@blamejs/exceptd-skills 0.13.2 → 0.13.3

package/sbom.cdx.json

@@ -1,22 +1,22 @@
 {
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:594c61d8-9616-4df7-9bb0-cef4da00b814",
+  "serialNumber": "urn:uuid:215c1846-8948-4275-8e79-ad2f8593225c",
   "version": 1,
   "metadata": {
-    "timestamp": "2073-06-23T00:33:28.000Z",
+    "timestamp": "2043-09-26T19:40:54.000Z",
     "tools": [
       {
         "vendor": "blamejs",
         "name": "scripts/refresh-sbom.js",
-        "version": "0.13.2"
+        "version": "0.13.3"
       }
     ],
     "component": {
-      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.13.2",
+      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.13.3",
       "type": "application",
       "name": "@blamejs/exceptd-skills",
-      "version": "0.13.2",
+      "version": "0.13.3",
       "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 42 skills, 10 catalogs, 34 jurisdictions, pre-computed indexes, Ed25519-signed.",
       "licenses": [
         {
@@ -25,17 +25,17 @@
           }
         }
       ],
-      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.13.2",
+      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.13.3",
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "2ec5e865222c3ce57aa170d553cfb29c3b2e72da144e971138e433e39cd42776"
+          "content": "5f31c2d0207da9b36fe526a2913e975e27ae2442561e03b079695af7f5a8926b"
         }
       ],
       "externalReferences": [
         {
           "type": "distribution",
-          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.13.2"
+          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.13.3"
         },
         {
           "type": "vcs",
@@ -108,7 +108,7 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "119d02d2e0db3628538359c7a0714a109faf1abc51780ce0c3be25d6ade94817"
+          "content": "1932f52ef4f3d1ba7963310436df82f5ef6269a3c77851e993e31885ebade1b2"
         }
       ]
     },
@@ -229,7 +229,7 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "2451bc7b4e6775fdb71d2255f0d0d20230951a049343fffbd7999efb7bd665d3"
+          "content": "b3540a3296e5e901004d428351d40d3ac40b154da082071da2c00222c40b7b6e"
         }
       ]
     },
@@ -251,7 +251,7 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "5c992a3c2974e117ee38b62f7ead36043819880baf23863979b490f19fe5826b"
+          "content": "76461dbec048c5e072435d57e3a04b780e3992dab9f316b1b52608e0a997e355"
         }
       ]
     },
@@ -262,7 +262,7 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "8ddc5d3f9441334d544df5bc4e34846259f981d15a87dd7bed825e7f2d8b961d"
+          "content": "b499cb431c1b71aab505db577a1e3b2fdcb5190afbcc6aaee0f6a237cfc16ca8"
         }
       ]
     },
@@ -273,7 +273,7 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "4baff0970c17224aef4606598b90d72e09da5e927ee4f46bdbf3e12b2e6247e3"
+          "content": "4a0036f9ec17af29e0df111ac77b94f8be6a52742bfd89ff3583096d23b75e35"
         }
       ]
     },
@@ -317,7 +317,7 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "c4b735cac63559b4dad4cccfc97dda57434de4d9bb61a712264131ec3aae8ae6"
+          "content": "ce1535f13d29ab90fac99b983f38a23dd685702b3f12ac9f2371294cb9859ecf"
         }
       ]
     },
@@ -570,7 +570,7 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "6e503b75e52c8baea7e3ffaa872a2f7faedc36ca1cf53c8aec07e610c4c4ce07"
+          "content": "1438620d2c8b0606eac4f63e620906b9ba079c57bfa7f737ceb6a50370cdc9a5"
         }
       ]
     },
@@ -691,7 +691,7 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "4e6667e490ed81afb0b23b0119e182b2c916c20d6f6a2c82163d8db1981c3ebe"
+          "content": "48aa70089fe9fc3bee80e19042d28d91ceb996ed018b6131db970dba7cadb90e"
         }
       ]
     },
@@ -812,7 +812,7 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "678cce9841ee92128e777cc0f355e020bd69c37cbd637be91479858e6a4958fd"
+          "content": "63702da0ef17b9dd32cff349473d5e1c32aae763cd769936a07570e34cb6b824"
         }
       ]
     },
@@ -988,7 +988,7 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "034fb84e4508b8cb103699bdfe1ca220c8aa5d18cc8951f76cf74c5a1b30e418"
+          "content": "fbc30b15d294d3bdfccfb3880781dae9e9a9624e3b6d6a64723cdc75b6b47d3b"
         }
       ]
     },
@@ -1032,7 +1032,7 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "58e6e1acf753cfa8f578eec3e41420f518dbd26d4ee0a7db7f6f0019e46350bb"
+          "content": "b827fb5d2a43409ba2c390b000e175c9357b86137d25d6647ff238b94922275b"
         }
       ]
     },
@@ -1461,7 +1461,7 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "2bdfa3dbe534efa3df245e0da37998ad7ab2da4a3171d5000d3346513c10bceb"
+          "content": "9fc2252cbcf6162591e70d0bf5499a430b0584495ad584ce49fb7daf070d335f"
         }
       ]
     },
@@ -1483,7 +1483,7 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "6494ee3856edeb212e65fe5cdb208357c1a832eb8ac374b26055586bfc71f629"
+          "content": "5ec3800a0049b2123aff67bfab4ff28491a86d2daeb712283e5e88b10c3d5d7b"
         }
       ]
     },
@@ -1560,7 +1560,7 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "82af58b98bd808c0c6ec92554d89948378702465504db1113fc462a96366a601"
+          "content": "250f266908f51f99a4cb3aec0d5dacfcf91fac9f3d95e5a117429a40ed2ff45a"
         }
       ]
     },

