@blamejs/exceptd-skills 0.11.15 → 0.12.0

package/lib/source-ghsa.js

@@ -0,0 +1,259 @@
+"use strict";
+
+/**
+ * lib/source-ghsa.js
+ *
+ * GitHub Advisory Database fetcher. The GHSA covers npm, PyPI, RubyGems,
+ * Maven, NuGet, Go, Composer, Swift, Erlang, Pub, and Rust ecosystems in
+ * one feed and is updated within hours of disclosure — much faster than
+ * NVD (~10 days) or KEV (variable, often days).
+ *
+ * Endpoint: GET https://api.github.com/advisories
+ *   - Unauthenticated: 60 req/hr (sufficient for nightly refresh)
+ *   - Authenticated:   5000 req/hr (set GITHUB_TOKEN env var)
+ *
+ * Returns drafts — every imported entry carries `_auto_imported: true`
+ * + `_draft: true` so the strict catalog validator treats them as
+ * warnings, not errors. Editorial fields (framework_control_gaps,
+ * iocs, atlas_refs) are left null until a human or AI assistant
+ * fills them in via the seven-phase playbook flow.
+ *
+ * Honors EXCEPTD_GHSA_FIXTURE env var for offline testing — value is a
+ * path to a JSON array matching the api.github.com/advisories shape.
+ *
+ * Zero npm deps. Node 24 stdlib only.
+ */
+
+const https = require("https");
+const fs = require("fs");
+
+const GHSA_HOST = "api.github.com";
+const GHSA_PATH = "/advisories?per_page=50&type=reviewed&sort=published&direction=desc";
+const REQUEST_TIMEOUT_MS = 10000;
+const USER_AGENT = "exceptd-security/source-ghsa (+https://exceptd.com)";
+
+/**
+ * Fetch a page of advisories (default: latest 50).
+ *
+ * Returns:
+ *   { ok: true,  advisories: [...], source: "github-api" | "fixture", rate_limit?: { remaining, reset } }
+ *   { ok: false, error, source: "offline" }
+ */
+async function fetchAdvisories({ timeoutMs = REQUEST_TIMEOUT_MS, path = GHSA_PATH, token = null } = {}) {
+  if (process.env.EXCEPTD_GHSA_FIXTURE) {
+    try {
+      const arr = JSON.parse(fs.readFileSync(process.env.EXCEPTD_GHSA_FIXTURE, "utf8"));
+      return { ok: true, advisories: Array.isArray(arr) ? arr : [arr], source: "fixture" };
+    } catch (e) {
+      return { ok: false, error: `fixture: ${e.message}`, source: "offline" };
+    }
+  }
+
+  return new Promise((resolve) => {
+    const headers = {
+      "Accept": "application/vnd.github+json",
+      "User-Agent": USER_AGENT,
+      "X-GitHub-Api-Version": "2022-11-28",
+    };
+    if (token || process.env.GITHUB_TOKEN) {
+      headers.Authorization = `Bearer ${token || process.env.GITHUB_TOKEN}`;
+    }
+    const req = https.get({
+      host: GHSA_HOST,
+      path,
+      headers,
+      timeout: timeoutMs,
+    }, (res) => {
+      if (res.statusCode !== 200) {
+        res.resume();
+        return resolve({ ok: false, error: `GHSA returned HTTP ${res.statusCode}`, source: "offline" });
+      }
+      const chunks = [];
+      res.on("data", (c) => chunks.push(c));
+      res.on("end", () => {
+        try {
+          const body = JSON.parse(Buffer.concat(chunks).toString("utf8"));
+          const advisories = Array.isArray(body) ? body : (body ? [body] : []);
+          resolve({
+            ok: true,
+            advisories,
+            source: "github-api",
+            rate_limit: {
+              remaining: parseInt(res.headers["x-ratelimit-remaining"], 10) || null,
+              reset: parseInt(res.headers["x-ratelimit-reset"], 10) || null,
+            },
+          });
+        } catch (e) {
+          resolve({ ok: false, error: `parse: ${e.message}`, source: "offline" });
+        }
+      });
+    });
+    req.on("timeout", () => req.destroy(new Error("timeout")));
+    req.on("error", (e) => resolve({ ok: false, error: e.message, source: "offline" }));
+  });
+}
+
+/**
+ * Fetch a single advisory by ID — accepts CVE-* or GHSA-* identifiers.
