@blamejs/exceptd-skills 0.12.34 → 0.12.36

package/sbom.cdx.json

@@ -1,22 +1,22 @@
 {
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:93bc8223-aabd-419a-92d8-b02c70236ee5",
+  "serialNumber": "urn:uuid:54dffaaa-0570-45df-8c09-63895fec39a7",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-16T05:57:55.989Z",
+    "timestamp": "2026-05-16T13:07:42.087Z",
     "tools": [
       {
         "vendor": "blamejs",
         "name": "scripts/refresh-sbom.js",
-        "version": "0.12.34"
+        "version": "0.12.36"
       }
     ],
     "component": {
-      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.12.34",
+      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.12.36",
       "type": "application",
       "name": "@blamejs/exceptd-skills",
-      "version": "0.12.34",
+      "version": "0.12.36",
       "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 42 skills, 10 catalogs, 34 jurisdictions, pre-computed indexes, Ed25519-signed.",
       "licenses": [
         {
@@ -25,17 +25,17 @@
           }
         }
       ],
-      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.12.34",
+      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.12.36",
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "9c3b6b863c51c69626132417943cad2ee91e8ebcb3a613878222b2add594883e"
+          "content": "f2c7fbe6fe2cc00240e87b017b2399e0338065f8c0ca29199f543c7497dde832"
         }
       ],
       "externalReferences": [
         {
           "type": "distribution",
-          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.12.34"
+          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.12.36"
         },
         {
           "type": "vcs",
@@ -108,7 +108,7 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "011575977afa6f1a9e828321f3c49e99bcf919fc1cfa1ffec51cd04496eea153"
+          "content": "4641f95ce71ceb772702bcf7cd39738c6acc802c8884f246ce907b2596e0a47b"
         }
       ]
     },
@@ -229,7 +229,7 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "6af016e0405166966d17ba7ccbd6bf11c566ec2abeb569133f32f333cbb40dfa"
+          "content": "4168621415ed12653a30c2cb25e4ca3c38e4946d7ac7459eea384fbbd1ae843f"
         }
       ]
     },
@@ -658,7 +658,7 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "a14d053624793f852080193666178fa1b864fdcaff92963ef7ed75c2ea60d54e"
+          "content": "fd05bb2df95d6faf755edc8fa67d61760bb26232c9ada9f5641f3849447f216b"
         }
       ]
     },
@@ -735,7 +735,7 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "ff4f5fc4a08804c4dc2509614b5ffcd0ddb1d32bb003dfa6b4e219bf7eb1564f"
+          "content": "79df02350a2b0c7249639c32cda6f1c809f967d8cf2b6a6401c2361e9c9a9b04"
         }
       ]
     },
@@ -911,7 +911,7 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "64d13ed6f7811c491a247b8812a1012096cd1c572a7a64c9eb90eb8bf0402d27"
+          "content": "deabb08300ea4087584070d6f434958a65ef6269a0d08a5a518985b083a3550b"
         }
       ]
     },
@@ -922,7 +922,7 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "14c857a5187f7ec64a33d45ca16cb3bfe5e9b8abaf44c75ba093d9678d9b95d3"
+          "content": "faf0ce67c6d0fad605090ed40e9c44dee2bc9807cedfdc4e3444dbddb83aa709"
         }
       ]
     },
@@ -933,7 +933,7 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "50090cebd148a129469ac8d38995d93882f16b2c3bad8a0f8bb27c0104bb3377"
+          "content": "d25d929ae43840da3ebfe052cf8da1969347e8fcbe1d59959fbb33c9ba9eadbe"
         }
       ]
     },
@@ -1087,7 +1087,7 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "4d7459896f91b7019792db0d9bb79c8a3e3fe652d1c2dc7b7c44431b0da5833b"
+          "content": "1c522279aea9ec5fe2a3d3dc711f25dd1728823d11c903e24014f75440e2da4e"
         }
       ]
     },
@@ -1153,7 +1153,7 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "a845c23d0ee17635492c22f4d9d352f6f72d98503b557e46235bdb5a78ed829d"
+          "content": "63e25ecf421e459e364d5f6d02ddd9ae9a29f76df11491cc8ba3529c0b5ab818"
         }
       ]
     },
@@ -1351,7 +1351,7 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "c741d7dca9da0abb09bdebb8a02e803ce4ae9fb9a6904fb8df3ec19cae83917d"
+          "content": "66c7f6537077e4e949214ebf3864cb75de0f50f80fa25d25365c6d7fe485dc7a"
         }
       ]
     },
@@ -1362,7 +1362,7 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "13e543fc92b9b27cdb647dce96a9eeb44919e0fa92ec41e8265a9981a23e7b79"
+          "content": "853ea46b500fa60b5f5db1137629f8b64447b5df2c8346c15c6cbd1e59285532"
         }
       ]
     },
@@ -1373,7 +1373,7 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "cdfbc086ed2b755a9d3170d66d0c33519478b693fb59944ac95a1749beb5c810"
+          "content": "4f986ac65d4cba36ef9173d204acaf81646a9f7c42623ebba0973ea0108133c0"
         }
       ]
     },
@@ -1395,7 +1395,7 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "302f7f6a071b856cc55a4cb5f0bc3f8566e31b5ebca58ca3bd78a91d4b6665ca"
+          "content": "75dcb1b9395de2be4ca60e53f900692721b7ef66ded3e510a20d17f35daf982d"
         }
       ]
     },
@@ -1406,7 +1406,7 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "3c42af04a5db79ce10c952f4bc7c9216116e77d38e6d57feb1f1c13678c94e53"
+          "content": "9cb02d9d428ef674ba8af8c935f86ddca197f0ba1f7d216d76ce1b268ae4bb6a"
         }
       ]
     },
@@ -1428,7 +1428,7 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "e0574c153aefbb0fc4581c78bc2d708ab7c49d6b5a45a985e51967b8ea740eb9"
+          "content": "56f0d5d6cf182d347e84baa95a04c39be51e82da3360dac48fcf5d8c4e56a9c3"
         }
       ]
     },
@@ -1439,7 +1439,7 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "367cde42553dfb59b0cb6e8afb6e88be28ec0ab73682ea3a9d397ca0068753bc"
+          "content": "5fa6207256d002c42a28a90d15b9a9ef0503ae7dba9b55b4098e2e52607377f4"
         }
       ]
     },
@@ -1450,7 +1450,7 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "f06260f0c468d6a4f0409294899017edab45c98d71db1fedd7a630fe6a7bf53a"
