@blamejs/exceptd-skills 0.13.2 → 0.13.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (64) hide show
  1. package/AGENTS.md +41 -4
  2. package/CHANGELOG.md +73 -0
  3. package/README.md +79 -13
  4. package/bin/exceptd.js +105 -1
  5. package/data/_indexes/_meta.json +47 -47
  6. package/data/_indexes/activity-feed.json +3 -3
  7. package/data/_indexes/catalog-summaries.json +3 -3
  8. package/data/_indexes/chains.json +125 -32
  9. package/data/_indexes/frequency.json +12 -0
  10. package/data/_indexes/handoff-dag.json +127 -57
  11. package/data/_indexes/section-offsets.json +541 -487
  12. package/data/_indexes/summary-cards.json +34 -34
  13. package/data/_indexes/token-budget.json +329 -299
  14. package/data/attack-techniques.json +2 -0
  15. package/data/cve-catalog.json +99 -146
  16. package/data/cwe-catalog.json +1 -0
  17. package/data/exploit-availability.json +0 -27
  18. package/data/framework-control-gaps.json +409 -0
  19. package/data/zeroday-lessons.json +71 -89
  20. package/lib/lint-skills.js +17 -13
  21. package/lib/schemas/playbook.schema.json +5 -0
  22. package/lib/source-advisories.js +26 -0
  23. package/manifest.json +82 -82
  24. package/orchestrator/index.js +147 -2
  25. package/package.json +1 -1
  26. package/sbom.cdx.json +61 -61
  27. package/skills/age-gates-child-safety/skill.md +2 -0
  28. package/skills/ai-attack-surface/skill.md +2 -0
  29. package/skills/ai-c2-detection/skill.md +2 -0
  30. package/skills/ai-risk-management/skill.md +2 -0
  31. package/skills/api-security/skill.md +16 -4
  32. package/skills/attack-surface-pentest/skill.md +2 -0
  33. package/skills/cloud-iam-incident/skill.md +1 -1
  34. package/skills/cloud-security/skill.md +2 -0
  35. package/skills/compliance-theater/skill.md +28 -2
  36. package/skills/container-runtime-security/skill.md +2 -0
  37. package/skills/coordinated-vuln-disclosure/skill.md +1 -1
  38. package/skills/defensive-countermeasure-mapping/skill.md +2 -0
  39. package/skills/dlp-gap-analysis/skill.md +2 -0
  40. package/skills/email-security-anti-phishing/skill.md +14 -4
  41. package/skills/exploit-scoring/skill.md +30 -1
  42. package/skills/framework-gap-analysis/skill.md +28 -1
  43. package/skills/fuzz-testing-strategy/skill.md +4 -2
  44. package/skills/global-grc/skill.md +2 -0
  45. package/skills/identity-assurance/skill.md +2 -0
  46. package/skills/kernel-lpe-triage/skill.md +2 -0
  47. package/skills/mcp-agent-trust/skill.md +4 -0
  48. package/skills/mlops-security/skill.md +2 -0
  49. package/skills/ot-ics-security/skill.md +2 -0
  50. package/skills/policy-exception-gen/skill.md +28 -1
  51. package/skills/pqc-first/skill.md +2 -0
  52. package/skills/rag-pipeline-security/skill.md +2 -0
  53. package/skills/researcher/skill.md +2 -0
  54. package/skills/sector-energy/skill.md +2 -0
  55. package/skills/sector-federal-government/skill.md +2 -0
  56. package/skills/sector-financial/skill.md +2 -0
  57. package/skills/sector-healthcare/skill.md +2 -0
  58. package/skills/security-maturity-tiers/skill.md +2 -0
  59. package/skills/skill-update-loop/skill.md +2 -0
  60. package/skills/supply-chain-integrity/skill.md +2 -0
  61. package/skills/threat-model-currency/skill.md +37 -1
  62. package/skills/threat-modeling-methodology/skill.md +2 -0
  63. package/skills/webapp-security/skill.md +2 -0
  64. package/skills/zeroday-gap-learn/skill.md +33 -1
package/manifest.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "exceptd-security",
3
- "version": "0.13.2",
3
+ "version": "0.13.4",
4
4
  "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation",
5
5
  "homepage": "https://exceptd.com",
6
6
  "license": "Apache-2.0",
@@ -52,8 +52,8 @@
52
52
  "RFC-7296"
53
53
  ],
54
54
  "last_threat_review": "2026-05-01",
55
- "signature": "ZS8UdA+c6vWovG2EsBP2X2xd43uSC33/LPq6SZtYEEQto4zuzLNH+pcL74oE2V5mie03r+5YdisQYtV5g+ANCQ==",
56
- "signed_at": "2026-05-18T02:19:03.449Z",
55
+ "signature": "lXhZgoIrrVloO3XaTvo/43AxZn4mwErstd7DR0O/oVhD3AOGODM4HqrageYEou9WKOdMEGP5mJNTjJsXdP5NDA==",
56
+ "signed_at": "2026-05-18T04:12:28.341Z",
57
57
  "cwe_refs": [
58
58
  "CWE-125",
59
59
  "CWE-362",
@@ -116,8 +116,8 @@
116
116
  "SOC2-CC6-logical-access"
117
117
  ],
118
118
  "last_threat_review": "2026-05-01",
119
