npm - @blamejs/exceptd-skills - Versions diffs - 0.14.23 → 0.14.25 - Mend

@blamejs/exceptd-skills 0.14.23 → 0.14.25

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/CHANGELOG.md +10 -0
package/data/_indexes/_meta.json +2 -2
package/lib/collectors/crypto-codebase.js +19 -6
package/lib/collectors/secrets.js +25 -2
package/manifest.json +44 -44
package/package.json +1 -1
package/sbom.cdx.json +16 -16

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,15 @@
 # Changelog
+## 0.14.25 — 2026-05-28
+`secrets` collector `ssh-private-key-block` accuracy:
+- The in-source content scan now requires a complete PEM block — header, base64 body, and closing marker — so a bare `BEGIN … PRIVATE KEY` header used as a detection pattern (a redaction or DLP library's regex literal) or a documentation placeholder no longer registers as an embedded key.
+- File classification is now content-aware for the ambiguous `.pem` / `.key` extensions. A certificate chain (`fullchain.pem`) or a public trust anchor (`bimi-trust-anchors.pem`) is conventionally `.pem` but carries no private key; it is treated as a private-key file only when its content actually contains a `PRIVATE KEY` block. Binary keystores (`.p12` / `.pfx`) and conventionally-named SSH keys (`id_rsa`, …) remain classified by name. A `.pem` or `.key` holding a real private key still fires.
+## 0.14.24 — 2026-05-28
+`crypto-codebase` `hardcoded-key-material` now requires a complete PEM block — a `BEGIN … PRIVATE KEY` header, a base64 body, and a closing `END` marker — before it fires. A bare `BEGIN … PRIVATE KEY` marker carrying no key body is a *detection pattern*, not a leak: a redaction or DLP library's regex literal that matches the key header (to redact keys), or a documentation placeholder such as `privateKeyPem: "<elided>"`, no longer registers as embedded key material. An actual pasted private key still fires.
 ## 0.14.23 — 2026-05-27
 `crypto-codebase` collector accuracy:

package/data/_indexes/_meta.json CHANGED Viewed

@@ -1,10 +1,10 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-28T06:42:55.839Z",
+  "generated_at": "2026-05-28T07:52:31.396Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 54,
   "source_hashes": {
-    "manifest.json": "05121fbd70037a8d62a64593344b0b4dd750ca2c6f8dcce238de00cd0b7a513e",
+    "manifest.json": "d094cfdeab1ad2c007241335b75c50a294ab5d560dc5c68dc5e92bc0871d2c56",
     "data/atlas-ttps.json": "d24bc02859d40ccf1615db75cca68c077585904e41e0d8f6de448121e9b1abb0",
     "data/attack-techniques.json": "fa193f0d2d248176a8beddb641e9fe56ba4faa9e15dc253ff876dbf0c5d58a77",
     "data/cve-catalog.json": "03d8071c7ae244ccda7611c3bc66a5581c21e790d158c2948c3001f55aa5aac9",

package/lib/collectors/crypto-codebase.js CHANGED Viewed

@@ -120,12 +120,25 @@ const BCRYPT_BLOCK_GLOBAL_RE = /\b(?:bcrypt\.(?:hash|hashSync|gen_salt|genSalt|g
 // by either end-of-block or whitespace, not a closing paren.
 const BCRYPT_COST_RE = /(?:cost|rounds)\s*[:=]\s*(\d+)|,\s*(\d+)\s*$/;
-// `hardcoded-key-material` is a SECRET-leak signal, so it must match only
-// private-key blocks. Public keys and certificates are published by design
-// (BIMI trust anchors, release-signing public keys, autoupdate pubkeys); a
-// repo that ships them is doing crypto correctly, so matching `BEGIN PUBLIC
-// KEY` / `BEGIN CERTIFICATE` here only inflates RWEP on well-behaved repos.
-const PEM_PRIVATE_RE = /-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----/;
+// `hardcoded-key-material` is a SECRET-leak signal, so it must match only an
+// actual embedded private key — a full PEM block: a `BEGIN ... PRIVATE KEY`
+// header, a base64 body, and a matching `END` marker.
+//
+//   - Public keys and certificates are published by design (BIMI trust
+//     anchors, release-signing public keys, autoupdate pubkeys), so the
+//     header is `PRIVATE KEY` only.
+//   - Requiring the base64 body + `END` marker distinguishes a real pasted
+//     key from a bare marker used as a *detection pattern* (a redaction
+//     library's `/-----BEGIN OPENSSH PRIVATE KEY-----/` regex literal) or a
+//     documentation placeholder (`privateKeyPem: "-----BEGIN PRIVATE KEY-----
+//     ..."`), neither of which carries a body or an `END`.
+//
+// The body class is base64 + whitespace only; `-` is excluded so the run
+// halts at the first `-` of `-----END` — no backtracking, ReDoS-safe. The
+// `-----END` requirement is the primary discriminator (detectors and
+// placeholders have no closing marker); the {20,4000} bound additionally
+// rejects the ~1-char run a bare marker leaves before the next punctuation.
