@blamejs/exceptd-skills 0.10.3 → 0.11.1

package/data/_indexes/_meta.json

@@ -1,10 +1,10 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-12T14:08:27.651Z",
+  "generated_at": "2026-05-12T15:12:14.697Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 49,
   "source_hashes": {
-    "manifest.json": "35c0e5e79c31c68c0a45e0bcad009fd34c935df5d0ba738e1f106a9be0c3d357",
+    "manifest.json": "c9d65112c41d74b26c533cc37160fe6d450789ad8910fcb8cc4dae6225940ef3",
     "data/atlas-ttps.json": "1500b5830dab070c4252496964a8c0948e1052a656e2c7c6e1efaf0350645e13",
     "data/cve-catalog.json": "a81d3e4b491b27ccc084596b063a6108ff10c9eb01d7776922fc393980b534fe",
     "data/cwe-catalog.json": "c3367d469b4b3d31e4c56397dd7a8305a0be338ecd85afa27804c0c9ce12157b",

package/lib/playbook-runner.js

@@ -143,16 +143,69 @@ function preflight(playbook, runOpts = {}) {
     }
   }
 
-  // 3. Mutex
+  // 3. Mutex — both intra-process (in-memory Set) AND cross-process
+  // (filesystem lockfile under .exceptd/locks/<playbook>.lock). v0.11.0 only
+  // enforced intra-process; v0.11.1 adds cross-process so two parallel CLI
+  // invocations of mutex-conflicting playbooks correctly race-detect.
   for (const conflictId of meta.mutex || []) {
     if (_activeRuns.has(conflictId)) {
-      return { ok: false, blocked_by: 'mutex', reason: `Mutex conflict: playbook ${conflictId} is currently active and listed in this playbook's mutex set.`, issues };
+      return { ok: false, blocked_by: 'mutex', reason: `Mutex conflict (intra-process): playbook ${conflictId} is currently active and listed in this playbook's mutex set.`, issues };
+    }
+    const lockPath = lockFilePath(conflictId);
+    if (lockPath && fs.existsSync(lockPath)) {
+      // Stale-lock detection: if the recorded PID is dead, ignore the lock.
+      try {
+        const lock = JSON.parse(fs.readFileSync(lockPath, 'utf8'));
+        if (lock.pid && !pidAlive(lock.pid)) {
+          fs.unlinkSync(lockPath); // GC stale
+        } else {
+          return {
+            ok: false,
+            blocked_by: 'mutex',
+            reason: `Mutex conflict (cross-process): playbook ${conflictId} has an active lock at ${lockPath} (pid ${lock.pid}, started ${lock.started_at}).`,
+            issues,
+          };
+        }
+      } catch { /* malformed lockfile — treat as stale and remove */
+        try { fs.unlinkSync(lockPath); } catch {}
+      }
     }
   }
 
   return { ok: true, issues };
 }
 
+function lockDir() {
+  const dir = path.join(process.cwd(), '.exceptd', 'locks');
+  try { fs.mkdirSync(dir, { recursive: true }); } catch {}
+  return dir;
+}
+
+function lockFilePath(playbookId) {
+  try { return path.join(lockDir(), `${playbookId}.lock`); }
+  catch { return null; }
+}
+
+function acquireLock(playbookId) {
+  const p = lockFilePath(playbookId);
+  if (!p) return null;
+  try {
+    fs.writeFileSync(p, JSON.stringify({ pid: process.pid, started_at: new Date().toISOString(), playbook: playbookId }, null, 2), { flag: 'wx' });
+    return p;
+  } catch { return null; /* already locked or unwritable */ }
+}
+
+function releaseLock(lockPath) {
+  if (!lockPath) return;
+  try { fs.unlinkSync(lockPath); } catch {}
+}
+
+function pidAlive(pid) {
+  if (typeof pid !== 'number') return false;
+  try { process.kill(pid, 0); return true; }
+  catch (e) { return e.code !== 'ESRCH'; }
+}
+
 // --- phase 1: govern ---
 