+ *
+ * GHSA-IDs hit /advisories/<ghsa-id> directly. CVE-IDs require a search
+ * since the API is keyed by GHSA. We fall back to a query-string search.
+ */
+async function fetchAdvisoryById(id, opts = {}) {
+  if (!id || typeof id !== "string") {
+    return { ok: false, error: "id is required (CVE-* or GHSA-*)", source: "offline" };
+  }
+  if (process.env.EXCEPTD_GHSA_FIXTURE) {
+    const r = await fetchAdvisories(opts);
+    if (!r.ok) return r;
+    const match = r.advisories.find(a =>
+      (a.ghsa_id && a.ghsa_id.toUpperCase() === id.toUpperCase()) ||
+      (a.cve_id && a.cve_id.toUpperCase() === id.toUpperCase())
+    );
+    if (!match) return { ok: false, error: `${id} not in fixture`, source: "fixture" };
+    return { ok: true, advisories: [match], source: "fixture" };
+  }
+  if (/^GHSA-/i.test(id)) {
+    return fetchAdvisories({ ...opts, path: `/advisories/${id.toLowerCase()}` });
+  }
+  if (/^CVE-\d{4}-\d+$/i.test(id)) {
+    return fetchAdvisories({ ...opts, path: `/advisories?cve_id=${encodeURIComponent(id.toUpperCase())}` });
+  }
+  return { ok: false, error: `unrecognized id format (expected CVE-YYYY-NNNN or GHSA-*): ${id}`, source: "offline" };
+}
+
+/**
+ * Normalize a GHSA advisory object to the exceptd catalog draft shape.
+ * Fields the GHSA carries authoritatively: cve_id, ghsa_id, summary,
+ * severity, cvss, vulnerabilities (package + version range), published_at,
+ * references. Editorial fields (framework_control_gaps, iocs, atlas_refs,
+ * attack_refs, rwep_factors) are LEFT NULL — drafts. The seven-phase
+ * playbook flow OR a human reviewer fills these in.
+ *
+ * Returns null if the advisory lacks a CVE ID (we don't import GHSA-only
+ * advisories into the CVE catalog — they belong in a separate GHSA index
+ * which is a v0.13 design).
+ */
+function normalizeAdvisory(adv) {
+  if (!adv || !adv.cve_id) return null;
+
+  const ecosystems = new Set();
+  const affected = [];
+  const ecosystemPackages = [];
+  for (const v of (adv.vulnerabilities || [])) {
+    if (v?.package?.ecosystem) ecosystems.add(v.package.ecosystem);
+    if (v?.package?.name) {
+      ecosystemPackages.push(`${v.package.ecosystem || "?"}:${v.package.name}`);
+      if (v.vulnerable_version_range) {
+        affected.push(`${v.package.name} ${v.vulnerable_version_range}`);
+      }
+    }
+  }
+
+  const cvssScore = adv.cvss?.score ?? null;
+  const cvssVector = adv.cvss?.vector_string || null;
+  const severity = (adv.severity || "").toLowerCase();
+  // Derive a coarse type from package ecosystem when nothing better available.
