@blamejs/exceptd-skills 0.16.28 → 0.16.30

package/data/_indexes/jurisdiction-map.json

@@ -35,7 +35,6 @@
       "policy-exception-gen",
       "pqc-first",
       "privacy-consent-ops",
-      "rag-pipeline-security",
       "ransomware-response",
       "researcher",
       "sector-energy",
@@ -54,7 +53,7 @@
       "zeroday-gap-learn"
     ],
     "example_excerpts": {},
-    "skill_count": 51
+    "skill_count": 50
   },
   "UK": {
     "skills": [
@@ -63,15 +62,11 @@
       "ai-c2-detection",
       "ai-risk-management",
       "api-security",
-      "attack-surface-pentest",
-      "cloud-iam-incident",
       "cloud-security",
       "compliance-theater",
       "container-runtime-security",
       "coordinated-vuln-disclosure",
-      "decompression-dos",
       "defensive-countermeasure-mapping",
-      "dlp-gap-analysis",
       "email-security-anti-phishing",
       "exploit-scoring",
       "framework-gap-analysis",
@@ -80,36 +75,22 @@
       "identity-assurance",
       "idp-incident-response",
       "incident-response-playbook",
-      "kernel-lpe-triage",
-      "log-injection-telemetry",
       "mcp-agent-trust",
-      "mlops-security",
-      "multitenancy-isolation",
-      "network-trust",
-      "ot-ics-security",
       "policy-exception-gen",
       "pqc-first",
-      "privacy-consent-ops",
-      "rag-pipeline-security",
       "ransomware-response",
       "researcher",
       "sector-energy",
       "sector-federal-government",
-      "sector-financial",
-      "sector-healthcare",
       "sector-telecom",
-      "security-maturity-tiers",
-      "self-update-integrity",
       "skill-update-loop",
       "supply-chain-integrity",
       "threat-model-currency",
       "threat-modeling-methodology",
-      "vc-wallet-trust",
-      "webapp-security",
-      "zeroday-gap-learn"
+      "webapp-security"
     ],
     "example_excerpts": {},
-    "skill_count": 49
+    "skill_count": 31
   },
   "AU": {
     "skills": [
@@ -138,13 +119,11 @@
       "kernel-lpe-triage",
       "log-injection-telemetry",
       "mcp-agent-trust",
-      "mlops-security",
       "multitenancy-isolation",
       "ot-ics-security",
       "policy-exception-gen",
       "pqc-first",
       "privacy-consent-ops",
-      "rag-pipeline-security",
       "ransomware-response",
       "researcher",
       "sector-energy",
@@ -162,72 +141,51 @@
       "zeroday-gap-learn"
     ],
     "example_excerpts": {},
-    "skill_count": 47
+    "skill_count": 45
   },
   "SG": {
     "skills": [
-      "age-gates-child-safety",
-      "ai-attack-surface",
-      "api-security",
-      "cloud-iam-incident",
-      "cloud-security",
       "container-runtime-security",
-      "coordinated-vuln-disclosure",
-      "email-security-anti-phishing",
       "framework-gap-analysis",
       "global-grc",
       "identity-assurance",
-      "incident-response-playbook",
-      "mcp-agent-trust",
-      "mlops-security",
       "researcher",
-      "sector-federal-government",
       "sector-financial",
-      "sector-healthcare",
-      "sector-telecom",
       "threat-modeling-methodology",
       "webapp-security"
     ],
     "example_excerpts": {},
-    "skill_count": 21
+    "skill_count": 8
   },
   "JP": {
     "skills": [
       "age-gates-child-safety",
-      "ai-risk-management",
       "api-security",
       "cloud-iam-incident",
-      "cloud-security",
       "container-runtime-security",
-      "coordinated-vuln-disclosure",
       "dlp-gap-analysis",
       "email-security-anti-phishing",
       "framework-gap-analysis",
       "global-grc",
       "identity-assurance",
       "incident-response-playbook",
-      "mlops-security",
       "ot-ics-security",
       "pqc-first",
-      "ransomware-response",
       "sector-energy",
       "sector-federal-government",
       "sector-financial",
       "sector-healthcare",
-      "sector-telecom",
       "supply-chain-integrity",
       "threat-modeling-methodology",
       "webapp-security"
     ],
     "example_excerpts": {},
-    "skill_count": 25
+    "skill_count": 19
   },
   "IN": {
     "skills": [
       "age-gates-child-safety",
       "ai-risk-management",
-      "api-security",
-      "cloud-security",
       "dlp-gap-analysis",
       "email-security-anti-phishing",
       "framework-gap-analysis",
@@ -242,51 +200,36 @@
       "threat-modeling-methodology"
     ],
     "example_excerpts": {},
-    "skill_count": 16
+    "skill_count": 14
   },
   "CA": {
     "skills": [
       "age-gates-child-safety",
-      "ai-c2-detection",
-      "cloud-iam-incident",
-      "cloud-security",
-      "defensive-countermeasure-mapping",
       "dlp-gap-analysis",
       "framework-gap-analysis",
       "global-grc",
-      "identity-assurance",
       "idp-incident-response",
-      "network-trust",
-      "sector-energy",
-      "sector-federal-government",
-      "sector-financial",
-      "sector-healthcare",
-      "sector-telecom",
-      "self-update-integrity",
-      "skill-update-loop",
-      "zeroday-gap-learn"
+      "sector-financial"
     ],
