@blamejs/exceptd-skills 0.12.10 → 0.12.13

package/manifest.json

@@ -1,6 +1,6 @@
 {
   "name": "exceptd-security",
-  "version": "0.12.10",
+  "version": "0.12.13",
   "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation",
   "homepage": "https://exceptd.com",
   "license": "Apache-2.0",
@@ -52,7 +52,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "GfdaqLFofMiou8doFBE68J+ll50MU3EfJh6N6mNL6RwjABmHsbyfOXCeEpR3NlhbDrYJaG4hpZg4PwhN+t9QAA==",
-      "signed_at": "2026-05-13T17:30:20.336Z",
+      "signed_at": "2026-05-14T14:28:31.387Z",
       "cwe_refs": [
         "CWE-125",
         "CWE-362",
@@ -116,7 +116,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "m93naZQwujXBedWEjRN+88R1b2q/Dzs595Rz0ufsctsSVL2kiqlorzqqwL4mIXBDUM/HJAMRyFzPQoxOhh5qBw==",
-      "signed_at": "2026-05-13T17:30:20.338Z",
+      "signed_at": "2026-05-14T14:28:31.389Z",
       "cwe_refs": [
         "CWE-1039",
         "CWE-1426",
@@ -179,7 +179,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "gvC+DFTp8TONJiYIq/Uvg/uTCWyQ2vjdU8hhNEjYqTghxwnNbryePTmvcxb1VZDBSv1r+kyE2MpHRBzSdLhxDQ==",
-      "signed_at": "2026-05-13T17:30:20.338Z",
+      "signed_at": "2026-05-14T14:28:31.390Z",
       "cwe_refs": [
         "CWE-22",
         "CWE-345",
@@ -225,7 +225,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "FqTRjHfEgw56pyHnyWzNtnhzDMEePBtmuamtW/iyX+h4yqbvP4Fyr7NRjRs3EgqT4j7oHuEZhV9Jt6ZTBgN4AA==",
-      "signed_at": "2026-05-13T17:30:20.339Z"
+      "signed_at": "2026-05-14T14:28:31.390Z"
     },
     {
       "name": "compliance-theater",
@@ -256,7 +256,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "69KnW3ol+BZAcIbex0JJo6/71BgBE4S4o9CxZPd5kgzm5kb85PwzE6KfnK40OaE1jz36FUYJgiQZo/T7RiDhAA==",
-      "signed_at": "2026-05-13T17:30:20.339Z"
+      "signed_at": "2026-05-14T14:28:31.390Z"
     },
     {
       "name": "exploit-scoring",
@@ -285,7 +285,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "k13lnnr4U4H58LOr2rj+ygF80RnVsdpAyGLXAdyLaY5oJFwfmEMMZQVLrcPhDx6cIQgP+Muzgtolhkh577kCCw==",
-      "signed_at": "2026-05-13T17:30:20.340Z"
+      "signed_at": "2026-05-14T14:28:31.391Z"
     },
     {
       "name": "rag-pipeline-security",
@@ -322,7 +322,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "X4avgw01bNVZjoiYDF+NN9qSOTjaH2I/7nRbPByoTLzMcORO7zTrZtqpGExJiV3Dmn0EtJ2dX07P65MqQIWHCA==",
-      "signed_at": "2026-05-13T17:30:20.340Z",
+      "signed_at": "2026-05-14T14:28:31.391Z",
       "cwe_refs": [
         "CWE-1395",
         "CWE-1426"
@@ -379,7 +379,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "SQWndklQmECBemQj42XTfdXM9+7iH+LgIb+qanQsUGT6dhQi7RsXlLeMxe74hVvwpDeUKsn22u23J4bWJh+HCw==",
-      "signed_at": "2026-05-13T17:30:20.340Z",
+      "signed_at": "2026-05-14T14:28:31.391Z",
       "d3fend_refs": [
         "D3-CA",
         "D3-CSPP",
@@ -414,7 +414,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "Dc740zhVm0mtlbj80QfgPcAKFyLZbbDJx/gdNHyYui0XKC3YNxykjcbqKOXnfdLAKkeLwWjMqZefkQk49wueAQ==",
-      "signed_at": "2026-05-13T17:30:20.341Z",
+      "signed_at": "2026-05-14T14:28:31.392Z",
       "cwe_refs": [
         "CWE-1188"
       ]
@@ -442,7 +442,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "3w189PCSFqXTTqlzNc14EKcW7vZ/CtAkuKB2hE4ERdJX+0DNo5AOfrPLjOD1/LdZpPLayEjDTZ83WGtEsMu1Cw==",
-      "signed_at": "2026-05-13T17:30:20.341Z"
+      "signed_at": "2026-05-14T14:28:31.392Z"
     },
     {