+          "content": "7e0806b9e13db120f9b65d5f48b33db9f1026c4c2d719838ef0f0c8778ec4365"
         }
       ]
     },
@@ -1461,7 +1461,7 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "c96fd2254abf8a29819f8175da85094bea1afe589fecc92abcf1289b30895030"
+          "content": "0e875953bb8a38a89c8ec5d2a9ef967b12e9a9f166dc9356723f10304fd0535e"
         }
       ]
     },
@@ -1483,7 +1483,7 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "eed1a5de55a9200e6f5c8ac49b0240b54d30b895ce40ccce9d286f5d9b40f664"
+          "content": "ee9fd4928d96b2e9957d8db9dec90c844443fbcf2a292e69040bfa47c78a4f4b"
         }
       ]
     },
@@ -1505,7 +1505,7 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "4213724d59d33d8fe768b3ce58edc3aed25c0f06031183542937a14d538ea94d"
+          "content": "91bab353257383bd21e49005c1c8188b98b46642184dea29729ad45fc732d698"
         }
       ]
     },
@@ -1516,7 +1516,7 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "573a097ceb4c952fe7ab3db765c942d06cc8e90f7cda3c42928db35cdcd7cf7b"
+          "content": "4994b47c2618d24e5557f2a23de21960f6f12a6d66d1b8780b4de6d9d3735dfe"
         }
       ]
     },
@@ -1527,7 +1527,7 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "83b1929a0d1e09a58908b91125ebc91ff14323ab9acc9bab6c4b04903b69b837"
+          "content": "eaab866236c8cb8a6c8ddc5e65d786ee6d598682de6014ed4e83c6cd163a2128"
         }
       ]
     },
@@ -1571,7 +1571,7 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "8ef7ce1246dc1329b6df3cc9de8d79d35e2c02c703dcef20f35b312b1c24fd52"
+          "content": "0695ee43881527459f657a90276748922347f16dd494ae2b98e2a9396c570a44"
         }
       ]
     },
@@ -1593,7 +1593,7 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "3cec1dce668deec44cb7330e165e89cee8379dd90833519004d566baf72c038c"
+          "content": "b09a33e71a0cc13ec70e7e750ac4b91887b657d293d92c3cdb49a4e094adcfea"
         }
       ]
     },
@@ -1604,7 +1604,7 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "e6a296fc67724aa3b026c0039f44867b44cf0926eade4fe616bfd0a4c77310bf"
+          "content": "cb6871691028f55d59e3efe47be2f1d6bf65fa8c6f3cf301e78d5d119fe3616d"
         }
       ]
     },
@@ -1615,7 +1615,7 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "d239ed497816e00ad14568e9fcca68ffdc7cb0c2a2cbd4960b35fab2065cce31"
+          "content": "2a30c888e515bed3c121e7396f841e15cad53fe443b3f0a1c3f2670c8c317339"
         }
       ]
     },
@@ -1626,7 +1626,7 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "79db45ba722a6dd9bba25bf84e0b52cf659b56b662193cef80a8273337e41df9"
+          "content": "78a8623700eab1801387e4792611529089b6248ff3faef15d70c0093609ec323"
         }
       ]
     },
@@ -1648,7 +1648,7 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "fc027d5e101a9934b402ed4086b9cbb8b2ee6b86f00e1feb54fe15a2018d89fc"
+          "content": "96d26b90539bda836032c2fc2935e0d5736f40bcd286165979c0ed34f47f3ce6"
         }
       ]
     },
@@ -1659,7 +1659,7 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "603126d81f6c3619f0b2f6d81ea1d6b64f9c8c1296f877ad2e6d802ddab09165"
+          "content": "15de039c5679215b7ceb9a55494f614b06fe618aa0f69ce8aff004dc9a841fa4"
         }
       ]
     },
@@ -1681,7 +1681,7 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "875799aa2ad88744b646583fef0a3399abd42a979541dc99bf39825a5ef48ce9"
+          "content": "b3f1a979beab4f22d689ea74c6aa43b7f1b9017a9b2110310adc2af8305fa134"
         }
       ]
     },
@@ -1692,7 +1692,7 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "48c3c019502c8b758598331dbad8a9b121f8dd3dc6fc68bfaf506eba7e3843e5"
+          "content": "4b5b2f46c97a1571eecbb1c92ca40ac69a8cafc9f74f39539a08cb539ee65f39"
         }
       ]
     },
@@ -1703,7 +1703,7 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "eec3ce95f36a0f70532aac2f658ad6fb350233dd49c7d95da91144e6c4c4d16c"
+          "content": "77f6355eb7672f2157bf3d18bfe1d6042efe302468ebddd48ffc385655bf4d10"
         }
       ]
     },
@@ -1714,7 +1714,7 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "97b4486419ab4480266bf2e938564d52bb1cdd70faae09697f695772adf02029"
+          "content": "217066e5961fbc3fcd1b5e3df42f299d7aeaf3b5f25e913152836b77f211f96d"
         }
       ]
     },
@@ -1736,7 +1736,7 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "817f0bca44297d03fb206c446fbf3f93aa3a64c309d6ef5efd046e6e47874030"
+          "content": "2027161ab0a3382ba506cca7be1966e11367bbdf861de316facd54e25fef5761"
         }
       ]
     },
@@ -1747,7 +1747,7 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "48617511ee8efdb257e9caee543009150f0638380ad92882b62021c7eb2f9d16"
+          "content": "0d5b08f71e4853a634344eaf260da90bd7a29d4df48200ee75be878dce3467e2"
         }
       ]
     },
@@ -1758,7 +1758,7 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "2f9bc5d5f0b70bf468d02a71ced718b50196e6139dfb1424d31cbe017d422027"
+          "content": "b44a8704e37d8efcd97d8e998e6b2b454e1bc3ba956c6aaf105aa155ffffd2a8"
         }
       ]
     },
@@ -1769,7 +1769,7 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "d1cf822c1e8a81466dc49e81b19f42d863c82bd8f8c878215a738e6ae9112fc5"
+          "content": "9fcddaa06334d104cb160bace92c92cdcb6b2881f579b82970e42fbd3d213a05"
         }
       ]
     },
@@ -1780,7 +1780,7 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "d57d1acc46851d4f1580858c60a90cc20732ca8a5a46da2c50e71c9bdf4cc0b4"
+          "content": "bb34933a1eee2cd1da98da5a5dada2c7fc7ebb0bddf5afb39e1f6ee26064d151"
         }
       ]
     },
@@ -1791,7 +1791,7 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "69b16f51ce79cbebd15120d6a0de1c116439bc4739c7dcaa0ecd451614038ad5"
+          "content": "6fdae41856963df0f8655fb52df7cd26b6b47031f55dfe897003ed9647a73ab5"
         }
       ]
     },
@@ -1802,7 +1802,7 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "5caa007d8c95f49ded22db581fd447f735c713b60866d18f5371457b0a60778b"
+          "content": "59a0d7cd85b923b3f5633bdc15c1a88eef7dea6332480d93b0bb0ae93a4cd0fe"
         }
       ]
     },

