@blamejs/exceptd-skills 0.13.43 → 0.13.44

package/AGENTS.md

@@ -372,7 +372,7 @@ This split costs every consumer the same translation work on every invocation. C
 exceptd collect secrets | exceptd run secrets --evidence -
 ```
 
-The collector library is small and grows as playbooks are touched. Twelve reference collectors ship today (`lib/collectors/secrets.js`, `lib/collectors/kernel.js`, `lib/collectors/sbom.js`, `lib/collectors/containers.js`, `lib/collectors/library-author.js`, `lib/collectors/crypto-codebase.js`, `lib/collectors/cred-stores.js`, `lib/collectors/hardening.js`, `lib/collectors/runtime.js`, `lib/collectors/ai-api.js`, `lib/collectors/mcp.js`, `lib/collectors/crypto.js`); the rest are written when each playbook needs them. Until a playbook has a collector, the AI/operator owns evidence collection as before.
+The collector library is small and grows as playbooks are touched. Thirteen reference collectors ship today (`lib/collectors/secrets.js`, `lib/collectors/kernel.js`, `lib/collectors/sbom.js`, `lib/collectors/containers.js`, `lib/collectors/library-author.js`, `lib/collectors/crypto-codebase.js`, `lib/collectors/cred-stores.js`, `lib/collectors/hardening.js`, `lib/collectors/runtime.js`, `lib/collectors/ai-api.js`, `lib/collectors/mcp.js`, `lib/collectors/crypto.js`, `lib/collectors/cicd-pipeline-compromise.js`); the rest are written when each playbook needs them. Until a playbook has a collector, the AI/operator owns evidence collection as before.
 
 ### Precision target for new `look.artifacts[].source` strings
 

package/CHANGELOG.md

@@ -1,5 +1,13 @@
 # Changelog
 
+## 0.13.44 — 2026-05-21
+
+Thirteenth reference collector.
+
+### Features
+
+- **`lib/collectors/cicd-pipeline-compromise.js`** — consumer-side CI/CD posture collector. Walks `.github/workflows/*.{yml,yaml}` + `.gitlab-ci.yml` + `.circleci/config.yml`, plus `infra/` / `terraform/` / `policies/` / `.aws/` for OIDC trust JSON. Flips five deterministic indicators: `workflow-injection-sink` (`${{ github.event.* }}` interpolated directly inside a `run:` block without env-var indirection — the canonical GHA script-injection class, covers `pull_request.title` / `pull_request.body` / `issue.title` / `issue.body` / `comment.body` / `head_commit.message` / `review.body`), `pull-request-target-with-pr-checkout` (`on: pull_request_target` + `actions/checkout` referencing `github.event.pull_request.head.sha`, `.head.ref`, or `github.head_ref`), `actions-floating-tag-pin` (any third-party `uses: owner/repo@<ref>` where ref isn't a 40-char hex SHA; first-party `actions/*` excluded per playbook), `wildcarded-oidc-sub-claim` (`"token.actions.githubusercontent.com:sub": "*"` or wildcard repo/branch glob in any OIDC trust JSON under the searched roots), `secret-exposed-to-fork-pr` (`pull_request_target` trigger + any `secrets.*` reference other than `GITHUB_TOKEN` in the same workflow). `self-hosted-runner-non-ephemeral` (needs GitHub API runners list), `runner-scoped-signing-key` (needs HSM/KMS inspection) remain AI-driven.
+
 ## 0.13.43 — 2026-05-21
 
 Twelfth reference collector.

package/data/_indexes/_meta.json

@@ -1,10 +1,10 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-21T13:39:43.700Z",
+  "generated_at": "2026-05-21T14:25:45.130Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 54,
   "source_hashes": {
-    "manifest.json": "b56fa964197403bfaeba55f1ae97c663bf447852a6fc0e418965a8faf6eb3387",
+    "manifest.json": "eee433070d0e766d2ea4810837835afd85d8a36b8307c3b4d66051b083c35f0a",
     "data/atlas-ttps.json": "d296c1d3e71807c9279b731f047e57796e85137f186586743a8cdad214b408f9",
     "data/attack-techniques.json": "49b6010b317edd219def135171ea8f3b1bbf1e00e9c5a08bf7237215ff54e2c3",
     "data/cve-catalog.json": "a09c83af3f9679a7ea73935726a1ff9de2cab94b4ab6321fc017fc147747d7c3",

package/lib/collectors/cicd-pipeline-compromise.js

@@ -0,0 +1,340 @@
+"use strict";
+
+/**
+ * lib/collectors/cicd-pipeline-compromise.js
+ *
+ * Companion collector for the `cicd-pipeline-compromise` playbook.
+ * Consumer-side CI/CD posture: walks .github/workflows/*.yml,
+ * .gitlab-ci.yml, .circleci/config.yml, and the project's
+ * infra/terraform/policies dirs for OIDC trust JSON. Flips
+ * deterministic indicators that detect the published-Action and
+ * fork-PR attack classes documented in the playbook.
+ *
+ * Skipped indicators (require GitHub API or HSM/KMS access, left
+ * unflipped so the runner returns inconclusive):
+ *
+ *   self-hosted-runner-non-ephemeral    needs GitHub API (runners list)
+ *   runner-scoped-signing-key           needs HSM/KMS inspection
+ *
+ * Interface: see lib/collectors/README.md
+ */
+
+const fs = require("node:fs");
+const path = require("node:path");
+
+const COLLECTOR_ID = "cicd-pipeline-compromise";
+
+function readSafe(p, max = 512 * 1024) {
+  try {
+    const s = fs.statSync(p);
+    if (s.size > max) return null;
+    return fs.readFileSync(p, "utf8");
+  } catch { return null; }
+}
+
+function walkWorkflows(root) {
+  const out = [];
+  const wfDir = path.join(root, ".github", "workflows");
+  if (fs.existsSync(wfDir)) {
+    let entries;
+    try { entries = fs.readdirSync(wfDir, { withFileTypes: true }); }
+    catch { entries = []; }
+    for (const e of entries) {
+      if (!e.isFile()) continue;
+      if (!/\.(ya?ml)$/i.test(e.name)) continue;
+      const full = path.join(wfDir, e.name);
+      const content = readSafe(full);
+      if (content != null) out.push({ full, rel: path.relative(root, full).replace(/\\/g, "/"), content });
+    }
+  }
+  // Also recognise the most common single-file CI YAMLs at repo root.
