@blamejs/exceptd-skills 0.16.13 → 0.16.15

package/data/_indexes/summary-cards.json

@@ -2101,6 +2101,81 @@
       "last_threat_review": "2026-06-02",
       "path": "skills/network-trust/skill.md",
       "handoff_targets": []
+    },
+    "audit-log-integrity": {
+      "description": "Audit-log integrity for mid-2026 — tamper-evident hash-chaining, off-host signing, compliance-mode WORM immutability, legal-hold-vs-retention enforcement, writer/custodian separation, and deception (honeytoken) coverage that resist the privileged attacker most likely to tamper with the trail",
+      "threat_context_excerpt": "An audit trail is a security control only if it survives the attacker who wants it gone. Anti-forensic tampering (T1070 indicator removal) and stored-data manipulation (T1565.001) target precisely the log that would expose an intrusion, and the most capable adversary is a compromised privileged or insider identity. Logging volume is not integrity: a complete log that a sufficiently privileged credential can rewrite, re-chain, or delete is not a trail. The integrity properties that resist this are a hash chain actually verified on read, entries signed with a key held off the log-writing host, ...",
+      "produces": "Report per integrity property (chain verification, signing, WORM mode, legal-hold gate, writer/custodian separation, deception), marking each enforced / missing / inconclusive (visibility gap). For every missing property, state whether a single compromised privileged or application identity could rewrite or delete the system-of-record trail undetected, and whether any external anchor or honeytoken would catch it. Distinguish a control enforced externally (external WORM/notary, KMS-held key) from an absent one. Provide the prioritised remediation (verify chain + sign off-host, compliance-WORM + ...",
+      "key_xrefs": {
+        "cwe_refs": [
+          "CWE-345",
+          "CWE-347",
+          "CWE-284",
+          "CWE-778"
+        ],
+        "d3fend_refs": [],
+        "framework_gaps": [
+          "NIST-800-53-SI-2",
+          "ISO-27001-2022-A.8.15",
+          "NIS2-Art21-network-security",
+          "SOC2-CC7-anomaly-detection"
+        ],
+        "atlas_refs": [],
+        "attack_refs": [
+          "T1070",
+          "T1565.001",
+          "T1562.008"
+        ],
+        "rfc_refs": [],
+        "dlp_refs": []
+      },
+      "trigger_count": 16,
+      "atlas_count": 0,
+      "attack_count": 3,
+      "framework_gap_count": 4,
+      "cwe_count": 4,
+      "d3fend_count": 0,
+      "rfc_count": 0,
+      "last_threat_review": "2026-06-02",
+      "path": "skills/audit-log-integrity/skill.md",
+      "handoff_targets": []
+    },
+    "self-update-integrity": {
+      "description": "Consumer-side self-update and artifact integrity for mid-2026 — signature-verification-before-apply, out-of-band key pinning, anti-rollback/downgrade protection, channel pinning, Subresource Integrity on browser modules, and C2PA / SCITT-TSA transparency verification on received artifacts",
+      "threat_context_excerpt": "The self-update loop is the highest-privilege code path most products ship: it fetches code and runs it as the application. Publisher-side posture — code signing, SBOM, SLSA attestations — is necessary but useless if the receiving client does not enforce it. The consumer-side failures are an update applied without verifying a signature, a signature verified against a key the update channel itself supplied, a signed-but-older version accepted (downgrade / no anti-rollback) that re-opens a patched CVE, an update fetched over an unauthenticated channel as the sole control, browser modules served ...",
+      "produces": "Report per update path, marking each consumer-side control enforced / missing / inconclusive (visibility gap). For every missing control, state whether a channel compromise would yield arbitrary-code execution and across how much of the installed base. Distinguish a control delegated to a verifying mechanism (OS package manager, gated verifier) from an absent one. Provide the prioritised remediation (verify signature against a pinned key before apply, enforce anti-rollback, pin the channel, enforce SRI on modules, verify provenance/transparency) and the negative validation tests that prove eac ...",
+      "key_xrefs": {
+        "cwe_refs": [
+          "CWE-494",
+          "CWE-829",
+          "CWE-353",
+          "CWE-347"
+        ],
+        "d3fend_refs": [],
+        "framework_gaps": [
+          "NIST-800-53-SR-11",
+          "NIS2-Art21-network-security",
+          "UK-CAF-B4",
+          "AU-ISM-1556"
+        ],
+        "atlas_refs": [],
+        "attack_refs": [
+          "T1195.002",
+          "T1574"
+        ],
+        "rfc_refs": [],
+        "dlp_refs": []
+      },
+      "trigger_count": 16,
+      "atlas_count": 0,
+      "attack_count": 2,
+      "framework_gap_count": 4,
+      "cwe_count": 4,
+      "d3fend_count": 0,
+      "rfc_count": 0,
+      "last_threat_review": "2026-06-02",
+      "path": "skills/self-update-integrity/skill.md",
+      "handoff_targets": []
     }
   }
 }

