@blamejs/exceptd-skills 0.13.1 → 0.13.3

package/scripts/predeploy.js

@@ -177,6 +177,22 @@ const GATES = [
     args: [path.join(ROOT, "lib", "validate-playbooks.js")],
     ciJobName: "Validate playbooks",
   },
+  {
+    // v0.13.2: refuse silent test-set shrinkage. Static-counts `test(`
+    // declarations across tests/*.test.js and compares to the pinned
+    // baseline in tests/.test-count-baseline.json. Catches the class
+    // of regression where a test file gets accidentally deleted, a
+    // skip-all lands without review, or a misnamed file slips through
+    // the glob. The baseline is operator-refreshed on releases that
+    // intentionally add many new tests; --update-baseline rewrites it.
+    name: "Test-count baseline (no silent shrinkage)",
+    command: process.execPath,
+    args: [path.join(ROOT, "scripts", "check-test-count.js")],
+    // Folds under the existing Data integrity CI job rather than a
+    // dedicated job — the check is fast (~70ms) static analysis and
+    // shares the integrity-tier framing with manifest-snapshot etc.
+    ciJobName: "Data integrity (catalog + manifest snapshot)",
+  },
 ];
 
 function runGate(gate) {

package/skills/age-gates-child-safety/skill.md

@@ -59,6 +59,7 @@ forward_watch:
   - France SREN (Securing and Regulating the Digital Space) Act 2024 — ARCOM age-verification referential for adult content services; double-anonymity model under deployment
   - US state adult-site age-verification laws — 19+ states by mid-2026 (TX HB 18 upheld by SCOTUS June 2025 in Free Speech Coalition v. Paxton); track ongoing challenges in remaining states
 last_threat_review: "2026-05-11"
+discovery_mode: "standalone"  # v0.13.2: operator-reached via `exceptd brief age-gates-child-safety` or `exceptd ask`; not chained into any playbook's direct.skill_chain by design
 ---
 
 # Age Gates and Child Online Safety (mid-2026)

package/skills/ai-risk-management/skill.md

@@ -45,6 +45,7 @@ cwe_refs:
 d3fend_refs:
   - D3-IOPR
 last_threat_review: "2026-05-15"
+discovery_mode: "standalone"  # v0.13.2: operator-reached via `exceptd brief ai-risk-management` or `exceptd ask`; not chained into any playbook's direct.skill_chain by design
 ---
 
 # AI Risk Management (Governance Layer)

package/skills/api-security/skill.md

@@ -17,7 +17,13 @@ triggers:
   - ai api security
   - mcp transport
   - openapi security
-data_deps: []
+data_deps:
+  - atlas-ttps.json
+  - attack-techniques.json
+  - cwe-catalog.json
+  - d3fend-catalog.json
+  - framework-control-gaps.json
+  - rfc-references.json
 atlas_refs:
   - AML.T0096
   - AML.T0017
@@ -61,7 +67,7 @@ forward_watch:
   - NGINX Rift CVE-2026-42945 (disclosed 2026-05-13, source depthfirst) — KEV-watch predicted CISA KEV listing by 2026-05-29; track for active-exploitation confirmation and patch advisory affecting API gateway / reverse-proxy deployments
   - Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — LiteLLM 3-bug SSRF + Code Injection chain by k3vg3n; LLM-proxy API surface; track upstream patch and CVE assignments
   - Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — LiteLLM full SSRF + Code Injection by Out Of Bounds (Byung Young Yi); duplicate-class with the k3vg3n entry; track unified patch advisory
-last_threat_review: "2026-05-17"
+last_threat_review: "2026-05-18"
 ---
 
 # API Security Assessment
@@ -130,7 +136,7 @@ APIs are now the integration substrate of every non-trivial system. The mid-2026
 | AML.T0096 | AI Service Exploitation (AI-API as covert C2) | LLM API used as a covert command-and-control / exfil channel — prompt content carries instructions; response carries staged data | CWE-77, CWE-200 | Missing in NIST/ISO; hand-off to `ai-c2-detection` |
 | AML.T0017 | Discover ML Model Ontology (inference-API probing for system-prompt, guardrail, model-family signal) | High-volume queries against a hosted model used to reconstruct behaviour, guardrail surface, or training-data signal | CWE-200 | Missing — detected only by per-identity rate-and-shape monitoring at egress |
 