       "name": "global-grc",
@@ -474,7 +474,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "S/YXUpI/mcG2FpdUTgMsccWBtTaR5A4Ph4QFQw31S9w9Hn/z3sOFHLkb1B5YSwlg+mMOtSIxMdet1eLGSZkTDg==",
-      "signed_at": "2026-05-13T17:30:20.342Z"
+      "signed_at": "2026-05-14T14:28:31.393Z"
     },
     {
       "name": "zeroday-gap-learn",
@@ -501,7 +501,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "84nQaJylnNIZ47BD7dSBryWwntprRc9zqoTb6i5K7jV6cq7bUm6fVlrCTlFGg/oWLMX3x9JHmc9hqZhgdzRMCw==",
-      "signed_at": "2026-05-13T17:30:20.342Z"
+      "signed_at": "2026-05-14T14:28:31.393Z"
     },
     {
       "name": "pqc-first",
@@ -553,7 +553,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "oEkK5bLS/G5RIHnxlNFJYdzhTJbKZnkJv+W4iS9UJ/uszZHgZGoxygELPc4kn3FowV5eE988SQYG4WKlXtNzCg==",
-      "signed_at": "2026-05-13T17:30:20.342Z",
+      "signed_at": "2026-05-14T14:28:31.393Z",
       "cwe_refs": [
         "CWE-327"
       ],
@@ -600,7 +600,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "JCrqB0GmldDIYPpgC+U3DDzxpYWJa0QgEQF7L1T8kxY0U0bsa7cw87CNC5KGk1VZRNsCa3v/I4XR1E/T5GkpBA==",
-      "signed_at": "2026-05-13T17:30:20.343Z"
+      "signed_at": "2026-05-14T14:28:31.393Z"
     },
     {
       "name": "security-maturity-tiers",
@@ -637,7 +637,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "ctxS+0nGTJgJ4YroLpckhG+ryjYxfwvisSeGt2o8OF6eiQBlu/VbrOk03Jb+qkahgD0mLnSeBE4sjRwekGL9BQ==",
-      "signed_at": "2026-05-13T17:30:20.343Z",
+      "signed_at": "2026-05-14T14:28:31.394Z",
       "cwe_refs": [
         "CWE-1188"
       ]
@@ -672,7 +672,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-11",
       "signature": "cdmQWTu9bFjeheH/B6pa88zCtPqVeEDDElnC/h7pUQ/JQSh9HuqCSiK/Jv2C4gaLA9h0dmKVe7NEFajshrZZDA==",
-      "signed_at": "2026-05-13T17:30:20.343Z"
+      "signed_at": "2026-05-14T14:28:31.394Z"
     },
     {
       "name": "attack-surface-pentest",
@@ -743,7 +743,7 @@
         "PTES revision incorporating AI-surface enumeration"
       ],
       "signature": "6YqZpHsmUz1/aTyOPNDUgJquKaacOqEqTIELHc5wlaydDz4bYboutEu/YiTYy+wF/nYo2nOyuJfMdR8jsYwEDQ==",
-      "signed_at": "2026-05-13T17:30:20.343Z"
+      "signed_at": "2026-05-14T14:28:31.394Z"
     },
     {
       "name": "fuzz-testing-strategy",
@@ -803,7 +803,7 @@
         "OSS-Fuzz-Gen / AI-assisted harness generation becoming the default expectation for OSS maintainers"
       ],
       "signature": "+ELdD+1AY5DymBitH7wU65CS60NY1nDoLowJAFn7cE5Gr/5jy9BTkyxsm7PEXaSlXWMOkTf/HQ+uyzyxUVD/Bw==",
-      "signed_at": "2026-05-13T17:30:20.344Z"
+      "signed_at": "2026-05-14T14:28:31.395Z"
     },
     {
       "name": "dlp-gap-analysis",
@@ -878,7 +878,7 @@
         "Quebec Law 25, India DPDPA, KSA PDPL enforcement actions naming AI-tool prompt data as in-scope personal information"
       ],
       "signature": "H1N113M/YhnEPQptJ2B88wwAOB4eMPKuVABQ4DSlMjFMsX0ts1DBCupHHDoHcJHbi8vs+Wi10ekpL5SnsroZDQ==",
-      "signed_at": "2026-05-13T17:30:20.344Z"
+      "signed_at": "2026-05-14T14:28:31.395Z"
     },
     {
       "name": "supply-chain-integrity",
@@ -955,7 +955,7 @@
         "OpenSSF model-signing — emerging Sigstore-based signing standard for ML model weights; track for production adoption"
       ],
       "signature": "TmV9ZBDYqp2pHIbNZKQYf+kZLNAiyagnH/pjK9+LiSd7OdFIN3KEpFHPUNzcivB/CT5q7nl7Tsmvc9UvGo8WDg==",
-      "signed_at": "2026-05-13T17:30:20.344Z"
