@blamejs/exceptd-skills 0.13.4 → 0.13.5

package/CHANGELOG.md

@@ -1,5 +1,35 @@
 # Changelog
 
+## 0.13.5 — 2026-05-18
+
+Three new playbooks, two cross-cutting CLI behaviours, and a deterministic schema gate on `active_exploitation` vocabulary.
+
+### Features
+
+**Three new playbooks bring the canonical set to 23.**
+
+- **`post-quantum-migration`** — the operational migration programme (distinct from `crypto`, which is handshake-level). Covers per-asset cryptographic register, vendor-SLA tracking, regulator-deadline orchestration (CNSA 2.0, OMB M-23-02, NIS2 Art.21(2)(h), DORA Art.9, EU CRA Annex I, BSI TR-02102, ACSC ISM-1546), and HNDL exposure-window analysis. Nine indicators including `no-cryptographic-asset-register`, `hsm-firmware-no-pqc` (Thales/Entrust/CloudHSM migration blocker), `long-retention-classical-only-asset`, and `embedded-tls-stack-classical-only`. 13 framework-gap mappings (NIST SC-12/SC-13, ISO A.8.24/A.8.25, PCI 3.6/4.2.1, NIS2/DORA/EU CRA, UK CAF, AU ISM, MAS TRM, JP NISC, HIPAA). Feeds into `crypto` + `framework` + `sbom`.
+
+- **`ai-discovered-cve-triage`** — operator-side response to AI-discovered CVE arrival. Anchors on CVE-2026-31431 (Copy Fail, Theori+Xint), CVE-2026-46300 (Fragnesia, Zellic AI-agentic), CVE-2026-42945 (NGINX Rift, depthfirst — first publicly-attributed AI-discovered nginx CVE), the GTIG 41% AI-zero-day statistic, and Hard Rule #7. Seven indicators including `ai-discovery-attribution-band-c-unverified` (don't apply +15 ai_factor on unverified claims), `ai-discovery-feed-coverage-incomplete` (operator pipeline misses Theori/depthfirst/Zellic/GTIG/Project Zero AI sources), and `asset-unpatched-past-rwep-sla` (RWEP-derived SLA: 4h ≥ 90, 24h 75–89, 72h 60–74). Feeds into `framework` + `kernel` + `sbom` + `runtime`.
+
+- **`supply-chain-recovery`** — post-compromise recovery workflow (distinct from `sbom`, which is pre-incident hygiene). Anchors on Shai-Hulud (Sep 2025 / Nov 2025 / May 2026 waves), MAL-2026-SHAI-HULUD-OSS (TeamPCP open-sourced 2026-05-12), MAL-2026-TANSTACK-MINI (42 `@tanstack/*` packages), MAL-2026-NODE-IPC-STEALER, and CVE-2026-45321. Encodes NEW-CTRL-050 (exhaustive maintainer-credential rotation), NEW-CTRL-051 (install-window audit), NEW-CTRL-052 (AI-assistant config exfil as first-class — `~/.cursor`, `~/.codeium`, `~/.claude`). Eight indicators including `ai-assistant-config-mutated` (Shai-Hulud startup-hook persistence), `outbound-exfil-during-window`, `operator-published-package-republish` (downstream notification mandatory), `long-lived-token-in-compromised-ci-log`. Feeds into `cred-stores` + `idp-incident-response` + `sbom` + `mcp` + `framework`.
+
+**`exceptd watchlist --org-scan --output-format markdown`.** Adds GitHub-flavored markdown table output for PR / issue / advisory body consumption. Accepted values: `json` | `markdown` | `human` (default). The legacy `--json` shorthand remains accepted (equivalent to `--output-format json`). Invalid values exit non-zero with the accepted-set in the error envelope.
+
+**`exceptd doctor --ai-config --fix` now repairs Windows ACLs.** The POSIX path applied `chmod 0600`; on Windows the audit reported the gap as "manual review." The Windows path now invokes `icacls /inheritance:r /grant:r` to restrict to the current user + SYSTEM + Administrators. The audit check itself (without `--fix`) parses `icacls <path>` and reports any extra principals.
+
+**Skill chain: MCP findings inside a CI runner escalate to `cicd-pipeline-compromise`.** New deterministic indicator `mcp-server-invoked-from-ci-pipeline` keys on `GITHUB_ACTIONS` / `GITLAB_CI` / `BUILDKITE` / `JENKINS_URL` / `CIRCLECI` / `RUNNER_OS` env vars and known runner workdirs (`/_work/`, `/builds/`, `/var/jenkins_home/workspace/`, `/var/lib/buildkite-agent/builds/`). When paired with any other high-confidence MCP signal, the finding feeds into `cicd-pipeline-compromise` for OIDC / signing-key / publish-channel scope handling. Without this arc, MCP findings in CI received local-dev close-out only, under-counting publish-channel blast radius.
+
+### Bugs
+
+**`cve-catalog.schema.json` `active_exploitation` enum now matches `_meta.active_exploitation_vocabulary`.** The schema enumerated four values (`confirmed` / `suspected` / `none` / `unknown`); the meta vocabulary listed five (adding `theoretical`). Catalog entries written against the meta vocabulary that used `theoretical` were silently rejected at validation time. Schema now lists five values; `validate-cve-catalog.js` adds a cross-check that fails the gate if the two surfaces ever drift again.
+
+### Internal
+
+- Test count baseline updated for the +3 playbook delta and the new `--output-format` test cases.
+- `validate-cve-catalog.js` schema-vs-meta enum cross-check is a hard predeploy gate.
+- All 23 playbooks pass `validate-playbooks` and `lint-skills` warning-free.
+
 ## 0.13.4 — 2026-05-18
 
