@blamejs/exceptd-skills 0.12.27 → 0.12.28

package/manifest.json

@@ -1,6 +1,6 @@
 {
   "name": "exceptd-security",
-  "version": "0.12.27",
+  "version": "0.12.28",
   "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation",
   "homepage": "https://exceptd.com",
   "license": "Apache-2.0",
@@ -52,7 +52,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "N6H4u/u1fCFE6f/3QVkAr2cumZvLNE+xYBC91CCxKoeaSKm5zqbwzb2mvFDk9XKUegUy5W6npLFGi75yxNMIAg==",
-      "signed_at": "2026-05-15T22:38:12.653Z",
+      "signed_at": "2026-05-15T23:28:24.292Z",
       "cwe_refs": [
         "CWE-125",
         "CWE-362",
@@ -116,7 +116,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "Xen6ojQGzT4AZUN/WtuQon+gT2UrJyX50nrZwEdxLw5aiz8gDaeMkWo/Bic+h4NFEF7MRd7uDTm0dvKgWnlRBA==",
-      "signed_at": "2026-05-15T22:38:12.655Z",
+      "signed_at": "2026-05-15T23:28:24.294Z",
       "cwe_refs": [
         "CWE-1039",
         "CWE-1426",
@@ -179,7 +179,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "IDhdamTvyWfnz7SvIMrVMz2cwLuiP2/Iw2iYHFNbI1O302XnrGyIVsJcoKZa5QFClBYPiABVt+yI5HEuLxMCBw==",
-      "signed_at": "2026-05-15T22:38:12.655Z",
+      "signed_at": "2026-05-15T23:28:24.294Z",
       "cwe_refs": [
         "CWE-22",
         "CWE-345",
@@ -225,7 +225,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "cPRRTsNQT1MYR3cE5O3KdC4MB037EMc0fsMIbOyfOv16sR+DkiXmAhQOjlIC47HngHz3vhLI+rbqItN91VWpBg==",
-      "signed_at": "2026-05-15T22:38:12.656Z"
+      "signed_at": "2026-05-15T23:28:24.294Z"
     },
     {
       "name": "compliance-theater",
@@ -256,7 +256,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "79NrFMRsqGsipWeE5ETQSVICGO4BjTJYgyir+PSaNVFpkLqLcwZd8Dr1V7iwX0H0fXFL3WpPz35gtrYCEG32BQ==",
-      "signed_at": "2026-05-15T22:38:12.656Z"
+      "signed_at": "2026-05-15T23:28:24.295Z"
     },
     {
       "name": "exploit-scoring",
@@ -285,7 +285,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "O7YIzAOQtSCFD0pyUdF0otYy9xwksrRGCLnSw5aMMGOs0SYeYA1JsMX5XLxNOQJC8tURC21HgQc/yx22jLtvAw==",
-      "signed_at": "2026-05-15T22:38:12.656Z"
+      "signed_at": "2026-05-15T23:28:24.295Z"
     },
     {
       "name": "rag-pipeline-security",
@@ -322,7 +322,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "ai6ebp9pz7dBigm2rQvQ0SklhDZtHqP3exKtolbEBiN0shQScypJfDBaQN2J3aoOC4dZjjTgIZvGfWLmBxrxBA==",
-      "signed_at": "2026-05-15T22:38:12.657Z",
+      "signed_at": "2026-05-15T23:28:24.295Z",
       "cwe_refs": [
         "CWE-1395",
         "CWE-1426"
@@ -379,7 +379,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "BkDjyCF53MAATVfzERmIhEhi474eWloxD0qyw9Gvw+VFE8aH3pOi+yeCpc0kq0vHAVmAEszwxBKEcuLkJbmSBg==",
-      "signed_at": "2026-05-15T22:38:12.657Z",
+      "signed_at": "2026-05-15T23:28:24.296Z",
       "d3fend_refs": [
         "D3-CA",
         "D3-CSPP",
@@ -414,7 +414,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "DxfXhSyoAGUo1emHh0uIIcg324ZreBYxmFdBDVAKOOuPmMlfN4RqNc/JGDSfVmMv5CjgYCUcSmkcYB0A5lk0Cg==",
-      "signed_at": "2026-05-15T22:38:12.657Z",
+      "signed_at": "2026-05-15T23:28:24.296Z",
       "cwe_refs": [