- "signature": "l5PS3EMYS5+e4EBeYOaWTeKLcmeWDuqxRjDQFD4m7n1uRdCPziTEkHkEAVxSuBp1aKhbOvShTFpXXtTgZ0nhBg==",
120
- "signed_at": "2026-05-18T02:19:03.451Z",
119
+ "signature": "OI+pADcTrRHZB8UTq9G89cNPvvYf1A+4rR+oJGTCVGXWoxPY9+bKW7FqCPQBb+rnxde/gwBX0+vxN/Nn7XwgDA==",
120
+ "signed_at": "2026-05-18T04:12:28.346Z",
121
121
  "cwe_refs": [
122
122
  "CWE-1039",
123
123
  "CWE-1426",
@@ -179,8 +179,8 @@
179
179
  "RFC-9700"
180
180
  ],
181
181
  "last_threat_review": "2026-05-01",
182
- "signature": "KXUDBx+nPn+85iFh7+zMIllAdkjUWbhgXpaot5/yliZwKzVmFFPjQF/xZm8gdZLFkskyO5M0MS/MqjowPvAHBw==",
183
- "signed_at": "2026-05-18T02:19:03.451Z",
182
+ "signature": "fqnvFL75sJgJJV6LUt6qHld4PsMJiPB1r+M905mkr8mUkByE0pPZfK1voS/r/wh2O1+1j2zzo0OkAw0pCk37Aw==",
183
+ "signed_at": "2026-05-18T04:12:28.346Z",
184
184
  "cwe_refs": [
185
185
  "CWE-22",
186
186
  "CWE-345",
@@ -225,8 +225,8 @@
225
225
  "attack_refs": [],
226
226
  "framework_gaps": [],
227
227
  "last_threat_review": "2026-05-01",
228
- "signature": "Jn4HdauaKGzLGB4lmqgS7ntrrkKykfHrths/mlJegHgjoRsauVK/+S3VN82YxRcnTa1gOYd08hMUV7FnKRs6Cg==",
229
- "signed_at": "2026-05-18T02:19:03.452Z"
228
+ "signature": "g+vvEyHA4LllzMLuyY2Cc6h7hSWeQbfDqGx629Yb3/kQ8MsQW0moypnxUMA50KBetKMd0+WfnbC4H1DvxJtgAg==",
229
+ "signed_at": "2026-05-18T04:12:28.347Z"
230
230
  },
231
231
  {
232
232
  "name": "compliance-theater",
@@ -256,8 +256,8 @@
256
256
  "CMMC-2.0-Level-2"
257
257
  ],
258
258
  "last_threat_review": "2026-05-01",
259
- "signature": "byFyQfZFeQ9mhH4+DxNWyM2lBVDcZiEx+vDPSJpjmblb61T3KIK70PWb9KhUKO//9RBwnb7Bz9KbltruhaB3DA==",
260
- "signed_at": "2026-05-18T02:19:03.452Z"
259
+ "signature": "N7vMeWMdMutAAZ49QoPW7lMA1WRjnTRezh9oLBUfAgetZBcHHd14Rg9uqWTkCjilXxhw/fyQrWPjraD2IRg4AQ==",
260
+ "signed_at": "2026-05-18T04:12:28.348Z"
261
261
  },
262
262
  {
263
263
  "name": "exploit-scoring",
@@ -285,8 +285,8 @@
285
285
  "CIS-Controls-v8-Control7"
286
286
  ],
287
287
  "last_threat_review": "2026-05-01",
288
- "signature": "6nar8a3phaFK55Xpgw0XEBz3k4WrtRfW79JfKjgeKRc1FqljMaqmNxb3ftOCFy0CgMEu/lULuubGXFqp0DpcDA==",
289
- "signed_at": "2026-05-18T02:19:03.452Z"
288
+ "signature": "9DFiNgH4Nl21B90MjL5Z9eJ74Z8zR60n+EZ6RStCTe6YcLg7P5K8iiuQ4u6q0hxsVewKZmS60SqZL9UEpeGgCg==",
289
+ "signed_at": "2026-05-18T04:12:28.348Z"
290
290
  },
291
291
  {
292
292
  "name": "rag-pipeline-security",
@@ -322,8 +322,8 @@
322
322
  "OWASP-LLM-Top-10-2025-LLM08"
323
323
  ],
324
324
  "last_threat_review": "2026-05-01",
325
- "signature": "8BOfZgS2fm9KeEYZwwUc4JUSVxnLAgQ3UrViUcGlrA1NMcJz92mw7QGGhTx+PUn4yoPTGelxGz6MF5mEqpfDAQ==",
326
- "signed_at": "2026-05-18T02:19:03.453Z",
325
+ "signature": "AijYcd8FuFEDdcx+mzIHVpQ0uh5LpYDZ0rIgbudM6WIvsSDRkBmE65gI8uKgHYdGTEAQGLkamkLaTtdwcx0YAQ==",
326
+ "signed_at": "2026-05-18T04:12:28.350Z",
327
327
  "cwe_refs": [
328
328
  "CWE-1395",
329
329
  "CWE-1426"
@@ -379,8 +379,8 @@
379
379
  "RFC-9000"
380
380
  ],
381
381
  "last_threat_review": "2026-05-01",
382
- "signature": "o5CamxRHrwbM+R7lQzEoKxHBTFbo76C3Uf8/Qx3cbLlrXczvI6K9a1KfWIoOq/8UoTuQy7dB6lZge0H+94gbBw==",
383
- "signed_at": "2026-05-18T02:19:03.454Z",
382
+ "signature": "ba7EtmQAML+H+wn7UyH7yGnK30gT79SlxwO+jKCaSBzctOZ/OVex3wFVz/Yi9kPPPJ6Z5EEhBl6rWJrCr4uOBg==",
383
+ "signed_at": "2026-05-18T04:12:28.351Z",
384
384
  "d3fend_refs": [
385
385
  "D3-CA",
386
386
  "D3-CSPP",
@@ -414,8 +414,8 @@
414
414
  "attack_refs": [],
415
415
  "framework_gaps": [],
416
416
  "last_threat_review": "2026-05-01",
417
- "signature": "02UBMUa3Wox2vXhKVr+2m0Lq5+sY3azliVeAyNSM2p8tw7Fj/HzKQwsgBVAfTM+5yqDzaIMCmup9UAgn4FYbAw==",
418
- "signed_at": "2026-05-18T02:19:03.454Z",
417
+ "signature": "V7v4r2RzeD7ICZUABLfSQTEmSQUlWegiXoo1iGvnrmQtw/nquZNRPTa3QsKQD1i7IxEg7NmJhCX6NLEz4eV0Dg==",
418
+ "signed_at": "2026-05-18T04:12:28.352Z",
419
419
  "cwe_refs": [
420
420
  "CWE-1188"
421
421
  ]
@@ -442,8 +442,8 @@
442
442
  "attack_refs": [],
443
443
  "framework_gaps": [],
444
444
  "last_threat_review": "2026-05-01",
445
- "signature": "IVCHD1LCPV8l+kc7i0EuTFkI91l3X9bQnxb8esfs0oJ+C2tCADickTyzlwhpSDdv3icGya9rOk984vBXxLjtDA==",
446
- "signed_at": "2026-05-18T02:19:03.454Z"
445
+ "signature": "xjtEOaQiBjq7XBD7nCpU59egkLNgBDwfvY7GMxEe+wOyUM4GBMHK2O3khanVEaCgWfu1NNoTMPsDCejJ+D64Ag==",
446
+ "signed_at": "2026-05-18T04:12:28.353Z"
447
447
  },
448
448
  {
449
449
  "name": "global-grc",
@@ -474,8 +474,8 @@