 /**
@@ -774,6 +827,26 @@ function buildEvidenceBundle(format, playbook, analyze, validate, agentSignals)
     };
   }
 
+  // v0.11.0 redesign #39: --format summary emits a 5-line digest for CI gates
+  // and human triage. Drops everything except verdict + RWEP + blast +
+  // feeds_into + jurisdiction clock count.
+  if (format === 'summary') {
+    return {
+      format: 'summary',
+      summary: {
+        playbook: playbook._meta.id,
+        verdict: analyze.compliance_theater_check?.verdict || 'pending',
+        matched_cves: analyze.matched_cves.length,
+        rwep_adjusted: analyze.rwep?.adjusted || 0,
+        rwep_threshold_escalate: analyze.rwep?.threshold?.escalate || null,
+        blast_radius_score: analyze.blast_radius_score || 0,
+        feeds_into: null,  // populated by close()
+        jurisdiction_clocks_active: null,  // populated by close()
+        remediation_recommended: validate.selected_remediation?.id || null,
+      }
+    };
+  }
+
   if (format === 'markdown') {
     const lines = [
       `# exceptd finding: ${playbook.domain.name}`,
@@ -797,14 +870,107 @@ function buildEvidenceBundle(format, playbook, analyze, validate, agentSignals)
 
 // --- orchestrate: full run in one call ---
 
+/**
+ * v0.11.0 flat submission shape → v0.10.x nested shape. The flat shape is:
+ *
+ *   {
+ *     observations: {
+ *       <artifact-id>: { captured, value, indicator?, result? } | "<precondition-value>",
+ *     },
+ *     verdict: { theater, classification, blast_radius }
+ *   }
+ *
+ * Already-nested submissions pass through unchanged.
+ */
+function normalizeSubmission(submission, playbook) {
+  if (!submission || typeof submission !== "object") return submission || {};
+  if (submission.artifacts || submission.signal_overrides || submission.signals) return submission;
+  if (!submission.observations && !submission.verdict) return submission;
+
+  const out = { artifacts: {}, signal_overrides: {}, signals: {}, precondition_checks: {} };
+  const knownPreconditions = new Set((playbook?._meta?.preconditions || []).map(p => p.id));
+  const knownArtifacts = new Set((playbook?.phases?.look?.artifacts || []).map(a => a.id));
+
+  for (const [key, val] of Object.entries(submission.observations || {})) {
+    if (knownPreconditions.has(key)) {
+      out.precondition_checks[key] = val === "ok" || val === true || val === "true";
+      continue;
+    }
+    if (typeof val === "object" && val !== null) {
+      const aid = knownArtifacts.has(key) ? key : (val.artifact || key);
+      out.artifacts[aid] = { value: val.value, captured: val.captured !== false };
+      if (val.indicator && val.result) out.signal_overrides[val.indicator] = val.result;
+    }
+  }
+
+  const v = submission.verdict || {};
+  if (v.theater) out.signals.theater_verdict = v.theater === "actual_security" ? "clear" : v.theater;
+  if (v.classification) out.signals.detection_classification = v.classification;
+  if (v.blast_radius !== undefined) out.signals.blast_radius_score = v.blast_radius;
+
+  // Carry over precondition_checks if the operator supplied them at the top
+  // level even in the flat shape.
+  if (submission.precondition_checks) Object.assign(out.precondition_checks, submission.precondition_checks);
+
+  return out;
+}
+
+/**
+ * Smart precondition auto-detect (redesign #9). Some preconditions are
+ * mechanically answerable by the runner itself — host platform, cwd
+ * readability, command-on-PATH. The AI shouldn't have to declare these;
+ * we resolve them ourselves and only escalate to AI declaration when the
+ * check requires intent (e.g. "operator authorized this scan").
+ */
+function autoDetectPreconditions(submission, playbook) {
+  const fs = require('fs');
+  const out = { ...(submission || {}) };
+  out.precondition_checks = { ...(submission?.precondition_checks || {}) };
+  for (const pc of (playbook?._meta?.preconditions || [])) {
+    if (out.precondition_checks[pc.id] !== undefined) continue; // operator already supplied
+    const check = (pc.check || '').toLowerCase();
+    if (check.includes("host.platform == 'linux'") || check.includes("host.platform == \"linux\"")) {
+      out.precondition_checks[pc.id] = process.platform === 'linux';
+    } else if (check.includes("host.platform == 'darwin'") || check.includes("host.platform == \"darwin\"")) {
+      out.precondition_checks[pc.id] = process.platform === 'darwin';
+    } else if (check.includes("cwd_readable")) {
+      try { fs.readdirSync(process.cwd()); out.precondition_checks[pc.id] = true; }
+      catch { out.precondition_checks[pc.id] = false; }
+    } else if (check.includes("agent_has_filesystem_read")) {
+      out.precondition_checks[pc.id] = true; // Node has fs by definition
+    } else if (check.match(/agent_has_command\(['"]([^'"]+)['"]\)/)) {
+      const cmdName = check.match(/agent_has_command\(['"]([^'"]+)['"]\)/)[1];
+      const { spawnSync } = require('child_process');
+      const probe = spawnSync(process.platform === 'win32' ? 'where' : 'which', [cmdName], { stdio: 'ignore' });
+      out.precondition_checks[pc.id] = probe.status === 0;
+    }
+    // Intent-requiring checks (e.g. "operator_authorized == true") are NOT
+    // auto-resolved — the AI / operator still declares them. We leave them
+    // undefined and the preflight gate handles missing values per on_fail.
+  }
+  return out;
+}
+
 function run(playbookId, directiveId, agentSubmission = {}, runOpts = {}) {
   const playbook = loadPlaybook(playbookId);
-  const pre = preflight(playbook, runOpts);
+
+  // v0.11.0: accept flat submission shape (observations + verdict). Normalize
+  // to the engine's internal nested shape before preflight/detect. Smart
+  // precondition auto-detect (redesign #9) fires here when the cwd is readable
+  // / the host platform matches — the runner can answer those itself rather
+  // than blocking on AI declaration.
+  agentSubmission = normalizeSubmission(agentSubmission, playbook);
+  agentSubmission = autoDetectPreconditions(agentSubmission, playbook);
+
+  const pre = preflight(playbook, { ...runOpts, precondition_checks: { ...(agentSubmission.precondition_checks || {}), ...(runOpts.precondition_checks || {}) } });
   if (!pre.ok) {
     return { ok: false, phase: 'preflight', blocked_by: pre.blocked_by, reason: pre.reason, issues: pre.issues };
   }
 
