice(0, 3) : [],
+    });
+  }
+
+  // Sort: critical-severity matches first, then high, then medium; within
+  // each band, highest RWEP first; finally CVE-id ascending for stability.
+  const severityWeight = { critical: 0, high: 1, medium: 2, low: 3 };
+  alerts.sort((a, b) => {
+    const sa = Math.min(...a.patterns.map((p) => severityWeight[p.severity] ?? 9));
+    const sb = Math.min(...b.patterns.map((p) => severityWeight[p.severity] ?? 9));
+    if (sa !== sb) return sa - sb;
+    const ra = a.rwep_score ?? -1;
+    const rb = b.rwep_score ?? -1;
+    if (ra !== rb) return rb - ra;
+    return a.cve_id.localeCompare(b.cve_id);
+  });
+
+  if (jsonOut) {
+    process.stdout.write(JSON.stringify({
+      ok: true,
+      verb: 'watchlist',
+      mode: 'alerts',
+      generated_at: today.toISOString(),
+      patterns_evaluated: PATTERNS.length,
+      entries_scanned: scanned,
+      alert_count: alerts.length,
+      alerts,
+    }) + '\n');
+    return;
+  }
+
+  console.log(`\nCVE-class Alerts — ${today.toISOString()}`);
+  console.log(`Entries scanned: ${scanned}  patterns evaluated: ${PATTERNS.length}  alerts: ${alerts.length}\n`);
+  if (alerts.length === 0) {
+    console.log('No alert-pattern matches in current catalog.');
+    return;
+  }
+  for (const a of alerts) {
+    const labels = a.patterns.map((p) => `[${p.severity}] ${p.id}`).join(', ');
+    console.log(`${a.cve_id}  RWEP=${a.rwep_score ?? '?'}  KEV=${a.cisa_kev ? 'Y' : 'N'}  PoC=${a.poc_available ? 'Y' : 'N'}  patch=${a.patch_available ? 'Y' : 'N'}  active=${a.active_exploitation ?? '?'}`);
+    console.log(`  ${a.name || '(no name)'}`);
+    console.log(`  patterns: ${labels}`);
+    if (a.links.length > 0) console.log(`  ${a.links[0]}`);
+    console.log('');
+  }
+  console.log('Run with --json to consume programmatically.');
+}
+
 /**
  * Cache-first variant of validateAllCves. For each catalog CVE, reads the
  * NVD + EPSS payload from the prefetch cache (cacheDir/nvd/<id>.json +

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/exceptd-skills",
-  "version": "0.13.0",
+  "version": "0.13.1",
   "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 42 skills, 10 catalogs, 34 jurisdictions, pre-computed indexes, Ed25519-signed.",
   "keywords": [
     "ai-security",

package/sbom.cdx.json

@@ -1,22 +1,22 @@
 {
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:829585d1-91e2-45de-874d-d62fe48ec566",
+  "serialNumber": "urn:uuid:c9932465-eaaf-45d0-850b-1ac483acd405",
   "version": 1,
   "metadata": {
-    "timestamp": "2095-06-04T21:53:21.000Z",
+    "timestamp": "2133-03-02T22:32:05.000Z",
     "tools": [
       {
         "vendor": "blamejs",
         "name": "scripts/refresh-sbom.js",
-        "version": "0.13.0"
+        "version": "0.13.1"
       }
     ],
     "component": {
-      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.13.0",
+      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.13.1",
       "type": "application",
       "name": "@blamejs/exceptd-skills",
-      "version": "0.13.0",
+      "version": "0.13.1",
       "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 42 skills, 10 catalogs, 34 jurisdictions, pre-computed indexes, Ed25519-signed.",
       "licenses": [
         {
@@ -25,17 +25,17 @@
           }
         }
       ],
-      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.13.0",
+      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.13.1",
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "3ea4b95d46e8c9369f369fdadba342d8fc1638d8e43239e4ff3d11678cdd3587"
+          "content": "4b9469db507f7f20a000a34c40f90adbbc98c328f2fc7ddee22843732a024c09"
         }
       ],
       "externalReferences": [
         {
           "type": "distribution",
-          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.13.0"
+          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.13.1"
         },
         {
           "type": "vcs",
@@ -108,7 +108,7 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "c058721430ec2177c5e8ca4490ba848cef441e9476273cb17825292541c22909"
+          "content": "27fbbfa0da04040c626789c887d0ea570d865bcb9e99ea6ef3fd670c73a39b5b"
         }
       ]
     },
@@ -240,7 +240,7 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "1301e6d053be91ac41ec38e64c72ac726e478b7fd6482884c3e2219c8fa16173"
+          "content": "0ec427652a9e613f04675beb26dc4c08934ba291e47427972b2a008c151cca78"
         }
       ]
     },
@@ -251,7 +251,7 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "4afc226cc7359771a54aab1a1ff53c5530d1ef54eabc1d2fbd3b1caeda2f64a6"
+          "content": "0ca33f8b0cf55a43de1290e310096020c4e0d16305bd01bcbe6cb46e0278caa8"
         }
       ]
     },
@@ -262,7 +262,7 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "d4d2ecc24a0b010d5e83fea9850130278bea120ef130c99dcbb03eff64008f2d"
+          "content": "7fae34cf0abbd09abbbbd6a61ea06e487ddbd57060d3af6a58528c684156cf60"
         }
       ]
     },
@@ -273,7 +273,7 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "7a8e01c6f5538125b81ddb29f1b658f0fd407682bc2998aafc6b759e3b1afe48"
+          "content": "832d096bd52081fe43c082fd6958f9054d6b6e136df5b3d4cef7efd0ea49a843"
         }
       ]
     },
@@ -317,7 +317,7 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "2c37446ad38270ebe51c0eaf340b26f19367c4eae47886d6310f16a4185354bf"
+          "content": "5e2baf1e435c5b61b183e3f603636eae4fab34ee800488919c679665882c4f62"
         }
       ]
     },
@@ -570,7 +570,7 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "27d46a0e09a3edbe97dfbb070c3991348567cf93c86a3e94c767c5ad2dfb653e"
+          "content": "40d666d0932da24b425b01ced0f9c9e5f2e6cfd2082f53861d982919dde56a4a"
         }
       ]
     },
@@ -724,7 +724,7 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "46bd5c0efe40e5c2bfc95df9df69dc53cf7f10e6537dd575821a5e39ac59dcab"
+          "content": "3624e86150e85a33cb79d62193091fc1409085c3600f222dd65b2aa09ef728a8"
         }
       ]
     },
@@ -805,6 +805,17 @@
         }
       ]
     },
+    {
+      "bom-ref": "file:lib/source-advisories.js",
+      "type": "file",
+      "name": "lib/source-advisories.js",
+      "hashes": [
+        {
+          "alg": "SHA-256",
+          "content": "678cce9841ee92128e777cc0f355e020bd69c37cbd637be91479858e6a4958fd"
+        }
+      ]
+    },
     {
       "bom-ref": "file:lib/source-ghsa.js",
       "type": "file",
@@ -977,7 +988,7 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "e4db72d2b307adb316fad1af15322392587c50c4de5b7592c015b93631f6f26b"
+          "content": "4535de4e48530ccb3c5d97402ae9dcf45f0336b838bddb8ab081c6df9632014a"
         }
       ]
     },
@@ -1021,7 +1032,7 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "0803533bc88268e1aa43dc612f13c8a1f280fb08e4b8dc95d1dd8a57bcf7a3d5"
+          "content": "7c7378f69024b1abb11d2f17978f9023b262ac6a67a82c2eb31d4996c2caee28"
         }
       ]
     },