@blamejs/exceptd-skills 0.12.11 → 0.12.15

package/manifest.json

@@ -1,6 +1,6 @@
 {
   "name": "exceptd-security",
-  "version": "0.12.11",
+  "version": "0.12.15",
   "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation",
   "homepage": "https://exceptd.com",
   "license": "Apache-2.0",
@@ -51,8 +51,8 @@
         "RFC-7296"
       ],
       "last_threat_review": "2026-05-01",
-      "signature": "GfdaqLFofMiou8doFBE68J+ll50MU3EfJh6N6mNL6RwjABmHsbyfOXCeEpR3NlhbDrYJaG4hpZg4PwhN+t9QAA==",
-      "signed_at": "2026-05-13T21:19:34.408Z",
+      "signature": "GedX81xfe2Y/oIVTEvakZUcSPFccqsDjBibE+KbiiHezAx2EvCS4AOjlx4TO7F0iuC47G/wvOc12kMYe9iHtDw==",
+      "signed_at": "2026-05-14T16:47:03.242Z",
       "cwe_refs": [
         "CWE-125",
         "CWE-362",
@@ -115,8 +115,8 @@
         "SOC2-CC6-logical-access"
       ],
       "last_threat_review": "2026-05-01",
-      "signature": "m93naZQwujXBedWEjRN+88R1b2q/Dzs595Rz0ufsctsSVL2kiqlorzqqwL4mIXBDUM/HJAMRyFzPQoxOhh5qBw==",
-      "signed_at": "2026-05-13T21:19:34.410Z",
+      "signature": "Rz5jS554rDryT6FPVZy0PwHMCYoJQQhhNDNI9rvOptjDbsnnKtZkpVXlKke5OKmLu5fHEBaNPg856qMIZFq+Ag==",
+      "signed_at": "2026-05-14T16:47:03.244Z",
       "cwe_refs": [
         "CWE-1039",
         "CWE-1426",
@@ -178,8 +178,8 @@
         "RFC-9700"
       ],
       "last_threat_review": "2026-05-01",
-      "signature": "gvC+DFTp8TONJiYIq/Uvg/uTCWyQ2vjdU8hhNEjYqTghxwnNbryePTmvcxb1VZDBSv1r+kyE2MpHRBzSdLhxDQ==",
-      "signed_at": "2026-05-13T21:19:34.411Z",
+      "signature": "goSMEVE6QbfcdqCEgq324TNy6rZ2mWwPA28gMPvojy8ZzGFng87hLdyvKhDMo4S3KTK1D6CaTBksAzZw4Go8Cg==",
+      "signed_at": "2026-05-14T16:47:03.245Z",
       "cwe_refs": [
         "CWE-22",
         "CWE-345",
@@ -224,8 +224,8 @@
       "attack_refs": [],
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
-      "signature": "FqTRjHfEgw56pyHnyWzNtnhzDMEePBtmuamtW/iyX+h4yqbvP4Fyr7NRjRs3EgqT4j7oHuEZhV9Jt6ZTBgN4AA==",
-      "signed_at": "2026-05-13T21:19:34.411Z"
+      "signature": "XFQO+fdOb388MLxMLoTqjOHhmV/PBOPKH0nZTp5NY4uzk5iUTo6G2T/IrgZGV7/CvsuvOvaXWP8+BDllXzOpDw==",
+      "signed_at": "2026-05-14T16:47:03.245Z"
     },
     {
       "name": "compliance-theater",
@@ -255,8 +255,8 @@
         "CMMC-2.0-Level-2"
       ],
       "last_threat_review": "2026-05-01",
-      "signature": "69KnW3ol+BZAcIbex0JJo6/71BgBE4S4o9CxZPd5kgzm5kb85PwzE6KfnK40OaE1jz36FUYJgiQZo/T7RiDhAA==",
-      "signed_at": "2026-05-13T21:19:34.412Z"
+      "signature": "1UD9hHv44RWc1GSvN99pmxk26xaHLC74EbJ1ndn5Sptgd7w2rU9QznqCKf7Qc18uRyNEFhqW3jHvEs9c/XgrAw==",
+      "signed_at": "2026-05-14T16:47:03.245Z"
     },
     {
       "name": "exploit-scoring",
@@ -284,8 +284,8 @@
         "CIS-Controls-v8-Control7"
       ],
       "last_threat_review": "2026-05-01",
-      "signature": "k13lnnr4U4H58LOr2rj+ygF80RnVsdpAyGLXAdyLaY5oJFwfmEMMZQVLrcPhDx6cIQgP+Muzgtolhkh577kCCw==",
-      "signed_at": "2026-05-13T21:19:34.412Z"
+      "signature": "4tt6UuIkq/Mi8zMhO5cydYlXyG7jKxF2MFBC34Q6Q5l3FHPhhqrL5HLOB4WFgVmq27wBbD6AgUu2czVnKa5MDQ==",
+      "signed_at": "2026-05-14T16:47:03.245Z"
     },
     {
       "name": "rag-pipeline-security",
@@ -321,8 +321,8 @@
         "OWASP-LLM-Top-10-2025-LLM08"
       ],
       "last_threat_review": "2026-05-01",