   _activeRuns.add(playbookId);
+  // Cross-process mutex lock for this run. preflight verified no other lock
+  // exists; we acquire ours and release in the finally block.
+  const lockPath = acquireLock(playbookId);
   try {
     const phases = {
       govern:   govern(playbookId, directiveId, runOpts),
@@ -837,6 +1003,7 @@ function run(playbookId, directiveId, agentSubmission = {}, runOpts = {}) {
     };
   } finally {
     _activeRuns.delete(playbookId);
+    releaseLock(lockPath);
   }
 }
 
@@ -996,13 +1163,24 @@ function plan(opts = {}) {
     session_id: opts.session_id || crypto.randomBytes(8).toString('hex'),
     playbooks: ids.map(id => {
       const pb = loadPlaybook(id);
+      const baseDirect = pb.phases?.direct || {};
       return {
         id,
         domain: pb.domain,
         scope: pb._meta.scope || null,
         threat_currency_score: pb._meta.threat_currency_score,
         air_gap_mode: !!pb._meta.air_gap_mode,
-        directives: pb.directives.map(d => ({ id: d.id, title: d.title, applies_to: d.applies_to }))
+        directives: pb.directives.map(d => {
+          const overrideDirect = d.phase_overrides?.direct || {};
+          const threatContext = overrideDirect.threat_context || baseDirect.threat_context || null;
+          // Bug #46: include description by default (not just under --directives).
+          // Operators picking a directive need operator-facing prose.
+          const desc = d.description
+            || (threatContext ? (threatContext.split(/(?<=[.!?])\s+/)[0] || "").slice(0, 240) : null)
+            || pb.domain?.name
+            || null;
+          return { id: d.id, title: d.title, description: desc, applies_to: d.applies_to };
+        })
       };
     })
   };
@@ -1022,6 +1200,8 @@ module.exports = {
   close,
   run,
   vexFilterFromDoc,
+  normalizeSubmission,
+  autoDetectPreconditions,
   // internal helpers exposed for tests
   _resolvedPhase: resolvedPhase,
   _deepMerge: deepMerge,