package/scripts/builders/catalog-summaries.js

@@ -18,7 +18,7 @@ const path = require("path");
 const CATALOG_PURPOSES = {
   "cve-catalog.json": "Per-CVE record (CVSS, EPSS, CISA KEV, RWEP, AI-discovery, vendor advisories, framework gaps, ATLAS/ATT&CK mappings). Cross-validated against NVD + CISA KEV + FIRST EPSS via validate-cves.",
   "cwe-catalog.json": "MITRE CWE entries used by the project (subset with skill citations), with severity hint and category. Pinned to a CWE catalog version.",
-  "atlas-ttps.json": "MITRE ATLAS TTPs (AML.T0xxx) cited by skills, with tactic, name, description. Pinned to ATLAS v5.1.0 (November 2025).",
+  "atlas-ttps.json": "MITRE ATLAS TTPs (AML.T0xxx) cited by skills, with tactic, name, description. Pinned to ATLAS v5.4.0 (February 2026).",
   "d3fend-catalog.json": "MITRE D3FEND countermeasures (D3-xxx) keyed by id, with tactic + name. Pinned to D3FEND v1.0.0 release.",
   "framework-control-gaps.json": "Per-control framework gap declarations: SI-2, A.8.8, PCI 6.3.3, etc. Each entry names the control, the lag, the evidence CVE, and remediation guidance.",
   "global-frameworks.json": "Multi-jurisdiction framework registry: 34 jurisdictions × applicable frameworks × patch_sla / notification_sla / critical_controls / framework_gaps. Cross-cutting authority for jurisdiction-clocks index.",

package/scripts/builders/recipes.js

@@ -21,7 +21,7 @@ const RECIPES = [
     when_to_use: "Before scoping or executing a red-team engagement against a model, agentic system, or AI feature.",
     typical_jurisdictions: ["US", "EU", "UK", "GLOBAL"],
     steps: [
-      { skill: "ai-attack-surface", why: "Comprehensive attack-surface inventory mapped to ATLAS v5.1.0 with gap flags." },
+      { skill: "ai-attack-surface", why: "Comprehensive attack-surface inventory mapped to ATLAS v5.4.0 with gap flags." },
       { skill: "ai-c2-detection", why: "Detection coverage for AI-as-C2 (PROMPTFLUX / SesameOp / AI-API egress) before testing." },
       { skill: "mcp-agent-trust", why: "MCP server trust boundary for the engineering toolchain side of the surface." },
       { skill: "rag-pipeline-security", why: "RAG ingestion provenance + prompt-injection chain coverage." },

package/skills/age-gates-child-safety/skill.md

@@ -128,13 +128,13 @@ Classical security and privacy frameworks (NIST 800-53 r5, ISO/IEC 27001:2022, S
 
 ## TTP Mapping
 
-This skill is primarily a compliance + privacy-engineering skill rather than a technical-exploit skill. There are no ATLAS-catalogued AI-attack TTPs that are child-specific as of v5.1.0, and most relevant attacker activity intersects general ATT&CK techniques rather than child-targeted novel TTPs. The relevant mapping is therefore narrower and explicitly flagged as such — `atlas_refs` is empty by design, not omission.
+This skill is primarily a compliance + privacy-engineering skill rather than a technical-exploit skill. There are no ATLAS-catalogued AI-attack TTPs that are child-specific as of v5.4.0, and most relevant attacker activity intersects general ATT&CK techniques rather than child-targeted novel TTPs. The relevant mapping is therefore narrower and explicitly flagged as such — `atlas_refs` is empty by design, not omission.
 
