@blamejs/exceptd-skills 0.13.3 → 0.13.4

package/data/cve-catalog.json

@@ -55,15 +55,16 @@
     "ai_discovery_methodology": {
       "field_added": "2026-05-15",
       "agents_md_target": "Hard Rule #7 — '41% of 2025 zero-days were AI-discovered'. Catalog target rate floor: 0.40.",
-      "current_rate": 0.15,
-      "current_floor_enforced_by_test": 0.15,
+      "current_rate": 0.132,
+      "current_floor_enforced_by_test": 0.13,
       "ladder_to_target": [
+        0.13,
         0.15,
         0.2,
         0.3,
         0.4
       ],
-      "floor_correction_note": "v0.12.31 (cycle 11): floor dropped from 0.20 → 0.15 after the cycle-11 intake added six ai_discovered=false entries (PAN-OS, Marimo, Ivanti EPMM, Exchange OWA, Windows LNK APT28, Defender BlueHammer). All six are vendor- or threat-actor-discovered; none carry an AI-tool credit per Hard Rule #1. Catalog observed rate fell from 6/30 (0.200) to 6/36 (0.167); floor is reset below the new observed rate to keep the test honest, and a new 0.15 rung is prepended to the ladder so monotonic non-decreasing is preserved without rewriting prior rungs.",
+      "floor_correction_note": "v0.13.4: floor dropped from 0.15 → 0.13 after the v0.13.4 cleanup removed two stuck-draft CVEs (MAL-2026-ANTHROPIC-MCP-STDIO duplicate of CVE-2026-30623 + CVE-2026-GTIG-AI-2FA embargoed placeholder). The GTIG entry was the only ai_discovered=true of the two; catalog observed rate fell from 6/40 (0.15) to 5/38 (0.132). Floor is reset below the new observed rate to keep the test honest, and a new 0.13 rung is prepended to the ladder so monotonic non-decreasing is preserved without rewriting prior rungs. Prior correction note: v0.12.31 floor dropped 0.20 → 0.15 after the cycle-11 intake added six ai_discovered=false entries.",
       "ladder_note": "Test floor advances when each rung is exceeded with a margin (>= floor + 0.05). Surfaces incremental tightening without coincidence-passing failures.",
       "gap_explanation": "Catalog skews toward 2024 vendor-disclosed CVEs (xz-utils, runc, CRI-O, MLflow, containerd, SolarWinds, Citrix, ConnectWise) and Pwn2Own Ireland 2025 entries (Synacktiv, DEVCORE, Summoning Team, CyCraft) where AI-tooling involvement was either not used or not credited in the public disclosure. The 41% figure in AGENTS.md Hard Rule #7 reflects the broader 2025 zero-day population reported by Google Threat Intelligence Group; catalog membership is curated against a different sampling frame (operational impact + framework-coverage need) and so will lag the population-level rate.",
       "discovery_source_enum": [
@@ -2094,149 +2095,6 @@
     ],
     "related_threats_note": "MAL-2026-TANSTACK-MINI is a Mini-Shai-Hulud-wave incident (Microsoft Security Research, 2026-05-11). The framework was open-sourced 2026-05-12 (MAL-2026-SHAI-HULUD-OSS) — TanStack predates the public release by ~24h. Same threat-actor authorship class; same registry-pivot tradecraft."