-CWE root-causes referenced as a set (per `cwe_refs` in frontmatter): CWE-287 (Improper Authentication), CWE-862 (Missing Authorization — BFLA root cause), CWE-863 (Incorrect Authorization — BOLA root cause), CWE-918 (SSRF — API7), CWE-200 (Information Exposure — BOPLA contributor), CWE-352 (CSRF — cookie-auth APIs + WebSocket CSWSH), CWE-22 (Path Traversal — API parameter sinks), CWE-77 (Command Injection — API parameter to shell), CWE-1188 (Insecure Default Initialization — default-open API state).
+CWE root-causes referenced as a set (per `cwe_refs` in frontmatter, all resolved against `data/cwe-catalog.json`): CWE-287 (Improper Authentication), CWE-862 (Missing Authorization — BFLA root cause), CWE-863 (Incorrect Authorization — BOLA root cause), CWE-918 (SSRF — API7), CWE-200 (Information Exposure — BOPLA contributor), CWE-352 (CSRF — cookie-auth APIs + WebSocket CSWSH), CWE-22 (Path Traversal — API parameter sinks), CWE-77 (Command Injection — API parameter to shell), CWE-1188 (Insecure Default Initialization — default-open API state). ATT&CK Enterprise techniques (T1190, T1078, T1567) resolve against `data/attack-techniques.json`; the AML.T0096 (AI service exploitation) and AML.T0017 (model-ontology discovery) entries resolve against `data/atlas-ttps.json`. Cross-reference every BOLA / BFLA finding against the `CWE-863` / `CWE-862` entries in `data/cwe-catalog.json` for the canonical weakness description used in operator briefings.
 
 ---
 
@@ -158,6 +164,8 @@ CWE root-causes referenced as a set (per `cwe_refs` in frontmatter): CWE-287 (Im
 
 The procedure threads three foundational design principles. They are not optional.
 
+Wire-level RFC mappings cited below resolve against `data/rfc-references.json` (RFC-7519 JWT, RFC-8725 JWT BCP, RFC-6749 OAuth 2.0, RFC-9700 OAuth Security BCP, RFC-9421 HTTP Message Signatures, RFC-8446 TLS 1.3, RFC-9114 HTTP/3); framework-gap IDs cited throughout (OWASP-ASVS-v5.0-V14, NIST-800-53-AC-2, NIST-800-218-SSDF, ISO-27001-2022-A.8.28, NIS2-Art21-incident-handling, UK-CAF-B2, AU-Essential-8-App-Hardening) resolve against `data/framework-control-gaps.json`.
+
 **Defense in depth** — the API request lifecycle is layered. No single control is trusted to fail closed.
 
 1. **API gateway (perimeter)** — terminates TLS (RFC 8446 baseline; HTTP/3 over QUIC per RFC 9114 for public global APIs), enforces auth, enforces rate limits per route + per identity + per cost-unit, applies threat-detection rules, captures the canonical log record. Gateways with bypass paths (a "direct backend" route that skips the gateway) are gateway-in-name-only.
@@ -198,7 +206,7 @@ The procedure threads three foundational design principles. They are not optiona
 7. **GraphQL query-complexity limits.** Depth limit, breadth (alias) limit, complexity-cost calculator with budget per query, persisted-query allowlist for production clients. **Introspection disabled in production.**
 8. **gRPC reflection disabled in production.** mTLS for service-to-service; per-method authorisation (BFLA in gRPC terms is per-method); deadline propagation enforced; max-message-size bounded.
 9. **WebSocket origin validation at upgrade + CSRF / sender-constrained token thereafter.** Per-message authorisation if the channel multiplexes operations across resources; rate-limit per connection AND per identity (one identity cannot fan out across many connections to bypass).
-10. **MCP transport audit (hand-off to `mcp-agent-trust`) and AI-API egress map (hand-off to `ai-c2-detection`).** Document every MCP server and every AI-API destination. Per-destination quota with explicit USD cap; per-identity rate-and-shape baseline; D3-NTA egress monitoring fed to SIEM. AI-API keys treated as the most sensitive credential class — rotation cadence ≤ 30 days, automated key-leak scanning on commits.
+10. **MCP transport audit (hand-off to `mcp-agent-trust`) and AI-API egress map (hand-off to `ai-c2-detection`).** Document every MCP server and every AI-API destination. Per-destination quota with explicit USD cap; per-identity rate-and-shape baseline; D3-NTA egress monitoring fed to SIEM. AI-API keys treated as the most sensitive credential class — rotation cadence ≤ 30 days, automated key-leak scanning on commits. The egress map cross-references the AML.T0096 / AML.T0017 catalog entries in `data/atlas-ttps.json` so that egress-baseline rules can be authored against the canonical TTP IDs rather than ad-hoc local names.
 
