@blamejs/exceptd-skills 0.12.25 → 0.12.26

package/CHANGELOG.md

@@ -1,5 +1,49 @@
 # Changelog
 
+## 0.12.26 — 2026-05-15
+
+**Patch: sector-telecom skill ships, with supporting framework-gap and ATLAS catalog scaffolding. Closes the cycle 8 LLL P1 finding that the unmodeled RWEP signal from Salt Typhoon-class campaigns was the highest gap in the catalog.**
+
+### New skill: `sector-telecom`
+
+Telecom and 5G security skill covering Salt Typhoon and Volt Typhoon TTPs, CALEA / IPA-LI gateway compromise, signaling-protocol abuse (SS7, Diameter, GTP), 5G N6 / N9 isolation, gNB / DU / CU integrity attestation, OEM-equipment supply-chain compromise, and AI-RAN / O-RAN security.
+
+The skill walks the seven-phase contract with telecom-specific jurisdictional clocks (FCC 47 CFR 64.2011 4-business-day rule, NIS2 Art. 23 24h initial, DORA Art. 19 4h for financial-touching incidents, UK TSA 2021 + Ofcom, AU SOCI / TSSR, JP MIC, IN CERT-In 6h, SG IMDA TCCSCoP, NZ TICSA, CA Bill C-26), evidence capture for LI provisioning audit logs / gNB firmware hashes / NMS access logs / signaling-flow statistics / cross-PLMN exchange patterns / eUICC SIM-swap events / 5GC slice-isolation tests / OEM remote-support tunnel inventory / NESAS deployment posture, and the standard analyze → validate → close phases against the new framework-gap entries.
+
+Compliance Theater Check enumerates seven posture-vs-actual tests specific to telecom: CPNI annual certification, GSMA NESAS deployment vs runtime, OEM firmware verification chain, 3GPP TR 33.926 deployment posture, ITU-T X.805 validation, signaling firewall PLMN-list refresh cadence, and LI-gateway MFA scope.
+
+Manifest skill count 38 → 39.
+
+### Catalog scaffolding to support the skill
+
+Nine telecom-specific framework-gap entries added to `data/framework-control-gaps.json` (totals 78 → 87 entries):
+
+- **FCC-CPNI-4.1** — 47 CFR 64.2009(e) CPNI annual certification + operational compliance, gap against Salt Typhoon LI-system vector
+- **FCC-Cyber-Incident-Notification-2024** — 47 CFR 64.2011 4-business-day rule, gap against LI-only compromise (no PII exfil) + signaling abuse + slow-roll campaign timing
+- **NIS2-Annex-I-Telecom** — telecom as essential entity, gap against LI-gateway access controls + OEM firmware attestation + AI-RAN coverage
+- **DORA-Art-21-Telecom-ICT** — ICT third-party risk through telecom services, gap against telecom-financial cadence misalignment + slice-isolation
+- **UK-CAF-B5** — resilient networks principle, gap against signaling-anomaly + gNB attestation + slice-isolation outcome tests
+- **AU-ISM-1556** — privileged-user MFA, gap against telecom NMS service accounts + LI-gateway operator credentials + OEM remote-support tunnels
+- **GSMA-NESAS-Deployment** — NESAS product-time vs operator-attested-runtime posture gap
+- **3GPP-TR-33.926** — SCAS submission-time test gap against post-deployment adversary-modified firmware + cross-spec N6/N9 isolation testing gap
+- **ITU-T-X.805** — 2003 reference architecture gap against modern Salt Typhoon / signaling abuse / slice-isolation threat models
+
+One ATLAS technique added to `data/atlas-ttps.json`:
+
+- **AML.T0040 Tool / Plugin Compromise** — anchors the AI-RAN xApp / rApp + MCP-class plugin attack class. Real-world instances: CVE-2026-30623 (Anthropic MCP SDK stdio command-injection), three Pwn2Own Berlin 2026 collisions (Viettel Claude Code, STARLabs LM Studio, Compass OpenAI Codex). `secure_ai_v2_layer: true`, `maturity: high`.
+
+Total ATLAS entries: 29 → 30.
+
+### RFC reverse-reference
+
+`data/rfc-references.json` RFC-9622 (TAPS Architecture) `skills_referencing` array gains `sector-telecom` (paired with the existing `webapp-security` reference) to satisfy the manifest forward-reference invariant.
+
+### AGENTS.md Quick Skill Reference
+
+Adds the `sector-telecom` row to the skill trigger table.
+
+Test count: 1051 pass (5 skipped). Predeploy gates: 14/14. Skills: 39/39 signed; manifest envelope signed.
+
 ## 0.12.25 — 2026-05-15
 
