@blamejs/exceptd-skills 0.12.2 → 0.12.5

package/CHANGELOG.md

@@ -1,5 +1,103 @@
 # Changelog
 
+## 0.12.5 — 2026-05-13
+
+**Patch: root cause of the signature regression — a test was generating a fresh keypair mid-suite.**
+
+### The actual bug
+
+`tests/operator-bugs.test.js:#87 doctor --fix is registered (smoke)` invoked `exceptd doctor --fix` directly. On any host where `.keys/private.pem` was missing (every CI run, every fresh clone), `--fix` synchronously spawned `lib/sign.js generate-keypair`, which OVERWRITES `keys/public.pem` with a fresh Ed25519 public key.
+
+After that point in the test suite:
+- `keys/public.pem` = new key generated by the test
+- `manifest.json` skill signatures = unchanged, still reference the COMMITTED private key
+- Every subsequent step ran against a state where signatures cover content signed by Key-A but the public key on disk is Key-B
+- `npm pack` shipped the new public.pem + the old (committed) manifest signatures
+- `verify` on the published tarball failed 0/38 because the keys don't match
+
+The reason it was invisible across v0.11.x and v0.12.x:
+- The CI verify gate (predeploy gate 1) ran BEFORE the test that overwrote the key
+- The local maintainer always had `.keys/private.pem` present, so `--fix` was a no-op locally → local verify always passed
+- npm-installed operators ran `exceptd doctor --signatures` and saw 0/38, but no CI gate caught the broken tarball before publish
+- The new `verify-shipped-tarball` gate (v0.12.3) caught the symptom but the forensic logging in v0.12.4 was the first time we saw HEAD's public.pem fingerprint differ from the source-tree pubkey 19 seconds later in the same CI run
+
+### The fix
+
+Pre-stage a dummy `.keys/private.pem` before invoking `doctor --fix` in the test, so `lib/sign.js generate-keypair` sees "private key already present" and exits before any key write. Restore the pre-test state in `finally{}`. The test still asserts the verb is registered + emits JSON, which is the only thing the smoke check needs to verify.
+
+### Why v0.12.3 and v0.12.4 didn't fix it
+
+v0.12.3 added the `verify-shipped-tarball` gate which correctly BLOCKED the broken publish. v0.12.4 added per-file forensic logging which surfaced the exact divergence (source-tree fingerprint at gate 1 vs. gate 14). Neither release attempted to fix the root cause because we hadn't yet localized it to `doctor --fix` invocation inside a test. v0.12.5 is the actual fix.
+
+### Operator impact
+
+This release SHOULD publish cleanly — the test no longer mutates `keys/public.pem` during the suite, so the post-test source tree matches the pre-test source tree, the packed tarball signatures verify against the packed public key, and the gate passes. Operators running `exceptd doctor --signatures` on v0.12.5 should see `38/38 skills passed Ed25519 verification` for the first time since v0.11.0.
+
+### Lessons codified in CLAUDE.md
+
+- "Tests that invoke a real CLI verb that mutates filesystem state outside the test's tempdir are a CI-vs-local divergence engine." Always sandbox key-writing CLI invocations.
+- "Smoke tests should not exercise mutating code paths." A test named `*is registered (smoke)` should only verify dispatch, not run the verb's side effects.
+
+## 0.12.4 — 2026-05-13
+
+**Patch: forensic instrumentation for the signature-regression gate. v0.12.3 publish was blocked by the gate; v0.12.4 adds the diagnostic data needed to pinpoint the root cause on the next CI run.**
+
+The v0.12.3 release was blocked at the new `verify-shipped-tarball` gate — exactly the behavior intended (better blocked publish than silent broken tarball). But the gate didn't log enough detail to pinpoint WHICH files diverge between source-tree and npm-packed tarball in CI. v0.12.4 adds per-file forensics + a working-tree drift dump.
+
+### What's new
+
+- `scripts/verify-shipped-tarball.js`: on signature-fail, logs the size + sha256 of both the tarball-extracted content AND the source-tree content, plus whether the bytes are equal. Local pass-paths unchanged.
+- `.github/workflows/release.yml`: new "Forensic — working-tree drift since checkout" step (runs `if: always()` so it fires even when prior gates fail). Dumps `git status --porcelain` + `git diff --stat HEAD` + `ls -la` of the case-mixed skill directory. The next CI failure surfaces the exact file-level divergence.
+
+### Why this isn't the root-cause fix
+
+The bug is platform-specific: local `npm pack` on Windows produces a tarball that verifies 38/38. CI's `npm pack` on Ubuntu produces a tarball that verifies 0/38 — even though pubkey fingerprints match between source and tarball. The content drift has to be in a file the manifest signatures cover, but the signed bytes match between Windows and Linux (`.gitattributes` LF-normalizes). Forensics on the next run should make it obvious; this release ships the instrumentation, not the underlying fix.
