@blamejs/exceptd-skills 0.16.10 → 0.16.12

package/data/_indexes/section-offsets.json

@@ -4297,6 +4297,176 @@
           "h3_count": 0
         }
       ]
+    },
+    "vc-wallet-trust": {
+      "path": "skills/vc-wallet-trust/skill.md",
+      "total_bytes": 7626,
+      "total_lines": 85,
+      "frontmatter": {
+        "line_start": 1,
+        "line_end": 50,
+        "byte_start": 0,
+        "byte_end": 1116
+      },
+      "sections": [
+        {
+          "name": "Threat Context (mid-2026)",
+          "normalized_name": "threat-context",
+          "line": 54,
+          "byte_start": 1174,
+          "byte_end": 2038,
+          "bytes": 864,
+          "h3_count": 0
+        },
+        {
+          "name": "Framework Lag Declaration",
+          "normalized_name": "framework-lag-declaration",
+          "line": 58,
+          "byte_start": 2038,
+          "byte_end": 2824,
+          "bytes": 786,
+          "h3_count": 0
+        },
+        {
+          "name": "TTP Mapping",
+          "normalized_name": "ttp-mapping",
+          "line": 62,
+          "byte_start": 2824,
+          "byte_end": 3664,
+          "bytes": 840,
+          "h3_count": 0
+        },
+        {
+          "name": "Exploit Availability Matrix",
+          "normalized_name": "exploit-availability-matrix",
+          "line": 66,
+          "byte_start": 3664,
+          "byte_end": 4457,
+          "bytes": 793,
+          "h3_count": 0
+        },
+        {
+          "name": "Analysis Procedure",
+          "normalized_name": "analysis-procedure",
+          "line": 70,
+          "byte_start": 4457,
+          "byte_end": 5331,
+          "bytes": 874,
+          "h3_count": 0
+        },
+        {
+          "name": "Output Format",
+          "normalized_name": "output-format",
+          "line": 74,
+          "byte_start": 5331,
+          "byte_end": 6089,
+          "bytes": 758,
+          "h3_count": 0
+        },
+        {
+          "name": "Compliance Theater Check",
+          "normalized_name": "compliance-theater-check",
+          "line": 78,
+          "byte_start": 6089,
+          "byte_end": 6850,
+          "bytes": 761,
+          "h3_count": 0
+        },
+        {
+          "name": "Defensive Countermeasure Mapping",
+          "normalized_name": "defensive-countermeasure-mapping",
+          "line": 82,
+          "byte_start": 6850,
+          "byte_end": 7626,
+          "bytes": 776,
+          "h3_count": 0
+        }
+      ]
+    },
+    "mail-server-hardening": {
+      "path": "skills/mail-server-hardening/skill.md",
+      "total_bytes": 7461,
+      "total_lines": 85,
+      "frontmatter": {
+        "line_start": 1,
+        "line_end": 50,
+        "byte_start": 0,
+        "byte_end": 1156
+      },
+      "sections": [
+        {
+          "name": "Threat Context (mid-2026)",
+          "normalized_name": "threat-context",
+          "line": 54,
+          "byte_start": 1199,
+          "byte_end": 2027,
+          "bytes": 828,
+          "h3_count": 0
+        },
+        {
+          "name": "Framework Lag Declaration",
+          "normalized_name": "framework-lag-declaration",
+          "line": 58,
+          "byte_start": 2027,
+          "byte_end": 2736,
+          "bytes": 709,
+          "h3_count": 0
+        },
+        {
+          "name": "TTP Mapping",
+          "normalized_name": "ttp-mapping",
+          "line": 62,
+          "byte_start": 2736,
+          "byte_end": 3583,
+          "bytes": 847,
+          "h3_count": 0
+        },
+        {
+          "name": "Exploit Availability Matrix",
+          "normalized_name": "exploit-availability-matrix",
+          "line": 66,
+          "byte_start": 3583,
+          "byte_end": 4337,
+          "bytes": 754,
+          "h3_count": 0
+        },
+        {
+          "name": "Analysis Procedure",
+          "normalized_name": "analysis-procedure",
+          "line": 70,
+          "byte_start": 4337,
+          "byte_end": 5143,
+          "bytes": 806,
+          "h3_count": 0
+        },
+        {
+          "name": "Output Format",
+          "normalized_name": "output-format",
+          "line": 74,
+          "byte_start": 5143,
+          "byte_end": 5924,
+          "bytes": 781,
+          "h3_count": 0
+        },
+        {
+          "name": "Compliance Theater Check",
+          "normalized_name": "compliance-theater-check",
+          "line": 78,
+          "byte_start": 5924,
+          "byte_end": 6639,
+          "bytes": 715,
+          "h3_count": 0
+        },
+        {
+          "name": "Defensive Countermeasure Mapping",
+          "normalized_name": "defensive-countermeasure-mapping",
+          "line": 82,
+          "byte_start": 6639,
+          "byte_end": 7461,
+          "bytes": 822,
+          "h3_count": 0
+        }
+      ]
     }
   }
 }