474
474
  "attack_refs": [],
475
475
  "framework_gaps": [],
476
476
  "last_threat_review": "2026-05-01",
477
- "signature": "VcWZd1hN1fxw3BmLqcNP1giz9yiAQEDI928Y9ECOV1bPQvt/zZpONoLg4K7f13HyfoO192mssEcAOTQgnGxQDA==",
478
- "signed_at": "2026-05-18T02:19:03.455Z"
477
+ "signature": "oYsSk35N2Uzq7MRofACykylcVwkgPhI4luWZ14vmQT+gUKLyZiKVOUJbe1+7lGl6BYPRN0sUDQ0f7S5Eu5w2Ag==",
478
+ "signed_at": "2026-05-18T04:12:28.353Z"
479
479
  },
480
480
  {
481
481
  "name": "zeroday-gap-learn",
@@ -501,8 +501,8 @@
501
501
  "attack_refs": [],
502
502
  "framework_gaps": [],
503
503
  "last_threat_review": "2026-05-01",
504
- "signature": "LOg96wT5l+hjplhMcO/pwZKvQCsTXbjjXVSGBnt6I++8yx9Y/yqqewXNoM2SiqBK20WtXlcR/pPheWBCv++fDQ==",
505
- "signed_at": "2026-05-18T02:19:03.455Z"
504
+ "signature": "01faIrHr8xeZU0USNoWiDQBUqu/yu7KHskZdi48q5eg811Tu6YwCopHezIoeuPabaH46M8Qve8ll/7qGpFGEBA==",
505
+ "signed_at": "2026-05-18T04:12:28.354Z"
506
506
  },
507
507
  {
508
508
  "name": "pqc-first",
@@ -553,8 +553,8 @@
553
553
  "CRQC timeline estimate changes"
554
554
  ],
555
555
  "last_threat_review": "2026-05-01",
556
- "signature": "BoFVxwiopgnmDY8AJ0j5KzRkwQQOzdizisTsZOLHBE2BUixr/B6FV8S3AIN3rvS9YixL48rbt8rdAz0j0HDCAw==",
557
- "signed_at": "2026-05-18T02:19:03.455Z",
556
+ "signature": "vhc3wuQEro/86s1ro2b/KakUXg8QVnySYTBqA7ebzv9oeR2HYO5bvGEJp3oOHWtL37JDqcCAHYadSN/qxIyCCA==",
557
+ "signed_at": "2026-05-18T04:12:28.354Z",
558
558
  "cwe_refs": [
559
559
  "CWE-327"
560
560
  ],
@@ -600,8 +600,8 @@
600
600
  "Framework publication updates"
601
601
  ],
602
602
  "last_threat_review": "2026-05-01",
603
- "signature": "LvwHc4LPAo3u1D94umZ6AFr6IaEkAMqAVJVoq4oiIKwT0qdOSfYRcACp+5AU18S5hIwiM0QgMiSnTwtPOUmyCw==",
604
- "signed_at": "2026-05-18T02:19:03.456Z"
603
+ "signature": "8P1I6i7N0sFHloR/hY4NIWictk5Irrze4xPjVQEH5BtBrS2OCCq/YzCpUuS+XexhWiIpyLo2CA1ecbllnWlNBQ==",
604
+ "signed_at": "2026-05-18T04:12:28.355Z"
605
605
  },
606
606
  {
607
607
  "name": "security-maturity-tiers",
@@ -637,8 +637,8 @@
637
637
  "PQC tooling maturity shifting overkill to practical"
638
638
  ],
639
639
  "last_threat_review": "2026-05-01",
640
- "signature": "nZNIznYPxcs2mAjruwejfH2HrlW0SVDQ2Q2Ethh35uJBZkK7twgCDSJKVPbvR5ftaVdslDrq5o6Xhcwf7rWJDw==",
641
- "signed_at": "2026-05-18T02:19:03.456Z",
640
+ "signature": "SdTtvkaxdgcHkm8ph7YX+2VMihw2iBMy434JGf5TxCFQq1AfNsQcowK+7FPDquEM47a1KTvS3ytxaJxpHuOqDw==",
641
+ "signed_at": "2026-05-18T04:12:28.355Z",
642
642
  "cwe_refs": [
643
643
  "CWE-1188"
644
644
  ]
@@ -672,8 +672,8 @@
672
672
  "attack_refs": [],
673
673
  "framework_gaps": [],
674
674
  "last_threat_review": "2026-05-11",
675
- "signature": "49BxLraoRRpTRaZV7maw4/e8TOZzRNZgfM1wPuG8elb6dpG98LooRqV1WDLuKAP/7ShqicjNTpr1wyBGTFJ7CQ==",
676
- "signed_at": "2026-05-18T02:19:03.456Z"
675
+ "signature": "WAu5fRirzSOcnnZsTx2d/JJZwa/LPpXCi+31qATTGLmoNuhyy81k3ooPe9kCM3E0CLMtvTePg9DagYqBninZDQ==",
676
+ "signed_at": "2026-05-18T04:12:28.356Z"
677
677
  },
678
678
  {
679
679
  "name": "attack-surface-pentest",
@@ -743,8 +743,8 @@
743
743
  "OWASP WSTG v5.x AI/MCP test cases (currently in working-group draft)",
744
744
  "PTES revision incorporating AI-surface enumeration"
745
745
  ],
746
- "signature": "/p8RImZYTSneXWjgwqMbuJN4XKROGWxzVzz3fwldev/qEhUZi3ptW/nZ/OZF0hgrO/04Xbm9p5fHzOshNYCODQ==",
747
- "signed_at": "2026-05-18T02:19:03.456Z"
746
+ "signature": "pKVlOkHybXjj5Llpm4VQtz+b/qTxE2vWsoDx/aie5z0rA2qWMmNNiWZl+b8/oO4Ghu2TIOdy/+cX4YlTrIg7DA==",
747
+ "signed_at": "2026-05-18T04:12:28.356Z"
748
748
  },
749
749
  {
750
750
  "name": "fuzz-testing-strategy",
@@ -803,8 +803,8 @@
803
803
  "syzkaller eBPF and io_uring surface expansion as new kernel attack surfaces ship",
804
804
  "OSS-Fuzz-Gen / AI-assisted harness generation becoming the default expectation for OSS maintainers"
805
805
  ],
806
- "signature": "mMZmXMzXPTZHmfK/j8jd32U1wio5NoGHosJ8yy2aYY8mHCVOS1zhKYvCXSzfAe9GAjeJf+zNZCe239tWDBnNBQ==",
807
- "signed_at": "2026-05-18T02:19:03.457Z"
806
+ "signature": "uf8JFFve9Q7QXdyO8yc11SBFndVGEKQkMKTSZEJSCzj33HRvMGhV184JSpHUy5Vce284HUcVC1R73aOjbc0iBg==",
807
+ "signed_at": "2026-05-18T04:12:28.356Z"
808
808
  },
809
809
  {
810
810
  "name": "dlp-gap-analysis",
@@ -878,8 +878,8 @@
878
878
  "MCP gateway / proxy standardisation (Anthropic enterprise MCP gateway, Portkey MCP) — tool-call argument inspection is the missing primary control",
