@blamejs/exceptd-skills 0.16.17 → 0.16.19

package/data/_indexes/section-offsets.json

@@ -4892,6 +4892,176 @@
           "h3_count": 0
         }
       ]
+    },
+    "log-injection-telemetry": {
+      "path": "skills/log-injection-telemetry/skill.md",
+      "total_bytes": 7725,
+      "total_lines": 81,
+      "frontmatter": {
+        "line_start": 1,
+        "line_end": 46,
+        "byte_start": 0,
+        "byte_end": 1119
+      },
+      "sections": [
+        {
+          "name": "Threat Context (mid-2026)",
+          "normalized_name": "threat-context",
+          "line": 50,
+          "byte_start": 1191,
+          "byte_end": 2072,
+          "bytes": 881,
+          "h3_count": 0
+        },
+        {
+          "name": "Framework Lag Declaration",
+          "normalized_name": "framework-lag-declaration",
+          "line": 54,
+          "byte_start": 2072,
+          "byte_end": 2895,
+          "bytes": 823,
+          "h3_count": 0
+        },
+        {
+          "name": "TTP Mapping",
+          "normalized_name": "ttp-mapping",
+          "line": 58,
+          "byte_start": 2895,
+          "byte_end": 3660,
+          "bytes": 765,
+          "h3_count": 0
+        },
+        {
+          "name": "Exploit Availability Matrix",
+          "normalized_name": "exploit-availability-matrix",
+          "line": 62,
+          "byte_start": 3660,
+          "byte_end": 4390,
+          "bytes": 730,
+          "h3_count": 0
+        },
+        {
+          "name": "Analysis Procedure",
+          "normalized_name": "analysis-procedure",
+          "line": 66,
+          "byte_start": 4390,
+          "byte_end": 5301,
+          "bytes": 911,
+          "h3_count": 0
+        },
+        {
+          "name": "Output Format",
+          "normalized_name": "output-format",
+          "line": 70,
+          "byte_start": 5301,
+          "byte_end": 6137,
+          "bytes": 836,
+          "h3_count": 0
+        },
+        {
+          "name": "Compliance Theater Check",
+          "normalized_name": "compliance-theater-check",
+          "line": 74,
+          "byte_start": 6137,
+          "byte_end": 6877,
+          "bytes": 740,
+          "h3_count": 0
+        },
+        {
+          "name": "Defensive Countermeasure Mapping",
+          "normalized_name": "defensive-countermeasure-mapping",
+          "line": 78,
+          "byte_start": 6877,
+          "byte_end": 7725,
+          "bytes": 848,
+          "h3_count": 0
+        }
+      ]
+    },
+    "privacy-consent-ops": {
+      "path": "skills/privacy-consent-ops/skill.md",
+      "total_bytes": 7758,
+      "total_lines": 81,
+      "frontmatter": {
+        "line_start": 1,
+        "line_end": 46,
+        "byte_start": 0,
+        "byte_end": 1110
+      },
+      "sections": [
+        {
+          "name": "Threat Context (mid-2026)",
+          "normalized_name": "threat-context",
+          "line": 50,
+          "byte_start": 1166,
+          "byte_end": 2082,
+          "bytes": 916,
+          "h3_count": 0
+        },
+        {
+          "name": "Framework Lag Declaration",
+          "normalized_name": "framework-lag-declaration",
+          "line": 54,
+          "byte_start": 2082,
+          "byte_end": 2912,
+          "bytes": 830,
+          "h3_count": 0
+        },
+        {
+          "name": "TTP Mapping",
+          "normalized_name": "ttp-mapping",
+          "line": 58,
+          "byte_start": 2912,
+          "byte_end": 3782,
+          "bytes": 870,
+          "h3_count": 0
+        },
+        {
+          "name": "Exploit Availability Matrix",
+          "normalized_name": "exploit-availability-matrix",
+          "line": 62,
+          "byte_start": 3782,
+          "byte_end": 4510,
+          "bytes": 728,
+          "h3_count": 0
+        },
+        {
+          "name": "Analysis Procedure",
+          "normalized_name": "analysis-procedure",
+          "line": 66,
+          "byte_start": 4510,
+          "byte_end": 5365,
+          "bytes": 855,
+          "h3_count": 0
+        },
+        {
+          "name": "Output Format",
+          "normalized_name": "output-format",
+          "line": 70,
+          "byte_start": 5365,
+          "byte_end": 6187,
+          "bytes": 822,
+          "h3_count": 0
+        },
+        {
+          "name": "Compliance Theater Check",
+          "normalized_name": "compliance-theater-check",
+          "line": 74,
+          "byte_start": 6187,
+          "byte_end": 6915,
+          "bytes": 728,
+          "h3_count": 0
+        },
+        {
+          "name": "Defensive Countermeasure Mapping",
+          "normalized_name": "defensive-countermeasure-mapping",
+          "line": 78,
+          "byte_start": 6915,
+          "byte_end": 7758,
+          "bytes": 843,
+          "h3_count": 0
+        }
+      ]
     }
   }
 }

