@blamejs/exceptd-skills 0.13.41 → 0.13.43

package/AGENTS.md

@@ -372,7 +372,7 @@ This split costs every consumer the same translation work on every invocation. C
 exceptd collect secrets | exceptd run secrets --evidence -
 ```
 
-The collector library is small and grows as playbooks are touched. Ten reference collectors ship today (`lib/collectors/secrets.js`, `lib/collectors/kernel.js`, `lib/collectors/sbom.js`, `lib/collectors/containers.js`, `lib/collectors/library-author.js`, `lib/collectors/crypto-codebase.js`, `lib/collectors/cred-stores.js`, `lib/collectors/hardening.js`, `lib/collectors/runtime.js`, `lib/collectors/ai-api.js`); the rest are written when each playbook needs them. Until a playbook has a collector, the AI/operator owns evidence collection as before.
+The collector library is small and grows as playbooks are touched. Twelve reference collectors ship today (`lib/collectors/secrets.js`, `lib/collectors/kernel.js`, `lib/collectors/sbom.js`, `lib/collectors/containers.js`, `lib/collectors/library-author.js`, `lib/collectors/crypto-codebase.js`, `lib/collectors/cred-stores.js`, `lib/collectors/hardening.js`, `lib/collectors/runtime.js`, `lib/collectors/ai-api.js`, `lib/collectors/mcp.js`, `lib/collectors/crypto.js`); the rest are written when each playbook needs them. Until a playbook has a collector, the AI/operator owns evidence collection as before.
 
 ### Precision target for new `look.artifacts[].source` strings
 

package/CHANGELOG.md

@@ -1,5 +1,21 @@
 # Changelog
 
+## 0.13.43 — 2026-05-21
+
+Twelfth reference collector.
+
+### Features
+
+- **`lib/collectors/crypto.js`** — host crypto-posture collector. Linux-only. Reads `openssl version -a` / `openssl list -kem-algorithms` / `openssl list -signature-algorithms` (execFile-shape spawning, never shell-interpolated), parses `/etc/ssh/sshd_config` + `sshd_config.d/*.conf` with Include expansion (same logic the hardening collector uses), and lists the `/etc/ssl/certs` trust-anchor count. Flips five deterministic indicators: `openssl-pre-3-5` (banner is `OpenSSL < 3.5.0` — pre-native-ML-KEM), `ml-kem-absent` (no `mlkem512` / `mlkem768` / `mlkem1024` in `openssl list -kem-algorithms`), `ml-dsa-slh-dsa-absent` (no `ML-DSA` / `SLH-DSA` / `SPHINCS+` / `Falcon` in `openssl list -signature-algorithms`), `sshd-no-pqc-kex` (`KexAlgorithms` line absent OR present-without `sntrup761x25519` / `mlkem768x25519` / `mlkem1024`), `weak-mac-or-cipher` (`MACs` containing `hmac-md5` / `hmac-sha1` without `-etm`, or `Ciphers` containing `arcfour` / `3des-cbc` / `des-cbc` / `blowfish-cbc`). When openssl exec fails AND `/etc/ssh/sshd_config` is unreadable, the indicators stay out of `signal_overrides` so the runner returns inconclusive — same unflipped-when-unreadable semantics as `hardening` / `runtime`. `tls-no-hybrid-group` (needs a live TLS handshake), `rsa-2048-cert-long-life` (cert content + chain walk; sensitivity-horizon comparison is operator review), and `no-crypto-inventory` (governance) remain AI-driven. Path overrides via `args.paths` for synthetic-tempdir tests.
+
+## 0.13.42 — 2026-05-20
+
+Eleventh reference collector.
+
+### Features
+
+- **`lib/collectors/mcp.js`** — inspects MCP client configurations across Cursor (`~/.cursor/mcp.json`), Claude Code (`~/.config/claude/config.json`, `~/.claude/settings.json`), Windsurf (`~/.codeium/windsurf/mcp_config.json`), VS Code Copilot (`~/.config/Code/User/settings.json`, macOS / Windows variants, project-level `.vscode/settings.json`), and Gemini CLI (`~/.gemini/settings.json`). Flips four deterministic indicators: `mcp-version-without-integrity` (any `mcpServers.<name>.command` / `args` containing `@scope/pkg@X.Y.Z` or `pkg==X.Y.Z` without an `integrity` / `sha256` / `sri` sibling), `copilot-yolo-mode-flag` (`chat.tools.autoApprove: true` at user-global / workspace scope OR any per-server `autoApprove: true|"all"` in `chat.mcp.servers`), `mcp-response-ansi-escape` (any 0x1B byte in MCP tool-response logs under `~/.claude/logs/mcp/*.jsonl`, `~/.cursor/logs/mcp*.{jsonl,log}`, `~/.codeium/windsurf/logs/mcp*`), `mcp-response-unicode-tag-smuggling` (any codepoint in U+E0000..U+E007F in the same log scope). Defers `unsigned-mcp-manifest` (sigstore lookup), `vulnerable-windsurf-version` (install detection), `mcp-server-running-as-root` (ps + capabilities), `mcp-server-invoked-from-ci-pipeline` (process-tree env-var correlation) — out of stdlib scope.
+
 ## 0.13.41 — 2026-05-20
 
 Tenth reference collector.

package/data/_indexes/_meta.json

@@ -1,10 +1,10 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-21T05:59:31.155Z",
+  "generated_at": "2026-05-21T13:39:43.700Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 54,
   "source_hashes": {
-    "manifest.json": "baf6b821336ba74ccafa21f09c510e7f581d3157a1aab19ed282f8d975ed8eec",
+    "manifest.json": "b56fa964197403bfaeba55f1ae97c663bf447852a6fc0e418965a8faf6eb3387",
     "data/atlas-ttps.json": "d296c1d3e71807c9279b731f047e57796e85137f186586743a8cdad214b408f9",
     "data/attack-techniques.json": "49b6010b317edd219def135171ea8f3b1bbf1e00e9c5a08bf7237215ff54e2c3",
     "data/cve-catalog.json": "a09c83af3f9679a7ea73935726a1ff9de2cab94b4ab6321fc017fc147747d7c3",

package/lib/collectors/crypto.js

@@ -0,0 +1,270 @@
+"use strict";
+
+/**
+ * lib/collectors/crypto.js
+ *
+ * Companion collector for the `crypto` playbook. Linux-only. Reads
+ * the host's TLS library state (openssl version + KEM / signature
+ * algorithm catalogues) and sshd_config (effective directives after
+ * Include expansion) to flip post-quantum-readiness indicators.
+ *
+ * Skipped indicators (require operator judgement or live behavioural
+ * data, left unflipped so the runner returns inconclusive rather
+ * than a forced miss):
+ *
+ *   tls-no-hybrid-group         needs a real TLS handshake against
+ *                               a target server
+ *   rsa-2048-cert-long-life     cert content + chain walk; sensitivity-
+ *                               horizon comparison is operator review
+ *   no-crypto-inventory         governance / process indicator
+ *
+ * Interface: see lib/collectors/README.md
+ */
+
+const fs = require("node:fs");
+const path = require("node:path");
+const { spawnSync } = require("node:child_process");
+
+const COLLECTOR_ID = "crypto";
+
+function readFileSafe(p, max = 256 * 1024) {
+  try {
+    const st = fs.statSync(p);
+    if (st.size > max) return null;
+    return fs.readFileSync(p, "utf8");
+  } catch { return null; }
+}
+
+// Same sshd_config Include-expansion logic as the hardening
+// collector: first-match-wins, inline drop-in files in lexical
+// order at the textual position of the `Include` directive.