 **Data-refresh release: catalog freshness, Hard Rule #7 AI-discovery posture, ATLAS v5.4 + ATT&CK v19 standards bumps, Pwn2Own Berlin 2026 forward-watch, NGINX Rift, framework deltas (PCI 4.0.1 / HIPAA 2026 NPRM / EU AI Act ITS / DORA RTS).**

package/data/_indexes/_meta.json

@@ -1,20 +1,20 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-15T21:42:12.284Z",
+  "generated_at": "2026-05-15T22:17:17.497Z",
   "generator": "scripts/build-indexes.js",
-  "source_count": 50,
+  "source_count": 51,
   "source_hashes": {
-    "manifest.json": "f239465cd6c7d357bc185eef6457023de3433c8e9d07feb0008319915d142cd0",
-    "data/atlas-ttps.json": "f3d3ecb459ef5fb0d2c8339cd37072e1367a08d5a2fdef3d92c892a4b52dab97",
+    "manifest.json": "492f8548ab8dc7d8edba1666d07c401d77e9459e356e3c30283888c73be6f005",
+    "data/atlas-ttps.json": "db52a797f6ba7c9a61fd7b1225ebbc268ddf21abe29a106c4246c2ed2e617b86",
     "data/attack-techniques.json": "6b45448aa42cc6664376c93da73356624708e935c12589ee8c776a10215bce3a",
     "data/cve-catalog.json": "a2acad16f5e3856b07019fa00110e9dcb38ec5cc71b318d0e164bfcba7f4f644",
     "data/cwe-catalog.json": "19893d2a7139d86ff3fcf296b0e6cda10e357727a1d1ffb56af282104e99157a",
     "data/d3fend-catalog.json": "d219520c8d3eb61a270b25ea60f64721035e98a8d5d51d1a4e1f1140d9a586f9",
     "data/dlp-controls.json": "8ea8d907aea0a2cfd772b048a62122a322ba3284a5c36a272ad5e9d392564cb5",
     "data/exploit-availability.json": "a9eeda95d24b56c28a0d0178fc601b531653e2ba7dc857160b35ad23ad6c7471",
-    "data/framework-control-gaps.json": "8fb42b8a1503bda7d24bc48e34c5e26c425f5985767853ed1e1b8b3a5318369e",
+    "data/framework-control-gaps.json": "e87790cae8839dc5d73632d7d875d12cffa2ad741a9002ec7851e1ae04df54c4",
     "data/global-frameworks.json": "0168825497e03f079274c9da2e5529310a2ba5bd7c7da7c93acd0b66ed845b8a",
-    "data/rfc-references.json": "e88c1517f0ffc45c27bc5805c01de87994b9e65b54071699b3d7cb5832b82c7a",
+    "data/rfc-references.json": "863f1ad7a36c020d11eb7bffea49ca1df89b10d43f3986118cdc5a5712308115",
     "data/zeroday-lessons.json": "d960e5f8ca7a83c10194cd60207e13046a7eee1b8793e2f3de79475db283f800",
     "skills/kernel-lpe-triage/skill.md": "8e94bfd38d6db47342fbbe95a0c8df8f7c38743982c13e9de6a1c59cd3783d33",
     "skills/ai-attack-surface/skill.md": "13e543fc92b9b27cdb647dce96a9eeb44919e0fa92ec41e8265a9981a23e7b79",
@@ -47,6 +47,7 @@
     "skills/sector-financial/skill.md": "eec3ce95f36a0f70532aac2f658ad6fb350233dd49c7d95da91144e6c4c4d16c",
     "skills/sector-federal-government/skill.md": "48c3c019502c8b758598331dbad8a9b121f8dd3dc6fc68bfaf506eba7e3843e5",
     "skills/sector-energy/skill.md": "875799aa2ad88744b646583fef0a3399abd42a979541dc99bf39825a5ef48ce9",
+    "skills/sector-telecom/skill.md": "3489410b0905cbf6b392ea7f7cde35ccd4b03de0d22d2d1b0c671e46d70962c9",
     "skills/api-security/skill.md": "302f7f6a071b856cc55a4cb5f0bc3f8566e31b5ebca58ca3bd78a91d4b6665ca",
     "skills/cloud-security/skill.md": "e0574c153aefbb0fc4581c78bc2d708ab7c49d6b5a45a985e51967b8ea740eb9",
     "skills/container-runtime-security/skill.md": "f06260f0c468d6a4f0409294899017edab45c98d71db1fedd7a630fe6a7bf53a",
@@ -55,35 +56,35 @@
     "skills/email-security-anti-phishing/skill.md": "b5a7693b3ddbd6cd83303d092bc5e324db431245d25c4945d9f65fcffa1995e7",
     "skills/age-gates-child-safety/skill.md": "c741d7dca9da0abb09bdebb8a02e803ce4ae9fb9a6904fb8df3ec19cae83917d"
   },
-  "skill_count": 38,
+  "skill_count": 39,
   "catalog_count": 11,
   "index_stats": {
     "xref_entries": {
       "cwe_refs": 34,
       "d3fend_refs": 20,
-      "framework_gaps": 49,
-      "atlas_refs": 9,
-      "attack_refs": 30,
-      "rfc_refs": 19,
+      "framework_gaps": 58,
+      "atlas_refs": 10,
+      "attack_refs": 32,
+      "rfc_refs": 20,
       "dlp_refs": 0
     },
-    "trigger_table_entries": 453,
+    "trigger_table_entries": 475,
     "chains_cve_entries": 27,
     "chains_cwe_entries": 55,
     "jurisdictions_indexed": 29,
-    "handoff_dag_nodes": 38,
-    "summary_cards": 38,
-    "section_offsets_skills": 38,
-    "token_budget_total_approx": 357564,
+    "handoff_dag_nodes": 39,
+    "summary_cards": 39,
+    "section_offsets_skills": 39,
+    "token_budget_total_approx": 362735,
     "recipes": 8,
     "jurisdiction_clocks": 29,
     "did_ladders": 8,
     "theater_fingerprints": 7,
     "currency_action_required": 0,
     "frequency_fields": 7,
-    "activity_feed_events": 50,
+    "activity_feed_events": 51,
     "catalog_summaries": 11,
-    "stale_content_findings": 1
+    "stale_content_findings": 3
   },
   "invalidation_note": "If any source file in source_hashes has a different SHA-256 than recorded here, the indexes are stale. Re-run `npm run build-indexes`."
 }

