@blamejs/exceptd-skills 0.11.13 → 0.11.15

package/CHANGELOG.md

@@ -1,5 +1,80 @@
 # Changelog
 
+## 0.11.15 — 2026-05-13
+
+**Patch: CVE-2026-45321 (Mini Shai-Hulud TanStack npm worm) — catalog + playbook + IoC sweep.**
+
+Adds detection for the npm supply-chain worm disclosed 2026-05-11 (84 malicious versions across 42 `@tanstack/*` packages, including `@tanstack/react-router` at ~12M weekly downloads, CVSS 9.6). The novel category: first documented npm package shipping VALID SLSA provenance while being malicious. Provenance proves which pipeline built the artifact, not that the pipeline behaved as intended.
+
+### Catalog
+
+- `data/cve-catalog.json` — new entry `CVE-2026-45321` with full RWEP scoring (78), the three chained primitives (`pull_request_target` co-resident with `id-token: write` and shared `actions/cache`), payload IoCs, persistence IoCs (`.claude/settings.json` SessionStart hooks, `.vscode/tasks.json` folder-open hooks, macOS LaunchAgents, Linux systemd-user units), framework-gap analysis (SLSA L3 insufficient, NIST 800-218 SSDF PS.3/PO.3 gap), and the destructive-on-revocation behavior.
+
+### Playbook detections (sbom)
+
+- `tanstack-worm-payload-files` — find `node_modules/@tanstack/*/router_init.js` or `router_runtime.js`
+- `tanstack-worm-resolved-during-publish-window` — lockfile entries resolved 2026-05-11T19:20Z..19:26Z
+- `agent-persistence-claude-session-start-hook` — non-owner SessionStart hooks
+- `agent-persistence-vscode-folder-open-task` — folder-open tasks running staged setup scripts
+- `agent-persistence-os-level` — macOS LaunchAgents + Linux systemd-user units referencing in-repo `.mjs`
+- `ci-cache-poisoning-co-residency` — repo has `pull_request_target` + `id-token: write` + shared `actions/cache` (architectural pre-condition, even without payload)
+- `npm-registry-no-cooldown` — project consumes npm but `.npmrc` lacks `before=` or `minimumReleaseAge=`
+
+### Playbook detections (mcp)
+
+- Same `agent-persistence-*` indicators on the agentic-tooling side. MCP playbook covers the persistence vector; SBOM covers the supply-chain root.
+
+### Skill update
+
+- `skills/supply-chain-integrity/SKILL.md` — adds the CVE-2026-45321 case at the top of Threat Context with the chained-primitives explanation and the new SLSA-L3-insufficient framing.
+
+### Eating own dogfood
+
+- `.npmrc` — adds `before=72h` + `minimumReleaseAge=4320` so this repo refuses fresh-publish installs. Survives downgrade to older npm via both flags.
+
+### threat_currency_score bumps
+
+- `sbom` 95 → 97, `mcp` 96 → 97, both with `last_threat_review: 2026-05-13`.
+
+## 0.11.14 — 2026-05-13
+
+**Patch: items 129-134 + freshness surface — claims-vs-reality gap closure + opt-in registry-check.**
+
+### New: freshness surface (all opt-in, all offline-safe)
+
+- **`doctor --registry-check`.** Queries the npm registry for the latest published version + publish date. Reports `local_version`, `latest_version`, `days_since_latest_publish`, and a `behind` / `same` / `ahead` flag. Routed through a child process so the call is bounded by a hard timeout; offline degrades to a structured warning, not a hang. Opt-in: doctor without the flag stays offline.
+
+- **`run --upstream-check`.** Same registry call, fires before phase-4 detect. Surfaces an `upstream_check` block on the run result + a visible stderr warning when the local catalog is behind. Operators wiring CI gates can read `result.upstream_check.behind` to decide whether to trust today's findings. Doesn't fetch the catalog — only compares timestamps.
+