+  const inferredType = ecosystems.has("npm") ? "supply-chain-npm"
+    : ecosystems.has("pip") ? "supply-chain-pypi"
+    : ecosystems.has("maven") ? "supply-chain-maven"
+    : ecosystems.has("rubygems") ? "supply-chain-gem"
+    : "supply-chain-other";
+
+  return {
+    [adv.cve_id]: {
+      name: adv.summary || adv.cve_id,
+      type: inferredType,
+      cvss_score: cvssScore,
+      cvss_vector: cvssVector,
+      cisa_kev: false,
+      cisa_kev_date: null,
+      cisa_kev_pending: severity === "critical",
+      cisa_kev_pending_reason: severity === "critical"
+        ? `GHSA severity critical (CVSS ${cvssScore}). KEV listing typically follows for critical advisories with confirmed exploitation; verify before publish.`
+        : null,
+      poc_available: null,
+      poc_description: null,
+      ai_discovered: null,
+      ai_assisted_weaponization: null,
+      active_exploitation: severity === "critical" ? "suspected" : "unknown",
+      affected: ecosystemPackages.join(", ") || null,
+      affected_versions: affected,
+      vector: null,
+      complexity: null,
+      patch_available: null,
+      patch_required_reboot: false,
+      live_patch_available: null,
+      live_patch_tools: [],
+      framework_control_gaps: null,
+      atlas_refs: [],
+      attack_refs: [],
+      rwep_score: null,
+      rwep_factors: null,
+      rwep_notes: "Auto-imported from GHSA. RWEP factors require editorial review before this entry passes the strict catalog gate.",
+      epss_score: null,
+      epss_percentile: null,
+      epss_date: null,
+      epss_source: adv.cve_id ? `https://api.first.org/data/v1/epss?cve=${adv.cve_id}` : null,
+      source_verified: new Date().toISOString().slice(0, 10),
+      verification_sources: [
+        ...(adv.html_url ? [adv.html_url] : []),
+        ...(adv.cve_id ? [`https://nvd.nist.gov/vuln/detail/${adv.cve_id}`] : []),
+        ...(adv.references || []).slice(0, 10),
+      ],
+      vendor_advisories: [
+        {
+          vendor: "GitHub Security Advisories",
+          advisory_id: adv.ghsa_id || null,
+          url: adv.html_url || `https://github.com/advisories?query=${encodeURIComponent(adv.cve_id)}`,
+          severity: severity || null,
+          published_date: (adv.published_at || "").slice(0, 10) || null,
+        },
+      ],
+      iocs: null,
+      _auto_imported: true,
+      _draft: true,
+      _draft_reason: "Imported from GHSA on " + new Date().toISOString().slice(0, 10) + ". Editorial fields (framework_control_gaps, atlas_refs, attack_refs, iocs, vector, complexity, rwep_factors) require human review. Run `exceptd run sbom --evidence -` against an affected repo to gather IoCs; consult MITRE ATLAS + ATT&CK catalogs for refs.",
+      _source_ghsa_id: adv.ghsa_id || null,
+      _source_published_at: adv.published_at || null,
+      last_updated: new Date().toISOString().slice(0, 10),
+    },
+  };
+}
+
+/**
+ * Build a refresh diff for the existing refresh-external orchestrator.
+ * Compares the latest 50 advisories' CVE IDs against the local catalog;
+ * any CVE ID not in the catalog becomes an "add" diff.
+ */
+async function buildDiff(ctx) {
+  const result = await fetchAdvisories({});
+  if (!result.ok) {
+    return { status: "unreachable", diffs: [], errors: 1, summary: `GHSA fetch failed: ${result.error}` };
+  }
+  const existing = new Set(Object.keys(ctx.cveCatalog || {}).filter(k => /^CVE-/.test(k)));
+  const diffs = [];
+  for (const adv of result.advisories) {
+    if (!adv.cve_id) continue;
+    if (existing.has(adv.cve_id)) continue;
+    const normalized = normalizeAdvisory(adv);
+    if (!normalized) continue;
+    diffs.push({
+      id: adv.cve_id,
+      field: "_new_entry",
+      before: null,
+      after: normalized[adv.cve_id],
+      severity: adv.severity || null,
+      source: "ghsa",
+    });
+  }
+  return {
+    status: "ok",
+    diffs,
+    errors: 0,
+    summary: `GHSA returned ${result.advisories.length} reviewed advisories; ${diffs.length} new CVE ID(s) not yet in local catalog.`,
+    rate_limit: result.rate_limit || null,
+  };
+}
+
+module.exports = { fetchAdvisories, fetchAdvisoryById, normalizeAdvisory, buildDiff };

package/lib/validate-cve-catalog.js

@@ -172,14 +172,30 @@ function main() {
   const lessonKeys = new Set(Object.keys(lessons).filter((k) => !k.startsWith('_')));
 
   let failed = 0;
+  let drafts = 0;
   for (const key of cveKeys) {
     const entry = catalog[key];
+    // v0.12.0: GHSA-imported drafts are flagged `_auto_imported: true` +
+    // `_draft: true`. They pass validation as WARNINGS (printed but not
+    // exit-failing) so the nightly auto-PR pipeline can ship them while
+    // editorial fields await human or AI-assisted enrichment via
+    // `exceptd run cve-curation --advisory <id>`.