package/data/_indexes/stale-content.json

@@ -15,7 +15,7 @@
       "severity": "medium",
       "category": "researcher_claim_drift",
       "artifact": "skills/researcher/skill.md",
-      "detail": "claims 41 specialized skills downstream; live count is 48"
+      "detail": "claims 41 specialized skills downstream; live count is 50"
     }
   ]
 }

package/data/_indexes/summary-cards.json

@@ -2257,6 +2257,83 @@
       "last_threat_review": "2026-06-02",
       "path": "skills/decompression-dos/skill.md",
       "handoff_targets": []
+    },
+    "log-injection-telemetry": {
+      "description": "Telemetry-pipeline integrity for mid-2026 — CR/LF log-injection neutralization across every sink, secret/PII redaction before shipping, authenticated metrics endpoints, and exporter destination allowlisting, secret-store credentials, verified TLS, and webhook SSRF guarding",
+      "threat_context_excerpt": "The telemetry pipeline is both an integrity target and a confidentiality leak that \"we centralize all logs\" does not address. Integrity: un-sanitized CR/LF in interpolated log values lets an attacker forge or split log entries — injecting fake lines, breaking the log parser, or hiding their own actions — corrupting the observability record incident response depends on. Confidentiality: secrets and PII logged without a redaction pass persist in every downstream sink (SIEM, cloud log service); an unauthenticated /metrics or debug endpoint leaks internal topology and operational state; exporters ...",
+      "produces": "Report per sink/exporter/endpoint, marking each control enforced / missing / inconclusive (visibility gap). For every missing control, state whether it leaks secrets/PII across sinks, allows forging the audit record, or enables exfil/SSRF from the telemetry process, and whether the surface is internet-reachable. Distinguish a control enforced at a lower layer (a sanitizing collector/sidecar, a private scrape network) from an absent one. Provide the prioritised remediation (neutralize CR/LF + redact per sink, authenticate/private metrics, allowlist exporters with secret-store credentials over v ...",
+      "key_xrefs": {
+        "cwe_refs": [
+          "CWE-117",
+          "CWE-532",
+          "CWE-918",
+          "CWE-200"
+        ],
+        "d3fend_refs": [],
+        "framework_gaps": [
+          "NIST-800-53-SI-2",
+          "ISO-27001-2022-A.8.15",
+          "NIS2-Art21-network-security",
+          "UK-CAF-B4",
+          "AU-ISM-1556"
+        ],
+        "atlas_refs": [],
+        "attack_refs": [
+          "T1565.001",
+          "T1530",
+          "T1213"
+        ],
+        "rfc_refs": [],
+        "dlp_refs": []
+      },
+      "trigger_count": 15,
+      "atlas_count": 0,
+      "attack_count": 3,
+      "framework_gap_count": 5,
+      "cwe_count": 4,
+      "d3fend_count": 0,
+      "rfc_count": 0,
+      "last_threat_review": "2026-06-02",
+      "path": "skills/log-injection-telemetry/skill.md",
+      "handoff_targets": []
+    },
+    "privacy-consent-ops": {
+      "description": "Privacy, consent, and sanctions operational integrity for mid-2026 — confusable/homoglyph normalization before sanctions screening, integrity-bound and re-validated consent records, evidence-gated and downstream-propagated DSR erasure, and ROPA reconciliation against actual processing",
+      "threat_context_excerpt": "Privacy and sanctions controls fail operationally even when they exist on paper. A sanctions screen that compares raw strings is evaded by a listed name spelled with confusable Unicode (Cyrillic/Latin lookalikes, combining marks, zero-width characters) — or simply by an alias or transliteration the screen does not cover. A consent signal (IAB TCF / MSPA or first-party) trusted from the client with no integrity binding to a server-side consent_log is forgeable and stale-by-default, and continuing to process on a cached signal after withdrawal is unlawful. A data-subject erasure marked ...",
+      "produces": "Report per control (sanctions screening, consent, DSR erasure, ROPA), marking each enforced / missing / inconclusive (visibility gap). For every missing control, state whether a prohibited party could clear screening, whether personal data is unlawfully processed or un-erased, and the affected population. Distinguish a control enforced by a dedicated layer (a confusable-folding screen, a consent platform, an evidence-gated workflow) from an absent one. Provide the prioritised remediation (normalize + alias/fuzzy screen, server-bind + re-validate consent, evidence-gate + propagate erasure, reco ...",
+      "key_xrefs": {
+        "cwe_refs": [
+          "CWE-807",
+          "CWE-345",
+          "CWE-778",
+          "CWE-672"
+        ],
+        "d3fend_refs": [],
+        "framework_gaps": [
+          "NIST-800-53-SI-2",
+          "NIS2-Art21-network-security",
+          "UK-CAF-B4",
+          "AU-ISM-1556"
+        ],
+        "atlas_refs": [],
+        "attack_refs": [
+          "T1036",
+          "T1565.001",
+          "T1070"
+        ],
+        "rfc_refs": [],
+        "dlp_refs": []
+      },
+      "trigger_count": 16,
+      "atlas_count": 0,
+      "attack_count": 3,
+      "framework_gap_count": 4,
+      "cwe_count": 4,
+      "d3fend_count": 0,
+      "rfc_count": 0,
+      "last_threat_review": "2026-06-02",
+      "path": "skills/privacy-consent-ops/skill.md",
+      "handoff_targets": []
     }
   }
 }

