@blamejs/exceptd-skills 0.16.11 → 0.16.13

package/data/_indexes/section-offsets.json

@@ -4382,6 +4382,176 @@
           "h3_count": 0
         }
       ]
+    },
+    "mail-server-hardening": {
+      "path": "skills/mail-server-hardening/skill.md",
+      "total_bytes": 7461,
+      "total_lines": 85,
+      "frontmatter": {
+        "line_start": 1,
+        "line_end": 50,
+        "byte_start": 0,
+        "byte_end": 1156
+      },
+      "sections": [
+        {
+          "name": "Threat Context (mid-2026)",
+          "normalized_name": "threat-context",
+          "line": 54,
+          "byte_start": 1199,
+          "byte_end": 2027,
+          "bytes": 828,
+          "h3_count": 0
+        },
+        {
+          "name": "Framework Lag Declaration",
+          "normalized_name": "framework-lag-declaration",
+          "line": 58,
+          "byte_start": 2027,
+          "byte_end": 2736,
+          "bytes": 709,
+          "h3_count": 0
+        },
+        {
+          "name": "TTP Mapping",
+          "normalized_name": "ttp-mapping",
+          "line": 62,
+          "byte_start": 2736,
+          "byte_end": 3583,
+          "bytes": 847,
+          "h3_count": 0
+        },
+        {
+          "name": "Exploit Availability Matrix",
+          "normalized_name": "exploit-availability-matrix",
+          "line": 66,
+          "byte_start": 3583,
+          "byte_end": 4337,
+          "bytes": 754,
+          "h3_count": 0
+        },
+        {
+          "name": "Analysis Procedure",
+          "normalized_name": "analysis-procedure",
+          "line": 70,
+          "byte_start": 4337,
+          "byte_end": 5143,
+          "bytes": 806,
+          "h3_count": 0
+        },
+        {
+          "name": "Output Format",
+          "normalized_name": "output-format",
+          "line": 74,
+          "byte_start": 5143,
+          "byte_end": 5924,
+          "bytes": 781,
+          "h3_count": 0
+        },
+        {
+          "name": "Compliance Theater Check",
+          "normalized_name": "compliance-theater-check",
+          "line": 78,
+          "byte_start": 5924,
+          "byte_end": 6639,
+          "bytes": 715,
+          "h3_count": 0
+        },
+        {
+          "name": "Defensive Countermeasure Mapping",
+          "normalized_name": "defensive-countermeasure-mapping",
+          "line": 82,
+          "byte_start": 6639,
+          "byte_end": 7461,
+          "bytes": 822,
+          "h3_count": 0
+        }
+      ]
+    },
+    "network-trust": {
+      "path": "skills/network-trust/skill.md",
+      "total_bytes": 7376,
+      "total_lines": 82,
+      "frontmatter": {
+        "line_start": 1,
+        "line_end": 47,
+        "byte_start": 0,
+        "byte_end": 1087
+      },
+      "sections": [
+        {
+          "name": "Threat Context (mid-2026)",
+          "normalized_name": "threat-context",
+          "line": 51,
+          "byte_start": 1129,
+          "byte_end": 1899,
+          "bytes": 770,
+          "h3_count": 0
+        },
+        {
+          "name": "Framework Lag Declaration",
+          "normalized_name": "framework-lag-declaration",
+          "line": 55,
+          "byte_start": 1899,
+          "byte_end": 2613,
+          "bytes": 714,
+          "h3_count": 0
+        },
+        {
+          "name": "TTP Mapping",
+          "normalized_name": "ttp-mapping",
+          "line": 59,
+          "byte_start": 2613,
+          "byte_end": 3359,
+          "bytes": 746,
+          "h3_count": 0
+        },
+        {
+          "name": "Exploit Availability Matrix",
+          "normalized_name": "exploit-availability-matrix",
+          "line": 63,
+          "byte_start": 3359,
+          "byte_end": 4106,
+          "bytes": 747,
+          "h3_count": 0
+        },
+        {
+          "name": "Analysis Procedure",
+          "normalized_name": "analysis-procedure",
+          "line": 67,
+          "byte_start": 4106,
+          "byte_end": 5016,
+          "bytes": 910,
+          "h3_count": 0
+        },
+        {
+          "name": "Output Format",
+          "normalized_name": "output-format",
+          "line": 71,
+          "byte_start": 5016,
+          "byte_end": 5845,
+          "bytes": 829,
+          "h3_count": 0
+        },
+        {
+          "name": "Compliance Theater Check",
+          "normalized_name": "compliance-theater-check",
+          "line": 75,
+          "byte_start": 5845,
+          "byte_end": 6560,
+          "bytes": 715,
+          "h3_count": 0
+        },
+        {
+          "name": "Defensive Countermeasure Mapping",
+          "normalized_name": "defensive-countermeasure-mapping",
+          "line": 79,
+          "byte_start": 6560,
+          "byte_end": 7376,
+          "bytes": 816,
+          "h3_count": 0
+        }
+      ]
     }
   }
 }

