@blamejs/exceptd-skills 0.13.4 → 0.13.6

package/AGENTS.md

@@ -228,6 +228,22 @@ Recently added (use the IDs in skill prose and operator briefings; full text in
 | `NEW-CTRL-053` | MCP-SERVER-CONFIG-ALLOWLIST | `CVE-2026-30623` (Anthropic MCP SDK stdio injection) | NIST AI RMF MEASURE 2.7, OWASP LLM Top 10 2025 LLM05 |
 | `NEW-CTRL-054` | BACKUP-TIER-NETWORK-ISOLATION | `CVE-2025-59389` (QNAP Hyper Data Protector preauth RCE) | ISO-27001-2022 A.8.13, NIS2 Art.21 business-continuity |
 | `NEW-CTRL-055` | SECURITY-TOOL-INTEGRITY-VERIFICATION | `CVE-2025-11837` (QNAP Malware Remover code-injection) | NIST-800-53 SI-3, ISO-27001-2022 A.8.7, PCI-DSS 4.0 §5.1 |
+| `NEW-CTRL-056` | MOBILE-ENDPOINT-MDM-ENFORCED-KEV-SLA | `CVE-2025-14174` / `CVE-2025-43529` / `CVE-2025-24201` / `CVE-2025-43300` | NIST-800-53 SI-2, ISO-27001-2022 A.8.8, CIS Benchmarks mobile-OS profiles |
+| `NEW-CTRL-057` | BROWSER-MANAGED-UPDATE-NO-DEFERRAL | `CVE-2025-10585` / `CVE-2025-14174` / `CVE-2025-43529` / `CVE-2025-4919` | NIST-800-53 SI-2, CISA KEV SLA, vendor-channel security-release contracts |
+| `NEW-CTRL-058` | CLOUD-CONTROL-PLANE-CROSS-TENANT-CLAIM-VALIDATION | `CVE-2025-55241` (Entra ID Actor-token impersonation) | NIST-800-53 AC-2/AU-2/AC-16, ISO-27001-2022 A.5.16, CIS Cloud Foundations |
+| `NEW-CTRL-059` | SENSITIVE-DATA-IN-LOGS-LINT | `CVE-2025-21085` (Cisco Duo credential leakage) | NIST-800-53 AU-9/SI-12, ISO-27001-2022 A.8.15, PCI-DSS 4.0 §10.5 |
+| `NEW-CTRL-060` | DATABASE-SERVER-SIDE-SCRIPTING-DEFAULT-DENY | `CVE-2025-49844` (Redis RediShell Lua UAF) | NIST-800-53 CM-6/CM-7, ISO-27001-2022 A.8.9, vendor secure-baseline profiles |
+| `NEW-CTRL-061` | IN-MEMORY-DATASTORE-MEMORY-DISCLOSURE-NETWORK-EXPOSURE-AUDIT | `CVE-2025-14847` (MongoBleed) | NIST-800-53 SC-7/SC-28, PCI-DSS 4.0 §1.4, ISO-27001-2022 A.8.20 |