package/manifest-snapshot.json

@@ -1,6 +1,6 @@
 {
   "_comment": "Auto-generated by scripts/refresh-manifest-snapshot.js — do not hand-edit. Public skill surface used by check-manifest-snapshot.js to detect breaking removals.",
-  "_generated_at": "2026-05-12T14:06:22.523Z",
+  "_generated_at": "2026-05-12T15:10:59.836Z",
   "atlas_version": "5.1.0",
   "skill_count": 38,
   "skills": [

package/manifest.json

@@ -1,6 +1,6 @@
 {
   "name": "exceptd-security",
-  "version": "0.10.3",
+  "version": "0.11.1",
   "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation",
   "homepage": "https://exceptd.com",
   "license": "Apache-2.0",
@@ -52,7 +52,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "WprHkO1KOjQtCBj6/EJghBTNyNKJhn7O2HDbAQZPi5jn4flwHpSrtP8LC15a4Unoh+xiIIgGhvTHZIQFHGMpBQ==",
-      "signed_at": "2026-05-12T14:06:21.967Z",
+      "signed_at": "2026-05-12T15:10:59.392Z",
       "cwe_refs": [
         "CWE-125",
         "CWE-362",
@@ -116,7 +116,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "fg20bOXGRkPUdLmegeXpTM4hnzl/ArgcVc88rItZN5DdsnFnzPgUU1PwCI82zooyj2GfxJHYjxNkq5qd2zNPBg==",
-      "signed_at": "2026-05-12T14:06:21.969Z",
+      "signed_at": "2026-05-12T15:10:59.394Z",
       "cwe_refs": [
         "CWE-1039",
         "CWE-1426",
@@ -179,7 +179,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "6JuSzkSSFzFHEZ3ANzqjtIbKPOkwJeKhQ+8WAPB4+dTRvDSeg46n3D88XfGaNd2z7pmg/i8p9ZoImQcHFS4BCg==",
-      "signed_at": "2026-05-12T14:06:21.970Z",
+      "signed_at": "2026-05-12T15:10:59.395Z",
       "cwe_refs": [
         "CWE-22",
         "CWE-345",
@@ -225,7 +225,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "PYSw9abiYfW+y7IkY8udJG5LSds2a4rMimlw3rrdD0zE3vunEeV/y7oTmDD4o83OqHSCKNzF/7vMhvd/noqICQ==",
-      "signed_at": "2026-05-12T14:06:21.970Z"
+      "signed_at": "2026-05-12T15:10:59.395Z"
     },
     {
       "name": "compliance-theater",
@@ -256,7 +256,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "BMFmmJYP3HsHIjUqnhw8E3MiMGZJsI/eDq51we+nxUicZ8nFUQT9DhmRntAqOs6BUnsfiQNNLc/rrsNh8yg1CQ==",
-      "signed_at": "2026-05-12T14:06:21.971Z"
+      "signed_at": "2026-05-12T15:10:59.396Z"
     },
     {
       "name": "exploit-scoring",
@@ -285,7 +285,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "VGPyDwy5BRlpn1lZthhPB6ytb4ZcU2j0KtCZbaMkyLdMugQJtK2yEuwrsDH4yEtAhTB6/A4B3eSygJckum49Ag==",
-      "signed_at": "2026-05-12T14:06:21.971Z"
+      "signed_at": "2026-05-12T15:10:59.396Z"
     },
     {
       "name": "rag-pipeline-security",
@@ -322,7 +322,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "XkFGpsNnXBVslkQ48usEu9l1LjPiV2ppW+M4B63zXFBP2Puh52qYCffEPjUHYhoO5bjgTM7yCbK8XF/Dzk5wBw==",
-      "signed_at": "2026-05-12T14:06:21.971Z",
+      "signed_at": "2026-05-12T15:10:59.396Z",
