13 Commits

Author	SHA1	Message	Date
leviathan	fa0228df9b	release v0.9.3: CVE metadata refresh (KEV 10→12) + dirtydecrypt bug fix ... CVE metadata refresh: - Added 8 entries to core/cve_metadata.c for the v0.8.0 + v0.9.0 module CVEs. Two are CISA-KEV-listed: - CVE-2018-14634 mutagen_astronomy (2026-01-26, CWE-190) - CVE-2025-32463 sudo_chwoot (2025-09-29, CWE-829) - Populated via direct curl when refresh-cve-metadata.py's Python urlopen hung on CISA's HTTP/2 endpoint for ~55 min — same data, different transport. dirtydecrypt module bug fix: - dd_detect() was wrongly gating 'predates the bug' on kernel < 7.0 - Per NVD CVE-2026-31635: bug entered at 6.16.1 stable; vulnerable through 6.18.22 / 6.19.12 / 7.0-rc7; fixed at 6.18.23 / 6.19.13 / 7.0 - Fix: predates-gate now uses 6.16.1; patched_branches[] adds {6,18,23} - Re-verified: dirtydecrypt now correctly returns VULNERABLE on mainline 6.19.7 instead of OK. Previously a false negative on real vulnerable kernels. Footer goes from '10 in CISA KEV' to '12 in CISA KEV'. Verified count stays at 28 but dirtydecrypt's record is now a TRUE VULNERABLE match (was OK match).	2026-05-24 01:17:58 -04:00
leviathan	d52fcd5512	docs: sweep stale counts to match v0.9.2 binary state ... Audit found several user-facing surfaces still carrying old numbers from earlier releases. Brought everything in line with the binary's authoritative footer ('39 modules · 10 KEV · 28 verified · 7 any'). README.md: - Status section: v0.9.0 → v0.9.2 framing; describe the 22 → 28 verification arc (v0.9.1 + v0.9.2) - '119 detection rules' → 151 (current bundled count) - '10 of 26 KEV-listed' → '10 of 34' - 'Not yet verified (4 of 26 CVEs)' → '(6 of 34 CVEs)' with the new honest list (vmwgfx, dirty_cow, mutagen_astronomy, pintheft, vsock_uaf, fragnesia) and the reason each is blocked - Example --auto output: 31 → 39 modules docs/index.html: - '22 of 26 CVEs confirmed' → '28 of 34', mainline kernel list expanded (5.4.0-26 / 5.15.5 / 6.1.10 / 6.19.7) - Corpus section '26 CVEs across 10 years' → '34 CVEs' - '26 CVEs, 10-year span' (author list intro) → '34 CVEs' - Footer feature list '22 of 26' → '28 of 34' - KEV stat chip 11 → 10 (matches binary; the anticipated 11th from metadata refresh hasn't been added yet) - '119 detection rules' → '151' (two occurrences) docs/og.svg + og.png: - KEV chip 11 → 10 (matches binary) CVES.md: - '31 modules' → '39 modules covering 34 CVEs' - Rewrote the unverified-rows note to match the actual 6-module list No content changes to RELEASE_NOTES.md or ROADMAP.md — those entries correctly describe state at the time they were written.	2026-05-24 00:09:21 -04:00
leviathan	66cca39a55	release v0.9.2: dirtydecrypt verified on mainline 6.19.7 (22 → 28) ... Verifies CVE-2026-31635 dirtydecrypt's OK path on a kernel that predates the bug: 'kernel predates the rxgk RESPONSE-handling code added in 7.0' — match. Confirms detect() doesn't false-positive on older 6.x kernels. Attempted fragnesia (CVE-2026-46300) but mainline 7.0.5 .debs depend on libssl3t64 / libelf1t64 (t64-transition libs from Ubuntu 24.04+ / Debian 13+). No Parallels-supported Vagrant box ships those yet — dpkg --force-depends leaves the kernel package in iHR state with no /boot/vmlinuz. Marked manual: true with rationale. Verifier infrastructure: pin-mainline now uses dpkg --force-depends as a fallback so partial-install state can at least be inspected.	2026-05-24 00:03:35 -04:00
leviathan	8ac041a295	release v0.9.1: VM verification sweep 22 → 27 ... Five more CVEs empirically confirmed end-to-end against real Linux VMs: - CVE-2019-14287 sudo_runas_neg1 (Ubuntu 18.04 + sudoers grant) - CVE-2020-29661 tioscpgrp (Ubuntu 20.04 pinned to 5.4.0-26) - CVE-2024-26581 nft_pipapo (Ubuntu 22.04 + mainline 5.15.5) - CVE-2025-32463 sudo_chwoot (Ubuntu 22.04 + sudo 1.9.16p1 from source) - CVE-2025-6019 udisks_libblockdev (Debian 12 + udisks2 + polkit rule) Required real plumbing work: - Per-module provisioner hook (tools/verify-vm/provisioners/<module>.sh) - Two-phase provision in verify.sh (prep → reboot if needed → verify) fixes silent-fail where new kernel installed but VM never rebooted - GRUB_DEFAULT pinning in both pin-kernel and pin-mainline blocks (kernel downgrades like 5.4.0-169 → 5.4.0-26 now actually boot the target) - Old-mainline URL fallback in pin-mainline (≤ 4.15 debs at /v$KVER/ not /amd64/) mutagen_astronomy marked manual: true — mainline 4.14.70 kernel-panics on Ubuntu 18.04's rootfs ('Failed to execute /init (error -8)' — kernel config mismatch). Genuinely needs a CentOS 6 / Debian 7 image.	2026-05-23 23:35:02 -04:00