         "CWE-1188"
       ]
@@ -442,7 +442,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "rFQ82v+1oAHWixWcGwokKhjZHfXUf6N7EfSgldhQ5Jrbiy3kv5CIbnOCsI6zPWyErSnpKVeBFTabJXnzLrzDCQ==",
-      "signed_at": "2026-05-15T22:38:12.658Z"
+      "signed_at": "2026-05-15T23:28:24.297Z"
     },
     {
       "name": "global-grc",
@@ -474,7 +474,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "7yVjZkanFMKDQqXdX4B/7oLc2Rz72xHC1zscYd8F/+e5UAbR7ikK8Bn5EKZt3aBEOhHPAviSQNCMxpZD9U00CA==",
-      "signed_at": "2026-05-15T22:38:12.658Z"
+      "signed_at": "2026-05-15T23:28:24.297Z"
     },
     {
       "name": "zeroday-gap-learn",
@@ -501,7 +501,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "VlPR7yY39hEwDJYYKPgHAOeax9LU0X7eIrR8L7zMFJWS0SdKTalOXXJtD9GppByftnkYAAdryZ8tHQ/KWLtaBQ==",
-      "signed_at": "2026-05-15T22:38:12.659Z"
+      "signed_at": "2026-05-15T23:28:24.297Z"
     },
     {
       "name": "pqc-first",
@@ -553,7 +553,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "V+qn5FqUlETfsEjvvi6jZGuQdqLFtFejfgPA6KSYxSlBXBTbOBXP3BGk5S+ba9akIzgbKh1j9VGB1MqsIt56DA==",
-      "signed_at": "2026-05-15T22:38:12.659Z",
+      "signed_at": "2026-05-15T23:28:24.298Z",
       "cwe_refs": [
         "CWE-327"
       ],
@@ -600,7 +600,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "WCNz19186cER1eEhCophTIbnL3ltS3FC98I1rfv463aRnuVxPB3sUlD9xHTbxTM2rUABhqKijhdkWiMh2uKxCQ==",
-      "signed_at": "2026-05-15T22:38:12.659Z"
+      "signed_at": "2026-05-15T23:28:24.298Z"
     },
     {
       "name": "security-maturity-tiers",
@@ -637,7 +637,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "zjq6ACAHD46xvhvQJKlrCPh5xDCuBuIWBI+QJB8RxcudpC7p7I1pqv+BY8DZdsAgU4tquCU8KC+xlduMIk3/DQ==",
-      "signed_at": "2026-05-15T22:38:12.660Z",
+      "signed_at": "2026-05-15T23:28:24.298Z",
       "cwe_refs": [
         "CWE-1188"
       ]
@@ -672,7 +672,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-11",
       "signature": "/lGgWehCMQUXjI6w4FUa+5wrbyRnct+txvVcXA+D2/ZEkoJKh+J/psO3j5HPf7Hpv+Y5SmkH71CoO+9qilyVDQ==",
-      "signed_at": "2026-05-15T22:38:12.660Z"
+      "signed_at": "2026-05-15T23:28:24.298Z"
     },
     {
       "name": "attack-surface-pentest",
@@ -743,7 +743,7 @@
         "PTES revision incorporating AI-surface enumeration"
       ],
       "signature": "RqQMwOKK7xjG9e/Ls4986NOrDwKz/nQmpw1DwNJwV2nlOztyo7MgxUG3kTuLbuW3qCrrkO+CbpBA5nGS1cmKBQ==",
-      "signed_at": "2026-05-15T22:38:12.660Z"
+      "signed_at": "2026-05-15T23:28:24.299Z"
     },
     {
       "name": "fuzz-testing-strategy",
@@ -803,7 +803,7 @@
         "OSS-Fuzz-Gen / AI-assisted harness generation becoming the default expectation for OSS maintainers"
       ],
       "signature": "+ELdD+1AY5DymBitH7wU65CS60NY1nDoLowJAFn7cE5Gr/5jy9BTkyxsm7PEXaSlXWMOkTf/HQ+uyzyxUVD/Bw==",
-      "signed_at": "2026-05-15T22:38:12.661Z"
+      "signed_at": "2026-05-15T23:28:24.299Z"
     },
     {
       "name": "dlp-gap-analysis",
@@ -878,7 +878,7 @@
         "Quebec Law 25, India DPDPA, KSA PDPL enforcement actions naming AI-tool prompt data as in-scope personal information"