package/skills/api-security/skill.md

@@ -17,7 +17,13 @@ triggers:
   - ai api security
   - mcp transport
   - openapi security
-data_deps: []
+data_deps:
+  - atlas-ttps.json
+  - attack-techniques.json
+  - cwe-catalog.json
+  - d3fend-catalog.json
+  - framework-control-gaps.json
+  - rfc-references.json
 atlas_refs:
   - AML.T0096
   - AML.T0017
@@ -61,7 +67,7 @@ forward_watch:
   - NGINX Rift CVE-2026-42945 (disclosed 2026-05-13, source depthfirst) — KEV-watch predicted CISA KEV listing by 2026-05-29; track for active-exploitation confirmation and patch advisory affecting API gateway / reverse-proxy deployments
   - Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — LiteLLM 3-bug SSRF + Code Injection chain by k3vg3n; LLM-proxy API surface; track upstream patch and CVE assignments
   - Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — LiteLLM full SSRF + Code Injection by Out Of Bounds (Byung Young Yi); duplicate-class with the k3vg3n entry; track unified patch advisory
-last_threat_review: "2026-05-17"
+last_threat_review: "2026-05-18"
 ---
 
 # API Security Assessment
@@ -130,7 +136,7 @@ APIs are now the integration substrate of every non-trivial system. The mid-2026
 | AML.T0096 | AI Service Exploitation (AI-API as covert C2) | LLM API used as a covert command-and-control / exfil channel — prompt content carries instructions; response carries staged data | CWE-77, CWE-200 | Missing in NIST/ISO; hand-off to `ai-c2-detection` |
 | AML.T0017 | Discover ML Model Ontology (inference-API probing for system-prompt, guardrail, model-family signal) | High-volume queries against a hosted model used to reconstruct behaviour, guardrail surface, or training-data signal | CWE-200 | Missing — detected only by per-identity rate-and-shape monitoring at egress |
 