-      "signature": "X4avgw01bNVZjoiYDF+NN9qSOTjaH2I/7nRbPByoTLzMcORO7zTrZtqpGExJiV3Dmn0EtJ2dX07P65MqQIWHCA==",
-      "signed_at": "2026-05-13T21:19:34.412Z",
+      "signature": "4mstnPFMNhiorB7iEwqb7Jh+OCG79Mhqt2h/RwL5JbnAIPBi0Fcv0JBhQ5msEaHO4gNnpcBrdMfiDxLDwetZCw==",
+      "signed_at": "2026-05-14T16:47:03.246Z",
       "cwe_refs": [
         "CWE-1395",
         "CWE-1426"
@@ -378,8 +378,8 @@
         "RFC-9000"
       ],
       "last_threat_review": "2026-05-01",
-      "signature": "SQWndklQmECBemQj42XTfdXM9+7iH+LgIb+qanQsUGT6dhQi7RsXlLeMxe74hVvwpDeUKsn22u23J4bWJh+HCw==",
-      "signed_at": "2026-05-13T21:19:34.412Z",
+      "signature": "FjdIy9NqQpSSMhIbyv5WhnJKrVLhO98iBfQ0AHqXw6yqXdVoWucyr729Jwhelq40oAkiBzbXi9RoVo63DHJwDw==",
+      "signed_at": "2026-05-14T16:47:03.246Z",
       "d3fend_refs": [
         "D3-CA",
         "D3-CSPP",
@@ -413,8 +413,8 @@
       "attack_refs": [],
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
-      "signature": "Dc740zhVm0mtlbj80QfgPcAKFyLZbbDJx/gdNHyYui0XKC3YNxykjcbqKOXnfdLAKkeLwWjMqZefkQk49wueAQ==",
-      "signed_at": "2026-05-13T21:19:34.413Z",
+      "signature": "DxfXhSyoAGUo1emHh0uIIcg324ZreBYxmFdBDVAKOOuPmMlfN4RqNc/JGDSfVmMv5CjgYCUcSmkcYB0A5lk0Cg==",
+      "signed_at": "2026-05-14T16:47:03.246Z",
       "cwe_refs": [
         "CWE-1188"
       ]
@@ -441,8 +441,8 @@
       "attack_refs": [],
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
-      "signature": "3w189PCSFqXTTqlzNc14EKcW7vZ/CtAkuKB2hE4ERdJX+0DNo5AOfrPLjOD1/LdZpPLayEjDTZ83WGtEsMu1Cw==",
-      "signed_at": "2026-05-13T21:19:34.413Z"
+      "signature": "xwlad/p5XlICc76KqrdWpEpBgwx1D87oM5qlccRQ5LKC/o0pr8vQ8LN3WLiiziBChplwNbruiIN6UETniZpjCg==",
+      "signed_at": "2026-05-14T16:47:03.247Z"
     },
     {
       "name": "global-grc",
@@ -473,8 +473,8 @@
       "attack_refs": [],
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
-      "signature": "S/YXUpI/mcG2FpdUTgMsccWBtTaR5A4Ph4QFQw31S9w9Hn/z3sOFHLkb1B5YSwlg+mMOtSIxMdet1eLGSZkTDg==",
-      "signed_at": "2026-05-13T21:19:34.414Z"
+      "signature": "7yVjZkanFMKDQqXdX4B/7oLc2Rz72xHC1zscYd8F/+e5UAbR7ikK8Bn5EKZt3aBEOhHPAviSQNCMxpZD9U00CA==",
+      "signed_at": "2026-05-14T16:47:03.247Z"
     },
     {
       "name": "zeroday-gap-learn",
@@ -500,8 +500,8 @@
       "attack_refs": [],
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
-      "signature": "84nQaJylnNIZ47BD7dSBryWwntprRc9zqoTb6i5K7jV6cq7bUm6fVlrCTlFGg/oWLMX3x9JHmc9hqZhgdzRMCw==",
-      "signed_at": "2026-05-13T21:19:34.414Z"
+      "signature": "pKv1b8JAj1ldwR2KGccvjUKqlor2KNXXzxkKypkv+4O8WbqY7v8fWlbFe1F36OJrL2xYJdnZL5mJzqjYVHLRCg==",
+      "signed_at": "2026-05-14T16:47:03.248Z"
     },
     {
       "name": "pqc-first",
@@ -552,8 +552,8 @@
         "CRQC timeline estimate changes"
       ],
       "last_threat_review": "2026-05-01",
-      "signature": "oEkK5bLS/G5RIHnxlNFJYdzhTJbKZnkJv+W4iS9UJ/uszZHgZGoxygELPc4kn3FowV5eE988SQYG4WKlXtNzCg==",
-      "signed_at": "2026-05-13T21:19:34.414Z",
+      "signature": "V+qn5FqUlETfsEjvvi6jZGuQdqLFtFejfgPA6KSYxSlBXBTbOBXP3BGk5S+ba9akIzgbKh1j9VGB1MqsIt56DA==",
+      "signed_at": "2026-05-14T16:47:03.248Z",
       "cwe_refs": [
         "CWE-327"
       ],
@@ -599,8 +599,8 @@
         "Framework publication updates"
       ],
       "last_threat_review": "2026-05-01",