+| `NEW-CTRL-062` | HTTP2-STREAM-RESET-ACCOUNTING | `CVE-2025-8671` (MadeYouReset) | NIST-800-53 SC-5, ISO-27001-2022 A.8.6, vendor HTTP/2 secure-default profiles |
+| `NEW-CTRL-063` | MULTIMODAL-INFERENCE-INPUT-DECODER-ISOLATION | `CVE-2026-22778` (vLLM heap-overflow RCE) | NIST AI RMF MANAGE 4.1, NIST-800-53 SC-39, OWASP LLM Top 10 2025 LLM10 |
+| `NEW-CTRL-064` | LLM-OUTPUT-DESERIALIZATION-TRUST-ZONE | `CVE-2025-68664` (LangChain LangGrinch) | NIST AI RMF MEASURE 2.7, OWASP LLM Top 10 2025 LLM03/LLM08, NIST-800-53 SI-10 |
+| `NEW-CTRL-065` | AI-MODEL-SERVER-DEFAULT-AUTHENTICATION | `CVE-2026-7482` (Ollama Bleeding Llama) | NIST-800-53 IA-2/AC-3, ISO-27001-2022 A.8.5, NIST AI RMF GOVERN 5.1 |
+| `NEW-CTRL-066` | AGENTIC-IDE-HOST-EXECUTION-SANDBOX | `CVE-2025-55319` (VSCode agentic-AI command-injection) | NIST AI RMF MANAGE 4.1, ISO/IEC 42001 §6.1.4, NIST-800-53 SC-39 |
+| `NEW-CTRL-067` | AI-PLATFORM-CONTROL-PLANE-RBAC-OVERLAY-AUDIT | `CVE-2025-10725` (OpenShift AI privilege escalation) | NIST-800-53 AC-2/AC-6, CIS Kubernetes Benchmark §5, NIST AI RMF GOVERN 1.5 |
+| `NEW-CTRL-068` | HYPERVISOR-VM-ESCAPE-TENANCY-ASSUMPTION | `CVE-2025-22224` / `CVE-2025-22225` / `CVE-2025-22226` (VMSA-2025-0004 ESXi chain) | NIST-800-53 SC-7/SI-2, ISO-27001-2022 A.8.20, CIS VMware ESXi Benchmark |
+| `NEW-CTRL-069` | ECOSYSTEM-PACKAGE-TEMPORAL-TRUST-DRIFT-DETECTION | `MAL-2026-RUBYGEMS-BUFFERZONECORP-SLEEPER` | NIST-800-218 SSDF PW.4, EU CRA Annex I §1(2)(b), SLSA Build L3 |
+| `NEW-CTRL-070` | TYPOSQUAT-INSTALL-TIME-NAME-CONFUSION-GUARD | `MAL-2025-PYPI-COLORAMA-SOLANA-STEALER` | NIST-800-218 SSDF PW.4, NIST-800-53 SI-7, EU CRA Annex I §1(2)(c) |
+| `NEW-CTRL-071` | AI-DISCOVERY-CREDIT-IN-COMPLIANCE-EVIDENCE | `MAL-2025-AI-FOUND-FFMPEG-BIGSLEEP` + `CVE-2025-6965` + `CVE-2025-0133` + ZeroPath quartet | NIST AI RMF MEASURE 2.7, ISO/IEC 42001 §6.1.4 (records of AI use), EU AI Act Art.12 (record-keeping) |
 
