@blamejs/exceptd-skills 0.11.9 → 0.11.11

package/CHANGELOG.md

@@ -1,5 +1,56 @@
 # Changelog
 
+## 0.11.11 — 2026-05-12
+
+**Patch: CI test-gate hotfix — emit-then-exit stdout flush.**
+
+v0.11.10 #100 used `process.exit(3)` after writing the result JSON to stdout. When stdout is piped (CI, test harnesses, JSON consumers), Node's `process.exit()` can return before the buffered async write drains — so `--json` consumers saw empty stdout despite the structured emit. Fix: switch to `process.exitCode = N; return;` so the event loop ends naturally and stdout drains.
+
+### Bugs
+
+- **`ci` --json with exit 3 truncated output.** Tests passed locally but the GitHub Actions release workflow's test gate failed on `tests/operator-bugs.test.js:#103` ("ci output should be JSON") because the Linux runner exposed the flush race more reliably than Windows. Fixed in two places:
+  - `cmdCi` exit 3 (no evidence + all inconclusive)
+  - `cmdCi` exit 2 (FAIL)
+  - `cmdRun` `--strict-preconditions` exit 1 (same shape; pre-existing latent risk)
+
+### Tests
+
+New regression: `#100/#103 ci exit-3 path still flushes JSON to stdout` — asserts both `r.status === 3` AND `tryJson(r.stdout)` parses. This is the test that would have caught v0.11.10 before CI.
+
+### Lesson
+
+When ending a verb with a non-zero exit AFTER writing structured stdout, prefer `process.exitCode = N; return;` over `process.exit(N)`. The former lets the event loop drain stdout; the latter can truncate. Codified in CLAUDE.md.
+
+## 0.11.10 — 2026-05-12
+
+**Patch: items 119-122 — field-name alignment with operator expectations.**
+
+Pattern recognized across 10 v0.11.x releases: my output field names didn't match what operators were reading for. Several "broken" items were actually present-under-a-different-name. v0.11.10 adds the missing aliases + tightens ci's empty-evidence semantic.
+
+### Bugs
+
+- **#119 `result.ack` alias.** v0.11.9 surfaced `--ack` as `result.operator_consent.explicit`. Operators reading `result.ack` (matching the flag name) saw `undefined` and concluded the flag was dropped. Now: `result.ack` is a top-level boolean mirroring the consent state. `operator_consent.explicit` retains its richer shape.
+
+- **#100 ci with no evidence exits 3.** Pre-0.11.10 `ci --required <pb>` with NO `--evidence`/`--evidence-dir` ran every playbook to inconclusive and exited 0 — operators couldn't distinguish "ran clean" from "never had real data." Now: when no evidence was supplied AND every result is inconclusive, ci exits **3** with a clear stderr warning: "ran but never had real data. Pass --evidence <file> or --evidence-dir <dir>." Exit code matrix: 0 PASS, 2 FAIL (detected/escalate), 3 NO-DATA, 1 framework error.
+
+- **#102 `total_compared` field on attest diff.** Pre-0.11.10 `unchanged_count: 0 + added: 0 + removed: 0 + changed: 0` was ambiguous ("0 unchanged of how many?"). Now both `artifact_diff` and `signal_override_diff` include `total_compared` (set size of the union of both sides' keys). Operators can distinguish "no comparison happened" (total_compared: 0) from "everything matched" (total_compared: N, unchanged_count: N).
+
+- **#104 `phases.close.jurisdiction_notifications` alias + `jurisdiction_clocks_count`.** The runner emitted `notification_actions`; operators expected `jurisdiction_notifications`. Now both names point to the same array (full list), and `jurisdiction_clocks_count` mirrors the ci-aggregate count of notifications whose clock has actually started. Compliance teams reading `phases.close.jurisdiction_notifications.length` (or filtering by `.clock_started_at != null`) get the expected shape.
+
+### Tests
+
+5 new cases in `tests/operator-bugs.test.js` for items 119/100/102/104. 338 total.
+
+### Verified by direct repro before fix
+
+For every item I:
+1. Ran the user's exact CLI invocation
+2. Inspected the actual output shape vs the user's stated expectation
+3. Identified whether the bug was missing logic OR field-name mismatch
+4. Fixed both layers when the answer was "mismatch" (add alias) so subsequent operators reading by either name see the data
+
+Pattern documented in CLAUDE.md (project-side contributor guide).
+
 ## 0.11.9 — 2026-05-12
 
