@blamejs/exceptd-skills 0.13.2 → 0.13.4

package/AGENTS.md

@@ -156,7 +156,7 @@ Cross-cutting playbook `framework` is the natural correlation layer — many pla
 
 | Verb | What it does |
 |---|---|
-| `exceptd brief --all` | Grouped-by-scope summary of all 16 playbooks. `--scope <type>` filters. `--directives` expands directive IDs/titles per playbook. `--flat` for non-grouped. Legacy alias: `exceptd plan` (deprecated, scheduled for removal in v0.13). |
+| `exceptd brief --all` | Grouped-by-scope summary of all 20 playbooks. `--scope <type>` filters. `--directives` expands directive IDs/titles per playbook. `--flat` for non-grouped. `exceptd plan` was removed in v0.13.0; invoking it returns a structured `ok:false` refusal pointing at this command. |
 | `exceptd brief <pb>` | Phase 2 threat-context briefing — threat context, RWEP thresholds, skill chain, token budget, jurisdiction obligations. |
 | `exceptd run <pb> --evidence <file>` | Phases 5-7 (analyze + validate + close) from agent evidence. Auto-detect cwd when no playbook positional. `--vex <file>` drops CycloneDX/OpenVEX `not_affected` CVEs. `--diff-from-latest` for drift mode. `--force-stale` overrides currency hard-block. |
 | `exceptd ai-run <pb>` | Streaming variant of `run` for AI agents; emits phase-by-phase NDJSON. |
@@ -164,12 +164,14 @@ Cross-cutting playbook `framework` is the natural correlation layer — many pla
 | `exceptd ci` | Top-level CI gate for a single playbook with exit-code semantics. Preferred over `run --ci`. |
 | `exceptd discover` | Repo discovery — scans cwd and surfaces matching playbooks + collection hints. |
 | `exceptd ask <pb> <question>` | Read-only Q&A against a playbook's directives, indicators, and threat context. |
-| `exceptd attest diff <sid>` | Replay analyze against a stored evidence bundle for drift detection. `--against <other-sid>` compares two sessions. `--playbook <id>` + `--since <ISO>` accepted with `--latest`. Legacy alias: `exceptd reattest` (deprecated, scheduled for removal in v0.13). |
+| `exceptd attest diff <sid>` | Replay analyze against a stored evidence bundle for drift detection. `--against <other-sid>` compares two sessions. `--playbook <id>` + `--since <ISO>` accepted with `--latest`. `exceptd reattest` remains a short-form alias — preserved (no removal scheduled). |
 | `exceptd attest verify <sid>` | Verify a persisted attestation's signature + evidence hash. |
 | `exceptd attest list` | Inventory `.exceptd/attestations/` — newest first. `--playbook <id>` filters. |
 | `exceptd attest show <sid>` | Print the attestation body. |
-| `exceptd doctor` | Health checks. `--signatures` verifies Ed25519 chains; `--cves` / `--rfcs` check catalog currency; `--fix` repairs recoverable state. |
+| `exceptd doctor` | Health checks. `--signatures` verifies Ed25519 chains; `--cves` / `--rfcs` check catalog currency; `--fix` repairs recoverable state; `--ai-config` audits AI-assistant config-file permissions (`~/.claude`, `~/.cursor`, `~/.codeium`, `~/.aider`, `~/.continue`) and flags sensitive files not at mode `0o600` on POSIX (NEW-CTRL-050). |
 | `exceptd lint` | Skill format lint — frontmatter completeness, required body sections, signature presence. |
+| `exceptd refresh --check-advisories` | Poll 8 primary-source advisory feeds (Qualys TRU, Red Hat RHSA, Ubuntu USN, ZDI, kernel.org commits, oss-security mailing list, JFrog SecOps, CISA current advisories) for CVE IDs at T+0 to T+1 — typically 3-14 days ahead of NVD enrichment. Report-only; emits structured `diffs[]` without mutating the catalog. Route promising IDs through `refresh --advisory <CVE-ID> --apply` to enrich. |
+| `exceptd watchlist` | Default: aggregate every skill's `forward_watch` entries. `--by-skill` inverts grouping. `--alerts` switches to CVE-catalog pattern alerts (5 patterns: `kernel_lpe_with_poc`, `supply_chain_family`, `ai_discovered_kev`, `active_exploitation_unpatched`, `recent_poc_no_kev_yet`); sorts critical-first, then by RWEP. `--org-scan --org <login>` probes GitHub Search for repos matching threat-actor naming patterns ("A Gift From TeamPCP", "Shai-Hulud", "TeamPCP"); custom patterns via repeatable `--pattern <s>`; set `GITHUB_TOKEN` for private-repo + rate-limit headroom (NEW-CTRL-052). |
 
 All verbs support `--help` for per-verb usage. JSON output by default; `--pretty` for indented.
 
@@ -210,6 +212,37 @@ Right: every new CVE triggers a corresponding entry in `zeroday-lessons.json` ma
 
 ---
 
+## New Control Requirements
+
+When a zero-day surfaces a control class no existing framework covers, the learning loop produces a `NEW-CTRL-*` entry under `data/zeroday-lessons.json[<CVE-ID>].new_control_requirements[]`. These are the operator-actionable controls the framework set is missing. The IDs are stable — cite them in skill bodies, in operator reports, and in framework-gap analyses.
+
+Recently added (use the IDs in skill prose and operator briefings; full text in `data/zeroday-lessons.json`):
+
+| ID | Name | Surfacing zero-day | Coverage gap closed |
+|---|---|---|---|
+| `NEW-CTRL-048` | NPM-MAINTAINER-MFA-ENFORCEMENT / KERNEL-EXIT-RACE-CVE-CLASS-MONITORING | `MAL-2026-NODE-IPC-STEALER`, `CVE-2026-46333` | NIST-800-218 SSDF, NIST-800-53 IA-5/AU-2/SI-4, NIS2 Art.21 supply-chain |
+| `NEW-CTRL-049` | LOCKFILE-INTEGRITY-VERIFIED-AT-CI-BOOT / SUID-MINIMIZATION-FOR-KERNEL-LPE-CARRIER-BINARIES | `MAL-2026-NODE-IPC-STEALER`, `CVE-2026-46333` | NIST-800-218 SSDF, EU CRA Art.13, SLSA Build L3, NIST-800-53 CM-6/AC-3 |
+| `NEW-CTRL-050` | AI-ASSISTANT-CONFIG-FILE-PERMISSION-LOCKDOWN | `MAL-2026-SHAI-HULUD-OSS` | NIST-800-53 AC-3/CM-6. Enforced operationally by `exceptd doctor --ai-config`. |
+| `NEW-CTRL-051` | NPM-PUBLISH-TOKEN-WORKSTATION-ISOLATION | `MAL-2026-SHAI-HULUD-OSS` | NIST-800-53 IA-5, NIST-800-218 SSDF PW.4 |
+| `NEW-CTRL-052` | GITHUB-REPO-PATTERN-MONITORING-FOR-EXFIL-CHANNELS | `MAL-2026-SHAI-HULUD-OSS` | NIST-800-53 SI-4. Enforced operationally by `exceptd watchlist --org-scan`. |
+| `NEW-CTRL-053` | MCP-SERVER-CONFIG-ALLOWLIST | `CVE-2026-30623` (Anthropic MCP SDK stdio injection) | NIST AI RMF MEASURE 2.7, OWASP LLM Top 10 2025 LLM05 |
+| `NEW-CTRL-054` | BACKUP-TIER-NETWORK-ISOLATION | `CVE-2025-59389` (QNAP Hyper Data Protector preauth RCE) | ISO-27001-2022 A.8.13, NIS2 Art.21 business-continuity |
+| `NEW-CTRL-055` | SECURITY-TOOL-INTEGRITY-VERIFICATION | `CVE-2025-11837` (QNAP Malware Remover code-injection) | NIST-800-53 SI-3, ISO-27001-2022 A.8.7, PCI-DSS 4.0 §5.1 |
+
+When you cite a `NEW-CTRL-*` ID in a skill body, the lint reads the upstream `zeroday-lessons.json` entry as the authoritative source for the requirement text — do not paraphrase the description in the skill body, link to the ID instead.
+
+---
+
+## Operational threat-intake cadence
+
+The toolkit ships with a `routine: exceptd-threat-intake` (claude.ai remote agent) that runs daily at 14:00 UTC. Sequence: `npm install` → `refresh --check-advisories` (poll the 8 primary-source feeds) → `watchlist --alerts` (5-pattern CVE-class scan) → `refresh --apply` → `refresh --advisory <CVE-ID>` for up to 5 newly-disclosed IDs from the primary-source diff → re-sign + rebuild-indexes if the catalog mutated → commit on `intake/<YYYY-MM-DD>` branch with the full diff in the report.
+
+The routine is operator-managed at <https://claude.ai/code/routines>. Closes the cadence gap between vendor disclosure (T+0) and NVD enrichment (T+10) — operators no longer depend on manual intake to surface ssh-keysign-pwn-class or Shai-Hulud-class events.
+
+When working on a fresh checkout: do not invoke the daily routine ad-hoc — it commits + pushes a branch. For one-off triage, use `exceptd refresh --check-advisories` (report-only) followed by `exceptd refresh --advisory <CVE-ID>` for the specific IDs you want to enrich.
+
+---
+
 ## Skill File Format
 