 When you cite a `NEW-CTRL-*` ID in a skill body, the lint reads the upstream `zeroday-lessons.json` entry as the authoritative source for the requirement text — do not paraphrase the description in the skill body, link to the ID instead.
 

package/CHANGELOG.md

@@ -1,5 +1,63 @@
 # Changelog
 
+## 0.13.6 — 2026-05-18
+
+CVE catalog expansion (38 → 67 entries) covering threat classes the catalog previously did not address, plus a `doctor` undercount fix.
+
+### Features
+
+**29 new catalog entries** across the under-represented classes:
+
+- **Browsers (4)** — Chrome V8 TAG-disclosed zero-day `CVE-2025-10585`, WebKit DarkSword chain `CVE-2025-14174` + `CVE-2025-43529`, Firefox SpiderMonkey Pwn2Own `CVE-2025-4919`.
+- **Mobile OS (3)** — WebKit Glass Cage iOS chain `CVE-2025-24201`, ImageIO zero-click root `CVE-2025-43300`, Android POSIX-CPU-timer race `CVE-2025-38352`.
+- **Identity providers (2)** — Entra ID cross-tenant Actor-token impersonation `CVE-2025-55241` (CVSS 10.0), Cisco Duo log credential disclosure `CVE-2025-21085`.
+- **Database engines (3)** — PostgreSQL psql ACE `CVE-2025-1094` (BeyondTrust / Treasury breaches), Redis RediShell Lua UAF `CVE-2025-49844` (CVSS 10.0), MongoBleed memory disclosure `CVE-2025-14847`.
+- **HTTP/2 (1)** — MadeYouReset stream-reset DoS `CVE-2025-8671` (Rapid Reset successor, 2.8M+ vulnerable instances).
+- **AI model serving (4)** — vLLM heap-overflow RCE `CVE-2026-22778`, Ollama Bleeding Llama `CVE-2026-7482`, LangChain LangGrinch `CVE-2025-68664`, Big Sleep SQLite zero-day `CVE-2025-6965`.
+- **VMware ESXi (3)** — `CVE-2025-22224` / `CVE-2025-22225` / `CVE-2025-22226` (VMSA-2025-0004, ransomware-active VM-escape chain).
+- **Malicious packages (3)** — ultralytics XMRig `MAL-2024-PYPI-ULTRALYTICS-XMRIG` (60M-download AI library), RubyGems + Go sleeper `MAL-2026-RUBYGEMS-BUFFERZONECORP-SLEEPER`, PyPI colorama Solana stealer `MAL-2025-PYPI-COLORAMA-SOLANA-STEALER`.
+- **AI-discovery anchors (6)** — XBOW Palo Alto GlobalProtect `CVE-2025-0133` (HackerOne #1 Q2 2025), ZeroPath cluster (`CVE-2025-59529` / `CVE-2025-55319` / `CVE-2025-53767` / `CVE-2025-10725`), Big Sleep FFmpeg + ImageMagick tranche `MAL-2025-AI-FOUND-FFMPEG-BIGSLEEP`.
+
+Every entry carries the full RWEP factor set, named verification sources, vendor advisory references, and a matching `data/zeroday-lessons.json` lesson. AI-discovered rate climbs 5/38 (0.132) → 12/67 (0.179), clearing the next ladder rung toward the Hard Rule #7 target of 0.40.
+
+**16 new control requirements** mint `NEW-CTRL-056` through `NEW-CTRL-071`, named in `AGENTS.md` with the surfacing zero-day and gap-closed framework controls. Coverage spans mobile MDM SLA enforcement, browser managed-update no-deferral, cloud-control-plane cross-tenant claim validation, sensitive-data-in-logs lint, database server-side scripting default-deny, in-memory datastore memory-disclosure exposure audit, HTTP/2 stream-reset accounting, multimodal inference decoder isolation, LLM-output deserialization trust zone, AI-model-server default auth, agentic-IDE host-execution sandbox, AI-platform control-plane RBAC overlay, hypervisor tenancy assumption, ecosystem-package temporal trust drift, typosquat install-time guard, and AI-discovery credit in compliance evidence.
+
+**ATT&CK + ATLAS catalogs extended** to back the new entries: 8 new ATT&CK techniques (T1005, T1189, T1496, T1498, T1499.001, T1499.002, T1539, T1657) and 3 new ATLAS TTPs (AML.T0007 Discover ML Artifacts, AML.T0011 User Execution, AML.T0047 LLM Meta Prompt Extraction).
+
+### Bugs
+
+**`exceptd doctor` no longer undercounts the catalog.** The prior implementation parsed `validate-cves` text output, which only counts `CVE-*` prefixes — `MAL-*` (malicious-package) entries were silently dropped from the total. An operator reading `CVE catalog: 34 entries` on a 38-entry catalog would conclude that the Shai-Hulud / TanStack worm intelligence had been removed when it was present all along. The check now reads `data/cve-catalog.json` directly and reports the combined total with the per-prefix breakdown: `CVE catalog: 67 entries (60 CVE + 7 MAL), drift 0`. The `validate-cves` text output gains a clarifying suffix noting that the count is CVE-IDs queued for NVD validation and that the combined catalog total lives under `exceptd doctor`.
+
+## 0.13.5 — 2026-05-18
+
+Three new playbooks, two cross-cutting CLI behaviours, and a deterministic schema gate on `active_exploitation` vocabulary.
+
+### Features
+
+**Three new playbooks bring the canonical set to 23.**
+
