@blamejs/exceptd-skills 0.12.40 → 0.12.41

package/CONTEXT.md

@@ -114,7 +114,7 @@ Skills and playbooks read from `data/`. Authoritative catalog inventory:
 | File | Entries | Purpose |
 |------|---------|---------|
 | `cve-catalog.json` | 10 | CVEs with CVSS, RWEP score, EPSS estimates, CISA KEV flags, PoC and live-patch availability |
-| `atlas-ttps.json` | 15 | MITRE ATLAS v5.1.0 (November 2025) techniques with framework gap flags |
+| `atlas-ttps.json` | 15 | MITRE ATLAS v5.4.0 (February 2026) techniques with framework gap flags |
 | `attack-techniques.json` | 79 | MITRE ATT&CK techniques with framework coverage mappings |
 | `framework-control-gaps.json` | 62 | Framework control gap entries: designed-for vs. what each control misses |
 | `exploit-availability.json` | 10 | Per-CVE PoC locations, weaponization stage, AI-acceleration factor, live-patch status |
@@ -245,7 +245,7 @@ The `researcher` **skill** (front-door dispatcher) and `threat-researcher` **age
 |------|------------|
 | RWEP | Real-World Exploit Priority — risk score beyond CVSS |
 | KEV | CISA Known Exploited Vulnerabilities catalog |
-| ATLAS | MITRE ATLAS v5.1.0 — AI threat framework |
+| ATLAS | MITRE ATLAS v5.4.0 — AI threat framework |
 | MCP | Model Context Protocol — AI tool integration standard |
 | HNDL | Harvest-Now-Decrypt-Later — quantum threat to current crypto |
 | Framework lag | Gap between what a framework requires and what current TTPs demand |

package/README.md

@@ -30,13 +30,7 @@ This platform surfaces what is actually happening right now. Every skill explici
 
 ## Status
 
-Pre-1.0. Latest release lives on [GitHub Releases](https://github.com/blamejs/exceptd-skills/releases) and on npm as [`@blamejs/exceptd-skills`](https://www.npmjs.com/package/@blamejs/exceptd-skills) (signed npm provenance attestation). 42 skills across kernel LPE, AI attack surface, MCP trust, RAG security, AI-API C2 detection, PQC migration, framework gap analysis, compliance theater, exploit scoring, threat-model currency, zero-day learning, global GRC, policy exception generation, security maturity tiers, skill update loop, attack-surface pen testing, fuzz testing, DLP gap analysis, supply-chain integrity, defensive-countermeasure mapping, identity assurance, OT/ICS security, coordinated vulnerability disclosure, threat-modeling methodology, child-safety age gates, plus sector packs (federal, financial, healthcare, energy) — and a `researcher` triage dispatcher. 10 data catalogs cover CVE / ATLAS / ATT&CK / CWE / D3FEND / DLP / RFC / framework gaps / global frameworks / zero-day lessons. 35 jurisdictions tracked. AI-consumer ergonomics: `data/_indexes/` ships 17 pre-computed indexes (xref / chains / dispatch / DiD ladders / theater fingerprints / recipes / token budget / currency / activity feed) regenerated by `npm run build-indexes`. External-data refresh is automated nightly via `.github/workflows/refresh.yml` — KEV/EPSS/NVD/RFC drift opens an auto-PR with deltas pre-applied; KEV adds new CVEs and IETF discovery auto-imports new RFCs across 48 project-relevant working groups (`_auto_imported` annotation flags entries for human curation); ATLAS/ATT&CK/CWE/D3FEND version bumps open an issue (audit required per AGENTS.md Hard Rule #12). `exceptd doctor --signatures` prints dual SHA-256 + SHA3-512 public-key fingerprints for out-of-band key pinning. `exceptd discover` probes 22 PQC algorithms across the full NIST + IETF emerging landscape. `exceptd framework-gap <framework> <scenario>` provides a non-AI programmatic runner for the framework-gap skill.
-
-**v0.10.0 introduced the seven-phase playbook contract** — exceptd ships playbooks under `data/playbooks/*.json` that host AIs (Claude Code, Cursor, Gemini CLI, Codex) execute through seven phases: `govern → direct → look → detect → analyze → validate → close`. exceptd owns govern / direct / analyze / validate / close (knowledge + GRC layer); the host AI owns look / detect (artifact collection + indicator evaluation with its native Bash/Read/Grep/Glob).