package/data/_indexes/stale-content.json

@@ -3,12 +3,19 @@
     "schema_version": "1.0.0",
     "reference_date": "2026-05-15",
     "note": "Stale-content snapshot derived from audit-cross-skill checks. Re-runs of build-indexes against the same inputs produce byte-identical output (reference_date is manifest.threat_review_date, not 'now'). audit-cross-skill.js remains the canonical interactive audit.",
-    "finding_count": 0,
+    "finding_count": 1,
     "by_severity": {
       "high": 0,
-      "medium": 0,
+      "medium": 1,
       "low": 0
     }
   },
-  "findings": []
+  "findings": [
+    {
+      "severity": "medium",
+      "category": "researcher_claim_drift",
+      "artifact": "skills/researcher/skill.md",
+      "detail": "claims 41 specialized skills downstream; live count is 43"
+    }
+  ]
 }

package/data/_indexes/summary-cards.json

@@ -1983,6 +1983,86 @@
         "sector-financial",
         "sector-telecom"
       ]
+    },
+    "vc-wallet-trust": {
+      "description": "Verifiable-credential / digital-wallet verifier trust for mid-2026 — SD-JWT-VC, OID4VCI/OID4VP, mdoc (ISO 18013-5), DID resolution, OAuth Token Status List revocation, OpenID Federation trust anchors, and the EUDI wallet (eIDAS 2.0) acceptance path",
+      "threat_context_excerpt": "A credential verifier is a trust boundary: every verifiable credential it accepts grants whatever the credential asserts — age, residency, employment, professional licence, payment authority. With the EU Digital Identity Wallet (eIDAS 2.0) rolling out and ISO 18013-5 mobile driving licences in production, verifiers across payments, age-gating, and onboarding now accept SD-JWT-VC, OID4VP, and mdoc presentations from wallets they do not control. The dominant abuse is not breaking the cryptography but exploiting a missing trust check: an issuer key the verifier never pinned to an anchor, a ...",
+      "produces": "Report per accepted credential format, listing each trust check as enforced / missing / inconclusive (visibility gap). For every missing check, state the credential types and downstream entitlements it gates, whether the verifier is internet-facing, and the resulting blast radius. Distinguish a production-reachable gap from a test-only resolver. Provide the prioritised remediation (pin issuer anchors, enforce revocation fail-closed, bind presentations to nonce+audience, verify mdoc device-auth, enforce an algorithm allowlist, filter to requested claims) and the negative validation tests that p ...",
+      "key_xrefs": {
+        "cwe_refs": [
+          "CWE-347",
+          "CWE-290",
+          "CWE-863",
+          "CWE-200",
+          "CWE-672"
+        ],
+        "d3fend_refs": [],
+        "framework_gaps": [
+          "NIST-800-63B-rev4",
+          "NIST-800-53-IA-5-Federated",
+          "ISO-27001-2022-A.5.16-Federated",
+          "NIS2-Art-21-Federated-Identity",
+          "UK-CAF-B2"
+        ],
+        "atlas_refs": [],
+        "attack_refs": [
+          "T1556",
+          "T1606",
+          "T1550"
+        ],
+        "rfc_refs": [],
+        "dlp_refs": []
+      },
+      "trigger_count": 18,
+      "atlas_count": 0,
+      "attack_count": 3,
+      "framework_gap_count": 5,
+      "cwe_count": 5,
+      "d3fend_count": 0,
+      "rfc_count": 0,
+      "last_threat_review": "2026-06-02",
+      "path": "skills/vc-wallet-trust/skill.md",
+      "handoff_targets": []
+    },
+    "mail-server-hardening": {
+      "description": "Inbound mail-server protocol hardening for mid-2026 — SMTP smuggling, STARTTLS command/response injection, IMAP/POP3/ManageSieve command injection, Sieve redirect exfiltration, open relay, mailbox-DAV traversal/XXE, and cleartext-AUTH (the server-side protocol layer that SPF/DKIM/DMARC do not protect)",
+      "threat_context_excerpt": "A mail server that terminates inbound SMTP, IMAP, POP3, JMAP, or ManageSieve exposes a protocol surface that sender-authentication (SPF/DKIM/DMARC) and transport TLS do not protect. SMTP smuggling (CVE-2023-51764/51765/51766) exploits a server that accepts a non-standard end-of-data sequence to deliver a second message that inherits the outer connection's authentication pass — spoofed mail past DMARC. STARTTLS command/response injection (CVE-2021-38371, CVE-2021-33515) executes attacker plaintext buffered before the handshake. An open relay lends the operator's reputation to spammers. ...",
+      "produces": "Report per listener and protocol, marking each hardening check enforced / missing / inconclusive (visibility gap). For every missing check, state the port, whether it is internet-facing, and whether the gap yields spoofing/relay or mailbox-data exposure. Distinguish a live-listener finding from a documented test fixture or an upstream-proxy-enforced control. Provide the prioritised remediation (enforce standard end-of-data, drain the STARTTLS buffer and gate AUTH on TLS, harden the command parsers, restrict relay and cap Sieve redirect, harden mailbox-DAV and add rate limits) and the negative  ...",
+      "key_xrefs": {
+        "cwe_refs": [
+          "CWE-77",
+          "CWE-93",
+          "CWE-22",
+          "CWE-611",
+          "CWE-863",
+          "CWE-400"
+        ],
+        "d3fend_refs": [],
+        "framework_gaps": [
+          "NIST-800-53-SI-2",
+          "ISO-27001-2022-A.8.8",
+          "NIS2-Art21-network-security",
+          "PCI-DSS-4.0-6.3.3"
+        ],
+        "atlas_refs": [],
+        "attack_refs": [
+          "T1190",
+          "T1071.003",
+          "T1557"
+        ],
+        "rfc_refs": [],
+        "dlp_refs": []
+      },
+      "trigger_count": 18,
+      "atlas_count": 0,
+      "attack_count": 3,
+      "framework_gap_count": 4,
+      "cwe_count": 6,
+      "d3fend_count": 0,
+      "rfc_count": 0,
+      "last_threat_review": "2026-06-02",
+      "path": "skills/mail-server-hardening/skill.md",
+      "handoff_targets": []
     }
   }
 }