 | ID | Source | Technique | Child-Safeguarding Relevance | Gap Flag |
 |---|---|---|---|---|
 | T1078 | ATT&CK Enterprise | Valid Accounts | Account takeover targeting child accounts (compromised parental controls; sextortion via stolen accounts; grooming via account hijack) — child accounts are under-protected because MFA roll-out lags adult user populations. | NIST 800-53 AC-2 + COPPA / AADC / Children's Code silent on MFA-for-child requirement; the AC-2 gap entry in `data/framework-control-gaps.json` covers AI-service-principals not child identities. Hand off to `identity-assurance` for AAL2+ on child accounts where vendor terms permit. |
 | T1567 | ATT&CK Enterprise | Exfiltration Over Web Service | Child PI exfiltrated via AI-tool / SaaS egress — additional liability under COPPA (no behavioral-ad use of under-13 PI), AADC (DPIA failure), GDPR Art. 8 (no lawful basis), DPDPA (default-VPC bypass), CN PIPL Art. 31 (child PI = sensitive PI requiring separate consent). | Hand off to `dlp-gap-analysis` for child-PI as a protected data class; COPPA / AADC / Children's Code do not name DLP technical controls; the SOC2-CC7 anomaly-detection gap entry applies. |
-| AI-generated CSAM creation / distribution | Not catalogued in ATLAS or ATT&CK as of v5.1.0 | Generative-AI image / video synthesis depicting children | Direct criminal exposure under 18 U.S.C. §§2251, 2252, 2252A, 2256 (Protect Act / Mash-Up Act framework); mandatory NCMEC reporting per §2258A. Multiple 2024-2025 prosecutions (US v. Anderegg WD-Wis 2024 — first federal AI-CSAM prosecution; UK National Crime Agency campaign 2024-2025). | No formal TTP class. Evidence stream: NCMEC CyberTipline reports + EU IWF reports. Hand off to `ai-attack-surface` for generative-model content-policy red-team and to `incident-response-playbook` for reporting workflow. |
+| AI-generated CSAM creation / distribution | Not catalogued in ATLAS or ATT&CK as of v5.4.0 | Generative-AI image / video synthesis depicting children | Direct criminal exposure under 18 U.S.C. §§2251, 2252, 2252A, 2256 (Protect Act / Mash-Up Act framework); mandatory NCMEC reporting per §2258A. Multiple 2024-2025 prosecutions (US v. Anderegg WD-Wis 2024 — first federal AI-CSAM prosecution; UK National Crime Agency campaign 2024-2025). | No formal TTP class. Evidence stream: NCMEC CyberTipline reports + EU IWF reports. Hand off to `ai-attack-surface` for generative-model content-policy red-team and to `incident-response-playbook` for reporting workflow. |
 | AI chatbot grooming / harmful-content engagement with children | Not catalogued | Long-context AI chatbot interactions with children steering toward harm | Research and litigation evidence: Character.ai litigation 2024 (FL wrongful-death suit alleging companion-chatbot contribution to minor suicide; additional 2024-2025 complaints); UK NCA campaign 2024 documenting grooming attempts via AI chatbots; ESRC / RAND research 2024-2025. | No formal TTP class. EU DSA Art. 28 + UK OSA + AU OSA + KOSA-if-enacted all frame this as a platform duty-of-care obligation. Hand off to `ai-risk-management` for AI-product age policy enforcement. |
 
 **Honest scope statement (per AGENTS.md rule #10).** This skill does not invent TTP IDs to fill gaps in the ATLAS or ATT&CK matrices. AI-generated CSAM and AI-chatbot-mediated harm to children are real-world threat classes documented through prosecution records, NCMEC / IWF reporting, and litigation — not novel ATLAS techniques. Citation is to the evidence stream, not to a TTP ID.
@@ -154,8 +154,8 @@ For this skill, "exploit availability" maps to "what child-exposure violations h
 | AI-generated CSAM | No CVE; criminal-statute violations | US v. Anderegg WD-Wis 2024 — first federal AI-CSAM prosecution; UK NCA 2024-2025 enforcement; multiple EU national prosecutions; NCMEC CyberTipline AI-CSAM reports doubled 2023-2024 (NCMEC 2024 annual reporting) | N/A | Yes — AI is the threat capability | OpenAI / Anthropic / Google / Stability AI / Midjourney deploy content classifiers + reporting infrastructure; open-weight model ecosystems are structural blind spot | NCMEC CyberTipline mandatory reporting in effect; EU CSAM Regulation contested but pressure rising; multiple Stable-Diffusion-derived prosecutions 2024-2025 |
 | Adult content served without age verification (US state laws) | No | Pornhub geo-blocked TX 2023 + LA 2023 + MT + UT + VA + MS + AR + NC + KY + AL + KS + OK + IN + NE 2023-2024-2025 rather than implement; SCOTUS upheld TX HB 18 in Free Speech Coalition v. Paxton June 2025 6-3; Aylo state-AG enforcement actions; XHamster + similar smaller operators face state AG actions 2024-2025 | N/A | N/A | AgeChecked, Yoti, VerifyMy, Incode, Persona, Jumio, OnFido provide commercial age-verification stacks; coverage uneven | TX, LA, MT, MS, UT, AR, VA, NC, KY, FL, AL, TN, KS, OK, IN, NE, ID, GA, SD active enforcement 2024-2025 |
 | EU AVMSD age-verification non-compliance for adult video content | No | DE BzKJ enforcement against adult-content services 2023-2025; FR ARCOM enforcement 2024-2025 culminating in geo-blocking orders under SREN | N/A | N/A | Member-state per-stack age-verification ecosystem (FR ARCOM referential, DE KJM-acceptable systems) | Per-member-state continuous enforcement |
-| UK Online Safety Act child-safety failure | No | Ofcom illegal-content code enforcement live March 2025; child-safety codes phasing July 2025 onward; first enforcement decisions expected late 2025 / 2026 | N/A | N/A | Major platforms deploying age-assurance stacks pre-emptively (Yoti, Persona, internal age-estimation) | Ofcom inquiries ongoing; first formal decisions in pipeline mid-2026 |
-| AU social-media-under-16 non-compliance | No | Implementation deferred to late 2025; no enforcement actions yet | N/A | N/A | Age-assurance trial concluded mid-2025; implementation method evolving | eSafety Commissioner first enforcement actions expected late 2025 / early 2026 |
+| UK Online Safety Act child-safety failure | No | Ofcom illegal-content code enforcement live March 2025; child-safety codes in force July 2025; Ofcom has launched 80+ investigations into adult sites and issued its first OSA fine (£1M for failure to implement highly effective age assurance); Ofcom 2026-27 priorities document confirms continued child-protection focus, AI-generated-harm enforcement, and categorised-services register publication July 2026 | N/A | N/A | Major platforms deploying age-assurance stacks pre-emptively (Yoti, Persona, internal age-estimation) | Ongoing OSA investigations; risk-assessment records due from notified providers April 2026; provider risk-assessment summary publication deadline November 2026; categorised-services register July 2026 |
+| AU social-media-under-16 non-compliance | No | Act entered force 10 December 2025; >4.7M underage accounts deactivated / restricted by mid-January 2026; eSafety Commissioner opened formal investigations into Facebook, Instagram, Snapchat, TikTok and YouTube on 31 March 2026 — first formal compliance assessment under the regime | N/A | N/A | Age-assurance trial concluded mid-2025; eSafety regulatory guidance published Feb 2026; implementation method evolving | eSafety civil penalty regime active (up to A$49.5M); investigation outcomes for the five named platforms pending; expect first civil penalty proceedings H2 2026 |
 | CN Children-Mode non-compliance + gaming time-limit non-compliance | No | CAC + NPPA enforcement against multiple platforms 2022-2025; real-name + age-verification operationally robust by global standards | N/A | N/A | Tencent / NetEase / ByteDance Children-Mode + real-name-based time limits comprehensive | CAC + MIIT active enforcement; NPPA gaming-time-limit enforcement continuous |
 | BR LGPD Art. 14 violations (child data processing without VPC) | No | ANPD TikTok proceeding 2023-2024; ANPD Best-Practices Guide 2024 set operational tone | N/A | N/A | Major Brazilian + multinational platforms aligning to ANPD 2024 Guide | ANPD continuing enforcement |
 | IN DPDPA child-provisions non-compliance | No | DPDP Rules not yet final (draft Jan 2025; final expected late 2026); Data Protection Board not yet operational | N/A | N/A | None — Rules not final, Board not operational | None — Rules pending |