-
-**v0.11.0 collapses the 21-verb CLI into 11 canonical verbs** + flips the default output to human-readable. The new surface: `discover` (scan cwd → recommend playbooks), `brief` (unified info doc, replaces plan + govern + direct + look), `run` (phases 4-7, with flat or nested submission shape, auto-detect cwd context), `ai-run` (JSONL streaming variant for AI conversational flow), `attest` (subverbs: list / show / export / verify / diff — replaces reattest + list-attestations), `doctor` (one-shot health check — signatures + currency + cve/rfc validation + signing status), `ci` (one-shot CI gate, exit-2 on detected or rwep ≥ escalate), `ask` (plain-English routing), `lint` (pre-flight submission shape check). Attestation root moved from cwd-relative `.exceptd/` to `~/.exceptd/attestations/<repo-or-host-tag>/`. v0.10.x verbs (`plan`/`govern`/`direct`/`look`/`scan`/`dispatch`/`currency`/`verify`/`validate-cves`/`validate-rfcs`/`watchlist`/`prefetch`/`build-indexes`/`ingest`/`reattest`/`list-attestations`) still work via one-time deprecation banner — scheduled for removal in v0.13.
-
-**v0.11 series** — CLI ergonomics and signature-verify hardening: mutex filesystem lockfile, `--vex` filter, `--ci` exit-code gating, `--diff-from-latest`, `--operator`/`--ack` attestation binding, `--format <fmt>` transforms output for `run` and `ci`, `ask` synonym routing, `lint` shares the normalize contract with the runner, CSAF/SARIF/OpenVEX bundles include indicator hits and framework gaps for posture-only playbooks, CSAF `current_release_date` populated, SARIF rule definitions for every ruleId, `doctor --fix` repairs a missing private key, `--strict-preconditions` flag, default human output for `attest list` and `lint` on TTY. Regression coverage at `tests/operator-bugs.test.js` catches re-introductions at `npm test`.
+Pre-1.0. Latest release lives on [GitHub Releases](https://github.com/blamejs/exceptd-skills/releases) and on npm as [`@blamejs/exceptd-skills`](https://www.npmjs.com/package/@blamejs/exceptd-skills) with signed npm provenance attestation and Ed25519-signed skill bodies. The package ships 42 skills across kernel LPE, MCP supply chain, AI-as-C2, prompt injection, post-quantum crypto, SBOM integrity, identity-incident response, and 35 other AI/security domains, plus 10 intelligence catalogs (CVE / ATLAS / ATT&CK / CWE / D3FEND / DLP / RFC / framework gaps / global frameworks / zero-day lessons) covering 35 jurisdictions, a CLI for discovery and seven-phase investigation runs (`govern → direct → look → detect → analyze → validate → close`), and a nightly auto-refresh job that pulls KEV / NVD / EPSS / GHSA / OSV / IETF deltas into auto-PRs for editorial review.
 
 ---
 
@@ -178,7 +172,7 @@ You're adding a skill, updating a catalog, or cutting a release. Clone + bootstr
 git clone https://github.com/blamejs/exceptd-skills
 cd exceptd-skills
 npm run bootstrap          # auto-detects: verify-only / re-sign / first-init
-npm run predeploy          # full 14-gate CI sequence locally
+npm run predeploy          # full predeploy gate sequence locally
 ```
 
 `bootstrap` auto-detects the right mode based on which keys exist on disk:

package/agents/threat-researcher.md

@@ -52,9 +52,9 @@ Research and validate new threat intelligence — CVEs, attack campaigns, new AT
    - Distinguish: "CISA KEV confirmed" vs. "suspected" vs. "no evidence"
 
 6. **Map to ATLAS/ATT&CK**
-   - Identify which ATLAS v5.1.0 TTPs are relevant to this CVE's attack vector
+   - Identify which ATLAS v5.4.0 TTPs are relevant to this CVE's attack vector
    - Identify which ATT&CK techniques are relevant
-   - Flag any ATLAS gaps (attack pattern not in ATLAS v5.1.0)
+   - Flag any ATLAS gaps (attack pattern not in ATLAS v5.4.0)
 
 7. **Identify affected skills**
    - Which skills cover the CVE's technology domain?

package/bin/exceptd.js

@@ -528,7 +528,7 @@ function main() {
         `Legacy verbs remain functional through this release; they will be removed in v0.13. ` +
         `This banner shows once per exceptd version per host (re-shown on upgrade). Permanent suppress: export EXCEPTD_DEPRECATION_SHOWN=1.\n`
       );
-      try { fs.writeFileSync(markerFile, `shown_at=${new Date().toISOString()}\nversion=${ver}\n`); }
+      try { fs.writeFileSync(markerFile, `shown_at=${new Date().toISOString()}\nversion=${ver}\n`, { mode: 0o600 }); }
       catch { /* tmpdir unwritable; the env-var guard below keeps the per-process suppression intact */ }
     }
     process.env.EXCEPTD_DEPRECATION_SHOWN = "1";
@@ -2858,8 +2858,10 @@ function cmdRun(runner, args, runOpts, pretty) {
     // exit-code expectations regardless of which verb they call. Without
     // --ci the legacy exit 1 is preserved (ok:false bodies are framework
     // signals when no CI gating is requested).
