@blamejs/exceptd-skills 0.11.12 → 0.11.13

package/CHANGELOG.md

@@ -1,5 +1,23 @@
 # Changelog
 
+## 0.11.13 — 2026-05-13
+
+**Patch: the final two stragglers — universal `ok:false` exit and empty-submission diff counters.**
+
+### Bugs
+
+- **#127 (originally #100) — `ok:false` body always yields non-zero exit.** Pre-0.11.13 several verbs emitted a result body with `ok: false` to stdout but didn't set `process.exitCode`, so `exceptd run ...; echo $?` returned 0 and `set -e` shell scripts couldn't gate on it. The previous fix was per-verb. Now `emit()` itself sets `process.exitCode = 1` whenever the body has `ok: false` at top level (unless a caller already set a different non-zero code). Universal contract: anything that emits `ok: false` to stdout OR stderr returns non-zero, no exceptions. New verbs cannot regress this — the catch is at the renderer.
+
+- **#128 (originally #102) — attest diff falls back to playbook catalog when submissions are empty.** Pre-0.11.13 `attest diff` between two identical empty-submission attestations reported `status: unchanged` (hash equality) but `total_compared: 0, unchanged_count: 0` — operators couldn't tell whether "0 unchanged" meant "diff didn't iterate" or "nothing to compare." Now: when a submission has neither `artifacts` nor `observations`, the diff helper falls back to the playbook's `look.artifacts` catalog (via the attestation's stored `playbook_id`). Result: `total_compared` reflects the catalog size; `unchanged_count` equals `total_compared` when both sides are uniformly empty. Real observation submissions retain the prior behavior.
+
+### Tests
+
+3 new regression cases. 347 total. The `#127` test asserts the universal contract by hitting `attest verify` on a non-existent session id and checking that any `ok:false` body (stdout or stderr) maps to non-zero exit. The `#128` test runs two `{}` submissions through `run sbom` and asserts the diff reports `total_compared > 0` matching `unchanged_count`.
+
+### Lesson codified in CLAUDE.md
+
+When a class of bug ("verb forgot to set exit code") keeps recurring across releases, fix the class, not the instance. Move the contract to the lowest layer that all paths share — here, `emit()` itself.
+
 ## 0.11.12 — 2026-05-12
 
