@blamejs/exceptd-skills 0.11.11 → 0.11.13
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +42 -0
- package/bin/exceptd.js +101 -28
- package/data/_indexes/_meta.json +2 -2
- package/keys/public.pem +1 -1
- package/lib/playbook-runner.js +28 -3
- package/manifest-snapshot.json +1 -1
- package/manifest.json +39 -39
- package/package.json +1 -1
- package/sbom.cdx.json +6 -6
package/CHANGELOG.md
CHANGED
|
@@ -1,5 +1,47 @@
|
|
|
1
1
|
# Changelog
|
|
2
2
|
|
|
3
|
+
## 0.11.13 — 2026-05-13
|
|
4
|
+
|
|
5
|
+
**Patch: the final two stragglers — universal `ok:false` exit and empty-submission diff counters.**
|
|
6
|
+
|
|
7
|
+
### Bugs
|
|
8
|
+
|
|
9
|
+
- **#127 (originally #100) — `ok:false` body always yields non-zero exit.** Pre-0.11.13 several verbs emitted a result body with `ok: false` to stdout but didn't set `process.exitCode`, so `exceptd run ...; echo $?` returned 0 and `set -e` shell scripts couldn't gate on it. The previous fix was per-verb. Now `emit()` itself sets `process.exitCode = 1` whenever the body has `ok: false` at top level (unless a caller already set a different non-zero code). Universal contract: anything that emits `ok: false` to stdout OR stderr returns non-zero, no exceptions. New verbs cannot regress this — the catch is at the renderer.
|
|
10
|
+
|
|
11
|
+
- **#128 (originally #102) — attest diff falls back to playbook catalog when submissions are empty.** Pre-0.11.13 `attest diff` between two identical empty-submission attestations reported `status: unchanged` (hash equality) but `total_compared: 0, unchanged_count: 0` — operators couldn't tell whether "0 unchanged" meant "diff didn't iterate" or "nothing to compare." Now: when a submission has neither `artifacts` nor `observations`, the diff helper falls back to the playbook's `look.artifacts` catalog (via the attestation's stored `playbook_id`). Result: `total_compared` reflects the catalog size; `unchanged_count` equals `total_compared` when both sides are uniformly empty. Real observation submissions retain the prior behavior.
|
|
12
|
+
|
|
13
|
+
### Tests
|
|
14
|
+
|
|
15
|
+
3 new regression cases. 347 total. The `#127` test asserts the universal contract by hitting `attest verify` on a non-existent session id and checking that any `ok:false` body (stdout or stderr) maps to non-zero exit. The `#128` test runs two `{}` submissions through `run sbom` and asserts the diff reports `total_compared > 0` matching `unchanged_count`.
|
|
16
|
+
|
|
17
|
+
### Lesson codified in CLAUDE.md
|
|
18
|
+
|
|
19
|
+
When a class of bug ("verb forgot to set exit code") keeps recurring across releases, fix the class, not the instance. Move the contract to the lowest layer that all paths share — here, `emit()` itself.
|
|
20
|
+
|
|
21
|
+
## 0.11.12 — 2026-05-12
|
|
22
|
+
|
|
23
|
+
**Patch: items 123-126 — content-not-just-shape, exit-code discipline, diff iteration.**
|
|
24
|
+
|
|
25
|
+
Pattern: previous releases shipped the right field names but with empty content (notifications array existed but every entry's metadata was null), and exit-code semantics didn't cover the gates operators actually wanted to wire.
|
|
26
|
+
|
|
27
|
+
### Bugs
|
|
28
|
+
|
|
29
|
+
- **#123 jurisdiction notification entries carry obligation metadata.** Pre-0.11.12 `phases.close.jurisdiction_notifications` produced the right count of entries but each entry shape was `{ obligation_ref, recipient, draft_notification, deadline, ... }` — no `jurisdiction`, no `regulation`, no `window_hours`. The upstream `govern.jurisdiction_obligations` had the real metadata but close didn't carry it forward. Now each notification entry includes `jurisdiction`, `regulation`, `obligation_type`, `window_hours`, `clock_start_event`, `clock_started_at`, `deadline`, `notification_deadline` (alias matching compliance-team vocabulary), and `evidence_required`. Operators running `exceptd ci --block-on-jurisdiction-clock` now get notifications with the metadata they need to route to regulators and put on calendars.
|
|
30
|
+
|
|
31
|
+
- **#124 `--ack` propagates into `phases.govern.operator_consent`.** Consent semantically belongs in govern (it acknowledges the jurisdiction obligations surfaced there). Pre-0.11.12 `--ack` set only `result.operator_consent` at the top level; the govern phase showed `null`. Now `phases.govern.operator_consent` is `{ acked_at, explicit: true }` when `--ack` is passed, `null` otherwise. Top-level `result.operator_consent` retained for backward compat.
|
|
32
|
+
|
|
33
|
+
- **#125 ci exit-code matrix covers BLOCKED.** Pre-0.11.12 ci returned 0 for every non-detected path including blocked runs that never executed (preflight halt, mutex contention, stale threat intel, missing precondition). CI gates couldn't distinguish "ran clean" from "didn't run." Now: `0 PASS`, `2 detected/escalate`, `3 ran-but-no-evidence`, `4 BLOCKED (any ok:false)`, `1 framework error`. BLOCKED takes precedence over no-data because it's a harder gate failure. Help text updated.
|
|
34
|
+
|
|
35
|
+
- **#126 attest diff iterates artifact sets correctly.** Pre-0.11.12 `total_compared` was always 0 on flat-shape submissions because the diff helper called `normalizeSubmission` with an empty playbook stub (`look.artifacts: []`), producing empty maps. Now the diff loads the real playbook from each attestation's `playbook_id` and normalizes against the actual artifact catalog; falls back to direct observation-key mapping when the playbook can't be loaded (renamed/removed). Identical submissions with N observations now correctly report `total_compared: N, unchanged_count: N`.
|
|
36
|
+
|
|
37
|
+
### Tests
|
|
38
|
+
|
|
39
|
+
5 new regression cases. 344 total. Tests assert content shape, not just field presence — every test that checks for a notification array now also asserts the entries carry non-null jurisdiction/regulation/window_hours.
|
|
40
|
+
|
|
41
|
+
### Voice note (internal)
|
|
42
|
+
|
|
43
|
+
Three of the four items (#123, #124, #126) were "added the field but the field was empty." Lesson: when an operator says "field is missing," the next question to ask after "is it on the result?" is "is its content meaningful, or is it a structurally-present null?" Codified in CLAUDE.md.
|
|
44
|
+
|
|
3
45
|
## 0.11.11 — 2026-05-12
|
|
4
46
|
|
|
5
47
|
**Patch: CI test-gate hotfix — emit-then-exit stdout flush.**
|
package/bin/exceptd.js
CHANGED
|
@@ -219,7 +219,8 @@ v0.11.0 canonical surface
|
|
|
219
219
|
+ rfc catalog + attestation-signing status.