-      "signature": "JCrqB0GmldDIYPpgC+U3DDzxpYWJa0QgEQF7L1T8kxY0U0bsa7cw87CNC5KGk1VZRNsCa3v/I4XR1E/T5GkpBA==",
-      "signed_at": "2026-05-13T21:19:34.415Z"
+      "signature": "UayHLLWXAkhnLPaPRsgDpAyE8FGk1tuG1/DYyhw84Uv4tfCKXMamsAhXHOyMIosQfsJq5ZHYVXZz0bYNpnlvDw==",
+      "signed_at": "2026-05-14T16:47:03.248Z"
     },
     {
       "name": "security-maturity-tiers",
@@ -636,8 +636,8 @@
         "PQC tooling maturity shifting overkill to practical"
       ],
       "last_threat_review": "2026-05-01",
-      "signature": "ctxS+0nGTJgJ4YroLpckhG+ryjYxfwvisSeGt2o8OF6eiQBlu/VbrOk03Jb+qkahgD0mLnSeBE4sjRwekGL9BQ==",
-      "signed_at": "2026-05-13T21:19:34.415Z",
+      "signature": "zjq6ACAHD46xvhvQJKlrCPh5xDCuBuIWBI+QJB8RxcudpC7p7I1pqv+BY8DZdsAgU4tquCU8KC+xlduMIk3/DQ==",
+      "signed_at": "2026-05-14T16:47:03.248Z",
       "cwe_refs": [
         "CWE-1188"
       ]
@@ -671,8 +671,8 @@
       "attack_refs": [],
       "framework_gaps": [],
       "last_threat_review": "2026-05-11",
-      "signature": "cdmQWTu9bFjeheH/B6pa88zCtPqVeEDDElnC/h7pUQ/JQSh9HuqCSiK/Jv2C4gaLA9h0dmKVe7NEFajshrZZDA==",
-      "signed_at": "2026-05-13T21:19:34.415Z"
+      "signature": "/lGgWehCMQUXjI6w4FUa+5wrbyRnct+txvVcXA+D2/ZEkoJKh+J/psO3j5HPf7Hpv+Y5SmkH71CoO+9qilyVDQ==",
+      "signed_at": "2026-05-14T16:47:03.249Z"
     },
     {
       "name": "attack-surface-pentest",
@@ -742,8 +742,8 @@
         "OWASP WSTG v5.x AI/MCP test cases (currently in working-group draft)",
         "PTES revision incorporating AI-surface enumeration"
       ],
-      "signature": "6YqZpHsmUz1/aTyOPNDUgJquKaacOqEqTIELHc5wlaydDz4bYboutEu/YiTYy+wF/nYo2nOyuJfMdR8jsYwEDQ==",
-      "signed_at": "2026-05-13T21:19:34.416Z"
+      "signature": "rh+/cr+wTcEmBwrGscBni/jXpxjjYP91pUKDFIGkahZpw+nghCM/3aLKFf5RFRnl3JKTyBRywIrYhUH1YuSlDw==",
+      "signed_at": "2026-05-14T16:47:03.249Z"
     },
     {
       "name": "fuzz-testing-strategy",
@@ -803,7 +803,7 @@
         "OSS-Fuzz-Gen / AI-assisted harness generation becoming the default expectation for OSS maintainers"
       ],
       "signature": "+ELdD+1AY5DymBitH7wU65CS60NY1nDoLowJAFn7cE5Gr/5jy9BTkyxsm7PEXaSlXWMOkTf/HQ+uyzyxUVD/Bw==",
-      "signed_at": "2026-05-13T21:19:34.416Z"
+      "signed_at": "2026-05-14T16:47:03.249Z"
     },
     {
       "name": "dlp-gap-analysis",
@@ -877,8 +877,8 @@
         "MCP gateway / proxy standardisation (Anthropic enterprise MCP gateway, Portkey MCP) — tool-call argument inspection is the missing primary control",
         "Quebec Law 25, India DPDPA, KSA PDPL enforcement actions naming AI-tool prompt data as in-scope personal information"
       ],
-      "signature": "H1N113M/YhnEPQptJ2B88wwAOB4eMPKuVABQ4DSlMjFMsX0ts1DBCupHHDoHcJHbi8vs+Wi10ekpL5SnsroZDQ==",
-      "signed_at": "2026-05-13T21:19:34.416Z"
+      "signature": "/BCBGUVjGs1RZzqXfElxBWB8UoD4+MY2G1YekdWsTDbMcHvt3NZJf0/JcqdYHOsEhFQ21NEz3w3+6tmQ8htKDw==",
+      "signed_at": "2026-05-14T16:47:03.249Z"
     },
     {
       "name": "supply-chain-integrity",
@@ -954,8 +954,8 @@
         "EU CRA (Regulation 2024/2847) — implementing acts for technical documentation and SBOM submission expected through 2027",
         "OpenSSF model-signing — emerging Sigstore-based signing standard for ML model weights; track for production adoption"
       ],
