@blamejs/exceptd-skills 0.16.16 → 0.16.18

package/AGENTS.md

@@ -156,7 +156,7 @@ Cross-cutting playbook `framework` is the natural correlation layer — many pla
 
 | Verb | What it does |
 |---|---|
-| `exceptd brief --all` | Grouped-by-scope summary of all 30 playbooks. `--scope <type>` filters. `--directives` expands directive IDs/titles per playbook. `--flat` for non-grouped. `exceptd plan` was removed in v0.13.0; invoking it returns a structured `ok:false` refusal pointing at this command. |
+| `exceptd brief --all` | Grouped-by-scope summary of all 32 playbooks. `--scope <type>` filters. `--directives` expands directive IDs/titles per playbook. `--flat` for non-grouped. `exceptd plan` was removed in v0.13.0; invoking it returns a structured `ok:false` refusal pointing at this command. |
 | `exceptd brief <pb>` | Phase 2 threat-context briefing — threat context, RWEP thresholds, skill chain, token budget, jurisdiction obligations. |
 | `exceptd run <pb> --evidence <file>` | Phases 5-7 (analyze + validate + close) from agent evidence. Auto-detect cwd when no playbook positional. `--vex <file>` drops CycloneDX/OpenVEX `not_affected` CVEs. `--diff-from-latest` for drift mode. `--force-stale` overrides currency hard-block. |
 | `exceptd ai-run <pb>` | Streaming variant of `run` for AI agents; emits phase-by-phase NDJSON. |
@@ -456,6 +456,8 @@ When in doubt, ship the playbook without a collector and open the gap as a follo
 | audit log integrity, tamper evident logging, hash chain, worm, object lock, legal hold, honeytoken, break glass, dual control, anti forensics, separation of duties | audit-log-integrity |
 | self update, auto update, update integrity, anti rollback, downgrade attack, key pinning, subresource integrity, sri, c2pa, scitt, transparency log, update channel | self-update-integrity |
 | multitenancy isolation, cross tenant, tenant isolation, row level security, rls, bola, idor, noisy neighbour, rapid reset, per tenant quota, circuit breaker, denial of service | multitenancy-isolation |
+| decompression bomb, zip bomb, zip slip, redos, catastrophic backtracking, billion laughs, xml entity expansion, parser dos, amplification attack, nested archive, recursion depth | decompression-dos |
+| log injection, crlf injection, log forging, telemetry integrity, secrets in logs, metrics endpoint exposure, otlp exporter, webhook sink, exporter ssrf, observability security | log-injection-telemetry |
 | ot security, ics security, scada, plc, iec 62443, nist 800-82, nerc cip | ot-ics-security |
 | cvd, vdp, bug bounty, iso 29147, iso 30111, csaf, security.txt | coordinated-vuln-disclosure |
 | threat model, stride, pasta, linddun, kill chain, diamond model, unified kill chain | threat-modeling-methodology |

package/CHANGELOG.md

@@ -1,5 +1,13 @@
 # Changelog
 
+## 0.16.18 — 2026-06-02
+
+New `log-injection-telemetry` playbook and skill audit the integrity and confidentiality of the telemetry pipeline itself, which "we centralize all logs" does not cover: CR/LF log injection that forges or splits entries on every sink except syslog, secrets and PII logged without a redaction pass, unauthenticated `/metrics` and debug endpoints leaking internal state, telemetry exporters shipping to un-inventoried or input-derived destinations (exfiltration), embedded exporter credentials, plaintext or unverified-TLS export, and webhook log sinks usable for SSRF. It maps to ATT&CK T1565.001 / T1530 / T1213 and to NIST 800-53 AU-9 / SI-11, ISO 27001 A.8.15, NIS2 Art.21, UK CAF B4, and AU ISM. CWE-117 (improper output neutralization for logs) is added to the catalog to back it. Run it with `exceptd brief log-injection-telemetry` or `exceptd run log-injection-telemetry`.
+
+## 0.16.17 — 2026-06-02
+
+New `decompression-dos` playbook and skill audit the input-amplification denial-of-service class a single small crafted input can trigger — which input-format validation, a WAF, and autoscaling do not bound: unbounded archive decompression (zip bomb) and nested-archive bombs, Zip Slip path traversal on extraction, XML entity expansion (billion laughs) / XXE, catastrophic-backtracking regular expressions (ReDoS), recursive parsing with no depth limit, and length-field-driven unbounded allocation in binary parsers (ASN.1/DER, CBOR, MIME, protobuf). It maps to ATT&CK T1499 / T1499.001 / T1059 and to NIST 800-53 SI-10 / SC-5, ISO 27001 A.8.26, NIS2 Art.21, UK CAF B4, and AU ISM. Two weaknesses are added to the catalog to back it: CWE-409 (data amplification) and CWE-1333 (inefficient regular-expression complexity). Run it with `exceptd brief decompression-dos` or `exceptd run decompression-dos`.
+
 ## 0.16.16 — 2026-06-02
 