+  for (const top of [".gitlab-ci.yml", ".circleci/config.yml"]) {
+    const full = path.join(root, top);
+    if (fs.existsSync(full)) {
+      const content = readSafe(full);
+      if (content != null) out.push({ full, rel: top, content });
+    }
+  }
+  return out;
+}
+
+// `on:` trigger detection. Workflows declare triggers via four
+// canonical YAML shapes:
+//   - scalar:     `on: push`
+//   - inline list: `on: [push, pull_request_target]`
+//   - block list:  `on:\n  - push\n  - pull_request_target`
+//   - mapping:     `on:\n  push:\n  pull_request_target:`
+// Heuristic accepts all four.
+function workflowHasTrigger(content, name) {
+  if (new RegExp(`^\\s*on:\\s*['"]?${name}['"]?\\s*(?:#.*)?$`, "m").test(content)) return true;
+  const listMatch = content.match(/^\s*on:\s*\[([^\]]*)\]/m);
+  if (listMatch && new RegExp(`(?:^|,)\\s*['"]?${name}['"]?\\s*(?:,|$)`).test(listMatch[1])) return true;
+  // block list AND mapping forms both follow `on:\n` with indented
+  // continuation lines. Capture the block and inspect for either
+  // `- <name>` (list) or `<name>:` (mapping) within it.
+  const blockMatch = content.match(/^\s*on:\s*\n((?:[ \t]+[^\n]+\n?)+)/m);
+  if (blockMatch) {
+    if (new RegExp(`^[ \\t]+-\\s+['"]?${name}['"]?\\s*(?:#.*)?\\s*$`, "m").test(blockMatch[1])) return true;
+    if (new RegExp(`^[ \\t]+${name}:`, "m").test(blockMatch[1])) return true;
+  }
+  return false;
+}
+
+// Find `actions/checkout` step blocks and return true when any one
+// of them carries a `ref:` line referencing the PR head. Each step
+// block is delimited by the next sibling `- ` at the same
+// indentation (or de-indented line, meaning we've left steps[]).
+// Binding the ref match to the checkout step prevents false hits
+// when another unrelated step references the PR head while the
+// actual checkout is safely fetching the base ref.
+function checkoutBindsPrHead(content) {
+  const lines = content.split(/\r?\n/);
+  for (let i = 0; i < lines.length; i++) {
+    const m = lines[i].match(/^(\s*-\s+)uses:\s*['"]?actions\/checkout@/);
+    if (!m) continue;
+    const baseIndent = m[1].length;
+    let blockEnd = lines.length;
+    for (let j = i + 1; j < lines.length; j++) {
+      const line = lines[j];
+      if (line.trim() === "") continue;
+      const indentM = line.match(/^(\s*)\S/);
+      if (!indentM) continue;
+      const indent = indentM[1].length;
+      // Next sibling step starts with `-` at the same indent, or
+      // any line de-indented past the step base ends the block.
+      if (indent < baseIndent) { blockEnd = j; break; }
+      if (indent === baseIndent && line.trim().startsWith("- ")) { blockEnd = j; break; }
+    }
+    const block = lines.slice(i, blockEnd).join("\n");
+    if (/ref:\s*['"]?\$\{\{\s*github\.event\.pull_request\.head\.(?:sha|ref)/m.test(block) ||
+        /ref:\s*['"]?\$\{\{\s*github\.head_ref\s*\}\}/m.test(block)) {
+      return true;
+    }
+  }
+  return false;
+}
+
+function scanWorkflow(content, rel) {
+  const hits = {
+    "workflow-injection-sink": [],
+    "pull-request-target-with-pr-checkout": [],
+    "actions-floating-tag-pin": [],
+    "secret-exposed-to-fork-pr": [],
+  };
+
+  const hasPRTarget = workflowHasTrigger(content, "pull_request_target");
+  const hasIssueComment = workflowHasTrigger(content, "issue_comment");
+
+  // pull-request-target-with-pr-checkout: PRT trigger AND the
+  // PR-head ref reference is bound to an actions/checkout step
+  // (not to an unrelated step that happens to read head_ref).
+  if (hasPRTarget && checkoutBindsPrHead(content)) {
+    hits["pull-request-target-with-pr-checkout"].push({ file: rel, snippet: "pull_request_target trigger + checkout of PR head" });
+  }
+
+  // workflow-injection-sink: ${{ github.event.<title|body|...> }}
+  // interpolated directly inside a `run:` block. Conservative form:
+  // file-wide presence of one of the dangerous expressions AND the
+  // expression appears outside an `env:` mapping context that would
+  // have made it safe.
+  if (hasPRTarget || hasIssueComment || workflowHasTrigger(content, "pull_request")) {
+    const dangerousExprs = [
+      /\$\{\{\s*github\.event\.pull_request\.(?:title|body|head\.ref)\s*\}\}/,
+      /\$\{\{\s*github\.event\.issue\.(?:title|body)\s*\}\}/,
+      /\$\{\{\s*github\.event\.comment\.body\s*\}\}/,
+      /\$\{\{\s*github\.event\.head_commit\.message\s*\}\}/,
+      /\$\{\{\s*github\.event\.review\.body\s*\}\}/,
+    ];
+    const lines = content.split(/\r?\n/);
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      // Quick filter: dangerous expression on this line?
+      const matchedExpr = dangerousExprs.find(re => re.test(line));
+      if (!matchedExpr) continue;
+      // If the dangerous expr is inside an `env:` mapping (key: value
+      // shape on a YAML env block), the shell sees it as a variable
+      // and it's not an injection sink. Walk back up to 3 lines to
+      // find the nearest preceding YAML key indicator.