|
|
220
220
|
--signatures | --currency | --cves | --rfcs
|
|
221
221
|
|
|
222
|
-
ci One-shot CI gate.
|
|
222
|
+
ci One-shot CI gate. Exit codes: 0 PASS, 2 detected/escalate,
|
|
223
|
+
3 ran-but-no-evidence, 4 blocked (ok:false), 1 framework error.
|
|
223
224
|
--all | --scope <type> | (auto-detect)
|
|
224
225
|
--max-rwep <n> cap below playbook default
|
|
225
226
|
--block-on-jurisdiction-clock
|
|
@@ -447,6 +448,16 @@ function emit(obj, pretty, humanRenderer) {
|
|
|
447
448
|
// default (no flag, renderer present) → HUMAN
|
|
448
449
|
// default (no flag, no renderer) → indented JSON when TTY else compact
|
|
449
450
|
// This closes the longest-standing UX gap across 8 releases.
|
|
451
|
+
//
|
|
452
|
+
// v0.11.13 (#127): emit() now ALSO sets process.exitCode = 1 when the body
|
|
453
|
+
// carries `ok: false` at top level (unless a caller already set a different
|
|
454
|
+
// non-zero exitCode). Pre-0.11.13 verbs that emitted ok:false to stdout
|
|
455
|
+
// without explicitly setting the exit code returned 0, defeating `set -e`
|
|
456
|
+
// and CI gates. The previous fix was per-verb; this is a universal catch
|
|
457
|
+
// so new verbs / new ok:false paths can't regress the contract.
|
|
458
|
+
if (obj && obj.ok === false && !process.exitCode) {
|
|
459
|
+
process.exitCode = 1;
|
|
460
|
+
}
|
|
450
461
|
const wantJson = !!global.__exceptdWantJson || !!process.env.EXCEPTD_RAW_JSON;
|
|
451
462
|
if (humanRenderer && !wantJson && !pretty) {
|
|
452
463
|
process.stdout.write(humanRenderer(obj) + "\n");
|
|
@@ -2090,12 +2101,12 @@ function cmdAttest(runner, args, runOpts, pretty) {
|
|
|
2090
2101
|
// for flat submissions; the diff returned all zeros even when
|
|
2091
2102
|
// artifacts were present in observations.
|
|
2092
2103
|
artifact_diff: diffArtifacts(
|
|
2093
|
-
normalizedArtifacts(self.submission, runner),
|
|
2094
|
-
normalizedArtifacts(other.submission, runner)
|
|
2104
|
+
normalizedArtifacts(self.submission, runner, self.playbook_id),
|
|
2105
|
+
normalizedArtifacts(other.submission, runner, other.playbook_id)
|
|
2095
2106
|
),
|
|
2096
2107
|
signal_override_diff: diffSignalOverrides(
|
|
2097
|
-
normalizedSignalOverrides(self.submission, runner),
|
|
2098
|
-
normalizedSignalOverrides(other.submission, runner)
|
|
2108
|
+
normalizedSignalOverrides(self.submission, runner, self.playbook_id),
|
|
2109
|
+
normalizedSignalOverrides(other.submission, runner, other.playbook_id)
|
|
2099
2110
|
),
|
|
2100
2111
|
}, pretty);
|
|
2101
2112
|
return;
|
|
@@ -2205,27 +2216,78 @@ function cmdAttest(runner, args, runOpts, pretty) {
|
|
|
2205
2216
|
* canonical nested view of both shapes lets `attest diff` produce meaningful
|
|
2206
2217
|
* counts regardless of which shape the operator submitted.
|
|
2207
2218
|
*/
|
|
2208
|
-
function
|
|
2209
|
-
if (!
|
|
2210
|
-
|
|
2211
|
-
|
|
2212
|
-
|
|
2213
|
-
|
|
2214
|
-
|
|
2215
|
-
|
|
2219
|
+
function _playbookArtifactCatalog(runner, playbookId) {
|
|
2220
|
+
if (!playbookId) return null;
|
|
2221
|
+
try {
|
|
2222
|
+
const pb = runner.loadPlaybook ? runner.loadPlaybook(playbookId) : null;
|
|
2223
|
+
if (!pb) return null;
|
|
2224
|
+
const arts = (pb.phases?.look?.artifacts || []).filter(a => a && a.id);
|
|
2225
|
+
if (arts.length === 0) return null;
|
|
2226
|
+
return Object.fromEntries(arts.map(a => [a.id, { captured: false, _catalog_stub: true }]));
|
|
2227
|
+
} catch { return null; }
|
|
2228
|
+
}
|
|
2229
|
+
function _playbookSignalCatalog(runner, playbookId) {
|
|
2230
|
+
if (!playbookId) return null;
|
|
2231
|
+
try {
|
|
2232
|
+
const pb = runner.loadPlaybook ? runner.loadPlaybook(playbookId) : null;
|
|
2233
|
+
if (!pb) return null;
|
|
2234
|
+
const inds = (pb.phases?.look?.indicators || []).filter(i => i && i.id);
|
|
2235
|
+
if (inds.length === 0) return null;
|
|
2236
|
+
return Object.fromEntries(inds.map(i => [i.id, 'inconclusive']));
|
|
2237
|
+
} catch { return null; }
|
|
2238
|
+
}
|
|
2239
|
+
function normalizedArtifacts(submission, runner, playbookId) {
|
|
2240
|
+
if (!submission || typeof submission !== "object") {
|
|
2241
|
+
return _playbookArtifactCatalog(runner, playbookId) || {};
|
|
2242
|
+
}
|
|
2243
|
+
if (submission.artifacts && Object.keys(submission.artifacts).length > 0) return submission.artifacts;
|
|
2244
|
+
if (submission.observations && Object.keys(submission.observations).length > 0) {
|
|
2245
|
+
// v0.11.12 (#126): load real playbook so look.artifacts catalog can map
|
|
2246
|
+
// observations. v0.11.13 (#128): when normalize succeeds but produces an
|
|
2247
|
+
// empty map, fall through to direct mapping instead of returning empty.
|
|
2248
|
+
if (playbookId) {
|
|
2249
|
+
try {
|
|
2250
|
+
const pb = runner.loadPlaybook ? runner.loadPlaybook(playbookId) : null;
|
|
2251
|
+
if (pb) {
|
|
2252
|
+
const norm = runner.normalizeSubmission({ observations: submission.observations }, pb);
|
|
2253
|
+
if (norm && norm.artifacts && Object.keys(norm.artifacts).length > 0) return norm.artifacts;
|
|
2254
|
+
}
|
|
2255
|
+
} catch { /* fall through */ }
|
|
2256
|
+
}
|
|
2257
|
+
const out = {};
|
|
2258
|
+
for (const [k, v] of Object.entries(submission.observations)) {
|
|
2259
|
+
out[k] = (v && typeof v === "object") ? v : { value: v };
|
|
2260
|
+
}
|
|
2261
|
+
return out;
|
|
2216
2262
|
}
|
|
2217
|
-
|
|
2263
|
+
// v0.11.13 (#128): empty submission ({} or {observations:{}}). Identical
|
|
2264
|
+
// hashes still mean "no operator data was supplied, same on both sides."
