@blamejs/exceptd-skills 0.13.0 → 0.13.2

package/lib/lint-skills.js

@@ -52,6 +52,7 @@ const CWE_REFS_PATH = path.join(DATA_DIR, 'cwe-catalog.json');
 const D3FEND_REFS_PATH = path.join(DATA_DIR, 'd3fend-catalog.json');
 const DLP_REFS_PATH = path.join(DATA_DIR, 'dlp-controls.json');
 const ATTACK_REFS_PATH = path.join(DATA_DIR, 'attack-techniques.json');
+const CVE_CATALOG_PATH = path.join(DATA_DIR, 'cve-catalog.json');
 
 const REQUIRED_FRONTMATTER_FIELDS = [
   'name',
@@ -65,7 +66,13 @@ const REQUIRED_FRONTMATTER_FIELDS = [
   'last_threat_review',
 ];
 
-const OPTIONAL_FRONTMATTER_FIELDS = ['forward_watch', 'rfc_refs', 'cwe_refs', 'd3fend_refs', 'dlp_refs'];
+// v0.13.2: `discovery_mode` documents how the skill is reached by operators.
+// Default (omitted) means the skill is referenced by at least one playbook's
+// direct.skill_chain. `standalone` means the skill is reached via
+// `exceptd brief <name>` or `exceptd ask` routing and is NOT chained — this
+// closes the v0.12 audit gap that 16 skills had no playbook chain pointing
+// at them. Operator intent now explicit; not a sign of orphan-skill drift.
+const OPTIONAL_FRONTMATTER_FIELDS = ['forward_watch', 'rfc_refs', 'cwe_refs', 'd3fend_refs', 'dlp_refs', 'discovery_mode'];
 
 const ALL_KNOWN_FIELDS = new Set([
   ...REQUIRED_FRONTMATTER_FIELDS,
@@ -566,6 +573,39 @@ function lintSkill(entry, ctx) {
     }
   }
 
+  // v0.13.2 — Hard Rule #1 enforcement at the skill-body layer. Every
+  // CVE-* / MAL-* mentioned in skill prose SHOULD resolve to an entry
+  // in data/cve-catalog.json. Hard Rule #1 ("no stale threat intel")
+  // is enforced for catalog ENTRIES by lib/validate-cve-catalog.js —
+  // but a skill body that cites a CVE not in the catalog is the
+  // stale-intel surface Hard Rule #1 calls out at the prose layer.
+  //
+  // v0.13.2 ships these as WARNINGS so the forcing function lands
+  // without breaking existing skill content (2 pre-existing violations:
+  // ransomware-response cites CVE-2024-21762, cloud-iam-incident cites
+  // CVE-2026-21370). v0.14.0 will flip body-cites-unknown-CVE to a
+  // hard error once those two have been triaged.
+  if (ctx.cveCatalog && body && typeof body === 'string') {
+    const cveRefRe = /\b(CVE-(?:19|20)\d{2}-\d{4,7}|MAL-\d{4}-[A-Z0-9-]+)\b/g;
+    const seen = new Set();
+    let m;
+    while ((m = cveRefRe.exec(body)) !== null) {
+      const id = m[1];
+      if (seen.has(id)) continue;
+      seen.add(id);
+      const entry = ctx.cveCatalog[id];
+      if (!entry) {
+        skillWarnings.push(
+          `body cites "${id}" but no such entry in data/cve-catalog.json (Hard Rule #1 — no stale threat intel; will hard-fail in v0.14.0)`,
+        );
+      } else if (entry._draft === true) {
+        skillWarnings.push(
+          `body cites "${id}" which is _draft:true in data/cve-catalog.json — promote to verified before next release or remove from body (Hard Rule #1)`,
+        );
+      }
+    }
+  }
+
   // L3 — Defensive Countermeasure Mapping is required for skills reviewed
   // on or after COUNTERMEASURE_CUTOFF. Pre-cutoff skills are exempt. The
   // section's absence on a post-cutoff skill is a WARNING in v0.12.12 so
@@ -631,6 +671,14 @@ function loadContext() {
     const j = readJson(ATTACK_REFS_PATH);
     for (const k of Object.keys(j)) if (!k.startsWith('_')) attackKeys.add(k);
   }
+  // v0.13.2: load the CVE catalog into context so the Hard Rule #1
+  // body-scan can resolve CVE-* / MAL-* references in skill prose
+  // against the source-of-truth catalog. Loaded as a full object (not
+  // just keys) so the body-scan can also surface `_draft: true` matches
+  // as warnings rather than errors — operators promote drafts on their
+  // own cadence.
+  const cveCatalog = fs.existsSync(CVE_CATALOG_PATH) ? readJson(CVE_CATALOG_PATH) : {};
+
   return {
     atlasKeys,
     frameworkKeys,
@@ -639,6 +687,7 @@ function loadContext() {
     d3fendKeys: loadKeys(D3FEND_REFS_PATH),
     dlpKeys: loadKeys(DLP_REFS_PATH),
     attackKeys,
+    cveCatalog,
   };
 }
 