+const PEM_PRIVATE_RE = /-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----[A-Za-z0-9+/=\s]{20,4000}-----END/;
 const TLS_OLD_PROTO_RE = /(?:secureProtocol\s*:\s*['"](?:TLSv1_method|TLSv1_1_method|SSLv23_method|SSLv3_method)['"]|minVersion\s*:\s*['"]TLSv1(?:\.0|\.1)?['"]|ssl_version\s*=\s*ssl\.PROTOCOL_TLSv1(?:_1)?|MinTlsVersion::TLSv1\b)/i;

package/lib/collectors/secrets.js CHANGED Viewed

@@ -73,6 +73,23 @@ const AUTH_CONFIG_FILES = new Set([
 const SSH_PRIVATE_KEY_FILES = new Set(["id_rsa", "id_ed25519", "id_ecdsa", "id_dsa"]);
 const SSH_PRIVATE_KEY_EXTS = new Set([".pem", ".key", ".p12", ".pfx"]);
+// `.pem` / `.key` are ambiguous: a certificate chain (`fullchain.pem`) or a
+// public trust anchor (`bimi-trust-anchors.pem`) is conventionally `.pem` and
+// carries no private key. A name-only classifier flags these as private keys.
+// `.p12` / `.pfx` are binary keystores (private material by nature) and the
+// id_* names are private SSH keys, so only the PEM extensions are content-gated.
+const PEM_PRIVATE_KEY_MARKER = /-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----/;
+const CONTENT_GATED_KEY_EXTS = new Set([".pem", ".key"]);
+function carriesPrivateKey(file) {
+  const ext = path.extname(file.name).toLowerCase();
+  if (!CONTENT_GATED_KEY_EXTS.has(ext)) return true; // .p12/.pfx/id_* → private by nature
+  try {
+    if (fs.statSync(file.full).size > MAX_FILE_BYTES) return true; // too big to scan → conservative
+    return PEM_PRIVATE_KEY_MARKER.test(fs.readFileSync(file.full, "utf8"));
+  } catch {
+    return true; // unreadable → conservative (treat as a key)
+  }
+}
 const IAC_EXTS = new Set([".tf", ".tfvars", ".bicep"]);
 const IAC_EXACT = new Set(["terraform.tfstate", "values.yaml", "secret.yaml"]);
@@ -104,7 +121,13 @@ const INDICATOR_PATTERNS = [
   { id: "slack-bot-or-user-token",    re: /\bxox[abposr]-[A-Za-z0-9-]{10,}\b/g },
   { id: "stripe-secret-key",          re: /\b(?:sk|rk)_(?:live|test)_[A-Za-z0-9]{24,}\b/g },
   { id: "jwt-token-with-secret-context", re: /\beyJ[A-Za-z0-9_-]{10,}\.eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b/g },
-  { id: "ssh-private-key-block",      re: /-----BEGIN (?:RSA |EC |OPENSSH |DSA |ENCRYPTED |)PRIVATE KEY-----/g },
+  // Require a complete PEM block — header, base64 body, closing marker —
+  // so a bare `BEGIN ... PRIVATE KEY` header used as a detection pattern (a
+  // redaction/DLP library's regex literal) or a doc placeholder does not
+  // register as an embedded key. `-` is excluded from the body class so the
+  // run halts at the first `-` of `-----END` (no backtracking, ReDoS-safe).
+  // Private-key *files* (.pem/.key) are detected separately by file presence.
