@blamejs/exceptd-skills 0.16.16 → 0.16.18

package/data/_indexes/section-offsets.json

@@ -4807,6 +4807,176 @@
           "h3_count": 0
         }
       ]
+    },
+    "decompression-dos": {
+      "path": "skills/decompression-dos/skill.md",
+      "total_bytes": 7711,
+      "total_lines": 84,
+      "frontmatter": {
+        "line_start": 1,
+        "line_end": 49,
+        "byte_start": 0,
+        "byte_end": 1186
+      },
+      "sections": [
+        {
+          "name": "Threat Context (mid-2026)",
+          "normalized_name": "threat-context",
+          "line": 53,
+          "byte_start": 1241,
+          "byte_end": 2037,
+          "bytes": 796,
+          "h3_count": 0
+        },
+        {
+          "name": "Framework Lag Declaration",
+          "normalized_name": "framework-lag-declaration",
+          "line": 57,
+          "byte_start": 2037,
+          "byte_end": 2868,
+          "bytes": 831,
+          "h3_count": 0
+        },
+        {
+          "name": "TTP Mapping",
+          "normalized_name": "ttp-mapping",
+          "line": 61,
+          "byte_start": 2868,
+          "byte_end": 3698,
+          "bytes": 830,
+          "h3_count": 0
+        },
+        {
+          "name": "Exploit Availability Matrix",
+          "normalized_name": "exploit-availability-matrix",
+          "line": 65,
+          "byte_start": 3698,
+          "byte_end": 4388,
+          "bytes": 690,
+          "h3_count": 0
+        },
+        {
+          "name": "Analysis Procedure",
+          "normalized_name": "analysis-procedure",
+          "line": 69,
+          "byte_start": 4388,
+          "byte_end": 5310,
+          "bytes": 922,
+          "h3_count": 0
+        },
+        {
+          "name": "Output Format",
+          "normalized_name": "output-format",
+          "line": 73,
+          "byte_start": 5310,
+          "byte_end": 6198,
+          "bytes": 888,
+          "h3_count": 0
+        },
+        {
+          "name": "Compliance Theater Check",
+          "normalized_name": "compliance-theater-check",
+          "line": 77,
+          "byte_start": 6198,
+          "byte_end": 6868,
+          "bytes": 670,
+          "h3_count": 0
+        },
+        {
+          "name": "Defensive Countermeasure Mapping",
+          "normalized_name": "defensive-countermeasure-mapping",
+          "line": 81,
+          "byte_start": 6868,
+          "byte_end": 7711,
+          "bytes": 843,
+          "h3_count": 0
+        }
+      ]
+    },
+    "log-injection-telemetry": {
+      "path": "skills/log-injection-telemetry/skill.md",
+      "total_bytes": 7725,
+      "total_lines": 81,
+      "frontmatter": {
+        "line_start": 1,
+        "line_end": 46,
+        "byte_start": 0,
+        "byte_end": 1119
+      },
+      "sections": [
+        {
+          "name": "Threat Context (mid-2026)",
+          "normalized_name": "threat-context",
+          "line": 50,
+          "byte_start": 1191,
+          "byte_end": 2072,
+          "bytes": 881,
+          "h3_count": 0
+        },
+        {
+          "name": "Framework Lag Declaration",
+          "normalized_name": "framework-lag-declaration",
+          "line": 54,
+          "byte_start": 2072,
+          "byte_end": 2895,
+          "bytes": 823,
+          "h3_count": 0
+        },
+        {
+          "name": "TTP Mapping",
+          "normalized_name": "ttp-mapping",
+          "line": 58,
+          "byte_start": 2895,
+          "byte_end": 3660,
+          "bytes": 765,
+          "h3_count": 0
+        },
+        {
+          "name": "Exploit Availability Matrix",
+          "normalized_name": "exploit-availability-matrix",
+          "line": 62,
+          "byte_start": 3660,
+          "byte_end": 4390,
+          "bytes": 730,
+          "h3_count": 0
+        },
+        {
+          "name": "Analysis Procedure",
+          "normalized_name": "analysis-procedure",
+          "line": 66,
+          "byte_start": 4390,
+          "byte_end": 5301,
+          "bytes": 911,
+          "h3_count": 0
+        },
+        {
+          "name": "Output Format",
+          "normalized_name": "output-format",
+          "line": 70,
+          "byte_start": 5301,
+          "byte_end": 6137,
+          "bytes": 836,
+          "h3_count": 0
+        },
+        {
+          "name": "Compliance Theater Check",
+          "normalized_name": "compliance-theater-check",
+          "line": 74,
+          "byte_start": 6137,
+          "byte_end": 6877,
+          "bytes": 740,
+          "h3_count": 0
+        },
+        {
+          "name": "Defensive Countermeasure Mapping",
+          "normalized_name": "defensive-countermeasure-mapping",
+          "line": 78,
+          "byte_start": 6877,
+          "byte_end": 7725,
+          "bytes": 848,
+          "h3_count": 0
+        }
+      ]
     }
   }
 }

