@blamejs/exceptd-skills 0.12.20 → 0.12.22

package/manifest.json

@@ -1,6 +1,6 @@
 {
   "name": "exceptd-security",
-  "version": "0.12.20",
+  "version": "0.12.22",
   "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation",
   "homepage": "https://exceptd.com",
   "license": "Apache-2.0",
@@ -51,8 +51,8 @@
         "RFC-7296"
       ],
       "last_threat_review": "2026-05-01",
-      "signature": "GedX81xfe2Y/oIVTEvakZUcSPFccqsDjBibE+KbiiHezAx2EvCS4AOjlx4TO7F0iuC47G/wvOc12kMYe9iHtDw==",
-      "signed_at": "2026-05-14T21:23:13.037Z",
+      "signature": "hRGoOFHglwqtRzGDiNxOIFk7QuDvFvUgsCxfGQ8cNB+DUgUFFAwTpbmX2ssP42LzbmT2GXo+h3RKDYQ1TGJdDw==",
+      "signed_at": "2026-05-15T06:49:35.663Z",
       "cwe_refs": [
         "CWE-125",
         "CWE-362",
@@ -116,7 +116,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "Rz5jS554rDryT6FPVZy0PwHMCYoJQQhhNDNI9rvOptjDbsnnKtZkpVXlKke5OKmLu5fHEBaNPg856qMIZFq+Ag==",
-      "signed_at": "2026-05-14T21:23:13.039Z",
+      "signed_at": "2026-05-15T06:49:35.665Z",
       "cwe_refs": [
         "CWE-1039",
         "CWE-1426",
@@ -179,7 +179,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "goSMEVE6QbfcdqCEgq324TNy6rZ2mWwPA28gMPvojy8ZzGFng87hLdyvKhDMo4S3KTK1D6CaTBksAzZw4Go8Cg==",
-      "signed_at": "2026-05-14T21:23:13.039Z",
+      "signed_at": "2026-05-15T06:49:35.666Z",
       "cwe_refs": [
         "CWE-22",
         "CWE-345",
@@ -224,8 +224,8 @@
       "attack_refs": [],
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
-      "signature": "XFQO+fdOb388MLxMLoTqjOHhmV/PBOPKH0nZTp5NY4uzk5iUTo6G2T/IrgZGV7/CvsuvOvaXWP8+BDllXzOpDw==",
-      "signed_at": "2026-05-14T21:23:13.040Z"
+      "signature": "cPRRTsNQT1MYR3cE5O3KdC4MB037EMc0fsMIbOyfOv16sR+DkiXmAhQOjlIC47HngHz3vhLI+rbqItN91VWpBg==",
+      "signed_at": "2026-05-15T06:49:35.666Z"
     },
     {
       "name": "compliance-theater",
@@ -255,8 +255,8 @@
         "CMMC-2.0-Level-2"
       ],
       "last_threat_review": "2026-05-01",
-      "signature": "1UD9hHv44RWc1GSvN99pmxk26xaHLC74EbJ1ndn5Sptgd7w2rU9QznqCKf7Qc18uRyNEFhqW3jHvEs9c/XgrAw==",
-      "signed_at": "2026-05-14T21:23:13.040Z"
+      "signature": "79NrFMRsqGsipWeE5ETQSVICGO4BjTJYgyir+PSaNVFpkLqLcwZd8Dr1V7iwX0H0fXFL3WpPz35gtrYCEG32BQ==",
+      "signed_at": "2026-05-15T06:49:35.666Z"
     },
     {
       "name": "exploit-scoring",
@@ -284,8 +284,8 @@
         "CIS-Controls-v8-Control7"
       ],
       "last_threat_review": "2026-05-01",
-      "signature": "4tt6UuIkq/Mi8zMhO5cydYlXyG7jKxF2MFBC34Q6Q5l3FHPhhqrL5HLOB4WFgVmq27wBbD6AgUu2czVnKa5MDQ==",
-      "signed_at": "2026-05-14T21:23:13.041Z"
+      "signature": "HSU+zjDZBGEVpPARxe0kw//H5Uz5cGrPIKOZWGcJybEl4MgxTsWiQd9qxCyuWoVSRE7mZFO7YwUCn67W0BiODw==",
+      "signed_at": "2026-05-15T06:49:35.667Z"
     },
     {
       "name": "rag-pipeline-security",
@@ -322,7 +322,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "4mstnPFMNhiorB7iEwqb7Jh+OCG79Mhqt2h/RwL5JbnAIPBi0Fcv0JBhQ5msEaHO4gNnpcBrdMfiDxLDwetZCw==",
-      "signed_at": "2026-05-14T21:23:13.041Z",
