@blamejs/exceptd-skills 0.16.18 → 0.16.20
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/AGENTS.md +2 -1
- package/CHANGELOG.md +8 -0
- package/README.md +5 -5
- package/bin/exceptd.js +2 -1
- package/data/_indexes/_meta.json +15 -14
- package/data/_indexes/activity-feed.json +9 -2
- package/data/_indexes/chains.json +3875 -400
- package/data/_indexes/currency.json +10 -1
- package/data/_indexes/frequency.json +84 -59
- package/data/_indexes/handoff-dag.json +5 -1
- package/data/_indexes/jurisdiction-map.json +6 -3
- package/data/_indexes/section-offsets.json +85 -0
- package/data/_indexes/stale-content.json +1 -1
- package/data/_indexes/summary-cards.json +38 -0
- package/data/_indexes/token-budget.json +53 -3
- package/data/_indexes/trigger-table.json +48 -0
- package/data/_indexes/xref.json +20 -5
- package/data/cwe-catalog.json +9 -3
- package/data/playbooks/framework.json +1 -0
- package/data/playbooks/privacy-consent-ops.json +605 -0
- package/lib/cve-curation.js +3 -1
- package/lib/playbook-runner.js +1 -1
- package/lib/schemas/skill-frontmatter.schema.json +5 -0
- package/lib/source-osv.js +3 -5
- package/manifest-snapshot.json +53 -2
- package/manifest-snapshot.sha256 +1 -1
- package/manifest.json +107 -52
- package/package.json +2 -2
- package/sbom.cdx.json +68 -38
- package/scripts/refresh-sbom.js +2 -2
- package/skills/privacy-consent-ops/skill.md +80 -0
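--- a/package/sbom.cdx.json
+++ b/package/sbom.cdx.json
@@ -1,23 +1,23 @@
 {
 "bomFormat": "CycloneDX",
 "specVersion": "1.6",
-"serialNumber": "urn:uuid:
+"serialNumber": "urn:uuid:27c29f93-ac9c-4df6-a278-6b1b3e4556df",
 "version": 1,
 "metadata": {
-"timestamp": "
+"timestamp": "2047-02-20T16:10:59.000Z",
 "tools": [
 {
 "vendor": "blamejs",
 "name": "scripts/refresh-sbom.js",
-"version": "0.16.
+"version": "0.16.20"
 }
 ],
 "component": {
-"bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.16.
+"bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.16.20",
 "type": "application",
 "name": "@blamejs/exceptd-skills",
-"version": "0.16.
-"description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation.
+"version": "0.16.20",
+"description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 51 skills, 11 catalogs (439 CVEs / 177 CWEs / 805 ATT&CK + ICS / 170 ATLAS / 468 D3FEND / 8888 RFCs), 35 jurisdictions, 10-class catalog gap detector + budget gate, real XML parser + canonical-form diff + content-pattern regression detection, Ed25519-signed.",
 "licenses": [
 {
 "license": {
@@ -25,17 +25,17 @@
 }
 }
 ],
-"purl": "pkg:npm/%40blamejs/exceptd-skills@0.16.
+"purl": "pkg:npm/%40blamejs/exceptd-skills@0.16.20",
 "hashes": [
 {
 "alg": "SHA-256",
-"content": "
+"content": "fe9dfa8a600bd9c4d238c64204f365fb966650fe535b4dd9840f0957432e8117"
 }
 ],
 "externalReferences": [
 {
 "type": "distribution",
-"url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.16.
+"url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.16.20"
 },
 {
 "type": "vcs",
@@ -54,7 +54,7 @@
 },
 {
 "name": "exceptd:skill:count",
-"value": "
+"value": "51"
 },
 {
 "name": "exceptd:integrity:method",
@@ -86,11 +86,11 @@
 "hashes": [
 {
 "alg": "SHA-256",
-"content": "
+"content": "4740bf09effd467a73a8e83ecebab2b70ef6a3c1d67bcf8ec136acb7dcb5544c"
 },
 {
 "alg": "SHA3-512",
-"content": "
+"content": "97916b726fca2bac91639fad98c8793298259cbb7a90cf4e7afcdd5a4f9fd12b48af6520e7e7d0021fb99705c213a02cf583555c4b0aa9f091c3f5d26d12da9e"
 }
 ]
 },
@@ -116,11 +116,11 @@
 "hashes": [
 {
 "alg": "SHA-256",
-"content": "
+"content": "da8e1908f872d2aa27e4b5815a954bac34156d92c17aea421b65d984be050d85"
 },
 {
 "alg": "SHA3-512",
-"content": "
+"content": "6ab25dbfbf14dd5d33fc9ed12ae31eea40611ac9c45a6a9d39f59fc9bb3d0574e03edf1dba7580129d9fac832df599bb0aeb94d235aee564cba0cf2d229acfe8"
 }
 ]
 },
@@ -176,11 +176,11 @@
 "hashes": [
 {
 "alg": "SHA-256",
-"content": "
+"content": "81ca9d3388220ac98069b35a594e915e6a6c95f047467f26d75d89d0c917684c"
 },
 {
 "alg": "SHA3-512",
-"content": "
+"content": "cd0bed4f8dd100c272b20d7aecad64d09b9d65dc07551aec2f61ee20aae55978cf1c300ede8bac15d10ed9bbf8ea180aa48dfe3d951497527ee17440da1a696f"
 }
 ]
 },
@@ -281,11 +281,11 @@
 "hashes": [
 {
 "alg": "SHA-256",
-"content": "
+"content": "9bcb27a03b259ed458da11b2d8396a1cada67c3c5b3d258945ee2eb031dd3069"
 },
 {
 "alg": "SHA3-512",
-"content": "
+"content": "08c6edcbf777a74bf40f5907a279ebbbce8a886498dfaf37700749609cae23a120061a9f86b0f700f5218d046dfed318445997099f69771ed15b40c8009536e0"
 }
 ]
 },
@@ -341,11 +341,11 @@
 "hashes": [
 {
 "alg": "SHA-256",
-"content": "
+"content": "feadd8497221c097d8237fb93d9557c4dbdd70434097da8debd6f5e50ede1b24"
 },
 {
 "alg": "SHA3-512",
-"content": "
+"content": "97119842846c95f910bb1b9ef9ba9b36ebe5d9abe4461c22f9d2ccfda676082d606e2348535416da6e14841ffe4173a0b7399f64adbae9829a2e00eed32ec3c2"
 }
 ]
 },
@@ -596,11 +596,11 @@
 "hashes": [
 {
 "alg": "SHA-256",
-"content": "
+"content": "6f74bc9a8b5dd04a18931644101d0860b968ba13512f7d5f6b36282b4119978d"
 },
 {
 "alg": "SHA3-512",
-"content": "
+"content": "bed2d8d1e9f210afa4ec9b101a27d9e7b7d84f4e724194bad131ef83d231c0b158c5b0dc30fcbb7415062aadd7f8568e2390c204823b8b13b96044bb324c6654"
 }
 ]
 },
@@ -784,6 +784,21 @@
 }
 ]
 },
+{
+"bom-ref": "file:data/playbooks/privacy-consent-ops.json",
+"type": "file",
+"name": "data/playbooks/privacy-consent-ops.json",
+"hashes": [
+{
+"alg": "SHA-256",
+"content": "a1545f8028ffd100d8d2ab52099196a2d200d593f07916e71ba5e5a27b817a38"
+},
+{
+"alg": "SHA3-512",
+"content": "94431fca8e351cf2af3f409c4494358500087d7baade07896d4ab2b19b3c45b74ec6e50ab2e9a79bcd3a7ab54808811669dce6d6775b8eccbf4b010960e818e1"
+}
+]
+},
 {
 "bom-ref": "file:data/playbooks/ransomware.json",
 "type": "file",
@@ -1286,11 +1301,11 @@
 "hashes": [
 {
 "alg": "SHA-256",
-"content": "
+"content": "532c88389281d4d5ab7f0e640b9c368b3f61bdf2ce607541c2aaa1c6dbc0e2a5"
 },
 {
 "alg": "SHA3-512",
-"content": "
+"content": "c06a034d871683f858dc821a74518a51d1a6fec33900b725ff9813bc4b648b87a62d43f34ce38432299c35a64f4d0a28bfbcf53b17a1739716684aa19ccd2910"
 }
 ]
 },
@@ -1436,11 +1451,11 @@
 "hashes": [
 {
 "alg": "SHA-256",
-"content": "
+"content": "c4d081a381f82dc32421bcfbb616548b07e3b5c2bcc0cc5be20461fb641f8f10"
 },
 {
 "alg": "SHA3-512",
-"content": "
+"content": "a8ac7ac0f5d36fcc79e6e475c2cd6685eb52da09816503dd5fa9668633551ff604ad5e7512647c9d300dcc4552ca7a820d38ee1016a133b23c065ed1dba772c6"
 }
 ]
 },
@@ -1556,11 +1571,11 @@
 "hashes": [
 {
 "alg": "SHA-256",
-"content": "
+"content": "df338394673140ae744d667555d3995f9a4170bb600ffd1e60b42a2bc4858ec9"
 },
 {
 "alg": "SHA3-512",
-"content": "
+"content": "b142362521971c4b0e987356885de80298d4ef939bd0b2bf2968d7e95c270f7a4ffd3774d8f92eaff29b3e888a66c006ea6641054a0bc260ba56996c2d881c0c"
 }
 ]
 },
@@ -1631,11 +1646,11 @@
 "hashes": [
 {
 "alg": "SHA-256",
-"content": "
+"content": "18846c70ddfd17eb2a3ce4a6aca5703dfa08df090ac04d34e42d121a631e02e8"
 },
 {
 "alg": "SHA3-512",
-"content": "
+"content": "7fff075b9d676081bcf5b8d686cb5da4da4570784b7adfa5cf6479a7c83d28666725968952f8a93e1274368053bd64891e7e45a3715669c3b4ec565ffc3ff0df"
 }
 ]
 },
@@ -1841,11 +1856,11 @@
 "hashes": [
 {
 "alg": "SHA-256",
-"content": "
+"content": "faa01f939b1473c436cd81d614612593e92034e1119518e4e44f61e37b35de8b"
 },
 {
 "alg": "SHA3-512",
-"content": "
+"content": "5b84120225b544abcbfd2e87555b71293105c843fe2595c7b0fc4f92c78e3a39291e6a92600d1bbf0fd3ce09de9968799686a8a23555ceb63d17dd56d0162f58"
 }
 ]
 },
@@ -1856,11 +1871,11 @@
 "hashes": [
 {
 "alg": "SHA-256",
-"content": "
+"content": "99279ed5a5a7ddb3f00e639b956a83bb2df492288db176f4c3d55dc498949c17"
 },
 {
 "alg": "SHA3-512",
-"content": "
+"content": "3bb717a033303c961161784e1fd4da815da62106baaf62863c3f6e950b600cd36fb3faba663e49add7853f13137789ccad7884034a7638d11a15706548ec03a5"
 }
 ]
 },
@@ -1871,11 +1886,11 @@
 "hashes": [
 {
 "alg": "SHA-256",
-"content": "
+"content": "7907552767ac9017929f434124666fa32c6b68d3f9b0ccbbe66f897c553ee6e3"
 },
 {
 "alg": "SHA3-512",
-"content": "
+"content": "2a1ab5a93e7ade12930932811d8082d4ea9f757caeed62a1f2fb6fffb2e4a0aebf8e411ccc0433b87e76b6aec96ccb4ad98e1740eb4197c2f25ef338cbde1687"
 }
 ]
 },
@@ -2576,11 +2591,11 @@
 "hashes": [
 {
 "alg": "SHA-256",
-"content": "
+"content": "c70973d1c3ecf755361539423b6a41d9d598f25527c64a116c63a5bab240bcbd"
 },
 {
 "alg": "SHA3-512",
-"content": "
+"content": "b5356776cd94758a64c4b8d7e66e2b8eaf027136c878fe0fe1a404e8ce22fd2826346b5b547e3db67e1c73c001e09be007a0a1b4c968ca6c8e58235a28032233"
 }
 ]
 },
@@ -3169,6 +3184,21 @@
 }
 ]
 },
+{
+"bom-ref": "file:skills/privacy-consent-ops/skill.md",
+"type": "file",
+"name": "skills/privacy-consent-ops/skill.md",
+"hashes": [
+{
+"alg": "SHA-256",
+"content": "6c14052577178f0cffc943c2d7f1ac2aca6704cca912ce7492d9eac88a1c6d88"
+},
+{
+"alg": "SHA3-512",
+"content": "8f39f408d80a2ee83d874c50308facb8722f57c8be26b01255e032949f7e40d41ce2464dd48f1b9b99adad9006c22c0254338faf6a41ee17c4fa054dee60a304"
+}
+]
+},
 {
 "bom-ref": "file:skills/rag-pipeline-security/skill.md",
 "type": "file",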
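--- a/package/scripts/refresh-sbom.js
+++ b/package/scripts/refresh-sbom.js
@@ -59,7 +59,7 @@ function readJson(p) {
 return JSON.parse(fs.readFileSync(p, 'utf8'));
 }
 
-function
+function listDataCatalogs(dir) {
 return fs
 .readdirSync(dir)
 .filter((f) => f.endsWith('.json'))
@@ -274,7 +274,7 @@ function vendorComponents(prov) {
 function buildSbom() {
 const pkg = readJson(PACKAGE_PATH);
 const manifest = readJson(MANIFEST_PATH);
-const catalogs =
+const catalogs = listDataCatalogs(DATA_DIR);
 const skillCount = Array.isArray(manifest.skills) ? manifest.skills.length : 0;
 const catalogCount = catalogs.length;
 const vendorProv = loadVendorProvenance();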
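Review bot: `listDataCatalogs` returns `readdirSync(dir)` entries in whatever order the filesystem enumerates them and only filters on the name suffix, so the catalog list (and the `catalogCount` that `buildSbom` derives from it) depends on enumeration order and would also count a directory or symlink whose name ends in `.json`; for a reproducible SBOM that inventories real files only, use `return fs.readdirSync(dir, { withFileTypes: true })` / `.filter((d) => d.isFile() && d.name.endsWith('.json'))` / `.map((d) => d.name).sort();`. The rest of `listDataCatalogs` and of `buildSbom` lies outside the hunk, so a later `.sort()` or `statSync` may already cover part of this and cannot be seen here. Separately, the `sbom.cdx.json` regenerated by this script in the same release carries `"timestamp": "2047-02-20T16:10:59.000Z"`, which suggests the build-host clock is taken unchecked; honouring `SOURCE_DATE_EPOCH` when it is set would make the SBOM reproducible and keep a skewed clock from emitting a metadata timestamp that downstream verifiers may reject.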
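--- a/package/skills/privacy-consent-ops/skill.md
+++ b/package/skills/privacy-consent-ops/skill.md
@@ -0,0 +1,80 @@
+---
+name: privacy-consent-ops
+version: "1.0.0"
+description: Privacy, consent, and sanctions operational integrity for mid-2026 — confusable/homoglyph normalization before sanctions screening, integrity-bound and re-validated consent records, evidence-gated and downstream-propagated DSR erasure, and ROPA reconciliation against actual processing
+triggers:
+- privacy operations
+- consent integrity
+- sanctions screening
+- ofac screening
+- homoglyph evasion
+- confusable normalization
+- iab tcf
+- mspa
+- consent string
+- dsr
+- right to erasure
+- right to be forgotten
+- gdpr article 17
+- ropa
+- record of processing
+- data subject request
+discovery_mode: standalone
+data_deps:
+- cve-catalog.json
+- atlas-ttps.json
+- attack-techniques.json
+- framework-control-gaps.json
+- cwe-catalog.json
+- rfc-references.json
+atlas_refs: []
+attack_refs:
+- T1036
+- T1565.001
+- T1070
+framework_gaps:
+- NIST-800-53-SI-2
+- NIS2-Art21-network-security
+- UK-CAF-B4
+- AU-ISM-1556
+cwe_refs:
+- CWE-807
+- CWE-345
+- CWE-778
+- CWE-672
+last_threat_review: "2026-06-02"
+---
+
+# Privacy / Consent / Sanctions Operational Integrity
+
+## Threat Context (mid-2026)
+
+Privacy and sanctions controls fail operationally even when they exist on paper. A sanctions screen that compares raw strings is evaded by a listed name spelled with confusable Unicode (Cyrillic/Latin lookalikes, combining marks, zero-width characters) — or simply by an alias or transliteration the screen does not cover. A consent signal (IAB TCF / MSPA or first-party) trusted from the client with no integrity binding to a server-side consent_log is forgeable and stale-by-default, and continuing to process on a cached signal after withdrawal is unlawful. A data-subject erasure marked "completed" without per-store proof, and not propagated to backups, indexes, warehouses, and processors, leaves live personal data behind while the organisation asserts compliance. A ROPA that drifts from actual processing hides flows that escape the consent/retention/DSR analysis entirely.
+
+## Framework Lag Declaration
+
+Organisational privacy and sanctions controls are attested by having the process — a screening vendor, a consent banner, a DSR queue, a ROPA document. NIST 800-53 SI-10 (input validation) does not require Unicode confusable normalization before a sanctions-screening decision. ISO 27001 A.5.34 (privacy / PII) is met by having consent and DSR processes and does not require the consent signal be integrity-bound or the erasure be evidence-backed and propagated. A clean "we screen against OFAC, capture consent, complete DSRs, and maintain a ROPA" audit is therefore NON-EVIDENCE for operational integrity; it confirms the processes exist, not that screening normalizes confusables, consent is server-bound and re-validated, erasure is evidence-gated and propagated, and the ROPA matches reality.
+
+## TTP Mapping
+
+The privacy/sanctions failures map to MITRE ATT&CK: **T1036 (Masquerading)** for a prohibited party spelling a sanctioned name with homoglyphs or an uncovered alias to evade screening; **T1565.001 (Stored Data Manipulation)** for forging or replaying a consent signal with no authoritative record, and for an erasure status falsely marked "completed"; and **T1070 (Indicator Removal)** for claiming erasure that removes the compliance indicator while live copies survive downstream. The weakness classes are CWE-807 (reliance on untrusted inputs in a security decision — unnormalized screening input), CWE-345 (insufficient verification of data authenticity — unbound consent), CWE-778 (insufficient logging — unevidenced erasure / drifted ROPA), and CWE-672 (operation on a resource after expiration — processing on withdrawn/expired consent).
+
+## Exploit Availability Matrix
+
+These are operational-integrity gaps, so the exploit is the absent control, reproduced with trivial means. A homoglyph-spelled sanctioned name is a copy-paste with lookalike code points; an alias variant is in the sanction list's own alias data. A forged consent string is a crafted request when no server record reconciles it. A falsely-completed erasure needs no attacker at all — it surfaces on audit or a re-request. The real-world priority is set by whether a prohibited party can clear screening on a live onboarding/payment path (regulatory + legal exposure) or whether personal data is systemically unlawfully processed or un-erased across the data estate (false compliance at scale).
+
+## Analysis Procedure
+
+1. Inspect the sanctions screen: does it normalize to a confusable-folded skeleton (NFKC + Unicode confusable folding) and apply the list's aliases + transliteration + bounded fuzzy match before deciding? 2. Inspect consent: is the signal integrity-bound to a server-side consent_log and re-validated (purpose, expiry, withdrawal) at processing time, not just capture? 3. Inspect DSR erasure: is "completed" gated on per-store deletion evidence, and is erasure propagated to every downstream copy and processor on a maintained data-map? 4. Inspect the ROPA: is it reconciled against actual data flows / processors on a cadence? Run the `privacy-consent-ops` playbook to execute these as detect indicators with false-positive checks, then score by prohibited-party admission risk and the breadth of unlawful / un-erased processing.
+
+## Output Format
+
+Report per control (sanctions screening, consent, DSR erasure, ROPA), marking each enforced / missing / inconclusive (visibility gap). For every missing control, state whether a prohibited party could clear screening, whether personal data is unlawfully processed or un-erased, and the affected population. Distinguish a control enforced by a dedicated layer (a confusable-folding screen, a consent platform, an evidence-gated workflow) from an absent one. Provide the prioritised remediation (normalize + alias/fuzzy screen, server-bind + re-validate consent, evidence-gate + propagate erasure, reconcile ROPA) and the negative validation tests (homoglyph name screened, forged consent rejected, erasure-completion gated) plus a functional test that legitimate parties, consents, and erasures proceed.
+
+## Compliance Theater Check
+
+The recurring theater is "we screen all parties against OFAC," "we capture user consent," and "erasure requests are completed." The distinguishing tests: submit a Cyrillic-lookalike spelling of a listed name (if it passes, the screen compares raw strings without confusable normalization); ask whether the consent signal is server-bound and re-validated (a client-presented string with no record is forgeable and stale); ask for the per-store erasure evidence and the downstream-propagation map (a "completed" flag with no proof leaves records live in indexes, backups, and processors). If any control reports success while the obligation is unmet, the process is paper and the verdict is theater.
+
+## Defensive Countermeasure Mapping
+
+Map findings to MITRE D3FEND: confusable-folding + alias/fuzzy screening realises Input Normalization and Identifier Reputation Analysis (countering T1036 evasion); server-bound + re-validated consent realises Authentication-Token Verification and Stored-Record Integrity (countering T1565.001 forged/stale consent); evidence-gated + propagated erasure realises Verifiable Deletion and Data-Inventory Mapping (countering T1070 false-erasure claims); ROPA reconciliation realises Asset/Processing Inventory accuracy. The sanctions-normalization control reuses the vendored Unicode confusable / codepoint-class tooling. The residual risk is a novel transliteration the alias list does not cover and a processor retaining data outside the data-map, accepted at the CISO level with periodic re-reconciliation.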
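Review bot: The frontmatter declares `- NIST-800-53-SI-2` under `framework_gaps`, but the Framework Lag Declaration argues the gap against NIST 800-53 SI-10 (input validation); SI-2 is Flaw Remediation and has nothing to do with confusable normalization before a screening decision, so one of the two is wrong and any tooling that reads the frontmatter (the gap detector named in the package description, presumably) will score against the mismatched control. Change the frontmatter entry to `- NIST-800-53-SI-10`, or rewrite the prose to name the control actually intended. Also, `data_deps` lists `cve-catalog.json`, `atlas-ttps.json` and `rfc-references.json` while `atlas_refs` is empty and no CVE or RFC is cited anywhere in the body, so those entries look carried over from a template rather than used; either drop them or add the references the text relies on so the manifest is honest about what grounds the skill. One practitioner caveat worth adding to step 1 of the Analysis Procedure: NFKC alone does not fold Cyrillic/Latin lookalikes — that requires a UTS #39 confusable skeleton plus removal of default-ignorable code points (zero-width joiners/spaces) — so phrase the check as `NFKC + default-ignorable removal + UTS #39 confusable skeleton` rather than leaving the reader to infer which folding is meant.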