@blamejs/exceptd-skills 0.12.7 → 0.12.9

package/scripts/predeploy.js

@@ -118,7 +118,7 @@ const GATES = [
   {
     name: "SBOM currency check (sbom.cdx.json vs. live surface)",
     command: process.execPath,
-    args: ["-e", sbomCurrencyChecker()],
+    args: [path.join(ROOT, "scripts", "check-sbom-currency.js")],
     ciJobName: "Data integrity (catalog + manifest snapshot)",
   },
   {
@@ -151,37 +151,21 @@ const GATES = [
     ciJobName: "Data integrity (catalog + manifest snapshot)",
     requiresKeys: true,
   },
+  {
+    // AGENTS.md hard rule #15 (e2e no-MVP). Every diff that touches a
+    // CLI verb, CLI flag, lib/orchestrator/scripts export, playbook
+    // indicator, or CVE iocs field must land with a covering test
+    // reference in the same PR. The analyzer parses git diff against
+    // origin/main, classifies each change shape, and fails if a covered
+    // surface lacks a test literal anywhere under tests/. Blocking — a
+    // covered surface change without a covering test fails the gate.
+    name: "Diff coverage (feature changes require test coverage)",
+    command: process.execPath,
+    args: [path.join(ROOT, "scripts", "check-test-coverage.js")],
+    ciJobName: "Diff coverage",
+  },
 ];
 
-/* Inline checker, run as `node -e`, so the predeploy gate stays one
- * file and the SBOM regen logic stays in scripts/refresh-sbom.js
- * (single source of truth). Compares the persisted sbom.cdx.json
- * against the live skill_count + catalog_count derived from
- * manifest.json + data/. Exits nonzero on drift, with a hint to run
- * `npm run refresh-sbom`. */
-function sbomCurrencyChecker() {
-  return [
-    "const fs=require('fs');const path=require('path');",
-    "const root=" + JSON.stringify(ROOT) + ";",
-    "const sbomPath=path.join(root,'sbom.cdx.json');",
-    "if(!fs.existsSync(sbomPath)){console.error('sbom.cdx.json not found — run `npm run refresh-sbom`.');process.exit(1);}",
-    "const sbom=JSON.parse(fs.readFileSync(sbomPath,'utf8'));",
-    "const manifest=JSON.parse(fs.readFileSync(path.join(root,'manifest.json'),'utf8'));",
-    "const dataDir=path.join(root,'data');",
-    "const liveCatalogs=fs.readdirSync(dataDir).filter(f=>f.endsWith('.json')).length;",
-    "const liveSkills=Array.isArray(manifest.skills)?manifest.skills.length:0;",
-    "const props=Object.fromEntries((sbom.metadata&&sbom.metadata.properties||[]).map(p=>[p.name,p.value]));",
-    "const sbomCatalogs=Number(props['exceptd:catalog:count']);",
-    "const sbomSkills=Number(props['exceptd:skill:count']);",
-    "let drift=false;",
-    "if(sbomCatalogs!==liveCatalogs){console.error(`SBOM catalog count ${sbomCatalogs} != live ${liveCatalogs}`);drift=true;}",
-    "if(sbomSkills!==liveSkills){console.error(`SBOM skill count ${sbomSkills} != live ${liveSkills}`);drift=true;}",
-    "if(sbom.bomFormat!=='CycloneDX'||sbom.specVersion!=='1.6'){console.error('SBOM is not CycloneDX 1.6');drift=true;}",
-    "if(drift){console.error('Run `npm run refresh-sbom` to regenerate sbom.cdx.json.');process.exit(1);}",
-    "console.log(`SBOM current — ${sbomSkills} skills, ${sbomCatalogs} catalogs.`);",
-  ].join("");
-}
-
 function runGate(gate) {
   if (gate.requiresKeys) {
     const pubKey = path.join(ROOT, "keys", "public.pem");

package/skills/age-gates-child-safety/skill.md

@@ -39,6 +39,9 @@ framework_gaps:
   - ISO-27001-2022-A.8.30
   - NIST-800-53-AC-2
   - SOC2-CC6-logical-access
+  - NIS2-Art21-incident-handling
+  - UK-CAF-B2
+  - AU-Essential-8-MFA
 rfc_refs: []
 cwe_refs:
   - CWE-200

package/skills/ai-attack-surface/skill.md

@@ -39,6 +39,9 @@ framework_gaps:
   - OWASP-LLM-Top-10-2025-LLM01
   - OWASP-LLM-Top-10-2025-LLM02
   - SOC2-CC6-logical-access
+  - EU-AI-Act-Art-15
+  - UK-CAF-A1
+  - AU-Essential-8-App-Hardening
 cwe_refs:
   - CWE-1039
   - CWE-1426
@@ -46,7 +49,10 @@ cwe_refs:
 d3fend_refs:
   - D3-IOPR
   - D3-NTA
-last_threat_review: "2026-05-01"
+  - D3-EAL
+  - D3-FAPA
+  - D3-CSPP
+last_threat_review: "2026-05-13"
 ---
 