 New `multitenancy-isolation` playbook and skill audit two linked failure classes on shared multitenant infrastructure that "we have authorization" and "the cloud autoscales" do not cover. Isolation: a tenant identifier trusted from a client-controlled field, queries not scoped at the data layer (no row-level security), an RLS policy bypassable by the request connection's role, and cache/pub-sub/queue keys not namespaced by tenant — each a cross-tenant data path from a single authenticated account. Availability: HTTP/2 Rapid Reset (CVE-2023-44487) uncapped, no per-tenant rate/byte quota (noisy-neighbour), unbounded per-request allocation, distributed locks without fencing, and missing circuit breakers. It maps to ATT&CK T1078/T1499/T1499.001/T1530 and to NIST 800-53 AC-3/SC-6, ISO 27001 A.8.31, NIS2 Art.21, UK CAF B4, AU ISM, and SOC 2 CC6. Run it with `exceptd brief multitenancy-isolation` or `exceptd run multitenancy-isolation`.

package/README.md

@@ -14,7 +14,7 @@
 [![CI](https://img.shields.io/github/actions/workflow/status/blamejs/exceptd-skills/ci.yml?branch=main&label=CI)](https://github.com/blamejs/exceptd-skills/actions/workflows/ci.yml)
 [![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/blamejs/exceptd-skills/badge)](https://scorecard.dev/viewer/?uri=github.com/blamejs/exceptd-skills)
 [![License: Apache 2.0](https://img.shields.io/badge/License-Apache_2.0-blue.svg)](https://www.apache.org/licenses/LICENSE-2.0)
-[![Skills](https://img.shields.io/badge/skills-48-d946ef)](#skill-inventory)
+[![Skills](https://img.shields.io/badge/skills-50-d946ef)](#skill-inventory)
 [![ATLAS](https://img.shields.io/badge/MITRE%20ATLAS-v5.6.0-d946ef)](https://atlas.mitre.org)
 [![ATT&CK](https://img.shields.io/badge/MITRE%20ATT%26CK-v19.0-d946ef)](https://attack.mitre.org)
 [![Ed25519-signed](https://img.shields.io/badge/skills-Ed25519--signed-2ea043)](AGENTS.md)
@@ -30,7 +30,7 @@ This platform surfaces what is actually happening right now. Every skill explici
 
