@qball-inc/the-bulwark 1.0.0

package/skills/bug-magnet-data/data/dates/invalid.yaml

@@ -0,0 +1,132 @@
+metadata:
+  version: "1.0.0"
+  last_updated: "2026-02-01"
+  source_urls: []
+
+category: dates
+subcategory: invalid
+tier: T2
+
+bugs_caught:
+  - "Invalid date parsing"
+  - "Date validation bypass"
+  - "Error handling for bad dates"
+
+values:
+  feb_30:
+    value: "2024-02-30"
+    bugs_caught:
+      - "February 30 doesn't exist"
+      - "Date validation"
+    safe_for_automation: true
+
+  feb_29_non_leap:
+    value: "2023-02-29"
+    bugs_caught:
+      - "Feb 29 in non-leap year"
+    safe_for_automation: true
+
+  month_32:
+    value: "2024-01-32"
+    bugs_caught:
+      - "Day 32 doesn't exist"
+    safe_for_automation: true
+
+  month_0:
+    value: "2024-00-15"
+    bugs_caught:
+      - "Month 0 doesn't exist"
+    safe_for_automation: true
+
+  month_13:
+    value: "2024-13-15"
+    bugs_caught:
+      - "Month 13 doesn't exist"
+    safe_for_automation: true
+
+  day_0:
+    value: "2024-06-00"
+    bugs_caught:
+      - "Day 0 doesn't exist"
+    safe_for_automation: true
+
+  negative_year:
+    value: "-2024-06-15"
+    bugs_caught:
+      - "Negative year handling"
+      - "BCE date handling"
+    safe_for_automation: true
+
+  hour_24:
+    value: "2024-06-15T24:00:00"
+    bugs_caught:
+      - "Hour 24 validity"
+      - "ISO 8601 allows 24:00:00"
+    safe_for_automation: true
+    note: "Technically valid in ISO 8601, means midnight next day"
+
+  hour_25:
+    value: "2024-06-15T25:00:00"
+    bugs_caught:
+      - "Hour 25 doesn't exist"
+    safe_for_automation: true
+
+  minute_60:
+    value: "2024-06-15T12:60:00"
+    bugs_caught:
+      - "Minute 60 doesn't exist"
+    safe_for_automation: true
+
+  second_60:
+    value: "2024-06-15T23:59:60"
+    bugs_caught:
+      - "Leap second handling"
+    safe_for_automation: true
+    note: "Valid during leap seconds, otherwise invalid"
+
+  empty_string:
+    value: ""
+    bugs_caught:
+      - "Empty date string"
+      - "Null/empty handling"
+    safe_for_automation: true
+
+  invalid_format:
+    value: "not-a-date"
+    bugs_caught:
+      - "Non-date string parsing"
+    safe_for_automation: true
+
+  partial_date:
+    value: "2024-06"
+    bugs_caught:
+      - "Partial date handling"
+      - "Missing day"
+    safe_for_automation: true
+
+  wrong_separator:
+    value: "2024/06/15"
+    bugs_caught:
+      - "Slash separator handling"
+      - "Format flexibility"
+    safe_for_automation: true
+
+  us_format:
+    value: "06/15/2024"
+    bugs_caught:
+      - "US date format (MM/DD/YYYY)"
+      - "Ambiguous format"
+    safe_for_automation: true
+
+  european_format:
+    value: "15/06/2024"
+    bugs_caught:
+      - "European format (DD/MM/YYYY)"
+      - "Format ambiguity"
+    safe_for_automation: true
+
+  ambiguous_date:
+    value: "01/02/2024"
+    bugs_caught:
+      - "Ambiguous date (Jan 2 or Feb 1?)"
+    safe_for_automation: true

