@blamejs/exceptd-skills 0.10.1 → 0.10.3

package/lib/framework-gap.js

@@ -160,7 +160,23 @@ function gapReport(frameworkIds, threatScenario, controlGaps, cveCatalog = {}) {
 
   const frameworkResults = {};
   for (const id of frameworkIds) {
-    const frameworkGaps = relevantGaps.filter(([, g]) => g.framework?.includes(id));
+    // Match a framework filter ID against catalog entries by:
+    //   - exact match against gap.framework (e.g. "NIST SP 800-53 Rev 5")
+    //   - normalized substring match (strip case + spaces + hyphens, e.g. user
+    //     passing "nist-800-53" matches catalog "NIST SP 800-53 Rev 5")
+    //   - normalized prefix match on the gap KEY (e.g. user "nist-800-53"
+    //     matches keys "NIST-800-53-SI-2", "NIST-800-53-SC-8")
+    // This makes the named-framework filter behave the same way `all` does
+    // when extracting per-framework subsets.
+    const normalize = (s) => String(s).toLowerCase().replace(/[\s_-]/g, '');
+    const idNorm = normalize(id);
+    const frameworkGaps = relevantGaps.filter(([key, g]) => {
+      if (!g.framework) return false;
+      if (g.framework === id) return true;
+      if (normalize(g.framework).includes(idNorm)) return true;
+      if (normalize(key).startsWith(idNorm)) return true;
+      return false;
+    });
     frameworkResults[id] = {
       gap_count: frameworkGaps.length,
       gaps: frameworkGaps.map(([key, g]) => ({

package/lib/playbook-runner.js

@@ -326,10 +326,20 @@ function analyze(playbookId, directiveId, detectResult, agentSignals = {}) {
 
   // Match catalogued CVEs from the domain.cve_refs list. The agent submits
   // signal values; engine joins to the catalog for RWEP context.
+  // VEX filter (agentSignals.vex_filter): a set of CVE IDs the operator
+  // has formally declared not_affected via a CycloneDX/OpenVEX statement.
+  // We drop those from matched_cves before scoring, and surface them
+  // separately so the analyze response still records the disposition.
   const cveRefs = playbook.domain.cve_refs || [];
-  const matchedCves = cveRefs
-    .map(id => xref.byCve(id))
-    .filter(r => r.found);
+  const vexFilter = agentSignals.vex_filter instanceof Set ? agentSignals.vex_filter
+    : (Array.isArray(agentSignals.vex_filter) ? new Set(agentSignals.vex_filter) : null);
+  const allMatches = cveRefs.map(id => xref.byCve(id)).filter(r => r.found);
+  const matchedCves = vexFilter
+    ? allMatches.filter(c => !vexFilter.has(c.cve_id))
+    : allMatches;
+  const vexDropped = vexFilter
+    ? allMatches.filter(c => vexFilter.has(c.cve_id)).map(c => c.cve_id)
+    : [];
 
   // RWEP composition: start from the catalogue's per-CVE rwep_score (already
   // baked from KEV + PoC + AI-disc + active-exploitation + blast-radius), then
@@ -423,10 +433,44 @@ function analyze(playbookId, directiveId, detectResult, agentSignals = {}) {
       verdict_text: theaterVerdict === 'theater' ? an.compliance_theater_check?.theater_verdict_if_gap : null
     },
     framework_gap_mapping: frameworkGaps,
-    escalations
+    escalations,
+    vex: vexFilter ? {
+      filter_applied: true,
+      dropped_cve_count: vexDropped.length,
+      dropped_cves: vexDropped,
+      note: vexDropped.length
+        ? `${vexDropped.length} CVE(s) dropped from analyze because the operator-supplied VEX statement marks them not_affected / resolved / false_positive. They remain in cve-catalog.json; the disposition lives in the VEX file.`
+        : "VEX filter supplied; zero matches dropped (no CVEs in domain.cve_refs matched the VEX not-affected set)."
+    } : null
   };
 }
 