       "cwe_refs": [
         "CWE-1395",
         "CWE-1426"
@@ -379,7 +379,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "1Xqy7Kxxy6GpTvuYJPdllPzVDRFxb7N6AuxKuoaO4v91CiZLmiXt0sTIWImKJ3p9Eup6rJNDdsY71dolFhHNBA==",
-      "signed_at": "2026-05-12T14:06:21.972Z",
+      "signed_at": "2026-05-12T15:10:59.396Z",
       "d3fend_refs": [
         "D3-CA",
         "D3-CSPP",
@@ -414,7 +414,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "QNLOmAL54S/Cmk4cdO4L2BCGkqZ/FgY4UBsKWtg/EEW+YXF5ev+a8XsUT8q5veuUa2VYcYna7rD1iAnE+2PDBA==",
-      "signed_at": "2026-05-12T14:06:21.972Z",
+      "signed_at": "2026-05-12T15:10:59.397Z",
       "cwe_refs": [
         "CWE-1188"
       ]
@@ -442,7 +442,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "aFHq4cSl3CKchnVITxx+BrAEWD33WtFFJoQtwAug5g9R3/3ABtjaXYGVQaZcdcG1AIZkMoGSPywgLQWDY7ZDCw==",
-      "signed_at": "2026-05-12T14:06:21.972Z"
+      "signed_at": "2026-05-12T15:10:59.397Z"
     },
     {
       "name": "global-grc",
@@ -474,7 +474,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "viCTUWdy6euvd2KTAo6sLvarK/FZkDtYGocxBt0H+fY94kLQGW8K5cSpqIWdUF5NUytSHBCiG4YcSze8P9Z/BQ==",
-      "signed_at": "2026-05-12T14:06:21.973Z"
+      "signed_at": "2026-05-12T15:10:59.398Z"
     },
     {
       "name": "zeroday-gap-learn",
@@ -501,7 +501,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "6PkUaHQi3Hxuqq/Jp4GYckvfqVEofmeT87NUH0T+pwyjlc+xZkoqNPn65f7ldciEPL86JIPi3/dDTKQbIFFBCw==",
-      "signed_at": "2026-05-12T14:06:21.973Z"
+      "signed_at": "2026-05-12T15:10:59.398Z"
     },
     {
       "name": "pqc-first",
@@ -553,7 +553,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "ZenFTEzWx+DzrSXlNXhbZ70vOdJSXfrnKkAwqMlBf5nlDf38V1/hG4XCKj43snQXWr4mVJOX6ilqFLTYNIjnBw==",
-      "signed_at": "2026-05-12T14:06:21.974Z",
+      "signed_at": "2026-05-12T15:10:59.398Z",
       "cwe_refs": [
         "CWE-327"
       ],
@@ -600,7 +600,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "ih0vpd2v2zS31JSJv7SnABoya8JlJdrXZXx4rBnrsV3Assj+dbjAP0pQ1HMT/5RX8yTTswRQsg0bJV3qmbJ3Bw==",
-      "signed_at": "2026-05-12T14:06:21.974Z"
+      "signed_at": "2026-05-12T15:10:59.399Z"
     },
     {
       "name": "security-maturity-tiers",
@@ -637,7 +637,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "Lv8dHiwIqUbNsywCCB/+pYWGF+MHCvxVn1IAvR7Cnif5fy0sICv0N4SVsSb621qAAkHNshpfxqwuhbuQnE1TBA==",
-      "signed_at": "2026-05-12T14:06:21.975Z",
+      "signed_at": "2026-05-12T15:10:59.399Z",
       "cwe_refs": [
         "CWE-1188"
       ]
@@ -672,7 +672,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-11",
       "signature": "BS+wrL28HHYhBpe+v84VLoq9KPBXu6alfG968katfGIoLNYQueaHP931bRmlkrjfeb6qbDf067GWdPEh7nroAw==",
-      "signed_at": "2026-05-12T14:06:21.975Z"
+      "signed_at": "2026-05-12T15:10:59.399Z"
