@blamejs/exceptd-skills 0.12.23 → 0.12.25

package/scripts/check-test-coverage.js

@@ -448,6 +448,57 @@ function coversCveIoc(corpus, cveId) {
 
 // --- Main analyzer ----------------------------------------------------------
 
+// --- Class-level lint: ban coincidence-passing notEqual(r.status, 0) --------
+//
+// CLAUDE.md anti-coincidence rule: every exit-code assertion must pin the
+// EXACT code. `assert.notEqual(r.status, 0)` silently passes when an
+// unrelated failure produces ANY non-zero exit, hiding the regression the
+// test was meant to catch. This lint walks tests/*.test.js and rejects the
+// pattern outright. The `// allow-notEqual: <reason>` opt-out on the same
+// line is the escape hatch for genuine refusal-pins (asserting NOT a
+// specific code) — those must justify themselves inline.
+//
+// Pattern hits any of:
+//   assert.notEqual(r.status, 0)
+//   assert.notEqual(result.status, 0, '...')
+//   assert.notEqual(foo.status, 2, 'must not be unknown-cmd')   ← also refused
+// unless the same line ends with `// allow-notEqual: <reason>`.
+//
+// Cycle 8 JJJ: pre-fix, this class was a per-instance hunt across 25+ test
+// sites. Moving it to a structural lint keeps new tests / new ports from
+// regressing. Fix the class, not the instance (CLAUDE.md pitfall).
+function scanForCoincidenceAsserts(cwd) {
+  const out = [];
+  const testsDir = path.join(cwd, "tests");
+  if (!fs.existsSync(testsDir)) return out;
+  // Match `assert.notEqual( <ident>.status` — the receiver name varies
+  // (r, r1, result, child, etc.) but the .status access is the signal.
+  const banRe = /assert\.notEqual\s*\(\s*[A-Za-z_$][\w$]*\.status\b/;
+  const allowRe = /\/\/\s*allow-notEqual\s*:/;
+  const skipPrefix = "_helpers"; // helpers may legitimately reference the pattern
+  for (const entry of fs.readdirSync(testsDir, { withFileTypes: true })) {
+    if (!entry.isFile()) continue;
+    if (entry.name.startsWith(skipPrefix)) continue;
+    if (!entry.name.endsWith(".test.js")) continue;
+    const filePath = path.join(testsDir, entry.name);
+    let body;
+    try { body = fs.readFileSync(filePath, "utf8"); }
+    catch { continue; }
+    const lines = body.split(/\r?\n/);
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      if (!banRe.test(line)) continue;
+      if (allowRe.test(line)) continue;
+      out.push({
+        file: path.join("tests", entry.name).replace(/\\/g, "/"),
+        line: i + 1,
+        snippet: line.trim(),
+      });
+    }
+  }
+  return out;
+}
+
 function analyze(opts) {
   const cwd = opts.repo || ROOT;
   // v0.12.8: resolve the diff anchor ONCE and thread it through every
@@ -526,6 +577,21 @@ function analyze(opts) {
     }
   }
 
+  // Class-level lint: ban `notEqual(<ident>.status, N)` outside of
+  // refusal-pin allowlist comments. Runs irrespective of the diff —
+  // a coincidence-passing assert that lands via a non-test-coverage
+  // path (someone hand-edits a tests/ file in a docs-only commit) is
+  // still a regression vector the gate must catch.
+  const coincidenceFindings = scanForCoincidenceAsserts(cwd);
+  for (const f of coincidenceFindings) {
+    findings.push({
+      file: f.file,
+      kind: "coincidence-assert",
+      surface: f.snippet,
+      change: `line ${f.line}: pin to exact exit code; see CLAUDE.md anti-coincidence rule. Opt out only with \`// allow-notEqual: <reason>\` on the same line for genuine refusal-pins.`,
+    });
+  }
+
   return { findings, allowlisted, manualReview, totalChanged: changed.length };
 }
 