package/lib/refresh-external.js

@@ -637,6 +637,12 @@ const OSV_SOURCE = {
   },
 };
 
+// v0.13.1: ADVISORIES_SOURCE polls Qualys TRU + RHSA + USN + ZDI primary
+// feeds and surfaces CVE IDs not yet in the catalog. Report-only — no
+// auto-catalog mutation. Closes the post-mortem gap on CVE-2026-46333
+// (ssh-keysign-pwn) where the existing NVD-based pollers lagged by 3+ days.
+const { ADVISORIES_SOURCE } = require('./source-advisories');
+
 const ALL_SOURCES = {
   kev: KEV_SOURCE,
   epss: EPSS_SOURCE,
@@ -645,6 +651,7 @@ const ALL_SOURCES = {
   pins: PINS_SOURCE,
   ghsa: GHSA_SOURCE,
   osv: OSV_SOURCE,
+  advisories: ADVISORIES_SOURCE,
 };
 
 // --- Cache-mode helpers ------------------------------------------------

package/lib/source-advisories.js

@@ -0,0 +1,281 @@
+'use strict';
+
+/**
+ * lib/source-advisories.js — primary-source advisory-feed polling.
+ *
+ * Why this exists. The post-mortem on CVE-2026-46333 (ssh-keysign-pwn,
+ * disclosed 2026-05-14, missed by the toolkit at T+0 through T+3) found
+ * that the existing source set (kev, epss, nvd, rfc, pins, ghsa, osv)
+ * sits at the END of the disclosure pipeline. Qualys → kernel.org commit
+ * → distro advisory → NVD enrichment is sequential; the existing pollers
+ * only see the last step, which lags by 3-14 days.
+ *
+ * The 4 feeds below sit much earlier in the pipeline:
+ *
+ *   Qualys TRU RSS    — Qualys-disclosed CVEs at T+0 (the originator of
+ *                       the ssh-keysign-pwn class of disclosure)
+ *   Red Hat RHSA RSS  — RHEL security advisories at T+1, often before NVD
+ *   Ubuntu USN RSS    — Ubuntu security notices at T+1, often before NVD
+ *   ZDI advisories    — Zero Day Initiative + Pwn2Own disclosures at T+0
+ *
+ * Behaviour. Each call returns a structured REPORT — not a catalog mutation.
+ * Operators consume the report via `exceptd refresh --check-advisories` and
+ * decide which advisories warrant a `refresh --advisory <CVE-ID>` auto-import
+ * to seed a draft entry. The report is informational; nothing is auto-written
+ * to the catalog. This is the conservative-by-default contract: primary-source
+ * surfacing must not silently mutate the catalog without operator triage.
+ *
+ * Output shape:
+ *   {
+ *     status: 'ok' | 'partial' | 'unreachable',
+ *     diffs: [
+ *       { id: 'CVE-2026-46333', source: 'qualys', advisory_url: '...',
+ *         disclosed_at: '2026-05-14', title: '...', in_catalog: false }
+ *     ],
+ *     summary: '4/4 feeds reachable; 3 new CVE references found'
+ *   }
+ *
+ * Each diff is read-only — there is no `applyDiff` that writes the catalog.
+ * That's by design: a fresh advisory from a primary source has insufficient
+ * fields to satisfy Hard Rule #1 (CVSS / KEV / PoC / AI-discovery /
+ * active-exploitation / patch-availability). The operator routes the
+ * promising ones through `refresh --advisory <CVE-ID>` which goes through
+ * the existing GHSA / OSV / NVD enrichment path (those pollers are mature).
+ *
+ * Cache mode (--from-cache <dir>): expected cache layout is