     "example_excerpts": {},
-    "skill_count": 19
+    "skill_count": 6
   },
   "BR": {
     "skills": [
       "age-gates-child-safety",
       "ai-risk-management",
-      "api-security",
       "cloud-security",
       "dlp-gap-analysis",
       "framework-gap-analysis",
       "global-grc",
       "incident-response-playbook",
       "pqc-first",
-      "sector-financial",
       "sector-healthcare",
       "supply-chain-integrity",
       "threat-modeling-methodology"
     ],
     "example_excerpts": {},
-    "skill_count": 13
+    "skill_count": 11
   },
   "CN": {
     "skills": [
@@ -315,53 +258,33 @@
     "skill_count": 1
   },
   "AE": {
-    "skills": [
-      "incident-response-playbook",
-      "sector-financial"
-    ],
+    "skills": [],
     "example_excerpts": {},
-    "skill_count": 2
+    "skill_count": 0
   },
   "SA": {
     "skills": [
       "age-gates-child-safety",
-      "compliance-theater",
-      "defensive-countermeasure-mapping",
       "dlp-gap-analysis",
-      "framework-gap-analysis",
-      "fuzz-testing-strategy",
-      "global-grc",
-      "mcp-agent-trust",
-      "mlops-security",
-      "pqc-first",
-      "sector-energy",
-      "sector-federal-government",
-      "sector-financial",
-      "sector-healthcare",
-      "supply-chain-integrity",
-      "zeroday-gap-learn"
+      "sector-financial"
     ],
     "example_excerpts": {},
-    "skill_count": 16
+    "skill_count": 3
   },
   "NZ": {
-    "skills": [
-      "sector-financial",
-      "sector-telecom"
-    ],
+    "skills": [],
     "example_excerpts": {},
-    "skill_count": 2
+    "skill_count": 0
   },
   "KR": {
     "skills": [
       "age-gates-child-safety",
       "dlp-gap-analysis",
       "framework-gap-analysis",
-      "global-grc",
-      "supply-chain-integrity"
+      "global-grc"
     ],
     "example_excerpts": {},
-    "skill_count": 5
+    "skill_count": 4
   },
   "CL": {
     "skills": [],
@@ -371,8 +294,6 @@
   "IL": {
     "skills": [
       "ai-risk-management",
-      "api-security",
-      "cloud-iam-incident",
       "cloud-security",
       "container-runtime-security",
       "coordinated-vuln-disclosure",
@@ -394,7 +315,7 @@
       "webapp-security"
     ],
     "example_excerpts": {},
-    "skill_count": 22
+    "skill_count": 20
   },
   "CH": {
     "skills": [
@@ -423,74 +344,33 @@
   },
   "TW": {
     "skills": [
-      "cloud-security",
       "container-runtime-security",
-      "dlp-gap-analysis",
-      "framework-gap-analysis",
       "global-grc",
       "ot-ics-security",
       "pqc-first",
       "supply-chain-integrity"
     ],
     "example_excerpts": {},
-    "skill_count": 8
+    "skill_count": 5
   },
   "ID": {
     "skills": [
-      "age-gates-child-safety",
-      "ai-attack-surface",
-      "ai-c2-detection",
       "ai-risk-management",
-      "api-security",
-      "attack-surface-pentest",
-      "cloud-iam-incident",
-      "cloud-security",
-      "compliance-theater",
-      "container-runtime-security",
-      "coordinated-vuln-disclosure",
-      "defensive-countermeasure-mapping",
       "dlp-gap-analysis",
-      "email-security-anti-phishing",
-      "exploit-scoring",
       "framework-gap-analysis",
-      "fuzz-testing-strategy",
       "global-grc",
       "identity-assurance",
-      "idp-incident-response",
-      "incident-response-playbook",
-      "kernel-lpe-triage",
-      "mcp-agent-trust",
-      "mlops-security",
       "ot-ics-security",
-      "policy-exception-gen",
       "pqc-first",
-      "rag-pipeline-security",
-      "ransomware-response",
-      "researcher",
-      "sector-energy",
-      "sector-federal-government",
-      "sector-financial",
-      "sector-healthcare",
-      "sector-telecom",
-      "skill-update-loop",
-      "supply-chain-integrity",
-      "threat-model-currency",
-      "threat-modeling-methodology",
-      "webapp-security",
-      "zeroday-gap-learn"
+      "supply-chain-integrity"
     ],
     "example_excerpts": {},
-    "skill_count": 41
+    "skill_count": 8
   },
   "VN": {
-    "skills": [
-      "dlp-gap-analysis",
-      "framework-gap-analysis",
-      "global-grc",
-      "supply-chain-integrity"
-    ],
+    "skills": [],
     "example_excerpts": {},
-    "skill_count": 4
+    "skill_count": 0
   },
   "US_NYDFS": {
     "skills": [
@@ -520,33 +400,26 @@
   },
   "NO": {
     "skills": [
-      "mail-server-hardening",
       "sector-energy",
       "skill-update-loop"
     ],
     "example_excerpts": {},
-    "skill_count": 3
+    "skill_count": 2
   },
   "MX": {
-    "skills": [
-      "sector-financial"
-    ],
+    "skills": [],
     "example_excerpts": {},
-    "skill_count": 1
+    "skill_count": 0
   },
   "AR": {
-    "skills": [
-      "age-gates-child-safety"
-    ],
+    "skills": [],
     "example_excerpts": {},
-    "skill_count": 1
+    "skill_count": 0
   },
   "TR": {
-    "skills": [
-      "sector-telecom"
-    ],
+    "skills": [],
     "example_excerpts": {},
-    "skill_count": 1
+    "skill_count": 0
   },
   "TH": {
     "skills": [],