+    const isDraft = entry && (entry._auto_imported === true || entry._draft === true);
     const errors = validate(entry, schema, 'cve', key);
-    if (!lessonKeys.has(key)) {
+    if (!lessonKeys.has(key) && !isDraft) {
       errors.push(
         `${key}: missing matching entry in data/zeroday-lessons.json (rule #6: zero-day learning is live)`,
       );
     }
+    if (isDraft) {
+      drafts++;
+      if (!opts.quiet) {
+        console.log(`DRAFT ${key} (auto-imported — needs editorial review)`);
+        for (const e of errors) console.log(`        - [warn] ${e}`);
+      }
+      // Drafts don't increment `failed` — they're warnings, not errors.
+      continue;
+    }
     if (errors.length === 0) {
       if (!opts.quiet) console.log(`PASS  ${key}`);
     } else {
@@ -203,10 +219,11 @@ function main() {
   }
 
   const total = cveKeys.length;
-  const passed = total - failed;
-  console.log(
-    `\n${passed}/${total} CVE entries validated${failed ? `, ${failed} failed` : ''}.`,
-  );
+  const passed = total - failed - drafts;
+  const summary = `\n${passed}/${total} CVE entries validated` +
+    (drafts ? `, ${drafts} draft(s) (auto-imported)` : '') +
+    (failed ? `, ${failed} failed` : '') + '.';
+  console.log(summary);
   process.exit(failed === 0 ? 0 : 1);
 }
 

package/manifest-snapshot.json

@@ -1,6 +1,6 @@
 {
   "_comment": "Auto-generated by scripts/refresh-manifest-snapshot.js — do not hand-edit. Public skill surface used by check-manifest-snapshot.js to detect breaking removals.",
-  "_generated_at": "2026-05-13T02:18:38.639Z",
+  "_generated_at": "2026-05-13T02:31:32.493Z",
   "atlas_version": "5.1.0",
   "skill_count": 38,
   "skills": [

package/manifest.json

@@ -1,6 +1,6 @@
 {
   "name": "exceptd-security",
-  "version": "0.11.15",
+  "version": "0.12.0",
   "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation",
   "homepage": "https://exceptd.com",
   "license": "Apache-2.0",
@@ -52,7 +52,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "Xk593pj7my6wPJbQBE47khpIUrPsp6N1lW7cE2T/VPPF5T+8C1yGKc9B8VphD7Q08yWFcbwF6HoWpA/+4uG9DA==",
-      "signed_at": "2026-05-13T02:18:38.231Z",
+      "signed_at": "2026-05-13T02:31:32.071Z",
       "cwe_refs": [
         "CWE-125",
         "CWE-362",
@@ -116,7 +116,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "nOgUu+LK9fy6ASTCoRGtx3ttgjZCl7WIkKu2wu06JEKVSpL2cKU3ex2tmVAvv11LBmpTH+b/0zvqXlzcxzHnCw==",
-      "signed_at": "2026-05-13T02:18:38.233Z",
+      "signed_at": "2026-05-13T02:31:32.073Z",
       "cwe_refs": [
         "CWE-1039",
         "CWE-1426",
@@ -179,7 +179,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "7FH1J9PlOyvcRCzRmggmenX9fIR0pi/veXihb3TeStcq1Rpuz1KHdOcJLqA9su4t2goYukKKCXHV6hx8hzplAA==",
-      "signed_at": "2026-05-13T02:18:38.233Z",
+      "signed_at": "2026-05-13T02:31:32.073Z",
       "cwe_refs": [
         "CWE-22",
         "CWE-345",
@@ -225,7 +225,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "FqTRjHfEgw56pyHnyWzNtnhzDMEePBtmuamtW/iyX+h4yqbvP4Fyr7NRjRs3EgqT4j7oHuEZhV9Jt6ZTBgN4AA==",
-      "signed_at": "2026-05-13T02:18:38.233Z"
