npm - @blamejs/exceptd-skills - Versions diffs - 0.11.2 → 0.11.4 - Mend

@blamejs/exceptd-skills 0.11.2 → 0.11.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,65 @@
 # Changelog
+## 0.11.4 — 2026-05-12
+**Patch: high-impact #71 fix + items 72-77.**
+### Critical fix
+- **#71 detect didn't accept indicator-result synonyms.** Operators submitting flat-shape evidence with `observation.result: "no_hit"` (the standard vocabulary for years of CI/security tooling) hit the runner's strict `hit|miss|inconclusive` set, falsed every comparison, and ended up with `classification: "inconclusive"` regardless of evidence. This silently broke the new flat-shape submission UX that v0.11.0/v0.11.3 was built around. Same evidence in the legacy `signal_overrides` shape produced the correct `not_detected` verdict.
+  Fix: a `canonicalize()` step in both `normalizeSubmission` and `detect()` maps `no_hit`/`no-hit`/`clean`/`clear`/`not_hit`/`ok`/`pass`/`negative`/`false` → `miss`; `hit`/`detected`/`positive`/`true` → `hit`; `inconclusive`/`unknown`/`unverified`/`null` → `inconclusive`. Operator vocabulary is now normalized to the engine's canonical 3-value set at submission boundary.
+- **#77 CSAF/OpenVEX bundles auto-fixed.** Downstream of #71: now that detect actually processes signal_overrides correctly, the per-CVE statements in `bundle.vulnerabilities` / `statements` populate when there are matched_cves.
+### Bugs
+- **#72 ci --format silently ignored.** `exceptd ci --scope code --format summary` and the bare command emitted byte-identical full bundles (~350 KB). CI gates couldn't get a compact verdict without piping through jq. Now ci honors `--format summary|markdown|csaf-2.0|sarif|openvex` with the same shortcuts as `run --format`. Summary is a single-line JSON with `session_id + playbooks_run + verdict + counts`.
+- **#73 `indicators_evaluated` type changed silently.** v0.11.3 introduced it as an integer count; downstream consumers iterating `for i in detect.indicators_evaluated` crashed. Restored to an array of `{signal_id, outcome, confidence}`. Added `indicators_evaluated_count` as a peer field for callers wanting the integer.
+- **#76 `ci --format garbage` silent empty stdout.** Invalid format values now return `{ok:false, error, verb:"ci"}` JSON to stderr with exit 2, matching the unified error shape.
+### Not addressed in this patch
+- **#74 default-output flip still incomplete.** `emit()` indents JSON when stdout is a TTY (improvement over compact), but `brief`/`run`/`attest list`/`lint` still emit JSON, not a custom human form. The richer data on `brief`/`run` doesn't have a natural compact human view. Indented-JSON-on-TTY ships as the v0.11.x answer; a true human renderer per verb is deferred. `discover`/`doctor`/`ask`/`refresh` continue with their custom renderers.
+- **#75 preflight-blocked exit 0 for warn-level.** `on_fail: halt` preconditions correctly exit 1; `on_fail: warn` preconditions correctly exit 0 with `preflight_issues` populated. The operator wants warn-level to also fail CI — that's a `--strict-preconditions` flag, deferred to v0.11.5. Today: use `exceptd ci` for CI gates (correctly maps detected/escalate to exit 2); `run` is for single-investigation invocations where warn-level info is appropriate.
+### Already shipped (cross-referenced)
+- #78 `doctor --fix` (v0.11.2).
+## 0.11.3 — 2026-05-12
+**Patch: operator-reported item #71 + full feature audit findings.**
+A full audit across v0.10.0 → v0.11.2 features (64 surface elements: bug fixes, new verbs, flags, output formats, integration paths) confirmed 62/64 work as documented; this release fixes the 2 real gaps the audit found plus closes operator-reported #71.
+### Bugs
+- **#71 lint accepted half-shape submissions the runner couldn't drive detect with.** Operators submitting flat-shape evidence with `observations: { "<artifact-id>": { captured, value } }` (no `indicator + result` inline) passed lint with zero warnings, then got `detect.classification: "inconclusive"` from the runner because nothing drove indicator decisions. The flat-shape migration was half-complete: validator accepted the new shape; runner couldn't consume it.
+  Fixes:
+  - **Lint** now warns `observation_lacks_indicator_result` per captured artifact that lacks `indicator + result` AND no `verdict.classification` is supplied, plus an `info` saying "detect will be inconclusive". Operators see the gap before paying the run cost.
+  - **`normalizeSubmission`** previously bailed when the submission already had any nested key (`signals`, `artifacts`, `signal_overrides`) — including when the CLI itself had injected `signals._bundle_formats` for `--format` support. Now shape detection prioritizes `observations` / `verdict` and merges any pre-existing nested keys into the normalized output.
+  - **`detect` output** surfaces `observations_received`, `signals_received`, `indicators_evaluated`, `classification_override_applied`, and `submission_shape_seen` so operators can see exactly what the runner consumed from their submission. Pre-0.11.3 an inconclusive verdict was opaque.
+- **`attest export --format csaf` was a no-op.** The `--format` flag is registered as a multi-flag (returning an array), but the export subverb compared `format === "csaf"` directly against the array, falsing every time. Operators always got the plain redacted-JSON export regardless of the flag. Now unwrapped + normalizes `csaf-2.0` → `csaf` so both shortcuts hit the CSAF envelope path.
