@blamejs/exceptd-skills 0.16.22 → 0.16.24

package/data/_indexes/token-budget.json

@@ -3,8 +3,8 @@
     "schema_version": "1.0.0",
     "tokenizer_note": "Character-density approximation: 1 token ≈ 4 chars. This is the canonical rule-of-thumb for OpenAI tokenizers on English+technical text. Claude's tokenizer is typically more efficient on prose; treat this as an upper-bound budget for both. Consumers with stricter precision needs should re-tokenize with their own tokenizer.",
     "approx_chars_per_token": 4,
-    "total_chars": 1743803,
-    "total_approx_tokens": 435954,
+    "total_chars": 1743806,
+    "total_approx_tokens": 435955,
     "skill_count": 51
   },
   "skills": {
@@ -300,10 +300,10 @@
     },
     "exploit-scoring": {
       "path": "skills/exploit-scoring/skill.md",
-      "bytes": 30227,
-      "chars": 30043,
+      "bytes": 30230,
+      "chars": 30046,
       "lines": 391,
-      "approx_tokens": 7511,
+      "approx_tokens": 7512,
       "approx_chars_per_token": 4,
       "sections": {
         "frontmatter-scope": {
@@ -332,8 +332,8 @@
           "approx_tokens": 435
         },
         "rwep-formula": {
-          "bytes": 2866,
-          "chars": 2856,
+          "bytes": 2867,
+          "chars": 2857,
           "approx_tokens": 714
         },
         "pre-calculated-rwep-scores": {
@@ -347,9 +347,9 @@
           "approx_tokens": 373
         },
         "analysis-procedure": {
-          "bytes": 1691,
-          "chars": 1665,
-          "approx_tokens": 416
+          "bytes": 1693,
+          "chars": 1667,
+          "approx_tokens": 417
         },
         "output-format": {
           "bytes": 1645,

package/data/_indexes/trigger-table.json

@@ -11,12 +11,18 @@
   "dirty frag": [
     "kernel-lpe-triage"
   ],
+  "fragnesia": [
+    "kernel-lpe-triage"
+  ],
   "cve-2026-31431": [
     "kernel-lpe-triage"
   ],
   "cve-2026-43284": [
     "kernel-lpe-triage"
   ],
+  "cve-2026-46300": [
+    "kernel-lpe-triage"
+  ],
   "linux root": [
     "kernel-lpe-triage"
   ],
@@ -1459,9 +1465,18 @@
   "age assurance": [
     "age-gates-child-safety"
   ],
+  "child safety": [
+    "age-gates-child-safety"
+  ],
   "child online safety": [
     "age-gates-child-safety"
   ],
+  "children's online safety": [
+    "age-gates-child-safety"
+  ],
+  "youth safety": [
+    "age-gates-child-safety"
+  ],
   "coppa": [
     "age-gates-child-safety"
   ],
@@ -1492,18 +1507,12 @@
   "csam": [
     "age-gates-child-safety"
   ],
-  "child safety": [
-    "age-gates-child-safety"
-  ],
   "ofcom": [
     "age-gates-child-safety"
   ],
   "esafety": [
     "age-gates-child-safety"
   ],
-  "children's online safety": [
-    "age-gates-child-safety"
-  ],
   "cloud iam compromise": [
     "cloud-iam-incident"
   ],