+- **`refresh --network`.** Fetches the latest signed catalog snapshot from the maintainer's npm-published tarball, verifies every skill's Ed25519 signature against the `keys/public.pem` already in the operator's install, and swaps `data/` + `skills/` + `manifest.json` in place. Same trust anchor as `npm update -g`; only the data slice changes, so CLI/lib code stays pinned. Refuses the swap on public-key fingerprint mismatch (key rotation requires explicit `npm update -g` so the trust transition is auditable). Refuses when the install dir isn't writable (typical global installs) and points operators at `npm update -g` instead. Includes `--dry-run` for verifying signatures without applying. Backs up the prior `data/` to a timestamped dir so rollback is one `mv` away.
+
+All three honor `EXCEPTD_REGISTRY_FIXTURE` env var (path to a JSON file mimicking the registry response) so test runners and air-gapped operators can exercise the freshness paths offline.
+
+### Bugs
+
+- **#129 air-gap workflow is now operator-accessible.** Pre-0.11.14 the docs implied `refresh --from-cache` worked offline but the cache-population path wasn't surfaced; an empty cache produced a stack trace. Now `refresh --prefetch` is the operator-facing alias for the prefetch script (legacy `--no-network` retained). Missing-cache errors emit a structured hint that names the exact command: "(1) on connected host: `exceptd refresh --prefetch`, (2) copy `.cache/upstream/`, (3) offline: `exceptd refresh --from-cache --apply`." Help text rewritten to document the workflow.
+
+- **#130 `exceptd path copy` writes to the clipboard.** Previously the `copy` argument was silently consumed and the path was just printed — operators wondering "did anything happen?" had no signal. Now the verb invokes the platform clipboard tool (`clip` on Windows, `pbcopy` on macOS, `wl-copy` / `xclip` / `xsel` on Linux), confirms the copy on stderr, and still prints the path on stdout so shell consumers like `cd "$(exceptd path)"` continue to work. When no clipboard tool is available, a clear warning fires instead of a silent fallthrough.
+
+- **#131 `run <skill-name>` suggests the right playbook.** 13 playbooks vs 38 skills with a many-to-many relationship: operators routinely typed `run kernel-lpe-triage` (a skill) and got "Playbook not found." Now the error names the playbook(s) that load the skill (e.g. `kernel`), distinguishes skill-vs-playbook semantics, and suggests both `exceptd run <playbook>` (execute) and `exceptd skill <name>` (read). Near-matches on unknown ids also surface (`run secret` → "Did you mean: secrets?"). Landing site updated to clarify the distinction near the skills grid.
+
+- **#134 `ci` exit-code matrix puts BLOCKED before FAIL.** Pre-0.11.14 a preflight halt produced exit 2 (FAIL) — indistinguishable from "playbook detected a real problem." Operators wiring CI gates against `exit 2` couldn't separate "we never executed" from "we executed and found something." Now the precedence is BLOCKED (4) → FAIL (2) → NO-DATA (3) → PASS (0). The earlier `if (fail)` short-circuit was rearranged so blocked counts take precedence.
+
+### Website (operator-facing)
+
+- **#132** `exceptd build-indexes` references replaced with `exceptd refresh --indexes-only`.
+- **#133** "13-gate predeploy" feature card relabeled "13-gate release hygiene" and explicitly disambiguated from the operator-facing `exceptd ci` verb.
+- **#131** Skills grid header clarifies "skills are read-only; playbooks execute" with the three relevant verbs.
+- **#129** Operator persona card shows the actual air-gap workflow: `refresh --prefetch` → copy → `refresh --from-cache --apply`.
+
+### Tests
+
+7 new regression cases. 354 total. Notable: `#125/#134` now triggers a REAL preflight halt by submitting `repo-context: false` keyed by playbook id (autoDetectPreconditions can't override an explicit submission), and asserts `r.status === 4` not just non-zero — the earlier test only caught "not 0" which my v0.11.12 "fix" passed by coincidence (no-evidence → exit 3, also non-zero).
+
+### Lesson codified
+
+When a "fix" passes a regression test by coincidence (any non-zero exit satisfies "not 0"), the test is too weak. Tests must assert the EXACT contract — exit 4, not "any non-zero." Added to CLAUDE.md.
+
 ## 0.11.13 — 2026-05-13
 