       ],
       "signature": "vL5XeQOk7vwX0sLMuKghj6XLnXsqKcGpCUNMui9HwqnWyNQwgSRGu+JFqP7ZqpP3SUYRZHcVlWhXeTJHyOtiAA==",
-      "signed_at": "2026-05-15T22:38:12.661Z"
+      "signed_at": "2026-05-15T23:28:24.299Z"
     },
     {
       "name": "supply-chain-integrity",
@@ -955,7 +955,7 @@
         "OpenSSF model-signing — emerging Sigstore-based signing standard for ML model weights; track for production adoption"
       ],
       "signature": "jp3MxKukV7zW47eX3VcAIMG5WxypMDcfHqwYDodI9YQgTxEojCrRcMSApaoZHTdD3yTQC1JtkXeKxU6K3C5NCg==",
-      "signed_at": "2026-05-15T22:38:12.661Z"
+      "signed_at": "2026-05-15T23:28:24.300Z"
     },
     {
       "name": "defensive-countermeasure-mapping",
@@ -1012,7 +1012,7 @@
       ],
       "last_threat_review": "2026-05-11",
       "signature": "XZigwq8X/csfrdG10O6Q1V5q0zUqSQGd3QrjRKkZ4fkaodG4mZahYuIQqxc8rU9jjtGAm9LtBXYB+I5csqj9Bw==",
-      "signed_at": "2026-05-15T22:38:12.662Z"
+      "signed_at": "2026-05-15T23:28:24.300Z"
     },
     {
       "name": "identity-assurance",
@@ -1079,7 +1079,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "k0HrsZMBxiPWB1jl4dRwhv/R5IsqbZ+SLDv1Jx3/sRl51JyXjtm8vyogTNhSwsl5/IkaRakqIPJFRFRl5h/9CQ==",
-      "signed_at": "2026-05-15T22:38:12.662Z"
+      "signed_at": "2026-05-15T23:28:24.300Z"
     },
     {
       "name": "ot-ics-security",
@@ -1135,7 +1135,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "oHxjumOhk8y86WcwhAX8sSWIlPzt60KfTMn4DCJLeRrrQd5+i54fVADKAdZ3vOqfDN+DexO0uX4f5dLPtacRCQ==",
-      "signed_at": "2026-05-15T22:38:12.662Z"
+      "signed_at": "2026-05-15T23:28:24.301Z"
     },
     {
       "name": "coordinated-vuln-disclosure",
@@ -1187,7 +1187,7 @@
         "NYDFS 23 NYCRR 500 amendments potentially adding explicit CVD program requirements"
       ],
       "signature": "UCiNjncvhkZItmLQA/Sm1/NCsOiLMwdCjfUw+067v4NIxhaMMaqRrAeD3KgMyEtov7m2Hq2kfwYSt5+DQsYDCQ==",
-      "signed_at": "2026-05-15T22:38:12.663Z"
+      "signed_at": "2026-05-15T23:28:24.301Z"
     },
     {
       "name": "threat-modeling-methodology",
@@ -1237,7 +1237,7 @@
         "PASTA v2 updates incorporating AI/ML application threats"
       ],
       "signature": "V9kl8Cf8UMjNFyn3D/fSyhWHLeXWlx3WV/jT9jdF9SrjfDqymimuTt2o91cZ2FOEJndAH9V0JGXB13Ohz8K4CQ==",
-      "signed_at": "2026-05-15T22:38:12.663Z"
+      "signed_at": "2026-05-15T23:28:24.301Z"
     },
     {
       "name": "webapp-security",
@@ -1311,7 +1311,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "ENSL4MJSNXhriKsTVBjg2jTc7JTtb6mxqbfBw/SVVajPMkLMcLBk4Gem9LhZWZ8DSqyWLnFO2d6hlz5q8bjuCg==",
-      "signed_at": "2026-05-15T22:38:12.663Z"
+      "signed_at": "2026-05-15T23:28:24.301Z"
     },
     {
       "name": "ai-risk-management",
@@ -1361,7 +1361,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "8E82UwKFNraXV/MKAbiUV6gUryYuN+Ff/kiv1aW4/XtriShdTyt/UgRuQJ8LXGXl0jMH8hRJ/xTAV8LOJqexDA==",
-      "signed_at": "2026-05-15T22:38:12.663Z"
+      "signed_at": "2026-05-15T23:28:24.302Z"
     },
     {
       "name": "sector-healthcare",