     },
     {
       "name": "attack-surface-pentest",
@@ -743,7 +743,7 @@
         "PTES revision incorporating AI-surface enumeration"
       ],
       "signature": "vLhIYT/CC3IzxMRa+UPeqGSZTvthuwUeTMGNFMm37+TaEk0TtfwPrPyrBJLHw4W6Wt7+pufjHs46X3nTgzoRAg==",
-      "signed_at": "2026-05-12T14:06:21.975Z"
+      "signed_at": "2026-05-12T15:10:59.399Z"
     },
     {
       "name": "fuzz-testing-strategy",
@@ -803,7 +803,7 @@
         "OSS-Fuzz-Gen / AI-assisted harness generation becoming the default expectation for OSS maintainers"
       ],
       "signature": "TOcQLy/427cuf0Lw90J7A0oIeuhUmf9NXb6tOUS5K3SazCKTJujPgYSVAPZOYf1zZrRAY/aq0iqELd5cLyk5DA==",
-      "signed_at": "2026-05-12T14:06:21.975Z"
+      "signed_at": "2026-05-12T15:10:59.400Z"
     },
     {
       "name": "dlp-gap-analysis",
@@ -878,7 +878,7 @@
         "Quebec Law 25, India DPDPA, KSA PDPL enforcement actions naming AI-tool prompt data as in-scope personal information"
       ],
       "signature": "u4IN7escQa5V+OgdtaJXLdvhmNiGZsdmGOvebTLZ30WoImT+WiksvaqSa0POGdbr6HzFkALe2RrZEH9Tr0U6Dg==",
-      "signed_at": "2026-05-12T14:06:21.976Z"
+      "signed_at": "2026-05-12T15:10:59.400Z"
     },
     {
       "name": "supply-chain-integrity",
@@ -955,7 +955,7 @@
         "OpenSSF model-signing — emerging Sigstore-based signing standard for ML model weights; track for production adoption"
       ],
       "signature": "eTGQJ3gnG24WggfwuFNNIFOWV/ttPxTa3pvx9OH28m5KDS1a4ZmOR7K8y01wk/su8bH0ClYYRfoBfKQOtRswAg==",
-      "signed_at": "2026-05-12T14:06:21.976Z"
+      "signed_at": "2026-05-12T15:10:59.401Z"
     },
     {
       "name": "defensive-countermeasure-mapping",
@@ -1012,7 +1012,7 @@
       ],
       "last_threat_review": "2026-05-11",
       "signature": "q7gFLPoqf/8bqATR6gt/nj0EoyUOlfzi+bZ0bT3pC9KW7O6M/ji9fT+AXSGNp6PKd+70ACb3mkMGmWgjLpQXCg==",
-      "signed_at": "2026-05-12T14:06:21.976Z"
+      "signed_at": "2026-05-12T15:10:59.402Z"
     },
     {
       "name": "identity-assurance",
@@ -1079,7 +1079,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "pX8rhrrzuyG3iRrPORLqTZAjzGdWK/bKPUGJG5WHSZcv4LB0kQXOit4sHG0exdXxI6HY8jyX67QY4r5vEHHACw==",
-      "signed_at": "2026-05-12T14:06:21.976Z"
+      "signed_at": "2026-05-12T15:10:59.402Z"
     },
     {
       "name": "ot-ics-security",
@@ -1135,7 +1135,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "ypb8kNZQRdyu5mWeveB7sjCjNKXS1yXvjDJv88muzwhOs/a4Fu/Gb532js5NKyy+eCw/emrphpTZaL8R9a2lBA==",
-      "signed_at": "2026-05-12T14:06:21.977Z"
+      "signed_at": "2026-05-12T15:10:59.402Z"
     },
     {
       "name": "coordinated-vuln-disclosure",
@@ -1187,7 +1187,7 @@
         "NYDFS 23 NYCRR 500 amendments potentially adding explicit CVD program requirements"
       ],