package/skills/bug-magnet-data/data/dates/timezone.yaml

@@ -0,0 +1,118 @@
+metadata:
+  version: "1.0.0"
+  last_updated: "2026-02-01"
+  source_urls: []
+
+category: dates
+subcategory: timezone
+tier: T2
+
+bugs_caught:
+  - "Daylight saving time transitions"
+  - "UTC offset handling"
+  - "Timezone conversion errors"
+
+values:
+  utc:
+    value: "2024-06-15T12:00:00Z"
+    bugs_caught:
+      - "UTC handling"
+      - "Z suffix parsing"
+    safe_for_automation: true
+
+  positive_offset:
+    value: "2024-06-15T12:00:00+05:30"
+    bugs_caught:
+      - "Positive UTC offset"
+      - "India Standard Time"
+    safe_for_automation: true
+
+  negative_offset:
+    value: "2024-06-15T12:00:00-08:00"
+    bugs_caught:
+      - "Negative UTC offset"
+      - "Pacific Time"
+    safe_for_automation: true
+
+  max_positive_offset:
+    value: "2024-06-15T12:00:00+14:00"
+    bugs_caught:
+      - "Maximum positive offset"
+      - "Line Islands"
+    safe_for_automation: true
+
+  max_negative_offset:
+    value: "2024-06-15T12:00:00-12:00"
+    bugs_caught:
+      - "Maximum negative offset"
+      - "Baker Island"
+    safe_for_automation: true
+
+  half_hour_offset:
+    value: "2024-06-15T12:00:00+05:30"
+    bugs_caught:
+      - "Half-hour timezone"
+      - "India, Nepal, etc."
+    safe_for_automation: true
+
+  quarter_hour_offset:
+    value: "2024-06-15T12:00:00+05:45"
+    bugs_caught:
+      - "Quarter-hour timezone"
+      - "Nepal"
+    safe_for_automation: true
+
+  dst_spring_forward_us:
+    value: "2024-03-10T02:30:00"
+    timezone: "America/New_York"
+    bugs_caught:
+      - "DST spring forward"
+      - "Non-existent time"
+    safe_for_automation: true
+    note: "2:30 AM doesn't exist on this day in US"
+
+  dst_fall_back_us:
+    value: "2024-11-03T01:30:00"
+    timezone: "America/New_York"
+    bugs_caught:
+      - "DST fall back"
+      - "Ambiguous time"
+    safe_for_automation: true
+    note: "1:30 AM occurs twice on this day in US"
+
+  dst_spring_forward_eu:
+    value: "2024-03-31T02:30:00"
+    timezone: "Europe/London"
+    bugs_caught:
+      - "EU DST spring forward"
+    safe_for_automation: true
+
+  dst_fall_back_eu:
+    value: "2024-10-27T01:30:00"
+    timezone: "Europe/London"
+    bugs_caught:
+      - "EU DST fall back"
+    safe_for_automation: true
+
+  no_dst_timezone:
+    value: "2024-06-15T12:00:00"
+    timezone: "UTC"
+    bugs_caught:
+      - "No-DST timezone handling"
+    safe_for_automation: true
+
+  date_line_crossing:
+    value: "2024-06-15T23:00:00+12:00"
+    bugs_caught:
+      - "International Date Line"
+      - "Same instant, different dates"
+    safe_for_automation: true
+    note: "Same instant is 2024-06-16 in -12:00"
+
+  historical_tz_change:
+    value: "2011-12-29T23:59:59"
+    timezone: "Pacific/Apia"
+    bugs_caught:
+      - "Historical timezone change"
+      - "Samoa skipped Dec 30, 2011"
+    safe_for_automation: true

