npm - @blamejs/exceptd-skills - Versions diffs - 0.13.18 → 0.13.19 - Mend

@blamejs/exceptd-skills 0.13.18 → 0.13.19

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (19) hide show

package/CHANGELOG.md +38 -0
package/data/_indexes/_meta.json +9 -9
package/data/_indexes/activity-feed.json +2 -2
package/data/_indexes/catalog-summaries.json +2 -2
package/data/_indexes/chains.json +14 -0
package/data/_indexes/frequency.json +1 -0
package/data/attack-techniques.json +2600 -109
package/data/cve-catalog.json +1265 -305
package/data/cwe-catalog.json +60 -1
package/data/framework-control-gaps.json +504 -0
package/data/rfc-references.json +286 -125
package/data/zeroday-lessons.json +156 -24
package/manifest.json +44 -44
package/package.json +6 -2
package/sbom.cdx.json +59 -29
package/scripts/audit-catalog-gaps.js +338 -0
package/scripts/check-test-coverage.js +14 -6
package/scripts/refresh-mitre-ics-attack.js +15 -0
package/scripts/refresh-upstream-catalogs.js +158 -54

package/data/framework-control-gaps.json CHANGED Viewed

@@ -48,6 +48,12 @@
         "provider changelog review log with reviewer identity + timestamp"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "ALL-MCP-TOOL-TRUST": {
@@ -80,6 +86,12 @@
         "tool-grant audit log for one randomly selected developer over 30 days"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "ALL-PROMPT-INJECTION-ACCESS-CONTROL": {
@@ -112,6 +124,12 @@
         "policy text defining prompt-level scope for each agent role"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "AU-Essential-8-App-Hardening": {
@@ -144,6 +162,12 @@
         "test-induced modification on a non-production endpoint to confirm alert fires"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "AU-Essential-8-Backup": {
@@ -175,6 +199,12 @@
         "per-document hash diff between restored and production corpus"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "AU-Essential-8-MFA": {
@@ -207,6 +237,12 @@
         "documented credential rotation policy"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "AU-Essential-8-Patch": {
@@ -236,6 +272,12 @@
         "fleet coverage rollup per CVE"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "CIS-Controls-v8-Control7": {
@@ -336,6 +378,12 @@
         "cross-walk document for joint programmes (if any)"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "CWE-Top-25-2024-meta": {
@@ -370,6 +418,12 @@
         "scan report against the fixture"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "CycloneDX-v1.6-SBOM": {
@@ -404,6 +458,12 @@
         "MCP server manifest from build environment"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "DORA-Art28": {
@@ -472,6 +532,12 @@
         "exit-strategy evidence per critical AI sub-processor"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "DORA-ITS-TLPT": {
@@ -507,6 +573,12 @@
         "TLPT team CVs covering AI/MCP red-team experience"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "DORA-RTS-Incident-Classification": {
@@ -541,6 +613,12 @@
         "synthetic AI-incident classification dry-run record"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "DORA-IA-CTPP-Oversight": {
@@ -574,6 +652,12 @@
         "AI-provider concentration analysis"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "EU-AI-Act-Art-15": {
@@ -642,6 +726,12 @@
         "per-corpus copyright-policy attestations"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "EU-AI-Act-Art-55-Systemic": {
@@ -678,6 +768,12 @@
         "incident-clock cross-walk to DORA"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "EU-AI-Act-Annex-IX-Conformity": {
@@ -709,6 +805,12 @@
         "change log showing modifications assessed against the policy"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "EU-AI-Act-GPAI-CoP": {
@@ -741,6 +843,12 @@
         "AI Office enforcement-deference reference"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "EU-CRA-Art13": {
@@ -821,6 +929,12 @@
         "SSP excerpts showing AI shared-responsibility language"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "HIPAA-Security-Rule-164.312(a)(1)": {
@@ -855,6 +969,12 @@
         "agent-session control configuration"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "HIPAA-Security-Rule-2026-NPRM-164.308": {
@@ -889,6 +1009,12 @@
         "tabletop exercise catalogue with execution dates"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "HIPAA-Security-Rule-2026-NPRM-164.310": {
@@ -922,6 +1048,12 @@
         "departed-user credential-revocation evidence"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "HIPAA-Security-Rule-2026-NPRM-164.312": {
@@ -958,6 +1090,12 @@
         "prompt-injection / RAG-poisoning detection rule export"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "HIPAA-Security-Rule-2026-NPRM-164.314": {
