@blamejs/exceptd-skills 0.11.11 → 0.11.12

package/CHANGELOG.md

@@ -1,5 +1,29 @@
 # Changelog
 
+## 0.11.12 — 2026-05-12
+
+**Patch: items 123-126 — content-not-just-shape, exit-code discipline, diff iteration.**
+
+Pattern: previous releases shipped the right field names but with empty content (notifications array existed but every entry's metadata was null), and exit-code semantics didn't cover the gates operators actually wanted to wire.
+
+### Bugs
+
+- **#123 jurisdiction notification entries carry obligation metadata.** Pre-0.11.12 `phases.close.jurisdiction_notifications` produced the right count of entries but each entry shape was `{ obligation_ref, recipient, draft_notification, deadline, ... }` — no `jurisdiction`, no `regulation`, no `window_hours`. The upstream `govern.jurisdiction_obligations` had the real metadata but close didn't carry it forward. Now each notification entry includes `jurisdiction`, `regulation`, `obligation_type`, `window_hours`, `clock_start_event`, `clock_started_at`, `deadline`, `notification_deadline` (alias matching compliance-team vocabulary), and `evidence_required`. Operators running `exceptd ci --block-on-jurisdiction-clock` now get notifications with the metadata they need to route to regulators and put on calendars.
+
+- **#124 `--ack` propagates into `phases.govern.operator_consent`.** Consent semantically belongs in govern (it acknowledges the jurisdiction obligations surfaced there). Pre-0.11.12 `--ack` set only `result.operator_consent` at the top level; the govern phase showed `null`. Now `phases.govern.operator_consent` is `{ acked_at, explicit: true }` when `--ack` is passed, `null` otherwise. Top-level `result.operator_consent` retained for backward compat.
+
+- **#125 ci exit-code matrix covers BLOCKED.** Pre-0.11.12 ci returned 0 for every non-detected path including blocked runs that never executed (preflight halt, mutex contention, stale threat intel, missing precondition). CI gates couldn't distinguish "ran clean" from "didn't run." Now: `0 PASS`, `2 detected/escalate`, `3 ran-but-no-evidence`, `4 BLOCKED (any ok:false)`, `1 framework error`. BLOCKED takes precedence over no-data because it's a harder gate failure. Help text updated.
+
+- **#126 attest diff iterates artifact sets correctly.** Pre-0.11.12 `total_compared` was always 0 on flat-shape submissions because the diff helper called `normalizeSubmission` with an empty playbook stub (`look.artifacts: []`), producing empty maps. Now the diff loads the real playbook from each attestation's `playbook_id` and normalizes against the actual artifact catalog; falls back to direct observation-key mapping when the playbook can't be loaded (renamed/removed). Identical submissions with N observations now correctly report `total_compared: N, unchanged_count: N`.
+
+### Tests
+
+5 new regression cases. 344 total. Tests assert content shape, not just field presence — every test that checks for a notification array now also asserts the entries carry non-null jurisdiction/regulation/window_hours.
+
+### Voice note (internal)
+
+Three of the four items (#123, #124, #126) were "added the field but the field was empty." Lesson: when an operator says "field is missing," the next question to ask after "is it on the result?" is "is its content meaningful, or is it a structurally-present null?" Codified in CLAUDE.md.
+
 ## 0.11.11 — 2026-05-12
 
 **Patch: CI test-gate hotfix — emit-then-exit stdout flush.**

package/bin/exceptd.js

@@ -219,7 +219,8 @@ v0.11.0 canonical surface
                              + rfc catalog + attestation-signing status.
                              --signatures | --currency | --cves | --rfcs
 
