@blamejs/exceptd-skills 0.16.12 → 0.16.13

package/data/_indexes/currency.json

@@ -6,7 +6,7 @@
     "decay_formula": "100 base; -30/-20/-10/-5 at 180/90/60/30-day thresholds. forward_watch count does NOT affect the score (it's a maintenance signal, not a staleness one). Label thresholds: ≥90 current, ≥70 acceptable, ≥50 stale, <50 critical_stale."
   },
   "summary": {
-    "current": 44,
+    "current": 45,
     "acceptable": 0,
     "stale": 0,
     "critical_stale": 0,
@@ -238,6 +238,15 @@
       "forward_watch_count": 6,
       "action_required": false
     },
+    {
+      "skill": "network-trust",
+      "last_threat_review": "2026-06-02",
+      "days_since_review": -18,
+      "currency_score": 100,
+      "currency_label": "current",
+      "forward_watch_count": 0,
+      "action_required": false
+    },
     {
       "skill": "ot-ics-security",
       "last_threat_review": "2026-05-11",

package/data/_indexes/frequency.json

@@ -88,10 +88,11 @@
         ]
       },
       "CWE-345": {
-        "count": 2,
+        "count": 3,
         "skills": [
           "idp-incident-response",
-          "mcp-agent-trust"
+          "mcp-agent-trust",
+          "network-trust"
         ]
       },
       "CWE-352": {
@@ -129,11 +130,12 @@
         ]
       },
       "CWE-918": {
-        "count": 5,
+        "count": 6,
         "skills": [
           "api-security",
           "attack-surface-pentest",
           "mcp-agent-trust",
+          "network-trust",
           "sector-telecom",
           "webapp-security"
         ]
@@ -337,14 +339,16 @@
         ]
       },
       "CWE-347": {
-        "count": 1,
+        "count": 2,
         "skills": [
+          "network-trust",
           "vc-wallet-trust"
         ]
       },
       "CWE-290": {
-        "count": 1,
+        "count": 2,
         "skills": [
+          "network-trust",
           "vc-wallet-trust"
         ]
       },
@@ -581,9 +585,10 @@
         ]
       },
       "NIST-800-53-SC-8": {
-        "count": 2,
+        "count": 3,
         "skills": [
           "kernel-lpe-triage",
+          "network-trust",
           "pqc-first"
         ]
       },
@@ -1120,9 +1125,22 @@
         ]
       },
       "NIS2-Art21-network-security": {
+        "count": 2,
+        "skills": [
+          "mail-server-hardening",
+          "network-trust"
+        ]
+      },
+      "ISO-27001-2022-A.8.21": {
         "count": 1,
         "skills": [
-          "mail-server-hardening"
+          "network-trust"
+        ]
+      },
+      "UK-CAF-B4": {
+        "count": 1,
+        "skills": [
+          "network-trust"
         ]
       }
     },
@@ -1386,9 +1404,10 @@
         ]
       },
       "T1556": {
-        "count": 3,
+        "count": 4,
         "skills": [
           "identity-assurance",
+          "network-trust",
           "sector-telecom",
           "vc-wallet-trust"
         ]
@@ -1539,9 +1558,16 @@
         ]
       },
       "T1557": {
+        "count": 2,
+        "skills": [
+          "mail-server-hardening",
+          "network-trust"
+        ]
+      },
+      "T1071.004": {
         "count": 1,
         "skills": [
-          "mail-server-hardening"
+          "network-trust"
         ]
       }
     },
@@ -2283,6 +2309,16 @@
           "supply-chain-integrity"
         ]
       },
+      {
+        "id": "T1556",
+        "count": 4,
+        "skills": [
+          "identity-assurance",
+          "network-trust",
+          "sector-telecom",
+          "vc-wallet-trust"
+        ]
+      },
       {
         "id": "T1068",
         "count": 3,
@@ -2310,15 +2346,6 @@
           "sector-healthcare"
         ]
       },
-      {
-        "id": "T1556",
-        "count": 3,
-        "skills": [
-          "identity-assurance",
-          "sector-telecom",
-          "vc-wallet-trust"
-        ]
-      },
       {
         "id": "T0855",
         "count": 2,
@@ -2450,9 +2477,7 @@
     "cwe_refs": [
       "CWE-20",
       "CWE-284",
-      "CWE-290",
       "CWE-327",
-      "CWE-347",
       "CWE-400",
       "CWE-611",
       "CWE-93"
@@ -2481,12 +2506,12 @@
       "FCC-Cyber-Incident-Notification-2024",
       "FedRAMP-IL5-IAM-Federated",
       "GSMA-NESAS-Deployment",
+      "ISO-27001-2022-A.8.21",
       "ISO-27017-Cloud-IAM",
       "ITU-T-X.805",
       "Immutable-Backup-Recovery",
       "Insurance-Carrier-24h-Notification",
       "NIS2-Annex-I-Telecom",
-      "NIS2-Art21-network-security",
       "NIST-800-53-AC-2-Cross-Account",
       "NIST-800-53-SI-12",
       "OFAC-SDN-Payment-Block",
@@ -2502,6 +2527,7 @@
       "UK-CAF-B2",
       "UK-CAF-B2-Cloud-IAM",
       "UK-CAF-B2-IdP-Tenant",
+      "UK-CAF-B4",
       "UK-CAF-B5",
       "VEX-CSAF-v2.1"
     ],
@@ -2510,6 +2536,7 @@
     ],
     "attack_refs": [
       "T1071.003",
+      "T1071.004",
       "T1098",
       "T1102",
       "T1110",
@@ -2523,7 +2550,6 @@
       "T1552",
       "T1552.005",
       "T1556.007",
-      "T1557",
       "T1566.001",
       "T1566.002",
       "T1566.003",
@@ -3346,7 +3372,6 @@
       "ISO-27001-2022-A.7.10",
       "ISO-27001-2022-A.8.13",
       "ISO-27001-2022-A.8.15",
-      "ISO-27001-2022-A.8.21",
       "ISO-27001-2022-A.8.22",
       "ISO-27001-2022-A.8.24",
       "ISO-27001-2022-A.8.7",
@@ -3408,7 +3433,6 @@
       "SLSA-3",
       "SLSA-v1.0-Source-L3",
       "UK-CAF-A1",
-      "UK-CAF-B4",
       "UK-CAF-C1",
       "UK-CAF-D1"
     ],