+function expandSshdConfig(baseContent, configDPath) {
+  if (!baseContent) return "";
+  const out = [];
+  for (const raw of baseContent.split(/\r?\n/)) {
+    const stripped = raw.replace(/#.*$/, "").trim();
+    const m = stripped.match(/^Include\s+(\S+)/i);
+    if (!m) { out.push(raw); continue; }
+    const glob = m[1];
+    let dir = null;
+    if (glob.endsWith("/sshd_config.d/*.conf")) {
+      dir = configDPath;
+    } else {
+      const dirMatch = glob.match(/^(.*)\/\*\.conf$/);
+      if (dirMatch) dir = dirMatch[1];
+    }
+    if (!dir) { out.push(raw); continue; }
+    let entries;
+    try { entries = fs.readdirSync(dir).filter(e => /\.conf$/.test(e)).sort(); }
+    catch { out.push(raw); continue; }
+    for (const e of entries) {
+      const c = readFileSafe(path.join(dir, e));
+      if (c == null) continue;
+      out.push(`# === drop-in: ${e} ===`);
+      out.push(c);
+    }
+  }
+  return out.join("\n");
+}
+
+// First-match-wins parse of KexAlgorithms / MACs / Ciphers /
+// PermitRootLogin from the effective sshd_config content.
+function parseSshdEffective(content) {
+  if (content == null) return { kex: null, macs: null, ciphers: null };
+  const out = { kex: null, macs: null, ciphers: null };
+  for (const raw of content.split(/\r?\n/)) {
+    const line = raw.replace(/#.*$/, "").trim();
+    if (!line) continue;
+    const m1 = line.match(/^KexAlgorithms\s+(\S+)/i);
+    if (m1 && out.kex == null) out.kex = m1[1].toLowerCase();
+    const m2 = line.match(/^MACs\s+(\S+)/i);
+    if (m2 && out.macs == null) out.macs = m2[1].toLowerCase();
+    const m3 = line.match(/^Ciphers\s+(\S+)/i);
+    if (m3 && out.ciphers == null) out.ciphers = m3[1].toLowerCase();
+  }
+  return out;
+}
+
+// Compare OpenSSL banner string against the 3.5.0 native-ML-KEM cutoff.
+// Returns "hit" (< 3.5.0), "miss" (>= 3.5.0), or undefined (banner
+// could not be parsed — collector returns inconclusive).
+function compareOpensslVersion(verStr) {
+  if (!verStr) return undefined;
+  const m = verStr.match(/OpenSSL\s+(\d+)\.(\d+)\.(\d+)/);
+  if (!m) return undefined;
+  const maj = Number(m[1]);
+  const min = Number(m[2]);
+  if (maj < 3) return "hit";
+  if (maj === 3 && min < 5) return "hit";
+  return "miss";
+}
+
+// PQC kex: hit when KexAlgorithms is absent (no PQC by default) OR
+// present-without sntrup761x25519 / mlkem768x25519 / mlkem1024.
+function parsePqcKex(content, hasSshdContent) {
+  if (!hasSshdContent) return undefined;
+  if (content == null) return "hit";
+  return /sntrup761x25519|mlkem768x25519|mlkem1024/.test(content) ? "miss" : "hit";
+}
+
+// Weak mac or cipher: hit when MACs contains hmac-md5 / hmac-sha1
+// (without -etm suffix) OR Ciphers contains arcfour / 3des-cbc /
+// des-cbc / blowfish-cbc / aes-cbc. The playbook treats every CBC
+// mode as weak under modern SSH cipher policy (BEAST / padding
+// oracle / chosen-plaintext considerations) — aes128-cbc /
+// aes192-cbc / aes256-cbc still appear in legacy sshd configs and
+// must be flagged. Both fields absent → undefined (inconclusive).
+function parseWeakMacOrCipher(macs, ciphers) {
+  if (macs == null && ciphers == null) return undefined;
+  const macsWeak = macs && /(?:^|,)(?:hmac-md5(?!-etm)|hmac-sha1(?!-etm))(?:,|$)/.test(macs);
+  const cipherWeak = ciphers && /(?:^|,)(?:aes(?:128|192|256)-cbc|arcfour(?:128|256)?|3des-cbc|des-cbc|blowfish-cbc)(?:,|$)/.test(ciphers);
+  return (macsWeak || cipherWeak) ? "hit" : "miss";
+}
+
+// Either read a path-override fixture (synthetic-tempdir tests) or
+// invoke the named binary via execFile-shape spawning. Never
+// shell-interpolated. ENOENT / EACCES → null; caller surfaces that
+// via collector_errors / unflipped indicators. Some binaries write
+// their banner to stderr (e.g. `ssh -V`); others to stdout
+// (`openssl version`). Prefer stdout, fall back to stderr when
+// stdout is empty so the banner is not lost.
+function readOrSpawn(pathOverride, cmd, args, errors) {
+  if (pathOverride != null) return readFileSafe(pathOverride);
+  const r = spawnSync(cmd, args, {
+    encoding: "utf8",
+    timeout: 5000,
+    stdio: ["ignore", "pipe", "pipe"],
+  });
+  if (r.error) {
+    if (errors) errors.push({ artifact_id: cmd, kind: "spawn_failed", reason: `${cmd}: ${r.error.code || r.error.message}` });
+    return null;
+  }
+  const out = r.stdout || "";
+  const err = r.stderr || "";
+  if (out.length === 0 && err.length === 0) return null;
+  return out.length > 0 ? out : err;
+}
+
+function collect({ cwd = process.cwd(), env = process.env, args = {} } = {}) {
+  const errors = [];
+  const startTime = Date.now();
+  const root = path.resolve(cwd);
+  const paths = args.paths || {};
+  const isLinux = args.forceLinux === true || process.platform === "linux";
+
+  if (!isLinux) {
+    return {
+      precondition_checks: { "linux-platform": false },
+      artifacts: {
+        "openssl-version": { value: "skipped — non-Linux platform", captured: false, reason: `process.platform=${process.platform} (linux required)` },
+        "sshd-config-effective": { value: "skipped — non-Linux platform", captured: false, reason: `process.platform=${process.platform} (linux required)` },
+      },
+      signal_overrides: {},
+      collector_meta: {
+        collector_id: COLLECTOR_ID,
+        collector_version: "2026-05-21",
+        platform: process.platform,
+        captured_at: new Date().toISOString(),
+        cwd: root,
+        duration_ms: Date.now() - startTime,
+      },
+      collector_errors: errors,
+    };
+  }
+
+  // TLS library version + algorithm catalogues.
+  const opensslVer = readOrSpawn(paths.opensslVersionOutput, "openssl", ["version", "-a"], errors);
+  const opensslKem = readOrSpawn(paths.opensslKemOutput, "openssl", ["list", "-kem-algorithms"], errors);
+  const opensslSig = readOrSpawn(paths.opensslSignatureOutput, "openssl", ["list", "-signature-algorithms"], errors);
+  const sshVer = readOrSpawn(paths.sshVersionOutput, "ssh", ["-V"], errors);
+
+  // sshd_config: read base + expand Include directives. The base
+  // can come from a path override (tests stage a synthetic file
+  // tree); otherwise read /etc/ssh/sshd_config directly.
+  const sshdConfigPath = paths.sshdConfig || "/etc/ssh/sshd_config";
+  const sshdConfigDPath = paths.sshdConfigD || "/etc/ssh/sshd_config.d";
+  const sshdBase = readFileSafe(sshdConfigPath);
+  const sshdEffective = sshdBase ? expandSshdConfig(sshdBase, sshdConfigDPath) : null;
+  const sshdParsed = parseSshdEffective(sshdEffective);
+
+  // Flip indicators only when the underlying source was readable.