-    process.stderr.write((pretty ? JSON.stringify(result, null, 2) : JSON.stringify(result)) + "\n");
+    // Set exitCode BEFORE emit(): emit's ok:false fallback only fires when
+    // exitCode is not already set, so the BLOCKED override survives.
     process.exitCode = args.ci ? EXIT_CODES.BLOCKED : EXIT_CODES.GENERIC_FAILURE;
+    emit(result, pretty);
     return;
   }
 
@@ -3535,8 +3537,7 @@ function cmdIngest(runner, args, runOpts, pretty) {
   }
 
   if (result && result.ok === false) {
-    process.stderr.write((pretty ? JSON.stringify(result, null, 2) : JSON.stringify(result)) + "\n");
-    process.exitCode = EXIT_CODES.GENERIC_FAILURE;
+    emit(result, pretty);
     return;
   }
   emit(result, pretty);
@@ -3897,13 +3898,18 @@ function maybeSignAttestation(filePath) {
         algorithm: "Ed25519",
         signature_base64: sig.toString("base64"),
         note: "Ed25519 signature covers the attestation file bytes only. Use filesystem mtime for freshness; use the attestation's `captured_at` for the signed timestamp.",
-      }, null, 2));
+      }, null, 2), { mode: 0o600 });
+      // Mirror the v0.12.38 attestation.json hardening: 0o600 on POSIX +
+      // icacls inheritance strip on win32. The sidecar carries the
+      // signature payload; multi-tenant hosts shouldn't leak it.
+      try { require("./../lib/sign.js").restrictWindowsAcl(sigPath); } catch { /* best-effort */ }
     } else {
       fs.writeFileSync(sigPath, JSON.stringify({
         algorithm: "unsigned",
         signed: false,
-        note: "No private key at .keys/private.pem — attestation is hash-stable but unsigned. Run `node lib/sign.js generate-keypair` to enable signing.",
-      }, null, 2));
+        note: "No private key at .keys/private.pem — attestation is hash-stable but unsigned. Run `exceptd doctor --fix` to enable signing.",
+      }, null, 2), { mode: 0o600 });
+      try { require("./../lib/sign.js").restrictWindowsAcl(sigPath); } catch { /* best-effort */ }
     }
   } catch { /* non-fatal — signing failure shouldn't block the run */ }
 }
@@ -4477,6 +4483,23 @@ function cmdAttest(runner, args, runOpts, pretty) {
   if (!subverb) {
     return emitError("attest: missing subverb. Usage: attest list | show <sid> | export <sid> | verify <sid> | diff <sid>", null, pretty);
   }
+  // Validate subverb membership BEFORE the session-id branch so a typo
+  // (`attest verfy sid`) gets the did-you-mean response, not the
+  // misleading "no session dir for sid" downstream. Pre-fix the
+  // session-id resolution ran first and a valid-but-unrecognized
+  // subverb collapsed into a session-lookup failure.
+  const ATTEST_SUBVERBS = ["list", "show", "export", "verify", "diff"];
+  if (!ATTEST_SUBVERBS.includes(subverb)) {
+    const dym = suggestVerb(subverb, ATTEST_SUBVERBS);
+    const hint = dym.length > 0
+      ? `Did you mean: ${dym.join(" | ")}? Accepted: ${ATTEST_SUBVERBS.join(" | ")}.`
+      : `Accepted: ${ATTEST_SUBVERBS.join(" | ")}.`;
+    return emitError(
+      `attest: unknown subverb "${subverb}". ${hint}`,
+      { verb: "attest", subverb_input: subverb, did_you_mean: dym, accepted_subverbs: ATTEST_SUBVERBS },
+      pretty
+    );
+  }
   // `list` doesn't require a session-id positional.
   if (subverb === "list") {
     return cmdListAttestations(runner, args, runOpts, pretty);
@@ -4568,6 +4591,15 @@ function cmdAttest(runner, args, runOpts, pretty) {
         return emitError(`attest diff --against ${args.against}: no attestations under that session id.`, null, pretty);
       }
       const self = attestations[0];
+      if (!self) {
+        // Session dir contains only replay records, no attestation —
+        // diff has nothing to compare on the A side.