package/data/_indexes/token-budget.json

@@ -3,9 +3,9 @@
     "schema_version": "1.0.0",
     "tokenizer_note": "Character-density approximation: 1 token ≈ 4 chars. This is the canonical rule-of-thumb for OpenAI tokenizers on English+technical text. Claude's tokenizer is typically more efficient on prose; treat this as an upper-bound budget for both. Consumers with stricter precision needs should re-tokenize with their own tokenizer.",
     "approx_chars_per_token": 4,
-    "total_chars": 1675166,
-    "total_approx_tokens": 418794,
-    "skill_count": 42
+    "total_chars": 1690237,
+    "total_approx_tokens": 422562,
+    "skill_count": 44
   },
   "skills": {
     "kernel-lpe-triage": {
@@ -2502,6 +2502,106 @@
           "approx_tokens": 986
         }
       }
+    },
+    "vc-wallet-trust": {
+      "path": "skills/vc-wallet-trust/skill.md",
+      "bytes": 7626,
+      "chars": 7618,
+      "lines": 85,
+      "approx_tokens": 1905,
+      "approx_chars_per_token": 4,
+      "sections": {
+        "threat-context": {
+          "bytes": 864,
+          "chars": 862,
+          "approx_tokens": 216
+        },
+        "framework-lag-declaration": {
+          "bytes": 786,
+          "chars": 786,
+          "approx_tokens": 197
+        },
+        "ttp-mapping": {
+          "bytes": 840,
+          "chars": 840,
+          "approx_tokens": 210
+        },
+        "exploit-availability-matrix": {
+          "bytes": 793,
+          "chars": 791,
+          "approx_tokens": 198
+        },
+        "analysis-procedure": {
+          "bytes": 874,
+          "chars": 874,
+          "approx_tokens": 219
+        },
+        "output-format": {
+          "bytes": 758,
+          "chars": 758,
+          "approx_tokens": 190
+        },
+        "compliance-theater-check": {
+          "bytes": 761,
+          "chars": 761,
+          "approx_tokens": 190
+        },
+        "defensive-countermeasure-mapping": {
+          "bytes": 776,
+          "chars": 774,
+          "approx_tokens": 194
+        }
+      }
+    },
+    "mail-server-hardening": {
+      "path": "skills/mail-server-hardening/skill.md",
+      "bytes": 7461,
+      "chars": 7453,
+      "lines": 85,
+      "approx_tokens": 1863,
+      "approx_chars_per_token": 4,
+      "sections": {
+        "threat-context": {
+          "bytes": 828,
+          "chars": 826,
+          "approx_tokens": 207
+        },
+        "framework-lag-declaration": {
+          "bytes": 709,
+          "chars": 707,
+          "approx_tokens": 177
+        },
+        "ttp-mapping": {
+          "bytes": 847,
+          "chars": 847,
+          "approx_tokens": 212
+        },
+        "exploit-availability-matrix": {
+          "bytes": 754,
+          "chars": 754,
+          "approx_tokens": 189
+        },
+        "analysis-procedure": {
+          "bytes": 806,
+          "chars": 806,
+          "approx_tokens": 202
+        },
+        "output-format": {
+          "bytes": 781,
+          "chars": 781,
+          "approx_tokens": 195
+        },
+        "compliance-theater-check": {
+          "bytes": 715,
+          "chars": 715,
+          "approx_tokens": 179
+        },
+        "defensive-countermeasure-mapping": {
+          "bytes": 822,
+          "chars": 820,
+          "approx_tokens": 205
+        }
+      }
     }
   }
 }