package/data/_indexes/activity-feed.json

@@ -2,16 +2,23 @@
   "_meta": {
     "schema_version": "1.0.0",
     "note": "Per-artifact 'last changed' feed sorted descending by date. Skill events from manifest.last_threat_review; catalog events from data/<catalog>.json _meta.last_updated.",
-    "event_count": 50
+    "event_count": 51
   },
   "events": [
+    {
+      "date": "2026-05-15",
+      "type": "skill_review",
+      "artifact": "sector-telecom",
+      "path": "skills/sector-telecom/skill.md",
+      "note": "Telecom and 5G security for mid-2026 — Salt Typhoon, Volt Typhoon, CALEA / IPA-LI gateway compromise, signaling-protocol abuse (SS7 / Diameter / GTP), 5G N6 / N9 isolation, gNB / DU / CU integrity, OEM-equipment supply-chain compromise, AI-RAN / O-RAN security"
+    },
     {
       "date": "2026-05-15",
       "type": "catalog_update",
       "artifact": "data/atlas-ttps.json",
       "path": "data/atlas-ttps.json",
       "schema_version": "1.0.0",
-      "entry_count": 29
+      "entry_count": 30
     },
     {
       "date": "2026-05-15",
@@ -35,7 +42,7 @@
       "artifact": "data/framework-control-gaps.json",
       "path": "data/framework-control-gaps.json",
       "schema_version": "1.0.0",
-      "entry_count": 78
+      "entry_count": 87
     },
     {
       "date": "2026-05-15",
@@ -364,7 +371,7 @@
       "type": "manifest_review",
       "artifact": "manifest.json",
       "path": "manifest.json",
-      "note": "manifest threat_review_date — 38 skills, 11 catalogs"
+      "note": "manifest threat_review_date — 39 skills, 11 catalogs"
     }
   ]
 }