@@ -595,5 +661,6 @@ module.exports = {
   analyze, parseArgs, categorize,
   extractCliSurface, extractLibExports, extractPlaybookIds, extractCveIocChanges,
   coversCliVerb, coversCliFlag, coversLibExport, coversPlaybookId, coversCveIoc,
+  scanForCoincidenceAsserts,
   DOCS_ALWAYS_GREEN,
 };

package/scripts/verify-shipped-tarball.js

@@ -300,6 +300,15 @@ try {
     const liveFpLine = `SHA256:${pubFp}`;
     if (firstLine !== liveFpLine) {
       if (process.env.KEYS_ROTATED === "1") {
+        // Surface the override through the structured warning channel as
+        // well so any caller listening on `process.on('warning')` can
+        // observe the key-rotation acceptance. Matches the three peer
+        // sites (bin/exceptd.js, lib/refresh-network.js, lib/verify.js).
+        process.emitWarning(
+          `extracted public.pem fingerprint ${liveFpLine} differs from pin ${firstLine}; KEYS_ROTATED=1 accepted. ` +
+          `Update keys/EXPECTED_FINGERPRINT to lock the new pin.`,
+          { code: "EXCEPTD_KEYS_ROTATED_OVERRIDE" }
+        );
         emit(`WARN: extracted public.pem fingerprint ${liveFpLine} differs from pin ${firstLine}; KEYS_ROTATED=1 accepted`);
       } else {
         fail(

package/skills/ai-attack-surface/skill.md

@@ -52,7 +52,16 @@ d3fend_refs:
   - D3-EAL
   - D3-FAPA
   - D3-CSPP
-last_threat_review: "2026-05-13"
+forward_watch:
+  - NGINX Rift CVE-2026-42945 (disclosed 2026-05-13, source depthfirst) — KEV-watch predicted CISA KEV listing by 2026-05-29; AI-assisted discovery angle; track for active-exploitation confirmation and patch advisory
+  - Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — LiteLLM 3-bug SSRF + Code Injection chain by k3vg3n; expect coordinated CVE assignments and upstream patch; track KEV add post-embargo
+  - Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — LiteLLM full SSRF + Code Injection by Out Of Bounds (Byung Young Yi); duplicate-class with the k3vg3n entry; track unified patch advisory
+  - Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — LM Studio 5-bug exploit chain by STARLabs SG; impacts local AI runtime trust; track patch and MCP integration advisories
+  - Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — OpenAI Codex CWE-150 improper neutralization by Compass Security; AI coding-agent surface; forward-watch only (no coding-agent-security skill yet)
+  - Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — Chroma vector DB CWE-190 + CWE-362 chain by haehae; impacts RAG vector store integrity; track patch and downstream RAG advisory
+  - Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — NVIDIA Megatron Bridge overly permissive allowed list by Satoki Tsuji; AI training-stack supply-chain exposure; track patch and SBOM advisory
+  - Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — NVIDIA Megatron Bridge path traversal by haehae; AI training-stack file-system trust boundary; track patch and SBOM advisory
+last_threat_review: "2026-05-15"
 ---
 
 # AI Attack Surface Assessment
@@ -85,7 +94,7 @@ This is a supply chain attack surface. Every MCP server a user installs is a pot
 
 ### 3. AI-Assisted Exploit Development
 
-41% of 2025 zero-days were discovered by attackers using AI-assisted reverse engineering. Copy Fail (CVE-2026-31431) was discovered by an AI system in approximately one hour.
+41% of 2025 zero-days were discovered by attackers using AI-assisted reverse engineering (GTIG 2025 annual). Copy Fail (CVE-2026-31431) was discovered by an AI system in approximately one hour. The first documented AI-built in-the-wild zero-day surfaced 2026-05-11 (GTIG AI 2FA-bypass case), and Fragnesia (CVE-2026-46300, Linux LPE) was disclosed 2026-05-13 by William Bowling / Zellic with explicit credit to Zellic's AI-agentic code-auditing tool — the anchor case for autonomous AI vulnerability discovery in load-bearing OSS (18-year-old kernel code path). The Dirty Frag pair (CVE-2026-43284 / CVE-2026-43500) was disclosed 2026-05-08 and industry analysis (Sysdig, Help Net Security) assesses AI-assisted discovery as likely given the 9-year exposure window. The exceptd catalog's 2026 AI-discovery rate is now 40%, tracking the GTIG 41% reference. Defensive posture is calibrated to CTID Secure AI v2 (released 2026-05-06) — Secure AI v1 is superseded.
 