package/data/playbooks/crypto.json

@@ -36,6 +36,12 @@
         "description": "At least one TLS library must be present and queryable. If none, the host has no crypto surface this playbook scopes.",
         "check": "exists_any(['openssl', 'libssl.so*', 'libcrypto.so*']) == true",
         "on_fail": "warn"
+      },
+      {
+        "id": "linux-platform",
+        "description": "Host must be Linux — crypto enumeration reads /etc/ssh and invokes the system openssl/ssh binaries.",
+        "check": "host.platform == 'linux'",
+        "on_fail": "halt"
       }
     ],
     "mutex": [],

package/lib/auto-discovery.js

@@ -557,6 +557,14 @@ function extractAcronymFromGroupUri(uri) {
  * @param {object} opts  { cap?: number, sinceDays?: number }
  */
 async function discoverNewRfcs(ctx, opts = {}) {
+  // Air-gap: new-RFC discovery queries IETF Datatracker live (~one call per
+  // project working group). Refuse the egress under --air-gap so a fully
+  // offline run makes no network calls — the other discovery paths guard the
+  // same way. --from-cache alone (network-available host, e.g. the scheduled
+  // refresh) still discovers live; add --air-gap for a truly offline run.
+  if ((ctx && ctx.airGap === true) || process.env.EXCEPTD_AIR_GAP === "1") {
+    return { diffs: [], errors: 0, spilled: 0, summary: "RFC discovery: skipped under air-gap (no live Datatracker query)" };
+  }
   const cap = opts.cap ?? DEFAULT_CAP;
   const sinceDays = opts.sinceDays ?? 180;
   const cutoff = new Date(Date.now() - sinceDays * 86_400_000).toISOString().slice(0, 10);

package/lib/collectors/README.md

@@ -62,8 +62,9 @@ exceptd collect <playbook> | exceptd run <playbook> --evidence -   # full loop
 Exit codes:
 
 - `0` — submission emitted successfully (operator should check `collector_errors[]` for partial-evidence warnings)
-- `1` — no collector exists for the playbook id (the AI-evidence path remains)
-- `2` — collector threw an unhandled exception (file a bug)
+- `1` — failure: either no collector exists for the playbook id (the AI-evidence path remains) **or** the collector threw an unhandled exception (file a bug). Both go through the shared error path, so both exit `1`; the JSON envelope on stderr distinguishes them — `type: "collector_not_found"` for the missing-collector case, an `"threw an unhandled exception"` message plus a `stack` for the crash case.
+
+Run `exceptd doctor --exit-codes` for the full exit-code map. Code `2` is reserved for the CI escalation gate (`detected` classification), not used by `collect`.
 