+  // Unreadable openssl / sshd_config → indicator stays out of
+  // signal_overrides so the runner returns inconclusive rather than
+  // asserting a clean posture without evidence.
+  const signal_overrides = {};
+
+  const verSig = compareOpensslVersion(opensslVer);
+  if (verSig !== undefined) signal_overrides["openssl-pre-3-5"] = verSig;
+
+  if (opensslKem !== null) {
+    const hasMLKEM = /mlkem(?:512|768|1024)/i.test(opensslKem);
+    signal_overrides["ml-kem-absent"] = hasMLKEM ? "miss" : "hit";
+  }
+  if (opensslSig !== null) {
+    const hasPQCsig = /ml-?dsa|slh-?dsa|sphincs|falcon/i.test(opensslSig);
+    signal_overrides["ml-dsa-slh-dsa-absent"] = hasPQCsig ? "miss" : "hit";
+  }
+
+  const kexSig = parsePqcKex(sshdParsed.kex, sshdEffective !== null);
+  if (kexSig !== undefined) signal_overrides["sshd-no-pqc-kex"] = kexSig;
+
+  const weakSig = sshdEffective !== null
+    ? parseWeakMacOrCipher(sshdParsed.macs, sshdParsed.ciphers)
+    : undefined;
+  if (weakSig !== undefined) signal_overrides["weak-mac-or-cipher"] = weakSig;
+
+  // certificate-store: list count of *.pem / *.crt under the
+  // standard trust roots. Path overridable for tests.
+  let certStoreSummary;
+  const certStoreRoot = paths.certStore || "/etc/ssl/certs";
+  try {
+    const certEntries = fs.readdirSync(certStoreRoot).filter(e => /\.(pem|crt)$/i.test(e));
+    certStoreSummary = { value: `${certEntries.length} cert file(s) under ${certStoreRoot}`, captured: true };
+  } catch {
+    certStoreSummary = { value: `${certStoreRoot} unreadable`, captured: false, reason: "trust-anchor directory not readable" };
+  }
+
+  const artifacts = {
+    "openssl-version": opensslVer
+      ? { value: (opensslVer.split(/\r?\n/, 1)[0] || "").trim(), captured: true }
+      : { value: "openssl version banner unavailable", captured: false, reason: "openssl binary missing or non-readable" },
+    "openssl-kem-algorithms": opensslKem !== null
+      ? { value: opensslKem.slice(0, 2048), captured: true }
+      : { value: "openssl list -kem-algorithms unavailable", captured: false, reason: "openssl list exec failed or fixture absent" },
+    "openssl-signature-algorithms": opensslSig !== null
+      ? { value: opensslSig.slice(0, 2048), captured: true }
+      : { value: "openssl list -signature-algorithms unavailable", captured: false, reason: "openssl list exec failed or fixture absent" },
+    "openssl-providers": { value: "not captured by this collector — see openssl-version banner for provider line", captured: false, reason: "openssl list -providers depends on runtime config; deferred to operator evidence" },
+    "ssh-version": sshVer
+      ? { value: sshVer.trim().split(/\r?\n/, 1)[0], captured: true }
+      : { value: "ssh -V unavailable", captured: false, reason: "ssh binary missing or non-readable" },
+    "sshd-config-effective": sshdEffective !== null
+      ? {
+          value: [
+            `KexAlgorithms=${sshdParsed.kex ?? "(unset)"}`,
+            `MACs=${sshdParsed.macs ?? "(unset)"}`,
+            `Ciphers=${sshdParsed.ciphers ?? "(unset)"}`,
+          ].join("; "),
+          captured: true,
+        }
+      : { value: `${sshdConfigPath} unreadable or absent`, captured: false, reason: "no sshd_config — host may not run sshd" },
+    "certificate-store": certStoreSummary,
+  };
+
+  return {
+    precondition_checks: { "linux-platform": true },
+    artifacts,
+    signal_overrides,
+    collector_meta: {
+      collector_id: COLLECTOR_ID,
+      collector_version: "2026-05-21",
+      platform: process.platform,
+      captured_at: new Date().toISOString(),
+      cwd: root,
+      duration_ms: Date.now() - startTime,
+    },
+    collector_errors: errors,
+  };
+}
+
+module.exports = { playbook_id: COLLECTOR_ID, collect };

package/lib/collectors/mcp.js

@@ -0,0 +1,312 @@
+"use strict";
+
+/**
+ * lib/collectors/mcp.js
+ *
+ * Companion collector for the `mcp` playbook. Reads MCP client
+ * config files (Cursor, Claude Code, Windsurf, VS Code Copilot,
+ * Gemini CLI) and tool-response logs, flipping deterministic
+ * indicators related to:
+ *   - mcp-version-without-integrity (pinned version without
+ *     sha256 / sri-integrity sibling)
+ *   - copilot-yolo-mode-flag (chat.tools.autoApprove true)
+ *   - mcp-response-ansi-escape (0x1B in tool response)
+ *   - mcp-response-unicode-tag-smuggling (U+E0000..U+E007F)
+ *
+ * Defers:
+ *   - unsigned-mcp-manifest (needs npm/pip package directory walk
+ *     + sigstore lookup; out of stdlib scope)
+ *   - vulnerable-windsurf-version (needs Windsurf install detection)
+ *   - mcp-server-running-as-root (needs ps + capabilities)
+ *   - mcp-server-invoked-from-ci-pipeline (needs process-tree
+ *     env-var inspection)
+ *
+ * Interface: see lib/collectors/README.md
+ */
+
+const fs = require("node:fs");
+const path = require("node:path");
+const os = require("node:os");
+
+const COLLECTOR_ID = "mcp";
+
+function readSafe(full, max = 1024 * 1024) {
+  try {
+    const s = fs.statSync(full);
+    if (s.size > max) return null;
+    return fs.readFileSync(full, "utf8");
+  } catch { return null; }
+}
+
+function readJson(full) {
+  const c = readSafe(full);
+  if (c == null) return null;
+  try { return JSON.parse(c); } catch { return null; }
+}
+
+function fileExists(full) {
+  try { return fs.statSync(full).isFile(); } catch { return false; }
+}
+
+// Per-vendor config locations. We try each and capture which were
+// present so the artifact field tells the operator what scope the
+// collector actually exercised.
+function vendorConfigPaths(home) {
+  return {
+    cursor: [path.join(home, ".cursor", "mcp.json")],
+    "claude-code": [
+      path.join(home, ".config", "claude", "config.json"),
+      path.join(home, ".claude", "settings.json"),
+    ],
+    windsurf: [path.join(home, ".codeium", "windsurf", "mcp_config.json")],
+    "vscode-copilot": [
+      // user-global locations
+      path.join(home, ".config", "Code", "User", "settings.json"),
+      path.join(home, "Library", "Application Support", "Code", "User", "settings.json"),
+      path.join(home, "AppData", "Roaming", "Code", "User", "settings.json"),
+      path.join(home, ".vscode", "settings.json"),
+    ],
+    gemini: [path.join(home, ".gemini", "settings.json")],
+  };
+}
+
+// Walk mcpServers entries across vendor config shapes. Returns
+// [{ vendor, file, name, command, args }].