|
|
2265
|
+
// Fall back to the playbook's look.artifacts catalog so total_compared
|
|
2266
|
+
// reflects "N catalog artifacts, all uniformly empty on both sides."
|
|
2267
|
+
return _playbookArtifactCatalog(runner, playbookId) || {};
|
|
2218
2268
|
}
|
|
2219
|
-
function normalizedSignalOverrides(submission, runner) {
|
|
2220
|
-
if (!submission || typeof submission !== "object")
|
|
2221
|
-
|
|
2222
|
-
|
|
2223
|
-
|
|
2224
|
-
|
|
2225
|
-
|
|
2226
|
-
|
|
2269
|
+
function normalizedSignalOverrides(submission, runner, playbookId) {
|
|
2270
|
+
if (!submission || typeof submission !== "object") {
|
|
2271
|
+
return _playbookSignalCatalog(runner, playbookId) || {};
|
|
2272
|
+
}
|
|
2273
|
+
if (submission.signal_overrides && Object.keys(submission.signal_overrides).length > 0) return submission.signal_overrides;
|
|
2274
|
+
if (submission.observations && Object.keys(submission.observations).length > 0) {
|
|
2275
|
+
if (playbookId) {
|
|
2276
|
+
try {
|
|
2277
|
+
const pb = runner.loadPlaybook ? runner.loadPlaybook(playbookId) : null;
|
|
2278
|
+
if (pb) {
|
|
2279
|
+
const norm = runner.normalizeSubmission({ observations: submission.observations }, pb);
|
|
2280
|
+
if (norm && norm.signal_overrides && Object.keys(norm.signal_overrides).length > 0) return norm.signal_overrides;
|
|
2281
|
+
}
|
|
2282
|
+
} catch { /* fall through */ }
|
|
2283
|
+
}
|
|
2284
|
+
const out = {};
|
|
2285
|
+
for (const [k, v] of Object.entries(submission.observations)) {
|
|
2286
|
+
if (v && typeof v === "object" && v.result !== undefined) out[k] = v.result;
|
|
2287
|
+
}
|
|
2288
|
+
return out;
|
|
2227
2289
|
}
|
|
2228
|
-
return {};
|
|
2290
|
+
return _playbookSignalCatalog(runner, playbookId) || {};
|
|
2229
2291
|
}
|
|
2230
2292
|
|
|
2231
2293
|
/**
|
|
@@ -3395,11 +3457,22 @@ function cmdCi(runner, args, runOpts, pretty) {
|
|
|
3395
3457
|
process.exitCode = 2;
|
|
3396
3458
|
return;
|
|
3397
3459
|
}
|
|
3398
|
-
// v0.11.
|
|
3399
|
-
//
|
|
3400
|
-
//
|
|
3401
|
-
//
|
|
3402
|
-
//
|
|
3460
|
+
// v0.11.12 (#125): ci exit code matrix. Pre-0.11.12 every non-detected
|
|
3461
|
+
// path exited 0 including blocked runs that never executed — CI gates
|
|
3462
|
+
// couldn't distinguish ok:false from ok:true. Now:
|
|
3463
|
+
// 0 PASS — every playbook produced a result, none detected/escalating
|
|
3464
|
+
// 2 FAIL — at least one detected or rwep>=escalate (above)
|
|
3465
|
+
// 3 NO-DATA — ran but no --evidence and all inconclusive
|
|
3466
|
+
// 4 BLOCKED — at least one playbook returned ok:false (preflight halt,
|
|
3467
|
+
// stale threat intel, missing precondition, mutex contention, etc.)
|
|
3468
|
+
// 1 FRAMEWORK — engine/parse error (set elsewhere)
|
|
3469
|
+
// BLOCKED takes precedence over NO-DATA because a blocked run is a
|
|
3470
|
+
// harder gate failure than "no real data."
|
|
3471
|
+
if (summary.blocked > 0) {
|
|
3472
|
+
process.stderr.write(`[exceptd ci] BLOCKED: ${summary.blocked}/${summary.total} playbook(s) returned ok:false (preflight/mutex/threat-currency/etc.). Exit 4. Inspect results[].reason for each blocked entry.\n`);
|
|
3473
|
+
process.exitCode = 4;
|
|
3474
|
+
return;
|
|
3475
|
+
}
|
|
3403
3476
|
const suppliedEvidence = args.evidence || args["evidence-dir"];
|
|
3404
3477
|
const allInconclusive = summary.inconclusive === summary.total && summary.total > 0;
|
|
3405
3478
|
if (!suppliedEvidence && allInconclusive) {
|
package/data/_indexes/_meta.json
CHANGED
|
@@ -1,10 +1,10 @@
|
|
|
1
1
|
{
|
|
2
2
|
"schema_version": "1.1.0",
|
|
3
|
-
"generated_at": "2026-05-
|
|
3
|
+
"generated_at": "2026-05-13T01:02:44.048Z",
|
|
4
4
|
"generator": "scripts/build-indexes.js",
|
|
5
5
|
"source_count": 49,
|
|
6
6
|
"source_hashes": {
|
|
7
|
-
"manifest.json": "
|
|
7
|
+
"manifest.json": "15f45ccdd329dd8a1c99905610df970ad44a560c4fadee971c29a6376bfc8eb4",
|
|
8
8
|
"data/atlas-ttps.json": "1500b5830dab070c4252496964a8c0948e1052a656e2c7c6e1efaf0350645e13",
|
|
9
9
|
"data/cve-catalog.json": "a81d3e4b491b27ccc084596b063a6108ff10c9eb01d7776922fc393980b534fe",
|
|
10
10
|
"data/cwe-catalog.json": "c3367d469b4b3d31e4c56397dd7a8305a0be338ecd85afa27804c0c9ce12157b",
|
package/keys/public.pem
CHANGED
package/lib/playbook-runner.js
CHANGED
|
@@ -227,7 +227,12 @@ function govern(playbookId, directiveId, runOpts = {}) {
|
|
|
227
227
|
jurisdiction_obligations: g.jurisdiction_obligations || [],
|
|
228
228
|
theater_fingerprints: g.theater_fingerprints || [],
|
|
229
229
|
framework_context: g.framework_context || {},
|
|
230
|
-
skill_preload: g.skill_preload || []
|
|
230
|
+
skill_preload: g.skill_preload || [],
|
|
231
|
+
// v0.11.12 (#124): --ack belongs semantically in govern (it acknowledges
|
|
232
|
+
// the jurisdiction_obligations surfaced here). Carry it forward so
|
|
233
|
+
// phases.govern.operator_consent reflects the consent state. Null when
|
|
234
|
+
// --ack was not passed.