+ *   <dir>/advisories/<feed>.xml — caller passes `ctx.cacheDir`.
+ * Fixture mode: `ctx.fixtures.advisories = { qualys: '<xml>', ... }`.
+ */
+
+const path = require('path');
+const fs = require('fs');
+
+const TODAY = new Date().toISOString().slice(0, 10);
+
+// Feed registry. Each entry has a kind (rss | json), a URL, and a parser.
+// Parsers return [{ cve_ids: [...], title, link, published }, ...].
+const FEEDS = [
+  {
+    name: 'qualys',
+    url: 'https://blog.qualys.com/category/vulnerability-research/feed',
+    kind: 'rss',
+    description: 'Qualys Threat Research Unit blog — originator of high-impact disclosures (ssh-keysign-pwn class)',
+  },
+  {
+    name: 'rhsa',
+    url: 'https://access.redhat.com/security/data/csaf/v2/advisories/2026/index.txt',
+    kind: 'csaf-index',
+    description: 'Red Hat CSAF v2 advisory index — RHEL security advisories with NVD-class enrichment at T+1',
+  },
+  {
+    name: 'usn',
+    url: 'https://ubuntu.com/security/notices/rss.xml',
+    kind: 'rss',
+    description: 'Ubuntu USN RSS — Ubuntu security notices, typically published 1-2 days post-disclosure',
+  },
+  {
+    name: 'zdi',
+    url: 'https://www.zerodayinitiative.com/rss/published/',
+    kind: 'rss',
+    description: 'Zero Day Initiative — vendor-acknowledged advisories from ZDI + Pwn2Own pipeline',
+  },
+];
+
+// Permissive CVE-ID matcher. The official format is CVE-YYYY-NNNN+ but
+// some feeds embed CVEs in arbitrary surrounding markup AND occasionally
+// emit lowercase "cve-yyyy-nnnn" in URLs or filenames. Case-insensitive
+// match, then uppercase + dedupe in extractCveIds().
+const CVE_RE = /CVE-(?:19|20)\d{2}-\d{4,7}/gi;
+
+/**
+ * Extract CVE IDs from a string blob. De-duplicates within the blob.
+ */
+function extractCveIds(text) {
+  if (typeof text !== 'string' || text.length === 0) return [];
+  const matches = text.match(CVE_RE);
+  if (!matches) return [];
+  return [...new Set(matches.map((s) => s.toUpperCase()))];
+}
+
+/**
+ * Lightweight RSS / Atom parser. Avoids pulling in a dependency for what
+ * is effectively `<item>` / `<entry>` extraction + `<title>` / `<link>` /
+ * `<pubDate>` / `<published>` / `<description>` / `<content>` text grabs.
+ *
+ * Returns [{ title, link, published, body }, ...].
+ */
+function parseRssAtom(xml) {
+  if (typeof xml !== 'string') return [];
+  const items = [];
+  // Try Atom <entry>...</entry> first.
+  const atomEntryRe = /<entry\b[\s\S]*?<\/entry>/g;
+  const rssItemRe = /<item\b[\s\S]*?<\/item>/g;
+  const blocks = (xml.match(atomEntryRe) || xml.match(rssItemRe) || []);
+  for (const block of blocks) {
+    const title = matchInner(block, 'title') || '';
+    const link = matchInner(block, 'link') || matchAttr(block, 'link', 'href') || '';
+    const published = matchInner(block, 'pubDate') || matchInner(block, 'published') || matchInner(block, 'updated') || '';
+    const description = matchInner(block, 'description') || matchInner(block, 'content') || matchInner(block, 'summary') || '';