+      "signed_at": "2026-05-13T02:31:32.073Z"
     },
     {
       "name": "compliance-theater",
@@ -256,7 +256,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "3fN4yotiIIq76PVTHwozCu28TzDZvWule6vX8SXUT3XXbIBSuvAO0M/euvc3pw3TdZ2UNf78dI18lOCNdJ0aAg==",
-      "signed_at": "2026-05-13T02:18:38.234Z"
+      "signed_at": "2026-05-13T02:31:32.074Z"
     },
     {
       "name": "exploit-scoring",
@@ -285,7 +285,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "yZfpk4lQMRXegj2ADWjMmZTchUN6Lxpv587O/0JMzbNkXQtD6FrSAQOBWjx8S7uQ/sTntxgGN7aQQDLxL9RWAA==",
-      "signed_at": "2026-05-13T02:18:38.234Z"
+      "signed_at": "2026-05-13T02:31:32.074Z"
     },
     {
       "name": "rag-pipeline-security",
@@ -322,7 +322,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "ABHkoqee67KdUyDZ3bvF+/DNxjGhPR/ehT6pfOnmUIMmkcQFHpZ0OUVXKiFUANaLgKLP1vg0VEmHOoxpNA3vAA==",
-      "signed_at": "2026-05-13T02:18:38.235Z",
+      "signed_at": "2026-05-13T02:31:32.075Z",
       "cwe_refs": [
         "CWE-1395",
         "CWE-1426"
@@ -379,7 +379,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "+Nd/2tgBnW+mEGX84QvkgR2To2J7kA+lB63BsADDKeCXeebFv6Vo9H1P4vyUkKHfe4fP0ndpy3agIZcUO/e/Dg==",
-      "signed_at": "2026-05-13T02:18:38.235Z",
+      "signed_at": "2026-05-13T02:31:32.075Z",
       "d3fend_refs": [
         "D3-CA",
         "D3-CSPP",
@@ -414,7 +414,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "VMNGFvowXLbBjZp5nvWloKkqyqHKhnSzbVRU3gX9quOZJHH56w2M4id+oDsXIjR0CfRRb7eXl/so0Hq4xLBuBQ==",
-      "signed_at": "2026-05-13T02:18:38.235Z",
+      "signed_at": "2026-05-13T02:31:32.075Z",
       "cwe_refs": [
         "CWE-1188"
       ]
@@ -442,7 +442,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "5MaJs7gPCuFlK4oAttLulAPOA1noeV+xD/UqVWaVyRedXZgebBGKjnlE2t1qmTugvxlNIfeAnBZapk+Wz3VAAg==",
-      "signed_at": "2026-05-13T02:18:38.235Z"
+      "signed_at": "2026-05-13T02:31:32.075Z"
     },
     {
       "name": "global-grc",
@@ -474,7 +474,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "S/YXUpI/mcG2FpdUTgMsccWBtTaR5A4Ph4QFQw31S9w9Hn/z3sOFHLkb1B5YSwlg+mMOtSIxMdet1eLGSZkTDg==",
-      "signed_at": "2026-05-13T02:18:38.236Z"
+      "signed_at": "2026-05-13T02:31:32.076Z"
     },
     {
       "name": "zeroday-gap-learn",
@@ -501,7 +501,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "AKS+JsmhhBtytY2eIMuydjkZOYprWCmQ+RqxyxcVG9XcEI29ZSM/JbVIINQHozFl7OPPrOu1ouiTnk7LOJ86Bg==",
-      "signed_at": "2026-05-13T02:18:38.236Z"
+      "signed_at": "2026-05-13T02:31:32.076Z"
     },
     {
       "name": "pqc-first",
@@ -553,7 +553,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "oEkK5bLS/G5RIHnxlNFJYdzhTJbKZnkJv+W4iS9UJ/uszZHgZGoxygELPc4kn3FowV5eE988SQYG4WKlXtNzCg==",
-      "signed_at": "2026-05-13T02:18:38.237Z",
+      "signed_at": "2026-05-13T02:31:32.077Z",
       "cwe_refs": [
         "CWE-327"
       ],
@@ -600,7 +600,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "nPV6YTo1rsNH49qUnZpfoNLEQZXuLNyV05QMUOgXKHYeVDjotYpWhLgyVXlRhjV/fStiA2sWQ0MOnEJ4FBIfDg==",
-      "signed_at": "2026-05-13T02:18:38.237Z"