|
|
235
|
+
operator_consent: runOpts.operator_consent || null
|
|
231
236
|
};
|
|
232
237
|
}
|
|
233
238
|
|
|
@@ -640,6 +645,14 @@ function close(playbookId, directiveId, analyzeResult, validateResult, agentSign
|
|
|
640
645
|
const sessionId = runOpts.session_id || crypto.randomBytes(8).toString('hex');
|
|
641
646
|
|
|
642
647
|
// notification_actions — compute ISO deadlines from clock_starts events.
|
|
648
|
+
// v0.11.12 (#123): enrich each entry with the matched obligation's
|
|
649
|
+
// jurisdiction/regulation/window_hours/evidence_required fields. The
|
|
650
|
+
// playbook's notification_actions entry only carries `obligation_ref` +
|
|
651
|
+
// `draft_notification` + `recipient`; without enrichment, operators reading
|
|
652
|
+
// `jurisdiction_notifications[i].jurisdiction` got `undefined`. The
|
|
653
|
+
// upstream `govern.jurisdiction_obligations` has the real data — carry it
|
|
654
|
+
// forward. `notification_deadline` is published as an alias for `deadline`
|
|
655
|
+
// (matches the field name compliance teams expect on a notification record).
|
|
643
656
|
const notificationActions = (c.notification_actions || []).map(na => {
|
|
644
657
|
const obligation = (g.jurisdiction_obligations || []).find(o =>
|
|
645
658
|
`${o.jurisdiction}/${o.regulation} ${o.window_hours}h` === na.obligation_ref
|
|
@@ -650,9 +663,21 @@ function close(playbookId, directiveId, analyzeResult, validateResult, agentSign
|
|
|
650
663
|
: 'pending_clock_start_event';
|
|
651
664
|
return {
|
|
652
665
|
...na,
|
|
653
|
-
|
|
654
|
-
|
|
666
|
+
// Carry obligation metadata forward so each notification entry is
|
|
667
|
+
// operationally usable on its own (calendar deadlines, regulator
|
|
668
|
+
// routing, evidence checklist).
|
|
669
|
+
jurisdiction: obligation?.jurisdiction || null,
|
|
670
|
+
regulation: obligation?.regulation || null,
|
|
671
|
+
obligation_type: obligation?.obligation || null,
|
|
672
|
+
window_hours: obligation?.window_hours ?? null,
|
|
673
|
+
clock_start_event: obligation?.clock_starts || null,
|
|
655
674
|
clock_started_at: clockStart?.toISOString() || null,
|
|
675
|
+
deadline,
|
|
676
|
+
// Alias matching compliance-team vocabulary.
|
|
677
|
+
notification_deadline: deadline,
|
|
678
|
+
// Evidence the regulator expects attached (from the obligation, not
|
|
679
|
+
// just the operator-facing recipient bundle on the notification entry).
|
|
680
|
+
evidence_required: obligation?.evidence_required || na.evidence_attached || [],
|
|
656
681
|
draft_notification: interpolate(na.draft_notification, { ...agentSignals, ...analyzeFindingShape(analyzeResult) })
|
|
657
682
|
};
|
|
658
683
|
});
|
package/manifest-snapshot.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"_comment": "Auto-generated by scripts/refresh-manifest-snapshot.js — do not hand-edit. Public skill surface used by check-manifest-snapshot.js to detect breaking removals.",
|
|
3
|
-
"_generated_at": "2026-05-
|
|
3
|
+
"_generated_at": "2026-05-13T01:02:03.236Z",
|
|
4
4
|
"atlas_version": "5.1.0",
|
|
5
5
|
"skill_count": 38,
|
|
6
6
|
"skills": [
|
package/manifest.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "exceptd-security",
|
|
3
|
-
"version": "0.11.
|
|
3
|
+
"version": "0.11.13",
|
|
4
4
|
"description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation",
|
|
5
5
|
"homepage": "https://exceptd.com",
|
|
6
6
|
"license": "Apache-2.0",
|
|
@@ -52,7 +52,7 @@
|
|
|
52
52
|
],
|
|
53
53
|
"last_threat_review": "2026-05-01",
|
|
54
54
|
"signature": "Xk593pj7my6wPJbQBE47khpIUrPsp6N1lW7cE2T/VPPF5T+8C1yGKc9B8VphD7Q08yWFcbwF6HoWpA/+4uG9DA==",
|
|
55
|
-
"signed_at": "2026-05-
|
|
55
|
+
"signed_at": "2026-05-13T01:02:02.817Z",
|
|
56
56
|
"cwe_refs": [
|
|
57
57
|
"CWE-125",
|
|
58
58
|
"CWE-362",
|
|
@@ -116,7 +116,7 @@
|
|
|
116
116
|
],
|
|
117
117
|
"last_threat_review": "2026-05-01",
|
|
118
118
|
"signature": "nOgUu+LK9fy6ASTCoRGtx3ttgjZCl7WIkKu2wu06JEKVSpL2cKU3ex2tmVAvv11LBmpTH+b/0zvqXlzcxzHnCw==",
|
|
119
|
-
"signed_at": "2026-05-
|
|
119
|
+
"signed_at": "2026-05-13T01:02:02.819Z",
|
|
120
120
|
"cwe_refs": [
|
|
121
121
|
"CWE-1039",
|
|
122
122
|
"CWE-1426",
|
|
@@ -179,7 +179,7 @@
|
|
|
179
179
|
],
|
|
180
180
