npm - @blamejs/exceptd-skills - Versions diffs - 0.13.47 → 0.13.49 - Mend

@blamejs/exceptd-skills 0.13.47 → 0.13.49

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/CHANGELOG.md +30 -0
package/bin/exceptd.js +100 -25
package/data/_indexes/_meta.json +2 -2
package/lib/collectors/cred-stores.js +18 -0
package/lib/collectors/crypto-codebase.js +3 -0
package/lib/collectors/library-author.js +24 -3
package/lib/collectors/secrets.js +47 -1
package/manifest.json +44 -44
package/package.json +1 -1
package/sbom.cdx.json +22 -22

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,35 @@
 # Changelog
+## 0.13.49 — 2026-05-21
+`discover` covers four previously-invisible collectors. CLI UX cleanup across welcome banner, help text, attestation warning.
+### Bugs
+- **`discover` recommends `cicd-pipeline-compromise`, `mcp`, `ai-api`, and `crypto`.** Before, the cwd-aware recommender only knew about 9 of the 13 collectors — `discover` from a repo with `.github/workflows/` never surfaced the CI/CD posture playbook; `mcp` / `ai-api` were invisible even when the operator had MCP client config or shell rc files in their home; `crypto` was absent from the Linux branch alongside `hardening` / `runtime`. New probes: `.github/workflows/*.yml` for CI/CD, `~/.cursor/mcp.json` + `~/.config/claude` + `~/.codeium/windsurf/mcp_config.json` + `~/.gemini/settings.json` for MCP clients, `~/.bashrc` + `~/.zshrc` + `~/.profile` for shell rc, plus `crypto` always on Linux.
+- **`discover` reason text drops the misleading "node lockfile" claim.** A `package.json`-only repo (no `package-lock.json`) used to receive the recommendation reason "git repo + node lockfile" even though the lockfile didn't exist. The reason now says "node project" (and similarly "python project" / "rust project" / "go project"), which is accurate for the broad manifest-OR-lockfile trigger.
+- **`exceptd run --scope code` next-step suggestion is omitted from `discover` when no code-scope playbooks were recommended.** Previously, discover from an empty cwd suggested `exceptd run --scope code` even though no code playbooks applied — operators following the suggestion got every code-scope playbook running against an empty tree and a multi-hundred-KB JSON dump. Now the next-steps list shows `--scope code` only when at least one code-scope recommendation fired.
+- **`exceptd help` section header drops the stale `v0.12.0 canonical surface` pin.** The surface evolves with each release; the header now reads `Canonical verbs` without a frozen version label.
+### Features
+- **Welcome banner enumerates the playbook starting set by trigger rather than by abstract category** (`git repos:`, `GitHub Actions:`, `Linux hosts:`, `AI assistants:`, `containers:`). Each row names the artifact that triggers the recommendation, and the banner explicitly points at `exceptd discover` as the authoritative recommender.
+- **Attestation unsigned warning shrinks to a single line on consumer installs.** Previously every `exceptd run` from a globally-installed package (e.g. `npm install -g`) emitted a 4-line warning prescribing `exceptd doctor --fix` — but consumer installs land the package under `node_modules/` where `.keys/` typically isn't writable by the operator. The collector now detects consumer-install layout (PKG_ROOT under `node_modules/` OR parent dir is `@blamejs`) and prints `[attest] writing unsigned attestation (consumer install — signing is contributor-only).` instead. Contributor checkouts still see the full nudge.
+## 0.13.48 — 2026-05-21
+Collector predicate tightening across `secrets`, `library-author`, `crypto-codebase`, and `cred-stores`.
+### Bugs
+- **`secrets` collector demotes hits scoped exclusively to test / fixture / example paths.** Previously a JWT literal in `fulcio_test.go` or a private-key block in `cosign-test.key` flipped `jwt-token-with-secret-context` / `ssh-private-key-block` to `hit`. The collector now splits hits into production-scope vs. test-scope (segments `/test/` `/tests/` `/spec/` `/fixtures/` `/examples/` `/samples/` `/demo/` `/testdata/`, plus `*.test.<ext>` / `*.spec.<ext>` / `*_test.<ext>` / `*-test[-.]*` filename conventions). The indicator fires only when at least one production-scope hit exists. Test-only hits stay visible in the `secret-regex-scan-text-files` artifact for operator inspection but don't trip the signal. Mirrors the existing `crypto-codebase` demotion pattern.
+- **`library-author` recognises container-native publish workflows.** The previous heuristic only matched npm / pypi / cargo / goreleaser / softprops-action-gh-release publish paths. Workflows using `ko publish` / `cosign sign(-blob)` / `crane push` / `oras push` / `docker push` / `docker/build-push-action` were missed, which falsely flipped `publish-workflow-no-id-token-write` on projects (e.g. sigstore/cosign) that use `id-token: write` for OIDC-based publishing. Now those workflows are recognized as publish-related, AND any workflow declaring `id-token: write` inside a `permissions:` block with executable `steps:` is treated as publish context.
+- **`crypto-codebase` test-path demotion now covers Go's `_test.go` convention.** The previous regex matched only `*.test.<ext>` / `*.spec.<ext>` (dot-separated). Go convention is `foo_test.go` (underscore-separated); those test files were not demoted and false-positive'd indicators like `weak-hash-import` (md5 in a Go test using a "token" variable). Added `(?:^|[\\/])[^\\/]+_test\.[a-z]+$` to the demotion regex.
+### Features
+- **`cred-stores` surfaces a `credentials-file-perms-check` artifact** documenting whether the POSIX-mode-bit check ran (`captured: true` on Linux / macOS) or was skipped (`captured: false, reason: "...skipped on win32..."` on Windows). Previously the `credentials-file-bad-perms` signal was silently absent from `signal_overrides` on Windows, indistinguishable from "indicator not catalogued". Mirrors the `secrets` collector's `world-writable-secret-files` skip pattern.
 ## 0.13.47 — 2026-05-21
 `cicd-pipeline-compromise` collect | run pipe now produces a verdict when the operator opts in to the CI-fleet ownership attestation.