+      "signed_at": "2026-05-15T06:49:35.667Z",
       "cwe_refs": [
         "CWE-1395",
         "CWE-1426"
@@ -379,7 +379,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "FjdIy9NqQpSSMhIbyv5WhnJKrVLhO98iBfQ0AHqXw6yqXdVoWucyr729Jwhelq40oAkiBzbXi9RoVo63DHJwDw==",
-      "signed_at": "2026-05-14T21:23:13.041Z",
+      "signed_at": "2026-05-15T06:49:35.667Z",
       "d3fend_refs": [
         "D3-CA",
         "D3-CSPP",
@@ -414,7 +414,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "DxfXhSyoAGUo1emHh0uIIcg324ZreBYxmFdBDVAKOOuPmMlfN4RqNc/JGDSfVmMv5CjgYCUcSmkcYB0A5lk0Cg==",
-      "signed_at": "2026-05-14T21:23:13.041Z",
+      "signed_at": "2026-05-15T06:49:35.668Z",
       "cwe_refs": [
         "CWE-1188"
       ]
@@ -441,8 +441,8 @@
       "attack_refs": [],
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
-      "signature": "xwlad/p5XlICc76KqrdWpEpBgwx1D87oM5qlccRQ5LKC/o0pr8vQ8LN3WLiiziBChplwNbruiIN6UETniZpjCg==",
-      "signed_at": "2026-05-14T21:23:13.042Z"
+      "signature": "xALyn4ZC71A8oxFV18AZgTvLbggo5erRpMOwVJToNFZ0zdf1GF8O0dUBDxqKmEGfp5qDytR1mgyPw8TFwahBAg==",
+      "signed_at": "2026-05-15T06:49:35.668Z"
     },
     {
       "name": "global-grc",
@@ -474,7 +474,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "7yVjZkanFMKDQqXdX4B/7oLc2Rz72xHC1zscYd8F/+e5UAbR7ikK8Bn5EKZt3aBEOhHPAviSQNCMxpZD9U00CA==",
-      "signed_at": "2026-05-14T21:23:13.043Z"
+      "signed_at": "2026-05-15T06:49:35.669Z"
     },
     {
       "name": "zeroday-gap-learn",
@@ -500,8 +500,8 @@
       "attack_refs": [],
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
-      "signature": "pKv1b8JAj1ldwR2KGccvjUKqlor2KNXXzxkKypkv+4O8WbqY7v8fWlbFe1F36OJrL2xYJdnZL5mJzqjYVHLRCg==",
-      "signed_at": "2026-05-14T21:23:13.043Z"
+      "signature": "OsoKfE75/MJQXdBKXfosPDE701t9kWHRAOx/1iCS/z5FJCWgcUGJJ0IvMbno2BT3O1UB5rL6QDCHK9arRyxLBQ==",
+      "signed_at": "2026-05-15T06:49:35.669Z"
     },
     {
       "name": "pqc-first",
@@ -553,7 +553,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "V+qn5FqUlETfsEjvvi6jZGuQdqLFtFejfgPA6KSYxSlBXBTbOBXP3BGk5S+ba9akIzgbKh1j9VGB1MqsIt56DA==",
-      "signed_at": "2026-05-14T21:23:13.043Z",
+      "signed_at": "2026-05-15T06:49:35.669Z",
       "cwe_refs": [
         "CWE-327"
       ],
@@ -600,7 +600,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "UayHLLWXAkhnLPaPRsgDpAyE8FGk1tuG1/DYyhw84Uv4tfCKXMamsAhXHOyMIosQfsJq5ZHYVXZz0bYNpnlvDw==",
-      "signed_at": "2026-05-14T21:23:13.044Z"
+      "signed_at": "2026-05-15T06:49:35.670Z"
     },
     {
       "name": "security-maturity-tiers",
@@ -637,7 +637,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "zjq6ACAHD46xvhvQJKlrCPh5xDCuBuIWBI+QJB8RxcudpC7p7I1pqv+BY8DZdsAgU4tquCU8KC+xlduMIk3/DQ==",
-      "signed_at": "2026-05-14T21:23:13.044Z",
+      "signed_at": "2026-05-15T06:49:35.670Z",
       "cwe_refs": [
         "CWE-1188"
       ]
@@ -672,7 +672,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-11",
       "signature": "/lGgWehCMQUXjI6w4FUa+5wrbyRnct+txvVcXA+D2/ZEkoJKh+J/psO3j5HPf7Hpv+Y5SmkH71CoO+9qilyVDQ==",