package/skills/ai-attack-surface/skill.md

@@ -1,7 +1,7 @@
 ---
 name: ai-attack-surface
 version: "1.0.0"
-description: Comprehensive AI/ML attack surface assessment mapped to MITRE ATLAS v5.1.0 with explicit framework gap flags
+description: Comprehensive AI/ML attack surface assessment mapped to MITRE ATLAS v5.4.0 with explicit framework gap flags
 triggers:
   - ai attack surface
   - prompt injection
@@ -158,12 +158,12 @@ AI-assisted reconnaissance is observed at 36,000 probes per second per campaign.
 | SOC 2 | CC6 (Logical and Physical Access) | Access control via IAM, authentication, authorization. Prompt injection is an access control failure that routes around CC6 entirely — the authorized model account takes the action, not the attacker. Audit trails show the model's service account performed the action. |
 | SOC 2 | CC7 (System Operations) | Anomaly detection for system operations. No guidance for AI API baseline, AI C2 detection, or PROMPTFLUX behavioral patterns. |
 | PCI DSS 4.0 | 6.4.1 | Web application protection (WAF). WAFs operate on HTTP request/response patterns. They have no semantic understanding of prompt injection embedded in JSON `message` fields. |
-| MITRE ATT&CK | Enterprise | Does not include prompt injection as a technique. AI-as-C2 (SesameOp) is not in ATT&CK as of mid-2026. ATLAS v5.1.0 covers these but is not part of SOC detection engineering programs that are ATT&CK-mapped. |
+| MITRE ATT&CK | Enterprise | Does not include prompt injection as a technique. AI-as-C2 (SesameOp) is not in ATT&CK as of mid-2026. ATLAS v5.4.0 covers these but is not part of SOC detection engineering programs that are ATT&CK-mapped. |
 | NIST AI RMF | MEASURE 2.5 | Measure AI risks during operation. Provides a framework for thinking about AI risk but no specific controls for prompt injection, MCP supply chain, or AI-as-C2. |
 
 ---
 
-## TTP Mapping (MITRE ATLAS v5.1.0)
+## TTP Mapping (MITRE ATLAS v5.4.0)
 
 | ATLAS ID | Technique | Framework Coverage | Gap Description | Exploitation Example |
 |---|---|---|---|---|

package/skills/ai-c2-detection/skill.md

@@ -321,13 +321,13 @@ level: medium
 
 ---
 
-## TTP Mapping (MITRE ATLAS v5.1.0 + MITRE ATT&CK)
+## TTP Mapping (MITRE ATLAS v5.4.0 + MITRE ATT&CK)
 