-      "signature": "TmV9ZBDYqp2pHIbNZKQYf+kZLNAiyagnH/pjK9+LiSd7OdFIN3KEpFHPUNzcivB/CT5q7nl7Tsmvc9UvGo8WDg==",
-      "signed_at": "2026-05-13T21:19:34.416Z"
+      "signature": "mySOkGScsNPtEZcHg42EKcvUSBzADIB9mSlNe0L1yPllrB/83ypBj6cCERRw9ql+rtrNxapyc6Do+nCz7E5rDg==",
+      "signed_at": "2026-05-14T16:47:03.250Z"
     },
     {
       "name": "defensive-countermeasure-mapping",
@@ -1012,7 +1012,7 @@
       ],
       "last_threat_review": "2026-05-11",
       "signature": "XZigwq8X/csfrdG10O6Q1V5q0zUqSQGd3QrjRKkZ4fkaodG4mZahYuIQqxc8rU9jjtGAm9LtBXYB+I5csqj9Bw==",
-      "signed_at": "2026-05-13T21:19:34.417Z"
+      "signed_at": "2026-05-14T16:47:03.250Z"
     },
     {
       "name": "identity-assurance",
@@ -1078,8 +1078,8 @@
       ],
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
-      "signature": "pCvavMUh5wR/TFl03Vh6ggKJHWPjakOEPDh7IjaD/U3WLBGPF3eyLBzieNLrPDXxIBbCJqnt9E79Bd4e73xCCg==",
-      "signed_at": "2026-05-13T21:19:34.417Z"
+      "signature": "k0HrsZMBxiPWB1jl4dRwhv/R5IsqbZ+SLDv1Jx3/sRl51JyXjtm8vyogTNhSwsl5/IkaRakqIPJFRFRl5h/9CQ==",
+      "signed_at": "2026-05-14T16:47:03.250Z"
     },
     {
       "name": "ot-ics-security",
@@ -1134,8 +1134,8 @@
       ],
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
-      "signature": "3V0ZpDLRTmCBx5Li+9m3XKA+k9QR+l0aE55cRPMX+UTDRlStKSG5PgrSGcL2ZKJog9hKaUPmjIVh7kkn54SfAg==",
-      "signed_at": "2026-05-13T21:19:34.417Z"
+      "signature": "oHxjumOhk8y86WcwhAX8sSWIlPzt60KfTMn4DCJLeRrrQd5+i54fVADKAdZ3vOqfDN+DexO0uX4f5dLPtacRCQ==",
+      "signed_at": "2026-05-14T16:47:03.251Z"
     },
     {
       "name": "coordinated-vuln-disclosure",
@@ -1187,7 +1187,7 @@
         "NYDFS 23 NYCRR 500 amendments potentially adding explicit CVD program requirements"
       ],
       "signature": "UCiNjncvhkZItmLQA/Sm1/NCsOiLMwdCjfUw+067v4NIxhaMMaqRrAeD3KgMyEtov7m2Hq2kfwYSt5+DQsYDCQ==",
-      "signed_at": "2026-05-13T21:19:34.418Z"
+      "signed_at": "2026-05-14T16:47:03.251Z"
     },
     {
       "name": "threat-modeling-methodology",
@@ -1236,8 +1236,8 @@
         "LINDDUN-GO and LINDDUN-PRO updates incorporating LLM privacy threats",
         "PASTA v2 updates incorporating AI/ML application threats"
       ],
-      "signature": "i8ZUFT7hwTQJyqYXWh8rchdEUNv1kk0bzkF3BHOANFwuVoM0+mukOPr+rhKdOWCPjTX72EG+0Mbs6hBTSfBBAg==",
-      "signed_at": "2026-05-13T21:19:34.418Z"
+      "signature": "V9kl8Cf8UMjNFyn3D/fSyhWHLeXWlx3WV/jT9jdF9SrjfDqymimuTt2o91cZ2FOEJndAH9V0JGXB13Ohz8K4CQ==",
+      "signed_at": "2026-05-14T16:47:03.251Z"
     },
     {
       "name": "webapp-security",
@@ -1310,8 +1310,8 @@
       ],
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
-      "signature": "3d+Hs8yfERF/NUuVhO3YFYCY+bVn7aAGbNCCyGeqYM2VIt7q/nzNXGfbNfJbSPezClwutOyxbzPwXMj+TjmMDA==",
-      "signed_at": "2026-05-13T21:19:34.418Z"
+      "signature": "csC9KRA3ExCSK77+UF6gj0OFPPZzOvuPxQtKEoaUZmLvn3V37My4IpbUjXAN2ZavTHqyFG9yQNfq3ELZeSJ7Cg==",
+      "signed_at": "2026-05-14T16:47:03.252Z"
     },
     {
       "name": "ai-risk-management",
@@ -1360,8 +1360,8 @@
       ],
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
-      "signature": "runa3PkfcThZmv5I+F6D1hOR/kfBeVOcdDZHsJ/59WOjsPj4BPi4d9MtP1vV7G9qq9daGGz6YzZGnejjin4pCA==",
-      "signed_at": "2026-05-13T21:19:34.418Z"
+      "signature": "P2D++lB5hea3oi2vl9mf8C7N+E7zASoqt1v4tjKxtaTeb+U0UARgMOaZsoK/sO9TT/PG/au14Rl4EFxv+Xi1BA==",