package/skills/bug-magnet-data/data/encoding/charset.yaml

@@ -0,0 +1,79 @@
+metadata:
+  version: "1.0.0"
+  last_updated: "2026-02-01"
+  source_urls: []
+
+category: encoding
+subcategory: charset
+tier: T2
+
+bugs_caught:
+  - "Character encoding detection"
+  - "BOM handling"
+  - "Mojibake"
+
+values:
+  utf8_bom:
+    value: "\xEF\xBB\xBFHello"
+    bugs_caught:
+      - "UTF-8 BOM handling"
+      - "Invisible prefix"
+    safe_for_automation: true
+    bytes: "EF BB BF 48 65 6C 6C 6F"
+
+  utf16_le_bom:
+    value: "\xFF\xFEH\x00e\x00l\x00l\x00o\x00"
+    bugs_caught:
+      - "UTF-16 LE detection"
+    safe_for_automation: true
+    bytes: "FF FE 48 00 65 00 6C 00 6C 00 6F 00"
+
+  utf16_be_bom:
+    value: "\xFE\xFF\x00H\x00e\x00l\x00l\x00o"
+    bugs_caught:
+      - "UTF-16 BE detection"
+    safe_for_automation: true
+    bytes: "FE FF 00 48 00 65 00 6C 00 6C 00 6F"
+
+  latin1_high:
+    value: "\xe9"
+    bugs_caught:
+      - "Latin-1 high byte (é)"
+      - "UTF-8 vs Latin-1 confusion"
+    safe_for_automation: true
+    note: "é in Latin-1, invalid UTF-8"
+
+  windows_1252:
+    value: "\x93\x94"
+    bugs_caught:
+      - "Windows smart quotes"
+      - "CP1252 vs Latin-1"
+    safe_for_automation: true
+    note: "Smart quotes in Windows-1252"
+
+  ascii_only:
+    value: "Hello World 123"
+    bugs_caught:
+      - "Pure ASCII handling"
+    safe_for_automation: true
+
+  high_ascii:
+    value: "\x80\x81\x82"
+    bugs_caught:
+      - "High ASCII bytes"
+      - "Extended ASCII handling"
+    safe_for_automation: true
+
+  mixed_valid_invalid:
+    value: "Hello\xFFWorld"
+    bugs_caught:
+      - "Invalid byte in string"
+      - "Replacement character handling"
+    safe_for_automation: true
+
+  null_byte_middle:
+    value: "Hello\x00World"
+    bugs_caught:
+      - "Null byte in string"
+      - "C-string truncation"
+    safe_for_automation: true

package/skills/bug-magnet-data/data/encoding/normalization.yaml

@@ -0,0 +1,105 @@
+metadata:
+  version: "1.0.0"
+  last_updated: "2026-02-01"
+  source_urls: []
+
+category: encoding
+subcategory: normalization
+tier: T2
+
+bugs_caught:
+  - "Unicode normalization mismatches"
+  - "String comparison failures"
+  - "Security bypasses"
+
+values:
+  nfc_composed:
+    value: "\u00e9"
+    bugs_caught:
+      - "NFC composed form"
+      - "é as single codepoint"
+    safe_for_automation: true
+    codepoints: ["U+00E9"]
+
+  nfd_decomposed:
+    value: "\u0065\u0301"
+    bugs_caught:
+      - "NFD decomposed form"
+      - "é as e + combining accent"
+    safe_for_automation: true
+    codepoints: ["U+0065", "U+0301"]
+
+  nfc_vs_nfd:
+    values:
+      nfc: "\u00e9"
+      nfd: "\u0065\u0301"
+    bugs_caught:
+      - "Normalization comparison failure"
+      - "Visual identical, byte different"
+    safe_for_automation: true
+    note: "Both render as é, but != without normalization"
+
+  overlong_utf8:
+    value: "\xC0\xAF"
+    bugs_caught:
+      - "Overlong UTF-8 encoding"
+      - "Security filter bypass"
+    safe_for_automation: true
+    note: "Overlong encoding of '/'"
+
+  invalid_utf8_continuation:
+    value: "\x80\x81\x82"
+    bugs_caught:
+      - "Invalid UTF-8 continuation bytes"
+    safe_for_automation: true
+
+  invalid_utf8_start:
+    value: "\xFE\xFF"
+    bugs_caught:
+      - "Invalid UTF-8 start bytes"
+    safe_for_automation: true
+
+  surrogate_pair:
+    value: "\uD83D\uDE00"
+    bugs_caught:
+      - "UTF-16 surrogate pair"
+      - "Emoji handling"
+    safe_for_automation: true
+    note: "😀 as surrogate pair"
+
+  unpaired_surrogate:
+    value: "\uD800"
+    bugs_caught:
+      - "Unpaired surrogate"
+      - "Invalid UTF-16"
+    safe_for_automation: true
+
+  bidi_override:
+    value: "\u202Edesrever"
+    bugs_caught:
+      - "Right-to-left override"
+      - "Display spoofing"
+    safe_for_automation: true
+    note: "Renders as 'reversed'"
+
+  zero_width:
+    value: "a\u200Bb"
+    bugs_caught:
+      - "Zero-width space"
+      - "Invisible characters"
+    safe_for_automation: true
+
+  soft_hyphen:
+    value: "soft\u00ADhyphen"
+    bugs_caught:
+      - "Soft hyphen handling"
+      - "Print vs display"
+    safe_for_automation: true
+
+  ligature:
+    value: "\uFB01"
+    bugs_caught:
+      - "Ligature handling (fi)"
+      - "Search/match failure"
+    safe_for_automation: true
+    note: "fi ligature vs 'fi'"