+### Audit pass — verified working as documented
+Smoke-tested 64 features across v0.10.0–v0.11.2. The full list:
+- **Bug regressions:** skill not-found JSON, unknown-command JSON, prefetch --quiet summary, validate-cves --offline, --mode validation, --session-key hex validation, framework-gap NIST normalization, default-stdin on pipe, --json-stdout-only stderr silence, mutex lockfile released after run, session-id collision refusal, --operator persistence, --ack persistence, --diff-from-latest, reattest --latest.
+- **Verbs:** brief (incl. --all / --phase), discover, doctor (all four sub-checks), ask (incl. synonym routing), lint (catches missing artifacts), ci (incl. --scope code alignment with discover), watch, verify-attestation alias, run-all alias, attest list/show/verify/export/diff/diff --against.
+- **Run flags:** --evidence, --evidence-dir, --vex, --explain, --signal-list, --format summary/markdown/sarif/openvex (--format csaf fixed here), --diff-from-latest, --ci, --force-overwrite.
+- **Attestation root:** EXCEPTD_HOME respected, --attestation-root respected, legacy + new root both scanned by `findSessionDir`.
+- **Catalog tooling:** validate-cves --since filter, refresh --no-network / --indexes-only routing, report csaf envelope.
+- **Flat submission shape:** verdict.classification propagates, observation + indicator + result drives detect, smart precondition auto-detect resolves cwd_readable / host.platform / agent_has_command.
+- **First-run welcome.**
+### Audit pass — known false positives
+- **`exceptd watch`** prints `"[orchestrator] Starting event watcher..."` not `"Listening"` — works correctly; my test string was wrong.
 ## 0.11.2 — 2026-05-12
 **Patch: operator-reported items 58-70 from real CLI use.**

package/bin/exceptd.js CHANGED Viewed

@@ -866,6 +866,37 @@ function cmdLint(runner, args, runOpts, pretty) {
     issues.push({ severity: "warn", kind: "unknown_observation_key", key: k });
   }
+  // #71 (v0.11.3): when a submission is flat-shape with all captured artifacts
+  // but no indicator+result inline and no verdict.classification — detect()
+  // will return "inconclusive" because nothing drives the indicator decisions.
+  // Lint must surface this so operators don't ship a half-shape evidence file
+  // that passes lint but produces an inconclusive run.
+  if (flat) {
+    const observationsWithoutIndicator = Object.entries(flat).filter(([k, v]) => {
+      if (!knownArtifacts.has(k)) return false; // unknown keys flagged elsewhere
+      if (typeof v !== "object" || v === null) return false;
+      const captured = v.captured !== false;
+      return captured && !(v.indicator && v.result);
+    });
+    const verdictClass = submission.verdict?.classification;
+    const verdictWillDrive = verdictClass === "clean" || verdictClass === "not_detected" || verdictClass === "detected" || verdictClass === "inconclusive";
+    if (observationsWithoutIndicator.length > 0 && !verdictWillDrive && Object.keys(submission.signal_overrides || {}).length === 0) {
+      for (const [k] of observationsWithoutIndicator) {
+        issues.push({
+          severity: "warn",
+          kind: "observation_lacks_indicator_result",
+          observation_key: k,
+          hint: `Artifact "${k}" captured without "indicator" + "result" fields. detect will return 'inconclusive' for this indicator. Either add { "indicator": "<id>", "result": "hit"|"miss"|"inconclusive" } per observation, OR supply verdict.classification at the submission root to drive the overall verdict.`,
+        });
+      }
+      issues.push({
+        severity: "info",
+        kind: "detect_will_be_inconclusive",
+        hint: `Flat submission shape with ${observationsWithoutIndicator.length} captured artifact(s) but no indicator+result inline and no verdict.classification. detect() will return 'inconclusive'. Run \`exceptd run ${playbookId} --signal-list\` to see the indicator IDs the playbook recognizes.`,
+      });
+    }
+  }
   const ok = issues.every(i => i.severity !== "error");
   emit({
     verb: "lint",
@@ -1944,7 +1975,12 @@ function cmdAttest(runner, args, runOpts, pretty) {
     // remediation choice, residual risk acceptance, signature. Auditors get
     // what they need (the verdict + proof of process) without leaking raw
     // captured data (which may contain PII / secret shapes).
-    const format = args.format || "json";
+    //
+    // v0.11.3: --format is registered as multi in parseArgs, so args.format
+    // is an array when present. Unwrap for direct comparison.
