@blamejs/exceptd-skills 0.16.13 → 0.16.14

package/data/_indexes/currency.json

@@ -6,7 +6,7 @@
     "decay_formula": "100 base; -30/-20/-10/-5 at 180/90/60/30-day thresholds. forward_watch count does NOT affect the score (it's a maintenance signal, not a staleness one). Label thresholds: ≥90 current, ≥70 acceptable, ≥50 stale, <50 critical_stale."
   },
   "summary": {
-    "current": 45,
+    "current": 46,
     "acceptable": 0,
     "stale": 0,
     "critical_stale": 0,
@@ -67,6 +67,15 @@
       "forward_watch_count": 5,
       "action_required": false
     },
+    {
+      "skill": "audit-log-integrity",
+      "last_threat_review": "2026-06-02",
+      "days_since_review": -18,
+      "currency_score": 100,
+      "currency_label": "current",
+      "forward_watch_count": 0,
+      "action_required": false
+    },
     {
       "skill": "cloud-iam-incident",
       "last_threat_review": "2026-05-15",

package/data/_indexes/frequency.json

@@ -88,8 +88,9 @@
         ]
       },
       "CWE-345": {
-        "count": 3,
+        "count": 4,
         "skills": [
+          "audit-log-integrity",
           "idp-incident-response",
           "mcp-agent-trust",
           "network-trust"
@@ -333,14 +334,16 @@
         ]
       },
       "CWE-284": {
-        "count": 1,
+        "count": 2,
         "skills": [
+          "audit-log-integrity",
           "idp-incident-response"
         ]
       },
       "CWE-347": {
-        "count": 2,
+        "count": 3,
         "skills": [
+          "audit-log-integrity",
           "network-trust",
           "vc-wallet-trust"
         ]
@@ -369,6 +372,12 @@
         "skills": [
           "mail-server-hardening"
         ]
+      },
+      "CWE-778": {
+        "count": 1,
+        "skills": [
+          "audit-log-integrity"
+        ]
       }
     },
     "d3fend_refs": {
@@ -554,8 +563,9 @@
     },
     "framework_gaps": {
       "NIST-800-53-SI-2": {
-        "count": 2,
+        "count": 3,
         "skills": [
+          "audit-log-integrity",
           "kernel-lpe-triage",
           "mail-server-hardening"
         ]
@@ -789,9 +799,10 @@
         ]
       },
       "SOC2-CC7-anomaly-detection": {
-        "count": 4,
+        "count": 5,
         "skills": [
           "ai-c2-detection",
+          "audit-log-integrity",
           "dlp-gap-analysis",
           "email-security-anti-phishing",
           "incident-response-playbook"
@@ -1125,8 +1136,9 @@
         ]
       },
       "NIS2-Art21-network-security": {
-        "count": 2,
+        "count": 3,
         "skills": [
+          "audit-log-integrity",
           "mail-server-hardening",
           "network-trust"
         ]
@@ -1142,6 +1154,12 @@
         "skills": [
           "network-trust"
         ]
+      },
+      "ISO-27001-2022-A.8.15": {
+        "count": 1,
+        "skills": [
+          "audit-log-integrity"
+        ]
       }
     },
     "atlas_refs": {
@@ -1569,6 +1587,24 @@
         "skills": [
           "network-trust"
         ]
+      },
+      "T1070": {
+        "count": 1,
+        "skills": [
+          "audit-log-integrity"
+        ]
+      },
+      "T1565.001": {
+        "count": 1,
+        "skills": [
+          "audit-log-integrity"
+        ]
+      },
+      "T1562.008": {
+        "count": 1,
+        "skills": [
+          "audit-log-integrity"
+        ]
       }
     },
     "rfc_refs": {
@@ -2061,6 +2097,17 @@
           "sector-healthcare"
         ]
       },
+      {
+        "id": "SOC2-CC7-anomaly-detection",
+        "count": 5,
+        "skills": [
+          "ai-c2-detection",
+          "audit-log-integrity",
+          "dlp-gap-analysis",
+          "email-security-anti-phishing",
+          "incident-response-playbook"
+        ]
+      },
       {
         "id": "FedRAMP-Rev5-Moderate",
         "count": 4,
@@ -2110,16 +2157,6 @@
           "sector-federal-government",
           "supply-chain-integrity"
         ]
-      },
-      {
-        "id": "SOC2-CC6-logical-access",
-        "count": 4,
-        "skills": [
-          "age-gates-child-safety",
-          "ai-attack-surface",
-          "identity-assurance",
-          "sector-financial"
-        ]
       }
     ],
     "atlas_refs": [
@@ -2476,10 +2513,10 @@
   "orphan_adjacent": {
     "cwe_refs": [
       "CWE-20",
-      "CWE-284",
       "CWE-327",
       "CWE-400",
       "CWE-611",
+      "CWE-778",
       "CWE-93"
     ],
     "d3fend_refs": [
@@ -2506,6 +2543,7 @@
       "FCC-Cyber-Incident-Notification-2024",
       "FedRAMP-IL5-IAM-Federated",
       "GSMA-NESAS-Deployment",
+      "ISO-27001-2022-A.8.15",
       "ISO-27001-2022-A.8.21",
       "ISO-27017-Cloud-IAM",
       "ITU-T-X.805",
@@ -2535,6 +2573,7 @@
       "AML.T0040"
     ],
     "attack_refs": [
+      "T1070",
       "T1071.003",
       "T1071.004",
       "T1098",
@@ -2550,6 +2589,8 @@
       "T1552",
       "T1552.005",
       "T1556.007",
+      "T1562.008",
+      "T1565.001",
       "T1566.001",
       "T1566.002",
       "T1566.003",
@@ -2691,7 +2732,6 @@
       "CWE-770",
       "CWE-772",
       "CWE-776",
-      "CWE-778",
       "CWE-779",
       "CWE-807",
       "CWE-822",
@@ -3371,7 +3411,6 @@
       "ISO-27001-2022-A.7.1",
       "ISO-27001-2022-A.7.10",
       "ISO-27001-2022-A.8.13",
-      "ISO-27001-2022-A.8.15",
       "ISO-27001-2022-A.8.22",
       "ISO-27001-2022-A.8.24",
       "ISO-27001-2022-A.8.7",

