@blamejs/exceptd-skills 0.12.25 → 0.12.27

package/data/framework-control-gaps.json

@@ -1964,5 +1964,167 @@
     "attack_refs": [
       "T1195.001"
     ]
+  },
+  "FCC-CPNI-4.1": {
+    "framework": "FCC-CPNI",
+    "control_id": "47-CFR-64.2009(e)",
+    "control_name": "CPNI Annual Certification + Operational Compliance",
+    "designed_for": "Annual certification by US telecom carriers that they have established operating procedures to comply with CPNI rules; covers customer-proprietary network info disclosure to law enforcement and third parties.",
+    "misses": [
+      "Lawful-intercept (LI) gateway compromise detection — CPNI rules predate Salt Typhoon-class adversary access to CALEA-mandated systems",
+      "Anomalous LI activation requests from compromised admin accounts",
+      "Cross-PLMN signaling spike detection (SS7 / Diameter / GTP)",
+      "OEM firmware drift attestation on equipment that touches CPNI flows"
+    ],
+    "real_requirement": "Annual CPNI certification PLUS quarterly LI-gateway activation audit (PRC / Salt-Typhoon-class threat model), gNB firmware hash attestation, signaling-anomaly baselines per PLMN-pair.",
+    "status": "open",
+    "opened_date": "2026-05-15",
+    "evidence_cves": [],
+    "atlas_refs": ["AML.T0040"],
+    "attack_refs": ["T1078", "T1098", "T1199"]
+  },
+  "FCC-Cyber-Incident-Notification-2024": {
+    "framework": "FCC",
+    "control_id": "47-CFR-64.2011",
+    "control_name": "FCC Cyber Incident Notification (4 business days)",
+    "designed_for": "Notification rule requiring US telecom carriers to report PII or CPNI breaches within 4 business days of discovery (effective 2024-03-13).",
+    "misses": [
+      "No requirement to notify on lawful-intercept-system compromise that does not exfiltrate PII directly (e.g. Salt Typhoon access to LI feeds covering counter-intelligence targets)",
+      "No requirement to notify on signaling-protocol intrusion (SS7 / Diameter abuse) absent PII loss",
+      "4-business-day window is too slow for an ongoing nation-state campaign — peer regulators set tighter limits (NIS2 24h, DORA 4h)",
+      "No structured-data feed for cross-carrier IOC sharing"
+    ],
+    "real_requirement": "4-business-day window paired with 24-hour preliminary signal-flag for LI-system compromise + structured CISA / NSA / FBI IOC handoff format.",
+    "status": "open",
+    "opened_date": "2026-05-15",
+    "evidence_cves": [],
+    "atlas_refs": [],
+    "attack_refs": ["T1199", "T1078"]
+  },
+  "NIS2-Annex-I-Telecom": {
+    "framework": "NIS2",
+    "control_id": "Annex-I-Telecommunications",
+    "control_name": "NIS2 Annex I — telecommunications essential entities",
+    "designed_for": "NIS2 Directive (EU) 2022/2555 Annex I classifies telecom providers as essential entities, mandating risk management measures + 24h incident notification + supply-chain due diligence.",
+    "misses": [
+      "No specific obligations on lawful-intercept-system access controls (national-security scope deferred to MS-level law)",
+      "Supply-chain due diligence (Art. 21(2)(d)) does not name OEM-vendor-equipment firmware integrity attestation specifically",
+      "AI-RAN security obligations absent — O-RAN deployments span the entity boundary in ways the NIS2 risk-management framework does not yet model",
+      "24h notification clock starts at significant-incident-detection but signaling-protocol intrusion + slow-roll campaigns evade the trigger"
+    ],
+    "real_requirement": "Annex I + explicit LI-gateway operator-attested firmware hash + AI-RAN model-tampering controls + cross-PLMN signaling baseline obligation.",
+    "status": "open",
+    "opened_date": "2026-05-15",
+    "evidence_cves": [],
+    "atlas_refs": ["AML.T0040"],
+    "attack_refs": ["T1199", "T1078", "T1098"]
+  },
+  "DORA-Art-21-Telecom-ICT": {
+    "framework": "DORA",
+    "control_id": "Art-21-Telecom-ICT",
+    "control_name": "DORA Art. 21 — ICT third-party risk (telecom-adjacent application)",
+    "designed_for": "DORA Reg. (EU) 2022/2554 Art. 21 ICT third-party risk management; applies to financial entities consuming telecom-provided ICT services.",
+    "misses": [
+      "Telecom-to-financial trust boundary is asymmetric — DORA binds the financial entity but telecom providers (essential entities under NIS2) may not align reporting cadences",
+      "Lawful-intercept access by the telecom upstream is not in DORA scope but creates a parallel data-exposure surface",
+      "CTPP (critical third-party provider) oversight does not yet cover OEM equipment vendors transitively",
+      "No bridge to 5G slice-isolation obligations for financial-sector dedicated network slices"
+    ],
+    "real_requirement": "DORA Art. 21 + alignment with NIS2 telecom-essential-entity reporting + slice-isolation attestation for finance-dedicated 5G slices.",
+    "status": "open",
+    "opened_date": "2026-05-15",
+    "evidence_cves": [],
+    "atlas_refs": [],
+    "attack_refs": ["T1199"]
+  },
+  "UK-CAF-B5": {
+    "framework": "UK-CAF",
+    "control_id": "Principle-B5",
+    "control_name": "Resilient networks and systems",
+    "designed_for": "NCSC Cyber Assessment Framework Principle B5 — outcome-tested network resilience for essential service operators (incl. telecom under TSA 2021).",
+    "misses": [
+      "Signaling-protocol attack-surface (SS7 / Diameter / GTP) not in CAF B5 outcome tests",
