npm - @blamejs/exceptd-skills - Versions diffs - 0.13.117 → 0.13.118 - Mend

@blamejs/exceptd-skills 0.13.117 → 0.13.118

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/AGENTS.md CHANGED Viewed

@@ -170,7 +170,7 @@ Cross-cutting playbook `framework` is the natural correlation layer — many pla
 | `exceptd attest show <sid>` | Print the attestation body. |
 | `exceptd doctor` | Health checks. `--signatures` verifies Ed25519 chains; `--cves` / `--rfcs` check catalog currency; `--fix` repairs recoverable state; `--ai-config` audits AI-assistant config-file permissions (`~/.claude`, `~/.cursor`, `~/.codeium`, `~/.aider`, `~/.continue`) and flags sensitive files not at mode `0o600` on POSIX (NEW-CTRL-050). |
 | `exceptd lint` | Skill format lint — frontmatter completeness, required body sections, signature presence. |
-| `exceptd refresh --check-advisories` | Poll 15 primary-source advisory feeds — 8 advisory/coordinated-disclosure venues (Qualys TRU, Red Hat RHSA, Ubuntu USN, ZDI, kernel.org commits, oss-security mailing list, JFrog SecOps, CISA current advisories), 4 vendor security research blogs (Microsoft Security Blog, Sysdig, Trail of Bits, Embrace the Red — added in v0.13.14 after DirtyDecrypt fell through the advisory-only set), and 3 sources added in v0.13.17 (BleepingComputer security, The Hacker News, Nightmare-Eclipse GitHub public-events tracker — closes the researcher-GitHub-drop class anchored by MiniPlasma / YellowKey / GreenPlasma / UnDefend, NEW-CTRL-073). Pairs with `lib/cve-regression-watcher.js` (NEW-CTRL-074) which cross-checks poller diffs for historical-CVE references that may indicate silent vendor regression — the class anchored by MiniPlasma re-breaking CVE-2020-17103. Report-only; emits structured `diffs[]` without mutating the catalog. Route promising IDs through `refresh --advisory <CVE-ID> --apply` to enrich. |
+| `exceptd refresh --check-advisories` | Poll 15 primary-source advisory feeds — 8 advisory/coordinated-disclosure venues (Qualys TRU, Red Hat RHSA, Ubuntu USN, ZDI, kernel.org commits, oss-security mailing list, JFrog SecOps, CISA current advisories), 4 vendor security research blogs (Microsoft Security Blog, Sysdig, Trail of Bits, Embrace the Red — added in v0.13.14 after DirtyDecrypt fell through the advisory-only set), and 3 sources added in v0.13.17 (BleepingComputer security, The Hacker News, Nightmare-Eclipse GitLab activity-feed tracker, migrated from GitHub after the account was removed — closes the researcher-drop class anchored by MiniPlasma / YellowKey / GreenPlasma / UnDefend, NEW-CTRL-073). Pairs with `lib/cve-regression-watcher.js` (NEW-CTRL-074) which cross-checks poller diffs for historical-CVE references that may indicate silent vendor regression — the class anchored by MiniPlasma re-breaking CVE-2020-17103. Report-only; emits structured `diffs[]` without mutating the catalog. Route promising IDs through `refresh --advisory <CVE-ID> --apply` to enrich. |
 | `exceptd watchlist` | Default: aggregate every skill's `forward_watch` entries. `--by-skill` inverts grouping. `--alerts` switches to CVE-catalog pattern alerts (5 patterns: `kernel_lpe_with_poc`, `supply_chain_family`, `ai_discovered_kev`, `active_exploitation_unpatched`, `recent_poc_no_kev_yet`); sorts critical-first, then by RWEP. `--org-scan --org <login>` probes GitHub Search for repos matching threat-actor naming patterns ("A Gift From TeamPCP", "Shai-Hulud", "TeamPCP"); custom patterns via repeatable `--pattern <s>`; set `GITHUB_TOKEN` for private-repo + rate-limit headroom (NEW-CTRL-052). |
 All verbs support `--help` for per-verb usage. JSON output by default; `--pretty` for indented.

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,11 @@
 # Changelog
+## 0.13.118 — 2026-05-26
+The researcher-handle tracker behind `refresh --check-advisories` (NEW-CTRL-073) now follows the Nightmare-Eclipse handle on its GitLab public-activity Atom feed instead of the GitHub events API — the handle's GitHub account was removed. The feed count is unchanged and the diff shape is identical: GitLab tag pushes and newly created public projects surface as `researcher-handle-drop` diffs exactly as the GitHub events did, carrying the same `researcher_handle` field. The NEW-CTRL-073 control text is now platform-agnostic (GitHub events or a GitLab activity feed).
+`exceptd --help` is clearer. A Quick start block at the top shows the three commands most workflows begin with — `discover` to see what applies, `brief` to read what a playbook checks, `run` to investigate — plus the plain-language `ask` entry point for when you don't know which playbook fits. The legacy-verb section now separates the five removed verbs (`plan`, `govern`, `direct`, `look`, `ingest` — which error with a pointer to their replacement) from the deprecated aliases that still work, so the help no longer implies a removed verb is available.
 ## 0.13.117 — 2026-05-26
 CVE catalog — RAGFlow RAG-engine. Adds two flaws in RAGFlow (infiniflow/ragflow), a widely deployed open-source Retrieval-Augmented-Generation engine. **CVE-2024-12450** (NVD CVSS 9.8 CRITICAL; huntr CNA 6.5) — the `web_crawl` function does not filter the supplied URL, yielding full-read SSRF against internal addresses, arbitrary local file read via `file://`, and potential remote code execution through an outdated headless Chromium run with the sandbox disabled; fixed in 0.14.0. Reuses the AI-data-pipeline import SSRF control (NEW-CTRL-105) shared with the Dify `RemoteFileUploadApi` and Label Studio data-pipeline SSRFs. **CVE-2025-69286** (GitHub CNA CVSS v4.0 8.9; NVD v3.1 9.8) — the API key and the assistant/agent share token are generated with the same serializer keyed by the tenant id over a timestamp-based UUIDv1, so the two tokens are mutually derivable; an attacker who obtains a shared assistant/agent link derives the owner's personal API key and takes full control of the account (CWE-340); fixed in 0.22.0. Introduces NEW-CTRL-109: an AI app's API keys and share tokens must be generated from a CSPRNG with an unpredictable per-install secret — never derivable from a tenant id, a timestamp, or another token. Adds CWE-340 (Generation of Predictable Numbers or Identifiers) to the CWE catalog. CVE count 406 → 408.

