npm - @blamejs/exceptd-skills - Versions diffs - 0.11.9 → 0.11.12 - Mend

@blamejs/exceptd-skills 0.11.9 → 0.11.12

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,80 @@
 # Changelog
+## 0.11.12 — 2026-05-12
+**Patch: items 123-126 — content-not-just-shape, exit-code discipline, diff iteration.**
+Pattern: previous releases shipped the right field names but with empty content (notifications array existed but every entry's metadata was null), and exit-code semantics didn't cover the gates operators actually wanted to wire.
+### Bugs
+- **#123 jurisdiction notification entries carry obligation metadata.** Pre-0.11.12 `phases.close.jurisdiction_notifications` produced the right count of entries but each entry shape was `{ obligation_ref, recipient, draft_notification, deadline, ... }` — no `jurisdiction`, no `regulation`, no `window_hours`. The upstream `govern.jurisdiction_obligations` had the real metadata but close didn't carry it forward. Now each notification entry includes `jurisdiction`, `regulation`, `obligation_type`, `window_hours`, `clock_start_event`, `clock_started_at`, `deadline`, `notification_deadline` (alias matching compliance-team vocabulary), and `evidence_required`. Operators running `exceptd ci --block-on-jurisdiction-clock` now get notifications with the metadata they need to route to regulators and put on calendars.
+- **#124 `--ack` propagates into `phases.govern.operator_consent`.** Consent semantically belongs in govern (it acknowledges the jurisdiction obligations surfaced there). Pre-0.11.12 `--ack` set only `result.operator_consent` at the top level; the govern phase showed `null`. Now `phases.govern.operator_consent` is `{ acked_at, explicit: true }` when `--ack` is passed, `null` otherwise. Top-level `result.operator_consent` retained for backward compat.
+- **#125 ci exit-code matrix covers BLOCKED.** Pre-0.11.12 ci returned 0 for every non-detected path including blocked runs that never executed (preflight halt, mutex contention, stale threat intel, missing precondition). CI gates couldn't distinguish "ran clean" from "didn't run." Now: `0 PASS`, `2 detected/escalate`, `3 ran-but-no-evidence`, `4 BLOCKED (any ok:false)`, `1 framework error`. BLOCKED takes precedence over no-data because it's a harder gate failure. Help text updated.
+- **#126 attest diff iterates artifact sets correctly.** Pre-0.11.12 `total_compared` was always 0 on flat-shape submissions because the diff helper called `normalizeSubmission` with an empty playbook stub (`look.artifacts: []`), producing empty maps. Now the diff loads the real playbook from each attestation's `playbook_id` and normalizes against the actual artifact catalog; falls back to direct observation-key mapping when the playbook can't be loaded (renamed/removed). Identical submissions with N observations now correctly report `total_compared: N, unchanged_count: N`.
+### Tests
+5 new regression cases. 344 total. Tests assert content shape, not just field presence — every test that checks for a notification array now also asserts the entries carry non-null jurisdiction/regulation/window_hours.
+### Voice note (internal)
+Three of the four items (#123, #124, #126) were "added the field but the field was empty." Lesson: when an operator says "field is missing," the next question to ask after "is it on the result?" is "is its content meaningful, or is it a structurally-present null?" Codified in CLAUDE.md.
+## 0.11.11 — 2026-05-12
+**Patch: CI test-gate hotfix — emit-then-exit stdout flush.**
+v0.11.10 #100 used `process.exit(3)` after writing the result JSON to stdout. When stdout is piped (CI, test harnesses, JSON consumers), Node's `process.exit()` can return before the buffered async write drains — so `--json` consumers saw empty stdout despite the structured emit. Fix: switch to `process.exitCode = N; return;` so the event loop ends naturally and stdout drains.
+### Bugs
+- **`ci` --json with exit 3 truncated output.** Tests passed locally but the GitHub Actions release workflow's test gate failed on `tests/operator-bugs.test.js:#103` ("ci output should be JSON") because the Linux runner exposed the flush race more reliably than Windows. Fixed in two places:
+  - `cmdCi` exit 3 (no evidence + all inconclusive)
+  - `cmdCi` exit 2 (FAIL)
+  - `cmdRun` `--strict-preconditions` exit 1 (same shape; pre-existing latent risk)
+### Tests
+New regression: `#100/#103 ci exit-3 path still flushes JSON to stdout` — asserts both `r.status === 3` AND `tryJson(r.stdout)` parses. This is the test that would have caught v0.11.10 before CI.
+### Lesson
+When ending a verb with a non-zero exit AFTER writing structured stdout, prefer `process.exitCode = N; return;` over `process.exit(N)`. The former lets the event loop drain stdout; the latter can truncate. Codified in CLAUDE.md.
+## 0.11.10 — 2026-05-12
+**Patch: items 119-122 — field-name alignment with operator expectations.**
+Pattern recognized across 10 v0.11.x releases: my output field names didn't match what operators were reading for. Several "broken" items were actually present-under-a-different-name. v0.11.10 adds the missing aliases + tightens ci's empty-evidence semantic.
+### Bugs
+- **#119 `result.ack` alias.** v0.11.9 surfaced `--ack` as `result.operator_consent.explicit`. Operators reading `result.ack` (matching the flag name) saw `undefined` and concluded the flag was dropped. Now: `result.ack` is a top-level boolean mirroring the consent state. `operator_consent.explicit` retains its richer shape.
