@blamejs/exceptd-skills 0.12.40 → 0.12.41

package/lib/verify.js

@@ -87,7 +87,7 @@ const EXPECTED_FINGERPRINT_PATH = path.join(ROOT, 'keys', 'EXPECTED_FINGERPRINT'
 function verifyAll() {
   const publicKey = loadPublicKey();
   if (!publicKey) {
-    console.error('[verify] No public key at keys/public.pem — run: node lib/sign.js generate-keypair');
+    console.error('[verify] No public key at keys/public.pem — run `exceptd doctor --fix` (or `node $(exceptd path)/lib/sign.js generate-keypair` from a contributor checkout)');
     return { valid: [], invalid: [], missing_sig: [], missing_file: [], no_key: true };
   }
 
@@ -128,7 +128,7 @@ function verifyOne(skillName) {
  */
 function signAll() {
   const privateKey = loadPrivateKey();
-  if (!privateKey) throw new Error('No private key at .keys/private.pem — run: node lib/sign.js generate-keypair');
+  if (!privateKey) throw new Error('No private key at .keys/private.pem — run `exceptd doctor --fix` (or `node $(exceptd path)/lib/sign.js generate-keypair` from a contributor checkout)');
 
   // P1-4: load the manifest without the signature gate. We're about to
   // mutate the manifest (re-sign skills + re-sign the manifest itself),
@@ -236,7 +236,7 @@ function validateSkillPath(skillPath) {
 
 function verifySkill(skill, publicKey) {
   if (!skill.signature) {
-    return { status: 'missing_sig', reason: 'No Ed25519 signature in manifest — run: node lib/sign.js sign-all' };
+    return { status: 'missing_sig', reason: 'No Ed25519 signature in manifest — run `exceptd doctor --fix` (or `node $(exceptd path)/lib/sign.js sign-all` from a contributor checkout)' };
   }
 
   const skillPath = path.join(ROOT, skill.path);
@@ -447,7 +447,7 @@ function loadManifestValidated() {
     // console.warn would spam stderr per call. Node's emitWarning() with
     // a stable `code` collapses repeated emissions automatically.
     process.emitWarning(
-      'manifest.json has no top-level manifest_signature field. This tarball predates v0.12.17 manifest signing; skills will still be verified but a coordinated rewrite of manifest.json could go undetected. Re-run `node lib/sign.js sign-all` to add the signature.',
+      'manifest.json has no top-level manifest_signature field. This tarball predates v0.12.17 manifest signing; skills will still be verified but a coordinated rewrite of manifest.json could go undetected. Re-run `exceptd doctor --fix` (or `node $(exceptd path)/lib/sign.js sign-all` from a contributor checkout) to add the signature.',
       { code: 'EXCEPTD_MANIFEST_UNSIGNED' }
     );
   } else if (sigResult.status === 'no-key') {
@@ -693,7 +693,7 @@ if (require.main === module) {
   if (arg === 'check-key') {
     const pub = loadPublicKey();
     if (!pub) {
-      console.error('[verify] No public key — run: node lib/sign.js generate-keypair');
+      console.error('[verify] No public key — run `exceptd doctor --fix` (or `node $(exceptd path)/lib/sign.js generate-keypair` from a contributor checkout)');
       process.exit(1);
     }
     console.log('[verify] Public key present at keys/public.pem');