package/data/_indexes/token-budget.json

@@ -3,9 +3,9 @@
     "schema_version": "1.0.0",
     "tokenizer_note": "Character-density approximation: 1 token ≈ 4 chars. This is the canonical rule-of-thumb for OpenAI tokenizers on English+technical text. Claude's tokenizer is typically more efficient on prose; treat this as an upper-bound budget for both. Consumers with stricter precision needs should re-tokenize with their own tokenizer.",
     "approx_chars_per_token": 4,
-    "total_chars": 1697609,
-    "total_approx_tokens": 424405,
-    "skill_count": 45
+    "total_chars": 1712869,
+    "total_approx_tokens": 428220,
+    "skill_count": 47
   },
   "skills": {
     "kernel-lpe-triage": {
@@ -2652,6 +2652,106 @@
           "approx_tokens": 204
         }
       }
+    },
+    "audit-log-integrity": {
+      "path": "skills/audit-log-integrity/skill.md",
+      "bytes": 7667,
+      "chars": 7655,
+      "lines": 81,
+      "approx_tokens": 1914,
+      "approx_chars_per_token": 4,
+      "sections": {
+        "threat-context": {
+          "bytes": 838,
+          "chars": 838,
+          "approx_tokens": 210
+        },
+        "framework-lag-declaration": {
+          "bytes": 796,
+          "chars": 794,
+          "approx_tokens": 199
+        },
+        "ttp-mapping": {
+          "bytes": 821,
+          "chars": 813,
+          "approx_tokens": 203
+        },
+        "exploit-availability-matrix": {
+          "bytes": 705,
+          "chars": 705,
+          "approx_tokens": 176
+        },
+        "analysis-procedure": {
+          "bytes": 881,
+          "chars": 881,
+          "approx_tokens": 220
+        },
+        "output-format": {
+          "bytes": 918,
+          "chars": 918,
+          "approx_tokens": 230
+        },
+        "compliance-theater-check": {
+          "bytes": 682,
+          "chars": 682,
+          "approx_tokens": 171
+        },
+        "defensive-countermeasure-mapping": {
+          "bytes": 848,
+          "chars": 848,
+          "approx_tokens": 212
+        }
+      }
+    },
+    "self-update-integrity": {
+      "path": "skills/self-update-integrity/skill.md",
+      "bytes": 7619,
+      "chars": 7605,
+      "lines": 80,
+      "approx_tokens": 1901,
+      "approx_chars_per_token": 4,
+      "sections": {
+        "threat-context": {
+          "bytes": 841,
+          "chars": 837,
+          "approx_tokens": 209
+        },
+        "framework-lag-declaration": {
+          "bytes": 835,
+          "chars": 835,
+          "approx_tokens": 209
+        },
+        "ttp-mapping": {
+          "bytes": 736,
+          "chars": 732,
+          "approx_tokens": 183
+        },
+        "exploit-availability-matrix": {
+          "bytes": 716,
+          "chars": 714,
+          "approx_tokens": 179
+        },
+        "analysis-procedure": {
+          "bytes": 962,
+          "chars": 962,
+          "approx_tokens": 241
+        },
+        "output-format": {
+          "bytes": 785,
+          "chars": 785,
+          "approx_tokens": 196
+        },
+        "compliance-theater-check": {
+          "bytes": 698,
+          "chars": 698,
+          "approx_tokens": 175
+        },
+        "defensive-countermeasure-mapping": {
+          "bytes": 886,
+          "chars": 884,
+          "approx_tokens": 221
+        }
+      }
     }
   }
 }