package/bin/exceptd.js CHANGED Viewed

@@ -334,9 +334,14 @@ If you know what you want:
   exceptd ci --scope code    # CI gate against every code-scoped playbook
 Common starting playbooks
-  code repos:    secrets, sbom, library-author, crypto-codebase
-  Linux hosts:   kernel, hardening, runtime, cred-stores
-  AI / service:  ai-api, mcp, crypto
+  git repos:      secrets, sbom, library-author, crypto-codebase
+  GitHub Actions: cicd-pipeline-compromise (.github/workflows/ present)
+  Linux hosts:    kernel, hardening, runtime, cred-stores, crypto
+  AI assistants:  mcp (MCP client config), ai-api (shell rc + AI key exports)
+  containers:     containers (Dockerfile / docker-compose)
+\`exceptd discover\` is the authoritative recommender — it inspects your
+cwd + host and only suggests the playbooks that actually apply.
 Full reference: exceptd help
 Per-verb help:  exceptd <verb> --help
@@ -349,8 +354,8 @@ function printHelp() {
 Usage: exceptd <command> [args]
        npx @blamejs/exceptd-skills <command> [args]
-v0.12.0 canonical surface
-─────────────────────────
+Canonical verbs
+───────────────
   brief [playbook]           Unified info doc — jurisdictions + threat context
                              + preconditions + artifacts + indicators. Replaces
@@ -4275,18 +4280,28 @@ function maybeSignAttestation(filePath) {
   // Operators who set `.keys/private.pem` get tamper-evident attestations;
   // operators without the keypair get a single nudge per session telling them
   // exactly how to enable signing.
+  //
+  // Consumer installs (`npm install -g`) land PKG_ROOT under
+  // node_modules/ where the operator typically can't write to
+  // .keys/. For those installs the multi-line nudge prescribes a
+  // remediation (doctor --fix) the operator doesn't own — surface a
+  // single-line marker so the unsigned attestation isn't silent, but
+  // skip the call-to-action that doesn't apply.
   if (!fs.existsSync(privKeyPath) && !process.env.EXCEPTD_UNSIGNED_WARNED) {
-    // Cycle 20 A P2 (v0.12.40): operator-facing verb `exceptd doctor --fix`
-    // calls sign.js generate-keypair under the hood. Pre-fix the message
-    // hinted at a node-internal script path that's not on PATH after
-    // `npm install -g`. Surface the doctor route first; cite the lib
-    // script only as the contributor / non-npm-installed fallback.
-    process.stderr.write(
-      "[attest] attestation will be written UNSIGNED (no private key at .keys/private.pem). " +
-      "Operators reading the attestation later can verify the SHA-256 hash but not authenticity. " +
-      "Enable Ed25519 signing: `exceptd doctor --fix` (or for contributor checkouts: `node $(exceptd path)/lib/sign.js generate-keypair`). " +
-      "Suppress this notice: export EXCEPTD_UNSIGNED_WARNED=1.\n"
-    );
+    const pkgRootSegments = PKG_ROOT.split(/[\\/]/);
+    const isConsumerInstall =
+      pkgRootSegments.includes("node_modules") ||
+      path.basename(path.dirname(PKG_ROOT)) === "@blamejs";
+    if (isConsumerInstall) {
+      process.stderr.write("[attest] writing unsigned attestation (consumer install — signing is contributor-only).\n");
+    } else {
+      process.stderr.write(
+        "[attest] attestation will be written UNSIGNED (no private key at .keys/private.pem). " +
+        "Operators reading the attestation later can verify the SHA-256 hash but not authenticity. " +
+        "Enable Ed25519 signing: `exceptd doctor --fix` (or for contributor checkouts: `node $(exceptd path)/lib/sign.js generate-keypair`). " +
+        "Suppress this notice: export EXCEPTD_UNSIGNED_WARNED=1.\n"
+      );
+    }
     process.env.EXCEPTD_UNSIGNED_WARNED = "1";
   }
   try {
@@ -5535,17 +5550,60 @@ function cmdDiscover(runner, args, runOpts, pretty) {
   // Build recommendation set. Dedup by playbook id so multi-trigger rules
   // don't double-list.
   const isRepo = detected.includes(".git/");
-  const hasNode = detected.includes("package.json") || detected.includes("package-lock.json")
+  const hasNodeManifest = detected.includes("package.json");
+  const hasNodeLockfile = detected.includes("package-lock.json")
     || detected.includes("yarn.lock") || detected.includes("pnpm-lock.yaml");
+  const hasNode = hasNodeManifest || hasNodeLockfile;
   const hasPython = detected.includes("pyproject.toml") || detected.includes("requirements.txt")
     || detected.includes("Pipfile");
   const hasRust = detected.includes("Cargo.toml");
   const hasGo = detected.includes("go.mod");
-  const hasLockfile = hasNode || hasPython || hasRust || hasGo;
+  const hasProject = hasNode || hasPython || hasRust || hasGo;
   const hasContainers = detected.includes("Dockerfile") || detected.includes("docker-compose.yml")
     || detected.includes("docker-compose.yaml");
   const isLinux = hostPlatform === "linux";
+  // .github/workflows/ directory probe — surfaces the CI/CD posture
+  // playbook when present.
+  let hasGithubWorkflows = false;
+  try {
+    const wfDir = path.join(cwd, ".github", "workflows");
+    if (fs.existsSync(wfDir) && fs.statSync(wfDir).isDirectory()) {
+      const entries = fs.readdirSync(wfDir).filter(f => /\.(ya?ml)$/i.test(f));
+      if (entries.length > 0) hasGithubWorkflows = true;
+    }
+  } catch { /* swallow */ }
+  // Home-resident MCP client config probe — surfaces the `mcp`
+  // playbook when at least one supported client is configured on
+  // this host. Best-effort: silently skip if home isn't readable.
+  let hasMcpClientConfig = false;
+  const homeForProbe = process.env.HOME || process.env.USERPROFILE || null;
+  if (homeForProbe) {
+    const mcpProbes = [
+      path.join(homeForProbe, ".cursor", "mcp.json"),
+      path.join(homeForProbe, ".config", "claude"),
+      path.join(homeForProbe, ".claude"),
+      path.join(homeForProbe, ".codeium", "windsurf", "mcp_config.json"),
+      path.join(homeForProbe, ".gemini", "settings.json"),
+    ];
+    for (const p of mcpProbes) {
+      try { if (fs.existsSync(p)) { hasMcpClientConfig = true; break; } } catch { /* swallow */ }
+    }
+  }
+  // Shell rc presence — proxy signal for "user has a shell-driven
+  // workflow that might export AI API keys". The ai-api collector
+  // checks rc files + vendor dotfiles regardless; surface the
+  // recommendation when at least one rc file exists.
+  let hasShellRc = false;
+  if (homeForProbe) {
+    const rcProbes = [".bashrc", ".bash_profile", ".zshrc", ".zprofile", ".profile"];
+    for (const f of rcProbes) {
+      try { if (fs.existsSync(path.join(homeForProbe, f))) { hasShellRc = true; break; } } catch { /* swallow */ }
+    }
+  }
   const recs = [];
   const seen = new Set();
   function recommend(id, reason) {
@@ -5554,22 +5612,32 @@ function cmdDiscover(runner, args, runOpts, pretty) {
     recs.push({ id, reason });
   }
-  if (isRepo && hasLockfile) {
+  if (isRepo && hasProject) {
     const langs = [hasNode && "node", hasPython && "python", hasRust && "rust", hasGo && "go"]
       .filter(Boolean).join("/");
-    recommend("secrets", `git repo + ${langs} lockfile → check for committed credentials`);
-    recommend("sbom", `git repo + ${langs} lockfile → SBOM + supply-chain integrity`);
-    recommend("library-author", `git repo + ${langs} lockfile → publisher-side audit`);
-    recommend("crypto-codebase", `git repo + ${langs} lockfile → cryptographic primitive review`);
+    recommend("secrets", `git repo + ${langs} project → check for committed credentials`);
+    recommend("sbom", `git repo + ${langs} project → SBOM + supply-chain integrity`);
+    recommend("library-author", `git repo + ${langs} project → publisher-side audit`);
+    recommend("crypto-codebase", `git repo + ${langs} project → cryptographic primitive review`);
   }
   if (hasContainers) {
     recommend("containers", "Dockerfile / docker-compose present → container security review");
   }
+  if (hasGithubWorkflows) {
+    recommend("cicd-pipeline-compromise", ".github/workflows/ present → CI/CD posture (fork-PR / OIDC / floating-tag)");
+  }
+  if (hasMcpClientConfig) {
+    recommend("mcp", "MCP client config present in home → MCP supply-chain audit");
+  }
+  if (hasShellRc) {
+    recommend("ai-api", "shell rc present in home → AI API key + cred-carrier audit");
+  }
   if (isLinux) {
     recommend("kernel", "Linux host detected → kernel LPE / privilege escalation triage");
     recommend("hardening", "Linux host detected → system hardening review");
     recommend("runtime", "Linux host detected → runtime behavior review");
     recommend("cred-stores", "Linux host detected → credential store review");
+    recommend("crypto", "Linux host detected → host crypto posture (OpenSSL / sshd PQC readiness)");
   }
   // Always include cross-cutting framework correlation.
   recommend("framework", "cross-cutting: framework correlation always applicable");
@@ -5587,12 +5655,19 @@ function cmdDiscover(runner, args, runOpts, pretty) {
     rec.collect_cmd = hasCollector ? `exceptd collect ${rec.id}` : null;
   }
+  // Next-step suggestions are conditional on what discover detected.
+  // From an empty / no-code-detected cwd, suggesting `run --scope code`
+  // would silently run every code-scope playbook against an empty tree
+  // and produce a multi-hundred-KB JSON dump for no useful reason.
+  const recHasCodeScope = recs.some(r => ["secrets", "sbom", "library-author", "crypto-codebase", "containers", "cicd-pipeline-compromise"].includes(r.id));
   const nextSteps = [
     "exceptd brief <playbook>       # learn what a playbook checks",
     "exceptd run <playbook>          # run it",
-    "exceptd run --scope code        # run all code-scoped playbooks (auto-detected)",
-    "exceptd ci --scope code         # CI-gate against all code-scoped playbooks",
   ];
+  if (recHasCodeScope) {
+    nextSteps.push("exceptd run --scope code        # run all code-scoped playbooks (those applicable to this cwd)");
+    nextSteps.push("exceptd ci --scope code         # CI-gate against all code-scoped playbooks");
+  }
   const out = {
     verb: "discover",