 The implication: the time between a vulnerability's introduction into a codebase and its reliable exploitation has compressed from months or years to hours or days for AI-capable threat actors. Patch management SLAs designed for human-speed exploit development are structurally inadequate.
 

package/skills/ai-c2-detection/skill.md

@@ -48,13 +48,15 @@ d3fend_refs:
   - D3-NI
   - D3-NTA
   - D3-NTPM
-last_threat_review: "2026-05-13"
+last_threat_review: "2026-05-15"
 ---
 
 # AI C2 Detection
 
 ## Threat Context (mid-2026)
 
+The AI-as-adversary reality that motivates this skill is now operationally documented: 41% of 2025 zero-days were AI-discovered (GTIG 2025), the first AI-built in-the-wild zero-day was confirmed 2026-05-11 (GTIG AI 2FA-bypass case), and Fragnesia (CVE-2026-46300, 2026-05-13) is the canonical AI-driven autonomous-discovery anchor — Zellic's agentic auditor surfaced an 18-year-old Linux kernel primitive. C2 channels riding the same agentic AI infrastructure are the next logical step; CTID Secure AI v2 (2026-05-06, replaces v1) treats AI-API C2 detection as an in-scope control class.
+
 ### SesameOp — AI APIs as Covert C2 (ATLAS AML.T0096)
 
 The SesameOp campaign documented a technique that has since been replicated and expanded: adversaries repurposing legitimate AI agent APIs as covert command-and-control channels.

package/skills/ai-risk-management/skill.md

@@ -42,7 +42,7 @@ cwe_refs:
   - CWE-1039
 d3fend_refs:
   - D3-IOPR
-last_threat_review: "2026-05-11"
+last_threat_review: "2026-05-15"
 ---
 
 # AI Risk Management (Governance Layer)
@@ -79,6 +79,8 @@ AI red-team activity has likewise shifted from voluntary research practice to go
 
 The 2024–2026 disclosure record is unforgiving: vendor advisories from OpenAI, Anthropic, Google DeepMind, and Microsoft have published AI vulnerability disclosures spanning prompt-injection-driven RCE (CVE-2025-53773, CVSS 7.8 / AV:L), local-vector MCP supply-chain RCE (CVE-2026-30615, CVSS 8.0 / AV:L), agentic-pipeline compromise patterns, and indirect-injection via retrieved content. An organisation with no governance artefact mapping these classes to internal use cases is not in a position to act on any of them.
 
+AI as adversary is now operational reality, not forecast: 41% of 2025 zero-days were AI-discovered (GTIG 2025 annual), the first documented AI-built in-the-wild zero-day surfaced 2026-05-11 (GTIG AI 2FA-bypass case), and Fragnesia (CVE-2026-46300, 2026-05-13) is the anchor case for autonomous agentic-AI discovery in load-bearing OSS — Zellic's agentic auditor surfaced an 18-year-old Linux kernel page-cache primitive. Risk registers, vendor questionnaires, and incident playbooks that omit AI-as-discovery-actor are out of currency. Align the AIMS to **CTID Secure AI v2 (2026-05-06)** — Secure AI v1 is superseded; Annex SL clause-by-clause mapping in `data/framework-control-gaps.json`.
+
 ---
 
 ## Framework Lag Declaration

package/skills/api-security/skill.md

@@ -63,6 +63,10 @@ d3fend_refs:
   - D3-CSPP
   - D3-MFA
   - D3-CBAN
+forward_watch:
+  - NGINX Rift CVE-2026-42945 (disclosed 2026-05-13, source depthfirst) — KEV-watch predicted CISA KEV listing by 2026-05-29; track for active-exploitation confirmation and patch advisory affecting API gateway / reverse-proxy deployments
+  - Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — LiteLLM 3-bug SSRF + Code Injection chain by k3vg3n; LLM-proxy API surface; track upstream patch and CVE assignments
+  - Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — LiteLLM full SSRF + Code Injection by Out Of Bounds (Byung Young Yi); duplicate-class with the k3vg3n entry; track unified patch advisory
 last_threat_review: "2026-05-11"
 ---
 