-CWE root-causes referenced as a set (per `cwe_refs` in frontmatter): CWE-287 (Improper Authentication), CWE-862 (Missing Authorization — BFLA root cause), CWE-863 (Incorrect Authorization — BOLA root cause), CWE-918 (SSRF — API7), CWE-200 (Information Exposure — BOPLA contributor), CWE-352 (CSRF — cookie-auth APIs + WebSocket CSWSH), CWE-22 (Path Traversal — API parameter sinks), CWE-77 (Command Injection — API parameter to shell), CWE-1188 (Insecure Default Initialization — default-open API state).
+CWE root-causes referenced as a set (per `cwe_refs` in frontmatter, all resolved against `data/cwe-catalog.json`): CWE-287 (Improper Authentication), CWE-862 (Missing Authorization — BFLA root cause), CWE-863 (Incorrect Authorization — BOLA root cause), CWE-918 (SSRF — API7), CWE-200 (Information Exposure — BOPLA contributor), CWE-352 (CSRF — cookie-auth APIs + WebSocket CSWSH), CWE-22 (Path Traversal — API parameter sinks), CWE-77 (Command Injection — API parameter to shell), CWE-1188 (Insecure Default Initialization — default-open API state). ATT&CK Enterprise techniques (T1190, T1078, T1567) resolve against `data/attack-techniques.json`; the AML.T0096 (AI service exploitation) and AML.T0017 (model-ontology discovery) entries resolve against `data/atlas-ttps.json`. Cross-reference every BOLA / BFLA finding against the `CWE-863` / `CWE-862` entries in `data/cwe-catalog.json` for the canonical weakness description used in operator briefings.
 
 ---
 
@@ -158,6 +164,8 @@ CWE root-causes referenced as a set (per `cwe_refs` in frontmatter): CWE-287 (Im
 
 The procedure threads three foundational design principles. They are not optional.
 
+Wire-level RFC mappings cited below resolve against `data/rfc-references.json` (RFC-7519 JWT, RFC-8725 JWT BCP, RFC-6749 OAuth 2.0, RFC-9700 OAuth Security BCP, RFC-9421 HTTP Message Signatures, RFC-8446 TLS 1.3, RFC-9114 HTTP/3); framework-gap IDs cited throughout (OWASP-ASVS-v5.0-V14, NIST-800-53-AC-2, NIST-800-218-SSDF, ISO-27001-2022-A.8.28, NIS2-Art21-incident-handling, UK-CAF-B2, AU-Essential-8-App-Hardening) resolve against `data/framework-control-gaps.json`.
+
 **Defense in depth** — the API request lifecycle is layered. No single control is trusted to fail closed.
 
 1. **API gateway (perimeter)** — terminates TLS (RFC 8446 baseline; HTTP/3 over QUIC per RFC 9114 for public global APIs), enforces auth, enforces rate limits per route + per identity + per cost-unit, applies threat-detection rules, captures the canonical log record. Gateways with bypass paths (a "direct backend" route that skips the gateway) are gateway-in-name-only.
@@ -198,7 +206,7 @@ The procedure threads three foundational design principles. They are not optiona
 7. **GraphQL query-complexity limits.** Depth limit, breadth (alias) limit, complexity-cost calculator with budget per query, persisted-query allowlist for production clients. **Introspection disabled in production.**
 8. **gRPC reflection disabled in production.** mTLS for service-to-service; per-method authorisation (BFLA in gRPC terms is per-method); deadline propagation enforced; max-message-size bounded.
 9. **WebSocket origin validation at upgrade + CSRF / sender-constrained token thereafter.** Per-message authorisation if the channel multiplexes operations across resources; rate-limit per connection AND per identity (one identity cannot fan out across many connections to bypass).
-10. **MCP transport audit (hand-off to `mcp-agent-trust`) and AI-API egress map (hand-off to `ai-c2-detection`).** Document every MCP server and every AI-API destination. Per-destination quota with explicit USD cap; per-identity rate-and-shape baseline; D3-NTA egress monitoring fed to SIEM. AI-API keys treated as the most sensitive credential class — rotation cadence ≤ 30 days, automated key-leak scanning on commits.
+10. **MCP transport audit (hand-off to `mcp-agent-trust`) and AI-API egress map (hand-off to `ai-c2-detection`).** Document every MCP server and every AI-API destination. Per-destination quota with explicit USD cap; per-identity rate-and-shape baseline; D3-NTA egress monitoring fed to SIEM. AI-API keys treated as the most sensitive credential class — rotation cadence ≤ 30 days, automated key-leak scanning on commits. The egress map cross-references the AML.T0096 / AML.T0017 catalog entries in `data/atlas-ttps.json` so that egress-baseline rules can be authored against the canonical TTP IDs rather than ad-hoc local names.
 