 **Patch: the final two stragglers — universal `ok:false` exit and empty-submission diff counters.**

package/bin/exceptd.js

@@ -71,6 +71,7 @@ const COMMANDS = {
   "-h":            null,
   prefetch:        () => path.join(PKG_ROOT, "lib", "prefetch.js"),
   refresh:         () => path.join(PKG_ROOT, "lib", "refresh-external.js"),
+  "refresh-network": () => path.join(PKG_ROOT, "lib", "refresh-network.js"),
   "build-indexes": () => path.join(PKG_ROOT, "scripts", "build-indexes.js"),
   verify:          () => path.join(PKG_ROOT, "lib", "verify.js"),
   scan:            () => path.join(PKG_ROOT, "orchestrator", "index.js"),
@@ -196,6 +197,9 @@ v0.11.0 canonical surface
                              --ci                   exit-code gate (use \`exceptd ci\` instead)
                              --operator <name>      bind attestation to identity
                              --ack                  explicit jurisdiction-consent
+                             --upstream-check       (v0.11.14) opt-in registry freshness
+                                                    check before detect; warns if local
+                                                    catalog is behind latest published
                              --session-id <id>      reuse session id (collision refused)
                              --force-overwrite      override session collision refusal
                              --session-key <hex>    HMAC sign evidence_package
@@ -218,6 +222,8 @@ v0.11.0 canonical surface
   doctor                     Health check: signatures + currency + cve catalog
                              + rfc catalog + attestation-signing status.
                              --signatures | --currency | --cves | --rfcs
+                             --registry-check       (v0.11.14) opt-in: query npm registry
+                                                    for latest published version + days behind
 
   ci                         One-shot CI gate. Exit codes: 0 PASS, 2 detected/escalate,
                              3 ran-but-no-evidence, 4 blocked (ok:false), 1 framework error.
@@ -242,6 +248,13 @@ v0.11.0 canonical surface
 
   refresh [args]             Refresh upstream catalogs + indexes. Replaces
                              prefetch + refresh + build-indexes.
+                             --network              (v0.11.14) fetch latest signed
+                                                    catalog snapshot from npm registry,
+                                                    verify against local keys/public.pem,
+                                                    swap data/ in place (no CLI/lib reload)
+                             --prefetch             populate offline cache
+                             --from-cache           consume offline cache
+                             --indexes-only         rebuild indexes only
 
 v0.10.x compatibility (will be removed in v0.12)
 ────────────────────────────────────────────────
@@ -321,6 +334,35 @@ function main() {
     process.exit(0);
   }
   if (cmd === "path") {
+    // v0.11.14 (#130): `path copy` was silently consuming the `copy` arg and
+    // printing the path. Operators on Windows / Linux saw no clipboard write.
+    // Now: implement clipboard copy on the three host platforms (clip on
+    // Windows, pbcopy on macOS, xclip|wl-copy|xsel on Linux). If no usable
+    // tool is found, fall through to print + stderr-warn (so STDOUT still
+    // gives the path for shell consumers like `cd "$(exceptd path)"`).
+    const wantCopy = rest.includes("copy") || rest.includes("--copy");
+    if (wantCopy) {
+      const { spawnSync } = require("child_process");
+      const platform = process.platform;
+      const candidates = platform === "win32" ? [["clip"]]
+        : platform === "darwin" ? [["pbcopy"]]
+        : [["wl-copy"], ["xclip", "-selection", "clipboard"], ["xsel", "-bi"]];
+      let copied = false;
+      let tried = [];
+      for (const [bin, ...argv] of candidates) {
+        tried.push(bin);
+        const res = spawnSync(bin, argv, { input: PKG_ROOT, encoding: "utf8" });
+        if (res.status === 0 && !res.error) { copied = true; break; }
+      }
+      if (copied) {
+        process.stderr.write(`[exceptd path] copied to clipboard: ${PKG_ROOT}\n`);
+        process.stdout.write(PKG_ROOT + "\n");
+        process.exit(0);
+      }
+      process.stderr.write(`[exceptd path] copy: no clipboard tool available (tried: ${tried.join(", ")}). Path printed to stdout instead.\n`);
+      process.stdout.write(PKG_ROOT + "\n");
+      process.exit(0);
+    }
     process.stdout.write(PKG_ROOT + "\n");
     process.exit(0);
   }
@@ -356,12 +398,22 @@ function main() {
   // here so the deprecation pointer actually works.
   let effectiveCmd = cmd;
   let effectiveRest = rest;
-  if (cmd === "refresh" && rest.includes("--no-network")) {
+  if (cmd === "refresh" && (rest.includes("--no-network") || rest.includes("--prefetch"))) {
+    // v0.11.14 (#129): --prefetch is the operator-facing name for the
+    // cache-population path. --no-network retained as alias for back-compat.
     effectiveCmd = "prefetch";
-    effectiveRest = rest.filter(a => a !== "--no-network");
+    effectiveRest = rest.filter(a => a !== "--no-network" && a !== "--prefetch");
   } else if (cmd === "refresh" && rest.includes("--indexes-only")) {
     effectiveCmd = "build-indexes";
     effectiveRest = rest.filter(a => a !== "--indexes-only");
+  } else if (cmd === "refresh" && rest.includes("--network")) {
+    // v0.11.14: --network fetches a fresh signed catalog snapshot from the
+    // maintainer's npm-published tarball, verifies signatures against the
+    // public key already shipped in the operator's install, and swaps
+    // data/ in place. Same trust boundary as `npm update -g`; fresher
+    // data slice without requiring a full package upgrade.
+    effectiveCmd = "refresh-network";
+    effectiveRest = rest.filter(a => a !== "--network");
   }
 