+
+### Operator impact
+
+v0.12.2 remains the latest npm-published version. Operators who ran `npm install -g @blamejs/exceptd-skills` see 0/38 verify on `exceptd doctor --signatures`. Until v0.12.4 (or later) publishes successfully, the integrity gate is open. Mitigations:
+
+- `exceptd run`, `exceptd ci`, etc. do NOT block on signature verification — they continue to function with the catalog content as installed. The skill bytes themselves are intact (npm has its own tarball integrity check; only the per-skill Ed25519 attestation layer is broken).
+- For audit purposes: the supply-chain trust anchor through npm provenance (OIDC + sigstore via `npm publish --provenance`) is unaffected. Confirm with `npm view @blamejs/exceptd-skills attestations`.
+
+### Shai-Hulud source audit (open question, not in this release)
+
+The original Shai-Hulud campaign (2024) and Mini Shai-Hulud (CVE-2026-45321, 2026-05-11) are documented in public security research. v0.11.15 added CVE-2026-45321 to the catalog based on the description of the attack, not from a line-by-line reading of the published payload. Cross-referencing the actual payload source for IoCs we may have missed is scoped for v0.12.5:
+
+- Walk the published worm source line-by-line; enumerate every credential path, every persistence vector, every C2 indicator.
+- Compare against `data/cve-catalog.json:CVE-2026-45321.iocs` and the seven detect indicators in `data/playbooks/sbom.json` we ship.
+- Add any missing patterns as additional indicators; update CHANGELOG with the line-level diff.
+
+Same audit pattern should be applied to Copy Fail (CVE-2026-31431) and other open-sourced CVEs the catalog references — currently every CVE entry was assembled from secondary sources (advisories, NVD descriptions) rather than primary-source code review. v0.12.5 codifies the "primary-source review required before catalog entry" rule in AGENTS.md Hard Rule #14.
+
+## 0.12.3 — 2026-05-13
+
+**Patch: critical signature-verification regression fix + 14th predeploy gate to prevent recurrence.**
+
+### The critical bug
+
+Every release from v0.11.x through v0.12.2 shipped a tarball whose `keys/public.pem` did not match the Ed25519 signatures inside `manifest.json`. The result: `node lib/verify.js` against a fresh `npm install` reported `0/38 skills passed Ed25519 verification` and every skill listed as `TAMPERED`. Verification was silently bypassed by `exceptd run`, `exceptd ci`, etc. (which load skills without re-verifying), so the surface was only visible to operators running `exceptd doctor --signatures`.
+
+### What broke
+
+The CI release workflow's `verify` step ran against the SOURCE tree (which had matching signatures + public key). It passed `38/38`. But the tarball that `npm publish` actually uploaded ended up with a different `public.pem` than the source tree. Verifying-on-source-tree is not the same as verifying-on-shipped-tarball. The mismatch went undetected for the entire v0.11.x and v0.12.x series.
+
+### The fix
+
+- `scripts/verify-shipped-tarball.js` — packs the package via `npm pack`, extracts the tarball to a temp dir, and runs Ed25519 verify against the **extracted tree**. Catches any divergence between source-tree state and shipped-tarball state. Logs both fingerprints (source vs. tarball) so any future mismatch is forensically obvious.
+- Wired in as **the 14th predeploy gate** so local maintainers + CI both run it. A release that produces a broken tarball now blocks before `npm publish` instead of shipping silently.
+- v0.12.3 re-signs every skill against the current public key, then runs the new gate to confirm the round-trip is clean.
+
+### Other fixes
+
+- **#137**: help text bumped from `v0.11.0 canonical surface` → `v0.12.0 canonical surface`.
+- **#136 (text part)**: legacy-verb removal target moved from v0.12 → v0.13 in help text and deprecation banner. Actually removing the verbs is scope for a future release.
+- **#135 (the run-with-no-evidence exit-0 case)**: deferred to v0.12.4. The fix is straightforward (have `run` exit 3 when classification: inconclusive AND no observations submitted, matching `ci`'s semantic) but changes the `run` verb's contract, which deserves a focused release that also documents the behavior change.
+
+### Lesson codified in CLAUDE.md
+
+"Verify-on-source-tree is not verify-on-shipped-tarball." Any project that signs artifacts must verify the EXACT bytes that downstream consumers receive, after `npm pack` (or equivalent packaging step). The next-easiest place to lose integrity is the file-set transformation between `git checkout` and the registry upload — and that transformation runs in CI, where the maintainer has the least visibility.
+
 ## 0.12.2 — 2026-05-13
 