 **Patch: items 99-115 — CLI-shim audit, real fixes.**

package/bin/exceptd.js

@@ -1297,8 +1297,15 @@ function cmdRun(runner, args, runOpts, pretty) {
   // v0.11.9 (#113/#114): surface --operator and --ack in the run result so
   // operators see the attribution + consent state without inspecting the
   // attestation file. Pre-0.11.9 these were persisted to disk only.
+  // v0.11.10 (#119): add result.ack alias for consumers reading the
+  // ack state by that name (`result.ack` is shorter + matches the CLI flag).
   if (result && runOpts.operator) result.operator = runOpts.operator;
-  if (result && runOpts.operator_consent) result.operator_consent = runOpts.operator_consent;
+  if (result && runOpts.operator_consent) {
+    result.operator_consent = runOpts.operator_consent;
+    result.ack = !!runOpts.operator_consent.explicit;
+  } else if (result) {
+    result.ack = false;
+  }
 
   // Persist attestation for reattest cycles when the run succeeded.
   if (result && result.ok && result.session_id) {
@@ -1355,7 +1362,10 @@ function cmdRun(runner, args, runOpts, pretty) {
     if (warnIssues.length > 0) {
       process.stderr.write(`[exceptd run] --strict-preconditions: ${warnIssues.length} unverified/warn precondition(s) — exit 1.\n`);
       emit(result, pretty);
-      process.exit(1);
+      // v0.11.11: exitCode + return so emit()'s stdout flushes (process.exit
+      // can truncate buffered async stdout writes when piped).
+      process.exitCode = 1;
+      return;
     }
   }
 
@@ -2226,7 +2236,10 @@ function normalizedSignalOverrides(submission, runner) {
 function diffArtifacts(a, b) {
   a = a || {}; b = b || {};
   const allIds = new Set([...Object.keys(a), ...Object.keys(b)]);
-  const out = { added: [], removed: [], changed: [], unchanged_count: 0 };
+  // v0.11.10 (#102): total_compared disambiguates the empty-both case.
+  // unchanged_count: 0 + added: 0 + removed: 0 + changed: 0 is ambiguous
+  // ("0 unchanged of how many?"); total_compared answers it.
+  const out = { total_compared: allIds.size, added: [], removed: [], changed: [], unchanged_count: 0 };
   for (const id of allIds) {
     const av = a[id], bv = b[id];
     if (!av && bv) {
@@ -2252,7 +2265,7 @@ function diffArtifacts(a, b) {
 function diffSignalOverrides(a, b) {
   a = a || {}; b = b || {};
   const allIds = new Set([...Object.keys(a), ...Object.keys(b)]);
-  const out = { changed: [], unchanged_count: 0 };
+  const out = { total_compared: allIds.size, changed: [], unchanged_count: 0 };
   for (const id of allIds) {
     if (a[id] !== b[id]) out.changed.push({ id, a: a[id] || null, b: b[id] || null });
     else out.unchanged_count++;
@@ -3376,7 +3389,22 @@ function cmdCi(runner, args, runOpts, pretty) {
   }
   if (fail) {
     process.stderr.write(`[exceptd ci] FAIL: ${failReasons.join("; ")}\n`);
-    process.exit(2);
+    // v0.11.11: use exitCode + return instead of process.exit() so the
+    // structured stdout JSON has a chance to flush when stdout is piped.
+    // process.exit() can truncate buffered async stdout writes.
+    process.exitCode = 2;
+    return;
+  }
+  // v0.11.10 (#100): ci exits non-zero when NO evidence was supplied AND
+  // every playbook returned inconclusive. Pre-0.11.10 this exited 0,
+  // conflating "ran clean" with "never ran." Operators forgot --evidence /
+  // --evidence-dir and assumed a green CI = real coverage. Now: surface
+  // the gap loudly.
+  const suppliedEvidence = args.evidence || args["evidence-dir"];
+  const allInconclusive = summary.inconclusive === summary.total && summary.total > 0;
+  if (!suppliedEvidence && allInconclusive) {
+    process.stderr.write(`[exceptd ci] WARN: no --evidence supplied and all ${summary.total} playbook(s) returned inconclusive. CI exit 3 = "ran but never had real data." Pass --evidence <file> or --evidence-dir <dir> for a real gate.\n`);
+    process.exitCode = 3;
   }
 }
 