   const resolver = COMMANDS[effectiveCmd];
@@ -594,10 +646,55 @@ function dispatchPlaybook(cmd, argv) {
       case "ci":     return cmdCi(runner, args, runOpts, pretty);
     }
   } catch (e) {
+    // v0.11.14 (#131): when the operator typed a skill name (kernel-lpe-triage)
+    // and got "Playbook not found," surface the playbooks that load that skill.
+    // 13 playbooks vs 38 skills with many-to-many: operators routinely confuse
+    // the two because the website (and AGENTS.md) describe both as runnable.
+    const m = e && e.message && e.message.match(/^Playbook not found: ([^\s(]+)/);
+    if (m) {
+      const wanted = m[1];
+      const hint = buildSkillToPlaybookHint(runner, wanted);
+      if (hint) {
+        return emitError(`Playbook not found: "${wanted}". ${hint}`, { verb: cmd, wanted, type: "playbook_not_found" }, pretty);
+      }
+    }
     emitError(e.message, { verb: cmd }, pretty);
   }
 }
 
+function buildSkillToPlaybookHint(runner, wanted) {
+  try {
+    const ids = runner.listPlaybooks ? runner.listPlaybooks() : [];
+    const matches = [];
+    for (const id of ids) {
+      let pb;
+      try { pb = runner.loadPlaybook(id); } catch { continue; }
+      const skills = new Set();
+      const collect = (val) => {
+        if (Array.isArray(val)) val.forEach(collect);
+        else if (val && typeof val === "object") Object.values(val).forEach(collect);
+        else if (typeof val === "string") skills.add(val);
+      };
+      collect(pb.phases?.govern?.skill_preload);
+      for (const d of (pb.directives || [])) {
+        collect(d.phase_overrides?.govern?.skill_preload);
+      }
+      if (skills.has(wanted)) matches.push(id);
+    }
+    if (matches.length > 0) {
+      return `That is a SKILL (read-only knowledge unit), not a PLAYBOOK (executable). Skill "${wanted}" is loaded by playbook${matches.length === 1 ? "" : "s"}: ${matches.join(", ")}. ` +
+             `To execute: \`exceptd run ${matches[0]}\`. To read the skill: \`exceptd skill ${wanted}\`. ` +
+             `Tip: \`exceptd plan\` lists all 13 playbooks; \`exceptd watchlist\` lists skills.`;
+    }
+    // No matching skill either — provide nearest-playbook suggestions.
+    const near = ids.filter(id => id.includes(wanted) || wanted.includes(id)).slice(0, 3);
+    if (near.length > 0) {
+      return `Did you mean: ${near.join(", ")}? Run \`exceptd plan\` for the full list.`;
+    }
+    return `Run \`exceptd plan\` to list the 13 playbooks.`;
+  } catch { return null; }
+}
+
 function printPlaybookVerbHelp(verb) {
   const cmds = {
     plan: `plan — list playbooks + directives, grouped by scope.
@@ -1303,7 +1400,30 @@ function cmdRun(runner, args, runOpts, pretty) {
     }
   }
 