|
"last_threat_review": "2026-05-01",
|
|
181
181
|
"signature": "7FH1J9PlOyvcRCzRmggmenX9fIR0pi/veXihb3TeStcq1Rpuz1KHdOcJLqA9su4t2goYukKKCXHV6hx8hzplAA==",
|
|
182
|
-
"signed_at": "2026-05-
|
|
182
|
+
"signed_at": "2026-05-13T01:02:02.819Z",
|
|
183
183
|
"cwe_refs": [
|
|
184
184
|
"CWE-22",
|
|
185
185
|
"CWE-345",
|
|
@@ -225,7 +225,7 @@
|
|
|
225
225
|
"framework_gaps": [],
|
|
226
226
|
"last_threat_review": "2026-05-01",
|
|
227
227
|
"signature": "FqTRjHfEgw56pyHnyWzNtnhzDMEePBtmuamtW/iyX+h4yqbvP4Fyr7NRjRs3EgqT4j7oHuEZhV9Jt6ZTBgN4AA==",
|
|
228
|
-
"signed_at": "2026-05-
|
|
228
|
+
"signed_at": "2026-05-13T01:02:02.820Z"
|
|
229
229
|
},
|
|
230
230
|
{
|
|
231
231
|
"name": "compliance-theater",
|
|
@@ -256,7 +256,7 @@
|
|
|
256
256
|
],
|
|
257
257
|
"last_threat_review": "2026-05-01",
|
|
258
258
|
"signature": "3fN4yotiIIq76PVTHwozCu28TzDZvWule6vX8SXUT3XXbIBSuvAO0M/euvc3pw3TdZ2UNf78dI18lOCNdJ0aAg==",
|
|
259
|
-
"signed_at": "2026-05-
|
|
259
|
+
"signed_at": "2026-05-13T01:02:02.820Z"
|
|
260
260
|
},
|
|
261
261
|
{
|
|
262
262
|
"name": "exploit-scoring",
|
|
@@ -285,7 +285,7 @@
|
|
|
285
285
|
],
|
|
286
286
|
"last_threat_review": "2026-05-01",
|
|
287
287
|
"signature": "yZfpk4lQMRXegj2ADWjMmZTchUN6Lxpv587O/0JMzbNkXQtD6FrSAQOBWjx8S7uQ/sTntxgGN7aQQDLxL9RWAA==",
|
|
288
|
-
"signed_at": "2026-05-
|
|
288
|
+
"signed_at": "2026-05-13T01:02:02.821Z"
|
|
289
289
|
},
|
|
290
290
|
{
|
|
291
291
|
"name": "rag-pipeline-security",
|
|
@@ -322,7 +322,7 @@
|
|
|
322
322
|
],
|
|
323
323
|
"last_threat_review": "2026-05-01",
|
|
324
324
|
"signature": "ABHkoqee67KdUyDZ3bvF+/DNxjGhPR/ehT6pfOnmUIMmkcQFHpZ0OUVXKiFUANaLgKLP1vg0VEmHOoxpNA3vAA==",
|
|
325
|
-
"signed_at": "2026-05-
|
|
325
|
+
"signed_at": "2026-05-13T01:02:02.821Z",
|
|
326
326
|
"cwe_refs": [
|
|
327
327
|
"CWE-1395",
|
|
328
328
|
"CWE-1426"
|
|
@@ -379,7 +379,7 @@
|
|
|
379
379
|
],
|
|
380
380
|
"last_threat_review": "2026-05-01",
|
|
381
381
|
"signature": "+Nd/2tgBnW+mEGX84QvkgR2To2J7kA+lB63BsADDKeCXeebFv6Vo9H1P4vyUkKHfe4fP0ndpy3agIZcUO/e/Dg==",
|
|
382
|
-
"signed_at": "2026-05-
|
|
382
|
+
"signed_at": "2026-05-13T01:02:02.821Z",
|
|
383
383
|
"d3fend_refs": [
|
|
384
384
|
"D3-CA",
|
|
385
385
|
"D3-CSPP",
|
|
@@ -414,7 +414,7 @@
|
|
|
414
414
|
"framework_gaps": [],
|
|
415
415
|
"last_threat_review": "2026-05-01",
|
|
416
416
|
"signature": "VMNGFvowXLbBjZp5nvWloKkqyqHKhnSzbVRU3gX9quOZJHH56w2M4id+oDsXIjR0CfRRb7eXl/so0Hq4xLBuBQ==",
|
|
417
|
-
"signed_at": "2026-05-
|
|
417
|
+
"signed_at": "2026-05-13T01:02:02.821Z",
|
|
418
418
|
"cwe_refs": [
|
|
419
419
|
"CWE-1188"
|
|
420
420
|
]
|
|
@@ -442,7 +442,7 @@
|
|
|
442
442
|
"framework_gaps": [],
|
|
443
443
|
"last_threat_review": "2026-05-01",
|
|
444
444
|
"signature": "5MaJs7gPCuFlK4oAttLulAPOA1noeV+xD/UqVWaVyRedXZgebBGKjnlE2t1qmTugvxlNIfeAnBZapk+Wz3VAAg==",
|
|
445
|
-
"signed_at": "2026-05-
|
|
445
|
+
"signed_at": "2026-05-13T01:02:02.822Z"
|
|
446
446
|
},
|
|
447
447
|
{
|
|
448
448
|
"name": "global-grc",
|
|
@@ -474,7 +474,7 @@
|
|
|
474
474
|
"framework_gaps": [],
|
|
475
475
|
"last_threat_review": "2026-05-01",
|
|
476
476
|
"signature": "S/YXUpI/mcG2FpdUTgMsccWBtTaR5A4Ph4QFQw31S9w9Hn/z3sOFHLkb1B5YSwlg+mMOtSIxMdet1eLGSZkTDg==",
|
|
477
|
-
"signed_at": "2026-05-
|
|
477
|
+
"signed_at": "2026-05-13T01:02:02.822Z"
|
|
478
478
|
},
|
|
479
479
|
{
|
|
480
480
|
"name": "zeroday-gap-learn",
|
|
@@ -501,7 +501,7 @@
|
|
|
501
501
|
"framework_gaps": [],
|
|
502
502
|
"last_threat_review": "2026-05-01",
|
|
503
503
|
"signature": "AKS+JsmhhBtytY2eIMuydjkZOYprWCmQ+RqxyxcVG9XcEI29ZSM/JbVIINQHozFl7OPPrOu1ouiTnk7LOJ86Bg==",
|
|
504
|
-
"signed_at": "2026-05-
|
|
504
|
+
"signed_at": "2026-05-13T01:02:02.822Z"
|
|
505
505
|
},
|
|
506
506
|
{
|
|
507
507
|
"name": "pqc-first",
|
|
@@ -553,7 +553,7 @@
|
|
|
553
553
|
],
|
|
554
554
|
"last_threat_review": "2026-05-01",
|
|
555
555
|
"signature": "oEkK5bLS/G5RIHnxlNFJYdzhTJbKZnkJv+W4iS9UJ/uszZHgZGoxygELPc4kn3FowV5eE988SQYG4WKlXtNzCg==",
|
|
556
|
-
"signed_at": "2026-05-
|
|
556
|
+
"signed_at": "2026-05-13T01:02:02.823Z",
|
|
557
557
|
"cwe_refs": [
|
|
558
558
|
"CWE-327"
|
|
559
559
|
],
|
|
@@ -600,7 +600,7 @@
|
|
|
600
600
|
],
|
|
601
601
|
"last_threat_review": "2026-05-01",