 # AI Attack Surface Assessment
@@ -275,6 +281,28 @@ For each identified risk, declare the framework gap:
 
 ---
 
+## Defensive Countermeasure Mapping
+
+D3FEND v1.0+ references from `data/d3fend-catalog.json`. The AI attack surface enumerated above lands on five primary defensive techniques. Each entry below identifies which ATLAS TTP class the countermeasure addresses and the defense-in-depth layer it occupies.
+
+| D3FEND ID | Name | Layer | Rationale (what it counters here) |
+|---|---|---|---|
+| `D3-IOPR` | Input/Output Profiling | SDK / application | SDK-level prompt and completion inspection — the foundational control for AML.T0051 (prompt injection), AML.T0096 (LLM C2), AML.T0054 (extraction). Without per-call I/O profiling, every detection step below is degraded. |
+| `D3-CSPP` | Client-server Payload Profiling | LLM / MCP gateway | Gateway-layer inspection of tool-call args and prompt/completion bodies. Necessary when the AI client (mobile app, browser extension, IDE) cannot host `D3-IOPR` instrumentation in-process — the gateway becomes the only content-aware control. |
+| `D3-EAL` | Executable Allowlisting | Endpoint / managed host | Restricts which AI-tool binaries (IDE assistants, browser extensions, MCP servers) can execute on managed endpoints. Direct counter to AML.T0010 (ML supply-chain compromise) for tooling shipped as native binaries; precondition for managed-endpoint clipboard- and code-completion controls. |
+| `D3-FAPA` | File Access Pattern Analysis | Endpoint / data tier | Detects RAG-corpus and training-data abuse by pattern-matching the file-access shape of AML.T0018 (model poisoning at training time) and AML.T0020 (RAG retrieval abuse). Anchors the data-tier defence against poisoning that prompt-layer controls cannot see. |
+| `D3-NTA` | Network Traffic Analysis | Network egress | Per-identity baseline of model-API and MCP-server egress. Catches the AML.T0017 capability-development pattern (PROMPTFLUX-style rapid querying) and the AML.T0096 covert-C2 destination shape when SDK instrumentation is partial or missing. |
+
+**Defense-in-depth posture:** `D3-EAL` is the prerequisite endpoint layer (only sanctioned AI clients run); `D3-FAPA` is the data-tier layer (RAG and training corpora); `D3-IOPR` and `D3-CSPP` are the content-aware application and gateway layers; `D3-NTA` is the network-observability backstop. Skills that recommend a single layer alone are flagged as incomplete during Analysis Procedure Step 7.
+
+**Least-privilege scope:** every AI principal (human developer, agent identity, MCP server) has the minimum set of model-API, MCP-tool, and RAG-corpus authorisations required for its sanctioned use case. `D3-EAL` allowlists are per-host-class (developer ≠ production ≠ CI); `D3-FAPA` access-pattern baselines are per-corpus-per-principal; `D3-IOPR` logs include the principal identity on every prompt/completion pair.
+
+**Zero-trust posture:** every prompt is verified content-shape and origin-identity before downstream tool invocation; every RAG retrieval is clearance-checked at retrieval time (not just at index time); every MCP tool call has its args inspected at the gateway before reaching the tool. No "trusted prompt" exemption — AML.T0051 indirect prompt injection enters via documents and tool outputs, not just user prompts.
+
+**AI-pipeline applicability (per AGENTS.md Hard Rule #9):** `D3-EAL` is not applicable to serverless inference endpoints (no executable to allowlist on the consumer side). The scoped alternative is `D3-CSPP` at the gateway plus signed-image attestation at the provider — the model-serving container is the executable surface, and its provenance is the prerequisite. `D3-FAPA` on ephemeral RAG indices degrades to per-query retrieval logging (`D3-IOPR`) plus index-build provenance signed at construction.
+
+---
+
 ## Compliance Theater Check
 
 > "Your security awareness training includes phishing detection. 82.6% of phishing emails now contain AI-generated content indistinguishable by grammar or style checks. Open your most recent phishing simulation report: what percentage of simulated phishes used AI-generated content? If zero, the simulation is testing resistance to 2021 phishing, not 2026 phishing. If your detection rule set has not been updated to reflect AI-generated content as the baseline, the control is theater for the threat it claims to address."

package/skills/ai-c2-detection/skill.md

@@ -28,6 +28,11 @@ framework_gaps:
   - NIST-800-53-SC-7
   - ISO-27001-2022-A.8.16
   - SOC2-CC7-anomaly-detection
+  - NIS2-Art21-incident-handling
+  - UK-CAF-C1
+  - AU-Essential-8-App-Hardening
+cwe_refs:
+  - CWE-918
 rfc_refs:
   - RFC-8446
   - RFC-9180
@@ -43,7 +48,7 @@ d3fend_refs:
   - D3-NI
   - D3-NTA
   - D3-NTPM
-last_threat_review: "2026-05-01"
+last_threat_review: "2026-05-13"
 ---
 