 ## Status
 
-Pre-1.0. Latest release lives on [GitHub Releases](https://github.com/blamejs/exceptd-skills/releases) and on npm as [`@blamejs/exceptd-skills`](https://www.npmjs.com/package/@blamejs/exceptd-skills) with signed npm provenance attestation and Ed25519-signed skill bodies. The package ships 48 skills across kernel LPE, MCP supply chain, AI-as-C2, prompt injection, post-quantum crypto, SBOM integrity, identity-incident response, and 35 other AI/security domains, plus 11 intelligence catalogs (CVE / ATLAS / ATT&CK / CWE / D3FEND / DLP / RFC / framework gaps / global frameworks / zero-day lessons / exploit availability) covering 35 jurisdictions; the CVE catalog holds 439 actively-exploited and high-priority entries, each carrying behavioral indicators, an ATT&CK technique mapping, and a defense-chain zero-day lesson. 30 investigation playbooks (kernel, MCP, AI-API, framework, SBOM, runtime, hardening, secrets, cred-stores, containers, crypto, plus `webhook-callback-abuse`, `cicd-pipeline-compromise`, `identity-sso-compromise`, `llm-tool-use-exfil`, `post-quantum-migration`, `ai-discovered-cve-triage`, `supply-chain-recovery`, `citation-hygiene`, `vc-wallet-trust`, `mail-server-hardening`, `network-trust`, `audit-log-integrity`, `self-update-integrity`, `multitenancy-isolation`, and more), a CLI for discovery and investigation built around `discover → brief → run → attest` (each run executes the playbook's seven-phase contract), and a nightly auto-refresh job that pulls KEV / NVD / EPSS / GHSA / OSV / IETF deltas plus 15 primary-source advisory, research-blog, and tech-press feeds (Qualys TRU, Red Hat RHSA, Ubuntu USN, ZDI, kernel.org, oss-security, JFrog, CISA, Microsoft Security Blog, Sysdig, Trail of Bits, Embrace the Red, BleepingComputer security, and The Hacker News) into auto-PRs for editorial review, alongside a silent-regression watcher that flags historical CVEs re-broken without a new identifier.
+Pre-1.0. Latest release lives on [GitHub Releases](https://github.com/blamejs/exceptd-skills/releases) and on npm as [`@blamejs/exceptd-skills`](https://www.npmjs.com/package/@blamejs/exceptd-skills) with signed npm provenance attestation and Ed25519-signed skill bodies. The package ships 50 skills across kernel LPE, MCP supply chain, AI-as-C2, prompt injection, post-quantum crypto, SBOM integrity, identity-incident response, and 35 other AI/security domains, plus 11 intelligence catalogs (CVE / ATLAS / ATT&CK / CWE / D3FEND / DLP / RFC / framework gaps / global frameworks / zero-day lessons / exploit availability) covering 35 jurisdictions; the CVE catalog holds 439 actively-exploited and high-priority entries, each carrying behavioral indicators, an ATT&CK technique mapping, and a defense-chain zero-day lesson. 32 investigation playbooks (kernel, MCP, AI-API, framework, SBOM, runtime, hardening, secrets, cred-stores, containers, crypto, plus `webhook-callback-abuse`, `cicd-pipeline-compromise`, `identity-sso-compromise`, `llm-tool-use-exfil`, `post-quantum-migration`, `ai-discovered-cve-triage`, `supply-chain-recovery`, `citation-hygiene`, `vc-wallet-trust`, `mail-server-hardening`, `network-trust`, `audit-log-integrity`, `self-update-integrity`, `multitenancy-isolation`, `decompression-dos`, `log-injection-telemetry`, and more), a CLI for discovery and investigation built around `discover → brief → run → attest` (each run executes the playbook's seven-phase contract), and a nightly auto-refresh job that pulls KEV / NVD / EPSS / GHSA / OSV / IETF deltas plus 15 primary-source advisory, research-blog, and tech-press feeds (Qualys TRU, Red Hat RHSA, Ubuntu USN, ZDI, kernel.org, oss-security, JFrog, CISA, Microsoft Security Blog, Sysdig, Trail of Bits, Embrace the Red, BleepingComputer security, and The Hacker News) into auto-PRs for editorial review, alongside a silent-regression watcher that flags historical CVEs re-broken without a new identifier.
 