+/**
+ * Extract a set of "not affected" CVE IDs from a VEX document. Supports
+ * CycloneDX VEX (analysis.state in {not_affected, resolved, false_positive})
+ * and OpenVEX (statements[].status === "not_affected"). Returns a Set<string>.
+ */
+function vexFilterFromDoc(doc) {
+  const out = new Set();
+  if (!doc || typeof doc !== 'object') return out;
+
+  // CycloneDX shape
+  for (const v of (doc.vulnerabilities || [])) {
+    const state = v.analysis && v.analysis.state;
+    if (state === 'not_affected' || state === 'resolved' || state === 'false_positive') {
+      if (v.id) out.add(v.id);
+    }
+  }
+  // OpenVEX shape
+  for (const s of (doc.statements || [])) {
+    if (s.status === 'not_affected' || s.status === 'fixed') {
+      const id = s.vulnerability && (s.vulnerability['@id'] || s.vulnerability.name || s.vulnerability);
+      if (typeof id === 'string') out.add(id);
+    }
+  }
+  return out;
+}
+
 // --- phase 6: validate ---
 
 function validate(playbookId, directiveId, analyzeResult, agentSignals = {}) {
@@ -542,13 +586,23 @@ function close(playbookId, directiveId, analyzeResult, validateResult, agentSign
     }
   }
 
-  // evidence_package
+  // evidence_package — playbook declares one primary bundle_format; the
+  // operator may request additional formats via agentSignals._bundle_formats
+  // (e.g. SARIF for GitHub Code Scanning + OpenVEX for supply-chain tooling
+  // alongside the CSAF default).
+  const primaryFormat = c.evidence_package?.bundle_format || 'csaf-2.0';
+  const extraFormats = Array.isArray(agentSignals._bundle_formats)
+    ? agentSignals._bundle_formats.filter(f => f !== primaryFormat)
+    : [];
   const evidencePackage = c.evidence_package ? {
-    bundle_format: c.evidence_package.bundle_format || 'csaf-2.0',
+    bundle_format: primaryFormat,
     contents: c.evidence_package.contents || [],
     destination: c.evidence_package.destination || 'local_only',
     signed: c.evidence_package.signed !== false,
-    bundle_body: buildEvidenceBundle(c.evidence_package.bundle_format || 'csaf-2.0', playbook, analyzeResult, validateResult, agentSignals)
+    bundle_body: buildEvidenceBundle(primaryFormat, playbook, analyzeResult, validateResult, agentSignals),
+    bundles_by_format: extraFormats.length ? Object.fromEntries(
+      [primaryFormat, ...extraFormats].map(f => [f, buildEvidenceBundle(f, playbook, analyzeResult, validateResult, agentSignals)])
+    ) : null,
   } : null;
 