package/data/_indexes/_meta.json CHANGED Viewed

@@ -1,10 +1,10 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-21T16:44:49.627Z",
+  "generated_at": "2026-05-21T17:42:36.651Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 54,
   "source_hashes": {
-    "manifest.json": "e206a4bf8b7e84f787bdc8af0b7ca6d41d5a08c3f9a91d612f65e2f29c9c2269",
+    "manifest.json": "188c660ebfd03913aafe0a2d8fc7975081b6a1c786eb0201338e62985b2f51c7",
     "data/atlas-ttps.json": "d296c1d3e71807c9279b731f047e57796e85137f186586743a8cdad214b408f9",
     "data/attack-techniques.json": "49b6010b317edd219def135171ea8f3b1bbf1e00e9c5a08bf7237215ff54e2c3",
     "data/cve-catalog.json": "a09c83af3f9679a7ea73935726a1ff9de2cab94b4ab6321fc017fc147747d7c3",

package/lib/collectors/cred-stores.js CHANGED Viewed

@@ -439,6 +439,24 @@ function collect({ cwd = process.cwd(), env = process.env, args = {} } = {}) {
       captured: false,
       reason: "secret-tool / security dump-keychain require interactive auth or platform-specific binaries; out of stdlib collector scope",
     },
+    // Surface the POSIX-mode-bit skip on Windows so operators see the
+    // indicator was considered but skipped, mirroring the secrets
+    // collector's world-writable-secret-files skip artifact. Without
+    // this, credentials-file-bad-perms silently absent from
+    // signal_overrides looks indistinguishable from "indicator not
+    // catalogued".
+    "credentials-file-perms-check": isPosix
+      ? {
+          value: permViolations.length > 0
+            ? `${permViolations.length} carrier(s) with mode != expected: ${permViolations.map(v => `${v.id}=${v.mode_octal}`).join(", ")}`
+            : "all checked carriers at expected mode",
+          captured: true,
+        }
+      : {
+          value: "skipped on win32 — POSIX mode bits not load-bearing",
+          captured: false,
+          reason: "Windows uses ACLs, not POSIX mode bits; credentials-file-bad-perms indicator left to operator-supplied evidence on this platform",
+        },
   };
   if (permViolations.length > 0) {

package/lib/collectors/crypto-codebase.js CHANGED Viewed

@@ -59,7 +59,10 @@ function isTestPath(rel) {
   for (const seg of TEST_PATH_SEGMENTS) {
     if (norm.includes(seg)) return true;
   }
+  // `foo.test.js`, `bar.spec.py` (dot-separated)
   if (/\.(test|spec)\.[a-z]+$/i.test(rel)) return true;
+  // `foo_test.go` (Go convention), `_test.py` (some Python projects)
+  if (/(?:^|[\\/])[^\\/]+_test\.[a-z]+$/i.test(rel)) return true;
   return false;
 }

package/lib/collectors/library-author.js CHANGED Viewed

@@ -66,9 +66,17 @@ function walkWorkflows(root) {
 }
 function looksLikePublishWorkflow(name, content) {
-  // Heuristic: filename starts with `release`/`publish`/`deploy` OR
-  // the workflow body mentions `npm publish` / `pypi-publish` /
-  // `cargo publish` / `goreleaser` somewhere.
+  // Heuristic: filename starts with `release`/`publish`/`deploy`, OR
+  // the workflow body invokes a known publish/release tool (npm /
+  // pypi / cargo / goreleaser / ko / cosign / crane / oras / docker /
+  // GitHub releases / sigstore-action). The container-native shapes
+  // matter because projects that publish via `ko publish` / `cosign
+  // sign-blob` (sigstore-style) DO use `id-token: write`, and the
+  // narrower npm/pypi/cargo matcher missed those workflows entirely.
+  // Filename `build.*` deliberately omitted — many projects use it
+  // for ordinary CI (lint / test / typecheck), not publishing.
+  // Cosign-style `build.yaml` is still recognized via its body
+  // content (cosign / id-token: write / etc.).
   const lower = name.toLowerCase();
   if (/^(release|publish|deploy)/.test(lower)) return true;
   if (/\bnpm\s+publish\b/.test(content)) return true;
@@ -76,6 +84,19 @@ function looksLikePublishWorkflow(name, content) {
   if (/\bcargo\s+publish\b/.test(content)) return true;
   if (/goreleaser/.test(content)) return true;
   if (/softprops\/action-gh-release/.test(content)) return true;
+  // Container + sigstore release tooling.
+  if (/\bko\s+(?:publish|build|apply|resolve)\b/.test(content)) return true;
+  if (/\bcosign\s+sign(?:-blob)?\b/.test(content)) return true;
+  if (/sigstore\/cosign-installer/.test(content)) return true;
+  if (/\bcrane\s+(?:push|copy|append)\b/.test(content)) return true;
+  if (/\boras\s+(?:push|copy)\b/.test(content)) return true;
+  // GitHub Container Registry / generic docker push paths.
+  if (/docker\/build-push-action/.test(content)) return true;
+  if (/\bdocker\s+push\b/.test(content)) return true;
+  // Sigstore OIDC token issuance is the canonical signal that a
+  // workflow is publishing artifacts — id-token: write inside a
+  // permissions block + the workflow runs more than a test job.
+  if (/id-token:\s*write/.test(content) && /\bsteps:/.test(content)) return true;
   return false;
 }