+    items.push({ title: stripCdata(title), link: stripCdata(link), published: stripCdata(published), body: stripCdata(description) });
+  }
+  return items;
+}
+
+function matchInner(block, tag) {
+  const re = new RegExp(`<${tag}[^>]*>([\\s\\S]*?)<\\/${tag}>`, 'i');
+  const m = block.match(re);
+  return m ? m[1].trim() : null;
+}
+
+function matchAttr(block, tag, attr) {
+  const re = new RegExp(`<${tag}[^>]*\\b${attr}=["']([^"']+)["']`, 'i');
+  const m = block.match(re);
+  return m ? m[1] : null;
+}
+
+function stripCdata(s) {
+  if (typeof s !== 'string') return '';
+  return s.replace(/<!\[CDATA\[([\s\S]*?)\]\]>/g, '$1').replace(/<[^>]+>/g, ' ').replace(/\s+/g, ' ').trim();
+}
+
+/**
+ * CSAF index parser — Red Hat ships a plain-text index of advisory JSON
+ * files under data/csaf/v2/advisories/YYYY/index.txt. Each line is a
+ * relative filename. We don't fetch the per-advisory JSON in v0.13.1
+ * (would blow the polling budget); we surface the advisory IDs that
+ * mention CVE-YYYY-NNNN inline.
+ */
+function parseCsafIndex(text) {
+  if (typeof text !== 'string') return [];
+  const lines = text.split(/\r?\n/).filter((l) => l.trim().length > 0);
+  return lines.map((line) => {
+    const cves = extractCveIds(line);
+    return { title: line.trim(), link: '', published: '', body: '', cves_from_filename: cves };
+  });
+}
+
+/**
+ * Fetch a feed body. In fixture / cache modes, read from disk.
+ */
+async function fetchFeed(feed, ctx) {
+  if (ctx.fixtures && ctx.fixtures.advisories && ctx.fixtures.advisories[feed.name]) {
+    return { ok: true, body: ctx.fixtures.advisories[feed.name] };
+  }
+  if (ctx.cacheDir) {
+    const ext = feed.kind === 'csaf-index' ? '.txt' : '.xml';
+    const p = path.join(ctx.cacheDir, 'advisories', `${feed.name}${ext}`);
+    if (!fs.existsSync(p)) return { ok: false, error: `cache miss: ${p}` };
+    return { ok: true, body: fs.readFileSync(p, 'utf8') };
+  }
+  if (typeof fetch !== 'function') return { ok: false, error: 'fetch() not available — Node 18+ required' };
+  try {
+    const ac = new AbortController();
+    const timer = setTimeout(() => ac.abort(), 8000);
+    const r = await fetch(feed.url, { signal: ac.signal, headers: { 'User-Agent': 'exceptd-advisories-poller/0.13.1 (+https://exceptd.com)' } });
+    clearTimeout(timer);
+    if (!r.ok) return { ok: false, error: `HTTP ${r.status}` };
+    return { ok: true, body: await r.text() };
+  } catch (e) {
+    return { ok: false, error: e.message || String(e) };
+  }
+}
+
+/**
+ * Walk one feed: fetch, parse, extract CVE IDs, compare to local catalog.
+ * Returns { diffs, errors, status }.
+ */
+async function checkFeed(feed, ctx) {
+  const res = await fetchFeed(feed, ctx);
+  if (!res.ok) return { diffs: [], errors: 1, status: 'unreachable', _why: res.error };
+  let items;
+  if (feed.kind === 'csaf-index') {
+    items = parseCsafIndex(res.body);
+    // Flatten cves_from_filename onto cve_ids field uniformly.
+    items = items.map((it) => ({ ...it, cve_ids: it.cves_from_filename || [] }));
+  } else {
+    items = parseRssAtom(res.body);