   if (evidencePackage && evidencePackage.signed && runOpts.session_key) {
@@ -643,22 +697,102 @@ function buildEvidenceBundle(format, playbook, analyze, validate, agentSignals)
       },
       vulnerabilities: analyze.matched_cves.map(c => ({
         cve: c.cve_id,
-        scores: [{ products: [], cvss_v3: { base_score: 0 } }],
+        scores: [{ products: [], cvss_v3: { base_score: c.cvss_score || 0 } }],
         threats: c.active_exploitation === 'confirmed' ? [{ category: 'exploit_status', details: 'Active exploitation confirmed (CISA KEV).' }] : [],
         remediations: [{ category: 'vendor_fix', details: validate.selected_remediation?.description || 'See selected remediation path.' }]
       })),
       exceptd_extension: {
         rwep: analyze.rwep,
         blast_radius_score: analyze.blast_radius_score,
-        compliance_theater: analyze.compliance_theater,
+        compliance_theater: analyze.compliance_theater_check,
         framework_gap_mapping: analyze.framework_gap_mapping,
         evidence_requirements: validate.evidence_requirements,
         residual_risk_statement: validate.residual_risk_statement
       }
     };
   }
-  // Other formats deferred.
-  return { format, note: 'Non-CSAF formats deferred to GRC integration layer.', analyze, validate };
+
+  // SARIF 2.1.0 — GitHub Code Scanning / VS Code SARIF Viewer / Azure DevOps
+  // and most static analysis tooling. One run per playbook directive, one
+  // result per matched CVE. Each result references a rule (cve_id) and ties
+  // back to the directive as the "tool" producer.
+  if (format === 'sarif' || format === 'sarif-2.1.0') {
+    return {
+      $schema: 'https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json',
+      version: '2.1.0',
+      runs: [{
+        tool: {
+          driver: {
+            name: 'exceptd',
+            version: playbook._meta.version,
+            informationUri: 'https://exceptd.com',
+            rules: analyze.matched_cves.map(c => ({
+              id: c.cve_id,
+              shortDescription: { text: c.cve_id },
+              fullDescription: { text: `RWEP ${c.rwep} · KEV=${c.cisa_kev} · active_exploitation=${c.active_exploitation} · PoC=${c.poc_available}` },
+              defaultConfiguration: { level: c.rwep >= 90 ? 'error' : c.rwep >= 70 ? 'warning' : 'note' },
+              helpUri: `https://nvd.nist.gov/vuln/detail/${c.cve_id}`,
+            }))
+          }
+        },
+        results: analyze.matched_cves.map(c => ({
+          ruleId: c.cve_id,
+          level: c.rwep >= 90 ? 'error' : c.rwep >= 70 ? 'warning' : 'note',
+          message: { text: `${c.cve_id}: RWEP ${c.rwep}, blast_radius ${analyze.blast_radius_score}. ${validate.selected_remediation?.description || ''}` },
+          properties: {
+            rwep: c.rwep,
+            cisa_kev: c.cisa_kev,
+            cisa_kev_due_date: c.cisa_kev_due_date,
+            active_exploitation: c.active_exploitation,
+            ai_discovered: c.ai_discovered,
+            blast_radius_score: analyze.blast_radius_score,
+            framework_gaps: analyze.framework_gap_mapping?.length || 0,
+          }
+        }))
+      }]
+    };
+  }
+
+  // OpenVEX 0.2.0 — supply-chain VEX statements. Each matched CVE becomes a
+  // statement with status derived from confidence + RWEP. Downstream tools
+  // (sigstore, in-toto, GUAC) consume this directly.
+  if (format === 'openvex' || format === 'openvex-0.2.0') {
+    const issued = new Date().toISOString();
+    return {
+      '@context': 'https://openvex.dev/ns/v0.2.0',
+      '@id': `https://exceptd.com/vex/${playbook._meta.id}/${Date.now()}`,
+      author: 'exceptd',
+      timestamp: issued,
+      version: 1,
+      statements: analyze.matched_cves.map(c => ({
+        vulnerability: { '@id': c.cve_id, name: c.cve_id },
+        status: c.active_exploitation === 'confirmed' ? 'under_investigation' : (c.live_patch_available ? 'fixed' : 'affected'),
+        timestamp: issued,
+        action_statement: validate.selected_remediation?.description || null,
+        impact_statement: `RWEP ${c.rwep}. Blast radius ${analyze.blast_radius_score}/5.`
+      }))
+    };
+  }
+
+  if (format === 'markdown') {
+    const lines = [
+      `# exceptd finding: ${playbook.domain.name}`,
+      `**Playbook:** ${playbook._meta.id} v${playbook._meta.version}`,
+      `**Matched CVEs:** ${analyze.matched_cves.length}`,
+      `**Top RWEP:** ${analyze.rwep?.adjusted || 0}`,
+      `**Blast radius:** ${analyze.blast_radius_score || 'unknown'}/5`,
+      `**Theater verdict:** ${analyze.compliance_theater_check?.verdict || 'n/a'}`,
+      `\n## Matched CVEs`,
+      ...analyze.matched_cves.map(c => `- **${c.cve_id}** RWEP ${c.rwep} · KEV=${c.cisa_kev} · ${c.active_exploitation}`),
+      `\n## Selected remediation`,
+      validate.selected_remediation ? `${validate.selected_remediation.id} (priority ${validate.selected_remediation.priority}): ${validate.selected_remediation.description}` : 'No remediation path selected.',
+      `\n## Residual risk`,
+      validate.residual_risk_statement ? `${validate.residual_risk_statement.risk}\n\n_Acceptance level: ${validate.residual_risk_statement.acceptance_level}_` : 'None recorded.',
+    ];
+    return { format: 'markdown', body: lines.join('\n') };
+  }
+
+  return { format, note: 'Unknown format — supported: csaf-2.0, sarif, openvex, markdown.', analyze, validate };
 }
 