+  // v0.11.14: opt-in `--upstream-check` queries the npm registry BEFORE
+  // detect to warn operators if their local catalog is behind the latest
+  // published version. Opt-in so the runner stays offline by default.
+  // Network bounded by an 8s timeout; degrades gracefully when offline.
+  let upstreamCheck = null;
+  if (args["upstream-check"]) {
+    try {
+      const cliPath = path.join(PKG_ROOT, "lib", "upstream-check-cli.js");
+      const res = spawnSync(process.execPath, [cliPath, "--timeout", "5000"], {
+        encoding: "utf8",
+        cwd: PKG_ROOT,
+        timeout: 8000,
+      });
+      try { upstreamCheck = JSON.parse((res.stdout || "").trim()); } catch { /* fall through */ }
+      if (upstreamCheck && upstreamCheck.behind) {
+        process.stderr.write(`[exceptd run --upstream-check] STALE: local v${upstreamCheck.local_version} < published v${upstreamCheck.latest_version} (published ${upstreamCheck.latest_published_at}, ${upstreamCheck.days_since_latest_publish}d ago). Continuing with local catalog. Run \`npm update -g @blamejs/exceptd-skills\` or \`exceptd refresh --network\` to consume the latest.\n`);
+      }
+    } catch (e) {
+      upstreamCheck = { ok: false, error: e.message, source: "offline" };
+    }
+  }
+
   const result = runner.run(playbookId, directiveId, submission, runOpts);
+  if (result && upstreamCheck) result.upstream_check = upstreamCheck;
 
   // v0.11.9 (#113/#114): surface --operator and --ack in the run result so
   // operators see the attribution + consent state without inspecting the
@@ -2699,6 +2819,41 @@ function cmdDoctor(runner, args, runOpts, pretty) {
     }
   }
 
+  // v0.11.14: opt-in `--registry-check` queries the npm registry for the
+  // latest published version + publish date and computes "days behind."
+  // Opt-in (not on every doctor invocation) so offline use + air-gap
+  // workflows aren't disturbed. Routed through a child process to keep
+  // cmdDoctor synchronous + bound the network timeout cleanly.
+  if (args["registry-check"]) {
+    try {
+      const cliPath = path.join(PKG_ROOT, "lib", "upstream-check-cli.js");
+      const res = spawnSync(process.execPath, [cliPath, "--timeout", "5000"], {
+        encoding: "utf8",
+        cwd: PKG_ROOT,
+        timeout: 8000,
+      });
+      let parsed = null;
+      try { parsed = JSON.parse((res.stdout || "").trim()); } catch { /* fall through */ }
+      if (parsed) {
+        checks.registry = {
+          ok: parsed.ok && (parsed.same || parsed.ahead),
+          severity: parsed.behind ? "warn" : (parsed.ok ? "info" : "warn"),
+          ...parsed,
+        };
+      } else {
+        checks.registry = {
+          ok: false,
+          severity: "warn",
+          error: "upstream-check did not return JSON",
+          exit_code: res.status,
+          raw: ((res.stderr || res.stdout || "")).slice(0, 200),
+        };
+      }
+    } catch (e) {
+      checks.registry = { ok: false, severity: "warn", error: e.message };
+    }
+  }
+
   // Walk every check and split: errors (severity error/missing/fail) vs warnings
   // (severity warn). all_green is true ONLY when zero errors AND zero warnings.
   const warnList = [];