 **Patch: end-to-end scenario gate — staged-IoC harness in release workflow.**

package/bin/exceptd.js

@@ -110,7 +110,7 @@ const PLAYBOOK_VERBS = new Set([
   // v0.11.0 canonical surface:
   "brief", "run", "ai-run", "attest", "discover", "doctor", "ci", "ask",
   "verify-attestation", "run-all", "lint",
-  // v0.10.x legacy verbs — kept as aliases with deprecation banner, removed in v0.12+:
+  // v0.10.x legacy verbs — kept as aliases with deprecation banner, scheduled for removal in v0.13:
   "plan", "govern", "direct", "look", "ingest", "reattest", "list-attestations",
 ]);
 
@@ -176,7 +176,7 @@ function printHelp() {
 Usage: exceptd <command> [args]
        npx @blamejs/exceptd-skills <command> [args]
 
-v0.11.0 canonical surface
+v0.12.0 canonical surface
 ─────────────────────────
 
   brief [playbook]           Unified info doc — jurisdictions + threat context
@@ -267,7 +267,7 @@ v0.11.0 canonical surface
                              Sources: kev|epss|nvd|rfc|pins|ghsa (v0.12.0).
                                                     ghsa drafts pass validator as warnings.
 
-v0.10.x compatibility (will be removed in v0.12)
+v0.10.x compatibility (will be removed in v0.13)
 ────────────────────────────────────────────────
 
 These verbs still work but emit a one-time deprecation banner. The
@@ -394,7 +394,7 @@ function main() {
         (haveBrief
           ? `Prefer \`${LEGACY_VERB_REPLACEMENTS[cmd]}\` (available in this install, v${ver}). `
           : `Upgrade to v0.11.0+ then use \`${LEGACY_VERB_REPLACEMENTS[cmd]}\` (currently installed: v${ver}). `) +
-        `Legacy verbs remain functional through this release; they will be removed in v0.12. ` +
+        `Legacy verbs remain functional through this release; they will be removed in v0.13. ` +
         `Suppress: export EXCEPTD_DEPRECATION_SHOWN=1.\n`
       );
       process.env.EXCEPTD_DEPRECATION_SHOWN = "1";

package/data/_indexes/_meta.json

@@ -1,10 +1,10 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-13T02:49:16.936Z",
+  "generated_at": "2026-05-13T03:34:45.737Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 49,
   "source_hashes": {
-    "manifest.json": "c607b3254ea45ed898b325a4bacbfc1076d2669e813e2d4dcbbd9d6ab0cf73ec",
+    "manifest.json": "694af5663344e76c17f8de1953aa388246a49502ad7b8d49b4d33c8ce8709610",
     "data/atlas-ttps.json": "1500b5830dab070c4252496964a8c0948e1052a656e2c7c6e1efaf0350645e13",
     "data/cve-catalog.json": "e9a3a4ce988caa051e50a467f1cd9c0dcbf9e8f6f3e9522610baf196217b7bdc",
     "data/cwe-catalog.json": "c3367d469b4b3d31e4c56397dd7a8305a0be338ecd85afa27804c0c9ce12157b",

package/keys/public.pem

@@ -1,3 +1,3 @@
 -----BEGIN PUBLIC KEY-----
-MCowBQYDK2VwAyEALm7uQSdGjE9NSorvxoDnbqolbQaRXyGrgb82J5gUHhA=
+MCowBQYDK2VwAyEAwEeCeTewS5TXFoRNRX4VKRHZL14bwdTVOZoMcedzq5s=
 -----END PUBLIC KEY-----

package/manifest-snapshot.json

@@ -1,6 +1,6 @@
 {
   "_comment": "Auto-generated by scripts/refresh-manifest-snapshot.js — do not hand-edit. Public skill surface used by check-manifest-snapshot.js to detect breaking removals.",
-  "_generated_at": "2026-05-13T02:48:32.579Z",
+  "_generated_at": "2026-05-13T03:33:47.456Z",
   "atlas_version": "5.1.0",
   "skill_count": 38,
   "skills": [

