@blamejs/exceptd-skills 0.16.14 → 0.16.15

package/data/_indexes/currency.json

@@ -6,7 +6,7 @@
     "decay_formula": "100 base; -30/-20/-10/-5 at 180/90/60/30-day thresholds. forward_watch count does NOT affect the score (it's a maintenance signal, not a staleness one). Label thresholds: ≥90 current, ≥70 acceptable, ≥50 stale, <50 critical_stale."
   },
   "summary": {
-    "current": 46,
+    "current": 47,
     "acceptable": 0,
     "stale": 0,
     "critical_stale": 0,
@@ -364,6 +364,15 @@
       "forward_watch_count": 4,
       "action_required": false
     },
+    {
+      "skill": "self-update-integrity",
+      "last_threat_review": "2026-06-02",
+      "days_since_review": -18,
+      "currency_score": 100,
+      "currency_label": "current",
+      "forward_watch_count": 0,
+      "action_required": false
+    },
     {
       "skill": "skill-update-loop",
       "last_threat_review": "2026-05-22",

package/data/_indexes/frequency.json

@@ -115,9 +115,10 @@
         ]
       },
       "CWE-494": {
-        "count": 2,
+        "count": 3,
         "skills": [
           "mcp-agent-trust",
+          "self-update-integrity",
           "supply-chain-integrity"
         ]
       },
@@ -249,9 +250,10 @@
         ]
       },
       "CWE-829": {
-        "count": 2,
+        "count": 3,
         "skills": [
           "sector-federal-government",
+          "self-update-integrity",
           "supply-chain-integrity"
         ]
       },
@@ -341,10 +343,11 @@
         ]
       },
       "CWE-347": {
-        "count": 3,
+        "count": 4,
         "skills": [
           "audit-log-integrity",
           "network-trust",
+          "self-update-integrity",
           "vc-wallet-trust"
         ]
       },
@@ -378,6 +381,12 @@
         "skills": [
           "audit-log-integrity"
         ]
+      },
+      "CWE-353": {
+        "count": 1,
+        "skills": [
+          "self-update-integrity"
+        ]
       }
     },
     "d3fend_refs": {
@@ -971,9 +980,10 @@
         ]
       },
       "AU-ISM-1556": {
-        "count": 1,
+        "count": 2,
         "skills": [
-          "sector-telecom"
+          "sector-telecom",
+          "self-update-integrity"
         ]
       },
       "GSMA-NESAS-Deployment": {
@@ -1136,11 +1146,12 @@
         ]
       },
       "NIS2-Art21-network-security": {
-        "count": 3,
+        "count": 4,
         "skills": [
           "audit-log-integrity",
           "mail-server-hardening",
-          "network-trust"
+          "network-trust",
+          "self-update-integrity"
         ]
       },
       "ISO-27001-2022-A.8.21": {
@@ -1150,9 +1161,10 @@
         ]
       },
       "UK-CAF-B4": {
-        "count": 1,
+        "count": 2,
         "skills": [
-          "network-trust"
+          "network-trust",
+          "self-update-integrity"
         ]
       },
       "ISO-27001-2022-A.8.15": {
@@ -1160,6 +1172,12 @@
         "skills": [
           "audit-log-integrity"
         ]
+      },