package/lib/collectors/secrets.js CHANGED Viewed

@@ -30,6 +30,34 @@ const DEFAULT_EXCLUDES = new Set([
   "target", ".idea", ".vscode",
 ]);
+// Path segments that denote test / fixture / example material. Hits
+// scoped exclusively to these paths are downgraded — a private-key
+// block in `cosign-test.key` or a JWT literal in `_test.go` is
+// expected test material, not a real secret. If at least one hit
+// exists outside these paths, the indicator still fires. Mirrors
+// the crypto-codebase collector's isTestPath shape.
+const TEST_PATH_SEGMENTS = [
+  "/test/", "/tests/", "/spec/", "/specs/", "/__tests__/",
+  "/fixtures/", "/fixture/", "/examples/", "/example/",
+  "/sample/", "/samples/", "/demo/", "/demos/",
+  "/testdata/", "/test-data/", "/test_data/",
+];
+function isTestPath(rel) {
+  const norm = "/" + rel.replace(/\\/g, "/").toLowerCase() + "/";
+  for (const seg of TEST_PATH_SEGMENTS) {
+    if (norm.includes(seg)) return true;
+  }
+  // foo.test.js / bar.spec.py — dot-separated convention.
+  if (/\.(test|spec)\.[a-z]+$/i.test(rel)) return true;
+  // foo_test.go (Go) / bar_test.py (some Python) — underscore convention.
+  if (/(?:^|[\\/])[^\\/]+_test\.[a-z]+$/i.test(rel)) return true;
+  // Files whose name itself includes the substring "test" before a
+  // key extension (e.g. cosign-test.key, github-test-token.json).
+  if (/-test[-.][^\\/]*$/i.test(rel)) return true;
+  return false;
+}
 const ENV_FILE_PREDICATE = (name) => {
   if (name === ".env" || name === ".envrc") return true;
   if (name.startsWith(".env.")) return true;
@@ -235,14 +263,32 @@ function collect({ cwd = process.cwd(), env = process.env, args = {} } = {}) {
     }
   }
+  // Split hits into production vs test-path. The indicator fires
+  // only when at least one PROD hit exists. Test-only hits stay in
+  // the artifact for operator inspection but don't flip the signal.
   const hitsByIndicator = {};
+  const prodHitsByIndicator = {};
   for (const h of allHits) {
     (hitsByIndicator[h.indicator_id] = hitsByIndicator[h.indicator_id] || []).push(h);
+    if (!isTestPath(h.file)) {
+      (prodHitsByIndicator[h.indicator_id] = prodHitsByIndicator[h.indicator_id] || []).push(h);
+    }
   }
+  // Same split for the file-presence indicators (ssh-private-keys
+  // artifact backs the ssh-private-key-block content scan AND the
+  // ssh-key-bad-perms posture check below). Filter out test-named
+  // private-key files (e.g. cosign-test.key) for the signal too.
+  const prodSshPrivateKeys = sshPrivateKeys.filter(f => !isTestPath(f.rel));
   const signal_overrides = {};
   for (const p of INDICATOR_PATTERNS) {
-    signal_overrides[p.id] = hitsByIndicator[p.id] && hitsByIndicator[p.id].length > 0 ? "hit" : "miss";
+    signal_overrides[p.id] = prodHitsByIndicator[p.id] && prodHitsByIndicator[p.id].length > 0 ? "hit" : "miss";
   }
+  // ssh-private-key-block is also flipped by file presence (a private
+  // key file with the matching magic bytes counts even without a
+  // content scan match — e.g. binary-only key formats). Re-flip when
+  // any non-test private-key file was discovered.
+  if (prodSshPrivateKeys.length > 0) signal_overrides["ssh-private-key-block"] = "hit";
   // world-writable-env-file predicate (per data/playbooks/secrets.json):
   //   restricted to env-files artifact entries
   //   any .env / .env.* / .envrc with mode 0666 or 0664 (group/world writable)