 # AI C2 Detection
@@ -390,6 +395,30 @@ For every identity flagged in Step 2, every prompt flagged in Step 3, every Sesa
 
 ---
 
+## Defensive Countermeasure Mapping
+
+D3FEND v1.0+ references from `data/d3fend-catalog.json`. Maps the SesameOp / PROMPTFLUX / PROMPTSTEAL detection surfaces to the defense-in-depth layer they actually live on.
+
+| D3FEND ID | Name | Layer | Rationale (what it counters here) |
+|---|---|---|---|
+| `D3-NTA` | Network Traffic Analysis | Network egress | Establishes the AI-provider-egress baseline (per-identity volume, cadence, time-of-day) that SesameOp's persistent bursty-but-aperiodic shape violates. Primary detection control when SDK-level prompt logging is absent. |
+| `D3-NTPM` | Network Traffic Policy Mapping | Network egress | Per-identity sanctioned-business-reason allowlist for AI provider domains. Implements the SC-7 real_requirement; without it, blanket domain allowlisting is theater. |
+| `D3-CSPP` | Client-server Payload Profiling | Gateway / TLS-inspected proxy | The only layer that can observe prompt/completion content shape (entropy, base64 ratio, recognisable IOC tokens) without per-SDK instrumentation. Covers the QUIC / HTTP/3 case where boundary inspection sees only ciphertext. |
+| `D3-IOPR` | Input/Output Profiling | SDK / application | SDK-level prompt and completion logging with identity binding. The single most-load-bearing control for AI C2 — every Step in the Analysis Procedure degrades to "structurally zero coverage" without it. |
+| `D3-CA` | Connection Attempt Analysis | Network egress | Detects the AI-API connection from processes that have no business reason on this host type (e.g. a system service contacting `api.openai.com`). Cheap; deployable without TLS interception. |
+| `D3-DA` | Domain Analysis | Network egress | Catches Oblivious HTTP (RFC 9458) relays and atypical AI-provider edge endpoints whose direct upstream is a sanctioned LLM provider — the SesameOp evasion shape when ECH is in play. |
+| `D3-NI` | Network Isolation | Network segmentation | For non-developer host classes (databases, network gear, OT) where no AI API egress is ever sanctioned, hard-blocking the provider AS-paths removes the C2 channel entirely. |
+
+**Defense-in-depth posture:** `D3-NTA` + `D3-CA` + `D3-NI` are the network layer; `D3-CSPP` is the gateway layer; `D3-IOPR` is the SDK layer; `D3-NTPM` is the policy layer that binds the other four to identity. No single layer is sufficient — SesameOp is invisible to network-only deployments without `D3-CSPP` or `D3-IOPR`, and `D3-IOPR` is invisible without `D3-NTPM` to give it the per-identity baseline against which Step 3 anomaly detection fires.
+
+**Least-privilege scope:** `D3-NTPM` is implemented per-identity-per-business-reason — the developer using Cursor on a workstation is allowlisted for `api.anthropic.com`; the same developer's service account is not. `D3-IOPR` retention is scoped to the identities authorised to call AI APIs; prompts from unauthorised identities trigger Step 2 the moment they appear in the log, not after retention review.
+
+**Zero-trust posture:** every prompt is logged and identity-bound regardless of source host trust level; `D3-CSPP` and `D3-IOPR` verify content shape on every call rather than sampling. The verification primitive at the gateway is entropy + identity + business-reason; at the SDK layer it is full prompt + identity + retention. No "trusted developer" exemption — PROMPTFLUX is delivered to developer workstations as readily as to production hosts.
+
+**AI-pipeline applicability (per AGENTS.md Hard Rule #9):** `D3-IOPR` is the only control that survives serverless / ephemeral runtimes; per-host `D3-NTA` and `D3-CA` cannot baseline a host whose lifetime is shorter than the correlation window. The scoped alternative for ephemeral workloads is workload-identity-bound `D3-IOPR` correlated by IAM role / service-account identity rather than by host — preserving the PROMPTFLUX cadence shape and PROMPTSTEAL credential-access correlation across short-lived function invocations.
+
+---
+
 ## Compliance Theater Check
 
 > "Your SC-7 boundary-protection evidence shows AI provider domains — `api.openai.com`, `api.anthropic.com`, `generativelanguage.googleapis.com`, Azure OpenAI endpoints, Bedrock endpoints — on the egress allowlist, with NetFlow or Zeek records demonstrating that egress is monitored. Now answer two questions. First: for each AI provider domain on the allowlist, does the allowlist entry enumerate the specific sanctioned business reason and the identities or services entitled to use it, or is the entry a blanket allow for the domain? Second: do you have SDK-level prompt and completion logging, bound to identity, retained for at least 90 days, and forwarded to the SIEM, for every place AI APIs are called in production? If the allowlist is a blanket domain allow and SDK-level prompt logging is absent, the SC-7 control is theater for AI C2 — boundary inspection of an allowlisted domain cannot distinguish a developer prompt from a SesameOp-encoded C2 prompt, and you have no content-layer evidence to fall back on. SC-7 evidence is structurally incomplete for any org using AI APIs in production unless both an identity-bound business-reason allowlist and SDK-level prompt logging are in place. The control gap is recorded in `data/framework-control-gaps.json` under NIST-800-53-SC-7 — the real requirement names exactly these components."

package/skills/ai-risk-management/skill.md

@@ -33,6 +33,9 @@ framework_gaps:
   - ISO-IEC-23894-2023-clause-7
   - NIST-AI-RMF-MEASURE-2.5
   - OWASP-LLM-Top-10-2025-LLM01
+  - EU-AI-Act-Art-15
+  - UK-CAF-A1
+  - AU-Essential-8-App-Hardening
 rfc_refs: []
 cwe_refs:
   - CWE-1426

package/skills/api-security/skill.md

@@ -36,6 +36,9 @@ framework_gaps:
   - NIST-800-218-SSDF
   - ISO-27001-2022-A.8.28
   - NIST-800-53-AC-2
+  - NIS2-Art21-incident-handling
+  - UK-CAF-B2
+  - AU-Essential-8-App-Hardening
 rfc_refs:
   - RFC-8446
   - RFC-9114

package/skills/attack-surface-pentest/skill.md

@@ -34,6 +34,9 @@ framework_gaps:
   - OWASP-Pen-Testing-Guide-v5
   - PTES-Pre-engagement
   - NIS2-Art21-patch-management
+  - ISO-27001-2022-A.8.8
+  - UK-CAF-A1
+  - AU-Essential-8-App-Hardening
 rfc_refs: []
 cwe_refs:
   - CWE-1395

package/skills/cloud-security/skill.md

@@ -38,6 +38,9 @@ framework_gaps:
   - ISO-27001-2022-A.8.30
   - SOC2-CC9-vendor-management
   - FedRAMP-Rev5-Moderate
+  - NIS2-Art21-incident-handling
+  - UK-CAF-B2
+  - AU-Essential-8-MFA
 rfc_refs:
   - RFC-8446
   - RFC-9180

package/skills/compliance-theater/skill.md

@@ -32,6 +32,12 @@ This skill identifies the specific, testable conditions where audit-passing cont
 
 ---
 
+## Frontmatter Scope
+
+The `atlas_refs` and `attack_refs` arrays are intentionally empty. This skill is a meta-analysis that correlates findings *across* every other playbook and skill in the project — it has no native TTP attachment because its input is the existing TTP-to-control evidence base produced elsewhere. The `framework_gaps` array is populated because each theater pattern below points at specific named controls (FedRAMP-Rev5-Moderate, CMMC-2.0-Level-2, and the two ALL- gaps) whose mid-2026 inadequacy is the skill's primary subject. Defensive Countermeasure Mapping is not present as a body section because this skill produces a *coverage-gap* output, not a defensive-control prescription — the D3FEND mapping is the responsibility of the downstream skills the gap-findings route into.
+
+---
+
 ## Threat Context (mid-2026)
 
