@blamejs/exceptd-skills 0.13.0 → 0.13.1

package/lib/source-advisories.js

@@ -0,0 +1,281 @@
+'use strict';
+
+/**
+ * lib/source-advisories.js — primary-source advisory-feed polling.
+ *
+ * Why this exists. The post-mortem on CVE-2026-46333 (ssh-keysign-pwn,
+ * disclosed 2026-05-14, missed by the toolkit at T+0 through T+3) found
+ * that the existing source set (kev, epss, nvd, rfc, pins, ghsa, osv)
+ * sits at the END of the disclosure pipeline. Qualys → kernel.org commit
+ * → distro advisory → NVD enrichment is sequential; the existing pollers
+ * only see the last step, which lags by 3-14 days.
+ *
+ * The 4 feeds below sit much earlier in the pipeline:
+ *
+ *   Qualys TRU RSS    — Qualys-disclosed CVEs at T+0 (the originator of
+ *                       the ssh-keysign-pwn class of disclosure)
+ *   Red Hat RHSA RSS  — RHEL security advisories at T+1, often before NVD
+ *   Ubuntu USN RSS    — Ubuntu security notices at T+1, often before NVD
+ *   ZDI advisories    — Zero Day Initiative + Pwn2Own disclosures at T+0
+ *
+ * Behaviour. Each call returns a structured REPORT — not a catalog mutation.
+ * Operators consume the report via `exceptd refresh --check-advisories` and
+ * decide which advisories warrant a `refresh --advisory <CVE-ID>` auto-import
+ * to seed a draft entry. The report is informational; nothing is auto-written
+ * to the catalog. This is the conservative-by-default contract: primary-source
+ * surfacing must not silently mutate the catalog without operator triage.
+ *
+ * Output shape:
+ *   {
+ *     status: 'ok' | 'partial' | 'unreachable',
+ *     diffs: [
+ *       { id: 'CVE-2026-46333', source: 'qualys', advisory_url: '...',
+ *         disclosed_at: '2026-05-14', title: '...', in_catalog: false }
+ *     ],
+ *     summary: '4/4 feeds reachable; 3 new CVE references found'
+ *   }
+ *
+ * Each diff is read-only — there is no `applyDiff` that writes the catalog.
+ * That's by design: a fresh advisory from a primary source has insufficient
+ * fields to satisfy Hard Rule #1 (CVSS / KEV / PoC / AI-discovery /
+ * active-exploitation / patch-availability). The operator routes the
+ * promising ones through `refresh --advisory <CVE-ID>` which goes through
+ * the existing GHSA / OSV / NVD enrichment path (those pollers are mature).
+ *
+ * Cache mode (--from-cache <dir>): expected cache layout is
+ *   <dir>/advisories/<feed>.xml — caller passes `ctx.cacheDir`.
+ * Fixture mode: `ctx.fixtures.advisories = { qualys: '<xml>', ... }`.
+ */
+
+const path = require('path');
+const fs = require('fs');
+
+const TODAY = new Date().toISOString().slice(0, 10);
+
+// Feed registry. Each entry has a kind (rss | json), a URL, and a parser.
+// Parsers return [{ cve_ids: [...], title, link, published }, ...].
+const FEEDS = [
+  {
+    name: 'qualys',
+    url: 'https://blog.qualys.com/category/vulnerability-research/feed',
+    kind: 'rss',
+    description: 'Qualys Threat Research Unit blog — originator of high-impact disclosures (ssh-keysign-pwn class)',
+  },
+  {
+    name: 'rhsa',
+    url: 'https://access.redhat.com/security/data/csaf/v2/advisories/2026/index.txt',
+    kind: 'csaf-index',
+    description: 'Red Hat CSAF v2 advisory index — RHEL security advisories with NVD-class enrichment at T+1',
+  },
+  {
+    name: 'usn',
+    url: 'https://ubuntu.com/security/notices/rss.xml',
+    kind: 'rss',
+    description: 'Ubuntu USN RSS — Ubuntu security notices, typically published 1-2 days post-disclosure',
+  },
+  {
+    name: 'zdi',
+    url: 'https://www.zerodayinitiative.com/rss/published/',
+    kind: 'rss',
+    description: 'Zero Day Initiative — vendor-acknowledged advisories from ZDI + Pwn2Own pipeline',
+  },
+];
+
+// Permissive CVE-ID matcher. The official format is CVE-YYYY-NNNN+ but
+// some feeds embed CVEs in arbitrary surrounding markup AND occasionally
+// emit lowercase "cve-yyyy-nnnn" in URLs or filenames. Case-insensitive
+// match, then uppercase + dedupe in extractCveIds().