+        return emitError(
+          `attest diff ${sessionId}: no attestation found in session dir (only replay records). The session may be replay-only; verify with \`exceptd attest show ${sessionId}\`.`,
+          { verb: "attest diff", session_id: sessionId, attestation_count: 0, replay_count: replays.length },
+          pretty
+        );
+      }
       emit({
         verb: "attest diff",
         a_session: sessionId,
@@ -4599,10 +4631,6 @@ function cmdAttest(runner, args, runOpts, pretty) {
     return cmdReattest(runner, args, {}, pretty);
   }
 
-  if (subverb === "list") {
-    return cmdListAttestations(runner, args, {}, pretty);
-  }
-
   if (subverb === "verify") {
     const crypto = require("crypto");
     const pubKeyPath = path.join(PKG_ROOT, "keys", "public.pem");
@@ -4796,7 +4824,10 @@ function cmdAttest(runner, args, runOpts, pretty) {
     return;
   }
 
-  return emitError(`attest: unknown subverb "${subverb}". Try export | verify | show.`, null, pretty);
+  // Unreachable — front-loaded subverb membership check above handles
+  // unknown subverbs. Defensive return so future refactors that move
+  // the gate don't silently fall through.
+  return emitError(`attest: unknown subverb "${subverb}".`, { verb: "attest", subverb_input: subverb }, pretty);
 }
 
 /**
@@ -5335,7 +5366,7 @@ function cmdDoctor(runner, args, runOpts, pretty) {
         severity: present ? "info" : "warn",
         private_key_present: present,
         can_sign_attestations: present,
-        ...(present ? {} : { hint: "run `node lib/sign.js generate-keypair` (or `exceptd doctor --fix`) to enable attestation signing" }),
+        ...(present ? {} : { hint: "run `exceptd doctor --fix` to generate an Ed25519 keypair and sign skills (or `node $(exceptd path)/lib/sign.js generate-keypair` from a contributor checkout)" }),
       };
     } catch (e) {
       checks.signing = { ok: false, error: e.message };
@@ -5410,27 +5441,78 @@ function cmdDoctor(runner, args, runOpts, pretty) {
     },
   };
 
-  // v0.11.6 (#97): --fix runs BEFORE the JSON early-return so `exceptd doctor
-  // --fix --json` actually fixes (was a no-op pre-0.11.6). Re-runs the
-  // signing check after fix so the returned JSON reflects the post-fix state.
+  // --fix runs BEFORE the JSON early-return so `exceptd doctor --fix --json`
+  // actually fixes (was a no-op pre-v0.11.6). Re-runs the signing check
+  // after fix so the returned JSON reflects the post-fix state.
+  //
+  // Safety: lib/sign.js generateKeypair() refuses if keys/public.pem
+  // already exists (overwriting it would orphan every shipped signature —
+  // the v0.11.x regression class). Surface that refusal as a distinct
+  // fix_attempted reason so operators see WHY the fix declined.
+  // After successful key generation, chain sign-all so the manifest +
+  // every shipped skill carries a signature paired with the new public
+  // key. Without this chain, `doctor --fix` succeeds but the very next
+  // `exceptd doctor` (signatures check) reports 0/N passing.
   if (args.fix && checks.signing && !checks.signing.private_key_present) {
-    process.stderr.write("[doctor --fix] generating Ed25519 keypair via `node lib/sign.js generate-keypair`...\n");
-    const r = require("child_process").spawnSync(process.execPath, [path.join(PKG_ROOT, "lib", "sign.js"), "generate-keypair"], {
+    const pubKeyExists = fs.existsSync(path.join(PKG_ROOT, "keys", "public.pem"));
+    if (pubKeyExists) {
+      out.summary.fix_attempted = "ed25519_keypair_generation_declined";
+      out.summary.fix_decline_reason = "keys/public.pem already exists but no matching private key. Generating a fresh keypair would overwrite the public key and orphan every shipped signature. If you intend to establish a new signing identity, run `node $(exceptd path)/lib/sign.js generate-keypair --rotate` followed by sign-all.";
+      process.stderr.write("[doctor --fix] refused: keys/public.pem present without matching private key. Pass --rotate via the underlying lib/sign.js if a new identity is intended.\n");
+    } else {
+      process.stderr.write("[doctor --fix] generating Ed25519 keypair...\n");
+      const r = require("child_process").spawnSync(process.execPath, [path.join(PKG_ROOT, "lib", "sign.js"), "generate-keypair"], {
+        stdio: ["ignore", "pipe", "pipe"], cwd: PKG_ROOT,
+      });
+      if (r.status === 0) {
+        // Chain sign-all so the manifest + skills carry signatures paired
+        // with the new keypair. Without this every shipped signature is
+        // invalid against the new public key.