package/manifest.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "exceptd-security",
-  "version": "0.13.47",
+  "version": "0.13.49",
   "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation",
   "homepage": "https://exceptd.com",
   "license": "Apache-2.0",
@@ -53,7 +53,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "lXhZgoIrrVloO3XaTvo/43AxZn4mwErstd7DR0O/oVhD3AOGODM4HqrageYEou9WKOdMEGP5mJNTjJsXdP5NDA==",
-      "signed_at": "2026-05-21T16:32:59.757Z",
+      "signed_at": "2026-05-21T17:36:00.089Z",
       "cwe_refs": [
         "CWE-125",
         "CWE-362",
@@ -117,7 +117,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "vSVqu4wBm+d68ujZmM6Rto/HzViCkE0gPUcv/MYE/bjFiqamf/s0On4kTOo1KIveV9cOwYNxiItaGEWlVkRFDg==",
-      "signed_at": "2026-05-21T16:32:59.759Z",
+      "signed_at": "2026-05-21T17:36:00.091Z",
       "cwe_refs": [
         "CWE-1039",
         "CWE-1426",
@@ -180,7 +180,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "RIgXKvolQjgJdnlrDnVOd90IOY1B7VHHZD/YJQRzouL+wUeOLclPrdK/EgEuFyiu7lR4bi+Pl6aGB9G9tOxYCQ==",
-      "signed_at": "2026-05-21T16:32:59.760Z",
+      "signed_at": "2026-05-21T17:36:00.091Z",
       "cwe_refs": [
         "CWE-22",
         "CWE-345",
@@ -226,7 +226,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "RYOxeq/o3uTwTWq4H7RcdH2Aclg9UyCERfUH9Frwkzncsowg7LgxpaEDc3swTCv73HMEGbU8wVbXguZ4JxHUCQ==",
-      "signed_at": "2026-05-21T16:32:59.760Z"
+      "signed_at": "2026-05-21T17:36:00.092Z"
     },
     {
       "name": "compliance-theater",
@@ -257,7 +257,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "DneJCPKCPcoe6nQ82XptqSqNfSRdt1orKaO+o7K36YCciDrzwJb+1BuBLusPDtpcdDaGY0y0e+AqiTYJklhBAQ==",
-      "signed_at": "2026-05-21T16:32:59.761Z"
+      "signed_at": "2026-05-21T17:36:00.092Z"
     },
     {
       "name": "exploit-scoring",
@@ -286,7 +286,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "NA1hoQycvQhSUoG5rwlXX0mOVmGxoXRVezkELGEA2nZOdGis4gXkHT3O6Sfw7zxE4JuMrsCb65TEeOWk9WEPDg==",
-      "signed_at": "2026-05-21T16:32:59.761Z"
+      "signed_at": "2026-05-21T17:36:00.093Z"
     },
     {
       "name": "rag-pipeline-security",
@@ -323,7 +323,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "XgrzcA2brPhXrSTxrcLnJec0OpgGYJBoSTUlJ10UdePHffxqb9LTVGnfbmEk1ykQifXREZexui2bG7X/+eFfCQ==",
-      "signed_at": "2026-05-21T16:32:59.762Z",
+      "signed_at": "2026-05-21T17:36:00.094Z",
       "cwe_refs": [
         "CWE-1395",
         "CWE-1426"
@@ -380,7 +380,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "9+hZlZOqZdeACUmamQk66L5levZhhwnFXuYRhdT6Mce99eQaKT7wNfWq12hXQztkRcVRKaFH+a01zwJQwsRQCA==",
-      "signed_at": "2026-05-21T16:32:59.762Z",
+      "signed_at": "2026-05-21T17:36:00.094Z",
       "d3fend_refs": [
         "D3-CA",
         "D3-CSPP",
@@ -415,7 +415,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "ciqhVloMWWXEigPZvvwoV2c54tEqsDqsoc+sS/mNTFFJk2H+tz2+XUrgfEPRuYw0FeyNB6/+27pL2NpKHzUqAg==",
-      "signed_at": "2026-05-21T16:32:59.762Z",
+      "signed_at": "2026-05-21T17:36:00.095Z",
       "cwe_refs": [
         "CWE-1188"
       ]
@@ -443,7 +443,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "xiHAhhdufm9hCKU8PLiPE0MX65ej2F4OZwtlWLGLCiie9/km+Kiqbt192LcMvr94v83C98pb9wIaqFsFWft6AQ==",
-      "signed_at": "2026-05-21T16:32:59.763Z"
+      "signed_at": "2026-05-21T17:36:00.095Z"
     },
     {
       "name": "global-grc",
@@ -475,7 +475,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "oYsSk35N2Uzq7MRofACykylcVwkgPhI4luWZ14vmQT+gUKLyZiKVOUJbe1+7lGl6BYPRN0sUDQ0f7S5Eu5w2Ag==",
-      "signed_at": "2026-05-21T16:32:59.763Z"
+      "signed_at": "2026-05-21T17:36:00.095Z"
     },
     {
       "name": "zeroday-gap-learn",
@@ -502,7 +502,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "igRqYyU1unRFH40BsPyAR62SPrk8QZv8dPGb8S9O9EvLCNOZAzm3t+HdT/NKqzWHwrpomOzkkkyLfYI/0qTUDA==",
-      "signed_at": "2026-05-21T16:32:59.764Z"
+      "signed_at": "2026-05-21T17:36:00.096Z"
     },
     {
       "name": "pqc-first",
@@ -554,7 +554,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "vhc3wuQEro/86s1ro2b/KakUXg8QVnySYTBqA7ebzv9oeR2HYO5bvGEJp3oOHWtL37JDqcCAHYadSN/qxIyCCA==",
-      "signed_at": "2026-05-21T16:32:59.764Z",
+      "signed_at": "2026-05-21T17:36:00.096Z",
       "cwe_refs": [
         "CWE-327"
       ],
@@ -601,7 +601,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "MS35nWm8djfJGn4OOoT0JKJ2aO+Dkbb6wOOWJYvNZlRKT3UGA59o2gxg1JOnD20hb/RwxtkmCujhl2tuYSR+AQ==",
-      "signed_at": "2026-05-21T16:32:59.764Z"
+      "signed_at": "2026-05-21T17:36:00.097Z"
     },
     {
       "name": "security-maturity-tiers",
@@ -638,7 +638,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "8Px1s2lDj10/Q6erwEQlXgUHM1+OTruUR8qAHPX7Oo3k/l69N6P9sm0PsafS9wDFtj9l5C/OiLiFgzMlMt6vBw==",
-      "signed_at": "2026-05-21T16:32:59.765Z",
+      "signed_at": "2026-05-21T17:36:00.097Z",
       "cwe_refs": [
         "CWE-1188"
       ]
@@ -673,7 +673,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-11",
       "signature": "WAu5fRirzSOcnnZsTx2d/JJZwa/LPpXCi+31qATTGLmoNuhyy81k3ooPe9kCM3E0CLMtvTePg9DagYqBninZDQ==",
-      "signed_at": "2026-05-21T16:32:59.765Z"
+      "signed_at": "2026-05-21T17:36:00.097Z"
     },
     {
       "name": "attack-surface-pentest",
@@ -744,7 +744,7 @@