package/data/_indexes/handoff-dag.json

@@ -6,6 +6,7 @@
     "ai-risk-management",
     "api-security",
     "attack-surface-pentest",
+    "audit-log-integrity",
     "cloud-iam-incident",
     "cloud-security",
     "compliance-theater",
@@ -519,7 +520,8 @@
     ],
     "vc-wallet-trust": [],
     "mail-server-hardening": [],
-    "network-trust": []
+    "network-trust": [],
+    "audit-log-integrity": []
   },
   "in_degree": {
     "age-gates-child-safety": 1,
@@ -528,6 +530,7 @@
     "ai-risk-management": 5,
     "api-security": 4,
     "attack-surface-pentest": 13,
+    "audit-log-integrity": 0,
     "cloud-iam-incident": 2,
     "cloud-security": 5,
     "compliance-theater": 30,
@@ -575,6 +578,7 @@
     "ai-risk-management": 13,
     "api-security": 7,
     "attack-surface-pentest": 4,
+    "audit-log-integrity": 0,
     "cloud-iam-incident": 14,
     "cloud-security": 17,
     "compliance-theater": 12,

package/data/_indexes/jurisdiction-map.json

@@ -7,6 +7,7 @@
       "ai-risk-management",
       "api-security",
       "attack-surface-pentest",
+      "audit-log-integrity",
       "cloud-iam-incident",
       "cloud-security",
       "compliance-theater",
@@ -48,7 +49,7 @@
       "zeroday-gap-learn"
     ],
     "example_excerpts": {},
-    "skill_count": 45
+    "skill_count": 46
   },
   "UK": {
     "skills": [