 Every `skills/*/skill.md` must have this frontmatter:
@@ -375,4 +408,8 @@ Maintainers convert approved requests into skill files. The contributor is credi
 | cloud iam incident, aws account takeover, gcp account takeover, azure account takeover, cross-account assume-role, imds, access key leak, snowflake breach, scim, workload identity | cloud-iam-incident |
 | email security, anti-phishing, dmarc, dkim, spf, bimi, arc, mta-sts, bec, vishing, deepfake phishing | email-security-anti-phishing |
 | age gate, age verification, coppa, cipa, california aadc, uk children's code, kosa, gdpr article 8, dsa article 28, parental consent, csam, child safety, children's online safety | age-gates-child-safety |
-| forward watch, watchlist, upcoming standards, horizon scan | `node orchestrator/index.js watchlist` (add `--by-skill` to invert) |
+| forward watch, watchlist, upcoming standards, horizon scan | `exceptd watchlist` (add `--by-skill` to invert) |
+| CVE alert triage, kernel LPE PoC, supply-chain MAL, active exploitation | `exceptd watchlist --alerts` |
+| github repo pattern scan, Shai-Hulud, TeamPCP, exfil-channel monitoring | `exceptd watchlist --org-scan --org <login>` |
+| AI-assistant config permission audit, ~/.cursor, ~/.claude, ~/.codeium, MCP config lockdown | `exceptd doctor --ai-config` |
+| primary-source advisory polling, Qualys TRU, Red Hat RHSA, Ubuntu USN, ZDI, kernel.org, oss-security, JFrog, CISA | `exceptd refresh --check-advisories` |