 **Patch: items 123-126 — content-not-just-shape, exit-code discipline, diff iteration.**

package/bin/exceptd.js

@@ -448,6 +448,16 @@ function emit(obj, pretty, humanRenderer) {
   //   default (no flag, renderer present) → HUMAN
   //   default (no flag, no renderer)      → indented JSON when TTY else compact
   // This closes the longest-standing UX gap across 8 releases.
+  //
+  // v0.11.13 (#127): emit() now ALSO sets process.exitCode = 1 when the body
+  // carries `ok: false` at top level (unless a caller already set a different
+  // non-zero exitCode). Pre-0.11.13 verbs that emitted ok:false to stdout
+  // without explicitly setting the exit code returned 0, defeating `set -e`
+  // and CI gates. The previous fix was per-verb; this is a universal catch
+  // so new verbs / new ok:false paths can't regress the contract.
+  if (obj && obj.ok === false && !process.exitCode) {
+    process.exitCode = 1;
+  }
   const wantJson = !!global.__exceptdWantJson || !!process.env.EXCEPTD_RAW_JSON;
   if (humanRenderer && !wantJson && !pretty) {
     process.stdout.write(humanRenderer(obj) + "\n");
@@ -2206,16 +2216,35 @@ function cmdAttest(runner, args, runOpts, pretty) {
  * canonical nested view of both shapes lets `attest diff` produce meaningful
  * counts regardless of which shape the operator submitted.
  */
+function _playbookArtifactCatalog(runner, playbookId) {
+  if (!playbookId) return null;
+  try {
+    const pb = runner.loadPlaybook ? runner.loadPlaybook(playbookId) : null;
+    if (!pb) return null;
+    const arts = (pb.phases?.look?.artifacts || []).filter(a => a && a.id);
+    if (arts.length === 0) return null;
+    return Object.fromEntries(arts.map(a => [a.id, { captured: false, _catalog_stub: true }]));
+  } catch { return null; }
+}
+function _playbookSignalCatalog(runner, playbookId) {
+  if (!playbookId) return null;
+  try {
+    const pb = runner.loadPlaybook ? runner.loadPlaybook(playbookId) : null;
+    if (!pb) return null;
+    const inds = (pb.phases?.look?.indicators || []).filter(i => i && i.id);
+    if (inds.length === 0) return null;
+    return Object.fromEntries(inds.map(i => [i.id, 'inconclusive']));
+  } catch { return null; }
+}
 function normalizedArtifacts(submission, runner, playbookId) {
-  if (!submission || typeof submission !== "object") return {};
-  if (submission.artifacts) return submission.artifacts;
-  if (submission.observations) {
-    // v0.11.12 (#126): the prior stub playbook (look.artifacts: []) caused
-    // normalizeSubmission to produce {}, so attest diff reported
-    // total_compared: 0 even when both submissions held real observations.
-    // Try to load the real playbook from the attestation's playbook_id; if
-    // that fails (renamed/removed), fall back to treating each observation
-    // key as its own artifact id with `{ captured: true, value: <indicator|value> }`.
+  if (!submission || typeof submission !== "object") {
+    return _playbookArtifactCatalog(runner, playbookId) || {};
+  }
+  if (submission.artifacts && Object.keys(submission.artifacts).length > 0) return submission.artifacts;
+  if (submission.observations && Object.keys(submission.observations).length > 0) {
+    // v0.11.12 (#126): load real playbook so look.artifacts catalog can map
+    // observations. v0.11.13 (#128): when normalize succeeds but produces an
+    // empty map, fall through to direct mapping instead of returning empty.
     if (playbookId) {
       try {
         const pb = runner.loadPlaybook ? runner.loadPlaybook(playbookId) : null;
@@ -2223,23 +2252,26 @@ function normalizedArtifacts(submission, runner, playbookId) {
           const norm = runner.normalizeSubmission({ observations: submission.observations }, pb);
           if (norm && norm.artifacts && Object.keys(norm.artifacts).length > 0) return norm.artifacts;
         }
-      } catch { /* fall through to direct mapping */ }
+      } catch { /* fall through */ }
     }
-    // Direct mapping: observation keys are the artifact ids by convention.
     const out = {};
     for (const [k, v] of Object.entries(submission.observations)) {
       out[k] = (v && typeof v === "object") ? v : { value: v };
     }
     return out;
   }
-  return {};
+  // v0.11.13 (#128): empty submission ({} or {observations:{}}). Identical
+  // hashes still mean "no operator data was supplied, same on both sides."
+  // Fall back to the playbook's look.artifacts catalog so total_compared
+  // reflects "N catalog artifacts, all uniformly empty on both sides."
+  return _playbookArtifactCatalog(runner, playbookId) || {};
 }
 function normalizedSignalOverrides(submission, runner, playbookId) {
-  if (!submission || typeof submission !== "object") return {};
-  if (submission.signal_overrides) return submission.signal_overrides;
-  if (submission.observations) {
-    // v0.11.12 (#126): same fix as normalizedArtifacts — load the real
-    // playbook so look.indicators can map observation results to signal IDs.
+  if (!submission || typeof submission !== "object") {
+    return _playbookSignalCatalog(runner, playbookId) || {};
+  }
+  if (submission.signal_overrides && Object.keys(submission.signal_overrides).length > 0) return submission.signal_overrides;
+  if (submission.observations && Object.keys(submission.observations).length > 0) {
     if (playbookId) {
       try {
         const pb = runner.loadPlaybook ? runner.loadPlaybook(playbookId) : null;
@@ -2247,16 +2279,15 @@ function normalizedSignalOverrides(submission, runner, playbookId) {
           const norm = runner.normalizeSubmission({ observations: submission.observations }, pb);
           if (norm && norm.signal_overrides && Object.keys(norm.signal_overrides).length > 0) return norm.signal_overrides;
         }
-      } catch { /* fall through to direct mapping */ }
+      } catch { /* fall through */ }
     }
-    // Direct mapping: observation key -> result (canonical hit/miss/inconclusive).
     const out = {};
     for (const [k, v] of Object.entries(submission.observations)) {
       if (v && typeof v === "object" && v.result !== undefined) out[k] = v.result;
     }
     return out;
   }
-  return {};
+  return _playbookSignalCatalog(runner, playbookId) || {};
 }
 