   },
-  "MAL-2026-ANTHROPIC-MCP-STDIO": {
-    "_draft": true,
-    "_quarantine": true,
-    "_quarantine_reason": "Duplicate of CVE-2026-30623 (Anthropic MCP SDK stdio command-injection). This entry was the pre-CVE-assignment embargoed placeholder for the OX Security MCP stdio command-injection disclosure (Moshe Siman Tov Bustan, Mustafa Naamnih, Nir Zadok); the embargo lifted with the April 2026 vendor advisory and the issue received CVE-2026-30623. Canonical id: CVE-2026-30623. Retained as _draft: true so the validator treats it as a non-failing draft warning; downstream tooling should filter on _quarantine: true and skip these entries.",
-    "ai_assisted_weaponization": false,
-    "name": "Anthropic SDK MCP STDIO command-injection (embargoed)",
-    "type": "command-injection",
-    "cvss_score": 9,
-    "cvss_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
-    "cisa_kev": false,
-    "cisa_kev_date": null,
-    "poc_available": false,
-    "poc_description": "Embargoed — operator-supplied configuration parameter reaches subprocess exec argv concatenation.",
-    "ai_discovered": false,
-    "active_exploitation": "unknown",
-    "active_exploitation_notes": "Embargoed disclosure pending vendor advisory.",
-    "affected": "Anthropic MCP-client STDIO transport in published SDK versions handling operator-configured server-spawn commands.",
-    "affected_versions": [
-      "anthropic-sdk pending-vendor-advisory"
-    ],
-    "vector": "MCP-client spawns server subprocess from operator config — argument parsing concatenates user-controlled fields into the exec argv via shell-like splitting rather than argv-array passing.",
-    "complexity": "low",
-    "patch_available": false,
-    "patch_required_reboot": false,
-    "live_patch_available": true,
-    "live_patch_tools": [
-      "Operator-side allowlist of MCP server configurations",
-      "Pin MCP server commands to immutable absolute paths",
-      "Disable user-provided MCP server config until vendor advisory lands"
-    ],
-    "vendor_update_paths": [
-      "Pending Anthropic SDK security release"
-    ],
-    "framework_control_gaps": {
-      "NIST-AI-RMF-MEASURE-2.7": "MCP-client trust boundary not specifically called out — operator-config-as-input is treated as platform-trusted.",
-      "OWASP-LLM-Top-10-2025-LLM05": "Improper output handling on LLM-side; this is the symmetric upstream — improper INPUT handling on transport side.",
-      "ISO-27001-2022-A.8.28": "Secure coding assumed in vendor SDKs without tooling to attest."
-    },
-    "atlas_refs": [
-      "AML.T0040"
-    ],
-    "attack_refs": [
-      "T1059"
-    ],
-    "rwep_score": 25,
-    "rwep_factors": {
-      "cisa_kev": 0,
-      "poc_available": 0,
-      "ai_factor": 0,
-      "active_exploitation": 5,
-      "blast_radius": 30,
-      "patch_available": 0,
-      "live_patch_available": -10,
-      "reboot_required": 0
-    },
-    "epss_score": null,
-    "epss_date": "2026-05-14",
-    "cwe_refs": [
-      "CWE-78",
-      "CWE-88"
-    ],
-    "source_verified": "2026-05-14",
-    "verification_sources": [
-      "https://docs.anthropic.com/security",
-      "https://modelcontextprotocol.io/"
-    ],
-    "last_updated": "2026-05-15",
-    "discovery_attribution_note": "Discovered by OX Security research team (Moshe Siman Tov Bustan, Mustafa Naamnih, Nir Zadok); part of the four-exploitation-family April 2026 MCP advisory. Named-human research; no AI-tool credited for the discovery despite the target being an AI SDK. Source: https://www.ox.security/blog/the-mother-of-all-ai-supply-chains-critical-systemic-vulnerability-at-the-core-of-the-mcp/.",
-    "rwep_correction_note": "v0.12.30: canonicalized rwep_factors to satisfy Shape B invariant (Σ factors === rwep_score). Prior values used non-canonical weights and/or blast_radius > 30 (over-cap). Stored rwep_score unchanged; factor block now reproducible from canonical RWEP_WEIGHTS + operational fields."