package/data/_indexes/_meta.json

@@ -1,10 +1,10 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-12T22:31:50.263Z",
+  "generated_at": "2026-05-12T23:33:08.941Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 49,
   "source_hashes": {
-    "manifest.json": "6d71ff7bba13b2ac8fb51d6b351b05378dd3f598080fff000b9db1ea9bdc5431",
+    "manifest.json": "3b6c4c6f48c63ce7b72621b3fcf19a9f37ace376ffef363d800dfc2b40ba3efe",
     "data/atlas-ttps.json": "1500b5830dab070c4252496964a8c0948e1052a656e2c7c6e1efaf0350645e13",
     "data/cve-catalog.json": "a81d3e4b491b27ccc084596b063a6108ff10c9eb01d7776922fc393980b534fe",
     "data/cwe-catalog.json": "c3367d469b4b3d31e4c56397dd7a8305a0be338ecd85afa27804c0c9ce12157b",

package/keys/public.pem

@@ -1,3 +1,3 @@
 -----BEGIN PUBLIC KEY-----
-MCowBQYDK2VwAyEA3VtzvPIJbnd0sZyuyr5vRzxRpQNkoLgFOlab8NurSuM=
+MCowBQYDK2VwAyEAS6tN6exkzYtwxqy/WghFhetrvpVtaV8mvtg4SoCkLQw=
 -----END PUBLIC KEY-----

package/lib/playbook-runner.js

@@ -751,6 +751,13 @@ function close(playbookId, directiveId, analyzeResult, validateResult, agentSign
     evidence_package: evidencePackage,
     learning_loop: lesson,
     notification_actions: notificationActions,
+    // v0.11.10 (#104): operators expected the field name
+    // `jurisdiction_notifications`. Surface it as an alias for the full
+    // notification_actions list, plus a `jurisdiction_clocks_count` that
+    // mirrors `ci.summary.jurisdiction_clocks_started` — the count of
+    // notifications whose clock has actually started (clock_started_at != null).
+    jurisdiction_notifications: notificationActions,
+    jurisdiction_clocks_count: notificationActions.filter(n => n && n.clock_started_at != null).length,
     exception: exception,
     regression_schedule: regressionSchedule,
     feeds_into: feeds

package/manifest-snapshot.json

@@ -1,6 +1,6 @@
 {
   "_comment": "Auto-generated by scripts/refresh-manifest-snapshot.js — do not hand-edit. Public skill surface used by check-manifest-snapshot.js to detect breaking removals.",
-  "_generated_at": "2026-05-12T22:30:56.549Z",
+  "_generated_at": "2026-05-12T23:32:24.955Z",
   "atlas_version": "5.1.0",
   "skill_count": 38,
   "skills": [