package/data/_indexes/stale-content.json

@@ -15,7 +15,7 @@
       "severity": "medium",
       "category": "researcher_claim_drift",
       "artifact": "skills/researcher/skill.md",
-      "detail": "claims 41 specialized skills downstream; live count is 42"
+      "detail": "claims 41 specialized skills downstream; live count is 44"
     }
   ]
 }

package/data/_indexes/summary-cards.json

@@ -2023,6 +2023,84 @@
       "last_threat_review": "2026-06-02",
       "path": "skills/vc-wallet-trust/skill.md",
       "handoff_targets": []
+    },
+    "mail-server-hardening": {
+      "description": "Inbound mail-server protocol hardening for mid-2026 — SMTP smuggling, STARTTLS command/response injection, IMAP/POP3/ManageSieve command injection, Sieve redirect exfiltration, open relay, mailbox-DAV traversal/XXE, and cleartext-AUTH (the server-side protocol layer that SPF/DKIM/DMARC do not protect)",
+      "threat_context_excerpt": "A mail server that terminates inbound SMTP, IMAP, POP3, JMAP, or ManageSieve exposes a protocol surface that sender-authentication (SPF/DKIM/DMARC) and transport TLS do not protect. SMTP smuggling (CVE-2023-51764/51765/51766) exploits a server that accepts a non-standard end-of-data sequence to deliver a second message that inherits the outer connection's authentication pass — spoofed mail past DMARC. STARTTLS command/response injection (CVE-2021-38371, CVE-2021-33515) executes attacker plaintext buffered before the handshake. An open relay lends the operator's reputation to spammers. ...",
+      "produces": "Report per listener and protocol, marking each hardening check enforced / missing / inconclusive (visibility gap). For every missing check, state the port, whether it is internet-facing, and whether the gap yields spoofing/relay or mailbox-data exposure. Distinguish a live-listener finding from a documented test fixture or an upstream-proxy-enforced control. Provide the prioritised remediation (enforce standard end-of-data, drain the STARTTLS buffer and gate AUTH on TLS, harden the command parsers, restrict relay and cap Sieve redirect, harden mailbox-DAV and add rate limits) and the negative  ...",
+      "key_xrefs": {
+        "cwe_refs": [
+          "CWE-77",
+          "CWE-93",
+          "CWE-22",
+          "CWE-611",
+          "CWE-863",
+          "CWE-400"
+        ],
+        "d3fend_refs": [],
+        "framework_gaps": [
+          "NIST-800-53-SI-2",
+          "ISO-27001-2022-A.8.8",
+          "NIS2-Art21-network-security",
+          "PCI-DSS-4.0-6.3.3"
+        ],
+        "atlas_refs": [],
+        "attack_refs": [
+          "T1190",
+          "T1071.003",
+          "T1557"
+        ],
+        "rfc_refs": [],
+        "dlp_refs": []
+      },
+      "trigger_count": 18,
+      "atlas_count": 0,
+      "attack_count": 3,
+      "framework_gap_count": 4,
+      "cwe_count": 6,
+      "d3fend_count": 0,
+      "rfc_count": 0,
+      "last_threat_review": "2026-06-02",
+      "path": "skills/mail-server-hardening/skill.md",
+      "handoff_targets": []
+    },
+    "network-trust": {
+      "description": "Network-layer trust and adversary-in-the-middle resistance for mid-2026 — DNSSEC validation, DANE/TLSA pinning, TSIG, mTLS private-CA pinning, RFC 9421 HTTP message signatures, DNS-rebinding/SSRF guarding, and authenticated time (NTS) and its effect on certificate validity and TOTP",
+      "threat_context_excerpt": "Below the application, TLS authenticates a certificate against a CA bundle — not the specific peer you intended to reach, and not the DNS answer or the clock that got you there. Adversary-in-the-middle attacks exploit the trust-anchor validation TLS does not perform: forge a DNS answer where DNSSEC is not validated; present a mis-issued-but-CA-valid certificate where DANE/TLSA or an mTLS CA pin is not checked; shift an unauthenticated clock to revive an expired certificate or a TOTP window; or rebind a name from a public to an internal address. The DNSSEC validation surface itself carries ...",
+      "produces": "Report per trust anchor (DNS, peer certificate, time, message signature), marking each enforced / missing / inconclusive (visibility gap). For every missing check, state whether the path is internet-facing and which trust decisions (peer auth, name resolution, cert validity, TOTP) depend on it. Distinguish a genuinely-not-in-scope anchor (no DANE-capable peer, no authoritative zone, fixed pinned IP) from an unvalidated one. Provide the prioritised remediation (validate DNSSEC + guard rebinding, pin peer certificates via DANE/mTLS, authenticate time, require TSIG + verify message signatures, re ...",
+      "key_xrefs": {
+        "cwe_refs": [
+          "CWE-345",
+          "CWE-918",
+          "CWE-290",
+          "CWE-347"
+        ],
+        "d3fend_refs": [],
+        "framework_gaps": [
+          "NIST-800-53-SC-8",
+          "ISO-27001-2022-A.8.21",
+          "NIS2-Art21-network-security",
+          "UK-CAF-B4"
+        ],
+        "atlas_refs": [],
+        "attack_refs": [
+          "T1557",
+          "T1071.004",
+          "T1556"
+        ],
+        "rfc_refs": [],
+        "dlp_refs": []
+      },
+      "trigger_count": 17,
+      "atlas_count": 0,
+      "attack_count": 3,
+      "framework_gap_count": 4,
+      "cwe_count": 4,
+      "d3fend_count": 0,
+      "rfc_count": 0,
+      "last_threat_review": "2026-06-02",
+      "path": "skills/network-trust/skill.md",
+      "handoff_targets": []
     }
   }
 }