+      const ctx = lines.slice(Math.max(0, i - 3), i + 1).join("\n");
+      const isEnvBinding = /^\s+[A-Z_][A-Z0-9_]*:\s*['"]?\$\{\{\s*github\.event/m.test(ctx);
+      // Detect `run:` proximity. The expression must land inside a
+      // run-block; otherwise it's an `env:` binding or `with:` arg.
+      const inRun = /^\s+run:/m.test(ctx) || /^\s+\|/m.test(ctx) || lines[i].trim().startsWith("- run:");
+      if (inRun && !isEnvBinding) {
+        hits["workflow-injection-sink"].push({ file: rel, line: i + 1, snippet: line.trim().slice(0, 160) });
+        break;
+      }
+    }
+  }
+
+  // actions-floating-tag-pin: `uses: <owner>/<repo>@<ref>` where ref
+  // isn't a 40-char hex SHA AND owner isn't `actions` (first-party
+  // GitHub repos excluded by the playbook predicate). Excludes local
+  // composite actions (`uses: ./`).
+  const lines2 = content.split(/\r?\n/);
+  for (let i = 0; i < lines2.length; i++) {
+    const m = lines2[i].match(/^\s*-?\s*uses:\s*['"]?([^'"\s#]+)['"]?/);
+    if (!m) continue;
+    const refStr = m[1];
+    if (refStr.startsWith("./") || refStr.startsWith("docker://")) continue;
+    const atIdx = refStr.lastIndexOf("@");
+    if (atIdx === -1) continue;
+    const slash = refStr.indexOf("/");
+    if (slash === -1) continue;
+    const owner = refStr.slice(0, slash);
+    if (owner === "actions") continue; // first-party
+    const rev = refStr.slice(atIdx + 1);
+    if (!/^[0-9a-f]{40}$/i.test(rev)) {
+      hits["actions-floating-tag-pin"].push({ file: rel, line: i + 1, snippet: lines2[i].trim() });
+    }
+  }
+
+  // secret-exposed-to-fork-pr: pull_request_target trigger + the
+  // workflow references `secrets.X` for any X other than GITHUB_TOKEN.
+  // Pull-request-from-forks (without target) requires runtime info
+  // to detect fork status — left to operator evidence.
+  if (hasPRTarget) {
+    const secretsRefs = content.match(/\$\{\{\s*secrets\.([A-Z_][A-Z0-9_]*)\s*\}\}/g) || [];
+    const nonDefault = secretsRefs.filter(r => !/secrets\.GITHUB_TOKEN/.test(r));
+    if (nonDefault.length > 0) {
+      hits["secret-exposed-to-fork-pr"].push({ file: rel, snippet: `pull_request_target + ${nonDefault.length} secrets.* reference(s)` });
+    }
+  }
+
+  return hits;
+}
+
+function scanOidcPolicies(root) {
+  // Walk infra/ + terraform/ + policies/ (depth 4) for *.json that
+  // names token.actions.githubusercontent.com AND has a wildcarded
+  // sub-claim. The playbook lists `repo:<org>/*:*`, `repo:*:*`, and
+  // bare `*` as wildcard shapes.
+  const rootDirs = ["infra", "terraform", "policies", ".aws", ".github"].map(d => path.join(root, d));
+  const finds = [];
+  function walk(dir, depth) {
+    if (depth > 4 || finds.length > 5) return;
+    let entries;
+    try { entries = fs.readdirSync(dir, { withFileTypes: true }); }
+    catch { return; }
+    for (const e of entries) {
+      if (e.name === "node_modules" || e.name === ".git") continue;
+      const full = path.join(dir, e.name);
+      if (e.isDirectory()) { walk(full, depth + 1); continue; }
+      if (!e.isFile() || !/\.json$/i.test(e.name)) continue;
+      const text = readSafe(full);
+      if (!text) continue;
+      if (!/token\.actions\.githubusercontent\.com/.test(text)) continue;
+      // sub-claim wildcards. Cover the three shapes the playbook lists.
+      const subWildcard =
+        /"token\.actions\.githubusercontent\.com:sub"\s*:\s*"\*"/.test(text) ||
+        /"token\.actions\.githubusercontent\.com:sub"\s*:\s*"repo:\*[^"]*"/.test(text) ||
+        /"token\.actions\.githubusercontent\.com:sub"\s*:\s*"repo:[^"]*\/\*:[^"]*"/.test(text);
+      if (subWildcard) finds.push({ file: path.relative(root, full).replace(/\\/g, "/"), snippet: "OIDC sub-claim wildcarded across repos or branches" });
+    }
+  }
+  for (const rd of rootDirs) if (fs.existsSync(rd)) walk(rd, 0);
+  return finds;
+}
+
+function collect({ cwd = process.cwd(), env = process.env, args = {} } = {}) {
+  const errors = [];
+  const startTime = Date.now();
+  const root = path.resolve(cwd);
+
+  // cwd-is-repo precondition: .git directory present. Outside a
+  // repo we have no workflows / no OIDC trust JSON to walk.