+      "NIST-800-53-SR-11": {
+        "count": 1,
+        "skills": [
+          "self-update-integrity"
+        ]
       }
     },
     "atlas_refs": {
@@ -1409,8 +1427,9 @@
         ]
       },
       "T1195.002": {
-        "count": 1,
+        "count": 2,
         "skills": [
+          "self-update-integrity",
           "supply-chain-integrity"
         ]
       },
@@ -1605,6 +1624,12 @@
         "skills": [
           "audit-log-integrity"
         ]
+      },
+      "T1574": {
+        "count": 1,
+        "skills": [
+          "self-update-integrity"
+        ]
       }
     },
     "rfc_refs": {
@@ -2139,23 +2164,23 @@
         ]
       },
       {
-        "id": "NIS2-Art21-patch-management",
+        "id": "NIS2-Art21-network-security",
         "count": 4,
         "skills": [
-          "attack-surface-pentest",
-          "kernel-lpe-triage",
-          "ot-ics-security",
-          "sector-energy"
+          "audit-log-integrity",
+          "mail-server-hardening",
+          "network-trust",
+          "self-update-integrity"
         ]
       },
       {
-        "id": "SLSA-v1.0-Build-L3",
+        "id": "NIS2-Art21-patch-management",
         "count": 4,
         "skills": [
-          "container-runtime-security",
-          "mlops-security",
-          "sector-federal-government",
-          "supply-chain-integrity"
+          "attack-surface-pentest",
+          "kernel-lpe-triage",
+          "ot-ics-security",
+          "sector-energy"
         ]
       }
     ],
@@ -2514,6 +2539,7 @@
     "cwe_refs": [
       "CWE-20",
       "CWE-327",
+      "CWE-353",
       "CWE-400",
       "CWE-611",
       "CWE-778",
@@ -2529,7 +2555,6 @@
       "3GPP-TR-33.926",
       "ALL-MCP-TOOL-TRUST",
       "AU-ISM-1546-Cloud-Service-Account",
-      "AU-ISM-1556",
       "AU-ISM-1559-IdP",
       "AWS-Security-Hub-Coverage-Gap",
       "CISA-Snowflake-AA24-IdP-Cloud",
@@ -2552,6 +2577,7 @@
       "NIS2-Annex-I-Telecom",
       "NIST-800-53-AC-2-Cross-Account",
       "NIST-800-53-SI-12",
+      "NIST-800-53-SR-11",
       "OFAC-SDN-Payment-Block",
       "OFAC-Sanctions-Threat-Actor-Negotiation",
       "OWASP-LLM-Top-10-2025-LLM02",
@@ -2565,7 +2591,6 @@
       "UK-CAF-B2",
       "UK-CAF-B2-Cloud-IAM",
       "UK-CAF-B2-IdP-Tenant",
-      "UK-CAF-B4",
       "UK-CAF-B5",
       "VEX-CSAF-v2.1"
     ],
@@ -2580,7 +2605,6 @@
       "T1102",
       "T1110",
       "T1133",
-      "T1195.002",
       "T1213",
       "T1505",
       "T1538",
@@ -2595,6 +2619,7 @@
       "T1566.002",
       "T1566.003",
       "T1568",
+      "T1574",
       "T1580",
       "T1606",
       "T1606.002",
@@ -2677,7 +2702,6 @@
       "CWE-340",
       "CWE-346",
       "CWE-35",
-      "CWE-353",
       "CWE-367",
       "CWE-377",
       "CWE-384",
@@ -3440,7 +3464,6 @@
       "NIST-800-53-SC-5",
       "NIST-800-53-SI-10",
       "NIST-800-53-SI-4",
-      "NIST-800-53-SR-11",
       "NIST-800-53-SR-3",
       "NIST-AI-RMF-MAP-3.4",
       "NIST-AI-RMF-MEASURE-2.7",