+const CVE_RE = /CVE-(?:19|20)\d{2}-\d{4,7}/gi;
+
+/**
+ * Extract CVE IDs from a string blob. De-duplicates within the blob.
+ */
+function extractCveIds(text) {
+  if (typeof text !== 'string' || text.length === 0) return [];
+  const matches = text.match(CVE_RE);
+  if (!matches) return [];
+  return [...new Set(matches.map((s) => s.toUpperCase()))];
+}
+
+/**
+ * Lightweight RSS / Atom parser. Avoids pulling in a dependency for what
+ * is effectively `<item>` / `<entry>` extraction + `<title>` / `<link>` /
+ * `<pubDate>` / `<published>` / `<description>` / `<content>` text grabs.
+ *
+ * Returns [{ title, link, published, body }, ...].
+ */
+function parseRssAtom(xml) {
+  if (typeof xml !== 'string') return [];
+  const items = [];
+  // Try Atom <entry>...</entry> first.
+  const atomEntryRe = /<entry\b[\s\S]*?<\/entry>/g;
+  const rssItemRe = /<item\b[\s\S]*?<\/item>/g;
+  const blocks = (xml.match(atomEntryRe) || xml.match(rssItemRe) || []);
+  for (const block of blocks) {
+    const title = matchInner(block, 'title') || '';
+    const link = matchInner(block, 'link') || matchAttr(block, 'link', 'href') || '';
+    const published = matchInner(block, 'pubDate') || matchInner(block, 'published') || matchInner(block, 'updated') || '';
+    const description = matchInner(block, 'description') || matchInner(block, 'content') || matchInner(block, 'summary') || '';
+    items.push({ title: stripCdata(title), link: stripCdata(link), published: stripCdata(published), body: stripCdata(description) });
+  }
+  return items;
+}
+
+function matchInner(block, tag) {
+  const re = new RegExp(`<${tag}[^>]*>([\\s\\S]*?)<\\/${tag}>`, 'i');
+  const m = block.match(re);
+  return m ? m[1].trim() : null;
+}
+
+function matchAttr(block, tag, attr) {
+  const re = new RegExp(`<${tag}[^>]*\\b${attr}=["']([^"']+)["']`, 'i');
+  const m = block.match(re);
+  return m ? m[1] : null;
+}
+
+function stripCdata(s) {
+  if (typeof s !== 'string') return '';
+  return s.replace(/<!\[CDATA\[([\s\S]*?)\]\]>/g, '$1').replace(/<[^>]+>/g, ' ').replace(/\s+/g, ' ').trim();
+}
+
+/**
+ * CSAF index parser — Red Hat ships a plain-text index of advisory JSON
+ * files under data/csaf/v2/advisories/YYYY/index.txt. Each line is a
+ * relative filename. We don't fetch the per-advisory JSON in v0.13.1
+ * (would blow the polling budget); we surface the advisory IDs that
+ * mention CVE-YYYY-NNNN inline.
+ */
+function parseCsafIndex(text) {
+  if (typeof text !== 'string') return [];
+  const lines = text.split(/\r?\n/).filter((l) => l.trim().length > 0);
+  return lines.map((line) => {
+    const cves = extractCveIds(line);
+    return { title: line.trim(), link: '', published: '', body: '', cves_from_filename: cves };
+  });
+}
+
+/**
+ * Fetch a feed body. In fixture / cache modes, read from disk.
+ */
+async function fetchFeed(feed, ctx) {
+  if (ctx.fixtures && ctx.fixtures.advisories && ctx.fixtures.advisories[feed.name]) {
+    return { ok: true, body: ctx.fixtures.advisories[feed.name] };
+  }
+  if (ctx.cacheDir) {
+    const ext = feed.kind === 'csaf-index' ? '.txt' : '.xml';
+    const p = path.join(ctx.cacheDir, 'advisories', `${feed.name}${ext}`);
+    if (!fs.existsSync(p)) return { ok: false, error: `cache miss: ${p}` };
+    return { ok: true, body: fs.readFileSync(p, 'utf8') };
+  }
+  if (typeof fetch !== 'function') return { ok: false, error: 'fetch() not available — Node 18+ required' };
+  try {
+    const ac = new AbortController();
+    const timer = setTimeout(() => ac.abort(), 8000);
+    const r = await fetch(feed.url, { signal: ac.signal, headers: { 'User-Agent': 'exceptd-advisories-poller/0.13.1 (+https://exceptd.com)' } });
+    clearTimeout(timer);
+    if (!r.ok) return { ok: false, error: `HTTP ${r.status}` };
+    return { ok: true, body: await r.text() };
+  } catch (e) {
+    return { ok: false, error: e.message || String(e) };
+  }
+}
+
+/**
+ * Walk one feed: fetch, parse, extract CVE IDs, compare to local catalog.