-  },
-  "CVE-2026-GTIG-AI-2FA": {
-    "_draft": true,
-    "_draft_reason": "Placeholder entry — affected product is unnamed under GTIG embargo and affected_versions is set to \"pending-disclosure\". The key itself is not a real CVE identifier (GTIG-tracked, no MITRE assignment yet). Hard Rule #1 fields cannot be verified against a vendor advisory until the embargo lifts and a real CVE id is assigned. Re-triage once GTIG/MITRE publishes the canonical id and affected-product list.",
-    "name": "GTIG-tracked AI-built 2FA-bypass zero-day (placeholder)",
-    "type": "auth-bypass",
-    "cvss_score": 8.1,
-    "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
-    "cisa_kev": false,
-    "cisa_kev_date": null,
-    "poc_available": false,
-    "poc_description": "Embargoed — GTIG 2026-05-11 report references in-the-wild exploitation by a financially motivated threat actor using AI-built exploit code targeting an unnamed enterprise 2FA service.",
-    "ai_discovered": true,
-    "ai_discovery_notes": "First documented case of a fully AI-BUILT zero-day exploit observed in-the-wild.",
-    "ai_assisted_weaponization": true,
-    "ai_assisted_notes": "Per GTIG attribution analysis — exploit code structure consistent with AI-generated output.",
-    "active_exploitation": "confirmed",
-    "affected": "Unnamed enterprise 2FA service per GTIG embargo; placeholder entry pending CVE assignment.",
-    "affected_versions": [
-      "pending-disclosure"
-    ],
-    "vector": "Authentication state-machine confusion — exploit payload bypasses second-factor challenge by manipulating session token at the post-primary-auth / pre-2FA-challenge boundary.",
-    "complexity": "moderate",
-    "patch_available": false,
-    "patch_required_reboot": false,
-    "live_patch_available": true,
-    "live_patch_tools": [
-      "Vendor-side rate-limiting on 2FA challenge endpoint",
-      "Anomaly detection on session-token mutation between auth phases",
-      "Out-of-band MFA fallback"
-    ],
-    "vendor_update_paths": [
-      "Pending vendor advisory"
-    ],
-    "framework_control_gaps": {
-      "NIST-AI-RMF-MEASURE-2.7": "AI-discovered + AI-built exploit class not anchored in any framework.",
-      "NIS2-Art21-incident-handling": "EU NIS2 incident-handling SLA does not differentiate AI-built vs human-built exploit class.",
-      "ISO-27001-2022-A.5.7": "Threat intelligence control does not specifically require AI-attack-development feeds.",
-      "FedRAMP-IA-2": "MFA requirement satisfied on paper; AI-built bypass operates at a layer below the MFA control surface.",
-      "EU-AI-Act-Art-15": "AI Act robustness requirement applies to AI SYSTEMS not to defending against AI-built attacks."
-    },
-    "atlas_refs": [
-      "AML.T0040",
-      "AML.T0051"
-    ],
-    "attack_refs": [
-      "T1078",
-      "T1556"
-    ],
-    "rwep_score": 55,
-    "rwep_factors": {
-      "cisa_kev": 0,
-      "poc_available": 0,
-      "ai_factor": 15,
-      "active_exploitation": 20,
-      "blast_radius": 30,
-      "patch_available": 0,
-      "live_patch_available": -10,
-      "reboot_required": 0
-    },
-    "epss_score": null,
-    "epss_date": "2026-05-14",
-    "cwe_refs": [
-      "CWE-287"
-    ],
-    "source_verified": "2026-05-14",
-    "verification_sources": [
-      "https://cloud.google.com/blog/topics/threat-intelligence/",
-      "https://services.google.com/fh/files/misc/gtig-2026-ai-attack-trends.pdf"
-    ],
-    "last_updated": "2026-05-15",
-    "discovery_attribution_note": "AI-developed zero-day per Google Threat Intelligence Group 2026-05-11 disclosure; first publicly-attributed in-the-wild AI-built zero-day exploit. GTIG assesses with high confidence that an LLM was weaponized to facilitate discovery + weaponization of a 2FA bypass in a popular open-source web administration tool. Source: https://cloud.google.com/blog/topics/threat-intelligence/ai-vulnerability-exploitation-initial-access and https://thehackernews.com/2026/05/hackers-used-ai-to-develop-first-known.html.",
-    "rwep_correction_note": "v0.12.30: canonicalized rwep_factors to satisfy Shape B invariant (Σ factors === rwep_score). Prior values used non-canonical weights and/or blast_radius > 30 (over-cap). Stored rwep_score unchanged; factor block now reproducible from canonical RWEP_WEIGHTS + operational fields."