+  { id: "ssh-private-key-block",      re: /-----BEGIN (?:RSA |EC |OPENSSH |DSA |ENCRYPTED |)PRIVATE KEY-----[A-Za-z0-9+/=\s]{20,4000}-----END/g },
   { id: "openai-api-key",             re: /\bsk-(?:proj-|svcacct-|admin-|)[A-Za-z0-9_-]{20,}\b/g },
   { id: "anthropic-api-key",          re: /\bsk-ant-[A-Za-z0-9_-]{20,}\b/g },
 ];
@@ -230,7 +253,7 @@ function collect({ cwd = process.cwd(), env = process.env, args = {} } = {}) {
     const c = classify(f);
     if (c.isEnv) envFiles.push(f);
     if (c.isAuthConfig) authConfigFiles.push(f);
-    if (c.isSshKey) sshPrivateKeys.push(f);
+    if (c.isSshKey && carriesPrivateKey(f)) sshPrivateKeys.push(f);
     if (c.isIac) iacFiles.push(f);
     if (c.isText) textFiles.push(f);
   }

package/manifest.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "exceptd-security",
-  "version": "0.14.23",
+  "version": "0.14.25",
   "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation",
   "homepage": "https://exceptd.com",
   "license": "Apache-2.0",
@@ -53,7 +53,7 @@
       ],
       "last_threat_review": "2026-05-15",
       "signature": "lXhZgoIrrVloO3XaTvo/43AxZn4mwErstd7DR0O/oVhD3AOGODM4HqrageYEou9WKOdMEGP5mJNTjJsXdP5NDA==",
-      "signed_at": "2026-05-28T06:39:14.382Z",
+      "signed_at": "2026-05-28T07:49:01.010Z",
       "cwe_refs": [
         "CWE-125",
         "CWE-362",
@@ -123,7 +123,7 @@
       ],
       "last_threat_review": "2026-05-17",
       "signature": "ztSKk/zFMFbT12qRcEeBKpydBn7fTT86KxMmor0DTCoKQWk5fJ0fSInfP1XMSB6rFk4/SuSjKVxQRMKVJ5a+Cg==",
-      "signed_at": "2026-05-28T06:39:14.384Z",
+      "signed_at": "2026-05-28T07:49:01.012Z",
       "cwe_refs": [
         "CWE-1039",
         "CWE-1426",
@@ -196,7 +196,7 @@
       ],
       "last_threat_review": "2026-05-17",
       "signature": "K6QdPHNK5c4K5QFjrW0QsUhjp71D7SOisSoulwPNSvKRdi2rY+yg0kdckijBMkLMsVPyUvcC9giu93mKJ1OZDg==",
-      "signed_at": "2026-05-28T06:39:14.384Z",
+      "signed_at": "2026-05-28T07:49:01.012Z",
       "cwe_refs": [
         "CWE-22",
         "CWE-345",
@@ -248,7 +248,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-22",
       "signature": "zbr8CbOe2rIPuxj2bCl8mVc3YgLsRHnx3/UU7MmyMLNg4c13q6LEBglC1A7cjhfblfHsX/1rxNLaukDzc65lAw==",
-      "signed_at": "2026-05-28T06:39:14.385Z"
+      "signed_at": "2026-05-28T07:49:01.013Z"
     },
     {
       "name": "compliance-theater",
@@ -279,7 +279,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "F2Shxae0ua0gPtvwzTRVzzHaIgJcFDRT3/akLUAZ4aaMQhkleKkcTaTpkjp+pTVEdPfLeLGNCeAOMs+whVYOBg==",
-      "signed_at": "2026-05-28T06:39:14.385Z"
+      "signed_at": "2026-05-28T07:49:01.013Z"
     },
     {
       "name": "exploit-scoring",
@@ -308,7 +308,7 @@
       ],
       "last_threat_review": "2026-05-18",
       "signature": "NA1hoQycvQhSUoG5rwlXX0mOVmGxoXRVezkELGEA2nZOdGis4gXkHT3O6Sfw7zxE4JuMrsCb65TEeOWk9WEPDg==",
-      "signed_at": "2026-05-28T06:39:14.386Z"
+      "signed_at": "2026-05-28T07:49:01.014Z"
     },
     {
       "name": "rag-pipeline-security",
@@ -345,7 +345,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "W3pS8lnaCP96TQzsJpG5d5yv5IwgaQyS4Z2Ctcz5BOJf6LbajSIgeDgTZ4f4Bhr5m4E7KsgWGjZS4x7Fwd33BQ==",
-      "signed_at": "2026-05-28T06:39:14.386Z",
+      "signed_at": "2026-05-28T07:49:01.014Z",
       "cwe_refs": [
         "CWE-1395",
         "CWE-1426"
@@ -405,7 +405,7 @@
       ],
       "last_threat_review": "2026-05-17",
       "signature": "/WDGygh1Ck4yWlBWDGtEUVCqKB8d+UaJXoAoBXujtt+GAl8JbMNpaN1TvI0WkEltQ9dTxaAzSn20/eVDqv8iDQ==",
-      "signed_at": "2026-05-28T06:39:14.386Z",
+      "signed_at": "2026-05-28T07:49:01.014Z",
       "d3fend_refs": [
         "D3-CA",
         "D3-CSPP",
@@ -440,7 +440,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-22",
       "signature": "za1NKBpy9LC91F/ESO/qhUfmvVr8GNItQOjR5OJLeHm+2dQ9HHiFWQK2eo53V/n/0uhubuggURA3yS6kJuWwBg==",