 ---
 
@@ -281,6 +289,8 @@ Each D3FEND technique below maps an offensive API-security finding to a defensiv
 | D3-MFA | Multi-Factor Authentication (auth hardening at the API gateway) | Identity layer — phishing-resistant FIDO2 / WebAuthn passkeys for human-fronted APIs; service identities for machine-to-machine | Per-principal MFA enrolment; passkey-only for privileged routes | Every interactive authentication challenge is AiTM-resistant; TOTP / SMS insufficient for privileged API surfaces | Applies — AI-assisted phishing kits compress time-to-weaponise; passkey-mandatory for any human accessing AI-API management consoles (key rotation, budget setting) |
 | D3-CBAN | Certificate-Based Authentication | Service-to-service and high-value gateway boundaries — mTLS per RFC 8446 with appropriate cipher choice | Per-service workload identity (SPIFFE/SPIRE-class); no shared service certificate | Workload identity verified at every hop; certificate revocation honoured (OCSP stapling / short-lived certificates per ACME) | Applies to MCP transport — mTLS at the gateway-to-MCP-server boundary; AI-API consumption via signed-and-attested workload identity where the AI provider supports it |
 
+D3FEND technique IDs above resolve against `data/d3fend-catalog.json`; framework-gap rationales for each layer cross-walk to the matching entries in `data/framework-control-gaps.json` (notably `OWASP-ASVS-v5.0-V14`, `NIST-800-53-AC-2`, `NIST-800-218-SSDF`, `ISO-27001-2022-A.8.28`, `NIS2-Art21-incident-handling`, `UK-CAF-B2`, and `AU-Essential-8-App-Hardening`) so the defensive layer chosen for any finding can be cross-cited to both the offensive ATT&CK / ATLAS technique (`data/attack-techniques.json`, `data/atlas-ttps.json`) and the missing framework control in one operator pass.
+
 ---
 
 ## Hand-Off / Related Skills

package/skills/cloud-iam-incident/skill.md

@@ -88,7 +88,7 @@ Cloud-IAM compromise has been the dominant cloud-breach root cause across all th
 
 2. **2024-2025 AWS-key-in-public-repo crypto-mining campaigns.** Scraper bots monitoring the GitHub firehose monetise within ~5 minutes of public exposure. Typical spend pattern: 50-500 USD/hour of GPU instances in an unused region (where the victim has no resources to alert on regional anomalies). Common compromise window: 30 minutes to 4 hours before the victim notices. Even after revocation, the attacker often establishes long-lived persistence by creating their own IAM user with AdministratorAccess inside the compromised account before the original key is revoked.
 
-3. **2026 Azure managed-identity token replay (CVE-2026-21370-adjacent class).** Attackers with limited code-execution on an Azure VM (often via SSRF in a hosted web application) steal the managed-identity token from the IMDS endpoint at 169.254.169.254. The token is valid for its TTL (default 24h on most managed-identity scopes) and can be replayed from the attacker's infrastructure. Azure Continuous Access Evaluation is the long-term mitigation; rollout is incomplete in most large estates.
+3. **2026 Azure managed-identity token replay (design-class issue, not a single CVE).** Attackers with limited code-execution on an Azure VM (often via SSRF in a hosted web application) steal the managed-identity token from the IMDS endpoint at 169.254.169.254. The token is valid for its TTL (default 24h on most managed-identity scopes) and can be replayed from the attacker's infrastructure. Azure Continuous Access Evaluation is the long-term mitigation; rollout is incomplete in most large estates.
 