|
|
602
602
|
"signature": "nPV6YTo1rsNH49qUnZpfoNLEQZXuLNyV05QMUOgXKHYeVDjotYpWhLgyVXlRhjV/fStiA2sWQ0MOnEJ4FBIfDg==",
|
|
603
|
-
"signed_at": "2026-05-
|
|
603
|
+
"signed_at": "2026-05-13T01:02:02.823Z"
|
|
604
604
|
},
|
|
605
605
|
{
|
|
606
606
|
"name": "security-maturity-tiers",
|
|
@@ -637,7 +637,7 @@
|
|
|
637
637
|
],
|
|
638
638
|
"last_threat_review": "2026-05-01",
|
|
639
639
|
"signature": "7rirSEONz6O9Yyf46eTyuwkGizCj9FRcNHe5p7Qz6nhJoZQRW5FwW7n9opL0WlbIw8FDBYn1f22zgNUV87L5AQ==",
|
|
640
|
-
"signed_at": "2026-05-
|
|
640
|
+
"signed_at": "2026-05-13T01:02:02.824Z",
|
|
641
641
|
"cwe_refs": [
|
|
642
642
|
"CWE-1188"
|
|
643
643
|
]
|
|
@@ -672,7 +672,7 @@
|
|
|
672
672
|
"framework_gaps": [],
|
|
673
673
|
"last_threat_review": "2026-05-11",
|
|
674
674
|
"signature": "+evehnd2wSBb8uMTlTr5/aTN4bfLjsKzZJk/+OMLMOJrjCt+OuMU7EQC6xMUGeSc4cPEGajghDvq3xVaacV2Dw==",
|
|
675
|
-
"signed_at": "2026-05-
|
|
675
|
+
"signed_at": "2026-05-13T01:02:02.824Z"
|
|
676
676
|
},
|
|
677
677
|
{
|
|
678
678
|
"name": "attack-surface-pentest",
|
|
@@ -743,7 +743,7 @@
|
|
|
743
743
|
"PTES revision incorporating AI-surface enumeration"
|
|
744
744
|
],
|
|
745
745
|
"signature": "KHOXxloAYf7xqXjm2BaL3HVAZOmb7rMiMh20H/oaIkjN0WD1CnKCrRGPJn867uSFhCh/timkXolaiqD1L/h8Dg==",
|
|
746
|
-
"signed_at": "2026-05-
|
|
746
|
+
"signed_at": "2026-05-13T01:02:02.824Z"
|
|
747
747
|
},
|
|
748
748
|
{
|
|
749
749
|
"name": "fuzz-testing-strategy",
|
|
@@ -803,7 +803,7 @@
|
|
|
803
803
|
"OSS-Fuzz-Gen / AI-assisted harness generation becoming the default expectation for OSS maintainers"
|
|
804
804
|
],
|
|
805
805
|
"signature": "+ELdD+1AY5DymBitH7wU65CS60NY1nDoLowJAFn7cE5Gr/5jy9BTkyxsm7PEXaSlXWMOkTf/HQ+uyzyxUVD/Bw==",
|
|
806
|
-
"signed_at": "2026-05-
|
|
806
|
+
"signed_at": "2026-05-13T01:02:02.825Z"
|
|
807
807
|
},
|
|
808
808
|
{
|
|
809
809
|
"name": "dlp-gap-analysis",
|
|
@@ -878,7 +878,7 @@
|
|
|
878
878
|
"Quebec Law 25, India DPDPA, KSA PDPL enforcement actions naming AI-tool prompt data as in-scope personal information"
|
|
879
879
|
],
|
|
880
880
|
"signature": "8tFAhXAS8zZN3SUOdn+ZIu7lQ48JMOyBQ8SaObR3L/fDyFmDhufqleY2VzI3yigqlT/D4Y8FYxZHKmzXiALjDw==",
|
|
881
|
-
"signed_at": "2026-05-
|
|
881
|
+
"signed_at": "2026-05-13T01:02:02.825Z"
|
|
882
882
|
},
|
|
883
883
|
{
|
|
884
884
|
"name": "supply-chain-integrity",
|
|
@@ -955,7 +955,7 @@
|
|
|
955
955
|
"OpenSSF model-signing — emerging Sigstore-based signing standard for ML model weights; track for production adoption"
|
|
956
956
|
],
|
|
957
957
|
"signature": "8xlk5ZfTKVYqTE2+ifkjTBu/RPqs4MIvX7SpOHl22YDHi7nzJ1ywPhSNYJzoPdPV4AUuWG518EldQJsEIuyuAA==",
|
|
958
|
-
"signed_at": "2026-05-
|
|
958
|
+
"signed_at": "2026-05-13T01:02:02.825Z"
|
|
959
959
|
},
|
|
960
960
|
{
|
|
961
961
|
"name": "defensive-countermeasure-mapping",
|
|
@@ -1012,7 +1012,7 @@
|
|
|
1012
1012
|
],
|
|
1013
1013
|
"last_threat_review": "2026-05-11",
|
|
1014
1014
|
"signature": "AMdLkDx/e3ESI4NAnJhhcaas+Ru8VjrSn6v6RBbmmzoLCGo/vFxGraa1p/qF9udhVG+DdkbwHfbfKK5Im19KDw==",
|
|
1015
|
-
"signed_at": "2026-05-
|
|
1015
|
+
"signed_at": "2026-05-13T01:02:02.825Z"
|
|
1016
1016
|
},
|
|
1017
1017
|
{
|
|
1018
1018
|
"name": "identity-assurance",
|
|
@@ -1079,7 +1079,7 @@
|
|
|
1079
1079
|
"d3fend_refs": [],
|
|
1080
1080
|
"last_threat_review": "2026-05-11",
|
|
1081
1081
|
"signature": "pSMHKkyWoZvRIuVtN7Vue51sP5MIy9lSaQa2YSAMhxjptx81cUnPt3S11/Tb9Ea1/eluMNQ+5F25eF2njr4mBQ==",
|
|
1082
|
-
"signed_at": "2026-05-
|
|
1082
|
+
"signed_at": "2026-05-13T01:02:02.826Z"
|
|
1083
1083
|
},
|
|
1084
1084
|
{
|
|
1085
1085
|
"name": "ot-ics-security",
|
|
@@ -1135,7 +1135,7 @@
|
|
|
1135
1135
|
"d3fend_refs": [],
|
|
1136
1136
|
"last_threat_review": "2026-05-11",
|
|
1137
1137
|
"signature": "qjky+ZTX1DP7uRRMQZq7S7P9/uaJEoB1dy4RZ1l37Q4OO3k2ryfL+7o0Cgm/piuafJfH+dqUeNCRrVefj4r8Dw==",
|
|
1138
|
-
"signed_at": "2026-05-
|
|
1138
|
+
"signed_at": "2026-05-13T01:02:02.826Z"
|
|
1139
1139
|
},
|
|
1140
1140
|
{
|
|
1141
1141
|
"name": "coordinated-vuln-disclosure",
|
|
@@ -1187,7 +1187,7 @@
|
|
|
1187
1187
|
"NYDFS 23 NYCRR 500 amendments potentially adding explicit CVD program requirements"
|
|
1188
1188
|
],
|
|
1189
1189
|