package/data/_indexes/token-budget.json

@@ -3,9 +3,9 @@
     "schema_version": "1.0.0",
     "tokenizer_note": "Character-density approximation: 1 token ≈ 4 chars. This is the canonical rule-of-thumb for OpenAI tokenizers on English+technical text. Claude's tokenizer is typically more efficient on prose; treat this as an upper-bound budget for both. Consumers with stricter precision needs should re-tokenize with their own tokenizer.",
     "approx_chars_per_token": 4,
-    "total_chars": 1728352,
-    "total_approx_tokens": 432091,
-    "skill_count": 49
+    "total_chars": 1743803,
+    "total_approx_tokens": 435954,
+    "skill_count": 51
   },
   "skills": {
     "kernel-lpe-triage": {
@@ -2852,6 +2852,106 @@
           "approx_tokens": 211
         }
       }
+    },
+    "log-injection-telemetry": {
+      "path": "skills/log-injection-telemetry/skill.md",
+      "bytes": 7725,
+      "chars": 7709,
+      "lines": 81,
+      "approx_tokens": 1927,
+      "approx_chars_per_token": 4,
+      "sections": {
+        "threat-context": {
+          "bytes": 881,
+          "chars": 877,
+          "approx_tokens": 219
+        },
+        "framework-lag-declaration": {
+          "bytes": 823,
+          "chars": 823,
+          "approx_tokens": 206
+        },
+        "ttp-mapping": {
+          "bytes": 765,
+          "chars": 759,
+          "approx_tokens": 190
+        },
+        "exploit-availability-matrix": {
+          "bytes": 730,
+          "chars": 728,
+          "approx_tokens": 182
+        },
+        "analysis-procedure": {
+          "bytes": 911,
+          "chars": 909,
+          "approx_tokens": 227
+        },
+        "output-format": {
+          "bytes": 836,
+          "chars": 836,
+          "approx_tokens": 209
+        },
+        "compliance-theater-check": {
+          "bytes": 740,
+          "chars": 740,
+          "approx_tokens": 185
+        },
+        "defensive-countermeasure-mapping": {
+          "bytes": 848,
+          "chars": 848,
+          "approx_tokens": 212
+        }
+      }
+    },
+    "privacy-consent-ops": {
+      "path": "skills/privacy-consent-ops/skill.md",
+      "bytes": 7758,
+      "chars": 7742,
+      "lines": 81,
+      "approx_tokens": 1936,
+      "approx_chars_per_token": 4,
+      "sections": {
+        "threat-context": {
+          "bytes": 916,
+          "chars": 914,
+          "approx_tokens": 229
+        },
+        "framework-lag-declaration": {
+          "bytes": 830,
+          "chars": 828,
+          "approx_tokens": 207
+        },
+        "ttp-mapping": {
+          "bytes": 870,
+          "chars": 862,
+          "approx_tokens": 216
+        },
+        "exploit-availability-matrix": {
+          "bytes": 728,
+          "chars": 726,
+          "approx_tokens": 182
+        },
+        "analysis-procedure": {
+          "bytes": 855,
+          "chars": 855,
+          "approx_tokens": 214
+        },
+        "output-format": {
+          "bytes": 822,
+          "chars": 822,
+          "approx_tokens": 206
+        },
+        "compliance-theater-check": {
+          "bytes": 728,
+          "chars": 728,
+          "approx_tokens": 182
+        },
+        "defensive-countermeasure-mapping": {
+          "bytes": 843,
+          "chars": 843,
+          "approx_tokens": 211
+        }
+      }
     }
   }
 }