 /**

package/data/_indexes/_meta.json

@@ -1,10 +1,10 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-12T23:57:49.662Z",
+  "generated_at": "2026-05-13T01:02:44.048Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 49,
   "source_hashes": {
-    "manifest.json": "be34fdbfb886861dff2f440d58324bfeba5f0c9188bffc5b6855ad682cc16e7b",
+    "manifest.json": "15f45ccdd329dd8a1c99905610df970ad44a560c4fadee971c29a6376bfc8eb4",
     "data/atlas-ttps.json": "1500b5830dab070c4252496964a8c0948e1052a656e2c7c6e1efaf0350645e13",
     "data/cve-catalog.json": "a81d3e4b491b27ccc084596b063a6108ff10c9eb01d7776922fc393980b534fe",
     "data/cwe-catalog.json": "c3367d469b4b3d31e4c56397dd7a8305a0be338ecd85afa27804c0c9ce12157b",

package/keys/public.pem

@@ -1,3 +1,3 @@
 -----BEGIN PUBLIC KEY-----
-MCowBQYDK2VwAyEAvh9LPaLkX7A41C4cKF1gOWfhLtiRPyAN2emiISakga4=
+MCowBQYDK2VwAyEABzYdqZx/L/XFA8w/EHgjXi/WMpUO5qJg9lrDMgiG2q4=
 -----END PUBLIC KEY-----

package/manifest-snapshot.json

@@ -1,6 +1,6 @@
 {
   "_comment": "Auto-generated by scripts/refresh-manifest-snapshot.js — do not hand-edit. Public skill surface used by check-manifest-snapshot.js to detect breaking removals.",
-  "_generated_at": "2026-05-12T23:57:10.646Z",
+  "_generated_at": "2026-05-13T01:02:03.236Z",
   "atlas_version": "5.1.0",
   "skill_count": 38,
   "skills": [