879
879
  "Quebec Law 25, India DPDPA, KSA PDPL enforcement actions naming AI-tool prompt data as in-scope personal information"
880
880
  ],
881
- "signature": "lXBKwsA1ouEI8CLFW9AQMwTaR2HTtz/tZC3qEs13XL8IOBpl6OwZj6GkDCWuT1SK4enOgpmKHypaNGJ/vtGQBg==",
882
- "signed_at": "2026-05-18T02:19:03.457Z"
881
+ "signature": "y6N/9z4AwGPfhcNWVk1zEVSMBpn+3YTmIaIXAin4Q9yREAupKDey3ch9s+Y2LjFSS/SLLzh4H/Y8rDs2bKxFCg==",
882
+ "signed_at": "2026-05-18T04:12:28.357Z"
883
883
  },
884
884
  {
885
885
  "name": "supply-chain-integrity",
@@ -955,8 +955,8 @@
955
955
  "EU CRA (Regulation 2024/2847) — implementing acts for technical documentation and SBOM submission expected through 2027",
956
956
  "OpenSSF model-signing — emerging Sigstore-based signing standard for ML model weights; track for production adoption"
957
957
  ],
958
- "signature": "6r0zv9/tNfZd/NKSc8z1+4p/6R80EwbelY+mr5zLrwEc/ViD0E8G9SbE2dLuWg4V0EoIMLrWJ/b9RQGSaOYvBQ==",
959
- "signed_at": "2026-05-18T02:19:03.457Z"
958
+ "signature": "c3OewLIMenKMWba5eKOwfa1OD8pp6tU9o+xFC/KbIcIPUhtZAO+R5/uoOhZXiwhjmg2GzHU2f8ROpBP3p0dxBA==",
959
+ "signed_at": "2026-05-18T04:12:28.357Z"
960
960
  },
961
961
  {
962
962
  "name": "defensive-countermeasure-mapping",
@@ -1012,8 +1012,8 @@
1012
1012
  "D3-SCP"
1013
1013
  ],
1014
1014
  "last_threat_review": "2026-05-11",
1015
- "signature": "dNw1zQ61gvG7y0WlF7n4heuMgDBfe59Yr2Kr/HfOb9jkc5grPipDXEeGko0xcJuZ3WVeu/OjRnPVDJkorBIHAg==",
1016
- "signed_at": "2026-05-18T02:19:03.458Z"
1015
+ "signature": "gqF8eU3VBrZhO2WnlcqKa7wm1d2mmWtvpbmx0kNCgHojNV+qEt+Ij84RO6bZvaUqhfYPWizWL79Fa4DL0curAQ==",
1016
+ "signed_at": "2026-05-18T04:12:28.357Z"
1017
1017
  },
1018
1018
  {
1019
1019
  "name": "identity-assurance",
@@ -1079,8 +1079,8 @@
1079
1079
  ],
1080
1080
  "d3fend_refs": [],
1081
1081
  "last_threat_review": "2026-05-11",
1082
- "signature": "zx3uucOcICwlEUJytEMnHsfqTpOSK+Zsv4/Z3hX6AUtUvh5Bi6pgAQYkX45Y6fk5K+QEGR5Vkiecv/9R+UakCw==",
1083
- "signed_at": "2026-05-18T02:19:03.458Z"
1082
+ "signature": "Wv5hGMeHjlaQK1zwicVCA7AvdKgJBgvcjdpGM9Ywahh9tagAKhbkOjybowDQZzu7OZ3bDkbh6pBYc1Sdwr6NAA==",
1083
+ "signed_at": "2026-05-18T04:12:28.358Z"
1084
1084
  },
1085
1085
  {
1086
1086
  "name": "ot-ics-security",
@@ -1135,8 +1135,8 @@
1135
1135
  ],
1136
1136
  "d3fend_refs": [],
1137
1137
  "last_threat_review": "2026-05-11",
1138
- "signature": "Lsn7F3sOedjUvUH7/EmGFVUrhpwW6Bkx/EtTCEU69EPHFV6kMCMlqFyRuHKV8vjZpp1x6o2RZgD0oW54T2ufCw==",
1139
- "signed_at": "2026-05-18T02:19:03.458Z"
1138
+ "signature": "2Z8iAEf+dzdBpE6InLL6hHT7aGUNHJOlgyddDsdNb+xxjC2TJz+sXIRsHHhpaPuFMVf38VJSD5SqL1cwB+5lDw==",
1139
+ "signed_at": "2026-05-18T04:12:28.358Z"
1140
1140
  },
1141
1141
  {
1142
1142
  "name": "coordinated-vuln-disclosure",
@@ -1187,8 +1187,8 @@
1187
1187
  "UK NCSC Vulnerability Disclosure Toolkit revisions and AU ISM CVD guidance updates",
1188
1188
  "NYDFS 23 NYCRR 500 amendments potentially adding explicit CVD program requirements"
1189
1189
  ],
1190
- "signature": "f1w8AOT3bw+IeaAkg+vubUf7+Gx+/zTuQyIKOxQTbF9m1HGIE/SJQlWZST9ALtlH1BN4gJK5WPRmloX6LzQYBw==",
1191
- "signed_at": "2026-05-18T02:19:03.459Z"
1190
+ "signature": "TITt0dI7T6nifFEdiOaGSDzIdrpjBCtuwyNcQdZm4P/nm1yLPI2+7T3SXWNeCTfZuMGiBBhuGETuawH21lBBBA==",
1191
+ "signed_at": "2026-05-18T04:12:28.359Z"
1192
1192
  },
1193
1193
  {
1194
1194
  "name": "threat-modeling-methodology",
@@ -1237,8 +1237,8 @@
1237
1237
  "LINDDUN-GO and LINDDUN-PRO updates incorporating LLM privacy threats",
1238
1238
  "PASTA v2 updates incorporating AI/ML application threats"
1239
1239
  ],
1240
- "signature": "nA1GtYV23HnOWNtsSp4kLsIMyszAWdLntkgcT7hwVddHybgTKb/Scj+WyVv7vfM6l9n2+2rk3GgptZKaRF/aBg==",
1241
- "signed_at": "2026-05-18T02:19:03.459Z"
1240
+ "signature": "0c5JzFhjzSU+Em8pWkez62TtAs2ePLnY0Na/dz9CxkU5A7U0s4B7bynpXuz8DxsQZd75/o4BkaYQegp7d/ktBw==",
1241
+ "signed_at": "2026-05-18T04:12:28.359Z"
1242
1242
  },
1243
1243
  {
1244
1244
  "name": "webapp-security",
@@ -1311,8 +1311,8 @@
1311
1311
  ],
1312
1312
  "d3fend_refs": [],
1313
1313
  "last_threat_review": "2026-05-11",
1314
- "signature": "oEBU+4xdW24VOlpsD+Gi8hMDDZK/Z4S8dWqnNRioth7rNwll42LWvfUyrgrxi5U0ucZtLHLRZGJHcMPkPC5bDQ==",
1315
- "signed_at": "2026-05-18T02:19:03.459Z"
1314