package/data/_indexes/catalog-summaries.json

@@ -18,13 +18,13 @@
         "rebuild_after_days": 365,
         "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
       },
-      "entry_count": 29,
+      "entry_count": 30,
       "sample_keys": [
         "AML.T0001",
+        "AML.T0040",
         "AML.T0010",
         "AML.T0016",
-        "AML.T0017",
-        "AML.T0018"
+        "AML.T0017"
       ]
     },
     "attack-techniques.json": {
@@ -172,7 +172,7 @@
         "rebuild_after_days": 365,
         "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
       },
-      "entry_count": 78,
+      "entry_count": 87,
       "sample_keys": [
         "ALL-AI-PIPELINE-INTEGRITY",
         "ALL-MCP-TOOL-TRUST",

package/data/_indexes/chains.json

@@ -3804,11 +3804,12 @@
       "sector-healthcare",
       "sector-financial",
       "sector-energy",
+      "sector-telecom",
       "api-security",
       "cloud-security",
       "age-gates-child-safety"
     ],
-    "skill_count": 9,
+    "skill_count": 10,
     "chain": {
       "atlas": [
         {
@@ -3821,6 +3822,11 @@
           "name": "Discover ML Model Ontology",
           "tactic": "Discovery"
         },
+        {
+          "id": "AML.T0040",
+          "name": "Tool / Plugin Compromise",
+          "tactic": "Execution"
+        },
         {
           "id": "AML.T0051",
           "name": "LLM Prompt Injection",
@@ -3837,9 +3843,12 @@
         "T0883",
         "T1059",
         "T1068",
+        "T1071",
         "T1078",
+        "T1098",
         "T1110",
         "T1190",
+        "T1199",
         "T1486",
         "T1505",
         "T1530",
@@ -3848,11 +3857,41 @@
         "T1567"
       ],
       "framework_gaps": [
+        {
+          "id": "3GPP-TR-33.926",
+          "framework": "3GPP",
+          "control_name": "3GPP Security Assurance Specification (gNB / eNB)"
+        },
+        {
+          "id": "AU-ISM-1556",
+          "framework": "au-ism",
+          "control_name": "Multi-factor authentication for privileged users (telecom NMS application)"
+        },
+        {
+          "id": "DORA-Art-21-Telecom-ICT",
+          "framework": "DORA",
+          "control_name": "DORA Art. 21 — ICT third-party risk (telecom-adjacent application)"
+        },
+        {
+          "id": "FCC-CPNI-4.1",
+          "framework": "FCC-CPNI",
+          "control_name": "CPNI Annual Certification + Operational Compliance"
+        },
+        {
+          "id": "FCC-Cyber-Incident-Notification-2024",
+          "framework": "FCC",
+          "control_name": "FCC Cyber Incident Notification (4 business days)"
+        },
         {
           "id": "FedRAMP-Rev5-Moderate",
           "framework": "FedRAMP Rev 5 Moderate",
           "control_name": "FedRAMP Moderate baseline (NIST 800-53 Rev 5 tailoring)"
         },
+        {
+          "id": "GSMA-NESAS-Deployment",
+          "framework": "GSMA-NESAS",
+          "control_name": "NESAS at-deployment posture"
+        },
         {
           "id": "HIPAA-Security-Rule-164.312(a)(1)",
           "framework": "HIPAA Security Rule (45 CFR § 164.312)",
@@ -3878,11 +3917,21 @@
           "framework": "ISO/IEC 27001:2022",
           "control_name": "Outsourced development"
         },
+        {
+          "id": "ITU-T-X.805",
+          "framework": "ITU-T",
+          "control_name": "ITU-T X.805 — 8-dimension security architecture for end-to-end communications"
+        },
         {
           "id": "NERC-CIP-007-6-R4",
           "framework": "NERC CIP-007-6 (BES Cyber System Security Management)",
           "control_name": "Security event monitoring"
         },
+        {
+          "id": "NIS2-Annex-I-Telecom",