package/manifest.json

@@ -1,6 +1,6 @@
 {
   "name": "exceptd-security",
-  "version": "0.11.12",
+  "version": "0.11.13",
   "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation",
   "homepage": "https://exceptd.com",
   "license": "Apache-2.0",
@@ -52,7 +52,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "Xk593pj7my6wPJbQBE47khpIUrPsp6N1lW7cE2T/VPPF5T+8C1yGKc9B8VphD7Q08yWFcbwF6HoWpA/+4uG9DA==",
-      "signed_at": "2026-05-12T23:57:10.174Z",
+      "signed_at": "2026-05-13T01:02:02.817Z",
       "cwe_refs": [
         "CWE-125",
         "CWE-362",
@@ -116,7 +116,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "nOgUu+LK9fy6ASTCoRGtx3ttgjZCl7WIkKu2wu06JEKVSpL2cKU3ex2tmVAvv11LBmpTH+b/0zvqXlzcxzHnCw==",
-      "signed_at": "2026-05-12T23:57:10.176Z",
+      "signed_at": "2026-05-13T01:02:02.819Z",
       "cwe_refs": [
         "CWE-1039",
         "CWE-1426",
@@ -179,7 +179,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "7FH1J9PlOyvcRCzRmggmenX9fIR0pi/veXihb3TeStcq1Rpuz1KHdOcJLqA9su4t2goYukKKCXHV6hx8hzplAA==",
-      "signed_at": "2026-05-12T23:57:10.177Z",
+      "signed_at": "2026-05-13T01:02:02.819Z",
       "cwe_refs": [
         "CWE-22",
         "CWE-345",
@@ -225,7 +225,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "FqTRjHfEgw56pyHnyWzNtnhzDMEePBtmuamtW/iyX+h4yqbvP4Fyr7NRjRs3EgqT4j7oHuEZhV9Jt6ZTBgN4AA==",
-      "signed_at": "2026-05-12T23:57:10.177Z"
+      "signed_at": "2026-05-13T01:02:02.820Z"
     },
     {
       "name": "compliance-theater",
@@ -256,7 +256,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "3fN4yotiIIq76PVTHwozCu28TzDZvWule6vX8SXUT3XXbIBSuvAO0M/euvc3pw3TdZ2UNf78dI18lOCNdJ0aAg==",
-      "signed_at": "2026-05-12T23:57:10.178Z"
+      "signed_at": "2026-05-13T01:02:02.820Z"
     },
     {
       "name": "exploit-scoring",
@@ -285,7 +285,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "yZfpk4lQMRXegj2ADWjMmZTchUN6Lxpv587O/0JMzbNkXQtD6FrSAQOBWjx8S7uQ/sTntxgGN7aQQDLxL9RWAA==",
-      "signed_at": "2026-05-12T23:57:10.178Z"
+      "signed_at": "2026-05-13T01:02:02.821Z"
     },
     {
       "name": "rag-pipeline-security",
@@ -322,7 +322,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "ABHkoqee67KdUyDZ3bvF+/DNxjGhPR/ehT6pfOnmUIMmkcQFHpZ0OUVXKiFUANaLgKLP1vg0VEmHOoxpNA3vAA==",
-      "signed_at": "2026-05-12T23:57:10.178Z",
+      "signed_at": "2026-05-13T01:02:02.821Z",
       "cwe_refs": [
         "CWE-1395",
         "CWE-1426"
@@ -379,7 +379,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "+Nd/2tgBnW+mEGX84QvkgR2To2J7kA+lB63BsADDKeCXeebFv6Vo9H1P4vyUkKHfe4fP0ndpy3agIZcUO/e/Dg==",
-      "signed_at": "2026-05-12T23:57:10.179Z",
+      "signed_at": "2026-05-13T01:02:02.821Z",
       "d3fend_refs": [
         "D3-CA",
         "D3-CSPP",
@@ -414,7 +414,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "VMNGFvowXLbBjZp5nvWloKkqyqHKhnSzbVRU3gX9quOZJHH56w2M4id+oDsXIjR0CfRRb7eXl/so0Hq4xLBuBQ==",
-      "signed_at": "2026-05-12T23:57:10.179Z",
+      "signed_at": "2026-05-13T01:02:02.821Z",