+ * Returns { diffs, errors, status }.
+ */
+async function checkFeed(feed, ctx) {
+  const res = await fetchFeed(feed, ctx);
+  if (!res.ok) return { diffs: [], errors: 1, status: 'unreachable', _why: res.error };
+  let items;
+  if (feed.kind === 'csaf-index') {
+    items = parseCsafIndex(res.body);
+    // Flatten cves_from_filename onto cve_ids field uniformly.
+    items = items.map((it) => ({ ...it, cve_ids: it.cves_from_filename || [] }));
+  } else {
+    items = parseRssAtom(res.body);
+    items = items.map((it) => ({ ...it, cve_ids: extractCveIds(`${it.title} ${it.body} ${it.link}`) }));
+  }
+  const diffs = [];
+  for (const it of items) {
+    for (const cveId of it.cve_ids) {
+      const inCatalog = !!ctx.cveCatalog[cveId];
+      if (!inCatalog) {
+        diffs.push({
+          id: cveId,
+          source: feed.name,
+          advisory_url: it.link || feed.url,
+          disclosed_at: it.published || null,
+          title: it.title.slice(0, 200),
+          in_catalog: false,
+        });
+      }
+    }
+  }
+  return { diffs, errors: 0, status: 'ok' };
+}
+
+/**
+ * The exported SOURCE definition, matching the shape ALL_SOURCES expects.
+ */
+const ADVISORIES_SOURCE = {
+  name: 'advisories',
+  description: 'Primary-source advisory feeds (Qualys TRU, Red Hat RHSA, Ubuntu USN, Zero Day Initiative / ZDI) — surfaces CVE IDs disclosed at T+0 to T+1 that lag NVD enrichment. Report-only — does not auto-write the catalog.',
+  applies_to: 'data/cve-catalog.json',
+  async fetchDiff(ctx) {
+    const results = await Promise.all(FEEDS.map((feed) => checkFeed(feed, ctx)));
+    const allDiffs = [];
+    let unreachable = 0;
+    for (const r of results) {
+      allDiffs.push(...r.diffs);
+      if (r.status === 'unreachable') unreachable++;
+    }
+    // Deduplicate by CVE-ID across feeds — multiple advisories for the
+    // same CVE collapse to one entry with sources[] array of contributing
+    // feed names.
+    const byCve = new Map();
+    for (const d of allDiffs) {
+      if (!byCve.has(d.id)) {
+        byCve.set(d.id, { ...d, sources: [d.source], advisory_urls: [d.advisory_url] });
+      } else {
+        const existing = byCve.get(d.id);
+        if (!existing.sources.includes(d.source)) existing.sources.push(d.source);
+        if (!existing.advisory_urls.includes(d.advisory_url)) existing.advisory_urls.push(d.advisory_url);
+      }
+    }
+    const diffs = Array.from(byCve.values()).map((d) => {
+      delete d.source;
+      delete d.advisory_url;
+      return d;
+    });
+    const status =
+      unreachable === 0 ? 'ok' :
+      unreachable === FEEDS.length ? 'unreachable' : 'partial';
+    return {
+      status,
+      diffs,
+      errors: unreachable,
+      summary: `${FEEDS.length - unreachable}/${FEEDS.length} feeds reachable; ${diffs.length} new CVE references found across primary advisory sources`,
+    };
+  },
+  // Report-only: no applyDiff. Operators route promising CVE IDs through
+  // `exceptd refresh --advisory <CVE-ID>` (GHSA / OSV / NVD enrichment).