-  },
   "CVE-2026-30623": {
     "ai_assisted_weaponization": false,
     "name": "Anthropic MCP SDK stdio command-injection",

package/data/exploit-availability.json

@@ -287,33 +287,6 @@
     "last_verified": "2026-05-15",
     "verification_source": "TanStack security advisory 2026-05-11, npm advisories"
   },
-  "MAL-2026-ANTHROPIC-MCP-STDIO": {
-    "poc_status": "private",
-    "poc_description": "Embargoed reproduction in vendor channel; operator-side mitigations published while CVE assignment is pending.",
-    "weaponization_stage": "partially_weaponized",
-    "ai_discovery_confirmed": false,
-    "ai_discovery_source": "vendor_research",
-    "ai_assist_factor": "moderate",
-    "ai_assisted_weaponization": false,
-    "exploit_complexity": "low",
-    "active_exploitation": "unknown",
-    "last_verified": "2026-05-15",
-    "verification_source": "Anthropic security channel, MCP project advisory"
-  },
-  "CVE-2026-GTIG-AI-2FA": {
-    "poc_status": "private",
-    "poc_description": "Embargoed per GTIG. AI-built exploit code observed in-the-wild against an unnamed enterprise 2FA service.",
-    "weaponization_stage": "fully_weaponized",
-    "ai_discovery_confirmed": true,
-    "ai_discovery_source": "threat_actor_ai_built",
-    "ai_assist_factor": "very_high",
-    "ai_discovery_notes": "First documented case of a fully AI-BUILT zero-day exploit observed in-the-wild — threat actor used a frontier LLM to construct the auth-state-confusion payload.",
-    "ai_assisted_weaponization": true,
-    "exploit_complexity": "moderate",
-    "active_exploitation": "confirmed",
-    "last_verified": "2026-05-15",
-    "verification_source": "GTIG 2026-05-11 report, Google Cloud Threat Intelligence"
-  },
   "CVE-2026-30623": {
     "poc_status": "public",
     "poc_description": "Public advisory documents the argv-string concatenation in MCP-client stdio transport; researcher-published PoC chains operator-config to shell-meta injection.",

package/data/framework-control-gaps.json

@@ -4600,8 +4600,8 @@
     "designed_for": "MEASURE function 2.7 — evaluating AI system security and resilience including assessment of risks from adversarial inputs, data poisoning, model extraction, and supply chain compromise. Anchored on the assumption that AI-system security is a measurable property of the deployed system within the boundaries the deployer controls (the model, the training corpus, the inference endpoint).",
     "misses": [
       "MEASURE 2.7 scopes security evaluation to the AI system itself and does not enumerate the ML-pipeline asset chain (tracking servers, experiment registries, artifact stores like MLflow CVE-2023-43472) as in-scope measurement surface, leaving the path-traversal / unauthenticated-access exposure class outside the framework's measurement frame",
-      "MCP-client trust boundary is not specifically addressed — MEASURE 2.7 does not require evaluation of operator-supplied MCP configuration as adversarial input, even though MCP STDIO command-injection (CVE-2026-30623, MAL-2026-ANTHROPIC-MCP-STDIO reference cases) demonstrates operator-config-as-input is an exploitable surface",
-      "AI-discovered + AI-built exploit classes (GTIG-tracked AI-built 2FA bypass reference case) are not anchored in any MEASURE 2.7 evaluation methodology — the framework treats AI offensive capability as out-of-scope rather than as a category requiring continuous threat-model refresh against the deployed AI system's defensive measurements"
+      "MCP-client trust boundary is not specifically addressed — MEASURE 2.7 does not require evaluation of operator-supplied MCP configuration as adversarial input, even though MCP STDIO command-injection (CVE-2026-30623 reference case) demonstrates operator-config-as-input is an exploitable surface",