       "cwe_refs": [
         "CWE-1188"
       ]
@@ -442,7 +442,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "5MaJs7gPCuFlK4oAttLulAPOA1noeV+xD/UqVWaVyRedXZgebBGKjnlE2t1qmTugvxlNIfeAnBZapk+Wz3VAAg==",
-      "signed_at": "2026-05-12T23:57:10.179Z"
+      "signed_at": "2026-05-13T01:02:02.822Z"
     },
     {
       "name": "global-grc",
@@ -474,7 +474,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "S/YXUpI/mcG2FpdUTgMsccWBtTaR5A4Ph4QFQw31S9w9Hn/z3sOFHLkb1B5YSwlg+mMOtSIxMdet1eLGSZkTDg==",
-      "signed_at": "2026-05-12T23:57:10.180Z"
+      "signed_at": "2026-05-13T01:02:02.822Z"
     },
     {
       "name": "zeroday-gap-learn",
@@ -501,7 +501,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "AKS+JsmhhBtytY2eIMuydjkZOYprWCmQ+RqxyxcVG9XcEI29ZSM/JbVIINQHozFl7OPPrOu1ouiTnk7LOJ86Bg==",
-      "signed_at": "2026-05-12T23:57:10.180Z"
+      "signed_at": "2026-05-13T01:02:02.822Z"
     },
     {
       "name": "pqc-first",
@@ -553,7 +553,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "oEkK5bLS/G5RIHnxlNFJYdzhTJbKZnkJv+W4iS9UJ/uszZHgZGoxygELPc4kn3FowV5eE988SQYG4WKlXtNzCg==",
-      "signed_at": "2026-05-12T23:57:10.181Z",
+      "signed_at": "2026-05-13T01:02:02.823Z",
       "cwe_refs": [
         "CWE-327"
       ],
@@ -600,7 +600,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "nPV6YTo1rsNH49qUnZpfoNLEQZXuLNyV05QMUOgXKHYeVDjotYpWhLgyVXlRhjV/fStiA2sWQ0MOnEJ4FBIfDg==",
-      "signed_at": "2026-05-12T23:57:10.181Z"
+      "signed_at": "2026-05-13T01:02:02.823Z"
     },
     {
       "name": "security-maturity-tiers",
@@ -637,7 +637,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "7rirSEONz6O9Yyf46eTyuwkGizCj9FRcNHe5p7Qz6nhJoZQRW5FwW7n9opL0WlbIw8FDBYn1f22zgNUV87L5AQ==",
-      "signed_at": "2026-05-12T23:57:10.181Z",
+      "signed_at": "2026-05-13T01:02:02.824Z",
       "cwe_refs": [
         "CWE-1188"
       ]
@@ -672,7 +672,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-11",
       "signature": "+evehnd2wSBb8uMTlTr5/aTN4bfLjsKzZJk/+OMLMOJrjCt+OuMU7EQC6xMUGeSc4cPEGajghDvq3xVaacV2Dw==",
-      "signed_at": "2026-05-12T23:57:10.182Z"
+      "signed_at": "2026-05-13T01:02:02.824Z"
     },
     {
       "name": "attack-surface-pentest",
@@ -743,7 +743,7 @@
         "PTES revision incorporating AI-surface enumeration"
       ],
       "signature": "KHOXxloAYf7xqXjm2BaL3HVAZOmb7rMiMh20H/oaIkjN0WD1CnKCrRGPJn867uSFhCh/timkXolaiqD1L/h8Dg==",
-      "signed_at": "2026-05-12T23:57:10.182Z"
+      "signed_at": "2026-05-13T01:02:02.824Z"
     },
     {
       "name": "fuzz-testing-strategy",
@@ -803,7 +803,7 @@
         "OSS-Fuzz-Gen / AI-assisted harness generation becoming the default expectation for OSS maintainers"
       ],
       "signature": "+ELdD+1AY5DymBitH7wU65CS60NY1nDoLowJAFn7cE5Gr/5jy9BTkyxsm7PEXaSlXWMOkTf/HQ+uyzyxUVD/Bw==",
-      "signed_at": "2026-05-12T23:57:10.182Z"
+      "signed_at": "2026-05-13T01:02:02.825Z"
     },
     {
       "name": "dlp-gap-analysis",
@@ -878,7 +878,7 @@