package/manifest.json

@@ -1,6 +1,6 @@
 {
   "name": "exceptd-security",
-  "version": "0.12.2",
+  "version": "0.12.5",
   "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation",
   "homepage": "https://exceptd.com",
   "license": "Apache-2.0",
@@ -52,7 +52,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "Xk593pj7my6wPJbQBE47khpIUrPsp6N1lW7cE2T/VPPF5T+8C1yGKc9B8VphD7Q08yWFcbwF6HoWpA/+4uG9DA==",
-      "signed_at": "2026-05-13T02:48:32.136Z",
+      "signed_at": "2026-05-13T03:33:37.992Z",
       "cwe_refs": [
         "CWE-125",
         "CWE-362",
@@ -116,7 +116,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "nOgUu+LK9fy6ASTCoRGtx3ttgjZCl7WIkKu2wu06JEKVSpL2cKU3ex2tmVAvv11LBmpTH+b/0zvqXlzcxzHnCw==",
-      "signed_at": "2026-05-13T02:48:32.138Z",
+      "signed_at": "2026-05-13T03:33:37.994Z",
       "cwe_refs": [
         "CWE-1039",
         "CWE-1426",
@@ -179,7 +179,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "7FH1J9PlOyvcRCzRmggmenX9fIR0pi/veXihb3TeStcq1Rpuz1KHdOcJLqA9su4t2goYukKKCXHV6hx8hzplAA==",
-      "signed_at": "2026-05-13T02:48:32.138Z",
+      "signed_at": "2026-05-13T03:33:37.995Z",
       "cwe_refs": [
         "CWE-22",
         "CWE-345",
@@ -225,7 +225,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "FqTRjHfEgw56pyHnyWzNtnhzDMEePBtmuamtW/iyX+h4yqbvP4Fyr7NRjRs3EgqT4j7oHuEZhV9Jt6ZTBgN4AA==",
-      "signed_at": "2026-05-13T02:48:32.138Z"
+      "signed_at": "2026-05-13T03:33:37.995Z"
     },
     {
       "name": "compliance-theater",
@@ -256,7 +256,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "3fN4yotiIIq76PVTHwozCu28TzDZvWule6vX8SXUT3XXbIBSuvAO0M/euvc3pw3TdZ2UNf78dI18lOCNdJ0aAg==",
-      "signed_at": "2026-05-13T02:48:32.139Z"
+      "signed_at": "2026-05-13T03:33:37.996Z"
     },
     {
       "name": "exploit-scoring",
@@ -285,7 +285,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "yZfpk4lQMRXegj2ADWjMmZTchUN6Lxpv587O/0JMzbNkXQtD6FrSAQOBWjx8S7uQ/sTntxgGN7aQQDLxL9RWAA==",
-      "signed_at": "2026-05-13T02:48:32.139Z"
+      "signed_at": "2026-05-13T03:33:37.996Z"
     },
     {
       "name": "rag-pipeline-security",
@@ -322,7 +322,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "ABHkoqee67KdUyDZ3bvF+/DNxjGhPR/ehT6pfOnmUIMmkcQFHpZ0OUVXKiFUANaLgKLP1vg0VEmHOoxpNA3vAA==",
-      "signed_at": "2026-05-13T02:48:32.140Z",
+      "signed_at": "2026-05-13T03:33:37.996Z",
       "cwe_refs": [
         "CWE-1395",
         "CWE-1426"
@@ -379,7 +379,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "+Nd/2tgBnW+mEGX84QvkgR2To2J7kA+lB63BsADDKeCXeebFv6Vo9H1P4vyUkKHfe4fP0ndpy3agIZcUO/e/Dg==",
-      "signed_at": "2026-05-13T02:48:32.140Z",
+      "signed_at": "2026-05-13T03:33:37.996Z",
       "d3fend_refs": [
         "D3-CA",
         "D3-CSPP",
@@ -414,7 +414,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "VMNGFvowXLbBjZp5nvWloKkqyqHKhnSzbVRU3gX9quOZJHH56w2M4id+oDsXIjR0CfRRb7eXl/so0Hq4xLBuBQ==",
-      "signed_at": "2026-05-13T02:48:32.140Z",
+      "signed_at": "2026-05-13T03:33:37.997Z",
       "cwe_refs": [
         "CWE-1188"
       ]
@@ -442,7 +442,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "5MaJs7gPCuFlK4oAttLulAPOA1noeV+xD/UqVWaVyRedXZgebBGKjnlE2t1qmTugvxlNIfeAnBZapk+Wz3VAAg==",
-      "signed_at": "2026-05-13T02:48:32.141Z"
+      "signed_at": "2026-05-13T03:33:37.997Z"
     },
     {
       "name": "global-grc",
@@ -474,7 +474,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "S/YXUpI/mcG2FpdUTgMsccWBtTaR5A4Ph4QFQw31S9w9Hn/z3sOFHLkb1B5YSwlg+mMOtSIxMdet1eLGSZkTDg==",
-      "signed_at": "2026-05-13T02:48:32.141Z"
+      "signed_at": "2026-05-13T03:33:37.997Z"
     },
     {
       "name": "zeroday-gap-learn",
@@ -501,7 +501,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "AKS+JsmhhBtytY2eIMuydjkZOYprWCmQ+RqxyxcVG9XcEI29ZSM/JbVIINQHozFl7OPPrOu1ouiTnk7LOJ86Bg==",
-      "signed_at": "2026-05-13T02:48:32.141Z"
+      "signed_at": "2026-05-13T03:33:37.998Z"
     },
     {
       "name": "pqc-first",
@@ -553,7 +553,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "oEkK5bLS/G5RIHnxlNFJYdzhTJbKZnkJv+W4iS9UJ/uszZHgZGoxygELPc4kn3FowV5eE988SQYG4WKlXtNzCg==",
-      "signed_at": "2026-05-13T02:48:32.142Z",
+      "signed_at": "2026-05-13T03:33:37.998Z",
       "cwe_refs": [
         "CWE-327"
       ],
@@ -600,7 +600,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "nPV6YTo1rsNH49qUnZpfoNLEQZXuLNyV05QMUOgXKHYeVDjotYpWhLgyVXlRhjV/fStiA2sWQ0MOnEJ4FBIfDg==",
-      "signed_at": "2026-05-13T02:48:32.142Z"
+      "signed_at": "2026-05-13T03:33:37.999Z"
     },
     {
       "name": "security-maturity-tiers",