 Warning-cleanup pass + catalog hygiene + docs surfacing. The post-v0.13.3 state had ~43 skill lint warnings and 20 cosmetic playbook warnings that operators saw on every predeploy run; this release drives both to zero. README and AGENTS catch up with the v0.13.0 → v0.13.3 operator surface.

package/bin/exceptd.js

@@ -251,6 +251,63 @@ const RENAMED_VERBS_HINT = {
   "build-indexes": "refresh --indexes-only",
 };
 
+/**
+ * v0.13.5: Windows ACL audit helper for `doctor --ai-config`. Replaces
+ * the v0.13.3 "manual review" placeholder with a real check.
+ *
+ * Runs `icacls <path>` and parses the output for any principal beyond
+ * the current user. Anything other than the running USERNAME, NT
+ * AUTHORITY\SYSTEM, and BUILTIN\Administrators on the ACL counts as
+ * "broader than user-only" — typical offenders are inherited entries
+ * for BUILTIN\Users, Authenticated Users, or Everyone.
+ *
+ * Returns { ok: boolean, extraPrincipals: string[], error?: string }.
+ * On non-Windows hosts (defensive — only invoked from the win32 branch
+ * in cmdDoctor anyway), returns { ok: true, extraPrincipals: [] }.
+ */
+function checkWindowsAcl(targetPath) {
+  if (process.platform !== 'win32') return { ok: true, extraPrincipals: [] };
+  const childProc = require('child_process');
+  const user = (process.env.USERNAME || '').toLowerCase();
+  // Principals that are EXPECTED on every Windows ACL and don't count
+  // as "broader than user-only" — admins legitimately need access for
+  // system maintenance; SYSTEM is required for backup/restore.
+  const ALLOWED_PRINCIPAL_SUFFIXES = [
+    `\\${user}`,
+    'nt authority\\system',
+    'builtin\\administrators',
+    'administrators',
+  ];
+  let stdout;
+  try {
+    stdout = childProc.execFileSync('icacls', [targetPath], {
+      encoding: 'utf8',
+      stdio: ['ignore', 'pipe', 'pipe'],
+      timeout: 5000,
+    });
+  } catch (e) {
+    return { ok: false, extraPrincipals: [], error: (e && e.message) || String(e) };
+  }
+  const extraPrincipals = [];
+  // icacls output format: each principal on its own line, prefixed by
+  // whitespace and ending with permission bits in parens. Lines for
+  // the file itself (target path) and the "Successfully processed"
+  // footer are skipped.
+  for (const rawLine of stdout.split(/\r?\n/)) {
+    const line = rawLine.trim();
+    if (!line) continue;
+    if (line.toLowerCase().startsWith('successfully processed')) continue;
+    // The first line is the path; principal lines start with NT AUTHORITY,
+    // BUILTIN, or a domain\user. Match `name:(perms)` shape.
+    const m = line.match(/^([^:()]+?):\(/);
+    if (!m) continue;
+    const principal = m[1].trim().toLowerCase();
+    const isAllowed = ALLOWED_PRINCIPAL_SUFFIXES.some((suffix) => principal.endsWith(suffix));
+    if (!isAllowed) extraPrincipals.push(m[1].trim());
+  }
+  return { ok: extraPrincipals.length === 0, extraPrincipals };
+}
+
 function readPkgVersion() {
   try {
     return JSON.parse(fs.readFileSync(path.join(PKG_ROOT, "package.json"), "utf8")).version;
@@ -5510,15 +5567,23 @@ function cmdDoctor(runner, args, runOpts, pretty) {
           let st;
           try { st = fs.statSync(childAbs); } catch { continue; }
           if (process.platform === 'win32') {
-            // Windows POSIX mode bits don't carry meaningful ACL info.
-            // Flag every sensitive file with a manual-review note rather
-            // than emit a noisy permission claim that's likely wrong.
+            // v0.13.5: real ACL check via icacls. Replaces the v0.13.3
+            // "manual review" info-level placeholder. Confirms only the
+            // current-user SID has any read entry. Anything else (Users,
+            // Everyone, Authenticated Users, BUILTIN\Users, etc.) on the
+            // ACL counts as "broader than user-only" and surfaces as a
+            // warn finding. The `--fix` path applies `icacls /inheritance:r
+            // /grant:r <USER>:F` to strip inherited entries.
+            const aclCheck = checkWindowsAcl(childAbs);
+            if (aclCheck.ok) continue;
             findings.push({
               path: `${displayRoot}/${childRel}`,
               mode: null,
-              severity: 'info',
-              issue: 'win32_acl_check_not_implemented',
