@blamejs/exceptd-skills 0.13.6 → 0.13.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (11) hide show
  1. package/CHANGELOG.md +16 -0
  2. package/bin/exceptd.js +7 -0
  3. package/data/_indexes/_meta.json +3 -3
  4. package/data/_indexes/activity-feed.json +8 -8
  5. package/data/_indexes/catalog-summaries.json +2 -2
  6. package/data/_indexes/frequency.json +42 -0
  7. package/data/framework-control-gaps.json +1208 -2
  8. package/lib/refresh-external.js +23 -1
  9. package/manifest.json +44 -44
  10. package/package.json +1 -1
  11. package/sbom.cdx.json +13 -13
package/CHANGELOG.md CHANGED
@@ -1,5 +1,21 @@
1
1
  # Changelog
2
2
 
3
+ ## 0.13.7 — 2026-05-18
4
+
5
+ Catalog cross-reference closure + two test-isolation fixes that surfaced after the v0.13.6 expansion.
6
+
7
+ ### Bugs
8
+
9
+ **`exceptd doctor --ai-config` now matches the canonical Windsurf MCP config path.** The audit walker uses `SENSITIVE_PATTERNS` to identify files that need mode 0o600. Prior regex `/\.mcp_config\.json$/` required a literal `.` before `mcp_config.json` — so `~/.codeium/windsurf/mcp_config.json` (the real-world install path, no leading dot) was silently skipped. New regex `^mcp_config\.json$` covers the bare filename while `\.mcp_config\.json$` is kept for vendor-prefixed variants like `default.mcp_config.json`.
10
+
11
+ **`refresh-external --from-fixture` no longer falls through to live RSS for the advisories source.** Fixture mode populated frozen payloads for kev / epss / nvd / rfc / pins / ghsa / osv but left the advisories poller (Qualys / RHSA / USN / ZDI / kernel.org / oss-security / JFrog / CISA) unfixturized — it called `fetch()` against the real RSS endpoints. Back-to-back fixture-mode runs (sequential vs `--swarm`) hit moving upstream data within the 10-15s test window and the `swarm and sequential reports diverge` assertion fired intermittently on macOS runners. The fixture loader now reads `tests/fixtures/refresh/advisories.json` into `ctx.fixtures.advisories` so all 8 feeds resolve to frozen content. New regression pin verifies `8/8 feeds reachable` from the fixture instead of any live count.
12
+
13
+ ### Features
14
+
15
+ **42 new framework-control-gap entries** close every orphan forward reference introduced by the v0.13.6 catalog expansion. Coverage spans NIST 800-53 (IA-8, AU-9, SC-5), ISO 27001:2022 (A.5.21, A.8.9, A.8.15, A.8.21, A.8.24), PCI DSS 4.0 (2.2.3, 3.5, 6.2.4, 6.3.2, 10.5), OWASP LLM Top 10 (LLM01, LLM02, LLM05, LLM06, LLM07), OWASP API / Top 10 / SAMM, FedRAMP (AC-3, AC-4, SC-4, SC-7), EU AI Act Art.10 + Art.15, ISO/IEC 42001-AIMS (root + A.6.2.5), CIS Controls v8 7.4, ENISA mobile / IoT secure baselines, GDPR Art.32, NIS2 Art.21 availability, ATLAS AML.T0048, DORA Art.10, SLSA-3, OpenSSF Scorecard PinnedDependenciesID, NIST 800-218 SSDF (PO.4.2, PW.7.1). Each entry carries operator-facing `designed_for` / `misses[]` / `real_requirement` text and at least one evidence CVE from the v0.13.6 additions. `framework-control-gaps.json` total: 142 → 184.
16
+
17
+ The high-leverage closures: `EU-AI-Act-Art15` (10 CVE anchors covering inference-server bundled-codec RCE, agentic-IDE command-injection, managed-AI-service SSRF, AI-platform overlay privesc, serialization-injection); `SLSA-3` (sleeper-package temporal-trust failure mode that L3-correct provenance alone does not catch); `ISO-IEC-42001-AIMS-A.6.2.5` (AIMS lifecycle gates extended to IDE-resident agentic primitives and managed-AI-platform overlays).