+    let formatRaw = args.format || "json";
+    if (Array.isArray(formatRaw)) formatRaw = formatRaw[0];
+    const format = formatRaw === "csaf-2.0" ? "csaf" : formatRaw;
     const redacted = attestations.map(a => ({
       session_id: a.session_id,
       playbook_id: a.playbook_id,
@@ -3030,25 +3066,53 @@ function cmdCi(runner, args, runOpts, pretty) {
   const rwepValues = results.map(r => r.phases?.analyze?.rwep?.adjusted ?? 0);
   const maxRwepObserved = rwepValues.length ? Math.max(...rwepValues) : 0;
-  emit({
-    verb: "ci",
-    session_id: sessionId,
-    playbooks_run: ids,
-    summary: {
-      total: results.length,
-      detected: results.filter(r => r.phases?.detect?.classification === "detected").length,
-      inconclusive: results.filter(r => r.phases?.detect?.classification === "inconclusive").length,
-      not_detected: results.filter(r => ["not_detected", "clean"].includes(r.phases?.detect?.classification)).length,
-      blocked: results.filter(r => r && r.ok === false).length,
-      max_rwep_observed: maxRwepObserved,
-      jurisdiction_clocks_started: results
-        .flatMap(r => r.phases?.close?.notification_actions || [])
-        .filter(n => n && n.clock_started_at != null).length,
-      verdict: fail ? "FAIL" : "PASS",
-      fail_reasons: failReasons,
-    },
-    results,
-  }, pretty);
+  const summary = {
+    total: results.length,
+    detected: results.filter(r => r.phases?.detect?.classification === "detected").length,
+    inconclusive: results.filter(r => r.phases?.detect?.classification === "inconclusive").length,
+    not_detected: results.filter(r => ["not_detected", "clean"].includes(r.phases?.detect?.classification)).length,
+    blocked: results.filter(r => r && r.ok === false).length,
+    max_rwep_observed: maxRwepObserved,
+    jurisdiction_clocks_started: results
+      .flatMap(r => r.phases?.close?.notification_actions || [])
+      .filter(n => n && n.clock_started_at != null).length,
+    verdict: fail ? "FAIL" : "PASS",
+    fail_reasons: failReasons,
+  };
+  // v0.11.4 (#72): ci --format <fmt> previously emitted the full bundle
+  // regardless of flag. Now honors the same shortcuts as `run --format`:
+  //   summary  → one-line JSON of session + verdict + counts
+  //   markdown → operator-readable digest
+  //   csaf     → CSAF 2.0 envelope wrapping every result
+  //   sarif    → SARIF 2.1.0 with results from every playbook
+  //   openvex  → OpenVEX statements derived from every playbook's matched_cves
+  let formatRaw = args.format;
+  if (Array.isArray(formatRaw)) formatRaw = formatRaw[0];
+  const fmt = formatRaw === "csaf-2.0" ? "csaf" : formatRaw;
+  if (fmt === "summary") {
+    emit({ verb: "ci", session_id: sessionId, playbooks_run: ids, summary }, pretty);
+  } else if (fmt === "markdown") {
+    const lines = [`# exceptd ci summary`, `session-id: ${sessionId}`, `verdict: **${summary.verdict}**`, ``];
+    lines.push(`**Playbooks run:** ${summary.total} (${summary.detected} detected, ${summary.inconclusive} inconclusive, ${summary.not_detected} clean, ${summary.blocked} blocked)`);
+    lines.push(`**Max RWEP observed:** ${summary.max_rwep_observed}`);
+    lines.push(`**Jurisdiction clocks started:** ${summary.jurisdiction_clocks_started}`);
+    if (summary.fail_reasons.length) {
+      lines.push(``, `## Fail reasons`);
+      for (const r of summary.fail_reasons) lines.push(`- ${r}`);
+    }
+    process.stdout.write(lines.join("\n") + "\n");
+  } else if (fmt === "csaf" || fmt === "sarif" || fmt === "openvex") {
+    // Aggregate the per-run bundles_by_format if present.
+    const bundles = results.map(r => r.phases?.close?.evidence_package?.bundles_by_format?.[fmt === "csaf" ? "csaf-2.0" : fmt]).filter(Boolean);
+    emit({ verb: "ci", session_id: sessionId, format: fmt, bundles_count: bundles.length, bundles }, pretty);
+  } else if (fmt && fmt !== "json") {
+    // v0.11.4 (#76): garbage format rejected with structured error, not silent empty stdout.
+    process.stderr.write(JSON.stringify({ ok: false, error: `ci: --format "${fmt}" not in accepted set ["summary","markdown","csaf-2.0","sarif","openvex","json"].`, verb: "ci" }) + "\n");
+    process.exit(2);
+  } else {
+    emit({ verb: "ci", session_id: sessionId, playbooks_run: ids, summary, results }, pretty);
+  }
   if (fail) {
     process.stderr.write(`[exceptd ci] FAIL: ${failReasons.join("; ")}\n`);
     process.exit(2);

package/data/_indexes/_meta.json CHANGED Viewed

@@ -1,10 +1,10 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-12T15:32:44.669Z",
+  "generated_at": "2026-05-12T16:00:45.631Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 49,
   "source_hashes": {
-    "manifest.json": "13b2aa2d552d684a06d9865d94e7233438ba95129914b4fd89e15968cf544ff5",
+    "manifest.json": "6935c71303fe299a6a52e1776d571e30808cae14ddfadc48b27d9ac2443c423a",
     "data/atlas-ttps.json": "1500b5830dab070c4252496964a8c0948e1052a656e2c7c6e1efaf0350645e13",
     "data/cve-catalog.json": "a81d3e4b491b27ccc084596b063a6108ff10c9eb01d7776922fc393980b534fe",
     "data/cwe-catalog.json": "c3367d469b4b3d31e4c56397dd7a8305a0be338ecd85afa27804c0c9ce12157b",

package/lib/playbook-runner.js CHANGED Viewed

@@ -304,8 +304,23 @@ function detect(playbookId, directiveId, agentSubmission = {}) {
   const artifacts = agentSubmission.artifacts || {};
   const overrides = agentSubmission.signal_overrides || {};
+  // v0.11.4 (#71): canonicalize the indicator result vocabulary. Operators
+  // submit shapes like "no_hit" / "clean" / "ok" / false from years of
+  // CI/security tooling convention; the engine internally uses
+  // hit | miss | inconclusive. Without canonicalization every flat-shape
+  // observation with result:"no_hit" silently fell through to inconclusive
+  // and broke per-indicator detection. Canonicalization happens here so
+  // both detect() and normalizeSubmission consumers see the same outcomes.