-      "signed_at": "2026-05-14T21:23:13.044Z"
+      "signed_at": "2026-05-15T06:49:35.670Z"
     },
     {
       "name": "attack-surface-pentest",
@@ -743,7 +743,7 @@
         "PTES revision incorporating AI-surface enumeration"
       ],
       "signature": "rh+/cr+wTcEmBwrGscBni/jXpxjjYP91pUKDFIGkahZpw+nghCM/3aLKFf5RFRnl3JKTyBRywIrYhUH1YuSlDw==",
-      "signed_at": "2026-05-14T21:23:13.044Z"
+      "signed_at": "2026-05-15T06:49:35.671Z"
     },
     {
       "name": "fuzz-testing-strategy",
@@ -803,7 +803,7 @@
         "OSS-Fuzz-Gen / AI-assisted harness generation becoming the default expectation for OSS maintainers"
       ],
       "signature": "+ELdD+1AY5DymBitH7wU65CS60NY1nDoLowJAFn7cE5Gr/5jy9BTkyxsm7PEXaSlXWMOkTf/HQ+uyzyxUVD/Bw==",
-      "signed_at": "2026-05-14T21:23:13.045Z"
+      "signed_at": "2026-05-15T06:49:35.671Z"
     },
     {
       "name": "dlp-gap-analysis",
@@ -878,7 +878,7 @@
         "Quebec Law 25, India DPDPA, KSA PDPL enforcement actions naming AI-tool prompt data as in-scope personal information"
       ],
       "signature": "/BCBGUVjGs1RZzqXfElxBWB8UoD4+MY2G1YekdWsTDbMcHvt3NZJf0/JcqdYHOsEhFQ21NEz3w3+6tmQ8htKDw==",
-      "signed_at": "2026-05-14T21:23:13.045Z"
+      "signed_at": "2026-05-15T06:49:35.671Z"
     },
     {
       "name": "supply-chain-integrity",
@@ -955,7 +955,7 @@
         "OpenSSF model-signing — emerging Sigstore-based signing standard for ML model weights; track for production adoption"
       ],
       "signature": "mySOkGScsNPtEZcHg42EKcvUSBzADIB9mSlNe0L1yPllrB/83ypBj6cCERRw9ql+rtrNxapyc6Do+nCz7E5rDg==",
-      "signed_at": "2026-05-14T21:23:13.045Z"
+      "signed_at": "2026-05-15T06:49:35.672Z"
     },
     {
       "name": "defensive-countermeasure-mapping",
@@ -1012,7 +1012,7 @@
       ],
       "last_threat_review": "2026-05-11",
       "signature": "XZigwq8X/csfrdG10O6Q1V5q0zUqSQGd3QrjRKkZ4fkaodG4mZahYuIQqxc8rU9jjtGAm9LtBXYB+I5csqj9Bw==",
-      "signed_at": "2026-05-14T21:23:13.046Z"
+      "signed_at": "2026-05-15T06:49:35.672Z"
     },
     {
       "name": "identity-assurance",
@@ -1079,7 +1079,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "k0HrsZMBxiPWB1jl4dRwhv/R5IsqbZ+SLDv1Jx3/sRl51JyXjtm8vyogTNhSwsl5/IkaRakqIPJFRFRl5h/9CQ==",
-      "signed_at": "2026-05-14T21:23:13.046Z"
+      "signed_at": "2026-05-15T06:49:35.672Z"
     },
     {
       "name": "ot-ics-security",
@@ -1135,7 +1135,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "oHxjumOhk8y86WcwhAX8sSWIlPzt60KfTMn4DCJLeRrrQd5+i54fVADKAdZ3vOqfDN+DexO0uX4f5dLPtacRCQ==",
-      "signed_at": "2026-05-14T21:23:13.046Z"
+      "signed_at": "2026-05-15T06:49:35.673Z"
     },
     {
       "name": "coordinated-vuln-disclosure",
@@ -1187,7 +1187,7 @@
         "NYDFS 23 NYCRR 500 amendments potentially adding explicit CVD program requirements"
       ],
       "signature": "UCiNjncvhkZItmLQA/Sm1/NCsOiLMwdCjfUw+067v4NIxhaMMaqRrAeD3KgMyEtov7m2Hq2kfwYSt5+DQsYDCQ==",
-      "signed_at": "2026-05-14T21:23:13.047Z"
+      "signed_at": "2026-05-15T06:49:35.673Z"