package/data/_indexes/token-budget.json

@@ -3,9 +3,9 @@
     "schema_version": "1.0.0",
     "tokenizer_note": "Character-density approximation: 1 token ≈ 4 chars. This is the canonical rule-of-thumb for OpenAI tokenizers on English+technical text. Claude's tokenizer is typically more efficient on prose; treat this as an upper-bound budget for both. Consumers with stricter precision needs should re-tokenize with their own tokenizer.",
     "approx_chars_per_token": 4,
-    "total_chars": 1682784,
-    "total_approx_tokens": 420699,
-    "skill_count": 43
+    "total_chars": 1697609,
+    "total_approx_tokens": 424405,
+    "skill_count": 45
   },
   "skills": {
     "kernel-lpe-triage": {
@@ -2552,6 +2552,106 @@
           "approx_tokens": 194
         }
       }
+    },
+    "mail-server-hardening": {
+      "path": "skills/mail-server-hardening/skill.md",
+      "bytes": 7461,
+      "chars": 7453,
+      "lines": 85,
+      "approx_tokens": 1863,
+      "approx_chars_per_token": 4,
+      "sections": {
+        "threat-context": {
+          "bytes": 828,
+          "chars": 826,
+          "approx_tokens": 207
+        },
+        "framework-lag-declaration": {
+          "bytes": 709,
+          "chars": 707,
+          "approx_tokens": 177
+        },
+        "ttp-mapping": {
+          "bytes": 847,
+          "chars": 847,
+          "approx_tokens": 212
+        },
+        "exploit-availability-matrix": {
+          "bytes": 754,
+          "chars": 754,
+          "approx_tokens": 189
+        },
+        "analysis-procedure": {
+          "bytes": 806,
+          "chars": 806,
+          "approx_tokens": 202
+        },
+        "output-format": {
+          "bytes": 781,
+          "chars": 781,
+          "approx_tokens": 195
+        },
+        "compliance-theater-check": {
+          "bytes": 715,
+          "chars": 715,
+          "approx_tokens": 179
+        },
+        "defensive-countermeasure-mapping": {
+          "bytes": 822,
+          "chars": 820,
+          "approx_tokens": 205
+        }
+      }
+    },
+    "network-trust": {
+      "path": "skills/network-trust/skill.md",
+      "bytes": 7376,
+      "chars": 7372,
+      "lines": 82,
+      "approx_tokens": 1843,
+      "approx_chars_per_token": 4,
+      "sections": {
+        "threat-context": {
+          "bytes": 770,
+          "chars": 768,
+          "approx_tokens": 192
+        },
+        "framework-lag-declaration": {
+          "bytes": 714,
+          "chars": 714,
+          "approx_tokens": 179
+        },
+        "ttp-mapping": {
+          "bytes": 746,
+          "chars": 746,
+          "approx_tokens": 187