package/data/_indexes/xref.json

@@ -79,6 +79,7 @@
       "webapp-security"
     ],
     "CWE-918": [
+      "ai-c2-detection",
       "api-security",
       "attack-surface-pentest",
       "log-injection-telemetry",
@@ -292,73 +293,142 @@
       "kernel-lpe-triage"
     ],
     "D3-EAL": [
+      "ai-attack-surface",
       "attack-surface-pentest",
+      "cloud-security",
+      "container-runtime-security",
       "defensive-countermeasure-mapping",
       "dlp-gap-analysis",
       "fuzz-testing-strategy",
       "kernel-lpe-triage",
       "mcp-agent-trust",
-      "supply-chain-integrity"
+      "mlops-security",
+      "sector-energy",
+      "sector-federal-government",
+      "supply-chain-integrity",
+      "webapp-security"
+    ],
+    "D3-PA": [
+      "defensive-countermeasure-mapping",
+      "kernel-lpe-triage"
     ],
     "D3-PHRA": [
       "defensive-countermeasure-mapping",
       "kernel-lpe-triage"
     ],
     "D3-PSEP": [
+      "container-runtime-security",
       "defensive-countermeasure-mapping",
       "fuzz-testing-strategy",
+      "kernel-lpe-triage",
+      "sector-energy"
+    ],
+    "D3-SCP": [
+      "defensive-countermeasure-mapping",
       "kernel-lpe-triage"
     ],
     "D3-IOPR": [
+      "age-gates-child-safety",
       "ai-attack-surface",
       "ai-c2-detection",
+      "ai-risk-management",
+      "api-security",
       "cloud-iam-incident",
+      "cloud-security",
+      "container-runtime-security",
       "defensive-countermeasure-mapping",
       "dlp-gap-analysis",
+      "email-security-anti-phishing",
       "fuzz-testing-strategy",
       "idp-incident-response",
+      "incident-response-playbook",
+      "mlops-security",
       "rag-pipeline-security",
       "ransomware-response",
-      "sector-telecom"
+      "sector-financial",
+      "sector-healthcare",
+      "sector-telecom",
+      "webapp-security"
     ],
     "D3-NTA": [
       "ai-attack-surface",
       "ai-c2-detection",
+      "api-security",
       "attack-surface-pentest",
       "cloud-iam-incident",
+      "cloud-security",
       "defensive-countermeasure-mapping",
       "dlp-gap-analysis",
+      "email-security-anti-phishing",
       "idp-incident-response",
+      "incident-response-playbook",
       "rag-pipeline-security",
       "ransomware-response",
-      "sector-telecom"
+      "sector-energy",
+      "sector-financial",
+      "sector-telecom",
+      "webapp-security"
     ],
-    "D3-CBAN": [
-      "cloud-iam-incident",
+    "D3-FAPA": [
+      "ai-attack-surface",
       "defensive-countermeasure-mapping",
-      "idp-incident-response",
-      "mcp-agent-trust",
-      "supply-chain-integrity"
+      "rag-pipeline-security"
     ],
     "D3-CSPP": [
+      "age-gates-child-safety",
+      "ai-attack-surface",
       "ai-c2-detection",
+      "api-security",
       "attack-surface-pentest",
       "defensive-countermeasure-mapping",
       "dlp-gap-analysis",
+      "email-security-anti-phishing",
+      "identity-assurance",
+      "incident-response-playbook",
       "mcp-agent-trust",
       "rag-pipeline-security",
-      "ransomware-response"
+      "ransomware-response",
+      "sector-healthcare",
+      "webapp-security"
+    ],
+    "D3-CAA": [
+      "cloud-iam-incident",
+      "mcp-agent-trust"
+    ],
+    "D3-CBAN": [
+      "api-security",
+      "cloud-iam-incident",
+      "cloud-security",
+      "defensive-countermeasure-mapping",
+      "idp-incident-response",
+      "mcp-agent-trust",
+      "sector-federal-government",
+      "sector-financial",
+      "supply-chain-integrity"
     ],
     "D3-EHB": [
+      "container-runtime-security",
       "defensive-countermeasure-mapping",
       "mcp-agent-trust",
+      "mlops-security",
+      "sector-federal-government",
       "supply-chain-integrity"
     ],
     "D3-MFA": [
+      "age-gates-child-safety",
+      "api-security",
       "cloud-iam-incident",
       "defensive-countermeasure-mapping",
+      "email-security-anti-phishing",
+      "identity-assurance",
       "idp-incident-response",
-      "mcp-agent-trust"
+      "mcp-agent-trust",
+      "sector-financial",
+      "sector-healthcare",
+      "webapp-security"
+    ],
+    "D3-FCR": [
+      "rag-pipeline-security"
     ],
     "D3-CA": [
       "ai-c2-detection",
@@ -370,13 +440,18 @@
     ],
     "D3-NI": [
       "ai-c2-detection",
+      "container-runtime-security",
       "defensive-countermeasure-mapping",
+      "sector-energy",
       "sector-telecom"
     ],
     "D3-NTPM": [
       "ai-c2-detection",
+      "cloud-security",
+      "container-runtime-security",
       "defensive-countermeasure-mapping",
       "dlp-gap-analysis",
+      "sector-energy",
       "sector-telecom"
     ],
     "D3-FE": [
@@ -387,21 +462,10 @@
       "defensive-countermeasure-mapping",
       "pqc-first"
     ],
-    "D3-FAPA": [
-      "defensive-countermeasure-mapping"
-    ],
-    "D3-PA": [
-      "defensive-countermeasure-mapping"
-    ],
     "D3-RPA": [
       "defensive-countermeasure-mapping",
+      "incident-response-playbook",
       "ransomware-response"
-    ],
-    "D3-SCP": [