package/manifest.json

@@ -1,6 +1,6 @@
 {
   "name": "exceptd-security",
-  "version": "0.11.9",
+  "version": "0.11.11",
   "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation",
   "homepage": "https://exceptd.com",
   "license": "Apache-2.0",
@@ -52,7 +52,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "Xk593pj7my6wPJbQBE47khpIUrPsp6N1lW7cE2T/VPPF5T+8C1yGKc9B8VphD7Q08yWFcbwF6HoWpA/+4uG9DA==",
-      "signed_at": "2026-05-12T22:30:56.134Z",
+      "signed_at": "2026-05-12T23:32:24.457Z",
       "cwe_refs": [
         "CWE-125",
         "CWE-362",
@@ -116,7 +116,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "nOgUu+LK9fy6ASTCoRGtx3ttgjZCl7WIkKu2wu06JEKVSpL2cKU3ex2tmVAvv11LBmpTH+b/0zvqXlzcxzHnCw==",
-      "signed_at": "2026-05-12T22:30:56.136Z",
+      "signed_at": "2026-05-12T23:32:24.459Z",
       "cwe_refs": [
         "CWE-1039",
         "CWE-1426",
@@ -179,7 +179,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "7FH1J9PlOyvcRCzRmggmenX9fIR0pi/veXihb3TeStcq1Rpuz1KHdOcJLqA9su4t2goYukKKCXHV6hx8hzplAA==",
-      "signed_at": "2026-05-12T22:30:56.136Z",
+      "signed_at": "2026-05-12T23:32:24.459Z",
       "cwe_refs": [
         "CWE-22",
         "CWE-345",
@@ -225,7 +225,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "FqTRjHfEgw56pyHnyWzNtnhzDMEePBtmuamtW/iyX+h4yqbvP4Fyr7NRjRs3EgqT4j7oHuEZhV9Jt6ZTBgN4AA==",
-      "signed_at": "2026-05-12T22:30:56.136Z"
+      "signed_at": "2026-05-12T23:32:24.459Z"
     },
     {
       "name": "compliance-theater",
@@ -256,7 +256,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "3fN4yotiIIq76PVTHwozCu28TzDZvWule6vX8SXUT3XXbIBSuvAO0M/euvc3pw3TdZ2UNf78dI18lOCNdJ0aAg==",
-      "signed_at": "2026-05-12T22:30:56.137Z"
+      "signed_at": "2026-05-12T23:32:24.460Z"
     },
     {
       "name": "exploit-scoring",
@@ -285,7 +285,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "yZfpk4lQMRXegj2ADWjMmZTchUN6Lxpv587O/0JMzbNkXQtD6FrSAQOBWjx8S7uQ/sTntxgGN7aQQDLxL9RWAA==",
-      "signed_at": "2026-05-12T22:30:56.137Z"
+      "signed_at": "2026-05-12T23:32:24.460Z"
     },
     {
       "name": "rag-pipeline-security",
@@ -322,7 +322,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "ABHkoqee67KdUyDZ3bvF+/DNxjGhPR/ehT6pfOnmUIMmkcQFHpZ0OUVXKiFUANaLgKLP1vg0VEmHOoxpNA3vAA==",
-      "signed_at": "2026-05-12T22:30:56.138Z",
+      "signed_at": "2026-05-12T23:32:24.461Z",
       "cwe_refs": [
         "CWE-1395",
         "CWE-1426"
@@ -379,7 +379,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "+Nd/2tgBnW+mEGX84QvkgR2To2J7kA+lB63BsADDKeCXeebFv6Vo9H1P4vyUkKHfe4fP0ndpy3agIZcUO/e/Dg==",
-      "signed_at": "2026-05-12T22:30:56.138Z",
+      "signed_at": "2026-05-12T23:32:24.461Z",
       "d3fend_refs": [
         "D3-CA",
         "D3-CSPP",
@@ -414,7 +414,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "VMNGFvowXLbBjZp5nvWloKkqyqHKhnSzbVRU3gX9quOZJHH56w2M4id+oDsXIjR0CfRRb7eXl/so0Hq4xLBuBQ==",
-      "signed_at": "2026-05-12T22:30:56.138Z",
+      "signed_at": "2026-05-12T23:32:24.461Z",