package/manifest.json

@@ -1,6 +1,6 @@
 {
   "name": "exceptd-security",
-  "version": "0.12.40",
+  "version": "0.12.41",
   "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation",
   "homepage": "https://exceptd.com",
   "license": "Apache-2.0",
@@ -53,7 +53,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "N6H4u/u1fCFE6f/3QVkAr2cumZvLNE+xYBC91CCxKoeaSKm5zqbwzb2mvFDk9XKUegUy5W6npLFGi75yxNMIAg==",
-      "signed_at": "2026-05-16T15:50:05.556Z",
+      "signed_at": "2026-05-17T20:18:30.560Z",
       "cwe_refs": [
         "CWE-125",
         "CWE-362",
@@ -117,7 +117,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "CmPu9xiYnUQyug3+aQ8jwuros3EGIIxL4/vaSgvaBVgI0Zd96ehlSBHw9ISd3eXzEImvGTdFEYZEpSHoH76fBw==",
-      "signed_at": "2026-05-16T15:50:05.558Z",
+      "signed_at": "2026-05-17T20:18:30.564Z",
       "cwe_refs": [
         "CWE-1039",
         "CWE-1426",
@@ -180,7 +180,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "5jdS7h9+CgfkXIf0OOLEIBxoBFv9TSQh0HPEs2Ra6hmpFbyBPV6zAs7yFi+66EAXoHicasGL04QA10L0MGZyAg==",
-      "signed_at": "2026-05-16T15:50:05.559Z",
+      "signed_at": "2026-05-17T20:18:30.565Z",
       "cwe_refs": [
         "CWE-22",
         "CWE-345",
@@ -226,7 +226,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "ZfW88vN0se3O9AEpjsfImRFCEC9ayOsNYthRSrj+eIOO8XVu4C0Jk9INSBwX+8ws6ZVsEMvQ3htyouTGIapcCQ==",
-      "signed_at": "2026-05-16T15:50:05.559Z"
+      "signed_at": "2026-05-17T20:18:30.565Z"
     },
     {
       "name": "compliance-theater",
@@ -257,7 +257,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "OTu6DScKDWxaR1+TZ3S6FGBmf7c6WKkXOdP2MdMwMNjY5OJ7RSSXrOWg4XnT32VRtGncOetlHG47VZ0KgwWNCA==",
-      "signed_at": "2026-05-16T15:50:05.559Z"
+      "signed_at": "2026-05-17T20:18:30.566Z"
     },
     {
       "name": "exploit-scoring",
@@ -286,7 +286,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "T34BtDdNUzPblA+dG4LSAqNycM1kEFQpQAX6bvXWX3B02LB7VNBfQnD/52sDteAi+ishRf5IihuEYez8wRHGBA==",
-      "signed_at": "2026-05-16T15:50:05.560Z"
+      "signed_at": "2026-05-17T20:18:30.567Z"
     },
     {
       "name": "rag-pipeline-security",
@@ -323,7 +323,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "kApombCESpQjg17tecmcOIPKxzKuYrkQM78S8eX8jA5ovjGgzl3kIJjcjKib15Vgy/MOpsh0GaWYpCEhCLRyDw==",
-      "signed_at": "2026-05-16T15:50:05.560Z",
+      "signed_at": "2026-05-17T20:18:30.568Z",
       "cwe_refs": [
         "CWE-1395",
         "CWE-1426"
@@ -380,7 +380,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "DRqLIBG1cJKMeTc5gpzWdb0ThvBTLrWl9CaFx4mNesIImUEWSEycrhILfPQ4fbA1jyhD1dsBJzttTZFKbezFDA==",
-      "signed_at": "2026-05-16T15:50:05.560Z",
+      "signed_at": "2026-05-17T20:18:30.569Z",
       "d3fend_refs": [
         "D3-CA",
         "D3-CSPP",
@@ -415,7 +415,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "87pHjZe0xEuYR18owLqCHDtHNQ7bf8YzF6RaJlILN0n7ohgAdkmhWVODpTMA+/Ku0RLhMwz8dSkx48ue3VfLAw==",
-      "signed_at": "2026-05-16T15:50:05.561Z",
+      "signed_at": "2026-05-17T20:18:30.570Z",
       "cwe_refs": [
         "CWE-1188"
       ]