-  ci                         One-shot CI gate. Exits 2 on detected or rwep≥escalate.
+  ci                         One-shot CI gate. Exit codes: 0 PASS, 2 detected/escalate,
+                             3 ran-but-no-evidence, 4 blocked (ok:false), 1 framework error.
                              --all | --scope <type> | (auto-detect)
                              --max-rwep <n>         cap below playbook default
                              --block-on-jurisdiction-clock
@@ -2090,12 +2091,12 @@ function cmdAttest(runner, args, runOpts, pretty) {
         // for flat submissions; the diff returned all zeros even when
         // artifacts were present in observations.
         artifact_diff: diffArtifacts(
-          normalizedArtifacts(self.submission, runner),
-          normalizedArtifacts(other.submission, runner)
+          normalizedArtifacts(self.submission, runner, self.playbook_id),
+          normalizedArtifacts(other.submission, runner, other.playbook_id)
         ),
         signal_override_diff: diffSignalOverrides(
-          normalizedSignalOverrides(self.submission, runner),
-          normalizedSignalOverrides(other.submission, runner)
+          normalizedSignalOverrides(self.submission, runner, self.playbook_id),
+          normalizedSignalOverrides(other.submission, runner, other.playbook_id)
         ),
       }, pretty);
       return;
@@ -2205,25 +2206,55 @@ function cmdAttest(runner, args, runOpts, pretty) {
  * canonical nested view of both shapes lets `attest diff` produce meaningful
  * counts regardless of which shape the operator submitted.
  */
-function normalizedArtifacts(submission, runner) {
+function normalizedArtifacts(submission, runner, playbookId) {
   if (!submission || typeof submission !== "object") return {};
   if (submission.artifacts) return submission.artifacts;
   if (submission.observations) {
-    try {
-      const norm = runner.normalizeSubmission({ observations: submission.observations }, { _meta: {}, phases: { look: { artifacts: [] } } });
-      return norm.artifacts || {};
-    } catch { return {}; }
+    // v0.11.12 (#126): the prior stub playbook (look.artifacts: []) caused
+    // normalizeSubmission to produce {}, so attest diff reported
+    // total_compared: 0 even when both submissions held real observations.
+    // Try to load the real playbook from the attestation's playbook_id; if
+    // that fails (renamed/removed), fall back to treating each observation
+    // key as its own artifact id with `{ captured: true, value: <indicator|value> }`.
+    if (playbookId) {
+      try {
+        const pb = runner.loadPlaybook ? runner.loadPlaybook(playbookId) : null;
+        if (pb) {
+          const norm = runner.normalizeSubmission({ observations: submission.observations }, pb);
+          if (norm && norm.artifacts && Object.keys(norm.artifacts).length > 0) return norm.artifacts;
+        }
+      } catch { /* fall through to direct mapping */ }
+    }
+    // Direct mapping: observation keys are the artifact ids by convention.
+    const out = {};
+    for (const [k, v] of Object.entries(submission.observations)) {
+      out[k] = (v && typeof v === "object") ? v : { value: v };
+    }
+    return out;
   }
   return {};
 }
-function normalizedSignalOverrides(submission, runner) {
+function normalizedSignalOverrides(submission, runner, playbookId) {
   if (!submission || typeof submission !== "object") return {};
   if (submission.signal_overrides) return submission.signal_overrides;
   if (submission.observations) {
-    try {
-      const norm = runner.normalizeSubmission({ observations: submission.observations }, { _meta: {}, phases: { look: { artifacts: [] } } });
-      return norm.signal_overrides || {};
-    } catch { return {}; }
+    // v0.11.12 (#126): same fix as normalizedArtifacts — load the real
+    // playbook so look.indicators can map observation results to signal IDs.
+    if (playbookId) {
+      try {
+        const pb = runner.loadPlaybook ? runner.loadPlaybook(playbookId) : null;
+        if (pb) {
+          const norm = runner.normalizeSubmission({ observations: submission.observations }, pb);
+          if (norm && norm.signal_overrides && Object.keys(norm.signal_overrides).length > 0) return norm.signal_overrides;
+        }
+      } catch { /* fall through to direct mapping */ }
+    }
+    // Direct mapping: observation key -> result (canonical hit/miss/inconclusive).
+    const out = {};
+    for (const [k, v] of Object.entries(submission.observations)) {
+      if (v && typeof v === "object" && v.result !== undefined) out[k] = v.result;
+    }
+    return out;
   }
   return {};
 }
@@ -3395,11 +3426,22 @@ function cmdCi(runner, args, runOpts, pretty) {
     process.exitCode = 2;
     return;
   }
-  // v0.11.10 (#100): ci exits non-zero when NO evidence was supplied AND
-  // every playbook returned inconclusive. Pre-0.11.10 this exited 0,
-  // conflating "ran clean" with "never ran." Operators forgot --evidence /
-  // --evidence-dir and assumed a green CI = real coverage. Now: surface
-  // the gap loudly.
+  // v0.11.12 (#125): ci exit code matrix. Pre-0.11.12 every non-detected
+  // path exited 0 including blocked runs that never executed — CI gates
+  // couldn't distinguish ok:false from ok:true. Now:
+  //   0 PASS — every playbook produced a result, none detected/escalating
+  //   2 FAIL — at least one detected or rwep>=escalate (above)
+  //   3 NO-DATA — ran but no --evidence and all inconclusive
+  //   4 BLOCKED — at least one playbook returned ok:false (preflight halt,
+  //     stale threat intel, missing precondition, mutex contention, etc.)
+  //   1 FRAMEWORK — engine/parse error (set elsewhere)
+  // BLOCKED takes precedence over NO-DATA because a blocked run is a
+  // harder gate failure than "no real data."
+  if (summary.blocked > 0) {
+    process.stderr.write(`[exceptd ci] BLOCKED: ${summary.blocked}/${summary.total} playbook(s) returned ok:false (preflight/mutex/threat-currency/etc.). Exit 4. Inspect results[].reason for each blocked entry.\n`);
+    process.exitCode = 4;
+    return;
+  }
   const suppliedEvidence = args.evidence || args["evidence-dir"];
   const allInconclusive = summary.inconclusive === summary.total && summary.total > 0;
   if (!suppliedEvidence && allInconclusive) {