package/data/_indexes/stale-content.json

@@ -15,7 +15,7 @@
       "severity": "medium",
       "category": "researcher_claim_drift",
       "artifact": "skills/researcher/skill.md",
-      "detail": "claims 41 specialized skills downstream; live count is 47"
+      "detail": "claims 41 specialized skills downstream; live count is 49"
     }
   ]
 }

package/data/_indexes/summary-cards.json

@@ -2216,6 +2216,86 @@
       "last_threat_review": "2026-06-02",
       "path": "skills/multitenancy-isolation/skill.md",
       "handoff_targets": []
+    },
+    "decompression-dos": {
+      "description": "Decompression-bomb, parser-DoS, and ReDoS resistance for mid-2026 — decompression size/ratio caps, Zip Slip path confinement, XML entity-expansion disabling, linear-time regex on untrusted input, parse-depth limits, and length-field allocation bounds against single-input amplification denial of service",
+      "threat_context_excerpt": "Amplification denial of service turns a tiny, structurally-valid input into ruinous server work. A 42 KB zip bomb expands to petabytes; a few lines of nested XML entities expand to gigabytes (the billion-laughs attack); a crafted string pins a CPU core for seconds-to-minutes on a backtracking regular expression (ReDoS); a binary parser that reads a declared 2 GB length field allocates a 2 GB buffer from a 10-byte message. A Zip Slip archive entry named `../../x` escapes the extraction directory to overwrite a binary on the execution path. Input-format validation passes all of these because ...",
+      "produces": "Report per parser/decompression path, marking each resource bound enforced / missing / inconclusive (visibility gap). For every missing bound, state whether the ingest is internet-facing and whether a single crafted input could exhaust the instance (or, for Zip Slip, write outside the target). Distinguish a bound enforced at a lower layer (streaming runtime, RE2 engine, size-limited proxy) from an absent one, and a path that ingests only trusted fixed-size input from one that ingests attacker input. Provide the prioritised remediation (cap decompression size/ratio/nesting, confine extraction p ...",
+      "key_xrefs": {
+        "cwe_refs": [
+          "CWE-409",
+          "CWE-1333",
+          "CWE-400",
+          "CWE-776",
+          "CWE-22",
+          "CWE-834",
+          "CWE-770"
+        ],
+        "d3fend_refs": [],
+        "framework_gaps": [
+          "NIST-800-53-SI-2",
+          "NIS2-Art21-network-security",
+          "UK-CAF-B4",
+          "AU-ISM-1556"
+        ],
+        "atlas_refs": [],
+        "attack_refs": [
+          "T1499",
+          "T1499.001",
+          "T1059"
+        ],
+        "rfc_refs": [],
+        "dlp_refs": []
+      },
+      "trigger_count": 16,
+      "atlas_count": 0,
+      "attack_count": 3,
+      "framework_gap_count": 4,
+      "cwe_count": 7,
+      "d3fend_count": 0,
+      "rfc_count": 0,
+      "last_threat_review": "2026-06-02",
+      "path": "skills/decompression-dos/skill.md",
+      "handoff_targets": []
+    },
+    "log-injection-telemetry": {
+      "description": "Telemetry-pipeline integrity for mid-2026 — CR/LF log-injection neutralization across every sink, secret/PII redaction before shipping, authenticated metrics endpoints, and exporter destination allowlisting, secret-store credentials, verified TLS, and webhook SSRF guarding",
+      "threat_context_excerpt": "The telemetry pipeline is both an integrity target and a confidentiality leak that \"we centralize all logs\" does not address. Integrity: un-sanitized CR/LF in interpolated log values lets an attacker forge or split log entries — injecting fake lines, breaking the log parser, or hiding their own actions — corrupting the observability record incident response depends on. Confidentiality: secrets and PII logged without a redaction pass persist in every downstream sink (SIEM, cloud log service); an unauthenticated /metrics or debug endpoint leaks internal topology and operational state; exporters ...",
+      "produces": "Report per sink/exporter/endpoint, marking each control enforced / missing / inconclusive (visibility gap). For every missing control, state whether it leaks secrets/PII across sinks, allows forging the audit record, or enables exfil/SSRF from the telemetry process, and whether the surface is internet-reachable. Distinguish a control enforced at a lower layer (a sanitizing collector/sidecar, a private scrape network) from an absent one. Provide the prioritised remediation (neutralize CR/LF + redact per sink, authenticate/private metrics, allowlist exporters with secret-store credentials over v ...",
+      "key_xrefs": {
+        "cwe_refs": [
+          "CWE-117",
+          "CWE-532",
+          "CWE-918",
+          "CWE-200"
+        ],
+        "d3fend_refs": [],
+        "framework_gaps": [
+          "NIST-800-53-SI-2",
+          "ISO-27001-2022-A.8.15",
+          "NIS2-Art21-network-security",
+          "UK-CAF-B4",
+          "AU-ISM-1556"
+        ],
+        "atlas_refs": [],
+        "attack_refs": [
+          "T1565.001",
+          "T1530",
+          "T1213"
+        ],
+        "rfc_refs": [],
+        "dlp_refs": []
+      },
+      "trigger_count": 15,
+      "atlas_count": 0,
+      "attack_count": 3,
+      "framework_gap_count": 5,
+      "cwe_count": 4,
+      "d3fend_count": 0,
+      "rfc_count": 0,
+      "last_threat_review": "2026-06-02",
+      "path": "skills/log-injection-telemetry/skill.md",
+      "handoff_targets": []
     }
   }
 }