 | ID | Source | Technique | C2 Relevance | Gap Flag — Which Detection Control Fails |
 |---|---|---|---|---|
-| AML.T0096 | ATLAS v5.1.0 | LLM API as covert C2 / LLM Integration Abuse | Direct: SesameOp encodes commands and exfiltrated data in prompt and completion fields against api.openai.com, api.anthropic.com, generativelanguage.googleapis.com. AI provider domain is the relay, not the attacker C2 endpoint. | NIST-800-53-SC-7 (Boundary Protection) — AI provider domains are allowlisted in most enterprise egress for legitimate developer and product use, so boundary inspection cannot distinguish benign developer prompts from C2-encoded prompts. See SC-7 entry in `data/framework-control-gaps.json` — real requirement is SDK-level prompt logging with identity binding, anomaly detection on prompt-shape and token-volume, and an allowlist that enumerates the sanctioned business reason per identity. Boundary-only SC-7 evidence is incomplete for any org with AI API access in production. |
-| AML.T0017 | ATLAS v5.1.0 | Discover ML Model Ontology — adversary maps the deployed LLM's family, system-prompt structure, guardrail surface via inference-API probing | PROMPTFLUX queries public LLMs to generate per-execution evasion code; PROMPTSTEAL uses LLMs to prioritise exfiltration targets — both depend on first discovering what the target model will answer. The inference API is the discovery surface. | NIST-800-53-SI-3 fails — there is no static signature for code generated per-event by a public LLM. NIST-800-53-SI-4 fails as commonly deployed — no AI-API behavioural baseline per process/identity. |
-| AML.T0016 | ATLAS v5.1.0 | Obtain Capabilities: Develop Capabilities — adversary use of inference APIs to generate / refine malware, evasion, phishing payloads | PROMPTFLUX and PROMPTSTEAL both consume public LLMs as a real-time capability-development service. The inference API is doing weaponization work for the adversary. | NIST-800-53-SI-3 fails for the same reason. SC-7 boundary control treats the AI provider as allowlisted SaaS. |
+| AML.T0096 | ATLAS v5.4.0 | LLM API as covert C2 / LLM Integration Abuse | Direct: SesameOp encodes commands and exfiltrated data in prompt and completion fields against api.openai.com, api.anthropic.com, generativelanguage.googleapis.com. AI provider domain is the relay, not the attacker C2 endpoint. | NIST-800-53-SC-7 (Boundary Protection) — AI provider domains are allowlisted in most enterprise egress for legitimate developer and product use, so boundary inspection cannot distinguish benign developer prompts from C2-encoded prompts. See SC-7 entry in `data/framework-control-gaps.json` — real requirement is SDK-level prompt logging with identity binding, anomaly detection on prompt-shape and token-volume, and an allowlist that enumerates the sanctioned business reason per identity. Boundary-only SC-7 evidence is incomplete for any org with AI API access in production. |
+| AML.T0017 | ATLAS v5.4.0 | Discover ML Model Ontology — adversary maps the deployed LLM's family, system-prompt structure, guardrail surface via inference-API probing | PROMPTFLUX queries public LLMs to generate per-execution evasion code; PROMPTSTEAL uses LLMs to prioritise exfiltration targets — both depend on first discovering what the target model will answer. The inference API is the discovery surface. | NIST-800-53-SI-3 fails — there is no static signature for code generated per-event by a public LLM. NIST-800-53-SI-4 fails as commonly deployed — no AI-API behavioural baseline per process/identity. |
+| AML.T0016 | ATLAS v5.4.0 | Obtain Capabilities: Develop Capabilities — adversary use of inference APIs to generate / refine malware, evasion, phishing payloads | PROMPTFLUX and PROMPTSTEAL both consume public LLMs as a real-time capability-development service. The inference API is doing weaponization work for the adversary. | NIST-800-53-SI-3 fails for the same reason. SC-7 boundary control treats the AI provider as allowlisted SaaS. |
 | T1071 | ATT&CK | Application Layer Protocol (C2) | AI C2 traffic is standard HTTPS REST to api.openai.com or equivalent. Application-protocol C2 detection that looks for DGA, unusual TLS, or beaconing does not fire. | SC-7 boundary control sees only the destination domain (allowlisted) — no protocol anomaly to alert on. Detection requires identity-bound prompt content inspection, which SC-7 as written does not require. |
 | T1102 | ATT&CK | Web Service (C2 via legitimate web service) | AI API endpoints are exactly the "legitimate web service used as C2" pattern that T1102 describes — but at scale and pre-allowlisted in nearly every enterprise. | SOC 2 CC7 anomaly-detection control: AI API traffic shares the SaaS blind spot — typically not baselined per process or identity. ISO 27001 A.8.16 monitoring activities: no guidance for AI-API-shaped traffic. |
 | T1568 | ATT&CK | Dynamic Resolution | AI provider responses can carry encoded instructions that dynamically determine the next-hop behaviour for the malware (effectively model-mediated dynamic resolution of the next attacker instruction). | No standard DNS-tunnelling or DGA detection applies — the "resolution" happens inside an HTTPS payload to a trusted endpoint. SC-7 cannot see it without SDK-level prompt + response logging. |

package/skills/api-security/skill.md

@@ -121,7 +121,7 @@ APIs are now the integration substrate of every non-trivial system. The mid-2026
 
 ---
 
-## TTP Mapping (MITRE ATT&CK Enterprise + ATLAS v5.1.0)
+## TTP Mapping (MITRE ATT&CK Enterprise + ATLAS v5.4.0)
 
 | TTP ID | Technique | API Manifestation | CWE Root-Causes | Framework Coverage |
 |---|---|---|---|---|

package/skills/attack-surface-pentest/skill.md

@@ -115,17 +115,17 @@ A pen test scoped to layers 1 and (partly) 7 — i.e. "web app + network + nomin
 | CBEST (Bank of England / PRA / FCA) | Whole framework | UK equivalent to TIBER-EU for systemically important financial firms. Same lag pattern as TIBER-EU. CBEST-certified providers are not required to demonstrate competence in AI-surface attack emulation as of mid-2026. |
 | Australian ISM (Information Security Manual) + ACSC Essential 8 | ISM controls on penetration testing; Essential 8 Maturity Level 3 testing requirements | Essential 8 mandates regular testing of mitigation strategies (patching, app control, MFA, etc.). The testing requirements do not extend to AI-API egress as C2, MCP trust, or RAG poisoning. ISM control set is network/endpoint centric. |
 | ISO/IEC 27001:2022 | A.5.34 (Privacy and protection of PII) — note: the actually relevant clause for independent review is **A.5.35 (Independent review of information security)** and **A.8.29 (Security testing in development and acceptance)** | A.5.35 requires independent review of the information security approach at planned intervals or when significant changes occur. The clause is methodology-agnostic — auditors accept a network/web pen test as evidence even when AI surfaces are in production. A.8.29 mandates security testing of new and changed information systems, but does not define what an adequate test of an AI system looks like. |
-| MITRE ATT&CK Enterprise (v17) | Whole matrix | The enterprise matrix does not contain prompt-injection as a technique. AI-as-C2 (SesameOp pattern) is absent from ATT&CK as of mid-2026. Adversary emulation programs that are ATT&CK-only and not ATLAS-extended will not include the mid-2026 dominant new tradecraft in their playbooks. ATLAS v5.1.0 covers it — but ATLAS is not yet a standard requirement for pen testing certification or scoping. |
+| MITRE ATT&CK Enterprise (v17) | Whole matrix | The enterprise matrix does not contain prompt-injection as a technique. AI-as-C2 (SesameOp pattern) is absent from ATT&CK as of mid-2026. Adversary emulation programs that are ATT&CK-only and not ATLAS-extended will not include the mid-2026 dominant new tradecraft in their playbooks. ATLAS v5.4.0 covers it — but ATLAS is not yet a standard requirement for pen testing certification or scoping. |
 
 > Global coverage note (AGENTS.md rule #5): the above table spans US (NIST 800-115, ATT&CK), EU (NIS2, TIBER-EU under DORA), UK (CBEST), AU (ISM/Essential 8), and ISO 27001:2022. US-only pen test scoping is incomplete.
 
 ---
 
-## TTP Mapping (MITRE ATLAS v5.1.0 + MITRE ATT&CK v17)
+## TTP Mapping (MITRE ATLAS v5.4.0 + MITRE ATT&CK v17)
 
 Pen testers must emulate both classical and AI-class chains. The table below maps the kill-chain phases a mid-2026 adversary emulation engagement must cover.
 