@@ -1421,7 +1421,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "BDuLcpTeFp2BNSf1q4rYOhYKNhlgd3o5RZ0Uw9xW5olyYxPbZSgqekQ+6Ggaec09s7y6sqR37GS0vuAMdbrdDQ==",
-      "signed_at": "2026-05-15T22:38:12.664Z"
+      "signed_at": "2026-05-15T23:28:24.302Z"
     },
     {
       "name": "sector-financial",
@@ -1502,7 +1502,7 @@
         "TIBER-EU framework v2.0 alignment with DORA TLPT RTS (JC 2024/40); cross-recognition with CBEST and iCAST"
       ],
       "signature": "w12QqGBlRDaDVYug9uQVmEbxR7+gX23rOKZSjlt3XcszYDHBCRiP4cBRKMuEguu44DCaQsg+Btu4vAVMlss9Dg==",
-      "signed_at": "2026-05-15T22:38:12.664Z"
+      "signed_at": "2026-05-15T23:28:24.303Z"
     },
     {
       "name": "sector-federal-government",
@@ -1571,7 +1571,7 @@
         "Australia PSPF 2024 revision and ISM quarterly updates — track for Essential Eight Maturity Level requirements for federal entities"
       ],
       "signature": "nMsyJ+rp5fM8/VjC7zsZyDjOC4hpxB+noT1VX7W0HBlq5t3SY56cwOGApwES/kBcCuf4qexKY376OxUr93zvCQ==",
-      "signed_at": "2026-05-15T22:38:12.665Z"
+      "signed_at": "2026-05-15T23:28:24.303Z"
     },
     {
       "name": "sector-energy",
@@ -1636,7 +1636,7 @@
         "ICS-CERT advisory feed (https://www.cisa.gov/news-events/cybersecurity-advisories/ics-advisories) for vendor CVEs in Siemens, Rockwell, Schneider Electric, ABB, GE Vernova, Hitachi Energy, AVEVA / OSIsoft PI"
       ],
       "signature": "L1moEqEGkBkqY/3ohJcfqrlJn40UurDCyb2MOP/IwTAeZD+QbVZ17/drdsydkJ6qSXPiyiE6u8HDfZsDS13NBQ==",
-      "signed_at": "2026-05-15T22:38:12.665Z"
+      "signed_at": "2026-05-15T23:28:24.304Z"
     },
     {
       "name": "sector-telecom",
@@ -1722,7 +1722,7 @@
         "O-RAN SFG / WG11 security specifications"
       ],
       "signature": "VKLuoRkFq7lNXqySipwzPSaiHaqemHQ2cReemF/Xy9hUpD9orQaTVZWClOA4lzoF6d2eQ/CeS///Jjnj4g9dCg==",
-      "signed_at": "2026-05-15T22:38:12.666Z"
+      "signed_at": "2026-05-15T23:28:24.304Z"
     },
     {
       "name": "api-security",
@@ -1791,7 +1791,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "JHGu5OI35payaFR1At3XZIX4HnflgF3lI9vk/XsHpu0loWHtbTiA/SrNzTuWO+be8aIfd36uNz7WnJNwBTCHDA==",
-      "signed_at": "2026-05-15T22:38:12.666Z"
+      "signed_at": "2026-05-15T23:28:24.304Z"
     },
     {
       "name": "cloud-security",
@@ -1872,7 +1872,7 @@
         "CISA KEV additions for cloud-control-plane CVEs (IMDSv1 abuses, federation token mishandling, cross-tenant boundary failures); CISA Cybersecurity Advisories for cross-cloud advisories"
       ],
       "signature": "UEn0305KAEqIfYOdzadLBdPG/PJ+3sJ/8ubvPFNcXfqXp2uOWTfqGUqY65PApA992VEEa1RBQt5R7Nyhd/OjDQ==",
-      "signed_at": "2026-05-15T22:38:12.666Z"
+      "signed_at": "2026-05-15T23:28:24.304Z"
     },
     {
       "name": "container-runtime-security",
@@ -1934,7 +1934,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "lPd9tHAskNapjrWwFWhsb8ntAL0xovDCIGElsOCyjcafzby4ArwRw5Lq28sfNloJZAhMN+AWj+lDdFytiUQHCQ==",
-      "signed_at": "2026-05-15T22:38:12.667Z"
+      "signed_at": "2026-05-15T23:28:24.305Z"
     },
     {
       "name": "mlops-security",
@@ -2005,7 +2005,7 @@