18
+
3
19
  ## 0.13.6 — 2026-05-18
4
20
 
5
21
  CVE catalog expansion (38 → 67 entries) covering threat classes the catalog previously did not address, plus a `doctor` undercount fix.
package/bin/exceptd.js CHANGED
@@ -5557,9 +5557,16 @@ function cmdDoctor(runner, args, runOpts, pretty) {
5557
5557
  { dir: '.continue', display: '~/.continue' },
5558
5558
  ];
5559
5559
  // Files within those dirs that warrant the strict-mode check.
5560
+ // v0.13.7: prior `/\.mcp_config\.json$/` regex required a literal `.`
5561
+ // before `mcp_config.json`, so the real-world Windsurf install path
5562
+ // (`~/.codeium/windsurf/mcp_config.json` — no leading dot) was
5563
+ // silently missed by the audit. `^mcp_config\.json$` now matches the
5564
+ // bare filename, and the trailing `.mcp_config.json` form is kept
5565
+ // for vendor variants that prefix with a tag (e.g. `default.mcp_config.json`).
5560
5566
  const SENSITIVE_PATTERNS = [
5561
5567
  /^settings\.json$/,
5562
5568
  /^mcp\.json$/,
5569
+ /^mcp_config\.json$/,
5563
5570
  /\.mcp_config\.json$/,
5564
5571
  /^api_key/,
5565
5572
  /\.token$/,
package/data/_indexes/_meta.json CHANGED
@@ -1,10 +1,10 @@
1
1
  {
2
2
  "schema_version": "1.1.0",
3
- "generated_at": "2026-05-18T07:02:32.618Z",
3
+ "generated_at": "2026-05-18T14:18:03.242Z",
4
4
  "generator": "scripts/build-indexes.js",
5
5
  "source_count": 54,
6
6
  "source_hashes": {
7
- "manifest.json": "fac154a4d63a13c1289d3498abab8d28433c30b79393e63f49c6a2ce21f7922e",
7
+ "manifest.json": "dc4472e1476028be9f69537ae5b19998b32eeaa6951bacf570898ed4abdef2d1",
8
8
  "data/atlas-ttps.json": "c2aee9c70ec24cf48f1ea4daf170aa6e7b93292888239c46a8ec9e522ee32119",
9
9
  "data/attack-techniques.json": "29cd5690040c7153dbf293b7e3a99b72fc897b0495478e369f7ce7004b8d64f4",
10
10
  "data/cve-catalog.json": "b3731361d298483648264215fd8dbfca36d0f4e2ead4aebf7c49718e12038e1f",
@@ -12,7 +12,7 @@
12
12
  "data/d3fend-catalog.json": "a1fc2827ceb344669e148d55197dbf1b0e5b20bcc618e90517639c17d67ee82d",
13
13
  "data/dlp-controls.json": "d2406c482dddd30e49203879999dc4b3a7fd4d0494d6a61d86b91ee76415df19",
14
14
  "data/exploit-availability.json": "ec2656f0d9a893610e27b43eb6035fe9b18e057c9f6dfaac7e7d4959bbcbb795",
15
- "data/framework-control-gaps.json": "d49c75de55e6e1dabec46e6e975619489a2093b0be53c2a0b654e5c1826fbe46",
15
+ "data/framework-control-gaps.json": "a8bb654f6ed2fba5290dc6acac73ee423c1afcb2dca27bce3303adc3ee40f791",
16
16
  "data/global-frameworks.json": "9ba563a85f7f8d6c3c957de64945e20925a89d0ed6ea6fc561cf093811acf558",
17
17
  "data/rfc-references.json": "e253a548c8a829d178d5aea601e268724b85c936ccbfa51c2e5d80c5f8efe2b0",
18
18