-| Phase | Classical TTP (ATT&CK v17) | AI-Class TTP (ATLAS v5.1.0) | Framework Gap Flag |
+| Phase | Classical TTP (ATT&CK v17) | AI-Class TTP (ATLAS v5.4.0) | Framework Gap Flag |
 |---|---|---|---|
 | Reconnaissance | T1595 (Active Scanning) — implied by T1190 setup | AML.TA0002 (Reconnaissance tactic) — model card / dataset / API endpoint discovery, system-prompt probing | NIST 800-115 §3.x recon guidance is network-only |
 | Initial Access | T1190 (Exploit Public-Facing Application) | AML.T0051 (LLM Prompt Injection) — entered via PR description, support ticket, retrieved doc | OWASP WSTG covers webapp; not prompt-injection as entry vector |

package/skills/cloud-security/skill.md

@@ -135,8 +135,8 @@ Cloud is where AI runs. Every consequential AI service — OpenAI, Anthropic, Go
 | Cloud data exfiltration | T1530 — Data from Cloud Storage Object | ATT&CK Enterprise | Public S3 / GCS / Blob storage discovery via Wiz-style external attack-surface scan; legitimate IAM principal exfil via federated workload; cross-tenant boundary failure on SaaS | NIST 800-53 SC-28 (encryption at rest) does not address access-policy errors; CWE-200, CWE-732, CWE-862 |
 | Cloud-facing application | T1190 — Exploit Public-Facing Application | ATT&CK Enterprise | API Gateway / Load Balancer / managed-WAF-bypass; managed-database exposure (RDS / SQL DB / Cloud SQL public IP); container-registry public image abuse; Lambda / Cloud Functions / Azure Functions endpoint exploit | NIST 800-53 SC-7 perimeter assumption inadequate; CSA CCM AIS-04 and IVS-08 partial; CWE-1188 (Insecure Default Initialization) |
 | Cloud-credential exposure | T1552 — Unsecured Credentials (incl. T1552.001 Files, T1552.005 Cloud Instance Metadata API, T1552.007 Container API) | ATT&CK Enterprise | IMDSv1 SSRF on EC2 / GCE; static cloud credentials in git / images / env vars; container API and kubeconfig theft; workload-identity-federation trust-policy abuse | CWE-798 (hardcoded credentials), CWE-200; NIST 800-53 IA-5 method-neutral |
-| AI model registry / cloud-hosted model | AML.T0010 — ML Supply Chain Compromise | ATLAS v5.1.0 | Bedrock / SageMaker custom model from poisoned upstream; Azure ML model registry tampering; Vertex Model Garden mirror tampering; HF model pulled into Bedrock / SageMaker / Vertex with weights backdoor | CSA CCM CCC-09 (vendor / supply chain) silent on model-supply-chain specifics; SLSA / in-toto / Sigstore for models still maturing |
-| Cloud inference API abuse / model extraction | AML.T0017 — Discover ML Model Ontology (inference-API probing for system-prompt, guardrail, model-family signal against cloud-hosted endpoints); AML.T0016 — Obtain Capabilities: Develop Capabilities (downstream weaponization) | ATLAS v5.1.0 | Programmatic query of Bedrock / Azure OpenAI / Vertex endpoint to extract model behaviour, training-data inference, system-prompt leakage | No cloud-specific ATLAS control mapping for inference-API rate-limit / anomaly detection; chain to `ai-attack-surface` |
+| AI model registry / cloud-hosted model | AML.T0010 — ML Supply Chain Compromise | ATLAS v5.4.0 | Bedrock / SageMaker custom model from poisoned upstream; Azure ML model registry tampering; Vertex Model Garden mirror tampering; HF model pulled into Bedrock / SageMaker / Vertex with weights backdoor | CSA CCM CCC-09 (vendor / supply chain) silent on model-supply-chain specifics; SLSA / in-toto / Sigstore for models still maturing |
+| Cloud inference API abuse / model extraction | AML.T0017 — Discover ML Model Ontology (inference-API probing for system-prompt, guardrail, model-family signal against cloud-hosted endpoints); AML.T0016 — Obtain Capabilities: Develop Capabilities (downstream weaponization) | ATLAS v5.4.0 | Programmatic query of Bedrock / Azure OpenAI / Vertex endpoint to extract model behaviour, training-data inference, system-prompt leakage | No cloud-specific ATLAS control mapping for inference-API rate-limit / anomaly detection; chain to `ai-attack-surface` |
 
 **Note on ATT&CK Enterprise cloud-platform sub-techniques.** ATT&CK Enterprise has cloud-platform-specific matrices (IaaS, SaaS, Office 365, Azure AD / Entra ID, Google Workspace). T1078.004 (Cloud Accounts), T1552.005 (Cloud Instance Metadata API), T1552.007 (Container API), T1190 with cloud-service variants, T1530 with managed-storage variants are the most operationally relevant. The frontmatter pins the parent IDs; analysis should descend to the sub-technique appropriate to the cloud(s) in scope.
 

package/skills/compliance-theater/skill.md

@@ -70,7 +70,7 @@ The pre-analyzed gaps for these controls live in the framework-gap-analysis skil
 
 ---
 
-## TTP Mapping (MITRE ATLAS v5.1.0 and ATT&CK)
+## TTP Mapping (MITRE ATLAS v5.4.0 and ATT&CK)
 
 Each theater pattern below maps to one or more attacker TTPs in `data/atlas-ttps.json` and MITRE ATT&CK Enterprise. The mapping is what distinguishes theater from genuine compliance: a control claimed as compensating must map to a TTP it actually disrupts.
 
@@ -84,7 +84,7 @@ Each theater pattern below maps to one or more attacker TTPs in `data/atlas-ttps
 | Vendor/Third-Party Risk Theater — AI APIs (Pattern 6) | AML.T0010 (ML Supply Chain Compromise) | MCP servers and LLM APIs sit outside the vendor-management scope |
 | Security Awareness Theater — AI Phishing (Pattern 7) | T1566 (Phishing), AML.T0016 (Obtain Capabilities: Develop Capabilities — misuse of public AI APIs for payload crafting) | AI-generated content evades grammar/style heuristics and template-matching detectors |
 
-Source-of-truth TTP catalog: `data/atlas-ttps.json` (pinned to MITRE ATLAS v5.1.0, November 2025). Any theater claim in an assessment must cite at least one TTP ID from that catalog or an ATT&CK Enterprise ID — claims without a mapped TTP fail Hard Rule #4 (no orphaned controls).
+Source-of-truth TTP catalog: `data/atlas-ttps.json` (pinned to MITRE ATLAS v5.4.0, February 2026). Any theater claim in an assessment must cite at least one TTP ID from that catalog or an ATT&CK Enterprise ID — claims without a mapped TTP fail Hard Rule #4 (no orphaned controls).
 