package/data/_indexes/handoff-dag.json

@@ -25,6 +25,7 @@
     "mail-server-hardening",
     "mcp-agent-trust",
     "mlops-security",
+    "network-trust",
     "ot-ics-security",
     "policy-exception-gen",
     "pqc-first",
@@ -517,7 +518,8 @@
       "sector-telecom"
     ],
     "vc-wallet-trust": [],
-    "mail-server-hardening": []
+    "mail-server-hardening": [],
+    "network-trust": []
   },
   "in_degree": {
     "age-gates-child-safety": 1,
@@ -545,6 +547,7 @@
     "mail-server-hardening": 0,
     "mcp-agent-trust": 22,
     "mlops-security": 6,
+    "network-trust": 0,
     "ot-ics-security": 4,
     "policy-exception-gen": 16,
     "pqc-first": 6,
@@ -591,6 +594,7 @@
     "mail-server-hardening": 0,
     "mcp-agent-trust": 7,
     "mlops-security": 10,
+    "network-trust": 0,
     "ot-ics-security": 14,
     "policy-exception-gen": 0,
     "pqc-first": 3,

package/data/_indexes/jurisdiction-map.json

@@ -26,6 +26,7 @@
       "mail-server-hardening",
       "mcp-agent-trust",
       "mlops-security",
+      "network-trust",
       "ot-ics-security",
       "policy-exception-gen",
       "pqc-first",
@@ -47,7 +48,7 @@
       "zeroday-gap-learn"
     ],
     "example_excerpts": {},
-    "skill_count": 44
+    "skill_count": 45
   },
   "UK": {
     "skills": [
@@ -75,6 +76,7 @@
       "kernel-lpe-triage",
       "mcp-agent-trust",
       "mlops-security",
+      "network-trust",
       "ot-ics-security",
       "policy-exception-gen",
       "pqc-first",
@@ -96,7 +98,7 @@
       "zeroday-gap-learn"
     ],
     "example_excerpts": {},
-    "skill_count": 43
+    "skill_count": 44
   },
   "AU": {
     "skills": [
@@ -238,6 +240,7 @@
       "global-grc",
       "identity-assurance",
       "idp-incident-response",
+      "network-trust",
       "sector-energy",
       "sector-federal-government",
       "sector-financial",
@@ -247,7 +250,7 @@
       "zeroday-gap-learn"
     ],
     "example_excerpts": {},
-    "skill_count": 17
+    "skill_count": 18
   },
   "BR": {
     "skills": [