+      "AI-discovered + AI-built exploit classes are not anchored in any MEASURE 2.7 evaluation methodology — the framework treats AI offensive capability as out-of-scope rather than as a category requiring continuous threat-model refresh against the deployed AI system's defensive measurements"
     ],
     "real_requirement": "MEASURE 2.7 implementations must extend the security-evaluation scope to: (1) the complete ML-pipeline asset chain including tracking servers, experiment registries, and artifact stores with explicit authentication-and-path-canonicalization testing, (2) MCP-client trust-boundary evaluation treating operator-supplied configuration as adversarial input with command-injection testing on the STDIO / SSE transports, (3) continuous threat-model refresh against AI-discovered and AI-built exploit classes with a defined cadence for refreshing measurement methodology when GTIG / Project Zero / equivalent surface AI-offensive-capability advances.",
     "status": "open",

package/data/zeroday-lessons.json

@@ -916,95 +916,6 @@
     "ai_discovery_date": "2024-03-29",
     "ai_assist_factor": "low"
   },
-  "CVE-2026-GTIG-AI-2FA": {
-    "name": "GTIG-tracked AI-built 2FA-bypass zero-day",
-    "lesson_date": "2026-05-15",
-    "attack_vector": {
-      "description": "Authentication state-machine confusion in an unnamed enterprise 2FA service. Exploit payload bypasses the second-factor challenge by manipulating session token at the post-primary-auth / pre-2FA-challenge boundary. Notable as the first documented AI-BUILT (not just AI-discovered) zero-day observed in-the-wild — threat actor used a frontier LLM to construct the exploit payload.",
-      "privileges_required": "remote unauthenticated, requires valid primary-auth credentials (assumed phished or credential-stuffed)",
-      "complexity": "moderate to develop, low to use",
-      "ai_factor": "First documented AI-BUILT ITW zero-day per GTIG 2026-05-11. Threat actor lacked the engineering capacity to construct the payload independently; LLM-generated exploit code shows characteristic structure, comments, and idiomatic patterns. Compresses time-to-weaponize by approximately 20x relative to human-only development for this class."
-    },
-    "defense_chain": {
-      "prevention": {
-        "what_would_have_worked": "Out-of-band MFA (FIDO2 / passkey / push-with-number-match) that does not share a session-token boundary with the bypass surface. Hardware-anchored binding of primary-auth and 2FA challenge into a single signed assertion.",
-        "was_this_required": false,
-        "framework_requiring_it": null,
-        "adequacy": "Phishing-resistant MFA (NIST AAL3) would have blocked this class. Most organizations still operate at AAL2 with SMS or TOTP."
-      },
-      "detection": {
-        "what_would_have_worked": "Session-token mutation anomaly detection between auth phases — alert when the session-state machine receives an unexpected transition.",
-        "was_this_required": false,
-        "framework_requiring_it": null,
-        "adequacy": "Anomaly detection on auth-state transitions is not a standard control category in any framework. Most identity providers don't expose the necessary telemetry."
-      },
-      "response": {
-        "what_would_have_worked": "Vendor-side rate-limiting on the 2FA challenge endpoint + temporary global rollback of the 2FA flow to require fresh primary-auth.",
-        "was_this_required": false,
-        "framework_requiring_it": null,
-        "adequacy": "Embargoed CVE — public response capability constrained by disclosure timing."
-      }
-    },
-    "framework_coverage": {
-      "NIST-AI-RMF-MEASURE-2.7": {
-        "covered": false,
-        "adequate": false,
-        "gap": "AI-discovered + AI-built exploit class not anchored in any framework — neither NIST AI RMF nor ISO 42001 require AI-attack-development monitoring as a control category."