-      "signed_at": "2026-05-28T06:39:14.387Z",
+      "signed_at": "2026-05-28T07:49:01.015Z",
       "cwe_refs": [
         "CWE-1188"
       ],
@@ -474,7 +474,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-18",
       "signature": "1853tUUOO35GCXP4vn4qYdBDCdGJu2/WXCNOShhEt69G6BUoq9C3gYGjKWwEPxRKjwjyMtb2nmsL2BZFHRIADw==",
-      "signed_at": "2026-05-28T06:39:14.387Z",
+      "signed_at": "2026-05-28T07:49:01.015Z",
       "forward_watch": [
         "New AI attack classes as ATLAS v6 publishes",
         "Post-quantum adversary capability timeline",
@@ -513,7 +513,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "ZoFh0msOLToS9Xntp9e6zAcg8mE5TOsm7Tq9EYybKL7midjQ5z+aue1Uhp4+xjMRRqVtj8F2W0PvIBTYkYlyAg==",
-      "signed_at": "2026-05-28T06:39:14.387Z"
+      "signed_at": "2026-05-28T07:49:01.015Z"
     },
     {
       "name": "zeroday-gap-learn",
@@ -540,7 +540,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-18",
       "signature": "igRqYyU1unRFH40BsPyAR62SPrk8QZv8dPGb8S9O9EvLCNOZAzm3t+HdT/NKqzWHwrpomOzkkkyLfYI/0qTUDA==",
-      "signed_at": "2026-05-28T06:39:14.388Z",
+      "signed_at": "2026-05-28T07:49:01.016Z",
       "forward_watch": [
         "New CISA KEV entries",
         "New ATLAS TTP additions in each ATLAS release",
@@ -604,7 +604,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "XJFnPtu9tG23qlHGUJulQ0/Vu/p41qFrQng0fE3+GpCPD35+oipdlDXvf9zFo6A6i4OVj601qNuXKh9/kfcHDw==",
-      "signed_at": "2026-05-28T06:39:14.388Z",
+      "signed_at": "2026-05-28T07:49:01.016Z",
       "cwe_refs": [
         "CWE-327"
       ],
@@ -652,7 +652,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "QuOVaQ4E2Sl39TClbhZ7HA9XrYAyRrDL44HY3RTE7aWLue0hV2cxaBt40ALGmHS++631QGFDlZTLZI77Tr6nAA==",
-      "signed_at": "2026-05-28T06:39:14.388Z"
+      "signed_at": "2026-05-28T07:49:01.016Z"
     },
     {
       "name": "security-maturity-tiers",
@@ -689,7 +689,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "8Px1s2lDj10/Q6erwEQlXgUHM1+OTruUR8qAHPX7Oo3k/l69N6P9sm0PsafS9wDFtj9l5C/OiLiFgzMlMt6vBw==",
-      "signed_at": "2026-05-28T06:39:14.389Z",
+      "signed_at": "2026-05-28T07:49:01.017Z",
       "cwe_refs": [
         "CWE-1188"
       ]
@@ -724,7 +724,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-11",
       "signature": "urRcataVWg6/utyEkSiOWoNxTL8sABRjPR7ShyDfZGnAozFph/yDktSoaPVxQDXwu9EfJE+qhUW5OYR/yJECBQ==",
-      "signed_at": "2026-05-28T06:39:14.389Z"
+      "signed_at": "2026-05-28T07:49:01.017Z"
     },
     {
       "name": "attack-surface-pentest",
@@ -796,7 +796,7 @@
         "Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — Microsoft Edge 4-bug sandbox escape by Orange Tsai (DEVCORE); forward-watch only (browser sandbox, out of current playbook scope); track Microsoft Edge security advisory and KEV add"
       ],
       "signature": "C7lv65/Ecm8JJgSKxrX5lxx0YFzKWtrIQSKp+vy50I5e8945s1JmifGUUrnQwRQhq/Pkv7EmfiH5XSO8h75bDg==",
-      "signed_at": "2026-05-28T06:39:14.389Z"
+      "signed_at": "2026-05-28T07:49:01.017Z"
     },
     {
       "name": "fuzz-testing-strategy",
@@ -856,7 +856,7 @@
         "OSS-Fuzz-Gen / AI-assisted harness generation becoming the default expectation for OSS maintainers"
       ],
       "signature": "Z7ypCUnXx8JpLtgxxB6RHNi39w74AmrGY1N4ofAGCXhkuM2EaFVm1AU0dvl9UQ1bVLfHKEDGqMO/TwlIY7RABg==",
-      "signed_at": "2026-05-28T06:39:14.390Z"
+      "signed_at": "2026-05-28T07:49:01.018Z"
     },
     {
       "name": "dlp-gap-analysis",
@@ -931,7 +931,7 @@
         "Quebec Law 25, India DPDPA, KSA PDPL enforcement actions naming AI-tool prompt data as in-scope personal information"
       ],
       "signature": "IgEnpHOhCftAyfUNdKsjbrd169T9pJkk/rRM2ZEna+H18y7p5x48+1kME2sJMZjJuyAdQFBJi8PJXZFwLGI+DQ==",
-      "signed_at": "2026-05-28T06:39:14.390Z"
+      "signed_at": "2026-05-28T07:49:01.018Z"
     },
     {
       "name": "supply-chain-integrity",