 // --- orchestrate: full run in one call ---
@@ -887,6 +1021,7 @@ module.exports = {
   validate,
   close,
   run,
+  vexFilterFromDoc,
   // internal helpers exposed for tests
   _resolvedPhase: resolvedPhase,
   _deepMerge: deepMerge,

package/lib/prefetch.js

@@ -260,6 +260,10 @@ async function prefetch(options = {}) {
         result.by_source[item.source].skipped_fresh++;
       }
     }
+    // Unconditional one-line summary (--quiet preserved on per-entry chatter
+    // but operator still needs confirmation the dry-run completed).
+    const stale = plan.length - result.skipped_fresh;
+    console.log(`prefetch summary: 0 fetched, ${result.skipped_fresh} fresh, ${stale} would-fetch (dry-run)`);
     return result;
   }
 
@@ -306,7 +310,11 @@ async function prefetch(options = {}) {
   idx.generated_at = new Date().toISOString();
   saveIndex(opts.cacheDir, idx);
 
-  log(`\nprefetch summary: ${result.fetched} fetched, ${result.skipped_fresh} fresh, ${result.errors} error(s)`);
+  // Final summary is unconditional — --quiet suppresses per-entry chatter
+  // (the noisy part) but the operator still needs one line confirming success.
+  // Without this, --quiet + --no-network was zero output even on dry-run
+  // success, leaving operators unsure if the command had run at all.
+  console.log(`prefetch summary: ${result.fetched} fetched, ${result.skipped_fresh} fresh, ${result.errors} error(s)${opts.noNetwork ? " (dry-run)" : ""}`);
   return result;
 }
 

package/manifest-snapshot.json

@@ -1,6 +1,6 @@
 {
   "_comment": "Auto-generated by scripts/refresh-manifest-snapshot.js — do not hand-edit. Public skill surface used by check-manifest-snapshot.js to detect breaking removals.",
-  "_generated_at": "2026-05-12T13:34:58.543Z",
+  "_generated_at": "2026-05-12T14:06:22.523Z",
   "atlas_version": "5.1.0",
   "skill_count": 38,
   "skills": [