 ---
 
@@ -281,6 +289,8 @@ Each D3FEND technique below maps an offensive API-security finding to a defensiv
 | D3-MFA | Multi-Factor Authentication (auth hardening at the API gateway) | Identity layer — phishing-resistant FIDO2 / WebAuthn passkeys for human-fronted APIs; service identities for machine-to-machine | Per-principal MFA enrolment; passkey-only for privileged routes | Every interactive authentication challenge is AiTM-resistant; TOTP / SMS insufficient for privileged API surfaces | Applies — AI-assisted phishing kits compress time-to-weaponise; passkey-mandatory for any human accessing AI-API management consoles (key rotation, budget setting) |
 | D3-CBAN | Certificate-Based Authentication | Service-to-service and high-value gateway boundaries — mTLS per RFC 8446 with appropriate cipher choice | Per-service workload identity (SPIFFE/SPIRE-class); no shared service certificate | Workload identity verified at every hop; certificate revocation honoured (OCSP stapling / short-lived certificates per ACME) | Applies to MCP transport — mTLS at the gateway-to-MCP-server boundary; AI-API consumption via signed-and-attested workload identity where the AI provider supports it |
 
+D3FEND technique IDs above resolve against `data/d3fend-catalog.json`; framework-gap rationales for each layer cross-walk to the matching entries in `data/framework-control-gaps.json` (notably `OWASP-ASVS-v5.0-V14`, `NIST-800-53-AC-2`, `NIST-800-218-SSDF`, `ISO-27001-2022-A.8.28`, `NIS2-Art21-incident-handling`, `UK-CAF-B2`, and `AU-Essential-8-App-Hardening`) so the defensive layer chosen for any finding can be cross-cited to both the offensive ATT&CK / ATLAS technique (`data/attack-techniques.json`, `data/atlas-ttps.json`) and the missing framework control in one operator pass.
+
 ---
 
 ## Hand-Off / Related Skills

package/skills/cloud-iam-incident/skill.md

@@ -88,7 +88,7 @@ Cloud-IAM compromise has been the dominant cloud-breach root cause across all th
 
 2. **2024-2025 AWS-key-in-public-repo crypto-mining campaigns.** Scraper bots monitoring the GitHub firehose monetise within ~5 minutes of public exposure. Typical spend pattern: 50-500 USD/hour of GPU instances in an unused region (where the victim has no resources to alert on regional anomalies). Common compromise window: 30 minutes to 4 hours before the victim notices. Even after revocation, the attacker often establishes long-lived persistence by creating their own IAM user with AdministratorAccess inside the compromised account before the original key is revoked.
 
-3. **2026 Azure managed-identity token replay (CVE-2026-21370-adjacent class).** Attackers with limited code-execution on an Azure VM (often via SSRF in a hosted web application) steal the managed-identity token from the IMDS endpoint at 169.254.169.254. The token is valid for its TTL (default 24h on most managed-identity scopes) and can be replayed from the attacker's infrastructure. Azure Continuous Access Evaluation is the long-term mitigation; rollout is incomplete in most large estates.
+3. **2026 Azure managed-identity token replay (design-class issue, not a single CVE).** Attackers with limited code-execution on an Azure VM (often via SSRF in a hosted web application) steal the managed-identity token from the IMDS endpoint at 169.254.169.254. The token is valid for its TTL (default 24h on most managed-identity scopes) and can be replayed from the attacker's infrastructure. Azure Continuous Access Evaluation is the long-term mitigation; rollout is incomplete in most large estates.
 