package/CHANGELOG.md

@@ -1,5 +1,78 @@
 # Changelog
 
+## 0.13.4 — 2026-05-18
+
+Warning-cleanup pass + catalog hygiene + docs surfacing. The post-v0.13.3 state had ~43 skill lint warnings and 20 cosmetic playbook warnings that operators saw on every predeploy run; this release drives both to zero. README and AGENTS catch up with the v0.13.0 → v0.13.3 operator surface.
+
+### Bugs
+
+**Playbook `_meta.fed_by` is now schema-accepted.** v0.13.0 added the `_meta.fed_by[]` reverse-direction field to every playbook but never updated `lib/schemas/playbook.schema.json`; every playbook surfaced a cosmetic `unexpected property "fed_by"` warning. Schema now declares the field as an array of strings; warning count for `validate-playbooks` drops from 22 → 0. 20/20 playbooks now validate clean without warnings.
+
+**Skill lint cleanup: 43 warnings → 0.** Two categories addressed:
+
+- **Output Format section too short (32 skills):** the lint requires `## Output Format` carry ≥ 20 words of body text. Most skills had the section terminated early because H2 / H1 headings inside example-output code fences were detected as real headings by the lint's heading-finder. Each affected skill now carries 1-2 sentences of explanatory prose between the `## Output Format` heading and the first fenced code block — naming the report shape, the downstream consumers (compliance-theater, framework-gap-analysis, incident-response-playbook, global-grc, CSAF auditor bundles), and the load-bearing fields operators must preserve verbatim. Two skills (`mcp-agent-trust`, `fuzz-testing-strategy`) had analogous heading-collision issues in other sections; same fix pattern.
+
+- **Missing Defensive Countermeasure Mapping section (6 skills):** the section is required for skills with `last_threat_review >= 2026-05-11`. Added to `framework-gap-analysis`, `compliance-theater`, `exploit-scoring`, `policy-exception-gen`, `threat-model-currency`, `zeroday-gap-learn`. Each section ships a 5-10 row table mapping offensive TTPs (ATLAS / ATT&CK) to D3FEND defensive technique IDs (all verified against `data/d3fend-catalog.json`), plus defense-in-depth posture, least-privilege scope, zero-trust posture, and AI-pipeline applicability notes per AGENTS.md Hard Rule #9. Updated `last_threat_review` to `2026-05-18`.
+
+Final lint state: **42/42 skills passing, 0 warnings.**
+
+**2 stuck-draft CVEs removed from catalog.** `MAL-2026-ANTHROPIC-MCP-STDIO` was a `_quarantine: true` duplicate of the verified `CVE-2026-30623` (Anthropic MCP SDK stdio command-injection). `CVE-2026-GTIG-AI-2FA` was a `_draft: true` placeholder for an embargoed/un-assigned CVE id. Both removed. Cross-references updated in `data/exploit-availability.json`, `data/framework-control-gaps.json` (inline text in `NIST-AI-RMF-MEASURE-2.7`), `data/_indexes/chains.json` (regenerated), `data/zeroday-lessons.json`. Catalog state now **38/38 verified, 0 drafts**.
+
+### Features
+
+**README.md catches up with v0.13.0 → v0.13.3 operator surface.** New documentation for: `exceptd watchlist --alerts` (CVE-class pattern matcher; 5 patterns), `exceptd watchlist --org-scan` (GitHub repo-pattern monitoring per NEW-CTRL-052; `--org`, `--pattern`, `GITHUB_TOKEN` env var), `exceptd doctor --ai-config` (file-mode audit per NEW-CTRL-050; walks ~/.claude / ~/.cursor / ~/.codeium / ~/.aider / ~/.continue), `exceptd refresh --check-advisories` (8-feed primary-source poller: Qualys / RHSA / USN / ZDI / kernel-org / oss-security / JFrog / CISA), and the daily scheduled `exceptd-threat-intake` remote agent. Playbook count updated 16 → 20 with the 4 v0.13.0 additions named. Legacy verb table split into "Removed in v0.13.0" (5 verbs) vs "Aliases — still functional, no removal scheduled" (10 verbs). Watchlist now has a first-class CLI block instead of the prior "no replacement yet" stub.
+
+**AGENTS.md catches up.** Two new sections:
+- **New Control Requirements** — table documenting NEW-CTRL-048 through NEW-CTRL-055 with name, surfacing zero-day, and coverage gap closed. Skill bodies should cite the IDs rather than paraphrase the upstream description.
+- **Operational threat-intake cadence** — documents the daily `exceptd-threat-intake` routine, the sequence it runs (`refresh --check-advisories` → `watchlist --alerts` → `refresh --apply` → `refresh --advisory <CVE-ID>` for up to 5 new IDs → PR), and operator instructions for one-off triage.
+
+CLI reference table extended: `exceptd brief --all` row updated 16 → 20 playbooks; `exceptd attest diff <sid>` row updated to describe `reattest` as a preserved short-form alias; `exceptd doctor` row added `--ai-config`; two new rows added for `exceptd refresh --check-advisories` and `exceptd watchlist`. Quick Skill Reference table replaced legacy `node orchestrator/index.js watchlist` invocation with `exceptd watchlist`.
+
+### Internal
+
+- 18 new tests: `tests/v0_13_4-fixes.test.js` (13 pins covering Phases A / C / E), `tests/doctor-ai-config-substantive.test.js` (5 fixture-driven tests, POSIX-only), `tests/watchlist-org-scan-substantive.test.js` (5 envelope-shape tests).
+- Test-count baseline refreshed.
+- Predeploy: 15/15 gates green; both `validate-playbooks` and `lint-skills` now run warning-free.
+
+## 0.13.3 — 2026-05-18
+
+Audit close-out continuation: the items the prior pass marked for follow-up. Workflow hardening, lint enforcement promoted from warning to hard error, two new operator-facing health checks for the Shai-Hulud lesson controls, and 4 more primary-source pollers covering kernel.org / oss-security / JFrog / CISA.
+
+### Security
+
+**`refresh.yml` split into two jobs — `refresh-data` (no write credentials) + `open-pr` (contents:write + pull-requests:write + issues:write scoped to PR creation only).** Pre-split a single `refresh` job carried write capability against the repo throughout the long-running data-parse + prefetch + apply + predeploy sequence; a compromise of any of those steps had repo-write access during the whole run. The new shape scopes write capability to the few-second PR-creation window. Data mutations flow between jobs via an upload-artifact / download-artifact bundle. The `refresh-data` checkout now uses `persist-credentials: false`.
+
+**`lib/lint-skills.js` Hard Rule #1 body-scan flipped from warning to hard error.** v0.13.2 introduced the body-scan as a warning while the 2 pre-existing violations were triaged. Both are now resolved (`CVE-2024-21762` landed in the catalog with full Hard Rule #1 fields; the placeholder `CVE-2026-21370` reference was removed from `cloud-iam-incident`). The body-scan now errors when a skill cites a CVE not in the catalog. Draft references continue to surface as warnings.
+
+### Features
+
+**`exceptd doctor --ai-config` audits AI-assistant config-file permissions.** Implements NEW-CTRL-050 from the MAL-2026-SHAI-HULUD-OSS zeroday-lessons entry. Walks `~/.claude`, `~/.cursor`, `~/.codeium`, `~/.aider`, `~/.continue` for sensitive files (`settings.json`, `mcp.json`, `*.mcp_config.json`, `api_key*`, `*.token`, `*.credentials`) and reports any not at mode 0600 on POSIX. On Windows the mode bits aren't load-bearing; each sensitive file is flagged with an info-level "manual ACL review" note. Opt-in via `--ai-config`; doesn't run as part of the default no-flag doctor pass.
+
+**`exceptd watchlist --org-scan` probes GitHub for threat-actor repo naming patterns.** Implements NEW-CTRL-052 from the MAL-2026-SHAI-HULUD-OSS zeroday-lessons entry. Queries the GitHub Search API for repos matching the canonical Shai-Hulud / TeamPCP patterns ("A Gift From TeamPCP", "Shai-Hulud", "TeamPCP") scoped to `--org <login>`. Custom patterns via repeatable `--pattern <s>`. Set `GITHUB_TOKEN` env var for private-repo coverage and higher rate limit; without it, public-repo search only.
+
+**4 more primary-source advisory pollers.** `lib/source-advisories.js` `FEEDS` grew 4 → 8:
+- `kernel-org` — torvalds/linux master commits atom feed. Catches the CVE-2026-46333 / ssh-keysign-pwn class at T+0, the moment the upstream fix lands. The v0.13.1 post-mortem identified this as the exact venue we missed.
+- `oss-security` — openwall.com `oss-security` mailing list atom feed. Coordinated-disclosure venue; many distro advisories announce CVEs here days before NVD enrichment.
+- `jfrog` — JFrog SecOps research blog feed. npm / PyPI / Maven supply-chain disclosures with CVE assignments (TanStack / Mini Shai-Hulud class).
+- `cisa-current` — CISA cybersecurity advisories feed (federal-vendor coordinated disclosures, separate from KEV which captures only exploited-in-the-wild items).
+
+### Bugs
+
+**`CVE-2024-21762` (Fortinet FortiOS SSL-VPN preauth RCE) added to catalog.** Was cited in skill prose without a backing catalog entry — surfaced by the v0.13.2 Hard Rule #1 body-scan. Full Hard Rule #1 fields (CVSS 9.8, CISA KEV 2024-02-09, public PoC, confirmed mass exploitation across multiple APT clusters, FortiOS patch versions 7.6.2 / 7.4.7 / 7.2.11 / 7.0.17 / 6.4.16). RWEP 85. Includes the 2025-04 follow-up advisory documenting symlink persistence that survives firmware patching.
+
+**`CVE-2026-21370` placeholder reference removed from `skills/cloud-iam-incident/skill.md`.** No record of CVE-2026-21370 in any source; was a class-marker parenthetical for the Azure managed-identity token-replay attack class. Rewritten as "design-class issue, not a single CVE" so the prose still accurately describes the IMDS-token-theft pattern without inventing threat intel.
+
+**12 framework-gap forward-orphan references closed.** Each pre-existing orphan got a real gap entry with theater_test per Hard Rule #6: `CIS-Kubernetes-Benchmark-4.2.13`, `CIS-Kubernetes-Benchmark-5.3`, `CIS-Controls-v8-Control6`, `ISO-27001-2022-A.5.15`, `ISO-27001-2022-A.8.13`, `NIST-800-53-IA-2`, `NIST-AI-RMF-MEASURE-2.7`, `OWASP-ML-Top-10-2023-ML06`, `NIS2-Art21-network-security`, `NIS2-Art21-business-continuity`, `PCI-DSS-4.0-5.1`, `AU-ISM-1808`. Gap catalog 130 → 142 entries; orphan count for `framework-control-gaps.json` is now 0.
+
+**2 empty-`data_deps` skills fixed.** `api-security` and `email-security-anti-phishing` previously had empty `data_deps` because the bodies referenced no catalog file by name. Each now carries 6 catalog references (atlas-ttps, attack-techniques, cwe-catalog / dlp-controls, d3fend-catalog, framework-control-gaps, rfc-references) threaded through the body in 4 new prose passages each. Every cited ID resolves to a real entry in its respective catalog. `last_threat_review` bumped to 2026-05-18.
+
+### Internal
+
+- 8 new tests in `tests/v0_13_3-fixes.test.js` covering all 5 phases.
+- Test-count baseline refreshed to match the new test surface.
+- ADVISORIES_SOURCE test-fixture extended to include the 4 new feeds.
+- `tests/source-advisories.test.js` `FEEDS: exactly N feeds` pin updated 4 → 8.
+
 ## 0.13.2 — 2026-05-18
 