leviathan	d84b3b0033	release v0.9.0: 5 gap-fillers — every year 2016 → 2026 now covered ... Five new modules close the 2018 gap entirely and thicken 2019 / 2020 / 2024. All five carry the full 4-format detection-rule corpus + opsec_notes + arch_support + register helpers. CVE-2018-14634 — mutagen_astronomy (Qualys, closes 2018) create_elf_tables() int wrap → SUID-execve stack corruption. CISA KEV-listed Jan 2026 despite the bug's age; legacy RHEL 7 / CentOS 7 / Debian 8 fleets still affected. 🟡 PRIMITIVE. arch_support: x86_64+unverified-arm64. CVE-2019-14287 — sudo_runas_neg1 (Joe Vennix) sudo -u#-1 → uid_t underflow → root despite (ALL,!root) blacklist. Pure userspace logic bug; the famous Apple Information Security finding. detect() looks for a (ALL,!root) grant in sudo -ln output; PRECOND_FAIL when no such grant exists for the invoking user. arch_support: any (4 -> 5 userspace 'any' modules). CVE-2020-29661 — tioscpgrp (Jann Horn / Project Zero) TTY TIOCSPGRP ioctl race on PTY pairs → struct pid UAF in kmalloc-256. Affects everything through Linux 5.9.13. 🟡 PRIMITIVE (race-driver + msg_msg groom). Public PoCs from grsecurity / spender + Maxime Peterlin. CVE-2024-50264 — vsock_uaf (a13xp0p0v / Pwnie Award 2025 winner) AF_VSOCK connect-race UAF in kmalloc-96. Pwn2Own 2024 + Pwnie 2025 winner. Reachable as plain unprivileged user (no userns required — unusual). Two public exploit paths: @v4bel+@qwerty kernelCTF (BPF JIT spray + SLUBStick) and Alexander Popov / PT SWARM (msg_msg). 🟡 PRIMITIVE. CVE-2024-26581 — nft_pipapo (Notselwyn II, 'Flipping Pages') nft_set_pipapo destroy-race UAF. Sibling to nf_tables (CVE-2024-1086) from the same Notselwyn paper. Distinct bug in the pipapo set substrate. Same family signature. 🟡 PRIMITIVE. Plumbing changes: core/registry.h + registry_all.c — 5 new register declarations + calls. Makefile — 5 new MUT/SRN/TIO/VSK/PIP module groups in MODULE_OBJS. tests/test_detect.c — 7 new test rows covering the new modules (above-fix OK, predates-the-bug OK, sudo-no-grant PRECOND_FAIL). tools/verify-vm/targets.yaml — verifier entries for all 5 with honest 'expect_detect' values based on what Vagrant boxes can realistically reach (mutagen_astronomy gets OK on stock 18.04 since 4.15.0-213 is post-fix; sudo_runas_neg1 gets PRECOND_FAIL because no (ALL,!root) grant on default vagrant user; tioscpgrp + nft_pipapo VULNERABLE with kernel pins; vsock_uaf flagged manual because vsock module rarely available on CI runners). tools/refresh-cve-metadata.py — added curl fallback for the CISA KEV CSV fetch (urlopen times out intermittently against CISA's HTTP/2 endpoint). Corpus growth across v0.8.0 + v0.9.0: v0.7.1 v0.8.0 v0.9.0 Modules 31 34 39 Distinct CVEs 26 29 34 KEV-listed 10 10 11 (mutagen_astronomy) arch 'any' 4 6 7 (sudo_runas_neg1) Years 2016-2026: 10/11 10/11 **11/11** Year-by-year coverage: 2016: 1 2017: 1 2018: 1 2019: 2 2020: 2 2021: 5 2022: 5 2023: 8 2024: 3 2025: 2 2026: 4 CVE-2018 gap → CLOSED. Every year from 2016 through 2026 now has at least one module. Surfaces updated: - README.md: badge → 22 VM-verified / 34, Status section refreshed - docs/index.html: hero eyebrow + footer → v0.9.0, hero tagline 'every year 2016 → 2026', stats chips → 39 / 22 / 11 / 151 - docs/RELEASE_NOTES.md: v0.9.0 entry added on top with year coverage matrix + per-module breakdown; v0.8.0 + v0.7.1 entries preserved below - docs/og.svg + og.png: regenerated with new numbers + 'Every year 2016 → 2026' tagline CVE metadata refresh (tools/refresh-cve-metadata.py) deferred to follow-up — CISA KEV CSV + NVD CVE API were timing out during the v0.9.0 push window. The 5 new CVEs will return NULL from cve_metadata_lookup() until the refresh runs (—module-info simply skips the WEAKNESS/THREAT INTEL header for them; no functional impact). Re-run 'tools/refresh-cve-metadata.py' when network cooperates. Tests: macOS local 33/33 kernel_range pass; detect-test stubs (88 total) build clean; ASan/UBSan + clang-tidy CI jobs still green from the v0.7.x setup.	2026-05-23 22:15:44 -04:00