 The defining mid-2026 reality is that an organization can pass a clean ISO 27001:2022, SOC 2 Type II, or PCI DSS 4.0 audit while remaining exposed to KEV-listed deterministic LPEs and zero-interaction RCEs. The contrast cases drive every theater pattern below:

package/skills/container-runtime-security/skill.md

@@ -38,6 +38,9 @@ framework_gaps:
   - NIST-800-53-CM-7
   - ISO-27001-2022-A.8.28
   - SLSA-v1.0-Build-L3
+  - NIS2-Art21-incident-handling
+  - UK-CAF-B2
+  - AU-Essential-8-App-Hardening
 rfc_refs:
   - RFC-8446
   - RFC-8032

package/skills/coordinated-vuln-disclosure/skill.md

@@ -29,7 +29,14 @@ framework_gaps:
   - NIST-800-218-SSDF
   - ISO-27001-2022-A.8.8
   - SOC2-CC9-vendor-management
-rfc_refs: []
+  - NIS2-Art21-incident-handling
+  - UK-CAF-D1
+  - AU-Essential-8-Patch
+rfc_refs:
+  - ISO-29147
+  - ISO-30111
+  - RFC-9116
+  - CSAF-2.0
 cwe_refs:
   - CWE-1357
 d3fend_refs: []

package/skills/defensive-countermeasure-mapping/skill.md

@@ -208,7 +208,7 @@ Zero-trust-compliant defense maps to controls that verify per request. Implicit-
 Example: "CVE — Linux kernel LPE. Canonical: CVE-2026-31431 (Copy Fail)."
 
 ## Offensive technique set (input to D3FEND query)
-- <AML.Txxxx / Txxxx / CWE-xxx list, with one-line descriptions>
+- <AML.T0001-or-similar / T0001-or-similar / CWE-<id> list, with one-line descriptions>
 
 ## Defensive-coverage map
 | D3FEND ID | Name | Tactic (DiD layer) | Privilege scope | ZT posture | Deployed? | AI-pipeline applicable? | Framework controls partially mapped | Live-tunable? |

package/skills/dlp-gap-analysis/skill.md

@@ -41,6 +41,9 @@ framework_gaps:
   - HIPAA-Security-Rule-164.312(a)(1)
   - SOC2-CC7-anomaly-detection
   - NIST-800-53-SC-28
+  - NIS2-Art21-incident-handling
+  - UK-CAF-C1
+  - AU-Essential-8-App-Hardening
 rfc_refs:
   - RFC-8446
   - RFC-9458

package/skills/email-security-anti-phishing/skill.md

@@ -39,7 +39,15 @@ framework_gaps:
   - NIST-800-53-SI-3
   - ISO-27001-2022-A.8.16
   - SOC2-CC7-anomaly-detection
-rfc_refs: []
+  - NIS2-Art21-incident-handling
+  - UK-CAF-C1
+  - AU-Essential-8-App-Hardening
+rfc_refs:
+  - RFC-7489
+  - RFC-6376
+  - RFC-7208
+  - RFC-8616
+  - RFC-8461
 cwe_refs: []
 d3fend_refs:
   - D3-NTA

package/skills/exploit-scoring/skill.md

@@ -30,6 +30,12 @@ A CVSS 9.8 vulnerability with no public exploit, no active exploitation, and a s
 
 ---
 
+## Frontmatter Scope
+
+The `atlas_refs` and `attack_refs` arrays are intentionally empty. This skill is a scoring methodology — its input is whatever CVE the operator hands it, with whatever TTPs that CVE already carries in `data/cve-catalog.json`. Pinning a fixed TTP subset would mis-frame the score's coverage; RWEP applies to every CVE in the catalog regardless of which ATLAS or ATT&CK technique it maps to. `framework_gaps` is populated because the scoring outcome explicitly references control families (CWE-Top-25-2024-meta, CIS-Controls-v8-Control7) that the RWEP rationale ties remediation timing to.
+
+---
+
 ## Threat Context (mid-2026)
 
 RWEP exists because the exploit development cycle has compressed. The factors that CVSS does not model are now the dominant signal in real-world prioritization.

package/skills/identity-assurance/skill.md

@@ -38,6 +38,9 @@ framework_gaps:
   - ISO-27001-2022-A.8.30
   - SOC2-CC6-logical-access
   - PSD2-RTS-SCA
+  - NIS2-Art21-incident-handling
+  - UK-CAF-B2
+  - AU-Essential-8-MFA
 rfc_refs:
   - RFC-7519
   - RFC-8725
@@ -52,7 +55,9 @@ cwe_refs:
   - CWE-798
   - CWE-862
   - CWE-863
-d3fend_refs: []
+d3fend_refs:
+  - D3-MFA
+  - D3-CSPP
 last_threat_review: "2026-05-11"
 ---
 