+- **`post-quantum-migration`** — the operational migration programme (distinct from `crypto`, which is handshake-level). Covers per-asset cryptographic register, vendor-SLA tracking, regulator-deadline orchestration (CNSA 2.0, OMB M-23-02, NIS2 Art.21(2)(h), DORA Art.9, EU CRA Annex I, BSI TR-02102, ACSC ISM-1546), and HNDL exposure-window analysis. Nine indicators including `no-cryptographic-asset-register`, `hsm-firmware-no-pqc` (Thales/Entrust/CloudHSM migration blocker), `long-retention-classical-only-asset`, and `embedded-tls-stack-classical-only`. 13 framework-gap mappings (NIST SC-12/SC-13, ISO A.8.24/A.8.25, PCI 3.6/4.2.1, NIS2/DORA/EU CRA, UK CAF, AU ISM, MAS TRM, JP NISC, HIPAA). Feeds into `crypto` + `framework` + `sbom`.
+
+- **`ai-discovered-cve-triage`** — operator-side response to AI-discovered CVE arrival. Anchors on CVE-2026-31431 (Copy Fail, Theori+Xint), CVE-2026-46300 (Fragnesia, Zellic AI-agentic), CVE-2026-42945 (NGINX Rift, depthfirst — first publicly-attributed AI-discovered nginx CVE), the GTIG 41% AI-zero-day statistic, and Hard Rule #7. Seven indicators including `ai-discovery-attribution-band-c-unverified` (don't apply +15 ai_factor on unverified claims), `ai-discovery-feed-coverage-incomplete` (operator pipeline misses Theori/depthfirst/Zellic/GTIG/Project Zero AI sources), and `asset-unpatched-past-rwep-sla` (RWEP-derived SLA: 4h ≥ 90, 24h 75–89, 72h 60–74). Feeds into `framework` + `kernel` + `sbom` + `runtime`.
+
+- **`supply-chain-recovery`** — post-compromise recovery workflow (distinct from `sbom`, which is pre-incident hygiene). Anchors on Shai-Hulud (Sep 2025 / Nov 2025 / May 2026 waves), MAL-2026-SHAI-HULUD-OSS (TeamPCP open-sourced 2026-05-12), MAL-2026-TANSTACK-MINI (42 `@tanstack/*` packages), MAL-2026-NODE-IPC-STEALER, and CVE-2026-45321. Encodes NEW-CTRL-050 (exhaustive maintainer-credential rotation), NEW-CTRL-051 (install-window audit), NEW-CTRL-052 (AI-assistant config exfil as first-class — `~/.cursor`, `~/.codeium`, `~/.claude`). Eight indicators including `ai-assistant-config-mutated` (Shai-Hulud startup-hook persistence), `outbound-exfil-during-window`, `operator-published-package-republish` (downstream notification mandatory), `long-lived-token-in-compromised-ci-log`. Feeds into `cred-stores` + `idp-incident-response` + `sbom` + `mcp` + `framework`.
+
+**`exceptd watchlist --org-scan --output-format markdown`.** Adds GitHub-flavored markdown table output for PR / issue / advisory body consumption. Accepted values: `json` | `markdown` | `human` (default). The legacy `--json` shorthand remains accepted (equivalent to `--output-format json`). Invalid values exit non-zero with the accepted-set in the error envelope.
+
+**`exceptd doctor --ai-config --fix` now repairs Windows ACLs.** The POSIX path applied `chmod 0600`; on Windows the audit reported the gap as "manual review." The Windows path now invokes `icacls /inheritance:r /grant:r` to restrict to the current user + SYSTEM + Administrators. The audit check itself (without `--fix`) parses `icacls <path>` and reports any extra principals.
+
+**Skill chain: MCP findings inside a CI runner escalate to `cicd-pipeline-compromise`.** New deterministic indicator `mcp-server-invoked-from-ci-pipeline` keys on `GITHUB_ACTIONS` / `GITLAB_CI` / `BUILDKITE` / `JENKINS_URL` / `CIRCLECI` / `RUNNER_OS` env vars and known runner workdirs (`/_work/`, `/builds/`, `/var/jenkins_home/workspace/`, `/var/lib/buildkite-agent/builds/`). When paired with any other high-confidence MCP signal, the finding feeds into `cicd-pipeline-compromise` for OIDC / signing-key / publish-channel scope handling. Without this arc, MCP findings in CI received local-dev close-out only, under-counting publish-channel blast radius.
+
+### Bugs
+
+**`cve-catalog.schema.json` `active_exploitation` enum now matches `_meta.active_exploitation_vocabulary`.** The schema enumerated four values (`confirmed` / `suspected` / `none` / `unknown`); the meta vocabulary listed five (adding `theoretical`). Catalog entries written against the meta vocabulary that used `theoretical` were silently rejected at validation time. Schema now lists five values; `validate-cve-catalog.js` adds a cross-check that fails the gate if the two surfaces ever drift again.
+
+### Internal
+
+- Test count baseline updated for the +3 playbook delta and the new `--output-format` test cases.
+- `validate-cve-catalog.js` schema-vs-meta enum cross-check is a hard predeploy gate.
+- All 23 playbooks pass `validate-playbooks` and `lint-skills` warning-free.
+
 ## 0.13.4 — 2026-05-18
 