         "Quebec Law 25, India DPDPA, KSA PDPL enforcement actions naming AI-tool prompt data as in-scope personal information"
       ],
       "signature": "8tFAhXAS8zZN3SUOdn+ZIu7lQ48JMOyBQ8SaObR3L/fDyFmDhufqleY2VzI3yigqlT/D4Y8FYxZHKmzXiALjDw==",
-      "signed_at": "2026-05-12T23:57:10.183Z"
+      "signed_at": "2026-05-13T01:02:02.825Z"
     },
     {
       "name": "supply-chain-integrity",
@@ -955,7 +955,7 @@
         "OpenSSF model-signing — emerging Sigstore-based signing standard for ML model weights; track for production adoption"
       ],
       "signature": "8xlk5ZfTKVYqTE2+ifkjTBu/RPqs4MIvX7SpOHl22YDHi7nzJ1ywPhSNYJzoPdPV4AUuWG518EldQJsEIuyuAA==",
-      "signed_at": "2026-05-12T23:57:10.183Z"
+      "signed_at": "2026-05-13T01:02:02.825Z"
     },
     {
       "name": "defensive-countermeasure-mapping",
@@ -1012,7 +1012,7 @@
       ],
       "last_threat_review": "2026-05-11",
       "signature": "AMdLkDx/e3ESI4NAnJhhcaas+Ru8VjrSn6v6RBbmmzoLCGo/vFxGraa1p/qF9udhVG+DdkbwHfbfKK5Im19KDw==",
-      "signed_at": "2026-05-12T23:57:10.183Z"
+      "signed_at": "2026-05-13T01:02:02.825Z"
     },
     {
       "name": "identity-assurance",
@@ -1079,7 +1079,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "pSMHKkyWoZvRIuVtN7Vue51sP5MIy9lSaQa2YSAMhxjptx81cUnPt3S11/Tb9Ea1/eluMNQ+5F25eF2njr4mBQ==",
-      "signed_at": "2026-05-12T23:57:10.183Z"
+      "signed_at": "2026-05-13T01:02:02.826Z"
     },
     {
       "name": "ot-ics-security",
@@ -1135,7 +1135,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "qjky+ZTX1DP7uRRMQZq7S7P9/uaJEoB1dy4RZ1l37Q4OO3k2ryfL+7o0Cgm/piuafJfH+dqUeNCRrVefj4r8Dw==",
-      "signed_at": "2026-05-12T23:57:10.184Z"
+      "signed_at": "2026-05-13T01:02:02.826Z"
     },
     {
       "name": "coordinated-vuln-disclosure",
@@ -1187,7 +1187,7 @@
         "NYDFS 23 NYCRR 500 amendments potentially adding explicit CVD program requirements"
       ],
       "signature": "F86Zl/I+dBzHYRUuGWsjDQI2F/I/vhzwZUFMqhNfKUzRbMf6mafOX2APCPYTp3eP1DvvvfL3Yc0hb1R5Q4nOAg==",
-      "signed_at": "2026-05-12T23:57:10.184Z"
+      "signed_at": "2026-05-13T01:02:02.826Z"
     },
     {
       "name": "threat-modeling-methodology",
@@ -1237,7 +1237,7 @@
         "PASTA v2 updates incorporating AI/ML application threats"
       ],
       "signature": "D/4d5NcJScNH58ADXsSrVzTmLSWZpUZTdyhtDkJlC0twSMNczOiDsXgYFitBaZgGdv5nVd00viR45mNrsaZ4BQ==",
-      "signed_at": "2026-05-12T23:57:10.184Z"
+      "signed_at": "2026-05-13T01:02:02.827Z"
     },
     {
       "name": "webapp-security",
@@ -1311,7 +1311,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "UOXaUtpcFjXyDQ70z2PaGu6K3pABtXp+7YzO6eGVGpN1CxXpPq/xW/CnTng6B7wk9WSsqD0OORBJp4VCjiVfAQ==",
-      "signed_at": "2026-05-12T23:57:10.185Z"
+      "signed_at": "2026-05-13T01:02:02.827Z"
     },
     {
       "name": "ai-risk-management",
@@ -1361,7 +1361,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "IVKygsrFjiM64fQVbd2PT6jDjs6fm5nKwJSqGfK53gG0S9wdHC4QYuh+LWlI/2ftvIKjjedLQ6FRyTrqpDEuDw==",
-      "signed_at": "2026-05-12T23:57:10.185Z"