package/skills/incident-response-playbook/skill.md

@@ -37,7 +37,13 @@ framework_gaps:
   - NIST-800-53-AC-2
   - ISO-27001-2022-A.8.16
   - SOC2-CC7-anomaly-detection
-rfc_refs: []
+  - NIS2-Art21-incident-handling
+  - UK-CAF-D1
+  - AU-Essential-8-Backup
+rfc_refs:
+  - RFC-6545
+  - RFC-6546
+  - RFC-7970
 cwe_refs: []
 d3fend_refs:
   - D3-RPA
@@ -120,7 +126,7 @@ This skill is response-shaped — the TTPs below name the incident classes the p
 |---|---|---|---|---|
 | **T1486** | Data Encrypted for Impact | Ransomware | Identification: EDR file-encryption telemetry, share-mass-write pattern. Containment: network-segment isolation, identity revocation. Eradication: backup-validation-before-restore. Recovery: validated-restore + service-level verification. Lessons: feed to `zeroday-gap-learn` if initial access was a known CVE. | Detection coverage strong; identity-rotation maturity weak. NYDFS 24h ransom-payment clock and OFAC sanctions screening intersect at decision-to-pay. |
 | **T1041** | Exfiltration Over C2 Channel | Data exfiltration via established C2 | Identification: DLP egress, anomalous outbound bandwidth, beaconing patterns. Containment: egress filtering, certificate-pinned proxy. Eradication: C2 artifact removal. Recovery: identity + secrets rotation. Lessons: detection-engineering gap analysis. | EDR coverage variable; encrypted exfiltration to legitimate services (Box, OneDrive, S3) often missed by signature-based DLP. |
-| **T1567** | Exfiltration Over Web Service | Exfiltration via legitimate web/SaaS services including AI-API | Identification: web-egress to anomalous services or anomalous-volume to legitimate services; for AI-API channel pair with `ai-c2-detection`. Containment: egress block of identified channel, AI-API key revocation, MCP-server scope reduction. Eradication: identify exfiltrated dataset, follow data-incident sub-playbook. Recovery: re-key + re-issue access. | AI-API exfiltration (sub-technique T1567.xxx pattern; ATLAS overlap with AML.T0017) typically blends with legitimate traffic — see `ai-c2-detection` for content-layer detection. |
+| **T1567** | Exfiltration Over Web Service | Exfiltration via legitimate web/SaaS services including AI-API | Identification: web-egress to anomalous services or anomalous-volume to legitimate services; for AI-API channel pair with `ai-c2-detection`. Containment: egress block of identified channel, AI-API key revocation, MCP-server scope reduction. Eradication: identify exfiltrated dataset, follow data-incident sub-playbook. Recovery: re-key + re-issue access. | AI-API exfiltration (sub-technique T1567.<sub-technique-id> pattern; ATLAS overlap with AML.T0017) typically blends with legitimate traffic — see `ai-c2-detection` for content-layer detection. |
 | **T1078** | Valid Accounts | Identity compromise as initial access | Identification: anomalous-sign-in UEBA, impossible-travel, MFA-fatigue patterns. Containment: account disable + session revocation + re-authentication for affected blast radius. Eradication: credential rotation, token revocation, OAuth-grant audit, AI-agent service-account rotation. Recovery: re-issue under zero-trust posture. Lessons: identity-control gap analysis. | Dominant initial-access vector mid-2026; coverage strong for human accounts, weak for AI-agent / service-account / OAuth-app identities. |
 | **AML.T0096** | LLM API as C2 | AI-API as command-and-control channel (SesameOp pattern) | Identification: see `ai-c2-detection` skill — content-layer detection at the AI API egress boundary, prompt-and-response correlation, anomalous AI-API usage shape. Containment: AI-API egress block or proxy-mediated allowlist. Eradication: identify the agent or workload abusing the channel. Recovery: re-issue AI-API keys under scoped least-privilege. | Detection coverage near-absent in legacy SOC stacks; the AI traffic shape is novel and signatures do not exist for most enterprise SIEMs. |
 | **AML.T0017** | ML Model Exfiltration | Model weights, training data, or system-prompt extraction | Identification: anomalous inference-API usage patterns (high-volume queries, structured probing, membership-inference signatures, repeated training-data extraction prompts). Containment: rate-limit + API-key revocation + IP block. Eradication: identify attacker access surface; assess data sensitivity. Recovery: re-key, consider model-rotation if proprietary weights are at risk; for training-data exfiltration consider differential-privacy retraining. | No standardized detection signatures; org must build custom telemetry over AI inference APIs. |

package/skills/kernel-lpe-triage/skill.md

@@ -26,6 +26,8 @@ framework_gaps:
   - NIS2-Art21-patch-management
   - NIST-800-53-SC-8
   - CIS-Controls-v8-Control7
+  - UK-CAF-D1
+  - AU-Essential-8-Patch
 rfc_refs:
   - RFC-4301
   - RFC-4303
@@ -41,7 +43,7 @@ d3fend_refs:
   - D3-EAL
   - D3-PHRA
   - D3-PSEP
-last_threat_review: "2026-05-01"
+last_threat_review: "2026-05-13"
 ---
 
 # Kernel LPE Triage
@@ -134,6 +136,24 @@ Note: ATLAS refs are intentionally empty in frontmatter — these are Linux kern
 
 ---
 
+## Compliance Theater Check
+
+Run this check for any org claiming patch-management compliance for kernel LPE class CVEs:
+
+> "Your patch-management control (NIST SI-2 / ISO 27001:2022 A.8.8 / PCI-DSS v4 6.3.3 / NIS2 Art. 21(2)(g) / UK-CAF B4 / AU-ISM-1493) documents a 30-day remediation window for Critical/High CVEs. CVE-2026-31431 (Copy Fail) is CISA KEV listed with a public deterministic exploit requiring no privileges and KEV listing dated 2026-03-15. What is the actual time, on this fleet, between KEV listing and confirmed patch-or-mitigate for the affected kernel versions? If that interval exceeds 72 hours without live-patching as a deployed capability for the affected hosts, the patch-management control is theater for the KEV-class kernel-LPE threat surface."
+
+**Theater fingerprints (any of these reduces the control to paper compliance):**
+
+- Patch SLA is measured against advisory-publication date, not KEV-listing date — KEV listings are the operational signal that exploitation is happening now, and the SLA must trigger from there.
+- The fleet inventory cannot answer "which hosts run the affected kernel version" within minutes — without live inventory, the SLA cannot be measured.
+- Live-patching is described as "available" but no kernel was live-patched in the last 30 days — capability without operation is theater.
+- The compensating-controls plan for hosts that cannot be rebooted within SLA is undocumented or relies on controls the CVE PoC bypasses (e.g. AppArmor profiles where the exploit runs as the legitimate user).
+- "Patch management" includes only OS vendor patches, not third-party kernel modules or out-of-tree drivers — Dirty Frag RxRPC class lives in the network subsystem and is often patched on an asymmetric cadence.
+
+**Real requirement:** patch SLA anchored to KEV listing date, fleet inventory live enough to answer "affected hosts" in under 5 minutes, live-patching deployed and exercised in the prior 30 days, written compensating-controls plan that survives the PoC test, third-party kernel modules in scope.
+
+---
+
 ## Analysis Procedure
 