+      "signed_at": "2026-05-14T14:28:31.395Z"
     },
     {
       "name": "defensive-countermeasure-mapping",
@@ -1012,7 +1012,7 @@
       ],
       "last_threat_review": "2026-05-11",
       "signature": "XZigwq8X/csfrdG10O6Q1V5q0zUqSQGd3QrjRKkZ4fkaodG4mZahYuIQqxc8rU9jjtGAm9LtBXYB+I5csqj9Bw==",
-      "signed_at": "2026-05-13T17:30:20.344Z"
+      "signed_at": "2026-05-14T14:28:31.395Z"
     },
     {
       "name": "identity-assurance",
@@ -1079,7 +1079,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "pCvavMUh5wR/TFl03Vh6ggKJHWPjakOEPDh7IjaD/U3WLBGPF3eyLBzieNLrPDXxIBbCJqnt9E79Bd4e73xCCg==",
-      "signed_at": "2026-05-13T17:30:20.345Z"
+      "signed_at": "2026-05-14T14:28:31.396Z"
     },
     {
       "name": "ot-ics-security",
@@ -1135,7 +1135,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "3V0ZpDLRTmCBx5Li+9m3XKA+k9QR+l0aE55cRPMX+UTDRlStKSG5PgrSGcL2ZKJog9hKaUPmjIVh7kkn54SfAg==",
-      "signed_at": "2026-05-13T17:30:20.345Z"
+      "signed_at": "2026-05-14T14:28:31.396Z"
     },
     {
       "name": "coordinated-vuln-disclosure",
@@ -1187,7 +1187,7 @@
         "NYDFS 23 NYCRR 500 amendments potentially adding explicit CVD program requirements"
       ],
       "signature": "UCiNjncvhkZItmLQA/Sm1/NCsOiLMwdCjfUw+067v4NIxhaMMaqRrAeD3KgMyEtov7m2Hq2kfwYSt5+DQsYDCQ==",
-      "signed_at": "2026-05-13T17:30:20.345Z"
+      "signed_at": "2026-05-14T14:28:31.396Z"
     },
     {
       "name": "threat-modeling-methodology",
@@ -1237,7 +1237,7 @@
         "PASTA v2 updates incorporating AI/ML application threats"
       ],
       "signature": "i8ZUFT7hwTQJyqYXWh8rchdEUNv1kk0bzkF3BHOANFwuVoM0+mukOPr+rhKdOWCPjTX72EG+0Mbs6hBTSfBBAg==",
-      "signed_at": "2026-05-13T17:30:20.346Z"
+      "signed_at": "2026-05-14T14:28:31.397Z"
     },
     {
       "name": "webapp-security",
@@ -1311,7 +1311,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "3d+Hs8yfERF/NUuVhO3YFYCY+bVn7aAGbNCCyGeqYM2VIt7q/nzNXGfbNfJbSPezClwutOyxbzPwXMj+TjmMDA==",
-      "signed_at": "2026-05-13T17:30:20.346Z"
+      "signed_at": "2026-05-14T14:28:31.397Z"
     },
     {
       "name": "ai-risk-management",
@@ -1361,7 +1361,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "runa3PkfcThZmv5I+F6D1hOR/kfBeVOcdDZHsJ/59WOjsPj4BPi4d9MtP1vV7G9qq9daGGz6YzZGnejjin4pCA==",
-      "signed_at": "2026-05-13T17:30:20.346Z"
+      "signed_at": "2026-05-14T14:28:31.397Z"
     },
     {
       "name": "sector-healthcare",
@@ -1421,7 +1421,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "58fEAPnojhmGSpEIIyWIwfj65A2KB4SMyUCoieJ28OZaUktUF+56wLHQOdAW6v2fSeiriFqZEqGyKyLryGGcBg==",
-      "signed_at": "2026-05-13T17:30:20.346Z"
+      "signed_at": "2026-05-14T14:28:31.398Z"
     },
     {
       "name": "sector-financial",
@@ -1502,7 +1502,7 @@
         "TIBER-EU framework v2.0 alignment with DORA TLPT RTS (JC 2024/40); cross-recognition with CBEST and iCAST"
       ],
       "signature": "wByxWUburbU5PB7EHLDVAByCpMbhKRTWqSoVsBmxIDsz2jCiKb3ogJutFnAV2r2oXuQIUaffGvrvACIrJ2GlBQ==",
-      "signed_at": "2026-05-13T17:30:20.347Z"
+      "signed_at": "2026-05-14T14:28:31.398Z"
     },
     {
       "name": "sector-federal-government",
@@ -1571,7 +1571,7 @@
         "Australia PSPF 2024 revision and ISM quarterly updates — track for Essential Eight Maturity Level requirements for federal entities"
       ],