 4. **Scattered Spider AWS-MFA-bypass via help-desk social engineering.** Continuous 2023-2026 pattern. Voice-cloned or socially-engineered help-desk agent resets MFA on a privileged user, attacker logs in, escalates via either (a) creating their own IAM user with AdministratorAccess for persistence, (b) directly assuming a privileged role into a production account, or (c) modifying the federated IdP trust policy to grant ongoing access. Help-desk OOB-callback policy + voice-channel deepfake-resistant verification is the operational mitigation; coverage is fragmentary.
 

package/skills/defensive-countermeasure-mapping/skill.md

@@ -48,6 +48,7 @@ d3fend_refs:
   - D3-RPA
   - D3-SCP
 last_threat_review: "2026-05-11"
+discovery_mode: "standalone"  # v0.13.2: operator-reached via `exceptd brief defensive-countermeasure-mapping` or `exceptd ask`; not chained into any playbook's direct.skill_chain by design
 ---
 
 # Defensive Countermeasure Mapping — D3FEND as the Blue-Team Counterpart to ATT&CK / ATLAS

package/skills/email-security-anti-phishing/skill.md

@@ -20,7 +20,13 @@ triggers:
   - deepfake phishing
   - ai phishing
   - secure email gateway
-data_deps: []
+data_deps:
+  - atlas-ttps.json
+  - attack-techniques.json
+  - d3fend-catalog.json
+  - dlp-controls.json
+  - framework-control-gaps.json
+  - rfc-references.json
 atlas_refs: []
 attack_refs:
   - T1566
@@ -47,7 +53,8 @@ d3fend_refs:
   - D3-CSPP
   - D3-IOPR
   - D3-MFA
-last_threat_review: "2026-05-11"
+last_threat_review: "2026-05-18"
+discovery_mode: "standalone"  # v0.13.2: operator-reached via `exceptd brief email-security-anti-phishing` or `exceptd ask`; not chained into any playbook's direct.skill_chain by design
 ---
 
 # Email Security and Anti-Phishing Assessment
@@ -88,7 +95,7 @@ Phishing remained the #1 initial-access vector through 2025 (Verizon DBIR 2025)
 | IN CERT-In | Phishing guidance and 6-hour incident reporting rule | Reporting requirement is firm; control specifications lag. |
 | NYDFS | 23 NYCRR 500.14 (training and monitoring) | Annual phishing-aware training required; does not specify FIDO2, DMARC `p=reject`, or deepfake-aware procedures. |
 
-Per AGENTS.md Rule #5, this analysis spans EU + UK + AU + JP + IL + SG + IN + NYDFS alongside NIST and ISO.
+Per AGENTS.md Rule #5, this analysis spans EU + UK + AU + JP + IL + SG + IN + NYDFS alongside NIST and ISO. Each framework-gap ID in `framework_gaps` (`NIST-800-53-SI-3`, `ISO-27001-2022-A.8.16`, `SOC2-CC7-anomaly-detection`, `NIS2-Art21-incident-handling`, `UK-CAF-C1`, `AU-Essential-8-App-Hardening`) resolves against `data/framework-control-gaps.json` — operators producing a per-control evidence pack should pull the canonical lag rationale from that catalog rather than transcribing the table above.
 