     },
     {
       "name": "threat-modeling-methodology",
@@ -1237,7 +1237,7 @@
         "PASTA v2 updates incorporating AI/ML application threats"
       ],
       "signature": "V9kl8Cf8UMjNFyn3D/fSyhWHLeXWlx3WV/jT9jdF9SrjfDqymimuTt2o91cZ2FOEJndAH9V0JGXB13Ohz8K4CQ==",
-      "signed_at": "2026-05-14T21:23:13.047Z"
+      "signed_at": "2026-05-15T06:49:35.673Z"
     },
     {
       "name": "webapp-security",
@@ -1310,8 +1310,8 @@
       ],
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
-      "signature": "csC9KRA3ExCSK77+UF6gj0OFPPZzOvuPxQtKEoaUZmLvn3V37My4IpbUjXAN2ZavTHqyFG9yQNfq3ELZeSJ7Cg==",
-      "signed_at": "2026-05-14T21:23:13.047Z"
+      "signature": "CgqHC9W0PUKbTMUR+K2lG/Dq8EAQGBKb07o8IqIDcn5Q9zxiIzE9kJg8AL+zN8z0vTkZSAIv2O+FfErNNkMvBw==",
+      "signed_at": "2026-05-15T06:49:35.674Z"
     },
     {
       "name": "ai-risk-management",
@@ -1361,7 +1361,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "P2D++lB5hea3oi2vl9mf8C7N+E7zASoqt1v4tjKxtaTeb+U0UARgMOaZsoK/sO9TT/PG/au14Rl4EFxv+Xi1BA==",
-      "signed_at": "2026-05-14T21:23:13.048Z"
+      "signed_at": "2026-05-15T06:49:35.674Z"
     },
     {
       "name": "sector-healthcare",
@@ -1421,7 +1421,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "BDuLcpTeFp2BNSf1q4rYOhYKNhlgd3o5RZ0Uw9xW5olyYxPbZSgqekQ+6Ggaec09s7y6sqR37GS0vuAMdbrdDQ==",
-      "signed_at": "2026-05-14T21:23:13.048Z"
+      "signed_at": "2026-05-15T06:49:35.674Z"
     },
     {
       "name": "sector-financial",
@@ -1502,7 +1502,7 @@
         "TIBER-EU framework v2.0 alignment with DORA TLPT RTS (JC 2024/40); cross-recognition with CBEST and iCAST"
       ],
       "signature": "4IUJePr6XbE1Ns+cPvEFAVgrwdHLImuxdPYiilurxM2SmJym1itRC1prFMcuT6Kh6e1clYXwlzflcKm/eikyDA==",
-      "signed_at": "2026-05-14T21:23:13.048Z"
+      "signed_at": "2026-05-15T06:49:35.675Z"
     },
     {
       "name": "sector-federal-government",
@@ -1571,7 +1571,7 @@
         "Australia PSPF 2024 revision and ISM quarterly updates — track for Essential Eight Maturity Level requirements for federal entities"
       ],
       "signature": "nMsyJ+rp5fM8/VjC7zsZyDjOC4hpxB+noT1VX7W0HBlq5t3SY56cwOGApwES/kBcCuf4qexKY376OxUr93zvCQ==",
-      "signed_at": "2026-05-14T21:23:13.049Z"
+      "signed_at": "2026-05-15T06:49:35.675Z"
     },
     {
       "name": "sector-energy",
@@ -1636,7 +1636,7 @@
         "ICS-CERT advisory feed (https://www.cisa.gov/news-events/cybersecurity-advisories/ics-advisories) for vendor CVEs in Siemens, Rockwell, Schneider Electric, ABB, GE Vernova, Hitachi Energy, AVEVA / OSIsoft PI"
       ],
       "signature": "L1moEqEGkBkqY/3ohJcfqrlJn40UurDCyb2MOP/IwTAeZD+QbVZ17/drdsydkJ6qSXPiyiE6u8HDfZsDS13NBQ==",
-      "signed_at": "2026-05-14T21:23:13.049Z"
+      "signed_at": "2026-05-15T06:49:35.676Z"
     },
     {
       "name": "api-security",
@@ -1705,7 +1705,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "ad1pHD4QQ8uXkhrzqLuWgnDpESOapzx3qGFchU9rxiX1aeLQkYKwpDzqIItFq82B5xjNsW7g5jXlF1sgK2HmCA==",
-      "signed_at": "2026-05-14T21:23:13.050Z"