package/data/_indexes/trigger-table.json

@@ -1976,5 +1976,98 @@
   ],
   "input amplification": [
     "decompression-dos"
+  ],
+  "log injection": [
+    "log-injection-telemetry"
+  ],
+  "crlf injection": [
+    "log-injection-telemetry"
+  ],
+  "log forging": [
+    "log-injection-telemetry"
+  ],
+  "telemetry integrity": [
+    "log-injection-telemetry"
+  ],
+  "secrets in logs": [
+    "log-injection-telemetry"
+  ],
+  "log redaction": [
+    "log-injection-telemetry"
+  ],
+  "metrics endpoint exposure": [
+    "log-injection-telemetry"
+  ],
+  "prometheus exposure": [
+    "log-injection-telemetry"
+  ],
+  "otlp exporter": [
+    "log-injection-telemetry"
+  ],
+  "cloudwatch": [
+    "log-injection-telemetry"
+  ],
+  "webhook sink": [
+    "log-injection-telemetry"
+  ],
+  "exporter ssrf": [
+    "log-injection-telemetry"
+  ],
+  "observability security": [
+    "log-injection-telemetry"
+  ],
+  "log sink": [
+    "log-injection-telemetry"
+  ],
+  "telemetry exfiltration": [
+    "log-injection-telemetry"
+  ],
+  "privacy operations": [
+    "privacy-consent-ops"
+  ],
+  "consent integrity": [
+    "privacy-consent-ops"
+  ],
+  "sanctions screening": [
+    "privacy-consent-ops"
+  ],
+  "ofac screening": [
+    "privacy-consent-ops"
+  ],
+  "homoglyph evasion": [
+    "privacy-consent-ops"
+  ],
+  "confusable normalization": [
+    "privacy-consent-ops"
+  ],
+  "iab tcf": [
+    "privacy-consent-ops"
+  ],
+  "mspa": [
+    "privacy-consent-ops"
+  ],
+  "consent string": [
+    "privacy-consent-ops"
+  ],
+  "dsr": [
+    "privacy-consent-ops"
+  ],
+  "right to erasure": [
+    "privacy-consent-ops"
+  ],
+  "right to be forgotten": [
+    "privacy-consent-ops"
+  ],
+  "gdpr article 17": [
+    "privacy-consent-ops"
+  ],
+  "ropa": [
+    "privacy-consent-ops"
+  ],
+  "record of processing": [
+    "privacy-consent-ops"
+  ],
+  "data subject request": [
+    "privacy-consent-ops"
   ]
 }