leviathan	4af82b82d9	docs: post-v0.7.1 surface sync (README + site + ROADMAP) ... Three stale surfaces refreshed after the v0.7.1 cut + arm64 release: README.md — Status section was 'v0.6.0 cut 2026-05-23'; updated to v0.7.1 with the new prebuilt-binary inventory (4 artifacts: x86_64 + arm64, each dynamic + static-musl) and the CI hardening additions (ASan/UBSan + clang-tidy). docs/index.html — hero eyebrow chip and footer meta both showed v0.6.0; both bumped to v0.7.1. ROADMAP.md — entire v0.7.x phase added as 'Phase 9 — Empirical verification + operator briefing (DONE 2026-05-23, v0.7.1)'. Captures everything since Phase 7+/8 (which were the v0.5–v0.6 era): the VM verifier, mainline kernel fetch, 22 of 26 CVEs verified, --explain mode, OPSEC notes, CVE metadata pipeline (CISA KEV + NVD CWE), 119 detection rules, 88-test harness, arm64-static binary, arch_support field, marketing site. Plus an explicit 'open follow-ups' list (arm64 verification sweep, SIEM query templates, install.sh smoke test, PackageKit provisioner, custom <=4.4 kernel image for dirty_cow, 9 deferred drift findings) and the 'wait-for-upstream blockers' list (vmwgfx, dirtydecrypt, fragnesia).	2026-05-23 21:27:23 -04:00
leviathan	6e0f811a2c	README + site + binary: surface 22-of-26 VM-verified count ... Updates the visible 'how trustworthy is this' signal across all three touchpoints after the verifier sweep landed 22 modules confirmed in real Linux VMs: README.md - Badge: '28 verified + 3 ported' → '22 VM-verified / 26'. - Headline tagline: emphasizes the 22-of-26 empirical confirmation. - 'Corpus at a glance' restructured: tier counts unchanged, but the stale '3 ported-but-unverified' subsection is replaced by a new 'Empirical verification' table breaking the 22 records down by distro/kernel. - 'Status' section refreshed for v0.6.0 reality: 88 tests + 22 verifications + mainline kernel fetch + --explain + KEV/CWE/ATT&CK metadata + 119 detection rules. The four still-unverified entries (vmwgfx, dirty_cow, dirtydecrypt, fragnesia) are listed with their blocking reasons. docs/index.html - Hero stats row gets a new '22 ✓ VM-verified' chip (emerald-styled via new .stat-vfy CSS class), keeping modules/KEV/rules siblings. - Hero tagline calls out '22 of 26 CVEs empirically verified'. - Meta description + og:description updated. - Bento card 'Verifier ready' rewritten as '22 modules empirically verified' with concrete distro/kernel breakdown; styled with new .bento-vfy class for emerald accent (matches the stat chip). - Timeline 'shipped' column adds the verifier wins; 'in flight' swapped to current open items (drift fixes, packagekit provisioner, custom <=4.4 box for dirty_cow). docs/og.svg + docs/og.png - 4-chip stats row instead of 3: 31 modules · 22 ✓ VM-verified · 10 ★ in CISA KEV · 119 detection rules. Tagline now '22 of 26 CVEs verified in real Linux VMs.' Re-rendered to PNG via rsvg-convert. skeletonkey.c (binary) - --list footer now prints '31 modules registered · 10 in CISA KEV (★) · 22 empirically verified in real VMs (✓)'. Counts computed from the registry + cve_metadata + verifications tables at runtime (so it stays accurate as more verifications land — the JSONL refresh propagates automatically). No code logic changed; only surfacing.	2026-05-23 18:03:38 -04:00