+- **#100 ci with no evidence exits 3.** Pre-0.11.10 `ci --required <pb>` with NO `--evidence`/`--evidence-dir` ran every playbook to inconclusive and exited 0 — operators couldn't distinguish "ran clean" from "never had real data." Now: when no evidence was supplied AND every result is inconclusive, ci exits **3** with a clear stderr warning: "ran but never had real data. Pass --evidence <file> or --evidence-dir <dir>." Exit code matrix: 0 PASS, 2 FAIL (detected/escalate), 3 NO-DATA, 1 framework error.
+- **#102 `total_compared` field on attest diff.** Pre-0.11.10 `unchanged_count: 0 + added: 0 + removed: 0 + changed: 0` was ambiguous ("0 unchanged of how many?"). Now both `artifact_diff` and `signal_override_diff` include `total_compared` (set size of the union of both sides' keys). Operators can distinguish "no comparison happened" (total_compared: 0) from "everything matched" (total_compared: N, unchanged_count: N).
+- **#104 `phases.close.jurisdiction_notifications` alias + `jurisdiction_clocks_count`.** The runner emitted `notification_actions`; operators expected `jurisdiction_notifications`. Now both names point to the same array (full list), and `jurisdiction_clocks_count` mirrors the ci-aggregate count of notifications whose clock has actually started. Compliance teams reading `phases.close.jurisdiction_notifications.length` (or filtering by `.clock_started_at != null`) get the expected shape.
+### Tests
+5 new cases in `tests/operator-bugs.test.js` for items 119/100/102/104. 338 total.
+### Verified by direct repro before fix
+For every item I:
+1. Ran the user's exact CLI invocation
+2. Inspected the actual output shape vs the user's stated expectation
+3. Identified whether the bug was missing logic OR field-name mismatch
+4. Fixed both layers when the answer was "mismatch" (add alias) so subsequent operators reading by either name see the data
+Pattern documented in CLAUDE.md (project-side contributor guide).
 ## 0.11.9 — 2026-05-12
 **Patch: items 99-115 — CLI-shim audit, real fixes.**

package/bin/exceptd.js CHANGED Viewed

@@ -219,7 +219,8 @@ v0.11.0 canonical surface
                              + rfc catalog + attestation-signing status.
                              --signatures | --currency | --cves | --rfcs
-  ci                         One-shot CI gate. Exits 2 on detected or rwep≥escalate.
+  ci                         One-shot CI gate. Exit codes: 0 PASS, 2 detected/escalate,
+                             3 ran-but-no-evidence, 4 blocked (ok:false), 1 framework error.
                              --all | --scope <type> | (auto-detect)
                              --max-rwep <n>         cap below playbook default
                              --block-on-jurisdiction-clock
@@ -1297,8 +1298,15 @@ function cmdRun(runner, args, runOpts, pretty) {
   // v0.11.9 (#113/#114): surface --operator and --ack in the run result so
   // operators see the attribution + consent state without inspecting the
   // attestation file. Pre-0.11.9 these were persisted to disk only.
+  // v0.11.10 (#119): add result.ack alias for consumers reading the
+  // ack state by that name (`result.ack` is shorter + matches the CLI flag).
   if (result && runOpts.operator) result.operator = runOpts.operator;
-  if (result && runOpts.operator_consent) result.operator_consent = runOpts.operator_consent;
+  if (result && runOpts.operator_consent) {
+    result.operator_consent = runOpts.operator_consent;
+    result.ack = !!runOpts.operator_consent.explicit;
+  } else if (result) {
+    result.ack = false;
+  }
   // Persist attestation for reattest cycles when the run succeeded.
   if (result && result.ok && result.session_id) {
@@ -1355,7 +1363,10 @@ function cmdRun(runner, args, runOpts, pretty) {
     if (warnIssues.length > 0) {
       process.stderr.write(`[exceptd run] --strict-preconditions: ${warnIssues.length} unverified/warn precondition(s) — exit 1.\n`);
       emit(result, pretty);
-      process.exit(1);
+      // v0.11.11: exitCode + return so emit()'s stdout flushes (process.exit
+      // can truncate buffered async stdout writes when piped).
+      process.exitCode = 1;
+      return;
     }
   }
@@ -2080,12 +2091,12 @@ function cmdAttest(runner, args, runOpts, pretty) {
         // for flat submissions; the diff returned all zeros even when
         // artifacts were present in observations.
         artifact_diff: diffArtifacts(
-          normalizedArtifacts(self.submission, runner),
-          normalizedArtifacts(other.submission, runner)
+          normalizedArtifacts(self.submission, runner, self.playbook_id),
+          normalizedArtifacts(other.submission, runner, other.playbook_id)
         ),
         signal_override_diff: diffSignalOverrides(
-          normalizedSignalOverrides(self.submission, runner),
-          normalizedSignalOverrides(other.submission, runner)
+          normalizedSignalOverrides(self.submission, runner, self.playbook_id),
+          normalizedSignalOverrides(other.submission, runner, other.playbook_id)
         ),
       }, pretty);
       return;
@@ -2195,25 +2206,55 @@ function cmdAttest(runner, args, runOpts, pretty) {
  * canonical nested view of both shapes lets `attest diff` produce meaningful
  * counts regardless of which shape the operator submitted.