 ---
 
@@ -102,7 +109,7 @@ Per AGENTS.md Rule #5, this analysis spans EU + UK + AU + JP + IL + SG + IN + NY
 | T1566.003 | Spearphishing via Service | LinkedIn DMs, Teams chat, Slack DMs, SMS, WhatsApp — all email-adjacent channels that DMARC/DKIM/SPF do not protect. Voice-cloned vishing and deepfake video calls land here too. |
 | T1078 | Valid Accounts | Post-phish credential use. The success metric for the program is "no T1078 follow-on," because every successful T1566 that reaches `p=reject` and FIDO2 still has to traverse credential use. |
 
-Note: `atlas_refs` is intentionally empty — these are ATT&CK Enterprise TTPs against human/email channels, not ATLAS AI-system TTPs. The AI-augmentation angle is handled via cross-reference to `ai-attack-surface`.
+Note: `atlas_refs` is intentionally empty — these are ATT&CK Enterprise TTPs against human/email channels, not ATLAS AI-system TTPs. The AI-augmentation angle is handled via cross-reference to `ai-attack-surface`. The ATT&CK technique IDs above (`T1566`, `T1566.001`, `T1566.002`, `T1566.003`, `T1078`) resolve against `data/attack-techniques.json`; when an investigation crosses into AI-mediated phishing (LLM-generated lures, deepfake video confirmation, voice cloning), cross-reference `data/atlas-ttps.json` for `AML.T0051` (LLM Prompt Injection — relevant when phishing payloads target the LLM-as-classifier instead of the human), `AML.T0024` (Exfiltration via Cyber Means — applicable where compromised mailbox sessions egress data via the message channel itself), and `AML.T0016` (Develop Capabilities — adversary use of public LLM APIs to author hyperpersonalized lures).
 
 ---
 
@@ -137,6 +144,8 @@ The procedure threads three foundational principles per AGENTS.md:
 
 **Cloud-email canonical, on-prem exception** (Rule #9): default scoping assumes Microsoft 365 Exchange Online or Google Workspace Gmail. On-prem Exchange (legacy, regulated enclave, air-gapped) gets an explicit exception path noting which controls (cloud-native sandbox detonation, Microsoft Defender XDR signals, Google Workspace Security Sandbox) have on-prem equivalents and which require compensating controls.
 
+Email-authentication RFCs cited throughout the procedure (`RFC-7489` DMARC, `RFC-6376` DKIM, `RFC-7208` SPF, `RFC-8616` BIMI/AuthIndicators DNS encoding, `RFC-8461` MTA-STS, `RFC-8617` ARC, `RFC-8460` TLSRPT) resolve against `data/rfc-references.json`. The DLP exfil-channel mappings invoked by the gateway-and-egress sub-procedures (`DLP-CHAN-EMAIL-OUT` for outbound message exfil, `DLP-CHAN-LLM-PROMPT` for LLM-prompt-as-egress when users paste mailbox content into AI assistants, `DLP-ENFORCE-BLOCK` for hard-block enforcement on confirmed PHI/PCI patterns) resolve against `data/dlp-controls.json` — these are the canonical IDs to cite when handing off to `dlp-gap-analysis`.
+
 **Ten-step assessment:**
 
 1. **Email authentication posture audit.** For each owned sending domain: pull SPF record, count DNS lookups (≤10), check for `+all` or `?all` (fail open), and check for SPF-flattening or macro-misuse. Pull DKIM selectors and verify key length ≥2048-bit, current rotation cadence. Pull DMARC record and capture policy (`p=`), subdomain policy (`sp=`), `pct=`, `rua=`/`ruf=` aggregate-report destinations, and alignment modes. Pull BIMI record and check VMC/CMC presence. Pull ARC seal status from inbound flow samples. Pull MTA-STS policy and TLSRPT destination.
@@ -191,6 +200,8 @@ Per AGENTS.md, this skill ships on 2026-05-11 and includes the optional 8th sect
 | D3-IOPR (Inbound Operation Restriction) | Restrict inbound operations the message can perform — URL rewriting, click-time re-evaluation, macro neutralization, container-format unpacking, sandbox detonation | Pre-delivery and at click-time | Per-user click policy (privileged users on stricter detonation tier) | No payload is allowed to act on the user's behalf without the gateway's verification | LLM-generated email detection sits here at the gateway-classification layer |
 | D3-MFA (Multi-factor Authentication) | Phishing-resistant authenticator class — FIDO2 / WebAuthn synced passkeys with proper relying-party verification | User authentication layer | Mandatory at 100% for privileged role classes; recovery flow hardened against helpdesk-vishing | Every authentication is verified by possession of the bound authenticator; session tokens are not transferable across origin | Canonical defense — passkeys remove the credential-disclosure win condition that AI-augmented phishing optimizes for |
 