package/data/_indexes/section-offsets.json

@@ -4467,6 +4467,91 @@
           "h3_count": 0
         }
       ]
+    },
+    "network-trust": {
+      "path": "skills/network-trust/skill.md",
+      "total_bytes": 7376,
+      "total_lines": 82,
+      "frontmatter": {
+        "line_start": 1,
+        "line_end": 47,
+        "byte_start": 0,
+        "byte_end": 1087
+      },
+      "sections": [
+        {
+          "name": "Threat Context (mid-2026)",
+          "normalized_name": "threat-context",
+          "line": 51,
+          "byte_start": 1129,
+          "byte_end": 1899,
+          "bytes": 770,
+          "h3_count": 0
+        },
+        {
+          "name": "Framework Lag Declaration",
+          "normalized_name": "framework-lag-declaration",
+          "line": 55,
+          "byte_start": 1899,
+          "byte_end": 2613,
+          "bytes": 714,
+          "h3_count": 0
+        },
+        {
+          "name": "TTP Mapping",
+          "normalized_name": "ttp-mapping",
+          "line": 59,
+          "byte_start": 2613,
+          "byte_end": 3359,
+          "bytes": 746,
+          "h3_count": 0
+        },
+        {
+          "name": "Exploit Availability Matrix",
+          "normalized_name": "exploit-availability-matrix",
+          "line": 63,
+          "byte_start": 3359,
+          "byte_end": 4106,
+          "bytes": 747,
+          "h3_count": 0
+        },
+        {
+          "name": "Analysis Procedure",
+          "normalized_name": "analysis-procedure",
+          "line": 67,
+          "byte_start": 4106,
+          "byte_end": 5016,
+          "bytes": 910,
+          "h3_count": 0
+        },
+        {
+          "name": "Output Format",
+          "normalized_name": "output-format",
+          "line": 71,
+          "byte_start": 5016,
+          "byte_end": 5845,
+          "bytes": 829,
+          "h3_count": 0
+        },
+        {
+          "name": "Compliance Theater Check",
+          "normalized_name": "compliance-theater-check",
+          "line": 75,
+          "byte_start": 5845,
+          "byte_end": 6560,
+          "bytes": 715,
+          "h3_count": 0
+        },
+        {
+          "name": "Defensive Countermeasure Mapping",
+          "normalized_name": "defensive-countermeasure-mapping",
+          "line": 79,
+          "byte_start": 6560,
+          "byte_end": 7376,
+          "bytes": 816,
+          "h3_count": 0
+        }
+      ]
     }
   }
 }

package/data/_indexes/stale-content.json

@@ -15,7 +15,7 @@
       "severity": "medium",
       "category": "researcher_claim_drift",
       "artifact": "skills/researcher/skill.md",
-      "detail": "claims 41 specialized skills downstream; live count is 43"
+      "detail": "claims 41 specialized skills downstream; live count is 44"
     }
   ]
 }