  */
-function normalizedArtifacts(submission, runner) {
+function normalizedArtifacts(submission, runner, playbookId) {
   if (!submission || typeof submission !== "object") return {};
   if (submission.artifacts) return submission.artifacts;
   if (submission.observations) {
-    try {
-      const norm = runner.normalizeSubmission({ observations: submission.observations }, { _meta: {}, phases: { look: { artifacts: [] } } });
-      return norm.artifacts || {};
-    } catch { return {}; }
+    // v0.11.12 (#126): the prior stub playbook (look.artifacts: []) caused
+    // normalizeSubmission to produce {}, so attest diff reported
+    // total_compared: 0 even when both submissions held real observations.
+    // Try to load the real playbook from the attestation's playbook_id; if
+    // that fails (renamed/removed), fall back to treating each observation
+    // key as its own artifact id with `{ captured: true, value: <indicator|value> }`.
+    if (playbookId) {
+      try {
+        const pb = runner.loadPlaybook ? runner.loadPlaybook(playbookId) : null;
+        if (pb) {
+          const norm = runner.normalizeSubmission({ observations: submission.observations }, pb);
+          if (norm && norm.artifacts && Object.keys(norm.artifacts).length > 0) return norm.artifacts;
+        }
+      } catch { /* fall through to direct mapping */ }
+    }
+    // Direct mapping: observation keys are the artifact ids by convention.
+    const out = {};
+    for (const [k, v] of Object.entries(submission.observations)) {
+      out[k] = (v && typeof v === "object") ? v : { value: v };
+    }
+    return out;
   }
   return {};
 }
-function normalizedSignalOverrides(submission, runner) {
+function normalizedSignalOverrides(submission, runner, playbookId) {
   if (!submission || typeof submission !== "object") return {};
   if (submission.signal_overrides) return submission.signal_overrides;
   if (submission.observations) {
-    try {
-      const norm = runner.normalizeSubmission({ observations: submission.observations }, { _meta: {}, phases: { look: { artifacts: [] } } });
-      return norm.signal_overrides || {};
-    } catch { return {}; }
+    // v0.11.12 (#126): same fix as normalizedArtifacts — load the real
+    // playbook so look.indicators can map observation results to signal IDs.
+    if (playbookId) {
+      try {
+        const pb = runner.loadPlaybook ? runner.loadPlaybook(playbookId) : null;
+        if (pb) {
+          const norm = runner.normalizeSubmission({ observations: submission.observations }, pb);
+          if (norm && norm.signal_overrides && Object.keys(norm.signal_overrides).length > 0) return norm.signal_overrides;
+        }
+      } catch { /* fall through to direct mapping */ }
+    }
+    // Direct mapping: observation key -> result (canonical hit/miss/inconclusive).
+    const out = {};
+    for (const [k, v] of Object.entries(submission.observations)) {
+      if (v && typeof v === "object" && v.result !== undefined) out[k] = v.result;
+    }
+    return out;
   }
   return {};
 }
@@ -2226,7 +2267,10 @@ function normalizedSignalOverrides(submission, runner) {
 function diffArtifacts(a, b) {
   a = a || {}; b = b || {};
   const allIds = new Set([...Object.keys(a), ...Object.keys(b)]);
-  const out = { added: [], removed: [], changed: [], unchanged_count: 0 };
+  // v0.11.10 (#102): total_compared disambiguates the empty-both case.
+  // unchanged_count: 0 + added: 0 + removed: 0 + changed: 0 is ambiguous
+  // ("0 unchanged of how many?"); total_compared answers it.
+  const out = { total_compared: allIds.size, added: [], removed: [], changed: [], unchanged_count: 0 };
   for (const id of allIds) {
     const av = a[id], bv = b[id];
     if (!av && bv) {
@@ -2252,7 +2296,7 @@ function diffArtifacts(a, b) {
 function diffSignalOverrides(a, b) {
   a = a || {}; b = b || {};
   const allIds = new Set([...Object.keys(a), ...Object.keys(b)]);
-  const out = { changed: [], unchanged_count: 0 };
+  const out = { total_compared: allIds.size, changed: [], unchanged_count: 0 };
   for (const id of allIds) {
     if (a[id] !== b[id]) out.changed.push({ id, a: a[id] || null, b: b[id] || null });
     else out.unchanged_count++;
@@ -3376,7 +3420,33 @@ function cmdCi(runner, args, runOpts, pretty) {
   }
   if (fail) {
     process.stderr.write(`[exceptd ci] FAIL: ${failReasons.join("; ")}\n`);
-    process.exit(2);
+    // v0.11.11: use exitCode + return instead of process.exit() so the
+    // structured stdout JSON has a chance to flush when stdout is piped.
+    // process.exit() can truncate buffered async stdout writes.
+    process.exitCode = 2;
+    return;
+  }
+  // v0.11.12 (#125): ci exit code matrix. Pre-0.11.12 every non-detected
+  // path exited 0 including blocked runs that never executed — CI gates
+  // couldn't distinguish ok:false from ok:true. Now:
+  //   0 PASS — every playbook produced a result, none detected/escalating
+  //   2 FAIL — at least one detected or rwep>=escalate (above)
+  //   3 NO-DATA — ran but no --evidence and all inconclusive
+  //   4 BLOCKED — at least one playbook returned ok:false (preflight halt,
+  //     stale threat intel, missing precondition, mutex contention, etc.)
+  //   1 FRAMEWORK — engine/parse error (set elsewhere)
+  // BLOCKED takes precedence over NO-DATA because a blocked run is a
+  // harder gate failure than "no real data."