+  applyDiff(_ctx, _diffs) {
+    return {
+      updated: 0,
+      added: 0,
+      drift_updated: 0,
+      errors: [],
+      note: 'ADVISORIES_SOURCE is report-only. Route promising IDs through `exceptd refresh --advisory <CVE-ID>` to auto-import a draft via the GHSA / OSV / NVD enrichment pipeline.',
+    };
+  },
+};
+
+module.exports = {
+  ADVISORIES_SOURCE,
+  // Exposed for tests + future schedule-agent reuse:
+  FEEDS,
+  extractCveIds,
+  parseRssAtom,
+  parseCsafIndex,
+};

package/manifest.json

@@ -1,6 +1,6 @@
 {
   "name": "exceptd-security",
-  "version": "0.13.0",
+  "version": "0.13.1",
   "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation",
   "homepage": "https://exceptd.com",
   "license": "Apache-2.0",
@@ -53,7 +53,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "ZS8UdA+c6vWovG2EsBP2X2xd43uSC33/LPq6SZtYEEQto4zuzLNH+pcL74oE2V5mie03r+5YdisQYtV5g+ANCQ==",
-      "signed_at": "2026-05-17T23:40:16.683Z",
+      "signed_at": "2026-05-18T01:03:36.899Z",
       "cwe_refs": [
         "CWE-125",
         "CWE-362",
@@ -117,7 +117,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "l5PS3EMYS5+e4EBeYOaWTeKLcmeWDuqxRjDQFD4m7n1uRdCPziTEkHkEAVxSuBp1aKhbOvShTFpXXtTgZ0nhBg==",
-      "signed_at": "2026-05-17T23:40:16.687Z",
+      "signed_at": "2026-05-18T01:03:36.901Z",
       "cwe_refs": [
         "CWE-1039",
         "CWE-1426",
@@ -180,7 +180,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "KXUDBx+nPn+85iFh7+zMIllAdkjUWbhgXpaot5/yliZwKzVmFFPjQF/xZm8gdZLFkskyO5M0MS/MqjowPvAHBw==",
-      "signed_at": "2026-05-17T23:40:16.688Z",
+      "signed_at": "2026-05-18T01:03:36.901Z",
       "cwe_refs": [
         "CWE-22",
         "CWE-345",
@@ -226,7 +226,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "Jn4HdauaKGzLGB4lmqgS7ntrrkKykfHrths/mlJegHgjoRsauVK/+S3VN82YxRcnTa1gOYd08hMUV7FnKRs6Cg==",
-      "signed_at": "2026-05-17T23:40:16.689Z"
+      "signed_at": "2026-05-18T01:03:36.902Z"
     },
     {
       "name": "compliance-theater",
@@ -257,7 +257,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "byFyQfZFeQ9mhH4+DxNWyM2lBVDcZiEx+vDPSJpjmblb61T3KIK70PWb9KhUKO//9RBwnb7Bz9KbltruhaB3DA==",
-      "signed_at": "2026-05-17T23:40:16.690Z"
+      "signed_at": "2026-05-18T01:03:36.902Z"
     },
     {
       "name": "exploit-scoring",
@@ -286,7 +286,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "6nar8a3phaFK55Xpgw0XEBz3k4WrtRfW79JfKjgeKRc1FqljMaqmNxb3ftOCFy0CgMEu/lULuubGXFqp0DpcDA==",
-      "signed_at": "2026-05-17T23:40:16.690Z"
+      "signed_at": "2026-05-18T01:03:36.903Z"
     },
     {
       "name": "rag-pipeline-security",
@@ -323,7 +323,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "8BOfZgS2fm9KeEYZwwUc4JUSVxnLAgQ3UrViUcGlrA1NMcJz92mw7QGGhTx+PUn4yoPTGelxGz6MF5mEqpfDAQ==",
-      "signed_at": "2026-05-17T23:40:16.691Z",
+      "signed_at": "2026-05-18T01:03:36.903Z",
       "cwe_refs": [
         "CWE-1395",
         "CWE-1426"
@@ -380,7 +380,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "o5CamxRHrwbM+R7lQzEoKxHBTFbo76C3Uf8/Qx3cbLlrXczvI6K9a1KfWIoOq/8UoTuQy7dB6lZge0H+94gbBw==",
-      "signed_at": "2026-05-17T23:40:16.693Z",
+      "signed_at": "2026-05-18T01:03:36.904Z",
