@blamejs/exceptd-skills 0.16.12 → 0.16.14

package/data/_indexes/summary-cards.json

@@ -2063,6 +2063,82 @@
       "last_threat_review": "2026-06-02",
       "path": "skills/mail-server-hardening/skill.md",
       "handoff_targets": []
+    },
+    "network-trust": {
+      "description": "Network-layer trust and adversary-in-the-middle resistance for mid-2026 — DNSSEC validation, DANE/TLSA pinning, TSIG, mTLS private-CA pinning, RFC 9421 HTTP message signatures, DNS-rebinding/SSRF guarding, and authenticated time (NTS) and its effect on certificate validity and TOTP",
+      "threat_context_excerpt": "Below the application, TLS authenticates a certificate against a CA bundle — not the specific peer you intended to reach, and not the DNS answer or the clock that got you there. Adversary-in-the-middle attacks exploit the trust-anchor validation TLS does not perform: forge a DNS answer where DNSSEC is not validated; present a mis-issued-but-CA-valid certificate where DANE/TLSA or an mTLS CA pin is not checked; shift an unauthenticated clock to revive an expired certificate or a TOTP window; or rebind a name from a public to an internal address. The DNSSEC validation surface itself carries ...",
+      "produces": "Report per trust anchor (DNS, peer certificate, time, message signature), marking each enforced / missing / inconclusive (visibility gap). For every missing check, state whether the path is internet-facing and which trust decisions (peer auth, name resolution, cert validity, TOTP) depend on it. Distinguish a genuinely-not-in-scope anchor (no DANE-capable peer, no authoritative zone, fixed pinned IP) from an unvalidated one. Provide the prioritised remediation (validate DNSSEC + guard rebinding, pin peer certificates via DANE/mTLS, authenticate time, require TSIG + verify message signatures, re ...",
+      "key_xrefs": {
+        "cwe_refs": [
+          "CWE-345",
+          "CWE-918",
+          "CWE-290",
+          "CWE-347"
+        ],
+        "d3fend_refs": [],
+        "framework_gaps": [
+          "NIST-800-53-SC-8",
+          "ISO-27001-2022-A.8.21",
+          "NIS2-Art21-network-security",
+          "UK-CAF-B4"
+        ],
+        "atlas_refs": [],
+        "attack_refs": [
+          "T1557",
+          "T1071.004",
+          "T1556"
+        ],
+        "rfc_refs": [],
+        "dlp_refs": []
+      },
+      "trigger_count": 17,
+      "atlas_count": 0,
+      "attack_count": 3,
+      "framework_gap_count": 4,
+      "cwe_count": 4,
+      "d3fend_count": 0,
+      "rfc_count": 0,
+      "last_threat_review": "2026-06-02",
+      "path": "skills/network-trust/skill.md",
+      "handoff_targets": []
+    },
+    "audit-log-integrity": {
+      "description": "Audit-log integrity for mid-2026 — tamper-evident hash-chaining, off-host signing, compliance-mode WORM immutability, legal-hold-vs-retention enforcement, writer/custodian separation, and deception (honeytoken) coverage that resist the privileged attacker most likely to tamper with the trail",
+      "threat_context_excerpt": "An audit trail is a security control only if it survives the attacker who wants it gone. Anti-forensic tampering (T1070 indicator removal) and stored-data manipulation (T1565.001) target precisely the log that would expose an intrusion, and the most capable adversary is a compromised privileged or insider identity. Logging volume is not integrity: a complete log that a sufficiently privileged credential can rewrite, re-chain, or delete is not a trail. The integrity properties that resist this are a hash chain actually verified on read, entries signed with a key held off the log-writing host, ...",
+      "produces": "Report per integrity property (chain verification, signing, WORM mode, legal-hold gate, writer/custodian separation, deception), marking each enforced / missing / inconclusive (visibility gap). For every missing property, state whether a single compromised privileged or application identity could rewrite or delete the system-of-record trail undetected, and whether any external anchor or honeytoken would catch it. Distinguish a control enforced externally (external WORM/notary, KMS-held key) from an absent one. Provide the prioritised remediation (verify chain + sign off-host, compliance-WORM + ...",
+      "key_xrefs": {
+        "cwe_refs": [
+          "CWE-345",
+          "CWE-347",
+          "CWE-284",
+          "CWE-778"
+        ],
+        "d3fend_refs": [],
+        "framework_gaps": [
+          "NIST-800-53-SI-2",
+          "ISO-27001-2022-A.8.15",
+          "NIS2-Art21-network-security",
+          "SOC2-CC7-anomaly-detection"
+        ],
+        "atlas_refs": [],
+        "attack_refs": [
+          "T1070",
+          "T1565.001",
+          "T1562.008"
+        ],
+        "rfc_refs": [],
+        "dlp_refs": []
+      },
+      "trigger_count": 16,
+      "atlas_count": 0,
+      "attack_count": 3,
+      "framework_gap_count": 4,
+      "cwe_count": 4,
+      "d3fend_count": 0,
+      "rfc_count": 0,
+      "last_threat_review": "2026-06-02",
+      "path": "skills/audit-log-integrity/skill.md",
+      "handoff_targets": []
     }
   }
 }