+        process.stderr.write("[doctor --fix] keypair generated — signing skills + manifest...\n");
+        const s = require("child_process").spawnSync(process.execPath, [path.join(PKG_ROOT, "lib", "sign.js"), "sign-all"], {
+          stdio: ["ignore", "pipe", "pipe"], cwd: PKG_ROOT,
+        });
+        const keyPath = path.join(PKG_ROOT, ".keys", "private.pem");
+        const present = fs.existsSync(keyPath);
+        checks.signing = { ok: present, severity: present ? "info" : "warn", private_key_present: present, can_sign_attestations: present };
+        out.checks = checks;
+        if (s.status === 0) {
+          out.summary.fix_applied = "ed25519_keypair_generated_and_skills_signed";
+          process.stderr.write("[doctor --fix] keypair + sign-all complete — re-checking signing status.\n");
+        } else {
+          out.summary.fix_applied = "ed25519_keypair_generated";
+          out.summary.fix_partial = "sign_all_failed";
+          out.summary.sign_all_exit_code = s.status;
+          process.stderr.write(`[doctor --fix] WARNING: keypair generated but sign-all failed (exit=${s.status}). Skills carry signatures from a different key; verify will report mismatches.\n`);
+        }
+      } else {
+        out.summary.fix_attempted = "ed25519_keypair_generation_failed";
+        out.summary.fix_exit_code = r.status;
+        process.stderr.write(`[doctor --fix] generation failed (exit=${r.status}); run \`node $(exceptd path)/lib/sign.js generate-keypair\` manually.\n`);
+      }
+    }
+  }
+
+  // Second --fix path: private key IS present but the signatures check
+  // FAILED. This is the post-rotation case (codex P2 v0.12.41): operator
+  // ran `node $(exceptd path)/lib/sign.js generate-keypair --rotate`,
+  // got a fresh keypair, but the manifest + skills still carry signatures
+  // from the OLD keypair. Pre-fix doctor --fix's signing path only fired
+  // when the private key was missing, so the rotation flow's remediation
+  // step was a no-op. Chain sign-all here so the post-rotate doctor --fix
+  // converges to a fully-verified state.
+  if (args.fix && checks.signing && checks.signing.private_key_present && checks.signatures && checks.signatures.ok === false && !out.summary.fix_applied && !out.summary.fix_attempted) {
+    process.stderr.write("[doctor --fix] private key present, signatures failing — running sign-all to re-sign skills + manifest...\n");
+    const s = require("child_process").spawnSync(process.execPath, [path.join(PKG_ROOT, "lib", "sign.js"), "sign-all"], {
       stdio: ["ignore", "pipe", "pipe"], cwd: PKG_ROOT,
     });
-    if (r.status === 0) {
-      // Re-verify the private key is now present so the JSON output reflects
-      // the fix. v0.12.9 codex P1: PKG_ROOT-only (sign + verify use this path).
-      const keyPath = path.join(PKG_ROOT, ".keys", "private.pem");
-      const present = fs.existsSync(keyPath);
-      checks.signing = { ok: present, severity: present ? "info" : "warn", private_key_present: present, can_sign_attestations: present };
-      out.checks = checks;
-      out.summary.fix_applied = "ed25519_keypair_generated";
-      process.stderr.write("[doctor --fix] keypair generated — re-checking signing status.\n");
+    if (s.status === 0) {
+      out.summary.fix_applied = "skills_resigned_against_current_keypair";
+      process.stderr.write("[doctor --fix] sign-all complete — re-run `exceptd doctor` to confirm.\n");
     } else {
-      out.summary.fix_attempted = "ed25519_keypair_generation_failed";
-      out.summary.fix_exit_code = r.status;
-      process.stderr.write(`[doctor --fix] generation failed (exit=${r.status}); run \`node lib/sign.js generate-keypair\` manually.\n`);
+      out.summary.fix_attempted = "sign_all_failed";
+      out.summary.sign_all_exit_code = s.status;
+      process.stderr.write(`[doctor --fix] sign-all failed (exit=${s.status}); run \`node $(exceptd path)/lib/sign.js sign-all\` manually.\n`);
     }
   }
 
@@ -5509,7 +5591,7 @@ function cmdDoctor(runner, args, runOpts, pretty) {
     if (checks.signing.private_key_present) {
       lines.push(`  [ok] attestation signing: private key present (.keys/private.pem)`);
     } else {
-      lines.push(`  [!!] attestation signing: private key MISSING (.keys/private.pem) — run \`node lib/sign.js generate-keypair\` to enable`);
+      lines.push(`  [!!] attestation signing: private key MISSING (.keys/private.pem) — run \`exceptd doctor --fix\` to enable`);
     }
   }
   lines.push("");
@@ -5526,7 +5608,11 @@ function cmdDoctor(runner, args, runOpts, pretty) {
   if (out.summary.fix_applied) {
     process.stdout.write(`\n[doctor --fix] ${out.summary.fix_applied} — re-run \`exceptd doctor\` to confirm.\n`);
   } else if (out.summary.fix_attempted) {
-    process.stdout.write(`\n[doctor --fix] ${out.summary.fix_attempted} (exit=${out.summary.fix_exit_code}); run \`node lib/sign.js generate-keypair\` manually.\n`);
+    if (out.summary.fix_decline_reason) {
+      process.stdout.write(`\n[doctor --fix] ${out.summary.fix_attempted}: ${out.summary.fix_decline_reason}\n`);
+    } else {
+      process.stdout.write(`\n[doctor --fix] ${out.summary.fix_attempted} (exit=${out.summary.fix_exit_code}); run \`node $(exceptd path)/lib/sign.js generate-keypair\` from a contributor checkout if needed.\n`);
+    }
     process.exitCode = EXIT_CODES.GENERIC_FAILURE;
     return;
   }
@@ -5764,10 +5850,11 @@ function cmdAiRun(runner, args, runOpts, pretty) {
       );
     }
     if (!result || result.ok === false) {
-      // v0.12.12: same exit-after-write anti-pattern as the pre-stream
-      // load path. Use exitCode + return so stderr drains.