+      "signed_at": "2026-05-15T06:49:35.676Z"
     },
     {
       "name": "cloud-security",
@@ -1786,7 +1786,7 @@
         "CISA KEV additions for cloud-control-plane CVEs (IMDSv1 abuses, federation token mishandling, cross-tenant boundary failures); CISA Cybersecurity Advisories for cross-cloud advisories"
       ],
       "signature": "UEn0305KAEqIfYOdzadLBdPG/PJ+3sJ/8ubvPFNcXfqXp2uOWTfqGUqY65PApA992VEEa1RBQt5R7Nyhd/OjDQ==",
-      "signed_at": "2026-05-14T21:23:13.051Z"
+      "signed_at": "2026-05-15T06:49:35.677Z"
     },
     {
       "name": "container-runtime-security",
@@ -1848,7 +1848,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "4easZDYn25XK4E9MRnwnZohG3xdYMmOLlPznNVmr1ykNfB+343+ooj+R0quG8uEV/IqbTQpR1ink35K6jCghCg==",
-      "signed_at": "2026-05-14T21:23:13.051Z"
+      "signed_at": "2026-05-15T06:49:35.677Z"
     },
     {
       "name": "mlops-security",
@@ -1919,7 +1919,7 @@
         "MITRE ATLAS v5.2 — track AML.T0010 sub-technique expansion and any new MLOps-pipeline-specific TTPs"
       ],
       "signature": "chbPWzjfx92OjEAwMIm+J4GObxy8uwTahNBvbhMfYL7vTAJe/lf2BaW8wUpchpMIwYL0985A/+WykH8zmk/DBA==",
-      "signed_at": "2026-05-14T21:23:13.051Z"
+      "signed_at": "2026-05-15T06:49:35.677Z"
     },
     {
       "name": "incident-response-playbook",
@@ -1981,7 +1981,7 @@
         "NYDFS 23 NYCRR 500.17 amendments tightening ransom-payment 24h disclosure operationalization"
       ],
       "signature": "3V7kvM5cxXdCBoMnjvOoTvT3zD+/yZEBHYgiunYQe8tBm+vVnS4jCz1Nzv/ymePIfbYDo/PlzKeGTWStSsGiAg==",
-      "signed_at": "2026-05-14T21:23:13.052Z"
+      "signed_at": "2026-05-15T06:49:35.678Z"
     },
     {
       "name": "email-security-anti-phishing",
@@ -2034,7 +2034,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "RiCryJEd66T2NNcSo/mZTd3sGWDycE3C37guLJanLdVL5co35DrPFmIl8qy3ZM/y+Wzg5vpny8VKgr1//1/bCA==",
-      "signed_at": "2026-05-14T21:23:13.052Z"
+      "signed_at": "2026-05-15T06:49:35.678Z"
     },
     {
       "name": "age-gates-child-safety",
@@ -2102,11 +2102,11 @@
         "US state adult-site age-verification laws — 19+ states by mid-2026 (TX HB 18 upheld by SCOTUS June 2025 in Free Speech Coalition v. Paxton); track ongoing challenges in remaining states"
       ],
       "signature": "MMWvg3lIf5ygm31zyf1E43t3W9MfRbMBBPrqlj1wOa8AxVJL8LICnAXfmyJ/TNJXwpF+rfZeDdoxXkql8wmtBA==",
-      "signed_at": "2026-05-14T21:23:13.053Z"
+      "signed_at": "2026-05-15T06:49:35.678Z"
     }
   ],
   "manifest_signature": {
     "algorithm": "Ed25519",
-    "signature_base64": "Ql9tfxW2Qoi/Zjfhwgm0o2TrefcyaOusalb9vMbfwhHPiNlAsPwDs5iFXA4oI3ZwNJ72GE2FY54Wtmq/QU7cDA=="
+    "signature_base64": "NkAWf7ofAvj1EuZz7Mo6G4M41r8YJBKfShO7qDwoJ0vCPXARYnD15RqKkBYPKLhM7TRvBL9kdAwi86TXoERjBw=="
   }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/exceptd-skills",
-  "version": "0.12.20",
+  "version": "0.12.22",
   "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 38 skills, 10 catalogs, 34 jurisdictions, pre-computed indexes, Ed25519-signed.",
   "keywords": [
     "ai-security",