package/data/_indexes/_meta.json

@@ -1,10 +1,10 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-12T23:33:08.941Z",
+  "generated_at": "2026-05-12T23:57:49.662Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 49,
   "source_hashes": {
-    "manifest.json": "3b6c4c6f48c63ce7b72621b3fcf19a9f37ace376ffef363d800dfc2b40ba3efe",
+    "manifest.json": "be34fdbfb886861dff2f440d58324bfeba5f0c9188bffc5b6855ad682cc16e7b",
     "data/atlas-ttps.json": "1500b5830dab070c4252496964a8c0948e1052a656e2c7c6e1efaf0350645e13",
     "data/cve-catalog.json": "a81d3e4b491b27ccc084596b063a6108ff10c9eb01d7776922fc393980b534fe",
     "data/cwe-catalog.json": "c3367d469b4b3d31e4c56397dd7a8305a0be338ecd85afa27804c0c9ce12157b",

package/keys/public.pem

@@ -1,3 +1,3 @@
 -----BEGIN PUBLIC KEY-----
-MCowBQYDK2VwAyEAS6tN6exkzYtwxqy/WghFhetrvpVtaV8mvtg4SoCkLQw=
+MCowBQYDK2VwAyEAvh9LPaLkX7A41C4cKF1gOWfhLtiRPyAN2emiISakga4=
 -----END PUBLIC KEY-----

package/lib/playbook-runner.js

@@ -227,7 +227,12 @@ function govern(playbookId, directiveId, runOpts = {}) {
     jurisdiction_obligations: g.jurisdiction_obligations || [],
     theater_fingerprints: g.theater_fingerprints || [],
     framework_context: g.framework_context || {},
-    skill_preload: g.skill_preload || []
+    skill_preload: g.skill_preload || [],
+    // v0.11.12 (#124): --ack belongs semantically in govern (it acknowledges
+    // the jurisdiction_obligations surfaced here). Carry it forward so
+    // phases.govern.operator_consent reflects the consent state. Null when
+    // --ack was not passed.
+    operator_consent: runOpts.operator_consent || null
   };
 }
 
@@ -640,6 +645,14 @@ function close(playbookId, directiveId, analyzeResult, validateResult, agentSign
   const sessionId = runOpts.session_id || crypto.randomBytes(8).toString('hex');
 
   // notification_actions — compute ISO deadlines from clock_starts events.
+  // v0.11.12 (#123): enrich each entry with the matched obligation's
+  // jurisdiction/regulation/window_hours/evidence_required fields. The
+  // playbook's notification_actions entry only carries `obligation_ref` +
+  // `draft_notification` + `recipient`; without enrichment, operators reading
+  // `jurisdiction_notifications[i].jurisdiction` got `undefined`. The
+  // upstream `govern.jurisdiction_obligations` has the real data — carry it
+  // forward. `notification_deadline` is published as an alias for `deadline`
+  // (matches the field name compliance teams expect on a notification record).
   const notificationActions = (c.notification_actions || []).map(na => {
     const obligation = (g.jurisdiction_obligations || []).find(o =>
       `${o.jurisdiction}/${o.regulation} ${o.window_hours}h` === na.obligation_ref
@@ -650,9 +663,21 @@ function close(playbookId, directiveId, analyzeResult, validateResult, agentSign
       : 'pending_clock_start_event';
     return {
       ...na,
-      deadline,
-      clock_start_event: obligation?.clock_starts,
+      // Carry obligation metadata forward so each notification entry is
+      // operationally usable on its own (calendar deadlines, regulator
+      // routing, evidence checklist).
+      jurisdiction: obligation?.jurisdiction || null,
+      regulation: obligation?.regulation || null,
+      obligation_type: obligation?.obligation || null,
+      window_hours: obligation?.window_hours ?? null,
+      clock_start_event: obligation?.clock_starts || null,
       clock_started_at: clockStart?.toISOString() || null,
+      deadline,
+      // Alias matching compliance-team vocabulary.
+      notification_deadline: deadline,
+      // Evidence the regulator expects attached (from the obligation, not
+      // just the operator-facing recipient bundle on the notification entry).
+      evidence_required: obligation?.evidence_required || na.evidence_attached || [],
       draft_notification: interpolate(na.draft_notification, { ...agentSignals, ...analyzeFindingShape(analyzeResult) })
     };
   });