+          "framework": "NIS2",
+          "control_name": "NIS2 Annex I — telecommunications essential entities"
+        },
         {
           "id": "NIS2-Art21-patch-management",
           "framework": "EU NIS2 Directive",
@@ -3942,9 +3991,35 @@
           "id": "SWIFT-CSCF-v2026-1.1",
           "framework": "SWIFT Customer Security Controls Framework v2026",
           "control_name": "SWIFT Environment Protection"
+        },
+        {
+          "id": "UK-CAF-B5",
+          "framework": "UK-CAF",
+          "control_name": "Resilient networks and systems"
+        }
+      ],
+      "d3fend": [
+        {
+          "id": "D3-IOPR",
+          "name": "Input/Output Profiling Resource",
+          "tactic": "Detect"
+        },
+        {
+          "id": "D3-NI",
+          "name": "Network Isolation",
+          "tactic": "Isolate"
+        },
+        {
+          "id": "D3-NTA",
+          "name": "Network Traffic Analysis",
+          "tactic": "Detect"
+        },
+        {
+          "id": "D3-NTPM",
+          "name": "Network Traffic Policy Mapping",
+          "tactic": "Model"
         }
       ],
-      "d3fend": [],
       "rfc_refs": [
         {
           "id": "RFC-6749",
@@ -3986,6 +4061,11 @@
           "title": "HTTP Message Signatures",
           "status": "Proposed Standard"
         },
+        {
+          "id": "RFC-9622",
+          "title": "An Architecture for Transport Services",
+          "status": "Proposed Standard"
+        },
         {
           "id": "RFC-9700",
           "title": "Best Current Practice for OAuth 2.0 Security",
@@ -4005,9 +4085,10 @@
     "referencing_skills": [
       "identity-assurance",
       "ot-ics-security",
-      "sector-energy"
+      "sector-energy",
+      "sector-telecom"
     ],
-    "skill_count": 3,
+    "skill_count": 4,
     "chain": {
       "atlas": [
         {
@@ -4015,6 +4096,11 @@
           "name": "ML Supply Chain Compromise",
           "tactic": "Initial Access"
         },
+        {
+          "id": "AML.T0040",
+          "name": "Tool / Plugin Compromise",
+          "tactic": "Execution"
+        },
         {
           "id": "AML.T0051",
           "name": "LLM Prompt Injection",
@@ -4025,12 +4111,45 @@
         "T0855",
         "T0883",
         "T1068",
+        "T1071",
         "T1078",
+        "T1098",
         "T1110",
         "T1190",
+        "T1199",
         "T1556"
       ],
       "framework_gaps": [
+        {
+          "id": "3GPP-TR-33.926",
+          "framework": "3GPP",
+          "control_name": "3GPP Security Assurance Specification (gNB / eNB)"
+        },
+        {
+          "id": "AU-ISM-1556",
+          "framework": "au-ism",
+          "control_name": "Multi-factor authentication for privileged users (telecom NMS application)"
+        },
+        {
+          "id": "DORA-Art-21-Telecom-ICT",
+          "framework": "DORA",
+          "control_name": "DORA Art. 21 — ICT third-party risk (telecom-adjacent application)"
+        },
+        {
+          "id": "FCC-CPNI-4.1",
+          "framework": "FCC-CPNI",
+          "control_name": "CPNI Annual Certification + Operational Compliance"
+        },
+        {
+          "id": "FCC-Cyber-Incident-Notification-2024",
+          "framework": "FCC",
+          "control_name": "FCC Cyber Incident Notification (4 business days)"
+        },
+        {
+          "id": "GSMA-NESAS-Deployment",
+          "framework": "GSMA-NESAS",
+          "control_name": "NESAS at-deployment posture"
+        },
         {
           "id": "IEC-62443-3-3",
           "framework": "IEC 62443-3-3 (Industrial communication networks — security for IACS)",
@@ -4041,11 +4160,21 @@