+  const cwdIsRepo = fs.existsSync(path.join(root, ".git"));
+  if (!cwdIsRepo) {
+    return {
+      precondition_checks: { "cwd-is-repo": false },
+      artifacts: {
+        "workflow-yaml-inventory": { value: "skipped — cwd is not a git repository", captured: false, reason: "no .git directory at cwd" },
+      },
+      signal_overrides: {},
+      collector_meta: {
+        collector_id: COLLECTOR_ID,
+        collector_version: "2026-05-21",
+        platform: process.platform,
+        captured_at: new Date().toISOString(),
+        cwd: root,
+        duration_ms: Date.now() - startTime,
+      },
+      collector_errors: errors,
+    };
+  }
+
+  const workflows = walkWorkflows(root);
+  const aggregateHits = {
+    "workflow-injection-sink": [],
+    "pull-request-target-with-pr-checkout": [],
+    "actions-floating-tag-pin": [],
+    "secret-exposed-to-fork-pr": [],
+  };
+  for (const w of workflows) {
+    const h = scanWorkflow(w.content, w.rel);
+    for (const [k, v] of Object.entries(h)) aggregateHits[k].push(...v);
+  }
+
+  const oidcWildcards = scanOidcPolicies(root);
+
+  const signal_overrides = {
+    "workflow-injection-sink": aggregateHits["workflow-injection-sink"].length > 0 ? "hit" : "miss",
+    "pull-request-target-with-pr-checkout": aggregateHits["pull-request-target-with-pr-checkout"].length > 0 ? "hit" : "miss",
+    "actions-floating-tag-pin": aggregateHits["actions-floating-tag-pin"].length > 0 ? "hit" : "miss",
+    "secret-exposed-to-fork-pr": aggregateHits["secret-exposed-to-fork-pr"].length > 0 ? "hit" : "miss",
+    "wildcarded-oidc-sub-claim": oidcWildcards.length > 0 ? "hit" : "miss",
+  };
+
+  const artifacts = {
+    "workflow-yaml-inventory": {
+      value: workflows.length ? workflows.map(w => w.rel).join(", ") : "no workflow files found at cwd",
+      captured: true,
+    },
+    "oidc-trust-policy-inventory": {
+      value: oidcWildcards.length
+        ? `${oidcWildcards.length} wildcarded sub-claim(s): ${oidcWildcards.map(f => f.file).join(", ")}`
+        : "no wildcarded OIDC sub-claim found in infra / terraform / policies",
+      captured: true,
+    },
+    "actions-sha-pinning": {
+      value: `${aggregateHits["actions-floating-tag-pin"].length} non-SHA third-party uses: reference(s) across ${workflows.length} workflow(s)`,
+      captured: true,
+    },
+    "fork-pr-workflow-exposure": {
+      value: `${aggregateHits["pull-request-target-with-pr-checkout"].length} workflow(s) check out PR head under pull_request_target`,
+      captured: true,
+    },
+    "runner-secrets-inventory": {
+      value: `${aggregateHits["secret-exposed-to-fork-pr"].length} workflow(s) reference non-default secrets under pull_request_target`,
+      captured: true,
+    },
+    "self-hosted-runner-registrations": {
+      value: "not captured by this collector — requires GitHub API (runners list)",
+      captured: false,
+      reason: "GH runners API access needed; deferred to operator evidence",
+    },
+    "signing-key-locations": {
+      value: "not captured by this collector — requires HSM/KMS or runtime inspection",
+      captured: false,
+      reason: "HSM/KMS access needed; deferred to operator evidence",
+    },
+  };
+
+  return {
+    precondition_checks: { "cwd-is-repo": true },
+    artifacts,
+    signal_overrides,
+    collector_meta: {
+      collector_id: COLLECTOR_ID,
+      collector_version: "2026-05-21",
+      platform: process.platform,
+      captured_at: new Date().toISOString(),
+      cwd: root,
+      duration_ms: Date.now() - startTime,
+      workflows_scanned: workflows.length,
+    },
+    collector_errors: errors,
+  };
+}
+
+module.exports = { playbook_id: COLLECTOR_ID, collect };

package/manifest.json

@@ -1,6 +1,6 @@
 {
   "name": "exceptd-security",
-  "version": "0.13.43",
+  "version": "0.13.44",
   "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation",
   "homepage": "https://exceptd.com",
   "license": "Apache-2.0",
@@ -53,7 +53,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "lXhZgoIrrVloO3XaTvo/43AxZn4mwErstd7DR0O/oVhD3AOGODM4HqrageYEou9WKOdMEGP5mJNTjJsXdP5NDA==",
-      "signed_at": "2026-05-21T13:36:49.117Z",
+      "signed_at": "2026-05-21T14:14:25.595Z",
       "cwe_refs": [
         "CWE-125",
         "CWE-362",
@@ -117,7 +117,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "vSVqu4wBm+d68ujZmM6Rto/HzViCkE0gPUcv/MYE/bjFiqamf/s0On4kTOo1KIveV9cOwYNxiItaGEWlVkRFDg==",
-      "signed_at": "2026-05-21T13:36:49.119Z",
+      "signed_at": "2026-05-21T14:14:25.597Z",
       "cwe_refs": [
         "CWE-1039",
         "CWE-1426",
@@ -180,7 +180,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "RIgXKvolQjgJdnlrDnVOd90IOY1B7VHHZD/YJQRzouL+wUeOLclPrdK/EgEuFyiu7lR4bi+Pl6aGB9G9tOxYCQ==",
