@blamejs/exceptd-skills 0.16.22 → 0.16.24

package/scripts/build-indexes.js

@@ -3,7 +3,7 @@
  * scripts/build-indexes.js
  *
  * Produces pre-computed indexes under `data/_indexes/` so AI consumers
- * and downstream tooling don't have to scan all 38 skills + 10 catalogs
+ * and downstream tooling don't have to scan every skill + catalog
  * to answer routine cross-reference questions.
  *
  * Outputs (17 total):
@@ -56,6 +56,7 @@
 const fs = require("fs");
 const path = require("path");
 const crypto = require("crypto");
+const lint = require("../lib/lint-skills.js");
 
 const ROOT = path.join(__dirname, "..");
 const ABS = (p) => path.join(ROOT, p);
@@ -109,15 +110,47 @@ Examples:
 
 // --- Source loading (shared in-memory snapshot) -------------------------
 
+// Cross-reference fields the derived indexes key on. The manifest carries a
+// cache of these, but the skill frontmatter is the authoritative source — the
+// linter and staleness gate read frontmatter. Overlaying the parsed
+// frontmatter onto each skill record here means the indexes reflect the skill
+// bodies even when the manifest cache has drifted (e.g. dropping UK-CAF / AU
+// control mappings from framework_gaps). Array fields are overlaid only when
+// present in frontmatter; description is a scalar.
+const FRONTMATTER_ARRAY_FIELDS = [
+  "framework_gaps", "d3fend_refs", "cwe_refs", "atlas_refs",
+  "attack_refs", "rfc_refs", "triggers", "data_deps",
+];
+const FRONTMATTER_SCALAR_FIELDS = ["description"];
+
+function authoritativeSkill(entry, body) {
+  const { frontmatter } = lint.extractFrontmatterBlock(body);
+  const fm = lint.parseFrontmatter(frontmatter);
+  const merged = { ...entry };
+  for (const field of FRONTMATTER_ARRAY_FIELDS) {
+    if (Array.isArray(fm[field])) merged[field] = fm[field];
+  }
+  for (const field of FRONTMATTER_SCALAR_FIELDS) {
+    if (typeof fm[field] === "string") merged[field] = fm[field];
+  }
+  return merged;
+}
+
 function loadSources() {
   const manifest = readJson(ABS("manifest.json"));
-  const skills = manifest.skills;
-  const skillNames = new Set(skills.map((s) => s.name));
   const catalogFiles = fs.readdirSync(ABS("data")).filter((f) => f.endsWith(".json")).map((f) => "data/" + f);
 
   // Per-skill body cache so multiple builders don't re-read the same file.
   const skillBodies = {};
-  for (const s of skills) skillBodies[s.name] = fs.readFileSync(ABS(s.path), "utf8");
+  for (const s of manifest.skills) skillBodies[s.name] = fs.readFileSync(ABS(s.path), "utf8");
+
+  // Build the skill records from the authoritative frontmatter, falling back
+  // to the manifest cache for fields frontmatter doesn't carry (signatures,
+  // dlp_refs, etc.). Downstream builders read cross-reference arrays from
+  // these records, so this is the single point that keeps the indexes aligned
+  // with the skill bodies.
+  const skills = manifest.skills.map((s) => authoritativeSkill(s, skillBodies[s.name]));
+  const skillNames = new Set(skills.map((s) => s.name));
 