package/data/_indexes/summary-cards.json

@@ -2063,6 +2063,44 @@
       "last_threat_review": "2026-06-02",
       "path": "skills/mail-server-hardening/skill.md",
       "handoff_targets": []
+    },
+    "network-trust": {
+      "description": "Network-layer trust and adversary-in-the-middle resistance for mid-2026 — DNSSEC validation, DANE/TLSA pinning, TSIG, mTLS private-CA pinning, RFC 9421 HTTP message signatures, DNS-rebinding/SSRF guarding, and authenticated time (NTS) and its effect on certificate validity and TOTP",
+      "threat_context_excerpt": "Below the application, TLS authenticates a certificate against a CA bundle — not the specific peer you intended to reach, and not the DNS answer or the clock that got you there. Adversary-in-the-middle attacks exploit the trust-anchor validation TLS does not perform: forge a DNS answer where DNSSEC is not validated; present a mis-issued-but-CA-valid certificate where DANE/TLSA or an mTLS CA pin is not checked; shift an unauthenticated clock to revive an expired certificate or a TOTP window; or rebind a name from a public to an internal address. The DNSSEC validation surface itself carries ...",
+      "produces": "Report per trust anchor (DNS, peer certificate, time, message signature), marking each enforced / missing / inconclusive (visibility gap). For every missing check, state whether the path is internet-facing and which trust decisions (peer auth, name resolution, cert validity, TOTP) depend on it. Distinguish a genuinely-not-in-scope anchor (no DANE-capable peer, no authoritative zone, fixed pinned IP) from an unvalidated one. Provide the prioritised remediation (validate DNSSEC + guard rebinding, pin peer certificates via DANE/mTLS, authenticate time, require TSIG + verify message signatures, re ...",
+      "key_xrefs": {
+        "cwe_refs": [
+          "CWE-345",
+          "CWE-918",
+          "CWE-290",
+          "CWE-347"
+        ],
+        "d3fend_refs": [],
+        "framework_gaps": [
+          "NIST-800-53-SC-8",
+          "ISO-27001-2022-A.8.21",
+          "NIS2-Art21-network-security",
+          "UK-CAF-B4"
+        ],
+        "atlas_refs": [],
+        "attack_refs": [
+          "T1557",
+          "T1071.004",
+          "T1556"
+        ],
+        "rfc_refs": [],
+        "dlp_refs": []
+      },
+      "trigger_count": 17,
+      "atlas_count": 0,
+      "attack_count": 3,
+      "framework_gap_count": 4,
+      "cwe_count": 4,
+      "d3fend_count": 0,
+      "rfc_count": 0,
+      "last_threat_review": "2026-06-02",
+      "path": "skills/network-trust/skill.md",
+      "handoff_targets": []
     }
   }
 }

package/data/_indexes/token-budget.json

@@ -3,9 +3,9 @@
     "schema_version": "1.0.0",
     "tokenizer_note": "Character-density approximation: 1 token ≈ 4 chars. This is the canonical rule-of-thumb for OpenAI tokenizers on English+technical text. Claude's tokenizer is typically more efficient on prose; treat this as an upper-bound budget for both. Consumers with stricter precision needs should re-tokenize with their own tokenizer.",
     "approx_chars_per_token": 4,
-    "total_chars": 1690237,
-    "total_approx_tokens": 422562,
-    "skill_count": 44
+    "total_chars": 1697609,
+    "total_approx_tokens": 424405,
+    "skill_count": 45
   },
   "skills": {
     "kernel-lpe-triage": {
@@ -2602,6 +2602,56 @@
           "approx_tokens": 205
         }
       }
+    },
+    "network-trust": {
+      "path": "skills/network-trust/skill.md",
+      "bytes": 7376,
+      "chars": 7372,
+      "lines": 82,
+      "approx_tokens": 1843,
+      "approx_chars_per_token": 4,
+      "sections": {
+        "threat-context": {
+          "bytes": 770,
+          "chars": 768,
+          "approx_tokens": 192
+        },
+        "framework-lag-declaration": {
+          "bytes": 714,
+          "chars": 714,
+          "approx_tokens": 179
+        },
+        "ttp-mapping": {
+          "bytes": 746,
+          "chars": 746,
+          "approx_tokens": 187
+        },
+        "exploit-availability-matrix": {
+          "bytes": 747,
+          "chars": 747,
+          "approx_tokens": 187
+        },
+        "analysis-procedure": {
+          "bytes": 910,
+          "chars": 910,
+          "approx_tokens": 228
+        },
+        "output-format": {
+          "bytes": 829,
+          "chars": 829,
+          "approx_tokens": 207
+        },
+        "compliance-theater-check": {
+          "bytes": 715,
+          "chars": 715,
+          "approx_tokens": 179
+        },
+        "defensive-countermeasure-mapping": {
+          "bytes": 816,
+          "chars": 816,
+          "approx_tokens": 204
+        }
+      }
     }
   }
 }