-      "signed_at": "2026-05-21T13:36:49.119Z",
+      "signed_at": "2026-05-21T14:14:25.598Z",
       "cwe_refs": [
         "CWE-22",
         "CWE-345",
@@ -226,7 +226,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "RYOxeq/o3uTwTWq4H7RcdH2Aclg9UyCERfUH9Frwkzncsowg7LgxpaEDc3swTCv73HMEGbU8wVbXguZ4JxHUCQ==",
-      "signed_at": "2026-05-21T13:36:49.120Z"
+      "signed_at": "2026-05-21T14:14:25.598Z"
     },
     {
       "name": "compliance-theater",
@@ -257,7 +257,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "DneJCPKCPcoe6nQ82XptqSqNfSRdt1orKaO+o7K36YCciDrzwJb+1BuBLusPDtpcdDaGY0y0e+AqiTYJklhBAQ==",
-      "signed_at": "2026-05-21T13:36:49.120Z"
+      "signed_at": "2026-05-21T14:14:25.599Z"
     },
     {
       "name": "exploit-scoring",
@@ -286,7 +286,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "NA1hoQycvQhSUoG5rwlXX0mOVmGxoXRVezkELGEA2nZOdGis4gXkHT3O6Sfw7zxE4JuMrsCb65TEeOWk9WEPDg==",
-      "signed_at": "2026-05-21T13:36:49.121Z"
+      "signed_at": "2026-05-21T14:14:25.599Z"
     },
     {
       "name": "rag-pipeline-security",
@@ -323,7 +323,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "XgrzcA2brPhXrSTxrcLnJec0OpgGYJBoSTUlJ10UdePHffxqb9LTVGnfbmEk1ykQifXREZexui2bG7X/+eFfCQ==",
-      "signed_at": "2026-05-21T13:36:49.121Z",
+      "signed_at": "2026-05-21T14:14:25.600Z",
       "cwe_refs": [
         "CWE-1395",
         "CWE-1426"
@@ -380,7 +380,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "9+hZlZOqZdeACUmamQk66L5levZhhwnFXuYRhdT6Mce99eQaKT7wNfWq12hXQztkRcVRKaFH+a01zwJQwsRQCA==",
-      "signed_at": "2026-05-21T13:36:49.121Z",
+      "signed_at": "2026-05-21T14:14:25.600Z",
       "d3fend_refs": [
         "D3-CA",
         "D3-CSPP",
@@ -415,7 +415,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "ciqhVloMWWXEigPZvvwoV2c54tEqsDqsoc+sS/mNTFFJk2H+tz2+XUrgfEPRuYw0FeyNB6/+27pL2NpKHzUqAg==",
-      "signed_at": "2026-05-21T13:36:49.122Z",
+      "signed_at": "2026-05-21T14:14:25.600Z",
       "cwe_refs": [
         "CWE-1188"
       ]
@@ -443,7 +443,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "xiHAhhdufm9hCKU8PLiPE0MX65ej2F4OZwtlWLGLCiie9/km+Kiqbt192LcMvr94v83C98pb9wIaqFsFWft6AQ==",
-      "signed_at": "2026-05-21T13:36:49.122Z"
+      "signed_at": "2026-05-21T14:14:25.601Z"
     },
     {
       "name": "global-grc",
@@ -475,7 +475,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "oYsSk35N2Uzq7MRofACykylcVwkgPhI4luWZ14vmQT+gUKLyZiKVOUJbe1+7lGl6BYPRN0sUDQ0f7S5Eu5w2Ag==",
-      "signed_at": "2026-05-21T13:36:49.122Z"
+      "signed_at": "2026-05-21T14:14:25.601Z"
     },
     {
       "name": "zeroday-gap-learn",
@@ -502,7 +502,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "igRqYyU1unRFH40BsPyAR62SPrk8QZv8dPGb8S9O9EvLCNOZAzm3t+HdT/NKqzWHwrpomOzkkkyLfYI/0qTUDA==",
-      "signed_at": "2026-05-21T13:36:49.123Z"
+      "signed_at": "2026-05-21T14:14:25.602Z"
     },
     {
       "name": "pqc-first",
@@ -554,7 +554,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "vhc3wuQEro/86s1ro2b/KakUXg8QVnySYTBqA7ebzv9oeR2HYO5bvGEJp3oOHWtL37JDqcCAHYadSN/qxIyCCA==",
-      "signed_at": "2026-05-21T13:36:49.123Z",
+      "signed_at": "2026-05-21T14:14:25.602Z",
       "cwe_refs": [
         "CWE-327"
       ],
@@ -601,7 +601,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "MS35nWm8djfJGn4OOoT0JKJ2aO+Dkbb6wOOWJYvNZlRKT3UGA59o2gxg1JOnD20hb/RwxtkmCujhl2tuYSR+AQ==",
-      "signed_at": "2026-05-21T13:36:49.123Z"
+      "signed_at": "2026-05-21T14:14:25.603Z"
     },
     {
       "name": "security-maturity-tiers",
@@ -638,7 +638,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "8Px1s2lDj10/Q6erwEQlXgUHM1+OTruUR8qAHPX7Oo3k/l69N6P9sm0PsafS9wDFtj9l5C/OiLiFgzMlMt6vBw==",
-      "signed_at": "2026-05-21T13:36:49.124Z",
+      "signed_at": "2026-05-21T14:14:25.604Z",
       "cwe_refs": [
         "CWE-1188"
       ]
@@ -673,7 +673,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-11",
       "signature": "WAu5fRirzSOcnnZsTx2d/JJZwa/LPpXCi+31qATTGLmoNuhyy81k3ooPe9kCM3E0CLMtvTePg9DagYqBninZDQ==",
-      "signed_at": "2026-05-21T13:36:49.124Z"
+      "signed_at": "2026-05-21T14:14:25.604Z"
     },
     {
       "name": "attack-surface-pentest",
@@ -744,7 +744,7 @@
         "PTES revision incorporating AI-surface enumeration"
       ],
       "signature": "7eEwCXFd9pDKUw7yCUbRJSjfzozE44dwwwemCQUPm8JBPztLltibD9bL/RszSbYyCrYJmVb5Drncz2cGe62gCw==",
-      "signed_at": "2026-05-21T13:36:49.124Z"
+      "signed_at": "2026-05-21T14:14:25.604Z"
     },
     {
       "name": "fuzz-testing-strategy",
@@ -804,7 +804,7 @@
         "OSS-Fuzz-Gen / AI-assisted harness generation becoming the default expectation for OSS maintainers"
       ],
       "signature": "Z7ypCUnXx8JpLtgxxB6RHNi39w74AmrGY1N4ofAGCXhkuM2EaFVm1AU0dvl9UQ1bVLfHKEDGqMO/TwlIY7RABg==",