       "cwe_refs": [
         "CWE-1188"
       ]
@@ -442,7 +442,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "5MaJs7gPCuFlK4oAttLulAPOA1noeV+xD/UqVWaVyRedXZgebBGKjnlE2t1qmTugvxlNIfeAnBZapk+Wz3VAAg==",
-      "signed_at": "2026-05-12T22:30:56.139Z"
+      "signed_at": "2026-05-12T23:32:24.462Z"
     },
     {
       "name": "global-grc",
@@ -474,7 +474,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "S/YXUpI/mcG2FpdUTgMsccWBtTaR5A4Ph4QFQw31S9w9Hn/z3sOFHLkb1B5YSwlg+mMOtSIxMdet1eLGSZkTDg==",
-      "signed_at": "2026-05-12T22:30:56.139Z"
+      "signed_at": "2026-05-12T23:32:24.462Z"
     },
     {
       "name": "zeroday-gap-learn",
@@ -501,7 +501,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "AKS+JsmhhBtytY2eIMuydjkZOYprWCmQ+RqxyxcVG9XcEI29ZSM/JbVIINQHozFl7OPPrOu1ouiTnk7LOJ86Bg==",
-      "signed_at": "2026-05-12T22:30:56.139Z"
+      "signed_at": "2026-05-12T23:32:24.462Z"
     },
     {
       "name": "pqc-first",
@@ -553,7 +553,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "oEkK5bLS/G5RIHnxlNFJYdzhTJbKZnkJv+W4iS9UJ/uszZHgZGoxygELPc4kn3FowV5eE988SQYG4WKlXtNzCg==",
-      "signed_at": "2026-05-12T22:30:56.140Z",
+      "signed_at": "2026-05-12T23:32:24.463Z",
       "cwe_refs": [
         "CWE-327"
       ],
@@ -600,7 +600,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "nPV6YTo1rsNH49qUnZpfoNLEQZXuLNyV05QMUOgXKHYeVDjotYpWhLgyVXlRhjV/fStiA2sWQ0MOnEJ4FBIfDg==",
-      "signed_at": "2026-05-12T22:30:56.140Z"
+      "signed_at": "2026-05-12T23:32:24.463Z"
     },
     {
       "name": "security-maturity-tiers",
@@ -637,7 +637,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "7rirSEONz6O9Yyf46eTyuwkGizCj9FRcNHe5p7Qz6nhJoZQRW5FwW7n9opL0WlbIw8FDBYn1f22zgNUV87L5AQ==",
-      "signed_at": "2026-05-12T22:30:56.140Z",
+      "signed_at": "2026-05-12T23:32:24.463Z",
       "cwe_refs": [
         "CWE-1188"
       ]
@@ -672,7 +672,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-11",
       "signature": "+evehnd2wSBb8uMTlTr5/aTN4bfLjsKzZJk/+OMLMOJrjCt+OuMU7EQC6xMUGeSc4cPEGajghDvq3xVaacV2Dw==",
-      "signed_at": "2026-05-12T22:30:56.141Z"
+      "signed_at": "2026-05-12T23:32:24.464Z"
     },
     {
       "name": "attack-surface-pentest",
@@ -743,7 +743,7 @@
         "PTES revision incorporating AI-surface enumeration"
       ],
       "signature": "KHOXxloAYf7xqXjm2BaL3HVAZOmb7rMiMh20H/oaIkjN0WD1CnKCrRGPJn867uSFhCh/timkXolaiqD1L/h8Dg==",
-      "signed_at": "2026-05-12T22:30:56.141Z"
+      "signed_at": "2026-05-12T23:32:24.464Z"
     },
     {
       "name": "fuzz-testing-strategy",
@@ -803,7 +803,7 @@
         "OSS-Fuzz-Gen / AI-assisted harness generation becoming the default expectation for OSS maintainers"
       ],
       "signature": "+ELdD+1AY5DymBitH7wU65CS60NY1nDoLowJAFn7cE5Gr/5jy9BTkyxsm7PEXaSlXWMOkTf/HQ+uyzyxUVD/Bw==",
-      "signed_at": "2026-05-12T22:30:56.141Z"
+      "signed_at": "2026-05-12T23:32:24.464Z"
     },
     {
       "name": "dlp-gap-analysis",
@@ -878,7 +878,7 @@