 Warning-cleanup pass + catalog hygiene + docs surfacing. The post-v0.13.3 state had ~43 skill lint warnings and 20 cosmetic playbook warnings that operators saw on every predeploy run; this release drives both to zero. README and AGENTS catch up with the v0.13.0 → v0.13.3 operator surface.

package/bin/exceptd.js

@@ -251,6 +251,63 @@ const RENAMED_VERBS_HINT = {
   "build-indexes": "refresh --indexes-only",
 };
 
+/**
+ * v0.13.5: Windows ACL audit helper for `doctor --ai-config`. Replaces
+ * the v0.13.3 "manual review" placeholder with a real check.
+ *
+ * Runs `icacls <path>` and parses the output for any principal beyond
+ * the current user. Anything other than the running USERNAME, NT
+ * AUTHORITY\SYSTEM, and BUILTIN\Administrators on the ACL counts as
+ * "broader than user-only" — typical offenders are inherited entries
+ * for BUILTIN\Users, Authenticated Users, or Everyone.
+ *
+ * Returns { ok: boolean, extraPrincipals: string[], error?: string }.
+ * On non-Windows hosts (defensive — only invoked from the win32 branch
+ * in cmdDoctor anyway), returns { ok: true, extraPrincipals: [] }.
+ */
+function checkWindowsAcl(targetPath) {
+  if (process.platform !== 'win32') return { ok: true, extraPrincipals: [] };
+  const childProc = require('child_process');
+  const user = (process.env.USERNAME || '').toLowerCase();
+  // Principals that are EXPECTED on every Windows ACL and don't count
+  // as "broader than user-only" — admins legitimately need access for
+  // system maintenance; SYSTEM is required for backup/restore.
+  const ALLOWED_PRINCIPAL_SUFFIXES = [
+    `\\${user}`,
+    'nt authority\\system',
+    'builtin\\administrators',
+    'administrators',
+  ];
+  let stdout;
+  try {
+    stdout = childProc.execFileSync('icacls', [targetPath], {
+      encoding: 'utf8',
+      stdio: ['ignore', 'pipe', 'pipe'],
+      timeout: 5000,
+    });
+  } catch (e) {
+    return { ok: false, extraPrincipals: [], error: (e && e.message) || String(e) };
+  }
+  const extraPrincipals = [];
+  // icacls output format: each principal on its own line, prefixed by
+  // whitespace and ending with permission bits in parens. Lines for
+  // the file itself (target path) and the "Successfully processed"
+  // footer are skipped.
+  for (const rawLine of stdout.split(/\r?\n/)) {
+    const line = rawLine.trim();
+    if (!line) continue;
+    if (line.toLowerCase().startsWith('successfully processed')) continue;
+    // The first line is the path; principal lines start with NT AUTHORITY,
+    // BUILTIN, or a domain\user. Match `name:(perms)` shape.
+    const m = line.match(/^([^:()]+?):\(/);
+    if (!m) continue;
+    const principal = m[1].trim().toLowerCase();
+    const isAllowed = ALLOWED_PRINCIPAL_SUFFIXES.some((suffix) => principal.endsWith(suffix));
+    if (!isAllowed) extraPrincipals.push(m[1].trim());
+  }
+  return { ok: extraPrincipals.length === 0, extraPrincipals };
+}
+
 function readPkgVersion() {
   try {
     return JSON.parse(fs.readFileSync(path.join(PKG_ROOT, "package.json"), "utf8")).version;
@@ -5338,19 +5395,36 @@ function cmdDoctor(runner, args, runOpts, pretty) {
   if (runCves) {
     try {
       const orchPath = path.join(PKG_ROOT, "orchestrator", "index.js");
-      // validate-cves doesn't emit JSON; parse text for row count + drift.
+      // validate-cves doesn't emit JSON; parse text for drift signal.
       const res = spawnSync(process.execPath, [orchPath, "validate-cves", "--offline"], {
         encoding: "utf8",
         cwd: PKG_ROOT,
         timeout: 30000,
       });
       const text = (res.stdout || "") + (res.stderr || "");
-      const totalMatch = text.match(/(\d+)\s+CVEs?\s+in\s+catalog/i);
       const driftMatch = text.match(/drift[:\s]+(\d+)/i);
       const ok = res.status === 0;
+      // v0.13.6: total comes from the catalog file directly. The
+      // validate-cves text-scrape only ever counted CVE-* prefixes, so
+      // MAL-* (malicious package) entries silently dropped from the
+      // doctor report — operators reading "34 entries" assumed the
+      // Shai-Hulud / TanStack worm intel had been removed when it was
+      // present all along. Read the catalog and report both totals.
+      let total = null;
+      let cve_count = null;
+      let mal_count = null;
+      try {
+        const catalog = require(path.join(PKG_ROOT, "data", "cve-catalog.json"));
+        const keys = Object.keys(catalog).filter((k) => !k.startsWith("_"));
+        cve_count = keys.filter((k) => k.startsWith("CVE-")).length;
+        mal_count = keys.filter((k) => k.startsWith("MAL-")).length;
+        total = keys.length;
+      } catch { /* fall through with nulls */ }
       checks.cves = {
         ok,
-        total: totalMatch ? Number(totalMatch[1]) : null,
+        total,
+        cve_count,
+        mal_count,
         drift: driftMatch ? Number(driftMatch[1]) : 0,