 Audit close-out: the remaining v0.13 deferrals from the original 6-domain audit + the v0.13.1 post-mortem follow-ups. Patch-class — additive across CI hardening, lint enforcement, CLI UX, predeploy gates, catalog data cleanup, and skill metadata.

package/README.md

@@ -30,7 +30,7 @@ This platform surfaces what is actually happening right now. Every skill explici
 
 ## Status
 
-Pre-1.0. Latest release lives on [GitHub Releases](https://github.com/blamejs/exceptd-skills/releases) and on npm as [`@blamejs/exceptd-skills`](https://www.npmjs.com/package/@blamejs/exceptd-skills) with signed npm provenance attestation and Ed25519-signed skill bodies. The package ships 42 skills across kernel LPE, MCP supply chain, AI-as-C2, prompt injection, post-quantum crypto, SBOM integrity, identity-incident response, and 35 other AI/security domains, plus 10 intelligence catalogs (CVE / ATLAS / ATT&CK / CWE / D3FEND / DLP / RFC / framework gaps / global frameworks / zero-day lessons) covering 35 jurisdictions, a CLI for discovery and seven-phase investigation runs (`govern → direct → look → detect → analyze → validate → close`), and a nightly auto-refresh job that pulls KEV / NVD / EPSS / GHSA / OSV / IETF deltas into auto-PRs for editorial review.
+Pre-1.0. Latest release lives on [GitHub Releases](https://github.com/blamejs/exceptd-skills/releases) and on npm as [`@blamejs/exceptd-skills`](https://www.npmjs.com/package/@blamejs/exceptd-skills) with signed npm provenance attestation and Ed25519-signed skill bodies. The package ships 42 skills across kernel LPE, MCP supply chain, AI-as-C2, prompt injection, post-quantum crypto, SBOM integrity, identity-incident response, and 35 other AI/security domains, plus 10 intelligence catalogs (CVE / ATLAS / ATT&CK / CWE / D3FEND / DLP / RFC / framework gaps / global frameworks / zero-day lessons) covering 35 jurisdictions, 20 investigation playbooks (kernel, MCP, AI-API, framework, SBOM, runtime, hardening, secrets, cred-stores, containers, crypto, plus `webhook-callback-abuse`, `cicd-pipeline-compromise`, `identity-sso-compromise`, `llm-tool-use-exfil`, and more), a CLI for discovery and seven-phase investigation runs (`govern → direct → look → detect → analyze → validate → close`), and a nightly auto-refresh job that pulls KEV / NVD / EPSS / GHSA / OSV / IETF deltas plus primary-source advisories (Qualys TRU, Red Hat RHSA, Ubuntu USN, ZDI, kernel.org, oss-security, JFrog, CISA) into auto-PRs for editorial review.
 
 ---
 
@@ -154,6 +154,16 @@ Air-gapped operation: run `exceptd refresh --prefetch` on a connected host, copy
 
 Fresh-disclosure workflow (v0.12.0): the nightly auto-PR job pulls KEV / NVD / EPSS / IETF / **GHSA** (added in v0.12.0) / **OSV** (added in v0.12.10). KEV typically takes days; NVD ~10 days; GHSA fires within hours of disclosure and covers npm + PyPI + Maven + Go + NuGet + …; OSV aggregates the OSSF Malicious Packages dataset (`MAL-*` keys) + Snyk + RustSec + Mageia + Ubuntu USN + Go Vuln DB + PYSEC + UVI on top of GHSA — useful for malicious-package compromises that don't have CVEs yet (`exceptd refresh --advisory MAL-2026-3083`). New IDs land as drafts (`_auto_imported: true`, `_draft: true`) that the catalog validator treats as warnings, not errors — operators get the fresh entry immediately, editorial review (framework gaps, IoCs, ATLAS/ATT&CK refs) follows via `exceptd refresh --curate <ID>`. For "I want this advisory today, not tomorrow": `exceptd refresh --advisory <CVE-or-GHSA-or-MAL-or-SNYK-or-RUSTSEC-ID> --apply`.
 
+Primary-source advisory polling: `exceptd refresh --check-advisories` polls 8 vendor and coordinated-disclosure feeds (Qualys TRU, Red Hat RHSA, Ubuntu USN, Zero Day Initiative, kernel.org commits, oss-security mailing list, JFrog SecOps, CISA current advisories) that publish CVE IDs at T+0 to T+1 — typically 3–14 days ahead of NVD enrichment. The command is report-only: it returns a structured `diffs[]` listing each newly-seen CVE ID with its source attributions and advisory URLs, but does not mutate the catalog. Operators triage the output and route promising IDs through `exceptd refresh --advisory <CVE-ID> --apply`. Pairs naturally with the daily scheduled remote agent below.
+
+CVE-class alert surfacing: `exceptd watchlist --alerts` matches the live `cve-catalog.json` against five operational patterns (`kernel_lpe_with_poc`, `supply_chain_family`, `ai_discovered_kev`, `active_exploitation_unpatched`, `recent_poc_no_kev_yet`) and returns the matches sorted critical-severity-first, then by RWEP. Use as a fast operational triage on a refreshed catalog without scanning every entry by hand.
+
+GitHub repo-pattern monitoring: `exceptd watchlist --org-scan --org <login>` probes GitHub Search for repositories matching known threat-actor naming patterns ("A Gift From TeamPCP", "Shai-Hulud", "TeamPCP") scoped to one org. Custom patterns via repeatable `--pattern <s>`. Implements the canonical detection for the Shai-Hulud / TeamPCP supply-chain framework class — the attacker uses GitHub itself as the exfil channel. Set `GITHUB_TOKEN` for private-repo coverage and rate-limit headroom; public-repo search works without auth.
+
+AI-assistant config-file audit: `exceptd doctor --ai-config` walks `~/.claude`, `~/.cursor`, `~/.codeium`, `~/.aider`, and `~/.continue`, flagging sensitive files (`settings.json`, `mcp.json`, `*.mcp_config.json`, `api_key*`, `*.token`, `*.credentials`) not at mode 0600 on POSIX. On Windows the mode bits aren't load-bearing; each finding is surfaced with an info-level "manual ACL review" note. Catches the AI-config-credential-exfil class that the Shai-Hulud framework targets. Opt-in — does not run as part of the default no-flag `doctor` pass.
+
+Daily scheduled threat intake: a `routine: exceptd-threat-intake` (claude.ai remote agent) runs daily at 14:00 UTC. Sequence: `npm install` → `refresh --check-advisories` → `watchlist --alerts` → `refresh --apply` → `refresh --advisory <CVE-ID>` for up to 5 new CVE IDs from the primary-source feeds → re-sign + rebuild-indexes if the catalog mutated → commit on `intake/<YYYY-MM-DD>` branch with the full diff in the report. Closes the cadence gap that previously left fresh disclosures dependent on operator-triggered intake. Operator-managed at <https://claude.ai/code/routines>.
+
 Optional env vars for higher rate budgets:
 
 | Variable | Purpose |
@@ -270,6 +280,16 @@ exceptd doctor                        One-shot health check.
   --currency                          Only skill currency report.
   --cves                              Only CVE catalog drift check.
   --rfcs                              Only RFC catalog drift check.
+  --ai-config                         Audit AI-assistant config-file permissions
+                                      across ~/.claude, ~/.cursor, ~/.codeium,
+                                      ~/.aider, ~/.continue. Flags sensitive
+                                      files (settings.json, mcp.json,
+                                      *.mcp_config.json, api_key*, *.token,
+                                      *.credentials) not at mode 0600 on POSIX;
+                                      surfaces an info-level "manual ACL review"
+                                      note for each sensitive file on Windows.
+                                      Opt-in; not part of the default doctor
+                                      pass.
 