package/data/_indexes/token-budget.json

@@ -3,9 +3,9 @@
     "schema_version": "1.0.0",
     "tokenizer_note": "Character-density approximation: 1 token ≈ 4 chars. This is the canonical rule-of-thumb for OpenAI tokenizers on English+technical text. Claude's tokenizer is typically more efficient on prose; treat this as an upper-bound budget for both. Consumers with stricter precision needs should re-tokenize with their own tokenizer.",
     "approx_chars_per_token": 4,
-    "total_chars": 1690237,
-    "total_approx_tokens": 422562,
-    "skill_count": 44
+    "total_chars": 1705264,
+    "total_approx_tokens": 426319,
+    "skill_count": 46
   },
   "skills": {
     "kernel-lpe-triage": {
@@ -2602,6 +2602,106 @@
           "approx_tokens": 205
         }
       }
+    },
+    "network-trust": {
+      "path": "skills/network-trust/skill.md",
+      "bytes": 7376,
+      "chars": 7372,
+      "lines": 82,
+      "approx_tokens": 1843,
+      "approx_chars_per_token": 4,
+      "sections": {
+        "threat-context": {
+          "bytes": 770,
+          "chars": 768,
+          "approx_tokens": 192
+        },
+        "framework-lag-declaration": {
+          "bytes": 714,
+          "chars": 714,
+          "approx_tokens": 179
+        },
+        "ttp-mapping": {
+          "bytes": 746,
+          "chars": 746,
+          "approx_tokens": 187
+        },
+        "exploit-availability-matrix": {
+          "bytes": 747,
+          "chars": 747,
+          "approx_tokens": 187
+        },
+        "analysis-procedure": {
+          "bytes": 910,
+          "chars": 910,
+          "approx_tokens": 228
+        },
+        "output-format": {
+          "bytes": 829,
+          "chars": 829,
+          "approx_tokens": 207
+        },
+        "compliance-theater-check": {
+          "bytes": 715,
+          "chars": 715,
+          "approx_tokens": 179
+        },
+        "defensive-countermeasure-mapping": {
+          "bytes": 816,
+          "chars": 816,
+          "approx_tokens": 204
+        }
+      }
+    },
+    "audit-log-integrity": {
+      "path": "skills/audit-log-integrity/skill.md",
+      "bytes": 7667,
+      "chars": 7655,
+      "lines": 81,
+      "approx_tokens": 1914,
+      "approx_chars_per_token": 4,
+      "sections": {
+        "threat-context": {
+          "bytes": 838,
+          "chars": 838,
+          "approx_tokens": 210
+        },
+        "framework-lag-declaration": {
+          "bytes": 796,
+          "chars": 794,
+          "approx_tokens": 199
+        },
+        "ttp-mapping": {
+          "bytes": 821,
+          "chars": 813,
+          "approx_tokens": 203
+        },
+        "exploit-availability-matrix": {
+          "bytes": 705,
+          "chars": 705,
+          "approx_tokens": 176
+        },
+        "analysis-procedure": {
+          "bytes": 881,
+          "chars": 881,
+          "approx_tokens": 220
+        },
+        "output-format": {
+          "bytes": 918,
+          "chars": 918,
+          "approx_tokens": 230
+        },
+        "compliance-theater-check": {
+          "bytes": 682,
+          "chars": 682,
+          "approx_tokens": 171
+        },
+        "defensive-countermeasure-mapping": {
+          "bytes": 848,
+          "chars": 848,
+          "approx_tokens": 212
+        }
+      }
     }
   }
 }