package/data/_indexes/section-offsets.json

@@ -4552,6 +4552,91 @@
           "h3_count": 0
         }
       ]
+    },
+    "audit-log-integrity": {
+      "path": "skills/audit-log-integrity/skill.md",
+      "total_bytes": 7667,
+      "total_lines": 81,
+      "frontmatter": {
+        "line_start": 1,
+        "line_end": 46,
+        "byte_start": 0,
+        "byte_end": 1119
+      },
+      "sections": [
+        {
+          "name": "Threat Context (mid-2026)",
+          "normalized_name": "threat-context",
+          "line": 50,
+          "byte_start": 1178,
+          "byte_end": 2016,
+          "bytes": 838,
+          "h3_count": 0
+        },
+        {
+          "name": "Framework Lag Declaration",
+          "normalized_name": "framework-lag-declaration",
+          "line": 54,
+          "byte_start": 2016,
+          "byte_end": 2812,
+          "bytes": 796,
+          "h3_count": 0
+        },
+        {
+          "name": "TTP Mapping",
+          "normalized_name": "ttp-mapping",
+          "line": 58,
+          "byte_start": 2812,
+          "byte_end": 3633,
+          "bytes": 821,
+          "h3_count": 0
+        },
+        {
+          "name": "Exploit Availability Matrix",
+          "normalized_name": "exploit-availability-matrix",
+          "line": 62,
+          "byte_start": 3633,
+          "byte_end": 4338,
+          "bytes": 705,
+          "h3_count": 0
+        },
+        {
+          "name": "Analysis Procedure",
+          "normalized_name": "analysis-procedure",
+          "line": 66,
+          "byte_start": 4338,
+          "byte_end": 5219,
+          "bytes": 881,
+          "h3_count": 0
+        },
+        {
+          "name": "Output Format",
+          "normalized_name": "output-format",
+          "line": 70,
+          "byte_start": 5219,
+          "byte_end": 6137,
+          "bytes": 918,
+          "h3_count": 0
+        },
+        {
+          "name": "Compliance Theater Check",
+          "normalized_name": "compliance-theater-check",
+          "line": 74,
+          "byte_start": 6137,
+          "byte_end": 6819,
+          "bytes": 682,
+          "h3_count": 0
+        },
+        {
+          "name": "Defensive Countermeasure Mapping",
+          "normalized_name": "defensive-countermeasure-mapping",
+          "line": 78,
+          "byte_start": 6819,
+          "byte_end": 7667,
+          "bytes": 848,
+          "h3_count": 0
+        }
+      ]
     }
   }
 }

package/data/_indexes/stale-content.json

@@ -15,7 +15,7 @@
       "severity": "medium",
       "category": "researcher_claim_drift",
       "artifact": "skills/researcher/skill.md",
-      "detail": "claims 41 specialized skills downstream; live count is 44"
+      "detail": "claims 41 specialized skills downstream; live count is 45"
     }
   ]
 }

package/data/_indexes/summary-cards.json

@@ -2101,6 +2101,44 @@
       "last_threat_review": "2026-06-02",
       "path": "skills/network-trust/skill.md",
       "handoff_targets": []
+    },
+    "audit-log-integrity": {
+      "description": "Audit-log integrity for mid-2026 — tamper-evident hash-chaining, off-host signing, compliance-mode WORM immutability, legal-hold-vs-retention enforcement, writer/custodian separation, and deception (honeytoken) coverage that resist the privileged attacker most likely to tamper with the trail",
+      "threat_context_excerpt": "An audit trail is a security control only if it survives the attacker who wants it gone. Anti-forensic tampering (T1070 indicator removal) and stored-data manipulation (T1565.001) target precisely the log that would expose an intrusion, and the most capable adversary is a compromised privileged or insider identity. Logging volume is not integrity: a complete log that a sufficiently privileged credential can rewrite, re-chain, or delete is not a trail. The integrity properties that resist this are a hash chain actually verified on read, entries signed with a key held off the log-writing host, ...",
+      "produces": "Report per integrity property (chain verification, signing, WORM mode, legal-hold gate, writer/custodian separation, deception), marking each enforced / missing / inconclusive (visibility gap). For every missing property, state whether a single compromised privileged or application identity could rewrite or delete the system-of-record trail undetected, and whether any external anchor or honeytoken would catch it. Distinguish a control enforced externally (external WORM/notary, KMS-held key) from an absent one. Provide the prioritised remediation (verify chain + sign off-host, compliance-WORM + ...",
+      "key_xrefs": {
+        "cwe_refs": [
+          "CWE-345",
+          "CWE-347",
+          "CWE-284",
+          "CWE-778"
+        ],
+        "d3fend_refs": [],
+        "framework_gaps": [
+          "NIST-800-53-SI-2",
+          "ISO-27001-2022-A.8.15",
+          "NIS2-Art21-network-security",
+          "SOC2-CC7-anomaly-detection"
+        ],
+        "atlas_refs": [],
+        "attack_refs": [
+          "T1070",
+          "T1565.001",
+          "T1562.008"
+        ],
+        "rfc_refs": [],
+        "dlp_refs": []
+      },
+      "trigger_count": 16,
+      "atlas_count": 0,
+      "attack_count": 3,
+      "framework_gap_count": 4,
+      "cwe_count": 4,
+      "d3fend_count": 0,
+      "rfc_count": 0,
+      "last_threat_review": "2026-06-02",
+      "path": "skills/audit-log-integrity/skill.md",
+      "handoff_targets": []
     }
   }
 }