         "PTES revision incorporating AI-surface enumeration"
       ],
       "signature": "7eEwCXFd9pDKUw7yCUbRJSjfzozE44dwwwemCQUPm8JBPztLltibD9bL/RszSbYyCrYJmVb5Drncz2cGe62gCw==",
-      "signed_at": "2026-05-21T16:32:59.765Z"
+      "signed_at": "2026-05-21T17:36:00.098Z"
     },
     {
       "name": "fuzz-testing-strategy",
@@ -804,7 +804,7 @@
         "OSS-Fuzz-Gen / AI-assisted harness generation becoming the default expectation for OSS maintainers"
       ],
       "signature": "Z7ypCUnXx8JpLtgxxB6RHNi39w74AmrGY1N4ofAGCXhkuM2EaFVm1AU0dvl9UQ1bVLfHKEDGqMO/TwlIY7RABg==",
-      "signed_at": "2026-05-21T16:32:59.766Z"
+      "signed_at": "2026-05-21T17:36:00.098Z"
     },
     {
       "name": "dlp-gap-analysis",
@@ -879,7 +879,7 @@
         "Quebec Law 25, India DPDPA, KSA PDPL enforcement actions naming AI-tool prompt data as in-scope personal information"
       ],
       "signature": "fgxG344JGYBWWWwFXZ1IzGipWKP7EyBhrsvsbsb0CCGXfv/MvNHVNI6G0zQddCsWX1JeQbhZT3Vk8v1uJKDTDA==",
-      "signed_at": "2026-05-21T16:32:59.766Z"
+      "signed_at": "2026-05-21T17:36:00.098Z"
     },
     {
       "name": "supply-chain-integrity",
@@ -956,7 +956,7 @@
         "OpenSSF model-signing — emerging Sigstore-based signing standard for ML model weights; track for production adoption"
       ],
       "signature": "pcLrM98A3vUSZRjwNAk0aZ9umvOwB41XCLLsCOy/IebB2F/06oIrGUKkMHtHwm4pTVPShMMcKdZQQ3jz30FnCg==",
-      "signed_at": "2026-05-21T16:32:59.766Z"
+      "signed_at": "2026-05-21T17:36:00.099Z"
     },
     {
       "name": "defensive-countermeasure-mapping",
@@ -1013,7 +1013,7 @@
       ],
       "last_threat_review": "2026-05-11",
       "signature": "gqF8eU3VBrZhO2WnlcqKa7wm1d2mmWtvpbmx0kNCgHojNV+qEt+Ij84RO6bZvaUqhfYPWizWL79Fa4DL0curAQ==",
-      "signed_at": "2026-05-21T16:32:59.767Z"
+      "signed_at": "2026-05-21T17:36:00.099Z"
     },
     {
       "name": "identity-assurance",
@@ -1080,7 +1080,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "Wv5hGMeHjlaQK1zwicVCA7AvdKgJBgvcjdpGM9Ywahh9tagAKhbkOjybowDQZzu7OZ3bDkbh6pBYc1Sdwr6NAA==",
-      "signed_at": "2026-05-21T16:32:59.767Z"
+      "signed_at": "2026-05-21T17:36:00.099Z"
     },
     {
       "name": "ot-ics-security",
@@ -1136,7 +1136,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "8t5qKHd3yWi57dvG36YQkLN/X9bQWqtEiYjay4IfSmqhJpM/xXPaQVKNGz3wscrO8OLKUZ0OaX7Mj5kzpgBKBQ==",
-      "signed_at": "2026-05-21T16:32:59.768Z"
+      "signed_at": "2026-05-21T17:36:00.100Z"
     },
     {
       "name": "coordinated-vuln-disclosure",
@@ -1188,7 +1188,7 @@
         "NYDFS 23 NYCRR 500 amendments potentially adding explicit CVD program requirements"
       ],
       "signature": "GDGt4UPqBa04PjlpSmpyihGzd3OgfBN7jaAK5tfwp+LRSs3ygKOdbeivUCCHNagTY1hE6hG2Ou40ADfBFuXeAg==",
-      "signed_at": "2026-05-21T16:32:59.768Z"
+      "signed_at": "2026-05-21T17:36:00.100Z"
     },
     {
       "name": "threat-modeling-methodology",
@@ -1238,7 +1238,7 @@
         "PASTA v2 updates incorporating AI/ML application threats"
       ],
       "signature": "rFBpOQEJUPpl+v88Lw/WqVJRhTl80vy0VbPAbzQj3Q0suJRRrJg368I9uKu5LXIBKFDvKxnGIcIzbGg9NUtaCA==",
-      "signed_at": "2026-05-21T16:32:59.768Z"
+      "signed_at": "2026-05-21T17:36:00.100Z"
     },
     {
       "name": "webapp-security",
@@ -1312,7 +1312,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "ux85YI4t2mVHOyt744Yin1HHy+z11JIFygjKfFfQOBBl5QVV3A267jeIy7utix85irMcpZm/T3yx/ooqiK2tBA==",
-      "signed_at": "2026-05-21T16:32:59.769Z"
+      "signed_at": "2026-05-21T17:36:00.101Z"
     },
     {
       "name": "ai-risk-management",
@@ -1362,7 +1362,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "IIXnkZ5ZNqFwOto5KfytADTLLZLoyXNZACD1ORZ40P1HUAQxe6u2uyXFzzsfuob4Uy06jNkRGr2FFgCphUH1Cw==",
-      "signed_at": "2026-05-21T16:32:59.769Z"
+      "signed_at": "2026-05-21T17:36:00.101Z"
     },
     {
       "name": "sector-healthcare",
@@ -1422,7 +1422,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "AhF9KF8ZBlDteciV+F8IBSmFVYCvQOn44GmD4rZjgLoPxfIv/QE1/vSkK32zyqDKtHWkLSXExbkkPkxA/V6dDw==",
-      "signed_at": "2026-05-21T16:32:59.770Z"
+      "signed_at": "2026-05-21T17:36:00.102Z"
     },
     {
       "name": "sector-financial",
@@ -1503,7 +1503,7 @@
         "TIBER-EU framework v2.0 alignment with DORA TLPT RTS (JC 2024/40); cross-recognition with CBEST and iCAST"
       ],
       "signature": "HQgZvb4ReziEz5rNFr8i/O8/rJEZR+iHRROT7m/D2QUqhrcNISPkYXENsUZlG8xapzy/Ik92ehkseyj4hdmhCQ==",
-      "signed_at": "2026-05-21T16:32:59.770Z"
+      "signed_at": "2026-05-21T17:36:00.102Z"
     },
     {
       "name": "sector-federal-government",
@@ -1572,7 +1572,7 @@
         "Australia PSPF 2024 revision and ISM quarterly updates — track for Essential Eight Maturity Level requirements for federal entities"
       ],
       "signature": "linxmsXZiOYtcs71sSWgGCrvb8xQfmxmtTY5PRvZJ0/8FgJulo0tQtejzexYG775s7XhjAmGsDP238BQTQ8ADA==",
-      "signed_at": "2026-05-21T16:32:59.771Z"
+      "signed_at": "2026-05-21T17:36:00.103Z"
     },
     {
       "name": "sector-energy",
@@ -1637,7 +1637,7 @@
         "ICS-CERT advisory feed (https://www.cisa.gov/news-events/cybersecurity-advisories/ics-advisories) for vendor CVEs in Siemens, Rockwell, Schneider Electric, ABB, GE Vernova, Hitachi Energy, AVEVA / OSIsoft PI"
       ],