+function collectMcpServers(configsByVendor) {
+  const out = [];
+  for (const [vendor, files] of Object.entries(configsByVendor)) {
+    for (const f of files) {
+      const j = readJson(f);
+      if (!j) continue;
+      // Cursor / Claude Code / Windsurf: { mcpServers: { <name>: {...} } }
+      // VS Code Copilot: { chat: { mcp: { servers: { <name>: {...} } } } }
+      // Gemini: { mcpServers: { <name>: {...} } }
+      const containers = [
+        j.mcpServers,
+        j["chat.mcp.servers"],
+        j?.chat?.mcp?.servers,
+      ].filter(c => c && typeof c === "object");
+      for (const c of containers) {
+        for (const [name, entry] of Object.entries(c)) {
+          if (!entry || typeof entry !== "object") continue;
+          out.push({
+            vendor, file: f, name,
+            command: entry.command,
+            args: Array.isArray(entry.args) ? entry.args : [],
+            integrity: entry.integrity || entry.sha256 || entry.sri || null,
+          });
+        }
+      }
+    }
+  }
+  return out;
+}
+
+// A pinned version is the @1.2.3 / @v1.2.3 / =1.2.3 trailer on a
+// package spec in args[] or command. We look for shapes that
+// downstream operators care about: `npx -y @vendor/pkg@1.2.3`,
+// `uvx pkg==1.2.3`, `pip install pkg==1.2.3`, etc.
+function isPinnedNoIntegrity(server) {
+  if (server.integrity) return false;
+  const tokens = [server.command, ...server.args].filter(Boolean);
+  for (const tok of tokens) {
+    if (typeof tok !== "string") continue;
+    // npm package@version (excluding scope name@version)
+    if (/@[A-Za-z0-9_.-]+\/[A-Za-z0-9_.-]+@\d+\.\d+\.\d+\b/.test(tok)) return true;
+    if (/\bpip\s+install\b/.test(tok)) continue;
+    if (/==\d+\.\d+\.\d+/.test(tok)) return true;
+  }
+  return false;
+}
+
+// VS Code yolo-mode flag: chat.tools.autoApprove === true OR any
+// per-tool autoApprove === true.
+function hasYoloMode(j) {
+  if (!j || typeof j !== "object") return false;
+  if (j["chat.tools.autoApprove"] === true) return true;
+  if (j?.chat?.tools?.autoApprove === true) return true;
+  // Per-server autoApprove flags in chat.mcp.servers.<name>.autoApprove
+  const servers = j["chat.mcp.servers"] || j?.chat?.mcp?.servers;
+  if (servers && typeof servers === "object") {
+    for (const e of Object.values(servers)) {
+      if (e && (e.autoApprove === true || e.autoApprove === "all")) return true;
+    }
+  }
+  return false;
+}
+
+// ANSI escape: any 0x1B byte in tool response content.
+function hasAnsiEscape(content) {
+  return content.indexOf("\x1b") !== -1;
+}
+
+// Unicode tag smuggling: codepoints in U+E0000..U+E007F. These are
+// invisible in normal renders but carry instruction-coercion
+// payloads through MCP responses.
+function hasUnicodeTagSmuggling(content) {
+  for (let i = 0; i < content.length; i++) {
+    const code = content.codePointAt(i);
+    if (code >= 0xE0000 && code <= 0xE007F) return true;
+    // Surrogate pair — skip the low surrogate slot.
+    if (code > 0xFFFF) i++;
+  }
+  return false;
+}
+
+function findMcpLogs(home) {
+  // Candidate log directories per vendor. Caller scans each for
+  // *.jsonl / *.log files. Directories like ~/.claude/logs/mcp/ are
+  // already MCP-scoped by path; we accept every log file inside.
+  // Generic log directories (~/.cursor/logs/) are filtered to
+  // filenames containing "mcp".
+  const dirs = [
+    { path: path.join(home, ".claude", "logs", "mcp"), filterByName: false },
+    { path: path.join(home, ".cursor", "logs"), filterByName: true },
+    { path: path.join(home, ".codeium", "windsurf", "logs"), filterByName: true },
+  ];
+  const out = [];
+  for (const { path: d, filterByName } of dirs) {
+    let entries;
+    try { entries = fs.readdirSync(d, { withFileTypes: true }); } catch { continue; }
+    for (const e of entries) {
+      if (!e.isFile()) continue;
+      if (!/\.(jsonl|log)$/i.test(e.name)) continue;
+      if (filterByName && !/mcp/i.test(e.name)) continue;
+      out.push(path.join(d, e.name));
+    }
+  }
+  return out;
+}
+
+function collect({ cwd = process.cwd(), env = process.env, args = {} } = {}) {
+  const errors = [];
+  const startTime = Date.now();
+  const root = path.resolve(cwd);
+  const home = (env && env.HOME) || (env && env.USERPROFILE) || os.homedir();
+
+  // Vendor MCP configs.
+  const configsByVendor = vendorConfigPaths(home);
+  const servers = collectMcpServers(configsByVendor);
+  const pinnedNoIntegrity = servers.filter(isPinnedNoIntegrity);
+
+  // VS Code yolo-mode across the candidate VS Code settings files.
+  let yoloHit = false;
+  let yoloFile = null;
+  for (const f of configsByVendor["vscode-copilot"]) {
+    const j = readJson(f);
+    if (j && hasYoloMode(j)) { yoloHit = true; yoloFile = f; break; }
+  }
+  // Project-level .vscode/settings.json under cwd
+  if (!yoloHit) {
+    const projVsc = path.join(root, ".vscode", "settings.json");
+    const j = readJson(projVsc);
+    if (j && hasYoloMode(j)) { yoloHit = true; yoloFile = projVsc; }
+  }
+
+  // MCP response log scan for ANSI / unicode-tag smuggling.
+  const logFiles = findMcpLogs(home);
+  let ansiHit = false;
+  let unicodeTagHit = false;
+  let ansiSourceFile = null;
+  let unicodeTagSourceFile = null;
+  let logBytesScanned = 0;
+  for (const f of logFiles) {
+    const c = readSafe(f, 4 * 1024 * 1024);
+    if (c == null) continue;
+    logBytesScanned += c.length;
+    if (!ansiHit && hasAnsiEscape(c)) { ansiHit = true; ansiSourceFile = f; }
+    if (!unicodeTagHit && hasUnicodeTagSmuggling(c)) {
+      unicodeTagHit = true; unicodeTagSourceFile = f;
+    }
+    if (ansiHit && unicodeTagHit) break;
+  }
+  const logsScanned = logFiles.length > 0;
+
+  const signal_overrides = {
+    "mcp-version-without-integrity": pinnedNoIntegrity.length > 0 ? "hit" : "miss",
+    "copilot-yolo-mode-flag": yoloHit ? "hit" : "miss",
+  };
+  // ANSI / unicode-tag indicators: only emit when we actually
+  // scanned at least one log file. If no logs exist, leave the
+  // indicators unflipped (the operator may not have enabled MCP
+  // logging — the runner returns inconclusive).