package/manifest.json

@@ -1,6 +1,6 @@
 {
   "name": "exceptd-security",
-  "version": "0.10.1",
+  "version": "0.10.3",
   "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation",
   "homepage": "https://exceptd.com",
   "license": "Apache-2.0",
@@ -52,7 +52,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "WprHkO1KOjQtCBj6/EJghBTNyNKJhn7O2HDbAQZPi5jn4flwHpSrtP8LC15a4Unoh+xiIIgGhvTHZIQFHGMpBQ==",
-      "signed_at": "2026-05-12T13:34:58.085Z",
+      "signed_at": "2026-05-12T14:06:21.967Z",
       "cwe_refs": [
         "CWE-125",
         "CWE-362",
@@ -116,7 +116,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "fg20bOXGRkPUdLmegeXpTM4hnzl/ArgcVc88rItZN5DdsnFnzPgUU1PwCI82zooyj2GfxJHYjxNkq5qd2zNPBg==",
-      "signed_at": "2026-05-12T13:34:58.087Z",
+      "signed_at": "2026-05-12T14:06:21.969Z",
       "cwe_refs": [
         "CWE-1039",
         "CWE-1426",
@@ -179,7 +179,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "6JuSzkSSFzFHEZ3ANzqjtIbKPOkwJeKhQ+8WAPB4+dTRvDSeg46n3D88XfGaNd2z7pmg/i8p9ZoImQcHFS4BCg==",
-      "signed_at": "2026-05-12T13:34:58.087Z",
+      "signed_at": "2026-05-12T14:06:21.970Z",
       "cwe_refs": [
         "CWE-22",
         "CWE-345",
@@ -225,7 +225,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "PYSw9abiYfW+y7IkY8udJG5LSds2a4rMimlw3rrdD0zE3vunEeV/y7oTmDD4o83OqHSCKNzF/7vMhvd/noqICQ==",
-      "signed_at": "2026-05-12T13:34:58.088Z"
+      "signed_at": "2026-05-12T14:06:21.970Z"
     },
     {
       "name": "compliance-theater",
@@ -256,7 +256,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "BMFmmJYP3HsHIjUqnhw8E3MiMGZJsI/eDq51we+nxUicZ8nFUQT9DhmRntAqOs6BUnsfiQNNLc/rrsNh8yg1CQ==",
-      "signed_at": "2026-05-12T13:34:58.088Z"
+      "signed_at": "2026-05-12T14:06:21.971Z"
     },
     {
       "name": "exploit-scoring",
@@ -285,7 +285,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "VGPyDwy5BRlpn1lZthhPB6ytb4ZcU2j0KtCZbaMkyLdMugQJtK2yEuwrsDH4yEtAhTB6/A4B3eSygJckum49Ag==",
-      "signed_at": "2026-05-12T13:34:58.088Z"
+      "signed_at": "2026-05-12T14:06:21.971Z"
     },
     {
       "name": "rag-pipeline-security",
@@ -322,7 +322,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "XkFGpsNnXBVslkQ48usEu9l1LjPiV2ppW+M4B63zXFBP2Puh52qYCffEPjUHYhoO5bjgTM7yCbK8XF/Dzk5wBw==",
-      "signed_at": "2026-05-12T13:34:58.089Z",
+      "signed_at": "2026-05-12T14:06:21.971Z",
       "cwe_refs": [
         "CWE-1395",
         "CWE-1426"
@@ -379,7 +379,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "1Xqy7Kxxy6GpTvuYJPdllPzVDRFxb7N6AuxKuoaO4v91CiZLmiXt0sTIWImKJ3p9Eup6rJNDdsY71dolFhHNBA==",
-      "signed_at": "2026-05-12T13:34:58.089Z",
+      "signed_at": "2026-05-12T14:06:21.972Z",
       "d3fend_refs": [
         "D3-CA",
         "D3-CSPP",
@@ -414,7 +414,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "QNLOmAL54S/Cmk4cdO4L2BCGkqZ/FgY4UBsKWtg/EEW+YXF5ev+a8XsUT8q5veuUa2VYcYna7rD1iAnE+2PDBA==",
-      "signed_at": "2026-05-12T13:34:58.089Z",
+      "signed_at": "2026-05-12T14:06:21.972Z",
       "cwe_refs": [
         "CWE-1188"
       ]
@@ -442,7 +442,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "aFHq4cSl3CKchnVITxx+BrAEWD33WtFFJoQtwAug5g9R3/3ABtjaXYGVQaZcdcG1AIZkMoGSPywgLQWDY7ZDCw==",
-      "signed_at": "2026-05-12T13:34:58.090Z"
+      "signed_at": "2026-05-12T14:06:21.972Z"
     },
     {
       "name": "global-grc",