package/README.md CHANGED Viewed

@@ -30,7 +30,7 @@ This platform surfaces what is actually happening right now. Every skill explici
 ## Status
-Pre-1.0. Latest release lives on [GitHub Releases](https://github.com/blamejs/exceptd-skills/releases) and on npm as [`@blamejs/exceptd-skills`](https://www.npmjs.com/package/@blamejs/exceptd-skills) with signed npm provenance attestation and Ed25519-signed skill bodies. The package ships 42 skills across kernel LPE, MCP supply chain, AI-as-C2, prompt injection, post-quantum crypto, SBOM integrity, identity-incident response, and 35 other AI/security domains, plus 10 intelligence catalogs (CVE / ATLAS / ATT&CK / CWE / D3FEND / DLP / RFC / framework gaps / global frameworks / zero-day lessons) covering 35 jurisdictions — the CVE catalog has grown past 400 entries, its size anchored by a v0.13.17 CISA KEV bulk-intake of `dateAdded >= 2024-01-01` actively-exploited vulnerabilities that took it from 68 to 312 in a single pass. 23 investigation playbooks (kernel, MCP, AI-API, framework, SBOM, runtime, hardening, secrets, cred-stores, containers, crypto, plus `webhook-callback-abuse`, `cicd-pipeline-compromise`, `identity-sso-compromise`, `llm-tool-use-exfil`, `post-quantum-migration`, `ai-discovered-cve-triage`, `supply-chain-recovery`, and more), a CLI for discovery and seven-phase investigation runs (`govern → direct → look → detect → analyze → validate → close`), and a nightly auto-refresh job that pulls KEV / NVD / EPSS / GHSA / OSV / IETF deltas plus 15 primary-source advisory + research-blog + tech-press feeds (Qualys TRU, Red Hat RHSA, Ubuntu USN, ZDI, kernel.org, oss-security, JFrog, CISA, Microsoft Security Blog, Sysdig, Trail of Bits, Embrace the Red, BleepingComputer security, The Hacker News, and a GitHub public-events tracker for the Nightmare-Eclipse researcher handle that anchors NEW-CTRL-073) into auto-PRs for editorial review. v0.13.17 also ships `lib/cve-regression-watcher.js` (NEW-CTRL-074) — a complementary detection method that surfaces poller-diff historical-CVE references as candidate silent-regression cases, the class anchored by MiniPlasma (a 2026 PoC drop that re-broke CVE-2020-17103 without any new ID being assigned).
+Pre-1.0. Latest release lives on [GitHub Releases](https://github.com/blamejs/exceptd-skills/releases) and on npm as [`@blamejs/exceptd-skills`](https://www.npmjs.com/package/@blamejs/exceptd-skills) with signed npm provenance attestation and Ed25519-signed skill bodies. The package ships 42 skills across kernel LPE, MCP supply chain, AI-as-C2, prompt injection, post-quantum crypto, SBOM integrity, identity-incident response, and 35 other AI/security domains, plus 10 intelligence catalogs (CVE / ATLAS / ATT&CK / CWE / D3FEND / DLP / RFC / framework gaps / global frameworks / zero-day lessons) covering 35 jurisdictions — the CVE catalog has grown past 400 entries, its size anchored by a v0.13.17 CISA KEV bulk-intake of `dateAdded >= 2024-01-01` actively-exploited vulnerabilities that took it from 68 to 312 in a single pass. 23 investigation playbooks (kernel, MCP, AI-API, framework, SBOM, runtime, hardening, secrets, cred-stores, containers, crypto, plus `webhook-callback-abuse`, `cicd-pipeline-compromise`, `identity-sso-compromise`, `llm-tool-use-exfil`, `post-quantum-migration`, `ai-discovered-cve-triage`, `supply-chain-recovery`, and more), a CLI for discovery and seven-phase investigation runs (`govern → direct → look → detect → analyze → validate → close`), and a nightly auto-refresh job that pulls KEV / NVD / EPSS / GHSA / OSV / IETF deltas plus 15 primary-source advisory + research-blog + tech-press feeds (Qualys TRU, Red Hat RHSA, Ubuntu USN, ZDI, kernel.org, oss-security, JFrog, CISA, Microsoft Security Blog, Sysdig, Trail of Bits, Embrace the Red, BleepingComputer security, The Hacker News, and a GitLab activity-feed tracker for the Nightmare-Eclipse researcher handle that anchors NEW-CTRL-073) into auto-PRs for editorial review. v0.13.17 also ships `lib/cve-regression-watcher.js` (NEW-CTRL-074) — a complementary detection method that surfaces poller-diff historical-CVE references as candidate silent-regression cases, the class anchored by MiniPlasma (a 2026 PoC drop that re-broke CVE-2020-17103 without any new ID being assigned).
 ---
@@ -154,7 +154,7 @@ Air-gapped operation: run `exceptd refresh --prefetch` on a connected host, copy
 Fresh-disclosure workflow (v0.12.0): the nightly auto-PR job pulls KEV / NVD / EPSS / IETF / **GHSA** (added in v0.12.0) / **OSV** (added in v0.12.10). KEV typically takes days; NVD ~10 days; GHSA fires within hours of disclosure and covers npm + PyPI + Maven + Go + NuGet + …; OSV aggregates the OSSF Malicious Packages dataset (`MAL-*` keys) + Snyk + RustSec + Mageia + Ubuntu USN + Go Vuln DB + PYSEC + UVI on top of GHSA — useful for malicious-package compromises that don't have CVEs yet (`exceptd refresh --advisory MAL-2026-3083`). New IDs land as drafts (`_auto_imported: true`, `_draft: true`) that the catalog validator treats as warnings, not errors — operators get the fresh entry immediately, editorial review (framework gaps, IoCs, ATLAS/ATT&CK refs) follows via `exceptd refresh --curate <ID>`. For "I want this advisory today, not tomorrow": `exceptd refresh --advisory <CVE-or-GHSA-or-MAL-or-SNYK-or-RUSTSEC-ID> --apply`.
-Primary-source advisory polling: `exceptd refresh --check-advisories` polls 15 vendor and coordinated-disclosure feeds — 8 advisory/coordinated-disclosure venues (Qualys TRU, Red Hat RHSA, Ubuntu USN, Zero Day Initiative, kernel.org commits, oss-security mailing list, JFrog SecOps, CISA current advisories), 4 vendor security research blogs added in v0.13.14 (Microsoft Security Blog, Sysdig, Trail of Bits, Embrace the Red), and 3 additions in v0.13.17 (BleepingComputer security, The Hacker News, and a GitHub public-events tracker for the Nightmare-Eclipse researcher handle that anchors NEW-CTRL-073). Combined coverage publishes CVE IDs at T+0 to T+1 — typically 3–14 days ahead of NVD enrichment. The command is report-only: it returns a structured `diffs[]` listing each newly-seen CVE ID with its source attributions and advisory URLs, but does not mutate the catalog. v0.13.17 also adds a complementary detection method (NEW-CTRL-074 / `lib/cve-regression-watcher.js`): the watcher cross-checks poller diffs for historical-CVE references (year ≤ currentYear − 2) and surfaces candidate silent-regression cases — the class anchored by MiniPlasma (a 2026 PoC drop that re-broke CVE-2020-17103 without any new ID being assigned). Operators triage the output and route promising IDs through `exceptd refresh --advisory <CVE-ID> --apply`. Pairs naturally with the daily scheduled remote agent below.
+Primary-source advisory polling: `exceptd refresh --check-advisories` polls 15 vendor and coordinated-disclosure feeds — 8 advisory/coordinated-disclosure venues (Qualys TRU, Red Hat RHSA, Ubuntu USN, Zero Day Initiative, kernel.org commits, oss-security mailing list, JFrog SecOps, CISA current advisories), 4 vendor security research blogs added in v0.13.14 (Microsoft Security Blog, Sysdig, Trail of Bits, Embrace the Red), and 3 additions in v0.13.17 (BleepingComputer security, The Hacker News, and a GitLab activity-feed tracker for the Nightmare-Eclipse researcher handle that anchors NEW-CTRL-073). Combined coverage publishes CVE IDs at T+0 to T+1 — typically 3–14 days ahead of NVD enrichment. The command is report-only: it returns a structured `diffs[]` listing each newly-seen CVE ID with its source attributions and advisory URLs, but does not mutate the catalog. v0.13.17 also adds a complementary detection method (NEW-CTRL-074 / `lib/cve-regression-watcher.js`): the watcher cross-checks poller diffs for historical-CVE references (year ≤ currentYear − 2) and surfaces candidate silent-regression cases — the class anchored by MiniPlasma (a 2026 PoC drop that re-broke CVE-2020-17103 without any new ID being assigned). Operators triage the output and route promising IDs through `exceptd refresh --advisory <CVE-ID> --apply`. Pairs naturally with the daily scheduled remote agent below.
 CVE-class alert surfacing: `exceptd watchlist --alerts` matches the live `cve-catalog.json` against five operational patterns (`kernel_lpe_with_poc`, `supply_chain_family`, `ai_discovered_kev`, `active_exploitation_unpatched`, `recent_poc_no_kev_yet`) and returns the matches sorted critical-severity-first, then by RWEP. Use as a fast operational triage on a refreshed catalog without scanning every entry by hand.