package/sbom.cdx.json

@@ -1,10 +1,10 @@
 {
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:4ae17d1f-ac0e-41e3-95eb-0b58ced8b08d",
+  "serialNumber": "urn:uuid:ca7fd1e9-8239-4241-afb0-399835da7965",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-14T21:23:13.962Z",
+    "timestamp": "2026-05-15T06:17:57.473Z",
     "tools": [
       {
         "name": "hand-written",
@@ -13,10 +13,10 @@
       }
     ],
     "component": {
-      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.12.20",
+      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.12.22",
       "type": "application",
       "name": "@blamejs/exceptd-skills",
-      "version": "0.12.20",
+      "version": "0.12.22",
       "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 38 skills, 10 catalogs, 34 jurisdictions, pre-computed indexes, Ed25519-signed.",
       "licenses": [
         {
@@ -25,11 +25,11 @@
           }
         }
       ],
-      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.12.20",
+      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.12.22",
       "externalReferences": [
         {
           "type": "distribution",
-          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.12.20"
+          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.12.22"
         },
         {
           "type": "vcs",

package/scripts/check-manifest-snapshot.js

@@ -190,7 +190,7 @@ if (require.main === module) {
       process.exit(2);
     }
 
-    // Audit G F23 — when manifest-snapshot.sha256 is present, validate that
+    // when manifest-snapshot.sha256 is present, validate that
     // the on-disk snapshot still hashes to the recorded value. Catches a
     // hand-edit of manifest-snapshot.json that bypassed refresh-manifest-
     // snapshot.js (so the F5 commit-only guard never had a chance to fire).

package/scripts/check-sbom-currency.js

@@ -63,7 +63,7 @@ function checkSbomCurrency(root) {
     errors.push("SBOM is not CycloneDX 1.6");
   }
 
-  // Audit G F2 — component-level cross-check. A renamed or version-bumped
+  // component-level cross-check. A renamed or version-bumped
   // skill that never made it into the SBOM refresh will pass the count
   // check (the cardinality is unchanged) but the per-component name +
   // version comparison surfaces it. Two component classes are recognised:

package/scripts/predeploy.js

@@ -20,7 +20,7 @@
  * in .github/workflows/ci.yml. Test coverage in tests/predeploy.test.js
  * asserts the two stay in sync.
  *
- * Audit G F5 — when the manifest-snapshot gate fails, the fix is NOT to
+ * when the manifest-snapshot gate fails, the fix is NOT to
  * run `npm run refresh-snapshot` blindly. The refresh script now refuses
  * unless the operator passes `--commit-only` or sets
  * EXCEPTD_SNAPSHOT_AUDIT_ACK=1. This is intentional: a failing snapshot
@@ -71,7 +71,7 @@ const GATES = [
     args: [path.join(ROOT, "lib", "validate-cve-catalog.js")],
     ciJobName: "Data integrity (catalog + manifest snapshot)",
   },
-  // Audit G F13 — the "validate-cves --offline --no-fail" and
+  // the "validate-cves --offline --no-fail" and
   // "validate-rfcs --offline --no-fail" gates were enumeration-only sanity
   // checks: `--no-fail` forced them to always exit 0, so they never blocked
   // a release on a real catalog problem. The deep catalog validation is
@@ -94,7 +94,7 @@ const GATES = [
   },
   {
     // Informational — surfaces the forward_watch horizon across all skills.
-    // Audit G F12: an exit code of 0 means "ok", 1 means "items present
+    // an exit code of 0 means "ok", 1 means "items present
     // (informational)", 2+ means a runtime error in the gate itself.
     // The runner now distinguishes the two: 0/1 stay informational, 2+
     // surface as a real failure. Pre-fix, any non-zero exit was rolled up
@@ -177,7 +177,7 @@ const GATES = [
     args: [path.join(ROOT, "lib", "validate-playbooks.js")],
     ciJobName: "Validate playbooks",
     informational: true,
-    // audit Y F30: cap informational acceptance at exit 1 so a CRASH (137 OOM,
+    // cap informational acceptance at exit 1 so a CRASH (137 OOM,
     // 139 SIGSEGV, 134 SIGABRT, etc.) surfaces as a real failure instead of
     // being absorbed under the informational bucket. Matches the
     // forward-watch gate (line ~111) which already pins the same ceiling.
@@ -198,7 +198,7 @@ function runGate(gate) {
     }
   }
   const t0 = Date.now();
-  // Audit G F21 — spawn the child with piped stdio + tee to the parent so we
+  // spawn the child with piped stdio + tee to the parent so we
   // can count `WARN ` lines for the summary table. We still want the live
   // output, so each chunk is forwarded as it arrives.
   const { spawnSync } = require("child_process");
@@ -222,7 +222,7 @@ function runGate(gate) {
   if (r.status === 0) {
     return { status: "passed", durationMs, warnCount };
   }
-  // Audit G F12 — gates may declare informationalMaxExitCode to distinguish
+  // gates may declare informationalMaxExitCode to distinguish
   // "soft signal" (exit codes 0..N) from "crash" (> N). Default behaviour
   // for an informational gate without that field stays the same.
   if (gate.informational) {

package/scripts/refresh-manifest-snapshot.js

@@ -11,7 +11,7 @@
  * blindly — read the breaking-change list first. A breaking change is
  * a surface narrowing every downstream consumer needs to know about.
  *
- * Audit G F5 — commitOnly mode. Pass `--commit-only` (or set the env
+ * commitOnly mode. Pass `--commit-only` (or set the env
  * EXCEPTD_SNAPSHOT_AUDIT_ACK=1) to acknowledge that the operator
  * deliberately wants to overwrite the committed snapshot. When neither
  * flag nor env is set AND the snapshot would actually change, the
@@ -98,7 +98,7 @@ fs.writeFileSync(SNAPSHOT_PATH, newJson, "utf8");
 console.log(`[refresh-manifest-snapshot] wrote ${snapshot.skill_count} skills to manifest-snapshot.json`);
 console.log("[refresh-manifest-snapshot] commit this file alongside the surface change.");
 