package/manifest-snapshot.json

@@ -1,6 +1,6 @@
 {
   "_comment": "Auto-generated by scripts/refresh-manifest-snapshot.js — do not hand-edit. Public skill surface used by check-manifest-snapshot.js to detect breaking removals.",
-  "_generated_at": "2026-05-12T23:32:24.955Z",
+  "_generated_at": "2026-05-12T23:57:10.646Z",
   "atlas_version": "5.1.0",
   "skill_count": 38,
   "skills": [

package/manifest.json

@@ -1,6 +1,6 @@
 {
   "name": "exceptd-security",
-  "version": "0.11.11",
+  "version": "0.11.12",
   "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation",
   "homepage": "https://exceptd.com",
   "license": "Apache-2.0",
@@ -52,7 +52,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "Xk593pj7my6wPJbQBE47khpIUrPsp6N1lW7cE2T/VPPF5T+8C1yGKc9B8VphD7Q08yWFcbwF6HoWpA/+4uG9DA==",
-      "signed_at": "2026-05-12T23:32:24.457Z",
+      "signed_at": "2026-05-12T23:57:10.174Z",
       "cwe_refs": [
         "CWE-125",
         "CWE-362",
@@ -116,7 +116,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "nOgUu+LK9fy6ASTCoRGtx3ttgjZCl7WIkKu2wu06JEKVSpL2cKU3ex2tmVAvv11LBmpTH+b/0zvqXlzcxzHnCw==",
-      "signed_at": "2026-05-12T23:32:24.459Z",
+      "signed_at": "2026-05-12T23:57:10.176Z",
       "cwe_refs": [
         "CWE-1039",
         "CWE-1426",
@@ -179,7 +179,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "7FH1J9PlOyvcRCzRmggmenX9fIR0pi/veXihb3TeStcq1Rpuz1KHdOcJLqA9su4t2goYukKKCXHV6hx8hzplAA==",
-      "signed_at": "2026-05-12T23:32:24.459Z",
+      "signed_at": "2026-05-12T23:57:10.177Z",
       "cwe_refs": [
         "CWE-22",
         "CWE-345",
@@ -225,7 +225,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "FqTRjHfEgw56pyHnyWzNtnhzDMEePBtmuamtW/iyX+h4yqbvP4Fyr7NRjRs3EgqT4j7oHuEZhV9Jt6ZTBgN4AA==",
-      "signed_at": "2026-05-12T23:32:24.459Z"
+      "signed_at": "2026-05-12T23:57:10.177Z"
     },
     {
       "name": "compliance-theater",
@@ -256,7 +256,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "3fN4yotiIIq76PVTHwozCu28TzDZvWule6vX8SXUT3XXbIBSuvAO0M/euvc3pw3TdZ2UNf78dI18lOCNdJ0aAg==",
-      "signed_at": "2026-05-12T23:32:24.460Z"
+      "signed_at": "2026-05-12T23:57:10.178Z"
     },
     {
       "name": "exploit-scoring",
@@ -285,7 +285,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "yZfpk4lQMRXegj2ADWjMmZTchUN6Lxpv587O/0JMzbNkXQtD6FrSAQOBWjx8S7uQ/sTntxgGN7aQQDLxL9RWAA==",
-      "signed_at": "2026-05-12T23:32:24.460Z"
+      "signed_at": "2026-05-12T23:57:10.178Z"
     },
     {
       "name": "rag-pipeline-security",
@@ -322,7 +322,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "ABHkoqee67KdUyDZ3bvF+/DNxjGhPR/ehT6pfOnmUIMmkcQFHpZ0OUVXKiFUANaLgKLP1vg0VEmHOoxpNA3vAA==",
-      "signed_at": "2026-05-12T23:32:24.461Z",
+      "signed_at": "2026-05-12T23:57:10.178Z",
       "cwe_refs": [
         "CWE-1395",
         "CWE-1426"
@@ -379,7 +379,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "+Nd/2tgBnW+mEGX84QvkgR2To2J7kA+lB63BsADDKeCXeebFv6Vo9H1P4vyUkKHfe4fP0ndpy3agIZcUO/e/Dg==",
-      "signed_at": "2026-05-12T23:32:24.461Z",
+      "signed_at": "2026-05-12T23:57:10.179Z",