       "d3fend_refs": [
         "D3-CA",
         "D3-CSPP",
@@ -415,7 +415,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "02UBMUa3Wox2vXhKVr+2m0Lq5+sY3azliVeAyNSM2p8tw7Fj/HzKQwsgBVAfTM+5yqDzaIMCmup9UAgn4FYbAw==",
-      "signed_at": "2026-05-17T23:40:16.693Z",
+      "signed_at": "2026-05-18T01:03:36.904Z",
       "cwe_refs": [
         "CWE-1188"
       ]
@@ -443,7 +443,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "3CYvOmOyXGspSkyorxV22yH+LFn0WikZrHggdqB+ZxObq27MA0meOxUFkUKOu47z1tEF99BrmOBKOmE+qXGkCA==",
-      "signed_at": "2026-05-17T23:40:16.694Z"
+      "signed_at": "2026-05-18T01:03:36.905Z"
     },
     {
       "name": "global-grc",
@@ -475,7 +475,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "VcWZd1hN1fxw3BmLqcNP1giz9yiAQEDI928Y9ECOV1bPQvt/zZpONoLg4K7f13HyfoO192mssEcAOTQgnGxQDA==",
-      "signed_at": "2026-05-17T23:40:16.695Z"
+      "signed_at": "2026-05-18T01:03:36.905Z"
     },
     {
       "name": "zeroday-gap-learn",
@@ -502,7 +502,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "iwosQ4gcFZc+6QSmxUOhHB3jse8tHxd3XsXl155mU4K5UgbctHNhOUKMmF7WnUVfOUQ7PafHiMzZIbevvenNBA==",
-      "signed_at": "2026-05-17T23:40:16.695Z"
+      "signed_at": "2026-05-18T01:03:36.905Z"
     },
     {
       "name": "pqc-first",
@@ -554,7 +554,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "BoFVxwiopgnmDY8AJ0j5KzRkwQQOzdizisTsZOLHBE2BUixr/B6FV8S3AIN3rvS9YixL48rbt8rdAz0j0HDCAw==",
-      "signed_at": "2026-05-17T23:40:16.696Z",
+      "signed_at": "2026-05-18T01:03:36.906Z",
       "cwe_refs": [
         "CWE-327"
       ],
@@ -601,7 +601,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "jPMVYXqS0oy6Ay+mp4FBcc+njppBgO8xZcGrpUBAUOnZikaAkUfG5E4xXYulNIZG2CVPOdTOGhh3/gwUH/s0Ag==",
-      "signed_at": "2026-05-17T23:40:16.696Z"
+      "signed_at": "2026-05-18T01:03:36.906Z"
     },
     {
       "name": "security-maturity-tiers",
@@ -638,7 +638,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "nZNIznYPxcs2mAjruwejfH2HrlW0SVDQ2Q2Ethh35uJBZkK7twgCDSJKVPbvR5ftaVdslDrq5o6Xhcwf7rWJDw==",
-      "signed_at": "2026-05-17T23:40:16.697Z",
+      "signed_at": "2026-05-18T01:03:36.906Z",
       "cwe_refs": [
         "CWE-1188"
       ]
@@ -673,7 +673,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-11",
       "signature": "ZDo/m8ddmu5J8+uA7sHM85KUyxdSwzZu+BNNAOoOLijjWIaxoGWZ62Tw7ahyyg3pEFcZteDWY53HlSxNysGkBQ==",
-      "signed_at": "2026-05-17T23:40:16.697Z"
+      "signed_at": "2026-05-18T01:03:36.906Z"
     },
     {
       "name": "attack-surface-pentest",
@@ -744,7 +744,7 @@
         "PTES revision incorporating AI-surface enumeration"
       ],
       "signature": "/p8RImZYTSneXWjgwqMbuJN4XKROGWxzVzz3fwldev/qEhUZi3ptW/nZ/OZF0hgrO/04Xbm9p5fHzOshNYCODQ==",
-      "signed_at": "2026-05-17T23:40:16.698Z"
+      "signed_at": "2026-05-18T01:03:36.907Z"
     },
     {
       "name": "fuzz-testing-strategy",
@@ -804,7 +804,7 @@
         "OSS-Fuzz-Gen / AI-assisted harness generation becoming the default expectation for OSS maintainers"
       ],
       "signature": "Kd0vMiFxg48sN0kkmiNzlJe1fFN5chp5KW2rzy534wW4VKdQrXbgoJlb0G5UoDtuABOTP5bXtJpFu3CKvMvRCg==",
-      "signed_at": "2026-05-17T23:40:16.698Z"