package/data/_indexes/token-budget.json

@@ -3,9 +3,9 @@
     "schema_version": "1.0.0",
     "tokenizer_note": "Character-density approximation: 1 token ≈ 4 chars. This is the canonical rule-of-thumb for OpenAI tokenizers on English+technical text. Claude's tokenizer is typically more efficient on prose; treat this as an upper-bound budget for both. Consumers with stricter precision needs should re-tokenize with their own tokenizer.",
     "approx_chars_per_token": 4,
-    "total_chars": 1697609,
-    "total_approx_tokens": 424405,
-    "skill_count": 45
+    "total_chars": 1705264,
+    "total_approx_tokens": 426319,
+    "skill_count": 46
   },
   "skills": {
     "kernel-lpe-triage": {
@@ -2652,6 +2652,56 @@
           "approx_tokens": 204
         }
       }
+    },
+    "audit-log-integrity": {
+      "path": "skills/audit-log-integrity/skill.md",
+      "bytes": 7667,
+      "chars": 7655,
+      "lines": 81,
+      "approx_tokens": 1914,
+      "approx_chars_per_token": 4,
+      "sections": {
+        "threat-context": {
+          "bytes": 838,
+          "chars": 838,
+          "approx_tokens": 210
+        },
+        "framework-lag-declaration": {
+          "bytes": 796,
+          "chars": 794,
+          "approx_tokens": 199
+        },
+        "ttp-mapping": {
+          "bytes": 821,
+          "chars": 813,
+          "approx_tokens": 203
+        },
+        "exploit-availability-matrix": {
+          "bytes": 705,
+          "chars": 705,
+          "approx_tokens": 176
+        },
+        "analysis-procedure": {
+          "bytes": 881,
+          "chars": 881,
+          "approx_tokens": 220
+        },
+        "output-format": {
+          "bytes": 918,
+          "chars": 918,
+          "approx_tokens": 230
+        },
+        "compliance-theater-check": {
+          "bytes": 682,
+          "chars": 682,
+          "approx_tokens": 171
+        },
+        "defensive-countermeasure-mapping": {
+          "bytes": 848,
+          "chars": 848,
+          "approx_tokens": 212
+        }
+      }
     }
   }
 }