@@ -637,7 +637,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "7rirSEONz6O9Yyf46eTyuwkGizCj9FRcNHe5p7Qz6nhJoZQRW5FwW7n9opL0WlbIw8FDBYn1f22zgNUV87L5AQ==",
-      "signed_at": "2026-05-13T02:48:32.143Z",
+      "signed_at": "2026-05-13T03:33:37.999Z",
       "cwe_refs": [
         "CWE-1188"
       ]
@@ -672,7 +672,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-11",
       "signature": "+evehnd2wSBb8uMTlTr5/aTN4bfLjsKzZJk/+OMLMOJrjCt+OuMU7EQC6xMUGeSc4cPEGajghDvq3xVaacV2Dw==",
-      "signed_at": "2026-05-13T02:48:32.143Z"
+      "signed_at": "2026-05-13T03:33:37.999Z"
     },
     {
       "name": "attack-surface-pentest",
@@ -743,7 +743,7 @@
         "PTES revision incorporating AI-surface enumeration"
       ],
       "signature": "KHOXxloAYf7xqXjm2BaL3HVAZOmb7rMiMh20H/oaIkjN0WD1CnKCrRGPJn867uSFhCh/timkXolaiqD1L/h8Dg==",
-      "signed_at": "2026-05-13T02:48:32.143Z"
+      "signed_at": "2026-05-13T03:33:38.000Z"
     },
     {
       "name": "fuzz-testing-strategy",
@@ -803,7 +803,7 @@
         "OSS-Fuzz-Gen / AI-assisted harness generation becoming the default expectation for OSS maintainers"
       ],
       "signature": "+ELdD+1AY5DymBitH7wU65CS60NY1nDoLowJAFn7cE5Gr/5jy9BTkyxsm7PEXaSlXWMOkTf/HQ+uyzyxUVD/Bw==",
-      "signed_at": "2026-05-13T02:48:32.143Z"
+      "signed_at": "2026-05-13T03:33:38.000Z"
     },
     {
       "name": "dlp-gap-analysis",
@@ -878,7 +878,7 @@
         "Quebec Law 25, India DPDPA, KSA PDPL enforcement actions naming AI-tool prompt data as in-scope personal information"
       ],
       "signature": "8tFAhXAS8zZN3SUOdn+ZIu7lQ48JMOyBQ8SaObR3L/fDyFmDhufqleY2VzI3yigqlT/D4Y8FYxZHKmzXiALjDw==",
-      "signed_at": "2026-05-13T02:48:32.144Z"
+      "signed_at": "2026-05-13T03:33:38.000Z"
     },
     {
       "name": "supply-chain-integrity",
@@ -955,7 +955,7 @@
         "OpenSSF model-signing — emerging Sigstore-based signing standard for ML model weights; track for production adoption"
       ],
       "signature": "YhvlD+6gdFGg7P6QtpWeb0n54/Ujlxc7I6o/bXtpkfPiy/JY4OJo5xdreb+mbytHkasmUErL5LsDtTCAVq0QAA==",
-      "signed_at": "2026-05-13T02:48:32.144Z"
+      "signed_at": "2026-05-13T03:33:38.000Z"
     },
     {
       "name": "defensive-countermeasure-mapping",
@@ -1012,7 +1012,7 @@
       ],
       "last_threat_review": "2026-05-11",
       "signature": "AMdLkDx/e3ESI4NAnJhhcaas+Ru8VjrSn6v6RBbmmzoLCGo/vFxGraa1p/qF9udhVG+DdkbwHfbfKK5Im19KDw==",
-      "signed_at": "2026-05-13T02:48:32.145Z"
+      "signed_at": "2026-05-13T03:33:38.001Z"
     },
     {
       "name": "identity-assurance",
@@ -1079,7 +1079,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "pSMHKkyWoZvRIuVtN7Vue51sP5MIy9lSaQa2YSAMhxjptx81cUnPt3S11/Tb9Ea1/eluMNQ+5F25eF2njr4mBQ==",
-      "signed_at": "2026-05-13T02:48:32.145Z"
+      "signed_at": "2026-05-13T03:33:38.001Z"
     },
     {
       "name": "ot-ics-security",
@@ -1135,7 +1135,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "qjky+ZTX1DP7uRRMQZq7S7P9/uaJEoB1dy4RZ1l37Q4OO3k2ryfL+7o0Cgm/piuafJfH+dqUeNCRrVefj4r8Dw==",
-      "signed_at": "2026-05-13T02:48:32.146Z"
+      "signed_at": "2026-05-13T03:33:38.001Z"
     },
     {
       "name": "coordinated-vuln-disclosure",
@@ -1187,7 +1187,7 @@
         "NYDFS 23 NYCRR 500 amendments potentially adding explicit CVD program requirements"
       ],
       "signature": "F86Zl/I+dBzHYRUuGWsjDQI2F/I/vhzwZUFMqhNfKUzRbMf6mafOX2APCPYTp3eP1DvvvfL3Yc0hb1R5Q4nOAg==",
-      "signed_at": "2026-05-13T02:48:32.146Z"
+      "signed_at": "2026-05-13T03:33:38.002Z"
     },
     {
       "name": "threat-modeling-methodology",
@@ -1237,7 +1237,7 @@
         "PASTA v2 updates incorporating AI/ML application threats"
       ],
       "signature": "D/4d5NcJScNH58ADXsSrVzTmLSWZpUZTdyhtDkJlC0twSMNczOiDsXgYFitBaZgGdv5nVd00viR45mNrsaZ4BQ==",
-      "signed_at": "2026-05-13T02:48:32.147Z"
+      "signed_at": "2026-05-13T03:33:38.002Z"
     },
     {
       "name": "webapp-security",
@@ -1311,7 +1311,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "UOXaUtpcFjXyDQ70z2PaGu6K3pABtXp+7YzO6eGVGpN1CxXpPq/xW/CnTng6B7wk9WSsqD0OORBJp4VCjiVfAQ==",
-      "signed_at": "2026-05-13T02:48:32.147Z"
+      "signed_at": "2026-05-13T03:33:38.002Z"
     },
     {
       "name": "ai-risk-management",
@@ -1361,7 +1361,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "IVKygsrFjiM64fQVbd2PT6jDjs6fm5nKwJSqGfK53gG0S9wdHC4QYuh+LWlI/2ftvIKjjedLQ6FRyTrqpDEuDw==",
-      "signed_at": "2026-05-13T02:48:32.147Z"
+      "signed_at": "2026-05-13T03:33:38.003Z"
     },
     {
       "name": "sector-healthcare",
