@blamejs/exceptd-skills 0.16.4 → 0.16.6

package/CHANGELOG.md CHANGED
@@ -1,5 +1,15 @@
1
1
  # Changelog
2
2
 
3
+ ## 0.16.6 — 2026-05-31
4
+
5
+ `collect --help` now documents the `--attest-ownership` flag — it attests that you own (or hold written authorisation for) the asset being scanned, satisfying an ownership precondition such as the CI/CD playbook's fleet-ownership gate so a run does not block at preflight. The flag already worked and is what the precondition-block remediation points to; it was simply missing from the help text.
6
+
7
+ ## 0.16.5 — 2026-05-31
8
+
9
+ `selected_remediation` now matches the finding. Each `remediation_path` can declare an optional `for_signals` linkage naming the detect indicators it addresses; when no remediation's preconditions are verified (the common static-scan case), the recommendation is the highest-priority path that addresses a fired indicator instead of always defaulting to priority-1. So a FIPS-claim-without-runtime-activation finding now recommends activating the FIPS provider rather than an unrelated post-quantum migration. The linkage is populated across the playbook set, and each entry in `remediation_options_considered` gains an `addresses_fired_signal` flag.
10
+
11
+ A blocked-preflight `summary_line` is now truncated on a word boundary with an ellipsis instead of cut mid-word.
12
+
3
13
  ## 0.16.4 — 2026-05-31
4
14
 
5
15
  A `collect | run` result now surfaces non-fatal collector notices as a `collector_warnings` field — for example a file skipped for exceeding the scan size limit — so a consumer can see what the collector could not scan. The verdict and evidence completeness are unchanged; the field is omitted when the collector reported nothing.
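--- a/package/bin/exceptd.js
+++ b/package/bin/exceptd.js
@@ -2312,7 +2312,7 @@ Exit codes:
 Output: verb, session_id, playbooks_run, summary{total, detected,
 max_rwep_observed, jurisdiction_clocks_started, verdict, fail_reasons[]},
 results[].`,
-collect: `collect <playbook> [--cwd <dir>] [--resolve] [--air-gap] [--json]
+collect: `collect <playbook> [--cwd <dir>] [--attest-ownership] [--resolve] [--air-gap] [--json]
 
 Scan the working directory (or --cwd <dir>) and emit an evidence submission
 for <playbook>, ready to pipe into \`run\`:
@@ -2321,6 +2321,10 @@ for <playbook>, ready to pipe into \`run\`:
 
 Flags:
 --cwd <dir> Scan <dir> instead of the current directory.
+--attest-ownership Attest that you own (or hold written authorisation
+for) the asset being scanned, satisfying an ownership
+precondition (e.g. cicd-pipeline-compromise's
+operator-owns-ci-fleet gate) so run does not block.
 --resolve (citation-hygiene) resolve uncatalogued CVE/RFC
 citations found during the scan.
 --air-gap Do not touch the network during collection.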
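Review bot: The help entry added at 2324–2327 tells the operator what the flag asserts but not where the assertion goes; since the flag is on `collect` yet the text says `run` does not block, the attestation is presumably carried inside the emitted submission and read by run's preflight. Stating that would make clear the flag is a recorded self-assertion rather than a check, e.g. `--attest-ownership Record in the emitted submission that you own (or hold written authorisation for) the asset being scanned; run's preflight accepts this for ownership preconditions such as cicd-pipeline-compromise's operator-owns-ci-fleet gate.` The usage line at 2315 is also now past 80 columns with the new option, while the surrounding help text appears to wrap around that width, so moving part of the option list to a continuation line would keep it consistent. The `collect` help string continues outside both hunks.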
@@ -1,10 +1,10 @@
1
1
  {
2
2
  "schema_version": "1.1.0",
3
- "generated_at": "2026-05-31T14:52:41.465Z",
3
+ "generated_at": "2026-05-31T22:44:53.285Z",
4
4
  "generator": "scripts/build-indexes.js",
5
5
  "source_count": 54,
6
6
  "source_hashes": {
7
- "manifest.json": "a9da205a5c4d8847eb3c0d36b5b610cdc54d4347ffb9b03b8d9b5d740a6434ab",
7
+ "manifest.json": "6c371111138f37f9dcfbfc2b385e629ea7243806f58d1b21837865d897f641e7",
8
8
  "data/atlas-ttps.json": "878b4a08bb73c8d20396d85cf433a88f2bc5e7a8cbf7f6ab773ce7ede0a11251",
9
9
  "data/attack-techniques.json": "318bf8e9c5aee1d0a4a1dc37c4b211f2fbc937bf332a401a22483cc7d0547252",
10
10
  "data/cve-catalog.json": "1aac7e75eae24ece2ef09d1c63977bdd7a1f81a9f11609ebb966109be316426c",
@@ -780,6 +780,7 @@
780
780
  "operator_authorized_for_key_rotation == true"
781
781
  ],
782
782
  "priority": 1,
783
+ "for_signals": ["cleartext-api-key-in-dotfile","long-lived-aws-keys","gcp-service-account-json","kubeconfig-with-static-token"],
783
784
  "compensating_controls": [
784
785
  "service_disruption_window_acknowledged",
785
786
  "rotation_audit_trail"
@@ -794,6 +795,7 @@
794
795
  "incident_response_authorized == true"
795
796
  ],
796
797
  "priority": 1,
798
+ "for_signals": ["ai-api-egress-from-unexpected-process","ai-api-anomalous-volume","ai-api-beaconing-cadence","base64-or-encoded-payload-in-prompts"],
797
799
  "compensating_controls": [
798
800
  "forensic_preservation",
799
801
  "vendor_abuse_team_notification"
@@ -807,6 +809,7 @@
807
809
  "broker_available_for_each_credential_class == true"
808
810
  ],
809
811
  "priority": 2,
812
+ "for_signals": ["cleartext-api-key-in-dotfile","long-lived-aws-keys","gcp-service-account-json","kubeconfig-with-static-token"],
810
813
  "compensating_controls": [
811
814
  "legacy_dotfile_still_present_until_keychain_validated",
812
815
  "developer_workflow_regression_test"
@@ -821,6 +824,7 @@
821
824
  "tls_termination_acceptable_per_policy == true"
822
825
  ],
823
826
  "priority": 3,
827
+ "for_signals": ["ai-api-egress-from-unexpected-process","ai-api-anomalous-volume","ai-api-beaconing-cadence","base64-or-encoded-payload-in-prompts"],
824
828
  "compensating_controls": [
825
829
  "proxy_failure_mode_defined",
826
830
  "developer_traffic_baseline_collection"
@@ -834,6 +838,7 @@
834
838
  "host-level_firewall_or_endpoint_egress_control_available == true"
835
839
  ],
836
840
  "priority": 4,
841
+ "for_signals": ["ai-api-egress-from-unexpected-process","ai-api-anomalous-volume","ai-api-beaconing-cadence"],
837
842
  "compensating_controls": [
838
843
  "allowlist_change_management",
839
844
  "monitoring_for_blocked_attempts"
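Review bot: Every `for_signals` id added here (783, 798, 812, 827, 841) is a free-text string, and nothing on the page checks it against the playbook's declared detect indicator ids, so a misspelt id would silently make the path unselectable and, by the changelog's own description of the new rule, let the recommendation fall back to priority 1 for exactly the finding this path was meant to address. `scripts/build-indexes.js` already reads and hashes every source file, so it looks like the natural place for a build-time check that each `for_signals` entry resolves to an indicator id in the same playbook; the same applies to every `for_signals` hunk in the later playbook sections on this page. Separately, the priority-1 and priority-2 paths (783, 812) and the priority-3 and priority-4 paths (827, 841) declare near-identical signal sets, so under the "highest-priority path that addresses a fired indicator" rule the lower-priority twin is never recommended in the static case; if that is intended, a line in the changelog entry saying so would save the next reader from wondering. The enclosing `remediation_path` array starts and ends outside these hunks.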
@@ -788,6 +788,7 @@
788
788
  "operator_can_add_feed_sources == true"
789
789
  ],
790
790
  "priority": 1,
791
+ "for_signals": ["ai-discovery-feed-coverage-incomplete"],
791
792
  "compensating_controls": [
792
793
  "ai_discovery_aggregator_subscription_as_interim",
793
794
  "manual_weekly_triage_against_named_sources_during_pipeline_buildout"
@@ -802,6 +803,7 @@
802
803
  "deployment_cadence_supports_sla_tightening == true"
803
804
  ],
804
805
  "priority": 1,
806
+ "for_signals": ["policy-no-ai-discovered-tier","deployment-tempo-equal-ai-vs-non-ai","asset-unpatched-past-rwep-sla"],
805
807
  "compensating_controls": [
806
808
  "interim_compensating_controls_for_assets_unable_to_meet_sla",
807
809
  "live_patch_subscription_for_kernel_assets"
@@ -816,6 +818,7 @@
816
818
  "operator_assigns_verification_owner == true"
817
819
  ],
818
820
  "priority": 2,
821
+ "for_signals": ["ai-discovery-attribution-band-c-unverified","no-ai-discovery-verification-process"],
819
822
  "compensating_controls": [
820
823
  "weekly_attribution_corroboration_review",
821
824
  "automated_secondary_source_polling"
@@ -829,6 +832,7 @@
829
832
  "deployment_metric_pipeline_operational == true"
830
833
  ],
831
834
  "priority": 3,
835
+ "for_signals": ["deployment-tempo-equal-ai-vs-non-ai"],
832
836
  "compensating_controls": [
833
837
  "monthly_metric_review_with_security_leadership"
834
838
  ],
@@ -842,6 +846,7 @@
842
846
  "operator_holds_live_patch_subscription == true"
843
847
  ],
844
848
  "priority": 3,
849
+ "for_signals": ["asset-unpatched-past-rwep-sla","ai-discovered-cve-applicable"],
845
850
  "compensating_controls": [
846
851
  "module_unload_mitigation_where_applicable",
847
852
  "host_isolation_during_window_pending_reboot"
@@ -672,6 +672,7 @@
672
672
  "deploy_window_within_72h == true"
673
673
  ],
674
674
  "priority": 1,
675
+ "for_signals": ["workflow-injection-sink","pull-request-target-with-pr-checkout","secret-exposed-to-fork-pr"],
675
676
  "compensating_controls": [
676
677
  "env_pinning_lint_added_to_ci",
677
678
  "fork_pr_workflow_blocked_until_remediated"
@@ -686,6 +687,7 @@
686
687
  "ci_throughput_can_absorb_pin_updates == true"
687
688
  ],
688
689
  "priority": 2,
690
+ "for_signals": ["actions-floating-tag-pin"],
689
691
  "compensating_controls": [
690
692
  "sha_pin_drift_alert_configured",
691
693
  "maintenance_cadence_recorded_in_change_management"
@@ -700,6 +702,7 @@
700
702
  "production_environments_can_be_introduced_to_ci_workflow == true"
701
703
  ],
702
704
  "priority": 3,
705
+ "for_signals": ["wildcarded-oidc-sub-claim"],
703
706
  "compensating_controls": [
704
707
  "oidc_trust_policy_recorded_in_iac",
705
708
  "environment_approval_gate_active"
@@ -714,6 +717,7 @@
714
717
  "downstream_consumers_can_verify_keyless_or_developer_signature == true"
715
718
  ],
716
719
  "priority": 3,
720
+ "for_signals": ["runner-scoped-signing-key"],
717
721
  "compensating_controls": [
718
722
  "signing_trust_documented_in_release_runbook",
719
723
  "verification_step_added_to_runner_workflow"
@@ -728,6 +732,7 @@
728
732
  "ci_throughput_can_absorb_per_job_startup_cost == true"
729
733
  ],
730
734
  "priority": 3,
735
+ "for_signals": ["self-hosted-runner-non-ephemeral"],
731
736
  "compensating_controls": [
732
737
  "ephemeral_runner_orchestration_recorded_in_iac",
733
738
  "runner_image_provenance_tracked"
@@ -556,6 +556,7 @@
556
556
  "fabricated_citations_inventoried == true"
557
557
  ],
558
558
  "priority": 1,
559
+ "for_signals": ["fabricated-cve-id"],
559
560
  "compensating_controls": [
560
561
  "lint_rule_rejecting_non_canonical_cve_form_in_comments_and_docs",
561
562
  "ci_check_cross_referencing_cited_cves_against_an_authoritative_catalog"
@@ -569,6 +570,7 @@
569
570
  "rejected_disputed_citations_inventoried == true"
570
571
  ],
571
572
  "priority": 2,
573
+ "for_signals": ["rejected-or-disputed-cve"],
572
574
  "compensating_controls": [
573
575
  "ci_check_flagging_citations_to_catalog_rejected_disputed_entries",
574
576
  "documentation_review_step_requiring_status_disclosure"
@@ -582,6 +584,7 @@
582
584
  "rfc_title_mismatches_inventoried == true"
583
585
  ],
584
586
  "priority": 3,
587
+ "for_signals": ["rfc-number-title-mismatch"],
585
588
  "compensating_controls": [
586
589
  "ci_check_matching_cited_rfc_numbers_to_index_titles",
587
590
  "implementation_re_review_against_corrected_rfc"
@@ -595,6 +598,7 @@
595
598
  "external_lookup_available == true"
596
599
  ],
597
600
  "priority": 4,
601
+ "for_signals": ["cve-citation-needs-external-verification","draft-mislabeled-as-rfc"],
598
602
  "compensating_controls": [
599
603
  "scheduled_re_verification_when_catalog_refreshes",
600
604
  "needs_verification_register_maintained_until_resolved"
@@ -976,6 +976,7 @@
976
976
  "rotation_ownership_identified == true"
977
977
  ],
978
978
  "priority": 1,
979
+ "for_signals": ["root_login_from_new_asn","iam_access_key_created_no_iac_ticket","mass_iam_user_creation_outside_iac","cross_account_assume_role_anomaly","kms_key_policy_self_grant","s3_bucket_policy_public_grant","cloudtrail_logging_disabled_event"],
979
980
  "compensating_controls": [
980
981
  "session-revocation",
981
982
  "audit-log-review-for-misuse-window",
@@ -991,6 +992,7 @@
991
992
  "iam_read_only_across_org == true"
992
993
  ],
993
994
  "priority": 2,
995
+ "for_signals": ["cross_account_assume_role_anomaly","mass_iam_user_creation_outside_iac","iam_access_key_created_no_iac_ticket","kms_key_policy_self_grant","s3_bucket_policy_public_grant","gpu_instance_creation_spike","unused_region_resource_creation"],
994
996
  "compensating_controls": [
995
997
  "iam-event-review-completed",
996
998
  "scp-tightened",
@@ -1005,6 +1007,7 @@
1005
1007
  "imdsv2_migration_blocker_inventory_complete == true"
1006
1008
  ],
1007
1009
  "priority": 2,
1010
+ "for_signals": ["imds_v1_legacy_access"],
1008
1011
  "compensating_controls": [
1009
1012
  "imdsv2-enforced-org-wide",
1010
1013
  "scp-deny-imdsv1-launch"
@@ -1018,6 +1021,7 @@
1018
1021
  "federated_trust_inventory_complete == true"
1019
1022
  ],
1020
1023
  "priority": 2,
1024
+ "for_signals": ["cross_account_assume_role_anomaly"],
1021
1025
  "compensating_controls": [
1022
1026
  "federated-trust-tightened",
1023
1027
  "conditional-access-mfa-required-on-admin"
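Review bot: The signal ids in this section's `for_signals` lists (979, 995, 1010, 1024) use snake_case (`root_login_from_new_asn`, `imds_v1_legacy_access`) while every other playbook on the page uses kebab-case ids, and the ids are presumably matched against fired indicators by exact string comparison. That is only a defect if this playbook's detect indicators are declared in a different form than the ids written here, which the hunks do not show; worth confirming they match byte for byte, or normalising the set to one convention so a later edit does not introduce a mismatch. The enclosing array starts and ends outside these hunks.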
@@ -819,6 +819,7 @@
819
819
  "alternative_capability_path_identified == true"
820
820
  ],
821
821
  "priority": 1,
822
+ "for_signals": ["compose-privileged","k8s-privileged","compose-cap-add-sys-admin"],
822
823
  "compensating_controls": [
823
824
  "pod-security-baseline-enforced",
824
825
  "admission-controller-blocks-privileged"
@@ -833,6 +834,7 @@
833
834
  "host_namespace_requirement_documented_or_invalid == true"
834
835
  ],
835
836
  "priority": 1,
837
+ "for_signals": ["k8s-host-namespaces","compose-host-network"],
836
838
  "compensating_controls": [
837
839
  "pod-security-baseline-enforced",
838
840
  "namespace-isolation-tightened"
@@ -846,6 +848,7 @@
846
848
  "ci_supports_digest_resolution == true OR manual_digest_pinning_accepted == true"
847
849
  ],
848
850
  "priority": 2,
851
+ "for_signals": ["dockerfile-from-latest","dockerfile-no-digest-pin","k8s-image-latest"],
849
852
  "compensating_controls": [
850
853
  "image-signature-verified",
851
854
  "registry-immutability-enforced"
@@ -859,6 +862,7 @@
859
862
  "image_supports_non_root == true"
860
863
  ],
861
864
  "priority": 2,
865
+ "for_signals": ["dockerfile-runs-as-root","k8s-run-as-root"],
862
866
  "compensating_controls": [
863
867
  "pod-security-restricted-enforced"
864
868
  ],
@@ -871,6 +875,7 @@
871
875
  "cluster_supports_seccomp_profile == true"
872
876
  ],
873
877
  "priority": 2,
878
+ "for_signals": ["k8s-no-seccomp-profile"],
874
879
  "compensating_controls": [
875
880
  "seccomp-profile-active"
876
881
  ],
@@ -883,6 +888,7 @@
883
888
  "alternative_path_identified == true"
884
889
  ],
885
890
  "priority": 1,
891
+ "for_signals": ["compose-docker-sock-mount","k8s-hostpath-sensitive"],
886
892
  "compensating_controls": [
887
893
  "bounded-rbac-applied",
888
894
  "sysbox-or-kata-deployed"
@@ -896,6 +902,7 @@
896
902
  "sa_usage_audit_complete == true"
897
903
  ],
898
904
  "priority": 1,
905
+ "for_signals": ["k8s-cluster-admin-binding"],
899
906
  "compensating_controls": [
900
907
  "scoped-role-applied",
901
908
  "audit2rbac-output-attached"
@@ -739,6 +739,7 @@
739
739
  "user_enrolled_in_sso == true"
740
740
  ],
741
741
  "priority": 1,
742
+ "for_signals": ["aws-static-key-present"],
742
743
  "compensating_controls": [
743
744
  "iam-key-deactivated",
744
745
  "cloudtrail-monitor-on-old-key-for-residual-use"
@@ -752,6 +753,7 @@
752
753
  "org_has_workforce_identity_pool == true OR user_has_authorized_user_credentials == true"
753
754
  ],
754
755
  "priority": 1,
756
+ "for_signals": ["gcp-service-account-json-adc"],
755
757
  "compensating_controls": [
756
758
  "gcp-key-deleted",
757
759
  "gcp-audit-log-monitor-on-old-key"
@@ -765,6 +767,7 @@
765
767
  "cluster_supports_oidc == true OR cluster_is_managed_cloud_k8s == true"
766
768
  ],
767
769
  "priority": 1,
770
+ "for_signals": ["kube-static-token"],
768
771
  "compensating_controls": [
769
772
  "kube-token-revoked",
770
773
  "k8s-audit-log-monitor-on-old-token"
@@ -778,6 +781,7 @@
778
781
  "target_registry_supports_cred_helper == true"
779
782
  ],
780
783
  "priority": 1,
784
+ "for_signals": ["docker-cleartext-auth"],
781
785
  "compensating_controls": [
782
786
  "docker-token-rotated"
783
787
  ],
@@ -790,6 +794,7 @@
790
794
  "org_authority_to_rotate == true"
791
795
  ],
792
796
  "priority": 2,
797
+ "for_signals": ["npm-pat-present","pypi-token-present"],
793
798
  "compensating_controls": [
794
799
  "token-scope-tightened",
795
800
  "publish-mfa-required"
@@ -803,6 +808,7 @@
803
808
  "file_owner_is_current_user"
804
809
  ],
805
810
  "priority": 2,
811
+ "for_signals": ["credentials-file-bad-perms"],
806
812
  "compensating_controls": [],
807
813
  "estimated_time_hours": 0.25
808
814
  },
@@ -813,6 +819,7 @@
813
819
  "all_authorized_hosts_known == true"
814
820
  ],
815
821
  "priority": 2,
822
+ "for_signals": ["ssh-key-rsa-short-bits","ssh-key-old"],
816
823
  "compensating_controls": [
817
824
  "ssh-key-inventory-updated"
818
825
  ],
@@ -959,6 +959,7 @@
959
959
  "api_stability_promise_permits_default_change == true OR major_version_bump_planned == true"
960
960
  ],
961
961
  "priority": 1,
962
+ "for_signals": ["no-ml-kem-implementation","rsa-1024-anywhere","tls-old-protocol"],
962
963
  "compensating_controls": [
963
964
  "config_flag_for_classical_only_fallback_with_deprecation_warning",
964
965
  "downstream_consumer_migration_guide_published"
@@ -973,6 +974,7 @@
973
974
  "downstream_consumer_compat_path_planned == true"
974
975
  ],
975
976
  "priority": 2,
977
+ "for_signals": ["ecdsa-without-pqc-roadmap"],
976
978
  "compensating_controls": [
977
979
  "dual_signature_envelope_during_migration",
978
980
  "explicit_algorithm_identifier_in_signed_payload"
@@ -986,6 +988,7 @@
986
988
  "weak_hash_call_sites_inventoried == true"
987
989
  ],
988
990
  "priority": 3,
991
+ "for_signals": ["weak-hash-import","weak-cipher-mode"],
989
992
  "compensating_controls": [
990
993
  "deprecation_warning_emitted_when_legacy_hash_method_invoked",
991
994
  "telemetry_to_track_legacy_method_consumer_usage"
@@ -1000,6 +1003,7 @@
1000
1003
  "performance_regression_acceptable_in_current_release == true"
1001
1004
  ],
1002
1005
  "priority": 4,
1006
+ "for_signals": ["pbkdf2-under-iterated","bcrypt-cost-low"],
1003
1007
  "compensating_controls": [
1004
1008
  "kdf_parameter_floor_enforced_at_runtime_not_just_default",
1005
1009
  "consumer_documentation_about_password_rehash_on_login_for_legacy_storage"
@@ -1013,6 +1017,7 @@
1013
1017
  "rng_call_sites_inventoried == true"
1014
1018
  ],
1015
1019
  "priority": 5,
1020
+ "for_signals": ["math-random-in-security-path"],
1016
1021
  "compensating_controls": [
1017
1022
  "linter_rule_added_to_ci",
1018
1023
  "data_flow_analysis_for_residual_paths"
@@ -1026,6 +1031,7 @@
1026
1031
  "fips_provider_available_in_target_dep == true"
1027
1032
  ],
1028
1033
  "priority": 6,
1034
+ "for_signals": ["fips-claim-without-runtime-activation"],
1029
1035
  "compensating_controls": [
1030
1036
  "fips_runtime_assertion_in_init_path",
1031
1037
  "ci_job_running_against_fips_provider_config"
@@ -1039,6 +1045,7 @@
1039
1045
  "vendored_crypto_inventoried == true"
1040
1046
  ],
1041
1047
  "priority": 7,
1048
+ "for_signals": ["vendored-pqc-no-provenance"],
1042
1049
  "compensating_controls": [
1043
1050
  "vendored_copy_pinned_to_release_tag_not_branch",
1044
1051
  "automated_upstream_security_advisory_subscription"
@@ -1052,6 +1059,7 @@
1052
1059
  "api_change_acceptable_in_next_major == true"
1053
1060
  ],
1054
1061
  "priority": 8,
1062
+ "for_signals": ["no-crypto-agility-abstraction"],
1055
1063
  "compensating_controls": [
1056
1064
  "deprecation_path_for_old_api",
1057
1065
  "migration_guide_published"
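Review bot: At 962, `rsa-1024-anywhere` and `tls-old-protocol` are linked to the priority-1 path whose precondition is an API stability exemption or a planned major version bump, so a 1024-bit RSA key or a legacy TLS version finding will now recommend changing the library's default to the post-quantum hybrid — arguably the same "unrelated migration" pairing the 0.16.5 changelog entry set out to avoid, since raising the key size or disabling the old protocol version does not depend on that path. None of the eight paths visible in this section addresses key size or protocol version directly, so if the linkage is deliberate as the closest available path, a dedicated path or an explicit note would make the recommendation defensible to the operator reading `remediation_options_considered`. The enclosing array starts and ends outside these hunks.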
@@ -716,6 +716,7 @@
716
716
  "system_libssl_upgrade_safe == true"
717
717
  ],
718
718
  "priority": 1,
719
+ "for_signals": ["ml-kem-absent","ml-dsa-slh-dsa-absent","openssl-pre-3-5"],
719
720
  "compensating_controls": [
720
721
  "pin classical-only group fallback for legacy peers via per-service override"
721
722
  ],
@@ -729,6 +730,7 @@
729
730
  "ops_authorization_for_service_restart == true"
730
731
  ],
731
732
  "priority": 2,
733
+ "for_signals": ["tls-no-hybrid-group"],
732
734
  "compensating_controls": [
733
735
  "client_compat_canary_for_each_service",
734
736
  "monitoring_for_negotiation_failures"
@@ -743,6 +745,7 @@
743
745
  "operator_authorized_for_sshd_change == true"
744
746
  ],
745
747
  "priority": 3,
748
+ "for_signals": ["sshd-no-pqc-kex"],
746
749
  "compensating_controls": [
747
750
  "bastion_session_recording_for_legacy_kex_fallback",
748
751
  "monitoring_for_kex_negotiation_downgrades"
@@ -756,6 +759,7 @@
756
759
  "ca_supports_hybrid_signatures == true OR internal_ca_can_be_extended == true"
757
760
  ],
758
761
  "priority": 4,
762
+ "for_signals": ["rsa-2048-cert-long-life"],
759
763
  "compensating_controls": [
760
764
  "legacy_chain_for_pre-PQC_client_compat",
761
765
  "transparency_log_entries_for_hybrid_certs"
@@ -769,6 +773,7 @@
769
773
  "asset_inventory_baseline_exists == true"
770
774
  ],
771
775
  "priority": 5,
776
+ "for_signals": ["no-crypto-inventory"],
772
777
  "compensating_controls": [],
773
778
  "estimated_time_hours": 40
774
779
  },
@@ -723,6 +723,7 @@
723
723
  "upstream_findings_actionable == true"
724
724
  ],
725
725
  "priority": 1,
726
+ "for_signals": ["audit-clean-with-active-finding","compound-theater"],
726
727
  "compensating_controls": [],
727
728
  "estimated_time_hours": 16
728
729
  },
@@ -733,6 +734,7 @@
733
734
  "compensating_control_design_feasible == true"
734
735
  ],
735
736
  "priority": 2,
737
+ "for_signals": ["framework-lag-no-compensating-control"],
736
738
  "compensating_controls": [
737
739
  "test_cadence_recorded_in_change_management"
738
740
  ],
@@ -745,6 +747,7 @@
745
747
  "exception_register_exists == true"
746
748
  ],
747
749
  "priority": 3,
750
+ "for_signals": ["exception-missing-expiry-or-owner"],
748
751
  "compensating_controls": [
749
752
  "exception_review_cadence_documented"
750
753
  ],
@@ -757,6 +760,7 @@
757
760
  "jurisdictional_footprint_documented == true"
758
761
  ],
759
762
  "priority": 4,
763
+ "for_signals": ["jurisdiction-without-framework"],
760
764
  "compensating_controls": [
761
765
  "mapping_review_cadence_documented"
762
766
  ],
@@ -769,6 +773,7 @@
769
773
  "ai_in_production == true"
770
774
  ],
771
775
  "priority": 5,
776
+ "for_signals": ["ai-use-without-ai-controls"],
772
777
  "compensating_controls": [],
773
778
  "estimated_time_hours": 80
774
779
  },
@@ -742,6 +742,7 @@
742
742
  "ops_authorization_for_sysctl_changes == true"
743
743
  ],
744
744
  "priority": 1,
745
+ "for_signals": ["kptr-restrict-disabled","unprivileged-userns-enabled","unprivileged-bpf-allowed","yama-ptrace-permissive","core-pid-dumpable"],
745
746
  "compensating_controls": [
746
747
  "change-management-ticket",
747
748
  "regression-test-suite-passed"
@@ -756,6 +757,7 @@
756
757
  "reboot_window_within_72h == true"
757
758
  ],
758
759
  "priority": 2,
760
+ "for_signals": ["kaslr-disabled-at-boot","mitigations-off","kernel-lockdown-none"],
759
761
  "compensating_controls": [
760
762
  "change-management-ticket",
761
763
  "post-boot-cmdline-verification"
@@ -770,6 +772,7 @@
770
772
  "workload_compatible_with_enforcing == true"
771
773
  ],
772
774
  "priority": 1,
775
+ "for_signals": ["selinux-not-enforcing"],
773
776
  "compensating_controls": [
774
777
  "audit-log-baseline-captured",
775
778
  "regression-test-suite-passed"
@@ -784,6 +787,7 @@
784
787
  "ssh_key_or_mfa_already_deployed == true"
785
788
  ],
786
789
  "priority": 1,
790
+ "for_signals": ["sshd-permitrootlogin-yes","sshd-password-auth-enabled"],
787
791
  "compensating_controls": [
788
792
  "second-session-verified",
789
793
  "break-glass-console-access-confirmed"
@@ -672,6 +672,7 @@
672
672
  "rule_authoring_capacity_within_72h == true"
673
673
  ],
674
674
  "priority": 1,
675
+ "for_signals": ["out-of-window-global-admin-grant","high-impact-oauth-consent-grant","conditional-access-exclusion-membership-change","federation-signing-cert-added","refresh-token-hoarding-by-sp","prt-claim-anomaly","okta-class-support-session"],
675
676
  "compensating_controls": [
676
677
  "rule_set_recorded_in_iac",
677
678
  "rule_test_suite_in_ci"
@@ -686,6 +687,7 @@
686
687
  "break_glass_inventory_complete == true"
687
688
  ],
688
689
  "priority": 2,
690
+ "for_signals": ["conditional-access-exclusion-membership-change"],
689
691
  "compensating_controls": [
690
692
  "exclusion_group_membership_alert_active",
691
693
  "quarterly_attestation_recorded"
@@ -700,6 +702,7 @@
700
702
  "business_owner_engagement_secured == true"
701
703
  ],
702
704
  "priority": 2,
705
+ "for_signals": ["high-impact-oauth-consent-grant"],
703
706
  "compensating_controls": [
704
707
  "consent_revocation_recorded",
705
708
  "re_grant_requires_documented_justification"
@@ -714,6 +717,7 @@
714
717
  "downstream_dependent_apps_can_tolerate_rotation_window == true"
715
718
  ],
716
719
  "priority": 1,
720
+ "for_signals": ["federation-signing-cert-added"],
717
721
  "compensating_controls": [
718
722
  "rotation_recorded_in_change_management",
719
723
  "old_cert_signed_assertions_quarantined_for_review"
@@ -905,6 +905,7 @@
905
905
  "downstream_relying_party_inventory_complete == true"
906
906
  ],
907
907
  "priority": 1,
908
+ "for_signals": ["anomalous-federated-trust-addition","session-token-forgery-evidence","mfa-factor-swap-without-password-reset","recent-high-privilege-role-assignment"],
908
909
  "compensating_controls": [
909
910
  "session-revocation-attestation",
910
911
  "downstream-saas-audit-log-baseline-captured",
@@ -920,6 +921,7 @@
920
921
  "cross_tenant_inventory_complete == true"
921
922
  ],
922
923
  "priority": 2,
924
+ "for_signals": ["unauthorized-consent-grant-from-non-corp-tenant","oauth-app-publisher-unverified","cross-tenant-assumption-anomaly","anomalous-federated-trust-addition"],
923
925
  "compensating_controls": [
924
926
  "consent-grant-attestation",
925
927
  "federated-trust-attestation"
@@ -934,6 +936,7 @@
934
936
  "break_glass_inventory_complete == true"
935
937
  ],
936
938
  "priority": 3,
939
+ "for_signals": ["service-account-unused-then-active","break-glass-account-authentication"],
937
940
  "compensating_controls": [
938
941
  "service-account-rotation-attestation",
939
942
  "break-glass-drill-calendar"
@@ -589,6 +589,7 @@
589
589
  "host_supports_livepatch == true"
590
590
  ],
591
591
  "priority": 1,
592
+ "for_signals": ["kver-in-affected-range"],
592
593
  "compensating_controls": [],
593
594
  "estimated_time_hours": 1
594
595
  },
@@ -600,6 +601,7 @@
600
601
  "reboot_window_within_72h == true"
601
602
  ],
602
603
  "priority": 2,
604
+ "for_signals": ["kver-in-affected-range"],
603
605
  "compensating_controls": [
604
606
  "MAC_policy_tightened_until_reboot",
605
607
  "ssh_access_restricted_to_admins_until_reboot"
@@ -614,6 +616,7 @@
614
616
  "ops_authorization_for_sysctl_changes == true"
615
617
  ],
616
618
  "priority": 3,
619
+ "for_signals": ["unpriv-userns-enabled","unpriv-bpf-allowed"],
617
620
  "compensating_controls": [
618
621
  "sysctl_changes_recorded_in_change_management",
619
622
  "exploit_replay_negative_test_passed"