package/bin/exceptd.js CHANGED Viewed

@@ -354,6 +354,19 @@ function printHelp() {
 Usage: exceptd <command> [args]
        npx @blamejs/exceptd-skills <command> [args]
+Quick start
+───────────
+  New here? These three cover most workflows:
+    exceptd discover            Scan this directory; list the playbooks that apply.
+    exceptd brief <playbook>    What a playbook checks — threat context + indicators.
+    exceptd run <playbook>      Investigate it (add --ci for a pass/fail exit gate).
+  Not sure which playbook fits? Describe the problem in plain language:
+    exceptd ask "someone may have tampered with our npm packages"
 Canonical verbs
 ───────────────
@@ -448,18 +461,25 @@ Canonical verbs
                              Sources: kev|epss|nvd|rfc|pins|ghsa (v0.12.0).
                                                     ghsa drafts pass validator as warnings.
-v0.10.x compatibility (will be removed in v0.13)
-────────────────────────────────────────────────
+Removed verbs (refused — these now error with a pointer to the replacement)
+───────────────────────────────────────────────────────────────────────────
+Already gone. Invoking one prints a refusal naming its replacement. Listed
+here so old scripts know where each moved:
+  [REMOVED] plan              → brief --all
+  [REMOVED] govern <pb>       → brief <pb> --phase govern
+  [REMOVED] direct <pb>       → brief <pb> --phase direct
+  [REMOVED] look <pb>         → brief <pb> --phase look
+  [REMOVED] ingest            → run
+Deprecated aliases (still work — prefer the canonical verb)
+───────────────────────────────────────────────────────────
-These verbs still work but emit a one-time deprecation banner. The
-[DEPRECATED] prefix is included so \`exceptd help | grep '^  [a-z]'\`
-doesn't surface them in the active-verbs list. Migrate to v0.11:
+These still run but emit a one-time deprecation banner. The [DEPRECATED]
+prefix keeps them out of the active-verbs list that
+\`exceptd help | grep '^  [a-z]'\` surfaces. Each maps to a canonical verb:
-  [DEPRECATED] plan              → brief --all
-  [DEPRECATED] govern <pb>       → brief <pb> --phase govern
-  [DEPRECATED] direct <pb>       → brief <pb> --phase direct
-  [DEPRECATED] look <pb>         → brief <pb> --phase look
-  [DEPRECATED] ingest            → run
   [DEPRECATED] reattest <sid>    → attest diff <sid>
   [DEPRECATED] list-attestations → attest list
   [DEPRECATED] scan              → discover --scan-only

package/data/_indexes/_meta.json CHANGED Viewed

@@ -1,10 +1,10 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-26T23:43:42.161Z",
+  "generated_at": "2026-05-27T00:21:07.706Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 54,
   "source_hashes": {
-    "manifest.json": "3388678960393068730d472d6ecf7c761caaca1de75fffc3019bf15ff157bd88",
+    "manifest.json": "c9b4af4a90b3da6eadec358254afe012cfd6c9a4df9944a8f15e92c52afcfd4d",
     "data/atlas-ttps.json": "8dca8b3a370632548b3d7f465686ac6b47a26920bf6f618db401e349af2a33e2",
     "data/attack-techniques.json": "5bdfa22b5a9b4880e5340e70546cd6812750fcaf19697342b0a2bc8658fb2356",
     "data/cve-catalog.json": "5b37ab9f4863738df042a6a71126d99cd403ffdf0c18b2a0ae3de8c08f98dffa",
@@ -15,7 +15,7 @@
     "data/framework-control-gaps.json": "4a0987b9646258d0fcd8df28d82f0bacd8dfb49e19faeca7a5ccd4e151c01bc1",
     "data/global-frameworks.json": "9ba563a85f7f8d6c3c957de64945e20925a89d0ed6ea6fc561cf093811acf558",
     "data/rfc-references.json": "66ef2e1f444a2cf0c2700a754f0a66030bb8a91d9e68394b9537ea1fe8b904fe",
-    "data/zeroday-lessons.json": "0118bf69f5cab53065ade77389c13e5b20211fa20185d0786322789c9dafd7dc",
+    "data/zeroday-lessons.json": "b660d756c816913cfd24211b41d8b67b70881283b028d1b44b6903a6cda8b796",
     "skills/kernel-lpe-triage/skill.md": "08b3e9815ba481c57c80f5fc0ccbf5bb7cbb41f570c235ba6ff9596b8c07354d",
     "skills/ai-attack-surface/skill.md": "c4c1eb22a38ca7a959b5725222bab8fbd4f4044a548a93f3e288e6f698334b72",
     "skills/mcp-agent-trust/skill.md": "89ac89084391d2341b6513fefb1be2d36b93de1c130f057696219c1c59440f13",

package/data/zeroday-lessons.json CHANGED Viewed

@@ -6640,8 +6640,8 @@
     "new_control_requirements": [
       {
         "id": "NEW-CTRL-073",
-        "name": "RESEARCHER-HANDLE-GITHUB-RELEASE-TRACKER",
-        "description": "When a researcher handle is named in any catalog entry's discovery_attribution_note or poc_description, their public GitHub releases must be polled by the threat-intake pipeline. The handle becomes a known signal source after a single catalog-grade drop and warrants prioritized surfacing of subsequent drops.",
+        "name": "RESEARCHER-HANDLE-ACTIVITY-TRACKER",
+        "description": "When a researcher handle is named in any catalog entry's discovery_attribution_note or poc_description, their public code-platform activity (GitHub events or a GitLab activity feed) must be polled by the threat-intake pipeline. The handle becomes a known signal source after a single catalog-grade drop and warrants prioritized surfacing of subsequent drops.",
         "evidence": "CVE-2020-17103-REREGRESSION-2026, BUG-2026-NIGHTMARE-ECLIPSE-YELLOWKEY, BUG-2026-NIGHTMARE-ECLIPSE-GREENPLASMA, BUG-2026-NIGHTMARE-ECLIPSE-UNDEFEND all share the Nightmare-Eclipse / Chaotic Eclipse handle whose prior drop (BlueHammer / CVE-2026-33825) is already in the catalog. The 12-feed intake polled the right RSS sources but had no handle-tracker, so four catalog-grade drops accumulated unobserved over 5 weeks.",
         "gap_closes": [
           "NIST-800-53-SI-5",
@@ -6699,7 +6699,7 @@
     "new_control_requirements": [
       {
         "id": "NEW-CTRL-073",
-        "name": "RESEARCHER-HANDLE-GITHUB-RELEASE-TRACKER",
+        "name": "RESEARCHER-HANDLE-ACTIVITY-TRACKER",
         "description": "Same handle-tracker control as MiniPlasma — Nightmare-Eclipse drop.",
         "evidence": "Same researcher; same intake-pipeline gap.",
         "gap_closes": [
@@ -6740,7 +6740,7 @@
     "new_control_requirements": [
       {
         "id": "NEW-CTRL-073",
-        "name": "RESEARCHER-HANDLE-GITHUB-RELEASE-TRACKER",
+        "name": "RESEARCHER-HANDLE-ACTIVITY-TRACKER",
         "description": "Same handle-tracker control — Nightmare-Eclipse drop.",
         "evidence": "Same researcher; same intake-pipeline gap.",
         "gap_closes": [
@@ -6792,7 +6792,7 @@
       },
       {
         "id": "NEW-CTRL-073",
-        "name": "RESEARCHER-HANDLE-GITHUB-RELEASE-TRACKER",
+        "name": "RESEARCHER-HANDLE-ACTIVITY-TRACKER",
         "description": "Same handle-tracker control — Nightmare-Eclipse April-cluster drop.",
         "evidence": "Same researcher; same intake-pipeline gap.",
         "gap_closes": [