@@ -443,7 +443,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "X8BQpeJFFTxvE9jWkmqF1J5EnSB63TMNF/VCU6RQLf/+XsGYarOokZ5lWvZT2IL3djwxzzbWhr0BMtuLMtEcAg==",
-      "signed_at": "2026-05-16T15:50:05.561Z"
+      "signed_at": "2026-05-17T20:18:30.570Z"
     },
     {
       "name": "global-grc",
@@ -475,7 +475,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "7yVjZkanFMKDQqXdX4B/7oLc2Rz72xHC1zscYd8F/+e5UAbR7ikK8Bn5EKZt3aBEOhHPAviSQNCMxpZD9U00CA==",
-      "signed_at": "2026-05-16T15:50:05.562Z"
+      "signed_at": "2026-05-17T20:18:30.571Z"
     },
     {
       "name": "zeroday-gap-learn",
@@ -502,7 +502,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "iwosQ4gcFZc+6QSmxUOhHB3jse8tHxd3XsXl155mU4K5UgbctHNhOUKMmF7WnUVfOUQ7PafHiMzZIbevvenNBA==",
-      "signed_at": "2026-05-16T15:50:05.562Z"
+      "signed_at": "2026-05-17T20:18:30.572Z"
     },
     {
       "name": "pqc-first",
@@ -554,7 +554,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "V+qn5FqUlETfsEjvvi6jZGuQdqLFtFejfgPA6KSYxSlBXBTbOBXP3BGk5S+ba9akIzgbKh1j9VGB1MqsIt56DA==",
-      "signed_at": "2026-05-16T15:50:05.562Z",
+      "signed_at": "2026-05-17T20:18:30.572Z",
       "cwe_refs": [
         "CWE-327"
       ],
@@ -601,7 +601,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "mqjxjEhZiF+yOlqFr6ak39+NkNsasDxW9in5EBczWDxD9ngIxfnpVjKbnr5g+prB4qz3cG28UBtu8cHz9vJbBw==",
-      "signed_at": "2026-05-16T15:50:05.563Z"
+      "signed_at": "2026-05-17T20:18:30.573Z"
     },
     {
       "name": "security-maturity-tiers",
@@ -638,7 +638,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "cZnSuh0PwPZjzxgfOoKNYDGz9bbdfDIAlQrUuavmRFxWmdAIoarOYsPwPG8NXYRqzxVdRbu8R7eF/+dssbfZDw==",
-      "signed_at": "2026-05-16T15:50:05.563Z",
+      "signed_at": "2026-05-17T20:18:30.573Z",
       "cwe_refs": [
         "CWE-1188"
       ]
@@ -673,7 +673,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-11",
       "signature": "/lGgWehCMQUXjI6w4FUa+5wrbyRnct+txvVcXA+D2/ZEkoJKh+J/psO3j5HPf7Hpv+Y5SmkH71CoO+9qilyVDQ==",
-      "signed_at": "2026-05-16T15:50:05.563Z"
+      "signed_at": "2026-05-17T20:18:30.575Z"
     },
     {
       "name": "attack-surface-pentest",
@@ -744,7 +744,7 @@
         "PTES revision incorporating AI-surface enumeration"
       ],
       "signature": "Zo+2DFJhxNkEvQ8X+eYnqtLKepukif9IyD7LmqK/MX6tyfOp/gXGl9KEOddhubuV2a79zEc/OGOYfTHsEVzcAg==",
-      "signed_at": "2026-05-16T15:50:05.564Z"
+      "signed_at": "2026-05-17T20:18:30.575Z"
     },
     {
       "name": "fuzz-testing-strategy",
@@ -804,7 +804,7 @@
         "OSS-Fuzz-Gen / AI-assisted harness generation becoming the default expectation for OSS maintainers"
       ],
       "signature": "jZq4Kv81CxQMMOAnw3/A1tBe5fIfrr+SGltivqcmH4WjUKmk6byO5BWCZKTxWWuaGa/AonsSDk5CGUPx9h8ZBw==",
-      "signed_at": "2026-05-16T15:50:05.564Z"
+      "signed_at": "2026-05-17T20:18:30.576Z"
     },
     {
       "name": "dlp-gap-analysis",
@@ -879,7 +879,7 @@
         "Quebec Law 25, India DPDPA, KSA PDPL enforcement actions naming AI-tool prompt data as in-scope personal information"
       ],
       "signature": "vY2ym7pUhzJBD6R6jI4JwSKciqVS1fyVPuszN4WTiKJvYGePkis6w7upk/Fw0OXjnNSNdEf3f534FHRzGk5UDg==",