 ## When to write a collector
 

package/lib/collectors/library-author.js

@@ -88,7 +88,7 @@ function looksLikePublishWorkflow(name, content) {
   // filename-prefix checks above are unaffected. A `#` inside a quoted string
   // is rare in workflow YAML and not load-bearing for these command probes
   // (stripping can only REMOVE comment text, never create a false match).
-  const code = content.replace(/#.*$/gm, '');
+  const code = stripYamlComments(content);
 
   // Explicit publish-shape commands — these are commitments to push
   // artifacts, not setup / scaffolding.
@@ -133,7 +133,22 @@ function hasIdTokenWriteAnyScope(content) {
   return /\bid-token:\s*write\b/.test(content);
 }
 
+// Strip YAML line-comments so a `#`-commented MENTION of a publish-shape
+// token / command / runner is not read as the real thing. The classifier
+// (looksLikePublishWorkflow) already does this; the indicator probes — and the
+// provenance / SBOM-capability probes in collect() — must use the same view,
+// or a comment produces a false (often deterministic) hit, and in the
+// provenance direction a commented `--provenance` would suppress a real gap
+// (a false negative on a security-relevant posture check).
+function stripYamlComments(content) {
+  return content.replace(/#.*$/gm, "");
+}
+
 function scanPublishWorkflow(content, rel) {
+  // Whole-content probes below run against a comment-stripped view. The
+  // `uses:` line scan stays on the raw lines — its anchored regex already
+  // rejects `#`-prefixed lines, so a commented `uses:` cannot match.
+  const code = stripYamlComments(content);
   const hits = {
     "publish-workflow-uses-static-token": [],
     "publish-workflow-no-id-token-write": [],
@@ -148,11 +163,13 @@ function scanPublishWorkflow(content, rel) {
   // NPM_TOKEN / PYPI_TOKEN / CARGO_TOKEN / RUBYGEMS_API_KEY /
   // GEM_HOST_API_KEY; expand to cover the common variants for each
   // ecosystem.
-  const usesStaticToken = /\bsecrets\.(NPM_TOKEN|PYPI_TOKEN|PYPI_API_TOKEN|CARGO_TOKEN|CARGO_REGISTRY_TOKEN|RUBYGEMS_API_KEY|GEM_HOST_API_KEY|MAVEN_TOKEN|MAVEN_CENTRAL_TOKEN|GH_TOKEN)\b/.test(content);
+  const usesStaticToken = /\bsecrets\.(NPM_TOKEN|PYPI_TOKEN|PYPI_API_TOKEN|CARGO_TOKEN|CARGO_REGISTRY_TOKEN|RUBYGEMS_API_KEY|GEM_HOST_API_KEY|MAVEN_TOKEN|MAVEN_CENTRAL_TOKEN|GH_TOKEN)\b/.test(code);
   // OIDC is available when THIS publish file declares `id-token: write` at
   // any scope (workflow or job). Scoped to the file by design — a sibling
-  // workflow's OIDC does not authenticate this publish job.
-  const hasIdTokenWrite = hasIdTokenWriteAnyScope(content);
+  // workflow's OIDC does not authenticate this publish job. Read from the
+  // comment-stripped view so a commented `id-token: write` cannot falsely
+  // satisfy the capability (which would suppress the static-token finding).
+  const hasIdTokenWrite = hasIdTokenWriteAnyScope(code);
   if (usesStaticToken && !hasIdTokenWrite) {
     hits["publish-workflow-uses-static-token"].push({ file: rel, line: 0, snippet: "publish workflow uses a static long-lived token (NPM_TOKEN / PYPI / Cargo / Maven) without id-token: write for OIDC" });
   }
@@ -186,15 +203,15 @@ function scanPublishWorkflow(content, rel) {
   // non-frozen-install: workflow uses `npm install` instead of `npm ci`,
   // or `pip install <pkg>` without `--require-hashes`, or `cargo
   // install` without `--locked`.
-  if (/\bnpm\s+install\b/.test(content) && !/\bnpm\s+ci\b/.test(content)) {
+  if (/\bnpm\s+install\b/.test(code) && !/\bnpm\s+ci\b/.test(code)) {
     hits["release-workflow-non-frozen-install"].push({ file: rel, line: 0, snippet: "publish workflow uses `npm install` rather than `npm ci` — lockfile is not enforced" });
   }
-  if (/\bcargo\s+(?:build|install)\b/.test(content) && !/--locked\b/.test(content) && !/--frozen\b/.test(content)) {
+  if (/\bcargo\s+(?:build|install)\b/.test(code) && !/--locked\b/.test(code) && !/--frozen\b/.test(code)) {
     hits["release-workflow-non-frozen-install"].push({ file: rel, line: 0, snippet: "cargo build/install without --locked / --frozen" });
   }
 