+      "signed_at": "2026-05-18T01:03:36.907Z"
     },
     {
       "name": "dlp-gap-analysis",
@@ -879,7 +879,7 @@
         "Quebec Law 25, India DPDPA, KSA PDPL enforcement actions naming AI-tool prompt data as in-scope personal information"
       ],
       "signature": "lXBKwsA1ouEI8CLFW9AQMwTaR2HTtz/tZC3qEs13XL8IOBpl6OwZj6GkDCWuT1SK4enOgpmKHypaNGJ/vtGQBg==",
-      "signed_at": "2026-05-17T23:40:16.699Z"
+      "signed_at": "2026-05-18T01:03:36.907Z"
     },
     {
       "name": "supply-chain-integrity",
@@ -956,7 +956,7 @@
         "OpenSSF model-signing — emerging Sigstore-based signing standard for ML model weights; track for production adoption"
       ],
       "signature": "6r0zv9/tNfZd/NKSc8z1+4p/6R80EwbelY+mr5zLrwEc/ViD0E8G9SbE2dLuWg4V0EoIMLrWJ/b9RQGSaOYvBQ==",
-      "signed_at": "2026-05-17T23:40:16.700Z"
+      "signed_at": "2026-05-18T01:03:36.908Z"
     },
     {
       "name": "defensive-countermeasure-mapping",
@@ -1013,7 +1013,7 @@
       ],
       "last_threat_review": "2026-05-11",
       "signature": "XZigwq8X/csfrdG10O6Q1V5q0zUqSQGd3QrjRKkZ4fkaodG4mZahYuIQqxc8rU9jjtGAm9LtBXYB+I5csqj9Bw==",
-      "signed_at": "2026-05-17T23:40:16.700Z"
+      "signed_at": "2026-05-18T01:03:36.908Z"
     },
     {
       "name": "identity-assurance",
@@ -1080,7 +1080,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "zx3uucOcICwlEUJytEMnHsfqTpOSK+Zsv4/Z3hX6AUtUvh5Bi6pgAQYkX45Y6fk5K+QEGR5Vkiecv/9R+UakCw==",
-      "signed_at": "2026-05-17T23:40:16.701Z"
+      "signed_at": "2026-05-18T01:03:36.908Z"
     },
     {
       "name": "ot-ics-security",
@@ -1136,7 +1136,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "jReqaDZGyzeCmKqO79yMvHszOFjAuKa1iqPBMW4/TD8KGkh0Wd7r6gjQMdk050e/+03K0h/kga4n3QPqdQwbBA==",
-      "signed_at": "2026-05-17T23:40:16.701Z"
+      "signed_at": "2026-05-18T01:03:36.908Z"
     },
     {
       "name": "coordinated-vuln-disclosure",
@@ -1188,7 +1188,7 @@
         "NYDFS 23 NYCRR 500 amendments potentially adding explicit CVD program requirements"
       ],
       "signature": "f1w8AOT3bw+IeaAkg+vubUf7+Gx+/zTuQyIKOxQTbF9m1HGIE/SJQlWZST9ALtlH1BN4gJK5WPRmloX6LzQYBw==",
-      "signed_at": "2026-05-17T23:40:16.702Z"
+      "signed_at": "2026-05-18T01:03:36.909Z"
     },
     {
       "name": "threat-modeling-methodology",
@@ -1238,7 +1238,7 @@
         "PASTA v2 updates incorporating AI/ML application threats"
       ],
       "signature": "sjSMkSm8L5AuXTmG7SWcnEVsyWo7iEncR3eAXpPU9GIu29AZGnfwmsTBAimbafFT3V4jMix4QHcnZ/HNwwWYCw==",
-      "signed_at": "2026-05-17T23:40:16.702Z"
+      "signed_at": "2026-05-18T01:03:36.909Z"
     },
     {
       "name": "webapp-security",
@@ -1312,7 +1312,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "5zF3M+0ic8dj2bgl25q5XK4Ha4Mf1Xeu+MJN0zyOmTSZf2iG7tMgqtEfXfiES+N9qiL392eN1c0fzScqc94ZAw==",
-      "signed_at": "2026-05-17T23:40:16.703Z"
+      "signed_at": "2026-05-18T01:03:36.909Z"
     },
     {
       "name": "ai-risk-management",
@@ -1362,7 +1362,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "n/S2woidz4PVZ11V8gWhCiwp1H9n+8Pwm3aXGarXd71Hp15MHPY9sTMxJIcVWT6qnTBhPdSf+uPcV2nxadi2AQ==",
-      "signed_at": "2026-05-17T23:40:16.703Z"