-      "signed_at": "2026-05-16T15:50:05.564Z"
+      "signed_at": "2026-05-17T20:18:30.576Z"
     },
     {
       "name": "supply-chain-integrity",
@@ -956,7 +956,7 @@
         "OpenSSF model-signing — emerging Sigstore-based signing standard for ML model weights; track for production adoption"
       ],
       "signature": "SB5gpZ8nT7yZNIr9qaXf9l0ShbsE/b1+XYNucaOIi/G6YcjLly+u+mKGiY7qBVv3CP1FO7pbSvB/e5dlR2AsCw==",
-      "signed_at": "2026-05-16T15:50:05.565Z"
+      "signed_at": "2026-05-17T20:18:30.577Z"
     },
     {
       "name": "defensive-countermeasure-mapping",
@@ -1013,7 +1013,7 @@
       ],
       "last_threat_review": "2026-05-11",
       "signature": "XZigwq8X/csfrdG10O6Q1V5q0zUqSQGd3QrjRKkZ4fkaodG4mZahYuIQqxc8rU9jjtGAm9LtBXYB+I5csqj9Bw==",
-      "signed_at": "2026-05-16T15:50:05.565Z"
+      "signed_at": "2026-05-17T20:18:30.578Z"
     },
     {
       "name": "identity-assurance",
@@ -1080,7 +1080,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "k0HrsZMBxiPWB1jl4dRwhv/R5IsqbZ+SLDv1Jx3/sRl51JyXjtm8vyogTNhSwsl5/IkaRakqIPJFRFRl5h/9CQ==",
-      "signed_at": "2026-05-16T15:50:05.565Z"
+      "signed_at": "2026-05-17T20:18:30.578Z"
     },
     {
       "name": "ot-ics-security",
@@ -1136,7 +1136,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "kAYm2ym/wCoYnA0cMP7kY/0R+/IFTzuZ2Dn514xnLdQ+6aTbxJel9tTn+a6d7F8IWidciC9Xx4nG1A11VqofCg==",
-      "signed_at": "2026-05-16T15:50:05.566Z"
+      "signed_at": "2026-05-17T20:18:30.579Z"
     },
     {
       "name": "coordinated-vuln-disclosure",
@@ -1188,7 +1188,7 @@
         "NYDFS 23 NYCRR 500 amendments potentially adding explicit CVD program requirements"
       ],
       "signature": "f1w8AOT3bw+IeaAkg+vubUf7+Gx+/zTuQyIKOxQTbF9m1HGIE/SJQlWZST9ALtlH1BN4gJK5WPRmloX6LzQYBw==",
-      "signed_at": "2026-05-16T15:50:05.566Z"
+      "signed_at": "2026-05-17T20:18:30.579Z"
     },
     {
       "name": "threat-modeling-methodology",
@@ -1238,7 +1238,7 @@
         "PASTA v2 updates incorporating AI/ML application threats"
       ],
       "signature": "bOexHUZApL+t6r84lombGCRHOh8jT9f3rm9ckcdu0Mz6hKuoa9uMGq5D+JESKMoOdFMPMZM4KpjZ+fcYExp2AQ==",
-      "signed_at": "2026-05-16T15:50:05.567Z"
+      "signed_at": "2026-05-17T20:18:30.580Z"
     },
     {
       "name": "webapp-security",
@@ -1312,7 +1312,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "TS1bOSeoGVK77LkHrUrZALK5PeturDTZe68vippxgJ9q7dQYa6n+CQFydiPfam2HZZJWtRHfs+4bL8PS7qQtAw==",
-      "signed_at": "2026-05-16T15:50:05.567Z"
+      "signed_at": "2026-05-17T20:18:30.581Z"
     },
     {
       "name": "ai-risk-management",
@@ -1362,7 +1362,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "8E82UwKFNraXV/MKAbiUV6gUryYuN+Ff/kiv1aW4/XtriShdTyt/UgRuQJ8LXGXl0jMH8hRJ/xTAV8LOJqexDA==",
-      "signed_at": "2026-05-16T15:50:05.567Z"
+      "signed_at": "2026-05-17T20:18:30.581Z"
     },
     {
       "name": "sector-healthcare",
@@ -1422,7 +1422,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "oW7JP2esMH8RxJKHnKXj3uHKJ7E5iEvp+fg1PQWRL0FbTu1K/SwY56tVzeBZgfNBGb5W4Q7TKk7r+Fh9tXD+AQ==",
-      "signed_at": "2026-05-16T15:50:05.568Z"
+      "signed_at": "2026-05-17T20:18:30.582Z"