package/data/_indexes/trigger-table.json

@@ -1785,5 +1785,101 @@
   ],
   "name resolution trust": [
     "network-trust"
+  ],
+  "audit log integrity": [
+    "audit-log-integrity"
+  ],
+  "tamper evident logging": [
+    "audit-log-integrity"
+  ],
+  "hash chain": [
+    "audit-log-integrity"
+  ],
+  "worm": [
+    "audit-log-integrity"
+  ],
+  "object lock": [
+    "audit-log-integrity"
+  ],
+  "immutable storage": [
+    "audit-log-integrity"
+  ],
+  "legal hold": [
+    "audit-log-integrity"
+  ],
+  "retention": [
+    "audit-log-integrity"
+  ],
+  "honeytoken": [
+    "audit-log-integrity"
+  ],
+  "canary token": [
+    "audit-log-integrity"
+  ],
+  "break glass": [
+    "audit-log-integrity"
+  ],
+  "dual control": [
+    "audit-log-integrity"
+  ],
+  "anti forensics": [
+    "audit-log-integrity"
+  ],
+  "log deletion": [
+    "audit-log-integrity"
+  ],
+  "separation of duties": [
+    "audit-log-integrity"
+  ],
+  "audit trail": [
+    "audit-log-integrity"
+  ],
+  "self update": [
+    "self-update-integrity"
+  ],
+  "auto update": [
+    "self-update-integrity"
+  ],
+  "update integrity": [
+    "self-update-integrity"
+  ],
+  "anti rollback": [
+    "self-update-integrity"
+  ],
+  "downgrade attack": [
+    "self-update-integrity"
+  ],
+  "code signing verification": [
+    "self-update-integrity"
+  ],
+  "key pinning": [
+    "self-update-integrity"
+  ],
+  "subresource integrity": [
+    "self-update-integrity"
+  ],
+  "sri": [
+    "self-update-integrity"
+  ],
+  "import map integrity": [
+    "self-update-integrity"
+  ],
+  "c2pa": [
+    "self-update-integrity"
+  ],
+  "content credentials": [
+    "self-update-integrity"
+  ],
+  "scitt": [
+    "self-update-integrity"
+  ],
+  "transparency log": [
+    "self-update-integrity"
+  ],
+  "software supply chain consumer": [
+    "self-update-integrity"
+  ],
+  "update channel": [
+    "self-update-integrity"
   ]
 }