+      "signed_at": "2026-05-13T02:31:32.077Z"
     },
     {
       "name": "security-maturity-tiers",
@@ -637,7 +637,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "7rirSEONz6O9Yyf46eTyuwkGizCj9FRcNHe5p7Qz6nhJoZQRW5FwW7n9opL0WlbIw8FDBYn1f22zgNUV87L5AQ==",
-      "signed_at": "2026-05-13T02:18:38.237Z",
+      "signed_at": "2026-05-13T02:31:32.077Z",
       "cwe_refs": [
         "CWE-1188"
       ]
@@ -672,7 +672,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-11",
       "signature": "+evehnd2wSBb8uMTlTr5/aTN4bfLjsKzZJk/+OMLMOJrjCt+OuMU7EQC6xMUGeSc4cPEGajghDvq3xVaacV2Dw==",
-      "signed_at": "2026-05-13T02:18:38.238Z"
+      "signed_at": "2026-05-13T02:31:32.078Z"
     },
     {
       "name": "attack-surface-pentest",
@@ -743,7 +743,7 @@
         "PTES revision incorporating AI-surface enumeration"
       ],
       "signature": "KHOXxloAYf7xqXjm2BaL3HVAZOmb7rMiMh20H/oaIkjN0WD1CnKCrRGPJn867uSFhCh/timkXolaiqD1L/h8Dg==",
-      "signed_at": "2026-05-13T02:18:38.238Z"
+      "signed_at": "2026-05-13T02:31:32.078Z"
     },
     {
       "name": "fuzz-testing-strategy",
@@ -803,7 +803,7 @@
         "OSS-Fuzz-Gen / AI-assisted harness generation becoming the default expectation for OSS maintainers"
       ],
       "signature": "+ELdD+1AY5DymBitH7wU65CS60NY1nDoLowJAFn7cE5Gr/5jy9BTkyxsm7PEXaSlXWMOkTf/HQ+uyzyxUVD/Bw==",
-      "signed_at": "2026-05-13T02:18:38.238Z"
+      "signed_at": "2026-05-13T02:31:32.078Z"
     },
     {
       "name": "dlp-gap-analysis",
@@ -878,7 +878,7 @@
         "Quebec Law 25, India DPDPA, KSA PDPL enforcement actions naming AI-tool prompt data as in-scope personal information"
       ],
       "signature": "8tFAhXAS8zZN3SUOdn+ZIu7lQ48JMOyBQ8SaObR3L/fDyFmDhufqleY2VzI3yigqlT/D4Y8FYxZHKmzXiALjDw==",
-      "signed_at": "2026-05-13T02:18:38.238Z"
+      "signed_at": "2026-05-13T02:31:32.079Z"
     },
     {
       "name": "supply-chain-integrity",
@@ -955,7 +955,7 @@
         "OpenSSF model-signing — emerging Sigstore-based signing standard for ML model weights; track for production adoption"
       ],
       "signature": "YhvlD+6gdFGg7P6QtpWeb0n54/Ujlxc7I6o/bXtpkfPiy/JY4OJo5xdreb+mbytHkasmUErL5LsDtTCAVq0QAA==",
-      "signed_at": "2026-05-13T02:18:38.239Z"
+      "signed_at": "2026-05-13T02:31:32.079Z"
     },
     {
       "name": "defensive-countermeasure-mapping",
@@ -1012,7 +1012,7 @@
       ],
       "last_threat_review": "2026-05-11",
       "signature": "AMdLkDx/e3ESI4NAnJhhcaas+Ru8VjrSn6v6RBbmmzoLCGo/vFxGraa1p/qF9udhVG+DdkbwHfbfKK5Im19KDw==",
-      "signed_at": "2026-05-13T02:18:38.239Z"
+      "signed_at": "2026-05-13T02:31:32.079Z"
     },
     {
       "name": "identity-assurance",
@@ -1079,7 +1079,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "pSMHKkyWoZvRIuVtN7Vue51sP5MIy9lSaQa2YSAMhxjptx81cUnPt3S11/Tb9Ea1/eluMNQ+5F25eF2njr4mBQ==",
-      "signed_at": "2026-05-13T02:18:38.239Z"
+      "signed_at": "2026-05-13T02:31:32.079Z"
     },
     {
       "name": "ot-ics-security",
@@ -1135,7 +1135,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "qjky+ZTX1DP7uRRMQZq7S7P9/uaJEoB1dy4RZ1l37Q4OO3k2ryfL+7o0Cgm/piuafJfH+dqUeNCRrVefj4r8Dw==",