       "d3fend_refs": [
         "D3-CA",
         "D3-CSPP",
@@ -414,7 +414,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "VMNGFvowXLbBjZp5nvWloKkqyqHKhnSzbVRU3gX9quOZJHH56w2M4id+oDsXIjR0CfRRb7eXl/so0Hq4xLBuBQ==",
-      "signed_at": "2026-05-12T23:32:24.461Z",
+      "signed_at": "2026-05-12T23:57:10.179Z",
       "cwe_refs": [
         "CWE-1188"
       ]
@@ -442,7 +442,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "5MaJs7gPCuFlK4oAttLulAPOA1noeV+xD/UqVWaVyRedXZgebBGKjnlE2t1qmTugvxlNIfeAnBZapk+Wz3VAAg==",
-      "signed_at": "2026-05-12T23:32:24.462Z"
+      "signed_at": "2026-05-12T23:57:10.179Z"
     },
     {
       "name": "global-grc",
@@ -474,7 +474,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "S/YXUpI/mcG2FpdUTgMsccWBtTaR5A4Ph4QFQw31S9w9Hn/z3sOFHLkb1B5YSwlg+mMOtSIxMdet1eLGSZkTDg==",
-      "signed_at": "2026-05-12T23:32:24.462Z"
+      "signed_at": "2026-05-12T23:57:10.180Z"
     },
     {
       "name": "zeroday-gap-learn",
@@ -501,7 +501,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "AKS+JsmhhBtytY2eIMuydjkZOYprWCmQ+RqxyxcVG9XcEI29ZSM/JbVIINQHozFl7OPPrOu1ouiTnk7LOJ86Bg==",
-      "signed_at": "2026-05-12T23:32:24.462Z"
+      "signed_at": "2026-05-12T23:57:10.180Z"
     },
     {
       "name": "pqc-first",
@@ -553,7 +553,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "oEkK5bLS/G5RIHnxlNFJYdzhTJbKZnkJv+W4iS9UJ/uszZHgZGoxygELPc4kn3FowV5eE988SQYG4WKlXtNzCg==",
-      "signed_at": "2026-05-12T23:32:24.463Z",
+      "signed_at": "2026-05-12T23:57:10.181Z",
       "cwe_refs": [
         "CWE-327"
       ],
@@ -600,7 +600,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "nPV6YTo1rsNH49qUnZpfoNLEQZXuLNyV05QMUOgXKHYeVDjotYpWhLgyVXlRhjV/fStiA2sWQ0MOnEJ4FBIfDg==",
-      "signed_at": "2026-05-12T23:32:24.463Z"
+      "signed_at": "2026-05-12T23:57:10.181Z"
     },
     {
       "name": "security-maturity-tiers",
@@ -637,7 +637,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "7rirSEONz6O9Yyf46eTyuwkGizCj9FRcNHe5p7Qz6nhJoZQRW5FwW7n9opL0WlbIw8FDBYn1f22zgNUV87L5AQ==",
-      "signed_at": "2026-05-12T23:32:24.463Z",
+      "signed_at": "2026-05-12T23:57:10.181Z",
       "cwe_refs": [
         "CWE-1188"
       ]
@@ -672,7 +672,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-11",
       "signature": "+evehnd2wSBb8uMTlTr5/aTN4bfLjsKzZJk/+OMLMOJrjCt+OuMU7EQC6xMUGeSc4cPEGajghDvq3xVaacV2Dw==",
-      "signed_at": "2026-05-12T23:32:24.464Z"
+      "signed_at": "2026-05-12T23:57:10.182Z"
     },
     {
       "name": "attack-surface-pentest",
@@ -743,7 +743,7 @@
         "PTES revision incorporating AI-surface enumeration"
       ],
       "signature": "KHOXxloAYf7xqXjm2BaL3HVAZOmb7rMiMh20H/oaIkjN0WD1CnKCrRGPJn867uSFhCh/timkXolaiqD1L/h8Dg==",
-      "signed_at": "2026-05-12T23:32:24.464Z"
+      "signed_at": "2026-05-12T23:57:10.182Z"
     },
     {
       "name": "fuzz-testing-strategy",
@@ -803,7 +803,7 @@
         "OSS-Fuzz-Gen / AI-assisted harness generation becoming the default expectation for OSS maintainers"
       ],
       "signature": "+ELdD+1AY5DymBitH7wU65CS60NY1nDoLowJAFn7cE5Gr/5jy9BTkyxsm7PEXaSlXWMOkTf/HQ+uyzyxUVD/Bw==",