-      "defensive-countermeasure-mapping"
-    ],
-    "D3-CAA": [
-      "cloud-iam-incident"
     ]
   },
   "framework_gaps": {
@@ -414,9 +478,12 @@
       "privacy-consent-ops"
     ],
     "ISO-27001-2022-A.8.8": [
+      "attack-surface-pentest",
       "coordinated-vuln-disclosure",
       "kernel-lpe-triage",
-      "mail-server-hardening"
+      "mail-server-hardening",
+      "ot-ics-security",
+      "sector-energy"
     ],
     "PCI-DSS-4.0-6.3.3": [
       "kernel-lpe-triage",
@@ -437,6 +504,17 @@
       "exploit-scoring",
       "kernel-lpe-triage"
     ],
+    "UK-CAF-D1": [
+      "coordinated-vuln-disclosure",
+      "incident-response-playbook",
+      "kernel-lpe-triage",
+      "sector-energy",
+      "sector-healthcare"
+    ],
+    "AU-Essential-8-Patch": [
+      "coordinated-vuln-disclosure",
+      "kernel-lpe-triage"
+    ],
     "ALL-AI-PIPELINE-INTEGRITY": [
       "ai-attack-surface",
       "compliance-theater"
@@ -486,6 +564,42 @@
       "identity-assurance",
       "sector-financial"
     ],
+    "EU-AI-Act-Art-15": [
+      "ai-attack-surface",
+      "ai-risk-management",
+      "mcp-agent-trust",
+      "mlops-security",
+      "rag-pipeline-security"
+    ],
+    "UK-CAF-A1": [
+      "ai-attack-surface",
+      "ai-risk-management",
+      "attack-surface-pentest",
+      "mcp-agent-trust",
+      "mlops-security",
+      "sector-federal-government",
+      "sector-financial",
+      "supply-chain-integrity",
+      "threat-modeling-methodology"
+    ],
+    "AU-Essential-8-App-Hardening": [
+      "ai-attack-surface",
+      "ai-c2-detection",
+      "ai-risk-management",
+      "api-security",
+      "attack-surface-pentest",
+      "container-runtime-security",
+      "dlp-gap-analysis",
+      "email-security-anti-phishing",
+      "mcp-agent-trust",
+      "mlops-security",
+      "ot-ics-security",
+      "rag-pipeline-security",
+      "sector-federal-government",
+      "supply-chain-integrity",
+      "threat-modeling-methodology",
+      "webapp-security"
+    ],
     "ALL-MCP-TOOL-TRUST": [
       "mcp-agent-trust"
     ],
@@ -544,6 +658,17 @@
       "mlops-security",
       "rag-pipeline-security"
     ],
+    "UK-CAF-B2": [
+      "age-gates-child-safety",
+      "api-security",
+      "cloud-security",
+      "container-runtime-security",
+      "identity-assurance",
+      "ot-ics-security",
+      "rag-pipeline-security",
+      "vc-wallet-trust",
+      "webapp-security"
+    ],
     "NIST-800-53-SC-7": [
       "ai-c2-detection",
       "dlp-gap-analysis"
@@ -561,6 +686,29 @@
       "email-security-anti-phishing",
       "incident-response-playbook"
     ],
+    "NIS2-Art21-incident-handling": [
+      "age-gates-child-safety",
+      "ai-c2-detection",
+      "api-security",
+      "cloud-security",
+      "container-runtime-security",
+      "coordinated-vuln-disclosure",
+      "dlp-gap-analysis",
+      "email-security-anti-phishing",
+      "identity-assurance",
+      "incident-response-playbook",
+      "sector-federal-government",
+      "sector-financial",
+      "sector-healthcare",
+      "supply-chain-integrity",
+      "threat-modeling-methodology",
+      "webapp-security"
+    ],
+    "UK-CAF-C1": [
+      "ai-c2-detection",
+      "dlp-gap-analysis",
+      "email-security-anti-phishing"
+    ],
     "NIST-800-53-SC-28": [
       "dlp-gap-analysis",
       "pqc-first"
@@ -627,6 +775,12 @@
       "identity-assurance",
       "sector-financial"
     ],
+    "AU-Essential-8-MFA": [
+      "age-gates-child-safety",
+      "cloud-security",
+      "identity-assurance",
+      "sector-financial"
+    ],
     "NIST-800-82r3": [
       "ot-ics-security",
       "sector-energy"
@@ -639,6 +793,11 @@
       "ot-ics-security",
       "sector-energy"
     ],
+    "AU-Essential-8-Backup": [
+      "incident-response-playbook",
+      "sector-energy",
+      "sector-healthcare"
+    ],
     "FCC-CPNI-4.1": [
       "sector-telecom"
     ],
@@ -740,9 +899,6 @@
     "OFAC-Sanctions-Threat-Actor-Negotiation": [
       "idp-incident-response"
     ],
-    "UK-CAF-B2": [
-      "vc-wallet-trust"
-    ],
     "NIS2-Art21-network-security": [
       "audit-log-integrity",
       "decompression-dos",
@@ -1174,9 +1330,45 @@
     "RFC-9106": [
       "pqc-first"
     ],
+    "ISO-29147": [
+      "coordinated-vuln-disclosure"
+    ],
+    "ISO-30111": [
+      "coordinated-vuln-disclosure"
+    ],
+    "RFC-9116": [
+      "coordinated-vuln-disclosure"
+    ],
+    "CSAF-2.0": [
+      "coordinated-vuln-disclosure"
+    ],
     "RFC-9622": [
       "sector-telecom"
     ],
+    "RFC-6545": [
+      "incident-response-playbook"
+    ],
+    "RFC-6546": [
+      "incident-response-playbook"
+    ],
+    "RFC-7970": [
+      "incident-response-playbook"
+    ],
+    "RFC-7489": [
+      "email-security-anti-phishing"
+    ],
+    "RFC-6376": [
+      "email-security-anti-phishing"
+    ],
+    "RFC-7208": [
+      "email-security-anti-phishing"
+    ],
+    "RFC-8616": [
+      "email-security-anti-phishing"
+    ],
+    "RFC-8461": [
+      "email-security-anti-phishing"
+    ],
     "RFC-8693": [
       "cloud-iam-incident"
     ],