-      "signed_at": "2026-05-13T02:18:38.239Z"
+      "signed_at": "2026-05-13T02:31:32.080Z"
     },
     {
       "name": "coordinated-vuln-disclosure",
@@ -1187,7 +1187,7 @@
         "NYDFS 23 NYCRR 500 amendments potentially adding explicit CVD program requirements"
       ],
       "signature": "F86Zl/I+dBzHYRUuGWsjDQI2F/I/vhzwZUFMqhNfKUzRbMf6mafOX2APCPYTp3eP1DvvvfL3Yc0hb1R5Q4nOAg==",
-      "signed_at": "2026-05-13T02:18:38.240Z"
+      "signed_at": "2026-05-13T02:31:32.080Z"
     },
     {
       "name": "threat-modeling-methodology",
@@ -1237,7 +1237,7 @@
         "PASTA v2 updates incorporating AI/ML application threats"
       ],
       "signature": "D/4d5NcJScNH58ADXsSrVzTmLSWZpUZTdyhtDkJlC0twSMNczOiDsXgYFitBaZgGdv5nVd00viR45mNrsaZ4BQ==",
-      "signed_at": "2026-05-13T02:18:38.240Z"
+      "signed_at": "2026-05-13T02:31:32.081Z"
     },
     {
       "name": "webapp-security",
@@ -1311,7 +1311,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "UOXaUtpcFjXyDQ70z2PaGu6K3pABtXp+7YzO6eGVGpN1CxXpPq/xW/CnTng6B7wk9WSsqD0OORBJp4VCjiVfAQ==",
-      "signed_at": "2026-05-13T02:18:38.241Z"
+      "signed_at": "2026-05-13T02:31:32.081Z"
     },
     {
       "name": "ai-risk-management",
@@ -1361,7 +1361,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "IVKygsrFjiM64fQVbd2PT6jDjs6fm5nKwJSqGfK53gG0S9wdHC4QYuh+LWlI/2ftvIKjjedLQ6FRyTrqpDEuDw==",
-      "signed_at": "2026-05-13T02:18:38.241Z"
+      "signed_at": "2026-05-13T02:31:32.081Z"
     },
     {
       "name": "sector-healthcare",
@@ -1421,7 +1421,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "P+CdSu8ZJCNUU4nTa09Voh2PcYF3y/AFJn4v7cjVIGo9FbbqO7MwvGN7cJ+aSRs2/3NMUXX4eupcODslxYyJDw==",
-      "signed_at": "2026-05-13T02:18:38.241Z"
+      "signed_at": "2026-05-13T02:31:32.082Z"
     },
     {
       "name": "sector-financial",
@@ -1502,7 +1502,7 @@
         "TIBER-EU framework v2.0 alignment with DORA TLPT RTS (JC 2024/40); cross-recognition with CBEST and iCAST"
       ],
       "signature": "zpEfh181Sc0b0cvRf/31Ir1f8lD4V5tehTogO3TJMxdKmXu06IAK7hrhBcLA/jFBv3xDDwrWW3sHzChVhWDeDA==",
-      "signed_at": "2026-05-13T02:18:38.241Z"
+      "signed_at": "2026-05-13T02:31:32.082Z"
     },
     {
       "name": "sector-federal-government",
@@ -1571,7 +1571,7 @@
         "Australia PSPF 2024 revision and ISM quarterly updates — track for Essential Eight Maturity Level requirements for federal entities"
       ],
       "signature": "7NpQlPu1DkpY9f+Frv/LLBHWUUe/qTM80c+xeYDxOzweXhvJGE/dnDCjglYHTjxT82L9cVxzBezvLEne20UpBg==",
-      "signed_at": "2026-05-13T02:18:38.242Z"
+      "signed_at": "2026-05-13T02:31:32.082Z"
     },
     {
       "name": "sector-energy",
@@ -1636,7 +1636,7 @@
         "ICS-CERT advisory feed (https://www.cisa.gov/news-events/cybersecurity-advisories/ics-advisories) for vendor CVEs in Siemens, Rockwell, Schneider Electric, ABB, GE Vernova, Hitachi Energy, AVEVA / OSIsoft PI"
       ],
       "signature": "4rhyHN5HykK7MQUmhvaTeDGj6Qf5swDd5ry8foh4KBvTkRKxTI/XyxconFGm5FASnySGPLMxX6m4JZAq5wiNBg==",