 exceptd ci                            One-shot CI gate. Exits 2 on detected or
                                       rwep ≥ rwep_threshold.escalate.
@@ -302,12 +322,56 @@ exceptd refresh                       Refresh upstream catalogs + indexes.
   --curate <CVE-ID>                   (v0.12.0) Emit editorial questions + ranked
                                       candidates (ATLAS/ATT&CK/CWE/framework) for
                                       a draft catalog entry.
+  --check-advisories                  Poll 8 primary-source advisory feeds
+                                      (Qualys TRU, Red Hat RHSA, Ubuntu USN,
+                                      ZDI, kernel.org commits, oss-security
+                                      mailing list, JFrog SecOps, CISA current
+                                      advisories) for CVE IDs disclosed at T+0
+                                      to T+1 — days ahead of NVD enrichment.
+                                      Report-only: emits structured diffs[]
+                                      with {cve_id, sources[], advisory_urls[],
+                                      disclosed_at, title}; does NOT mutate the
+                                      catalog. Route promising IDs through
+                                      `refresh --advisory <CVE-ID>` to enrich.
   --indexes-only                      Rebuild data/_indexes/*.json only.
 
-Sources (default = all): kev | epss | nvd | rfc | pins | ghsa (v0.12.0).
-GHSA covers npm, PyPI, Maven, Go, NuGet, etc. New CVE IDs land as drafts
-that the catalog validator treats as warnings, not errors — editorial
-review (framework gaps, IoCs, ATLAS/ATT&CK refs) is still required.
+Sources (default = all): kev | epss | nvd | rfc | pins | ghsa | osv.
+GHSA covers npm, PyPI, Maven, Go, NuGet, etc.; OSV layers Snyk, RustSec,
+Mageia, Ubuntu USN, Go Vuln DB, PYSEC, UVI, plus the OSSF Malicious
+Packages dataset (`MAL-*` keys). New IDs land as drafts that the catalog
+validator treats as warnings, not errors — editorial review (framework
+gaps, IoCs, ATLAS/ATT&CK refs) is still required.
+
+exceptd watchlist                     Default mode: aggregate every skill's
+                                      forward_watch entries (upcoming standards,
+                                      RFC publications, new TTPs to monitor).
+                                      `--by-skill` inverts the grouping.
+  --alerts                            Switch to CVE-catalog pattern alerts.
+                                      Five patterns ship:
+                                        - kernel_lpe_with_poc (high) — kernel
+                                          LPE class with public PoC + blast
+                                          radius >= 25
+                                        - supply_chain_family (high) — MAL-*
+                                          entries or `type: malicious-*`
+                                        - ai_discovered_kev (high) — AI-
+                                          discovered AND CISA KEV-listed
+                                        - active_exploitation_unpatched
+                                          (critical) — confirmed in-the-wild
+                                          + no patch available
+                                        - recent_poc_no_kev_yet (medium) —
+                                          public PoC verified within 14 days,
+                                          not yet KEV-listed
+                                      Sorted critical-severity first, then by
+                                      RWEP descending. JSON or human output.
+  --org-scan --org <login>            Probe GitHub Search for repositories
+                                      matching known threat-actor naming
+                                      patterns ("A Gift From TeamPCP",
+                                      "Shai-Hulud", "TeamPCP") scoped to one
+                                      org. Custom patterns via repeatable
+                                      `--pattern <s>`. Set GITHUB_TOKEN for
+                                      private-repo coverage + higher rate
+                                      limit; without it, public-repo search
+                                      only.
 