         "MITRE ATLAS v5.2 — track AML.T0010 sub-technique expansion and any new MLOps-pipeline-specific TTPs"
       ],
       "signature": "U+HyElcP007FIblXUE/nFpj/rZ5z3VohsvxRCWEuuJDLdOnsXYEadb7ccr3X7S4aRG2MC4T2KtVtgbKIuO5QDw==",
-      "signed_at": "2026-05-15T22:38:12.667Z"
+      "signed_at": "2026-05-15T23:28:24.305Z"
     },
     {
       "name": "incident-response-playbook",
@@ -2067,7 +2067,87 @@
         "NYDFS 23 NYCRR 500.17 amendments tightening ransom-payment 24h disclosure operationalization"
       ],
       "signature": "XB3TVjNRBlqqbIhatFoYtTJHTS51nVt9k7DVrb2roUflLDjbCnaTbrpztA2oqJyyxwgnLlX+K7NW8oYOYEMeCg==",
-      "signed_at": "2026-05-15T22:38:12.667Z"
+      "signed_at": "2026-05-15T23:28:24.306Z"
+    },
+    {
+      "name": "ransomware-response",
+      "version": "1.0.0",
+      "path": "skills/ransomware-response/skill.md",
+      "description": "Ransomware-specific incident response — OFAC SDN sanctions screening as payment-posture blocker, EU Reg 2014/833 + UK OFSI + AU DFAT + JP MOF cross-jurisdiction sanctions lookups, decryptor availability via No More Ransom + vendor-specific catalogs, cyber-insurance carrier 24h notification, negotiator-engagement legal posture, immutable-backup viability test, PHI exfil-before-encrypt as distinct breach class, parallel jurisdiction clocks",
+      "triggers": [
+        "ransomware",
+        "ransomware incident",
+        "encryption event",
+        "akira ransomware",
+        "lockbit",
+        "alphv",
+        "blackcat",
+        "cuba ransomware",
+        "royal ransomware",
+        "blacksuit",
+        "hunters international",
+        "ransomhub",
+        "ofac sanctions ransomware",
+        "ransom payment",
+        "decryptor availability",
+        "no more ransom",
+        "cyber insurance ransomware",
+        "immutable backup",
+        "shadow copy deletion",
+        "exfil before encrypt",
+        "double extortion",
+        "data theft before encryption"
+      ],
+      "data_deps": [
+        "cve-catalog.json",
+        "atlas-ttps.json",
+        "framework-control-gaps.json",
+        "global-frameworks.json",
+        "cwe-catalog.json",
+        "d3fend-catalog.json",
+        "zeroday-lessons.json"
+      ],
+      "atlas_refs": [],
+      "attack_refs": [
+        "T1486",
+        "T1567",
+        "T1078",
+        "T1059"
+      ],
+      "framework_gaps": [
+        "OFAC-SDN-Payment-Block",
+        "Insurance-Carrier-24h-Notification",
+        "EU-Sanctions-Reg-2014-833-Cyber",
+        "Immutable-Backup-Recovery",
+        "Decryptor-Availability-Pre-Decision",
+        "PHI-Exfil-Before-Encrypt-Breach-Class"
+      ],
+      "rfc_refs": [],
+      "cwe_refs": [
+        "CWE-287",
+        "CWE-798"
+      ],
+      "d3fend_refs": [
+        "D3-RPA",
+        "D3-NTA",
+        "D3-IOPR",
+        "D3-CSPP"
+      ],
+      "forward_watch": [
+        "OFAC Ransomware Advisory revisions (post-2021 advisory, updated periodically) — track expansions to the SDN list for ransomware affiliates, especially LockBit splinter brands, Cuba, ALPHV/BlackCat successors, and Russia/DPRK/Iran-affiliated clusters",