package/data/_indexes/trigger-table.json

@@ -1734,5 +1734,104 @@
   ],
   "smtp listener": [
     "mail-server-hardening"
+  ],
+  "network trust": [
+    "network-trust"
+  ],
+  "adversary in the middle": [
+    "network-trust"
+  ],
+  "aitm": [
+    "network-trust"
+  ],
+  "dnssec": [
+    "network-trust"
+  ],
+  "dane": [
+    "network-trust"
+  ],
+  "tlsa": [
+    "network-trust"
+  ],
+  "tsig": [
+    "network-trust"
+  ],
+  "mtls pinning": [
+    "network-trust"
+  ],
+  "certificate pinning": [
+    "network-trust"
+  ],
+  "http message signature": [
+    "network-trust"
+  ],
+  "rfc 9421": [
+    "network-trust"
+  ],
+  "dns rebinding": [
+    "network-trust"
+  ],
+  "nts": [
+    "network-trust"
+  ],
+  "authenticated time": [
+    "network-trust"
+  ],
+  "ntp spoofing": [
+    "network-trust"
+  ],
+  "public suffix list": [
+    "network-trust"
+  ],
+  "name resolution trust": [
+    "network-trust"
+  ],
+  "audit log integrity": [
+    "audit-log-integrity"
+  ],
+  "tamper evident logging": [
+    "audit-log-integrity"
+  ],
+  "hash chain": [
+    "audit-log-integrity"
+  ],
+  "worm": [
+    "audit-log-integrity"
+  ],
+  "object lock": [
+    "audit-log-integrity"
+  ],
+  "immutable storage": [
+    "audit-log-integrity"
+  ],
+  "legal hold": [
+    "audit-log-integrity"
+  ],
+  "retention": [
+    "audit-log-integrity"
+  ],
+  "honeytoken": [
+    "audit-log-integrity"
+  ],
+  "canary token": [
+    "audit-log-integrity"
+  ],
+  "break glass": [
+    "audit-log-integrity"
+  ],
+  "dual control": [
+    "audit-log-integrity"
+  ],
+  "anti forensics": [
+    "audit-log-integrity"
+  ],
+  "log deletion": [
+    "audit-log-integrity"
+  ],
+  "separation of duties": [
+    "audit-log-integrity"
+  ],
+  "audit trail": [
+    "audit-log-integrity"
   ]
 }