       "signature": "gdiwq/+AQxxNJ2t90dITyLd2ZWdDKHxbyS2I+AVRdM45VVKQEAY4XyheGZW8m5wdDF7N9X2ENIE5CRMfP5jnCA==",
-      "signed_at": "2026-05-13T17:30:20.347Z"
+      "signed_at": "2026-05-14T14:28:31.398Z"
     },
     {
       "name": "sector-energy",
@@ -1636,7 +1636,7 @@
         "ICS-CERT advisory feed (https://www.cisa.gov/news-events/cybersecurity-advisories/ics-advisories) for vendor CVEs in Siemens, Rockwell, Schneider Electric, ABB, GE Vernova, Hitachi Energy, AVEVA / OSIsoft PI"
       ],
       "signature": "3M6nshB0ZNfr3H/rpcy58+/yve91u8kiTOhwUBePTZ0lQeuzlXZZV6/36i/NTWKC4SwgMn8fsZCpLxA5llRaCg==",
-      "signed_at": "2026-05-13T17:30:20.348Z"
+      "signed_at": "2026-05-14T14:28:31.399Z"
     },
     {
       "name": "api-security",
@@ -1705,7 +1705,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "rLOJBYVELFSVT2zLEByuko5Z1+HwGY99pQOC1XIVHs9l7gmY7F8N8luU/EBvVDcnT9w6nPiC5YKmCy/50LbxBQ==",
-      "signed_at": "2026-05-13T17:30:20.348Z"
+      "signed_at": "2026-05-14T14:28:31.399Z"
     },
     {
       "name": "cloud-security",
@@ -1786,7 +1786,7 @@
         "CISA KEV additions for cloud-control-plane CVEs (IMDSv1 abuses, federation token mishandling, cross-tenant boundary failures); CISA Cybersecurity Advisories for cross-cloud advisories"
       ],
       "signature": "PyA9IHcGNrCLC0AJW2jF5D5XheA60igeirjHb3IOz/HitBEg3t2g/siP6pAUImx3IUmwp9vh+A6k+KBuyHRgBQ==",
-      "signed_at": "2026-05-13T17:30:20.348Z"
+      "signed_at": "2026-05-14T14:28:31.399Z"
     },
     {
       "name": "container-runtime-security",
@@ -1848,7 +1848,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "/RQD2SZghTsrG7qurGb1uabyJ2IL9nmbqd412k8tqZw6nzdvvNFWcYDUGBACEQLbSlJvuaJeQdMHQH5ZzzkNDA==",
-      "signed_at": "2026-05-13T17:30:20.349Z"
+      "signed_at": "2026-05-14T14:28:31.400Z"
     },
     {
       "name": "mlops-security",
@@ -1919,7 +1919,7 @@
         "MITRE ATLAS v5.2 — track AML.T0010 sub-technique expansion and any new MLOps-pipeline-specific TTPs"
       ],
       "signature": "BeACZFTsTRZyGuOEc7NPGnGUQ84ZrFbYRsg+yqJxCH7QOM69jYJTnExyAyxXfiJyoytzSffJQNK3h0E48rm0BQ==",
-      "signed_at": "2026-05-13T17:30:20.349Z"
+      "signed_at": "2026-05-14T14:28:31.400Z"
     },
     {
       "name": "incident-response-playbook",
@@ -1981,7 +1981,7 @@
         "NYDFS 23 NYCRR 500.17 amendments tightening ransom-payment 24h disclosure operationalization"
       ],
       "signature": "oy63A4wX5g9rYq3wWYGSS9L7wndNaa1+wJPRPtiHMvQ6CNhTzN8kCs9Ur2SkT7U9BKYdfPLni0gGMjoeDbx+AA==",
-      "signed_at": "2026-05-13T17:30:20.349Z"
+      "signed_at": "2026-05-14T14:28:31.401Z"
     },
     {
       "name": "email-security-anti-phishing",
@@ -2034,7 +2034,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "EFhMVyQdiLRtYPHsMADrX3aDXyWd/F5sjnGoWtUTeTiIOmrhFMOCHsvpTPotfsLt0u3LgRK5ACgjgeON8PgQAg==",
-      "signed_at": "2026-05-13T17:30:20.350Z"
+      "signed_at": "2026-05-14T14:28:31.401Z"
     },
     {
       "name": "age-gates-child-safety",
@@ -2102,7 +2102,7 @@
         "US state adult-site age-verification laws — 19+ states by mid-2026 (TX HB 18 upheld by SCOTUS June 2025 in Free Speech Coalition v. Paxton); track ongoing challenges in remaining states"
       ],
       "signature": "MMWvg3lIf5ygm31zyf1E43t3W9MfRbMBBPrqlj1wOa8AxVJL8LICnAXfmyJ/TNJXwpF+rfZeDdoxXkql8wmtBA==",
-      "signed_at": "2026-05-13T17:30:20.350Z"
+      "signed_at": "2026-05-14T14:28:31.401Z"
     }
   ]
 }