         ...(ok ? {} : { exit_code: res.status, raw: text.slice(0, 500) }),
       };
@@ -5510,15 +5584,23 @@ function cmdDoctor(runner, args, runOpts, pretty) {
           let st;
           try { st = fs.statSync(childAbs); } catch { continue; }
           if (process.platform === 'win32') {
-            // Windows POSIX mode bits don't carry meaningful ACL info.
-            // Flag every sensitive file with a manual-review note rather
-            // than emit a noisy permission claim that's likely wrong.
+            // v0.13.5: real ACL check via icacls. Replaces the v0.13.3
+            // "manual review" info-level placeholder. Confirms only the
+            // current-user SID has any read entry. Anything else (Users,
+            // Everyone, Authenticated Users, BUILTIN\Users, etc.) on the
+            // ACL counts as "broader than user-only" and surfaces as a
+            // warn finding. The `--fix` path applies `icacls /inheritance:r
+            // /grant:r <USER>:F` to strip inherited entries.
+            const aclCheck = checkWindowsAcl(childAbs);
+            if (aclCheck.ok) continue;
             findings.push({
               path: `${displayRoot}/${childRel}`,
               mode: null,
-              severity: 'info',
-              issue: 'win32_acl_check_not_implemented',
-              hint: 'On Windows the POSIX mode bits are not load-bearing. Use icacls to confirm only the current user has read access. Tracked for v0.14+.',
+              severity: 'warn',
+              issue: 'broader_than_user_only_acl',
+              acl_extra_principals: aclCheck.extraPrincipals,
+              hint: `icacls "${childAbs}" /inheritance:r /grant:r %USERNAME%:F  # NEW-CTRL-050: AI-assistant configs holding MCP tokens / API keys must restrict ACL to the workstation user`,
+              fix_command: ['icacls', childAbs, '/inheritance:r', '/grant:r', `${process.env.USERNAME}:F`],
             });
             continue;
           }
@@ -5530,6 +5612,8 @@ function cmdDoctor(runner, args, runOpts, pretty) {
               severity: 'warn',
               issue: 'group_or_other_readable',
               hint: `chmod 600 '${childAbs}'  # NEW-CTRL-050: AI-assistant configs holding MCP tokens / API keys must be 0600 to defeat unprivileged exfil`,
+              fix_chmod: 0o600,
+              fix_abs_path: childAbs,
             });
           }
         }
@@ -5543,9 +5627,49 @@ function cmdDoctor(runner, args, runOpts, pretty) {
       }
     }
     const errorFindings = findings.filter((f) => f.severity === 'warn');
+
+    // v0.13.5: --fix path. When `doctor --ai-config --fix` is invoked
+    // AND warn-severity findings exist, apply the per-finding fix
+    // command (chmod 600 on POSIX; icacls /inheritance:r /grant:r on
+    // Windows). The fix attempt is recorded per-finding so the report
+    // surfaces which fixes landed vs which failed.
+    let fixesApplied = 0;
+    let fixesFailed = 0;
+    if (args.fix && errorFindings.length > 0) {
+      const childProc = require('child_process');
+      for (const f of errorFindings) {
+        if (f.fix_chmod && f.fix_abs_path) {
+          try {
+            fs.chmodSync(f.fix_abs_path, f.fix_chmod);
+            f.fix_status = 'chmod_applied';
+            fixesApplied++;
+          } catch (e) {
+            f.fix_status = 'chmod_failed';
+            f.fix_error = e.message;
+            fixesFailed++;
+          }
+          continue;
+        }
+        if (f.fix_command) {
+          try {
+            childProc.execFileSync(f.fix_command[0], f.fix_command.slice(1), {
+              stdio: ['ignore', 'ignore', 'pipe'],
+              timeout: 5000,
+            });
+            f.fix_status = 'icacls_applied';
+            fixesApplied++;
+          } catch (e) {
+            f.fix_status = 'icacls_failed';
+            f.fix_error = (e && e.message) || String(e);
+            fixesFailed++;
+          }
+        }
+      }
+    }
+
     checks.ai_config = {
-      ok: errorFindings.length === 0,
-      severity: errorFindings.length > 0 ? 'warn' : 'info',
+      ok: errorFindings.length === 0 || (args.fix && fixesFailed === 0),
+      severity: errorFindings.length > 0 && fixesFailed > 0 ? 'warn' : (errorFindings.length > 0 && !args.fix ? 'warn' : 'info'),
       scanned_dirs: scannedDirs,
       scanned_files: scannedFiles,
       directories_inspected: AI_CONFIG_DIRS.map((d) => d.display),
@@ -5553,8 +5677,9 @@ function cmdDoctor(runner, args, runOpts, pretty) {
       findings,
       platform: process.platform,
       control_reference: 'NEW-CTRL-050 (MAL-2026-SHAI-HULUD-OSS lesson)',
+      ...(args.fix ? { fix_applied: fixesApplied, fix_failed: fixesFailed } : {}),
     };
-    if (errorFindings.length > 0) issues.push('ai_config');
+    if (errorFindings.length > 0 && (!args.fix || fixesFailed > 0)) issues.push('ai_config');
   }
 