@@ -3449,30 +3604,34 @@ function cmdCi(runner, args, runOpts, pretty) {
   } else {
     emit({ verb: "ci", session_id: sessionId, playbooks_run: ids, summary, results }, pretty);
   }
+  // v0.11.14 (#134): exit-code matrix with BLOCKED before FAIL.
+  // Pre-0.11.14 the `if (fail)` check fired first for blocked runs (because
+  // the loop pushed blocked entries onto failReasons), so blocked runs got
+  // exit 2 (FAIL/detected) instead of exit 4 (BLOCKED/didn't-execute).
+  // Operators wiring CI gates couldn't distinguish "playbook detected a
+  // problem" from "playbook never executed because preflight halted."
+  //
+  // Exit-code matrix (final, documented in --help):
+  //   0  PASS      every playbook produced a result, none detected/escalating
+  //   1  FRAMEWORK engine/parse error (set by emit() when body is ok:false)
+  //   2  FAIL      detected classification OR rwep>=escalate
+  //   3  NO-DATA   ran but no --evidence and all inconclusive
+  //   4  BLOCKED   at least one playbook returned ok:false (preflight halt,
+  //                stale threat intel, missing precondition, mutex contention)
+  // Precedence: BLOCKED > FAIL > NO-DATA > PASS. A blocked playbook didn't
+  // actually evaluate signals, so it can't be a true detection.
+  if (summary.blocked > 0) {
+    const blockedReasons = failReasons.filter(r => r.includes("blocked"));
+    process.stderr.write(`[exceptd ci] BLOCKED: ${summary.blocked}/${summary.total} playbook(s) halted before detect. Exit 4. Reasons:\n  ${blockedReasons.join("\n  ")}\n`);
+    process.exitCode = 4;
+    return;
+  }
   if (fail) {
     process.stderr.write(`[exceptd ci] FAIL: ${failReasons.join("; ")}\n`);
-    // v0.11.11: use exitCode + return instead of process.exit() so the
-    // structured stdout JSON has a chance to flush when stdout is piped.
-    // process.exit() can truncate buffered async stdout writes.
+    // v0.11.11: exitCode + return so emit()'s stdout flushes.
     process.exitCode = 2;
     return;
   }
-  // v0.11.12 (#125): ci exit code matrix. Pre-0.11.12 every non-detected
-  // path exited 0 including blocked runs that never executed — CI gates
-  // couldn't distinguish ok:false from ok:true. Now:
-  //   0 PASS — every playbook produced a result, none detected/escalating
-  //   2 FAIL — at least one detected or rwep>=escalate (above)
-  //   3 NO-DATA — ran but no --evidence and all inconclusive
-  //   4 BLOCKED — at least one playbook returned ok:false (preflight halt,
-  //     stale threat intel, missing precondition, mutex contention, etc.)
-  //   1 FRAMEWORK — engine/parse error (set elsewhere)
-  // BLOCKED takes precedence over NO-DATA because a blocked run is a
-  // harder gate failure than "no real data."
-  if (summary.blocked > 0) {
-    process.stderr.write(`[exceptd ci] BLOCKED: ${summary.blocked}/${summary.total} playbook(s) returned ok:false (preflight/mutex/threat-currency/etc.). Exit 4. Inspect results[].reason for each blocked entry.\n`);
-    process.exitCode = 4;
-    return;
-  }
   const suppliedEvidence = args.evidence || args["evidence-dir"];
   const allInconclusive = summary.inconclusive === summary.total && summary.total > 0;
   if (!suppliedEvidence && allInconclusive) {