package/orchestrator/scheduler.js

@@ -8,11 +8,23 @@
  *
  * This is a simple interval-based scheduler. For production use, swap for a
  * proper cron daemon or cloud scheduler without changing the task definitions.
+ *
+ * Implementation note — INT32 overflow guard. `setInterval` / `setTimeout`
+ * delay values are coerced to a signed 32-bit integer; any value above
+ * 2^31 - 1 ms (~24.8 days) is silently clamped to 1 ms by Node, which
+ * causes the handler to fire ~1000×/sec. The MONTHLY_CVE_VALIDATION and
+ * ANNUAL_AUDIT intervals both exceed that limit. `scheduleEvery` wraps the
+ * underlying timer with a short tick interval (capped at SAFE_MAX_MS) and
+ * compares wall-clock elapsed time against the requested interval, so any
+ * delay — including multi-year intervals — fires exactly when due.
  */
 
 const { bus, EVENT_TYPES } = require('./event-bus');
 const { currencyCheck } = require('./pipeline');
 
+const SAFE_MAX_MS = 2_147_483_647;            // INT32 max — Node's setTimeout/setInterval ceiling.
+const TICK_MS = Math.min(SAFE_MAX_MS, 24 * 60 * 60 * 1000);  // 24h tick by default.
+
 const INTERVALS = {
   WEEKLY_CURRENCY: 7 * 24 * 60 * 60 * 1000,
   MONTHLY_CVE_VALIDATION: 30 * 24 * 60 * 60 * 1000,
@@ -24,9 +36,38 @@ const CURRENCY_THRESHOLDS = {
   warning: 70
 };
 
-let timers = [];
+let unschedulers = [];
 let running = false;
 