+ "signature": "vIm/lDjC/bx7tHXWWEK2foOmiqdr7UuUuWPo75h6yV9ZteEF6kzNpWPbQ1KRThUm+2/XOBT+iwJ5Ecf2WDpDAQ==",
1315
+ "signed_at": "2026-05-18T04:12:28.359Z"
1316
1316
  },
1317
1317
  {
1318
1318
  "name": "ai-risk-management",
@@ -1361,8 +1361,8 @@
1361
1361
  ],
1362
1362
  "d3fend_refs": [],
1363
1363
  "last_threat_review": "2026-05-11",
1364
- "signature": "AqZYnDlvr5EUu/WVFa0ffW77/QYSF7JDzi8jV/+7EynQ7vFPnJbaQQ93aVw91mXQHF5DEqRgeLb30yr++KcVBg==",
1365
- "signed_at": "2026-05-18T02:19:03.459Z"
1364
+ "signature": "IIXnkZ5ZNqFwOto5KfytADTLLZLoyXNZACD1ORZ40P1HUAQxe6u2uyXFzzsfuob4Uy06jNkRGr2FFgCphUH1Cw==",
1365
+ "signed_at": "2026-05-18T04:12:28.360Z"
1366
1366
  },
1367
1367
  {
1368
1368
  "name": "sector-healthcare",
@@ -1421,8 +1421,8 @@
1421
1421
  ],
1422
1422
  "d3fend_refs": [],
1423
1423
  "last_threat_review": "2026-05-11",
1424
- "signature": "53kKCGnBk6b88Q0Mf34CkowBH1osOYTpUf0wkMK70CAOCna2qYaBTTnYVHamV2+DsE6IC9W+JIzmPWcl3jC5BA==",
1425
- "signed_at": "2026-05-18T02:19:03.460Z"
1424
+ "signature": "2JPsumXuTOrUhEGcfb03Q69zcW1hw+MTlNoycZ7RSNCHDw7jKaDlEfYmg0Px/aJp2hIt9qDGFq+cpYdfL+tfAQ==",
1425
+ "signed_at": "2026-05-18T04:12:28.360Z"
1426
1426
  },
1427
1427
  {
1428
1428
  "name": "sector-financial",
@@ -1502,8 +1502,8 @@
1502
1502
  "OSFI B-13 (Technology and Cyber Risk Management) post-2024 examination findings",
1503
1503
  "TIBER-EU framework v2.0 alignment with DORA TLPT RTS (JC 2024/40); cross-recognition with CBEST and iCAST"
1504
1504
  ],
1505
- "signature": "64PrvGD26sxvxzfmMBsCGpocascDDurGSNMJrdJJ5IS4rj5aXS6oQCBw0pDDasJvwaQdkrOiQ/RoEQoEQnRkDg==",
1506
- "signed_at": "2026-05-18T02:19:03.460Z"
1505
+ "signature": "xz0p47mECulSsdRdioeqi6K7KEnyXd+SWNtFra8JQh7g88CV9ycQeSPTTjiNpWaPreDAmYhRM83jupC7EEdUAg==",
1506
+ "signed_at": "2026-05-18T04:12:28.361Z"
1507
1507
  },
1508
1508
  {
1509
1509
  "name": "sector-federal-government",
@@ -1571,8 +1571,8 @@
1571
1571
  "EU Cybersecurity Certification Scheme on Common Criteria (EUCC) operational — first certificates issued 2024; high-assurance level for government use cases ramping",
1572
1572
  "Australia PSPF 2024 revision and ISM quarterly updates — track for Essential Eight Maturity Level requirements for federal entities"
1573
1573
  ],
1574
- "signature": "6BEcpzMRaY7yuQvZuz/Y52xq3EO690jZq8q0ABBT8ujCuBBmBGqAz4Ml1F6hlMVCZ3Jjl2AFHP5tnNNRmkD3Dg==",
1575
- "signed_at": "2026-05-18T02:19:03.461Z"
1574
+ "signature": "PebiIg9j8Lm8yF8wIH2w7Pj75B5NaqQYcRZJ16RtKHC37tEG6THbo714JOaek45ifTMBhzNPwZ6Cy32ae4VdAQ==",
1575
+ "signed_at": "2026-05-18T04:12:28.362Z"
1576
1576
  },
1577
1577
  {
1578
1578
  "name": "sector-energy",
@@ -1636,8 +1636,8 @@
1636
1636
  "MadIoT-class research on consumer-IoT-driven grid frequency manipulation moving from proof-of-concept to attributed campaigns",
1637
1637
  "ICS-CERT advisory feed (https://www.cisa.gov/news-events/cybersecurity-advisories/ics-advisories) for vendor CVEs in Siemens, Rockwell, Schneider Electric, ABB, GE Vernova, Hitachi Energy, AVEVA / OSIsoft PI"
1638
1638
  ],
1639
- "signature": "RhKFw5oVfDljrAe7bzY9d/IfmF3oyT85WVaqpHAHbNcrWpxNrX1sIE4+Sf4Uj3njI8/2fMgk4HN3oZv9aA6nCQ==",
1640
- "signed_at": "2026-05-18T02:19:03.461Z"
1639
+ "signature": "4KOVUlWWuhOWIV8ilCEOOuKV/s9CbIvNo4crB1oSf+G5KQ8KkUHxEn6KzEJX/NAwk5bOA1k58XykXvUun2YJDQ==",
1640
+ "signed_at": "2026-05-18T04:12:28.362Z"
1641
1641
  },
1642
1642
  {
1643
1643
  "name": "sector-telecom",
@@ -1723,7 +1723,7 @@
1723
1723
  "O-RAN SFG / WG11 security specifications"
1724
1724
  ],
1725
1725
  "signature": "JWVxKFoKrbX4d+Tko1d4OBdwyg25MfFFKn4CT6E/CzH+YwnU3T6Y76uBQIKg3+gIGTvPduqyvQwQQ5FxKDuPBw==",
1726
- "signed_at": "2026-05-18T02:19:03.462Z"
1726
+ "signed_at": "2026-05-18T04:12:28.363Z"
1727
1727
  },
1728
1728
  {
1729
1729
  "name": "api-security",
@@ -1791,8 +1791,8 @@
1791
1791
  ],
1792
1792
  "d3fend_refs": [],
1793
1793
  "last_threat_review": "2026-05-11",
1794
- "signature": "ACPV5cQskL0TR4SK9eKev6jCNEWj+d6zE+BOB7QHXAcungz3K5qugDTkz3NjEHefebiFi8GW8VPuchA8vRYODg==",
1795
- "signed_at": "2026-05-18T02:19:03.462Z"
1794
+ "signature": "LgEIz6dmHxnlV3ay8BxqH7nXt+lWB8AsWcf5fPI40uuljs8+/dWNb4dCuB5s4SWRPX/64LoAXMOyzBvlt7QNCw==",
1795
+ "signed_at": "2026-05-18T04:12:28.363Z"
1796
1796
  },
1797
1797
  {
1798
1798
  "name": "cloud-security",
@@ -1872,8 +1872,8 @@
1872
1872