+  const canonicalize = (v) => {
+    if (v === true || v === 'hit' || v === 'detected' || v === 'positive') return 'hit';
+    if (v === false || v === 'miss' || v === 'no_hit' || v === 'no-hit' || v === 'clean' || v === 'clear' || v === 'not_hit' || v === 'ok' || v === 'pass' || v === 'negative') return 'miss';
+    if (v === 'inconclusive' || v === 'unknown' || v === 'unverified' || v === null) return 'inconclusive';
+    return null; // truly unknown — fall through
+  };
   const indicatorResults = (det.indicators || []).map(ind => {
-    const override = overrides[ind.id];
+    const rawOverride = overrides[ind.id];
+    const override = canonicalize(rawOverride);
     let verdict;
     if (override === 'hit' || override === 'miss' || override === 'inconclusive') {
       verdict = override;
@@ -361,7 +376,19 @@ function detect(playbookId, directiveId, agentSubmission = {}) {
     indicators: indicatorResults,
     false_positive_checks_required: fpChecksRequired,
     classification,
-    minimum_signal_basis: det.minimum_signal?.[classification === 'detected' ? 'detected' : classification === 'not_detected' ? 'not_detected' : 'inconclusive']
+    minimum_signal_basis: det.minimum_signal?.[classification === 'detected' ? 'detected' : classification === 'not_detected' ? 'not_detected' : 'inconclusive'],
+    // v0.11.3 #71: surface what detect actually consumed. Operators reading
+    // the detect output now see whether their flat-shape observations + the
+    // signal_overrides + the classification override all reached the runner.
+    observations_received: Object.keys(agentSubmission.artifacts || {}),
+    signals_received: Object.keys(agentSubmission.signal_overrides || {}),
+    // v0.11.4 (#73): downstream consumers iterating `indicators_evaluated`
+    // expect an array, not a count. Restore as array; provide
+    // `indicators_evaluated_count` for callers wanting the integer.
+    indicators_evaluated: indicatorResults.map(i => ({ signal_id: i.id, outcome: i.verdict, confidence: i.confidence })),
+    indicators_evaluated_count: indicatorResults.length,
+    classification_override_applied: validOverrides.has(override) ? (override === 'clean' ? 'not_detected' : override) : null,
+    submission_shape_seen: agentSubmission._original_shape || (agentSubmission.artifacts ? 'nested (v0.10.x)' : 'empty')
   };
 }
@@ -884,13 +911,42 @@ function buildEvidenceBundle(format, playbook, analyze, validate, agentSignals)
  */
 function normalizeSubmission(submission, playbook) {
   if (!submission || typeof submission !== "object") return submission || {};
-  if (submission.artifacts || submission.signal_overrides || submission.signals) return submission;
-  if (!submission.observations && !submission.verdict) return submission;
-  const out = { artifacts: {}, signal_overrides: {}, signals: {}, precondition_checks: {} };
+  // v0.11.3 #71 fix: the CLI may inject `signals._bundle_formats` before
+  // calling normalize (for --format <fmt> support). Pre-0.11.3 normalize
+  // detected the injected `signals` key and bailed, leaving the flat
+  // `observations` / `verdict` untranslated and breaking detect. The shape
+  // detector now treats `observations` or `verdict` as authoritative for
+  // "this is flat" — even when nested keys also exist — and merges any
+  // pre-existing nested keys into the normalized result.
+  const hasFlat = submission.observations || submission.verdict;
+  if (!hasFlat) {
+    // Truly already-nested. Mark shape and return.
+    if (!submission._original_shape) submission._original_shape = 'nested (v0.10.x)';
+    return submission;
+  }
+  const out = {
+    artifacts: { ...(submission.artifacts || {}) },
+    signal_overrides: { ...(submission.signal_overrides || {}) },
+    signals: { ...(submission.signals || {}) },
+    precondition_checks: { ...(submission.precondition_checks || {}) },
+    _original_shape: 'flat (v0.11.0)',
+  };
   const knownPreconditions = new Set((playbook?._meta?.preconditions || []).map(p => p.id));
   const knownArtifacts = new Set((playbook?.phases?.look?.artifacts || []).map(a => a.id));
+  // v0.11.4 (#71): canonicalize indicator outcome strings here too so the
+  // signal_overrides object handed to detect() carries the runner's expected
+  // hit|miss|inconclusive vocabulary regardless of what the operator typed.