"signature": "F86Zl/I+dBzHYRUuGWsjDQI2F/I/vhzwZUFMqhNfKUzRbMf6mafOX2APCPYTp3eP1DvvvfL3Yc0hb1R5Q4nOAg==",
|
|
1190
|
-
"signed_at": "2026-05-
|
|
1190
|
+
"signed_at": "2026-05-13T01:02:02.826Z"
|
|
1191
1191
|
},
|
|
1192
1192
|
{
|
|
1193
1193
|
"name": "threat-modeling-methodology",
|
|
@@ -1237,7 +1237,7 @@
|
|
|
1237
1237
|
"PASTA v2 updates incorporating AI/ML application threats"
|
|
1238
1238
|
],
|
|
1239
1239
|
"signature": "D/4d5NcJScNH58ADXsSrVzTmLSWZpUZTdyhtDkJlC0twSMNczOiDsXgYFitBaZgGdv5nVd00viR45mNrsaZ4BQ==",
|
|
1240
|
-
"signed_at": "2026-05-
|
|
1240
|
+
"signed_at": "2026-05-13T01:02:02.827Z"
|
|
1241
1241
|
},
|
|
1242
1242
|
{
|
|
1243
1243
|
"name": "webapp-security",
|
|
@@ -1311,7 +1311,7 @@
|
|
|
1311
1311
|
"d3fend_refs": [],
|
|
1312
1312
|
"last_threat_review": "2026-05-11",
|
|
1313
1313
|
"signature": "UOXaUtpcFjXyDQ70z2PaGu6K3pABtXp+7YzO6eGVGpN1CxXpPq/xW/CnTng6B7wk9WSsqD0OORBJp4VCjiVfAQ==",
|
|
1314
|
-
"signed_at": "2026-05-
|
|
1314
|
+
"signed_at": "2026-05-13T01:02:02.827Z"
|
|
1315
1315
|
},
|
|
1316
1316
|
{
|
|
1317
1317
|
"name": "ai-risk-management",
|
|
@@ -1361,7 +1361,7 @@
|
|
|
1361
1361
|
"d3fend_refs": [],
|
|
1362
1362
|
"last_threat_review": "2026-05-11",
|
|
1363
1363
|
"signature": "IVKygsrFjiM64fQVbd2PT6jDjs6fm5nKwJSqGfK53gG0S9wdHC4QYuh+LWlI/2ftvIKjjedLQ6FRyTrqpDEuDw==",
|
|
1364
|
-
"signed_at": "2026-05-
|
|
1364
|
+
"signed_at": "2026-05-13T01:02:02.827Z"
|
|
1365
1365
|
},
|
|
1366
1366
|
{
|
|
1367
1367
|
"name": "sector-healthcare",
|
|
@@ -1421,7 +1421,7 @@
|
|
|
1421
1421
|
"d3fend_refs": [],
|
|
1422
1422
|
"last_threat_review": "2026-05-11",
|
|
1423
1423
|
"signature": "P+CdSu8ZJCNUU4nTa09Voh2PcYF3y/AFJn4v7cjVIGo9FbbqO7MwvGN7cJ+aSRs2/3NMUXX4eupcODslxYyJDw==",
|
|
1424
|
-
"signed_at": "2026-05-
|
|
1424
|
+
"signed_at": "2026-05-13T01:02:02.828Z"
|
|
1425
1425
|
},
|
|
1426
1426
|
{
|
|
1427
1427
|
"name": "sector-financial",
|
|
@@ -1502,7 +1502,7 @@
|
|
|
1502
1502
|
"TIBER-EU framework v2.0 alignment with DORA TLPT RTS (JC 2024/40); cross-recognition with CBEST and iCAST"
|
|
1503
1503
|
],
|
|
1504
1504
|
"signature": "zpEfh181Sc0b0cvRf/31Ir1f8lD4V5tehTogO3TJMxdKmXu06IAK7hrhBcLA/jFBv3xDDwrWW3sHzChVhWDeDA==",
|
|
1505
|
-
"signed_at": "2026-05-
|
|
1505
|
+
"signed_at": "2026-05-13T01:02:02.828Z"
|
|
1506
1506
|
},
|
|
1507
1507
|
{
|
|
1508
1508
|
"name": "sector-federal-government",
|
|
@@ -1571,7 +1571,7 @@
|
|
|
1571
1571
|
"Australia PSPF 2024 revision and ISM quarterly updates — track for Essential Eight Maturity Level requirements for federal entities"
|
|
1572
1572
|
],
|
|
1573
1573
|
"signature": "7NpQlPu1DkpY9f+Frv/LLBHWUUe/qTM80c+xeYDxOzweXhvJGE/dnDCjglYHTjxT82L9cVxzBezvLEne20UpBg==",
|
|
1574
|
-
"signed_at": "2026-05-
|
|
1574
|
+
"signed_at": "2026-05-13T01:02:02.828Z"
|
|
1575
1575
|
},
|
|
1576
1576
|
{
|
|
1577
1577
|
"name": "sector-energy",
|
|
@@ -1636,7 +1636,7 @@
|
|
|
1636
1636
|
"ICS-CERT advisory feed (https://www.cisa.gov/news-events/cybersecurity-advisories/ics-advisories) for vendor CVEs in Siemens, Rockwell, Schneider Electric, ABB, GE Vernova, Hitachi Energy, AVEVA / OSIsoft PI"
|
|
1637
1637
|
],
|
|
1638
1638
|
"signature": "4rhyHN5HykK7MQUmhvaTeDGj6Qf5swDd5ry8foh4KBvTkRKxTI/XyxconFGm5FASnySGPLMxX6m4JZAq5wiNBg==",
|
|
1639
|
-
"signed_at": "2026-05-
|
|
1639
|
+
"signed_at": "2026-05-13T01:02:02.828Z"
|
|
1640
1640
|
},
|
|
1641
1641
|
{
|
|
1642
1642
|
"name": "api-security",
|
|
@@ -1705,7 +1705,7 @@
|
|
|
1705
1705
|
"d3fend_refs": [],
|
|
1706
1706
|
"last_threat_review": "2026-05-11",
|
|
1707
1707
|
"signature": "hS1izPhETclITK7fp6R67dhy+wFDti/YsJ2M5I1gDjeWZYK41WuxeYSyt5xEHbCr3WCGDFJe77jkK1MWkxk2BA==",
|
|
1708
|
-
"signed_at": "2026-05-
|
|
1708
|
+
"signed_at": "2026-05-13T01:02:02.829Z"
|
|
1709
1709
|
},
|
|
1710
1710
|
{
|
|
1711
1711
|
"name": "cloud-security",
|
|
@@ -1786,7 +1786,7 @@
|
|
|
1786
1786
|
"CISA KEV additions for cloud-control-plane CVEs (IMDSv1 abuses, federation token mishandling, cross-tenant boundary failures); CISA Cybersecurity Advisories for cross-cloud advisories"
|
|
1787
1787
|
],
|
|
1788
1788
|
"signature": "kuatqNZoRnv+oeyrxbnk+m37JRBIgRAWnDp0/IYLnoBOybiG09RzLILJraxjhvdSNCgo7WXTeBO3Y6a3Ji9MAA==",
|
|
1789
|
-
"signed_at": "2026-05-
|
|
1789
|
+