       "signature": "346Lt+277ycRNsyAOGwLSONi4awgxKy3hP9G+BWjwaa8ySmTeqbYsbyyhtxjeohk9bV2SF+Hl2q4JdSvc/2qCQ==",
-      "signed_at": "2026-05-12T14:06:21.977Z"
+      "signed_at": "2026-05-12T15:10:59.402Z"
     },
     {
       "name": "threat-modeling-methodology",
@@ -1237,7 +1237,7 @@
         "PASTA v2 updates incorporating AI/ML application threats"
       ],
       "signature": "ewTvG5vu3ngFHyXgBur5vSKDFQsOZx0x79djGMricl7LCvQf5//OG6LZKXa+AOuEq58prRS+HgzrFA1DiTfeCQ==",
-      "signed_at": "2026-05-12T14:06:21.977Z"
+      "signed_at": "2026-05-12T15:10:59.403Z"
     },
     {
       "name": "webapp-security",
@@ -1311,7 +1311,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "ZHjbKu0Em92Kimr2esL1g93mf9TmcsChBhVEMWf/lFrjeLcg8nyHEIcDstIZ3FWYgc6MQNHnc3Rup3Xp/Za1Cw==",
-      "signed_at": "2026-05-12T14:06:21.978Z"
+      "signed_at": "2026-05-12T15:10:59.403Z"
     },
     {
       "name": "ai-risk-management",
@@ -1361,7 +1361,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "1KRxjCbAX0Rs5NTOioi1w/f1SOzDQrtRoXjTDtzEwJ+d1QzFf9cqmBlp0uXmGpL0bzEaHWIctjigSychmoL2Dw==",
-      "signed_at": "2026-05-12T14:06:21.978Z"
+      "signed_at": "2026-05-12T15:10:59.403Z"
     },
     {
       "name": "sector-healthcare",
@@ -1421,7 +1421,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "eiajFh7w7d4g+/crGalTtw9Qsu0deVsdHkdthZSy595ifGmgu0zaFD8usKThbPhOdUCCclTYkZYz5GalQmkhCw==",
-      "signed_at": "2026-05-12T14:06:21.978Z"
+      "signed_at": "2026-05-12T15:10:59.404Z"
     },
     {
       "name": "sector-financial",
@@ -1502,7 +1502,7 @@
         "TIBER-EU framework v2.0 alignment with DORA TLPT RTS (JC 2024/40); cross-recognition with CBEST and iCAST"
       ],
       "signature": "iSZR/fYESQVyjkcqj+O+yzU0BQfaELH5s7WizzUTWvDPDTD2ZyOnZTT1r/Zfx2l4mbPmVeFGWdYnnVFTk/i3Aw==",
-      "signed_at": "2026-05-12T14:06:21.979Z"
+      "signed_at": "2026-05-12T15:10:59.404Z"
     },
     {
       "name": "sector-federal-government",
@@ -1571,7 +1571,7 @@
         "Australia PSPF 2024 revision and ISM quarterly updates — track for Essential Eight Maturity Level requirements for federal entities"
       ],
       "signature": "Wjdo5YXEL8XeNZkaEueG1DOUoyalstNPzQkxD/cwP5iMrJWg/Ly+sC0Oluuqm3aU7d63z55PrbGQCJD0XVZqBg==",
-      "signed_at": "2026-05-12T14:06:21.979Z"
+      "signed_at": "2026-05-12T15:10:59.404Z"
     },
     {
       "name": "sector-energy",
@@ -1636,7 +1636,7 @@
         "ICS-CERT advisory feed (https://www.cisa.gov/news-events/cybersecurity-advisories/ics-advisories) for vendor CVEs in Siemens, Rockwell, Schneider Electric, ABB, GE Vernova, Hitachi Energy, AVEVA / OSIsoft PI"
       ],
       "signature": "c/l7dOHe0Zj6Ag3abUaEie6o0f8M4rhY5aPI9/wG4z6FDue9PzCVw8vUGoITFgg89g97lMfy2C3CE2PegQoFCw==",
-      "signed_at": "2026-05-12T14:06:21.980Z"