-      "signed_at": "2026-05-13T02:18:38.242Z"
+      "signed_at": "2026-05-13T02:31:32.083Z"
     },
     {
       "name": "api-security",
@@ -1705,7 +1705,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "hS1izPhETclITK7fp6R67dhy+wFDti/YsJ2M5I1gDjeWZYK41WuxeYSyt5xEHbCr3WCGDFJe77jkK1MWkxk2BA==",
-      "signed_at": "2026-05-13T02:18:38.243Z"
+      "signed_at": "2026-05-13T02:31:32.083Z"
     },
     {
       "name": "cloud-security",
@@ -1786,7 +1786,7 @@
         "CISA KEV additions for cloud-control-plane CVEs (IMDSv1 abuses, federation token mishandling, cross-tenant boundary failures); CISA Cybersecurity Advisories for cross-cloud advisories"
       ],
       "signature": "kuatqNZoRnv+oeyrxbnk+m37JRBIgRAWnDp0/IYLnoBOybiG09RzLILJraxjhvdSNCgo7WXTeBO3Y6a3Ji9MAA==",
-      "signed_at": "2026-05-13T02:18:38.243Z"
+      "signed_at": "2026-05-13T02:31:32.083Z"
     },
     {
       "name": "container-runtime-security",
@@ -1848,7 +1848,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "Btb3/7fjPFopFVdxP7+E6n322gnAAwd7OPrnuqatq6c1rXTD9aXKxiBeCmWxs8zYbIbE/lFoe9R2g6uTp8ZDBg==",
-      "signed_at": "2026-05-13T02:18:38.243Z"
+      "signed_at": "2026-05-13T02:31:32.084Z"
     },
     {
       "name": "mlops-security",
@@ -1919,7 +1919,7 @@
         "MITRE ATLAS v5.2 — track AML.T0010 sub-technique expansion and any new MLOps-pipeline-specific TTPs"
       ],
       "signature": "TBWnlgdllW7K1F10HCJ7p4dbLeS3lyNWm+7mNNtyZu7jB1V5AauG1P7sb1nLLqwKqeGlHS1F0eh/BNiuAvkABg==",
-      "signed_at": "2026-05-13T02:18:38.244Z"
+      "signed_at": "2026-05-13T02:31:32.084Z"
     },
     {
       "name": "incident-response-playbook",
@@ -1981,7 +1981,7 @@
         "NYDFS 23 NYCRR 500.17 amendments tightening ransom-payment 24h disclosure operationalization"
       ],
       "signature": "FVAXpD6sIoOLQSPtZSLLsXQnc2o2hRwiFj4xK8zEWJVkUWGqvAWRrngie7O2DRKIbWqjO5h9EevVYSzhwYHCAA==",
-      "signed_at": "2026-05-13T02:18:38.244Z"
+      "signed_at": "2026-05-13T02:31:32.085Z"
     },
     {
       "name": "email-security-anti-phishing",
@@ -2034,7 +2034,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "0HDt3Qklee4FQeKoZfwr+8qdq2pVDS0a+c7JxVw1hV/bl8+YTPaPjPTAhQUnbhUCa5cGo7G4MBQ1AifQTMJdDA==",
-      "signed_at": "2026-05-13T02:18:38.244Z"
+      "signed_at": "2026-05-13T02:31:32.085Z"
     },
     {
       "name": "age-gates-child-safety",
@@ -2102,7 +2102,7 @@
         "US state adult-site age-verification laws — 19+ states by mid-2026 (TX HB 18 upheld by SCOTUS June 2025 in Free Speech Coalition v. Paxton); track ongoing challenges in remaining states"
       ],
       "signature": "UyPSKUztZI/daHCRTnAh6ryoKLX4xyjuG+EaNMPRVuCz2gANGl1F/NozDsw7R2koMUwSFoiYTzwqDvo1tpuKAg==",
-      "signed_at": "2026-05-13T02:18:38.245Z"
+      "signed_at": "2026-05-13T02:31:32.085Z"
     }
   ]
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/exceptd-skills",
-  "version": "0.11.15",
+  "version": "0.12.0",
   "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 38 skills, 10 catalogs, 34 jurisdictions, pre-computed indexes, Ed25519-signed.",
   "keywords": [
     "ai-security",