 4. **Scattered Spider AWS-MFA-bypass via help-desk social engineering.** Continuous 2023-2026 pattern. Voice-cloned or socially-engineered help-desk agent resets MFA on a privileged user, attacker logs in, escalates via either (a) creating their own IAM user with AdministratorAccess for persistence, (b) directly assuming a privileged role into a production account, or (c) modifying the federated IdP trust policy to grant ongoing access. Help-desk OOB-callback policy + voice-channel deepfake-resistant verification is the operational mitigation; coverage is fragmentary.
 

package/skills/email-security-anti-phishing/skill.md

@@ -20,7 +20,13 @@ triggers:
   - deepfake phishing
   - ai phishing
   - secure email gateway
-data_deps: []
+data_deps:
+  - atlas-ttps.json
+  - attack-techniques.json
+  - d3fend-catalog.json
+  - dlp-controls.json
+  - framework-control-gaps.json
+  - rfc-references.json
 atlas_refs: []
 attack_refs:
   - T1566
@@ -47,7 +53,7 @@ d3fend_refs:
   - D3-CSPP
   - D3-IOPR
   - D3-MFA
-last_threat_review: "2026-05-11"
+last_threat_review: "2026-05-18"
 discovery_mode: "standalone"  # v0.13.2: operator-reached via `exceptd brief email-security-anti-phishing` or `exceptd ask`; not chained into any playbook's direct.skill_chain by design
 ---
 
@@ -89,7 +95,7 @@ Phishing remained the #1 initial-access vector through 2025 (Verizon DBIR 2025)
 | IN CERT-In | Phishing guidance and 6-hour incident reporting rule | Reporting requirement is firm; control specifications lag. |
 | NYDFS | 23 NYCRR 500.14 (training and monitoring) | Annual phishing-aware training required; does not specify FIDO2, DMARC `p=reject`, or deepfake-aware procedures. |
 
-Per AGENTS.md Rule #5, this analysis spans EU + UK + AU + JP + IL + SG + IN + NYDFS alongside NIST and ISO.
+Per AGENTS.md Rule #5, this analysis spans EU + UK + AU + JP + IL + SG + IN + NYDFS alongside NIST and ISO. Each framework-gap ID in `framework_gaps` (`NIST-800-53-SI-3`, `ISO-27001-2022-A.8.16`, `SOC2-CC7-anomaly-detection`, `NIS2-Art21-incident-handling`, `UK-CAF-C1`, `AU-Essential-8-App-Hardening`) resolves against `data/framework-control-gaps.json` — operators producing a per-control evidence pack should pull the canonical lag rationale from that catalog rather than transcribing the table above.
 
 ---
 
@@ -103,7 +109,7 @@ Per AGENTS.md Rule #5, this analysis spans EU + UK + AU + JP + IL + SG + IN + NY
 | T1566.003 | Spearphishing via Service | LinkedIn DMs, Teams chat, Slack DMs, SMS, WhatsApp — all email-adjacent channels that DMARC/DKIM/SPF do not protect. Voice-cloned vishing and deepfake video calls land here too. |
 | T1078 | Valid Accounts | Post-phish credential use. The success metric for the program is "no T1078 follow-on," because every successful T1566 that reaches `p=reject` and FIDO2 still has to traverse credential use. |
 
-Note: `atlas_refs` is intentionally empty — these are ATT&CK Enterprise TTPs against human/email channels, not ATLAS AI-system TTPs. The AI-augmentation angle is handled via cross-reference to `ai-attack-surface`.
+Note: `atlas_refs` is intentionally empty — these are ATT&CK Enterprise TTPs against human/email channels, not ATLAS AI-system TTPs. The AI-augmentation angle is handled via cross-reference to `ai-attack-surface`. The ATT&CK technique IDs above (`T1566`, `T1566.001`, `T1566.002`, `T1566.003`, `T1078`) resolve against `data/attack-techniques.json`; when an investigation crosses into AI-mediated phishing (LLM-generated lures, deepfake video confirmation, voice cloning), cross-reference `data/atlas-ttps.json` for `AML.T0051` (LLM Prompt Injection — relevant when phishing payloads target the LLM-as-classifier instead of the human), `AML.T0024` (Exfiltration via Cyber Means — applicable where compromised mailbox sessions egress data via the message channel itself), and `AML.T0016` (Develop Capabilities — adversary use of public LLM APIs to author hyperpersonalized lures).
 