 When a user invokes this skill, perform this assessment in order:
@@ -156,10 +176,10 @@ Ask for or assess:
 Exposed if: kernel >= 4.14 AND kernel < [patched version for distribution]
 Patched versions:
   RHEL 8/9:        kernel-4.18.0-553.xx.el8 / kernel-5.14.0-427.xx.el9
-  Ubuntu 22.04:    linux-image-5.15.0-xxx (check USN-7xxx)
-  Ubuntu 24.04:    linux-image-6.8.0-xxx (check USN-7xxx)
+  Ubuntu 22.04:    linux-image-5.15.0-<patch-revision> (check USN-7<advisory-number>)
+  Ubuntu 24.04:    linux-image-6.8.0-xxx (check USN-7<advisory-number>)
   Debian 12:       6.1.xxx (check DSA-5xxx)
-  Amazon Linux 2:  kernel 5.10.xxx (check ALAS-2026-xxx)
+  Amazon Linux 2:  kernel 5.10.xxx (check ALAS-2026-<advisory-number>)
   SUSE 15:         kernel 5.14.xxx (check SUSE-SU-2026:xxx)
 ```
 

package/skills/mcp-agent-trust/skill.md

@@ -33,6 +33,9 @@ framework_gaps:
   - OWASP-LLM-Top-10-2025-LLM06
   - SOC2-CC9-vendor-management
   - SWIFT-CSCF-v2026-1.1
+  - EU-AI-Act-Art-15
+  - UK-CAF-A1
+  - AU-Essential-8-App-Hardening
 rfc_refs:
   - RFC-6749
   - RFC-7519
@@ -51,12 +54,13 @@ cwe_refs:
   - CWE-918
   - CWE-94
 d3fend_refs:
+  - D3-CAA
   - D3-CBAN
   - D3-CSPP
   - D3-EAL
   - D3-EHB
   - D3-MFA
-last_threat_review: "2026-05-01"
+last_threat_review: "2026-05-13"
 ---
 
 # MCP Agent Trust Assessment
@@ -321,6 +325,29 @@ For ephemeral / serverless AI-pipeline contexts (per AGENTS.md rule #9): live SL
 
 ---
 
+## Defensive Countermeasure Mapping
+
+D3FEND v1.0+ references from `data/d3fend-catalog.json`. MCP trust failures land on a tightly bounded set of defensive techniques because the attack surface is structural: a tool registered in `mcp.json` runs with the AI assistant's authority unless the listed controls intervene.
+
+| D3FEND ID | Name | Layer | Rationale (what it counters here) |
+|---|---|---|---|
+| `D3-EHB` | Executable Hash-based Allowlist | Host / MCP server registration | Pins each MCP server binary by hash so CVE-2026-30615-class supply-chain swaps (compromised `npx` package replaces the server with an exploit variant) cannot replace the trusted binary silently. Direct counter to AML.T0010 + T1195.001. |
+| `D3-EAL` | Executable Allowlisting | Host / shell-capable tool | Restricts which executables an MCP shell-tool or process-exec-capable server can spawn. Without this, a server with `bash`/`pwsh` tools is a shell on the developer workstation with the developer's authority. |
+| `D3-CAA` | Credential Access Auditing | Identity / MCP bearer-auth | Logs every MCP server's use of the bearer token / OAuth credential and the resources it touched. The audit anchor for AML.T0016 (model and credential exfiltration via tool calls); the only post-hoc evidence stream when an MCP server is trusted but malicious. |
+| `D3-CSPP` | Client-server Payload Profiling | MCP gateway | Gateway-layer inspection of MCP tool-call args and tool-result bodies. The single control that can detect indirect prompt-injection payloads landing in `tools/call` results, AML.T0051 patterns reaching the assistant through document fetches, and AML.T0096 covert C2 over MCP transport. |
+| `D3-CBAN` | Certificate Analysis | Transport / MCP server-side | Validates the MCP server's TLS certificate chain and binds it to a pinned identity registered in the host's MCP catalog. Counters the "stand-up a malicious MCP server with a Let's Encrypt cert pretending to be a sanctioned vendor" pattern. |
+| `D3-MFA` | Multi-factor Authentication | Identity / OAuth client registration | Required for MCP servers registered as OAuth clients against enterprise IdPs. Without phishing-resistant MFA on the registration flow, a compromised developer credential can register an attacker-controlled MCP server inside the org's trust boundary. |
+
+**Defense-in-depth posture:** `D3-EHB` is the registration layer (only signed/hashed binaries register); `D3-EAL` is the runtime layer (only allowlisted child processes spawn); `D3-CSPP` is the in-flight content layer; `D3-CAA` is the post-hoc audit layer; `D3-CBAN` is the transport-identity layer; `D3-MFA` is the registration-identity layer. CVE-2026-30615 demonstrated that any single-layer defence fails — a signed manifest alone (`D3-EHB`) does not prevent an in-band path-traversal RCE that lands once the manifest is honoured.
+
+**Least-privilege scope:** every MCP server's tool allowlist is the minimum set required for its sanctioned use case — a documentation-search server does not get a `bash` tool, an issue-tracker server does not get a `read_file` tool with `/etc/**` glob authority. `D3-EAL` enforces this at the spawn boundary; `D3-CAA` audits every authorisation use against the documented scope.
+
+**Zero-trust posture:** every MCP server is treated as an untrusted third party regardless of vendor reputation — `D3-EHB` pin on registration, `D3-CBAN` cert verification on every connection, `D3-CSPP` payload inspection on every tool call. No "first-party vendor" exemption; the Cursor / Windsurf / VS Code first-party plugins ship through the same supply-chain (`npm` / `pip` / VS Code marketplace) that AML.T0010 targets.
+
+**AI-pipeline applicability (per AGENTS.md Hard Rule #9):** `D3-EAL` and `D3-EHB` apply only when the MCP server runs as a local executable. For hosted / remote MCP servers (the Claude Code, Cursor, and Windsurf hosted-tool pattern), the scoped alternative is `D3-CBAN` (pinned server identity) + `D3-CSPP` at the egress gateway + `D3-CAA` against the hosted-server provider's audit log feed. The endpoint controls (`D3-EAL`/`D3-EHB`) move from "verify locally before run" to "verify provider attestation before connect."