package/skills/attack-surface-pentest/skill.md

@@ -55,6 +55,7 @@ forward_watch:
   - TIBER-EU scenario library refresh under DORA Year-2 supervisory cycle
   - OWASP WSTG v5.x AI/MCP test cases (currently in working-group draft)
   - PTES revision incorporating AI-surface enumeration
+  - Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — Microsoft Edge 4-bug sandbox escape by Orange Tsai (DEVCORE); forward-watch only (browser sandbox, out of current playbook scope); track Microsoft Edge security advisory and KEV add
 d3fend_refs:
   - D3-CSPP
   - D3-EAL

package/skills/container-runtime-security/skill.md

@@ -57,7 +57,9 @@ d3fend_refs:
   - D3-NI
   - D3-NTPM
   - D3-IOPR
-last_threat_review: "2026-05-11"
+forward_watch:
+  - Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — NVIDIA Container Toolkit container escape ($50K award) by chompie / IBM X-Force XOR; high-severity container/hypervisor boundary break; track patch and KEV add post-embargo
+last_threat_review: "2026-05-15"
 ---
 
 # Container + Kubernetes Runtime Security (mid-2026)

package/skills/dlp-gap-analysis/skill.md

@@ -62,7 +62,7 @@ d3fend_refs:
   - D3-IOPR
   - D3-NTA
   - D3-NTPM
-last_threat_review: "2026-05-11"
+last_threat_review: "2026-05-15"
 ---
 
 # DLP Gap Analysis

package/skills/exploit-scoring/skill.md

@@ -19,7 +19,7 @@ attack_refs: []
 framework_gaps:
   - CWE-Top-25-2024-meta
   - CIS-Controls-v8-Control7
-last_threat_review: "2026-05-14"
+last_threat_review: "2026-05-15"
 ---
 
 # Real-World Exploit Priority (RWEP) Scoring
@@ -40,7 +40,7 @@ The `atlas_refs` and `attack_refs` arrays are intentionally empty. This skill is
 
 RWEP exists because the exploit development cycle has compressed. The factors that CVSS does not model are now the dominant signal in real-world prioritization.
 
-- **AI-accelerated exploit development is current operational reality, not emerging.** 41% of 2025 zero-days were discovered or weaponized with AI-assisted tooling (AGENTS.md DR-5). Copy Fail (CVE-2026-31431) was discovered by an AI system in approximately one hour. CVSS scoring assumes a human-speed gap between disclosure and reliable exploitation — that gap is gone for AI-capable threat actors.
+- **AI-accelerated exploit development is current operational reality, not emerging.** 41% of 2025 zero-days were discovered or weaponized with AI-assisted tooling (AGENTS.md DR-5 / GTIG 2025). Copy Fail (CVE-2026-31431) was discovered by an AI system in approximately one hour; Fragnesia (CVE-2026-46300, 2026-05-13) is the 2026 anchor case for autonomous agentic-AI discovery — Zellic's agentic auditor surfaced an 18-year-old Linux kernel primitive. The first documented AI-built in-the-wild zero-day landed 2026-05-11 (GTIG AI 2FA-bypass). CVSS scoring assumes a human-speed gap between disclosure and reliable exploitation — that gap is gone for AI-capable threat actors. RWEP's `ai_factor` weight is calibrated to this reality; align downstream scoring narratives to CTID Secure AI v2 (2026-05-06, replaces v1).
 - **CVSS undercounts AI-discovered + KEV-listed bugs.** CVE-2026-31431 scores CVSS 7.8 (High). Treated as a CVSS-band-7 item, it lands in a 30-day remediation queue. Treated honestly — CISA KEV listed, 732-byte deterministic public PoC, all Linux ≥ 4.14, AI-discovered — it is a 4-hour incident. CVSS misses every one of those amplifiers.
 - **CVSS local-vector blindness vs. RWEP exploitation reality.** CVE-2026-30615 (Windsurf MCP) scores CVSS 8.0 with AV:L (the NVD-authoritative corrected score; the initial CVSS 9.8 was withdrawn after attack-vector analysis confirmed the local-vector reality — the attacker must control HTML content that the Windsurf MCP client processes). RWEP rates it 35, lower than Copy Fail at 90: the supply-chain prerequisite (a victim first installs a malicious MCP server) plus the local attack vector throttle real exploitation rate. This pair is the canonical example of CVSS-vector-only scoring losing to RWEP's exploitation-evidence weighting.
 - **Compliance frameworks anchor SLAs on CVSS bands.** NIST 800-53 SI-2, PCI DSS 6.3.3, ISO 27001:2022 A.8.8, and most internal vuln-management policies translate CVSS High/Critical into 30-day/7-day windows. For AI-discovered KEV-listed LPEs with public PoCs, these windows are exploitation windows. RWEP is the layer that lets an org prioritize honestly without re-writing every framework control.