+      "gNB / DU / CU integrity attestation not modeled — CAF B5 expects network-availability resilience, not equipment-supply-chain attestation",
+      "Lawful-intercept access path covered by separate IPA 2016 + TSA 2021 + Code of Practice — not CAF scope",
+      "AI-RAN slice-isolation testing not in the CAF outcome catalog"
+    ],
+    "real_requirement": "CAF B5 + signaling-anomaly detection + gNB firmware attestation outcome test + slice-isolation outcome test.",
+    "status": "open",
+    "opened_date": "2026-05-15",
+    "evidence_cves": [],
+    "atlas_refs": [],
+    "attack_refs": ["T1199", "T1078"]
+  },
+  "AU-ISM-1556": {
+    "framework": "au-ism",
+    "control_id": "ISM-1556",
+    "control_name": "Multi-factor authentication for privileged users (telecom NMS application)",
+    "designed_for": "Australian Government ISM control ISM-1556 — phishing-resistant MFA for privileged users + remote access.",
+    "misses": [
+      "Telecom NMS service accounts (which hold gNB / EMS / OSS access) often bypass human MFA",
+      "Service-account credential management policy is ISM-1559 (covered separately); ISM-1556 alone is insufficient for telecom OEM-vendor support tunnels",
+      "Lawful-intercept gateway operator credentials specifically uncovered — these are not always classified as privileged in telecom RBAC models",
+      "OEM remote-support inbound tunnels (Cisco TAC, Ericsson ENS) often pass credentials via shared mailbox — defeats MFA intent"
+    ],
+    "real_requirement": "ISM-1556 + telecom-NMS service-account FIDO2 enforcement + LI-gateway-specific MFA + OEM remote-support-tunnel federated-MFA mandate.",
+    "status": "open",
+    "opened_date": "2026-05-15",
+    "evidence_cves": [],
+    "atlas_refs": [],
+    "attack_refs": ["T1078", "T1098"]
+  },
+  "GSMA-NESAS-Deployment": {
+    "framework": "GSMA-NESAS",
+    "control_id": "NESAS-Deployment-Gap",
+    "control_name": "NESAS at-deployment posture",
+    "designed_for": "GSMA Network Equipment Security Assurance Scheme — product-time certification of telecom OEM equipment against 3GPP SCAS test cases (GSMA FS.13 / FS.14 / FS.15).",
+    "misses": [
+      "Certification is product-time (one snapshot, vendor-attested); deployment posture drifts as firmware / config evolves",
+      "No post-deployment attested-runtime check — operator has no canonical way to confirm a running gNB matches the certified build",
+      "Firmware update cadence is not tied to NESAS re-certification — vendor patches between certifications run uncertified",
+      "NESAS scope excludes the EMS / OSS / NMS systems that operate the equipment, which is where Salt Typhoon-class campaigns gained access"
+    ],
+    "real_requirement": "NESAS product-time certification PLUS operator-attested-runtime gNB hash + EMS / OSS NESAS-equivalent scheme + firmware-update-cadence-tied recertification.",
+    "status": "open",
+    "opened_date": "2026-05-15",
+    "evidence_cves": [],
+    "atlas_refs": [],
+    "attack_refs": ["T1199"]
+  },
+  "3GPP-TR-33.926": {
+    "framework": "3GPP",
+    "control_id": "TR-33.926",
+    "control_name": "3GPP Security Assurance Specification (gNB / eNB)",
+    "designed_for": "3GPP TR 33.926 Security Assurance Specification — security test cases applied against the gNB / eNB product class, paired with the broader 5G security architecture in TS 33.501.",
+    "misses": [
+      "TR 33.926 covers the equipment itself; the AI-RAN / O-RAN deployment is outside scope (O-RAN SFG / WG11 handles separately)",
+      "Test cases assume deterministic equipment behavior — adversary-modified firmware that passes TR 33.926 tests at submission time is undetected after the fact",
+      "N6 / N9 interface isolation testing is in TS 33.501 not TR 33.926 — operators consume both, gap is at the join",
+      "No bridge to ISM-1556-class operator-account hardening for the NMS that operates the certified equipment"
+    ],
+    "real_requirement": "TR 33.926 + post-deployment hash-attestation + O-RAN security WG11 alignment + cross-spec join testing between TR 33.926 and TS 33.501.",
+    "status": "open",
+    "opened_date": "2026-05-15",
+    "evidence_cves": [],
+    "atlas_refs": [],
+    "attack_refs": ["T1199"]
+  },
+  "ITU-T-X.805": {
+    "framework": "ITU-T",
+    "control_id": "X.805",
+    "control_name": "ITU-T X.805 — 8-dimension security architecture for end-to-end communications",
+    "designed_for": "ITU-T Recommendation X.805 (2003) — generic 8-dimension security architecture (access control, authentication, non-repudiation, data confidentiality, communication security, data integrity, availability, privacy) for telecom networks.",
+    "misses": [
+      "Specification predates 5G, O-RAN, AI-RAN, and CALEA / IPA-LI surface evolution; control language remains generic",
+      "No mapping to modern threat models (Salt Typhoon, signaling-protocol abuse)",
+      "Treated as reference architecture, not as a deployment-validation framework — operators rarely audit posture against X.805 dimensions directly",
+      "No bridge to NESAS / 3GPP / NIS2 / FCC CPNI specific obligations"
+    ],
+    "real_requirement": "X.805 8-dimension framing PLUS modern-threat-model annexes (LI-system compromise, signaling-protocol abuse, slice-isolation) + deployment-validation checklist.",
+    "status": "open",
+    "opened_date": "2026-05-15",
+    "evidence_cves": [],
+    "atlas_refs": [],
+    "attack_refs": ["T1199"]
   }
 }