         "Quebec Law 25, India DPDPA, KSA PDPL enforcement actions naming AI-tool prompt data as in-scope personal information"
       ],
       "signature": "8tFAhXAS8zZN3SUOdn+ZIu7lQ48JMOyBQ8SaObR3L/fDyFmDhufqleY2VzI3yigqlT/D4Y8FYxZHKmzXiALjDw==",
-      "signed_at": "2026-05-12T22:30:56.141Z"
+      "signed_at": "2026-05-12T23:32:24.464Z"
     },
     {
       "name": "supply-chain-integrity",
@@ -955,7 +955,7 @@
         "OpenSSF model-signing — emerging Sigstore-based signing standard for ML model weights; track for production adoption"
       ],
       "signature": "8xlk5ZfTKVYqTE2+ifkjTBu/RPqs4MIvX7SpOHl22YDHi7nzJ1ywPhSNYJzoPdPV4AUuWG518EldQJsEIuyuAA==",
-      "signed_at": "2026-05-12T22:30:56.142Z"
+      "signed_at": "2026-05-12T23:32:24.465Z"
     },
     {
       "name": "defensive-countermeasure-mapping",
@@ -1012,7 +1012,7 @@
       ],
       "last_threat_review": "2026-05-11",
       "signature": "AMdLkDx/e3ESI4NAnJhhcaas+Ru8VjrSn6v6RBbmmzoLCGo/vFxGraa1p/qF9udhVG+DdkbwHfbfKK5Im19KDw==",
-      "signed_at": "2026-05-12T22:30:56.142Z"
+      "signed_at": "2026-05-12T23:32:24.465Z"
     },
     {
       "name": "identity-assurance",
@@ -1079,7 +1079,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "pSMHKkyWoZvRIuVtN7Vue51sP5MIy9lSaQa2YSAMhxjptx81cUnPt3S11/Tb9Ea1/eluMNQ+5F25eF2njr4mBQ==",
-      "signed_at": "2026-05-12T22:30:56.142Z"
+      "signed_at": "2026-05-12T23:32:24.465Z"
     },
     {
       "name": "ot-ics-security",
@@ -1135,7 +1135,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "qjky+ZTX1DP7uRRMQZq7S7P9/uaJEoB1dy4RZ1l37Q4OO3k2ryfL+7o0Cgm/piuafJfH+dqUeNCRrVefj4r8Dw==",
-      "signed_at": "2026-05-12T22:30:56.142Z"
+      "signed_at": "2026-05-12T23:32:24.465Z"
     },
     {
       "name": "coordinated-vuln-disclosure",
@@ -1187,7 +1187,7 @@
         "NYDFS 23 NYCRR 500 amendments potentially adding explicit CVD program requirements"
       ],
       "signature": "F86Zl/I+dBzHYRUuGWsjDQI2F/I/vhzwZUFMqhNfKUzRbMf6mafOX2APCPYTp3eP1DvvvfL3Yc0hb1R5Q4nOAg==",
-      "signed_at": "2026-05-12T22:30:56.143Z"
+      "signed_at": "2026-05-12T23:32:24.466Z"
     },
     {
       "name": "threat-modeling-methodology",
@@ -1237,7 +1237,7 @@
         "PASTA v2 updates incorporating AI/ML application threats"
       ],
       "signature": "D/4d5NcJScNH58ADXsSrVzTmLSWZpUZTdyhtDkJlC0twSMNczOiDsXgYFitBaZgGdv5nVd00viR45mNrsaZ4BQ==",
-      "signed_at": "2026-05-12T22:30:56.143Z"
+      "signed_at": "2026-05-12T23:32:24.466Z"
     },
     {
       "name": "webapp-security",
@@ -1311,7 +1311,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "UOXaUtpcFjXyDQ70z2PaGu6K3pABtXp+7YzO6eGVGpN1CxXpPq/xW/CnTng6B7wk9WSsqD0OORBJp4VCjiVfAQ==",
-      "signed_at": "2026-05-12T22:30:56.143Z"
+      "signed_at": "2026-05-12T23:32:24.466Z"
     },
     {
       "name": "ai-risk-management",
@@ -1361,7 +1361,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "IVKygsrFjiM64fQVbd2PT6jDjs6fm5nKwJSqGfK53gG0S9wdHC4QYuh+LWlI/2ftvIKjjedLQ6FRyTrqpDEuDw==",
-      "signed_at": "2026-05-12T22:30:56.144Z"