     },
     {
       "name": "sector-financial",
@@ -1503,7 +1503,7 @@
         "TIBER-EU framework v2.0 alignment with DORA TLPT RTS (JC 2024/40); cross-recognition with CBEST and iCAST"
       ],
       "signature": "8YE9Csb1WGVXzHUG2ZIw7vG0f4h6xZ3dqZMH8vsCzs9/uNaifToOhHXfjfzycqoE9jmOTcp2lFLTvim1FrJjCA==",
-      "signed_at": "2026-05-16T15:50:05.568Z"
+      "signed_at": "2026-05-17T20:18:30.583Z"
     },
     {
       "name": "sector-federal-government",
@@ -1572,7 +1572,7 @@
         "Australia PSPF 2024 revision and ISM quarterly updates — track for Essential Eight Maturity Level requirements for federal entities"
       ],
       "signature": "OJVU06d5AVJffRAWuo1FlkEmtNXckfte/aHBIny98w5644d7jcxxj7I1VH7PaRaBOz049T5MJ9PlAwaRIB2LDA==",
-      "signed_at": "2026-05-16T15:50:05.568Z"
+      "signed_at": "2026-05-17T20:18:30.584Z"
     },
     {
       "name": "sector-energy",
@@ -1637,7 +1637,7 @@
         "ICS-CERT advisory feed (https://www.cisa.gov/news-events/cybersecurity-advisories/ics-advisories) for vendor CVEs in Siemens, Rockwell, Schneider Electric, ABB, GE Vernova, Hitachi Energy, AVEVA / OSIsoft PI"
       ],
       "signature": "kp9RgI7ViCNA2fxdbPZQxKlIVSvcArIyYqQdfojgvh9OYALvI4Bp3XB2RMcJZX1VORfUm3bKZjV8MRZsqCNtDg==",
-      "signed_at": "2026-05-16T15:50:05.569Z"
+      "signed_at": "2026-05-17T20:18:30.585Z"
     },
     {
       "name": "sector-telecom",
@@ -1723,7 +1723,7 @@
         "O-RAN SFG / WG11 security specifications"
       ],
       "signature": "VKLuoRkFq7lNXqySipwzPSaiHaqemHQ2cReemF/Xy9hUpD9orQaTVZWClOA4lzoF6d2eQ/CeS///Jjnj4g9dCg==",
-      "signed_at": "2026-05-16T15:50:05.569Z"
+      "signed_at": "2026-05-17T20:18:30.585Z"
     },
     {
       "name": "api-security",
@@ -1792,7 +1792,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "bhgnM/PkYgduLokq5dCSm1geELvrfvKCGG4mwfgn4X9NdrheI1cjnrOqZjbOEt2q44iH2vDhqLJeA9l85GMeAg==",
-      "signed_at": "2026-05-16T15:50:05.570Z"
+      "signed_at": "2026-05-17T20:18:30.586Z"
     },
     {
       "name": "cloud-security",
@@ -1873,7 +1873,7 @@
         "CISA KEV additions for cloud-control-plane CVEs (IMDSv1 abuses, federation token mishandling, cross-tenant boundary failures); CISA Cybersecurity Advisories for cross-cloud advisories"
       ],
       "signature": "wTxiyl9IN127tDk8msLw1/0REqZ3Ldeyj5HSwNdmJWOFkqGs1MbgQYFt0wCSVNcGtdoWtZtV6uuUxdOlCoo4AA==",
-      "signed_at": "2026-05-16T15:50:05.570Z"
+      "signed_at": "2026-05-17T20:18:30.587Z"
     },
     {
       "name": "container-runtime-security",
@@ -1935,7 +1935,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "kYHthY7uKOnVV64XC7evRWZuwQxY1Ihdsz4KAqGFnjTg+9hkBMcMfW1K3lwCIXEXElENznsZ8RI6LcwcbmDjBg==",
-      "signed_at": "2026-05-16T15:50:05.571Z"
+      "signed_at": "2026-05-17T20:18:30.587Z"
     },
     {
       "name": "mlops-security",
@@ -2005,8 +2005,8 @@
         "EU AI Act high-risk technical-file implementing acts (2026-2027) — operational requirements for Article 10 / 13 / 15 documentation may pin ML-BOM or model-signing",