-      "signed_at": "2026-05-12T23:32:24.464Z"
+      "signed_at": "2026-05-12T23:57:10.182Z"
     },
     {
       "name": "dlp-gap-analysis",
@@ -878,7 +878,7 @@
         "Quebec Law 25, India DPDPA, KSA PDPL enforcement actions naming AI-tool prompt data as in-scope personal information"
       ],
       "signature": "8tFAhXAS8zZN3SUOdn+ZIu7lQ48JMOyBQ8SaObR3L/fDyFmDhufqleY2VzI3yigqlT/D4Y8FYxZHKmzXiALjDw==",
-      "signed_at": "2026-05-12T23:32:24.464Z"
+      "signed_at": "2026-05-12T23:57:10.183Z"
     },
     {
       "name": "supply-chain-integrity",
@@ -955,7 +955,7 @@
         "OpenSSF model-signing — emerging Sigstore-based signing standard for ML model weights; track for production adoption"
       ],
       "signature": "8xlk5ZfTKVYqTE2+ifkjTBu/RPqs4MIvX7SpOHl22YDHi7nzJ1ywPhSNYJzoPdPV4AUuWG518EldQJsEIuyuAA==",
-      "signed_at": "2026-05-12T23:32:24.465Z"
+      "signed_at": "2026-05-12T23:57:10.183Z"
     },
     {
       "name": "defensive-countermeasure-mapping",
@@ -1012,7 +1012,7 @@
       ],
       "last_threat_review": "2026-05-11",
       "signature": "AMdLkDx/e3ESI4NAnJhhcaas+Ru8VjrSn6v6RBbmmzoLCGo/vFxGraa1p/qF9udhVG+DdkbwHfbfKK5Im19KDw==",
-      "signed_at": "2026-05-12T23:32:24.465Z"
+      "signed_at": "2026-05-12T23:57:10.183Z"
     },
     {
       "name": "identity-assurance",
@@ -1079,7 +1079,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "pSMHKkyWoZvRIuVtN7Vue51sP5MIy9lSaQa2YSAMhxjptx81cUnPt3S11/Tb9Ea1/eluMNQ+5F25eF2njr4mBQ==",
-      "signed_at": "2026-05-12T23:32:24.465Z"
+      "signed_at": "2026-05-12T23:57:10.183Z"
     },
     {
       "name": "ot-ics-security",
@@ -1135,7 +1135,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "qjky+ZTX1DP7uRRMQZq7S7P9/uaJEoB1dy4RZ1l37Q4OO3k2ryfL+7o0Cgm/piuafJfH+dqUeNCRrVefj4r8Dw==",
-      "signed_at": "2026-05-12T23:32:24.465Z"
+      "signed_at": "2026-05-12T23:57:10.184Z"
     },
     {
       "name": "coordinated-vuln-disclosure",
@@ -1187,7 +1187,7 @@
         "NYDFS 23 NYCRR 500 amendments potentially adding explicit CVD program requirements"
       ],
       "signature": "F86Zl/I+dBzHYRUuGWsjDQI2F/I/vhzwZUFMqhNfKUzRbMf6mafOX2APCPYTp3eP1DvvvfL3Yc0hb1R5Q4nOAg==",
-      "signed_at": "2026-05-12T23:32:24.466Z"
+      "signed_at": "2026-05-12T23:57:10.184Z"
     },
     {
       "name": "threat-modeling-methodology",
@@ -1237,7 +1237,7 @@
         "PASTA v2 updates incorporating AI/ML application threats"
       ],
       "signature": "D/4d5NcJScNH58ADXsSrVzTmLSWZpUZTdyhtDkJlC0twSMNczOiDsXgYFitBaZgGdv5nVd00viR45mNrsaZ4BQ==",
-      "signed_at": "2026-05-12T23:32:24.466Z"
+      "signed_at": "2026-05-12T23:57:10.184Z"
     },
     {
       "name": "webapp-security",
@@ -1311,7 +1311,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "UOXaUtpcFjXyDQ70z2PaGu6K3pABtXp+7YzO6eGVGpN1CxXpPq/xW/CnTng6B7wk9WSsqD0OORBJp4VCjiVfAQ==",
-      "signed_at": "2026-05-12T23:32:24.466Z"
+      "signed_at": "2026-05-12T23:57:10.185Z"
     },
     {
       "name": "ai-risk-management",