package/data/cve-catalog.json

@@ -3010,12 +3010,12 @@
     "attack_refs": [
       "T1592"
     ],
-    "rwep_score": 30,
+    "rwep_score": 35,
     "rwep_factors": {
       "cisa_kev": 0,
       "poc_available": 20,
       "ai_factor": 0,
-      "active_exploitation": 0,
+      "active_exploitation": 5,
       "blast_radius": 25,
       "patch_available": -15,
       "live_patch_available": 0,
@@ -4983,7 +4983,7 @@
     "attack_refs": [
       "T1068"
     ],
-    "rwep_score": 30,
+    "rwep_score": 35,
     "rwep_factors": {
       "cisa_kev": 0,
       "poc_available": 20,
@@ -4992,9 +4992,9 @@
       "blast_radius": 25,
       "patch_available": -15,
       "live_patch_available": 0,
-      "reboot_required": 0
+      "reboot_required": 5
     },
-    "rwep_notes": "RWEP 30 today (T+3). Score will jump to 50 (+25 KEV) on CISA KEV listing — expected within weeks once exploitation observed. Reboot-required nature adds operator friction not captured in RWEP — practical exposure window is longer than the math suggests because reboot scheduling lags kernel-package availability. blast_radius 25 reflects every Linux host running setuid ssh-keysign or chage (every default OpenSSH + shadow-utils install). Live-patch credit deferred until KernelCare ships.",
+    "rwep_notes": "RWEP 35 today (T+3). Score will jump to 60 (+25 KEV) on CISA KEV listing — expected within weeks once exploitation observed. Reboot-required nature adds operator friction not captured in RWEP — practical exposure window is longer than the math suggests because reboot scheduling lags kernel-package availability. blast_radius 25 reflects every Linux host running setuid ssh-keysign or chage (every default OpenSSH + shadow-utils install). Live-patch credit deferred until KernelCare ships.",
     "cwe_refs": [
       "CWE-672",
       "CWE-362"
@@ -7615,11 +7615,11 @@
       "cisa_kev": 0,
       "poc_available": 20,
       "ai_factor": 0,
-      "active_exploitation": 5,
+      "active_exploitation": 0,
       "blast_radius": 25,
       "patch_available": -15,
       "live_patch_available": 0,
-      "reboot_required": 0
+      "reboot_required": 5
     },
     "cwe_refs": [
       "CWE-362",
@@ -21079,7 +21079,7 @@
     "attack_refs": [
       "T1203"
     ],
-    "rwep_score": 70,
+    "rwep_score": 65,
     "rwep_factors": {
       "cisa_kev": 25,
       "poc_available": 20,
@@ -21088,9 +21088,9 @@
       "blast_radius": 15,
       "patch_available": -15,
       "live_patch_available": 0,
-      "reboot_required": 5
+      "reboot_required": 0
     },
-    "rwep_notes": "P1 — KEV-listed legacy client-side RCE; blast_radius=15 (legacy-constrained). Draft (KEV-gap-fill).",
+    "rwep_notes": "P1 — KEV-listed legacy client-side RCE; blast_radius=15 (legacy-constrained). Client-application patch (APSB09-15) does not require a reboot. Draft (KEV-gap-fill).",
     "epss_score": null,
     "epss_date": "2026-05-25",
     "epss_note": "EPSS not pulled for this KEV-gap-fill draft.",