+  const canonicalizeOutcome = (v) => {
+    if (v === true || v === 'hit' || v === 'detected' || v === 'positive') return 'hit';
+    if (v === false || v === 'miss' || v === 'no_hit' || v === 'no-hit' || v === 'clean' || v === 'clear' || v === 'not_hit' || v === 'ok' || v === 'pass' || v === 'negative') return 'miss';
+    if (v === 'inconclusive' || v === 'unknown' || v === 'unverified' || v === null) return 'inconclusive';
+    return v; // leave unrecognized values for detect() to decide
+  };
   for (const [key, val] of Object.entries(submission.observations || {})) {
     if (knownPreconditions.has(key)) {
       out.precondition_checks[key] = val === "ok" || val === true || val === "true";
@@ -899,7 +955,9 @@ function normalizeSubmission(submission, playbook) {
     if (typeof val === "object" && val !== null) {
       const aid = knownArtifacts.has(key) ? key : (val.artifact || key);
       out.artifacts[aid] = { value: val.value, captured: val.captured !== false };
-      if (val.indicator && val.result) out.signal_overrides[val.indicator] = val.result;
+      if (val.indicator && val.result !== undefined) {
+        out.signal_overrides[val.indicator] = canonicalizeOutcome(val.result);
+      }
     }
   }

package/manifest-snapshot.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "_comment": "Auto-generated by scripts/refresh-manifest-snapshot.js — do not hand-edit. Public skill surface used by check-manifest-snapshot.js to detect breaking removals.",
-  "_generated_at": "2026-05-12T15:31:43.757Z",
+  "_generated_at": "2026-05-12T15:59:29.819Z",
   "atlas_version": "5.1.0",
   "skill_count": 38,
   "skills": [

package/manifest.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "exceptd-security",
-  "version": "0.11.2",
+  "version": "0.11.4",
   "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation",
   "homepage": "https://exceptd.com",
   "license": "Apache-2.0",
@@ -52,7 +52,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "WprHkO1KOjQtCBj6/EJghBTNyNKJhn7O2HDbAQZPi5jn4flwHpSrtP8LC15a4Unoh+xiIIgGhvTHZIQFHGMpBQ==",
-      "signed_at": "2026-05-12T15:31:43.313Z",
+      "signed_at": "2026-05-12T15:59:29.388Z",
       "cwe_refs": [
         "CWE-125",
         "CWE-362",
@@ -116,7 +116,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "fg20bOXGRkPUdLmegeXpTM4hnzl/ArgcVc88rItZN5DdsnFnzPgUU1PwCI82zooyj2GfxJHYjxNkq5qd2zNPBg==",
-      "signed_at": "2026-05-12T15:31:43.315Z",
+      "signed_at": "2026-05-12T15:59:29.390Z",
       "cwe_refs": [
         "CWE-1039",
         "CWE-1426",
@@ -179,7 +179,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "6JuSzkSSFzFHEZ3ANzqjtIbKPOkwJeKhQ+8WAPB4+dTRvDSeg46n3D88XfGaNd2z7pmg/i8p9ZoImQcHFS4BCg==",
-      "signed_at": "2026-05-12T15:31:43.315Z",
+      "signed_at": "2026-05-12T15:59:29.390Z",
       "cwe_refs": [
         "CWE-22",
         "CWE-345",
@@ -225,7 +225,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "PYSw9abiYfW+y7IkY8udJG5LSds2a4rMimlw3rrdD0zE3vunEeV/y7oTmDD4o83OqHSCKNzF/7vMhvd/noqICQ==",
-      "signed_at": "2026-05-12T15:31:43.316Z"
+      "signed_at": "2026-05-12T15:59:29.391Z"
     },
     {
       "name": "compliance-theater",
@@ -256,7 +256,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "BMFmmJYP3HsHIjUqnhw8E3MiMGZJsI/eDq51we+nxUicZ8nFUQT9DhmRntAqOs6BUnsfiQNNLc/rrsNh8yg1CQ==",
-      "signed_at": "2026-05-12T15:31:43.317Z"
+      "signed_at": "2026-05-12T15:59:29.392Z"
     },
     {
       "name": "exploit-scoring",
@@ -285,7 +285,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "VGPyDwy5BRlpn1lZthhPB6ytb4ZcU2j0KtCZbaMkyLdMugQJtK2yEuwrsDH4yEtAhTB6/A4B3eSygJckum49Ag==",
-      "signed_at": "2026-05-12T15:31:43.317Z"
+      "signed_at": "2026-05-12T15:59:29.392Z"
     },
     {
       "name": "rag-pipeline-security",
@@ -322,7 +322,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "XkFGpsNnXBVslkQ48usEu9l1LjPiV2ppW+M4B63zXFBP2Puh52qYCffEPjUHYhoO5bjgTM7yCbK8XF/Dzk5wBw==",
-      "signed_at": "2026-05-12T15:31:43.317Z",
+      "signed_at": "2026-05-12T15:59:29.392Z",
       "cwe_refs": [
         "CWE-1395",
         "CWE-1426"
@@ -379,7 +379,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "1Xqy7Kxxy6GpTvuYJPdllPzVDRFxb7N6AuxKuoaO4v91CiZLmiXt0sTIWImKJ3p9Eup6rJNDdsY71dolFhHNBA==",