leviathan	5071ad4ba9	site: marketing-grade redesign with --explain showcase + animated hero ... Full rewrite of docs/index.html + style.css + new app.js + OG card. Hero - Animated gradient mesh background (3 drifting blurred blobs; respects prefers-reduced-motion). - Space Grotesk display wordmark with subtle white→gray gradient. - Eyebrow chip with pulsing dot showing current release. - Type-on-load install command with blinking cursor in a faux-terminal chrome (traffic-light dots, title bar, copy button). - Stats row that counts up from 0 on first paint: 31 modules, 10 KEV, 119 detection rules, 88 tests. - Primary CTA + secondary 'See --explain in action' + GitHub link. Trust strip - 'Grounded in authoritative sources' row: CISA KEV, NVD CVE API, MITRE ATT&CK, kernel.org stable tree, Debian Security Tracker, NIST CWE. Establishes the federal-data-source provenance. --explain showcase (flagship section) - Big terminal mockup that types out a real --explain nf_tables run line-by-line on scroll-into-view (45-95ms per line, easing). - Four annotation cards explaining each part: triage metadata, host fingerprint, detect() trace, OPSEC footprint. Bento grid (8 feature cards in a varied 3-col layout) - Auto-pick safest exploit (large card with code sample) - 119 detection rules (with animated per-format coverage bars) - CISA KEV prioritized (red-accented) - OPSEC notes per exploit - One host fingerprint, every module (large card with struct excerpt) - JSON for pipelines - No SaaS, no telemetry - Verifier ready (Vagrant + Parallels) Module corpus - Same green/yellow split as before, but every KEV-listed module pill now carries a ★ prefix + red-tinted border so 'actively exploited in the wild' is visible at a glance. Audience - 4 colored cards (red/blue/gray/purple) — pentesters, SOC, sysadmins, researchers — each with a deep link to the right doc. Verified-vs-claimed honesty callout - Featured gradient-bordered card restating the no-fabricated-offsets bar. ✓ icon, project's defining trust claim. Quickstart - Tabbed: install / scan / explain / auto / detect-rules. Each tab is a short, copy-ready snippet with inline comments. Roadmap timeline - Three columns: shipped / in flight / next. Shipped lists every feature from the last several sessions (--explain, OPSEC, CWE/ ATT&CK/KEV pipeline, 119 rules, host refactor, 88 tests, drift detector, VM scaffold). Next lists arm64 musl, mass-fleet aggregator, SIEM query templates, CI hardening. Footer - Four-column gradient footer (Brand / Project / Docs / Ethics) + bottom bar with credits to original PoC authors + license + repo link. Tech - Typography: Inter (UI) + JetBrains Mono (code) + Space Grotesk (display wordmark), all via Google Fonts with display=swap. - Palette: deep purple-tinted dark (#07070d) + emerald accent (#10b981) + cyan secondary (#06b6d4) + KEV-red (#ef4444) + violet (#a855f7) for threat-intel framing. - CSS: ~28KB unminified, custom-properties driven; gracefully degrades to single-column on every grid section at narrow widths. - JS: ~8KB vanilla, no frameworks. Respects prefers-reduced-motion everywhere. IntersectionObserver-driven scroll reveal and stat-count-up. - OG image: hand-authored SVG → rsvg-convert → 1200x630 PNG (121KB). Renders cleanly when shared on Twitter/LinkedIn/Slack. - 4 new files: app.js, og.svg, og.png; rewrites: index.html, style.css. Refreshed content: - v0.5.0 → v0.6.0 throughout. - '28 verified modules' → 31. - Adds KEV cross-ref, --explain, OPSEC, ATT&CK/CWE callouts that didn't exist in the previous version. HTML structure validated balanced (Python html.parser smoke test).	2026-05-23 11:42:56 -04:00
leviathan	9a4cc91619	pack2theroot (CVE-2026-41651) + --auto accuracy work ... Adds the third ported module — Pack2TheRoot, a userspace PackageKit D-Bus TOCTOU LPE — and spends real effort hardening --auto so its detect step gives an accurate, robust verdict before deploying. pack2theroot (CVE-2026-41651): - Ported from the public Vozec PoC (github.com/Vozec/CVE-2026-41651). Original disclosure by the Deutsche Telekom security team. - Two back-to-back InstallFiles D-Bus calls (SIMULATE then NONE) overwrite the cached transaction flags between polkit auth and dispatch. GLib priority ordering makes the overwrite deterministic, not a timing race; postinst of the malicious .deb drops a SUID