package/data/_indexes/trigger-table.json

@@ -1626,5 +1626,113 @@
   ],
   "tenant compromise": [
     "idp-incident-response"
+  ],
+  "verifiable credential": [
+    "vc-wallet-trust"
+  ],
+  "digital wallet": [
+    "vc-wallet-trust"
+  ],
+  "sd-jwt-vc": [
+    "vc-wallet-trust"
+  ],
+  "oid4vp": [
+    "vc-wallet-trust"
+  ],
+  "oid4vci": [
+    "vc-wallet-trust"
+  ],
+  "mdoc": [
+    "vc-wallet-trust"
+  ],
+  "mdl": [
+    "vc-wallet-trust"
+  ],
+  "iso 18013-5": [
+    "vc-wallet-trust"
+  ],
+  "eudi wallet": [
+    "vc-wallet-trust"
+  ],
+  "eidas 2.0": [
+    "vc-wallet-trust"
+  ],
+  "did:web": [
+    "vc-wallet-trust"
+  ],
+  "status list": [
+    "vc-wallet-trust"
+  ],
+  "credential revocation": [
+    "vc-wallet-trust"
+  ],
+  "openid federation": [
+    "vc-wallet-trust"
+  ],
+  "trust anchor": [
+    "vc-wallet-trust"
+  ],
+  "credential verifier": [
+    "vc-wallet-trust"
+  ],
+  "presentation exchange": [
+    "vc-wallet-trust"
+  ],
+  "dcql": [
+    "vc-wallet-trust"
+  ],
+  "mail server hardening": [
+    "mail-server-hardening"
+  ],
+  "smtp smuggling": [
+    "mail-server-hardening"
+  ],
+  "starttls injection": [
+    "mail-server-hardening"
+  ],
+  "open relay": [
+    "mail-server-hardening"
+  ],
+  "imap command injection": [
+    "mail-server-hardening"
+  ],
+  "managesieve": [
+    "mail-server-hardening"
+  ],
+  "sieve redirect": [
+    "mail-server-hardening"
+  ],
+  "mailbox dav": [
+    "mail-server-hardening"
+  ],
+  "caldav": [
+    "mail-server-hardening"
+  ],
+  "carddav": [
+    "mail-server-hardening"
+  ],
+  "pop3": [
+    "mail-server-hardening"
+  ],
+  "mx hardening": [
+    "mail-server-hardening"
+  ],
+  "rfc 5321": [
+    "mail-server-hardening"
+  ],
+  "rfc 9051": [
+    "mail-server-hardening"
+  ],
+  "rfc 5804": [
+    "mail-server-hardening"
+  ],
+  "mail protocol": [
+    "mail-server-hardening"
+  ],
+  "inbound mail": [
+    "mail-server-hardening"
+  ],
+  "smtp listener": [
+    "mail-server-hardening"
   ]
 }