+// --- scheduling primitive ---
+
+/**
+ * Schedule `handler` to fire every `intervalMs`, safely for intervals that
+ * exceed Node's INT32 setTimeout ceiling. Returns an unschedule function.
+ *
+ * @param {number} intervalMs   Desired interval in milliseconds (any positive value).
+ * @param {Function} handler    Function to invoke on each interval.
+ * @returns {Function}          Call to stop further firings.
+ */
+function scheduleEvery(intervalMs, handler) {
+  const startedAt = Date.now();
+  let lastFired = startedAt;
+  const tick = () => {
+    const now = Date.now();
+    if (now - lastFired >= intervalMs) {
+      lastFired = now;
+      try { handler(); } catch (e) { console.error('[scheduler]', e); }
+    }
+  };
+  const id = setInterval(tick, Math.min(intervalMs, TICK_MS));
+  // Deliberately NOT calling id.unref(): the `watch` orchestrator verb
+  // is long-running and relies on the scheduler timers to keep the event
+  // loop alive (the event bus has no I/O of its own). Callers that don't
+  // want the timer to hold the loop open should call the returned
+  // unschedule function in their teardown path.
+  return () => clearInterval(id);
+}
+
 // --- public API ---
 
 /**
@@ -37,9 +78,9 @@ function start() {
   running = true;
 
   runWeeklyCurrencyCheck();
-  timers.push(setInterval(runWeeklyCurrencyCheck, INTERVALS.WEEKLY_CURRENCY));
-  timers.push(setInterval(runMonthlyCveValidation, INTERVALS.MONTHLY_CVE_VALIDATION));
-  timers.push(setInterval(runAnnualAudit, INTERVALS.ANNUAL_AUDIT));
+  unschedulers.push(scheduleEvery(INTERVALS.WEEKLY_CURRENCY, runWeeklyCurrencyCheck));
+  unschedulers.push(scheduleEvery(INTERVALS.MONTHLY_CVE_VALIDATION, runMonthlyCveValidation));
+  unschedulers.push(scheduleEvery(INTERVALS.ANNUAL_AUDIT, runAnnualAudit));
 
   console.log('[scheduler] Started. Weekly currency check, monthly CVE validation, annual audit scheduled.');
 }
@@ -48,8 +89,10 @@ function start() {
  * Stop the scheduler and clear all timers.
  */
 function stop() {
-  for (const t of timers) clearInterval(t);
-  timers = [];
+  for (const off of unschedulers) {
+    try { off(); } catch { /* ignore */ }
+  }
+  unschedulers = [];
   running = false;
   console.log('[scheduler] Stopped.');
 }
@@ -134,4 +177,4 @@ function runAnnualAudit() {
   };
 }
 
-module.exports = { start, stop, runCurrencyNow };
+module.exports = { start, stop, runCurrencyNow, scheduleEvery, SAFE_MAX_MS, TICK_MS };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/exceptd-skills",
-  "version": "0.12.10",
+  "version": "0.12.13",
   "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 38 skills, 10 catalogs, 34 jurisdictions, pre-computed indexes, Ed25519-signed.",
   "keywords": [
     "ai-security",

package/sbom.cdx.json

@@ -1,10 +1,10 @@
 {
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:9f17cd00-16e6-4fd2-b943-190a84d36bc4",
+  "serialNumber": "urn:uuid:4ab68946-cb1d-4bca-82a3-99dd37c31e07",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-13T17:23:27.661Z",
+    "timestamp": "2026-05-14T14:28:32.202Z",
     "tools": [
       {
         "name": "hand-written",
@@ -13,10 +13,10 @@
       }
     ],
     "component": {
-      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.12.10",
+      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.12.13",
       "type": "application",
       "name": "@blamejs/exceptd-skills",
-      "version": "0.12.10",
+      "version": "0.12.13",
       "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 38 skills, 10 catalogs, 34 jurisdictions, pre-computed indexes, Ed25519-signed.",
       "licenses": [
         {
@@ -25,11 +25,11 @@
           }
         }
       ],
-      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.12.10",
+      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.12.13",
       "externalReferences": [
         {
           "type": "distribution",
-          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.12.10"
+          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.12.13"
         },
         {
           "type": "vcs",
@@ -40,11 +40,11 @@
     "properties": [
       {
         "name": "cyclonedx:dataflow:input",
-        "value": "data/atlas-ttps.json,data/cve-catalog.json,data/cwe-catalog.json,data/d3fend-catalog.json,data/dlp-controls.json,data/exploit-availability.json,data/framework-control-gaps.json,data/global-frameworks.json,data/rfc-references.json,data/zeroday-lessons.json"
+        "value": "data/atlas-ttps.json,data/attack-techniques.json,data/cve-catalog.json,data/cwe-catalog.json,data/d3fend-catalog.json,data/dlp-controls.json,data/exploit-availability.json,data/framework-control-gaps.json,data/global-frameworks.json,data/rfc-references.json,data/zeroday-lessons.json"
       },
       {
         "name": "exceptd:catalog:count",
-        "value": "10"
+        "value": "11"
       },
       {
         "name": "exceptd:skill:count",