  "data/zeroday-lessons.json": "bb3fec080f649a5968f8d0c6d69ca4d32fb120de0f7d07b1f5058184d4d3ff3a",
package/data/_indexes/activity-feed.json CHANGED
@@ -13,6 +13,14 @@
13
13
  "schema_version": "1.0.0",
14
14
  "entry_count": 67
15
15
  },
16
+ {
17
+ "date": "2026-05-18",
18
+ "type": "catalog_update",
19
+ "artifact": "data/framework-control-gaps.json",
20
+ "path": "data/framework-control-gaps.json",
21
+ "schema_version": "1.0.0",
22
+ "entry_count": 184
23
+ },
16
24
  {
17
25
  "date": "2026-05-18",
18
26
  "type": "catalog_update",
@@ -73,14 +81,6 @@
73
81
  "schema_version": "1.1.0",
74
82
  "entry_count": 28
75
83
  },
76
- {
77
- "date": "2026-05-15",
78
- "type": "catalog_update",
79
- "artifact": "data/framework-control-gaps.json",
80
- "path": "data/framework-control-gaps.json",
81
- "schema_version": "1.0.0",
82
- "entry_count": 142
83
- },
84
84
  {
85
85
  "date": "2026-05-15",
86
86
  "type": "catalog_update",
package/data/_indexes/catalog-summaries.json CHANGED
@@ -163,7 +163,7 @@
163
163
  "path": "data/framework-control-gaps.json",
164
164
  "purpose": "Per-control framework gap declarations: SI-2, A.8.8, PCI 6.3.3, etc. Each entry names the control, the lag, the evidence CVE, and remediation guidance.",
165
165
  "schema_version": "1.0.0",
166
- "last_updated": "2026-05-15",
166
+ "last_updated": "2026-05-18",
167
167
  "tlp": "CLEAR",
168
168
  "source_confidence_default": "A1",
169
169
  "freshness_policy": {
@@ -172,7 +172,7 @@
172
172
  "rebuild_after_days": 365,
173
173
  "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
174
174
  },
175
- "entry_count": 142,
175
+ "entry_count": 184,
176
176
  "sample_keys": [
177
177
  "ALL-AI-PIPELINE-INTEGRITY",
178
178
  "ALL-MCP-TOOL-TRUST",
package/data/_indexes/frequency.json CHANGED
@@ -2519,6 +2519,7 @@
2519
2519
  "D3-SFA"
2520
2520
  ],
2521
2521
  "framework_gaps": [
2522
+ "ATLAS-AML.T0048",
2522
2523
  "AU-Essential-8-App-Hardening",
2523
2524
  "AU-Essential-8-Backup",
2524
2525
  "AU-Essential-8-MFA",
@@ -2526,55 +2527,96 @@
2526
2527
  "AU-ISM-1546",
2527
2528
  "AU-ISM-1808",
2528
2529
  "CIS-Controls-v8-10.1",
2530
+ "CIS-Controls-v8-7.4",
2529
2531
  "CIS-Controls-v8-Control6",
2530
2532
  "CIS-Kubernetes-Benchmark-4.2.13",
2531
2533
  "CIS-Kubernetes-Benchmark-5.3",
2532
2534
  "CIS-Kubernetes-Benchmark-5.7",
2533
2535
  "DORA-Art-9",
2536
+ "DORA-Art10",
2534
2537
  "DORA-Art28",
2535
2538
  "DORA-IA-CTPP-Oversight",
2536
2539
  "DORA-ITS-TLPT",
2537
2540
  "DORA-RTS-Incident-Classification",
2538
2541
  "DORA-RTS-Subcontracting",
2542
+ "ENISA-IoT-security-baseline",
2543
+ "ENISA-mobile-secure-baseline",
2539
2544
  "EU-AI-Act-Annex-IX-Conformity",
2540
2545