@@ -1421,7 +1421,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "P+CdSu8ZJCNUU4nTa09Voh2PcYF3y/AFJn4v7cjVIGo9FbbqO7MwvGN7cJ+aSRs2/3NMUXX4eupcODslxYyJDw==",
-      "signed_at": "2026-05-13T02:48:32.148Z"
+      "signed_at": "2026-05-13T03:33:38.003Z"
     },
     {
       "name": "sector-financial",
@@ -1502,7 +1502,7 @@
         "TIBER-EU framework v2.0 alignment with DORA TLPT RTS (JC 2024/40); cross-recognition with CBEST and iCAST"
       ],
       "signature": "zpEfh181Sc0b0cvRf/31Ir1f8lD4V5tehTogO3TJMxdKmXu06IAK7hrhBcLA/jFBv3xDDwrWW3sHzChVhWDeDA==",
-      "signed_at": "2026-05-13T02:48:32.148Z"
+      "signed_at": "2026-05-13T03:33:38.003Z"
     },
     {
       "name": "sector-federal-government",
@@ -1571,7 +1571,7 @@
         "Australia PSPF 2024 revision and ISM quarterly updates — track for Essential Eight Maturity Level requirements for federal entities"
       ],
       "signature": "7NpQlPu1DkpY9f+Frv/LLBHWUUe/qTM80c+xeYDxOzweXhvJGE/dnDCjglYHTjxT82L9cVxzBezvLEne20UpBg==",
-      "signed_at": "2026-05-13T02:48:32.148Z"
+      "signed_at": "2026-05-13T03:33:38.004Z"
     },
     {
       "name": "sector-energy",
@@ -1636,7 +1636,7 @@
         "ICS-CERT advisory feed (https://www.cisa.gov/news-events/cybersecurity-advisories/ics-advisories) for vendor CVEs in Siemens, Rockwell, Schneider Electric, ABB, GE Vernova, Hitachi Energy, AVEVA / OSIsoft PI"
       ],
       "signature": "4rhyHN5HykK7MQUmhvaTeDGj6Qf5swDd5ry8foh4KBvTkRKxTI/XyxconFGm5FASnySGPLMxX6m4JZAq5wiNBg==",
-      "signed_at": "2026-05-13T02:48:32.149Z"
+      "signed_at": "2026-05-13T03:33:38.004Z"
     },
     {
       "name": "api-security",
@@ -1705,7 +1705,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "hS1izPhETclITK7fp6R67dhy+wFDti/YsJ2M5I1gDjeWZYK41WuxeYSyt5xEHbCr3WCGDFJe77jkK1MWkxk2BA==",
-      "signed_at": "2026-05-13T02:48:32.149Z"
+      "signed_at": "2026-05-13T03:33:38.004Z"
     },
     {
       "name": "cloud-security",
@@ -1786,7 +1786,7 @@
         "CISA KEV additions for cloud-control-plane CVEs (IMDSv1 abuses, federation token mishandling, cross-tenant boundary failures); CISA Cybersecurity Advisories for cross-cloud advisories"
       ],
       "signature": "kuatqNZoRnv+oeyrxbnk+m37JRBIgRAWnDp0/IYLnoBOybiG09RzLILJraxjhvdSNCgo7WXTeBO3Y6a3Ji9MAA==",
-      "signed_at": "2026-05-13T02:48:32.149Z"
+      "signed_at": "2026-05-13T03:33:38.005Z"
     },
     {
       "name": "container-runtime-security",
@@ -1848,7 +1848,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "Btb3/7fjPFopFVdxP7+E6n322gnAAwd7OPrnuqatq6c1rXTD9aXKxiBeCmWxs8zYbIbE/lFoe9R2g6uTp8ZDBg==",
-      "signed_at": "2026-05-13T02:48:32.150Z"
+      "signed_at": "2026-05-13T03:33:38.005Z"
     },
     {
       "name": "mlops-security",
@@ -1919,7 +1919,7 @@
         "MITRE ATLAS v5.2 — track AML.T0010 sub-technique expansion and any new MLOps-pipeline-specific TTPs"
       ],
       "signature": "TBWnlgdllW7K1F10HCJ7p4dbLeS3lyNWm+7mNNtyZu7jB1V5AauG1P7sb1nLLqwKqeGlHS1F0eh/BNiuAvkABg==",
-      "signed_at": "2026-05-13T02:48:32.151Z"
+      "signed_at": "2026-05-13T03:33:38.005Z"
     },
     {
       "name": "incident-response-playbook",
@@ -1981,7 +1981,7 @@
         "NYDFS 23 NYCRR 500.17 amendments tightening ransom-payment 24h disclosure operationalization"
       ],
       "signature": "FVAXpD6sIoOLQSPtZSLLsXQnc2o2hRwiFj4xK8zEWJVkUWGqvAWRrngie7O2DRKIbWqjO5h9EevVYSzhwYHCAA==",
-      "signed_at": "2026-05-13T02:48:32.151Z"
+      "signed_at": "2026-05-13T03:33:38.006Z"
     },
     {
       "name": "email-security-anti-phishing",
@@ -2034,7 +2034,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "0HDt3Qklee4FQeKoZfwr+8qdq2pVDS0a+c7JxVw1hV/bl8+YTPaPjPTAhQUnbhUCa5cGo7G4MBQ1AifQTMJdDA==",
-      "signed_at": "2026-05-13T02:48:32.152Z"
+      "signed_at": "2026-05-13T03:33:38.006Z"
     },
     {
       "name": "age-gates-child-safety",
@@ -2102,7 +2102,7 @@
         "US state adult-site age-verification laws — 19+ states by mid-2026 (TX HB 18 upheld by SCOTUS June 2025 in Free Speech Coalition v. Paxton); track ongoing challenges in remaining states"
       ],
       "signature": "UyPSKUztZI/daHCRTnAh6ryoKLX4xyjuG+EaNMPRVuCz2gANGl1F/NozDsw7R2koMUwSFoiYTzwqDvo1tpuKAg==",
-      "signed_at": "2026-05-13T02:48:32.152Z"
+      "signed_at": "2026-05-13T03:33:38.006Z"
     }
   ]
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/exceptd-skills",
-  "version": "0.12.2",
+  "version": "0.12.5",
   "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 38 skills, 10 catalogs, 34 jurisdictions, pre-computed indexes, Ed25519-signed.",
   "keywords": [
     "ai-security",