+  if (summary.blocked > 0) {
+    process.stderr.write(`[exceptd ci] BLOCKED: ${summary.blocked}/${summary.total} playbook(s) returned ok:false (preflight/mutex/threat-currency/etc.). Exit 4. Inspect results[].reason for each blocked entry.\n`);
+    process.exitCode = 4;
+    return;
+  }
+  const suppliedEvidence = args.evidence || args["evidence-dir"];
+  const allInconclusive = summary.inconclusive === summary.total && summary.total > 0;
+  if (!suppliedEvidence && allInconclusive) {
+    process.stderr.write(`[exceptd ci] WARN: no --evidence supplied and all ${summary.total} playbook(s) returned inconclusive. CI exit 3 = "ran but never had real data." Pass --evidence <file> or --evidence-dir <dir> for a real gate.\n`);
+    process.exitCode = 3;
   }
 }

package/data/_indexes/_meta.json CHANGED Viewed

@@ -1,10 +1,10 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-12T22:31:50.263Z",
+  "generated_at": "2026-05-12T23:57:49.662Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 49,
   "source_hashes": {
-    "manifest.json": "6d71ff7bba13b2ac8fb51d6b351b05378dd3f598080fff000b9db1ea9bdc5431",
+    "manifest.json": "be34fdbfb886861dff2f440d58324bfeba5f0c9188bffc5b6855ad682cc16e7b",
     "data/atlas-ttps.json": "1500b5830dab070c4252496964a8c0948e1052a656e2c7c6e1efaf0350645e13",
     "data/cve-catalog.json": "a81d3e4b491b27ccc084596b063a6108ff10c9eb01d7776922fc393980b534fe",
     "data/cwe-catalog.json": "c3367d469b4b3d31e4c56397dd7a8305a0be338ecd85afa27804c0c9ce12157b",

package/keys/public.pem CHANGED Viewed

@@ -1,3 +1,3 @@
 -----BEGIN PUBLIC KEY-----
-MCowBQYDK2VwAyEA3VtzvPIJbnd0sZyuyr5vRzxRpQNkoLgFOlab8NurSuM=
+MCowBQYDK2VwAyEAvh9LPaLkX7A41C4cKF1gOWfhLtiRPyAN2emiISakga4=
 -----END PUBLIC KEY-----

package/lib/playbook-runner.js CHANGED Viewed

@@ -227,7 +227,12 @@ function govern(playbookId, directiveId, runOpts = {}) {
     jurisdiction_obligations: g.jurisdiction_obligations || [],
     theater_fingerprints: g.theater_fingerprints || [],
     framework_context: g.framework_context || {},
-    skill_preload: g.skill_preload || []
+    skill_preload: g.skill_preload || [],
+    // v0.11.12 (#124): --ack belongs semantically in govern (it acknowledges
+    // the jurisdiction_obligations surfaced here). Carry it forward so
+    // phases.govern.operator_consent reflects the consent state. Null when
+    // --ack was not passed.
+    operator_consent: runOpts.operator_consent || null
   };
 }
@@ -640,6 +645,14 @@ function close(playbookId, directiveId, analyzeResult, validateResult, agentSign
   const sessionId = runOpts.session_id || crypto.randomBytes(8).toString('hex');
   // notification_actions — compute ISO deadlines from clock_starts events.
+  // v0.11.12 (#123): enrich each entry with the matched obligation's
+  // jurisdiction/regulation/window_hours/evidence_required fields. The
+  // playbook's notification_actions entry only carries `obligation_ref` +
+  // `draft_notification` + `recipient`; without enrichment, operators reading
+  // `jurisdiction_notifications[i].jurisdiction` got `undefined`. The
+  // upstream `govern.jurisdiction_obligations` has the real data — carry it
+  // forward. `notification_deadline` is published as an alias for `deadline`
+  // (matches the field name compliance teams expect on a notification record).
   const notificationActions = (c.notification_actions || []).map(na => {
     const obligation = (g.jurisdiction_obligations || []).find(o =>
       `${o.jurisdiction}/${o.regulation} ${o.window_hours}h` === na.obligation_ref
@@ -650,9 +663,21 @@ function close(playbookId, directiveId, analyzeResult, validateResult, agentSign
       : 'pending_clock_start_event';
     return {
       ...na,
-      deadline,
-      clock_start_event: obligation?.clock_starts,
+      // Carry obligation metadata forward so each notification entry is
+      // operationally usable on its own (calendar deadlines, regulator
+      // routing, evidence checklist).
+      jurisdiction: obligation?.jurisdiction || null,
+      regulation: obligation?.regulation || null,
+      obligation_type: obligation?.obligation || null,
+      window_hours: obligation?.window_hours ?? null,
+      clock_start_event: obligation?.clock_starts || null,
       clock_started_at: clockStart?.toISOString() || null,
+      deadline,
+      // Alias matching compliance-team vocabulary.
+      notification_deadline: deadline,
+      // Evidence the regulator expects attached (from the obligation, not
+      // just the operator-facing recipient bundle on the notification entry).