package/skills/incident-response-playbook/skill.md

@@ -59,7 +59,7 @@ forward_watch:
   - AU SOCI Act expanded sector coverage (data-storage and processing entities added 2024; further mandatory-reporting tiers under review)
   - IL INCD Incident Response Process v4 (slated for 2026-2027) consolidating AI-incident sub-class
   - NYDFS 23 NYCRR 500.17 amendments tightening ransom-payment 24h disclosure operationalization
-last_threat_review: "2026-05-11"
+last_threat_review: "2026-05-15"
 ---
 
 # Incident Response Playbook

package/skills/kernel-lpe-triage/skill.md

@@ -47,7 +47,12 @@ d3fend_refs:
   - D3-PHRA
   - D3-PSEP
   - D3-SCP
-last_threat_review: "2026-05-14"
+forward_watch:
+  - Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12 or sooner via Patch Tuesday) — Windows 11 LPE improper access control by DEVCORE (Angelboy + TwinkleStar03); track MSRC advisory and KEV add
+  - Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12 or sooner via Patch Tuesday) — Windows 11 LPE heap buffer overflow by Marcin Wiązowski; track MSRC advisory and KEV add
+  - Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12 or sooner via Patch Tuesday) — Windows 11 LPE 2x use-after-free by Kentaro Kawane (GMO); track MSRC advisory and KEV add
+  - Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — RHEL race-condition LPE by chompie / IBM X-Force XOR; track Red Hat advisory and KEV add
+last_threat_review: "2026-05-15"
 ---
 
 # Kernel LPE Triage

package/skills/mcp-agent-trust/skill.md

@@ -60,14 +60,19 @@ d3fend_refs:
   - D3-EAL
   - D3-EHB
   - D3-MFA
-last_threat_review: "2026-05-13"
+forward_watch:
+  - Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — LiteLLM 3-bug SSRF + Code Injection chain by k3vg3n; MCP-adjacent LLM proxy surface; track upstream patch and MCP trust advisory
+  - Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — LiteLLM full SSRF + Code Injection by Out Of Bounds (Byung Young Yi); duplicate-class with the k3vg3n entry; track unified patch advisory
+  - Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — LM Studio 5-bug exploit chain by STARLabs SG; impacts local MCP/agent runtime trust; track patch and integration advisories
+  - Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — Claude Code MCP collision-scored entry by Viettel Cyber Security; CVE in flight; track MCP trust and tool-collision advisory
+last_threat_review: "2026-05-15"
 ---
 
 # MCP Agent Trust Assessment
 
 ## Threat Context (mid-2026)
 
-The Model Context Protocol (MCP) is an open protocol for connecting AI assistants to external tools and data sources. It is now the standard integration layer for AI coding assistants: Cursor, VS Code + GitHub Copilot, Windsurf, Claude Code, and Gemini CLI all support MCP servers.
+The Model Context Protocol (MCP) is an open protocol for connecting AI assistants to external tools and data sources. It is now the standard integration layer for AI coding assistants: Cursor, VS Code + GitHub Copilot, Windsurf, Claude Code, and Gemini CLI all support MCP servers. Background reality: 41% of 2025 zero-days were AI-discovered (GTIG 2025); Fragnesia (CVE-2026-46300, 2026-05-13) is the canonical AI-driven autonomous-discovery anchor — Zellic's agentic auditor surfaced an 18-year-old kernel primitive that load-bearing MCP-server hosts depend on. The first documented AI-built in-the-wild zero-day landed 2026-05-11 (GTIG AI 2FA-bypass). MCP trust posture should align to CTID Secure AI v2 (2026-05-06, replaces v1).
 