+      "signed_at": "2026-05-18T01:03:36.910Z"
     },
     {
       "name": "sector-healthcare",
@@ -1422,7 +1422,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "53kKCGnBk6b88Q0Mf34CkowBH1osOYTpUf0wkMK70CAOCna2qYaBTTnYVHamV2+DsE6IC9W+JIzmPWcl3jC5BA==",
-      "signed_at": "2026-05-17T23:40:16.704Z"
+      "signed_at": "2026-05-18T01:03:36.910Z"
     },
     {
       "name": "sector-financial",
@@ -1503,7 +1503,7 @@
         "TIBER-EU framework v2.0 alignment with DORA TLPT RTS (JC 2024/40); cross-recognition with CBEST and iCAST"
       ],
       "signature": "64PrvGD26sxvxzfmMBsCGpocascDDurGSNMJrdJJ5IS4rj5aXS6oQCBw0pDDasJvwaQdkrOiQ/RoEQoEQnRkDg==",
-      "signed_at": "2026-05-17T23:40:16.705Z"
+      "signed_at": "2026-05-18T01:03:36.910Z"
     },
     {
       "name": "sector-federal-government",
@@ -1572,7 +1572,7 @@
         "Australia PSPF 2024 revision and ISM quarterly updates — track for Essential Eight Maturity Level requirements for federal entities"
       ],
       "signature": "qbX+JHQDR5Q6VJ09F9kABSVw5P+mTRcp93+lGfHJmYM9l6MFoYRUJ0E7y5QFXRjNFGk/ybb1Q3vTsiALamcAAA==",
-      "signed_at": "2026-05-17T23:40:16.706Z"
+      "signed_at": "2026-05-18T01:03:36.911Z"
     },
     {
       "name": "sector-energy",
@@ -1637,7 +1637,7 @@
         "ICS-CERT advisory feed (https://www.cisa.gov/news-events/cybersecurity-advisories/ics-advisories) for vendor CVEs in Siemens, Rockwell, Schneider Electric, ABB, GE Vernova, Hitachi Energy, AVEVA / OSIsoft PI"
       ],
       "signature": "bpJCQ55+HLSgiJPoyvDBEr7mPhDQoLdn2dkDW0mNhU+lfXuQ6WDiNGdhUEFu8J8FF4sg2imn5vlZ2xgLJKGxBA==",
-      "signed_at": "2026-05-17T23:40:16.707Z"
+      "signed_at": "2026-05-18T01:03:36.911Z"
     },
     {
       "name": "sector-telecom",
@@ -1723,7 +1723,7 @@
         "O-RAN SFG / WG11 security specifications"
       ],
       "signature": "Xk9QmR+9N9JtEHE/+jXl0glgzszOfHq+SwfmIMiHYH7/pVmbSlxwBBejrV4sg6Y4zarq4ry9Sgcv8hybE8vyAQ==",
-      "signed_at": "2026-05-17T23:40:16.707Z"
+      "signed_at": "2026-05-18T01:03:36.912Z"
     },
     {
       "name": "api-security",
@@ -1792,7 +1792,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "ACPV5cQskL0TR4SK9eKev6jCNEWj+d6zE+BOB7QHXAcungz3K5qugDTkz3NjEHefebiFi8GW8VPuchA8vRYODg==",
-      "signed_at": "2026-05-17T23:40:16.708Z"
+      "signed_at": "2026-05-18T01:03:36.912Z"
     },
     {
       "name": "cloud-security",
@@ -1873,7 +1873,7 @@
         "CISA KEV additions for cloud-control-plane CVEs (IMDSv1 abuses, federation token mishandling, cross-tenant boundary failures); CISA Cybersecurity Advisories for cross-cloud advisories"
       ],
       "signature": "9eHXut2agJm6+Z7r6zRD8Rbokj1yTeSeFh9BIoZCE9KrntlnAVU0Y0jl+JRBHOptWh4z04bOW1eAhy0vjl+lAQ==",
-      "signed_at": "2026-05-17T23:40:16.708Z"
+      "signed_at": "2026-05-18T01:03:36.912Z"
     },
     {
       "name": "container-runtime-security",
@@ -1935,7 +1935,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "gTi2joMM9bqqXQ+R7oqL0MUtz1sOettl0mOXrQS5jTnZ9TDwrg3E/PbuanQjPDC8aLRFRgPdi/EN2Rtp5Zj+Dg==",
-      "signed_at": "2026-05-17T23:40:16.709Z"
+      "signed_at": "2026-05-18T01:03:36.913Z"
     },
     {