+    items = items.map((it) => ({ ...it, cve_ids: extractCveIds(`${it.title} ${it.body} ${it.link}`) }));
+  }
+  const diffs = [];
+  for (const it of items) {
+    for (const cveId of it.cve_ids) {
+      const inCatalog = !!ctx.cveCatalog[cveId];
+      if (!inCatalog) {
+        diffs.push({
+          id: cveId,
+          source: feed.name,
+          advisory_url: it.link || feed.url,
+          disclosed_at: it.published || null,
+          title: it.title.slice(0, 200),
+          in_catalog: false,
+        });
+      }
+    }
+  }
+  return { diffs, errors: 0, status: 'ok' };
+}
+
+/**
+ * The exported SOURCE definition, matching the shape ALL_SOURCES expects.
+ */
+const ADVISORIES_SOURCE = {
+  name: 'advisories',
+  description: 'Primary-source advisory feeds (Qualys TRU, Red Hat RHSA, Ubuntu USN, Zero Day Initiative / ZDI) — surfaces CVE IDs disclosed at T+0 to T+1 that lag NVD enrichment. Report-only — does not auto-write the catalog.',
+  applies_to: 'data/cve-catalog.json',
+  async fetchDiff(ctx) {
+    const results = await Promise.all(FEEDS.map((feed) => checkFeed(feed, ctx)));
+    const allDiffs = [];
+    let unreachable = 0;
+    for (const r of results) {
+      allDiffs.push(...r.diffs);
+      if (r.status === 'unreachable') unreachable++;
+    }
+    // Deduplicate by CVE-ID across feeds — multiple advisories for the
+    // same CVE collapse to one entry with sources[] array of contributing
+    // feed names.
+    const byCve = new Map();
+    for (const d of allDiffs) {
+      if (!byCve.has(d.id)) {
+        byCve.set(d.id, { ...d, sources: [d.source], advisory_urls: [d.advisory_url] });
+      } else {
+        const existing = byCve.get(d.id);
+        if (!existing.sources.includes(d.source)) existing.sources.push(d.source);
+        if (!existing.advisory_urls.includes(d.advisory_url)) existing.advisory_urls.push(d.advisory_url);
+      }
+    }
+    const diffs = Array.from(byCve.values()).map((d) => {
+      delete d.source;
+      delete d.advisory_url;
+      return d;
+    });
+    const status =
+      unreachable === 0 ? 'ok' :
+      unreachable === FEEDS.length ? 'unreachable' : 'partial';
+    return {
+      status,
+      diffs,
+      errors: unreachable,
+      summary: `${FEEDS.length - unreachable}/${FEEDS.length} feeds reachable; ${diffs.length} new CVE references found across primary advisory sources`,
+    };
+  },
+  // Report-only: no applyDiff. Operators route promising CVE IDs through
+  // `exceptd refresh --advisory <CVE-ID>` (GHSA / OSV / NVD enrichment).
+  applyDiff(_ctx, _diffs) {
+    return {
+      updated: 0,
+      added: 0,
+      drift_updated: 0,
+      errors: [],
+      note: 'ADVISORIES_SOURCE is report-only. Route promising IDs through `exceptd refresh --advisory <CVE-ID>` to auto-import a draft via the GHSA / OSV / NVD enrichment pipeline.',
+    };
+  },
+};
+
+module.exports = {
+  ADVISORIES_SOURCE,
+  // Exposed for tests + future schedule-agent reuse:
+  FEEDS,
+  extractCveIds,
+  parseRssAtom,
+  parseCsafIndex,
+};