@@ -991,6 +1129,12 @@
         "sub-processor disclosure inventories"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "HITRUST-CSF-v11.4-09.l": {
@@ -1024,6 +1168,12 @@
         "endpoint scan for self-signup AI tools"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "IEC-62443-3-3": {
@@ -1060,6 +1210,12 @@
         "threat-model document covering AI conduit threats"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "ISO-27001-2022-A.8.16": {
@@ -1092,6 +1248,12 @@
         "telemetry volume report by source class"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "ISO-27001-2022-A.8.22": {
@@ -1517,6 +1679,12 @@
         "review-cadence schedule"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "ISO-IEC-42001-2023-clause-6.1.2": {
@@ -1552,6 +1720,12 @@
         "AIMS internal audit report"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "NERC-CIP-007-6-R4": {
@@ -1588,6 +1762,12 @@
         "NIS2 alignment document where applicable"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "NIS2-Art21-incident-handling": {
@@ -1706,6 +1886,12 @@
         "tester competency CV/credentials"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "NIST-800-218-SSDF": {
@@ -2097,6 +2283,12 @@
         "deletion verification log"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "NIST-800-53-SI-2": {
@@ -2503,6 +2695,12 @@
         "service-account token lifecycle export"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "NIST-800-82r3": {
@@ -2539,6 +2737,12 @@
         "engineering workstation MCP-server scan"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "NIST-AI-RMF-MAP-3.4": {
@@ -2605,6 +2809,12 @@
         "ATLAS/OWASP coverage matrix"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "OWASP-ASVS-v5.0-V14": {
@@ -2638,6 +2848,12 @@
         "prompt-isolation design document"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "OWASP-LLM-Top-10-2025-LLM01": {
@@ -2709,6 +2925,12 @@
         "test cases proving validation fires on malicious payloads"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "OWASP-LLM-Top-10-2025-LLM06": {
@@ -2744,6 +2966,12 @@
         "data classification policy"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "OWASP-LLM-Top-10-2025-LLM08": {
@@ -2780,6 +3008,12 @@
         "destructive-action confirmation flow evidence"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "OWASP-Pen-Testing-Guide-v5": {
@@ -2818,6 +3052,12 @@
         "scope-of-engagement document"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "OWASP-Top-10-2021-A06": {
@@ -2922,6 +3162,12 @@
         "SRI configuration export"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "PCI-DSS-4.0.1-11.6.1": {
@@ -2954,6 +3200,12 @@
         "CSP report-uri correlation pipeline"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "PCI-DSS-4.0.1-12.3.3": {
@@ -2985,6 +3237,12 @@
         "PQC migration roadmap"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "PCI-DSS-4.0.1-12.10.7": {
@@ -3019,6 +3277,12 @@
         "carrier-notification workflow record"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "PSD2-RTS-SCA": {
@@ -3053,6 +3317,12 @@
         "audit log sample with AI-mediated indicator"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "PTES-Pre-engagement": {
@@ -3088,6 +3358,12 @@
         "tester competency CV"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "SLSA-v1.0-Build-L3": {
@@ -3228,6 +3504,12 @@
         "telemetry volume report"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "SOC2-CC9-vendor-management": {
@@ -3296,6 +3578,12 @@
         "SPDX↔CycloneDX cross-walk mapping"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "SWIFT-CSCF-v2026-1.1": {
@@ -3331,6 +3619,12 @@
         "DORA Art. 28 cross-walk record"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "UK-CAF-A1": {
@@ -3360,6 +3654,12 @@
         "executive accountability matrix"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "UK-CAF-B2": {
@@ -3392,6 +3692,12 @@
         "continuous-verification configuration"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "UK-CAF-C1": {
@@ -3425,6 +3731,12 @@
         "alert-triage records past 90 days"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "UK-CAF-D1": {
@@ -3454,6 +3766,12 @@
         "NIS2 timing integration document"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "VEX-CSAF-v2.1": {
@@ -3487,6 +3805,12 @@
         "VEX chain example for base→derived model"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "FCC-CPNI-4.1": {
@@ -3521,6 +3845,12 @@
         "signaling baseline document"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "FCC-Cyber-Incident-Notification-2024": {