"signed_at": "2026-05-13T01:02:02.829Z"
|
|
1790
1790
|
},
|
|
1791
1791
|
{
|
|
1792
1792
|
"name": "container-runtime-security",
|
|
@@ -1848,7 +1848,7 @@
|
|
|
1848
1848
|
"d3fend_refs": [],
|
|
1849
1849
|
"last_threat_review": "2026-05-11",
|
|
1850
1850
|
"signature": "Btb3/7fjPFopFVdxP7+E6n322gnAAwd7OPrnuqatq6c1rXTD9aXKxiBeCmWxs8zYbIbE/lFoe9R2g6uTp8ZDBg==",
|
|
1851
|
-
"signed_at": "2026-05-
|
|
1851
|
+
"signed_at": "2026-05-13T01:02:02.829Z"
|
|
1852
1852
|
},
|
|
1853
1853
|
{
|
|
1854
1854
|
"name": "mlops-security",
|
|
@@ -1919,7 +1919,7 @@
|
|
|
1919
1919
|
"MITRE ATLAS v5.2 — track AML.T0010 sub-technique expansion and any new MLOps-pipeline-specific TTPs"
|
|
1920
1920
|
],
|
|
1921
1921
|
"signature": "TBWnlgdllW7K1F10HCJ7p4dbLeS3lyNWm+7mNNtyZu7jB1V5AauG1P7sb1nLLqwKqeGlHS1F0eh/BNiuAvkABg==",
|
|
1922
|
-
"signed_at": "2026-05-
|
|
1922
|
+
"signed_at": "2026-05-13T01:02:02.830Z"
|
|
1923
1923
|
},
|
|
1924
1924
|
{
|
|
1925
1925
|
"name": "incident-response-playbook",
|
|
@@ -1981,7 +1981,7 @@
|
|
|
1981
1981
|
"NYDFS 23 NYCRR 500.17 amendments tightening ransom-payment 24h disclosure operationalization"
|
|
1982
1982
|
],
|
|
1983
1983
|
"signature": "FVAXpD6sIoOLQSPtZSLLsXQnc2o2hRwiFj4xK8zEWJVkUWGqvAWRrngie7O2DRKIbWqjO5h9EevVYSzhwYHCAA==",
|
|
1984
|
-
"signed_at": "2026-05-
|
|
1984
|
+
"signed_at": "2026-05-13T01:02:02.830Z"
|
|
1985
1985
|
},
|
|
1986
1986
|
{
|
|
1987
1987
|
"name": "email-security-anti-phishing",
|
|
@@ -2034,7 +2034,7 @@
|
|
|
2034
2034
|
"d3fend_refs": [],
|
|
2035
2035
|
"last_threat_review": "2026-05-11",
|
|
2036
2036
|
"signature": "0HDt3Qklee4FQeKoZfwr+8qdq2pVDS0a+c7JxVw1hV/bl8+YTPaPjPTAhQUnbhUCa5cGo7G4MBQ1AifQTMJdDA==",
|
|
2037
|
-
"signed_at": "2026-05-
|
|
2037
|
+
"signed_at": "2026-05-13T01:02:02.830Z"
|
|
2038
2038
|
},
|
|
2039
2039
|
{
|
|
2040
2040
|
"name": "age-gates-child-safety",
|
|
@@ -2102,7 +2102,7 @@
|
|
|
2102
2102
|
"US state adult-site age-verification laws — 19+ states by mid-2026 (TX HB 18 upheld by SCOTUS June 2025 in Free Speech Coalition v. Paxton); track ongoing challenges in remaining states"
|
|
2103
2103
|
],
|
|
2104
2104
|
"signature": "UyPSKUztZI/daHCRTnAh6ryoKLX4xyjuG+EaNMPRVuCz2gANGl1F/NozDsw7R2koMUwSFoiYTzwqDvo1tpuKAg==",
|
|
2105
|
-
"signed_at": "2026-05-
|
|
2105
|
+
"signed_at": "2026-05-13T01:02:02.831Z"
|
|
2106
2106
|
}
|
|
2107
2107
|
]
|
|
2108
2108
|
}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@blamejs/exceptd-skills",
|
|
3
|
-
"version": "0.11.
|
|
3
|
+
"version": "0.11.13",
|
|
4
4
|
"description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 38 skills, 10 catalogs, 34 jurisdictions, pre-computed indexes, Ed25519-signed.",
|
|
5
5
|
"keywords": [
|
|
6
6
|
"ai-security",
|
package/sbom.cdx.json
CHANGED
|
@@ -1,10 +1,10 @@
|
|
|
1
1
|
{
|
|
2
2
|
"bomFormat": "CycloneDX",
|
|
3
3
|
"specVersion": "1.6",
|
|
4
|
-
"serialNumber": "urn:uuid:
|
|
4
|
+
"serialNumber": "urn:uuid:374964ee-df91-40f9-8a5f-e22b551ede8c",
|
|
5
5
|
"version": 1,
|
|
6
6
|
"metadata": {
|
|
7
|
-
"timestamp": "2026-05-
|
|
7
|
+
"timestamp": "2026-05-13T01:02:03.645Z",
|
|
8
8
|
"tools": [
|
|
9
9
|
{
|
|
10
10
|
"name": "hand-written",
|
|
@@ -13,10 +13,10 @@
|
|
|
13
13
|
}
|
|
14
14
|
],
|
|
15
15
|
"component": {
|
|
16
|
-
"bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.11.
|
|
16
|
+
"bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.11.13",
|
|
17
17
|
"type": "application",
|
|
18
18
|
"name": "@blamejs/exceptd-skills",
|
|
19
|
-
"version": "0.11.
|
|
19
|
+
"version": "0.11.13",
|
|
20
20
|
"description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 38 skills, 10 catalogs, 34 jurisdictions, pre-computed indexes, Ed25519-signed.",
|
|
21
21
|
"licenses": [
|
|
22
22
|
{
|
|
@@ -25,11 +25,11 @@
|
|
|
25
25
|
}
|
|
26
26
|
}
|
|
27
27
|
],
|
|
28
|
-
"purl": "pkg:npm/%40blamejs/exceptd-skills@0.11.
|
|
28
|
+
"purl": "pkg:npm/%40blamejs/exceptd-skills@0.11.13",
|
|
29
29
|
"externalReferences": [
|
|
30
30
|
{
|
|
31
31
|
"type": "distribution",
|
|
32
|
-
"url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.11.
|
|
32
|
+
"url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.11.13"
|
|
33
33
|
},
|
|
34
34
|
{
|
|
35
35
|
"type": "vcs",
|