package/sbom.cdx.json

@@ -1,10 +1,10 @@
 {
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:f4ef44ca-296e-4961-bf84-1231c24d3c05",
+  "serialNumber": "urn:uuid:9dc98664-f302-4563-875e-0b2a119304d0",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-13T02:48:32.992Z",
+    "timestamp": "2026-05-13T03:33:47.860Z",
     "tools": [
       {
         "name": "hand-written",
@@ -13,10 +13,10 @@
       }
     ],
     "component": {
-      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.12.2",
+      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.12.5",
       "type": "application",
       "name": "@blamejs/exceptd-skills",
-      "version": "0.12.2",
+      "version": "0.12.5",
       "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 38 skills, 10 catalogs, 34 jurisdictions, pre-computed indexes, Ed25519-signed.",
       "licenses": [
         {
@@ -25,11 +25,11 @@
           }
         }
       ],
-      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.12.2",
+      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.12.5",
       "externalReferences": [
         {
           "type": "distribution",
-          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.12.2"
+          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.12.5"
         },
         {
           "type": "vcs",

package/scripts/predeploy.js

@@ -139,6 +139,18 @@ const GATES = [
     args: [path.join(ROOT, "lib", "validate-package.js")],
     ciJobName: "Data integrity (catalog + manifest snapshot)",
   },
+  {
+    // v0.12.3 — packs the tarball, extracts it, runs Ed25519 verify on the
+    // EXTRACTED tree. Catches the class of bug where verify-on-source-tree
+    // passes (38/38) but verify-on-shipped-tarball fails (0/38) because
+    // something between sign and pack swapped keys/public.pem. Every release
+    // v0.11.x through v0.12.2 shipped this regression invisibly.
+    name: "Verify shipped tarball (sign + pack + extract + verify round-trip)",
+    command: process.execPath,
+    args: [path.join(ROOT, "scripts", "verify-shipped-tarball.js")],
+    ciJobName: "Data integrity (catalog + manifest snapshot)",
+    requiresKeys: true,
+  },
 ];
 