-      "signed_at": "2026-05-12T15:31:43.317Z",
+      "signed_at": "2026-05-12T15:59:29.392Z",
       "d3fend_refs": [
         "D3-CA",
         "D3-CSPP",
@@ -414,7 +414,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "QNLOmAL54S/Cmk4cdO4L2BCGkqZ/FgY4UBsKWtg/EEW+YXF5ev+a8XsUT8q5veuUa2VYcYna7rD1iAnE+2PDBA==",
-      "signed_at": "2026-05-12T15:31:43.318Z",
+      "signed_at": "2026-05-12T15:59:29.393Z",
       "cwe_refs": [
         "CWE-1188"
       ]
@@ -442,7 +442,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "aFHq4cSl3CKchnVITxx+BrAEWD33WtFFJoQtwAug5g9R3/3ABtjaXYGVQaZcdcG1AIZkMoGSPywgLQWDY7ZDCw==",
-      "signed_at": "2026-05-12T15:31:43.318Z"
+      "signed_at": "2026-05-12T15:59:29.393Z"
     },
     {
       "name": "global-grc",
@@ -474,7 +474,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "viCTUWdy6euvd2KTAo6sLvarK/FZkDtYGocxBt0H+fY94kLQGW8K5cSpqIWdUF5NUytSHBCiG4YcSze8P9Z/BQ==",
-      "signed_at": "2026-05-12T15:31:43.318Z"
+      "signed_at": "2026-05-12T15:59:29.394Z"
     },
     {
       "name": "zeroday-gap-learn",
@@ -501,7 +501,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "6PkUaHQi3Hxuqq/Jp4GYckvfqVEofmeT87NUH0T+pwyjlc+xZkoqNPn65f7ldciEPL86JIPi3/dDTKQbIFFBCw==",
-      "signed_at": "2026-05-12T15:31:43.319Z"
+      "signed_at": "2026-05-12T15:59:29.394Z"
     },
     {
       "name": "pqc-first",
@@ -553,7 +553,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "ZenFTEzWx+DzrSXlNXhbZ70vOdJSXfrnKkAwqMlBf5nlDf38V1/hG4XCKj43snQXWr4mVJOX6ilqFLTYNIjnBw==",
-      "signed_at": "2026-05-12T15:31:43.319Z",
+      "signed_at": "2026-05-12T15:59:29.394Z",
       "cwe_refs": [
         "CWE-327"
       ],
@@ -600,7 +600,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "ih0vpd2v2zS31JSJv7SnABoya8JlJdrXZXx4rBnrsV3Assj+dbjAP0pQ1HMT/5RX8yTTswRQsg0bJV3qmbJ3Bw==",
-      "signed_at": "2026-05-12T15:31:43.320Z"
+      "signed_at": "2026-05-12T15:59:29.395Z"
     },
     {
       "name": "security-maturity-tiers",
@@ -637,7 +637,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "Lv8dHiwIqUbNsywCCB/+pYWGF+MHCvxVn1IAvR7Cnif5fy0sICv0N4SVsSb621qAAkHNshpfxqwuhbuQnE1TBA==",
-      "signed_at": "2026-05-12T15:31:43.320Z",
+      "signed_at": "2026-05-12T15:59:29.395Z",
       "cwe_refs": [
         "CWE-1188"
       ]
@@ -672,7 +672,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-11",
       "signature": "BS+wrL28HHYhBpe+v84VLoq9KPBXu6alfG968katfGIoLNYQueaHP931bRmlkrjfeb6qbDf067GWdPEh7nroAw==",
-      "signed_at": "2026-05-12T15:31:43.320Z"
+      "signed_at": "2026-05-12T15:59:29.395Z"
     },
     {
       "name": "attack-surface-pentest",
@@ -743,7 +743,7 @@
         "PTES revision incorporating AI-surface enumeration"
       ],
       "signature": "vLhIYT/CC3IzxMRa+UPeqGSZTvthuwUeTMGNFMm37+TaEk0TtfwPrPyrBJLHw4W6Wt7+pufjHs46X3nTgzoRAg==",
-      "signed_at": "2026-05-12T15:31:43.320Z"
+      "signed_at": "2026-05-12T15:59:29.396Z"
     },
     {
       "name": "fuzz-testing-strategy",
@@ -803,7 +803,7 @@
         "OSS-Fuzz-Gen / AI-assisted harness generation becoming the default expectation for OSS maintainers"
       ],
       "signature": "TOcQLy/427cuf0Lw90J7A0oIeuhUmf9NXb6tOUS5K3SazCKTJujPgYSVAPZOYf1zZrRAY/aq0iqELd5cLyk5DA==",
-      "signed_at": "2026-05-12T15:31:43.321Z"
+      "signed_at": "2026-05-12T15:59:29.396Z"
     },
     {
       "name": "dlp-gap-analysis",
@@ -878,7 +878,7 @@
         "Quebec Law 25, India DPDPA, KSA PDPL enforcement actions naming AI-tool prompt data as in-scope personal information"
       ],
       "signature": "u4IN7escQa5V+OgdtaJXLdvhmNiGZsdmGOvebTLZ30WoImT+WiksvaqSa0POGdbr6HzFkALe2RrZEH9Tr0U6Dg==",
-      "signed_at": "2026-05-12T15:31:43.321Z"
+      "signed_at": "2026-05-12T15:59:29.396Z"
     },
     {
       "name": "supply-chain-integrity",
@@ -955,7 +955,7 @@
         "OpenSSF model-signing — emerging Sigstore-based signing standard for ML model weights; track for production adoption"
       ],
       "signature": "eTGQJ3gnG24WggfwuFNNIFOWV/ttPxTa3pvx9OH28m5KDS1a4ZmOR7K8y01wk/su8bH0ClYYRfoBfKQOtRswAg==",
-      "signed_at": "2026-05-12T15:31:43.321Z"