+        },
+        "exploit-availability-matrix": {
+          "bytes": 747,
+          "chars": 747,
+          "approx_tokens": 187
+        },
+        "analysis-procedure": {
+          "bytes": 910,
+          "chars": 910,
+          "approx_tokens": 228
+        },
+        "output-format": {
+          "bytes": 829,
+          "chars": 829,
+          "approx_tokens": 207
+        },
+        "compliance-theater-check": {
+          "bytes": 715,
+          "chars": 715,
+          "approx_tokens": 179
+        },
+        "defensive-countermeasure-mapping": {
+          "bytes": 816,
+          "chars": 816,
+          "approx_tokens": 204
+        }
+      }
     }
   }
 }

package/data/_indexes/trigger-table.json

@@ -1680,5 +1680,110 @@
   ],
   "dcql": [
     "vc-wallet-trust"
+  ],
+  "mail server hardening": [
+    "mail-server-hardening"
+  ],
+  "smtp smuggling": [
+    "mail-server-hardening"
+  ],
+  "starttls injection": [
+    "mail-server-hardening"
+  ],
+  "open relay": [
+    "mail-server-hardening"
+  ],
+  "imap command injection": [
+    "mail-server-hardening"
+  ],
+  "managesieve": [
+    "mail-server-hardening"
+  ],
+  "sieve redirect": [
+    "mail-server-hardening"
+  ],
+  "mailbox dav": [
+    "mail-server-hardening"
+  ],
+  "caldav": [
+    "mail-server-hardening"
+  ],
+  "carddav": [
+    "mail-server-hardening"
+  ],
+  "pop3": [
+    "mail-server-hardening"
+  ],
+  "mx hardening": [
+    "mail-server-hardening"
+  ],
+  "rfc 5321": [
+    "mail-server-hardening"
+  ],
+  "rfc 9051": [
+    "mail-server-hardening"
+  ],
+  "rfc 5804": [
+    "mail-server-hardening"
+  ],
+  "mail protocol": [
+    "mail-server-hardening"
+  ],
+  "inbound mail": [
+    "mail-server-hardening"
+  ],
+  "smtp listener": [
+    "mail-server-hardening"
+  ],
+  "network trust": [
+    "network-trust"
+  ],
+  "adversary in the middle": [
+    "network-trust"
+  ],
+  "aitm": [
+    "network-trust"
+  ],
+  "dnssec": [
+    "network-trust"
+  ],
+  "dane": [
+    "network-trust"
+  ],
+  "tlsa": [
+    "network-trust"
+  ],
+  "tsig": [
+    "network-trust"
+  ],
+  "mtls pinning": [
+    "network-trust"
+  ],
+  "certificate pinning": [
+    "network-trust"
+  ],
+  "http message signature": [
+    "network-trust"
+  ],
+  "rfc 9421": [
+    "network-trust"
+  ],
+  "dns rebinding": [
+    "network-trust"
+  ],
+  "nts": [
+    "network-trust"
+  ],
+  "authenticated time": [
+    "network-trust"
+  ],
+  "ntp spoofing": [
+    "network-trust"
+  ],
+  "public suffix list": [
+    "network-trust"
+  ],
+  "name resolution trust": [
+    "network-trust"
   ]
 }