 /* Inline checker, run as `node -e`, so the predeploy gate stays one

package/scripts/verify-shipped-tarball.js

@@ -0,0 +1,157 @@
+#!/usr/bin/env node
+"use strict";
+
+/**
+ * scripts/verify-shipped-tarball.js
+ *
+ * Pack the package with `npm pack`, extract the tarball to a temp dir,
+ * then run lib/verify.js against the EXTRACTED tree (not the source
+ * working tree). This catches the class of bug where:
+ *
+ *   - CI's verify step against the source tree passes (38/38)
+ *   - The tarball that npm publish actually uploads has different
+ *     content (e.g. keys/public.pem swapped) and verify-on-tarball fails
+ *
+ * Every release v0.11.x through v0.12.2 shipped a tarball whose
+ * keys/public.pem did not match the Ed25519 signatures in manifest.json.
+ * Operators installing from npm saw 0/38 verify on every fresh install.
+ * The bug was invisible because CI's verify ran against the SOURCE tree,
+ * not the shipped tarball. This gate closes that gap.
+ *
+ * Exit codes:
+ *   0  verify passed against the packed tarball
+ *   1  verify failed against the packed tarball (the bug class above)
+ *   2  pack or extract failed (infrastructure error)
+ *
+ * Zero npm deps. Node 24 stdlib only.
+ */
+
+const fs = require("fs");
+const path = require("path");
+const os = require("os");
+const { spawnSync } = require("child_process");
+
+const ROOT = path.resolve(__dirname, "..");
+
+function emit(msg) { process.stdout.write(`[verify-shipped-tarball] ${msg}\n`); }
+function fail(msg, code = 1) {
+  process.stderr.write(`[verify-shipped-tarball] FAIL: ${msg}\n`);
+  process.exit(code);
+}
+
+const tmpRoot = fs.mkdtempSync(path.join(os.tmpdir(), "verify-shipped-"));
+try {
+  emit(`packing into ${tmpRoot} ...`);
+  const pack = spawnSync("npm", ["pack", "--pack-destination", tmpRoot], {
+    cwd: ROOT,
+    encoding: "utf8",
+    shell: process.platform === "win32",
+  });
+  if (pack.status !== 0) {
+    fail(`npm pack failed (exit ${pack.status}): ${pack.stderr || pack.stdout}`, 2);
+  }
+  const tarballName = pack.stdout.trim().split(/\r?\n/).filter(Boolean).pop();
+  const tarballPath = path.join(tmpRoot, tarballName);
+  if (!fs.existsSync(tarballPath)) fail(`expected tarball at ${tarballPath}, not found`, 2);
+  emit(`tarball: ${tarballPath} (${fs.statSync(tarballPath).size} bytes)`);
+
+  // Extract via Node — bypasses GNU tar's "C:..." path quirk on Windows
+  // where it interprets the colon as a remote-host separator.
+  const extractDir = path.join(tmpRoot, "extract");
+  fs.mkdirSync(extractDir, { recursive: true });
+  const zlib = require("zlib");
+  const { parseTar } = require(path.join(ROOT, "lib", "refresh-network.js"));
+  const tgz = fs.readFileSync(tarballPath);
+  const tarBuf = zlib.gunzipSync(tgz);
+  const entries = parseTar(tarBuf);
+  for (const e of entries) {
+    if (!e.name) continue;
+    const dst = path.join(extractDir, e.name);
+    fs.mkdirSync(path.dirname(dst), { recursive: true });
+    fs.writeFileSync(dst, e.body);
+  }
+
+  const pkgRoot = path.join(extractDir, "package");
+  if (!fs.existsSync(path.join(pkgRoot, "lib", "verify.js"))) {
+    fail(`extracted tree missing lib/verify.js at ${pkgRoot}`, 2);
+  }
+  emit(`extracted to ${pkgRoot}`);
+
+  // Run the verifier inline against the extracted package tree. This avoids
+  // having to spawn a separate process whose cwd resolution differs across
+  // platforms.
+  const crypto = require("crypto");
+  const manifestPath = path.join(pkgRoot, "manifest.json");
+  const pubKeyPath = path.join(pkgRoot, "keys", "public.pem");
+  if (!fs.existsSync(manifestPath)) fail(`extracted tree missing manifest.json`, 2);
+  if (!fs.existsSync(pubKeyPath)) fail(`extracted tree missing keys/public.pem`, 2);
+
+  const manifest = JSON.parse(fs.readFileSync(manifestPath, "utf8"));
+  const pubPem = fs.readFileSync(pubKeyPath, "utf8");
+  const pubKey = crypto.createPublicKey(pubPem);
+  const pubFp = crypto.createHash("sha256")
+    .update(pubKey.export({ type: "spki", format: "der" }))
+    .digest("base64");
+
+  // Compute the same fingerprint for the SOURCE-tree public.pem so the log
+  // shows the divergence explicitly.
+  const sourcePubPem = fs.readFileSync(path.join(ROOT, "keys", "public.pem"), "utf8");
+  const sourcePubKey = crypto.createPublicKey(sourcePubPem);
+  const sourcePubFp = crypto.createHash("sha256")
+    .update(sourcePubKey.export({ type: "spki", format: "der" }))
+    .digest("base64");
+
+  emit(`source-tree public.pem fingerprint: SHA256:${sourcePubFp}`);
+  emit(`tarball     public.pem fingerprint: SHA256:${pubFp}`);
+  if (pubFp !== sourcePubFp) {
+    emit(`*** WARNING: tarball public.pem differs from source-tree public.pem ***`);
+    emit(`*** Something between sign and pack is swapping the key. Verify will fail below. ***`);
+  }
+
+  let pass = 0, miss = 0, fail_count = 0;
+  const failures = [];
+  for (const s of (manifest.skills || [])) {
+    const skillPath = path.join(pkgRoot, s.path);
+    const sourceSkillPath = path.join(ROOT, s.path);
+    if (!fs.existsSync(skillPath)) {
+      miss++;
+      failures.push(`${s.name}: file not found at ${s.path}`);
+      continue;
+    }
+    const content = fs.readFileSync(skillPath);
+    const ok = crypto.verify(null, content, pubKey, Buffer.from(s.signature, "base64"));
+    if (ok) pass++;
+    else {
+      fail_count++;
+      // Forensic detail: log size + sha256 of tarball-extracted content vs source-tree content
+      // so we can pinpoint which bytes changed between npm pack and what was signed.
+      const tarSha = crypto.createHash("sha256").update(content).digest("hex").slice(0, 16);
+      let srcSha = "<missing>", srcSize = 0, srcContent;
+      if (fs.existsSync(sourceSkillPath)) {
+        srcContent = fs.readFileSync(sourceSkillPath);
+        srcSize = srcContent.length;
+        srcSha = crypto.createHash("sha256").update(srcContent).digest("hex").slice(0, 16);
+      }
+      const equal = srcContent && content.equals(srcContent) ? "equal" : "DIFFER";
+      failures.push(`${s.name}: signature did not verify (tarball size=${content.length} sha=${tarSha}; source size=${srcSize} sha=${srcSha}; bytes ${equal})`);
+    }
+  }
+
+  const total = (manifest.skills || []).length;
+  emit(`tarball verify result: ${pass}/${total} pass, ${fail_count} fail, ${miss} missing`);
+  if (fail_count === 0 && miss === 0 && pass === total) {
+    emit(`PASS — shipped tarball is internally consistent`);
+    process.exit(0);
+  }
+  for (const f of failures.slice(0, 10)) emit(`  - ${f}`);
+  if (failures.length > 10) emit(`  ... and ${failures.length - 10} more`);
+  emit(`FAIL — shipped tarball would be broken on every fresh install. Refusing to publish.`);
+  process.exit(1);
+} finally {
+  // Best-effort cleanup; leave on failure for diagnostics.
+  if (process.exitCode === 0) {
+    try { fs.rmSync(tmpRoot, { recursive: true, force: true }); } catch {}
+  } else {
+    emit(`temp dir preserved for inspection: ${tmpRoot}`);
+  }
+}