@@ -1010,7 +1010,7 @@
         "Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — NVIDIA Megatron Bridge path traversal by haehae; AI training-stack file-system trust boundary; track patch and SBOM-attestation impact"
       ],
       "signature": "pcLrM98A3vUSZRjwNAk0aZ9umvOwB41XCLLsCOy/IebB2F/06oIrGUKkMHtHwm4pTVPShMMcKdZQQ3jz30FnCg==",
-      "signed_at": "2026-05-28T06:39:14.390Z"
+      "signed_at": "2026-05-28T07:49:01.018Z"
     },
     {
       "name": "defensive-countermeasure-mapping",
@@ -1067,7 +1067,7 @@
       ],
       "last_threat_review": "2026-05-11",
       "signature": "G5q5elh7Q7eu2xcwTVQJGDTGfvZR0OGQaLSLJPb2wjzCHFF8PWuZfCHZdjjqisiRzRWPyLlzgfHeMJqOdy7cBw==",
-      "signed_at": "2026-05-28T06:39:14.391Z"
+      "signed_at": "2026-05-28T07:49:01.019Z"
     },
     {
       "name": "identity-assurance",
@@ -1134,7 +1134,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "Wv5hGMeHjlaQK1zwicVCA7AvdKgJBgvcjdpGM9Ywahh9tagAKhbkOjybowDQZzu7OZ3bDkbh6pBYc1Sdwr6NAA==",
-      "signed_at": "2026-05-28T06:39:14.391Z"
+      "signed_at": "2026-05-28T07:49:01.019Z"
     },
     {
       "name": "ot-ics-security",
@@ -1190,7 +1190,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "8t5qKHd3yWi57dvG36YQkLN/X9bQWqtEiYjay4IfSmqhJpM/xXPaQVKNGz3wscrO8OLKUZ0OaX7Mj5kzpgBKBQ==",
-      "signed_at": "2026-05-28T06:39:14.391Z"
+      "signed_at": "2026-05-28T07:49:01.019Z"
     },
     {
       "name": "coordinated-vuln-disclosure",
@@ -1242,7 +1242,7 @@
         "NYDFS 23 NYCRR 500 amendments potentially adding explicit CVD program requirements"
       ],
       "signature": "GDGt4UPqBa04PjlpSmpyihGzd3OgfBN7jaAK5tfwp+LRSs3ygKOdbeivUCCHNagTY1hE6hG2Ou40ADfBFuXeAg==",
-      "signed_at": "2026-05-28T06:39:14.392Z"
+      "signed_at": "2026-05-28T07:49:01.020Z"
     },
     {
       "name": "threat-modeling-methodology",
@@ -1292,7 +1292,7 @@
         "PASTA v2 updates incorporating AI/ML application threats"
       ],
       "signature": "t6IgW+ciQMuY5uvLD0HDDB/U1TjZmgAy76bvH0526QcqPMCz27CWX3cdyJ6nxpg3rYrx93xAawu0opw/ZZckCw==",
-      "signed_at": "2026-05-28T06:39:14.392Z"
+      "signed_at": "2026-05-28T07:49:01.020Z"
     },
     {
       "name": "webapp-security",
@@ -1366,7 +1366,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "ux85YI4t2mVHOyt744Yin1HHy+z11JIFygjKfFfQOBBl5QVV3A267jeIy7utix85irMcpZm/T3yx/ooqiK2tBA==",
-      "signed_at": "2026-05-28T06:39:14.392Z",
+      "signed_at": "2026-05-28T07:49:01.020Z",
       "forward_watch": [
         "NGINX Rift CVE-2026-42945 (disclosed 2026-05-13, source depthfirst) — KEV-watch predicted CISA KEV listing by 2026-05-29; AI-assisted discovery angle; track for active-exploitation confirmation and patch advisory affecting front-door web app deployments"
       ]
@@ -1419,7 +1419,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-15",
       "signature": "IIXnkZ5ZNqFwOto5KfytADTLLZLoyXNZACD1ORZ40P1HUAQxe6u2uyXFzzsfuob4Uy06jNkRGr2FFgCphUH1Cw==",
-      "signed_at": "2026-05-28T06:39:14.393Z"
+      "signed_at": "2026-05-28T07:49:01.021Z"
     },
     {
       "name": "sector-healthcare",
@@ -1479,7 +1479,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "AhF9KF8ZBlDteciV+F8IBSmFVYCvQOn44GmD4rZjgLoPxfIv/QE1/vSkK32zyqDKtHWkLSXExbkkPkxA/V6dDw==",
-      "signed_at": "2026-05-28T06:39:14.393Z"
+      "signed_at": "2026-05-28T07:49:01.021Z"
     },
     {
       "name": "sector-financial",
@@ -1560,7 +1560,7 @@
         "TIBER-EU framework v2.0 alignment with DORA TLPT RTS (JC 2024/40); cross-recognition with CBEST and iCAST"
       ],
       "signature": "HQgZvb4ReziEz5rNFr8i/O8/rJEZR+iHRROT7m/D2QUqhrcNISPkYXENsUZlG8xapzy/Ik92ehkseyj4hdmhCQ==",
-      "signed_at": "2026-05-28T06:39:14.393Z"
+      "signed_at": "2026-05-28T07:49:01.022Z"
     },
     {
       "name": "sector-federal-government",
@@ -1629,7 +1629,7 @@