+
+---
+
 ## Compliance Theater Check
 
 > "Your vendor management control (CC9 / SA-12 / A.5.19) documents a review process for third-party software with access to sensitive systems. Enumerate the MCP servers installed on developer workstations that have access to production codebases or credentials. How many of those MCP servers went through your vendor review process? If the answer is zero, the vendor management control is theater for the attack surface where AI-assisted supply chain attacks are actually occurring."

package/skills/mlops-security/skill.md

@@ -41,6 +41,9 @@ framework_gaps:
   - ISO-IEC-42001-2023-clause-6.1.2
   - NIST-AI-RMF-MEASURE-2.5
   - OWASP-LLM-Top-10-2025-LLM08
+  - EU-AI-Act-Art-15
+  - UK-CAF-A1
+  - AU-Essential-8-App-Hardening
 rfc_refs:
   - RFC-8032
 cwe_refs:

package/skills/ot-ics-security/skill.md

@@ -36,6 +36,9 @@ framework_gaps:
   - IEC-62443-3-3
   - NERC-CIP-007-6-R4
   - NIS2-Art21-patch-management
+  - ISO-27001-2022-A.8.8
+  - UK-CAF-B2
+  - AU-Essential-8-App-Hardening
 rfc_refs: []
 cwe_refs:
   - CWE-287

package/skills/policy-exception-gen/skill.md

@@ -38,6 +38,12 @@ This skill generates exception templates for architectural realities that curren
 
 ---
 
+## Frontmatter Scope
+
+The `atlas_refs`, `attack_refs`, and `framework_gaps` arrays are intentionally empty. Exceptions are generated *against* whatever control the operator names at invocation time — the input is the framework-control ID, and the output is a templated exception keyed to that ID. Pinning a fixed subset here would constrain the skill's input domain to the wrong dimension; any framework gap any other skill produces is a legitimate exception-template input.
+
+---
+
 ## Threat Context (mid-2026)
 
 Most non-trivial mid-2026 production architectures break the literal reading of at least one major framework control. Serverless functions break asset-inventory language; immutable container images break in-place patch-window language; LLM API dependencies break change-management language; Zero Trust environments break network-segmentation language. Where the organization has no defensible exception process, only two outcomes remain: (1) the organization claims compliance falsely (theater) or (2) the audit blocks the architecture entirely.

package/skills/rag-pipeline-security/skill.md

@@ -25,14 +25,19 @@ framework_gaps:
   - NIST-800-53-SI-12
   - NIST-AI-RMF-MEASURE-2.5
   - OWASP-LLM-Top-10-2025-LLM08
+  - EU-AI-Act-Art-15
+  - UK-CAF-B2
+  - AU-Essential-8-App-Hardening
 cwe_refs:
   - CWE-1395
   - CWE-1426
 d3fend_refs:
   - D3-CSPP
+  - D3-FCR
+  - D3-FAPA
   - D3-IOPR
   - D3-NTA
-last_threat_review: "2026-05-01"
+last_threat_review: "2026-05-13"
 ---
 
 # RAG Pipeline Security Assessment
@@ -168,6 +173,8 @@ This attack requires:
 | NIST AI RMF MEASURE 2.5 | Evaluate AI risk during operation | Identifies operational monitoring as important. No specific controls for retrieval security, vector store integrity, or indirect prompt injection via retrieved content. |
 | SOC 2 CC6 | Logical and Physical Access | IAM for identified systems. Vector stores as inference surfaces don't map to traditional access control models. |
 | All frameworks | (none) | No framework has controls for: vector store poisoning, embedding manipulation for exfiltration, chunking exploitation, retrieval filter bypass, or indirect prompt injection via retrieved content. |
+| UK CAF | B2 (Identity and access control) | Selected over CAF-A1 because every RAG attack class above resolves to an access-control failure at retrieval time — clearance-aware namespace partitioning, per-query authorisation, and embedding-space ACLs are the missing controls. CAF-A1 (governance) is the parent concern but does not name the retrieval-access-control surface that is the actual mid-2026 gap. |
+| AU Essential Eight | User application hardening | The RAG pipeline is the application surface that hosts the retrieval engine, embedding model, and vector store. App-hardening as written covers browser/Office hardening; the AU mapping is partial because Essential Eight does not contemplate AI pipelines as a user-application class. |
 
 ---
 
@@ -289,6 +296,28 @@ For ephemeral / serverless RAG pipelines (per AGENTS.md rule #9): embedding-dist
 
 ---
 
+## Defensive Countermeasure Mapping
+
+D3FEND v1.0+ references from `data/d3fend-catalog.json`. The five RAG attack classes above map to the following defensive techniques. Coverage for RAG pipelines is uneven across enterprises in mid-2026 — most have `D3-NTA` on the network layer and nothing else.
+
+| D3FEND ID | Name | Layer | Rationale (what it counters here) |
+|---|---|---|---|
+| `D3-FCR` | File Content Rules | Data tier / corpus ingestion | Content classification at ingestion. Direct counter to Attack Class 2 (vector store poisoning) — corpus documents are content-filtered before they reach the embedding model. Also catches Attack Class 5 (indirect prompt injection) when payload patterns are recognisable in the source document. |