-      },
-      "NIS2-Art21-incident-handling": {
-        "covered": true,
-        "adequate": false,
-        "gap": "EU NIS2 incident-handling SLA does not differentiate AI-built vs human-built exploit class — but the AI-built class compresses time-to-weaponize by ~20x and time-to-mass-deployment by ~50x."
-      },
-      "FedRAMP-IA-2": {
-        "covered": true,
-        "adequate": false,
-        "gap": "MFA requirement satisfied on paper; AI-built bypass operates at a layer below the MFA control surface."
-      },
-      "EU-AI-Act-Art-15": {
-        "covered": false,
-        "adequate": false,
-        "gap": "AI Act robustness requirement applies to AI SYSTEMS not to defending against AI-built attacks on non-AI systems."
-      },
-      "ALL-FRAMEWORKS": {
-        "covered": false,
-        "adequate": false,
-        "gap": "No framework anchors on AI-attack-development as an operational threat that requires distinct controls. ATLAS documents the techniques but compliance frameworks haven't picked them up."
-      }
-    },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-022",
-        "name": "AI-ATTACK-DEVELOPMENT-MONITORING",
-        "description": "Threat intelligence functions must subscribe to AI-attack-development feeds (GTIG, MITRE ATLAS, anthropic-internal threat reports). Treat AI-built exploit class as compressing the standard 30-day CISA KEV response window to 24 hours.",
-        "evidence": "CVE-2026-GTIG-AI-2FA — first documented AI-built ITW zero-day per GTIG 2026-05-11. Time from disclosure to mass-exploitation observed at ~10x faster than comparable non-AI-built cases.",
-        "gap_closes": [
-          "NIST-AI-RMF-MEASURE-2.7",
-          "ISO-27001-2022-A.5.7",
-          "NIS2-Art21-incident-handling"
-        ]
-      },
-      {
-        "id": "NEW-CTRL-023",
-        "name": "PHISHING-RESISTANT-MFA-MANDATE",
-        "description": "AAL3 phishing-resistant MFA (FIDO2 / passkey / hardware-anchored push-with-number-match) required for all administrative and privileged access. SMS, TOTP, and push-to-approve are insufficient against AI-built session-confusion attacks.",
-        "evidence": "CVE-2026-GTIG-AI-2FA — bypass operates at the session-state-machine layer; AAL3 anchors the second factor to the primary-auth assertion cryptographically.",
-        "gap_closes": [
-          "FedRAMP-IA-2",
-          "NIST-800-63-AAL3"
-        ]
-      }
-    ],
-    "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 92,
-      "basis": "Most organizations operate at AAL2 with TOTP or SMS. AI-built attack class compresses development time by 20x — defenders have not yet caught up.",
-      "theater_pattern": "mfa_aal2_satisfies_paper_aal3"
-    },
-    "ai_discovered_zeroday": true,
-    "ai_discovery_source": "threat_actor_ai_built",
-    "ai_discovery_date": "2026-05-11",
-    "ai_assist_factor": "very_high"
-  },
   "CVE-2026-42945": {
     "name": "NGINX Rift",
     "lesson_date": "2026-05-15",

package/lib/schemas/playbook.schema.json

@@ -119,6 +119,11 @@
               "condition": { "type": "string", "examples": ["finding.severity == 'critical'", "theater_score < 60", "always"] }
             }
           }
+        },
+        "fed_by": {
+          "type": "array",
+          "description": "v0.13.0: reverse direction of feeds_into. Auto-populated by scripts/refresh-reverse-refs.js — operators reading this playbook see what chains INTO it without grepping every other playbook. Plain array of playbook ids; condition is recorded on the SOURCE playbook's feeds_into entry, not duplicated here.",
+          "items": { "type": "string" }
         }
       }
     },