         "Australia PSPF 2024 revision and ISM quarterly updates — track for Essential Eight Maturity Level requirements for federal entities"
       ],
       "signature": "linxmsXZiOYtcs71sSWgGCrvb8xQfmxmtTY5PRvZJ0/8FgJulo0tQtejzexYG775s7XhjAmGsDP238BQTQ8ADA==",
-      "signed_at": "2026-05-28T06:39:14.394Z"
+      "signed_at": "2026-05-28T07:49:01.022Z"
     },
     {
       "name": "sector-energy",
@@ -1694,7 +1694,7 @@
         "ICS-CERT advisory feed (https://www.cisa.gov/news-events/cybersecurity-advisories/ics-advisories) for vendor CVEs in Siemens, Rockwell, Schneider Electric, ABB, GE Vernova, Hitachi Energy, AVEVA / OSIsoft PI"
       ],
       "signature": "JjBfc0ovta560Clk0x3QGRM5osFJDwcvpy3rT7QEGdCIL827jzE8QCow1C8deXq+4JhY2sA/d7/8IsxikdlkCg==",
-      "signed_at": "2026-05-28T06:39:14.394Z"
+      "signed_at": "2026-05-28T07:49:01.023Z"
     },
     {
       "name": "sector-telecom",
@@ -1780,7 +1780,7 @@
         "O-RAN SFG / WG11 security specifications"
       ],
       "signature": "QpfWU8d2FFbo/Kt0Be2jcyDM9JPhKOiwKSi+RWmtPa2SrBVzFNYdC3T23fQXxHDEC2iyApEbXnwk8KN4d6PuBQ==",
-      "signed_at": "2026-05-28T06:39:14.394Z"
+      "signed_at": "2026-05-28T07:49:01.023Z"
     },
     {
       "name": "api-security",
@@ -1849,7 +1849,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-18",
       "signature": "BmCRCestWqr55+fCynEhtAl5NWLT+xLTkpwS0Icp3SaoZOw/ce3Y6TtqjHRSKn4CBJq7YDiLRWxmhO3MStvOAA==",
-      "signed_at": "2026-05-28T06:39:14.395Z",
+      "signed_at": "2026-05-28T07:49:01.023Z",
       "forward_watch": [
         "NGINX Rift CVE-2026-42945 (disclosed 2026-05-13, source depthfirst) — KEV-watch predicted CISA KEV listing by 2026-05-29; track for active-exploitation confirmation and patch advisory affecting API gateway / reverse-proxy deployments",
         "Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — LiteLLM 3-bug SSRF + Code Injection chain by k3vg3n; LLM-proxy API surface; track upstream patch and CVE assignments",
@@ -1935,7 +1935,7 @@
         "CISA KEV additions for cloud-control-plane CVEs (IMDSv1 abuses, federation token mishandling, cross-tenant boundary failures); CISA Cybersecurity Advisories for cross-cloud advisories"
       ],
       "signature": "/DV3pmZwrRySrk1OCbyI+0BQESacjupJfUX3eC2NGtXuYOBro0vndIP+z27heFxumnjU3a9sfla7/U9X+pqnDw==",
-      "signed_at": "2026-05-28T06:39:14.395Z"
+      "signed_at": "2026-05-28T07:49:01.024Z"
     },
     {
       "name": "container-runtime-security",
@@ -1997,7 +1997,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-15",
       "signature": "E2UGSf9ATyYgzBr8uM/0ubOUmDqo1jVA7f9mVxv6LHfWGCNuQNXDyuNou9VAmUCeeXEeUYIi3AFjXkJqpOkxDA==",
-      "signed_at": "2026-05-28T06:39:14.395Z",
+      "signed_at": "2026-05-28T07:49:01.024Z",
       "forward_watch": [
         "Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — NVIDIA Container Toolkit container escape ($50K award) by chompie / IBM X-Force XOR; high-severity container/hypervisor boundary break; track patch and KEV add post-embargo"
       ]
@@ -2071,7 +2071,7 @@
         "MITRE ATLAS v5.6.0 (released May 2026) shipped the AML.T0010 sub-technique expansion this forecast tracked plus new techniques (\"Publish Poisoned AI Agent Tool\", \"Escape to Host\"); inventory now 16 tactics, 84 techniques, 56 sub-techniques. Forward watch: subsequent ATLAS minor and major releases — track next-cadence updates to agentic-AI TTPs and MLOps-pipeline-specific techniques"
       ],
       "signature": "IL+DlRCDJN/p08iiJCFkasKcoyjcB0uWrJ6ORLjQcS1HrUa5Xt62QxVjYPHzaevlm5y36ZdmfESqsZJmzK3lCg==",
-      "signed_at": "2026-05-28T06:39:14.396Z"
+      "signed_at": "2026-05-28T07:49:01.024Z"
     },
     {
       "name": "incident-response-playbook",
@@ -2133,7 +2133,7 @@
         "NYDFS 23 NYCRR 500.17 amendments tightening ransom-payment 24h disclosure operationalization"