 ---
 
@@ -138,6 +144,8 @@ The procedure threads three foundational principles per AGENTS.md:
 
 **Cloud-email canonical, on-prem exception** (Rule #9): default scoping assumes Microsoft 365 Exchange Online or Google Workspace Gmail. On-prem Exchange (legacy, regulated enclave, air-gapped) gets an explicit exception path noting which controls (cloud-native sandbox detonation, Microsoft Defender XDR signals, Google Workspace Security Sandbox) have on-prem equivalents and which require compensating controls.
 
+Email-authentication RFCs cited throughout the procedure (`RFC-7489` DMARC, `RFC-6376` DKIM, `RFC-7208` SPF, `RFC-8616` BIMI/AuthIndicators DNS encoding, `RFC-8461` MTA-STS, `RFC-8617` ARC, `RFC-8460` TLSRPT) resolve against `data/rfc-references.json`. The DLP exfil-channel mappings invoked by the gateway-and-egress sub-procedures (`DLP-CHAN-EMAIL-OUT` for outbound message exfil, `DLP-CHAN-LLM-PROMPT` for LLM-prompt-as-egress when users paste mailbox content into AI assistants, `DLP-ENFORCE-BLOCK` for hard-block enforcement on confirmed PHI/PCI patterns) resolve against `data/dlp-controls.json` — these are the canonical IDs to cite when handing off to `dlp-gap-analysis`.
+
 **Ten-step assessment:**
 
 1. **Email authentication posture audit.** For each owned sending domain: pull SPF record, count DNS lookups (≤10), check for `+all` or `?all` (fail open), and check for SPF-flattening or macro-misuse. Pull DKIM selectors and verify key length ≥2048-bit, current rotation cadence. Pull DMARC record and capture policy (`p=`), subdomain policy (`sp=`), `pct=`, `rua=`/`ruf=` aggregate-report destinations, and alignment modes. Pull BIMI record and check VMC/CMC presence. Pull ARC seal status from inbound flow samples. Pull MTA-STS policy and TLSRPT destination.
@@ -192,6 +200,8 @@ Per AGENTS.md, this skill ships on 2026-05-11 and includes the optional 8th sect
 | D3-IOPR (Inbound Operation Restriction) | Restrict inbound operations the message can perform — URL rewriting, click-time re-evaluation, macro neutralization, container-format unpacking, sandbox detonation | Pre-delivery and at click-time | Per-user click policy (privileged users on stricter detonation tier) | No payload is allowed to act on the user's behalf without the gateway's verification | LLM-generated email detection sits here at the gateway-classification layer |
 | D3-MFA (Multi-factor Authentication) | Phishing-resistant authenticator class — FIDO2 / WebAuthn synced passkeys with proper relying-party verification | User authentication layer | Mandatory at 100% for privileged role classes; recovery flow hardened against helpdesk-vishing | Every authentication is verified by possession of the bound authenticator; session tokens are not transferable across origin | Canonical defense — passkeys remove the credential-disclosure win condition that AI-augmented phishing optimizes for |
 
+The D3FEND technique IDs above (`D3-NTA`, `D3-CSPP`, `D3-IOPR`, `D3-MFA`) resolve against `data/d3fend-catalog.json`. Operators producing a defence-in-depth map for an email-security finding should chain: offensive technique (`T1566.*` from `data/attack-techniques.json`, plus AI-augmentation context from `data/atlas-ttps.json`) → missing control (entry in `data/framework-control-gaps.json`) → defensive technique (entry in `data/d3fend-catalog.json`) → DLP enforcement channel (`DLP-CHAN-EMAIL-OUT` / `DLP-CHAN-LLM-PROMPT` from `data/dlp-controls.json`) → wire-level RFC anchor (entry in `data/rfc-references.json`). This is the cross-walk pattern the seven-phase playbook expects when packaging anti-phishing evidence for an auditor or jurisdiction notification.
+
 ---
 
 ## Hand-Off / Related Skills