-// Audit G F23 — write a tracked SHA-256 of the snapshot so the
+// write a tracked SHA-256 of the snapshot so the
 // check-manifest-snapshot.js gate can verify integrity (no hand edits
 // after refresh).
 const crypto = require("crypto");

package/scripts/validate-vendor-online.js

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 "use strict";
 /**
- * scripts/validate-vendor-online.js — Audit G F6.
+ * scripts/validate-vendor-online.js
  *
  * Optional, network-touching companion to lib/validate-vendor.js. For every
  * file recorded in vendor/blamejs/_PROVENANCE.json, fetches the upstream

package/scripts/verify-shipped-tarball.js

@@ -18,8 +18,7 @@
  * The bug was invisible because CI's verify ran against the SOURCE tree,
  * not the shipped tarball. This gate closes that gap.
  *
- * Audit G:
- *   F9  — After the first-pass extraction (using the source-tree parseTar),
+ * *   F9  — After the first-pass extraction (using the source-tree parseTar),
  *         re-parse the tarball using the parseTar shipped INSIDE the
  *         extracted tree itself. If the two parses disagree, fail with a
  *         structured error. Catches the class where the shipped parser
@@ -45,7 +44,7 @@ const path = require("path");
 const os = require("os");
 const { spawnSync } = require("child_process");
 
-// v0.12.16 (audit I P1-1): mirror the byte-stability normalize() contract
+// v0.12.16: mirror the byte-stability normalize() contract
 // from lib/sign.js + lib/verify.js + lib/refresh-network.js. Duplicated
 // (not require'd) to keep this script's dep surface minimal and to ensure
 // a bug in the normalize() implementation in lib/ doesn't simultaneously
@@ -58,7 +57,7 @@ function normalizeSkillBytes(buf) {
   return Buffer.from(s.replace(/\r\n/g, "\n"), "utf8");
 }
 
-// Audit O P1-C: in-line manifest-signature verifier for the extracted
+// C: in-line manifest-signature verifier for the extracted
 // tarball. Kept here (rather than imported) for the same defense-in-depth
 // reasoning as normalizeSkillBytes: a bug in lib/verify.js's verifier
 // should not also disable this gate (we want at least one independent
@@ -109,7 +108,7 @@ function verifyExtractedManifestSignature(manifest, publicKeyPem) {
   return ok ? { status: "valid" } : { status: "invalid", reason: "Ed25519 manifest signature did not verify against extracted public.pem" };
 }
 
-// Audit P P1-A: exported so tests/normalize-contract.test.js can assert
+// A: exported so tests/normalize-contract.test.js can assert
 // byte-identical normalize() behavior across all four implementations.
 module.exports = {
   normalizeSkillBytes,
@@ -125,7 +124,7 @@ function fail(msg, code = 1) {
   process.exit(code);
 }
 
-// Audit P P1-A: gate the script body behind require.main === module so
+// A: gate the script body behind require.main === module so
 // tests can `require()` this file to load the exported helpers (notably
 // normalizeSkillBytes for the byte-stability contract test) without
 // invoking npm pack as a side effect of import.
@@ -176,7 +175,7 @@ try {
   }
   emit(`extracted to ${pkgRoot}`);
 
-  // Audit G F9 — load the extracted tree's OWN parseTar and re-parse the
+  // load the extracted tree's OWN parseTar and re-parse the
   // tarball. If the two parsers diverge on entry list or content, the
   // gate trips: this means CI exercised a different parser than operators
   // will. Defense against drift between source and shipped tarball when
@@ -248,7 +247,7 @@ try {
   const pubPem = fs.readFileSync(pubKeyPath, "utf8");
   const pubKey = crypto.createPublicKey(pubPem);
 
-  // Audit O P1-C: verify the top-level manifest_signature on the
+  // C: verify the top-level manifest_signature on the
   // EXTRACTED manifest.json. Per-skill signatures only sign the skill body
   // bytes — they do not sign skill.name / skill.path / skill.atlas_refs or
   // any other manifest envelope metadata. A tarball whose body bytes are
@@ -286,14 +285,18 @@ try {
     emit(`*** Something between sign and pack is swapping the key. Verify will fail below. ***`);
   }
 