   const ctx = {
     root: ROOT,
@@ -157,7 +190,7 @@ const OUTPUTS = [
   {
     name: "xref",
     file: "xref.json",
-    deps: [isManifest],
+    deps: [isManifest, isAnySkillBody],
     build: (ctx) => {
       const xref = {
         cwe_refs: {}, d3fend_refs: {}, framework_gaps: {},
@@ -181,7 +214,7 @@ const OUTPUTS = [
   {
     name: "trigger-table",
     file: "trigger-table.json",
-    deps: [isManifest],
+    deps: [isManifest, isAnySkillBody],
     build: (ctx) => {
       const t = {};
       for (const s of ctx.skills) {
@@ -279,6 +312,7 @@ const OUTPUTS = [
     file: "chains.json",
     deps: [
       isManifest,
+      isAnySkillBody,
       isCatalog("cve-catalog"),
       isCatalog("cwe-catalog"),
       isCatalog("framework-control-gaps"),
@@ -429,7 +463,7 @@ const OUTPUTS = [
   {
     name: "frequency",
     file: "frequency.json",
-    deps: [isManifest, isAnyCatalog],
+    deps: [isManifest, isAnySkillBody, isAnyCatalog],
     build: (ctx) => {
       const { buildFrequency } = require("./builders/frequency");
       return buildFrequency({
@@ -445,7 +479,7 @@ const OUTPUTS = [
   {
     name: "activity-feed",
     file: "activity-feed.json",
-    deps: [isManifest, isAnyCatalog],
+    deps: [isManifest, isAnySkillBody, isAnyCatalog],
     build: (ctx) => {
       const { buildActivityFeed } = require("./builders/activity-feed");
       return buildActivityFeed({ root: ctx.root, manifest: ctx.manifest, skills: ctx.skills, catalogFiles: ctx.catalogFiles });

package/scripts/builders/cwe-chains.js

@@ -77,6 +77,7 @@ function buildCweChains({ skills, cweCatalog, atlasTtps, cveCatalog, frameworkGa
         title: rfcCatalog[r]?.title,
         status: rfcCatalog[r]?.status,
       })),
+      dlp_refs: [...accum.dlp_refs].sort(),
     };
 
     // Related CVEs: walk evidence_cves on the framework_gaps that the

package/scripts/builders/section-offsets.js

@@ -118,11 +118,19 @@ function buildOne(absPath, relPath) {
     const next = h2[j + 1];
     const startByte = lineByteOffsets[cur.idx];
     const endByte = next ? lineByteOffsets[next.idx] : totalBytes;
-    // Count H3 within this section.
+    // Count H3 within this section — fence-aware, the same way the H2 loop
+    // above is. A section starts and ends on an H2 header, both of which are
+    // outside any fence, so fence state always begins false here. "### Foo"
+    // lines inside ```...``` output templates are not real sub-sections.
     const endIdx = next ? next.idx : lines.length;
     let h3Count = 0;
+    let h3InFence = false;
     for (let k = cur.idx + 1; k < endIdx; k++) {
-      if (/^### /.test(lines[k])) h3Count++;
+      if (/^```/.test(lines[k])) {
+        h3InFence = !h3InFence;
+        continue;
+      }
+      if (!h3InFence && /^### /.test(lines[k])) h3Count++;
     }
     sections.push({
       name: cur.raw.replace(/^##\s+/, ""),

package/scripts/builders/token-budget.js

@@ -26,10 +26,10 @@
  *     }
  *   }
  *
- * Plus a totals block:
+ * Corpus totals live under the top-level `_meta` block:
  *   {
- *     total_chars, total_approx_tokens,
- *     by_recipe: { … } — placeholder consumers can use to estimate bundles
+ *     schema_version, tokenizer_note, approx_chars_per_token,
+ *     total_chars, total_approx_tokens, skill_count
  *   }
  */
 

package/scripts/check-changelog-extract.js

@@ -100,6 +100,35 @@ function readPackageVersion() {
   return JSON.parse(fs.readFileSync(PACKAGE_JSON, 'utf8')).version;
 }
 
+// Every previously released version must keep its own `## <version> ` heading.
+// The release flow edits the TOP of the file; an edit that replaces the prior
+// release's heading instead of inserting above it silently merges that
+// release's notes into the new section — the extract then spans multiple
+// releases and the public release body republishes old notes under the new
+// version. Tags are the authoritative record of what was released.
+// Tags whose release never published: the tag-push event was dropped (e.g.
+// a GitHub Actions outage) and — because the v* ruleset forbids re-pushing a
+// tag — the recovery is a version bump re-released with the same notes under
+// the NEW heading. The orphan tag therefore legitimately has no CHANGELOG
+// entry of its own. Tag exists, npm/GitHub Release do not.
+const ORPHAN_RELEASE_TAGS = new Set(['0.13.111', '0.15.25']);
+
+function releasedVersionsFromTags() {
+  try {
+    const out = require('node:child_process').execFileSync('git', ['tag', '-l', 'v*'], { cwd: ROOT, encoding: 'utf8' });
+    return out.split(/\r?\n/)
+      .map((t) => (t.match(/^v(\d+\.\d+\.\d+)$/) || [])[1])
+      .filter((v) => v && !ORPHAN_RELEASE_TAGS.has(v));
+  } catch {
+    // git absent or tags not fetched (shallow checkout) — nothing to check.
+    return [];
+  }
+}
+
+function missingReleasedHeadings(text, versions) {
+  return versions.filter((v) => !headingLine(text, v));
+}
+
 function main() {
   const version = process.argv[2] || readPackageVersion();
   if (!/^\d+\.\d+\.\d+$/.test(version)) {
@@ -130,6 +159,14 @@ function main() {
     return;
   }
 