package/data/_indexes/xref.json

@@ -13,7 +13,8 @@
       "kernel-lpe-triage"
     ],
     "CWE-672": [
-      "kernel-lpe-triage"
+      "kernel-lpe-triage",
+      "vc-wallet-trust"
     ],
     "CWE-787": [
       "attack-surface-pentest",
@@ -41,6 +42,7 @@
     "CWE-22": [
       "api-security",
       "attack-surface-pentest",
+      "mail-server-hardening",
       "mcp-agent-trust",
       "webapp-security"
     ],
@@ -66,6 +68,7 @@
     ],
     "CWE-77": [
       "api-security",
+      "mail-server-hardening",
       "mcp-agent-trust",
       "webapp-security"
     ],
@@ -133,6 +136,7 @@
       "cloud-security",
       "dlp-gap-analysis",
       "sector-healthcare",
+      "vc-wallet-trust",
       "webapp-security"
     ],
     "CWE-1357": [
@@ -194,7 +198,9 @@
       "cloud-iam-incident",
       "identity-assurance",
       "idp-incident-response",
+      "mail-server-hardening",
       "sector-financial",
+      "vc-wallet-trust",
       "webapp-security"
     ],
     "CWE-1037": [
@@ -207,6 +213,21 @@
     ],
     "CWE-284": [
       "idp-incident-response"
+    ],
+    "CWE-347": [
+      "vc-wallet-trust"
+    ],
+    "CWE-290": [
+      "vc-wallet-trust"
+    ],
+    "CWE-93": [
+      "mail-server-hardening"
+    ],
+    "CWE-611": [
+      "mail-server-hardening"
+    ],
+    "CWE-400": [
+      "mail-server-hardening"
     ]
   },
   "d3fend_refs": {
@@ -329,14 +350,17 @@
   },
   "framework_gaps": {
     "NIST-800-53-SI-2": [
-      "kernel-lpe-triage"
+      "kernel-lpe-triage",
+      "mail-server-hardening"
     ],
     "ISO-27001-2022-A.8.8": [
       "coordinated-vuln-disclosure",
-      "kernel-lpe-triage"
+      "kernel-lpe-triage",
+      "mail-server-hardening"
     ],
     "PCI-DSS-4.0-6.3.3": [
-      "kernel-lpe-triage"
+      "kernel-lpe-triage",
+      "mail-server-hardening"
     ],
     "NIS2-Art21-patch-management": [
       "attack-surface-pentest",
@@ -534,7 +558,8 @@
       "supply-chain-integrity"
     ],
     "NIST-800-63B-rev4": [
-      "identity-assurance"
+      "identity-assurance",
+      "vc-wallet-trust"
     ],
     "PSD2-RTS-SCA": [
       "identity-assurance",
@@ -622,10 +647,12 @@
       "cloud-iam-incident"
     ],
     "NIST-800-53-IA-5-Federated": [
-      "idp-incident-response"
+      "idp-incident-response",
+      "vc-wallet-trust"
     ],
     "ISO-27001-2022-A.5.16-Federated": [
-      "idp-incident-response"
+      "idp-incident-response",
+      "vc-wallet-trust"
     ],
     "SOC2-CC6-OAuth-Consent": [
       "idp-incident-response"
@@ -637,13 +664,20 @@
       "idp-incident-response"
     ],
     "NIS2-Art-21-Federated-Identity": [
-      "idp-incident-response"
+      "idp-incident-response",
+      "vc-wallet-trust"
     ],
     "DORA-Art-19-IdP-4h": [
       "idp-incident-response"
     ],
     "OFAC-Sanctions-Threat-Actor-Negotiation": [
       "idp-incident-response"
+    ],
+    "UK-CAF-B2": [
+      "vc-wallet-trust"
+    ],
+    "NIS2-Art21-network-security": [
+      "mail-server-hardening"
     ]
   },
   "atlas_refs": {
@@ -746,6 +780,7 @@
       "cloud-security",
       "container-runtime-security",
       "fuzz-testing-strategy",
+      "mail-server-hardening",
       "mcp-agent-trust",
       "ot-ics-security",
       "sector-energy",
@@ -822,7 +857,8 @@
     ],
     "T1556": [
       "identity-assurance",
-      "sector-telecom"
+      "sector-telecom",
+      "vc-wallet-trust"
     ],
     "T1110": [
       "identity-assurance"
@@ -890,6 +926,18 @@
     ],
     "T1606.002": [
       "idp-incident-response"
+    ],
+    "T1606": [
+      "vc-wallet-trust"
+    ],
+    "T1550": [
+      "vc-wallet-trust"
+    ],
+    "T1071.003": [
+      "mail-server-hardening"
+    ],
+    "T1557": [
+      "mail-server-hardening"
     ]
   },
   "rfc_refs": {