-      "signed_at": "2026-05-21T13:36:49.125Z"
+      "signed_at": "2026-05-21T14:14:25.605Z"
     },
     {
       "name": "dlp-gap-analysis",
@@ -879,7 +879,7 @@
         "Quebec Law 25, India DPDPA, KSA PDPL enforcement actions naming AI-tool prompt data as in-scope personal information"
       ],
       "signature": "fgxG344JGYBWWWwFXZ1IzGipWKP7EyBhrsvsbsb0CCGXfv/MvNHVNI6G0zQddCsWX1JeQbhZT3Vk8v1uJKDTDA==",
-      "signed_at": "2026-05-21T13:36:49.125Z"
+      "signed_at": "2026-05-21T14:14:25.605Z"
     },
     {
       "name": "supply-chain-integrity",
@@ -956,7 +956,7 @@
         "OpenSSF model-signing — emerging Sigstore-based signing standard for ML model weights; track for production adoption"
       ],
       "signature": "pcLrM98A3vUSZRjwNAk0aZ9umvOwB41XCLLsCOy/IebB2F/06oIrGUKkMHtHwm4pTVPShMMcKdZQQ3jz30FnCg==",
-      "signed_at": "2026-05-21T13:36:49.125Z"
+      "signed_at": "2026-05-21T14:14:25.605Z"
     },
     {
       "name": "defensive-countermeasure-mapping",
@@ -1013,7 +1013,7 @@
       ],
       "last_threat_review": "2026-05-11",
       "signature": "gqF8eU3VBrZhO2WnlcqKa7wm1d2mmWtvpbmx0kNCgHojNV+qEt+Ij84RO6bZvaUqhfYPWizWL79Fa4DL0curAQ==",
-      "signed_at": "2026-05-21T13:36:49.126Z"
+      "signed_at": "2026-05-21T14:14:25.606Z"
     },
     {
       "name": "identity-assurance",
@@ -1080,7 +1080,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "Wv5hGMeHjlaQK1zwicVCA7AvdKgJBgvcjdpGM9Ywahh9tagAKhbkOjybowDQZzu7OZ3bDkbh6pBYc1Sdwr6NAA==",
-      "signed_at": "2026-05-21T13:36:49.126Z"
+      "signed_at": "2026-05-21T14:14:25.606Z"
     },
     {
       "name": "ot-ics-security",
@@ -1136,7 +1136,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "8t5qKHd3yWi57dvG36YQkLN/X9bQWqtEiYjay4IfSmqhJpM/xXPaQVKNGz3wscrO8OLKUZ0OaX7Mj5kzpgBKBQ==",
-      "signed_at": "2026-05-21T13:36:49.126Z"
+      "signed_at": "2026-05-21T14:14:25.606Z"
     },
     {
       "name": "coordinated-vuln-disclosure",
@@ -1188,7 +1188,7 @@
         "NYDFS 23 NYCRR 500 amendments potentially adding explicit CVD program requirements"
       ],
       "signature": "GDGt4UPqBa04PjlpSmpyihGzd3OgfBN7jaAK5tfwp+LRSs3ygKOdbeivUCCHNagTY1hE6hG2Ou40ADfBFuXeAg==",
-      "signed_at": "2026-05-21T13:36:49.127Z"
+      "signed_at": "2026-05-21T14:14:25.607Z"
     },
     {
       "name": "threat-modeling-methodology",
@@ -1238,7 +1238,7 @@
         "PASTA v2 updates incorporating AI/ML application threats"
       ],
       "signature": "rFBpOQEJUPpl+v88Lw/WqVJRhTl80vy0VbPAbzQj3Q0suJRRrJg368I9uKu5LXIBKFDvKxnGIcIzbGg9NUtaCA==",
-      "signed_at": "2026-05-21T13:36:49.127Z"
+      "signed_at": "2026-05-21T14:14:25.607Z"
     },
     {
       "name": "webapp-security",
@@ -1312,7 +1312,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "ux85YI4t2mVHOyt744Yin1HHy+z11JIFygjKfFfQOBBl5QVV3A267jeIy7utix85irMcpZm/T3yx/ooqiK2tBA==",
-      "signed_at": "2026-05-21T13:36:49.127Z"
+      "signed_at": "2026-05-21T14:14:25.607Z"
     },
     {
       "name": "ai-risk-management",
@@ -1362,7 +1362,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "IIXnkZ5ZNqFwOto5KfytADTLLZLoyXNZACD1ORZ40P1HUAQxe6u2uyXFzzsfuob4Uy06jNkRGr2FFgCphUH1Cw==",
-      "signed_at": "2026-05-21T13:36:49.128Z"
+      "signed_at": "2026-05-21T14:14:25.608Z"
     },
     {
       "name": "sector-healthcare",
@@ -1422,7 +1422,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "AhF9KF8ZBlDteciV+F8IBSmFVYCvQOn44GmD4rZjgLoPxfIv/QE1/vSkK32zyqDKtHWkLSXExbkkPkxA/V6dDw==",
-      "signed_at": "2026-05-21T13:36:49.128Z"
+      "signed_at": "2026-05-21T14:14:25.609Z"
     },
     {
       "name": "sector-financial",
@@ -1503,7 +1503,7 @@
         "TIBER-EU framework v2.0 alignment with DORA TLPT RTS (JC 2024/40); cross-recognition with CBEST and iCAST"
       ],
       "signature": "HQgZvb4ReziEz5rNFr8i/O8/rJEZR+iHRROT7m/D2QUqhrcNISPkYXENsUZlG8xapzy/Ik92ehkseyj4hdmhCQ==",
-      "signed_at": "2026-05-21T13:36:49.129Z"
+      "signed_at": "2026-05-21T14:14:25.610Z"
     },
     {
       "name": "sector-federal-government",
@@ -1572,7 +1572,7 @@
         "Australia PSPF 2024 revision and ISM quarterly updates — track for Essential Eight Maturity Level requirements for federal entities"
       ],
       "signature": "linxmsXZiOYtcs71sSWgGCrvb8xQfmxmtTY5PRvZJ0/8FgJulo0tQtejzexYG775s7XhjAmGsDP238BQTQ8ADA==",
-      "signed_at": "2026-05-21T13:36:49.129Z"
+      "signed_at": "2026-05-21T14:14:25.610Z"
     },
     {
       "name": "sector-energy",
@@ -1637,7 +1637,7 @@
         "ICS-CERT advisory feed (https://www.cisa.gov/news-events/cybersecurity-advisories/ics-advisories) for vendor CVEs in Siemens, Rockwell, Schneider Electric, ABB, GE Vernova, Hitachi Energy, AVEVA / OSIsoft PI"
       ],
       "signature": "JjBfc0ovta560Clk0x3QGRM5osFJDwcvpy3rT7QEGdCIL827jzE8QCow1C8deXq+4JhY2sA/d7/8IsxikdlkCg==",