package/data/rfc-references.json

@@ -463,7 +463,8 @@
     "relevance": "Transport Services (TAPS) architecture — abstracts the choice of underlying transport (TCP, QUIC, SCTP) behind a unified API that selects the protocol at runtime based on path conditions. Forward-watch relevance: webapp / AI-API client libraries that adopt TAPS may transparently shift between TCP-HTTP/2 and QUIC-HTTP/3 mid-session, complicating boundary inspection assumptions that pin to a single transport. Currently tracked as a deployment-watch item rather than an operational control point.",
     "lag_notes": "Architecture document; companion documents (TAPS implementation, TAPS programming interface) are still in progress at IETF TAPS WG. Enterprise tooling impact is forward-looking.",
     "skills_referencing": [
-      "webapp-security"
+      "webapp-security",
+      "sector-telecom"
     ],
     "last_verified": "2026-05-15"
   },

package/lib/flag-suggest.js

@@ -79,21 +79,25 @@ const VERB_FLAG_ALLOWLIST = Object.freeze({
     'mode', 'air-gap', 'force-stale', 'operator', 'ack', 'csaf-status',
     'publisher-namespace', 'vex', 'all', 'scope', 'required', 'format',
     'strict-preconditions', 'block-on-jurisdiction-clock', 'tlp',
+    'bundle-deterministic', 'bundle-epoch',
   ],
   'run-all': [
     'evidence', 'evidence-dir', 'session-id', 'force-overwrite', 'attestation-root',
     'mode', 'air-gap', 'force-stale', 'operator', 'ack', 'csaf-status',
     'publisher-namespace', 'vex', 'scope', 'strict-preconditions', 'tlp',
+    'bundle-deterministic', 'bundle-epoch',
   ],
   'ai-run': [
     'evidence', 'no-stream', 'session-id', 'force-overwrite', 'attestation-root',
     'operator', 'ack', 'csaf-status', 'publisher-namespace', 'air-gap',
     'mode', 'force-stale', 'tlp',
+    'bundle-deterministic', 'bundle-epoch',
   ],
   ingest: [
     'evidence', 'session-id', 'force-overwrite', 'attestation-root', 'operator',
     'ack', 'csaf-status', 'publisher-namespace', 'air-gap', 'force-stale',
     'strict-preconditions',
+    'bundle-deterministic', 'bundle-epoch',
   ],
   brief: ['all', 'scope', 'directives', 'flat', 'phase'],
   discover: ['scan-only', 'scope'],