   // Walk every check and split: errors (severity error/missing/fail) vs warnings
@@ -5685,11 +5810,14 @@ function cmdDoctor(runner, args, runOpts, pretty) {
       ? `skill currency: all green (${c.total_skills ?? "?"} skills)`
       : `skill currency: ${c.stale_skills?.length || "?"} stale, ${c.critical_count ?? 0} critical`
   );
-  mark(checks.cves, c =>
-    c.ok
-      ? `CVE catalog: ${c.total ?? "?"} entries, drift ${c.drift ?? 0}`
-      : `CVE catalog FAILED (exit=${c.exit_code ?? "?"})`
-  );
+  mark(checks.cves, c => {
+    if (!c.ok) return `CVE catalog FAILED (exit=${c.exit_code ?? "?"})`;
+    const total = c.total ?? "?";
+    const breakdown = (c.cve_count != null && c.mal_count != null)
+      ? ` (${c.cve_count} CVE + ${c.mal_count} MAL)`
+      : "";
+    return `CVE catalog: ${total} entries${breakdown}, drift ${c.drift ?? 0}`;
+  });
   mark(checks.rfcs, c =>
     c.ok
       ? `RFC catalog: ${c.total ?? "?"} entries, drift ${c.drift ?? 0}`

package/data/_indexes/_meta.json

@@ -1,21 +1,21 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-18T04:13:12.063Z",
+  "generated_at": "2026-05-18T07:02:32.618Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 54,
   "source_hashes": {
-    "manifest.json": "0d7cc1e5a718515519e81b973126f0fe316ad8252e4c8e04f54934ea575a9b80",
-    "data/atlas-ttps.json": "2b021f47355365d1ba59078dfa582397c7a64c2b4ebea4657ea260a66b76daf6",
-    "data/attack-techniques.json": "76461dbec048c5e072435d57e3a04b780e3992dab9f316b1b52608e0a997e355",
-    "data/cve-catalog.json": "4b8c05074744f9e099c776e0f9c3afd2b978fc52d702bc8805c3b5bfecdbafcb",
+    "manifest.json": "fac154a4d63a13c1289d3498abab8d28433c30b79393e63f49c6a2ce21f7922e",
+    "data/atlas-ttps.json": "c2aee9c70ec24cf48f1ea4daf170aa6e7b93292888239c46a8ec9e522ee32119",
+    "data/attack-techniques.json": "29cd5690040c7153dbf293b7e3a99b72fc897b0495478e369f7ce7004b8d64f4",
+    "data/cve-catalog.json": "b3731361d298483648264215fd8dbfca36d0f4e2ead4aebf7c49718e12038e1f",
     "data/cwe-catalog.json": "4a0036f9ec17af29e0df111ac77b94f8be6a52742bfd89ff3583096d23b75e35",
     "data/d3fend-catalog.json": "a1fc2827ceb344669e148d55197dbf1b0e5b20bcc618e90517639c17d67ee82d",
     "data/dlp-controls.json": "d2406c482dddd30e49203879999dc4b3a7fd4d0494d6a61d86b91ee76415df19",
     "data/exploit-availability.json": "ec2656f0d9a893610e27b43eb6035fe9b18e057c9f6dfaac7e7d4959bbcbb795",
-    "data/framework-control-gaps.json": "994bf3203f3a2c80fe21194d00f67ecffa77b80193ba3f4b046e9d38e7b09f0f",
+    "data/framework-control-gaps.json": "d49c75de55e6e1dabec46e6e975619489a2093b0be53c2a0b654e5c1826fbe46",
     "data/global-frameworks.json": "9ba563a85f7f8d6c3c957de64945e20925a89d0ed6ea6fc561cf093811acf558",
     "data/rfc-references.json": "e253a548c8a829d178d5aea601e268724b85c936ccbfa51c2e5d80c5f8efe2b0",
-    "data/zeroday-lessons.json": "3d4c18977f2100f200e209dc55331931a5d0adc54af35879fc58f1b43deac56f",
+    "data/zeroday-lessons.json": "bb3fec080f649a5968f8d0c6d69ca4d32fb120de0f7d07b1f5058184d4d3ff3a",
     "skills/kernel-lpe-triage/skill.md": "08b3e9815ba481c57c80f5fc0ccbf5bb7cbb41f570c235ba6ff9596b8c07354d",
     "skills/ai-attack-surface/skill.md": "d1361c53c8360999e1ec6a403bcbfaa53d0afc11689e8781d26081196dd079d4",
     "skills/mcp-agent-trust/skill.md": "19a6b54375808e59143070011328d8c936836845bca4a484108738bbef290694",
@@ -72,7 +72,7 @@
       "dlp_refs": 0
     },
     "trigger_table_entries": 538,
-    "chains_cve_entries": 34,
+    "chains_cve_entries": 59,
     "chains_cwe_entries": 55,
     "jurisdictions_indexed": 29,
     "handoff_dag_nodes": 42,