           "framework": "ISO/IEC 27001:2022",
           "control_name": "Outsourced development"
         },
+        {
+          "id": "ITU-T-X.805",
+          "framework": "ITU-T",
+          "control_name": "ITU-T X.805 — 8-dimension security architecture for end-to-end communications"
+        },
         {
           "id": "NERC-CIP-007-6-R4",
           "framework": "NERC CIP-007-6 (BES Cyber System Security Management)",
           "control_name": "Security event monitoring"
         },
+        {
+          "id": "NIS2-Annex-I-Telecom",
+          "framework": "NIS2",
+          "control_name": "NIS2 Annex I — telecommunications essential entities"
+        },
         {
           "id": "NIS2-Art21-patch-management",
           "framework": "EU NIS2 Directive",
@@ -4075,9 +4204,35 @@
           "id": "SOC2-CC6-logical-access",
           "framework": "SOC 2 (AICPA Trust Services Criteria)",
           "control_name": "Logical and Physical Access Controls"
+        },
+        {
+          "id": "UK-CAF-B5",
+          "framework": "UK-CAF",
+          "control_name": "Resilient networks and systems"
+        }
+      ],
+      "d3fend": [
+        {
+          "id": "D3-IOPR",
+          "name": "Input/Output Profiling Resource",
+          "tactic": "Detect"
+        },
+        {
+          "id": "D3-NI",
+          "name": "Network Isolation",
+          "tactic": "Isolate"
+        },
+        {
+          "id": "D3-NTA",
+          "name": "Network Traffic Analysis",
+          "tactic": "Detect"
+        },
+        {
+          "id": "D3-NTPM",
+          "name": "Network Traffic Policy Mapping",
+          "tactic": "Model"
         }
       ],
-      "d3fend": [],
       "rfc_refs": [
         {
           "id": "RFC-6749",
@@ -4099,6 +4254,11 @@
           "title": "JSON Web Token Best Current Practices",
           "status": "Best Current Practice"
         },
+        {
+          "id": "RFC-9622",
+          "title": "An Architecture for Transport Services",
+          "status": "Proposed Standard"
+        },
         {
           "id": "RFC-9700",
           "title": "Best Current Practice for OAuth 2.0 Security",
@@ -6668,9 +6828,10 @@
       "mcp-agent-trust",
       "attack-surface-pentest",
       "webapp-security",
+      "sector-telecom",
       "api-security"
     ],
-    "skill_count": 4,
+    "skill_count": 5,
     "chain": {
       "atlas": [
         {
@@ -6688,6 +6849,11 @@
           "name": "Discover ML Model Ontology",
           "tactic": "Discovery"
         },
+        {
+          "id": "AML.T0040",
+          "name": "Tool / Plugin Compromise",
+          "tactic": "Execution"
+        },
         {
           "id": "AML.T0043",
           "name": "Craft Adversarial Data",
@@ -6706,19 +6872,53 @@
       ],
       "attack_refs": [
         "T1059",
+        "T1071",
         "T1078",
+        "T1098",
         "T1133",
         "T1190",
         "T1195.001",
+        "T1199",
         "T1505",
+        "T1556",
         "T1567"
       ],
       "framework_gaps": [
+        {
+          "id": "3GPP-TR-33.926",
+          "framework": "3GPP",
+          "control_name": "3GPP Security Assurance Specification (gNB / eNB)"
+        },
         {
           "id": "ALL-MCP-TOOL-TRUST",
           "framework": "ALL",
           "control_name": "MCP/Agent Tool Trust Boundaries"
         },
+        {
+          "id": "AU-ISM-1556",
+          "framework": "au-ism",
+          "control_name": "Multi-factor authentication for privileged users (telecom NMS application)"
+        },
+        {
+          "id": "DORA-Art-21-Telecom-ICT",
+          "framework": "DORA",
+          "control_name": "DORA Art. 21 — ICT third-party risk (telecom-adjacent application)"