  "EU-AI-Act-Art-15",
2541
2546
  "EU-AI-Act-Art-53-GPAI",
2542
2547
  "EU-AI-Act-Art-55-Systemic",
2548
+ "EU-AI-Act-Art10",
2549
+ "EU-AI-Act-Art15",
2543
2550
  "EU-AI-Act-GPAI-CoP",
2544
2551
  "EU-CRA-Art13",
2552
+ "FedRAMP-AC-3",
2553
+ "FedRAMP-AC-4",
2554
+ "FedRAMP-SC-4",
2555
+ "FedRAMP-SC-7",
2556
+ "GDPR-Art32",
2545
2557
  "HIPAA-Security-Rule-2026-NPRM-164.308",
2546
2558
  "HIPAA-Security-Rule-2026-NPRM-164.310",
2547
2559
  "HIPAA-Security-Rule-2026-NPRM-164.312",
2548
2560
  "HIPAA-Security-Rule-2026-NPRM-164.314",
2549
2561
  "ISO-27001-2022-A.5.15",
2562
+ "ISO-27001-2022-A.5.21",
2550
2563
  "ISO-27001-2022-A.5.7",
2551
2564
  "ISO-27001-2022-A.8.13",
2565
+ "ISO-27001-2022-A.8.15",
2566
+ "ISO-27001-2022-A.8.21",
2552
2567
  "ISO-27001-2022-A.8.22",
2568
+ "ISO-27001-2022-A.8.24",
2553
2569
  "ISO-27001-2022-A.8.7",
2570
+ "ISO-27001-2022-A.8.9",
2571
+ "ISO-IEC-42001-AIMS",
2572
+ "ISO-IEC-42001-AIMS-A.6.2.5",
2573
+ "NIS2-Art21-availability",
2554
2574
  "NIS2-Art21-business-continuity",
2555
2575
  "NIS2-Art21-identity-management",
2556
2576
  "NIS2-Art21-incident-handling",
2557
2577
  "NIS2-Art21-network-security",
2558
2578
  "NIS2-Art21-supply-chain",
2559
2579
  "NIS2-Art21-vulnerability-management",
2580
+ "NIST-800-218-SSDF-PO.4.2",
2560
2581
  "NIST-800-218-SSDF-PW.4",
2582
+ "NIST-800-218-SSDF-PW.7.1",
2561
2583
  "NIST-800-53-AC-3",
2562
2584
  "NIST-800-53-AC-6",
2585
+ "NIST-800-53-AU-9",
2563
2586
  "NIST-800-53-IA-2",
2587
+ "NIST-800-53-IA-8",
2564
2588
  "NIST-800-53-SC-39",
2565
2589
  "NIST-800-53-SC-44",
2590
+ "NIST-800-53-SC-5",
2566
2591
  "NIST-800-53-SI-10",
2567
2592
  "NIST-800-53-SR-3",
2568
2593
  "NIST-AI-RMF-MAP-3.4",
2569
2594
  "NIST-AI-RMF-MEASURE-2.7",
2595
+ "OWASP-API-Security-Top-10-API4:2023",
2596
+ "OWASP-API-Security-Top-10-API8:2023",
2570
2597
  "OWASP-LLM-Top-10-2025-LLM05",
2598
+ "OWASP-LLM-Top-10-LLM01",
2599
+ "OWASP-LLM-Top-10-LLM02",
2600
+ "OWASP-LLM-Top-10-LLM05",
2601
+ "OWASP-LLM-Top-10-LLM06",
2602
+ "OWASP-LLM-Top-10-LLM07",
2571
2603
  "OWASP-ML-Top-10-2023-ML06",
2604
+ "OWASP-SAMM-Code-Review",
2605
+ "OWASP-Top-10-2021-A03",
2572
2606
  "OWASP-Top-10-2021-A06",
2607
+ "OWASP-Top-10-2021-A10",
2608
+ "OpenSSF-Scorecard-PinnedDependenciesID",
2609
+ "PCI-DSS-4.0-10.5",
2610
+ "PCI-DSS-4.0-2.2.3",
2611
+ "PCI-DSS-4.0-3.5",
2573
2612
  "PCI-DSS-4.0-5.1",
2613
+ "PCI-DSS-4.0-6.2.4",
2614
+ "PCI-DSS-4.0-6.3.2",
2574
2615
  "PCI-DSS-4.0.1-11.6.1",
2575
2616
  "PCI-DSS-4.0.1-12.10.7",
2576
2617
  "PCI-DSS-4.0.1-12.3.3",
2577
2618
  "PCI-DSS-4.0.1-6.4.3",
2619
+ "SLSA-3",
2578
2620
  "SLSA-v1.0-Source-L3",
2579
2621
  "UK-CAF-A1",
2580
2622
  "UK-CAF-B2",