+  const missing = missingReleasedHeadings(text, releasedVersionsFromTags());
+  if (missing.length > 0) {
+    console.error('[check-changelog-extract] FAIL: released version(s) lost their CHANGELOG heading: ' + missing.map((v) => '## ' + v).join(', '));
+    console.error('[check-changelog-extract] A new entry must be INSERTED ABOVE the previous release heading, never replace it — otherwise the prior release\'s notes merge into the new section and republish in the new release body.');
+    process.exitCode = 1;
+    return;
+  }
+
   const section = extractSection(text, version);
   if (section.length === 0) {
     console.error('[check-changelog-extract] FAIL: v' + version + ' section is empty — the release body would fall back to the generic "Release of v' + version + '." line.');
@@ -153,6 +190,6 @@ function main() {
   process.exitCode = 0;
 }
 
-module.exports = { extractSection, headingLine, lintOperatorClean, FORBIDDEN };
+module.exports = { extractSection, headingLine, lintOperatorClean, FORBIDDEN, missingReleasedHeadings, releasedVersionsFromTags };
 
 if (require.main === module) main();

package/scripts/check-sbom-currency.js

@@ -31,6 +31,39 @@ function resolveRoot(argv) {
   return path.join(__dirname, "..");
 }
 
+// Entry count for a data/*.json catalog: keys minus the _meta sentinel. The
+// catalogs are objects keyed by entry id (CVE-…, CWE-…, T…, AML.T…, D3-…,
+// RFC-…) with a single _meta block, so the live entry total is the key count
+// excluding _meta.
+function catalogEntryCount(dataDir, file) {
+  const p = path.join(dataDir, file);
+  // A --root pointed at a partial tree (no such catalog file) skips that
+  // token's check rather than crashing — catalog PRESENCE is asserted by
+  // the cardinality check above and the per-component hash check below,
+  // not by the description parser.
+  if (!fs.existsSync(p)) return null;
+  const j = JSON.parse(fs.readFileSync(p, "utf8"));
+  if (Array.isArray(j)) return j.length;
+  if (j && typeof j === "object") {
+    return Object.keys(j).filter((k) => k !== "_meta").length;
+  }
+  return 0;
+}
+
+// The description string embeds per-catalog ENTRY counts as free text, e.g.
+// "11 catalogs (439 CVEs / 177 CWEs / 805 ATT&CK + ICS / 170 ATLAS /
+// 468 D3FEND / 8888 RFCs)". Each token maps to one data/*.json catalog whose
+// live entry count must match. `label` is the regex-escaped text that follows
+// the number in the description.
+const DESCRIPTION_ENTRY_TOKENS = [
+  { file: "cve-catalog.json", label: "CVEs" },
+  { file: "cwe-catalog.json", label: "CWEs" },
+  { file: "attack-techniques.json", label: "ATT&CK \\+ ICS" },
+  { file: "atlas-ttps.json", label: "ATLAS" },
+  { file: "d3fend-catalog.json", label: "D3FEND" },
+  { file: "rfc-references.json", label: "RFCs" },
+];
+
 function checkSbomCurrency(root) {
   const sbomPath = path.join(root, "sbom.cdx.json");
   const manifestPath = path.join(root, "manifest.json");
@@ -64,6 +97,45 @@ function checkSbomCurrency(root) {
     errors.push("SBOM is not CycloneDX 1.6");
   }
 