package/data/_indexes/xref.json

@@ -47,8 +47,10 @@
       "webapp-security"
     ],
     "CWE-345": [
+      "audit-log-integrity",
       "idp-incident-response",
-      "mcp-agent-trust"
+      "mcp-agent-trust",
+      "network-trust"
     ],
     "CWE-352": [
       "api-security",
@@ -76,6 +78,7 @@
       "api-security",
       "attack-surface-pentest",
       "mcp-agent-trust",
+      "network-trust",
       "sector-telecom",
       "webapp-security"
     ],
@@ -212,12 +215,16 @@
       "idp-incident-response"
     ],
     "CWE-284": [
+      "audit-log-integrity",
       "idp-incident-response"
     ],
     "CWE-347": [
+      "audit-log-integrity",
+      "network-trust",
       "vc-wallet-trust"
     ],
     "CWE-290": [
+      "network-trust",
       "vc-wallet-trust"
     ],
     "CWE-93": [
@@ -228,6 +235,9 @@
     ],
     "CWE-400": [
       "mail-server-hardening"
+    ],
+    "CWE-778": [
+      "audit-log-integrity"
     ]
   },
   "d3fend_refs": {
@@ -350,6 +360,7 @@
   },
   "framework_gaps": {
     "NIST-800-53-SI-2": [
+      "audit-log-integrity",
       "kernel-lpe-triage",
       "mail-server-hardening"
     ],
@@ -370,6 +381,7 @@
     ],
     "NIST-800-53-SC-8": [
       "kernel-lpe-triage",
+      "network-trust",
       "pqc-first"
     ],
     "CIS-Controls-v8-Control7": [
@@ -495,6 +507,7 @@
     ],
     "SOC2-CC7-anomaly-detection": [
       "ai-c2-detection",
+      "audit-log-integrity",
       "dlp-gap-analysis",
       "email-security-anti-phishing",
       "incident-response-playbook"
@@ -677,7 +690,18 @@
       "vc-wallet-trust"
     ],
     "NIS2-Art21-network-security": [
-      "mail-server-hardening"
+      "audit-log-integrity",
+      "mail-server-hardening",
+      "network-trust"
+    ],
+    "ISO-27001-2022-A.8.21": [
+      "network-trust"
+    ],
+    "UK-CAF-B4": [
+      "network-trust"
+    ],
+    "ISO-27001-2022-A.8.15": [
+      "audit-log-integrity"
     ]
   },
   "atlas_refs": {
@@ -857,6 +881,7 @@
     ],
     "T1556": [
       "identity-assurance",
+      "network-trust",
       "sector-telecom",
       "vc-wallet-trust"
     ],
@@ -937,7 +962,20 @@
       "mail-server-hardening"
     ],
     "T1557": [
-      "mail-server-hardening"
+      "mail-server-hardening",
+      "network-trust"
+    ],
+    "T1071.004": [
+      "network-trust"
+    ],
+    "T1070": [
+      "audit-log-integrity"
+    ],
+    "T1565.001": [
+      "audit-log-integrity"
+    ],
+    "T1562.008": [
+      "audit-log-integrity"
     ]
   },
   "rfc_refs": {

package/data/cwe-catalog.json

@@ -673,6 +673,7 @@
       "CAPEC-19"
     ],
     "skills_referencing": [
+      "audit-log-integrity",
       "idp-incident-response"
     ],
     "evidence_cves": [
@@ -1069,8 +1070,10 @@
       "CAPEC-148"
     ],
     "skills_referencing": [
+      "audit-log-integrity",
       "idp-incident-response",
-      "mcp-agent-trust"
+      "mcp-agent-trust",
+      "network-trust"
     ],
     "evidence_cves": [
       "CVE-2023-51764",
@@ -1904,6 +1907,7 @@
       "api-security",
       "attack-surface-pentest",
       "mcp-agent-trust",
+      "network-trust",
       "sector-telecom",
       "webapp-security"
     ],
@@ -2573,6 +2577,8 @@
     "last_verified": "2026-05-18",
     "notes": "Added v0.13.17 KEV bulk-import.",
     "skills_referencing": [
+      "audit-log-integrity",
+      "network-trust",
       "vc-wallet-trust"
     ]
   },
@@ -2936,6 +2942,7 @@
     "last_verified": "2026-05-18",
     "notes": "Added v0.13.17 KEV bulk-import round 2.",
     "skills_referencing": [
+      "network-trust",
       "vc-wallet-trust"
     ]
   },
@@ -3818,7 +3825,10 @@
     "last_verified": "2026-05-19",
     "notes": "Bulk-imported v0.13.18 from the canonical MITRE Top 25 + commonly-referenced-class expansion.",
     "_auto_imported": true,
-    "_intake_method": "v0.13.18-bulk-mitre-cwe-curated"
+    "_intake_method": "v0.13.18-bulk-mitre-cwe-curated",
+    "skills_referencing": [
+      "audit-log-integrity"
+    ]
   },
   "CWE-779": {
     "id": "CWE-779",