+| `D3-FAPA` | File Access Pattern Analysis | Data tier / corpus access | Detects retrieval-time anomalies — a query topology that systematically targets sensitive-document embeddings (Attack Class 1) shows up as an unusual file-access pattern against the corpus index, even when no individual retrieval is suspicious in isolation. |
+| `D3-IOPR` | Input/Output Profiling | RAG pipeline / SDK | Inspects retrieval queries and their resulting context bundles before they reach the LLM prompt. Required for Attack Class 3 (chunking exploitation) and Attack Class 4 (retrieval filter bypass) detection — the offending content shape is only visible at the pipeline boundary between retrieval and generation. |
+| `D3-CSPP` | Client-server Payload Profiling | LLM gateway | Gateway-layer inspection of the final composed prompt (query + retrieved context + instructions). Catches Attack Class 5 patterns that survived `D3-FCR` at ingestion — indirect prompt injection in retrieved context is visible as a structural anomaly in the assembled prompt. |
+| `D3-NTA` | Network Traffic Analysis | Network egress / RAG outputs | Per-identity baseline of RAG-result egress volume and destinations. Catches Attack Class 1's terminal phase — the exfiltrated content has to leave the boundary to reach the attacker. Last-resort detection when content controls fail. |
+
+**Defense-in-depth posture:** `D3-FCR` is the corpus-ingestion layer; `D3-FAPA` is the retrieval-access layer; `D3-IOPR` is the pipeline-internal layer; `D3-CSPP` is the gateway layer; `D3-NTA` is the egress layer. The Attack Class table maps each class to at least two of these — Class 5 (indirect prompt injection) is the canonical example: `D3-FCR` at ingestion + `D3-CSPP` at the gateway, because neither alone catches payloads that pass content rules at ingest but compose into a prompt-injection structure post-retrieval.
+
+**Least-privilege scope:** every query identity has a clearance label; retrieval results are filtered against that label at retrieval time (`D3-FAPA` enforces the filter and audits the pattern). RAG corpora are partitioned per-clearance — a Restricted-clearance corpus is not accessible to a Public-clearance principal even when query similarity would otherwise surface the document.
+
+**Zero-trust posture:** every retrieved chunk is treated as untrusted content. `D3-CSPP` inspects the composed prompt as if the retrieved context came from a hostile source — because under Attack Class 5, it did. No "internal document is trusted" exemption — internal documents are the documented vector for indirect prompt injection that survives external-content filters.
+
+**AI-pipeline applicability (per AGENTS.md Hard Rule #9):** `D3-FAPA` on ephemeral, per-query rebuilt indices degrades to per-query retrieval logging (`D3-IOPR` captures the query + result set) because there is no persistent corpus to baseline against. The scoped alternative is build-time provenance (signed index manifest at construction) combined with query-time `D3-IOPR` capture of the query+result-set tuple — equivalent observation surface, different anchoring.
+
+---
+
 ## Compliance Theater Check
 
 > "Your data classification policy defines sensitivity levels for documents in your knowledge base. Now trace a specific high-sensitivity document through your RAG pipeline: at what point is its classification applied as a retrieval constraint? If the answer is 'it's in a separate namespace' — verify that namespace boundaries are enforced before similarity scoring, not after. If the answer is 'it's not in the RAG system' — verify that the ingestion pipeline cannot be used to introduce it. If neither answer can be verified: the data classification control has no enforcement mechanism in the RAG context."

package/skills/researcher/skill.md

@@ -32,6 +32,12 @@ This skill is the front door to the exceptd library. Operators do not always arr
 
 ---
 
+## Frontmatter Scope
+
+The `atlas_refs`, `attack_refs`, and `framework_gaps` arrays are intentionally empty. This skill is a dispatch layer — it routes the operator to whichever specialised skill owns the relevant TTPs and framework gaps. The routed-to skill carries the authoritative reference set; duplicating those IDs here would create a divergence surface the next time a downstream skill's mappings change. The `data_deps` list is the complete dependency declaration: every catalog the researcher reads is enumerated there.
+
+---
+
 ## Threat Context (mid-2026)
 
 Most security teams in mid-2026 sit on a torrent of raw threat input: CISA KEV additions, vendor advisories, ATLAS updates, red-team reports, internal SIEM alerts, framework amendment bulletins, supply-chain notices. The two failure modes are symmetric and equally damaging.

package/skills/sector-energy/skill.md

@@ -36,6 +36,9 @@ framework_gaps:
   - NIST-800-82r3
   - IEC-62443-3-3
   - NIS2-Art21-patch-management
+  - ISO-27001-2022-A.8.8
+  - UK-CAF-D1
+  - AU-Essential-8-Backup
 rfc_refs: []
 cwe_refs:
   - CWE-287

package/skills/sector-federal-government/skill.md

@@ -36,6 +36,9 @@ framework_gaps:
   - CMMC-2.0-Level-2
   - NIST-800-218-SSDF
   - SLSA-v1.0-Build-L3
+  - NIS2-Art21-incident-handling
+  - UK-CAF-A1
+  - AU-Essential-8-App-Hardening
 rfc_refs:
   - RFC-8032
   - RFC-8446

package/skills/sector-financial/skill.md

@@ -41,6 +41,9 @@ framework_gaps:
   - SWIFT-CSCF-v2026-1.1
   - NIST-800-53-AC-2
   - SOC2-CC6-logical-access
+  - NIS2-Art21-incident-handling
+  - UK-CAF-A1
+  - AU-Essential-8-MFA
 rfc_refs:
   - RFC-8446
   - RFC-7519