package/lib/source-advisories.js CHANGED Viewed

@@ -169,10 +169,11 @@ const FEEDS = [
     description: 'The Hacker News RSS — canonical tech-press venue for PoC drops + zero-day weaponization writeups. Anchored MiniPlasma 2026-05-14 writeup which the 12-feed set missed. CVE-ID extraction same as bleepingcomputer-security. v0.13.17.',
   },
   {
-    name: 'nightmare-eclipse-github',
-    url: 'https://api.github.com/users/Nightmare-Eclipse/events/public',
-    kind: 'github-events',
-    description: 'GitHub public-events feed for the Nightmare-Eclipse / Chaotic Eclipse researcher handle. Anchored the BlueHammer (CVE-2026-33825) + MiniPlasma cluster — the handle is the canonical signal source for unpatched Windows LPE / BitLocker / Defender drops since April 2026. NEW-CTRL-073 handle-tracker class; additional handles registered as their drops land in the catalog. v0.13.17.',
+    name: 'nightmare-eclipse-gitlab',
+    url: 'https://gitlab.com/Nightmare-Eclipse.atom',
+    kind: 'gitlab-activity',
+    researcher_handle: 'Nightmare-Eclipse',
+    description: 'GitLab public-activity Atom feed for the Nightmare-Eclipse / Chaotic Eclipse researcher handle, migrated from GitHub after the account was removed. Anchored the BlueHammer (CVE-2026-33825) + MiniPlasma cluster — the handle is the canonical signal source for unpatched Windows LPE / BitLocker / Defender drops since April 2026. NEW-CTRL-073 handle-tracker class; additional handles registered as their drops land in the catalog.',
   },
 ];
@@ -275,6 +276,54 @@ function parseGitHubEvents(body, feed) {
   return out;
 }
+/**
+ * GitLab public-activity parser — NEW-CTRL-073 researcher-handle tracker.
+ *
+ * GitLab publishes a public activity Atom feed at
+ * https://gitlab.com/<handle>.atom. Each <entry> describes one activity
+ * (pushed a tag, created a project/repository, pushed commits). We parse it
+ * with the shared Atom tokenizer and classify the entry title into the same
+ * event_type vocabulary the GitHub tracker emits, so the handle-drop diff in
+ * checkFeed fires identically across both sources. researcher_handle comes
+ * from the feed's explicit field (authoritative; the .atom URL also carries
+ * the handle as a fallback). This is the migration target after the handle's
+ * GitHub account was removed — the .atom feed needs no API token and the
+ * existing parseRssAtom tokenizer already handles its XML.
+ */
+function parseGitLabActivity(body, feed) {
+  const errors = [];
+  const entries = parseRssAtom(body, errors);
+  const handle = feed.researcher_handle
+    || (feed.url.match(/gitlab\.com\/([^/.]+)\.atom/) || [])[1]
+    || null;
+  return entries.map((it) => {
+    const t = `${it.title || ''}`;
+    let event_type = 'ActivityEvent';
+    if (/pushed (?:new )?tag|created tag|released/i.test(t)) event_type = 'ReleaseEvent';
+    else if (/created (?:repository|project)|imported project/i.test(t)) event_type = 'PublicEvent';
+    else if (/pushed (?:new commits|to)/i.test(t)) event_type = 'PushEvent';
+    else if (/created branch/i.test(t)) event_type = 'CreateEvent';
+    // Project path: GitLab activity titles read "<handle> pushed to project
+    // <ns>/<repo>"; the entry link path is the secondary source.
+    let repo_name = '';
+    const titleM = t.match(/project\s+(\S+\/\S+)/i);
+    if (titleM) repo_name = titleM[1];
+    else {
+      const linkM = (it.link || '').match(/gitlab\.com\/([^?#]+?)(?:\/-\/|$)/);
+      if (linkM) repo_name = linkM[1];
+    }
+    return {
+      title: it.title || '',
+      link: it.link || feed.url,
+      published: it.published || '',
+      body: it.body || it.title || '',
+      researcher_handle: handle,
+      event_type,
+      repo_name,
+    };
+  });
+}
 /**
  * Fetch a feed body. In fixture / cache modes, read from disk.
  */
@@ -316,6 +365,9 @@ async function checkFeed(feed, ctx) {
   } else if (feed.kind === 'github-events') {
     items = parseGitHubEvents(res.body, feed);
     items = items.map((it) => ({ ...it, cve_ids: extractCveIds(`${it.title} ${it.body} ${it.link}`) }));
+  } else if (feed.kind === 'gitlab-activity') {
+    items = parseGitLabActivity(res.body, feed);
+    items = items.map((it) => ({ ...it, cve_ids: extractCveIds(`${it.title} ${it.body} ${it.link}`) }));
   } else {
     items = parseRssAtom(res.body);
     items = items.map((it) => ({ ...it, cve_ids: extractCveIds(`${it.title} ${it.body} ${it.link}`) }));
@@ -352,7 +404,7 @@ async function checkFeed(feed, ctx) {
     // researcher publishes alias name, vendor advisory + CVE assignment
     // arrive days / weeks later). The diff carries handle + event_type
     // so downstream triage can prioritise without waiting for an ID.
-    if (feed.kind === 'github-events' && it.cve_ids.length === 0 && (it.event_type === 'ReleaseEvent' || it.event_type === 'PublicEvent')) {
+    if ((feed.kind === 'github-events' || feed.kind === 'gitlab-activity') && it.cve_ids.length === 0 && (it.event_type === 'ReleaseEvent' || it.event_type === 'PublicEvent')) {
       diffs.push({
         id: `HANDLE:${it.researcher_handle || feed.name}:${it.repo_name || 'unknown'}@${(it.published || '').slice(0, 10)}`,
         source: feed.name,
@@ -463,6 +515,7 @@ module.exports = {
   FEEDS,
   extractCveIds,
   parseRssAtom,
+  parseGitLabActivity,
   parseCsafIndex,
   parseGitHubEvents,
 };