       ],
       "signature": "MmjLjlmOMLjhJJ4ZfR8MYlHam+ZB+eSqfh6Nv+DecaG4O5zeo9DBP/iL3cbyDVZxmhnhivgJild2ccYeWTeZAg==",
-      "signed_at": "2026-05-28T06:39:14.396Z"
+      "signed_at": "2026-05-28T07:49:01.025Z"
     },
     {
       "name": "ransomware-response",
@@ -2213,7 +2213,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "ssueL03g9fWlhXpTe+IiY5l7RqQkunN4DTN5QETKE+VOX+qggdjAR8PONxk77ol4xWYmHrM/VcH8CNtXUEvgBA==",
-      "signed_at": "2026-05-28T06:39:14.397Z"
+      "signed_at": "2026-05-28T07:49:01.025Z"
     },
     {
       "name": "email-security-anti-phishing",
@@ -2266,7 +2266,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-18",
       "signature": "oAFeZmci6BN7Xlu0oOThrazZNBQBIWeCQnoZDqjXo9cs1hIe/6ZijSEr3R3hFQSXH3c1KAbhPw+InR9Gc0HIBQ==",
-      "signed_at": "2026-05-28T06:39:14.397Z"
+      "signed_at": "2026-05-28T07:49:01.026Z"
     },
     {
       "name": "age-gates-child-safety",
@@ -2334,7 +2334,7 @@
         "US state adult-site age-verification laws — 19+ states by mid-2026 (TX HB 18 upheld by SCOTUS June 2025 in Free Speech Coalition v. Paxton); track ongoing challenges in remaining states"
       ],
       "signature": "Rgho5TOFUL1txOzcVR0kASCNdovSU4yt99JlGilJlJRyg0A+BdeeQYrZrhPF6Vx2reUAVG0BeHfcZtSbi+cwCg==",
-      "signed_at": "2026-05-28T06:39:14.397Z"
+      "signed_at": "2026-05-28T07:49:01.026Z"
     },
     {
       "name": "cloud-iam-incident",
@@ -2414,7 +2414,7 @@
       ],
       "last_threat_review": "2026-05-15",
       "signature": "e/kij7GtKaytROyIj7V5RH+FC9WtmVFzrmG2kIlNDNn29ep/CRNlIQKwXLpzo/81AIf634pmdr1qy/+vwIuUDA==",
-      "signed_at": "2026-05-28T06:39:14.398Z",
+      "signed_at": "2026-05-28T07:49:01.026Z",
       "forward_watch": [
         "AWS IAM Identity Center session-policy refresh and step-up-on-admin enforcement (anticipated 2026-H2 release)",
         "GCP Workload Identity Federation principal-set attribute mapping tightening (post-2026 Q3 Federation hardening guide)",
@@ -2508,7 +2508,7 @@
       ],
       "last_threat_review": "2026-05-15",
       "signature": "ew9Kglc9fAZzbn0ZIfGP7WSK/j4eV2VhSvpy+s5bEfNEVYIMa2kZjnGBapgUsyGDLes9H9K2ovjQyX17+GKiBw==",
-      "signed_at": "2026-05-28T06:39:14.398Z",
+      "signed_at": "2026-05-28T07:49:01.027Z",
       "forward_watch": [
         "Entra ID conditional access evolution post-Midnight Blizzard — Microsoft's 2025-2026 commitments on legacy-tenant MFA enforcement and OAuth-app consent gating",
         "Okta IPSIE (Interoperability Profile for Secure Identity in the Enterprise) OpenID Foundation working-group output and adoption timeline",
@@ -2526,6 +2526,6 @@
   ],
   "manifest_signature": {
     "algorithm": "Ed25519",
-    "signature_base64": "tbLFtO6OmwPP+RKY4FrAk40nKyk3eAYpXRDIF6+hqreFGDOe3kJcP85clpGBpXH9beSLn2dNFj7ncRLj+pJCAg=="
+    "signature_base64": "+lu9rAdNIa6WaWYwWAUC44Ux4Qcu0qLcdtXwiNMys9xl0FZNia95lJAOVTJN5HAaIY3AxIXXZIDBKgqH8oOtBA=="
   }
 }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/exceptd-skills",
-  "version": "0.14.23",
+  "version": "0.14.25",
   "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 42 skills, 11 catalogs (406 CVEs / 171 CWEs / 805 ATT&CK + ICS / 170 ATLAS / 468 D3FEND / 8888 RFCs), 35 jurisdictions, 10-class catalog gap detector + budget gate, real XML parser + canonical-form diff + content-pattern regression detection, Ed25519-signed.",
   "keywords": [
     "ai-security",

package/sbom.cdx.json CHANGED Viewed

@@ -1,22 +1,22 @@
 {
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:82ac7ebe-fe55-43ba-b4ce-7f98e43018c7",
+  "serialNumber": "urn:uuid:71baaf42-a789-4344-acbb-b65d6bb2996d",
   "version": 1,
   "metadata": {
-    "timestamp": "2095-06-22T08:05:18.000Z",
+    "timestamp": "2086-06-19T00:39:30.000Z",
     "tools": [
       {
         "vendor": "blamejs",
         "name": "scripts/refresh-sbom.js",