-      process.stderr.write((pretty ? JSON.stringify(result || {}, null, 2) : JSON.stringify(result || {})) + "\n");
-      process.exitCode = EXIT_CODES.GENERIC_FAILURE;
+      // Route through emit() so the body lands on stdout (per v0.12.39
+      // envelope contracts) and exitCode is set by the shared ok:false
+      // fallback. Pre-fix the body went to stderr, which split it from
+      // the success path and made consumers parse two streams.
+      emit(result || { ok: false, error: 'ai-run returned empty result' }, pretty);
       return;
     }
     // v0.12.14: ai-run --no-stream previously emitted a
@@ -6132,7 +6219,10 @@ function cmdAsk(runner, args, runOpts, pretty) {
       routed_to: [],
       hint: "No playbook matched. Try `exceptd brief --all` to see what's available, or `exceptd discover` to detect what's in your cwd.",
     };
-    if (args.json) return emit(result, pretty);
+    // Honor --pretty as an implicit opt-in to structured output, matching
+    // the discover/doctor convention. Pre-fix `ask "..." --pretty` fell
+    // into the human-text branch and silently ignored the flag.
+    if (args.json || args.pretty) return emit(result, pretty);
     process.stdout.write(`ask: ${question}\n  no playbook matched.\n  try: exceptd discover  (auto-detect what's in your cwd)\n`);
     return;
   }
@@ -6145,7 +6235,7 @@ function cmdAsk(runner, args, runOpts, pretty) {
     next_step: `exceptd run ${top[0].id}    # or: exceptd brief ${top[0].id} to learn first`,
     full_match_list: top,
   };
-  if (args.json) return emit(result, pretty);
+  if (args.json || args.pretty) return emit(result, pretty);
   process.stdout.write(`ask: ${question}\n  top match: ${top[0].id} (score ${top[0].score})\n  next: ${result.next_step}\n  alternates: ${top.slice(1).map(t => t.id).join(", ") || "(none)"}\n`);
 }
 

package/data/_indexes/_meta.json

@@ -1,21 +1,21 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-16T15:50:46.737Z",
+  "generated_at": "2026-05-17T20:21:35.517Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 54,
   "source_hashes": {
-    "manifest.json": "32dc1f7ebdf72e65bac8a969abc45e539f506ca4ec9149cd548d72fb41252548",
+    "manifest.json": "adcee350ac3e4ffc9a6edd5003735df10503bffcd7474e298d1ecddb1e948224",
     "data/atlas-ttps.json": "259e76e4252c7a56c17bbe96982a5e37ac89131c2d37a547fe38d64dcacfd763",
     "data/attack-techniques.json": "51f60819aef36e960fd768e44dcc725e137781534fbbb028e5ef6baa21defa1d",
-    "data/cve-catalog.json": "5bfd08a3fc62850e0cdaf454a2dce3e6719acb8917b7c7249c4c02bf945b62f5",
+    "data/cve-catalog.json": "415384660f879d26491a612e579943092135acb676cbb95327f309c921ff69ed",
     "data/cwe-catalog.json": "6e7349a0fac39bdf9c4cb4598e101e51400f67d64c5d653bbca462f28bc1a0cb",
     "data/d3fend-catalog.json": "a1fc2827ceb344669e148d55197dbf1b0e5b20bcc618e90517639c17d67ee82d",
     "data/dlp-controls.json": "d2406c482dddd30e49203879999dc4b3a7fd4d0494d6a61d86b91ee76415df19",
-    "data/exploit-availability.json": "a9eeda95d24b56c28a0d0178fc601b531653e2ba7dc857160b35ad23ad6c7471",
-    "data/framework-control-gaps.json": "aa66fa78b0aad53767755532e41e391a41e75d7d81d77d3fad5eaa744f32f4de",
-    "data/global-frameworks.json": "0168825497e03f079274c9da2e5529310a2ba5bd7c7da7c93acd0b66ed845b8a",
+    "data/exploit-availability.json": "003a400f5ae5b15527589571679ccdb9b3a62e60073627b5fbdeb2a9fe330a7a",
+    "data/framework-control-gaps.json": "45d4b461a733fc31ce5a02b0462d0e23aa5d7469d937d77ad69417eb5293f189",
+    "data/global-frameworks.json": "9ba563a85f7f8d6c3c957de64945e20925a89d0ed6ea6fc561cf093811acf558",
     "data/rfc-references.json": "e253a548c8a829d178d5aea601e268724b85c936ccbfa51c2e5d80c5f8efe2b0",
-    "data/zeroday-lessons.json": "c927653e6d9d86d1a36c23a3d782b099a49675ccd928cdc204887c79b0cfbbf1",