package/manifest.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "exceptd-security",
-  "version": "0.13.117",
+  "version": "0.13.118",
   "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation",
   "homepage": "https://exceptd.com",
   "license": "Apache-2.0",
@@ -53,7 +53,7 @@
       ],
       "last_threat_review": "2026-05-15",
       "signature": "lXhZgoIrrVloO3XaTvo/43AxZn4mwErstd7DR0O/oVhD3AOGODM4HqrageYEou9WKOdMEGP5mJNTjJsXdP5NDA==",
-      "signed_at": "2026-05-26T23:40:55.119Z",
+      "signed_at": "2026-05-27T00:18:18.127Z",
       "cwe_refs": [
         "CWE-125",
         "CWE-362",
@@ -123,7 +123,7 @@
       ],
       "last_threat_review": "2026-05-17",
       "signature": "ztSKk/zFMFbT12qRcEeBKpydBn7fTT86KxMmor0DTCoKQWk5fJ0fSInfP1XMSB6rFk4/SuSjKVxQRMKVJ5a+Cg==",
-      "signed_at": "2026-05-26T23:40:55.120Z",
+      "signed_at": "2026-05-27T00:18:18.128Z",
       "cwe_refs": [
         "CWE-1039",
         "CWE-1426",
@@ -196,7 +196,7 @@
       ],
       "last_threat_review": "2026-05-17",
       "signature": "K6QdPHNK5c4K5QFjrW0QsUhjp71D7SOisSoulwPNSvKRdi2rY+yg0kdckijBMkLMsVPyUvcC9giu93mKJ1OZDg==",
-      "signed_at": "2026-05-26T23:40:55.121Z",
+      "signed_at": "2026-05-27T00:18:18.129Z",
       "cwe_refs": [
         "CWE-22",
         "CWE-345",
@@ -248,7 +248,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-22",
       "signature": "Qd3SBWmUAaaT++e1Ry2wBIz/dCBmNBMl0+4Rb0etvJLES0fIBEAkU1mTbgNZnT5XOg9J5twdUpymWtmKnDDQCQ==",
-      "signed_at": "2026-05-26T23:40:55.121Z"
+      "signed_at": "2026-05-27T00:18:18.129Z"
     },
     {
       "name": "compliance-theater",
@@ -279,7 +279,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "F2Shxae0ua0gPtvwzTRVzzHaIgJcFDRT3/akLUAZ4aaMQhkleKkcTaTpkjp+pTVEdPfLeLGNCeAOMs+whVYOBg==",
-      "signed_at": "2026-05-26T23:40:55.122Z"
+      "signed_at": "2026-05-27T00:18:18.130Z"
     },
     {
       "name": "exploit-scoring",
@@ -308,7 +308,7 @@
       ],
       "last_threat_review": "2026-05-18",
       "signature": "NA1hoQycvQhSUoG5rwlXX0mOVmGxoXRVezkELGEA2nZOdGis4gXkHT3O6Sfw7zxE4JuMrsCb65TEeOWk9WEPDg==",
-      "signed_at": "2026-05-26T23:40:55.122Z"
+      "signed_at": "2026-05-27T00:18:18.130Z"
     },
     {
       "name": "rag-pipeline-security",
@@ -345,7 +345,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "W3pS8lnaCP96TQzsJpG5d5yv5IwgaQyS4Z2Ctcz5BOJf6LbajSIgeDgTZ4f4Bhr5m4E7KsgWGjZS4x7Fwd33BQ==",
-      "signed_at": "2026-05-26T23:40:55.122Z",
+      "signed_at": "2026-05-27T00:18:18.131Z",
       "cwe_refs": [
         "CWE-1395",
         "CWE-1426"
@@ -405,7 +405,7 @@
       ],
       "last_threat_review": "2026-05-17",
       "signature": "/WDGygh1Ck4yWlBWDGtEUVCqKB8d+UaJXoAoBXujtt+GAl8JbMNpaN1TvI0WkEltQ9dTxaAzSn20/eVDqv8iDQ==",
-      "signed_at": "2026-05-26T23:40:55.123Z",
+      "signed_at": "2026-05-27T00:18:18.131Z",
       "d3fend_refs": [
         "D3-CA",
         "D3-CSPP",
@@ -440,7 +440,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-22",
       "signature": "za1NKBpy9LC91F/ESO/qhUfmvVr8GNItQOjR5OJLeHm+2dQ9HHiFWQK2eo53V/n/0uhubuggURA3yS6kJuWwBg==",
-      "signed_at": "2026-05-26T23:40:55.123Z",
+      "signed_at": "2026-05-27T00:18:18.131Z",
       "cwe_refs": [
         "CWE-1188"
       ],
@@ -474,7 +474,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-18",
       "signature": "xiHAhhdufm9hCKU8PLiPE0MX65ej2F4OZwtlWLGLCiie9/km+Kiqbt192LcMvr94v83C98pb9wIaqFsFWft6AQ==",
-      "signed_at": "2026-05-26T23:40:55.123Z",
+      "signed_at": "2026-05-27T00:18:18.132Z",
       "forward_watch": [
         "New AI attack classes as ATLAS v6 publishes",
         "Post-quantum adversary capability timeline",
@@ -513,7 +513,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "oYsSk35N2Uzq7MRofACykylcVwkgPhI4luWZ14vmQT+gUKLyZiKVOUJbe1+7lGl6BYPRN0sUDQ0f7S5Eu5w2Ag==",
-      "signed_at": "2026-05-26T23:40:55.124Z"
+      "signed_at": "2026-05-27T00:18:18.132Z"
     },
     {
       "name": "zeroday-gap-learn",
@@ -540,7 +540,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-18",
       "signature": "igRqYyU1unRFH40BsPyAR62SPrk8QZv8dPGb8S9O9EvLCNOZAzm3t+HdT/NKqzWHwrpomOzkkkyLfYI/0qTUDA==",
-      "signed_at": "2026-05-26T23:40:55.124Z",
+      "signed_at": "2026-05-27T00:18:18.133Z",
       "forward_watch": [
         "New CISA KEV entries",
         "New ATLAS TTP additions in each ATLAS release",
@@ -604,7 +604,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "i/17u4kJiSpcZAz7LnTyRePFugQOstQ1P4kVoe0oGf4E2/j8oIN9U9DccjUn/YHZhKWIJ2AILG/DMhvMrr3bBg==",
-      "signed_at": "2026-05-26T23:40:55.124Z",
+      "signed_at": "2026-05-27T00:18:18.133Z",
       "cwe_refs": [
         "CWE-327"
       ],
@@ -652,7 +652,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "QuOVaQ4E2Sl39TClbhZ7HA9XrYAyRrDL44HY3RTE7aWLue0hV2cxaBt40ALGmHS++631QGFDlZTLZI77Tr6nAA==",
-      "signed_at": "2026-05-26T23:40:55.125Z"
+      "signed_at": "2026-05-27T00:18:18.133Z"
     },
     {
       "name": "security-maturity-tiers",
@@ -689,7 +689,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "8Px1s2lDj10/Q6erwEQlXgUHM1+OTruUR8qAHPX7Oo3k/l69N6P9sm0PsafS9wDFtj9l5C/OiLiFgzMlMt6vBw==",
-      "signed_at": "2026-05-26T23:40:55.125Z",
+      "signed_at": "2026-05-27T00:18:18.134Z",
       "cwe_refs": [
         "CWE-1188"
       ]
@@ -724,7 +724,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-11",
       "signature": "urRcataVWg6/utyEkSiOWoNxTL8sABRjPR7ShyDfZGnAozFph/yDktSoaPVxQDXwu9EfJE+qhUW5OYR/yJECBQ==",
-      "signed_at": "2026-05-26T23:40:55.125Z"
+      "signed_at": "2026-05-27T00:18:18.134Z"
     },
     {
       "name": "attack-surface-pentest",
@@ -796,7 +796,7 @@
         "Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — Microsoft Edge 4-bug sandbox escape by Orange Tsai (DEVCORE); forward-watch only (browser sandbox, out of current playbook scope); track Microsoft Edge security advisory and KEV add"
       ],
       "signature": "C7lv65/Ecm8JJgSKxrX5lxx0YFzKWtrIQSKp+vy50I5e8945s1JmifGUUrnQwRQhq/Pkv7EmfiH5XSO8h75bDg==",