+      "signed_at": "2026-05-13T01:02:02.827Z"
     },
     {
       "name": "sector-healthcare",
@@ -1421,7 +1421,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "P+CdSu8ZJCNUU4nTa09Voh2PcYF3y/AFJn4v7cjVIGo9FbbqO7MwvGN7cJ+aSRs2/3NMUXX4eupcODslxYyJDw==",
-      "signed_at": "2026-05-12T23:57:10.185Z"
+      "signed_at": "2026-05-13T01:02:02.828Z"
     },
     {
       "name": "sector-financial",
@@ -1502,7 +1502,7 @@
         "TIBER-EU framework v2.0 alignment with DORA TLPT RTS (JC 2024/40); cross-recognition with CBEST and iCAST"
       ],
       "signature": "zpEfh181Sc0b0cvRf/31Ir1f8lD4V5tehTogO3TJMxdKmXu06IAK7hrhBcLA/jFBv3xDDwrWW3sHzChVhWDeDA==",
-      "signed_at": "2026-05-12T23:57:10.186Z"
+      "signed_at": "2026-05-13T01:02:02.828Z"
     },
     {
       "name": "sector-federal-government",
@@ -1571,7 +1571,7 @@
         "Australia PSPF 2024 revision and ISM quarterly updates — track for Essential Eight Maturity Level requirements for federal entities"
       ],
       "signature": "7NpQlPu1DkpY9f+Frv/LLBHWUUe/qTM80c+xeYDxOzweXhvJGE/dnDCjglYHTjxT82L9cVxzBezvLEne20UpBg==",
-      "signed_at": "2026-05-12T23:57:10.186Z"
+      "signed_at": "2026-05-13T01:02:02.828Z"
     },
     {
       "name": "sector-energy",
@@ -1636,7 +1636,7 @@
         "ICS-CERT advisory feed (https://www.cisa.gov/news-events/cybersecurity-advisories/ics-advisories) for vendor CVEs in Siemens, Rockwell, Schneider Electric, ABB, GE Vernova, Hitachi Energy, AVEVA / OSIsoft PI"
       ],
       "signature": "4rhyHN5HykK7MQUmhvaTeDGj6Qf5swDd5ry8foh4KBvTkRKxTI/XyxconFGm5FASnySGPLMxX6m4JZAq5wiNBg==",
-      "signed_at": "2026-05-12T23:57:10.186Z"
+      "signed_at": "2026-05-13T01:02:02.828Z"
     },
     {
       "name": "api-security",
@@ -1705,7 +1705,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "hS1izPhETclITK7fp6R67dhy+wFDti/YsJ2M5I1gDjeWZYK41WuxeYSyt5xEHbCr3WCGDFJe77jkK1MWkxk2BA==",
-      "signed_at": "2026-05-12T23:57:10.187Z"
+      "signed_at": "2026-05-13T01:02:02.829Z"
     },
     {
       "name": "cloud-security",
@@ -1786,7 +1786,7 @@
         "CISA KEV additions for cloud-control-plane CVEs (IMDSv1 abuses, federation token mishandling, cross-tenant boundary failures); CISA Cybersecurity Advisories for cross-cloud advisories"
       ],
       "signature": "kuatqNZoRnv+oeyrxbnk+m37JRBIgRAWnDp0/IYLnoBOybiG09RzLILJraxjhvdSNCgo7WXTeBO3Y6a3Ji9MAA==",
-      "signed_at": "2026-05-12T23:57:10.187Z"
+      "signed_at": "2026-05-13T01:02:02.829Z"
     },
     {
       "name": "container-runtime-security",
@@ -1848,7 +1848,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "Btb3/7fjPFopFVdxP7+E6n322gnAAwd7OPrnuqatq6c1rXTD9aXKxiBeCmWxs8zYbIbE/lFoe9R2g6uTp8ZDBg==",
-      "signed_at": "2026-05-12T23:57:10.187Z"
+      "signed_at": "2026-05-13T01:02:02.829Z"
     },
     {
       "name": "mlops-security",
@@ -1919,7 +1919,7 @@
         "MITRE ATLAS v5.2 — track AML.T0010 sub-technique expansion and any new MLOps-pipeline-specific TTPs"
       ],