package/data/_indexes/token-budget.json

@@ -3,9 +3,9 @@
     "schema_version": "1.0.0",
     "tokenizer_note": "Character-density approximation: 1 token ≈ 4 chars. This is the canonical rule-of-thumb for OpenAI tokenizers on English+technical text. Claude's tokenizer is typically more efficient on prose; treat this as an upper-bound budget for both. Consumers with stricter precision needs should re-tokenize with their own tokenizer.",
     "approx_chars_per_token": 4,
-    "total_chars": 1720649,
-    "total_approx_tokens": 430165,
-    "skill_count": 48
+    "total_chars": 1736061,
+    "total_approx_tokens": 434018,
+    "skill_count": 50
   },
   "skills": {
     "kernel-lpe-triage": {
@@ -2802,6 +2802,106 @@
           "approx_tokens": 206
         }
       }
+    },
+    "decompression-dos": {
+      "path": "skills/decompression-dos/skill.md",
+      "bytes": 7711,
+      "chars": 7703,
+      "lines": 84,
+      "approx_tokens": 1926,
+      "approx_chars_per_token": 4,
+      "sections": {
+        "threat-context": {
+          "bytes": 796,
+          "chars": 794,
+          "approx_tokens": 199
+        },
+        "framework-lag-declaration": {
+          "bytes": 831,
+          "chars": 831,
+          "approx_tokens": 208
+        },
+        "ttp-mapping": {
+          "bytes": 830,
+          "chars": 828,
+          "approx_tokens": 207
+        },
+        "exploit-availability-matrix": {
+          "bytes": 690,
+          "chars": 688,
+          "approx_tokens": 172
+        },
+        "analysis-procedure": {
+          "bytes": 922,
+          "chars": 922,
+          "approx_tokens": 231
+        },
+        "output-format": {
+          "bytes": 888,
+          "chars": 888,
+          "approx_tokens": 222
+        },
+        "compliance-theater-check": {
+          "bytes": 670,
+          "chars": 670,
+          "approx_tokens": 168
+        },
+        "defensive-countermeasure-mapping": {
+          "bytes": 843,
+          "chars": 843,
+          "approx_tokens": 211
+        }
+      }
+    },
+    "log-injection-telemetry": {
+      "path": "skills/log-injection-telemetry/skill.md",
+      "bytes": 7725,
+      "chars": 7709,
+      "lines": 81,
+      "approx_tokens": 1927,
+      "approx_chars_per_token": 4,
+      "sections": {
+        "threat-context": {
+          "bytes": 881,
+          "chars": 877,
+          "approx_tokens": 219
+        },
+        "framework-lag-declaration": {
+          "bytes": 823,
+          "chars": 823,
+          "approx_tokens": 206
+        },
+        "ttp-mapping": {
+          "bytes": 765,
+          "chars": 759,
+          "approx_tokens": 190
+        },
+        "exploit-availability-matrix": {
+          "bytes": 730,
+          "chars": 728,
+          "approx_tokens": 182
+        },
+        "analysis-procedure": {
+          "bytes": 911,
+          "chars": 909,
+          "approx_tokens": 227
+        },
+        "output-format": {
+          "bytes": 836,
+          "chars": 836,
+          "approx_tokens": 209
+        },
+        "compliance-theater-check": {
+          "bytes": 740,
+          "chars": 740,
+          "approx_tokens": 185
+        },
+        "defensive-countermeasure-mapping": {
+          "bytes": 848,
+          "chars": 848,
+          "approx_tokens": 212
+        }
+      }
     }
   }
 }