+        "EU Cyber Sanctions Regulation 2014/833 — additions and the EU's coordination with US OFAC on attribution",
+        "UK OFSI cyber listings — post-Operation Cronos (LockBit, February 2024) and Operation Endgame (May 2024) expansions",
+        "AU DFAT autonomous cyber sanctions — first cyber listing 2024; further listings expected",
+        "NYDFS 23 NYCRR 500.17 — 2023 amendments operationalization; 24h ransom-payment clock case law",
+        "SEC 17 CFR 229.106(b) Form 8-K Item 1.05 — materiality determination guidance and SEC enforcement actions through 2025-2026",
+        "CIRCIA implementation — final rule timeline; covered-entity scope expansion",
+        "HIPAA Security Rule update (NPRM late 2024 → final rule expected 2026) — explicit ransomware-recovery and encryption-at-rest requirements",
+        "No More Ransom Project decryptor releases — affiliate-takedown decryptor drops (Operation Cronos LockBit decryptor, BlackCat post-exit-scam decryptors)",
+        "SCOTUS or circuit-court rulings on ransomware payment, sanctions liability, and insurance-policy enforcement"
+      ],
+      "last_threat_review": "2026-05-15",
+      "signature": "ChZ8EWZFfrQYLNH6gJBdcRrayROvcQfiPOpb4H+0rio99OZS0AmQgWQjlWfrF1K5KPEYsLjDqtp2i5P7xLfyBw==",
+      "signed_at": "2026-05-15T23:28:24.306Z"
     },
     {
       "name": "email-security-anti-phishing",
@@ -2120,7 +2200,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "RiCryJEd66T2NNcSo/mZTd3sGWDycE3C37guLJanLdVL5co35DrPFmIl8qy3ZM/y+Wzg5vpny8VKgr1//1/bCA==",
-      "signed_at": "2026-05-15T22:38:12.668Z"
+      "signed_at": "2026-05-15T23:28:24.306Z"
     },
     {
       "name": "age-gates-child-safety",
@@ -2188,11 +2268,172 @@
         "US state adult-site age-verification laws — 19+ states by mid-2026 (TX HB 18 upheld by SCOTUS June 2025 in Free Speech Coalition v. Paxton); track ongoing challenges in remaining states"
       ],
       "signature": "MMWvg3lIf5ygm31zyf1E43t3W9MfRbMBBPrqlj1wOa8AxVJL8LICnAXfmyJ/TNJXwpF+rfZeDdoxXkql8wmtBA==",
-      "signed_at": "2026-05-15T22:38:12.668Z"
+      "signed_at": "2026-05-15T23:28:24.307Z"
+    },
+    {
+      "name": "cloud-iam-incident",
+      "version": "1.0.0",
+      "path": "skills/cloud-iam-incident/skill.md",
+      "description": "Cloud-IAM incident response for AWS / GCP / Azure — account takeover, IAM role assumption abuse, access-key compromise, cross-account assume-role chains, federated-trust attacks, IMDS metadata exfiltration, and Snowflake-AA24-class IdP-to-cloud credential reuse",
+      "triggers": [
+        "cloud iam compromise",
+        "aws account takeover",
+        "gcp service account compromise",
+        "azure managed identity replay",
+        "cross account assume role",
+        "federated trust abuse",
+        "oidc trust policy",
+        "workload identity federation",
+        "iam access key leak",
+        "cloudtrail anomaly",
+        "imds metadata abuse",
+        "imdsv1 ssrf",
+        "scattered spider aws",