+      "signed_at": "2026-05-12T15:10:59.405Z"
     },
     {
       "name": "api-security",
@@ -1705,7 +1705,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "9FgcJvYeo07QxQ+mnVRQk4jYLDMO/AVSXMs8cueO2f/qMOTQmrhBMVhj5ze7hzvXpGkp7EK/3Q1XKqde61JMAg==",
-      "signed_at": "2026-05-12T14:06:21.980Z"
+      "signed_at": "2026-05-12T15:10:59.405Z"
     },
     {
       "name": "cloud-security",
@@ -1786,7 +1786,7 @@
         "CISA KEV additions for cloud-control-plane CVEs (IMDSv1 abuses, federation token mishandling, cross-tenant boundary failures); CISA Cybersecurity Advisories for cross-cloud advisories"
       ],
       "signature": "xRA0XZf7VPtuBtbsm41bay9yBLphw/hlL3YxIUrpko5g9ldM3oJe9o1qSwzIj/wSnQSI29qqPpNsnlks+HEOCA==",
-      "signed_at": "2026-05-12T14:06:21.980Z"
+      "signed_at": "2026-05-12T15:10:59.405Z"
     },
     {
       "name": "container-runtime-security",
@@ -1848,7 +1848,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "GcU50DStuN1gU/Evm/sFRgeieQbqffVp12rgbGnasRX89Q7kM4ltFXB+bgCXHIvICzYb78hPIifWQb9UVupWBQ==",
-      "signed_at": "2026-05-12T14:06:21.980Z"
+      "signed_at": "2026-05-12T15:10:59.406Z"
     },
     {
       "name": "mlops-security",
@@ -1919,7 +1919,7 @@
         "MITRE ATLAS v5.2 — track AML.T0010 sub-technique expansion and any new MLOps-pipeline-specific TTPs"
       ],
       "signature": "onIazpFoL1t4PMNRsoF06ggnl7BzCKjt0x+ZmVfWfyt1V06DgllsrbN3AAz4+g4jW2Sc71q0vIFKfwEUWpGVAQ==",
-      "signed_at": "2026-05-12T14:06:21.981Z"
+      "signed_at": "2026-05-12T15:10:59.406Z"
     },
     {
       "name": "incident-response-playbook",
@@ -1981,7 +1981,7 @@
         "NYDFS 23 NYCRR 500.17 amendments tightening ransom-payment 24h disclosure operationalization"
       ],
       "signature": "P0Yv4CtqbnBNP6nSIxQUYYHL7T7ci+iE7iE2UXVfnMPeWVdKG2nvRePjBXc3JZTLima1Txn/I5ocDNhLTIeUAQ==",
-      "signed_at": "2026-05-12T14:06:21.981Z"
+      "signed_at": "2026-05-12T15:10:59.406Z"
     },
     {
       "name": "email-security-anti-phishing",
@@ -2034,7 +2034,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "2pv81lLRbazpHqundCANb3YiLB4lkVsYctIDvI8rxSvHxhPS9jYXqmAoB5APSdDuOaew6XqpfZOehQUj9WmyBw==",
-      "signed_at": "2026-05-12T14:06:21.982Z"
+      "signed_at": "2026-05-12T15:10:59.407Z"
     },
     {
       "name": "age-gates-child-safety",
@@ -2102,7 +2102,7 @@
         "US state adult-site age-verification laws — 19+ states by mid-2026 (TX HB 18 upheld by SCOTUS June 2025 in Free Speech Coalition v. Paxton); track ongoing challenges in remaining states"
       ],
       "signature": "BJ/YYnGVXeSBaR9oWAVrcNX7Wz+kE8R4CghX6+XEI/qY89fyrkKNNwo2veqqf49wffJhHVJ1wTp8ZDECjNp+Dw==",
-      "signed_at": "2026-05-12T14:06:21.982Z"
+      "signed_at": "2026-05-12T15:10:59.407Z"
     }
   ]
 }