+The D3FEND technique IDs above (`D3-NTA`, `D3-CSPP`, `D3-IOPR`, `D3-MFA`) resolve against `data/d3fend-catalog.json`. Operators producing a defence-in-depth map for an email-security finding should chain: offensive technique (`T1566.*` from `data/attack-techniques.json`, plus AI-augmentation context from `data/atlas-ttps.json`) → missing control (entry in `data/framework-control-gaps.json`) → defensive technique (entry in `data/d3fend-catalog.json`) → DLP enforcement channel (`DLP-CHAN-EMAIL-OUT` / `DLP-CHAN-LLM-PROMPT` from `data/dlp-controls.json`) → wire-level RFC anchor (entry in `data/rfc-references.json`). This is the cross-walk pattern the seven-phase playbook expects when packaging anti-phishing evidence for an auditor or jurisdiction notification.
+
 ---
 
 ## Hand-Off / Related Skills

package/skills/fuzz-testing-strategy/skill.md

@@ -45,6 +45,7 @@ d3fend_refs:
   - D3-IOPR
   - D3-PSEP
 last_threat_review: "2026-05-11"
+discovery_mode: "standalone"  # v0.13.2: operator-reached via `exceptd brief fuzz-testing-strategy` or `exceptd ask`; not chained into any playbook's direct.skill_chain by design
 ---
 
 # Fuzz Testing Strategy

package/skills/mlops-security/skill.md

@@ -62,6 +62,7 @@ forward_watch:
   - EU AI Act high-risk technical-file implementing acts (2026-2027) — operational requirements for Article 10 / 13 / 15 documentation may pin ML-BOM or model-signing
   - MITRE ATLAS v5.4.0 (released February 2026) shipped the AML.T0010 sub-technique expansion this forecast tracked plus new techniques ("Publish Poisoned AI Agent Tool", "Escape to Host"); inventory now 16 tactics, 84 techniques, 56 sub-techniques. Forward watch: subsequent ATLAS minor and major releases — track next-cadence updates to agentic-AI TTPs and MLOps-pipeline-specific techniques
 last_threat_review: "2026-05-15"
+discovery_mode: "standalone"  # v0.13.2: operator-reached via `exceptd brief mlops-security` or `exceptd ask`; not chained into any playbook's direct.skill_chain by design
 ---
 
 # MLOps Pipeline Security Assessment

package/skills/ot-ics-security/skill.md

@@ -44,6 +44,7 @@ cwe_refs:
   - CWE-1037
 d3fend_refs: []
 last_threat_review: "2026-05-11"
+discovery_mode: "standalone"  # v0.13.2: operator-reached via `exceptd brief ot-ics-security` or `exceptd ask`; not chained into any playbook's direct.skill_chain by design
 ---
 
 # OT / ICS Security (mid-2026)

package/skills/researcher/skill.md

@@ -25,6 +25,7 @@ atlas_refs: []
 attack_refs: []
 framework_gaps: []
 last_threat_review: "2026-05-11"
+discovery_mode: "standalone"  # v0.13.2: operator-reached via `exceptd brief researcher` or `exceptd ask`; not chained into any playbook's direct.skill_chain by design
 ---
 
 # Researcher — Threat Intel Triage and Dispatch

package/skills/sector-energy/skill.md

@@ -57,6 +57,7 @@ forward_watch:
   - MadIoT-class research on consumer-IoT-driven grid frequency manipulation moving from proof-of-concept to attributed campaigns
   - ICS-CERT advisory feed (https://www.cisa.gov/news-events/cybersecurity-advisories/ics-advisories) for vendor CVEs in Siemens, Rockwell, Schneider Electric, ABB, GE Vernova, Hitachi Energy, AVEVA / OSIsoft PI
 last_threat_review: "2026-05-11"
+discovery_mode: "standalone"  # v0.13.2: operator-reached via `exceptd brief sector-energy` or `exceptd ask`; not chained into any playbook's direct.skill_chain by design
 ---
 