@@ -1361,7 +1361,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "IVKygsrFjiM64fQVbd2PT6jDjs6fm5nKwJSqGfK53gG0S9wdHC4QYuh+LWlI/2ftvIKjjedLQ6FRyTrqpDEuDw==",
-      "signed_at": "2026-05-12T23:32:24.467Z"
+      "signed_at": "2026-05-12T23:57:10.185Z"
     },
     {
       "name": "sector-healthcare",
@@ -1421,7 +1421,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "P+CdSu8ZJCNUU4nTa09Voh2PcYF3y/AFJn4v7cjVIGo9FbbqO7MwvGN7cJ+aSRs2/3NMUXX4eupcODslxYyJDw==",
-      "signed_at": "2026-05-12T23:32:24.467Z"
+      "signed_at": "2026-05-12T23:57:10.185Z"
     },
     {
       "name": "sector-financial",
@@ -1502,7 +1502,7 @@
         "TIBER-EU framework v2.0 alignment with DORA TLPT RTS (JC 2024/40); cross-recognition with CBEST and iCAST"
       ],
       "signature": "zpEfh181Sc0b0cvRf/31Ir1f8lD4V5tehTogO3TJMxdKmXu06IAK7hrhBcLA/jFBv3xDDwrWW3sHzChVhWDeDA==",
-      "signed_at": "2026-05-12T23:32:24.467Z"
+      "signed_at": "2026-05-12T23:57:10.186Z"
     },
     {
       "name": "sector-federal-government",
@@ -1571,7 +1571,7 @@
         "Australia PSPF 2024 revision and ISM quarterly updates — track for Essential Eight Maturity Level requirements for federal entities"
       ],
       "signature": "7NpQlPu1DkpY9f+Frv/LLBHWUUe/qTM80c+xeYDxOzweXhvJGE/dnDCjglYHTjxT82L9cVxzBezvLEne20UpBg==",
-      "signed_at": "2026-05-12T23:32:24.468Z"
+      "signed_at": "2026-05-12T23:57:10.186Z"
     },
     {
       "name": "sector-energy",
@@ -1636,7 +1636,7 @@
         "ICS-CERT advisory feed (https://www.cisa.gov/news-events/cybersecurity-advisories/ics-advisories) for vendor CVEs in Siemens, Rockwell, Schneider Electric, ABB, GE Vernova, Hitachi Energy, AVEVA / OSIsoft PI"
       ],
       "signature": "4rhyHN5HykK7MQUmhvaTeDGj6Qf5swDd5ry8foh4KBvTkRKxTI/XyxconFGm5FASnySGPLMxX6m4JZAq5wiNBg==",
-      "signed_at": "2026-05-12T23:32:24.468Z"
+      "signed_at": "2026-05-12T23:57:10.186Z"
     },
     {
       "name": "api-security",
@@ -1705,7 +1705,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "hS1izPhETclITK7fp6R67dhy+wFDti/YsJ2M5I1gDjeWZYK41WuxeYSyt5xEHbCr3WCGDFJe77jkK1MWkxk2BA==",
-      "signed_at": "2026-05-12T23:32:24.468Z"
+      "signed_at": "2026-05-12T23:57:10.187Z"
     },
     {
       "name": "cloud-security",
@@ -1786,7 +1786,7 @@
         "CISA KEV additions for cloud-control-plane CVEs (IMDSv1 abuses, federation token mishandling, cross-tenant boundary failures); CISA Cybersecurity Advisories for cross-cloud advisories"
       ],
       "signature": "kuatqNZoRnv+oeyrxbnk+m37JRBIgRAWnDp0/IYLnoBOybiG09RzLILJraxjhvdSNCgo7WXTeBO3Y6a3Ji9MAA==",
-      "signed_at": "2026-05-12T23:32:24.469Z"
+      "signed_at": "2026-05-12T23:57:10.187Z"
     },
     {
       "name": "container-runtime-security",
@@ -1848,7 +1848,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "Btb3/7fjPFopFVdxP7+E6n322gnAAwd7OPrnuqatq6c1rXTD9aXKxiBeCmWxs8zYbIbE/lFoe9R2g6uTp8ZDBg==",
-      "signed_at": "2026-05-12T23:32:24.469Z"
+      "signed_at": "2026-05-12T23:57:10.187Z"
     },
     {
       "name": "mlops-security",
@@ -1919,7 +1919,7 @@
         "MITRE ATLAS v5.2 — track AML.T0010 sub-technique expansion and any new MLOps-pipeline-specific TTPs"