 exceptd skill <name>                  Show context for one skill.
 exceptd framework-gap <FW> <ref>      One framework + one CVE/scenario, JSON
@@ -319,31 +383,33 @@ exceptd help                          This help.
 exceptd <verb> --help                 Per-verb usage with flag descriptions.
 ```
 
-### Legacy v0.10.x verbs (deprecated, scheduled for removal in v0.13)
+### Legacy v0.10.x verbs
 
-These still work but emit a one-time deprecation banner per process:
+Five verbs removed in v0.13.0 after deprecation since v0.11.0. Invoking any of these now returns a structured `ok:false` refusal pointing at the replacement; pre-v0.13 scripts must migrate.
 
-| Legacy verb | v0.11.0 replacement |
+| Removed verb | Replacement |
 |---|---|
 | `plan` | `brief --all` |
 | `govern <pb>` | `brief <pb> --phase govern` |
 | `direct <pb>` | `brief <pb> --phase direct` |
 | `look <pb>` | `brief <pb> --phase look` |
+| `ingest` | `run` |
+
+The remaining v0.10.x verbs are aliases — still functional, no banner, no removal scheduled:
+
+| Alias | Canonical |
+|---|---|
 | `scan` | `discover --scan-only` |
 | `dispatch` | `discover` |
 | `currency` | `doctor --currency` |
 | `verify` | `doctor --signatures` |
 | `validate-cves` | `doctor --cves` |
 | `validate-rfcs` | `doctor --rfcs` |
-| `ingest` | `run` |
 | `reattest <sid>` | `attest diff <sid>` |
 | `list-attestations` | `attest list` |
-| `watchlist` | (no replacement yet — kept) |
 | `prefetch` | `refresh --no-network` |
 | `build-indexes` | `refresh --indexes-only` |
 
-Suppress the deprecation banner: `EXCEPTD_DEPRECATION_SHOWN=1`.
-
 ## Invoking a skill from your AI assistant
 
 Once your assistant has loaded `AGENTS.md`, type a trigger phrase or skill name:
@@ -399,7 +465,7 @@ The `agents/` directory ships markdown role cards documenting authoring conventi
 All skills pull from `data/`. Cross-validated against canonical upstream sources via `exceptd refresh` / `exceptd doctor --cves` / `exceptd doctor --rfcs`.
 
 - `cve-catalog.json` — CVE metadata with RWEP scores, CISA KEV status, PoC availability, live-patch info
-- `atlas-ttps.json` — MITRE ATLAS v5.4.0 TTPs with gap flags and exploitation examples
+- `atlas-ttps.json` — MITRE ATLAS v5.4.0 TTPs with gap flags and exploitation examples. Each TTP now carries a `cve_refs[]` back-edge — operators reading an ATLAS entry see the catalogued CVEs that cite it without grepping `cve-catalog.json`. The same back-edge is populated on `attack-techniques.json`, and each playbook carries a `_meta.fed_by[]` reverse field naming the upstream playbooks that chain into it.
 - `framework-control-gaps.json` — Per-framework, per-control: what it was designed for vs. what it misses
 - `exploit-availability.json` — PoC locations, weaponization status, AI-assist factor
 - `global-frameworks.json` — All major global compliance frameworks (35 jurisdictions) with control inventories and lag scores

package/bin/exceptd.js

@@ -5205,16 +5205,24 @@ function cmdDoctor(runner, args, runOpts, pretty) {
 
   // Selective subchecks. If any of the four flags is passed, run only those.
   // If none are passed, run all four plus signing-status.
+  // v0.13.3: --ai-config audits AI-assistant config-file permissions per
+  // NEW-CTRL-050 (from the MAL-2026-SHAI-HULUD-OSS zeroday-lessons entry).
+  // It's a separate flag because the check is opt-in — most operators
+  // don't want their AI-config state probed by default.
   const onlySigs = !!args.signatures;
   const onlyCurrency = !!args.currency;
   const onlyCves = !!args.cves;
   const onlyRfcs = !!args.rfcs;
-  const anySelected = onlySigs || onlyCurrency || onlyCves || onlyRfcs;
+  const onlyAiConfig = !!args["ai-config"];
+  const anySelected = onlySigs || onlyCurrency || onlyCves || onlyRfcs || onlyAiConfig;
   const runSigs = !anySelected || onlySigs;
   const runCurrency = !anySelected || onlyCurrency;
   const runCves = !anySelected || onlyCves;
   const runRfcs = !anySelected || onlyRfcs;
   const runSigning = !anySelected;
+  // --ai-config is opt-in — never runs as part of the default no-flag
+  // doctor pass. Operators ask for it explicitly.
+  const runAiConfig = onlyAiConfig;
 
   const checks = {};
   const issues = [];
@@ -5453,6 +5461,102 @@ function cmdDoctor(runner, args, runOpts, pretty) {
     }
   }
 
+  // v0.13.3 — AI-assistant config-file permission audit per NEW-CTRL-050
+  // (from the MAL-2026-SHAI-HULUD-OSS zeroday-lessons entry). Walks
+  // ~/.claude/, ~/.cursor/, ~/.codeium/, ~/.aider/, ~/.continue/ for
+  // sensitive config files (settings.json, mcp.json, *.mcp_config.json,
+  // api_key*, *.token, *.credentials) and reports any not at mode 0600.
+  // The MAL-2026-SHAI-HULUD-OSS framework reads these files at
+  // unprivileged-process scope; tightening to 0600 forces npm/node-spawned
+  // processes that don't share UID to fail the read.
+  //
+  // Opt-in only — never runs as part of the default no-flag doctor pass.
+  // Operators request it via `exceptd doctor --ai-config`.
+  if (runAiConfig) {
+    const os = require('os');
+    const HOME = os.homedir();
+    const AI_CONFIG_DIRS = [
+      { dir: '.claude', display: '~/.claude' },
+      { dir: '.cursor', display: '~/.cursor' },
+      { dir: '.codeium', display: '~/.codeium' },
+      { dir: '.aider', display: '~/.aider' },
+      { dir: '.continue', display: '~/.continue' },
+    ];
+    // Files within those dirs that warrant the strict-mode check.
+    const SENSITIVE_PATTERNS = [
+      /^settings\.json$/,
+      /^mcp\.json$/,
+      /\.mcp_config\.json$/,
+      /^api_key/,
+      /\.token$/,
+      /\.credentials$/,
+    ];
+    const findings = [];
+    let scannedDirs = 0;
+    let scannedFiles = 0;
+    function walk(absDir, displayRoot, rel) {
+      if (!fs.existsSync(absDir)) return;
+      let entries;
+      try { entries = fs.readdirSync(absDir, { withFileTypes: true }); }
+      catch { return; }
+      for (const e of entries) {
+        const childAbs = path.join(absDir, e.name);
+        const childRel = rel ? rel + '/' + e.name : e.name;
+        if (e.isDirectory()) {
+          walk(childAbs, displayRoot, childRel);
+        } else if (e.isFile()) {
+          scannedFiles++;
+          if (!SENSITIVE_PATTERNS.some((re) => re.test(e.name))) continue;
+          let st;
+          try { st = fs.statSync(childAbs); } catch { continue; }
+          if (process.platform === 'win32') {
+            // Windows POSIX mode bits don't carry meaningful ACL info.
+            // Flag every sensitive file with a manual-review note rather
+            // than emit a noisy permission claim that's likely wrong.
+            findings.push({
+              path: `${displayRoot}/${childRel}`,
+              mode: null,
+              severity: 'info',
+              issue: 'win32_acl_check_not_implemented',