 # Sector — Energy (Electric Power, Oil & Gas, Water/Wastewater, Renewables) — mid-2026

package/skills/sector-federal-government/skill.md

@@ -61,6 +61,7 @@ forward_watch:
   - EU Cybersecurity Certification Scheme on Common Criteria (EUCC) operational — first certificates issued 2024; high-assurance level for government use cases ramping
   - Australia PSPF 2024 revision and ISM quarterly updates — track for Essential Eight Maturity Level requirements for federal entities
 last_threat_review: "2026-05-11"
+discovery_mode: "standalone"  # v0.13.2: operator-reached via `exceptd brief sector-federal-government` or `exceptd ask`; not chained into any playbook's direct.skill_chain by design
 ---
 
 # Federal Government and Defense Contractor Cybersecurity

package/skills/sector-telecom/skill.md

@@ -67,6 +67,7 @@ forward_watch:
   - "3GPP TS 33.501 updates (5G security architecture rebaseline)"
   - "O-RAN SFG / WG11 security specifications"
 last_threat_review: 2026-05-15
+discovery_mode: "standalone"  # v0.13.2: operator-reached via `exceptd brief sector-telecom` or `exceptd ask`; not chained into any playbook's direct.skill_chain by design
 ---
 
 ## Threat Context (mid-2026)

package/skills/skill-update-loop/skill.md

@@ -34,6 +34,7 @@ forward_watch:
   - Framework publication updates (NIST SP updates, ISO amendments, NIS2 implementing acts)
   - IETF RFC publications and draft status changes (datatracker.ietf.org, rfc-editor.org); run `npm run validate-rfcs` quarterly
 last_threat_review: "2026-05-15"
+discovery_mode: "standalone"  # v0.13.2: operator-reached via `exceptd brief skill-update-loop` or `exceptd ask`; not chained into any playbook's direct.skill_chain by design
 ---
 
 # Skill Update Loop

package/skills/threat-model-currency/skill.md

@@ -23,6 +23,7 @@ forward_watch:
   - New MCP or agent protocol security disclosures
   - Emerging malware families using AI for evasion
 last_threat_review: "2026-05-15"
+discovery_mode: "standalone"  # v0.13.2: operator-reached via `exceptd brief threat-model-currency` or `exceptd ask`; not chained into any playbook's direct.skill_chain by design
 ---
 
 # Threat Model Currency Assessment

package/skills/threat-modeling-methodology/skill.md

@@ -44,6 +44,7 @@ forward_watch:
   - LINDDUN-GO and LINDDUN-PRO updates incorporating LLM privacy threats
   - PASTA v2 updates incorporating AI/ML application threats
 last_threat_review: "2026-05-11"
+discovery_mode: "standalone"  # v0.13.2: operator-reached via `exceptd brief threat-modeling-methodology` or `exceptd ask`; not chained into any playbook's direct.skill_chain by design
 ---
 
 # Threat Modeling Methodology

package/skills/webapp-security/skill.md

@@ -66,6 +66,7 @@ d3fend_refs:
 forward_watch:
   - NGINX Rift CVE-2026-42945 (disclosed 2026-05-13, source depthfirst) — KEV-watch predicted CISA KEV listing by 2026-05-29; AI-assisted discovery angle; track for active-exploitation confirmation and patch advisory affecting front-door web app deployments
 last_threat_review: "2026-05-11"
+discovery_mode: "standalone"  # v0.13.2: operator-reached via `exceptd brief webapp-security` or `exceptd ask`; not chained into any playbook's direct.skill_chain by design
 ---
 
 # Web Application Security Assessment

package/skills/zeroday-gap-learn/skill.md

@@ -24,6 +24,7 @@ forward_watch:
   - Framework updates that close previously open gaps
   - Vendor advisories for MCP/AI tool supply chain CVEs
 last_threat_review: "2026-05-15"
+discovery_mode: "standalone"  # v0.13.2: operator-reached via `exceptd brief zeroday-gap-learn` or `exceptd ask`; not chained into any playbook's direct.skill_chain by design
 ---
 
 # Zero-Day Learning Loop