-      "signed_at": "2026-05-21T13:36:49.130Z"
+      "signed_at": "2026-05-21T14:14:25.611Z"
     },
     {
       "name": "sector-telecom",
@@ -1723,7 +1723,7 @@
         "O-RAN SFG / WG11 security specifications"
       ],
       "signature": "JWVxKFoKrbX4d+Tko1d4OBdwyg25MfFFKn4CT6E/CzH+YwnU3T6Y76uBQIKg3+gIGTvPduqyvQwQQ5FxKDuPBw==",
-      "signed_at": "2026-05-21T13:36:49.130Z"
+      "signed_at": "2026-05-21T14:14:25.611Z"
     },
     {
       "name": "api-security",
@@ -1792,7 +1792,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "BmCRCestWqr55+fCynEhtAl5NWLT+xLTkpwS0Icp3SaoZOw/ce3Y6TtqjHRSKn4CBJq7YDiLRWxmhO3MStvOAA==",
-      "signed_at": "2026-05-21T13:36:49.130Z"
+      "signed_at": "2026-05-21T14:14:25.611Z"
     },
     {
       "name": "cloud-security",
@@ -1873,7 +1873,7 @@
         "CISA KEV additions for cloud-control-plane CVEs (IMDSv1 abuses, federation token mishandling, cross-tenant boundary failures); CISA Cybersecurity Advisories for cross-cloud advisories"
       ],
       "signature": "/DV3pmZwrRySrk1OCbyI+0BQESacjupJfUX3eC2NGtXuYOBro0vndIP+z27heFxumnjU3a9sfla7/U9X+pqnDw==",
-      "signed_at": "2026-05-21T13:36:49.131Z"
+      "signed_at": "2026-05-21T14:14:25.612Z"
     },
     {
       "name": "container-runtime-security",
@@ -1935,7 +1935,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "E2UGSf9ATyYgzBr8uM/0ubOUmDqo1jVA7f9mVxv6LHfWGCNuQNXDyuNou9VAmUCeeXEeUYIi3AFjXkJqpOkxDA==",
-      "signed_at": "2026-05-21T13:36:49.131Z"
+      "signed_at": "2026-05-21T14:14:25.612Z"
     },
     {
       "name": "mlops-security",
@@ -2006,7 +2006,7 @@
         "MITRE ATLAS v5.6.0 (released February 2026) shipped the AML.T0010 sub-technique expansion this forecast tracked plus new techniques (\"Publish Poisoned AI Agent Tool\", \"Escape to Host\"); inventory now 16 tactics, 84 techniques, 56 sub-techniques. Forward watch: ATLAS v5.5 / v6.0 — track next-cadence updates to agentic-AI TTPs and MLOps-pipeline-specific techniques"
       ],
       "signature": "BGNE6ZQWBA1LmsUFe8tU0L67iGDSrFqiuqaZD2f1KqfcyqqzQfMs9PWNHFzxxaJmXeKlm87eU8lgELF0bX+RBA==",
-      "signed_at": "2026-05-21T13:36:49.131Z"
+      "signed_at": "2026-05-21T14:14:25.613Z"
     },
     {
       "name": "incident-response-playbook",
@@ -2068,7 +2068,7 @@
         "NYDFS 23 NYCRR 500.17 amendments tightening ransom-payment 24h disclosure operationalization"
       ],
       "signature": "FkZQerh3VHVJAwIcCktDyMRh5KE2+Em/i0ek8zEz7JG/PXtQx8ujHWTh3VjZbOLhPNtdB2qxgXOIAYIofaVOAQ==",
-      "signed_at": "2026-05-21T13:36:49.132Z"
+      "signed_at": "2026-05-21T14:14:25.613Z"
     },
     {
       "name": "ransomware-response",
@@ -2148,7 +2148,7 @@
       ],
       "last_threat_review": "2026-05-15",
       "signature": "n3UToNuN3A1HgLvcuqmIx8vrZY71+r/79waK92jG+rSX4uYOzkmxMUpROrE5K9bDwMezNBHdjWv8Uul6zugyDQ==",
-      "signed_at": "2026-05-21T13:36:49.132Z"
+      "signed_at": "2026-05-21T14:14:25.614Z"
     },
     {
       "name": "email-security-anti-phishing",
@@ -2201,7 +2201,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "rK+WnuS+9tqEABmwc0jO/PEmxcLjG1/tmUb897HsClQeKzf+TQOlwBE+OsbtuKxpjYNwur62Xxs3TxObkwm8Cw==",
-      "signed_at": "2026-05-21T13:36:49.132Z"
+      "signed_at": "2026-05-21T14:14:25.614Z"
     },
     {
       "name": "age-gates-child-safety",
@@ -2269,7 +2269,7 @@
         "US state adult-site age-verification laws — 19+ states by mid-2026 (TX HB 18 upheld by SCOTUS June 2025 in Free Speech Coalition v. Paxton); track ongoing challenges in remaining states"
       ],
       "signature": "+OO0RhQ303RJV7kaH38IuZpLeQbapep6Ds4Re/WEZu0FHBwKSlwvF7jbtP7KQ57xldJYn/xZm2jaszyOacMfDg==",
-      "signed_at": "2026-05-21T13:36:49.133Z"
+      "signed_at": "2026-05-21T14:14:25.615Z"
     },
     {
       "name": "cloud-iam-incident",
@@ -2349,7 +2349,7 @@
       ],
       "last_threat_review": "2026-05-15",
       "signature": "e/kij7GtKaytROyIj7V5RH+FC9WtmVFzrmG2kIlNDNn29ep/CRNlIQKwXLpzo/81AIf634pmdr1qy/+vwIuUDA==",
-      "signed_at": "2026-05-21T13:36:49.133Z"
+      "signed_at": "2026-05-21T14:14:25.615Z"
     },
     {
       "name": "idp-incident-response",
@@ -2430,11 +2430,11 @@
       ],
       "last_threat_review": "2026-05-15",
       "signature": "ew9Kglc9fAZzbn0ZIfGP7WSK/j4eV2VhSvpy+s5bEfNEVYIMa2kZjnGBapgUsyGDLes9H9K2ovjQyX17+GKiBw==",
-      "signed_at": "2026-05-21T13:36:49.133Z"
+      "signed_at": "2026-05-21T14:14:25.615Z"
     }
   ],
   "manifest_signature": {
     "algorithm": "Ed25519",
-    "signature_base64": "fBH0Bn3i2Zd9wSqpmXxFtFMNP/LLblr6K7GqjP5S9M7bObYHCPe9n/+kkPaKFmD8JeFRe5aupw2v42LEY/jQAg=="
+    "signature_base64": "yzoa4nQKqqtR5YIwboVmjqBZe16FBPqLjiMLIlnOfPwls5DkBUnZVrClvq04gc7nWDyzxrSkj0ZDhT3WkMc7CA=="
   }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/exceptd-skills",