 ---
 
@@ -144,7 +144,7 @@ exceptd help
 First run — verify the signing chain and pin the public-key fingerprint for out-of-band checks:
 
 ```bash
-exceptd doctor --signatures            # verify Ed25519 chains (48/48 expected)
+exceptd doctor --signatures            # verify Ed25519 chains (50/50 expected)
 cat $(exceptd path)/keys/EXPECTED_FINGERPRINT   # pin fingerprint for OOB verify
 ```
 
@@ -162,7 +162,7 @@ GitHub repo-pattern monitoring: `exceptd watchlist --org-scan --org <login>` pro
 
 AI-assistant config-file audit: `exceptd doctor --ai-config` walks `~/.claude`, `~/.cursor`, `~/.codeium`, `~/.aider`, and `~/.continue`, flagging sensitive files (`settings.json`, `mcp.json`, `*.mcp_config.json`, `api_key*`, `*.token`, `*.credentials`) not at mode 0600 on POSIX. On Windows the mode bits aren't load-bearing; each finding is surfaced with an info-level "manual ACL review" note. Catches the AI-config-credential-exfil class that the Shai-Hulud framework targets. Opt-in — does not run as part of the default no-flag `doctor` pass.
 
-Evidence-collection layer: `exceptd collect <playbook>` invokes a companion script under `lib/collectors/<playbook>.js` that walks cwd, applies the catalogued regex set, stats permissions, and emits the submission JSON in the same shape `exceptd run --evidence -` accepts. 14 of 30 playbooks have collectors today (`ai-api`, `cicd-pipeline-compromise`, `citation-hygiene`, `containers`, `cred-stores`, `crypto`, `crypto-codebase`, `hardening`, `kernel`, `library-author`, `mcp`, `runtime`, `sbom`, `secrets`); the remaining 16 are policy-skipped per AGENTS.md (judgement-shaped incident / governance / pure-analyze playbooks where AI-driven evidence collection is the design). Canonical operator pipe: `exceptd collect <pb> | exceptd run <pb> --evidence -`. `exceptd doctor --collectors` enumerates the layer; `exceptd discover` tags applicable playbooks with `[collector]` when one ships. `cicd-pipeline-compromise` requires `--attest-ownership` on the collect call (the playbook's `operator-owns-ci-fleet` precondition is opt-in to prevent unauthorized CI assessments).
+Evidence-collection layer: `exceptd collect <playbook>` invokes a companion script under `lib/collectors/<playbook>.js` that walks cwd, applies the catalogued regex set, stats permissions, and emits the submission JSON in the same shape `exceptd run --evidence -` accepts. 14 of 32 playbooks have collectors today (`ai-api`, `cicd-pipeline-compromise`, `citation-hygiene`, `containers`, `cred-stores`, `crypto`, `crypto-codebase`, `hardening`, `kernel`, `library-author`, `mcp`, `runtime`, `sbom`, `secrets`); the remaining 18 are policy-skipped per AGENTS.md (judgement-shaped incident / governance / pure-analyze playbooks where AI-driven evidence collection is the design). Canonical operator pipe: `exceptd collect <pb> | exceptd run <pb> --evidence -`. `exceptd doctor --collectors` enumerates the layer; `exceptd discover` tags applicable playbooks with `[collector]` when one ships. `cicd-pipeline-compromise` requires `--attest-ownership` on the collect call (the playbook's `operator-owns-ci-fleet` precondition is opt-in to prevent unauthorized CI assessments).
 
 Daily scheduled threat intake: a `routine: exceptd-threat-intake` (claude.ai remote agent) runs daily at 14:00 UTC. Sequence: `npm install` → `refresh --check-advisories` → `watchlist --alerts` → `refresh --apply` → `refresh --advisory <CVE-ID>` for up to 5 new CVE IDs from the primary-source feeds → re-sign + rebuild-indexes if the catalog mutated → commit on `intake/<YYYY-MM-DD>` branch with the full diff in the report. Closes the cadence gap that previously left fresh disclosures dependent on operator-triggered intake. Operator-managed at <https://claude.ai/code/routines>.
 