+      "signed_at": "2026-05-14T16:47:03.252Z"
     },
     {
       "name": "sector-healthcare",
@@ -1420,8 +1420,8 @@
       ],
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
-      "signature": "58fEAPnojhmGSpEIIyWIwfj65A2KB4SMyUCoieJ28OZaUktUF+56wLHQOdAW6v2fSeiriFqZEqGyKyLryGGcBg==",
-      "signed_at": "2026-05-13T21:19:34.419Z"
+      "signature": "BDuLcpTeFp2BNSf1q4rYOhYKNhlgd3o5RZ0Uw9xW5olyYxPbZSgqekQ+6Ggaec09s7y6sqR37GS0vuAMdbrdDQ==",
+      "signed_at": "2026-05-14T16:47:03.252Z"
     },
     {
       "name": "sector-financial",
@@ -1501,8 +1501,8 @@
         "OSFI B-13 (Technology and Cyber Risk Management) post-2024 examination findings",
         "TIBER-EU framework v2.0 alignment with DORA TLPT RTS (JC 2024/40); cross-recognition with CBEST and iCAST"
       ],
-      "signature": "wByxWUburbU5PB7EHLDVAByCpMbhKRTWqSoVsBmxIDsz2jCiKb3ogJutFnAV2r2oXuQIUaffGvrvACIrJ2GlBQ==",
-      "signed_at": "2026-05-13T21:19:34.419Z"
+      "signature": "4IUJePr6XbE1Ns+cPvEFAVgrwdHLImuxdPYiilurxM2SmJym1itRC1prFMcuT6Kh6e1clYXwlzflcKm/eikyDA==",
+      "signed_at": "2026-05-14T16:47:03.252Z"
     },
     {
       "name": "sector-federal-government",
@@ -1570,8 +1570,8 @@
         "EU Cybersecurity Certification Scheme on Common Criteria (EUCC) operational — first certificates issued 2024; high-assurance level for government use cases ramping",
         "Australia PSPF 2024 revision and ISM quarterly updates — track for Essential Eight Maturity Level requirements for federal entities"
       ],
-      "signature": "gdiwq/+AQxxNJ2t90dITyLd2ZWdDKHxbyS2I+AVRdM45VVKQEAY4XyheGZW8m5wdDF7N9X2ENIE5CRMfP5jnCA==",
-      "signed_at": "2026-05-13T21:19:34.420Z"
+      "signature": "nMsyJ+rp5fM8/VjC7zsZyDjOC4hpxB+noT1VX7W0HBlq5t3SY56cwOGApwES/kBcCuf4qexKY376OxUr93zvCQ==",
+      "signed_at": "2026-05-14T16:47:03.253Z"
     },
     {
       "name": "sector-energy",
@@ -1635,8 +1635,8 @@
         "MadIoT-class research on consumer-IoT-driven grid frequency manipulation moving from proof-of-concept to attributed campaigns",
         "ICS-CERT advisory feed (https://www.cisa.gov/news-events/cybersecurity-advisories/ics-advisories) for vendor CVEs in Siemens, Rockwell, Schneider Electric, ABB, GE Vernova, Hitachi Energy, AVEVA / OSIsoft PI"
       ],
-      "signature": "3M6nshB0ZNfr3H/rpcy58+/yve91u8kiTOhwUBePTZ0lQeuzlXZZV6/36i/NTWKC4SwgMn8fsZCpLxA5llRaCg==",
-      "signed_at": "2026-05-13T21:19:34.420Z"
+      "signature": "L1moEqEGkBkqY/3ohJcfqrlJn40UurDCyb2MOP/IwTAeZD+QbVZ17/drdsydkJ6qSXPiyiE6u8HDfZsDS13NBQ==",
+      "signed_at": "2026-05-14T16:47:03.253Z"
     },
     {
       "name": "api-security",
@@ -1704,8 +1704,8 @@
       ],
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
-      "signature": "rLOJBYVELFSVT2zLEByuko5Z1+HwGY99pQOC1XIVHs9l7gmY7F8N8luU/EBvVDcnT9w6nPiC5YKmCy/50LbxBQ==",
-      "signed_at": "2026-05-13T21:19:34.420Z"
+      "signature": "ad1pHD4QQ8uXkhrzqLuWgnDpESOapzx3qGFchU9rxiX1aeLQkYKwpDzqIItFq82B5xjNsW7g5jXlF1sgK2HmCA==",
+      "signed_at": "2026-05-14T16:47:03.253Z"
     },
     {
       "name": "cloud-security",
@@ -1785,8 +1785,8 @@
         "eBPF-based runtime detection coverage of confidential-computing enclaves (AWS Nitro Enclaves, Azure Confidential VMs, GCP Confidential Space) — partial visibility is a tracked detection gap",