         "MITRE ATLAS v5.4.0 (released February 2026) shipped the AML.T0010 sub-technique expansion this forecast tracked plus new techniques (\"Publish Poisoned AI Agent Tool\", \"Escape to Host\"); inventory now 16 tactics, 84 techniques, 56 sub-techniques. Forward watch: ATLAS v5.5 / v6.0 — track next-cadence updates to agentic-AI TTPs and MLOps-pipeline-specific techniques"
       ],
-      "signature": "L0OCRb+jIzUqdx+pZHY9WsF1fJ+FxGF3+ALWqjHerBi+EbHxi5js81xZMATRf4dIGH/4YpSjVn5Xu/apu94lBA==",
-      "signed_at": "2026-05-16T15:50:05.571Z"
+      "signature": "e4IaAtuKgDd7wzaV5Fs8unk3ui1PVMSM7/sLsHTxo5e/kA7i/KHuiQ/K7xQciqe6iuyAx+6NGA4DnPlKaAMGBw==",
+      "signed_at": "2026-05-17T20:18:30.588Z"
     },
     {
       "name": "incident-response-playbook",
@@ -2068,7 +2068,7 @@
         "NYDFS 23 NYCRR 500.17 amendments tightening ransom-payment 24h disclosure operationalization"
       ],
       "signature": "f2AhpIOdMBZaOPfGa0ebnHc0Iofv5Aj+NcyW3rwlP7oxx4WbvhO5n+ECVtqZ8HRoD3BC/2KxrFGcvBhnObf+AA==",
-      "signed_at": "2026-05-16T15:50:05.571Z"
+      "signed_at": "2026-05-17T20:18:30.589Z"
     },
     {
       "name": "ransomware-response",
@@ -2148,7 +2148,7 @@
       ],
       "last_threat_review": "2026-05-15",
       "signature": "2+KCRXcUy0d1DdV2RHNFTCadii+2m9DXVcygPVFITwoGbNwnN3e10JZRjLewMtRkxXboYPZ7Qt25xoDRszYQAg==",
-      "signed_at": "2026-05-16T15:50:05.572Z"
+      "signed_at": "2026-05-17T20:18:30.589Z"
     },
     {
       "name": "email-security-anti-phishing",
@@ -2201,7 +2201,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "RiCryJEd66T2NNcSo/mZTd3sGWDycE3C37guLJanLdVL5co35DrPFmIl8qy3ZM/y+Wzg5vpny8VKgr1//1/bCA==",
-      "signed_at": "2026-05-16T15:50:05.572Z"
+      "signed_at": "2026-05-17T20:18:30.590Z"
     },
     {
       "name": "age-gates-child-safety",
@@ -2269,7 +2269,7 @@
         "US state adult-site age-verification laws — 19+ states by mid-2026 (TX HB 18 upheld by SCOTUS June 2025 in Free Speech Coalition v. Paxton); track ongoing challenges in remaining states"
       ],
       "signature": "rRX0+wEkhrjEIi1e+OSjg1U5uR0/hDoaai36WcIrzxViRVuIS5WwyH0GBeJF1eTcbMOIvd7QZApG8aHbXmTpAg==",
-      "signed_at": "2026-05-16T15:50:05.572Z"
+      "signed_at": "2026-05-17T20:18:30.590Z"
     },
     {
       "name": "cloud-iam-incident",
@@ -2349,7 +2349,7 @@
       ],
       "last_threat_review": "2026-05-15",
       "signature": "L85ONmu51m4EKwat2IJlMYz9V3Wvl+ISVHe92B01/mfPv/kf0TpYqaUZ8NoBT9G4rO5yNUtsWS0NMOJHHNANCA==",
-      "signed_at": "2026-05-16T15:50:05.573Z"
+      "signed_at": "2026-05-17T20:18:30.591Z"
     },
     {
       "name": "idp-incident-response",
@@ -2430,11 +2430,11 @@
       ],
       "last_threat_review": "2026-05-15",
       "signature": "n9d4fdaSHCMieXRDkBz88kITsUFFlngr2gn2IvGFqJLH+xOEDp4ohS62Vk/zq4+Mhi4QEVKSu3mONOAk3nsYBQ==",
-      "signed_at": "2026-05-16T15:50:05.573Z"
+      "signed_at": "2026-05-17T20:18:30.592Z"
     }
   ],
   "manifest_signature": {
     "algorithm": "Ed25519",
-    "signature_base64": "PSaiWmP07ZPzixTlLo78S2sTFrqFcmEDwc5WgdY3+mjU0sssloownIt/Jf8hjvP3/qXuoQLZUFgE2dAn/EAfAw=="
+    "signature_base64": "tL22F4bchkekSqLelV6NAGjU7xdiu9ErmwqyJtZTjKz1S2HAhYVfnIEG9dLJbrTKXMZR6kWdT5qdYn8FdRPPDw=="
   }
 }