@@ -474,7 +474,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "viCTUWdy6euvd2KTAo6sLvarK/FZkDtYGocxBt0H+fY94kLQGW8K5cSpqIWdUF5NUytSHBCiG4YcSze8P9Z/BQ==",
-      "signed_at": "2026-05-12T13:34:58.090Z"
+      "signed_at": "2026-05-12T14:06:21.973Z"
     },
     {
       "name": "zeroday-gap-learn",
@@ -501,7 +501,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "6PkUaHQi3Hxuqq/Jp4GYckvfqVEofmeT87NUH0T+pwyjlc+xZkoqNPn65f7ldciEPL86JIPi3/dDTKQbIFFBCw==",
-      "signed_at": "2026-05-12T13:34:58.090Z"
+      "signed_at": "2026-05-12T14:06:21.973Z"
     },
     {
       "name": "pqc-first",
@@ -553,7 +553,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "ZenFTEzWx+DzrSXlNXhbZ70vOdJSXfrnKkAwqMlBf5nlDf38V1/hG4XCKj43snQXWr4mVJOX6ilqFLTYNIjnBw==",
-      "signed_at": "2026-05-12T13:34:58.091Z",
+      "signed_at": "2026-05-12T14:06:21.974Z",
       "cwe_refs": [
         "CWE-327"
       ],
@@ -600,7 +600,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "ih0vpd2v2zS31JSJv7SnABoya8JlJdrXZXx4rBnrsV3Assj+dbjAP0pQ1HMT/5RX8yTTswRQsg0bJV3qmbJ3Bw==",
-      "signed_at": "2026-05-12T13:34:58.091Z"
+      "signed_at": "2026-05-12T14:06:21.974Z"
     },
     {
       "name": "security-maturity-tiers",
@@ -637,7 +637,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "Lv8dHiwIqUbNsywCCB/+pYWGF+MHCvxVn1IAvR7Cnif5fy0sICv0N4SVsSb621qAAkHNshpfxqwuhbuQnE1TBA==",
-      "signed_at": "2026-05-12T13:34:58.091Z",
+      "signed_at": "2026-05-12T14:06:21.975Z",
       "cwe_refs": [
         "CWE-1188"
       ]
@@ -672,7 +672,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-11",
       "signature": "BS+wrL28HHYhBpe+v84VLoq9KPBXu6alfG968katfGIoLNYQueaHP931bRmlkrjfeb6qbDf067GWdPEh7nroAw==",
-      "signed_at": "2026-05-12T13:34:58.092Z"
+      "signed_at": "2026-05-12T14:06:21.975Z"
     },
     {
       "name": "attack-surface-pentest",
@@ -743,7 +743,7 @@
         "PTES revision incorporating AI-surface enumeration"
       ],
       "signature": "vLhIYT/CC3IzxMRa+UPeqGSZTvthuwUeTMGNFMm37+TaEk0TtfwPrPyrBJLHw4W6Wt7+pufjHs46X3nTgzoRAg==",
-      "signed_at": "2026-05-12T13:34:58.092Z"
+      "signed_at": "2026-05-12T14:06:21.975Z"
     },
     {
       "name": "fuzz-testing-strategy",
@@ -803,7 +803,7 @@
         "OSS-Fuzz-Gen / AI-assisted harness generation becoming the default expectation for OSS maintainers"
       ],
       "signature": "TOcQLy/427cuf0Lw90J7A0oIeuhUmf9NXb6tOUS5K3SazCKTJujPgYSVAPZOYf1zZrRAY/aq0iqELd5cLyk5DA==",
-      "signed_at": "2026-05-12T13:34:58.092Z"
+      "signed_at": "2026-05-12T14:06:21.975Z"
     },
     {
       "name": "dlp-gap-analysis",
@@ -878,7 +878,7 @@
         "Quebec Law 25, India DPDPA, KSA PDPL enforcement actions naming AI-tool prompt data as in-scope personal information"
       ],
       "signature": "u4IN7escQa5V+OgdtaJXLdvhmNiGZsdmGOvebTLZ30WoImT+WiksvaqSa0POGdbr6HzFkALe2RrZEH9Tr0U6Dg==",
-      "signed_at": "2026-05-12T13:34:58.092Z"
+      "signed_at": "2026-05-12T14:06:21.976Z"
     },
     {
       "name": "supply-chain-integrity",
@@ -955,7 +955,7 @@
         "OpenSSF model-signing — emerging Sigstore-based signing standard for ML model weights; track for production adoption"
       ],
       "signature": "eTGQJ3gnG24WggfwuFNNIFOWV/ttPxTa3pvx9OH28m5KDS1a4ZmOR7K8y01wk/su8bH0ClYYRfoBfKQOtRswAg==",
-      "signed_at": "2026-05-12T13:34:58.093Z"
+      "signed_at": "2026-05-12T14:06:21.976Z"