package/data/_indexes/activity-feed.json

@@ -5,6 +5,22 @@
     "event_count": 54
   },
   "events": [
+    {
+      "date": "2026-05-18",
+      "type": "catalog_update",
+      "artifact": "data/cve-catalog.json",
+      "path": "data/cve-catalog.json",
+      "schema_version": "1.0.0",
+      "entry_count": 67
+    },
+    {
+      "date": "2026-05-18",
+      "type": "catalog_update",
+      "artifact": "data/zeroday-lessons.json",
+      "path": "data/zeroday-lessons.json",
+      "schema_version": "1.1.0",
+      "entry_count": 67
+    },
     {
       "date": "2026-05-15",
       "type": "skill_review",
@@ -39,7 +55,7 @@
       "artifact": "data/atlas-ttps.json",
       "path": "data/atlas-ttps.json",
       "schema_version": "1.0.0",
-      "entry_count": 30
+      "entry_count": 33
     },
     {
       "date": "2026-05-15",
@@ -47,7 +63,7 @@
       "artifact": "data/attack-techniques.json",
       "path": "data/attack-techniques.json",
       "schema_version": "1.0.0",
-      "entry_count": 98
+      "entry_count": 106
     },
     {
       "date": "2026-05-15",
@@ -81,14 +97,6 @@
       "schema_version": "1.0.0",
       "entry_count": 41
     },
-    {
-      "date": "2026-05-15",
-      "type": "catalog_update",
-      "artifact": "data/zeroday-lessons.json",
-      "path": "data/zeroday-lessons.json",
-      "schema_version": "1.1.0",
-      "entry_count": 38
-    },
     {
       "date": "2026-05-15",
       "type": "manifest_review",
@@ -96,14 +104,6 @@
       "path": "manifest.json",
       "note": "manifest threat_review_date — 42 skills, 11 catalogs"
     },
-    {
-      "date": "2026-05-13",
-      "type": "catalog_update",
-      "artifact": "data/cve-catalog.json",
-      "path": "data/cve-catalog.json",
-      "schema_version": "1.0.0",
-      "entry_count": 38
-    },
     {
       "date": "2026-05-13",
       "type": "catalog_update",

package/data/_indexes/catalog-summaries.json

@@ -18,7 +18,7 @@
         "rebuild_after_days": 365,
         "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
       },
-      "entry_count": 30,
+      "entry_count": 33,
       "sample_keys": [
         "AML.T0001",
         "AML.T0040",
@@ -40,7 +40,7 @@
         "rebuild_after_days": 365,
         "note": "Catalog must be rebuilt against the upstream ATT&CK release whenever MITRE publishes a new version. AGENTS.md external-data version-pinning rule requires the bump to be intentional, not silent. ATT&CK ships semi-annually (April + October); audit on each release for tactic moves, technique splits, and new Detection Strategies."
       },
-      "entry_count": 98,
+      "entry_count": 106,
       "sample_keys": [
         "T0001",
         "T0017",
@@ -53,7 +53,7 @@
       "path": "data/cve-catalog.json",
       "purpose": "Per-CVE record (CVSS, EPSS, CISA KEV, RWEP, AI-discovery, vendor advisories, framework gaps, ATLAS/ATT&CK mappings). Cross-validated against NVD + CISA KEV + FIRST EPSS via validate-cves.",
       "schema_version": "1.0.0",
-      "last_updated": "2026-05-13",
+      "last_updated": "2026-05-18",
       "tlp": "CLEAR",
       "source_confidence_default": "A1",
       "freshness_policy": {
@@ -62,7 +62,7 @@
         "rebuild_after_days": 365,
         "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
       },
-      "entry_count": 38,
+      "entry_count": 67,
       "sample_keys": [
         "CVE-2025-53773",
         "CVE-2026-30615",
@@ -229,7 +229,7 @@
       "path": "data/zeroday-lessons.json",
       "purpose": "Distilled lessons from notable zero-days and campaigns (SesameOp, Copy Fail, Dirty Frag, Copilot RCE, Windsurf MCP). Each entry: technique, distinguishing characteristic, what it means for the framework lag.",
       "schema_version": "1.1.0",
-      "last_updated": "2026-05-15",
+      "last_updated": "2026-05-18",
       "tlp": "CLEAR",
       "source_confidence_default": "B2",
       "freshness_policy": {
@@ -238,7 +238,7 @@
         "rebuild_after_days": 365,
         "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
       },
-      "entry_count": 38,
+      "entry_count": 67,
       "sample_keys": [
         "CVE-2026-31431",
         "CVE-2025-53773",