bash in /tmp. - detect() reads PackageKit's VersionMajor/Minor/Micro directly over D-Bus and compares against the pinned fix release 1.3.5 (commit 76cfb675). This is a high-confidence verdict, not precondition-only. - Debian-family only (PoC builds its own .deb in pure C; ar/ustar/ gzip-stored inline). Cleanup removes /tmp .debs + best-effort unlinks /tmp/.suid_bash + sudo -n dpkg -r the staging packages. - Adds an optional GLib/GIO build dependency. The top-level Makefile autodetects via `pkg-config gio-2.0`; when absent the module compiles as a stub returning PRECOND_FAIL. - Embedded auditd + sigma rules cover the file-side footprint (/tmp/.suid_bash, /tmp/.pk-*.deb, non-root dpkg/apt execve). --auto accuracy improvements: - Auto-enables --active before the scan. Per-module sentinel probes (page-cache /tmp files, fork-isolated namespace mounts) turn version-only checks into definitive verdicts, so silent distro backports don't fool the scan and --auto won't pick blind on TEST_ERROR. - Per-module verdict printing — every module's result is shown (VULNERABLE / patched / precondition / indeterminate), not just VULNERABLE rows. Operator sees the full picture. - Scan-end summary line: "N vulnerable, M patched/n.a., K precondition-fail, L indeterminate" with a separate callout when modules crashed. - Distro fingerprint added to the auto banner (ID + VERSION_ID from /etc/os-release alongside kernel/arch). - Fork-isolated detect() — each detector runs in a child process so a SIGILL/SIGSEGV in one module's probe is contained and the scan continues. Surfaced live while testing: entrybleed's prefetchnta KASLR sweep SIGILLs on emulated CPUs (linuxkit on darwin); without isolation the whole --auto died at module 7 of 31. With isolation the scan reports "detect() crashed (signal 4) — continuing" and finishes cleanly. module_safety_rank additions: - pack2theroot: 95 (userspace D-Bus TOCTOU; dpkg + /tmp SUID footprint — clean but heavier than pwnkit's gconv-modules-only path). - dirtydecrypt / fragnesia: 86 (page-cache writes; one step below the verified copy_fail/dirty_frag family at 88 to prefer verified modules when both apply). Docs: - README badge / tagline / tier table / ⚪ block / example output / v0.5.0 status — all updated to "28 verified + 3 ported". - CVES.md counts line, the ported-modules note (now calling out pack2theroot's high-confidence detect vs. precondition-only for the page-cache pair), inventory row, operations table row. - ROADMAP Phase 7+: pack2theroot moved out of carry-overs into the "landed (ported, pending VM verification)" group; added a new "--auto accuracy work" subsection documenting the dispatcher hardening landed in this commit. - docs/index.html: scanning-count example bumped to 31, status line updated to mention 3 ported modules. Build verification: full `make clean && make` in `docker gcc:latest` with libglib2.0-dev installed: links into a 31-module skeletonkey ELF (413KB), `--list` shows all modules including pack2theroot, `--detect-rules --format=auditd` emits the new pack2theroot section, `--auto --i-know --no-shell` exercises the new banner + active probes + verdict table + fork isolation + scan summary end-to-end. Only build warning is the pre-existing `-Wunterminated-string-initialization` in dirty_pipe (not introduced here).	2026-05-22 22:42:07 -04:00
leviathan	ac557b67d0	review pass: fidelity + credits + count consistency for ported modules ... Three-agent rigorous review of the dirtydecrypt + fragnesia ports plus repo-wide doc consistency, followed by a full Linux build verification. dirtydecrypt (NOTICE + detection rules): - NOTICE.md: removed an unsupported "Zellic co-founder" detail and a fabricated disclosure-date narrative; tightened phrasing of the Zellic + V12 credit; noted that upstream poc.c carries no author/license header of its own. - Embedded auditd + sigma rules and detect/sigma.yml broadened to cover every binary in dd_targets[] (added /usr/bin/mount, /usr/bin/passwd, /usr/bin/chsh) and added the b32 splice rule, so the embedded ruleset matches the