package/lib/playbook-runner.js

@@ -1515,6 +1515,13 @@ function close(playbookId, directiveId, analyzeResult, validateResult, agentSign
   // bypass run() (e.g. unit tests).
   const sessionId = runOpts.session_id || crypto.randomBytes(8).toString('hex');
 
+  // v0.12.27: when opt-in deterministic bundle mode is set, resolve the
+  // single frozen epoch used by every timestamp surface below. Cached for
+  // the whole close() call so notification_actions, regression_schedule,
+  // and the bundle emitter all agree on the same Date.
+  const deterministic = runOpts.bundleDeterministic === true;
+  const frozenEpoch = deterministic ? resolveFrozenEpoch(runOpts, playbook) : null;
+
   // notification_actions — compute ISO deadlines from clock_starts events.
   // v0.11.12 (#123): enrich each entry with the matched obligation's
   // jurisdiction/regulation/window_hours/evidence_required fields. The
@@ -1605,7 +1612,10 @@ function close(playbookId, directiveId, analyzeResult, validateResult, agentSign
           framework_id: playbook.domain.frameworks_in_scope[0] || 'unspecified',
           control_id: analyzeResult.framework_gap_mapping?.[0]?.claimed_control || 'unspecified',
           ciso_name: agentSignals.ciso_name || '<CISO NAME>',
-          acceptance_date: new Date().toISOString().slice(0, 10),
+          // v0.12.27: deterministic mode roots acceptance_date in the
+          // frozen epoch so two runs against the same evidence emit the
+          // same auditor-facing date.
+          acceptance_date: (deterministic ? frozenEpoch : new Date().toISOString()).slice(0, 10),
           duration_expiry: agentSignals.duration_expiry || 'until vendor patch'
         })
       };
@@ -1628,7 +1638,11 @@ function close(playbookId, directiveId, analyzeResult, validateResult, agentSign
   // spurious millisecond drift on tracking.initial_release_date /
   // timestamp / current_release_date.
   const evidencePackage = c.evidence_package ? (() => {
-    const issuedAt = new Date().toISOString();
+    // v0.12.27: deterministic mode pins issuedAt to the frozen epoch so
+    // CSAF tracking.{initial_release_date,current_release_date,
+    // generator.date,revision_history[0].date} and OpenVEX timestamp +
+    // statements[].timestamp all collapse to a single, byte-stable value.
+    const issuedAt = deterministic ? frozenEpoch : new Date().toISOString();
     const builtFormats = new Map();
     const buildOnce = (format) => {
       if (!builtFormats.has(format)) {
@@ -1680,11 +1694,27 @@ function close(playbookId, directiveId, analyzeResult, validateResult, agentSign
   } : { enabled: false };
 
   // regression_schedule
-  const regressionSchedule = c.regression_schedule ? {
-    next_run: validateResult.regression_next_run,
-    trigger: c.regression_schedule.trigger,
-    notify_on_skip: c.regression_schedule.notify_on_skip !== false
-  } : null;
+  //
+  // v0.12.27: deterministic mode re-derives next_run from the frozen epoch
+  // rather than wall-clock-now-at-validate-time. Without this, two runs
+  // against the same evidence diverge on next_run by the interval between
+  // the two `validate()` invocations. Frozen base + the same interval set
+  // = byte-identical schedule.
+  const regressionSchedule = c.regression_schedule ? (() => {
+    let nextRun = validateResult.regression_next_run;
+    if (deterministic) {
+      // Re-derive against the validate phase's trigger set (not the
+      // close phase's regression_schedule subtree — close has no triggers
+      // of its own, just the canonical interval declared upstream).
+      const v = resolvedPhase(playbook, directiveId, 'validate');
+      nextRun = frozenRegressionNextRun(v.regression_trigger || [], new Date(frozenEpoch));
+    }
+    return {
+      next_run: nextRun,
+      trigger: c.regression_schedule.trigger,
+      notify_on_skip: c.regression_schedule.notify_on_skip !== false
+    };
+  })() : null;
 