 ---
 

package/skills/container-runtime-security/skill.md

@@ -126,9 +126,9 @@ State of standards baselines:
 | Container escape to host | T1611 — Escape to Host | ATT&CK Enterprise | Kernel LPE (Copy Fail CVE-2026-31431, Dirty Frag CVE-2026-43284 family); historical runc CVE-2024-21626 LeakyVessels family; cgroup v1 release_agent legacy abuses; abuse of overly permissive capabilities (`CAP_SYS_ADMIN`, `CAP_SYS_MODULE`) | NIST 800-190 predates kernel-LPE-as-container-escape as the dominant vector. Defense requires kernel patching cadence (hand off to `kernel-lpe-triage`) plus seccomp default profile, capability drops, read-only rootfs, and runtime detection. None of these are framework-mandated. |
 | Privilege escalation within the container | T1068 — Exploitation for Privilege Escalation | ATT&CK Enterprise | In-container kernel LPE (yields host root via T1611 chain); abuse of writable hostPath; abuse of mounted Docker socket | Method-neutral framework controls; the actual control is seccomp + dropped capabilities + read-only rootfs + non-root runAsUser, all enforced by PSS-Restricted profile |
 | Exploit public-facing K8s component | T1190 — Exploit Public-Facing Application | ATT&CK Enterprise | Exposed kube-apiserver (rare but seen on self-managed clusters); exposed kubelet read-only port (10255) or read/write port (10250) without authentication; exposed Kubernetes Dashboard with no auth; exposed Argo CD or Jenkins on the cluster; ingress controller CVEs (ingress-nginx CVE-2025 family) | NSA/CISA Hardening Guide v1.2 addresses control-plane exposure; managed services close this by default; self-managed clusters in CI/government still expose these |
-| Compromised container image at a public/private registry | AML.T0010 — ML Supply Chain Compromise (umbrella) | ATLAS v5.1.0 | Poisoned base image; backdoored model-serving image; typosquatted MCP server in a sidecar; AI-pipeline-specific (KServe / vLLM / Triton image with embedded malicious payload) | ATLAS classifies; no framework mandates signature verification at admission. Hand off the build-side provenance to `supply-chain-integrity`; the container-runtime control is `ClusterImagePolicy` enforcement |
+| Compromised container image at a public/private registry | AML.T0010 — ML Supply Chain Compromise (umbrella) | ATLAS v5.4.0 | Poisoned base image; backdoored model-serving image; typosquatted MCP server in a sidecar; AI-pipeline-specific (KServe / vLLM / Triton image with embedded malicious payload) | ATLAS classifies; no framework mandates signature verification at admission. Hand off the build-side provenance to `supply-chain-integrity`; the container-runtime control is `ClusterImagePolicy` enforcement |
 
-ATT&CK Containers matrix (sub-matrix, since 2021) and ATT&CK for Kubernetes (Microsoft's threat matrix, 2020, since absorbed conceptually into ATT&CK Containers) are both relevant prior art. The Enterprise IDs above are canonical in ATLAS v5.1.0 alignment and pass the linter regex `^T\d{4}(\.\d{3})?$`.
+ATT&CK Containers matrix (sub-matrix, since 2021) and ATT&CK for Kubernetes (Microsoft's threat matrix, 2020, since absorbed conceptually into ATT&CK Containers) are both relevant prior art. The Enterprise IDs above are canonical in ATLAS v5.4.0 alignment and pass the linter regex `^T\d{4}(\.\d{3})?$`.
 
 CWE cross-walk (see `data/cwe-catalog.json`):
 

package/skills/coordinated-vuln-disclosure/skill.md

@@ -106,7 +106,7 @@ This skill is meta — it is the upstream input pipeline that feeds the downstre
 |---|---|
 | `data/cve-catalog.json` | **Downstream product.** Every CVE in this catalog is the output of a CVD process (someone's, somewhere). When this org receives a report covering one of its own products, the resulting CVE enters this catalog via the same schema. |
 | `data/zeroday-lessons.json` | **Downstream consumer.** Every disclosed CVE feeds the zero-day learning loop run by `zeroday-gap-learn`. A CVD program with no entries here is not learning from its own disclosures. |
-| `data/atlas-ttps.json` (MITRE ATLAS v5.1.0) | **Lookup for AI-class disclosures.** When a report covers an AI vulnerability, map the attack mechanism to an ATLAS TTP (e.g., AML.T0051 LLM Prompt Injection, AML.T0096 LLM Plugin Compromise) for advisory tagging. |
+| `data/atlas-ttps.json` (MITRE ATLAS v5.4.0) | **Lookup for AI-class disclosures.** When a report covers an AI vulnerability, map the attack mechanism to an ATLAS TTP (e.g., AML.T0051 LLM Prompt Injection, AML.T0096 LLM Plugin Compromise) for advisory tagging. |
 | `data/framework-control-gaps.json` | **Lookup for regulator-notification routing.** Each disclosure intersects one or more framework controls; this skill writes new gaps when a disclosure exposes one. |
 | `data/cwe-catalog.json` | **Required taxonomy for advisories.** Per CVE-Numbering-Authority practice, every CVE advisory cites a CWE. `CWE-1357 Reliance on Insufficiently Trustworthy Component` is invoked for supply-chain disclosures (MCP servers, AI dependencies); other CWEs per the specific class. |
 | `data/d3fend-catalog.json` | **Defensive mapping for advisory recommendations.** Advisories that recommend mitigations should cite D3FEND IDs so blue teams can map the recommendation to existing control surfaces. See Defensive Countermeasure Mapping section. |