@blamejs/exceptd-skills 0.16.25 → 0.16.29

Files changed (79) hide show
  1. package/AGENTS.md +5 -5
  2. package/ARCHITECTURE.md +3 -3
  3. package/CHANGELOG.md +28 -0
  4. package/CONTEXT.md +2 -2
  5. package/README.md +6 -6
  6. package/agents/threat-researcher.md +2 -2
  7. package/bin/exceptd.js +41 -8
  8. package/data/_indexes/_meta.json +41 -40
  9. package/data/_indexes/activity-feed.json +240 -240
  10. package/data/_indexes/catalog-summaries.json +3 -3
  11. package/data/_indexes/currency.json +64 -64
  12. package/data/_indexes/jurisdiction-map.json +31 -158
  13. package/data/_indexes/recipes.json +1 -1
  14. package/data/_indexes/section-offsets.json +510 -510
  15. package/data/_indexes/summary-cards.json +33 -33
  16. package/data/_indexes/token-budget.json +200 -200
  17. package/data/atlas-ttps.json +7 -7
  18. package/data/attack-techniques.json +5 -5
  19. package/data/framework-control-gaps.json +3 -3
  20. package/lib/auto-discovery.js +15 -9
  21. package/lib/collectors/library-author.js +26 -9
  22. package/lib/collectors/secrets.js +8 -1
  23. package/lib/cvss.js +108 -0
  24. package/lib/lint-skills.js +6 -1
  25. package/lib/playbook-runner.js +17 -4
  26. package/lib/prefetch.js +97 -5
  27. package/lib/refresh-external.js +25 -13
  28. package/lib/schemas/manifest.schema.json +1 -1
  29. package/lib/schemas/skill-frontmatter.schema.json +1 -1
  30. package/lib/validate-indexes.js +5 -0
  31. package/lib/version-pins.js +3 -3
  32. package/manifest-snapshot.json +2 -2
  33. package/manifest-snapshot.sha256 +1 -1
  34. package/manifest.json +124 -124
  35. package/orchestrator/pipeline.js +16 -4
  36. package/package.json +1 -1
  37. package/sbom.cdx.json +170 -140
  38. package/scripts/build-indexes.js +12 -1
  39. package/scripts/builders/catalog-summaries.js +1 -1
  40. package/scripts/builders/recipes.js +1 -1
  41. package/scripts/check-sbom-currency.js +76 -14
  42. package/scripts/refresh-sbom.js +1 -1
  43. package/scripts/run-e2e-scenarios.js +48 -17
  44. package/scripts/sync-package-description.js +74 -0
  45. package/scripts/verify-shipped-tarball.js +18 -7
  46. package/skills/age-gates-child-safety/skill.md +3 -3
  47. package/skills/ai-attack-surface/skill.md +4 -4
  48. package/skills/ai-c2-detection/skill.md +5 -5
  49. package/skills/api-security/skill.md +2 -2
  50. package/skills/attack-surface-pentest/skill.md +4 -4
  51. package/skills/cloud-security/skill.md +3 -3
  52. package/skills/compliance-theater/skill.md +3 -3
  53. package/skills/container-runtime-security/skill.md +3 -3
  54. package/skills/coordinated-vuln-disclosure/skill.md +2 -2
  55. package/skills/defensive-countermeasure-mapping/skill.md +3 -3
  56. package/skills/dlp-gap-analysis/skill.md +5 -5
  57. package/skills/exploit-scoring/skill.md +2 -2
  58. package/skills/framework-gap-analysis/skill.md +4 -4
  59. package/skills/fuzz-testing-strategy/skill.md +2 -2
  60. package/skills/incident-response-playbook/skill.md +3 -3
  61. package/skills/mcp-agent-trust/skill.md +2 -2
  62. package/skills/mlops-security/skill.md +3 -3
  63. package/skills/ot-ics-security/skill.md +3 -3
  64. package/skills/policy-exception-gen/skill.md +3 -3
  65. package/skills/pqc-first/skill.md +2 -2
  66. package/skills/rag-pipeline-security/skill.md +4 -4
  67. package/skills/ransomware-response/skill.md +2 -2
  68. package/skills/sector-energy/skill.md +2 -2
  69. package/skills/sector-federal-government/skill.md +2 -2
  70. package/skills/sector-financial/skill.md +4 -4
  71. package/skills/sector-healthcare/skill.md +3 -3
  72. package/skills/security-maturity-tiers/skill.md +1 -1
  73. package/skills/skill-update-loop/skill.md +6 -6
  74. package/skills/supply-chain-integrity/skill.md +2 -2
  75. package/skills/threat-model-currency/skill.md +8 -8
  76. package/skills/threat-modeling-methodology/skill.md +2 -2
  77. package/skills/webapp-security/skill.md +2 -2
  78. package/skills/zeroday-gap-learn/skill.md +3 -3
  79. package/sources/validators/cve-validator.js +27 -18
@@ -233,11 +233,20 @@ function _currencyScore(daysSinceReview, _forwardWatchCount) {
233
233
  // currency even on the day after a review. forward_watch is a
234
234
  // signal of ACTIVE maintenance, not staleness, so the count no
235
235
  // longer affects the score. The arg is retained for ABI compat.
236
+ // The penalty schedule must be able to cross the tiers the gate checks
237
+ // against (currencyCheck: action_required at < 70, critical_count at < 50;
238
+ // _currencyLabel: 'stale' < 70, 'critical_stale' < 50). A schedule whose
239
+ // worst penalty was -30 floored the score at 70, so the warn/critical tiers —
240
+ // and the workflow issue they gate — could never fire. The deeper penalties
241
+ // only bite past 180/270/365 days, so a normally-maintained skill stays
242
+ // 'acceptable' while a genuinely abandoned one reaches the gate.
236
243
  let score = 100;
237
- if (daysSinceReview > 180) score -= 30;
238
- else if (daysSinceReview > 90) score -= 20;
239
- else if (daysSinceReview > 60) score -= 10;
240
- else if (daysSinceReview > 30) score -= 5;
244
+ if (daysSinceReview > 365) score -= 100; // a year+ unreviewed → 0 (critical_stale)
245
+ else if (daysSinceReview > 270) score -= 60; // → 40 (critical_stale, < 50)
246
+ else if (daysSinceReview > 180) score -= 40; // → 60 (stale, < 70 warn tier)
247
+ else if (daysSinceReview > 90) score -= 20; // → 80 (acceptable)
248
+ else if (daysSinceReview > 60) score -= 10; // → 90 (current)
249
+ else if (daysSinceReview > 30) score -= 5; // → 95 (current)
241
250
  return Math.max(0, score);
242
251
  }
243
252
 
@@ -265,4 +274,7 @@ module.exports = {
265
274
  getAgentDefinition,
266
275
  MANIFEST_CACHE_TTL_MS,
267
276
  _resetManifestCache,
277
+ // Exported for the gate-reachability contract test: the schedule must be able
278
+ // to reach the warn (< 70) and critical (< 50) tiers the workflow issues on.
279
+ _currencyScore,
268
280
  };
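Review bot: In `_currencyScore`, a `daysSinceReview` that is `NaN` or `undefined` (for example from a missing or unparseable review date) fails every `>` comparison in the new schedule and leaves the score at 100, so the skill whose review date is least trustworthy would be reported as fully current and never reach the warn or critical tier. The function's opening lines and its callers are outside the hunk, so an earlier guard may already exist; if none does, failing closed ahead of the schedule, e.g. `if (!Number.isFinite(daysSinceReview)) return 0;`, would keep the gate reachable for that case, and the gate-reachability contract test mentioned in the export comment could pin it. The 70 and 50 tier thresholds are restated here only in comments, so naming them as shared constants would keep this schedule from drifting away from `currencyCheck` and `_currencyLabel`.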
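--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "@blamejs/exceptd-skills",
- "version": "0.16.25",
+ "version": "0.16.29",
  "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 51 skills, 11 catalogs (439 CVEs / 177 CWEs / 805 ATT&CK + ICS / 170 ATLAS / 468 D3FEND / 8888 RFCs), 35 jurisdictions, 10-class catalog gap detector + budget gate, real XML parser + canonical-form diff + content-pattern regression detection, Ed25519-signed.",
  "keywords": [
  "ai-security",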