+      "signed_at": "2026-05-12T15:59:29.396Z"
     },
     {
       "name": "defensive-countermeasure-mapping",
@@ -1012,7 +1012,7 @@
       ],
       "last_threat_review": "2026-05-11",
       "signature": "q7gFLPoqf/8bqATR6gt/nj0EoyUOlfzi+bZ0bT3pC9KW7O6M/ji9fT+AXSGNp6PKd+70ACb3mkMGmWgjLpQXCg==",
-      "signed_at": "2026-05-12T15:31:43.322Z"
+      "signed_at": "2026-05-12T15:59:29.397Z"
     },
     {
       "name": "identity-assurance",
@@ -1079,7 +1079,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "pX8rhrrzuyG3iRrPORLqTZAjzGdWK/bKPUGJG5WHSZcv4LB0kQXOit4sHG0exdXxI6HY8jyX67QY4r5vEHHACw==",
-      "signed_at": "2026-05-12T15:31:43.322Z"
+      "signed_at": "2026-05-12T15:59:29.397Z"
     },
     {
       "name": "ot-ics-security",
@@ -1135,7 +1135,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "ypb8kNZQRdyu5mWeveB7sjCjNKXS1yXvjDJv88muzwhOs/a4Fu/Gb532js5NKyy+eCw/emrphpTZaL8R9a2lBA==",
-      "signed_at": "2026-05-12T15:31:43.322Z"
+      "signed_at": "2026-05-12T15:59:29.397Z"
     },
     {
       "name": "coordinated-vuln-disclosure",
@@ -1187,7 +1187,7 @@
         "NYDFS 23 NYCRR 500 amendments potentially adding explicit CVD program requirements"
       ],
       "signature": "346Lt+277ycRNsyAOGwLSONi4awgxKy3hP9G+BWjwaa8ySmTeqbYsbyyhtxjeohk9bV2SF+Hl2q4JdSvc/2qCQ==",
-      "signed_at": "2026-05-12T15:31:43.322Z"
+      "signed_at": "2026-05-12T15:59:29.398Z"
     },
     {
       "name": "threat-modeling-methodology",
@@ -1237,7 +1237,7 @@
         "PASTA v2 updates incorporating AI/ML application threats"
       ],
       "signature": "ewTvG5vu3ngFHyXgBur5vSKDFQsOZx0x79djGMricl7LCvQf5//OG6LZKXa+AOuEq58prRS+HgzrFA1DiTfeCQ==",
-      "signed_at": "2026-05-12T15:31:43.323Z"
+      "signed_at": "2026-05-12T15:59:29.398Z"
     },
     {
       "name": "webapp-security",
@@ -1311,7 +1311,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "ZHjbKu0Em92Kimr2esL1g93mf9TmcsChBhVEMWf/lFrjeLcg8nyHEIcDstIZ3FWYgc6MQNHnc3Rup3Xp/Za1Cw==",
-      "signed_at": "2026-05-12T15:31:43.323Z"
+      "signed_at": "2026-05-12T15:59:29.398Z"
     },
     {
       "name": "ai-risk-management",
@@ -1361,7 +1361,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "1KRxjCbAX0Rs5NTOioi1w/f1SOzDQrtRoXjTDtzEwJ+d1QzFf9cqmBlp0uXmGpL0bzEaHWIctjigSychmoL2Dw==",
-      "signed_at": "2026-05-12T15:31:43.323Z"
+      "signed_at": "2026-05-12T15:59:29.399Z"
     },
     {
       "name": "sector-healthcare",
@@ -1421,7 +1421,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "eiajFh7w7d4g+/crGalTtw9Qsu0deVsdHkdthZSy595ifGmgu0zaFD8usKThbPhOdUCCclTYkZYz5GalQmkhCw==",
-      "signed_at": "2026-05-12T15:31:43.324Z"
+      "signed_at": "2026-05-12T15:59:29.399Z"
     },
     {
       "name": "sector-financial",
@@ -1502,7 +1502,7 @@
         "TIBER-EU framework v2.0 alignment with DORA TLPT RTS (JC 2024/40); cross-recognition with CBEST and iCAST"
       ],
       "signature": "iSZR/fYESQVyjkcqj+O+yzU0BQfaELH5s7WizzUTWvDPDTD2ZyOnZTT1r/Zfx2l4mbPmVeFGWdYnnVFTk/i3Aw==",
-      "signed_at": "2026-05-12T15:31:43.324Z"
+      "signed_at": "2026-05-12T15:59:29.399Z"
     },
     {
       "name": "sector-federal-government",
@@ -1571,7 +1571,7 @@
         "Australia PSPF 2024 revision and ISM quarterly updates — track for Essential Eight Maturity Level requirements for federal entities"
       ],
       "signature": "Wjdo5YXEL8XeNZkaEueG1DOUoyalstNPzQkxD/cwP5iMrJWg/Ly+sC0Oluuqm3aU7d63z55PrbGQCJD0XVZqBg==",
-      "signed_at": "2026-05-12T15:31:43.324Z"
+      "signed_at": "2026-05-12T15:59:29.400Z"
     },
     {
       "name": "sector-energy",
@@ -1636,7 +1636,7 @@
         "ICS-CERT advisory feed (https://www.cisa.gov/news-events/cybersecurity-advisories/ics-advisories) for vendor CVEs in Siemens, Rockwell, Schneider Electric, ABB, GE Vernova, Hitachi Energy, AVEVA / OSIsoft PI"
       ],
       "signature": "c/l7dOHe0Zj6Ag3abUaEie6o0f8M4rhY5aPI9/wG4z6FDue9PzCVw8vUGoITFgg89g97lMfy2C3CE2PegQoFCw==",
-      "signed_at": "2026-05-12T15:31:43.325Z"
+      "signed_at": "2026-05-12T15:59:29.400Z"
     },
     {
       "name": "api-security",
@@ -1705,7 +1705,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "9FgcJvYeo07QxQ+mnVRQk4jYLDMO/AVSXMs8cueO2f/qMOTQmrhBMVhj5ze7hzvXpGkp7EK/3Q1XKqde61JMAg==",