package/orchestrator/README.md

@@ -60,25 +60,25 @@ Scheduled tasks:
 
 ```bash
 # Scan current environment and produce findings
-node orchestrator/index.js scan
+exceptd scan
 
 # Route findings to relevant skills
-node orchestrator/index.js dispatch
+exceptd dispatch
 
 # Run a specific skill programmatically
-node orchestrator/index.js skill kernel-lpe-triage
+exceptd skill kernel-lpe-triage
 
 # Run the full agent pipeline (threat-researcher → report)
-node orchestrator/index.js pipeline
+exceptd pipeline
 
 # Check skill currency scores
-node orchestrator/index.js currency
+exceptd currency
 
 # Generate an executive report from current findings
-node orchestrator/index.js report --format executive
+exceptd report --format executive
 
 # Watch for events and trigger updates automatically
-node orchestrator/index.js watch
+exceptd watch
 ```
 
 ## Output Formats

package/orchestrator/index.js

@@ -145,7 +145,10 @@ Examples:
   exceptd framework-gap NIST-800-53 CVE-2026-31431
   exceptd framework-gap PCI-DSS-4.0 "prompt injection"
   exceptd framework-gap all CVE-2025-53773 --json`);
-    process.exit(2);
+    // Pinned exit 2 by operator contract. Envelope harmonization
+    // across orchestrator + CLI is a v0.13 concern.
+    process.exitCode = 2;
+    return;
   }
 
   const root = path.join(__dirname, '..');
@@ -155,7 +158,8 @@ Examples:
     cveCatalog = JSON.parse(fs.readFileSync(path.join(root, 'data', 'cve-catalog.json'), 'utf8'));
   } catch (err) {
     console.error(`[framework-gap] cannot read catalog: ${err.message}`);
-    process.exit(2);
+    process.exitCode = 2;
+    return;
   }
 
   const requested = args[0].toLowerCase() === 'all'
@@ -292,20 +296,24 @@ async function runDispatch() {
 
 function runSkillContext(skillName) {
   if (!skillName) {
-    // Cycle 20 A P2 (v0.12.40): operator-facing surface must reference
-    // the canonical `exceptd skill <name>` form, not the orchestrator
-    // path that's an implementation detail. CLAUDE.md global rule:
-    // "no internal narrative in operator-facing artifacts."
+    // v0.12.40: operator-facing surface uses the canonical `exceptd skill
+    // <name>` form, not the orchestrator path that's an implementation
+    // detail.
     console.error('Usage: exceptd skill <skill-name>');
     console.error('       (Lists available skills: exceptd brief --all)');
-    process.exit(1);
+    process.exitCode = 1;
+    return;
   }
 
