@blamejs/exceptd-skills 0.13.63 → 0.13.65
- package/ARCHITECTURE.md +2 -2
- package/CHANGELOG.md +8 -0
- package/CONTEXT.md +2 -2
- package/README.md +2 -2
- package/data/_indexes/_meta.json +14 -14
- package/data/_indexes/activity-feed.json +157 -157
- package/data/_indexes/catalog-summaries.json +2 -2
- package/data/_indexes/currency.json +46 -46
- package/data/_indexes/handoff-dag.json +9 -5
- package/data/_indexes/section-offsets.json +64 -64
- package/data/_indexes/summary-cards.json +23 -23
- package/data/_indexes/token-budget.json +54 -54
- package/data/cwe-catalog.json +2 -2
- package/data/d3fend-catalog.json +2 -2
- package/manifest.json +184 -93
- package/package.json +1 -1
- package/sbom.cdx.json +59 -44
- package/scripts/audit-cross-skill.js +6 -1
- package/scripts/builders/catalog-summaries.js +2 -2
- package/scripts/sync-manifest-metadata.js +88 -0
- package/skills/age-gates-child-safety/skill.md +1 -1
- package/skills/ai-attack-surface/skill.md +1 -1
- package/skills/ai-c2-detection/skill.md +1 -1
- package/skills/attack-surface-pentest/skill.md +1 -1
- package/skills/defensive-countermeasure-mapping/skill.md +2 -2
- package/skills/dlp-gap-analysis/skill.md +1 -1
- package/skills/mcp-agent-trust/skill.md +1 -1
- package/skills/rag-pipeline-security/skill.md +1 -1
- package/skills/researcher/skill.md +4 -0
package/ARCHITECTURE.md
CHANGED
|
@@ -176,13 +176,13 @@ Tracks PoC status, weaponization stage, and AI-assist factor per CVE. Updated wh
|
|
|
176
176
|
|
|
177
177
|
### `data/cwe-catalog.json`
|
|
178
178
|
|
|
179
|
-
|
|
179
|
+
171 CWE entries pinned to **CWE v4.20**. Covers the Top 25 Most Dangerous Software Weaknesses (2024 release) plus AI- and supply-chain-relevant weakness classes (prompt-injection-as-trust-boundary failure, training data integrity, dependency confusion, untrusted artifact ingestion). Each entry records root-cause description, common consequences, mitigation patterns, and the CVEs in `cve-catalog.json` that instantiate the weakness. Skills cite CWE IDs in `cwe_refs` to anchor a finding to a stable weakness taxonomy rather than to a single CVE; the CWE provides the durable root-cause lens that survives across exploit generations.
|
|
180
180
|
|
|
181
181
|
`_meta.cwe_version` pins the version; on a CWE release, audit IDs for renames or deprecations, bump `last_threat_review` on affected skills, and update `_meta`.
|
|
182
182
|
|
|
183
183
|
### `data/d3fend-catalog.json`
|
|
184
184
|
|
|
185
|
-
468 MITRE D3FEND defensive technique entries pinned to **D3FEND v1.
|
|
185
|
+
468 MITRE D3FEND defensive technique entries pinned to **D3FEND v1.3.0**. Each entry records the defensive technique ID (e.g., `D3-EAL` Executable Allowlisting), the tactic / artifact it defends, the offensive ATLAS / ATT&CK TTPs it counters, defense-in-depth layer position, least-privilege scope assumptions, zero-trust posture compatibility, and AI-pipeline applicability per Hard Rule #9. Skills cite D3FEND IDs in `d3fend_refs` to map offensive findings to a defensive countermeasure rather than to abstract control language. The `defensive-countermeasure-mapping` skill is the canonical consumer; any skill shipped on or after 2026-05-11 includes a Defensive Countermeasure Mapping section referencing this catalog.
|
|
186
186
|
|
|
187
187
|
`_meta.d3fend_version` pins the version; D3FEND ontology additions are tracked in skill `forward_watch` fields.
|
|
188
188
|
|
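Review bot: The rewritten `data/cwe-catalog.json` and `data/d3fend-catalog.json` paragraphs hard-code the catalog sizes (171 and 468) next to the version pins, and the changelog for this same release admits those counts were stale (55 and 28) while the new guard it introduces only checks version mentions against the catalog pin. Suggest extending the guard to entry counts as well, or generating both the pin and the count into these docs from `_meta.cwe_version` / `_meta.d3fend_version` and the catalog entry totals at build time, so the prose cannot drift independently of the data again.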
package/CHANGELOG.md
CHANGED
|
@@ -1,5 +1,13 @@
|
|
|
1
1
|
# Changelog
|
|
2
2
|
|
|
3
|
+
## 0.13.65 — 2026-05-24
|
|
4
|
+
|
|
5
|
+
Standards refresh: the MITRE D3FEND and CWE pins are brought current. D3FEND moves from v1.0.0 (June 2024) to v1.3.0 (December 2025) and CWE to 4.20 (April 2026) across the catalog `_meta`, operator docs, skill bodies, and the catalog-summary index. A breaking-change audit against both releases found no renamed or deprecated identifiers among the referenced techniques and weaknesses — D3FEND v1.0→v1.3 is additive, and CWE 4.16→4.20 deprecated nothing — so no skill mapping changed. Also corrected stale catalog counts in the architecture and context docs (CWE 55→171, D3FEND 28→468) and a skill that still cited D3FEND v0.10. A new guard fails the build if any D3FEND or CWE version mention diverges from the catalog pin.
|
|
6
|
+
|
|
7
|
+
## 0.13.64 — 2026-05-24
|
|
8
|
+
|
|
9
|
+
Audit-tooling and metadata consistency. The jurisdiction count now has a single source of truth — it is computed from the framework registry (35: every non-metadata entry, including the international / multi-jurisdiction standards scope) rather than restated by hand in the catalog summary and the cross-skill audit, which had diverged to 34. The researcher routing table gained entries for four skills it previously could not reach: `sector-telecom`, `ransomware-response`, `cloud-iam-incident`, and `idp-incident-response`. The per-skill `forward_watch` and `last_threat_review` fields in the shipped manifest are now synchronized from each skill's frontmatter — 40 stale cached values were corrected, including a forecast note that still dated an ATLAS release to the wrong month — and a guard now fails the build if the manifest cache drifts from frontmatter again. The defensive-countermeasure-mapping skill cites the current MITRE Center for Threat-Informed Defense ATT&CK Mappings crosswalk version (v16.1) and notes that it lags the live ATT&CK v19.0 matrix.
|
|
10
|
+
|
|
3
11
|
## 0.13.63 — 2026-05-24
|
|
4
12
|
|
|
5
13
|
Metadata accuracy corrections. Five references still cited MITRE ATLAS v5.1.0 — a catalog descriptor and four control-gap / TTP cross-walk notes — while the shipped catalog tracks v5.6.0. The catalog-summary index and one skill's forecast note dated ATLAS v5.6.0 to February 2026; its release date is May 2026 (2026-05-08). The package description counted 10 intelligence catalogs when 11 ship. The researcher skill described 37 downstream skills (itself the 38th); the library ships 42 (41 downstream).
|
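Review bot: The 0.13.65 entry claims a new guard fails the build when any D3FEND or CWE version mention diverges from the catalog pin, but the file list for this release touches only `scripts/audit-cross-skill.js` (+6 -1) and the new `scripts/sync-manifest-metadata.js` under `scripts/`; naming the script that implements the guard in the entry (and likewise for the 0.13.64 frontmatter-drift guard) would make the claim traceable from the changelog. The breaking-change audit that "found no renamed or deprecated identifiers" would benefit from the same treatment: a pointer to the script or output that produced the result lets it be re-run on the next pin bump instead of being restated by hand.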
package/CONTEXT.md
CHANGED
|
@@ -120,8 +120,8 @@ Skills and playbooks read from `data/`. Authoritative catalog inventory:
|
|
|
120
120
|
| `exploit-availability.json` | 10 | Per-CVE PoC locations, weaponization stage, AI-acceleration factor, live-patch status |
|
|
121
121
|
| `global-frameworks.json` | 35 jurisdictions | Patch SLAs and notification windows across global regulatory regimes |
|
|
122
122
|
| `zeroday-lessons.json` | 10 | Learning-loop entries: zero-day → attack vector → control gap → framework gap → new control |
|
|
123
|
-
| `cwe-catalog.json` |
|
|
124
|
-
| `d3fend-catalog.json` |
|
|
123
|
+
| `cwe-catalog.json` | 171 | CWE v4.20 entries (Top 25 2024 plus AI- and supply-chain-relevant weaknesses) |
|
|
124
|
+
| `d3fend-catalog.json` | 468 | MITRE D3FEND v1.3.0 defensive techniques for offensive → defensive mapping |
|
|
125
125
|
| `rfc-references.json` | 31 | IETF RFC / Internet-Draft references with status, errata count, replaces / replaced-by, `last_verified` dates |
|
|
126
126
|
| `dlp-controls.json` | 22 | DLP control entries indexed by channel, classifier, surface, enforcement mode, evidence type |
|
|
127
127
|
| `playbooks/` | 13 | Playbook specifications (see above) |
|
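Review bot: The unchanged `global-frameworks.json` row in this table still hand-states "35 jurisdictions", while the 0.13.64 changelog entry makes the framework registry the single source of truth for that count only in the catalog summary and the cross-skill audit; since the hunk header labels this table the authoritative catalog inventory and the two rows being fixed here are exactly the kind of hand-restated figure that drifted, suggest the same guard or generation step cover this table's count column too.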
package/README.md
CHANGED
|
@@ -552,8 +552,8 @@ All skills pull from `data/`. Cross-validated against canonical upstream sources
|
|
|
552
552
|
- `exploit-availability.json` — PoC locations, weaponization status, AI-assist factor
|
|
553
553
|
- `global-frameworks.json` — All major global compliance frameworks (35 jurisdictions) with control inventories and lag scores
|
|
554
554
|
- `zeroday-lessons.json` — Zero-day → control gap → framework gap → new control requirement mappings
|
|
555
|
-
- `cwe-catalog.json` — CWE entries pinned to CWE v4.
|
|
556
|
-
- `d3fend-catalog.json` — MITRE D3FEND defensive technique entries pinned to D3FEND v1.
|
|
555
|
+
- `cwe-catalog.json` — CWE entries pinned to CWE v4.20 (Top 25 + AI- / supply-chain-relevant additions)
|
|
556
|
+
- `d3fend-catalog.json` — MITRE D3FEND defensive technique entries pinned to D3FEND v1.3.0
|
|
557
557
|
- `rfc-references.json` — IETF RFC / Internet-Draft references with status, errata, replaces / replaced-by, `last_verified`
|
|
558
558
|
- `dlp-controls.json` — DLP control entries indexed by channel / classifier / surface / enforcement / evidence
|
|
559
559
|
|
package/data/_indexes/_meta.json
CHANGED
|
@@ -1,15 +1,15 @@
|
|
|
1
1
|
{
|
|
2
2
|
"schema_version": "1.1.0",
|
|
3
|
-
"generated_at": "2026-05-
|
|
3
|
+
"generated_at": "2026-05-24T18:06:30.702Z",
|
|
4
4
|
"generator": "scripts/build-indexes.js",
|
|
5
5
|
"source_count": 54,
|
|
6
6
|
"source_hashes": {
|
|
7
|
-
"manifest.json": "
|
|
7
|
+
"manifest.json": "3d668e206d800377a1ea731e226e36dd4b5aa02f4e608d07cdb87d323b5ad409",
|
|
8
8
|
"data/atlas-ttps.json": "019f12d24dc45ef8f5ae8812dec7c31a9506429a94751aaa559890a007ec6b22",
|
|
9
9
|
"data/attack-techniques.json": "49b6010b317edd219def135171ea8f3b1bbf1e00e9c5a08bf7237215ff54e2c3",
|
|
10
10
|
"data/cve-catalog.json": "a09c83af3f9679a7ea73935726a1ff9de2cab94b4ab6321fc017fc147747d7c3",
|
|
11
|
-
"data/cwe-catalog.json": "
|
|
12
|
-
"data/d3fend-catalog.json": "
|
|
11
|
+
"data/cwe-catalog.json": "4cb1193c4e20ddd3f480a7f421f28e3472b856b0c070761a0fe149a64c90fa8e",
|
|
12
|
+
"data/d3fend-catalog.json": "9a54bccb9f24f84b32024216cc3f53819a053721ac8ab43c326859e68fc0ffaf",
|
|
13
13
|
"data/dlp-controls.json": "d2406c482dddd30e49203879999dc4b3a7fd4d0494d6a61d86b91ee76415df19",
|
|
14
14
|
"data/exploit-availability.json": "ec2656f0d9a893610e27b43eb6035fe9b18e057c9f6dfaac7e7d4959bbcbb795",
|
|
15
15
|
"data/framework-control-gaps.json": "2f6147edef1cdec29ae755ec42021038145a702d908a1d5cf0a42e2484cbc786",
|
|
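Review bot: Because this file is produced by `scripts/build-indexes.js` (see the `"generator"` line in the context), the `generated_at` and `source_hashes` churn in this hunk cannot be reviewed by eye; the check that matters is that the committed index equals a clean regeneration from the shipped sources. Suggest the build guard regenerate the `_indexes/` files and fail on any diff, so a locally built index committed after a later edit to a skill or catalog cannot ship with stale hashes.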
@@ -17,13 +17,13 @@
|
|
|
17
17
|
"data/rfc-references.json": "926ea25892e052fc6a8b9952afc1d8e2bd06c4aec223a1a7aa79ef1dfd7b7bb5",
|
|
18
18
|
"data/zeroday-lessons.json": "7242a7349ac79a74813bf2b7486b6000c0c877e71cec17e2d68df33bc4007b93",
|
|
19
19
|
"skills/kernel-lpe-triage/skill.md": "08b3e9815ba481c57c80f5fc0ccbf5bb7cbb41f570c235ba6ff9596b8c07354d",
|
|
20
|
-
"skills/ai-attack-surface/skill.md": "
|
|
21
|
-
"skills/mcp-agent-trust/skill.md": "
|
|
20
|
+
"skills/ai-attack-surface/skill.md": "c4c1eb22a38ca7a959b5725222bab8fbd4f4044a548a93f3e288e6f698334b72",
|
|
21
|
+
"skills/mcp-agent-trust/skill.md": "89ac89084391d2341b6513fefb1be2d36b93de1c130f057696219c1c59440f13",
|
|
22
22
|
"skills/framework-gap-analysis/skill.md": "17249909697a9c61b71f6885a1f4888ab1e727909ddb487ed82aeef535884a4f",
|
|
23
23
|
"skills/compliance-theater/skill.md": "d656444bb1987f43ae61374f210977d0c1f247f54d7318fdd639dd0cfdbef392",
|
|
24
24
|
"skills/exploit-scoring/skill.md": "f55e9aa4985ebad8a2a12092c937deb6939a639dc1e16e2214ecfa1c9b9402c4",
|
|
25
|
-
"skills/rag-pipeline-security/skill.md": "
|
|
26
|
-
"skills/ai-c2-detection/skill.md": "
|
|
25
|
+
"skills/rag-pipeline-security/skill.md": "792c6f48a7ff06785c24258cac1714068feafefb3f8f05e6c62ddce2f2f9128d",
|
|
26
|
+
"skills/ai-c2-detection/skill.md": "de83dc284dc4f85a8a383c0b715ec7b9ea127ec49c3227bf4c72344bad4008ed",
|
|
27
27
|
"skills/policy-exception-gen/skill.md": "238074319b57399c75d76439ef1ff67153b5a3207adf1556f3ca1e68cfe7cfaa",
|
|
28
28
|
"skills/threat-model-currency/skill.md": "4295c0efe31dcbec1a7bc96b8ce05d41414d918cbfc7fb7dffb2be7e4d873ae3",
|
|
29
29
|
"skills/global-grc/skill.md": "57ca729034e9d33c527d869c1c4aa82fe37e496878a3cbcd9e5043cb62b7105d",
|
|
@@ -31,12 +31,12 @@
|
|
|
31
31
|
"skills/pqc-first/skill.md": "3b41b59eb4e8480b691ff17185f42b9fbfd7665e369fc210feba496688cc77aa",
|
|
32
32
|
"skills/skill-update-loop/skill.md": "f7cd18df293b90c0d2afb6ba8b87664419becea6b63221f03efaf09c69586025",
|
|
33
33
|
"skills/security-maturity-tiers/skill.md": "2e46c9332a5a6190d4605ba7bc653410659be19fab50c78c0a6732f84ebdb300",
|
|
34
|
-
"skills/researcher/skill.md": "
|
|
35
|
-
"skills/attack-surface-pentest/skill.md": "
|
|
34
|
+
"skills/researcher/skill.md": "dc8ceab8f69af370abb1165ed14ead6f3e9d236a8f703165eba52014ebfd43ab",
|
|
35
|
+
"skills/attack-surface-pentest/skill.md": "6174a20b777a82c83941ef64d27e8c7e4091649358930ac1ba564a0ad4d9399f",
|
|
36
36
|
"skills/fuzz-testing-strategy/skill.md": "86e7bf537e4313b932acaba6282a4514336066a740bdbee4e7cbea2d2ef05b54",
|
|
37
|
-
"skills/dlp-gap-analysis/skill.md": "
|
|
37
|
+
"skills/dlp-gap-analysis/skill.md": "d59a136aa6478b069975b2406c4e3be4b227273641b054852ebc6eedeebd3754",
|
|
38
38
|
"skills/supply-chain-integrity/skill.md": "90e930ef5d4cc5a54653844098d3549c3760b1a4aba5c48db1bd4eb24bea8d1b",
|
|
39
|
-
"skills/defensive-countermeasure-mapping/skill.md": "
|
|
39
|
+
"skills/defensive-countermeasure-mapping/skill.md": "dd89c729e7bbfa3c9455dec9b986455dec3c720249c559d2195179a5cbbb2933",
|
|
40
40
|
"skills/identity-assurance/skill.md": "f3c29ce17aaa426b65b58238e5bc9ccabcda23a8d350e597840e5d6d664aa102",
|
|
41
41
|
"skills/ot-ics-security/skill.md": "0acb7c105c87c523720bc19fdb4b6922cbf4f63054396e38b498528cfde02d76",
|
|
42
42
|
"skills/coordinated-vuln-disclosure/skill.md": "dc7a29a0d503d7e3a55ba9afd963630329397577ca4e6be124c0263c315acca3",
|
|
@@ -55,7 +55,7 @@
|
|
|
55
55
|
"skills/incident-response-playbook/skill.md": "9c219de36c7d702dff8504a25e2f1b07459716ea2ed02f49d751f91dbeca1b01",
|
|
56
56
|
"skills/ransomware-response/skill.md": "471b714c42717d43f81b2b582cd8e89ca8d3140de2ddc06cce15f012a0e19be1",
|
|
57
57
|
"skills/email-security-anti-phishing/skill.md": "250f266908f51f99a4cb3aec0d5dacfcf91fac9f3d95e5a117429a40ed2ff45a",
|
|
58
|
-
"skills/age-gates-child-safety/skill.md": "
|
|
58
|
+
"skills/age-gates-child-safety/skill.md": "639b79a2724415afe9e4469202f806e5bec022c0946c9496d4e17ed73aabbe21",
|
|
59
59
|
"skills/cloud-iam-incident/skill.md": "5ec3800a0049b2123aff67bfab4ff28491a86d2daeb712283e5e88b10c3d5d7b",
|
|
60
60
|
"skills/idp-incident-response/skill.md": "e67a2576e7f1c3bf89f499f5c977bc470ef29e8b3e3e45f4cb5bd45a82674282"
|
|
61
61
|
},
|
|
@@ -78,7 +78,7 @@
|
|
|
78
78
|
"handoff_dag_nodes": 42,
|
|
79
79
|
"summary_cards": 42,
|
|
80
80
|
"section_offsets_skills": 42,
|
|
81
|
-
"token_budget_total_approx":
|
|
81
|
+
"token_budget_total_approx": 418252,
|
|
82
82
|
"recipes": 8,
|
|
83
83
|
"jurisdiction_clocks": 29,
|
|
84
84
|
"did_ladders": 8,
|
|
@@ -5,6 +5,69 @@
|
|
|
5
5
|
"event_count": 54
|
|
6
6
|
},
|
|
7
7
|
"events": [
|
|
8
|
+
{
|
|
9
|
+
"date": "2026-05-22",
|
|
10
|
+
"type": "skill_review",
|
|
11
|
+
"artifact": "framework-gap-analysis",
|
|
12
|
+
"path": "skills/framework-gap-analysis/skill.md",
|
|
13
|
+
"note": "Feed a framework control ID and threat scenario — receive the gap between what the control covers and what current TTPs require"
|
|
14
|
+
},
|
|
15
|
+
{
|
|
16
|
+
"date": "2026-05-22",
|
|
17
|
+
"type": "skill_review",
|
|
18
|
+
"artifact": "compliance-theater",
|
|
19
|
+
"path": "skills/compliance-theater/skill.md",
|
|
20
|
+
"note": "Detect where an organization passes an audit but remains exposed — seven documented compliance theater patterns"
|
|
21
|
+
},
|
|
22
|
+
{
|
|
23
|
+
"date": "2026-05-22",
|
|
24
|
+
"type": "skill_review",
|
|
25
|
+
"artifact": "rag-pipeline-security",
|
|
26
|
+
"path": "skills/rag-pipeline-security/skill.md",
|
|
27
|
+
"note": "RAG-specific threat model — embedding manipulation, vector store poisoning, retrieval filter bypass, indirect prompt injection"
|
|
28
|
+
},
|
|
29
|
+
{
|
|
30
|
+
"date": "2026-05-22",
|
|
31
|
+
"type": "skill_review",
|
|
32
|
+
"artifact": "policy-exception-gen",
|
|
33
|
+
"path": "skills/policy-exception-gen/skill.md",
|
|
34
|
+
"note": "Generate defensible policy exceptions for architectural realities — ephemeral infra, AI pipelines, ZTA, no-reboot patching"
|
|
35
|
+
},
|
|
36
|
+
{
|
|
37
|
+
"date": "2026-05-22",
|
|
38
|
+
"type": "skill_review",
|
|
39
|
+
"artifact": "pqc-first",
|
|
40
|
+
"path": "skills/pqc-first/skill.md",
|
|
41
|
+
"note": "Post-quantum cryptography first mentality — hard version gates (OpenSSL 3.5+), algorithm sunset tracking, HNDL assessment, loopback learning for NIST/IETF evolution"
|
|
42
|
+
},
|
|
43
|
+
{
|
|
44
|
+
"date": "2026-05-22",
|
|
45
|
+
"type": "skill_review",
|
|
46
|
+
"artifact": "skill-update-loop",
|
|
47
|
+
"path": "skills/skill-update-loop/skill.md",
|
|
48
|
+
"note": "Meta-skill for keeping all exceptd skills current — CISA KEV triggers, ATLAS version updates, framework amendments, forward_watch resolution, currency scoring"
|
|
49
|
+
},
|
|
50
|
+
{
|
|
51
|
+
"date": "2026-05-22",
|
|
52
|
+
"type": "skill_review",
|
|
53
|
+
"artifact": "mlops-security",
|
|
54
|
+
"path": "skills/mlops-security/skill.md",
|
|
55
|
+
"note": "MLOps pipeline security for mid-2026 — training data integrity, model registry signing, deployment pipeline provenance, inference serving hardening, drift detection, feedback loop integrity; covers MLflow / Kubeflow / Vertex AI / SageMaker / Azure ML / Hugging Face"
|
|
56
|
+
},
|
|
57
|
+
{
|
|
58
|
+
"date": "2026-05-22",
|
|
59
|
+
"type": "skill_review",
|
|
60
|
+
"artifact": "incident-response-playbook",
|
|
61
|
+
"path": "skills/incident-response-playbook/skill.md",
|
|
62
|
+
"note": "Incident response playbook design for mid-2026 — NIST 800-61r3, ISO 27035, ATT&CK-driven detection, PICERL phases, AI-class incident handling (prompt injection breach, model exfiltration, AI-API C2), cross-jurisdiction breach notification timing"
|
|
63
|
+
},
|
|
64
|
+
{
|
|
65
|
+
"date": "2026-05-22",
|
|
66
|
+
"type": "skill_review",
|
|
67
|
+
"artifact": "ransomware-response",
|
|
68
|
+
"path": "skills/ransomware-response/skill.md",
|
|
69
|
+
"note": "Ransomware-specific incident response — OFAC SDN sanctions screening as payment-posture blocker, EU Reg 2014/833 + UK OFSI + AU DFAT + JP MOF cross-jurisdiction sanctions lookups, decryptor availability via No More Ransom + vendor-specific catalogs, cyber-insurance carrier 24h notification, negotiator-engagement legal posture, immutable-backup viability test, PHI exfil-before-encrypt as distinct breach class, parallel jurisdiction clocks"
|
|
70
|
+
},
|
|
8
71
|
{
|
|
9
72
|
"date": "2026-05-19",
|
|
10
73
|
"type": "catalog_update",
|
|
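Review bot: The nine `skill_review` events added here all carry `"date": "2026-05-22"` but repeat, word for word, the `note` text of events dated 2026-05-01 and 2026-05-11 that later hunks in this file remove, and the unchanged `"event_count": 54` confirms this is a one-for-one replacement rather than an append. If the feed is meant to be a review history, the earlier events should be retained alongside the new dates; if it is a last-review snapshot derived from each skill's `last_threat_review`, say so in the file's `_meta` so the drop is not mistaken for lost history. Note also that this hunk (`@@ -5,6 +5,69 @@`) appears without a file header in this rendering; from the `events` array and the file list it belongs to `package/data/_indexes/activity-feed.json`.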
@@ -45,6 +108,41 @@
|
|
|
45
108
|
"schema_version": "1.0.0",
|
|
46
109
|
"entry_count": 7476
|
|
47
110
|
},
|
|
111
|
+
{
|
|
112
|
+
"date": "2026-05-18",
|
|
113
|
+
"type": "skill_review",
|
|
114
|
+
"artifact": "exploit-scoring",
|
|
115
|
+
"path": "skills/exploit-scoring/skill.md",
|
|
116
|
+
"note": "Real-World Exploit Priority (RWEP) scoring — CVSS plus KEV, PoC, AI-acceleration, blast radius, live-patch factors"
|
|
117
|
+
},
|
|
118
|
+
{
|
|
119
|
+
"date": "2026-05-18",
|
|
120
|
+
"type": "skill_review",
|
|
121
|
+
"artifact": "threat-model-currency",
|
|
122
|
+
"path": "skills/threat-model-currency/skill.md",
|
|
123
|
+
"note": "Score how current an org's threat model is against 2026 reality — 14-item checklist, currency percentage, prioritized update roadmap"
|
|
124
|
+
},
|
|
125
|
+
{
|
|
126
|
+
"date": "2026-05-18",
|
|
127
|
+
"type": "skill_review",
|
|
128
|
+
"artifact": "zeroday-gap-learn",
|
|
129
|
+
"path": "skills/zeroday-gap-learn/skill.md",
|
|
130
|
+
"note": "Run the zero-day learning loop — CVE to attack vector to control gap to framework gap to new control requirement"
|
|
131
|
+
},
|
|
132
|
+
{
|
|
133
|
+
"date": "2026-05-18",
|
|
134
|
+
"type": "skill_review",
|
|
135
|
+
"artifact": "api-security",
|
|
136
|
+
"path": "skills/api-security/skill.md",
|
|
137
|
+
"note": "API security for mid-2026 — OWASP API Top 10 2023, AI-API specific (rate limits, prompt-shape egress, MCP HTTP transport), GraphQL + gRPC + REST + WebSocket attack surfaces, API gateway posture, BOLA/BFLA/SSRF/Mass Assignment"
|
|
138
|
+
},
|
|
139
|
+
{
|
|
140
|
+
"date": "2026-05-18",
|
|
141
|
+
"type": "skill_review",
|
|
142
|
+
"artifact": "email-security-anti-phishing",
|
|
143
|
+
"path": "skills/email-security-anti-phishing/skill.md",
|
|
144
|
+
"note": "Email security + anti-phishing for mid-2026 — SPF/DKIM/DMARC/BIMI/ARC/MTA-STS/TLSRPT, AI-augmented phishing (vishing, deepfake video, hyperpersonalized email), Business Email Compromise, secure email gateways"
|
|
145
|
+
},
|
|
48
146
|
{
|
|
49
147
|
"date": "2026-05-18",
|
|
50
148
|
"type": "catalog_update",
|
|
@@ -69,6 +167,62 @@
|
|
|
69
167
|
"schema_version": "1.1.0",
|
|
70
168
|
"entry_count": 312
|
|
71
169
|
},
|
|
170
|
+
{
|
|
171
|
+
"date": "2026-05-17",
|
|
172
|
+
"type": "skill_review",
|
|
173
|
+
"artifact": "ai-attack-surface",
|
|
174
|
+
"path": "skills/ai-attack-surface/skill.md",
|
|
175
|
+
"note": "Comprehensive AI/ML attack surface assessment mapped to MITRE ATLAS v5.6.0 with gap flags"
|
|
176
|
+
},
|
|
177
|
+
{
|
|
178
|
+
"date": "2026-05-17",
|
|
179
|
+
"type": "skill_review",
|
|
180
|
+
"artifact": "mcp-agent-trust",
|
|
181
|
+
"path": "skills/mcp-agent-trust/skill.md",
|
|
182
|
+
"note": "Enumerate MCP trust boundary failures — tool allowlisting, signed manifests, bearer auth, zero-interaction RCE"
|
|
183
|
+
},
|
|
184
|
+
{
|
|
185
|
+
"date": "2026-05-17",
|
|
186
|
+
"type": "skill_review",
|
|
187
|
+
"artifact": "ai-c2-detection",
|
|
188
|
+
"path": "skills/ai-c2-detection/skill.md",
|
|
189
|
+
"note": "Detect adversary use of AI APIs as covert C2 — SesameOp pattern, PROMPTFLUX/PROMPTSTEAL behavioral signatures"
|
|
190
|
+
},
|
|
191
|
+
{
|
|
192
|
+
"date": "2026-05-15",
|
|
193
|
+
"type": "skill_review",
|
|
194
|
+
"artifact": "kernel-lpe-triage",
|
|
195
|
+
"path": "skills/kernel-lpe-triage/skill.md",
|
|
196
|
+
"note": "Assess Linux kernel LPE exposure — Copy Fail, Dirty Frag, live-patch vs. reboot remediation"
|
|
197
|
+
},
|
|
198
|
+
{
|
|
199
|
+
"date": "2026-05-15",
|
|
200
|
+
"type": "skill_review",
|
|
201
|
+
"artifact": "dlp-gap-analysis",
|
|
202
|
+
"path": "skills/dlp-gap-analysis/skill.md",
|
|
203
|
+
"note": "DLP gap analysis for mid-2026 — legacy DLP misses LLM prompts, MCP tool args, RAG retrievals, embedding-store exfil, and code-completion telemetry. Audit channels, classifiers, protected surfaces, enforcement actions, and evidence trails against modern threat reality and cross-jurisdictional privacy regimes"
|
|
204
|
+
},
|
|
205
|
+
{
|
|
206
|
+
"date": "2026-05-15",
|
|
207
|
+
"type": "skill_review",
|
|
208
|
+
"artifact": "supply-chain-integrity",
|
|
209
|
+
"path": "skills/supply-chain-integrity/skill.md",
|
|
210
|
+
"note": "Supply-chain integrity for mid-2026 — SLSA L3+, in-toto attestations, Sigstore signing, SBOM (CycloneDX/SPDX), VEX via CSAF 2.0, AI-generated code provenance, model weights as supply-chain artifacts"
|
|
211
|
+
},
|
|
212
|
+
{
|
|
213
|
+
"date": "2026-05-15",
|
|
214
|
+
"type": "skill_review",
|
|
215
|
+
"artifact": "ai-risk-management",
|
|
216
|
+
"path": "skills/ai-risk-management/skill.md",
|
|
217
|
+
"note": "AI governance and risk management for mid-2026 — ISO/IEC 23894 risk process, ISO/IEC 42001 management system, NIST AI RMF, EU AI Act high-risk obligations, AI impact assessments, AI red-team programs, AI incident lifecycle"
|
|
218
|
+
},
|
|
219
|
+
{
|
|
220
|
+
"date": "2026-05-15",
|
|
221
|
+
"type": "skill_review",
|
|
222
|
+
"artifact": "sector-financial",
|
|
223
|
+
"path": "skills/sector-financial/skill.md",
|
|
224
|
+
"note": "Financial services cybersecurity for mid-2026 — EU DORA TLPT, PSD2 RTS-SCA, SWIFT CSCF v2026, NYDFS 23 NYCRR 500, FFIEC CAT, MAS TRM, APRA CPS 234, IL BoI Directive 361, OSFI B-13; Threat-Led Pen Testing schemes TIBER-EU + CBEST + iCAST"
|
|
225
|
+
},
|
|
72
226
|
{
|
|
73
227
|
"date": "2026-05-15",
|
|
74
228
|
"type": "skill_review",
|
|
@@ -79,9 +233,9 @@
|
|
|
79
233
|
{
|
|
80
234
|
"date": "2026-05-15",
|
|
81
235
|
"type": "skill_review",
|
|
82
|
-
"artifact": "
|
|
83
|
-
"path": "skills/
|
|
84
|
-
"note": "
|
|
236
|
+
"artifact": "container-runtime-security",
|
|
237
|
+
"path": "skills/container-runtime-security/skill.md",
|
|
238
|
+
"note": "Container + Kubernetes runtime security for mid-2026 — CIS K8s Benchmark, NSA/CISA Hardening, Pod Security Standards, Kyverno/Gatekeeper admission, Sigstore policy-controller, eBPF runtime detection (Falco/Tetragon), AI inference workload hardening"
|
|
85
239
|
},
|
|
86
240
|
{
|
|
87
241
|
"date": "2026-05-15",
|
|
@@ -141,20 +295,6 @@
|
|
|
141
295
|
"path": "skills/fuzz-testing-strategy/skill.md",
|
|
142
296
|
"note": "Continuous fuzzing as a security control — coverage-guided fuzz (AFL++/libFuzzer), AI-assisted fuzz, OSS-Fuzz integration, kernel fuzz (syzkaller), AI-API fuzz, integration into CI/CD as compliance evidence"
|
|
143
297
|
},
|
|
144
|
-
{
|
|
145
|
-
"date": "2026-05-11",
|
|
146
|
-
"type": "skill_review",
|
|
147
|
-
"artifact": "dlp-gap-analysis",
|
|
148
|
-
"path": "skills/dlp-gap-analysis/skill.md",
|
|
149
|
-
"note": "DLP gap analysis for mid-2026 — legacy DLP misses LLM prompts, MCP tool args, RAG retrievals, embedding-store exfil, and code-completion telemetry. Audit channels, classifiers, protected surfaces, enforcement actions, and evidence trails against modern threat reality and cross-jurisdictional privacy regimes"
|
|
150
|
-
},
|
|
151
|
-
{
|
|
152
|
-
"date": "2026-05-11",
|
|
153
|
-
"type": "skill_review",
|
|
154
|
-
"artifact": "supply-chain-integrity",
|
|
155
|
-
"path": "skills/supply-chain-integrity/skill.md",
|
|
156
|
-
"note": "Supply-chain integrity for mid-2026 — SLSA L3+, in-toto attestations, Sigstore signing, SBOM (CycloneDX/SPDX), VEX via CSAF 2.0, AI-generated code provenance, model weights as supply-chain artifacts"
|
|
157
|
-
},
|
|
158
298
|
{
|
|
159
299
|
"date": "2026-05-11",
|
|
160
300
|
"type": "skill_review",
|
|
@@ -197,13 +337,6 @@
|
|
|
197
337
|
"path": "skills/webapp-security/skill.md",
|
|
198
338
|
"note": "Web application security for mid-2026 — OWASP Top 10 2025, OWASP ASVS v5, CWE root-cause coverage, AI-generated code weakness drift, server-rendered vs SPA tradeoffs, defense-in-depth across the request lifecycle"
|
|
199
339
|
},
|
|
200
|
-
{
|
|
201
|
-
"date": "2026-05-11",
|
|
202
|
-
"type": "skill_review",
|
|
203
|
-
"artifact": "ai-risk-management",
|
|
204
|
-
"path": "skills/ai-risk-management/skill.md",
|
|
205
|
-
"note": "AI governance and risk management for mid-2026 — ISO/IEC 23894 risk process, ISO/IEC 42001 management system, NIST AI RMF, EU AI Act high-risk obligations, AI impact assessments, AI red-team programs, AI incident lifecycle"
|
|
206
|
-
},
|
|
207
340
|
{
|
|
208
341
|
"date": "2026-05-11",
|
|
209
342
|
"type": "skill_review",
|
|
@@ -211,13 +344,6 @@
|
|
|
211
344
|
"path": "skills/sector-healthcare/skill.md",
|
|
212
345
|
"note": "Healthcare sector cybersecurity for mid-2026 — HIPAA + HITRUST + HL7 FHIR security, medical device cyber (FDA + EU MDR), AI-in-healthcare under EU AI Act + FDA AI/ML SaMD guidance, patient data flows through LLM clinical tools"
|
|
213
346
|
},
|
|
214
|
-
{
|
|
215
|
-
"date": "2026-05-11",
|
|
216
|
-
"type": "skill_review",
|
|
217
|
-
"artifact": "sector-financial",
|
|
218
|
-
"path": "skills/sector-financial/skill.md",
|
|
219
|
-
"note": "Financial services cybersecurity for mid-2026 — EU DORA TLPT, PSD2 RTS-SCA, SWIFT CSCF v2026, NYDFS 23 NYCRR 500, FFIEC CAT, MAS TRM, APRA CPS 234, IL BoI Directive 361, OSFI B-13; Threat-Led Pen Testing schemes TIBER-EU + CBEST + iCAST"
|
|
220
|
-
},
|
|
221
347
|
{
|
|
222
348
|
"date": "2026-05-11",
|
|
223
349
|
"type": "skill_review",
|
|
@@ -232,13 +358,6 @@
|
|
|
232
358
|
"path": "skills/sector-energy/skill.md",
|
|
233
359
|
"note": "Electric power + oil & gas + water/wastewater + renewable-integration cybersecurity for mid-2026 — NERC CIP v6/v7, NIST 800-82r3, TSA Pipeline SD-2021-02C, AWWA cyber, EU NIS2 energy + NCCS-G (cross-border electricity), AU AESCSF + SOCI, ENISA energy sector"
|
|
234
360
|
},
|
|
235
|
-
{
|
|
236
|
-
"date": "2026-05-11",
|
|
237
|
-
"type": "skill_review",
|
|
238
|
-
"artifact": "api-security",
|
|
239
|
-
"path": "skills/api-security/skill.md",
|
|
240
|
-
"note": "API security for mid-2026 — OWASP API Top 10 2023, AI-API specific (rate limits, prompt-shape egress, MCP HTTP transport), GraphQL + gRPC + REST + WebSocket attack surfaces, API gateway posture, BOLA/BFLA/SSRF/Mass Assignment"
|
|
241
|
-
},
|
|
242
361
|
{
|
|
243
362
|
"date": "2026-05-11",
|
|
244
363
|
"type": "skill_review",
|
|
@@ -246,34 +365,6 @@
|
|
|
246
365
|
"path": "skills/cloud-security/skill.md",
|
|
247
366
|
"note": "Cloud security for mid-2026 — CSPM/CWPP/CNAPP posture, CSA CCM v4, AWS/Azure/GCP shared responsibility, cloud workload identity federation, runtime security with eBPF, AI workloads on cloud"
|
|
248
367
|
},
|
|
249
|
-
{
|
|
250
|
-
"date": "2026-05-11",
|
|
251
|
-
"type": "skill_review",
|
|
252
|
-
"artifact": "container-runtime-security",
|
|
253
|
-
"path": "skills/container-runtime-security/skill.md",
|
|
254
|
-
"note": "Container + Kubernetes runtime security for mid-2026 — CIS K8s Benchmark, NSA/CISA Hardening, Pod Security Standards, Kyverno/Gatekeeper admission, Sigstore policy-controller, eBPF runtime detection (Falco/Tetragon), AI inference workload hardening"
|
|
255
|
-
},
|
|
256
|
-
{
|
|
257
|
-
"date": "2026-05-11",
|
|
258
|
-
"type": "skill_review",
|
|
259
|
-
"artifact": "mlops-security",
|
|
260
|
-
"path": "skills/mlops-security/skill.md",
|
|
261
|
-
"note": "MLOps pipeline security for mid-2026 — training data integrity, model registry signing, deployment pipeline provenance, inference serving hardening, drift detection, feedback loop integrity; covers MLflow / Kubeflow / Vertex AI / SageMaker / Azure ML / Hugging Face"
|
|
262
|
-
},
|
|
263
|
-
{
|
|
264
|
-
"date": "2026-05-11",
|
|
265
|
-
"type": "skill_review",
|
|
266
|
-
"artifact": "incident-response-playbook",
|
|
267
|
-
"path": "skills/incident-response-playbook/skill.md",
|
|
268
|
-
"note": "Incident response playbook design for mid-2026 — NIST 800-61r3, ISO 27035, ATT&CK-driven detection, PICERL phases, AI-class incident handling (prompt injection breach, model exfiltration, AI-API C2), cross-jurisdiction breach notification timing"
|
|
269
|
-
},
|
|
270
|
-
{
|
|
271
|
-
"date": "2026-05-11",
|
|
272
|
-
"type": "skill_review",
|
|
273
|
-
"artifact": "email-security-anti-phishing",
|
|
274
|
-
"path": "skills/email-security-anti-phishing/skill.md",
|
|
275
|
-
"note": "Email security + anti-phishing for mid-2026 — SPF/DKIM/DMARC/BIMI/ARC/MTA-STS/TLSRPT, AI-augmented phishing (vishing, deepfake video, hyperpersonalized email), Business Email Compromise, secure email gateways"
|
|
276
|
-
},
|
|
277
368
|
{
|
|
278
369
|
"date": "2026-05-11",
|
|
279
370
|
"type": "skill_review",
|
|
@@ -289,76 +380,6 @@
|
|
|
289
380
|
"schema_version": "1.0.0",
|
|
290
381
|
"entry_count": 22
|
|
291
382
|
},
|
|
292
|
-
{
|
|
293
|
-
"date": "2026-05-01",
|
|
294
|
-
"type": "skill_review",
|
|
295
|
-
"artifact": "kernel-lpe-triage",
|
|
296
|
-
"path": "skills/kernel-lpe-triage/skill.md",
|
|
297
|
-
"note": "Assess Linux kernel LPE exposure — Copy Fail, Dirty Frag, live-patch vs. reboot remediation"
|
|
298
|
-
},
|
|
299
|
-
{
|
|
300
|
-
"date": "2026-05-01",
|
|
301
|
-
"type": "skill_review",
|
|
302
|
-
"artifact": "ai-attack-surface",
|
|
303
|
-
"path": "skills/ai-attack-surface/skill.md",
|
|
304
|
-
"note": "Comprehensive AI/ML attack surface assessment mapped to MITRE ATLAS v5.6.0 with gap flags"
|
|
305
|
-
},
|
|
306
|
-
{
|
|
307
|
-
"date": "2026-05-01",
|
|
308
|
-
"type": "skill_review",
|
|
309
|
-
"artifact": "mcp-agent-trust",
|
|
310
|
-
"path": "skills/mcp-agent-trust/skill.md",
|
|
311
|
-
"note": "Enumerate MCP trust boundary failures — tool allowlisting, signed manifests, bearer auth, zero-interaction RCE"
|
|
312
|
-
},
|
|
313
|
-
{
|
|
314
|
-
"date": "2026-05-01",
|
|
315
|
-
"type": "skill_review",
|
|
316
|
-
"artifact": "framework-gap-analysis",
|
|
317
|
-
"path": "skills/framework-gap-analysis/skill.md",
|
|
318
|
-
"note": "Feed a framework control ID and threat scenario — receive the gap between what the control covers and what current TTPs require"
|
|
319
|
-
},
|
|
320
|
-
{
|
|
321
|
-
"date": "2026-05-01",
|
|
322
|
-
"type": "skill_review",
|
|
323
|
-
"artifact": "compliance-theater",
|
|
324
|
-
"path": "skills/compliance-theater/skill.md",
|
|
325
|
-
"note": "Detect where an organization passes an audit but remains exposed — seven documented compliance theater patterns"
|
|
326
|
-
},
|
|
327
|
-
{
|
|
328
|
-
"date": "2026-05-01",
|
|
329
|
-
"type": "skill_review",
|
|
330
|
-
"artifact": "exploit-scoring",
|
|
331
|
-
"path": "skills/exploit-scoring/skill.md",
|
|
332
|
-
"note": "Real-World Exploit Priority (RWEP) scoring — CVSS plus KEV, PoC, AI-acceleration, blast radius, live-patch factors"
|
|
333
|
-
},
|
|
334
|
-
{
|
|
335
|
-
"date": "2026-05-01",
|
|
336
|
-
"type": "skill_review",
|
|
337
|
-
"artifact": "rag-pipeline-security",
|
|
338
|
-
"path": "skills/rag-pipeline-security/skill.md",
|
|
339
|
-
"note": "RAG-specific threat model — embedding manipulation, vector store poisoning, retrieval filter bypass, indirect prompt injection"
|
|
340
|
-
},
|
|
341
|
-
{
|
|
342
|
-
"date": "2026-05-01",
|
|
343
|
-
"type": "skill_review",
|
|
344
|
-
"artifact": "ai-c2-detection",
|
|
345
|
-
"path": "skills/ai-c2-detection/skill.md",
|
|
346
|
-
"note": "Detect adversary use of AI APIs as covert C2 — SesameOp pattern, PROMPTFLUX/PROMPTSTEAL behavioral signatures"
|
|
347
|
-
},
|
|
348
|
-
{
|
|
349
|
-
"date": "2026-05-01",
|
|
350
|
-
"type": "skill_review",
|
|
351
|
-
"artifact": "policy-exception-gen",
|
|
352
|
-
"path": "skills/policy-exception-gen/skill.md",
|
|
353
|
-
"note": "Generate defensible policy exceptions for architectural realities — ephemeral infra, AI pipelines, ZTA, no-reboot patching"
|
|
354
|
-
},
|
|
355
|
-
{
|
|
356
|
-
"date": "2026-05-01",
|
|
357
|
-
"type": "skill_review",
|
|
358
|
-
"artifact": "threat-model-currency",
|
|
359
|
-
"path": "skills/threat-model-currency/skill.md",
|
|
360
|
-
"note": "Score how current an org's threat model is against 2026 reality — 14-item checklist, currency percentage, prioritized update roadmap"
|
|
361
|
-
},
|
|
362
383
|
{
|
|
363
384
|
"date": "2026-05-01",
|
|
364
385
|
"type": "skill_review",
|
|
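Review bot: The unchanged context line `"entry_count": 22` (old 290 / new 381) sits directly above an array from which this hunk deletes ten `skill_review` records (`kernel-lpe-triage` through `threat-model-currency`, old lines 292-361), and nothing in the hunk updates it. If that count describes the array being edited it is now stale and should be regenerated by the build rather than hand-maintained; if it belongs to the preceding catalog object, a reviewer cannot tell from this context, so consider separating the catalog descriptor from the review feed or adding a comment-free structural cue (a distinct key name) so the scope of `entry_count` is unambiguous. Either way, a JSON parse plus a count assertion in CI would catch this class of drift.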
@@ -366,27 +387,6 @@
|
|
|
366
387
|
"path": "skills/global-grc/skill.md",
|
|
367
388
|
"note": "Multi-jurisdiction GRC mapping — EU (GDPR/NIS2/DORA/EU AI Act/CRA), UK, AU, SG, JP, IN, CA, ISO 27001:2022, CSA CCM v4"
|
|
368
389
|
},
|
|
369
|
-
{
|
|
370
|
-
"date": "2026-05-01",
|
|
371
|
-
"type": "skill_review",
|
|
372
|
-
"artifact": "zeroday-gap-learn",
|
|
373
|
-
"path": "skills/zeroday-gap-learn/skill.md",
|
|
374
|
-
"note": "Run the zero-day learning loop — CVE to attack vector to control gap to framework gap to new control requirement"
|
|
375
|
-
},
|
|
376
|
-
{
|
|
377
|
-
"date": "2026-05-01",
|
|
378
|
-
"type": "skill_review",
|
|
379
|
-
"artifact": "pqc-first",
|
|
380
|
-
"path": "skills/pqc-first/skill.md",
|
|
381
|
-
"note": "Post-quantum cryptography first mentality — hard version gates (OpenSSL 3.5+), algorithm sunset tracking, HNDL assessment, loopback learning for NIST/IETF evolution"
|
|
382
|
-
},
|
|
383
|
-
{
|
|
384
|
-
"date": "2026-05-01",
|
|
385
|
-
"type": "skill_review",
|
|
386
|
-
"artifact": "skill-update-loop",
|
|
387
|
-
"path": "skills/skill-update-loop/skill.md",
|
|
388
|
-
"note": "Meta-skill for keeping all exceptd skills current — CISA KEV triggers, ATLAS version updates, framework amendments, forward_watch resolution, currency scoring"
|
|
389
|
-
},
|
|
390
390
|
{
|
|
391
391
|
"date": "2026-05-01",
|
|
392
392
|
"type": "skill_review",
|
|
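Review bot: This hunk removes the 2026-05-01 review records for `zeroday-gap-learn`, `pqc-first` and `skill-update-loop` (old lines 369-389) and, unlike the earlier hunk, the old-to-new offset returns to zero at line 390, so the net effect across the file is that exactly as many lines were added above as were removed here. The `skill-update-loop` note describes currency scoring driven by review dates, so if these three records are not present elsewhere in the new version, the currency data for those skills silently loses its last review date; please verify the relocated entries exist and that the `pqc-first` note still carries the `OpenSSL 3.5+` version gate it states here.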
@@ -95,7 +95,7 @@
|
|
|
95
95
|
},
|
|
96
96
|
"d3fend-catalog.json": {
|
|
97
97
|
"path": "data/d3fend-catalog.json",
|
|
98
|
-
"purpose": "MITRE D3FEND countermeasures (D3-xxx) keyed by id, with tactic + name. Pinned to D3FEND v1.
|
|
98
|
+
"purpose": "MITRE D3FEND countermeasures (D3-xxx) keyed by id, with tactic + name. Pinned to D3FEND v1.3.0 release.",
|
|
99
99
|
"schema_version": "1.0.0",
|
|
100
100
|
"last_updated": "2026-05-19",
|
|
101
101
|
"tlp": "CLEAR",
|
|
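Review bot: The old `purpose` value for `d3fend-catalog.json` (old line 98) ends at `Pinned to D3FEND v1.` with no closing quote or comma, so either the previous file was malformed or the diff viewer truncates long strings; the new line completes it as `Pinned to D3FEND v1.3.0 release.`. Please confirm the new file parses as JSON and that `v1.3.0` matches the version pinned inside `data/d3fend-catalog.json` itself, since this descriptor is the only place a consumer sees the pin without opening the catalog. Note also that `last_updated` (line 100) stays at `2026-05-19`; that is fine if the field tracks catalog content rather than the descriptor text, but worth stating in the schema.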
@@ -183,7 +183,7 @@
|
|
|
183
183
|
},
|
|
184
184
|
"global-frameworks.json": {
|
|
185
185
|
"path": "data/global-frameworks.json",
|
|
186
|
-
"purpose": "Multi-jurisdiction framework registry:
|
|
186
|
+
"purpose": "Multi-jurisdiction framework registry: per-jurisdiction applicable frameworks × patch_sla / notification_sla / critical_controls / framework_gaps (jurisdiction count is reported by entry_count, not duplicated here). Cross-cutting authority for jurisdiction-clocks index.",
|
|
187
187
|
"schema_version": "1.3.0",
|
|
188
188
|
"last_updated": "2026-05-15",
|
|
189
189
|
"tlp": "CLEAR",
|
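Review bot: The rewritten `purpose` for `global-frameworks.json` (new line 186) now names four per-jurisdiction fields (`patch_sla`, `notification_sla`, `critical_controls`, `framework_gaps`) and states that the jurisdiction count is reported by `entry_count` rather than duplicated in the description, which removes one source of stale numbers; please confirm those four key names match the actual schema at `schema_version` `1.3.0` (line 187, unchanged), since a description that names fields the schema does not have is worse than the truncated one it replaces. As with the previous hunk, the old line ends without a closing quote, so a JSON validity check on the new file should be part of the release step. The `×` character is legitimate UTF-8 inside a JSON string; just ensure the file is written as UTF-8 without a BOM so strict parsers do not reject it.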