package/data/_indexes/handoff-dag.json

@@ -39,6 +39,7 @@
     "sector-healthcare",
     "sector-telecom",
     "security-maturity-tiers",
+    "self-update-integrity",
     "skill-update-loop",
     "supply-chain-integrity",
     "threat-model-currency",
@@ -521,7 +522,8 @@
     "vc-wallet-trust": [],
     "mail-server-hardening": [],
     "network-trust": [],
-    "audit-log-integrity": []
+    "audit-log-integrity": [],
+    "self-update-integrity": []
   },
   "in_degree": {
     "age-gates-child-safety": 1,
@@ -563,6 +565,7 @@
     "sector-healthcare": 6,
     "sector-telecom": 2,
     "security-maturity-tiers": 1,
+    "self-update-integrity": 0,
     "skill-update-loop": 3,
     "supply-chain-integrity": 17,
     "threat-model-currency": 6,
@@ -611,6 +614,7 @@
     "sector-healthcare": 13,
     "sector-telecom": 0,
     "security-maturity-tiers": 3,
+    "self-update-integrity": 0,
     "skill-update-loop": 21,
     "supply-chain-integrity": 4,
     "threat-model-currency": 5,

package/data/_indexes/jurisdiction-map.json

@@ -40,6 +40,7 @@
       "sector-healthcare",
       "sector-telecom",
       "security-maturity-tiers",
+      "self-update-integrity",
       "skill-update-loop",
       "supply-chain-integrity",
       "threat-model-currency",
@@ -49,7 +50,7 @@
       "zeroday-gap-learn"
     ],
     "example_excerpts": {},
-    "skill_count": 46
+    "skill_count": 47
   },
   "UK": {
     "skills": [
@@ -90,6 +91,7 @@
       "sector-healthcare",
       "sector-telecom",
       "security-maturity-tiers",
+      "self-update-integrity",
       "skill-update-loop",
       "supply-chain-integrity",
       "threat-model-currency",
@@ -99,7 +101,7 @@
       "zeroday-gap-learn"
     ],
     "example_excerpts": {},
-    "skill_count": 44
+    "skill_count": 45
   },
   "AU": {
     "skills": [
@@ -139,6 +141,7 @@
       "sector-healthcare",
       "sector-telecom",
       "security-maturity-tiers",
+      "self-update-integrity",
       "skill-update-loop",
       "supply-chain-integrity",
       "threat-model-currency",
@@ -147,7 +150,7 @@
       "zeroday-gap-learn"
     ],
     "example_excerpts": {},
-    "skill_count": 42
+    "skill_count": 43
   },
   "SG": {
     "skills": [
@@ -247,11 +250,12 @@
       "sector-financial",
       "sector-healthcare",
       "sector-telecom",
+      "self-update-integrity",
       "skill-update-loop",
       "zeroday-gap-learn"
     ],
     "example_excerpts": {},
-    "skill_count": 18
+    "skill_count": 19
   },
   "BR": {
     "skills": [

package/data/_indexes/section-offsets.json

@@ -4637,6 +4637,91 @@
           "h3_count": 0
         }
       ]
+    },
+    "self-update-integrity": {
+      "path": "skills/self-update-integrity/skill.md",
+      "total_bytes": 7619,
+      "total_lines": 80,
+      "frontmatter": {
+        "line_start": 1,
+        "line_end": 45,
+        "byte_start": 0,
+        "byte_end": 1109
+      },
+      "sections": [
+        {
+          "name": "Threat Context (mid-2026)",
+          "normalized_name": "threat-context",
+          "line": 49,
+          "byte_start": 1160,
+          "byte_end": 2001,
+          "bytes": 841,
+          "h3_count": 0
+        },
+        {
+          "name": "Framework Lag Declaration",
+          "normalized_name": "framework-lag-declaration",
+          "line": 53,
+          "byte_start": 2001,
+          "byte_end": 2836,
+          "bytes": 835,
+          "h3_count": 0
+        },
+        {
+          "name": "TTP Mapping",
+          "normalized_name": "ttp-mapping",
+          "line": 57,
+          "byte_start": 2836,
+          "byte_end": 3572,
+          "bytes": 736,
+          "h3_count": 0
+        },
+        {
+          "name": "Exploit Availability Matrix",
+          "normalized_name": "exploit-availability-matrix",
+          "line": 61,
+          "byte_start": 3572,
+          "byte_end": 4288,
+          "bytes": 716,
+          "h3_count": 0
+        },
+        {
+          "name": "Analysis Procedure",
+          "normalized_name": "analysis-procedure",
+          "line": 65,
+          "byte_start": 4288,
+          "byte_end": 5250,
+          "bytes": 962,
+          "h3_count": 0
+        },
+        {
+          "name": "Output Format",
+          "normalized_name": "output-format",
+          "line": 69,
+          "byte_start": 5250,
+          "byte_end": 6035,
+          "bytes": 785,
+          "h3_count": 0
+        },
+        {
+          "name": "Compliance Theater Check",
+          "normalized_name": "compliance-theater-check",
+          "line": 73,
+          "byte_start": 6035,
+          "byte_end": 6733,
+          "bytes": 698,
+          "h3_count": 0
+        },
+        {
+          "name": "Defensive Countermeasure Mapping",
+          "normalized_name": "defensive-countermeasure-mapping",
+          "line": 77,
+          "byte_start": 6733,
+          "byte_end": 7619,
+          "bytes": 886,
+          "h3_count": 0
+        }
+      ]
     }
   }
 }