+      "signed_at": "2026-05-12T23:32:24.467Z"
     },
     {
       "name": "sector-healthcare",
@@ -1421,7 +1421,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "P+CdSu8ZJCNUU4nTa09Voh2PcYF3y/AFJn4v7cjVIGo9FbbqO7MwvGN7cJ+aSRs2/3NMUXX4eupcODslxYyJDw==",
-      "signed_at": "2026-05-12T22:30:56.144Z"
+      "signed_at": "2026-05-12T23:32:24.467Z"
     },
     {
       "name": "sector-financial",
@@ -1502,7 +1502,7 @@
         "TIBER-EU framework v2.0 alignment with DORA TLPT RTS (JC 2024/40); cross-recognition with CBEST and iCAST"
       ],
       "signature": "zpEfh181Sc0b0cvRf/31Ir1f8lD4V5tehTogO3TJMxdKmXu06IAK7hrhBcLA/jFBv3xDDwrWW3sHzChVhWDeDA==",
-      "signed_at": "2026-05-12T22:30:56.144Z"
+      "signed_at": "2026-05-12T23:32:24.467Z"
     },
     {
       "name": "sector-federal-government",
@@ -1571,7 +1571,7 @@
         "Australia PSPF 2024 revision and ISM quarterly updates — track for Essential Eight Maturity Level requirements for federal entities"
       ],
       "signature": "7NpQlPu1DkpY9f+Frv/LLBHWUUe/qTM80c+xeYDxOzweXhvJGE/dnDCjglYHTjxT82L9cVxzBezvLEne20UpBg==",
-      "signed_at": "2026-05-12T22:30:56.145Z"
+      "signed_at": "2026-05-12T23:32:24.468Z"
     },
     {
       "name": "sector-energy",
@@ -1636,7 +1636,7 @@
         "ICS-CERT advisory feed (https://www.cisa.gov/news-events/cybersecurity-advisories/ics-advisories) for vendor CVEs in Siemens, Rockwell, Schneider Electric, ABB, GE Vernova, Hitachi Energy, AVEVA / OSIsoft PI"
       ],
       "signature": "4rhyHN5HykK7MQUmhvaTeDGj6Qf5swDd5ry8foh4KBvTkRKxTI/XyxconFGm5FASnySGPLMxX6m4JZAq5wiNBg==",
-      "signed_at": "2026-05-12T22:30:56.145Z"
+      "signed_at": "2026-05-12T23:32:24.468Z"
     },
     {
       "name": "api-security",
@@ -1705,7 +1705,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "hS1izPhETclITK7fp6R67dhy+wFDti/YsJ2M5I1gDjeWZYK41WuxeYSyt5xEHbCr3WCGDFJe77jkK1MWkxk2BA==",
-      "signed_at": "2026-05-12T22:30:56.145Z"
+      "signed_at": "2026-05-12T23:32:24.468Z"
     },
     {
       "name": "cloud-security",
@@ -1786,7 +1786,7 @@
         "CISA KEV additions for cloud-control-plane CVEs (IMDSv1 abuses, federation token mishandling, cross-tenant boundary failures); CISA Cybersecurity Advisories for cross-cloud advisories"
       ],
       "signature": "kuatqNZoRnv+oeyrxbnk+m37JRBIgRAWnDp0/IYLnoBOybiG09RzLILJraxjhvdSNCgo7WXTeBO3Y6a3Ji9MAA==",
-      "signed_at": "2026-05-12T22:30:56.146Z"
+      "signed_at": "2026-05-12T23:32:24.469Z"
     },
     {
       "name": "container-runtime-security",
@@ -1848,7 +1848,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "Btb3/7fjPFopFVdxP7+E6n322gnAAwd7OPrnuqatq6c1rXTD9aXKxiBeCmWxs8zYbIbE/lFoe9R2g6uTp8ZDBg==",
-      "signed_at": "2026-05-12T22:30:56.146Z"
+      "signed_at": "2026-05-12T23:32:24.469Z"
     },
     {
       "name": "mlops-security",
@@ -1919,7 +1919,7 @@
         "MITRE ATLAS v5.2 — track AML.T0010 sub-technique expansion and any new MLOps-pipeline-specific TTPs"
       ],