       "signature": "TBWnlgdllW7K1F10HCJ7p4dbLeS3lyNWm+7mNNtyZu7jB1V5AauG1P7sb1nLLqwKqeGlHS1F0eh/BNiuAvkABg==",
-      "signed_at": "2026-05-12T23:57:10.188Z"
+      "signed_at": "2026-05-13T01:02:02.830Z"
     },
     {
       "name": "incident-response-playbook",
@@ -1981,7 +1981,7 @@
         "NYDFS 23 NYCRR 500.17 amendments tightening ransom-payment 24h disclosure operationalization"
       ],
       "signature": "FVAXpD6sIoOLQSPtZSLLsXQnc2o2hRwiFj4xK8zEWJVkUWGqvAWRrngie7O2DRKIbWqjO5h9EevVYSzhwYHCAA==",
-      "signed_at": "2026-05-12T23:57:10.188Z"
+      "signed_at": "2026-05-13T01:02:02.830Z"
     },
     {
       "name": "email-security-anti-phishing",
@@ -2034,7 +2034,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "0HDt3Qklee4FQeKoZfwr+8qdq2pVDS0a+c7JxVw1hV/bl8+YTPaPjPTAhQUnbhUCa5cGo7G4MBQ1AifQTMJdDA==",
-      "signed_at": "2026-05-12T23:57:10.189Z"
+      "signed_at": "2026-05-13T01:02:02.830Z"
     },
     {
       "name": "age-gates-child-safety",
@@ -2102,7 +2102,7 @@
         "US state adult-site age-verification laws — 19+ states by mid-2026 (TX HB 18 upheld by SCOTUS June 2025 in Free Speech Coalition v. Paxton); track ongoing challenges in remaining states"
       ],
       "signature": "UyPSKUztZI/daHCRTnAh6ryoKLX4xyjuG+EaNMPRVuCz2gANGl1F/NozDsw7R2koMUwSFoiYTzwqDvo1tpuKAg==",
-      "signed_at": "2026-05-12T23:57:10.189Z"
+      "signed_at": "2026-05-13T01:02:02.831Z"
     }
   ]
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/exceptd-skills",
-  "version": "0.11.12",
+  "version": "0.11.13",
   "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 38 skills, 10 catalogs, 34 jurisdictions, pre-computed indexes, Ed25519-signed.",
   "keywords": [
     "ai-security",

package/sbom.cdx.json

@@ -1,10 +1,10 @@
 {
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:b2610e1f-020c-4e3e-b5a2-e9ed1431c086",
+  "serialNumber": "urn:uuid:374964ee-df91-40f9-8a5f-e22b551ede8c",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-12T23:57:11.194Z",
+    "timestamp": "2026-05-13T01:02:03.645Z",
     "tools": [
       {
         "name": "hand-written",
@@ -13,10 +13,10 @@
       }
     ],
     "component": {
-      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.11.12",
+      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.11.13",
       "type": "application",
       "name": "@blamejs/exceptd-skills",
-      "version": "0.11.12",
+      "version": "0.11.13",
       "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 38 skills, 10 catalogs, 34 jurisdictions, pre-computed indexes, Ed25519-signed.",
       "licenses": [
         {
@@ -25,11 +25,11 @@
           }
         }
       ],
-      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.11.12",
+      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.11.13",
       "externalReferences": [
         {
           "type": "distribution",
-          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.11.12"
+          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.11.13"
         },
         {
           "type": "vcs",