+  // The SBOM ships per-catalog entry counts and a skill count embedded as free
+  // text in metadata.component.description (propagated verbatim from
+  // package.json). The numeric properties above only cover catalog/skill
+  // CARDINALITY (file count + skill count), so a catalog's entry total can
+  // drift past the count baked into the description while the dedicated SBOM
+  // gate still passes. Parse each token out of the description and assert it
+  // against the live entry count so a stale published-SBOM description fails
+  // the gate.
+  const description =
+    (sbom.metadata && sbom.metadata.component && sbom.metadata.component.description) || "";
+  for (const { file, label } of DESCRIPTION_ENTRY_TOKENS) {
+    const live = catalogEntryCount(dataDir, file);
+    if (live === null) continue;
+    const m = description.match(new RegExp("(\\d+)\\s+" + label + "\\b"));
+    if (!m) {
+      errors.push(
+        `SBOM description is missing the "${file.replace(/\.json$/, "")}" entry-count token (${label}) — regenerate via \`npm run refresh-sbom\``
+      );
+      continue;
+    }
+    const stated = Number(m[1]);
+    if (stated !== live) {
+      errors.push(
+        `SBOM description entry count for ${label} is ${stated} but live ${file} has ${live} — description is stale; update package.json.description and \`npm run refresh-sbom\``
+      );
+    }
+  }
+  // The skill count is embedded in the same description string ("N skills").
+  const skillMatch = description.match(/(\d+)\s+skills\b/);
+  if (!skillMatch) {
+    errors.push(
+      "SBOM description is missing the skill-count token (N skills) — regenerate via `npm run refresh-sbom`"
+    );
+  } else if (Number(skillMatch[1]) !== liveSkills) {
+    errors.push(
+      `SBOM description skill count is ${Number(skillMatch[1])} but live manifest has ${liveSkills} skills — description is stale; update package.json.description and \`npm run refresh-sbom\``
+    );
+  }
+
   // component-level cross-check. A renamed or version-bumped
   // skill that never made it into the SBOM refresh will pass the count
   // check (the cardinality is unchanged) but the per-component name +

package/scripts/check-version-tags.js

@@ -70,6 +70,11 @@ const COMMENT_EXEMPT = new Set([
   // MUST embed real `## X.Y.Z` headings (e.g. 0.15.5 vs 0.15.50) — load-bearing
   // test data, not sprinkled release tags.
   "tests/check-changelog-extract.test.js",
+  // The extract gate's orphan-tag allowlist must name the exact versions of
+  // tags that exist with no published release (outage-recovery bumps), so the
+  // heading-completeness check can skip them — load-bearing references to git
+  // tags, an authoritative version surface.
+  "scripts/check-changelog-extract.js",
 ]);
 
 // Git-ignored files (a contributor's local-only working docs, scratch) are

package/scripts/release.js

@@ -503,21 +503,27 @@ function cmdRelease() {
   if (runId) {
     _run("gh", ["run", "watch", runId, "--exit-status"], { allowFail: true });
     var concl = _capture("gh", ["run", "view", runId, "--json", "conclusion", "--jq", ".conclusion"]).stdout;
+    // A non-success conclusion is a hard failure: the publish either failed or
+    // is unconfirmable, and either way the release is not done. Warning-and-
+    // continuing let a stalled publish read as a clean release.
     if (concl !== "success") {
-      console.error("warning: release.yml conclusion=" + concl + " — re-check before trusting npm");
-    } else {
-      _ok("release.yml: success");
+      throw new Error("release: release.yml conclusion=" + (concl || "(unknown)") +
+        " — the publish workflow did not finish successfully; re-check release.yml before treating the release as done");
     }
+    _ok("release.yml: success");
   } else {
-    console.log("no release.yml run found yet (tag push may still be propagating)");
+    throw new Error("release: no release.yml run found for the tag — the publish workflow has not started; " +
+      "confirm the tag was pushed and the workflow fired before treating the release as done");
   }
 
   _section("verify npm");
   var npmVersion = _capture("npm", ["view", PKG_NAME, "version"]).stdout;
   console.log("npm " + PKG_NAME + ": " + (npmVersion || "(unable to query)") + "   (expected " + next + ")");
+  // Require a POSITIVE confirmation: the queried npm version must equal `next`.
+  // The hard failure is asserted at the end of the phase (after the tarball
+  // verify). An empty stdout (registry/auth/network failure) is treated as a
+  // mismatch — an unconfirmable publish is a failure, not a success.
   if (npmVersion === next) _ok("npm matches " + next);
-  // A mismatch is asserted as a hard failure at the end of the phase (after
-  // the tarball verify), so a stalled publish can't read as a clean release.
 