       "signature": "JjBfc0ovta560Clk0x3QGRM5osFJDwcvpy3rT7QEGdCIL827jzE8QCow1C8deXq+4JhY2sA/d7/8IsxikdlkCg==",
-      "signed_at": "2026-05-21T16:32:59.771Z"
+      "signed_at": "2026-05-21T17:36:00.103Z"
     },
     {
       "name": "sector-telecom",
@@ -1723,7 +1723,7 @@
         "O-RAN SFG / WG11 security specifications"
       ],
       "signature": "JWVxKFoKrbX4d+Tko1d4OBdwyg25MfFFKn4CT6E/CzH+YwnU3T6Y76uBQIKg3+gIGTvPduqyvQwQQ5FxKDuPBw==",
-      "signed_at": "2026-05-21T16:32:59.771Z"
+      "signed_at": "2026-05-21T17:36:00.103Z"
     },
     {
       "name": "api-security",
@@ -1792,7 +1792,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "BmCRCestWqr55+fCynEhtAl5NWLT+xLTkpwS0Icp3SaoZOw/ce3Y6TtqjHRSKn4CBJq7YDiLRWxmhO3MStvOAA==",
-      "signed_at": "2026-05-21T16:32:59.772Z"
+      "signed_at": "2026-05-21T17:36:00.104Z"
     },
     {
       "name": "cloud-security",
@@ -1873,7 +1873,7 @@
         "CISA KEV additions for cloud-control-plane CVEs (IMDSv1 abuses, federation token mishandling, cross-tenant boundary failures); CISA Cybersecurity Advisories for cross-cloud advisories"
       ],
       "signature": "/DV3pmZwrRySrk1OCbyI+0BQESacjupJfUX3eC2NGtXuYOBro0vndIP+z27heFxumnjU3a9sfla7/U9X+pqnDw==",
-      "signed_at": "2026-05-21T16:32:59.772Z"
+      "signed_at": "2026-05-21T17:36:00.104Z"
     },
     {
       "name": "container-runtime-security",
@@ -1935,7 +1935,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "E2UGSf9ATyYgzBr8uM/0ubOUmDqo1jVA7f9mVxv6LHfWGCNuQNXDyuNou9VAmUCeeXEeUYIi3AFjXkJqpOkxDA==",
-      "signed_at": "2026-05-21T16:32:59.772Z"
+      "signed_at": "2026-05-21T17:36:00.104Z"
     },
     {
       "name": "mlops-security",
@@ -2006,7 +2006,7 @@
         "MITRE ATLAS v5.6.0 (released February 2026) shipped the AML.T0010 sub-technique expansion this forecast tracked plus new techniques (\"Publish Poisoned AI Agent Tool\", \"Escape to Host\"); inventory now 16 tactics, 84 techniques, 56 sub-techniques. Forward watch: ATLAS v5.5 / v6.0 — track next-cadence updates to agentic-AI TTPs and MLOps-pipeline-specific techniques"
       ],
       "signature": "BGNE6ZQWBA1LmsUFe8tU0L67iGDSrFqiuqaZD2f1KqfcyqqzQfMs9PWNHFzxxaJmXeKlm87eU8lgELF0bX+RBA==",
-      "signed_at": "2026-05-21T16:32:59.773Z"
+      "signed_at": "2026-05-21T17:36:00.105Z"
     },
     {
       "name": "incident-response-playbook",
@@ -2068,7 +2068,7 @@
         "NYDFS 23 NYCRR 500.17 amendments tightening ransom-payment 24h disclosure operationalization"
       ],
       "signature": "FkZQerh3VHVJAwIcCktDyMRh5KE2+Em/i0ek8zEz7JG/PXtQx8ujHWTh3VjZbOLhPNtdB2qxgXOIAYIofaVOAQ==",
-      "signed_at": "2026-05-21T16:32:59.773Z"
+      "signed_at": "2026-05-21T17:36:00.105Z"
     },
     {
       "name": "ransomware-response",
@@ -2148,7 +2148,7 @@
       ],
       "last_threat_review": "2026-05-15",
       "signature": "n3UToNuN3A1HgLvcuqmIx8vrZY71+r/79waK92jG+rSX4uYOzkmxMUpROrE5K9bDwMezNBHdjWv8Uul6zugyDQ==",
-      "signed_at": "2026-05-21T16:32:59.774Z"
+      "signed_at": "2026-05-21T17:36:00.105Z"
     },
     {
       "name": "email-security-anti-phishing",
@@ -2201,7 +2201,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "rK+WnuS+9tqEABmwc0jO/PEmxcLjG1/tmUb897HsClQeKzf+TQOlwBE+OsbtuKxpjYNwur62Xxs3TxObkwm8Cw==",
-      "signed_at": "2026-05-21T16:32:59.774Z"
+      "signed_at": "2026-05-21T17:36:00.106Z"
     },
     {
       "name": "age-gates-child-safety",
@@ -2269,7 +2269,7 @@
         "US state adult-site age-verification laws — 19+ states by mid-2026 (TX HB 18 upheld by SCOTUS June 2025 in Free Speech Coalition v. Paxton); track ongoing challenges in remaining states"
       ],
       "signature": "+OO0RhQ303RJV7kaH38IuZpLeQbapep6Ds4Re/WEZu0FHBwKSlwvF7jbtP7KQ57xldJYn/xZm2jaszyOacMfDg==",
-      "signed_at": "2026-05-21T16:32:59.775Z"
+      "signed_at": "2026-05-21T17:36:00.106Z"
     },
     {
       "name": "cloud-iam-incident",
@@ -2349,7 +2349,7 @@
       ],
       "last_threat_review": "2026-05-15",
       "signature": "e/kij7GtKaytROyIj7V5RH+FC9WtmVFzrmG2kIlNDNn29ep/CRNlIQKwXLpzo/81AIf634pmdr1qy/+vwIuUDA==",
-      "signed_at": "2026-05-21T16:32:59.775Z"
+      "signed_at": "2026-05-21T17:36:00.107Z"
     },
     {
       "name": "idp-incident-response",
@@ -2430,11 +2430,11 @@
       ],
       "last_threat_review": "2026-05-15",
       "signature": "ew9Kglc9fAZzbn0ZIfGP7WSK/j4eV2VhSvpy+s5bEfNEVYIMa2kZjnGBapgUsyGDLes9H9K2ovjQyX17+GKiBw==",
-      "signed_at": "2026-05-21T16:32:59.775Z"
+      "signed_at": "2026-05-21T17:36:00.107Z"
     }
   ],
   "manifest_signature": {
     "algorithm": "Ed25519",
-    "signature_base64": "qkKqW3EHhuVNY9gKPnQRU+CSezvT9b9LS3T4jx+YhNKaPydIUeUs5UsdPJDP+0Wo1ztFSCAcgQLrIYjLo2xVDw=="
+    "signature_base64": "fh1K2ANMsPzZTwxkm31oVK6WRuY7P0h/LpomKgFhakAA4qDAfTVAy6lk1PcaqIMgX6okxOwMgcdKQFHC0XQuBw=="
   }
 }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/exceptd-skills",
-  "version": "0.13.47",
+  "version": "0.13.49",
   "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 42 skills, 10 catalogs (312 CVEs / 171 CWEs / 805 ATT&CK + ICS / 170 ATLAS / 468 D3FEND / 7476 RFCs), 34 jurisdictions, 10-class catalog gap detector + budget gate, real XML parser + canonical-form diff + content-pattern regression detection, Ed25519-signed.",
   "keywords": [
     "ai-security",