         "CISA KEV additions for cloud-control-plane CVEs (IMDSv1 abuses, federation token mishandling, cross-tenant boundary failures); CISA Cybersecurity Advisories for cross-cloud advisories"
       ],
-      "signature": "PyA9IHcGNrCLC0AJW2jF5D5XheA60igeirjHb3IOz/HitBEg3t2g/siP6pAUImx3IUmwp9vh+A6k+KBuyHRgBQ==",
-      "signed_at": "2026-05-13T21:19:34.421Z"
+      "signature": "UEn0305KAEqIfYOdzadLBdPG/PJ+3sJ/8ubvPFNcXfqXp2uOWTfqGUqY65PApA992VEEa1RBQt5R7Nyhd/OjDQ==",
+      "signed_at": "2026-05-14T16:47:03.254Z"
     },
     {
       "name": "container-runtime-security",
@@ -1847,8 +1847,8 @@
       ],
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
-      "signature": "/RQD2SZghTsrG7qurGb1uabyJ2IL9nmbqd412k8tqZw6nzdvvNFWcYDUGBACEQLbSlJvuaJeQdMHQH5ZzzkNDA==",
-      "signed_at": "2026-05-13T21:19:34.421Z"
+      "signature": "4easZDYn25XK4E9MRnwnZohG3xdYMmOLlPznNVmr1ykNfB+343+ooj+R0quG8uEV/IqbTQpR1ink35K6jCghCg==",
+      "signed_at": "2026-05-14T16:47:03.254Z"
     },
     {
       "name": "mlops-security",
@@ -1918,8 +1918,8 @@
         "EU AI Act high-risk technical-file implementing acts (2026-2027) — operational requirements for Article 10 / 13 / 15 documentation may pin ML-BOM or model-signing",
         "MITRE ATLAS v5.2 — track AML.T0010 sub-technique expansion and any new MLOps-pipeline-specific TTPs"
       ],
-      "signature": "BeACZFTsTRZyGuOEc7NPGnGUQ84ZrFbYRsg+yqJxCH7QOM69jYJTnExyAyxXfiJyoytzSffJQNK3h0E48rm0BQ==",
-      "signed_at": "2026-05-13T21:19:34.421Z"
+      "signature": "chbPWzjfx92OjEAwMIm+J4GObxy8uwTahNBvbhMfYL7vTAJe/lf2BaW8wUpchpMIwYL0985A/+WykH8zmk/DBA==",
+      "signed_at": "2026-05-14T16:47:03.255Z"
     },
     {
       "name": "incident-response-playbook",
@@ -1980,8 +1980,8 @@
         "IL INCD Incident Response Process v4 (slated for 2026-2027) consolidating AI-incident sub-class",
         "NYDFS 23 NYCRR 500.17 amendments tightening ransom-payment 24h disclosure operationalization"
       ],
-      "signature": "oy63A4wX5g9rYq3wWYGSS9L7wndNaa1+wJPRPtiHMvQ6CNhTzN8kCs9Ur2SkT7U9BKYdfPLni0gGMjoeDbx+AA==",
-      "signed_at": "2026-05-13T21:19:34.422Z"
+      "signature": "3V7kvM5cxXdCBoMnjvOoTvT3zD+/yZEBHYgiunYQe8tBm+vVnS4jCz1Nzv/ymePIfbYDo/PlzKeGTWStSsGiAg==",
+      "signed_at": "2026-05-14T16:47:03.255Z"
     },
     {
       "name": "email-security-anti-phishing",
@@ -2033,8 +2033,8 @@
       "cwe_refs": [],
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
-      "signature": "EFhMVyQdiLRtYPHsMADrX3aDXyWd/F5sjnGoWtUTeTiIOmrhFMOCHsvpTPotfsLt0u3LgRK5ACgjgeON8PgQAg==",
-      "signed_at": "2026-05-13T21:19:34.422Z"
+      "signature": "RiCryJEd66T2NNcSo/mZTd3sGWDycE3C37guLJanLdVL5co35DrPFmIl8qy3ZM/y+Wzg5vpny8VKgr1//1/bCA==",
+      "signed_at": "2026-05-14T16:47:03.255Z"
     },
     {
       "name": "age-gates-child-safety",
@@ -2102,7 +2102,7 @@
         "US state adult-site age-verification laws — 19+ states by mid-2026 (TX HB 18 upheld by SCOTUS June 2025 in Free Speech Coalition v. Paxton); track ongoing challenges in remaining states"
       ],
       "signature": "MMWvg3lIf5ygm31zyf1E43t3W9MfRbMBBPrqlj1wOa8AxVJL8LICnAXfmyJ/TNJXwpF+rfZeDdoxXkql8wmtBA==",
-      "signed_at": "2026-05-13T21:19:34.422Z"
+      "signed_at": "2026-05-14T16:47:03.256Z"
     }
   ]
 }