  "eBPF-based runtime detection coverage of confidential-computing enclaves (AWS Nitro Enclaves, Azure Confidential VMs, GCP Confidential Space) — partial visibility is a tracked detection gap",
1873
1873
  "CISA KEV additions for cloud-control-plane CVEs (IMDSv1 abuses, federation token mishandling, cross-tenant boundary failures); CISA Cybersecurity Advisories for cross-cloud advisories"
1874
1874
  ],
1875
- "signature": "9eHXut2agJm6+Z7r6zRD8Rbokj1yTeSeFh9BIoZCE9KrntlnAVU0Y0jl+JRBHOptWh4z04bOW1eAhy0vjl+lAQ==",
1876
- "signed_at": "2026-05-18T02:19:03.462Z"
1875
+ "signature": "fu8QqobbuyqDqmuo3iAigJmH2wUzS5AbMNNB7BrY8qAQ2KGHmrVIn4p53vUjF58bEzo6W2qAIldHla5p1sQCDw==",
1876
+ "signed_at": "2026-05-18T04:12:28.364Z"
1877
1877
  },
1878
1878
  {
1879
1879
  "name": "container-runtime-security",
@@ -1934,8 +1934,8 @@
1934
1934
  ],
1935
1935
  "d3fend_refs": [],
1936
1936
  "last_threat_review": "2026-05-11",
1937
- "signature": "gTi2joMM9bqqXQ+R7oqL0MUtz1sOettl0mOXrQS5jTnZ9TDwrg3E/PbuanQjPDC8aLRFRgPdi/EN2Rtp5Zj+Dg==",
1938
- "signed_at": "2026-05-18T02:19:03.462Z"
1937
+ "signature": "Z9KNlVRL9UWtObXDr3FmfdG+bBQGaUKEAv8WbZPRhwQUafx1mNp/h7CLsASeOQmGime00XN7fbO25oA18vYVAA==",
1938
+ "signed_at": "2026-05-18T04:12:28.364Z"
1939
1939
  },
1940
1940
  {
1941
1941
  "name": "mlops-security",
@@ -2005,8 +2005,8 @@
2005
2005
  "EU AI Act high-risk technical-file implementing acts (2026-2027) — operational requirements for Article 10 / 13 / 15 documentation may pin ML-BOM or model-signing",
2006
2006
  "MITRE ATLAS v5.4.0 (released February 2026) shipped the AML.T0010 sub-technique expansion this forecast tracked plus new techniques (\"Publish Poisoned AI Agent Tool\", \"Escape to Host\"); inventory now 16 tactics, 84 techniques, 56 sub-techniques. Forward watch: ATLAS v5.5 / v6.0 — track next-cadence updates to agentic-AI TTPs and MLOps-pipeline-specific techniques"
2007
2007
  ],
2008
- "signature": "ZNk3SKNnmFy8DHYJd0PMGWg9Aj8yOyh96p6rNdYllojEIO5G+Lj6fdCPOOopAEu4ta3pO9+EAfYuw3QUbpfVAg==",
2009
- "signed_at": "2026-05-18T02:19:03.463Z"
2008
+ "signature": "2xuFDRLVjmzsbuipOc0HlUCjQ9B5lbB3L2fh5sPD9l0KqHmV1w1MuU9293ODxdTtqhSEJKkA5ghlbr8esFnlBw==",
2009
+ "signed_at": "2026-05-18T04:12:28.365Z"
2010
2010
  },
2011
2011
  {
2012
2012
  "name": "incident-response-playbook",
@@ -2068,7 +2068,7 @@
2068
2068
  "NYDFS 23 NYCRR 500.17 amendments tightening ransom-payment 24h disclosure operationalization"
2069
2069
  ],
2070
2070
  "signature": "6/9Ehyx49Rr/o5Tp9oQ3cfHa2WhKYtLXJp0akoDbRC1RSCxZVbkKaW7/5/IkdgCQMiJivI/Q0g0Bq/5q/UUZAA==",
2071
- "signed_at": "2026-05-18T02:19:03.463Z"
2071
+ "signed_at": "2026-05-18T04:12:28.365Z"
2072
2072
  },
2073
2073
  {
2074
2074
  "name": "ransomware-response",
@@ -2148,7 +2148,7 @@
2148
2148
  ],
2149
2149
  "last_threat_review": "2026-05-15",
2150
2150
  "signature": "+5FiwJFRq08x2oXejTO1Nw6Cd+EzOcrwAG2xNrngJ8vHPDXqFgGAjTAJuXrNl7QblTfSLQ+xvoAziBly56/eDg==",
2151
- "signed_at": "2026-05-18T02:19:03.463Z"
2151
+ "signed_at": "2026-05-18T04:12:28.366Z"
2152
2152
  },
2153
2153
  {
2154
2154
  "name": "email-security-anti-phishing",
@@ -2200,8 +2200,8 @@
2200
2200
  "cwe_refs": [],
2201
2201
  "d3fend_refs": [],
2202
2202
  "last_threat_review": "2026-05-11",
2203
- "signature": "x0FNJsYCoKz73KUaCUxl1jdps0W1x3pfb/oFrljgUxdr48d0HuHLWmsZz7ZtiK4AC8Kc9CB+TB16IRjlCzsxAA==",
2204
- "signed_at": "2026-05-18T02:19:03.464Z"
2203
+ "signature": "rK+WnuS+9tqEABmwc0jO/PEmxcLjG1/tmUb897HsClQeKzf+TQOlwBE+OsbtuKxpjYNwur62Xxs3TxObkwm8Cw==",
2204
+ "signed_at": "2026-05-18T04:12:28.366Z"
2205
2205
  },
2206
2206
  {
2207
2207
  "name": "age-gates-child-safety",
@@ -2268,8 +2268,8 @@
2268
2268
  "France SREN (Securing and Regulating the Digital Space) Act 2024 — ARCOM age-verification referential for adult content services; double-anonymity model under deployment",
2269
2269
  "US state adult-site age-verification laws — 19+ states by mid-2026 (TX HB 18 upheld by SCOTUS June 2025 in Free Speech Coalition v. Paxton); track ongoing challenges in remaining states"
2270
2270
  ],
2271
- "signature": "OaxxkpowZXLeaBKUr3iNbGSEE2zyCYZ32cHLOumEOmBwLYN8LMsqqPUmM32XxVBOeopCbMM7ayZRF7geRQHhAg==",
2272
- "signed_at": "2026-05-18T02:19:03.464Z"
2271
+ "signature": "5BXLeR3lzvdRs2nSzN/rOE17ur2sMa44gQvY8+OWvazm5Vh6lNAaDDDoExB2/hlg6k7v1KIKwA1MPAKj6qB/CQ==",
2272
+ "signed_at": "2026-05-18T04:12:28.366Z"