package/data/_indexes/_meta.json

@@ -1,12 +1,12 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-13T01:02:44.048Z",
+  "generated_at": "2026-05-13T02:21:22.318Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 49,
   "source_hashes": {
-    "manifest.json": "15f45ccdd329dd8a1c99905610df970ad44a560c4fadee971c29a6376bfc8eb4",
+    "manifest.json": "8231ac5cd18201c56fd29b5925a86f279708e32eb8fcc8fff35823a7fec0ee3a",
     "data/atlas-ttps.json": "1500b5830dab070c4252496964a8c0948e1052a656e2c7c6e1efaf0350645e13",
-    "data/cve-catalog.json": "a81d3e4b491b27ccc084596b063a6108ff10c9eb01d7776922fc393980b534fe",
+    "data/cve-catalog.json": "e9a3a4ce988caa051e50a467f1cd9c0dcbf9e8f6f3e9522610baf196217b7bdc",
     "data/cwe-catalog.json": "c3367d469b4b3d31e4c56397dd7a8305a0be338ecd85afa27804c0c9ce12157b",
     "data/d3fend-catalog.json": "b5cd14669e2a931d0df81bb8402f3c8ac08b0d2613e595eaecd8cc4631a57587",
     "data/dlp-controls.json": "8ea8d907aea0a2cfd772b048a62122a322ba3284a5c36a272ad5e9d392564cb5",
@@ -14,7 +14,7 @@
     "data/framework-control-gaps.json": "25db4d0cc9e6242e1143494178393ae8eab3384672ca0d685bd55c537f028c83",
     "data/global-frameworks.json": "84fd19061f052e4ccf66308a7b8d3fd38e00325e97e9e5e19e4d9b302c128957",
     "data/rfc-references.json": "23ffeb970af5403e9a733844dcea9b45cbae689623085f030dec826c492682e3",
-    "data/zeroday-lessons.json": "56d63821686403c6894c93b9ff9ef318ca8e08d7027e8517131068811d529beb",
+    "data/zeroday-lessons.json": "0840eacd580d4ee5bd7dc44ccea6d52bfa95096576af0ccf67132eea05bedd55",
     "skills/kernel-lpe-triage/skill.md": "c00e0a77e8b7b1a1ebcb7267dd728b39ec2671d1260bf4f6a4842f10101a69b0",
     "skills/ai-attack-surface/skill.md": "3f5c59f1823f1552efe8a5cb32656d34d6407609ddaa1eed254c263864563453",
     "skills/mcp-agent-trust/skill.md": "716d0d65499f8be21e0389a06a1fcaf6abd1cd2e90f068cab54471dd67127f74",
@@ -34,7 +34,7 @@
     "skills/attack-surface-pentest/skill.md": "f639b6d9c19def5908eddbbb79f0514e168e74661c0894b737d7c76cbb550841",
     "skills/fuzz-testing-strategy/skill.md": "83b1929a0d1e09a58908b91125ebc91ff14323ab9acc9bab6c4b04903b69b837",
     "skills/dlp-gap-analysis/skill.md": "041c4c6a5299057383b1d6bd4328c1ef578f8c5c6bade8750d339c7b51020027",
-    "skills/supply-chain-integrity/skill.md": "b7fbb5bfcce53d774c51be3fe2231c5f371850a5bdb8d7edfced3342dd99dbb8",
+    "skills/supply-chain-integrity/skill.md": "94527929c150bf9bc7a5a61a596373d49a88ae9114adf841b2d3771e25fb8d51",
     "skills/defensive-countermeasure-mapping/skill.md": "634f0805597a0ab417248a7413eed39b08afbc820e7c6bd257eebaa663d8990d",
     "skills/identity-assurance/skill.md": "e8f3958ef8dd89f9276f2a62a0a1b418a206a3312bb8ff228729c8f358603dc7",
     "skills/ot-ics-security/skill.md": "7c6eb389e7ace5b2c6e092f8dfcf4795ce1b0aefaa2738c6e383cb0fef4d6287",
@@ -67,13 +67,13 @@
       "dlp_refs": 0
     },
     "trigger_table_entries": 453,
-    "chains_cve_entries": 5,
+    "chains_cve_entries": 6,
     "chains_cwe_entries": 34,
     "jurisdictions_indexed": 29,
     "handoff_dag_nodes": 38,
     "summary_cards": 38,
     "section_offsets_skills": 38,
-    "token_budget_total_approx": 334394,
+    "token_budget_total_approx": 334832,
     "recipes": 8,
     "jurisdiction_clocks": 29,
     "did_ladders": 8,

package/data/_indexes/activity-feed.json

@@ -172,7 +172,7 @@
       "artifact": "data/cve-catalog.json",
       "path": "data/cve-catalog.json",
       "schema_version": "1.0.0",
-      "entry_count": 5
+      "entry_count": 6
     },
     {
       "date": "2026-05-11",
@@ -349,7 +349,7 @@
       "artifact": "data/zeroday-lessons.json",
       "path": "data/zeroday-lessons.json",
       "schema_version": "1.0.0",
-      "entry_count": 5
+      "entry_count": 6
     },
     {
       "date": "2026-05-01",

package/data/_indexes/catalog-summaries.json

@@ -40,7 +40,7 @@
         "rebuild_after_days": 365,
         "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
       },
-      "entry_count": 5,
+      "entry_count": 6,
       "sample_keys": [
         "CVE-2026-31431",
         "CVE-2026-43284",
@@ -216,7 +216,7 @@
         "rebuild_after_days": 365,
         "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
       },
-      "entry_count": 5,
+      "entry_count": 6,
       "sample_keys": [
         "CVE-2026-31431",
         "CVE-2025-53773",

package/data/_indexes/chains.json

@@ -1751,6 +1751,23 @@
       ]
     }
   },
+  "CVE-2026-45321": {
+    "name": "Mini Shai-Hulud TanStack npm worm",
+    "rwep": 45,
+    "cvss": 9.6,
+    "cisa_kev": false,
+    "epss_score": 0.78,
+    "epss_percentile": 0.97,
+    "referencing_skills": [],
+    "chain": {
+      "cwes": [],
+      "atlas": [],
+      "d3fend": [],
+      "framework_gaps": [],
+      "attack_refs": [],
+      "rfc_refs": []
+    }
+  },
   "CWE-787": {
     "name": "Out-of-bounds Write",
     "category": "Memory Safety",