   // runs-on-self-hosted: any `runs-on: self-hosted` line.
-  if (/runs-on:\s*['"]?(?:self-hosted|\[?\s*self-hosted)/i.test(content)) {
+  if (/runs-on:\s*['"]?(?:self-hosted|\[?\s*self-hosted)/i.test(code)) {
     hits["publish-workflow-runs-on-self-hosted"].push({ file: rel, line: 0, snippet: "publish workflow runs on a self-hosted runner — non-ephemeral execution context" });
   }
 
@@ -265,7 +282,7 @@ function collect({ cwd = process.cwd(), env = process.env, args = {} } = {}) {
     try {
       const j = JSON.parse(pkgManifest.content);
       const manifestOptIn = j?.publishConfig?.provenance === true;
-      const workflowOptIn = publishWorkflows.some(w => /npm\s+publish[^\n]*--provenance\b/.test(w.content));
+      const workflowOptIn = publishWorkflows.some(w => /npm\s+publish[^\n]*--provenance\b/.test(stripYamlComments(w.content)));
       provenanceMissing = (manifestOptIn || workflowOptIn) ? "miss" : "hit";
     } catch (e) {
       errors.push({ artifact_id: "package-manifest", kind: "parse_failed", reason: `package.json: ${e.message}` });
@@ -414,7 +431,7 @@ function collect({ cwd = process.cwd(), env = process.env, args = {} } = {}) {
   // signed-attestation capability exists at release and the indicator
   // should not fire on the absence of a committed artifact.
   const releaseSbomCapable = publishWorkflows.some(w => {
-    const c = w.content;
+    const c = stripYamlComments(w.content);
     return (
       // SBOM-generation tooling invoked in the workflow.
       /cyclonedx/i.test(c) ||

package/lib/collectors/secrets.js

@@ -207,7 +207,14 @@ function fpIndicesSatisfied(indicatorId, value, file, window) {
 const INDICATOR_PATTERNS = [
   { id: "aws-access-key-id",          re: /\bAKIA[0-9A-Z]{16}\b/g },
   { id: "aws-secret-access-key",      re: /\baws_secret_access_key\s*[=:]\s*['"]?([A-Za-z0-9/+=]{40})['"]?/gi },
-  { id: "gcp-service-account-json",   re: /"type"\s*:\s*"service_account"[\s\S]{0,1200}?"private_key"\s*:\s*"-----BEGIN PRIVATE KEY-----/g },
+  // Require a full PEM block (header, base64 body, closing marker) — not just
+  // the `-----BEGIN PRIVATE KEY-----` header — so a service-account JSON shown
+  // as a doc placeholder or a redaction/DLP library's detection-pattern literal
+  // does not register as a real embedded key. A real key is JSON-encoded with
+  // `\n` escapes, so the body class includes backslash; `-` is excluded so the
+  // run halts at `-----END` (no backtracking, ReDoS-safe). Mirrors
+  // ssh-private-key-block below.
+  { id: "gcp-service-account-json",   re: /"type"\s*:\s*"service_account"[\s\S]{0,1200}?"private_key"\s*:\s*"-----BEGIN PRIVATE KEY-----[A-Za-z0-9+/=\s\\]{40,4000}-----END/g },
   { id: "github-personal-access-token", re: /\bghp_[A-Za-z0-9]{36}\b/g },
   { id: "github-fine-grained-pat",    re: /\bgithub_pat_[A-Za-z0-9_]{82}\b/g },
   { id: "slack-bot-or-user-token",    re: /\bxox[abposr]-[A-Za-z0-9-]{10,}\b/g },