package/data/_indexes/trigger-table.json

@@ -1734,5 +1734,56 @@
   ],
   "smtp listener": [
     "mail-server-hardening"
+  ],
+  "network trust": [
+    "network-trust"
+  ],
+  "adversary in the middle": [
+    "network-trust"
+  ],
+  "aitm": [
+    "network-trust"
+  ],
+  "dnssec": [
+    "network-trust"
+  ],
+  "dane": [
+    "network-trust"
+  ],
+  "tlsa": [
+    "network-trust"
+  ],
+  "tsig": [
+    "network-trust"
+  ],
+  "mtls pinning": [
+    "network-trust"
+  ],
+  "certificate pinning": [
+    "network-trust"
+  ],
+  "http message signature": [
+    "network-trust"
+  ],
+  "rfc 9421": [
+    "network-trust"
+  ],
+  "dns rebinding": [
+    "network-trust"
+  ],
+  "nts": [
+    "network-trust"
+  ],
+  "authenticated time": [
+    "network-trust"
+  ],
+  "ntp spoofing": [
+    "network-trust"
+  ],
+  "public suffix list": [
+    "network-trust"
+  ],
+  "name resolution trust": [
+    "network-trust"
   ]
 }

package/data/_indexes/xref.json

@@ -48,7 +48,8 @@
     ],
     "CWE-345": [
       "idp-incident-response",
-      "mcp-agent-trust"
+      "mcp-agent-trust",
+      "network-trust"
     ],
     "CWE-352": [
       "api-security",
@@ -76,6 +77,7 @@
       "api-security",
       "attack-surface-pentest",
       "mcp-agent-trust",
+      "network-trust",
       "sector-telecom",
       "webapp-security"
     ],
@@ -215,9 +217,11 @@
       "idp-incident-response"
     ],
     "CWE-347": [
+      "network-trust",
       "vc-wallet-trust"
     ],
     "CWE-290": [
+      "network-trust",
       "vc-wallet-trust"
     ],
     "CWE-93": [
@@ -370,6 +374,7 @@
     ],
     "NIST-800-53-SC-8": [
       "kernel-lpe-triage",
+      "network-trust",
       "pqc-first"
     ],
     "CIS-Controls-v8-Control7": [
@@ -677,7 +682,14 @@
       "vc-wallet-trust"
     ],
     "NIS2-Art21-network-security": [
-      "mail-server-hardening"
+      "mail-server-hardening",
+      "network-trust"
+    ],
+    "ISO-27001-2022-A.8.21": [
+      "network-trust"
+    ],
+    "UK-CAF-B4": [
+      "network-trust"
     ]
   },
   "atlas_refs": {
@@ -857,6 +869,7 @@
     ],
     "T1556": [
       "identity-assurance",
+      "network-trust",
       "sector-telecom",
       "vc-wallet-trust"
     ],
@@ -937,7 +950,11 @@
       "mail-server-hardening"
     ],
     "T1557": [
-      "mail-server-hardening"
+      "mail-server-hardening",
+      "network-trust"
+    ],
+    "T1071.004": [
+      "network-trust"
     ]
   },
   "rfc_refs": {

package/data/cwe-catalog.json

@@ -1070,7 +1070,8 @@
     ],
     "skills_referencing": [
       "idp-incident-response",
-      "mcp-agent-trust"
+      "mcp-agent-trust",
+      "network-trust"
     ],
     "evidence_cves": [
       "CVE-2023-51764",
@@ -1904,6 +1905,7 @@
       "api-security",
       "attack-surface-pentest",
       "mcp-agent-trust",
+      "network-trust",
       "sector-telecom",
       "webapp-security"
     ],
@@ -2573,6 +2575,7 @@
     "last_verified": "2026-05-18",
     "notes": "Added v0.13.17 KEV bulk-import.",
     "skills_referencing": [
+      "network-trust",
       "vc-wallet-trust"
     ]
   },
@@ -2936,6 +2939,7 @@
     "last_verified": "2026-05-18",
     "notes": "Added v0.13.17 KEV bulk-import round 2.",
     "skills_referencing": [
+      "network-trust",
       "vc-wallet-trust"
     ]
   },