+              hint: 'On Windows the POSIX mode bits are not load-bearing. Use icacls to confirm only the current user has read access. Tracked for v0.14+.',
+            });
+            continue;
+          }
+          const mode = st.mode & 0o777;
+          if ((mode & 0o077) !== 0) {
+            findings.push({
+              path: `${displayRoot}/${childRel}`,
+              mode: '0' + mode.toString(8),
+              severity: 'warn',
+              issue: 'group_or_other_readable',
+              hint: `chmod 600 '${childAbs}'  # NEW-CTRL-050: AI-assistant configs holding MCP tokens / API keys must be 0600 to defeat unprivileged exfil`,
+            });
+          }
+        }
+      }
+    }
+    for (const d of AI_CONFIG_DIRS) {
+      const abs = path.join(HOME, d.dir);
+      if (fs.existsSync(abs)) {
+        scannedDirs++;
+        walk(abs, d.display, '');
+      }
+    }
+    const errorFindings = findings.filter((f) => f.severity === 'warn');
+    checks.ai_config = {
+      ok: errorFindings.length === 0,
+      severity: errorFindings.length > 0 ? 'warn' : 'info',
+      scanned_dirs: scannedDirs,
+      scanned_files: scannedFiles,
+      directories_inspected: AI_CONFIG_DIRS.map((d) => d.display),
+      sensitive_patterns: ['settings.json', 'mcp.json', '*.mcp_config.json', 'api_key*', '*.token', '*.credentials'],
+      findings,
+      platform: process.platform,
+      control_reference: 'NEW-CTRL-050 (MAL-2026-SHAI-HULUD-OSS lesson)',
+    };
+    if (errorFindings.length > 0) issues.push('ai_config');
+  }
+
   // Walk every check and split: errors (severity error/missing/fail) vs warnings
   // (severity warn). all_green is true ONLY when zero errors AND zero warnings.
   const warnList = [];

package/data/_indexes/_meta.json

@@ -1,62 +1,62 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-18T02:23:54.488Z",
+  "generated_at": "2026-05-18T04:13:12.063Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 54,
   "source_hashes": {
-    "manifest.json": "fca4de497211754bbca0e04f91cbc13746bbf05a393b92062810ebf9d1a502a8",
+    "manifest.json": "0d7cc1e5a718515519e81b973126f0fe316ad8252e4c8e04f54934ea575a9b80",
     "data/atlas-ttps.json": "2b021f47355365d1ba59078dfa582397c7a64c2b4ebea4657ea260a66b76daf6",
-    "data/attack-techniques.json": "5c992a3c2974e117ee38b62f7ead36043819880baf23863979b490f19fe5826b",
-    "data/cve-catalog.json": "8ddc5d3f9441334d544df5bc4e34846259f981d15a87dd7bed825e7f2d8b961d",
-    "data/cwe-catalog.json": "4baff0970c17224aef4606598b90d72e09da5e927ee4f46bdbf3e12b2e6247e3",
+    "data/attack-techniques.json": "76461dbec048c5e072435d57e3a04b780e3992dab9f316b1b52608e0a997e355",
+    "data/cve-catalog.json": "4b8c05074744f9e099c776e0f9c3afd2b978fc52d702bc8805c3b5bfecdbafcb",
+    "data/cwe-catalog.json": "4a0036f9ec17af29e0df111ac77b94f8be6a52742bfd89ff3583096d23b75e35",
     "data/d3fend-catalog.json": "a1fc2827ceb344669e148d55197dbf1b0e5b20bcc618e90517639c17d67ee82d",
     "data/dlp-controls.json": "d2406c482dddd30e49203879999dc4b3a7fd4d0494d6a61d86b91ee76415df19",
-    "data/exploit-availability.json": "003a400f5ae5b15527589571679ccdb9b3a62e60073627b5fbdeb2a9fe330a7a",
-    "data/framework-control-gaps.json": "c4b735cac63559b4dad4cccfc97dda57434de4d9bb61a712264131ec3aae8ae6",
+    "data/exploit-availability.json": "ec2656f0d9a893610e27b43eb6035fe9b18e057c9f6dfaac7e7d4959bbcbb795",
+    "data/framework-control-gaps.json": "994bf3203f3a2c80fe21194d00f67ecffa77b80193ba3f4b046e9d38e7b09f0f",
     "data/global-frameworks.json": "9ba563a85f7f8d6c3c957de64945e20925a89d0ed6ea6fc561cf093811acf558",
     "data/rfc-references.json": "e253a548c8a829d178d5aea601e268724b85c936ccbfa51c2e5d80c5f8efe2b0",
-    "data/zeroday-lessons.json": "6e503b75e52c8baea7e3ffaa872a2f7faedc36ca1cf53c8aec07e610c4c4ce07",
-    "skills/kernel-lpe-triage/skill.md": "ae4a0af924d0078ffc6cd051a3ef9fce75a6a3f9c0c15d1c07900ae5faf80502",
-    "skills/ai-attack-surface/skill.md": "dcca7d92a1ab4d1e4c46356b614a138b1c1f79b65a6a290eccf2095d8d443993",
-    "skills/mcp-agent-trust/skill.md": "6821f6d38f6e23bbed953f8f86a279597b0b95a2d0548b5383e851bca7442531",
-    "skills/framework-gap-analysis/skill.md": "3b139eaefbedd36b2379cfe22dceef71e97d0e34404b0009b7afbfe0a8dc39e6",
-    "skills/compliance-theater/skill.md": "a1387c523f7aa2481a199f6288e0152b94aa5a6644600eb39dbb3ea9ee9af6bd",
-    "skills/exploit-scoring/skill.md": "fba9e27722d361cc6ed5992d9aaeaa397598b417fc5a0d6fe0bee2993942e7e8",
-    "skills/rag-pipeline-security/skill.md": "ff07e48918090247aef71def4150b0df372a24bcdaa34eb6e11d246b9e71e1ee",
-    "skills/ai-c2-detection/skill.md": "3da9f549f5c62e6163cddd70c8edccbef7be622d5a45fa89c90c6550e68c6b2e",
-    "skills/policy-exception-gen/skill.md": "a7d886f7fa99a150b040f158b09045ba45e107439315389aea785311b0013395",
-    "skills/threat-model-currency/skill.md": "cf1cc27ae5ae68d336c56d9f3afd950641e1d8d5b9f90b64c2daf00abe92bab0",
-    "skills/global-grc/skill.md": "1dca534cce7612c1d26a7b1bfd088a811081555ecfa25b1f68cff2ca2ba28c98",
-    "skills/zeroday-gap-learn/skill.md": "e26f194880cd6acf46abe31e9348d445e9222c7691e9b9b953662c4a472462f5",
-    "skills/pqc-first/skill.md": "a7131b65d0ceee47887b16679ee4e4b065d32d8751fe59921762388703662913",
-    "skills/skill-update-loop/skill.md": "b6f3bee321833dc18f5624a9be4d28673d22e22018254b0bd1f3690b945073af",
-    "skills/security-maturity-tiers/skill.md": "ed962937c45f3d95f325f231b787d272fe45c4cb91d4c5a2d982493d722c2acf",
-    "skills/researcher/skill.md": "fd441131484dc5af4cd785ded0bac039123e6205483543752cb16fa508460c00",
-    "skills/attack-surface-pentest/skill.md": "0d301beb9fb8e247ec80256a7e647804b5f9a41c7156e5724555ca9f93ccb986",
-    "skills/fuzz-testing-strategy/skill.md": "fb8c261def9e3344b44fd219c209027029e1eddf0e6bee1ecffb2d2176e1585e",
-    "skills/dlp-gap-analysis/skill.md": "1c4e1d7da2421b82f202eaf2c9e21876af34ab5c76ce1359166842ee473f02dd",
-    "skills/supply-chain-integrity/skill.md": "ad69b72f5c5df095f8618b977fbc8f0fbff396eebd4a8448b44c3f93309f63f9",
-    "skills/defensive-countermeasure-mapping/skill.md": "3d0c7ca85f32ee1fe74598889361ef2be16d099fe6e9e8d8c8184b7004306b30",
-    "skills/identity-assurance/skill.md": "4ee7096fd82997c66b0f9e825ea3c04c3aa84768b74e6f668c1a9104104138cf",
-    "skills/ot-ics-security/skill.md": "7423cca19aab1026c07de63279137441018345731d3ee895c474316d432adaa2",
-    "skills/coordinated-vuln-disclosure/skill.md": "0e875953bb8a38a89c8ec5d2a9ef967b12e9a9f166dc9356723f10304fd0535e",
-    "skills/threat-modeling-methodology/skill.md": "cebeba3940320ebc5b44ad2bb7b4cdcda412257c1a6319a1b7379c875ebe8d6a",
-    "skills/webapp-security/skill.md": "f2063eaea3f5ddf0f3d37b41985bf522b682a41f104796b3f0dff611cefd043c",
-    "skills/ai-risk-management/skill.md": "2b611eb8fa4841fdfc3f1dd1ffd504a46c6ecdc654213a955efbabefb6b1db87",
-    "skills/sector-healthcare/skill.md": "a18e11d25524cdbf40df3798f4c2aa3cb51a4db1b088242ea53fa2885e86b64c",
-    "skills/sector-financial/skill.md": "023b5440d614e6b83ba7294219bcac3cdbffd28fdfdd5f0ec23abbeea71b8230",