-      "signed_at": "2026-05-26T23:40:55.126Z"
+      "signed_at": "2026-05-27T00:18:18.134Z"
     },
     {
       "name": "fuzz-testing-strategy",
@@ -856,7 +856,7 @@
         "OSS-Fuzz-Gen / AI-assisted harness generation becoming the default expectation for OSS maintainers"
       ],
       "signature": "Z7ypCUnXx8JpLtgxxB6RHNi39w74AmrGY1N4ofAGCXhkuM2EaFVm1AU0dvl9UQ1bVLfHKEDGqMO/TwlIY7RABg==",
-      "signed_at": "2026-05-26T23:40:55.126Z"
+      "signed_at": "2026-05-27T00:18:18.135Z"
     },
     {
       "name": "dlp-gap-analysis",
@@ -931,7 +931,7 @@
         "Quebec Law 25, India DPDPA, KSA PDPL enforcement actions naming AI-tool prompt data as in-scope personal information"
       ],
       "signature": "IgEnpHOhCftAyfUNdKsjbrd169T9pJkk/rRM2ZEna+H18y7p5x48+1kME2sJMZjJuyAdQFBJi8PJXZFwLGI+DQ==",
-      "signed_at": "2026-05-26T23:40:55.126Z"
+      "signed_at": "2026-05-27T00:18:18.135Z"
     },
     {
       "name": "supply-chain-integrity",
@@ -1010,7 +1010,7 @@
         "Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — NVIDIA Megatron Bridge path traversal by haehae; AI training-stack file-system trust boundary; track patch and SBOM-attestation impact"
       ],
       "signature": "pcLrM98A3vUSZRjwNAk0aZ9umvOwB41XCLLsCOy/IebB2F/06oIrGUKkMHtHwm4pTVPShMMcKdZQQ3jz30FnCg==",
-      "signed_at": "2026-05-26T23:40:55.127Z"
+      "signed_at": "2026-05-27T00:18:18.135Z"
     },
     {
       "name": "defensive-countermeasure-mapping",
@@ -1067,7 +1067,7 @@
       ],
       "last_threat_review": "2026-05-11",
       "signature": "G5q5elh7Q7eu2xcwTVQJGDTGfvZR0OGQaLSLJPb2wjzCHFF8PWuZfCHZdjjqisiRzRWPyLlzgfHeMJqOdy7cBw==",
-      "signed_at": "2026-05-26T23:40:55.127Z"
+      "signed_at": "2026-05-27T00:18:18.136Z"
     },
     {
       "name": "identity-assurance",
@@ -1134,7 +1134,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "Wv5hGMeHjlaQK1zwicVCA7AvdKgJBgvcjdpGM9Ywahh9tagAKhbkOjybowDQZzu7OZ3bDkbh6pBYc1Sdwr6NAA==",
-      "signed_at": "2026-05-26T23:40:55.127Z"
+      "signed_at": "2026-05-27T00:18:18.136Z"
     },
     {
       "name": "ot-ics-security",
@@ -1190,7 +1190,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "8t5qKHd3yWi57dvG36YQkLN/X9bQWqtEiYjay4IfSmqhJpM/xXPaQVKNGz3wscrO8OLKUZ0OaX7Mj5kzpgBKBQ==",
-      "signed_at": "2026-05-26T23:40:55.127Z"
+      "signed_at": "2026-05-27T00:18:18.136Z"
     },
     {
       "name": "coordinated-vuln-disclosure",
@@ -1242,7 +1242,7 @@
         "NYDFS 23 NYCRR 500 amendments potentially adding explicit CVD program requirements"
       ],
       "signature": "GDGt4UPqBa04PjlpSmpyihGzd3OgfBN7jaAK5tfwp+LRSs3ygKOdbeivUCCHNagTY1hE6hG2Ou40ADfBFuXeAg==",
-      "signed_at": "2026-05-26T23:40:55.128Z"
+      "signed_at": "2026-05-27T00:18:18.137Z"
     },
     {
       "name": "threat-modeling-methodology",
@@ -1292,7 +1292,7 @@
         "PASTA v2 updates incorporating AI/ML application threats"
       ],
       "signature": "rFBpOQEJUPpl+v88Lw/WqVJRhTl80vy0VbPAbzQj3Q0suJRRrJg368I9uKu5LXIBKFDvKxnGIcIzbGg9NUtaCA==",
-      "signed_at": "2026-05-26T23:40:55.128Z"
+      "signed_at": "2026-05-27T00:18:18.137Z"
     },
     {
       "name": "webapp-security",
@@ -1366,7 +1366,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "ux85YI4t2mVHOyt744Yin1HHy+z11JIFygjKfFfQOBBl5QVV3A267jeIy7utix85irMcpZm/T3yx/ooqiK2tBA==",
-      "signed_at": "2026-05-26T23:40:55.128Z",
+      "signed_at": "2026-05-27T00:18:18.137Z",
       "forward_watch": [
         "NGINX Rift CVE-2026-42945 (disclosed 2026-05-13, source depthfirst) — KEV-watch predicted CISA KEV listing by 2026-05-29; AI-assisted discovery angle; track for active-exploitation confirmation and patch advisory affecting front-door web app deployments"
       ]
@@ -1419,7 +1419,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-15",
       "signature": "IIXnkZ5ZNqFwOto5KfytADTLLZLoyXNZACD1ORZ40P1HUAQxe6u2uyXFzzsfuob4Uy06jNkRGr2FFgCphUH1Cw==",
-      "signed_at": "2026-05-26T23:40:55.129Z"
+      "signed_at": "2026-05-27T00:18:18.138Z"
     },
     {
       "name": "sector-healthcare",
@@ -1479,7 +1479,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "AhF9KF8ZBlDteciV+F8IBSmFVYCvQOn44GmD4rZjgLoPxfIv/QE1/vSkK32zyqDKtHWkLSXExbkkPkxA/V6dDw==",
-      "signed_at": "2026-05-26T23:40:55.129Z"
+      "signed_at": "2026-05-27T00:18:18.138Z"
     },
     {
       "name": "sector-financial",
@@ -1560,7 +1560,7 @@
         "TIBER-EU framework v2.0 alignment with DORA TLPT RTS (JC 2024/40); cross-recognition with CBEST and iCAST"
       ],
       "signature": "HQgZvb4ReziEz5rNFr8i/O8/rJEZR+iHRROT7m/D2QUqhrcNISPkYXENsUZlG8xapzy/Ik92ehkseyj4hdmhCQ==",
-      "signed_at": "2026-05-26T23:40:55.130Z"
+      "signed_at": "2026-05-27T00:18:18.139Z"
     },
     {
       "name": "sector-federal-government",
@@ -1629,7 +1629,7 @@
         "Australia PSPF 2024 revision and ISM quarterly updates — track for Essential Eight Maturity Level requirements for federal entities"
       ],
       "signature": "linxmsXZiOYtcs71sSWgGCrvb8xQfmxmtTY5PRvZJ0/8FgJulo0tQtejzexYG775s7XhjAmGsDP238BQTQ8ADA==",
-      "signed_at": "2026-05-26T23:40:55.130Z"
+      "signed_at": "2026-05-27T00:18:18.139Z"
     },
     {
       "name": "sector-energy",
@@ -1694,7 +1694,7 @@
         "ICS-CERT advisory feed (https://www.cisa.gov/news-events/cybersecurity-advisories/ics-advisories) for vendor CVEs in Siemens, Rockwell, Schneider Electric, ABB, GE Vernova, Hitachi Energy, AVEVA / OSIsoft PI"
       ],
       "signature": "JjBfc0ovta560Clk0x3QGRM5osFJDwcvpy3rT7QEGdCIL827jzE8QCow1C8deXq+4JhY2sA/d7/8IsxikdlkCg==",
-      "signed_at": "2026-05-26T23:40:55.130Z"
+      "signed_at": "2026-05-27T00:18:18.140Z"
     },
     {
       "name": "sector-telecom",
@@ -1780,7 +1780,7 @@
         "O-RAN SFG / WG11 security specifications"
       ],
       "signature": "JWVxKFoKrbX4d+Tko1d4OBdwyg25MfFFKn4CT6E/CzH+YwnU3T6Y76uBQIKg3+gIGTvPduqyvQwQQ5FxKDuPBw==",
-      "signed_at": "2026-05-26T23:40:55.130Z"
+      "signed_at": "2026-05-27T00:18:18.140Z"
     },
     {
       "name": "api-security",