+  if (logsScanned) {
+    signal_overrides["mcp-response-ansi-escape"] = ansiHit ? "hit" : "miss";
+    signal_overrides["mcp-response-unicode-tag-smuggling"] = unicodeTagHit ? "hit" : "miss";
+  }
+
+  const artifacts = {
+    "cursor-mcp-config": {
+      value: fileExists(configsByVendor.cursor[0])
+        ? `${configsByVendor.cursor[0]} present`
+        : "absent",
+      captured: true,
+    },
+    "claude-code-mcp-config": {
+      value: configsByVendor["claude-code"].filter(fileExists).join(", ") || "absent",
+      captured: true,
+    },
+    "windsurf-mcp-config": {
+      value: fileExists(configsByVendor.windsurf[0]) ? "present" : "absent",
+      captured: true,
+    },
+    "vscode-copilot-mcp-config": {
+      value: configsByVendor["vscode-copilot"].filter(fileExists).map(f => path.relative(home, f)).join(", ") || "absent",
+      captured: true,
+    },
+    "gemini-cli-mcp-config": {
+      value: fileExists(configsByVendor.gemini[0]) ? "present" : "absent",
+      captured: true,
+    },
+    "mcp-server-inventory": {
+      value: `${servers.length} server(s) across ${new Set(servers.map(s => s.vendor)).size} vendor(s); ${pinnedNoIntegrity.length} pinned without integrity`,
+      captured: true,
+    },
+    "vscode-copilot-yolo-mode": {
+      value: yoloHit ? `chat.tools.autoApprove flag set in ${path.relative(home, yoloFile || "")}` : "scanned VS Code settings; auto-approve flag not set",
+      captured: true,
+    },
+    "mcp-tool-response-log": {
+      value: logsScanned
+        ? `${logFiles.length} log file(s), ${logBytesScanned} byte(s) scanned; ansi_hit=${ansiHit} (${ansiSourceFile ? path.relative(home, ansiSourceFile) : ""}); unicode_tag_hit=${unicodeTagHit} (${unicodeTagSourceFile ? path.relative(home, unicodeTagSourceFile) : ""})`
+        : "no MCP log files found at the canonical paths",
+      captured: logsScanned,
+      reason: logsScanned ? undefined : "MCP client logging may be disabled; ansi-escape / unicode-tag indicators left unflipped (inconclusive)",
+    },
+    "mcp-process-list": {
+      value: "skipped — process-list capture deferred to operator/AI evidence",
+      captured: false,
+      reason: "mcp-server-running-as-root / mcp-server-invoked-from-ci-pipeline need ps + env-var inspection that's out of stdlib scope",
+    },
+    "mcp-manifest-signatures": {
+      value: "skipped — sigstore lookup deferred to operator/AI evidence",
+      captured: false,
+      reason: "unsigned-mcp-manifest needs package-directory + sigstore-rekor / in-toto attestation lookup that's out of stdlib scope",
+    },
+  };
+
+  return {
+    precondition_checks: {
+      "home-dir-readable": fs.existsSync(home),
+    },
+    artifacts,
+    signal_overrides,
+    collector_meta: {
+      collector_id: COLLECTOR_ID,
+      collector_version: "2026-05-20",
+      platform: process.platform,
+      captured_at: new Date().toISOString(),
+      cwd: root,
+      home,
+      duration_ms: Date.now() - startTime,
+      vendors_with_config: Object.entries(configsByVendor)
+        .filter(([_, files]) => files.some(fileExists))
+        .map(([v]) => v),
+      servers_found: servers.length,
+      logs_scanned: logFiles.length,
+    },
+    collector_errors: errors,
+  };
+}
+
+module.exports = { playbook_id: COLLECTOR_ID, collect };

package/manifest.json

@@ -1,6 +1,6 @@
 {
   "name": "exceptd-security",
-  "version": "0.13.41",
+  "version": "0.13.43",
   "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation",
   "homepage": "https://exceptd.com",
   "license": "Apache-2.0",
@@ -53,7 +53,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "lXhZgoIrrVloO3XaTvo/43AxZn4mwErstd7DR0O/oVhD3AOGODM4HqrageYEou9WKOdMEGP5mJNTjJsXdP5NDA==",
-      "signed_at": "2026-05-21T05:58:40.487Z",
+      "signed_at": "2026-05-21T13:36:49.117Z",
       "cwe_refs": [
         "CWE-125",
         "CWE-362",
@@ -117,7 +117,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "vSVqu4wBm+d68ujZmM6Rto/HzViCkE0gPUcv/MYE/bjFiqamf/s0On4kTOo1KIveV9cOwYNxiItaGEWlVkRFDg==",
-      "signed_at": "2026-05-21T05:58:40.488Z",
+      "signed_at": "2026-05-21T13:36:49.119Z",
       "cwe_refs": [
         "CWE-1039",
         "CWE-1426",
@@ -180,7 +180,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "RIgXKvolQjgJdnlrDnVOd90IOY1B7VHHZD/YJQRzouL+wUeOLclPrdK/EgEuFyiu7lR4bi+Pl6aGB9G9tOxYCQ==",
-      "signed_at": "2026-05-21T05:58:40.489Z",
+      "signed_at": "2026-05-21T13:36:49.119Z",
       "cwe_refs": [
         "CWE-22",
         "CWE-345",
@@ -226,7 +226,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "RYOxeq/o3uTwTWq4H7RcdH2Aclg9UyCERfUH9Frwkzncsowg7LgxpaEDc3swTCv73HMEGbU8wVbXguZ4JxHUCQ==",
-      "signed_at": "2026-05-21T05:58:40.489Z"
+      "signed_at": "2026-05-21T13:36:49.120Z"
     },
     {
       "name": "compliance-theater",
@@ -257,7 +257,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "DneJCPKCPcoe6nQ82XptqSqNfSRdt1orKaO+o7K36YCciDrzwJb+1BuBLusPDtpcdDaGY0y0e+AqiTYJklhBAQ==",
-      "signed_at": "2026-05-21T05:58:40.489Z"
+      "signed_at": "2026-05-21T13:36:49.120Z"
     },
     {
       "name": "exploit-scoring",
@@ -286,7 +286,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "NA1hoQycvQhSUoG5rwlXX0mOVmGxoXRVezkELGEA2nZOdGis4gXkHT3O6Sfw7zxE4JuMrsCb65TEeOWk9WEPDg==",
-      "signed_at": "2026-05-21T05:58:40.490Z"
+      "signed_at": "2026-05-21T13:36:49.121Z"
     },
     {
       "name": "rag-pipeline-security",
@@ -323,7 +323,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "XgrzcA2brPhXrSTxrcLnJec0OpgGYJBoSTUlJ10UdePHffxqb9LTVGnfbmEk1ykQifXREZexui2bG7X/+eFfCQ==",
-      "signed_at": "2026-05-21T05:58:40.490Z",
+      "signed_at": "2026-05-21T13:36:49.121Z",
       "cwe_refs": [
         "CWE-1395",
         "CWE-1426"
@@ -380,7 +380,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "9+hZlZOqZdeACUmamQk66L5levZhhwnFXuYRhdT6Mce99eQaKT7wNfWq12hXQztkRcVRKaFH+a01zwJQwsRQCA==",
-      "signed_at": "2026-05-21T05:58:40.491Z",
+      "signed_at": "2026-05-21T13:36:49.121Z",