+    "data/zeroday-lessons.json": "27d46a0e09a3edbe97dfbb070c3991348567cf93c86a3e94c767c5ad2dfb653e",
     "skills/kernel-lpe-triage/skill.md": "8e94bfd38d6db47342fbbe95a0c8df8f7c38743982c13e9de6a1c59cd3783d33",
     "skills/ai-attack-surface/skill.md": "853ea46b500fa60b5f5db1137629f8b64447b5df2c8346c15c6cbd1e59285532",
     "skills/mcp-agent-trust/skill.md": "b09a33e71a0cc13ec70e7e750ac4b91887b657d293d92c3cdb49a4e094adcfea",
@@ -51,7 +51,7 @@
     "skills/api-security/skill.md": "75dcb1b9395de2be4ca60e53f900692721b7ef66ded3e510a20d17f35daf982d",
     "skills/cloud-security/skill.md": "56f0d5d6cf182d347e84baa95a04c39be51e82da3360dac48fcf5d8c4e56a9c3",
     "skills/container-runtime-security/skill.md": "7e0806b9e13db120f9b65d5f48b33db9f1026c4c2d719838ef0f0c8778ec4365",
-    "skills/mlops-security/skill.md": "cb6871691028f55d59e3efe47be2f1d6bf65fa8c6f3cf301e78d5d119fe3616d",
+    "skills/mlops-security/skill.md": "a7bf448527e15bb0c6936217c69f3e18cc823f534e0c7f749966cde32039c63e",
     "skills/incident-response-playbook/skill.md": "0695ee43881527459f657a90276748922347f16dd494ae2b98e2a9396c570a44",
     "skills/ransomware-response/skill.md": "15de039c5679215b7ceb9a55494f614b06fe618aa0f69ce8aff004dc9a841fa4",
     "skills/email-security-anti-phishing/skill.md": "b5a7693b3ddbd6cd83303d092bc5e324db431245d25c4945d9f65fcffa1995e7",
@@ -78,7 +78,7 @@
     "handoff_dag_nodes": 42,
     "summary_cards": 42,
     "section_offsets_skills": 42,
-    "token_budget_total_approx": 397769,
+    "token_budget_total_approx": 397775,
     "recipes": 8,
     "jurisdiction_clocks": 29,
     "did_ladders": 8,

package/data/_indexes/activity-feed.json

@@ -63,7 +63,7 @@
       "artifact": "data/framework-control-gaps.json",
       "path": "data/framework-control-gaps.json",
       "schema_version": "1.0.0",
-      "entry_count": 118
+      "entry_count": 122
     },
     {
       "date": "2026-05-15",

package/data/_indexes/catalog-summaries.json

@@ -172,7 +172,7 @@
         "rebuild_after_days": 365,
         "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
       },
-      "entry_count": 118,
+      "entry_count": 122,
       "sample_keys": [
         "ALL-AI-PIPELINE-INTEGRITY",
         "ALL-MCP-TOOL-TRUST",

package/data/_indexes/frequency.json

@@ -2520,6 +2520,7 @@
       "AU-Essential-8-Backup",
       "AU-Essential-8-MFA",
       "AU-Essential-8-Patch",
+      "AU-ISM-1546",
       "CIS-Controls-v8-10.1",
       "DORA-Art-9",
       "DORA-Art28",
@@ -2537,9 +2538,11 @@
       "HIPAA-Security-Rule-2026-NPRM-164.310",
       "HIPAA-Security-Rule-2026-NPRM-164.312",
       "HIPAA-Security-Rule-2026-NPRM-164.314",
+      "ISO-27001-2022-A.5.7",
       "ISO-27001-2022-A.8.7",
       "NIS2-Art21-identity-management",
       "NIS2-Art21-incident-handling",
+      "NIS2-Art21-supply-chain",
       "NIS2-Art21-vulnerability-management",
       "NIST-800-53-AC-3",
       "NIST-800-53-AC-6",
@@ -2552,6 +2555,7 @@
       "PCI-DSS-4.0.1-6.4.3",
       "UK-CAF-A1",
       "UK-CAF-B2",
+      "UK-CAF-B4",
       "UK-CAF-C1",
       "UK-CAF-D1"
     ],

package/data/_indexes/section-offsets.json

@@ -3543,21 +3543,21 @@
     },
     "mlops-security": {
       "path": "skills/mlops-security/skill.md",
-      "total_bytes": 45439,
+      "total_bytes": 45463,
       "total_lines": 330,
       "frontmatter": {
         "line_start": 1,
         "line_end": 66,
         "byte_start": 0,
-        "byte_end": 2398
+        "byte_end": 2422
       },
       "sections": [
         {
           "name": "Threat Context (mid-2026)",
           "normalized_name": "threat-context",
           "line": 70,
-          "byte_start": 2437,
-          "byte_end": 8267,
+          "byte_start": 2461,