   // feeds_into chaining — full analyze result is exposed so conditions can
   // reference `analyze.compliance_theater_check.verdict` etc.
@@ -1996,6 +2026,40 @@ function getEngineVersion() {
   return _CACHED_PKG_VERSION;
 }
 
+// v0.12.27: deterministic-bundle epoch resolution. Priority:
+//   1. runOpts.bundleEpoch (operator-supplied --bundle-epoch <ISO>)
+//   2. playbook._meta.last_threat_review (the freshness anchor that already
+//      gates every shipped playbook — stable across re-runs of the same
+//      catalog version)
+//   3. '1970-01-01T00:00:00Z' fallback (effectively impossible in practice
+//      because every shipped playbook carries last_threat_review, but
+//      guarantees the deterministic path never crashes on a malformed
+//      playbook).
+// Returns a full ISO-8601 timestamp (date-only inputs are normalised).
+function resolveFrozenEpoch(runOpts, playbook) {
+  const raw = runOpts && runOpts.bundleEpoch
+    ? runOpts.bundleEpoch
+    : (playbook && playbook._meta && playbook._meta.last_threat_review)
+      || '1970-01-01T00:00:00Z';
+  try { return new Date(raw).toISOString(); }
+  catch { return '1970-01-01T00:00:00Z'; }
+}
+
+// Recompute regression_schedule.next_run against a frozen `now` so two
+// deterministic-mode runs of the same playbook produce byte-identical
+// schedules. Mirrors computeRegressionNextRun but with an injected base
+// date. Returns the soonest ISO timestamp or null when no interval-based
+// trigger fired.
+function frozenRegressionNextRun(triggers, frozenNow) {
+  let soonest = null;
+  for (const t of (triggers || [])) {
+    const parsed = parseInterval(t.interval, frozenNow);
+    if (!parsed || !parsed.date) continue;
+    if (!soonest || parsed.date < soonest) soonest = parsed.date;
+  }
+  return soonest ? soonest.toISOString() : null;
+}
+
 // Operator-supplied identity strings (--operator) and publisher namespace
 // URLs (--publisher-namespace) flow into operator-facing CSAF surfaces.
 // Strip ASCII control characters as defence in depth — bin/exceptd.js
@@ -2410,7 +2474,19 @@ function buildEvidenceBundle(format, playbook, analyze, validate, agentSignals,
         if (branches.length > 0) tree.branches = branches;
         return tree;
       })(),
-      vulnerabilities: [...cveVulns, ...indicatorVulns],
+      vulnerabilities: (function () {
+        // v0.12.27: deterministic mode sorts vulnerabilities[] by their
+        // primary identifier (cve_id for CVE entries, ids[0].text otherwise)
+        // ascending. Default mode preserves insertion order so existing
+        // operators see byte-identical output to pre-v0.12.27.
+        const all = [...cveVulns, ...indicatorVulns];
+        if (runOpts && runOpts.bundleDeterministic === true) {
+          const keyOf = (v) => (typeof v.cve === 'string' && v.cve)
+            || (Array.isArray(v.ids) && v.ids[0] && typeof v.ids[0].text === 'string' ? v.ids[0].text : '');
+          return all.slice().sort((a, b) => keyOf(a).localeCompare(keyOf(b)));
+        }
+        return all;
+      })(),
       exceptd_extension: {
         classification: analyze._detect_classification,
         rwep: analyze.rwep,
@@ -2642,7 +2718,17 @@ function buildEvidenceBundle(format, playbook, analyze, validate, agentSignals,
       author: 'exceptd',
       timestamp: issued,
       version: 1,
-      statements: [...cveStatements, ...indicatorStatements],
+      statements: (function () {
+        // v0.12.27: deterministic mode sorts statements[] by
+        // vulnerability['@id'] ascending. Insertion order otherwise.
+        const all = [...cveStatements, ...indicatorStatements];
+        if (runOpts && runOpts.bundleDeterministic === true) {
+          const keyOf = (s) => (s && s.vulnerability && typeof s.vulnerability['@id'] === 'string')
+            ? s.vulnerability['@id'] : '';
+          return all.slice().sort((a, b) => keyOf(a).localeCompare(keyOf(b)));
+        }
+        return all;
+      })(),
     };
   }
 