     },
     {
       "name": "defensive-countermeasure-mapping",
@@ -1012,7 +1012,7 @@
       ],
       "last_threat_review": "2026-05-11",
       "signature": "q7gFLPoqf/8bqATR6gt/nj0EoyUOlfzi+bZ0bT3pC9KW7O6M/ji9fT+AXSGNp6PKd+70ACb3mkMGmWgjLpQXCg==",
-      "signed_at": "2026-05-12T13:34:58.093Z"
+      "signed_at": "2026-05-12T14:06:21.976Z"
     },
     {
       "name": "identity-assurance",
@@ -1079,7 +1079,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "pX8rhrrzuyG3iRrPORLqTZAjzGdWK/bKPUGJG5WHSZcv4LB0kQXOit4sHG0exdXxI6HY8jyX67QY4r5vEHHACw==",
-      "signed_at": "2026-05-12T13:34:58.093Z"
+      "signed_at": "2026-05-12T14:06:21.976Z"
     },
     {
       "name": "ot-ics-security",
@@ -1135,7 +1135,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "ypb8kNZQRdyu5mWeveB7sjCjNKXS1yXvjDJv88muzwhOs/a4Fu/Gb532js5NKyy+eCw/emrphpTZaL8R9a2lBA==",
-      "signed_at": "2026-05-12T13:34:58.093Z"
+      "signed_at": "2026-05-12T14:06:21.977Z"
     },
     {
       "name": "coordinated-vuln-disclosure",
@@ -1187,7 +1187,7 @@
         "NYDFS 23 NYCRR 500 amendments potentially adding explicit CVD program requirements"
       ],
       "signature": "346Lt+277ycRNsyAOGwLSONi4awgxKy3hP9G+BWjwaa8ySmTeqbYsbyyhtxjeohk9bV2SF+Hl2q4JdSvc/2qCQ==",
-      "signed_at": "2026-05-12T13:34:58.094Z"
+      "signed_at": "2026-05-12T14:06:21.977Z"
     },
     {
       "name": "threat-modeling-methodology",
@@ -1237,7 +1237,7 @@
         "PASTA v2 updates incorporating AI/ML application threats"
       ],
       "signature": "ewTvG5vu3ngFHyXgBur5vSKDFQsOZx0x79djGMricl7LCvQf5//OG6LZKXa+AOuEq58prRS+HgzrFA1DiTfeCQ==",
-      "signed_at": "2026-05-12T13:34:58.094Z"
+      "signed_at": "2026-05-12T14:06:21.977Z"
     },
     {
       "name": "webapp-security",
@@ -1311,7 +1311,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "ZHjbKu0Em92Kimr2esL1g93mf9TmcsChBhVEMWf/lFrjeLcg8nyHEIcDstIZ3FWYgc6MQNHnc3Rup3Xp/Za1Cw==",
-      "signed_at": "2026-05-12T13:34:58.094Z"
+      "signed_at": "2026-05-12T14:06:21.978Z"
     },
     {
       "name": "ai-risk-management",
@@ -1361,7 +1361,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "1KRxjCbAX0Rs5NTOioi1w/f1SOzDQrtRoXjTDtzEwJ+d1QzFf9cqmBlp0uXmGpL0bzEaHWIctjigSychmoL2Dw==",
-      "signed_at": "2026-05-12T13:34:58.095Z"
+      "signed_at": "2026-05-12T14:06:21.978Z"
     },
     {
       "name": "sector-healthcare",
@@ -1421,7 +1421,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "eiajFh7w7d4g+/crGalTtw9Qsu0deVsdHkdthZSy595ifGmgu0zaFD8usKThbPhOdUCCclTYkZYz5GalQmkhCw==",
-      "signed_at": "2026-05-12T13:34:58.095Z"
+      "signed_at": "2026-05-12T14:06:21.978Z"
     },
     {
       "name": "sector-financial",
@@ -1502,7 +1502,7 @@
         "TIBER-EU framework v2.0 alignment with DORA TLPT RTS (JC 2024/40); cross-recognition with CBEST and iCAST"
       ],
       "signature": "iSZR/fYESQVyjkcqj+O+yzU0BQfaELH5s7WizzUTWvDPDTD2ZyOnZTT1r/Zfx2l4mbPmVeFGWdYnnVFTk/i3Aw==",
-      "signed_at": "2026-05-12T13:34:58.095Z"
+      "signed_at": "2026-05-12T14:06:21.979Z"
     },
     {
       "name": "sector-federal-government",
@@ -1571,7 +1571,7 @@
         "Australia PSPF 2024 revision and ISM quarterly updates — track for Essential Eight Maturity Level requirements for federal entities"
       ],
       "signature": "Wjdo5YXEL8XeNZkaEueG1DOUoyalstNPzQkxD/cwP5iMrJWg/Ly+sC0Oluuqm3aU7d63z55PrbGQCJD0XVZqBg==",