-    "skills/sector-federal-government/skill.md": "a73c3f36f23c12750d369931b7e3f884edae4a8aef35fc8690d15ef4500c4dd0",
-    "skills/sector-energy/skill.md": "91f00e7a9be2608393ec8cb6d5f0c9828f81b954a12a7c9fd04bd642b9091e09",
+    "data/zeroday-lessons.json": "3d4c18977f2100f200e209dc55331931a5d0adc54af35879fc58f1b43deac56f",
+    "skills/kernel-lpe-triage/skill.md": "08b3e9815ba481c57c80f5fc0ccbf5bb7cbb41f570c235ba6ff9596b8c07354d",
+    "skills/ai-attack-surface/skill.md": "d1361c53c8360999e1ec6a403bcbfaa53d0afc11689e8781d26081196dd079d4",
+    "skills/mcp-agent-trust/skill.md": "19a6b54375808e59143070011328d8c936836845bca4a484108738bbef290694",
+    "skills/framework-gap-analysis/skill.md": "04e841fc426f92f20c254497b3b92b54d603062a0e6a617f3e9d607d6115c097",
+    "skills/compliance-theater/skill.md": "42babdc846b3e91af6be4698c7b5e876d9dd5cdb214d1aa2b4faceb6773e4ed1",
+    "skills/exploit-scoring/skill.md": "9f50b4d52c470d5616fc1626589843a5b2602d209436ded08cc9cc9885df770c",
+    "skills/rag-pipeline-security/skill.md": "4a64b4bc317141a219bcba40593f1994f791103381fd91c17ce23d06b0f6bc4e",
+    "skills/ai-c2-detection/skill.md": "490511ad517a0c3ad64f6a951c36cffb3109fed2c5da6376b5efc50e799e02a9",
+    "skills/policy-exception-gen/skill.md": "1e758322d74386f5c48d5bf5d7a4b4adfcef29553aca6d7c610845953beb8228",
+    "skills/threat-model-currency/skill.md": "38dc4369132fd199d10cebf3287ed8e35ffb0cf3eefbb98ec17d57027a5df7f1",
+    "skills/global-grc/skill.md": "57ca729034e9d33c527d869c1c4aa82fe37e496878a3cbcd9e5043cb62b7105d",
+    "skills/zeroday-gap-learn/skill.md": "adcb681f90ab3c58a98c7935fd8bad102d7ed16b6db6235661483ec1be6cf410",
+    "skills/pqc-first/skill.md": "07b38278b60d2437603a541c1ee954999abfe3a192f94b43cd384023738a0c1f",
+    "skills/skill-update-loop/skill.md": "eb67e2466230e143784b6e741c6ce7ea3e0c0e4385e5ab21b81b8de04f0168e2",
+    "skills/security-maturity-tiers/skill.md": "c1e699e4d48a7f89c32fbc9f2fe64c721a61603624eb93afae7148348cc4637d",
+    "skills/researcher/skill.md": "959aeba706eea43a69136561968d7942dcd981d0a6c3da7db47673c51943b6df",
+    "skills/attack-surface-pentest/skill.md": "e845c4e08adef038888a025bf920a042c851df41ca53f41aa5fc11ec02a37fbb",
+    "skills/fuzz-testing-strategy/skill.md": "1088d1ef5a0b4b2e50b356e3ff766a3ba6c66ba3435caf394d7c9c493d45b17e",
+    "skills/dlp-gap-analysis/skill.md": "6aa0960d85465006cdffcce3478dc790a14fd1cc95c73e124d5809836c26a4c4",
+    "skills/supply-chain-integrity/skill.md": "aea9c61c09e1ec714e129a6000d7b91ddbc74db52a64aa8bc95d3c698bf4ece6",
+    "skills/defensive-countermeasure-mapping/skill.md": "331a0248dd8ed3b509b759c41a9a4d6d8d6dc67fb732ad31d1a4c2d9a0865054",
+    "skills/identity-assurance/skill.md": "f3c29ce17aaa426b65b58238e5bc9ccabcda23a8d350e597840e5d6d664aa102",
+    "skills/ot-ics-security/skill.md": "33d3d82c87ed8708839f5211bb7b59a924c2e3d9c5d915dc2cc101c53176145e",
+    "skills/coordinated-vuln-disclosure/skill.md": "6c85b8761e557069ae0623400a2218a81356e5426f0a4e3ddebdc2a569735c9b",
+    "skills/threat-modeling-methodology/skill.md": "ba175224737571f9c6148e4cbe47b9ebaa762592cc659b7fb2cf0e9a6b3679c0",
+    "skills/webapp-security/skill.md": "135ca1cd01476b4df9ba7fbba2f194d0cac521480b51d479d60045d9abfc0350",
+    "skills/ai-risk-management/skill.md": "686f53c2aee3a44108d1fa3e5f52fc7d971edc00946cfc1f082e4658af25fddc",
+    "skills/sector-healthcare/skill.md": "9f3164def71c1f6f78b074ffc452bd02d8b71b313f2feb1554289bd5a099b4e9",
+    "skills/sector-financial/skill.md": "4c4c6fb95c6c2fd6cad3fec8ab8e08076fd4ddfa89ad5f00de017e546e01044d",
+    "skills/sector-federal-government/skill.md": "91e3eecdc18d108c669d49db1221ac89041a43c8294c8be65d4397cd149d75d0",
+    "skills/sector-energy/skill.md": "efc7681d62b23aaad277e9018687362717bb1fcfb29d7ada844dfb7196870c78",
     "skills/sector-telecom/skill.md": "59193e39c2fd73fdd7fede38a956bc730bbe4b712d7d6020788bb4d85f001ad8",
-    "skills/api-security/skill.md": "2bdfa3dbe534efa3df245e0da37998ad7ab2da4a3171d5000d3346513c10bceb",
-    "skills/cloud-security/skill.md": "c9fad9ed3663cf2faec74ad8f06d62eb86e6636f79933560d8c8d50e0e82d1da",
-    "skills/container-runtime-security/skill.md": "605a8e8eb1af09835b967ec7179456015ec116c6b9051af3a8d225866cc2f7af",
-    "skills/mlops-security/skill.md": "72429f05010accbcb191cb1544f1b88493c2f5249362846e5713ec3226b83dc2",
+    "skills/api-security/skill.md": "8a79a28b7b1c3088672bc09017a0d2481e45fb1c0f89768e87642268b62d4808",
+    "skills/cloud-security/skill.md": "84844b369f3195eae06115b392b4ceb41d96c1b3fda254f82c37cd8165858e7f",
+    "skills/container-runtime-security/skill.md": "d608fc7cc9e7c89640101078623490596b1610f7020eecde0d696e5c5084f932",
+    "skills/mlops-security/skill.md": "44fc3a4a6118e764a4bef840358c98d01b87f6e47bac9dd88e2df7633573414a",
     "skills/incident-response-playbook/skill.md": "2017515d899c1b2bcb878bc6731e4059623ac52345b2cebbd92204583657bf60",
     "skills/ransomware-response/skill.md": "2e4fc488f86ed1ba7791ab0e7021160d8ca5ad33a02cdf92a5b916c8afecaa54",
-    "skills/email-security-anti-phishing/skill.md": "82af58b98bd808c0c6ec92554d89948378702465504db1113fc462a96366a601",
-    "skills/age-gates-child-safety/skill.md": "51295c849bcced965b6448eb6b4bbd5caef5ba0b0cea7ce48abbacf47d331621",
-    "skills/cloud-iam-incident/skill.md": "6494ee3856edeb212e65fe5cdb208357c1a832eb8ac374b26055586bfc71f629",
+    "skills/email-security-anti-phishing/skill.md": "250f266908f51f99a4cb3aec0d5dacfcf91fac9f3d95e5a117429a40ed2ff45a",
+    "skills/age-gates-child-safety/skill.md": "51ffbbc0743daa26d6c7fe55ff6ec223dccb2087ddca981e06ab7133230e9ec5",
+    "skills/cloud-iam-incident/skill.md": "5ec3800a0049b2123aff67bfab4ff28491a86d2daeb712283e5e88b10c3d5d7b",
     "skills/idp-incident-response/skill.md": "e67a2576e7f1c3bf89f499f5c977bc470ef29e8b3e3e45f4cb5bd45a82674282"
   },
   "skill_count": 42,
@@ -78,7 +78,7 @@
     "handoff_dag_nodes": 42,
     "summary_cards": 42,
     "section_offsets_skills": 42,
-    "token_budget_total_approx": 403351,
+    "token_budget_total_approx": 416983,
     "recipes": 8,
     "jurisdiction_clocks": 29,
     "did_ladders": 8,

package/data/_indexes/activity-feed.json

@@ -55,7 +55,7 @@
       "artifact": "data/exploit-availability.json",
       "path": "data/exploit-availability.json",
       "schema_version": "1.1.0",
-      "entry_count": 30
+      "entry_count": 28
     },
     {
       "date": "2026-05-15",
@@ -63,7 +63,7 @@
       "artifact": "data/framework-control-gaps.json",
       "path": "data/framework-control-gaps.json",
       "schema_version": "1.0.0",
-      "entry_count": 130
+      "entry_count": 142
     },
     {
       "date": "2026-05-15",
@@ -102,7 +102,7 @@
       "artifact": "data/cve-catalog.json",
       "path": "data/cve-catalog.json",
       "schema_version": "1.0.0",
-      "entry_count": 39
+      "entry_count": 38
     },
     {
       "date": "2026-05-13",