2273
2273
  },
2274
2274
  {
2275
2275
  "name": "cloud-iam-incident",
@@ -2348,8 +2348,8 @@
2348
2348
  "D3-CAA"
2349
2349
  ],
2350
2350
  "last_threat_review": "2026-05-15",
2351
- "signature": "6O5peFBKz4XFasajnzMIF8Zjdb84bd361WHRGx6WiddKNfu687Q9qAanvzujxPmzYA1qiGGJJkujT+6y8T/WCQ==",
2352
- "signed_at": "2026-05-18T02:19:03.464Z"
2351
+ "signature": "e/kij7GtKaytROyIj7V5RH+FC9WtmVFzrmG2kIlNDNn29ep/CRNlIQKwXLpzo/81AIf634pmdr1qy/+vwIuUDA==",
2352
+ "signed_at": "2026-05-18T04:12:28.367Z"
2353
2353
  },
2354
2354
  {
2355
2355
  "name": "idp-incident-response",
@@ -2430,11 +2430,11 @@
2430
2430
  ],
2431
2431
  "last_threat_review": "2026-05-15",
2432
2432
  "signature": "ew9Kglc9fAZzbn0ZIfGP7WSK/j4eV2VhSvpy+s5bEfNEVYIMa2kZjnGBapgUsyGDLes9H9K2ovjQyX17+GKiBw==",
2433
- "signed_at": "2026-05-18T02:19:03.465Z"
2433
+ "signed_at": "2026-05-18T04:12:28.367Z"
2434
2434
  }
2435
2435
  ],
2436
2436
  "manifest_signature": {
2437
2437
  "algorithm": "Ed25519",
2438
- "signature_base64": "N5sCZtaEC7UPJ07A2594/LJlkpKporgiAFW95RrGZRwXTo3AWexPbxf1XQILLGHu634DML0ke+WAeUyrgYIkCQ=="
2438
+ "signature_base64": "MT8RjCVGxIBE2fIDlYWq1xae65fI9wtzA7jpLhFutVuqQSvc7ZZb0T2ZAFB1gF4I4OBR4wSIzoYb0y97FEeIAQ=="
2439
2439
  }
2440
2440
  }
package/orchestrator/index.js CHANGED
@@ -1093,6 +1093,7 @@ function runWatchlist(rawArgs = []) {
1093
1093
 
1094
1094
  const byskill = rawArgs.includes('--by-skill');
1095
1095
  const alertsMode = rawArgs.includes('--alerts');
1096
+ const orgScanMode = rawArgs.includes('--org-scan');
1096
1097
  const manifestPath = path.join(__dirname, '..', 'manifest.json');
1097
1098
  const repoRoot = path.join(__dirname, '..');
1098
1099
 
@@ -1100,12 +1101,22 @@ function runWatchlist(rawArgs = []) {
1100
1101
  // "CVE-class alert patterns" — surfaces catalog entries matching
1101
1102
  // high-priority shape rules (kernel-LPE-with-PoC, supply-chain-family,
1102
1103
  // AI-discovered-KEV, recently-disclosed-with-active-exploitation).
1103
- // The two modes are mutually exclusive; --alerts short-circuits the
1104
- // forward-watch aggregation.
1104
+ // The modes are mutually exclusive; the first matching flag wins.
1105
1105
  if (alertsMode) {
1106
1106
  return runWatchlistAlerts(rawArgs);
1107
1107
  }
1108
1108
 
1109
+ // v0.13.3: --org-scan probes GitHub for repository naming patterns
1110
+ // associated with known threat actors (per NEW-CTRL-052 from the
1111
+ // MAL-2026-SHAI-HULUD-OSS zeroday-lessons entry). The Shai-Hulud
1112
+ // worm uses GitHub itself as the exfil channel — repos named
1113
+ // "A Gift From TeamPCP", "Shai-Hulud-*", or with future variants
1114
+ // hold the stolen credentials. Operators can run this against
1115
+ // their own GitHub org to surface exfil staging in their tenant.
1116
+ if (orgScanMode) {
1117
+ return runWatchlistOrgScan(rawArgs);
1118
+ }
1119
+
1109
1120
  let manifest;
1110
1121
  try {
1111
1122
  manifest = JSON.parse(fs.readFileSync(manifestPath, 'utf8'));
@@ -1589,6 +1600,140 @@ Examples:
1589
1600
  `);
1590
1601
  }
1591
1602
 
1603
+ /**
1604
+ * v0.13.3 — runWatchlistOrgScan: GitHub repo-pattern monitoring per
1605
+ * NEW-CTRL-052 (MAL-2026-SHAI-HULUD-OSS zeroday-lessons). The Shai-Hulud
1606
+ * worm uses GitHub itself as the exfil channel; the canonical naming
1607
+ * pattern is "A Gift From TeamPCP", commit-timestamps falsified to
1608
+ * 2099-01-01, and contributor accounts agwagwagwa / headdirt / tmechen.
1609
+ *
1610
+ * Operators run this against their GitHub org (--org <login> or
1611
+ * GITHUB_ORG env var) to surface exfil staging within their tenant.
1612
+ * Uses the GitHub Search API (unauthenticated for public-repo search;
1613
+ * GITHUB_TOKEN env var lifts the rate limit + enables private-repo
1614
+ * coverage). Report-only — never modifies repos.
1615
+ *
1616
+ * Flags / env:
1617
+ * --org <login> GitHub org / user to scope the search to (required)
1618
+ * --pattern <s> (repeatable) additional naming-pattern strings (defaults below)
1619
+ * --json structured JSON output
1620
+ * GITHUB_TOKEN env var lifts rate limit + private-repo search coverage
1621
+ */
1622
+ async function runWatchlistOrgScan(rawArgs = []) {
1623
+ const jsonOut = rawArgs.includes('--json');
1624
+ // Extract --org <login>. Accept --org=foo too.