       "d3fend_refs": [
         "D3-CA",
         "D3-CSPP",
@@ -415,7 +415,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "ciqhVloMWWXEigPZvvwoV2c54tEqsDqsoc+sS/mNTFFJk2H+tz2+XUrgfEPRuYw0FeyNB6/+27pL2NpKHzUqAg==",
-      "signed_at": "2026-05-21T05:58:40.491Z",
+      "signed_at": "2026-05-21T13:36:49.122Z",
       "cwe_refs": [
         "CWE-1188"
       ]
@@ -443,7 +443,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "xiHAhhdufm9hCKU8PLiPE0MX65ej2F4OZwtlWLGLCiie9/km+Kiqbt192LcMvr94v83C98pb9wIaqFsFWft6AQ==",
-      "signed_at": "2026-05-21T05:58:40.491Z"
+      "signed_at": "2026-05-21T13:36:49.122Z"
     },
     {
       "name": "global-grc",
@@ -475,7 +475,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "oYsSk35N2Uzq7MRofACykylcVwkgPhI4luWZ14vmQT+gUKLyZiKVOUJbe1+7lGl6BYPRN0sUDQ0f7S5Eu5w2Ag==",
-      "signed_at": "2026-05-21T05:58:40.492Z"
+      "signed_at": "2026-05-21T13:36:49.122Z"
     },
     {
       "name": "zeroday-gap-learn",
@@ -502,7 +502,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "igRqYyU1unRFH40BsPyAR62SPrk8QZv8dPGb8S9O9EvLCNOZAzm3t+HdT/NKqzWHwrpomOzkkkyLfYI/0qTUDA==",
-      "signed_at": "2026-05-21T05:58:40.492Z"
+      "signed_at": "2026-05-21T13:36:49.123Z"
     },
     {
       "name": "pqc-first",
@@ -554,7 +554,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "vhc3wuQEro/86s1ro2b/KakUXg8QVnySYTBqA7ebzv9oeR2HYO5bvGEJp3oOHWtL37JDqcCAHYadSN/qxIyCCA==",
-      "signed_at": "2026-05-21T05:58:40.492Z",
+      "signed_at": "2026-05-21T13:36:49.123Z",
       "cwe_refs": [
         "CWE-327"
       ],
@@ -601,7 +601,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "MS35nWm8djfJGn4OOoT0JKJ2aO+Dkbb6wOOWJYvNZlRKT3UGA59o2gxg1JOnD20hb/RwxtkmCujhl2tuYSR+AQ==",
-      "signed_at": "2026-05-21T05:58:40.493Z"
+      "signed_at": "2026-05-21T13:36:49.123Z"
     },
     {
       "name": "security-maturity-tiers",
@@ -638,7 +638,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "8Px1s2lDj10/Q6erwEQlXgUHM1+OTruUR8qAHPX7Oo3k/l69N6P9sm0PsafS9wDFtj9l5C/OiLiFgzMlMt6vBw==",
-      "signed_at": "2026-05-21T05:58:40.493Z",
+      "signed_at": "2026-05-21T13:36:49.124Z",
       "cwe_refs": [
         "CWE-1188"
       ]
@@ -673,7 +673,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-11",
       "signature": "WAu5fRirzSOcnnZsTx2d/JJZwa/LPpXCi+31qATTGLmoNuhyy81k3ooPe9kCM3E0CLMtvTePg9DagYqBninZDQ==",
-      "signed_at": "2026-05-21T05:58:40.493Z"
+      "signed_at": "2026-05-21T13:36:49.124Z"
     },
     {
       "name": "attack-surface-pentest",
@@ -744,7 +744,7 @@
         "PTES revision incorporating AI-surface enumeration"
       ],
       "signature": "7eEwCXFd9pDKUw7yCUbRJSjfzozE44dwwwemCQUPm8JBPztLltibD9bL/RszSbYyCrYJmVb5Drncz2cGe62gCw==",
-      "signed_at": "2026-05-21T05:58:40.493Z"
+      "signed_at": "2026-05-21T13:36:49.124Z"
     },
     {
       "name": "fuzz-testing-strategy",
@@ -804,7 +804,7 @@
         "OSS-Fuzz-Gen / AI-assisted harness generation becoming the default expectation for OSS maintainers"
       ],
       "signature": "Z7ypCUnXx8JpLtgxxB6RHNi39w74AmrGY1N4ofAGCXhkuM2EaFVm1AU0dvl9UQ1bVLfHKEDGqMO/TwlIY7RABg==",
-      "signed_at": "2026-05-21T05:58:40.494Z"
+      "signed_at": "2026-05-21T13:36:49.125Z"
     },
     {
       "name": "dlp-gap-analysis",
@@ -879,7 +879,7 @@
         "Quebec Law 25, India DPDPA, KSA PDPL enforcement actions naming AI-tool prompt data as in-scope personal information"
       ],
       "signature": "fgxG344JGYBWWWwFXZ1IzGipWKP7EyBhrsvsbsb0CCGXfv/MvNHVNI6G0zQddCsWX1JeQbhZT3Vk8v1uJKDTDA==",
-      "signed_at": "2026-05-21T05:58:40.494Z"
+      "signed_at": "2026-05-21T13:36:49.125Z"
     },
     {
       "name": "supply-chain-integrity",
@@ -956,7 +956,7 @@
         "OpenSSF model-signing — emerging Sigstore-based signing standard for ML model weights; track for production adoption"
       ],
       "signature": "pcLrM98A3vUSZRjwNAk0aZ9umvOwB41XCLLsCOy/IebB2F/06oIrGUKkMHtHwm4pTVPShMMcKdZQQ3jz30FnCg==",
-      "signed_at": "2026-05-21T05:58:40.494Z"
+      "signed_at": "2026-05-21T13:36:49.125Z"
     },
     {
       "name": "defensive-countermeasure-mapping",
@@ -1013,7 +1013,7 @@
       ],
       "last_threat_review": "2026-05-11",
       "signature": "gqF8eU3VBrZhO2WnlcqKa7wm1d2mmWtvpbmx0kNCgHojNV+qEt+Ij84RO6bZvaUqhfYPWizWL79Fa4DL0curAQ==",
-      "signed_at": "2026-05-21T05:58:40.495Z"
+      "signed_at": "2026-05-21T13:36:49.126Z"
     },
     {
       "name": "identity-assurance",
@@ -1080,7 +1080,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "Wv5hGMeHjlaQK1zwicVCA7AvdKgJBgvcjdpGM9Ywahh9tagAKhbkOjybowDQZzu7OZ3bDkbh6pBYc1Sdwr6NAA==",
-      "signed_at": "2026-05-21T05:58:40.495Z"
+      "signed_at": "2026-05-21T13:36:49.126Z"
     },
     {
       "name": "ot-ics-security",
@@ -1136,7 +1136,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "8t5qKHd3yWi57dvG36YQkLN/X9bQWqtEiYjay4IfSmqhJpM/xXPaQVKNGz3wscrO8OLKUZ0OaX7Mj5kzpgBKBQ==",
-      "signed_at": "2026-05-21T05:58:40.495Z"
+      "signed_at": "2026-05-21T13:36:49.126Z"
     },
     {
       "name": "coordinated-vuln-disclosure",
@@ -1188,7 +1188,7 @@
         "NYDFS 23 NYCRR 500 amendments potentially adding explicit CVD program requirements"
       ],
       "signature": "GDGt4UPqBa04PjlpSmpyihGzd3OgfBN7jaAK5tfwp+LRSs3ygKOdbeivUCCHNagTY1hE6hG2Ou40ADfBFuXeAg==",
-      "signed_at": "2026-05-21T05:58:40.496Z"
+      "signed_at": "2026-05-21T13:36:49.127Z"
     },
     {
       "name": "threat-modeling-methodology",
@@ -1238,7 +1238,7 @@
         "PASTA v2 updates incorporating AI/ML application threats"
       ],
       "signature": "rFBpOQEJUPpl+v88Lw/WqVJRhTl80vy0VbPAbzQj3Q0suJRRrJg368I9uKu5LXIBKFDvKxnGIcIzbGg9NUtaCA==",
-      "signed_at": "2026-05-21T05:58:40.496Z"
+      "signed_at": "2026-05-21T13:36:49.127Z"
     },
     {
       "name": "webapp-security",
@@ -1312,7 +1312,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "ux85YI4t2mVHOyt744Yin1HHy+z11JIFygjKfFfQOBBl5QVV3A267jeIy7utix85irMcpZm/T3yx/ooqiK2tBA==",
-      "signed_at": "2026-05-21T05:58:40.496Z"