package/scripts/predeploy.js

@@ -164,6 +164,19 @@ const GATES = [
     args: [path.join(ROOT, "scripts", "check-test-coverage.js")],
     ciJobName: "Diff coverage",
   },
+  {
+    // v0.12.12 — Validate every playbook in data/playbooks/ against the
+    // JSON schema + cross-playbook + cross-catalog references. Runs as
+    // informational (warnings, not failures) for v0.12.12 so the patch-
+    // class release can land without retroactively breaking schema-drift
+    // cases that operators have not yet reconciled. v0.13.0 will flip
+    // `informational: false`.
+    name: "Validate playbooks (schema + cross-refs, informational)",
+    command: process.execPath,
+    args: [path.join(ROOT, "lib", "validate-playbooks.js")],
+    ciJobName: "Validate playbooks",
+    informational: true,
+  },
 ];
 
 function runGate(gate) {
@@ -174,45 +187,56 @@ function runGate(gate) {
         status: "skipped",
         reason:
           "keys/public.pem missing — run `npm run bootstrap` to generate keys + sign skills.",
+        durationMs: 0,
       };
     }
   }
+  const t0 = Date.now();
   try {
     execFileSync(gate.command, gate.args, { stdio: "inherit", cwd: ROOT });
-    return { status: "passed" };
+    return { status: "passed", durationMs: Date.now() - t0 };
   } catch (e) {
     if (gate.informational) {
       return {
         status: "informational",
         exitCode: e.status ?? null,
         message: e.message,
+        durationMs: Date.now() - t0,
       };
     }
     return {
       status: "failed",
       exitCode: e.status ?? null,
       message: e.message,
+      durationMs: Date.now() - t0,
     };
   }
 }
 
+function fmtMs(ms) {
+  if (typeof ms !== "number" || !Number.isFinite(ms)) return "";
+  return `${ms} ms`;
+}
+
 function main() {
   const results = [];
   for (const gate of GATES) {
     process.stdout.write(`\n=== ${gate.name} ===\n`);
     const outcome = runGate(gate);
     results.push({ gate, outcome });
+    const timing = fmtMs(outcome.durationMs);
+    const timingSuffix = timing ? ` (${timing})` : "";
     if (outcome.status === "skipped") {
       process.stdout.write(`  ⊘ skipped — ${outcome.reason}\n`);
     } else if (outcome.status === "passed") {
-      process.stdout.write(`  ✓ passed\n`);
+      process.stdout.write(`  ✓ passed${timingSuffix}\n`);
     } else if (outcome.status === "informational") {
       process.stdout.write(
-        `  ℹ informational (exit ${outcome.exitCode ?? "?"}) — not failing the run\n`
+        `  ℹ informational (exit ${outcome.exitCode ?? "?"})${timingSuffix} — not failing the run\n`
       );
     } else {
       process.stdout.write(
-        `  ✗ failed (exit ${outcome.exitCode ?? "?"}): ${outcome.message}\n`
+        `  ✗ failed (exit ${outcome.exitCode ?? "?"})${timingSuffix}: ${outcome.message}\n`
       );
     }
   }
@@ -232,8 +256,10 @@ function main() {
         : outcome.status === "informational"
         ? "ℹ"
         : "✗";
+    const timing = fmtMs(outcome.durationMs);
+    const timingSuffix = timing ? `  (${timing})` : "";
     process.stdout.write(
-      `  ${icon} ${gate.name.padEnd(widest)}  ${outcome.status}\n`
+      `  ${icon} ${gate.name.padEnd(widest)}  ${outcome.status}${timingSuffix}\n`
     );
   }