+      evidence_required: obligation?.evidence_required || na.evidence_attached || [],
       draft_notification: interpolate(na.draft_notification, { ...agentSignals, ...analyzeFindingShape(analyzeResult) })
     };
   });
@@ -751,6 +776,13 @@ function close(playbookId, directiveId, analyzeResult, validateResult, agentSign
     evidence_package: evidencePackage,
     learning_loop: lesson,
     notification_actions: notificationActions,
+    // v0.11.10 (#104): operators expected the field name
+    // `jurisdiction_notifications`. Surface it as an alias for the full
+    // notification_actions list, plus a `jurisdiction_clocks_count` that
+    // mirrors `ci.summary.jurisdiction_clocks_started` — the count of
+    // notifications whose clock has actually started (clock_started_at != null).
+    jurisdiction_notifications: notificationActions,
+    jurisdiction_clocks_count: notificationActions.filter(n => n && n.clock_started_at != null).length,
     exception: exception,
     regression_schedule: regressionSchedule,
     feeds_into: feeds

package/manifest-snapshot.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "_comment": "Auto-generated by scripts/refresh-manifest-snapshot.js — do not hand-edit. Public skill surface used by check-manifest-snapshot.js to detect breaking removals.",
-  "_generated_at": "2026-05-12T22:30:56.549Z",
+  "_generated_at": "2026-05-12T23:57:10.646Z",
   "atlas_version": "5.1.0",
   "skill_count": 38,
   "skills": [

package/manifest.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "exceptd-security",
-  "version": "0.11.9",
+  "version": "0.11.12",
   "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation",
   "homepage": "https://exceptd.com",
   "license": "Apache-2.0",
@@ -52,7 +52,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "Xk593pj7my6wPJbQBE47khpIUrPsp6N1lW7cE2T/VPPF5T+8C1yGKc9B8VphD7Q08yWFcbwF6HoWpA/+4uG9DA==",
-      "signed_at": "2026-05-12T22:30:56.134Z",
+      "signed_at": "2026-05-12T23:57:10.174Z",
       "cwe_refs": [
         "CWE-125",
         "CWE-362",
@@ -116,7 +116,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "nOgUu+LK9fy6ASTCoRGtx3ttgjZCl7WIkKu2wu06JEKVSpL2cKU3ex2tmVAvv11LBmpTH+b/0zvqXlzcxzHnCw==",
-      "signed_at": "2026-05-12T22:30:56.136Z",
+      "signed_at": "2026-05-12T23:57:10.176Z",
       "cwe_refs": [
         "CWE-1039",
         "CWE-1426",
@@ -179,7 +179,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "7FH1J9PlOyvcRCzRmggmenX9fIR0pi/veXihb3TeStcq1Rpuz1KHdOcJLqA9su4t2goYukKKCXHV6hx8hzplAA==",
-      "signed_at": "2026-05-12T22:30:56.136Z",
+      "signed_at": "2026-05-12T23:57:10.177Z",
       "cwe_refs": [
         "CWE-22",
         "CWE-345",
@@ -225,7 +225,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "FqTRjHfEgw56pyHnyWzNtnhzDMEePBtmuamtW/iyX+h4yqbvP4Fyr7NRjRs3EgqT4j7oHuEZhV9Jt6ZTBgN4AA==",
-      "signed_at": "2026-05-12T22:30:56.136Z"
+      "signed_at": "2026-05-12T23:57:10.177Z"
     },
     {
       "name": "compliance-theater",
@@ -256,7 +256,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "3fN4yotiIIq76PVTHwozCu28TzDZvWule6vX8SXUT3XXbIBSuvAO0M/euvc3pw3TdZ2UNf78dI18lOCNdJ0aAg==",
-      "signed_at": "2026-05-12T22:30:56.137Z"
+      "signed_at": "2026-05-12T23:57:10.178Z"
     },
     {
       "name": "exploit-scoring",
@@ -285,7 +285,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "yZfpk4lQMRXegj2ADWjMmZTchUN6Lxpv587O/0JMzbNkXQtD6FrSAQOBWjx8S7uQ/sTntxgGN7aQQDLxL9RWAA==",
-      "signed_at": "2026-05-12T22:30:56.137Z"
+      "signed_at": "2026-05-12T23:57:10.178Z"
     },
     {
       "name": "rag-pipeline-security",
@@ -322,7 +322,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "ABHkoqee67KdUyDZ3bvF+/DNxjGhPR/ehT6pfOnmUIMmkcQFHpZ0OUVXKiFUANaLgKLP1vg0VEmHOoxpNA3vAA==",
-      "signed_at": "2026-05-12T22:30:56.138Z",
+      "signed_at": "2026-05-12T23:57:10.178Z",
       "cwe_refs": [
         "CWE-1395",
         "CWE-1426"
@@ -379,7 +379,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "+Nd/2tgBnW+mEGX84QvkgR2To2J7kA+lB63BsADDKeCXeebFv6Vo9H1P4vyUkKHfe4fP0ndpy3agIZcUO/e/Dg==",
-      "signed_at": "2026-05-12T22:30:56.138Z",