@@ -281,7 +281,7 @@ exceptd collect <playbook>            Walk cwd + invoke the companion collector
                                       under lib/collectors/<playbook>.js. Emits
                                       a submission JSON ready to pipe into
                                       `exceptd run <playbook> --evidence -`.
-                                      14/30 playbooks have collectors; the rest
+                                      14/32 playbooks have collectors; the rest
                                       are AI-driven by design (incident /
                                       governance / pure-analyze — see
                                       AGENTS.md).

package/bin/exceptd.js

@@ -3119,10 +3119,12 @@ function refuseNoDirectives(verb, playbookId, pretty) {
 const POLICY_SKIPPED_PLAYBOOKS = new Set([
   "ai-discovered-cve-triage",
   "audit-log-integrity",
+  "decompression-dos",
   "cloud-iam-incident",
   "idp-incident",
   "identity-sso-compromise",
   "llm-tool-use-exfil",
+  "log-injection-telemetry",
   "mail-server-hardening",
   "multitenancy-isolation",
   "network-trust",
@@ -7069,6 +7071,7 @@ function cmdDoctor(runner, args, runOpts, pretty) {
         "post-quantum-migration", "webhook-callback-abuse",
         "vc-wallet-trust", "mail-server-hardening", "network-trust",
         "audit-log-integrity", "self-update-integrity", "multitenancy-isolation",
+        "decompression-dos", "log-injection-telemetry",
       ];
       const playbookFiles = fs.readdirSync(playbookDir)
         .filter(f => f.endsWith(".json") && !f.startsWith("_"))

package/data/_indexes/_meta.json

@@ -1,14 +1,14 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-06-02T18:38:28.884Z",
+  "generated_at": "2026-06-02T19:37:59.782Z",
   "generator": "scripts/build-indexes.js",
-  "source_count": 60,
+  "source_count": 62,
   "source_hashes": {
-    "manifest.json": "9156c60052b185a8d265bbb53d586ed6be9b1387b2aa2cdb77186bed997d5fbd",
+    "manifest.json": "2833faf5965d078166553874a1bf42b944e2ff4d1738eddf50806eaba56e1eb7",
     "data/atlas-ttps.json": "f66b456cf82a3c20575d8479de41f7b11b7ee5693eb1fcf64a67e162ae1b88a2",
     "data/attack-techniques.json": "c39f28e3402ef13ad9b7076819f63fda67a22f97e3e375cfe01c4a4e0beff7c9",
     "data/cve-catalog.json": "8264da4534d39c9493cfcd18acf7e38ed47ce2a81be15afd5a3f4baf1d504929",
-    "data/cwe-catalog.json": "11e035b62bf760eb7ea5e408b7364f737f3b3510612d6a65948c8d8ab1085587",
+    "data/cwe-catalog.json": "62d9e55c9f887047fd2781ba2e81ad98e3a08ab51e173d0cd3262aee3d5eb940",
     "data/d3fend-catalog.json": "9a54bccb9f24f84b32024216cc3f53819a053721ac8ab43c326859e68fc0ffaf",
     "data/dlp-controls.json": "d2406c482dddd30e49203879999dc4b3a7fd4d0494d6a61d86b91ee76415df19",
     "data/exploit-availability.json": "ec2656f0d9a893610e27b43eb6035fe9b18e057c9f6dfaac7e7d4959bbcbb795",
@@ -63,13 +63,15 @@
     "skills/network-trust/skill.md": "d1c2fd6ce0bd74e508a41a61c8618cc5c979eaea2702ca97003ce46ba8c9dfa8",
     "skills/audit-log-integrity/skill.md": "72485e8df55dea8df80b675f04f32de2d32b8ee17d5e0aa96e61cd9bcb831193",
     "skills/self-update-integrity/skill.md": "305d4841d7434e18812be4b8646eb7a4f7f4416e3646aad3b6e7152d16f0c8af",
-    "skills/multitenancy-isolation/skill.md": "60d7db9cbac49b307c7062a3b27a3cef8aab8cc774176c428075981fbc18758f"
+    "skills/multitenancy-isolation/skill.md": "60d7db9cbac49b307c7062a3b27a3cef8aab8cc774176c428075981fbc18758f",
+    "skills/decompression-dos/skill.md": "53fd0a90ccc0e7ac6056e9c9fd40f3ab3342d30739399079b5e644eef6405d88",
+    "skills/log-injection-telemetry/skill.md": "69c4e65c6f78703b923c2455a5ecf5a6d79fcc28d56fff57acb2605639231104"
   },
-  "skill_count": 48,
+  "skill_count": 50,
   "catalog_count": 11,
   "index_stats": {
     "xref_entries": {
-      "cwe_refs": 46,
+      "cwe_refs": 52,
       "d3fend_refs": 21,
       "framework_gaps": 87,
       "atlas_refs": 10,
@@ -77,21 +79,21 @@
       "rfc_refs": 23,
       "dlp_refs": 0
     },
-    "trigger_table_entries": 639,
+    "trigger_table_entries": 669,
     "chains_cve_entries": 426,
-    "chains_cwe_entries": 174,
+    "chains_cwe_entries": 177,
     "jurisdictions_indexed": 29,
-    "handoff_dag_nodes": 48,
-    "summary_cards": 48,
-    "section_offsets_skills": 48,
-    "token_budget_total_approx": 430165,
+    "handoff_dag_nodes": 50,
+    "summary_cards": 50,
+    "section_offsets_skills": 50,
+    "token_budget_total_approx": 434018,
     "recipes": 8,
     "jurisdiction_clocks": 29,
     "did_ladders": 8,
     "theater_fingerprints": 7,
     "currency_action_required": 0,
     "frequency_fields": 7,
-    "activity_feed_events": 60,
+    "activity_feed_events": 62,
     "catalog_summaries": 11,
     "stale_content_findings": 1
   },