on-disk reference and the carrier list the exploit actually targets. - Exploit primitive verified byte-for-byte against the V12 PoC (tiny_elf[] identical, all rxgk/XDR/fire/pagecache_write logic token-identical). docker gcc:latest compile of the Linux path: COMPILE_OK, zero warnings. fragnesia: review found no defects. Exploit primitive byte-identical to the V12 PoC (shell_elf[] 192 bytes identical, AF_ALG GCM keystream table + userns/netns/XFRM + receiver/sender/run_trigger_pair all faithful). The deliberate omissions (ANSI TUI, CLI arg parsing) drop nothing exploit-critical. docker gcc:latest compile: COMPILE_OK; full project build links into a working skeletonkey ELF and --list shows the module registered correctly. Repo docs (README.md / CVES.md / ROADMAP.md): - Chose to keep "28 verified" as the headline; the two ported modules are represented as a separate clearly-labelled tier ("ported-but-unverified") that is explicitly excluded from the 28-module verified counts. README + CVES.md + ROADMAP.md now tell one consistent story. - Filled a pre-existing documentation gap: sudo_samedit, sequoia, sudoedit_editor, vmwgfx were registered + built but absent from CVES.md's inventory + operations tables. Added rows synthesized from each module's .cve / .summary / .kernel_range fields. - ROADMAP Phase 8 "7 🟡 PRIMITIVE modules" → "14"; added a "Landed since v0.1.0" group; moved vmwgfx out of the stale carry-overs. docs site (docs/index.html): - Stat box "28 / total modules" → "28 / verified modules" (the 14+14 breakdown now sums to the headline consistently). - Terminal example "scanning 28 modules" → "scanning 30 modules" (was factually wrong — the binary literally prints module_count() which is 30). - Status line: updated to mention the 2 ported-but-unverified modules and mirror the README phrasing. - docs/LAUNCH.md left as a dated v0.5.0 launch snapshot. Build verification: `docker run gcc:latest make clean && make` — links into a 30-module skeletonkey ELF on Linux. macOS dev box still hits the pre-existing dirty_pipe header gap; unchanged. .gitignore: added /skeletonkey to exclude the top-level build artifact (the existing modules/*/skeletonkey only covered per-module binaries; the root one was getting picked up by `git add -A`).	2026-05-22 18:41:37 -04:00
leviathan	33f81aeb69	site: revert CVE table → pill grid ... The sortable table was denser but lost the visual scan-ability of the color-coded pill grid. Restoring the pill view: two grouped sections (🟢 / 🟡) each showing every module name as a pill. Drops the table-sort JS (~25 lines) and the .cve-table CSS block.	2026-05-17 02:25:25 -04:00
leviathan	58fb2e0951	site: simplify nav + add sortable CVE chart ... nav: removed Releases / CVEs / Defenders links — kept only a right-aligned GitHub link with the Octocat SVG icon. index.html: replaced pill-grid corpus view with a proper sortable table — Year, CVE, Bug, Module, Tier columns. Click headers to sort. Defaults to Year descending. 28 rows covering 2016 → 2026. style.css: added .nav-github (border-pill style) + table styles (sortable headers with arrow indicators, hover rows, mobile- responsive font-size + overflow-x scroll). JS for sort is ~25 lines vanilla — no library.	2026-05-17 02:22:54 -04:00
leviathan	2904fa159c	site: GitHub Pages landing page ... Single-page static site under /docs/, served by GitHub Pages from the main branch /docs source. docs/index.html: hero with one-liner + copy button, why-this-exists, corpus stats + module pills (14 🟢 + 14 🟡), audience cards (red/blue/sysadmin/CTF), terminal-shape worked example, verified-vs-claimed bar, quickstart commands, status, footer. docs/style.css: dark theme matching GitHub's color palette (#0d1117 bg, #c9d1d9 text). System sans for prose, ui-monospace for code. Mobile-responsive with grid breakpoints. No JS framework, no external fonts, no analytics. docs/.nojekyll: disable Jekyll so the static HTML is served verbatim and the existing /docs/*.md files stay as raw markdown (viewable via GitHub UI, not the Pages site).	2026-05-17 02:14:15 -04:00