   const context = getSkillContext(skillName);
   if (!context) {
     // Unified error shape across the CLI surface — see v0.10.3 bug #18.
+    // Stderr is the documented stream for ok:false bodies emitted by
+    // orchestrator dispatch; envelope harmonization across the CLI is
+    // a v0.13 concern.
     process.stderr.write(JSON.stringify({ ok: false, error: `Skill not found: ${skillName}`, verb: "skill", hint: "Run `exceptd brief --all` or check skills/ for available skill IDs." }) + "\n");
-    process.exit(1);
+    process.exitCode = 1;
+    return;
   }
 
   console.log(`Skill: ${context.skill.name} v${context.skill.version}`);
@@ -332,7 +340,7 @@ function runPipeline(triggerType, payload) {
     console.log(`  Agent: ${stage.agent_path}`);
   }
   console.log('\nTo run each stage, load the agent definition and follow its instructions:');
-  console.log('  node orchestrator/index.js skill skill-update-loop');
+  console.log('  exceptd skill skill-update-loop');
   return run;
 }
 
@@ -368,12 +376,16 @@ async function runReport(format) {
   // string. Now: reject with structured JSON error matching other verbs.
   const VALID_REPORT_FORMATS = ['executive', 'technical', 'compliance', 'csaf'];
   if (!VALID_REPORT_FORMATS.includes(format)) {
+    // Pinned exit 2 + stderr-stream by operator contract. Envelope
+    // harmonization across orchestrator + CLI is a v0.13 concern.
     process.stderr.write(JSON.stringify({
       ok: false,
       error: `report: format "${format}" not in accepted set ${JSON.stringify(VALID_REPORT_FORMATS)}.`,
       verb: 'report',
+      accepted_formats: VALID_REPORT_FORMATS,
     }) + '\n');
-    process.exit(2);
+    process.exitCode = 2;
+    return;
   }
 
   // v0.11.1 feature #55: `report csaf` emits a CSAF 2.0 envelope covering
@@ -1078,7 +1090,8 @@ function runWatchlist(rawArgs = []) {
     manifest = JSON.parse(fs.readFileSync(manifestPath, 'utf8'));
   } catch (err) {
     console.error(`[watchlist] cannot read ${manifestPath}: ${err.message}`);
-    process.exit(2);
+    process.exitCode = 2;
+    return;
   }
 
   // Exclude entries that are explicitly marked `status: "deprecated"` so
@@ -1378,11 +1391,11 @@ Environment variables:
   EXCEPTD_SCAN_TARGETS Directories to scan for MCP configs
 
 Examples:
-  node orchestrator/index.js scan
-  node orchestrator/index.js skill kernel-lpe-triage
-  node orchestrator/index.js currency
-  node orchestrator/index.js report executive
-  node orchestrator/index.js watch
+  exceptd scan
+  exceptd skill kernel-lpe-triage
+  exceptd currency
+  exceptd report executive
+  exceptd watch
 `);
 }
 
@@ -1394,7 +1407,7 @@ Examples:
 if (require.main === module) {
   main().catch(err => {
     console.error('[orchestrator] Fatal:', err.message);
-    process.exit(1);
+    process.exitCode = 1;
   });
 }
 

package/orchestrator/scheduler.js

@@ -277,12 +277,12 @@ function runMonthlyCveValidation() {
   console.log(`[scheduler] Monthly CVE validation reminder — ${timestamp}`);
   console.log('[scheduler] Action: Verify all data/cve-catalog.json entries against NVD and CISA KEV.');
   console.log('[scheduler] Action: Update last_verified dates in data/exploit-availability.json.');
-  console.log('[scheduler] Run: node orchestrator/index.js validate-cves');
+  console.log('[scheduler] Run: exceptd validate-cves');
 
   return {
     task: 'monthly_cve_validation',
     timestamp,
-    action: 'Run node orchestrator/index.js validate-cves to check all CVE entries'
+    action: 'Run `exceptd validate-cves` to check all CVE entries'
   };
 }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/exceptd-skills",
-  "version": "0.12.40",
+  "version": "0.12.41",
   "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 42 skills, 10 catalogs, 34 jurisdictions, pre-computed indexes, Ed25519-signed.",
   "keywords": [
     "ai-security",