+      "signed_at": "2026-05-12T23:57:10.179Z",
       "d3fend_refs": [
         "D3-CA",
         "D3-CSPP",
@@ -414,7 +414,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "VMNGFvowXLbBjZp5nvWloKkqyqHKhnSzbVRU3gX9quOZJHH56w2M4id+oDsXIjR0CfRRb7eXl/so0Hq4xLBuBQ==",
-      "signed_at": "2026-05-12T22:30:56.138Z",
+      "signed_at": "2026-05-12T23:57:10.179Z",
       "cwe_refs": [
         "CWE-1188"
       ]
@@ -442,7 +442,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "5MaJs7gPCuFlK4oAttLulAPOA1noeV+xD/UqVWaVyRedXZgebBGKjnlE2t1qmTugvxlNIfeAnBZapk+Wz3VAAg==",
-      "signed_at": "2026-05-12T22:30:56.139Z"
+      "signed_at": "2026-05-12T23:57:10.179Z"
     },
     {
       "name": "global-grc",
@@ -474,7 +474,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "S/YXUpI/mcG2FpdUTgMsccWBtTaR5A4Ph4QFQw31S9w9Hn/z3sOFHLkb1B5YSwlg+mMOtSIxMdet1eLGSZkTDg==",
-      "signed_at": "2026-05-12T22:30:56.139Z"
+      "signed_at": "2026-05-12T23:57:10.180Z"
     },
     {
       "name": "zeroday-gap-learn",
@@ -501,7 +501,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "AKS+JsmhhBtytY2eIMuydjkZOYprWCmQ+RqxyxcVG9XcEI29ZSM/JbVIINQHozFl7OPPrOu1ouiTnk7LOJ86Bg==",
-      "signed_at": "2026-05-12T22:30:56.139Z"
+      "signed_at": "2026-05-12T23:57:10.180Z"
     },
     {
       "name": "pqc-first",
@@ -553,7 +553,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "oEkK5bLS/G5RIHnxlNFJYdzhTJbKZnkJv+W4iS9UJ/uszZHgZGoxygELPc4kn3FowV5eE988SQYG4WKlXtNzCg==",
-      "signed_at": "2026-05-12T22:30:56.140Z",
+      "signed_at": "2026-05-12T23:57:10.181Z",
       "cwe_refs": [
         "CWE-327"
       ],
@@ -600,7 +600,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "nPV6YTo1rsNH49qUnZpfoNLEQZXuLNyV05QMUOgXKHYeVDjotYpWhLgyVXlRhjV/fStiA2sWQ0MOnEJ4FBIfDg==",
-      "signed_at": "2026-05-12T22:30:56.140Z"
+      "signed_at": "2026-05-12T23:57:10.181Z"
     },
     {
       "name": "security-maturity-tiers",
@@ -637,7 +637,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "7rirSEONz6O9Yyf46eTyuwkGizCj9FRcNHe5p7Qz6nhJoZQRW5FwW7n9opL0WlbIw8FDBYn1f22zgNUV87L5AQ==",
-      "signed_at": "2026-05-12T22:30:56.140Z",
+      "signed_at": "2026-05-12T23:57:10.181Z",
       "cwe_refs": [
         "CWE-1188"
       ]
@@ -672,7 +672,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-11",
       "signature": "+evehnd2wSBb8uMTlTr5/aTN4bfLjsKzZJk/+OMLMOJrjCt+OuMU7EQC6xMUGeSc4cPEGajghDvq3xVaacV2Dw==",
-      "signed_at": "2026-05-12T22:30:56.141Z"
+      "signed_at": "2026-05-12T23:57:10.182Z"
     },
     {
       "name": "attack-surface-pentest",
@@ -743,7 +743,7 @@
         "PTES revision incorporating AI-surface enumeration"
       ],
       "signature": "KHOXxloAYf7xqXjm2BaL3HVAZOmb7rMiMh20H/oaIkjN0WD1CnKCrRGPJn867uSFhCh/timkXolaiqD1L/h8Dg==",
-      "signed_at": "2026-05-12T22:30:56.141Z"
+      "signed_at": "2026-05-12T23:57:10.182Z"
     },
     {
       "name": "fuzz-testing-strategy",
@@ -803,7 +803,7 @@
         "OSS-Fuzz-Gen / AI-assisted harness generation becoming the default expectation for OSS maintainers"
       ],
       "signature": "+ELdD+1AY5DymBitH7wU65CS60NY1nDoLowJAFn7cE5Gr/5jy9BTkyxsm7PEXaSlXWMOkTf/HQ+uyzyxUVD/Bw==",
-      "signed_at": "2026-05-12T22:30:56.141Z"
+      "signed_at": "2026-05-12T23:57:10.182Z"
     },
     {
       "name": "dlp-gap-analysis",
@@ -878,7 +878,7 @@
         "Quebec Law 25, India DPDPA, KSA PDPL enforcement actions naming AI-tool prompt data as in-scope personal information"
       ],
       "signature": "8tFAhXAS8zZN3SUOdn+ZIu7lQ48JMOyBQ8SaObR3L/fDyFmDhufqleY2VzI3yigqlT/D4Y8FYxZHKmzXiALjDw==",
-      "signed_at": "2026-05-12T22:30:56.141Z"
+      "signed_at": "2026-05-12T23:57:10.183Z"
     },
     {
       "name": "supply-chain-integrity",
@@ -955,7 +955,7 @@
         "OpenSSF model-signing — emerging Sigstore-based signing standard for ML model weights; track for production adoption"
       ],
       "signature": "8xlk5ZfTKVYqTE2+ifkjTBu/RPqs4MIvX7SpOHl22YDHi7nzJ1ywPhSNYJzoPdPV4AUuWG518EldQJsEIuyuAA==",
-      "signed_at": "2026-05-12T22:30:56.142Z"
+      "signed_at": "2026-05-12T23:57:10.183Z"
     },
     {
       "name": "defensive-countermeasure-mapping",