package/skills/bug-magnet-data/data/formats/email.yaml

@@ -0,0 +1,154 @@
+metadata:
+  version: "1.0.0"
+  last_updated: "2026-02-01"
+  source_urls: []
+
+category: formats
+subcategory: email
+tier: T2
+
+bugs_caught:
+  - "Email validation too strict"
+  - "Email validation too lenient"
+  - "RFC compliance issues"
+
+values:
+  # Valid but often rejected
+  plus_addressing:
+    value: "user+tag@example.com"
+    valid: true
+    bugs_caught:
+      - "Plus addressing rejected"
+      - "Gmail style tagging"
+    safe_for_automation: true
+
+  subdomain:
+    value: "user@mail.example.com"
+    valid: true
+    bugs_caught:
+      - "Subdomain handling"
+    safe_for_automation: true
+
+  numeric_domain:
+    value: "user@123.45.67.89"
+    valid: true
+    bugs_caught:
+      - "IP address domain"
+    safe_for_automation: true
+
+  quoted_local:
+    value: "\"user name\"@example.com"
+    valid: true
+    bugs_caught:
+      - "Quoted local part"
+      - "Space in email"
+    safe_for_automation: true
+
+  dotted_local:
+    value: "user.name.here@example.com"
+    valid: true
+    bugs_caught:
+      - "Multiple dots handling"
+    safe_for_automation: true
+
+  single_char_local:
+    value: "a@example.com"
+    valid: true
+    bugs_caught:
+      - "Single character local"
+    safe_for_automation: true
+
+  long_local:
+    value: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa@example.com"
+    valid: true
+    bugs_caught:
+      - "64-char local part limit"
+    safe_for_automation: true
+    note: "Max 64 chars in local part"
+
+  new_tld:
+    value: "user@example.technology"
+    valid: true
+    bugs_caught:
+      - "New TLD rejection"
+      - "TLD length assumptions"
+    safe_for_automation: true
+
+  idn_domain:
+    value: "user@münchen.de"
+    valid: true
+    bugs_caught:
+      - "International domain name"
+      - "Punycode handling"
+    safe_for_automation: true
+
+  # Invalid but often accepted
+  double_dot:
+    value: "user..name@example.com"
+    valid: false
+    bugs_caught:
+      - "Consecutive dots invalid"
+    safe_for_automation: true
+
+  leading_dot:
+    value: ".user@example.com"
+    valid: false
+    bugs_caught:
+      - "Leading dot invalid"
+    safe_for_automation: true
+
+  trailing_dot_local:
+    value: "user.@example.com"
+    valid: false
+    bugs_caught:
+      - "Trailing dot in local"
+    safe_for_automation: true
+
+  no_at:
+    value: "userexample.com"
+    valid: false
+    bugs_caught:
+      - "Missing @ sign"
+    safe_for_automation: true
+
+  double_at:
+    value: "user@@example.com"
+    valid: false
+    bugs_caught:
+      - "Double @ sign"
+    safe_for_automation: true
+
+  no_domain:
+    value: "user@"
+    valid: false
+    bugs_caught:
+      - "Missing domain"
+    safe_for_automation: true
+
+  no_local:
+    value: "@example.com"
+    valid: false
+    bugs_caught:
+      - "Missing local part"
+    safe_for_automation: true
+
+  space_unquoted:
+    value: "user name@example.com"
+    valid: false
+    bugs_caught:
+      - "Unquoted space"
+    safe_for_automation: true
+
+  special_unquoted:
+    value: "user<>@example.com"
+    valid: false
+    bugs_caught:
+      - "Special chars unquoted"
+    safe_for_automation: true
+
+  empty:
+    value: ""
+    valid: false
+    bugs_caught:
+      - "Empty email"
+    safe_for_automation: true