-              hint: 'On Windows the POSIX mode bits are not load-bearing. Use icacls to confirm only the current user has read access. Tracked for v0.14+.',
+              severity: 'warn',
+              issue: 'broader_than_user_only_acl',
+              acl_extra_principals: aclCheck.extraPrincipals,
+              hint: `icacls "${childAbs}" /inheritance:r /grant:r %USERNAME%:F  # NEW-CTRL-050: AI-assistant configs holding MCP tokens / API keys must restrict ACL to the workstation user`,
+              fix_command: ['icacls', childAbs, '/inheritance:r', '/grant:r', `${process.env.USERNAME}:F`],
             });
             continue;
           }
@@ -5530,6 +5595,8 @@ function cmdDoctor(runner, args, runOpts, pretty) {
               severity: 'warn',
               issue: 'group_or_other_readable',
               hint: `chmod 600 '${childAbs}'  # NEW-CTRL-050: AI-assistant configs holding MCP tokens / API keys must be 0600 to defeat unprivileged exfil`,
+              fix_chmod: 0o600,
+              fix_abs_path: childAbs,
             });
           }
         }
@@ -5543,9 +5610,49 @@ function cmdDoctor(runner, args, runOpts, pretty) {
       }
     }
     const errorFindings = findings.filter((f) => f.severity === 'warn');
+
+    // v0.13.5: --fix path. When `doctor --ai-config --fix` is invoked
+    // AND warn-severity findings exist, apply the per-finding fix
+    // command (chmod 600 on POSIX; icacls /inheritance:r /grant:r on
+    // Windows). The fix attempt is recorded per-finding so the report
+    // surfaces which fixes landed vs which failed.
+    let fixesApplied = 0;
+    let fixesFailed = 0;
+    if (args.fix && errorFindings.length > 0) {
+      const childProc = require('child_process');
+      for (const f of errorFindings) {
+        if (f.fix_chmod && f.fix_abs_path) {
+          try {
+            fs.chmodSync(f.fix_abs_path, f.fix_chmod);
+            f.fix_status = 'chmod_applied';
+            fixesApplied++;
+          } catch (e) {
+            f.fix_status = 'chmod_failed';
+            f.fix_error = e.message;
+            fixesFailed++;
+          }
+          continue;
+        }
+        if (f.fix_command) {
+          try {
+            childProc.execFileSync(f.fix_command[0], f.fix_command.slice(1), {
+              stdio: ['ignore', 'ignore', 'pipe'],
+              timeout: 5000,
+            });
+            f.fix_status = 'icacls_applied';
+            fixesApplied++;
+          } catch (e) {
+            f.fix_status = 'icacls_failed';
+            f.fix_error = (e && e.message) || String(e);
+            fixesFailed++;
+          }
+        }
+      }
+    }
+
     checks.ai_config = {
-      ok: errorFindings.length === 0,
-      severity: errorFindings.length > 0 ? 'warn' : 'info',
+      ok: errorFindings.length === 0 || (args.fix && fixesFailed === 0),
+      severity: errorFindings.length > 0 && fixesFailed > 0 ? 'warn' : (errorFindings.length > 0 && !args.fix ? 'warn' : 'info'),
       scanned_dirs: scannedDirs,
       scanned_files: scannedFiles,
       directories_inspected: AI_CONFIG_DIRS.map((d) => d.display),
@@ -5553,8 +5660,9 @@ function cmdDoctor(runner, args, runOpts, pretty) {
       findings,
       platform: process.platform,
       control_reference: 'NEW-CTRL-050 (MAL-2026-SHAI-HULUD-OSS lesson)',
+      ...(args.fix ? { fix_applied: fixesApplied, fix_failed: fixesFailed } : {}),
     };
-    if (errorFindings.length > 0) issues.push('ai_config');
+    if (errorFindings.length > 0 && (!args.fix || fixesFailed > 0)) issues.push('ai_config');
   }
 
   // Walk every check and split: errors (severity error/missing/fail) vs warnings

package/data/_indexes/_meta.json

@@ -1,10 +1,10 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-18T04:13:12.063Z",
+  "generated_at": "2026-05-18T04:58:08.316Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 54,
   "source_hashes": {
-    "manifest.json": "0d7cc1e5a718515519e81b973126f0fe316ad8252e4c8e04f54934ea575a9b80",
+    "manifest.json": "6bbf4f4d9540c2539d6f2635b39ba42f963e3a2238e9e8b6569d0cc65719b813",
     "data/atlas-ttps.json": "2b021f47355365d1ba59078dfa582397c7a64c2b4ebea4657ea260a66b76daf6",
     "data/attack-techniques.json": "76461dbec048c5e072435d57e3a04b780e3992dab9f316b1b52608e0a997e355",
     "data/cve-catalog.json": "4b8c05074744f9e099c776e0f9c3afd2b978fc52d702bc8805c3b5bfecdbafcb",