+        "snowflake aa24",
+        "aws sso compromise",
+        "iam identity center",
+        "crypto mining cloud",
+        "access key public repo"
+      ],
+      "data_deps": [
+        "cve-catalog.json",
+        "atlas-ttps.json",
+        "attack-techniques.json",
+        "framework-control-gaps.json",
+        "global-frameworks.json",
+        "cwe-catalog.json",
+        "d3fend-catalog.json"
+      ],
+      "atlas_refs": [
+        "AML.T0051"
+      ],
+      "attack_refs": [
+        "T1078",
+        "T1078.004",
+        "T1098.001",
+        "T1552.005",
+        "T1580",
+        "T1538"
+      ],
+      "framework_gaps": [
+        "FedRAMP-IL5-IAM-Federated",
+        "CISA-Snowflake-AA24-IdP-Cloud",
+        "NIST-800-53-AC-2-Cross-Account",
+        "ISO-27017-Cloud-IAM",
+        "SOC2-CC6-Access-Key-Leak-Public-Repo",
+        "AWS-Security-Hub-Coverage-Gap",
+        "UK-CAF-B2-Cloud-IAM",
+        "AU-ISM-1546-Cloud-Service-Account"
+      ],
+      "rfc_refs": [
+        "RFC-8693",
+        "RFC-7519",
+        "RFC-8725",
+        "RFC-9068"
+      ],
+      "cwe_refs": [
+        "CWE-287",
+        "CWE-522",
+        "CWE-798",
+        "CWE-863",
+        "CWE-732",
+        "CWE-269"
+      ],
+      "d3fend_refs": [
+        "D3-MFA",
+        "D3-CBAN",
+        "D3-NTA",
+        "D3-IOPR",
+        "D3-CAA"
+      ],
+      "last_threat_review": "2026-05-15",
+      "signature": "03brHySNWPVnrfZwGBZH5rKLh20DQxVNln0w30fhdcMXtaHQYRuCfhhvqbHVHHoLEogMfsixQX1YtbiqOojsAQ==",
+      "signed_at": "2026-05-15T23:28:24.307Z"
+    },
+    {
+      "name": "idp-incident-response",
+      "version": "1.0.0",
+      "path": "skills/idp-incident-response/skill.md",
+      "description": "Identity-provider incident response for mid-2026 — Okta, Entra ID, Auth0, Ping, OneLogin tenant compromise, federated-trust abuse, OAuth app consent abuse, Midnight Blizzard and Scattered Spider TTPs against the IdP control plane",
+      "triggers": [
+        "idp incident",
+        "identity provider incident",
+        "okta breach",
+        "okta compromise",
+        "entra id compromise",
+        "entra app consent",
+        "auth0 breach",
+        "ping identity breach",
+        "onelogin breach",
+        "midnight blizzard",
+        "cozy bear",
+        "apt29 entra",
+        "scattered spider",
+        "octo tempest",
+        "storm-0875",
+        "oauth consent abuse",
+        "federated trust abuse",
+        "saml token forgery",
+        "cross-tenant abuse",
+        "management api token leak",
+        "service account compromise",
+        "help-desk social engineering",
+        "mfa factor swap",
+        "tenant compromise"
+      ],
+      "data_deps": [
+        "cve-catalog.json",
+        "attack-techniques.json",
+        "framework-control-gaps.json",
+        "global-frameworks.json",
+        "cwe-catalog.json",
+        "d3fend-catalog.json"
+      ],
+      "atlas_refs": [],
+      "attack_refs": [
+        "T1078.004",
+        "T1556.007",
+        "T1098.001",
+        "T1606.002",