package/orchestrator/dispatcher.js

@@ -20,6 +20,14 @@ const SKILLS_DIR = process.env.EXCEPTD_SKILLS_DIR || path.join(__dirname, '..',
  * @returns {{ plan: object[], unmatched: object[], summary: object }}
  */
 function dispatch(findings) {
+  // Type-check up front. A string argument would iterate character-by-
+  // character (since `for...of` on a string yields code points), producing
+  // nonsense "findings" with no domain/signal. Refuse loudly rather than
+  // silently process garbage; downstream consumers depend on plan entries
+  // being shaped by real findings.
+  if (!Array.isArray(findings)) {
+    throw new TypeError('dispatch: findings must be an array');
+  }
   const manifest = loadManifest();
   const plan = [];
   const unmatched = [];
@@ -85,10 +93,22 @@ function dispatch(findings) {
  */
 function routeQuery(query) {
   const manifest = loadManifest();
-  const q = query.toLowerCase();
+  if (typeof query !== 'string') return [];
+  const q = query.trim().toLowerCase();
+  // Reject empty + very short queries. The legacy substring match treats
+  // any trigger string as containing the empty string, so a bare empty
+  // query matched every skill — useless and misleading for callers.
+  // Short queries (1-2 chars) only match when they are an explicit
+  // prefix of a trigger; that prevents single letters from matching
+  // every trigger that contains them (e.g. "a" would match anything).
+  if (q.length === 0) return [];
 
   return manifest.skills.filter(skill => {
     const triggers = skill.triggers || [];
+    if (q.length < 3) {
+      // Trigger-prefix match only for short queries.
+      return triggers.some(t => t.toLowerCase().startsWith(q));
+    }
     return triggers.some(t => q.includes(t.toLowerCase()) || t.toLowerCase().includes(q));
   });
 }

package/orchestrator/event-bus.js

@@ -3,14 +3,36 @@
 /**
  * Event bus for trigger-driven skill updates.
  *
- * Events are typed and carry structured payloads. Handlers are registered per event type.
- * This is an in-process event bus — no external message queue required.
- * For production deployments, swap the internal emitter for a durable queue (Redis, SQS, etc.)
- * without changing the event schema.
+ * Events are typed and carry structured payloads. Handlers are registered per
+ * event type. This bus is in-process only; the event log is held in a bounded
+ * ring buffer in memory and is NOT persisted across process restarts. For
+ * production deployments where event history must survive restarts, swap the
+ * internal emitter for a durable queue (Redis Streams, SQS, NATS JetStream,
+ * etc.) without changing the event schema.
+ *
+ * Bounded log policy:
+ *   - The in-memory log is capped at EVENT_LOG_MAX_SIZE entries to prevent
+ *     unbounded memory growth on long-running `watch` processes.
+ *   - Default cap is 1000 entries; override at process start via the
+ *     EXCEPTD_EVENT_LOG_MAX_SIZE env var (positive integer).
+ *   - When the cap is reached, the oldest entry is shifted off on each new
+ *     emit (FIFO ring buffer semantics).
  */
 
 const { EventEmitter } = require('events');
 