1625
+ let org = null;
1626
+ for (let i = 0; i < rawArgs.length; i++) {
1627
+ if (rawArgs[i] === '--org' && rawArgs[i + 1]) { org = rawArgs[i + 1]; break; }
1628
+ if (rawArgs[i].startsWith('--org=')) { org = rawArgs[i].slice('--org='.length); break; }
1629
+ }
1630
+ if (!org) org = process.env.GITHUB_ORG || null;
1631
+ if (!org) {
1632
+ process.stdout.write(JSON.stringify({
1633
+ ok: false,
1634
+ verb: 'watchlist',
1635
+ mode: 'org-scan',
1636
+ error: 'watchlist --org-scan requires --org <login> (or GITHUB_ORG env var). Example: exceptd watchlist --org-scan --org blamejs',
1637
+ }) + '\n');
1638
+ safeExit(EXIT_CODES.GENERIC_FAILURE);
1639
+ return;
1640
+ }
1641
+ // Custom patterns via --pattern <s> (repeatable). Default set from
1642
+ // the MAL-2026-SHAI-HULUD-OSS catalog entry + NEW-CTRL-052 evidence.
1643
+ const customPatterns = [];
1644
+ for (let i = 0; i < rawArgs.length; i++) {
1645
+ if (rawArgs[i] === '--pattern' && rawArgs[i + 1]) customPatterns.push(rawArgs[i + 1]);
1646
+ if (rawArgs[i].startsWith('--pattern=')) customPatterns.push(rawArgs[i].slice('--pattern='.length));
1647
+ }
1648
+ const DEFAULT_PATTERNS = [
1649
+ { id: 'shai-hulud-classic', q: 'Shai-Hulud', severity: 'critical', source: 'MAL-2026-SHAI-HULUD-OSS (pre-source-release naming)' },
1650
+ { id: 'teampcp-gift', q: 'A Gift From TeamPCP', severity: 'critical', source: 'MAL-2026-SHAI-HULUD-OSS (post-2026-05-12 release naming)' },
1651
+ { id: 'teampcp-bare', q: 'TeamPCP', severity: 'high', source: 'MAL-2026-SHAI-HULUD-OSS threat actor reference' },
1652
+ ];
1653
+ const patterns = [
1654
+ ...DEFAULT_PATTERNS,
1655
+ ...customPatterns.map((q, i) => ({ id: `custom-${i + 1}`, q, severity: 'medium', source: 'operator --pattern' })),
1656
+ ];
1657
+
1658
+ // GitHub Search API: GET /search/code?q=<query>+org:<login>
1659
+ // and GET /search/repositories?q=<query>+org:<login>. Both return
1660
+ // the same shape (items[] with name, html_url, owner, created_at).
1661
+ const token = process.env.GITHUB_TOKEN || '';
1662
+ const matches = [];
1663
+ let rateLimited = false;
1664
+ let unauth = !token;
1665
+ if (typeof fetch !== 'function') {
1666
+ process.stdout.write(JSON.stringify({
1667
+ ok: false,
1668
+ verb: 'watchlist',
1669
+ mode: 'org-scan',
1670
+ error: 'fetch() not available — Node 18+ required.',
1671
+ }) + '\n');
1672
+ safeExit(EXIT_CODES.GENERIC_FAILURE);
1673
+ return;
1674
+ }
1675
+ for (const p of patterns) {
1676
+ const url = `https://api.github.com/search/repositories?q=${encodeURIComponent(p.q + ' org:' + org)}&per_page=100`;
1677
+ const headers = { 'User-Agent': 'exceptd-watchlist-org-scan/0.13.3 (+https://exceptd.com)', 'Accept': 'application/vnd.github+json' };
1678
+ if (token) headers.Authorization = `Bearer ${token}`;
1679
+ try {
1680
+ const ac = new AbortController();
1681
+ const timer = setTimeout(() => ac.abort(), 10000);
1682
+ const r = await fetch(url, { headers, signal: ac.signal });
1683
+ clearTimeout(timer);
1684
+ if (r.status === 403 || r.status === 429) {
1685
+ rateLimited = true;
1686
+ continue;
1687
+ }
1688
+ if (!r.ok) continue;
1689
+ const body = await r.json();
1690
+ for (const item of body.items || []) {
1691
+ matches.push({
1692
+ pattern_id: p.id,
1693
+ severity: p.severity,
1694
+ source: p.source,
1695
+ repo: item.full_name,
1696
+ url: item.html_url,
1697
+ private: item.private,
1698
+ created_at: item.created_at,
1699
+ updated_at: item.updated_at,
1700
+ stars: item.stargazers_count || 0,
1701
+ });
1702
+ }
1703
+ } catch { /* network failure — best effort */ }
1704
+ }
1705
+ const generated_at = new Date().toISOString();
1706
+ if (jsonOut) {
1707
+ process.stdout.write(JSON.stringify({
1708
+ ok: !rateLimited,
1709
+ verb: 'watchlist',
1710
+ mode: 'org-scan',
1711
+ generated_at,
1712
+ org,
1713
+ patterns_evaluated: patterns.length,
1714
+ match_count: matches.length,
1715
+ matches,
1716
+ rate_limited: rateLimited,
1717
+ unauthenticated: unauth,
1718
+ control_reference: 'NEW-CTRL-052 (MAL-2026-SHAI-HULUD-OSS lesson)',
1719
+ }) + '\n');
1720
+ return;
1721
+ }
1722
+ console.log(`\nGitHub Org-Scan — ${generated_at}`);
1723
+ console.log(`Org: ${org} patterns: ${patterns.length} matches: ${matches.length}`);
1724
+ if (unauth) console.log('(unauthenticated — set GITHUB_TOKEN for private-repo coverage + higher rate limit)');
1725
+ if (rateLimited) console.log('WARNING: GitHub rate limit hit on at least one query. Re-run with GITHUB_TOKEN set.');
1726
+ if (matches.length === 0) {
1727
+ console.log('No threat-actor-pattern repos found.');
1728
+ return;
1729
+ }
1730
+ for (const m of matches) {
1731
+ console.log(`[${m.severity}] ${m.repo} ${m.private ? '(private)' : ''} created ${m.created_at}`);
1732
+ console.log(` pattern: ${m.pattern_id} (${m.source})`);
1733
+ console.log(` ${m.url}`);
1734
+ }
1735
+ }
1736
+
1592
1737
  // Only run the CLI when this file is executed directly. Earlier versions
1593
1738
  // invoked main() at import time too, which meant `require('./orchestrator')`
1594
1739
  // would trigger a full CLI dispatch (and printHelp) inside the importing
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@blamejs/exceptd-skills",
3
- "version": "0.13.2",
3
+ "version": "0.13.4",
4
4
  "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 42 skills, 10 catalogs, 34 jurisdictions, pre-computed indexes, Ed25519-signed.",
5
5
  "keywords": [
6
6
  "ai-security",