package/data/cwe-catalog.json

@@ -1913,6 +1913,7 @@
       "CAPEC-664"
     ],
     "skills_referencing": [
+      "ai-c2-detection",
       "api-security",
       "attack-surface-pentest",
       "log-injection-telemetry",

package/lib/auto-discovery.js

@@ -29,6 +29,7 @@
 
 const fs = require("fs");
 const path = require("path");
+const crypto = require("crypto");
 const { scoreCustom, RWEP_WEIGHTS, ACTIVE_EXPLOITATION_LADDER } = require("./scoring");
 
 // Stored rwep_factors must reproduce the stored rwep_score.
@@ -138,12 +139,49 @@ const RFC_STATUS_MAP = {
   unkn: "Unknown",
 };
 
+// Read a per-source cache payload and verify its integrity against the
+// signed _index.json before returning it. Values from these files flow into
+// auto-imported catalog drafts (CVSS / CWE / EPSS), so an unverified read
+// would let an attacker who dropped a forged payload between prefetch and
+// refresh inject false mechanical fields. Discovery cannot throw (it returns
+// drafts, not errors), so the fail-closed action is to return null — the
+// payload is treated as absent and the draft keeps its null mechanical
+// fields, the same fallback used when no cache file exists.
+//
+// Integrity policy, mirroring the hardened drift reader in
+// refresh-external.js but never throwing:
+//   - _index.json present, has a per-entry sha256, payload matches -> return.
+//   - _index.json present, has a per-entry sha256, payload MISMATCHES ->
+//     return null. This is the core defense: a freshly-DISCOVERED CVE's
+//     NVD/EPSS sidecar dropped into a cache that already carries a valid
+//     signed index has no matching entry, and a tampered legit entry no
+//     longer hashes — both refuse to populate.
+//   - _index.json present but no entry for this source/id -> return null
+//     (the inject-alongside-a-signed-cache vector).
+//   - _index.json absent entirely -> unverified read. The --from-cache
+//     signature gate (loadCtx) already refuses an unsigned cache before
+//     consume unless --force-stale, so an index-less cache only reaches here
+//     under that explicit operator override or a direct library caller.
 function readCachedJson(cacheDir, source, id) {
   if (!cacheDir) return null;
   const safe = String(id).replace(/[^A-Za-z0-9._-]/g, "_");
   const p = path.join(cacheDir, source, `${safe}.json`);
   if (!fs.existsSync(p)) return null;
-  try { return JSON.parse(fs.readFileSync(p, "utf8")); } catch { return null; }
+  let parsed;
+  try { parsed = JSON.parse(fs.readFileSync(p, "utf8")); } catch { return null; }
+
+  const indexPath = path.join(cacheDir, "_index.json");
+  if (!fs.existsSync(indexPath)) return parsed;
+  let idx;
+  try { idx = JSON.parse(fs.readFileSync(indexPath, "utf8")); } catch { return null; }
+  const meta = idx && idx.entries && idx.entries[`${source}/${id}`];
+  if (!meta || typeof meta.sha256 !== "string") return null;
+  // The sha256 recorded at prefetch time is computed over JSON.stringify of
+  // the parsed payload (unindented), so round-trip + re-stringify to compute
+  // the comparable hash.
+  const actual = crypto.createHash("sha256").update(JSON.stringify(parsed)).digest("hex");
+  if (actual !== meta.sha256) return null;
+  return parsed;
 }
 
 function extractNvdMetrics(payload) {