@@ -3552,6 +3882,12 @@
         "cross-jurisdiction timing matrix"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "NIS2-Annex-I-Telecom": {
@@ -3586,6 +3922,12 @@
         "LI-gateway activation audit log"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "DORA-Art-21-Telecom-ICT": {
@@ -3616,6 +3958,12 @@
         "concentration analysis report"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "UK-CAF-B5": {
@@ -3647,6 +3995,12 @@
         "LI-gateway audit log"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "AU-ISM-1556": {
@@ -3678,6 +4032,12 @@
         "alert-triage records"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "GSMA-NESAS-Deployment": {
@@ -3708,6 +4068,12 @@
         "firmware-update → recertification mapping"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "3GPP-TR-33.926": {
@@ -3738,6 +4104,12 @@
         "LI/signaling threat-treatment document"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "ITU-T-X.805": {
@@ -3768,6 +4140,12 @@
         "slice-isolation test results"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "NIST-800-53-IA-5-Federated": {
@@ -3831,6 +4209,12 @@
         "claim-transformation review cadence document"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "SOC2-CC6-OAuth-Consent": {
@@ -3860,6 +4244,12 @@
         "business-purpose attestation samples"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "UK-CAF-B2-IdP-Tenant": {
@@ -3891,6 +4281,12 @@
         "token-signing rotation alert configuration"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "AU-ISM-1559-IdP": {
@@ -3921,6 +4317,12 @@
         "management-API token inventory"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "NIS2-Art-21-Federated-Identity": {
@@ -3952,6 +4354,12 @@
         "IdP concentration analysis"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "DORA-Art-19-IdP-4h": {
@@ -3982,6 +4390,12 @@
         "on-call rota covering 24/7 IdP-incident response"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "OFAC-Sanctions-Threat-Actor-Negotiation": {
@@ -4012,6 +4426,12 @@
         "tabletop execution log"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "FedRAMP-IL5-IAM-Federated": {
@@ -4046,6 +4466,12 @@
         "evidence retention per IL5 cadence"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "CISA-Snowflake-AA24-IdP-Cloud": {
@@ -4080,6 +4506,12 @@
         "network policy configuration"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "NIST-800-53-AC-2-Cross-Account": {
@@ -4114,6 +4546,12 @@
         "external-ID enforcement evidence"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "ISO-27017-Cloud-IAM": {
@@ -4146,6 +4584,12 @@
         "assume-role policy document sample"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "SOC2-CC6-Access-Key-Leak-Public-Repo": {
@@ -4178,6 +4622,12 @@
         "leak-to-revocation timing per incident"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "AWS-Security-Hub-Coverage-Gap": {
@@ -4212,6 +4662,12 @@
         "cloud-iam-incident detect-indicator → CloudTrail behavioural-rule mapping"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "UK-CAF-B2-Cloud-IAM": {
@@ -4244,6 +4700,12 @@
         "cross-account assume-role policy export"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "AU-ISM-1546-Cloud-Service-Account": {
@@ -4276,6 +4738,12 @@
         "source-IP allowlist configuration"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "OFAC-SDN-Payment-Block": {
@@ -4306,6 +4774,12 @@
         "counsel-signed attestation template"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "Insurance-Carrier-24h-Notification": {
@@ -4337,6 +4811,12 @@
         "broker after-hours contact + loss-notice form"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "EU-Sanctions-Reg-2014-833-Cyber": {
@@ -4367,6 +4847,12 @@
         "tabletop execution log covering EU sanctions inject"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "Immutable-Backup-Recovery": {
@@ -4398,6 +4884,12 @@
         "admin-separation policy document"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "Decryptor-Availability-Pre-Decision": {
@@ -4429,6 +4921,12 @@
         "quarterly catalogue refresh evidence"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "PHI-Exfil-Before-Encrypt-Breach-Class": {
@@ -4461,6 +4959,12 @@
         "tabletop execution log within past 12 months"
       ],
       "verdict_when_failed": "compliance-theater"
+    },
+    "_gap_skip": {
+      "fields": [
+        "evidence_cves"
+      ],
+      "reason": "forward-looking gap with no CVE anchor in the catalog yet — operator notes the control class without binding to a single incident"
     }
   },
   "NIS2-Art21-vulnerability-management": {