@@ -1849,7 +1849,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-18",
       "signature": "BmCRCestWqr55+fCynEhtAl5NWLT+xLTkpwS0Icp3SaoZOw/ce3Y6TtqjHRSKn4CBJq7YDiLRWxmhO3MStvOAA==",
-      "signed_at": "2026-05-26T23:40:55.131Z",
+      "signed_at": "2026-05-27T00:18:18.140Z",
       "forward_watch": [
         "NGINX Rift CVE-2026-42945 (disclosed 2026-05-13, source depthfirst) — KEV-watch predicted CISA KEV listing by 2026-05-29; track for active-exploitation confirmation and patch advisory affecting API gateway / reverse-proxy deployments",
         "Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — LiteLLM 3-bug SSRF + Code Injection chain by k3vg3n; LLM-proxy API surface; track upstream patch and CVE assignments",
@@ -1935,7 +1935,7 @@
         "CISA KEV additions for cloud-control-plane CVEs (IMDSv1 abuses, federation token mishandling, cross-tenant boundary failures); CISA Cybersecurity Advisories for cross-cloud advisories"
       ],
       "signature": "/DV3pmZwrRySrk1OCbyI+0BQESacjupJfUX3eC2NGtXuYOBro0vndIP+z27heFxumnjU3a9sfla7/U9X+pqnDw==",
-      "signed_at": "2026-05-26T23:40:55.131Z"
+      "signed_at": "2026-05-27T00:18:18.141Z"
     },
     {
       "name": "container-runtime-security",
@@ -1997,7 +1997,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-15",
       "signature": "E2UGSf9ATyYgzBr8uM/0ubOUmDqo1jVA7f9mVxv6LHfWGCNuQNXDyuNou9VAmUCeeXEeUYIi3AFjXkJqpOkxDA==",
-      "signed_at": "2026-05-26T23:40:55.131Z",
+      "signed_at": "2026-05-27T00:18:18.141Z",
       "forward_watch": [
         "Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — NVIDIA Container Toolkit container escape ($50K award) by chompie / IBM X-Force XOR; high-severity container/hypervisor boundary break; track patch and KEV add post-embargo"
       ]
@@ -2071,7 +2071,7 @@
         "MITRE ATLAS v5.6.0 (released May 2026) shipped the AML.T0010 sub-technique expansion this forecast tracked plus new techniques (\"Publish Poisoned AI Agent Tool\", \"Escape to Host\"); inventory now 16 tactics, 84 techniques, 56 sub-techniques. Forward watch: subsequent ATLAS minor and major releases — track next-cadence updates to agentic-AI TTPs and MLOps-pipeline-specific techniques"
       ],
       "signature": "IL+DlRCDJN/p08iiJCFkasKcoyjcB0uWrJ6ORLjQcS1HrUa5Xt62QxVjYPHzaevlm5y36ZdmfESqsZJmzK3lCg==",
-      "signed_at": "2026-05-26T23:40:55.132Z"
+      "signed_at": "2026-05-27T00:18:18.141Z"
     },
     {
       "name": "incident-response-playbook",
@@ -2133,7 +2133,7 @@
         "NYDFS 23 NYCRR 500.17 amendments tightening ransom-payment 24h disclosure operationalization"
       ],
       "signature": "MmjLjlmOMLjhJJ4ZfR8MYlHam+ZB+eSqfh6Nv+DecaG4O5zeo9DBP/iL3cbyDVZxmhnhivgJild2ccYeWTeZAg==",
-      "signed_at": "2026-05-26T23:40:55.132Z"
+      "signed_at": "2026-05-27T00:18:18.142Z"
     },
     {
       "name": "ransomware-response",
@@ -2213,7 +2213,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "ssueL03g9fWlhXpTe+IiY5l7RqQkunN4DTN5QETKE+VOX+qggdjAR8PONxk77ol4xWYmHrM/VcH8CNtXUEvgBA==",
-      "signed_at": "2026-05-26T23:40:55.132Z"
+      "signed_at": "2026-05-27T00:18:18.142Z"
     },
     {
       "name": "email-security-anti-phishing",
@@ -2266,7 +2266,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-18",
       "signature": "rK+WnuS+9tqEABmwc0jO/PEmxcLjG1/tmUb897HsClQeKzf+TQOlwBE+OsbtuKxpjYNwur62Xxs3TxObkwm8Cw==",
-      "signed_at": "2026-05-26T23:40:55.133Z"
+      "signed_at": "2026-05-27T00:18:18.143Z"
     },
     {
       "name": "age-gates-child-safety",
@@ -2334,7 +2334,7 @@
         "US state adult-site age-verification laws — 19+ states by mid-2026 (TX HB 18 upheld by SCOTUS June 2025 in Free Speech Coalition v. Paxton); track ongoing challenges in remaining states"
       ],
       "signature": "Rgho5TOFUL1txOzcVR0kASCNdovSU4yt99JlGilJlJRyg0A+BdeeQYrZrhPF6Vx2reUAVG0BeHfcZtSbi+cwCg==",
-      "signed_at": "2026-05-26T23:40:55.133Z"
+      "signed_at": "2026-05-27T00:18:18.143Z"
     },
     {
       "name": "cloud-iam-incident",
@@ -2414,7 +2414,7 @@
       ],
       "last_threat_review": "2026-05-15",
       "signature": "e/kij7GtKaytROyIj7V5RH+FC9WtmVFzrmG2kIlNDNn29ep/CRNlIQKwXLpzo/81AIf634pmdr1qy/+vwIuUDA==",
-      "signed_at": "2026-05-26T23:40:55.133Z",
+      "signed_at": "2026-05-27T00:18:18.143Z",
       "forward_watch": [
         "AWS IAM Identity Center session-policy refresh and step-up-on-admin enforcement (anticipated 2026-H2 release)",
         "GCP Workload Identity Federation principal-set attribute mapping tightening (post-2026 Q3 Federation hardening guide)",
@@ -2508,7 +2508,7 @@
       ],
       "last_threat_review": "2026-05-15",
       "signature": "ew9Kglc9fAZzbn0ZIfGP7WSK/j4eV2VhSvpy+s5bEfNEVYIMa2kZjnGBapgUsyGDLes9H9K2ovjQyX17+GKiBw==",
-      "signed_at": "2026-05-26T23:40:55.134Z",
+      "signed_at": "2026-05-27T00:18:18.144Z",
       "forward_watch": [
         "Entra ID conditional access evolution post-Midnight Blizzard — Microsoft's 2025-2026 commitments on legacy-tenant MFA enforcement and OAuth-app consent gating",
         "Okta IPSIE (Interoperability Profile for Secure Identity in the Enterprise) OpenID Foundation working-group output and adoption timeline",
@@ -2526,6 +2526,6 @@
   ],
   "manifest_signature": {
     "algorithm": "Ed25519",
-    "signature_base64": "TeYunG3NTB9qu3tWHt96R4IPUQL5qxqW7Rb7qP958a8z8YQqBSJAFWAHilW0+sMoNt6f4iXSPuFWtlQrjHtTAA=="
+    "signature_base64": "0Hu7OAc4qOKePF0hH8WyYUxS3id1UhN2cD6b12UytkCe76eYPXEXxQPUnB9piUKpLwYUnqbwdN7VpN0dqC67Bw=="
   }
 }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/exceptd-skills",
-  "version": "0.13.117",
+  "version": "0.13.118",
   "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 42 skills, 11 catalogs (406 CVEs / 171 CWEs / 805 ATT&CK + ICS / 170 ATLAS / 468 D3FEND / 7476 RFCs), 35 jurisdictions, 10-class catalog gap detector + budget gate, real XML parser + canonical-form diff + content-pattern regression detection, Ed25519-signed.",
   "keywords": [
     "ai-security",