       "signature": "TBWnlgdllW7K1F10HCJ7p4dbLeS3lyNWm+7mNNtyZu7jB1V5AauG1P7sb1nLLqwKqeGlHS1F0eh/BNiuAvkABg==",
-      "signed_at": "2026-05-12T22:30:56.146Z"
+      "signed_at": "2026-05-12T23:32:24.469Z"
     },
     {
       "name": "incident-response-playbook",
@@ -1981,7 +1981,7 @@
         "NYDFS 23 NYCRR 500.17 amendments tightening ransom-payment 24h disclosure operationalization"
       ],
       "signature": "FVAXpD6sIoOLQSPtZSLLsXQnc2o2hRwiFj4xK8zEWJVkUWGqvAWRrngie7O2DRKIbWqjO5h9EevVYSzhwYHCAA==",
-      "signed_at": "2026-05-12T22:30:56.147Z"
+      "signed_at": "2026-05-12T23:32:24.470Z"
     },
     {
       "name": "email-security-anti-phishing",
@@ -2034,7 +2034,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "0HDt3Qklee4FQeKoZfwr+8qdq2pVDS0a+c7JxVw1hV/bl8+YTPaPjPTAhQUnbhUCa5cGo7G4MBQ1AifQTMJdDA==",
-      "signed_at": "2026-05-12T22:30:56.147Z"
+      "signed_at": "2026-05-12T23:32:24.470Z"
     },
     {
       "name": "age-gates-child-safety",
@@ -2102,7 +2102,7 @@
         "US state adult-site age-verification laws — 19+ states by mid-2026 (TX HB 18 upheld by SCOTUS June 2025 in Free Speech Coalition v. Paxton); track ongoing challenges in remaining states"
       ],
       "signature": "UyPSKUztZI/daHCRTnAh6ryoKLX4xyjuG+EaNMPRVuCz2gANGl1F/NozDsw7R2koMUwSFoiYTzwqDvo1tpuKAg==",
-      "signed_at": "2026-05-12T22:30:56.147Z"
+      "signed_at": "2026-05-12T23:32:24.470Z"
     }
   ]
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/exceptd-skills",
-  "version": "0.11.9",
+  "version": "0.11.11",
   "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 38 skills, 10 catalogs, 34 jurisdictions, pre-computed indexes, Ed25519-signed.",
   "keywords": [
     "ai-security",

package/sbom.cdx.json

@@ -1,10 +1,10 @@
 {
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:1370612e-bb38-413e-9e02-f1b64d6786e0",
+  "serialNumber": "urn:uuid:fe521429-0d04-441e-bc39-601e6158201f",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-12T22:30:56.981Z",
+    "timestamp": "2026-05-12T23:32:25.386Z",
     "tools": [
       {
         "name": "hand-written",
@@ -13,10 +13,10 @@
       }
     ],
     "component": {
-      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.11.9",
+      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.11.11",
       "type": "application",
       "name": "@blamejs/exceptd-skills",
-      "version": "0.11.9",
+      "version": "0.11.11",
       "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 38 skills, 10 catalogs, 34 jurisdictions, pre-computed indexes, Ed25519-signed.",
       "licenses": [
         {
@@ -25,11 +25,11 @@
           }
         }
       ],
-      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.11.9",
+      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.11.11",
       "externalReferences": [
         {
           "type": "distribution",
-          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.11.9"
+          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.11.11"
         },
         {
           "type": "vcs",