package/data/_indexes/stale-content.json

@@ -15,7 +15,7 @@
       "severity": "medium",
       "category": "researcher_claim_drift",
       "artifact": "skills/researcher/skill.md",
-      "detail": "claims 41 specialized skills downstream; live count is 45"
+      "detail": "claims 41 specialized skills downstream; live count is 46"
     }
   ]
 }

package/data/_indexes/summary-cards.json

@@ -2139,6 +2139,43 @@
       "last_threat_review": "2026-06-02",
       "path": "skills/audit-log-integrity/skill.md",
       "handoff_targets": []
+    },
+    "self-update-integrity": {
+      "description": "Consumer-side self-update and artifact integrity for mid-2026 — signature-verification-before-apply, out-of-band key pinning, anti-rollback/downgrade protection, channel pinning, Subresource Integrity on browser modules, and C2PA / SCITT-TSA transparency verification on received artifacts",
+      "threat_context_excerpt": "The self-update loop is the highest-privilege code path most products ship: it fetches code and runs it as the application. Publisher-side posture — code signing, SBOM, SLSA attestations — is necessary but useless if the receiving client does not enforce it. The consumer-side failures are an update applied without verifying a signature, a signature verified against a key the update channel itself supplied, a signed-but-older version accepted (downgrade / no anti-rollback) that re-opens a patched CVE, an update fetched over an unauthenticated channel as the sole control, browser modules served ...",
+      "produces": "Report per update path, marking each consumer-side control enforced / missing / inconclusive (visibility gap). For every missing control, state whether a channel compromise would yield arbitrary-code execution and across how much of the installed base. Distinguish a control delegated to a verifying mechanism (OS package manager, gated verifier) from an absent one. Provide the prioritised remediation (verify signature against a pinned key before apply, enforce anti-rollback, pin the channel, enforce SRI on modules, verify provenance/transparency) and the negative validation tests that prove eac ...",
+      "key_xrefs": {
+        "cwe_refs": [
+          "CWE-494",
+          "CWE-829",
+          "CWE-353",
+          "CWE-347"
+        ],
+        "d3fend_refs": [],
+        "framework_gaps": [
+          "NIST-800-53-SR-11",
+          "NIS2-Art21-network-security",
+          "UK-CAF-B4",
+          "AU-ISM-1556"
+        ],
+        "atlas_refs": [],
+        "attack_refs": [
+          "T1195.002",
+          "T1574"
+        ],
+        "rfc_refs": [],
+        "dlp_refs": []
+      },
+      "trigger_count": 16,
+      "atlas_count": 0,
+      "attack_count": 2,
+      "framework_gap_count": 4,
+      "cwe_count": 4,
+      "d3fend_count": 0,
+      "rfc_count": 0,
+      "last_threat_review": "2026-06-02",
+      "path": "skills/self-update-integrity/skill.md",
+      "handoff_targets": []
     }
   }
 }

package/data/_indexes/token-budget.json

@@ -3,9 +3,9 @@
     "schema_version": "1.0.0",
     "tokenizer_note": "Character-density approximation: 1 token ≈ 4 chars. This is the canonical rule-of-thumb for OpenAI tokenizers on English+technical text. Claude's tokenizer is typically more efficient on prose; treat this as an upper-bound budget for both. Consumers with stricter precision needs should re-tokenize with their own tokenizer.",
     "approx_chars_per_token": 4,
-    "total_chars": 1705264,
-    "total_approx_tokens": 426319,
-    "skill_count": 46
+    "total_chars": 1712869,
+    "total_approx_tokens": 428220,
+    "skill_count": 47
   },
   "skills": {
     "kernel-lpe-triage": {
@@ -2702,6 +2702,56 @@
           "approx_tokens": 212
         }
       }
+    },
+    "self-update-integrity": {
+      "path": "skills/self-update-integrity/skill.md",
+      "bytes": 7619,
+      "chars": 7605,
+      "lines": 80,
+      "approx_tokens": 1901,
+      "approx_chars_per_token": 4,
+      "sections": {
+        "threat-context": {
+          "bytes": 841,
+          "chars": 837,
+          "approx_tokens": 209
+        },
+        "framework-lag-declaration": {
+          "bytes": 835,
+          "chars": 835,
+          "approx_tokens": 209
+        },
+        "ttp-mapping": {
+          "bytes": 736,
+          "chars": 732,
+          "approx_tokens": 183
+        },
+        "exploit-availability-matrix": {
+          "bytes": 716,
+          "chars": 714,
+          "approx_tokens": 179
+        },
+        "analysis-procedure": {
+          "bytes": 962,
+          "chars": 962,
+          "approx_tokens": 241
+        },
+        "output-format": {
+          "bytes": 785,
+          "chars": 785,
+          "approx_tokens": 196
+        },
+        "compliance-theater-check": {
+          "bytes": 698,
+          "chars": 698,
+          "approx_tokens": 175
+        },
+        "defensive-countermeasure-mapping": {
+          "bytes": 886,
+          "chars": 884,
+          "approx_tokens": 221
+        }
+      }
     }
   }
 }