package/data/_indexes/xref.json

@@ -47,6 +47,7 @@
       "webapp-security"
     ],
     "CWE-345": [
+      "audit-log-integrity",
       "idp-incident-response",
       "mcp-agent-trust",
       "network-trust"
@@ -65,6 +66,7 @@
     ],
     "CWE-494": [
       "mcp-agent-trust",
+      "self-update-integrity",
       "supply-chain-integrity"
     ],
     "CWE-77": [
@@ -154,6 +156,7 @@
     ],
     "CWE-829": [
       "sector-federal-government",
+      "self-update-integrity",
       "supply-chain-integrity"
     ],
     "CWE-287": [
@@ -214,10 +217,13 @@
       "idp-incident-response"
     ],
     "CWE-284": [
+      "audit-log-integrity",
       "idp-incident-response"
     ],
     "CWE-347": [
+      "audit-log-integrity",
       "network-trust",
+      "self-update-integrity",
       "vc-wallet-trust"
     ],
     "CWE-290": [
@@ -232,6 +238,12 @@
     ],
     "CWE-400": [
       "mail-server-hardening"
+    ],
+    "CWE-778": [
+      "audit-log-integrity"
+    ],
+    "CWE-353": [
+      "self-update-integrity"
     ]
   },
   "d3fend_refs": {
@@ -354,6 +366,7 @@
   },
   "framework_gaps": {
     "NIST-800-53-SI-2": [
+      "audit-log-integrity",
       "kernel-lpe-triage",
       "mail-server-hardening"
     ],
@@ -500,6 +513,7 @@
     ],
     "SOC2-CC7-anomaly-detection": [
       "ai-c2-detection",
+      "audit-log-integrity",
       "dlp-gap-analysis",
       "email-security-anti-phishing",
       "incident-response-playbook"
@@ -598,7 +612,8 @@
       "sector-telecom"
     ],
     "AU-ISM-1556": [
-      "sector-telecom"
+      "sector-telecom",
+      "self-update-integrity"
     ],
     "GSMA-NESAS-Deployment": [
       "sector-telecom"
@@ -682,14 +697,23 @@
       "vc-wallet-trust"
     ],
     "NIS2-Art21-network-security": [
+      "audit-log-integrity",
       "mail-server-hardening",
-      "network-trust"
+      "network-trust",
+      "self-update-integrity"
     ],
     "ISO-27001-2022-A.8.21": [
       "network-trust"
     ],
     "UK-CAF-B4": [
-      "network-trust"
+      "network-trust",
+      "self-update-integrity"
+    ],
+    "ISO-27001-2022-A.8.15": [
+      "audit-log-integrity"
+    ],
+    "NIST-800-53-SR-11": [
+      "self-update-integrity"
     ]
   },
   "atlas_refs": {
@@ -861,6 +885,7 @@
       "incident-response-playbook"
     ],
     "T1195.002": [
+      "self-update-integrity",
       "supply-chain-integrity"
     ],
     "T1554": [
@@ -955,6 +980,18 @@
     ],
     "T1071.004": [
       "network-trust"
+    ],
+    "T1070": [
+      "audit-log-integrity"
+    ],
+    "T1565.001": [
+      "audit-log-integrity"
+    ],
+    "T1562.008": [
+      "audit-log-integrity"
+    ],
+    "T1574": [
+      "self-update-integrity"
     ]
   },
   "rfc_refs": {

package/data/cwe-catalog.json

@@ -673,6 +673,7 @@
       "CAPEC-19"
     ],
     "skills_referencing": [
+      "audit-log-integrity",
       "idp-incident-response"
     ],
     "evidence_cves": [
@@ -1069,6 +1070,7 @@
       "CAPEC-148"
     ],
     "skills_referencing": [
+      "audit-log-integrity",
       "idp-incident-response",
       "mcp-agent-trust",
       "network-trust"
@@ -1139,7 +1141,9 @@
       "CAPEC-75",
       "CAPEC-39"
     ],
-    "skills_referencing": [],
+    "skills_referencing": [
+      "self-update-integrity"
+    ],
     "evidence_cves": [
       "CVE-2026-32202"
     ],
@@ -1322,6 +1326,7 @@
     ],
     "skills_referencing": [
       "mcp-agent-trust",
+      "self-update-integrity",
       "supply-chain-integrity"
     ],
     "evidence_cves": [
@@ -1752,6 +1757,7 @@
     ],
     "skills_referencing": [
       "sector-federal-government",
+      "self-update-integrity",
       "supply-chain-integrity"
     ],
     "evidence_cves": [
@@ -2575,7 +2581,9 @@
     "last_verified": "2026-05-18",
     "notes": "Added v0.13.17 KEV bulk-import.",
     "skills_referencing": [
+      "audit-log-integrity",
       "network-trust",
+      "self-update-integrity",
       "vc-wallet-trust"
     ]
   },
@@ -3822,7 +3830,10 @@
     "last_verified": "2026-05-19",
     "notes": "Bulk-imported v0.13.18 from the canonical MITRE Top 25 + commonly-referenced-class expansion.",
     "_auto_imported": true,
-    "_intake_method": "v0.13.18-bulk-mitre-cwe-curated"
+    "_intake_method": "v0.13.18-bulk-mitre-cwe-curated",
+    "skills_referencing": [
+      "audit-log-integrity"
+    ]
   },
   "CWE-779": {
     "id": "CWE-779",