+const DEFAULT_EVENT_LOG_MAX_SIZE = 1000;
+
+function _resolveLogMaxSize() {
+  const raw = process.env.EXCEPTD_EVENT_LOG_MAX_SIZE;
+  if (raw === undefined || raw === null || raw === '') return DEFAULT_EVENT_LOG_MAX_SIZE;
+  const n = Number(raw);
+  if (!Number.isFinite(n) || !Number.isInteger(n) || n <= 0) return DEFAULT_EVENT_LOG_MAX_SIZE;
+  return n;
+}
+
+const EVENT_LOG_MAX_SIZE = _resolveLogMaxSize();
+
 const EVENT_TYPES = {
   CISA_KEV_ADDED: 'cisa.kev.added',
   ATLAS_VERSION_RELEASED: 'atlas.version.released',
@@ -20,7 +42,8 @@ const EVENT_TYPES = {
   PQC_STANDARD_UPDATE: 'pqc.standard.update',
   EXPLOIT_STATUS_CHANGE: 'exploit.status.change',
   NEW_ATTACK_CLASS: 'attack_class.new',
-  SKILL_CURRENCY_LOW: 'skill.currency.low'
+  SKILL_CURRENCY_LOW: 'skill.currency.low',
+  SKILL_CURRENCY_LOW_AGGREGATE: 'skill.currency.low.aggregate'
 };
 
 // Maps event types to the skills they should trigger for review
@@ -33,13 +56,18 @@ const EVENT_SKILL_MAP = {
   [EVENT_TYPES.PQC_STANDARD_UPDATE]: ['pqc-first', 'framework-gap-analysis'],
   [EVENT_TYPES.EXPLOIT_STATUS_CHANGE]: ['exploit-scoring', 'kernel-lpe-triage', 'compliance-theater'],
   [EVENT_TYPES.NEW_ATTACK_CLASS]: ['threat-model-currency', 'ai-attack-surface', 'skill-update-loop'],
-  [EVENT_TYPES.SKILL_CURRENCY_LOW]: ['skill-update-loop']
+  [EVENT_TYPES.SKILL_CURRENCY_LOW]: ['skill-update-loop'],
+  [EVENT_TYPES.SKILL_CURRENCY_LOW_AGGREGATE]: ['skill-update-loop']
 };
 
 class ExceptdEventBus extends EventEmitter {
-  constructor() {
+  constructor(opts) {
     super();
+    const cap = opts && Number.isInteger(opts.maxLogSize) && opts.maxLogSize > 0
+      ? opts.maxLogSize
+      : EVENT_LOG_MAX_SIZE;
     this.eventLog = [];
+    this.maxLogSize = cap;
   }
 
   /**
@@ -58,6 +86,12 @@ class ExceptdEventBus extends EventEmitter {
     };
 
     this.eventLog.push(event);
+    // Bounded ring buffer — shift the oldest entry off when over cap. Loop
+    // rather than `if` so a runtime mutation of maxLogSize (or a burst that
+    // exceeds the cap in a single tick) still leaves the buffer at-cap.
+    while (this.eventLog.length > this.maxLogSize) {
+      this.eventLog.shift();
+    }
     super.emit(eventType, event);
     super.emit('*', event);
     return event;
@@ -83,6 +117,16 @@ class ExceptdEventBus extends EventEmitter {
     return this.on('*', handler);
   }
 
+  /**
+   * Detach a handler previously registered via onAny().
+   *
+   * @param {function} handler
+   */
+  offAny(handler) {
+    this.removeListener('*', handler);
+    return this;
+  }
+
   /**
    * Get all events that affected a specific skill.
    *
@@ -143,4 +187,4 @@ class ExceptdEventBus extends EventEmitter {
 
 const bus = new ExceptdEventBus();
 
-module.exports = { bus, EVENT_TYPES, EVENT_SKILL_MAP };
+module.exports = { bus, EVENT_TYPES, EVENT_SKILL_MAP, ExceptdEventBus, EVENT_LOG_MAX_SIZE, DEFAULT_EVENT_LOG_MAX_SIZE };