 MCP creates an architectural trust problem that no existing security framework addresses.
 

package/skills/mlops-security/skill.md

@@ -62,7 +62,7 @@ forward_watch:
   - SLSA v1.1 ML profile (draft) — model-provenance extension for training-run attestation chains; track ID and section changes
   - EU AI Act high-risk technical-file implementing acts (2026-2027) — operational requirements for Article 10 / 13 / 15 documentation may pin ML-BOM or model-signing
   - MITRE ATLAS v5.2 — track AML.T0010 sub-technique expansion and any new MLOps-pipeline-specific TTPs
-last_threat_review: "2026-05-11"
+last_threat_review: "2026-05-15"
 ---
 
 # MLOps Pipeline Security Assessment

package/skills/rag-pipeline-security/skill.md

@@ -37,14 +37,16 @@ d3fend_refs:
   - D3-FAPA
   - D3-IOPR
   - D3-NTA
-last_threat_review: "2026-05-13"
+forward_watch:
+  - Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — Chroma vector DB CWE-190 + CWE-362 chain by haehae; impacts RAG vector store integrity (integer overflow + race condition); track patch and downstream RAG pipeline advisory
+last_threat_review: "2026-05-15"
 ---
 
 # RAG Pipeline Security Assessment
 
 ## Threat Context (mid-2026)
 
-Retrieval-Augmented Generation (RAG) pipelines introduce a unique attack surface that exists at the intersection of traditional data security and AI-specific vulnerabilities. No current compliance framework has adequate controls for this attack surface. The threats in this skill are not theoretical — they have been demonstrated in research and observed in production incidents.
+Retrieval-Augmented Generation (RAG) pipelines introduce a unique attack surface that exists at the intersection of traditional data security and AI-specific vulnerabilities. No current compliance framework has adequate controls for this attack surface. The threats in this skill are not theoretical — they have been demonstrated in research and observed in production incidents. Operational context: 41% of 2025 zero-days were AI-discovered (GTIG 2025); the first AI-built in-the-wild zero-day surfaced 2026-05-11 (GTIG AI 2FA-bypass), and Fragnesia (CVE-2026-46300, 2026-05-13) is the canonical AI-driven autonomous-discovery anchor (Zellic agentic auditor, 18-year-old Linux kernel primitive). RAG corpus trust posture should align to CTID Secure AI v2 (2026-05-06, replaces v1) — embedding-store integrity is in-scope.
 
 A RAG pipeline has five attack surfaces:
 

package/skills/sector-financial/skill.md

@@ -73,7 +73,7 @@ forward_watch:
   - BCB Resolução BCB 85 (cyber policy for FIs) and Brazil PIX fraud-typology updates
   - OSFI B-13 (Technology and Cyber Risk Management) post-2024 examination findings
   - TIBER-EU framework v2.0 alignment with DORA TLPT RTS (JC 2024/40); cross-recognition with CBEST and iCAST
-last_threat_review: "2026-05-11"
+last_threat_review: "2026-05-15"
 ---
 
 # Sector — Financial Services Cybersecurity (mid-2026)

package/skills/skill-update-loop/skill.md

@@ -32,7 +32,7 @@ forward_watch:
   - AI/MCP platform CVEs (GitHub Security Advisories, OSV database)
   - Framework publication updates (NIST SP updates, ISO amendments, NIS2 implementing acts)
   - IETF RFC publications and draft status changes (datatracker.ietf.org, rfc-editor.org); run `npm run validate-rfcs` quarterly
-last_threat_review: "2026-05-11"
+last_threat_review: "2026-05-15"
 ---
 
 # Skill Update Loop

package/skills/supply-chain-integrity/skill.md

@@ -54,6 +54,8 @@ forward_watch:
   - SPDX 3.1 — AI profile maturation, dataset provenance schema stabilization
   - EU CRA (Regulation 2024/2847) — implementing acts for technical documentation and SBOM submission expected through 2027
   - OpenSSF model-signing — emerging Sigstore-based signing standard for ML model weights; track for production adoption
+  - Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — NVIDIA Megatron Bridge overly permissive allowed list by Satoki Tsuji; AI training-stack supply-chain exposure; track patch and SBOM-attestation impact
+  - Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — NVIDIA Megatron Bridge path traversal by haehae; AI training-stack file-system trust boundary; track patch and SBOM-attestation impact
 cwe_refs:
   - CWE-1357
   - CWE-1395
@@ -64,7 +66,7 @@ d3fend_refs:
   - D3-CBAN
   - D3-EAL
   - D3-EHB
-last_threat_review: "2026-05-13"
+last_threat_review: "2026-05-15"
 ---
 