-  // Audit G F4 — key-pin cross-check against the EXTRACTED tree. The pin
+  // key-pin cross-check against the EXTRACTED tree. The pin
   // is consumed from keys/EXPECTED_FINGERPRINT in the extracted package —
   // that's the file operators will actually receive on `npm install`.
   // Warn when absent, fail when present-but-mismatched (unless KEYS_ROTATED).
   const expectedFpPath = path.join(pkgRoot, "keys", "EXPECTED_FINGERPRINT");
   if (fs.existsSync(expectedFpPath)) {
-    const raw = fs.readFileSync(expectedFpPath, "utf8").trim();
-    const firstLine = raw.split(/\r?\n/).map((l) => l.trim()).find((l) => l.length > 0) || "";
+    // KK P1-5: route through the shared lib/verify loader so a BOM-prefixed
+    // pin file (Notepad with files.encoding=utf8bom in the source tree) is
+    // tolerated identically across every verify site. The helper strips
+    // leading U+FEFF + ignores comment lines (`#`).
+    const { loadExpectedFingerprintFirstLine } = require(path.join(ROOT, "lib", "verify.js"));
+    const firstLine = loadExpectedFingerprintFirstLine(expectedFpPath) || "";
     const liveFpLine = `SHA256:${pubFp}`;
     if (firstLine !== liveFpLine) {
       if (process.env.KEYS_ROTATED === "1") {
@@ -323,7 +326,7 @@ try {
       failures.push(`${s.name}: file not found at ${s.path}`);
       continue;
     }
-    // v0.12.16 (audit I P1-1): the prior code passed the raw file bytes
+    // v0.12.16: the prior code passed the raw file bytes
     // directly to crypto.verify. lib/sign.js + lib/verify.js both NORMALIZE
     // bytes (strip UTF-8 BOM, convert CRLF -> LF) before sign/verify, per
     // the byte-stability contract in lib/verify.js's normalize() header.

package/skills/compliance-theater/skill.md

@@ -21,7 +21,7 @@ framework_gaps:
   - ALL-PROMPT-INJECTION-ACCESS-CONTROL
   - FedRAMP-Rev5-Moderate
   - CMMC-2.0-Level-2
-last_threat_review: "2026-05-01"
+last_threat_review: "2026-05-14"
 ---
 
 # Compliance Theater Detection
@@ -98,6 +98,7 @@ The theater patterns most acutely under attack today are those backed by high-RW
 | Vendor Management Theater (AI APIs / MCP) | CVE-2026-30615 (Windsurf MCP local-vector RCE) | 8.0 | 35 | No | Partial | No | Yes (IDE update) | Suspected |
 | Access Control Theater (AI agents) | CVE-2025-53773 (Copilot YOLO-mode RCE) | 7.8 | 30 | No | Yes (demonstrated) | Yes (AI tooling enables) | Yes (SaaS push / IDE update) | Suspected |
 | Network Segmentation Theater (IPsec) | CVE-2026-43284 (Dirty Frag) | High | High | Pending | Partial | No | Limited (subsystem-dependent) | Suspected |
+| Patch Management Theater (Bug-Family Sequel) | CVE-2026-46300 (Fragnesia) | 7.8 | 20 (today) / 55+ on KEV | No (candidate) | Yes (one-liner vs /usr/bin/su) | No | Yes (kpatch / canonical-livepatch / KernelCare) | None observed |
 | Incident Response Theater (AI pipeline) | SesameOp campaign + AML.T0096 | N/A | High | N/A | ATLAS-documented | Yes | N/A | Confirmed campaign |
 | Change Management Theater (AI models) | Continuous provider updates | N/A | Medium | N/A | N/A | N/A | N/A | Ongoing (uncontrolled) |
 | Security Awareness Theater (AI phishing) | AI-generated phishing baseline (82.6%) | N/A | High | N/A | Operational | Yes | N/A | Confirmed (industry-wide) |
@@ -132,6 +133,8 @@ The first three rows (Critical / Critical / High RWEP with public PoC or active
 
 **What a real control looks like:** Tiered SLA: CISA KEV = 4 hours to live-patch or isolate; public PoC = 24 hours; Critical (no public PoC) = 72 hours; High = 7 days. Live patching capability deployed and verified quarterly.
 
+**Bug-family sequel sub-pattern (Fragnesia, CVE-2026-46300):** when a CVE patch lands, retain the pre-patch compensating controls (module blacklists, sysctl restrictions) until the patched code has soaked. The Dirty Frag patch introduced Fragnesia — a sibling page-cache-corruption bug in the same primitive class. The module-unload mitigation (`blacklist esp4 / esp6 / rxrpc`) covers both. A patch-management program that removed the Dirty Frag blacklist when the patch landed re-exposed the host to Fragnesia. Theater signal: a vulnerability scanner that reports "patched for CVE-2026-43284" while the kernel still lacks the CVE-2026-46300 patch and the module blacklist has been removed.
+
 ---
 
 ### Pattern 2: Network Segmentation Theater (IPsec Edition)