@@ -1012,7 +1012,7 @@
       ],
       "last_threat_review": "2026-05-11",
       "signature": "AMdLkDx/e3ESI4NAnJhhcaas+Ru8VjrSn6v6RBbmmzoLCGo/vFxGraa1p/qF9udhVG+DdkbwHfbfKK5Im19KDw==",
-      "signed_at": "2026-05-12T22:30:56.142Z"
+      "signed_at": "2026-05-12T23:57:10.183Z"
     },
     {
       "name": "identity-assurance",
@@ -1079,7 +1079,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "pSMHKkyWoZvRIuVtN7Vue51sP5MIy9lSaQa2YSAMhxjptx81cUnPt3S11/Tb9Ea1/eluMNQ+5F25eF2njr4mBQ==",
-      "signed_at": "2026-05-12T22:30:56.142Z"
+      "signed_at": "2026-05-12T23:57:10.183Z"
     },
     {
       "name": "ot-ics-security",
@@ -1135,7 +1135,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "qjky+ZTX1DP7uRRMQZq7S7P9/uaJEoB1dy4RZ1l37Q4OO3k2ryfL+7o0Cgm/piuafJfH+dqUeNCRrVefj4r8Dw==",
-      "signed_at": "2026-05-12T22:30:56.142Z"
+      "signed_at": "2026-05-12T23:57:10.184Z"
     },
     {
       "name": "coordinated-vuln-disclosure",
@@ -1187,7 +1187,7 @@
         "NYDFS 23 NYCRR 500 amendments potentially adding explicit CVD program requirements"
       ],
       "signature": "F86Zl/I+dBzHYRUuGWsjDQI2F/I/vhzwZUFMqhNfKUzRbMf6mafOX2APCPYTp3eP1DvvvfL3Yc0hb1R5Q4nOAg==",
-      "signed_at": "2026-05-12T22:30:56.143Z"
+      "signed_at": "2026-05-12T23:57:10.184Z"
     },
     {
       "name": "threat-modeling-methodology",
@@ -1237,7 +1237,7 @@
         "PASTA v2 updates incorporating AI/ML application threats"
       ],
       "signature": "D/4d5NcJScNH58ADXsSrVzTmLSWZpUZTdyhtDkJlC0twSMNczOiDsXgYFitBaZgGdv5nVd00viR45mNrsaZ4BQ==",
-      "signed_at": "2026-05-12T22:30:56.143Z"
+      "signed_at": "2026-05-12T23:57:10.184Z"
     },
     {
       "name": "webapp-security",
@@ -1311,7 +1311,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "UOXaUtpcFjXyDQ70z2PaGu6K3pABtXp+7YzO6eGVGpN1CxXpPq/xW/CnTng6B7wk9WSsqD0OORBJp4VCjiVfAQ==",
-      "signed_at": "2026-05-12T22:30:56.143Z"
+      "signed_at": "2026-05-12T23:57:10.185Z"
     },
     {
       "name": "ai-risk-management",
@@ -1361,7 +1361,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "IVKygsrFjiM64fQVbd2PT6jDjs6fm5nKwJSqGfK53gG0S9wdHC4QYuh+LWlI/2ftvIKjjedLQ6FRyTrqpDEuDw==",
-      "signed_at": "2026-05-12T22:30:56.144Z"
+      "signed_at": "2026-05-12T23:57:10.185Z"
     },
     {
       "name": "sector-healthcare",
@@ -1421,7 +1421,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "P+CdSu8ZJCNUU4nTa09Voh2PcYF3y/AFJn4v7cjVIGo9FbbqO7MwvGN7cJ+aSRs2/3NMUXX4eupcODslxYyJDw==",
-      "signed_at": "2026-05-12T22:30:56.144Z"
+      "signed_at": "2026-05-12T23:57:10.185Z"
     },
     {
       "name": "sector-financial",
@@ -1502,7 +1502,7 @@
         "TIBER-EU framework v2.0 alignment with DORA TLPT RTS (JC 2024/40); cross-recognition with CBEST and iCAST"
       ],
       "signature": "zpEfh181Sc0b0cvRf/31Ir1f8lD4V5tehTogO3TJMxdKmXu06IAK7hrhBcLA/jFBv3xDDwrWW3sHzChVhWDeDA==",
-      "signed_at": "2026-05-12T22:30:56.144Z"
+      "signed_at": "2026-05-12T23:57:10.186Z"
     },
     {
       "name": "sector-federal-government",
@@ -1571,7 +1571,7 @@
         "Australia PSPF 2024 revision and ISM quarterly updates — track for Essential Eight Maturity Level requirements for federal entities"
       ],
       "signature": "7NpQlPu1DkpY9f+Frv/LLBHWUUe/qTM80c+xeYDxOzweXhvJGE/dnDCjglYHTjxT82L9cVxzBezvLEne20UpBg==",
-      "signed_at": "2026-05-12T22:30:56.145Z"
+      "signed_at": "2026-05-12T23:57:10.186Z"
     },
     {
       "name": "sector-energy",
@@ -1636,7 +1636,7 @@
         "ICS-CERT advisory feed (https://www.cisa.gov/news-events/cybersecurity-advisories/ics-advisories) for vendor CVEs in Siemens, Rockwell, Schneider Electric, ABB, GE Vernova, Hitachi Energy, AVEVA / OSIsoft PI"
       ],
       "signature": "4rhyHN5HykK7MQUmhvaTeDGj6Qf5swDd5ry8foh4KBvTkRKxTI/XyxconFGm5FASnySGPLMxX6m4JZAq5wiNBg==",
-      "signed_at": "2026-05-12T22:30:56.145Z"
+      "signed_at": "2026-05-12T23:57:10.186Z"
     },
     {
       "name": "api-security",
@@ -1705,7 +1705,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "hS1izPhETclITK7fp6R67dhy+wFDti/YsJ2M5I1gDjeWZYK41WuxeYSyt5xEHbCr3WCGDFJe77jkK1MWkxk2BA==",