 # Supply-Chain Integrity Assessment

package/skills/threat-model-currency/skill.md

@@ -22,7 +22,7 @@ forward_watch:
   - New CISA KEV entries in kernel/AI/supply chain categories
   - New MCP or agent protocol security disclosures
   - Emerging malware families using AI for evasion
-last_threat_review: "2026-05-14"
+last_threat_review: "2026-05-15"
 ---
 
 # Threat Model Currency Assessment

package/skills/webapp-security/skill.md

@@ -68,6 +68,8 @@ d3fend_refs:
   - D3-CSPP
   - D3-EAL
   - D3-MFA
+forward_watch:
+  - NGINX Rift CVE-2026-42945 (disclosed 2026-05-13, source depthfirst) — KEV-watch predicted CISA KEV listing by 2026-05-29; AI-assisted discovery angle; track for active-exploitation confirmation and patch advisory affecting front-door web app deployments
 last_threat_review: "2026-05-11"
 ---
 

package/skills/zeroday-gap-learn/skill.md

@@ -23,7 +23,7 @@ forward_watch:
   - New ATLAS TTP additions in each ATLAS release
   - Framework updates that close previously open gaps
   - Vendor advisories for MCP/AI tool supply chain CVEs
-last_threat_review: "2026-05-14"
+last_threat_review: "2026-05-15"
 ---
 
 # Zero-Day Learning Loop
@@ -44,7 +44,7 @@ The `atlas_refs`, `attack_refs`, and `framework_gaps` arrays are intentionally e
 
 The zero-day learning cycle has compressed. The frameworks have not.
 
-- **41% of 2025 zero-days were discovered by attackers using AI-assisted reverse engineering** (AGENTS.md DR-5). Copy Fail (CVE-2026-31431) was AI-found in approximately one hour. The historical learning rhythm — researcher disclosure → industry analysis → framework update cycle measured in quarters or years — is incompatible with AI-discovery cadence measured in weeks.
+- **41% of 2025 zero-days were discovered by attackers using AI-assisted reverse engineering** (AGENTS.md DR-5 / GTIG 2025). Copy Fail (CVE-2026-31431) was AI-found in approximately one hour; Fragnesia (CVE-2026-46300, 2026-05-13) is the canonical 2026 anchor case — Zellic's agentic code-auditing tool surfaced an 18-year-old Linux kernel page-cache primitive in load-bearing OSS. The first documented AI-built in-the-wild zero-day surfaced 2026-05-11 (GTIG AI 2FA-bypass case). The exceptd catalog's 2026 AI-discovery rate now stands at 40% (4/10), tracking the GTIG reference. The historical learning rhythm — researcher disclosure → industry analysis → framework update cycle measured in quarters or years — is incompatible with AI-discovery cadence measured in weeks. CTID Secure AI v2 (2026-05-06) replaces v1 as the alignment target for the learning-loop outputs.
 - **The compounding consequence**: when a zero-day is announced, the relevant question is no longer "when will the patch ship?" but "what control, if it had existed, would have stopped this, and how do we add that control to the next thousand systems before the AI-generated variant lands?" Without a running learning loop, every novel TTP becomes a one-off incident response rather than a control-system improvement.
 - **AI-acceleration also compresses variant generation.** A single disclosed primitive (Copy Fail's deterministic page-cache CoW; SesameOp's AI-API C2 channel) can be re-applied by AI tooling to adjacent code paths within days. Frameworks that only respond to specific CVE-IDs miss the class-level lesson entirely.
 - **Compliance frameworks do not include zero-day learning as a required control category.** The "learn from incidents" language in NIST CSF 2.0 IMPROVE and ISO 27001:2022 A.5.7 is process-only, no required artifact. An org can be fully compliant while patching every CVE and learning nothing.