package/data/_indexes/trigger-table.json

@@ -1926,9 +1926,100 @@
     "multitenancy-isolation"
   ],
   "resource exhaustion": [
+    "decompression-dos",
     "multitenancy-isolation"
   ],
   "denial of service": [
     "multitenancy-isolation"
+  ],
+  "decompression bomb": [
+    "decompression-dos"
+  ],
+  "zip bomb": [
+    "decompression-dos"
+  ],
+  "zip slip": [
+    "decompression-dos"
+  ],
+  "redos": [
+    "decompression-dos"
+  ],
+  "regular expression denial of service": [
+    "decompression-dos"
+  ],
+  "catastrophic backtracking": [
+    "decompression-dos"
+  ],
+  "billion laughs": [
+    "decompression-dos"
+  ],
+  "xml entity expansion": [
+    "decompression-dos"
+  ],
+  "xxe": [
+    "decompression-dos"
+  ],
+  "parser dos": [
+    "decompression-dos"
+  ],
+  "amplification attack": [
+    "decompression-dos"
+  ],
+  "nested archive": [
+    "decompression-dos"
+  ],
+  "recursion depth": [
+    "decompression-dos"
+  ],
+  "length field allocation": [
+    "decompression-dos"
+  ],
+  "input amplification": [
+    "decompression-dos"
+  ],
+  "log injection": [
+    "log-injection-telemetry"
+  ],
+  "crlf injection": [
+    "log-injection-telemetry"
+  ],
+  "log forging": [
+    "log-injection-telemetry"
+  ],
+  "telemetry integrity": [
+    "log-injection-telemetry"
+  ],
+  "secrets in logs": [
+    "log-injection-telemetry"
+  ],
+  "log redaction": [
+    "log-injection-telemetry"
+  ],
+  "metrics endpoint exposure": [
+    "log-injection-telemetry"
+  ],
+  "prometheus exposure": [
+    "log-injection-telemetry"
+  ],
+  "otlp exporter": [
+    "log-injection-telemetry"
+  ],
+  "cloudwatch": [
+    "log-injection-telemetry"
+  ],
+  "webhook sink": [
+    "log-injection-telemetry"
+  ],
+  "exporter ssrf": [
+    "log-injection-telemetry"
+  ],
+  "observability security": [
+    "log-injection-telemetry"
+  ],
+  "log sink": [
+    "log-injection-telemetry"
+  ],
+  "telemetry exfiltration": [
+    "log-injection-telemetry"
   ]
 }