package/data/_indexes/xref.json

@@ -14,6 +14,7 @@
     ],
     "CWE-672": [
       "kernel-lpe-triage",
+      "privacy-consent-ops",
       "vc-wallet-trust"
     ],
     "CWE-787": [
@@ -51,7 +52,8 @@
       "audit-log-integrity",
       "idp-incident-response",
       "mcp-agent-trust",
-      "network-trust"
+      "network-trust",
+      "privacy-consent-ops"
     ],
     "CWE-352": [
       "api-security",
@@ -79,6 +81,7 @@
     "CWE-918": [
       "api-security",
       "attack-surface-pentest",
+      "log-injection-telemetry",
       "mcp-agent-trust",
       "network-trust",
       "sector-telecom",
@@ -140,6 +143,7 @@
       "api-security",
       "cloud-security",
       "dlp-gap-analysis",
+      "log-injection-telemetry",
       "sector-healthcare",
       "vc-wallet-trust",
       "webapp-security"
@@ -244,7 +248,8 @@
       "multitenancy-isolation"
     ],
     "CWE-778": [
-      "audit-log-integrity"
+      "audit-log-integrity",
+      "privacy-consent-ops"
     ],
     "CWE-353": [
       "self-update-integrity"
@@ -270,6 +275,15 @@
     ],
     "CWE-834": [
       "decompression-dos"
+    ],
+    "CWE-117": [
+      "log-injection-telemetry"
+    ],
+    "CWE-532": [
+      "log-injection-telemetry"
+    ],
+    "CWE-807": [
+      "privacy-consent-ops"
     ]
   },
   "d3fend_refs": {
@@ -395,7 +409,9 @@
       "audit-log-integrity",
       "decompression-dos",
       "kernel-lpe-triage",
-      "mail-server-hardening"
+      "log-injection-telemetry",
+      "mail-server-hardening",
+      "privacy-consent-ops"
     ],
     "ISO-27001-2022-A.8.8": [
       "coordinated-vuln-disclosure",
@@ -640,7 +656,9 @@
     ],
     "AU-ISM-1556": [
       "decompression-dos",
+      "log-injection-telemetry",
       "multitenancy-isolation",
+      "privacy-consent-ops",
       "sector-telecom",
       "self-update-integrity"
     ],
@@ -728,9 +746,11 @@
     "NIS2-Art21-network-security": [
       "audit-log-integrity",
       "decompression-dos",
+      "log-injection-telemetry",
       "mail-server-hardening",
       "multitenancy-isolation",
       "network-trust",
+      "privacy-consent-ops",
       "self-update-integrity"
     ],
     "ISO-27001-2022-A.8.21": [
@@ -738,12 +758,15 @@
     ],
     "UK-CAF-B4": [
       "decompression-dos",
+      "log-injection-telemetry",
       "multitenancy-isolation",
       "network-trust",
+      "privacy-consent-ops",
       "self-update-integrity"
     ],
     "ISO-27001-2022-A.8.15": [
-      "audit-log-integrity"
+      "audit-log-integrity",
+      "log-injection-telemetry"
     ],
     "NIST-800-53-SR-11": [
       "self-update-integrity"
@@ -913,11 +936,13 @@
     "T1530": [
       "cloud-security",
       "dlp-gap-analysis",
+      "log-injection-telemetry",
       "multitenancy-isolation",
       "sector-healthcare"
     ],
     "T1213": [
-      "dlp-gap-analysis"
+      "dlp-gap-analysis",
+      "log-injection-telemetry"
     ],
     "T1041": [
       "dlp-gap-analysis",
@@ -1021,10 +1046,13 @@
       "network-trust"
     ],
     "T1070": [
-      "audit-log-integrity"
+      "audit-log-integrity",
+      "privacy-consent-ops"
     ],
     "T1565.001": [
-      "audit-log-integrity"
+      "audit-log-integrity",
+      "log-injection-telemetry",
+      "privacy-consent-ops"
     ],
     "T1562.008": [
       "audit-log-integrity"
@@ -1039,6 +1067,9 @@
     "T1499.001": [
       "decompression-dos",
       "multitenancy-isolation"
+    ],
+    "T1036": [
+      "privacy-consent-ops"
     ]
   },
   "rfc_refs": {