   _section("fresh-tarball signature verify");
   // Verify against the EXACT bytes a downstream consumer installs — the
@@ -535,18 +541,19 @@ function cmdRelease() {
     throw new Error("release: scripts/verify-shipped-tarball.js missing — cannot verify the shipped artifact");
   }
 
-  // An npm-version mismatch after the workflow finished is not mere
-  // propagation lag — fail so a stalled/failed publish can't read as a
-  // completed release. (A genuinely in-flight publish is caught by the
-  // workflow-conclusion check above; by the time we query npm post-watch the
-  // version should be live.)
-  if (npmVersion && npmVersion !== next) {
-    throw new Error("release: npm shows " + npmVersion + " but expected " + next +
-      " — publish did not complete; re-check release.yml before treating the release as done");
+  // Require a positive npm confirmation after the workflow finished. A version
+  // that is empty (query failed) OR != next is not mere propagation lag — fail
+  // so a stalled/failed/unconfirmable publish can't read as a completed
+  // release. (A genuinely in-flight publish is caught by the workflow-
+  // conclusion check above; by the time we query npm post-watch the version
+  // should be live.) The message reports the value actually queried.
+  if (npmVersion !== next) {
+    throw new Error("release: npm shows " + (npmVersion || "(unable to query)") + " but expected " + next +
+      " — publish did not complete or could not be confirmed; re-check release.yml before treating the release as done");
   }
 
   console.log("\nThe landing site auto-injects the version from jsDelivr @latest — no manual deploy.");
-  console.log("Release complete: npm shows " + next + " and the shipped tarball verifies.");
+  console.log("Release complete: npm shows " + npmVersion + " and the shipped tarball verifies.");
 }
 
 function cmdAll(opts) {

package/skills/exploit-scoring/skill.md

@@ -109,7 +109,7 @@ RWEP = min(100, max(0,
   (poc_public    × 20) +
   (ai_assisted   × 15) +
   (active_expl   × 20) +
-  (blast_radius  × 15) -
+  (blast_radius  × 30) -
   (patch_avail   × 15) -
   (live_patch    × 10) +
   (reboot_req    × 5)
@@ -135,11 +135,11 @@ RWEP = min(100, max(0,
 - Score contribution: +20 points if confirmed
 - Rationale: Confirmed exploitation means the threat is not theoretical. Treat as an incident-level response trigger.
 
-**blast_radius** (0.0 to 1.0 scaled to 0–15): How broad is the affected population?
-- 15 points: Affects all Linux systems since a specific kernel version (e.g., Copy Fail: all 4.14+)
-- 10 points: Affects a major distribution's default configuration
-- 7 points: Affects a specific distribution or configuration
-- 3 points: Affects a narrow software version range
+**blast_radius** (0.0 to 1.0 scaled to 0–30): How broad is the affected population?
+- 30 points: Affects all Linux systems since a specific kernel version (e.g., Copy Fail: all 4.14+)
+- 20 points: Affects a major distribution's default configuration
+- 14 points: Affects a specific distribution or configuration
+- 6 points: Affects a narrow software version range
 - 0 points: Affects only highly specific configurations
 
 **patch_avail** (0 or 1): Is a patch available?
@@ -290,7 +290,7 @@ For a CVE not in the pre-calculated catalog, collect:
 
 ### Step 2: Apply RWEP formula
 
-Calculate factor values (binary 0/1 or scaled 0–1 for blast radius) and apply formula.
+Calculate factor values (binary 0/1, or scaled 0–30 for blast radius) and apply formula.
 
 ### Step 3: Generate remediation timeline
 
@@ -336,7 +336,7 @@ The skill produces a per-CVE Exploit Priority Assessment showing the RWEP score,
 | PoC Public | Yes/No | +20/0 |
 | AI-Assisted | Yes/No | +15/0 |
 | Active Exploitation | Confirmed/Suspected/No | +20/+10/0 |
-| Blast Radius | [description] | [0-15] |
+| Blast Radius | [description] | [0-30] |
 | Patch Available | Yes/No | -15/0 |
 | Live Patch Available | Yes/No | -10/0 |
 | Reboot Required | Yes/No | +5/0 |