+      "signed_at": "2026-05-21T13:36:49.127Z"
     },
     {
       "name": "ai-risk-management",
@@ -1362,7 +1362,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "IIXnkZ5ZNqFwOto5KfytADTLLZLoyXNZACD1ORZ40P1HUAQxe6u2uyXFzzsfuob4Uy06jNkRGr2FFgCphUH1Cw==",
-      "signed_at": "2026-05-21T05:58:40.497Z"
+      "signed_at": "2026-05-21T13:36:49.128Z"
     },
     {
       "name": "sector-healthcare",
@@ -1422,7 +1422,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "AhF9KF8ZBlDteciV+F8IBSmFVYCvQOn44GmD4rZjgLoPxfIv/QE1/vSkK32zyqDKtHWkLSXExbkkPkxA/V6dDw==",
-      "signed_at": "2026-05-21T05:58:40.497Z"
+      "signed_at": "2026-05-21T13:36:49.128Z"
     },
     {
       "name": "sector-financial",
@@ -1503,7 +1503,7 @@
         "TIBER-EU framework v2.0 alignment with DORA TLPT RTS (JC 2024/40); cross-recognition with CBEST and iCAST"
       ],
       "signature": "HQgZvb4ReziEz5rNFr8i/O8/rJEZR+iHRROT7m/D2QUqhrcNISPkYXENsUZlG8xapzy/Ik92ehkseyj4hdmhCQ==",
-      "signed_at": "2026-05-21T05:58:40.498Z"
+      "signed_at": "2026-05-21T13:36:49.129Z"
     },
     {
       "name": "sector-federal-government",
@@ -1572,7 +1572,7 @@
         "Australia PSPF 2024 revision and ISM quarterly updates — track for Essential Eight Maturity Level requirements for federal entities"
       ],
       "signature": "linxmsXZiOYtcs71sSWgGCrvb8xQfmxmtTY5PRvZJ0/8FgJulo0tQtejzexYG775s7XhjAmGsDP238BQTQ8ADA==",
-      "signed_at": "2026-05-21T05:58:40.498Z"
+      "signed_at": "2026-05-21T13:36:49.129Z"
     },
     {
       "name": "sector-energy",
@@ -1637,7 +1637,7 @@
         "ICS-CERT advisory feed (https://www.cisa.gov/news-events/cybersecurity-advisories/ics-advisories) for vendor CVEs in Siemens, Rockwell, Schneider Electric, ABB, GE Vernova, Hitachi Energy, AVEVA / OSIsoft PI"
       ],
       "signature": "JjBfc0ovta560Clk0x3QGRM5osFJDwcvpy3rT7QEGdCIL827jzE8QCow1C8deXq+4JhY2sA/d7/8IsxikdlkCg==",
-      "signed_at": "2026-05-21T05:58:40.498Z"
+      "signed_at": "2026-05-21T13:36:49.130Z"
     },
     {
       "name": "sector-telecom",
@@ -1723,7 +1723,7 @@
         "O-RAN SFG / WG11 security specifications"
       ],
       "signature": "JWVxKFoKrbX4d+Tko1d4OBdwyg25MfFFKn4CT6E/CzH+YwnU3T6Y76uBQIKg3+gIGTvPduqyvQwQQ5FxKDuPBw==",
-      "signed_at": "2026-05-21T05:58:40.498Z"
+      "signed_at": "2026-05-21T13:36:49.130Z"
     },
     {
       "name": "api-security",
@@ -1792,7 +1792,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "BmCRCestWqr55+fCynEhtAl5NWLT+xLTkpwS0Icp3SaoZOw/ce3Y6TtqjHRSKn4CBJq7YDiLRWxmhO3MStvOAA==",
-      "signed_at": "2026-05-21T05:58:40.499Z"
+      "signed_at": "2026-05-21T13:36:49.130Z"
     },
     {
       "name": "cloud-security",
@@ -1873,7 +1873,7 @@
         "CISA KEV additions for cloud-control-plane CVEs (IMDSv1 abuses, federation token mishandling, cross-tenant boundary failures); CISA Cybersecurity Advisories for cross-cloud advisories"
       ],
       "signature": "/DV3pmZwrRySrk1OCbyI+0BQESacjupJfUX3eC2NGtXuYOBro0vndIP+z27heFxumnjU3a9sfla7/U9X+pqnDw==",
-      "signed_at": "2026-05-21T05:58:40.499Z"
+      "signed_at": "2026-05-21T13:36:49.131Z"
     },
     {
       "name": "container-runtime-security",
@@ -1935,7 +1935,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "E2UGSf9ATyYgzBr8uM/0ubOUmDqo1jVA7f9mVxv6LHfWGCNuQNXDyuNou9VAmUCeeXEeUYIi3AFjXkJqpOkxDA==",
-      "signed_at": "2026-05-21T05:58:40.499Z"
+      "signed_at": "2026-05-21T13:36:49.131Z"
     },
     {
       "name": "mlops-security",
@@ -2006,7 +2006,7 @@
         "MITRE ATLAS v5.6.0 (released February 2026) shipped the AML.T0010 sub-technique expansion this forecast tracked plus new techniques (\"Publish Poisoned AI Agent Tool\", \"Escape to Host\"); inventory now 16 tactics, 84 techniques, 56 sub-techniques. Forward watch: ATLAS v5.5 / v6.0 — track next-cadence updates to agentic-AI TTPs and MLOps-pipeline-specific techniques"
       ],
       "signature": "BGNE6ZQWBA1LmsUFe8tU0L67iGDSrFqiuqaZD2f1KqfcyqqzQfMs9PWNHFzxxaJmXeKlm87eU8lgELF0bX+RBA==",
-      "signed_at": "2026-05-21T05:58:40.500Z"
+      "signed_at": "2026-05-21T13:36:49.131Z"
     },
     {
       "name": "incident-response-playbook",
@@ -2068,7 +2068,7 @@
         "NYDFS 23 NYCRR 500.17 amendments tightening ransom-payment 24h disclosure operationalization"
       ],
       "signature": "FkZQerh3VHVJAwIcCktDyMRh5KE2+Em/i0ek8zEz7JG/PXtQx8ujHWTh3VjZbOLhPNtdB2qxgXOIAYIofaVOAQ==",
-      "signed_at": "2026-05-21T05:58:40.500Z"
+      "signed_at": "2026-05-21T13:36:49.132Z"
     },
     {
       "name": "ransomware-response",
@@ -2148,7 +2148,7 @@
       ],
       "last_threat_review": "2026-05-15",
       "signature": "n3UToNuN3A1HgLvcuqmIx8vrZY71+r/79waK92jG+rSX4uYOzkmxMUpROrE5K9bDwMezNBHdjWv8Uul6zugyDQ==",
-      "signed_at": "2026-05-21T05:58:40.500Z"
+      "signed_at": "2026-05-21T13:36:49.132Z"
     },
     {
       "name": "email-security-anti-phishing",
@@ -2201,7 +2201,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "rK+WnuS+9tqEABmwc0jO/PEmxcLjG1/tmUb897HsClQeKzf+TQOlwBE+OsbtuKxpjYNwur62Xxs3TxObkwm8Cw==",
-      "signed_at": "2026-05-21T05:58:40.501Z"
+      "signed_at": "2026-05-21T13:36:49.132Z"
     },
     {
       "name": "age-gates-child-safety",
@@ -2269,7 +2269,7 @@
         "US state adult-site age-verification laws — 19+ states by mid-2026 (TX HB 18 upheld by SCOTUS June 2025 in Free Speech Coalition v. Paxton); track ongoing challenges in remaining states"
       ],
       "signature": "+OO0RhQ303RJV7kaH38IuZpLeQbapep6Ds4Re/WEZu0FHBwKSlwvF7jbtP7KQ57xldJYn/xZm2jaszyOacMfDg==",
-      "signed_at": "2026-05-21T05:58:40.501Z"
+      "signed_at": "2026-05-21T13:36:49.133Z"
     },
     {
       "name": "cloud-iam-incident",
@@ -2349,7 +2349,7 @@
       ],
       "last_threat_review": "2026-05-15",
       "signature": "e/kij7GtKaytROyIj7V5RH+FC9WtmVFzrmG2kIlNDNn29ep/CRNlIQKwXLpzo/81AIf634pmdr1qy/+vwIuUDA==",
-      "signed_at": "2026-05-21T05:58:40.501Z"
+      "signed_at": "2026-05-21T13:36:49.133Z"
     },
     {
       "name": "idp-incident-response",