@@ -2948,7 +3034,28 @@ function run(playbookId, directiveId, agentSubmission = {}, runOpts = {}) {
   // Without the single-source-of-truth, close() would mint its own id
   // and operators correlating attestation files to embedded bundle URNs
   // would see mismatches.
-  const sessionId = runOpts.session_id || crypto.randomBytes(8).toString('hex');
+  //
+  // v0.12.27: when runOpts.bundleDeterministic is set AND the operator did
+  // not pass --session-id, derive the session_id from the submission shape
+  // so two runs against identical evidence produce the same id (and
+  // therefore the same CSAF tracking.id / OpenVEX @id / attestation file
+  // name). Mirrors the evidence_hash path further down but is computed
+  // here so close() can thread it through. Operator-supplied --session-id
+  // still wins on collision.
+  let sessionId;
+  if (runOpts.session_id) {
+    sessionId = runOpts.session_id;
+  } else if (runOpts.bundleDeterministic) {
+    const submissionDigest = crypto.createHash('sha256')
+      .update(canonicalStringify(extractSubmissionForHash(agentSubmission)))
+      .digest('hex');
+    sessionId = crypto.createHash('sha256')
+      .update(`${playbookId}\0${submissionDigest}\0${getEngineVersion()}`)
+      .digest('hex')
+      .slice(0, 16);
+  } else {
+    sessionId = crypto.randomBytes(8).toString('hex');
+  }
   const cachedRunOpts = { ...runOpts, _playbookCache: playbook, session_id: sessionId };
   // Run-time error accumulator for evalCondition regex failures and other
   // non-fatal anomalies surfaced into analyze.runtime_errors[].

package/manifest-snapshot.json

@@ -1,8 +1,8 @@
 {
   "_comment": "Auto-generated by scripts/refresh-manifest-snapshot.js — do not hand-edit. Public skill surface used by check-manifest-snapshot.js to detect breaking removals.",
-  "_generated_at": "2026-05-15T21:41:39.732Z",
+  "_generated_at": "2026-05-15T22:38:13.114Z",
   "atlas_version": "5.1.0",
-  "skill_count": 38,
+  "skill_count": 39,
   "skills": [
     {
       "name": "age-gates-child-safety",
@@ -1543,6 +1543,79 @@
       "d3fend_refs": [],
       "dlp_refs": []
     },
+    {
+      "name": "sector-telecom",
+      "version": "1.0.0",
+      "triggers": [
+        "3gpp tr 33.926",
+        "3gpp ts 33.501",
+        "4-business-day notification",
+        "5g core",
+        "au soci",
+        "calea",
+        "diameter",
+        "fcc cpni",
+        "gnb integrity",
+        "gsma nesas",
+        "gtp",
+        "itu-t x.805",
+        "lawful intercept",
+        "n6 n9 isolation",
+        "nis2 annex i",
+        "o-ran",
+        "salt typhoon",
+        "ss7",
+        "telecom security",
+        "tssr",
+        "uk tsa 2021",
+        "volt typhoon"
+      ],
+      "data_deps": [
+        "atlas-ttps.json",
+        "cve-catalog.json",
+        "cwe-catalog.json",
+        "d3fend-catalog.json",
+        "framework-control-gaps.json",
+        "global-frameworks.json"
+      ],
+      "atlas_refs": [
+        "AML.T0040"
+      ],
+      "attack_refs": [
+        "T1071",
+        "T1078",
+        "T1098",
+        "T1190",
+        "T1199",
+        "T1556"
+      ],
+      "framework_gaps": [
+        "3GPP-TR-33.926",
+        "AU-ISM-1556",
+        "DORA-Art-21-Telecom-ICT",
+        "FCC-CPNI-4.1",
+        "FCC-Cyber-Incident-Notification-2024",
+        "GSMA-NESAS-Deployment",
+        "ITU-T-X.805",
+        "NIS2-Annex-I-Telecom",
+        "UK-CAF-B5"
+      ],
+      "rfc_refs": [
+        "RFC-9622"
+      ],
+      "cwe_refs": [
+        "CWE-287",
+        "CWE-306",
+        "CWE-918"
+      ],
+      "d3fend_refs": [
+        "D3-IOPR",
+        "D3-NI",
+        "D3-NTA",
+        "D3-NTPM"
+      ],
+      "dlp_refs": []
+    },
     {
       "name": "security-maturity-tiers",
       "version": "1.0.0",

package/manifest-snapshot.sha256

@@ -1 +1 @@
-e00285a7e3629aac068b46959038a8e9b1ead1ba7c722796c8c749f2b64ed764  manifest-snapshot.json
+259bbbc7ec375bfb21c2e8fe4c397cca265b33b357e19282d34acff932752237  manifest-snapshot.json