package/data/_indexes/trigger-table.json

@@ -1833,5 +1833,53 @@
   ],
   "audit trail": [
     "audit-log-integrity"
+  ],
+  "self update": [
+    "self-update-integrity"
+  ],
+  "auto update": [
+    "self-update-integrity"
+  ],
+  "update integrity": [
+    "self-update-integrity"
+  ],
+  "anti rollback": [
+    "self-update-integrity"
+  ],
+  "downgrade attack": [
+    "self-update-integrity"
+  ],
+  "code signing verification": [
+    "self-update-integrity"
+  ],
+  "key pinning": [
+    "self-update-integrity"
+  ],
+  "subresource integrity": [
+    "self-update-integrity"
+  ],
+  "sri": [
+    "self-update-integrity"
+  ],
+  "import map integrity": [
+    "self-update-integrity"
+  ],
+  "c2pa": [
+    "self-update-integrity"
+  ],
+  "content credentials": [
+    "self-update-integrity"
+  ],
+  "scitt": [
+    "self-update-integrity"
+  ],
+  "transparency log": [
+    "self-update-integrity"
+  ],
+  "software supply chain consumer": [
+    "self-update-integrity"
+  ],
+  "update channel": [
+    "self-update-integrity"
   ]
 }

package/data/_indexes/xref.json

@@ -66,6 +66,7 @@
     ],
     "CWE-494": [
       "mcp-agent-trust",
+      "self-update-integrity",
       "supply-chain-integrity"
     ],
     "CWE-77": [
@@ -155,6 +156,7 @@
     ],
     "CWE-829": [
       "sector-federal-government",
+      "self-update-integrity",
       "supply-chain-integrity"
     ],
     "CWE-287": [
@@ -221,6 +223,7 @@
     "CWE-347": [
       "audit-log-integrity",
       "network-trust",
+      "self-update-integrity",
       "vc-wallet-trust"
     ],
     "CWE-290": [
@@ -238,6 +241,9 @@
     ],
     "CWE-778": [
       "audit-log-integrity"
+    ],
+    "CWE-353": [
+      "self-update-integrity"
     ]
   },
   "d3fend_refs": {
@@ -606,7 +612,8 @@
       "sector-telecom"
     ],
     "AU-ISM-1556": [
-      "sector-telecom"
+      "sector-telecom",
+      "self-update-integrity"
     ],
     "GSMA-NESAS-Deployment": [
       "sector-telecom"
@@ -692,16 +699,21 @@
     "NIS2-Art21-network-security": [
       "audit-log-integrity",
       "mail-server-hardening",
-      "network-trust"
+      "network-trust",
+      "self-update-integrity"
     ],
     "ISO-27001-2022-A.8.21": [
       "network-trust"
     ],
     "UK-CAF-B4": [
-      "network-trust"
+      "network-trust",
+      "self-update-integrity"
     ],
     "ISO-27001-2022-A.8.15": [
       "audit-log-integrity"
+    ],
+    "NIST-800-53-SR-11": [
+      "self-update-integrity"
     ]
   },
   "atlas_refs": {
@@ -873,6 +885,7 @@
       "incident-response-playbook"
     ],
     "T1195.002": [
+      "self-update-integrity",
       "supply-chain-integrity"
     ],
     "T1554": [
@@ -976,6 +989,9 @@
     ],
     "T1562.008": [
       "audit-log-integrity"
+    ],
+    "T1574": [
+      "self-update-integrity"
     ]
   },
   "rfc_refs": {