package/data/_indexes/activity-feed.json

@@ -2,7 +2,7 @@
   "_meta": {
     "schema_version": "1.0.0",
     "note": "Per-artifact 'last changed' feed sorted descending by date. Skill events from manifest.last_threat_review; catalog events from data/<catalog>.json _meta.last_updated.",
-    "event_count": 60
+    "event_count": 62
   },
   "events": [
     {
@@ -47,6 +47,20 @@
       "path": "skills/multitenancy-isolation/skill.md",
       "note": "Application multitenancy isolation and availability/DoS resilience for mid-2026 — principal-bound tenant identity, data-layer row-level-security under a non-bypass role, cross-tenant cache/queue namespacing, per-tenant rate/byte quotas, HTTP/2 Rapid Reset caps, bounded allocation, distributed-lock fencing, and circuit breakers"
     },
+    {
+      "date": "2026-06-02",
+      "type": "skill_review",
+      "artifact": "decompression-dos",
+      "path": "skills/decompression-dos/skill.md",
+      "note": "Decompression-bomb, parser-DoS, and ReDoS resistance for mid-2026 — decompression size/ratio caps, Zip Slip path confinement, XML entity-expansion disabling, linear-time regex on untrusted input, parse-depth limits, and length-field allocation bounds against single-input amplification denial of service"
+    },
+    {
+      "date": "2026-06-02",
+      "type": "skill_review",
+      "artifact": "log-injection-telemetry",
+      "path": "skills/log-injection-telemetry/skill.md",
+      "note": "Telemetry-pipeline integrity for mid-2026 — CR/LF log-injection neutralization across every sink, secret/PII redaction before shipping, authenticated metrics endpoints, and exporter destination allowlisting, secret-store credentials, verified TLS, and webhook SSRF guarding"
+    },
     {
       "date": "2026-06-01",
       "type": "catalog_update",
@@ -61,7 +75,7 @@
       "artifact": "data/cwe-catalog.json",
       "path": "data/cwe-catalog.json",
       "schema_version": "1.0.0",
-      "entry_count": 174
+      "entry_count": 177
     },
     {
       "date": "2026-06-01",
@@ -314,7 +328,7 @@
       "type": "manifest_review",
       "artifact": "manifest.json",
       "path": "manifest.json",
-      "note": "manifest threat_review_date — 48 skills, 11 catalogs"
+      "note": "manifest threat_review_date — 50 skills, 11 catalogs"
     },
     {
       "date": "2026-05-11",

package/data/_indexes/catalog-summaries.json

@@ -84,7 +84,7 @@
         "rebuild_after_days": 365,
         "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
       },
-      "entry_count": 174,
+      "entry_count": 177,
       "sample_keys": [
         "CWE-20",
         "CWE-22",