-  "version": "0.13.43",
+  "version": "0.13.44",
   "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 42 skills, 10 catalogs (312 CVEs / 171 CWEs / 805 ATT&CK + ICS / 170 ATLAS / 468 D3FEND / 7476 RFCs), 34 jurisdictions, 10-class catalog gap detector + budget gate, real XML parser + canonical-form diff + content-pattern regression detection, Ed25519-signed.",
   "keywords": [
     "ai-security",

package/sbom.cdx.json

@@ -1,22 +1,22 @@
 {
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:84eca508-82ac-48fd-a76a-8da0f63e8cd0",
+  "serialNumber": "urn:uuid:b68630e1-862f-416e-9970-9a04675a7b54",
   "version": 1,
   "metadata": {
-    "timestamp": "2096-09-01T08:34:16.000Z",
+    "timestamp": "2123-01-15T16:20:49.000Z",
     "tools": [
       {
         "vendor": "blamejs",
         "name": "scripts/refresh-sbom.js",
-        "version": "0.13.43"
+        "version": "0.13.44"
       }
     ],
     "component": {
-      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.13.43",
+      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.13.44",
       "type": "application",
       "name": "@blamejs/exceptd-skills",
-      "version": "0.13.43",
+      "version": "0.13.44",
       "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 42 skills, 10 catalogs (312 CVEs / 171 CWEs / 805 ATT&CK + ICS / 170 ATLAS / 468 D3FEND / 7476 RFCs), 34 jurisdictions, 10-class catalog gap detector + budget gate, real XML parser + canonical-form diff + content-pattern regression detection, Ed25519-signed.",
       "licenses": [
         {
@@ -25,17 +25,17 @@
           }
         }
       ],
-      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.13.43",
+      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.13.44",
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "ccd1718b7ea2dde128a031519a09bdea00d381b3a47b615f6e48f743ba584d79"
+          "content": "06a310132e91fa95c1f50c6e78a4f2f2916cc22f46b49eb58b8644d2d27c49ef"
         }
       ],
       "externalReferences": [
         {
           "type": "distribution",
-          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.13.43"
+          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.13.44"
         },
         {
           "type": "vcs",
@@ -86,11 +86,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "746ea19ed2019d0b1b838f4a8f2a58ee2b23c51869d52ff28ef5cfad65352d27"
+          "content": "76ce2fe9bafe6488775f69afae5fce015101e38b6c61c8978a196c26c6f3a63c"
         },
         {
           "alg": "SHA3-512",
-          "content": "c21665a68dd2c69befeec2abef4e884a1337304c46ac1e9e838428cfbccfb5fc80bde52654ad9b6ccb309af97d86903f0c8a17eb8770038b3af6552b66dd4923"
+          "content": "5b1624ea5458aad9470b1d0696f9307b8ab964e818966b5590fd7437412e02fd88b897af0f4cc1d734590edff26c7f1ffc87597c81d82f4dcc6ee18e66b010a0"
         }
       ]
     },
@@ -116,11 +116,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "1e83723db6d7acb8b6b331125e0beeb40632bde827672734274b504feca480c2"
+          "content": "3268d2f2fe6cf4ee67c0c07df0daffc94499c37c5dd2d1225d7a853af7e70808"
         },
         {
           "alg": "SHA3-512",
-          "content": "3ccd524f1dbf0d26089d7b9475a15168a387eb76deafb25dc5b93ceec27a30addd30cf59046f1069a712ff07cd817a223de2b356e070f1625a5c357db0a9ed0b"
+          "content": "35a0de028e257c7ff3541ef4d4015e7ebe0e4c89b772348e7fc6908203ef94b97cdf1eca7981ebdaa7396b791e86de1edfa71d1183750d1ae8138e05d52b56e3"
         }
       ]
     },
@@ -889,6 +889,21 @@
         }
       ]
     },
+    {
+      "bom-ref": "file:lib/collectors/cicd-pipeline-compromise.js",
+      "type": "file",
+      "name": "lib/collectors/cicd-pipeline-compromise.js",
+      "hashes": [
+        {
+          "alg": "SHA-256",
+          "content": "132922cdbe7cb211fef1c3f4e4dab9b167ffaebb14483ba2d63652fbee15d200"
+        },
+        {
+          "alg": "SHA3-512",
+          "content": "2d8a56dbad0c5828008fcbdf861db9d28e7a07fef65e0f7c9c663814bda49facc355221d45778155247e49febec4a73f6a62936d9d74feefb7a0ee0905fca744"
+        }
+      ]
+    },
     {
       "bom-ref": "file:lib/collectors/containers.js",
       "type": "file",
@@ -1646,11 +1661,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "b56fa964197403bfaeba55f1ae97c663bf447852a6fc0e418965a8faf6eb3387"
+          "content": "eee433070d0e766d2ea4810837835afd85d8a36b8307c3b4d66051b083c35f0a"
         },
         {
           "alg": "SHA3-512",
-          "content": "7bb61363bcfa3d898bef149c9707ac69c4728b4ac2f826c7f21382519b2c9c268633e8e69c5a062f1ef228d8094471d87981043143cc4f1181acc399de6f2992"
+          "content": "30ef6fac362e41a84b9828fe29664016259352b56aad18d79c14ef21944473f303fc2aa4904ad8e2bb39e25490fd0ee1c95335e627237a14ec4cdd9bbdb581c4"
         }
       ]
     },