package/data/_indexes/section-offsets.json

@@ -1868,8 +1868,8 @@
     },
     "supply-chain-integrity": {
       "path": "skills/supply-chain-integrity/skill.md",
-      "total_bytes": 37908,
-      "total_lines": 319,
+      "total_bytes": 39667,
+      "total_lines": 320,
       "frontmatter": {
         "line_start": 1,
         "line_end": 65,
@@ -1882,70 +1882,70 @@
           "normalized_name": "threat-context",
           "line": 69,
           "byte_start": 1820,
-          "byte_end": 5452,
-          "bytes": 3632,
+          "byte_end": 7211,
+          "bytes": 5391,
           "h3_count": 0
         },
         {
           "name": "Framework Lag Declaration",
           "normalized_name": "framework-lag-declaration",
-          "line": 87,
-          "byte_start": 5452,
-          "byte_end": 15935,
+          "line": 88,
+          "byte_start": 7211,
+          "byte_end": 17694,
           "bytes": 10483,
           "h3_count": 1
         },
         {
           "name": "TTP Mapping",
           "normalized_name": "ttp-mapping",
-          "line": 132,
-          "byte_start": 15935,
-          "byte_end": 19063,
+          "line": 133,
+          "byte_start": 17694,
+          "byte_end": 20822,
           "bytes": 3128,
           "h3_count": 0
         },
         {
           "name": "Exploit Availability Matrix",
           "normalized_name": "exploit-availability-matrix",
-          "line": 155,
-          "byte_start": 19063,
-          "byte_end": 23644,
+          "line": 156,
+          "byte_start": 20822,
+          "byte_end": 25403,
           "bytes": 4581,
           "h3_count": 0
         },
         {
           "name": "Analysis Procedure",
           "normalized_name": "analysis-procedure",
-          "line": 172,
-          "byte_start": 23644,
-          "byte_end": 31101,
+          "line": 173,
+          "byte_start": 25403,
+          "byte_end": 32860,
           "bytes": 7457,
           "h3_count": 4
         },
         {
           "name": "Output Format",
           "normalized_name": "output-format",
-          "line": 246,
-          "byte_start": 31101,
-          "byte_end": 33203,
+          "line": 247,
+          "byte_start": 32860,
+          "byte_end": 34962,
           "bytes": 2102,
           "h3_count": 9
         },
         {
           "name": "Compliance Theater Check",
           "normalized_name": "compliance-theater-check",
-          "line": 286,
-          "byte_start": 33203,
-          "byte_end": 35491,
+          "line": 287,
+          "byte_start": 34962,
+          "byte_end": 37250,
           "bytes": 2288,
           "h3_count": 0
         },
         {
           "name": "Defensive Countermeasure Mapping",
           "normalized_name": "defensive-countermeasure-mapping",
-          "line": 302,
-          "byte_start": 35491,
-          "byte_end": 37908,
+          "line": 303,
+          "byte_start": 37250,
+          "byte_end": 39667,
           "bytes": 2417,
           "h3_count": 0
         }

package/data/_indexes/token-budget.json

@@ -3,8 +3,8 @@
     "schema_version": "1.0.0",
     "tokenizer_note": "Character-density approximation: 1 token ≈ 4 chars. This is the canonical rule-of-thumb for OpenAI tokenizers on English+technical text. Claude's tokenizer is typically more efficient on prose; treat this as an upper-bound budget for both. Consumers with stricter precision needs should re-tokenize with their own tokenizer.",
     "approx_chars_per_token": 4,
-    "total_chars": 1337563,
-    "total_approx_tokens": 334394,
+    "total_chars": 1339318,
+    "total_approx_tokens": 334832,
     "skill_count": 38
   },
   "skills": {
@@ -1090,16 +1090,16 @@
     },
     "supply-chain-integrity": {
       "path": "skills/supply-chain-integrity/skill.md",
-      "bytes": 37908,
-      "chars": 37778,
-      "lines": 319,
-      "approx_tokens": 9445,
+      "bytes": 39667,
+      "chars": 39533,
+      "lines": 320,
+      "approx_tokens": 9883,
       "approx_chars_per_token": 4,
       "sections": {
         "threat-context": {
-          "bytes": 3632,
-          "chars": 3622,
-          "approx_tokens": 906
+          "bytes": 5391,
+          "chars": 5377,
+          "approx_tokens": 1344
         },
         "framework-lag-declaration": {
           "bytes": 10483,