package/sbom.cdx.json CHANGED Viewed

@@ -1,22 +1,22 @@
 {
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:22de764c-d633-46d7-a075-802b2df984fa",
+  "serialNumber": "urn:uuid:99b19080-e49c-4648-ab4b-e5f93aea5e54",
   "version": 1,
   "metadata": {
-    "timestamp": "2044-07-15T21:17:00.000Z",
+    "timestamp": "2107-09-18T08:08:32.000Z",
     "tools": [
       {
         "vendor": "blamejs",
         "name": "scripts/refresh-sbom.js",
-        "version": "0.13.117"
+        "version": "0.13.118"
       }
     ],
     "component": {
-      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.13.117",
+      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.13.118",
       "type": "application",
       "name": "@blamejs/exceptd-skills",
-      "version": "0.13.117",
+      "version": "0.13.118",
       "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 42 skills, 11 catalogs (406 CVEs / 171 CWEs / 805 ATT&CK + ICS / 170 ATLAS / 468 D3FEND / 7476 RFCs), 35 jurisdictions, 10-class catalog gap detector + budget gate, real XML parser + canonical-form diff + content-pattern regression detection, Ed25519-signed.",
       "licenses": [
         {
@@ -25,17 +25,17 @@
           }
         }
       ],
-      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.13.117",
+      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.13.118",
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "985bf49c2172f805b97cd2fa86a392eb353fc917a7d52e1d189a28a1f63f26f8"
+          "content": "d51fe0ea81f881abdf08942be86da6f77b96e196e384cdea56a876d01c18b548"
         }
       ],
       "externalReferences": [
         {
           "type": "distribution",
-          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.13.117"
+          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.13.118"
         },
         {
           "type": "vcs",
@@ -86,11 +86,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "76ce2fe9bafe6488775f69afae5fce015101e38b6c61c8978a196c26c6f3a63c"
+          "content": "0ec673f44c7b80e8b775b3e6db07a679a12177e2245a0068e393352671a5b841"
         },
         {
           "alg": "SHA3-512",
-          "content": "5b1624ea5458aad9470b1d0696f9307b8ab964e818966b5590fd7437412e02fd88b897af0f4cc1d734590edff26c7f1ffc87597c81d82f4dcc6ee18e66b010a0"
+          "content": "7a6a6b8c606e30804b1e2452124b824d50a174e67c9470814f1c541c1db7cc3bd9b5f6ff03980f8c2c0add8526710a8c82654c934f1a89df608c49cd910f57b1"
         }
       ]
     },
@@ -116,11 +116,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "93ecf2521036c71c1e0b19dbf5c65b4fd10a5c981789e62430870c2f840fc2a4"
+          "content": "ffbbc1097116a155a897cadcf2c5c4b4ddcff07143d57117ba226eefe993ce12"
         },
         {
           "alg": "SHA3-512",
-          "content": "1b865537f456a7ef482f7509cb35a5133986843d169667f9042c2874d3c95d6785d876e08f281a431d8e81313a18dd62501b297f5f7d5457c66111b3f15da129"
+          "content": "9ca688da9504bb80f6459c51d843c3c99b41416517a7361e2ab9ff484939190a8791d9ecb2e820bcd6e8448087f54598a70e4e6fb42dc6f5c24c805e1715ebe2"
         }
       ]
     },
@@ -176,11 +176,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "10c5858ec4d9cff0862651c1d876242b62ca6dd18a8d1807dce44c3aafa2303c"
+          "content": "2d16cbfc6ff8e1c2a435bcb3903445792a2fb794a595a63fdb9fe6ac4c1fd644"
         },
         {
           "alg": "SHA3-512",
-          "content": "713bbf149a46a960432d1583202dbf223d0c7874f06613db109c4166adc2ec1a4523061a059ecd4c6c267cbfbb417fc95bc2a6787bb304e50a9ac8fdc326a9a9"
+          "content": "93b6d2a34c7560b23232e05ab349bd13c10110100cc32dc670301a9d794f247008603d9e2824541aa6b637a6e90e7e03726341e6dcad2f5a79f274676379d46d"
         }
       ]
     },
@@ -281,11 +281,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "5c9ce8eadb9b392d565d598bf49efadeb7e8c029c2e182ac53c9de2d8631ff3f"
+          "content": "80af79165a79ce43ed0acf5e9b49f0087814457d4ed486466d75c7746794ce7f"
         },
         {
           "alg": "SHA3-512",
-          "content": "a358a3c9fdfc04c202f33568dcc3f046700f87b0210114a2cea8fe82178dc4c8f1d96301b0c6f34b01f675bfaf2d03ac36fdb96b45c26a9873006da099f4eb9c"
+          "content": "5e7e4f9b67c4bbb1db9435cf7af7f11b689722129768bf60320b2aea6dc072e69208733a46f043357c279bc9eb3982b0c6ad06745dab7998a96d299fcf842137"
         }
       ]
     },
@@ -791,11 +791,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "0118bf69f5cab53065ade77389c13e5b20211fa20185d0786322789c9dafd7dc"
+          "content": "b660d756c816913cfd24211b41d8b67b70881283b028d1b44b6903a6cda8b796"
         },
         {
           "alg": "SHA3-512",
-          "content": "fd40ce3846fa1be9402d30ae9dd9f2e109f2d3e8f6d438f419168b60bc4ebb51f3df0617c57dc2f90088c87784009773e3e230cb3ab949e95cb479404adc6e93"
+          "content": "b6af1fbbfdd81b9557a2d86693e5b357a2b3eb8187ffab69e79b165863bc9cc33a9021117ab868715bd3fe0e349b61e2a4e79276d7204feccebdc0df20784c8e"
         }
       ]
     },
@@ -1391,11 +1391,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "d4da578b2f7d45f3d22eac52c1c9196cd3dbaf23414b5932d1f5c52d713236b8"
+          "content": "8d4b4ce296a23314d9d1fdbbd8347e2ee6752319ea09c2424ed1df011aa01544"
         },
         {
           "alg": "SHA3-512",
-          "content": "1f5add189b0d6bfd18cd85b28ff7ce64f1b52fec573098ccfbd71fc9245cbcca624a0cda515315e6881779d46eb0ca27fbefb4eda74cc5ff22c2309a1a97d5de"
+          "content": "f2bb166bcea14b62f41d71744cb17569124b928b68c564e86399c58ffe20c2c8160c572642e25e5f460937b090e92e49a73b2b81ac63ea2244cbfbe914e876e4"
         }
       ]
     },
@@ -1661,11 +1661,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "3388678960393068730d472d6ecf7c761caaca1de75fffc3019bf15ff157bd88"
+          "content": "c9b4af4a90b3da6eadec358254afe012cfd6c9a4df9944a8f15e92c52afcfd4d"
         },
         {
           "alg": "SHA3-512",
-          "content": "e5ebb812e9cd0cf1e1e8553928176a1583318c7a61c038ce60ab7b47d072b526ffe004e71f8978b10e27ec12094c7955bcccd21526212d5fbfe01ed27d7a427d"
+          "content": "05b9e9916f71b56c0527ccff3d96ea77869ebacc3a090ad237000ba111a33b561948d2de4e1024462dd967be46981236ceef9ae9838b50ad2ddf2411085c362d"
         }
       ]
     },