       "name": "mlops-security",
@@ -2006,7 +2006,7 @@
         "MITRE ATLAS v5.4.0 (released February 2026) shipped the AML.T0010 sub-technique expansion this forecast tracked plus new techniques (\"Publish Poisoned AI Agent Tool\", \"Escape to Host\"); inventory now 16 tactics, 84 techniques, 56 sub-techniques. Forward watch: ATLAS v5.5 / v6.0 — track next-cadence updates to agentic-AI TTPs and MLOps-pipeline-specific techniques"
       ],
       "signature": "Rj1G9RKTQ6cROzmoOBM0e3hOe6HFeof8fm5V2w4nTnd6pjG6c0fiaUpXRCgYiT/m4UVtbuMGAPOehATLZgIBDA==",
-      "signed_at": "2026-05-17T23:40:16.709Z"
+      "signed_at": "2026-05-18T01:03:36.913Z"
     },
     {
       "name": "incident-response-playbook",
@@ -2068,7 +2068,7 @@
         "NYDFS 23 NYCRR 500.17 amendments tightening ransom-payment 24h disclosure operationalization"
       ],
       "signature": "6/9Ehyx49Rr/o5Tp9oQ3cfHa2WhKYtLXJp0akoDbRC1RSCxZVbkKaW7/5/IkdgCQMiJivI/Q0g0Bq/5q/UUZAA==",
-      "signed_at": "2026-05-17T23:40:16.710Z"
+      "signed_at": "2026-05-18T01:03:36.913Z"
     },
     {
       "name": "ransomware-response",
@@ -2148,7 +2148,7 @@
       ],
       "last_threat_review": "2026-05-15",
       "signature": "+5FiwJFRq08x2oXejTO1Nw6Cd+EzOcrwAG2xNrngJ8vHPDXqFgGAjTAJuXrNl7QblTfSLQ+xvoAziBly56/eDg==",
-      "signed_at": "2026-05-17T23:40:16.711Z"
+      "signed_at": "2026-05-18T01:03:36.914Z"
     },
     {
       "name": "email-security-anti-phishing",
@@ -2201,7 +2201,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "T2epR7LKAKPl5iJuQ5fm5/bfVqA6E0JXbcLSUe+GC3/BLtTVjCCCBAQzhIaC5/L5QM9VF0tZ7mM9Z5RjKPFHDg==",
-      "signed_at": "2026-05-17T23:40:16.711Z"
+      "signed_at": "2026-05-18T01:03:36.914Z"
     },
     {
       "name": "age-gates-child-safety",
@@ -2269,7 +2269,7 @@
         "US state adult-site age-verification laws — 19+ states by mid-2026 (TX HB 18 upheld by SCOTUS June 2025 in Free Speech Coalition v. Paxton); track ongoing challenges in remaining states"
       ],
       "signature": "L/igYQahvedjP6oxty1GDxBETVoGDo11hFTrri/5M+xr2V0KnUqFYZOOe1ALcy/mfO8B6wPmD3WIOin9C2PKCw==",
-      "signed_at": "2026-05-17T23:40:16.712Z"
+      "signed_at": "2026-05-18T01:03:36.914Z"
     },
     {
       "name": "cloud-iam-incident",
@@ -2349,7 +2349,7 @@
       ],
       "last_threat_review": "2026-05-15",
       "signature": "6O5peFBKz4XFasajnzMIF8Zjdb84bd361WHRGx6WiddKNfu687Q9qAanvzujxPmzYA1qiGGJJkujT+6y8T/WCQ==",
-      "signed_at": "2026-05-17T23:40:16.712Z"
+      "signed_at": "2026-05-18T01:03:36.914Z"
     },
     {
       "name": "idp-incident-response",
@@ -2430,11 +2430,11 @@
       ],
       "last_threat_review": "2026-05-15",
       "signature": "ew9Kglc9fAZzbn0ZIfGP7WSK/j4eV2VhSvpy+s5bEfNEVYIMa2kZjnGBapgUsyGDLes9H9K2ovjQyX17+GKiBw==",
-      "signed_at": "2026-05-17T23:40:16.713Z"
+      "signed_at": "2026-05-18T01:03:36.915Z"
     }
   ],
   "manifest_signature": {
     "algorithm": "Ed25519",
-    "signature_base64": "YdKTQhYMh+JHg6ahJdIRDmUJjJ7PtUHXyWzBorFdcXTWLbUFaRQRwCzgOp0xSUC9zrk42J0ltb39/UZul0C2AA=="
+    "signature_base64": "UAFB9lil5aa5kZFebqJ9w3CUp7xla6nh8ngD8qXQsxTgC3D5CpG3xUbtJOvQDxbBsGAZUm0HqwHvz2waW3ntDw=="
   }
 }