-        "version": "0.14.23"
+        "version": "0.14.25"
       }
     ],
     "component": {
-      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.14.23",
+      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.14.25",
       "type": "application",
       "name": "@blamejs/exceptd-skills",
-      "version": "0.14.23",
+      "version": "0.14.25",
       "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 42 skills, 11 catalogs (406 CVEs / 171 CWEs / 805 ATT&CK + ICS / 170 ATLAS / 468 D3FEND / 8888 RFCs), 35 jurisdictions, 10-class catalog gap detector + budget gate, real XML parser + canonical-form diff + content-pattern regression detection, Ed25519-signed.",
       "licenses": [
         {
@@ -25,17 +25,17 @@
           }
         }
       ],
-      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.14.23",
+      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.14.25",
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "dcd2dc3508aa70b410a878f95f43c1025a784b40a02486e87d573c48b00e8a86"
+          "content": "e5f9fa917d4b1b8291bdfc94d6daf7852fdb673c43d13153e17c63f673e73fea"
         }
       ],
       "externalReferences": [
         {
           "type": "distribution",
-          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.14.23"
+          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.14.25"
         },
         {
           "type": "vcs",
@@ -116,11 +116,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "e0a7f63b094c8915e3c1da67399c686ae7d6437a67e5be88b6b9becae729df6b"
+          "content": "291175668eef3c1a18d782dd7c8ad2da5221c98ad8909c3f196d958260c52cbb"
         },
         {
           "alg": "SHA3-512",
-          "content": "5ff5ae0bade1d6ad68c2188ab700ca1ba8f4ee4b759d964a6cb630407075cb9b6c58ea26d98fc681dc2c5f44de6a1f5e63b4ee52ddce606361fea0b113fd3297"
+          "content": "506eb20abb3a9a7ea751ec9faf3f62e499112e2435c80a81ca82fc3c3436cc8a5e950736b733d968ca6f30ab091c00f66ebbe4ff6dda5cee81e8581b3b54ab1c"
         }
       ]
     },
@@ -986,11 +986,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "03ae837a5143973a4691693d0cca1d668d59d7faff06d5209b354cf1f6f95cbb"
+          "content": "fab85a30545da2a8c11f0f0c237d5542a5a69ed51e8247838d62194a8744be45"
         },
         {
           "alg": "SHA3-512",
-          "content": "ac9efe26a2fa11c88ca5e4271c5035ef45c7f4a9e80191db58b9b2acf76861bb36582c056b09bf7b959d6cdf66af828dbaf15c3bd52d2e541cd5783d78a31a62"
+          "content": "d089026d4d16a36dcd20dd912ac2907d83df4ca3be31ac3d68c27a9e98de4460adb90640e4cc5ce082384fb9933f0d2b3c43b247c8247f6614086e24a6deab1c"
         }
       ]
     },
@@ -1121,11 +1121,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "3fb88752e34869fec0d16bafcff3cff0f8b6391303b708b2a49269243292bd30"
+          "content": "1a9efca30ac6136044868fe427552e4b861ec61a6d3f95c2831b8ca4dbf73e05"
         },
         {
           "alg": "SHA3-512",
-          "content": "ee158088d12cb2f4dc8de6509dbfb113602b18e191ca31350787795b373bce346985649c10ff2a6d7c61b828bca5a2ffa2555403ac682ebeeb946ef3164382ca"
+          "content": "02fd06bcc00b5de4cb08c5a55392a4936c793db466595911c9de38717f18fa11af9cdceb01983dd6e56f287f5ccd8cbffc52ba40b99ff7b6ac81f9a7a8fca81d"
         }
       ]
     },
@@ -1751,11 +1751,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "05121fbd70037a8d62a64593344b0b4dd750ca2c6f8dcce238de00cd0b7a513e"
+          "content": "d094cfdeab1ad2c007241335b75c50a294ab5d560dc5c68dc5e92bc0871d2c56"
         },
         {
           "alg": "SHA3-512",
-          "content": "e221c4e2f2d64bb9c9bc468635f543487d02ce28e59cdd76016028af4902bf515ed98e6789ec9b2f0cbfab35e9041e54f24d69198a25ac8690db0d793bb6fd17"
+          "content": "387c0aca1f0c2045f6ac630b1a8fc4ecdca038359a2103c0f2e32e3a57f8c89de3fad33ba1163231428724c7934c03fece9972405aed3cab4f02dd3e7731e797"
         }
       ]
     },