package/data/_indexes/trigger-table.json

@@ -1785,5 +1785,53 @@
   ],
   "name resolution trust": [
     "network-trust"
+  ],
+  "audit log integrity": [
+    "audit-log-integrity"
+  ],
+  "tamper evident logging": [
+    "audit-log-integrity"
+  ],
+  "hash chain": [
+    "audit-log-integrity"
+  ],
+  "worm": [
+    "audit-log-integrity"
+  ],
+  "object lock": [
+    "audit-log-integrity"
+  ],
+  "immutable storage": [
+    "audit-log-integrity"
+  ],
+  "legal hold": [
+    "audit-log-integrity"
+  ],
+  "retention": [
+    "audit-log-integrity"
+  ],
+  "honeytoken": [
+    "audit-log-integrity"
+  ],
+  "canary token": [
+    "audit-log-integrity"
+  ],
+  "break glass": [
+    "audit-log-integrity"
+  ],
+  "dual control": [
+    "audit-log-integrity"
+  ],
+  "anti forensics": [
+    "audit-log-integrity"
+  ],
+  "log deletion": [
+    "audit-log-integrity"
+  ],
+  "separation of duties": [
+    "audit-log-integrity"
+  ],
+  "audit trail": [
+    "audit-log-integrity"
   ]
 }

package/data/_indexes/xref.json

@@ -47,6 +47,7 @@
       "webapp-security"
     ],
     "CWE-345": [
+      "audit-log-integrity",
       "idp-incident-response",
       "mcp-agent-trust",
       "network-trust"
@@ -214,9 +215,11 @@
       "idp-incident-response"
     ],
     "CWE-284": [
+      "audit-log-integrity",
       "idp-incident-response"
     ],
     "CWE-347": [
+      "audit-log-integrity",
       "network-trust",
       "vc-wallet-trust"
     ],
@@ -232,6 +235,9 @@
     ],
     "CWE-400": [
       "mail-server-hardening"
+    ],
+    "CWE-778": [
+      "audit-log-integrity"
     ]
   },
   "d3fend_refs": {
@@ -354,6 +360,7 @@
   },
   "framework_gaps": {
     "NIST-800-53-SI-2": [
+      "audit-log-integrity",
       "kernel-lpe-triage",
       "mail-server-hardening"
     ],
@@ -500,6 +507,7 @@
     ],
     "SOC2-CC7-anomaly-detection": [
       "ai-c2-detection",
+      "audit-log-integrity",
       "dlp-gap-analysis",
       "email-security-anti-phishing",
       "incident-response-playbook"
@@ -682,6 +690,7 @@
       "vc-wallet-trust"
     ],
     "NIS2-Art21-network-security": [
+      "audit-log-integrity",
       "mail-server-hardening",
       "network-trust"
     ],
@@ -690,6 +699,9 @@
     ],
     "UK-CAF-B4": [
       "network-trust"
+    ],
+    "ISO-27001-2022-A.8.15": [
+      "audit-log-integrity"
     ]
   },
   "atlas_refs": {
@@ -955,6 +967,15 @@
     ],
     "T1071.004": [
       "network-trust"
+    ],
+    "T1070": [
+      "audit-log-integrity"
+    ],
+    "T1565.001": [
+      "audit-log-integrity"
+    ],
+    "T1562.008": [
+      "audit-log-integrity"
     ]
   },
   "rfc_refs": {

package/data/cwe-catalog.json

@@ -673,6 +673,7 @@
       "CAPEC-19"
     ],
     "skills_referencing": [
+      "audit-log-integrity",
       "idp-incident-response"
     ],
     "evidence_cves": [
@@ -1069,6 +1070,7 @@
       "CAPEC-148"
     ],
     "skills_referencing": [
+      "audit-log-integrity",
       "idp-incident-response",
       "mcp-agent-trust",
       "network-trust"
@@ -2575,6 +2577,7 @@
     "last_verified": "2026-05-18",
     "notes": "Added v0.13.17 KEV bulk-import.",
     "skills_referencing": [
+      "audit-log-integrity",
       "network-trust",
       "vc-wallet-trust"
     ]
@@ -3822,7 +3825,10 @@
     "last_verified": "2026-05-19",
     "notes": "Bulk-imported v0.13.18 from the canonical MITRE Top 25 + commonly-referenced-class expansion.",
     "_auto_imported": true,
-    "_intake_method": "v0.13.18-bulk-mitre-cwe-curated"
+    "_intake_method": "v0.13.18-bulk-mitre-cwe-curated",
+    "skills_referencing": [
+      "audit-log-integrity"
+    ]
   },
   "CWE-779": {
     "id": "CWE-779",