       ],
       "signature": "TBWnlgdllW7K1F10HCJ7p4dbLeS3lyNWm+7mNNtyZu7jB1V5AauG1P7sb1nLLqwKqeGlHS1F0eh/BNiuAvkABg==",
-      "signed_at": "2026-05-12T23:32:24.469Z"
+      "signed_at": "2026-05-12T23:57:10.188Z"
     },
     {
       "name": "incident-response-playbook",
@@ -1981,7 +1981,7 @@
         "NYDFS 23 NYCRR 500.17 amendments tightening ransom-payment 24h disclosure operationalization"
       ],
       "signature": "FVAXpD6sIoOLQSPtZSLLsXQnc2o2hRwiFj4xK8zEWJVkUWGqvAWRrngie7O2DRKIbWqjO5h9EevVYSzhwYHCAA==",
-      "signed_at": "2026-05-12T23:32:24.470Z"
+      "signed_at": "2026-05-12T23:57:10.188Z"
     },
     {
       "name": "email-security-anti-phishing",
@@ -2034,7 +2034,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "0HDt3Qklee4FQeKoZfwr+8qdq2pVDS0a+c7JxVw1hV/bl8+YTPaPjPTAhQUnbhUCa5cGo7G4MBQ1AifQTMJdDA==",
-      "signed_at": "2026-05-12T23:32:24.470Z"
+      "signed_at": "2026-05-12T23:57:10.189Z"
     },
     {
       "name": "age-gates-child-safety",
@@ -2102,7 +2102,7 @@
         "US state adult-site age-verification laws — 19+ states by mid-2026 (TX HB 18 upheld by SCOTUS June 2025 in Free Speech Coalition v. Paxton); track ongoing challenges in remaining states"
       ],
       "signature": "UyPSKUztZI/daHCRTnAh6ryoKLX4xyjuG+EaNMPRVuCz2gANGl1F/NozDsw7R2koMUwSFoiYTzwqDvo1tpuKAg==",
-      "signed_at": "2026-05-12T23:32:24.470Z"
+      "signed_at": "2026-05-12T23:57:10.189Z"
     }
   ]
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/exceptd-skills",
-  "version": "0.11.11",
+  "version": "0.11.12",
   "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 38 skills, 10 catalogs, 34 jurisdictions, pre-computed indexes, Ed25519-signed.",
   "keywords": [
     "ai-security",

package/sbom.cdx.json

@@ -1,10 +1,10 @@
 {
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:fe521429-0d04-441e-bc39-601e6158201f",
+  "serialNumber": "urn:uuid:b2610e1f-020c-4e3e-b5a2-e9ed1431c086",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-12T23:32:25.386Z",
+    "timestamp": "2026-05-12T23:57:11.194Z",
     "tools": [
       {
         "name": "hand-written",
@@ -13,10 +13,10 @@
       }
     ],
     "component": {
-      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.11.11",
+      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.11.12",
       "type": "application",
       "name": "@blamejs/exceptd-skills",
-      "version": "0.11.11",
+      "version": "0.11.12",
       "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 38 skills, 10 catalogs, 34 jurisdictions, pre-computed indexes, Ed25519-signed.",
       "licenses": [
         {
@@ -25,11 +25,11 @@
           }
         }
       ],
-      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.11.11",
+      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.11.12",
       "externalReferences": [
         {
           "type": "distribution",
-          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.11.11"
+          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.11.12"
         },
         {
           "type": "vcs",