+        "T1199"
+      ],
+      "framework_gaps": [
+        "NIST-800-53-IA-5-Federated",
+        "ISO-27001-2022-A.5.16-Federated",
+        "SOC2-CC6-OAuth-Consent",
+        "UK-CAF-B2-IdP-Tenant",
+        "AU-ISM-1559-IdP",
+        "NIS2-Art-21-Federated-Identity",
+        "DORA-Art-19-IdP-4h",
+        "OFAC-Sanctions-Threat-Actor-Negotiation"
+      ],
+      "rfc_refs": [
+        "RFC-7519",
+        "RFC-8725",
+        "RFC-7591",
+        "RFC-9421"
+      ],
+      "cwe_refs": [
+        "CWE-287",
+        "CWE-863",
+        "CWE-269",
+        "CWE-284",
+        "CWE-522",
+        "CWE-345"
+      ],
+      "d3fend_refs": [
+        "D3-MFA",
+        "D3-CBAN",
+        "D3-NTA",
+        "D3-IOPR"
+      ],
+      "last_threat_review": "2026-05-15",
+      "signature": "EMdSANZrYCCWZ3+PL8CGKiXM7gQVsPBfj7BNMzNlEkjMIc+OccHUSjNEIWLgVZH6H5So1Le4JQSePqLq/nPABA==",
+      "signed_at": "2026-05-15T23:28:24.307Z"
     }
   ],
   "manifest_signature": {
     "algorithm": "Ed25519",
-    "signature_base64": "hRjCIjBncoCecBmhExyEZhUaTyUAe0s3pbLg1Oj7eHaSsdEfynFJ2RvW+LqpEPokeS6HgaU9ORyC4LMNBiWeAQ=="
+    "signature_base64": "4E1AybkXa3TIWCwxWuMP83zDMkbqUsvuL1apzBuKWZhMFWRrFftjXEjPTLWARiI0oho+ReyH1HLZZPHdXziyAw=="
   }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/exceptd-skills",
-  "version": "0.12.27",
+  "version": "0.12.28",
   "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 38 skills, 10 catalogs, 34 jurisdictions, pre-computed indexes, Ed25519-signed.",
   "keywords": [
     "ai-security",

package/sbom.cdx.json

@@ -1,10 +1,10 @@
 {
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:c26c612d-400e-4270-9716-299e76224a35",
+  "serialNumber": "urn:uuid:20da9e75-f361-4da1-8ded-d148f0e125f5",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-15T22:38:14.241Z",
+    "timestamp": "2026-05-15T23:11:31.244Z",
     "tools": [
       {
         "name": "hand-written",
@@ -13,10 +13,10 @@
       }
     ],
     "component": {
-      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.12.27",
+      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.12.28",
       "type": "application",
       "name": "@blamejs/exceptd-skills",
-      "version": "0.12.27",
+      "version": "0.12.28",
       "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 38 skills, 10 catalogs, 34 jurisdictions, pre-computed indexes, Ed25519-signed.",
       "licenses": [
         {
@@ -25,11 +25,11 @@
           }
         }
       ],
-      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.12.27",
+      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.12.28",
       "externalReferences": [
         {
           "type": "distribution",
-          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.12.27"
+          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.12.28"
         },
         {
           "type": "vcs",
@@ -48,7 +48,7 @@
       },
       {
         "name": "exceptd:skill:count",
-        "value": "39"
+        "value": "42"
       },
       {
         "name": "exceptd:integrity:method",