+        },
+        {
+          "id": "FCC-CPNI-4.1",
+          "framework": "FCC-CPNI",
+          "control_name": "CPNI Annual Certification + Operational Compliance"
+        },
+        {
+          "id": "FCC-Cyber-Incident-Notification-2024",
+          "framework": "FCC",
+          "control_name": "FCC Cyber Incident Notification (4 business days)"
+        },
+        {
+          "id": "GSMA-NESAS-Deployment",
+          "framework": "GSMA-NESAS",
+          "control_name": "NESAS at-deployment posture"
+        },
         {
           "id": "ISO-27001-2022-A.8.28",
           "framework": "ISO/IEC 27001:2022",
@@ -6729,6 +6929,16 @@
           "framework": "ISO/IEC 27001:2022",
           "control_name": "Outsourced development"
         },
+        {
+          "id": "ITU-T-X.805",
+          "framework": "ITU-T",
+          "control_name": "ITU-T X.805 — 8-dimension security architecture for end-to-end communications"
+        },
+        {
+          "id": "NIS2-Annex-I-Telecom",
+          "framework": "NIS2",
+          "control_name": "NIS2 Annex I — telecommunications essential entities"
+        },
         {
           "id": "NIS2-Art21-patch-management",
           "framework": "EU NIS2 Directive",
@@ -6793,6 +7003,11 @@
           "id": "SWIFT-CSCF-v2026-1.1",
           "framework": "SWIFT Customer Security Controls Framework v2026",
           "control_name": "SWIFT Environment Protection"
+        },
+        {
+          "id": "UK-CAF-B5",
+          "framework": "UK-CAF",
+          "control_name": "Resilient networks and systems"
         }
       ],
       "d3fend": [
@@ -6816,15 +7031,30 @@
           "name": "Executable Hashbased Allowlist",
           "tactic": "Harden"
         },
+        {
+          "id": "D3-IOPR",
+          "name": "Input/Output Profiling Resource",
+          "tactic": "Detect"
+        },
         {
           "id": "D3-MFA",
           "name": "Multi-factor Authentication",
           "tactic": "Harden"
         },
+        {
+          "id": "D3-NI",
+          "name": "Network Isolation",
+          "tactic": "Isolate"
+        },
         {
           "id": "D3-NTA",
           "name": "Network Traffic Analysis",
           "tactic": "Detect"
+        },
+        {
+          "id": "D3-NTPM",
+          "name": "Network Traffic Policy Mapping",
+          "tactic": "Model"
         }
       ],
       "rfc_refs": [
@@ -6858,6 +7088,11 @@
           "title": "HTTP Message Signatures",
           "status": "Proposed Standard"
         },
+        {
+          "id": "RFC-9622",
+          "title": "An Architecture for Transport Services",
+          "status": "Proposed Standard"
+        },
         {
           "id": "RFC-9700",
           "title": "Best Current Practice for OAuth 2.0 Security",

package/data/_indexes/currency.json

@@ -6,7 +6,7 @@
     "decay_formula": "100 base; -30/-20/-10/-5 at 180/90/60/30-day thresholds. forward_watch count does NOT affect the score (it's a maintenance signal, not a staleness one). Label thresholds: ≥90 current, ≥70 acceptable, ≥50 stale, <50 critical_stale."
   },
   "summary": {
-    "current": 38,
+    "current": 39,
     "acceptable": 0,
     "stale": 0,
     "critical_stale": 0,
@@ -292,6 +292,15 @@
       "forward_watch_count": 0,
       "action_required": false
     },
+    {
+      "skill": "sector-telecom",
+      "last_threat_review": "2026-05-15",
+      "days_since_review": -14,
+      "currency_score": 100,
+      "currency_label": "current",
+      "forward_watch_count": 7,
+      "action_required": false
+    },
     {
       "skill": "security-maturity-tiers",
       "last_threat_review": "2026-05-01",