package/data/_indexes/xref.json

@@ -42,6 +42,7 @@
     "CWE-22": [
       "api-security",
       "attack-surface-pentest",
+      "decompression-dos",
       "mail-server-hardening",
       "mcp-agent-trust",
       "webapp-security"
@@ -78,6 +79,7 @@
     "CWE-918": [
       "api-security",
       "attack-surface-pentest",
+      "log-injection-telemetry",
       "mcp-agent-trust",
       "network-trust",
       "sector-telecom",
@@ -139,6 +141,7 @@
       "api-security",
       "cloud-security",
       "dlp-gap-analysis",
+      "log-injection-telemetry",
       "sector-healthcare",
       "vc-wallet-trust",
       "webapp-security"
@@ -238,6 +241,7 @@
       "mail-server-hardening"
     ],
     "CWE-400": [
+      "decompression-dos",
       "mail-server-hardening",
       "multitenancy-isolation"
     ],
@@ -251,10 +255,29 @@
       "multitenancy-isolation"
     ],
     "CWE-770": [
+      "decompression-dos",
       "multitenancy-isolation"
     ],
     "CWE-668": [
       "multitenancy-isolation"
+    ],
+    "CWE-409": [
+      "decompression-dos"
+    ],
+    "CWE-1333": [
+      "decompression-dos"
+    ],
+    "CWE-776": [
+      "decompression-dos"
+    ],
+    "CWE-834": [
+      "decompression-dos"
+    ],
+    "CWE-117": [
+      "log-injection-telemetry"
+    ],
+    "CWE-532": [
+      "log-injection-telemetry"
     ]
   },
   "d3fend_refs": {
@@ -378,7 +401,9 @@
   "framework_gaps": {
     "NIST-800-53-SI-2": [
       "audit-log-integrity",
+      "decompression-dos",
       "kernel-lpe-triage",
+      "log-injection-telemetry",
       "mail-server-hardening"
     ],
     "ISO-27001-2022-A.8.8": [
@@ -623,6 +648,8 @@
       "sector-telecom"
     ],
     "AU-ISM-1556": [
+      "decompression-dos",
+      "log-injection-telemetry",
       "multitenancy-isolation",
       "sector-telecom",
       "self-update-integrity"
@@ -710,6 +737,8 @@
     ],
     "NIS2-Art21-network-security": [
       "audit-log-integrity",
+      "decompression-dos",
+      "log-injection-telemetry",
       "mail-server-hardening",
       "multitenancy-isolation",
       "network-trust",
@@ -719,12 +748,15 @@
       "network-trust"
     ],
     "UK-CAF-B4": [
+      "decompression-dos",
+      "log-injection-telemetry",
       "multitenancy-isolation",
       "network-trust",
       "self-update-integrity"
     ],
     "ISO-27001-2022-A.8.15": [
-      "audit-log-integrity"
+      "audit-log-integrity",
+      "log-injection-telemetry"
     ],
     "NIST-800-53-SR-11": [
       "self-update-integrity"
@@ -822,6 +854,7 @@
     "T1059": [
       "ai-attack-surface",
       "attack-surface-pentest",
+      "decompression-dos",
       "mcp-agent-trust",
       "ransomware-response",
       "webapp-security"
@@ -893,11 +926,13 @@
     "T1530": [
       "cloud-security",
       "dlp-gap-analysis",
+      "log-injection-telemetry",
       "multitenancy-isolation",
       "sector-healthcare"
     ],
     "T1213": [
-      "dlp-gap-analysis"
+      "dlp-gap-analysis",
+      "log-injection-telemetry"
     ],
     "T1041": [
       "dlp-gap-analysis",
@@ -1004,7 +1039,8 @@
       "audit-log-integrity"
     ],
     "T1565.001": [
-      "audit-log-integrity"
+      "audit-log-integrity",
+      "log-injection-telemetry"
     ],
     "T1562.008": [
       "audit-log-integrity"
@@ -1013,9 +1049,11 @@
       "self-update-integrity"
     ],
     "T1499": [
+      "decompression-dos",
       "multitenancy-isolation"
     ],
     "T1499.001": [
+      "decompression-dos",
       "multitenancy-isolation"
     ]
   },