@@ -2430,11 +2430,11 @@
       ],
       "last_threat_review": "2026-05-15",
       "signature": "ew9Kglc9fAZzbn0ZIfGP7WSK/j4eV2VhSvpy+s5bEfNEVYIMa2kZjnGBapgUsyGDLes9H9K2ovjQyX17+GKiBw==",
-      "signed_at": "2026-05-21T05:58:40.502Z"
+      "signed_at": "2026-05-21T13:36:49.133Z"
     }
   ],
   "manifest_signature": {
     "algorithm": "Ed25519",
-    "signature_base64": "hR1NLS5mN1goInEizRpPOjO5xkg3wB4zsmciSo3/UIgmS10Qa0WJNTWX52o032ZLC4Dxn4snJ60zlx1vKuvhBQ=="
+    "signature_base64": "fBH0Bn3i2Zd9wSqpmXxFtFMNP/LLblr6K7GqjP5S9M7bObYHCPe9n/+kkPaKFmD8JeFRe5aupw2v42LEY/jQAg=="
   }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/exceptd-skills",
-  "version": "0.13.41",
+  "version": "0.13.43",
   "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 42 skills, 10 catalogs (312 CVEs / 171 CWEs / 805 ATT&CK + ICS / 170 ATLAS / 468 D3FEND / 7476 RFCs), 34 jurisdictions, 10-class catalog gap detector + budget gate, real XML parser + canonical-form diff + content-pattern regression detection, Ed25519-signed.",
   "keywords": [
     "ai-security",

package/sbom.cdx.json

@@ -1,22 +1,22 @@
 {
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:4fd52afb-0580-4176-b3f6-4f7c125d7e1e",
+  "serialNumber": "urn:uuid:84eca508-82ac-48fd-a76a-8da0f63e8cd0",
   "version": 1,
   "metadata": {
-    "timestamp": "2068-06-10T23:17:15.000Z",
+    "timestamp": "2096-09-01T08:34:16.000Z",
     "tools": [
       {
         "vendor": "blamejs",
         "name": "scripts/refresh-sbom.js",
-        "version": "0.13.41"
+        "version": "0.13.43"
       }
     ],
     "component": {
-      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.13.41",
+      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.13.43",
       "type": "application",
       "name": "@blamejs/exceptd-skills",
-      "version": "0.13.41",
+      "version": "0.13.43",
       "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 42 skills, 10 catalogs (312 CVEs / 171 CWEs / 805 ATT&CK + ICS / 170 ATLAS / 468 D3FEND / 7476 RFCs), 34 jurisdictions, 10-class catalog gap detector + budget gate, real XML parser + canonical-form diff + content-pattern regression detection, Ed25519-signed.",
       "licenses": [
         {
@@ -25,17 +25,17 @@
           }
         }
       ],
-      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.13.41",
+      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.13.43",
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "2170da0695dce4c96c204240cfce3133f147737709260c42e828be6778099cf9"
+          "content": "ccd1718b7ea2dde128a031519a09bdea00d381b3a47b615f6e48f743ba584d79"
         }
       ],
       "externalReferences": [
         {
           "type": "distribution",
-          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.13.41"
+          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.13.43"
         },
         {
           "type": "vcs",
@@ -86,11 +86,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "f11900411cb9b38926cd06bd0fc3a5f9a976992e7fd10fc256430c86a01c2ff4"
+          "content": "746ea19ed2019d0b1b838f4a8f2a58ee2b23c51869d52ff28ef5cfad65352d27"
         },
         {
           "alg": "SHA3-512",
-          "content": "7aacca7daeb4c211da11f0bc01844d39601fe2e6d4104653b9ef6ff6f0646261e4d9e1681c789154ed3ca454abf3bc8f255c9bfc741ef2498b2898f144fc5b4a"
+          "content": "c21665a68dd2c69befeec2abef4e884a1337304c46ac1e9e838428cfbccfb5fc80bde52654ad9b6ccb309af97d86903f0c8a17eb8770038b3af6552b66dd4923"
         }
       ]
     },
@@ -116,11 +116,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "25679cb7c885f4c94779172be8505d09229eb9a09b279d95c75b710bc30b8e02"
+          "content": "1e83723db6d7acb8b6b331125e0beeb40632bde827672734274b504feca480c2"
         },
         {
           "alg": "SHA3-512",
-          "content": "7aebbb9fb903f3ec6892214943ce47b894f31800e6cfadcd16b748faa687e71146812c2181003aa9f437cd7b5f80943574319ec974d8a686232bbdeb76bb45ee"
+          "content": "3ccd524f1dbf0d26089d7b9475a15168a387eb76deafb25dc5b93ceec27a30addd30cf59046f1069a712ff07cd817a223de2b356e070f1625a5c357db0a9ed0b"
         }
       ]
     },
@@ -934,6 +934,21 @@
         }
       ]
     },
+    {
+      "bom-ref": "file:lib/collectors/crypto.js",
+      "type": "file",
+      "name": "lib/collectors/crypto.js",
+      "hashes": [
+        {
+          "alg": "SHA-256",
+          "content": "0ffbe135ebd17e6c462b9a569a6ece0472c1ccd3f5ee1385bd6583fd5f65f102"
+        },
+        {
+          "alg": "SHA3-512",
+          "content": "df63bb0ea76f83fe77f1c6ab559bab5948f0e4bf003192760a3bfe39bbf3764f36fcfe9a22ca029011bcc0d8684530f4133cd942ac942facf1c947b8c5b6cf93"
+        }
+      ]
+    },
     {
       "bom-ref": "file:lib/collectors/hardening.js",
       "type": "file",
@@ -979,6 +994,21 @@
         }
       ]
     },
+    {
+      "bom-ref": "file:lib/collectors/mcp.js",
+      "type": "file",
+      "name": "lib/collectors/mcp.js",
+      "hashes": [
+        {
+          "alg": "SHA-256",
+          "content": "1b6f614c62b528e159eb325f2e4326749d89f96add26c2133a63fb3e7746382b"
+        },
+        {
+          "alg": "SHA3-512",
+          "content": "78816fe42de6d9773b91dfd68abba8c8681f099a8a12e300a3f1b0b4e63f8f43cf4c0260e9404df61bbe18c7ae4960ff61e5dc17be61e065ac576a9605b06413"
+        }
+      ]
+    },
     {
       "bom-ref": "file:lib/collectors/runtime.js",
       "type": "file",
@@ -1616,11 +1646,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "baf6b821336ba74ccafa21f09c510e7f581d3157a1aab19ed282f8d975ed8eec"
+          "content": "b56fa964197403bfaeba55f1ae97c663bf447852a6fc0e418965a8faf6eb3387"
         },
         {
           "alg": "SHA3-512",
-          "content": "e0a13900f9bd00255a766fa39d8ae79952c6c4c9cea0798bdacfe943f2b52350e5b0f32b261a850b54d67d2fbe50ed3e0608fd4669f95253bc93da7e1518c895"
+          "content": "7bb61363bcfa3d898bef149c9707ac69c4728b4ac2f826c7f21382519b2c9c268633e8e69c5a062f1ef228d8094471d87981043143cc4f1181acc399de6f2992"
         }
       ]
     },