+          "byte_end": 8291,
           "bytes": 5830,
           "h3_count": 0
         },
@@ -3565,8 +3565,8 @@
           "name": "Framework Lag Declaration",
           "normalized_name": "framework-lag-declaration",
           "line": 88,
-          "byte_start": 8267,
-          "byte_end": 14049,
+          "byte_start": 8291,
+          "byte_end": 14073,
           "bytes": 5782,
           "h3_count": 0
         },
@@ -3574,8 +3574,8 @@
           "name": "TTP Mapping",
           "normalized_name": "ttp-mapping",
           "line": 112,
-          "byte_start": 14049,
-          "byte_end": 18425,
+          "byte_start": 14073,
+          "byte_end": 18449,
           "bytes": 4376,
           "h3_count": 0
         },
@@ -3583,8 +3583,8 @@
           "name": "Exploit Availability Matrix",
           "normalized_name": "exploit-availability-matrix",
           "line": 137,
-          "byte_start": 18425,
-          "byte_end": 23911,
+          "byte_start": 18449,
+          "byte_end": 23935,
           "bytes": 5486,
           "h3_count": 0
         },
@@ -3592,8 +3592,8 @@
           "name": "Analysis Procedure",
           "normalized_name": "analysis-procedure",
           "line": 163,
-          "byte_start": 23911,
-          "byte_end": 32980,
+          "byte_start": 23935,
+          "byte_end": 33004,
           "bytes": 9069,
           "h3_count": 4
         },
@@ -3601,8 +3601,8 @@
           "name": "Output Format",
           "normalized_name": "output-format",
           "line": 228,
-          "byte_start": 32980,
-          "byte_end": 35658,
+          "byte_start": 33004,
+          "byte_end": 35682,
           "bytes": 2678,
           "h3_count": 10
         },
@@ -3610,8 +3610,8 @@
           "name": "Compliance Theater Check",
           "normalized_name": "compliance-theater-check",
           "line": 281,
-          "byte_start": 35658,
-          "byte_end": 38589,
+          "byte_start": 35682,
+          "byte_end": 38613,
           "bytes": 2931,
           "h3_count": 0
         },
@@ -3619,8 +3619,8 @@
           "name": "Defensive Countermeasure Mapping",
           "normalized_name": "defensive-countermeasure-mapping",
           "line": 297,
-          "byte_start": 38589,
-          "byte_end": 42509,
+          "byte_start": 38613,
+          "byte_end": 42533,
           "bytes": 3920,
           "h3_count": 0
         },
@@ -3628,8 +3628,8 @@
           "name": "Hand-Off / Related Skills",
           "normalized_name": "hand-off",
           "line": 317,
-          "byte_start": 42509,
-          "byte_end": 45439,
+          "byte_start": 42533,
+          "byte_end": 45463,
           "bytes": 2930,
           "h3_count": 0
         }

package/data/_indexes/token-budget.json

@@ -3,8 +3,8 @@
     "schema_version": "1.0.0",
     "tokenizer_note": "Character-density approximation: 1 token ≈ 4 chars. This is the canonical rule-of-thumb for OpenAI tokenizers on English+technical text. Claude's tokenizer is typically more efficient on prose; treat this as an upper-bound budget for both. Consumers with stricter precision needs should re-tokenize with their own tokenizer.",
     "approx_chars_per_token": 4,
-    "total_chars": 1591052,
-    "total_approx_tokens": 397769,
+    "total_chars": 1591076,
+    "total_approx_tokens": 397775,
     "skill_count": 42
   },
   "skills": {
@@ -2065,10 +2065,10 @@
     },
     "mlops-security": {
       "path": "skills/mlops-security/skill.md",
-      "bytes": 45439,
-      "chars": 45147,
+      "bytes": 45463,
+      "chars": 45171,
       "lines": 330,
-      "approx_tokens": 11287,
+      "approx_tokens": 11293,
       "approx_chars_per_token": 4,
       "sections": {
         "threat-context": {