-      "signed_at": "2026-05-12T13:34:58.096Z"
+      "signed_at": "2026-05-12T14:06:21.979Z"
     },
     {
       "name": "sector-energy",
@@ -1636,7 +1636,7 @@
         "ICS-CERT advisory feed (https://www.cisa.gov/news-events/cybersecurity-advisories/ics-advisories) for vendor CVEs in Siemens, Rockwell, Schneider Electric, ABB, GE Vernova, Hitachi Energy, AVEVA / OSIsoft PI"
       ],
       "signature": "c/l7dOHe0Zj6Ag3abUaEie6o0f8M4rhY5aPI9/wG4z6FDue9PzCVw8vUGoITFgg89g97lMfy2C3CE2PegQoFCw==",
-      "signed_at": "2026-05-12T13:34:58.096Z"
+      "signed_at": "2026-05-12T14:06:21.980Z"
     },
     {
       "name": "api-security",
@@ -1705,7 +1705,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "9FgcJvYeo07QxQ+mnVRQk4jYLDMO/AVSXMs8cueO2f/qMOTQmrhBMVhj5ze7hzvXpGkp7EK/3Q1XKqde61JMAg==",
-      "signed_at": "2026-05-12T13:34:58.096Z"
+      "signed_at": "2026-05-12T14:06:21.980Z"
     },
     {
       "name": "cloud-security",
@@ -1786,7 +1786,7 @@
         "CISA KEV additions for cloud-control-plane CVEs (IMDSv1 abuses, federation token mishandling, cross-tenant boundary failures); CISA Cybersecurity Advisories for cross-cloud advisories"
       ],
       "signature": "xRA0XZf7VPtuBtbsm41bay9yBLphw/hlL3YxIUrpko5g9ldM3oJe9o1qSwzIj/wSnQSI29qqPpNsnlks+HEOCA==",
-      "signed_at": "2026-05-12T13:34:58.096Z"
+      "signed_at": "2026-05-12T14:06:21.980Z"
     },
     {
       "name": "container-runtime-security",
@@ -1848,7 +1848,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "GcU50DStuN1gU/Evm/sFRgeieQbqffVp12rgbGnasRX89Q7kM4ltFXB+bgCXHIvICzYb78hPIifWQb9UVupWBQ==",
-      "signed_at": "2026-05-12T13:34:58.097Z"
+      "signed_at": "2026-05-12T14:06:21.980Z"
     },
     {
       "name": "mlops-security",
@@ -1919,7 +1919,7 @@
         "MITRE ATLAS v5.2 — track AML.T0010 sub-technique expansion and any new MLOps-pipeline-specific TTPs"
       ],
       "signature": "onIazpFoL1t4PMNRsoF06ggnl7BzCKjt0x+ZmVfWfyt1V06DgllsrbN3AAz4+g4jW2Sc71q0vIFKfwEUWpGVAQ==",
-      "signed_at": "2026-05-12T13:34:58.097Z"
+      "signed_at": "2026-05-12T14:06:21.981Z"
     },
     {
       "name": "incident-response-playbook",
@@ -1981,7 +1981,7 @@
         "NYDFS 23 NYCRR 500.17 amendments tightening ransom-payment 24h disclosure operationalization"
       ],
       "signature": "P0Yv4CtqbnBNP6nSIxQUYYHL7T7ci+iE7iE2UXVfnMPeWVdKG2nvRePjBXc3JZTLima1Txn/I5ocDNhLTIeUAQ==",
-      "signed_at": "2026-05-12T13:34:58.098Z"
+      "signed_at": "2026-05-12T14:06:21.981Z"
     },
     {
       "name": "email-security-anti-phishing",
@@ -2034,7 +2034,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "2pv81lLRbazpHqundCANb3YiLB4lkVsYctIDvI8rxSvHxhPS9jYXqmAoB5APSdDuOaew6XqpfZOehQUj9WmyBw==",
-      "signed_at": "2026-05-12T13:34:58.098Z"
+      "signed_at": "2026-05-12T14:06:21.982Z"
     },
     {
       "name": "age-gates-child-safety",
@@ -2102,7 +2102,7 @@
         "US state adult-site age-verification laws — 19+ states by mid-2026 (TX HB 18 upheld by SCOTUS June 2025 in Free Speech Coalition v. Paxton); track ongoing challenges in remaining states"
       ],
       "signature": "BJ/YYnGVXeSBaR9oWAVrcNX7Wz+kE8R4CghX6+XEI/qY89fyrkKNNwo2veqqf49wffJhHVJ1wTp8ZDECjNp+Dw==",
-      "signed_at": "2026-05-12T13:34:58.098Z"
+      "signed_at": "2026-05-12T14:06:21.982Z"
     }
   ]
 }