-      "signed_at": "2026-05-12T15:31:43.325Z"
+      "signed_at": "2026-05-12T15:59:29.400Z"
     },
     {
       "name": "cloud-security",
@@ -1786,7 +1786,7 @@
         "CISA KEV additions for cloud-control-plane CVEs (IMDSv1 abuses, federation token mishandling, cross-tenant boundary failures); CISA Cybersecurity Advisories for cross-cloud advisories"
       ],
       "signature": "xRA0XZf7VPtuBtbsm41bay9yBLphw/hlL3YxIUrpko5g9ldM3oJe9o1qSwzIj/wSnQSI29qqPpNsnlks+HEOCA==",
-      "signed_at": "2026-05-12T15:31:43.325Z"
+      "signed_at": "2026-05-12T15:59:29.401Z"
     },
     {
       "name": "container-runtime-security",
@@ -1848,7 +1848,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "GcU50DStuN1gU/Evm/sFRgeieQbqffVp12rgbGnasRX89Q7kM4ltFXB+bgCXHIvICzYb78hPIifWQb9UVupWBQ==",
-      "signed_at": "2026-05-12T15:31:43.326Z"
+      "signed_at": "2026-05-12T15:59:29.401Z"
     },
     {
       "name": "mlops-security",
@@ -1919,7 +1919,7 @@
         "MITRE ATLAS v5.2 — track AML.T0010 sub-technique expansion and any new MLOps-pipeline-specific TTPs"
       ],
       "signature": "onIazpFoL1t4PMNRsoF06ggnl7BzCKjt0x+ZmVfWfyt1V06DgllsrbN3AAz4+g4jW2Sc71q0vIFKfwEUWpGVAQ==",
-      "signed_at": "2026-05-12T15:31:43.326Z"
+      "signed_at": "2026-05-12T15:59:29.401Z"
     },
     {
       "name": "incident-response-playbook",
@@ -1981,7 +1981,7 @@
         "NYDFS 23 NYCRR 500.17 amendments tightening ransom-payment 24h disclosure operationalization"
       ],
       "signature": "P0Yv4CtqbnBNP6nSIxQUYYHL7T7ci+iE7iE2UXVfnMPeWVdKG2nvRePjBXc3JZTLima1Txn/I5ocDNhLTIeUAQ==",
-      "signed_at": "2026-05-12T15:31:43.326Z"
+      "signed_at": "2026-05-12T15:59:29.402Z"
     },
     {
       "name": "email-security-anti-phishing",
@@ -2034,7 +2034,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "2pv81lLRbazpHqundCANb3YiLB4lkVsYctIDvI8rxSvHxhPS9jYXqmAoB5APSdDuOaew6XqpfZOehQUj9WmyBw==",
-      "signed_at": "2026-05-12T15:31:43.327Z"
+      "signed_at": "2026-05-12T15:59:29.402Z"
     },
     {
       "name": "age-gates-child-safety",
@@ -2102,7 +2102,7 @@
         "US state adult-site age-verification laws — 19+ states by mid-2026 (TX HB 18 upheld by SCOTUS June 2025 in Free Speech Coalition v. Paxton); track ongoing challenges in remaining states"
       ],
       "signature": "BJ/YYnGVXeSBaR9oWAVrcNX7Wz+kE8R4CghX6+XEI/qY89fyrkKNNwo2veqqf49wffJhHVJ1wTp8ZDECjNp+Dw==",
-      "signed_at": "2026-05-12T15:31:43.327Z"
+      "signed_at": "2026-05-12T15:59:29.402Z"
     }
   ]
 }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/exceptd-skills",
-  "version": "0.11.2",
+  "version": "0.11.4",
   "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 38 skills, 10 catalogs, 34 jurisdictions, pre-computed indexes, Ed25519-signed.",
   "keywords": [
     "ai-security",

package/sbom.cdx.json CHANGED Viewed

@@ -1,10 +1,10 @@
 {
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:e0933f0c-38fd-4206-8754-c27d585831ad",
+  "serialNumber": "urn:uuid:057eee67-86e4-4750-80f8-8dfdf5b5c9d3",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-12T15:31:44.204Z",
+    "timestamp": "2026-05-12T15:59:30.308Z",
     "tools": [
       {
         "name": "hand-written",
@@ -13,10 +13,10 @@
       }
     ],
     "component": {
-      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.11.2",
+      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.11.4",
       "type": "application",
       "name": "@blamejs/exceptd-skills",
-      "version": "0.11.2",
+      "version": "0.11.4",
       "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 38 skills, 10 catalogs, 34 jurisdictions, pre-computed indexes, Ed25519-signed.",
       "licenses": [
         {
@@ -25,11 +25,11 @@
           }
         }
       ],
-      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.11.2",
+      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.11.4",
       "externalReferences": [
         {
           "type": "distribution",
-          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.11.2"
+          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.11.4"
         },
         {
           "type": "vcs",