-      "signed_at": "2026-05-12T22:30:56.145Z"
+      "signed_at": "2026-05-12T23:57:10.187Z"
     },
     {
       "name": "cloud-security",
@@ -1786,7 +1786,7 @@
         "CISA KEV additions for cloud-control-plane CVEs (IMDSv1 abuses, federation token mishandling, cross-tenant boundary failures); CISA Cybersecurity Advisories for cross-cloud advisories"
       ],
       "signature": "kuatqNZoRnv+oeyrxbnk+m37JRBIgRAWnDp0/IYLnoBOybiG09RzLILJraxjhvdSNCgo7WXTeBO3Y6a3Ji9MAA==",
-      "signed_at": "2026-05-12T22:30:56.146Z"
+      "signed_at": "2026-05-12T23:57:10.187Z"
     },
     {
       "name": "container-runtime-security",
@@ -1848,7 +1848,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "Btb3/7fjPFopFVdxP7+E6n322gnAAwd7OPrnuqatq6c1rXTD9aXKxiBeCmWxs8zYbIbE/lFoe9R2g6uTp8ZDBg==",
-      "signed_at": "2026-05-12T22:30:56.146Z"
+      "signed_at": "2026-05-12T23:57:10.187Z"
     },
     {
       "name": "mlops-security",
@@ -1919,7 +1919,7 @@
         "MITRE ATLAS v5.2 — track AML.T0010 sub-technique expansion and any new MLOps-pipeline-specific TTPs"
       ],
       "signature": "TBWnlgdllW7K1F10HCJ7p4dbLeS3lyNWm+7mNNtyZu7jB1V5AauG1P7sb1nLLqwKqeGlHS1F0eh/BNiuAvkABg==",
-      "signed_at": "2026-05-12T22:30:56.146Z"
+      "signed_at": "2026-05-12T23:57:10.188Z"
     },
     {
       "name": "incident-response-playbook",
@@ -1981,7 +1981,7 @@
         "NYDFS 23 NYCRR 500.17 amendments tightening ransom-payment 24h disclosure operationalization"
       ],
       "signature": "FVAXpD6sIoOLQSPtZSLLsXQnc2o2hRwiFj4xK8zEWJVkUWGqvAWRrngie7O2DRKIbWqjO5h9EevVYSzhwYHCAA==",
-      "signed_at": "2026-05-12T22:30:56.147Z"
+      "signed_at": "2026-05-12T23:57:10.188Z"
     },
     {
       "name": "email-security-anti-phishing",
@@ -2034,7 +2034,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "0HDt3Qklee4FQeKoZfwr+8qdq2pVDS0a+c7JxVw1hV/bl8+YTPaPjPTAhQUnbhUCa5cGo7G4MBQ1AifQTMJdDA==",
-      "signed_at": "2026-05-12T22:30:56.147Z"
+      "signed_at": "2026-05-12T23:57:10.189Z"
     },
     {
       "name": "age-gates-child-safety",
@@ -2102,7 +2102,7 @@
         "US state adult-site age-verification laws — 19+ states by mid-2026 (TX HB 18 upheld by SCOTUS June 2025 in Free Speech Coalition v. Paxton); track ongoing challenges in remaining states"
       ],
       "signature": "UyPSKUztZI/daHCRTnAh6ryoKLX4xyjuG+EaNMPRVuCz2gANGl1F/NozDsw7R2koMUwSFoiYTzwqDvo1tpuKAg==",
-      "signed_at": "2026-05-12T22:30:56.147Z"
+      "signed_at": "2026-05-12T23:57:10.189Z"
     }
   ]
 }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/exceptd-skills",
-  "version": "0.11.9",
+  "version": "0.11.12",
   "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 38 skills, 10 catalogs, 34 jurisdictions, pre-computed indexes, Ed25519-signed.",
   "keywords": [
     "ai-security",

package/sbom.cdx.json CHANGED Viewed

@@ -1,10 +1,10 @@
 {
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:1370612e-bb38-413e-9e02-f1b64d6786e0",
+  "serialNumber": "urn:uuid:b2610e1f-020c-4e3e-b5a2-e9ed1431c086",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-12T22:30:56.981Z",
+    "timestamp": "2026-05-12T23:57:11.194Z",
     "tools": [
       {
         "name": "hand-written",
@@ -13,10 +13,10 @@
       }
     ],
     "component": {
-      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.11.9",
+      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.11.12",
       "type": "application",
       "name": "@blamejs/exceptd-skills",
-      "version": "0.11.9",
+      "version": "0.11.12",
       "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 38 skills, 10 catalogs, 34 jurisdictions, pre-computed indexes, Ed25519-signed.",
       "licenses": [
         {
@@ -25,11 +25,11 @@
           }
         }
       ],
-      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.11.9",
+      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.11.12",
       "externalReferences": [
         {
           "type": "distribution",
-          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.11.9"
+          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.11.12"
         },
         {
           "type": "vcs",