package/data/_indexes/xref.json

@@ -42,12 +42,14 @@
     "CWE-22": [
       "api-security",
       "attack-surface-pentest",
+      "mail-server-hardening",
       "mcp-agent-trust",
       "webapp-security"
     ],
     "CWE-345": [
       "idp-incident-response",
-      "mcp-agent-trust"
+      "mcp-agent-trust",
+      "network-trust"
     ],
     "CWE-352": [
       "api-security",
@@ -67,6 +69,7 @@
     ],
     "CWE-77": [
       "api-security",
+      "mail-server-hardening",
       "mcp-agent-trust",
       "webapp-security"
     ],
@@ -74,6 +77,7 @@
       "api-security",
       "attack-surface-pentest",
       "mcp-agent-trust",
+      "network-trust",
       "sector-telecom",
       "webapp-security"
     ],
@@ -196,6 +200,7 @@
       "cloud-iam-incident",
       "identity-assurance",
       "idp-incident-response",
+      "mail-server-hardening",
       "sector-financial",
       "vc-wallet-trust",
       "webapp-security"
@@ -212,10 +217,21 @@
       "idp-incident-response"
     ],
     "CWE-347": [
+      "network-trust",
       "vc-wallet-trust"
     ],
     "CWE-290": [
+      "network-trust",
       "vc-wallet-trust"
+    ],
+    "CWE-93": [
+      "mail-server-hardening"
+    ],
+    "CWE-611": [
+      "mail-server-hardening"
+    ],
+    "CWE-400": [
+      "mail-server-hardening"
     ]
   },
   "d3fend_refs": {
@@ -338,14 +354,17 @@
   },
   "framework_gaps": {
     "NIST-800-53-SI-2": [
-      "kernel-lpe-triage"
+      "kernel-lpe-triage",
+      "mail-server-hardening"
     ],
     "ISO-27001-2022-A.8.8": [
       "coordinated-vuln-disclosure",
-      "kernel-lpe-triage"
+      "kernel-lpe-triage",
+      "mail-server-hardening"
     ],
     "PCI-DSS-4.0-6.3.3": [
-      "kernel-lpe-triage"
+      "kernel-lpe-triage",
+      "mail-server-hardening"
     ],
     "NIS2-Art21-patch-management": [
       "attack-surface-pentest",
@@ -355,6 +374,7 @@
     ],
     "NIST-800-53-SC-8": [
       "kernel-lpe-triage",
+      "network-trust",
       "pqc-first"
     ],
     "CIS-Controls-v8-Control7": [
@@ -660,6 +680,16 @@
     ],
     "UK-CAF-B2": [
       "vc-wallet-trust"
+    ],
+    "NIS2-Art21-network-security": [
+      "mail-server-hardening",
+      "network-trust"
+    ],
+    "ISO-27001-2022-A.8.21": [
+      "network-trust"
+    ],
+    "UK-CAF-B4": [
+      "network-trust"
     ]
   },
   "atlas_refs": {
@@ -762,6 +792,7 @@
       "cloud-security",
       "container-runtime-security",
       "fuzz-testing-strategy",
+      "mail-server-hardening",
       "mcp-agent-trust",
       "ot-ics-security",
       "sector-energy",
@@ -838,6 +869,7 @@
     ],
     "T1556": [
       "identity-assurance",
+      "network-trust",
       "sector-telecom",
       "vc-wallet-trust"
     ],
@@ -913,6 +945,16 @@
     ],
     "T1550": [
       "vc-wallet-trust"
+    ],
+    "T1071.003": [
+      "mail-server-hardening"
+    ],
+    "T1557": [
+      "mail-server-hardening",
+      "network-trust"
+    ],
+    "T1071.004": [
+      "network-trust"
     ]
   },
   "rfc_refs": {