package/sbom.cdx.json CHANGED Viewed

@@ -1,22 +1,22 @@
 {
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:251fa007-6fc7-4558-bcc4-079d9d52c351",
+  "serialNumber": "urn:uuid:3d203982-8322-49a5-9822-36f3e578614d",
   "version": 1,
   "metadata": {
-    "timestamp": "2045-09-26T16:12:55.000Z",
+    "timestamp": "2058-07-01T11:14:10.000Z",
     "tools": [
       {
         "vendor": "blamejs",
         "name": "scripts/refresh-sbom.js",
-        "version": "0.13.47"
+        "version": "0.13.49"
       }
     ],
     "component": {
-      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.13.47",
+      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.13.49",
       "type": "application",
       "name": "@blamejs/exceptd-skills",
-      "version": "0.13.47",
+      "version": "0.13.49",
       "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 42 skills, 10 catalogs (312 CVEs / 171 CWEs / 805 ATT&CK + ICS / 170 ATLAS / 468 D3FEND / 7476 RFCs), 34 jurisdictions, 10-class catalog gap detector + budget gate, real XML parser + canonical-form diff + content-pattern regression detection, Ed25519-signed.",
       "licenses": [
         {
@@ -25,17 +25,17 @@
           }
         }
       ],
-      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.13.47",
+      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.13.49",
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "e97a2a2d55c00e8699dc0ba5d2b785e67d6de04ad7ee47707c5a6cf388b0952d"
+          "content": "0cc0239379aa675d66a79fd4927e165df684aa8b16274779c1ade7cea6ef988f"
         }
       ],
       "externalReferences": [
         {
           "type": "distribution",
-          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.13.47"
+          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.13.49"
         },
         {
           "type": "vcs",
@@ -116,11 +116,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "f6e135db6cf29df6a3ab3efaa0e542579a5f0d96fd7ac06f3a8108bc6f65c132"
+          "content": "d93a2bbbafc6fe57f582c4ef06504eb172d09ed556281bcdb429d0b4d386eb00"
         },
         {
           "alg": "SHA3-512",
-          "content": "cc2f080a037f639d8694dc824592a1132755513f8b18ceb1041a283be27e9b50170122edacea4f9fb89828d3300342277a0bfbb363aa09964e26ed2c855433df"
+          "content": "9339c6c17243ad1b2f9821f3f31c722cabc896377eaa254606207a4438ddaaf9a4342745fdddfc512721b78a3e4ee21b20cf814f7d6602656e1ae3a0ad526ba6"
         }
       ]
     },
@@ -281,11 +281,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "0f798de4d3727d4cb33993a35c370557f9068e1cf2a32a2e850b54c606028751"
+          "content": "605b1d6cbaf1e8fea9937c0f41f9cc17a630300bd3dd8a3c425fe1885775d380"
         },
         {
           "alg": "SHA3-512",
-          "content": "d592cb61c7cf31c447657b35010d7d2c54b04e56da63b4beba7307324e68ccd6e97bbd88b72dd2c88fb83041f0ac93c58da7000bbc59ecf0d3f3a2c4436cf1f5"
+          "content": "6dd90b9c957cfeb05c626e3ed175a5700f534dd4422b812f66cb72856f23d371d0d8eb2801a76f5a445ba17e4750259791ccd3bd7a8648e92f8e31a962245ff6"
         }
       ]
     },
@@ -926,11 +926,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "3844551461b3ee675627c08b03a99a0944a6783ee7f389eb2c2080af38878cc6"
+          "content": "ca9fe6c5613c36cd7b7b016863f76b6081284847d7a519b54354e8b428542eb4"
         },
         {
           "alg": "SHA3-512",
-          "content": "71612bf63aca6d387c3ad57f0b19c55486defd506de48e09b9f2c71b35bf2331cb7d9c0f7608e87954fe67256d9be150ab7eba4daaa4ee418e300a7e90133a77"
+          "content": "07658edb8e5d00b7fd2a67c0d3166074251521d7821210f8f28226fd02108c7b8a8980f0ff573b82350bef2afe2d5f53d02dbee8aae41be01db7f6fbf4ae6d19"
         }
       ]
     },
@@ -941,11 +941,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "fdf7a4b18ea536c39aad7f7c4b7a95c0d00d0b284224527b540bcfa69e91f5b3"
+          "content": "abc9ed4ffe582d4f1ab32fe4d964ae29c59bba0ef8fcfab6c94097e8f82569a7"
         },
         {
           "alg": "SHA3-512",
-          "content": "166586d799505c55ea8802ba2b7c3520b07f8fd115326262a9e9fb70fd4fe8b8d31edf87d466532f66aa80c066400406a2622ec63dbb8dcc8182fce059ea2a16"
+          "content": "a110cb3d582c78e6fb0793371606d38a0ed62cd0d84b9d454878931113485a10a9729283205256365bb43f96d6daee5f727777c673d8701a0ca8da5c8b99b973"
         }
       ]
     },
@@ -1001,11 +1001,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "2bcebd3e3c5329f4d18f46c2f659f0b6473a453105eb9aa87f0bb1b82203fac3"
+          "content": "3b9eb4b785889d4b1416d4bcf3e234bfdad635297d460cf64d934e257d139704"
         },
         {
           "alg": "SHA3-512",
-          "content": "03dbd138a13daf6b6ecd70a70bef555ef464e59a9fee4642fcce5d48053ec7955aec217db4b4b30241248166a51d7c0f23ef46975e4e5f3c0fb366abd9f70e8d"
+          "content": "11c1d492d7e15da9e5e3f5ffce72cb1e002970a5a23be650da8506a61447bf988bc2da8deea9300ffe2e81ceb4f39abf9d48ea2b2224712835675cbc39d1a4d2"
         }
       ]
     },
@@ -1061,11 +1061,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "3488120e9c8715f090dcacdb91aa216522f64c4f450af96befbd515c7067d945"
+          "content": "33456838e7363a51fcd69738fc1aa286ee30e53ed7049d64d672ca1994008e71"
         },
         {
           "alg": "SHA3-512",
-          "content": "8a0412500d66216a58464d714f44935c113a117236b5ccb077b0243cc630d5954cf04d19b13d481a30093ca02cf450284911eb22a4c58cb5cffdc610a4ec0809"
+          "content": "f310033529ffa980515daa40c155b309a56263a05214723df5567db709e22372a5caa772ba1ff0a4cd4e4ff1e398ecf4f81f15c186729fbe7c3d0e123ba16be9"
         }
       ]
     },
@@ -1661,11 +1661,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "e206a4bf8b7e84f787bdc8af0b7ca6d41d5a08c3f9a91d612f65e2f29c9c2269"
+          "content": "188c660ebfd03913aafe0a2d8fc7975081b6a1c786eb0201338e62985b2f51c7"
         },
         {
           "alg": "SHA3-512",
-          "content": "c8121e1f6295182604b5a9b9b2f96eb6508cf5888984f9e77464fac89ad69d0fc93d121ba82891d994eb5ee11b10c6e8472b290c4c56ee4606c77fa40c7a5902"
+          "content": "7e656d60bdf6fa0eb35ca9925fb04c04b5e1658f860ee1c8ab561e03c889c85d55a6aabefb8639207f24b6d8f170230e353b2eb5efbbe9f00927f146197c0692"
         }
       ]
     },