@blamejs/exceptd-skills 0.13.2 → 0.13.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (64)
  1. package/AGENTS.md +41 -4
  2. package/CHANGELOG.md +73 -0
  3. package/README.md +79 -13
  4. package/bin/exceptd.js +105 -1
  5. package/data/_indexes/_meta.json +47 -47
  6. package/data/_indexes/activity-feed.json +3 -3
  7. package/data/_indexes/catalog-summaries.json +3 -3
  8. package/data/_indexes/chains.json +125 -32
  9. package/data/_indexes/frequency.json +12 -0
  10. package/data/_indexes/handoff-dag.json +127 -57
  11. package/data/_indexes/section-offsets.json +541 -487
  12. package/data/_indexes/summary-cards.json +34 -34
  13. package/data/_indexes/token-budget.json +329 -299
  14. package/data/attack-techniques.json +2 -0
  15. package/data/cve-catalog.json +99 -146
  16. package/data/cwe-catalog.json +1 -0
  17. package/data/exploit-availability.json +0 -27
  18. package/data/framework-control-gaps.json +409 -0
  19. package/data/zeroday-lessons.json +71 -89
  20. package/lib/lint-skills.js +17 -13
  21. package/lib/schemas/playbook.schema.json +5 -0
  22. package/lib/source-advisories.js +26 -0
  23. package/manifest.json +82 -82
  24. package/orchestrator/index.js +147 -2
  25. package/package.json +1 -1
  26. package/sbom.cdx.json +61 -61
  27. package/skills/age-gates-child-safety/skill.md +2 -0
  28. package/skills/ai-attack-surface/skill.md +2 -0
  29. package/skills/ai-c2-detection/skill.md +2 -0
  30. package/skills/ai-risk-management/skill.md +2 -0
  31. package/skills/api-security/skill.md +16 -4
  32. package/skills/attack-surface-pentest/skill.md +2 -0
  33. package/skills/cloud-iam-incident/skill.md +1 -1
  34. package/skills/cloud-security/skill.md +2 -0
  35. package/skills/compliance-theater/skill.md +28 -2
  36. package/skills/container-runtime-security/skill.md +2 -0
  37. package/skills/coordinated-vuln-disclosure/skill.md +1 -1
  38. package/skills/defensive-countermeasure-mapping/skill.md +2 -0
  39. package/skills/dlp-gap-analysis/skill.md +2 -0
  40. package/skills/email-security-anti-phishing/skill.md +14 -4
  41. package/skills/exploit-scoring/skill.md +30 -1
  42. package/skills/framework-gap-analysis/skill.md +28 -1
  43. package/skills/fuzz-testing-strategy/skill.md +4 -2
  44. package/skills/global-grc/skill.md +2 -0
  45. package/skills/identity-assurance/skill.md +2 -0
  46. package/skills/kernel-lpe-triage/skill.md +2 -0
  47. package/skills/mcp-agent-trust/skill.md +4 -0
  48. package/skills/mlops-security/skill.md +2 -0
  49. package/skills/ot-ics-security/skill.md +2 -0
  50. package/skills/policy-exception-gen/skill.md +28 -1
  51. package/skills/pqc-first/skill.md +2 -0
  52. package/skills/rag-pipeline-security/skill.md +2 -0
  53. package/skills/researcher/skill.md +2 -0
  54. package/skills/sector-energy/skill.md +2 -0
  55. package/skills/sector-federal-government/skill.md +2 -0
  56. package/skills/sector-financial/skill.md +2 -0
  57. package/skills/sector-healthcare/skill.md +2 -0
  58. package/skills/security-maturity-tiers/skill.md +2 -0
  59. package/skills/skill-update-loop/skill.md +2 -0
  60. package/skills/supply-chain-integrity/skill.md +2 -0
  61. package/skills/threat-model-currency/skill.md +37 -1
  62. package/skills/threat-modeling-methodology/skill.md +2 -0
  63. package/skills/webapp-security/skill.md +2 -0
  64. package/skills/zeroday-gap-learn/skill.md +33 -1
@@ -21,7 +21,7 @@ framework_gaps:
21
21
  - ALL-PROMPT-INJECTION-ACCESS-CONTROL
22
22
  - FedRAMP-Rev5-Moderate
23
23
  - CMMC-2.0-Level-2
24
- last_threat_review: "2026-05-17"
24
+ last_threat_review: "2026-05-18"
25
25
  ---
26
26
 
27
27
  # Compliance Theater Detection
@@ -34,7 +34,7 @@ This skill identifies the specific, testable conditions where audit-passing cont
34
34
 
35
35
  ## Frontmatter Scope
36
36
 
37
- The `atlas_refs` and `attack_refs` arrays are intentionally empty. This skill is a meta-analysis that correlates findings *across* every other playbook and skill in the project — it has no native TTP attachment because its input is the existing TTP-to-control evidence base produced elsewhere. The `framework_gaps` array is populated because each theater pattern below points at specific named controls (FedRAMP-Rev5-Moderate, CMMC-2.0-Level-2, and the two ALL- gaps) whose mid-2026 inadequacy is the skill's primary subject. Defensive Countermeasure Mapping is not present as a body section because this skill produces a *coverage-gap* output, not a defensive-control prescription the D3FEND mapping is the responsibility of the downstream skills the gap-findings route into.
37
+ The `atlas_refs` and `attack_refs` arrays are intentionally empty. This skill is a meta-analysis that correlates findings *across* every other playbook and skill in the project — it has no native TTP attachment because its input is the existing TTP-to-control evidence base produced elsewhere. The `framework_gaps` array is populated because each theater pattern below points at specific named controls (FedRAMP-Rev5-Moderate, CMMC-2.0-Level-2, and the two ALL- gaps) whose mid-2026 inadequacy is the skill's primary subject. The Defensive Countermeasure Mapping below is a *routing table* rather than a defensive-control prescription for each theater pattern, it names which downstream skill owns the canonical D3FEND mapping. This skill produces theater findings; the cited downstream skill produces the technique-level remediation.
38
38
 
39
39
  ---
40
40
 
@@ -325,6 +325,8 @@ For each relevant theater pattern:
325
325
 
326
326
  ## Output Format
327
327
 
328
+ The skill produces a structured Compliance Theater Assessment that scores each of the seven theater patterns and surfaces the auditor-facing remediation language for any flagged pattern. The shape below is consumed downstream by `policy-exception-gen` (which converts theater flags into defensible exceptions with concrete compensating controls), by `framework-gap-analysis` (which escalates any newly discovered theater pattern into a Framework Lag Declaration), and by `global-grc` (which rolls up theater findings across EU/UK/AU/ISO jurisdictions per Hard Rule #5). Auditor-facing remediation language is the load-bearing field — preserve the wording so corrective-action plans can copy it verbatim.
329
+
328
330
  ```
329
331
  ## Compliance Theater Assessment
330
332
 
@@ -380,3 +382,27 @@ Applied at the level of the seven theater patterns:
380
382
  | 7 Security Awareness (AI phishing) | AI-generated content proportion in last 3 phishing simulations + phishing-resistant MFA deployment | Zero AI-generated simulation content or SMS/TOTP-only MFA |
381
383
 
382
384
  The output is consumed by policy-exception-gen (to convert theater flags into defensible exceptions with real compensating controls), framework-gap-analysis (to escalate any newly discovered theater pattern into a Framework Lag Declaration), and global-grc (to roll up theater findings across EU/UK/AU/ISO jurisdictions per Hard Rule #5).
385
+
386
+ ---
387
+
388
+ ## Defensive Countermeasure Mapping
389
+
390
+ This skill produces theater findings, not control prescriptions. The mapping below routes each of the seven theater patterns to the D3FEND technique that closes the gap, and to the downstream skill that owns the canonical implementation guidance for that technique. Operators converting a theater flag into a remediation plan should consume the cited downstream skill rather than reading the D3FEND ID in isolation — the downstream skill carries the AI-pipeline applicability notes, least-privilege scoping, and zero-trust deployment posture for each technique.
391
+
392
+ | Theater pattern | Offensive TTP class | D3FEND ID | Defensive technique | Owning downstream skill |
393
+ |---|---|---|---|---|
394
+ | 1 Patch Management (CISA KEV SLA breach) | T1068 (Exploitation for Privilege Escalation) | `D3-KBPI` + `D3-SCA` | Kernel-Based Process Isolation + System Call Analysis | `kernel-lpe-triage` |
395
+ | 2 Network Segmentation (IPsec compromised subsystem) | T1190 (Exploit Public-Facing Application) | `D3-NI` | Network Isolation (non-IPsec data path) | `framework-gap-analysis` (SC-8 / SC-28 lag) |
396
+ | 3 Access Control (AI agent prompt injection) | AML.T0051 (LLM Prompt Injection) | `D3-IOPR` + `D3-CSPP` | Input/Output Profiling + Client-server Payload Profiling | `ai-attack-surface` |
397
+ | 4 Incident Response (AI-specific playbook absence) | AML.T0096 (LLM Integration Abuse — C2), AML.T0051 | `D3-NTA` + `D3-IOPR` | Network Traffic Analysis + Input/Output Profiling | `ai-c2-detection` + `incident-response-playbook` |
398
+ | 5 Change Management (Model version drift) | AML.T0018 (Backdoor ML Model), AML.T0020 (Poison Training Data) | `D3-FAPA` + `D3-EFA` | File Access Pattern Analysis + Executable File Analysis | `mlops-security` |
399
+ | 6 Vendor Management (AI APIs + MCP servers without DPA) | AML.T0010 (ML Supply Chain Compromise) | `D3-EAL` + `D3-EFA` | Executable Allowlisting + Executable File Analysis | `mcp-agent-trust` + `supply-chain-integrity` |
400
+ | 7 Security Awareness (AI-generated phishing absent from simulations) | AML.T0016 (Develop Capabilities — payload generation), T1566 (Phishing) | `D3-MFA` + `D3-CSPP` | Multi-factor Authentication (passkey class) + Client-server Payload Profiling (gateway) | `email-security-anti-phishing` + `identity-assurance` |
401
+
402
+ **Defense-in-depth posture:** every theater finding produced by this skill must cite the downstream skill that owns the remediation. A theater finding with no routing target is incomplete — the operator receives a gap with no closure path. Where a theater pattern names multiple D3FEND techniques, the downstream skill is the authority on which combinations satisfy defence-in-depth for the operator's environment.
403
+
404
+ **Least-privilege scope:** the downstream-skill citation is the boundary. This skill does not re-scope D3FEND techniques per principal class — that scoping is owned by the cited downstream skill's own Defensive Countermeasure Mapping section, which is authoritative for principal-class breakdowns (human developer ≠ agent identity ≠ MCP server ≠ model-serving process).
405
+
406
+ **Zero-trust posture:** a theater flag closes only when the downstream skill's recommended D3FEND technique is deployed, monitored, and tested against the cited offensive TTP — not when a policy document is updated. The Compliance Theater Assessment output (per the Output Format section) must record both the theater finding and the downstream-skill remediation target; auditors converting the finding into a corrective action plan use the downstream skill's verification tests, not this skill's detection tests.
407
+
408
+ **AI-pipeline applicability (per AGENTS.md Hard Rule #9):** AI-pipeline degradations for each technique (serverless inference endpoints, ephemeral RAG indices) are documented in the cited downstream skill, not duplicated here. This skill's theater-finding format is unchanged across AI and non-AI pipelines — the AI specificity lives in the routing target.
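Review bot: the D3FEND technique names in the routing table should be pulled from `data/d3fend-catalog.json` rather than typed by hand, because they do not agree with the other mappings added in this same release: D3-IOPR is rendered "Input/Output Profiling" here, "Input/Output Profiling Resource" in the framework-gap-analysis mapping and "Inbound Operation Restriction" in the email-security table, and in the public D3FEND ontology D3-IOPR is IO Port Restriction (an Execution Isolation technique) while D3-EFA is Emulated File Analysis, not "Executable File Analysis". If the catalog carries different names the table must match the catalog; if it does not, the ID chosen for prompt/completion inspection in rows 3, 4 and 7 needs revisiting, since an IO-port restriction is not a content-inspection control and D3-CSPP alone may be the honest citation. Two smaller points: row 7 labels AML.T0016 "Develop Capabilities", but in ATLAS AML.T0016 is Obtain Capabilities and Develop Capabilities is AML.T0017; and the posture paragraphs use both "Defense-in-depth" and "defence-in-depth" within a few lines, so settle on one spelling.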
@@ -245,6 +245,8 @@ Containers are ephemeral by design: pods die, nodes are replaced, log file paths
245
245
 
246
246
  ## Output Format
247
247
 
248
+ The skill produces a Container + Kubernetes Runtime Security Posture Assessment covering per-cluster CIS Kubernetes Benchmark coverage, NSA / CISA Kubernetes Hardening Guide alignment, admission-control (Kyverno / OPA / Gatekeeper) policy maturity, runtime detection (Falco / Tetragon) coverage, sandboxing (gVisor / Kata) deployment, and the prioritized remediation roadmap. The shape below is consumed downstream by `cloud-security` (for the cloud-tier IAM and KMS dependencies), by `supply-chain-integrity` (for image provenance), and by `compliance-theater` (which compares deployed admission-control coverage against PCI / FedRAMP claims). Preserve the per-cluster benchmark-coverage rows verbatim — they are the auditable evidence chain.
249
+
248
250
  Produce this structure verbatim:
249
251
 
250
252
  ```
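Review bot: "Kyverno / OPA / Gatekeeper" lists OPA twice in effect, since Gatekeeper is the Kubernetes admission controller built on OPA; write "Kyverno / OPA Gatekeeper" so a reader does not go looking for a third engine. The paragraph's closing instruction ("Preserve the per-cluster benchmark-coverage rows verbatim") also overlaps with the existing "Produce this structure verbatim:" line directly below it; one of the two is enough.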
@@ -255,7 +255,7 @@ Per ISO 30111 §5 (continual improvement) and NIST 800-218 SSDF RV.2 (assess, pr
255
255
 
256
256
  ## Output Format
257
257
 
258
- The skill produces seven artifacts per program assessment:
258
+ The skill produces seven artifacts per program assessment: an ISO 29147-shaped CVD policy text, a `security.txt` file, an ISO 30111-mapped triage workflow, a CSAF 2.0 advisory template, the safe-harbor language, the bug-bounty scope statement, and the jurisdiction-specific disclosure-clock table (EU CRA / NIS2, US, UK, AU, JP, SG). Each artifact is consumed by a different downstream operator: legal review for safe harbor, vendor PSIRT for CSAF, web ops for `security.txt`, executive risk owner for the disclosure-clock table.
259
259
 
260
260
  ### 1. CVD Policy Text (ISO 29147 template)
261
261
 
@@ -201,6 +201,8 @@ Zero-trust-compliant defense maps to controls that verify per request. Implicit-
201
201
 
202
202
  ## Output Format
203
203
 
204
+ The skill produces a Defensive Countermeasure Map per input (CVE ID, ATLAS / ATT&CK TTP, threat-actor profile, or framework gap), pairing each offensive technique with the D3FEND defensive technique that disrupts it and the deployment layer that owns it. The shape below is consumed downstream by `framework-gap-analysis` (which wraps the map into Framework Lag Declarations), by `policy-exception-gen` (which converts the map into compensating-control language for defensible exceptions), and by every per-domain skill's own Defensive Countermeasure Mapping section. Preserve the D3FEND IDs verbatim — they are the auditable reference into `data/d3fend-catalog.json`.
205
+
204
206
  ```
205
207
  # Defensive Countermeasure Map — <input>
206
208
 
@@ -243,6 +243,8 @@ Apply the three concrete tests in the Compliance Theater Check section. Any fail
243
243
 
244
244
  ## Output Format
245
245
 
246
+ The skill produces a DLP Gap Analysis covering per-channel coverage (email, web, endpoint, cloud-storage, LLM-prompt, RAG-retrieval), policy enforcement evidence, and the prioritized roadmap to close LLM/RAG exfiltration channels that traditional DLP misses. The shape below is consumed downstream by `ai-attack-surface` (which integrates the LLM-prompt and RAG-retrieval gaps), by `email-security-anti-phishing` (which inherits the email-egress channel findings), and by `compliance-theater` (which compares the deployed DLP channels against the org's claimed data-protection compliance). Preserve the per-channel coverage rows verbatim — they are the auditable map of where DLP enforcement actually fires.
247
+
246
248
  ```
247
249
  ## DLP Gap Analysis
248
250
 
@@ -20,7 +20,13 @@ triggers:
20
20
  - deepfake phishing
21
21
  - ai phishing
22
22
  - secure email gateway
23
- data_deps: []
23
+ data_deps:
24
+ - atlas-ttps.json
25
+ - attack-techniques.json
26
+ - d3fend-catalog.json
27
+ - dlp-controls.json
28
+ - framework-control-gaps.json
29
+ - rfc-references.json
24
30
  atlas_refs: []
25
31
  attack_refs:
26
32
  - T1566
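Review bot: `data_deps` now declares `atlas-ttps.json`, yet `atlas_refs: []` two lines below stays empty, and the body text later in this diff both cross-references AML.T0051, AML.T0024 and AML.T0016 and says the empty array is intentional. Pick one: list the ATLAS IDs the skill actually cites in `atlas_refs`, or keep the array empty, drop `atlas-ttps.json` from `data_deps`, and resolve those IDs through the `ai-attack-surface` cross-reference the body already points to. A declared data dependency that the frontmatter claims not to use is exactly the mismatch `lib/lint-skills.js` should catch.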
@@ -47,7 +53,7 @@ d3fend_refs:
47
53
  - D3-CSPP
48
54
  - D3-IOPR
49
55
  - D3-MFA
50
- last_threat_review: "2026-05-11"
56
+ last_threat_review: "2026-05-18"
51
57
  discovery_mode: "standalone" # v0.13.2: operator-reached via `exceptd brief email-security-anti-phishing` or `exceptd ask`; not chained into any playbook's direct.skill_chain by design
52
58
  ---
53
59
 
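Review bot: the `discovery_mode` comment still reads "v0.13.2: operator-reached via ..." while `last_threat_review` moves to 2026-05-18 in the same hunk and the package is now 0.13.4; if the standalone status was re-confirmed in this review, update the version tag in the comment (or drop it) so it does not read as stale.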
@@ -89,7 +95,7 @@ Phishing remained the #1 initial-access vector through 2025 (Verizon DBIR 2025)
89
95
  | IN CERT-In | Phishing guidance and 6-hour incident reporting rule | Reporting requirement is firm; control specifications lag. |
90
96
  | NYDFS | 23 NYCRR 500.14 (training and monitoring) | Annual phishing-aware training required; does not specify FIDO2, DMARC `p=reject`, or deepfake-aware procedures. |
91
97
 
92
- Per AGENTS.md Rule #5, this analysis spans EU + UK + AU + JP + IL + SG + IN + NYDFS alongside NIST and ISO.
98
+ Per AGENTS.md Rule #5, this analysis spans EU + UK + AU + JP + IL + SG + IN + NYDFS alongside NIST and ISO. Each framework-gap ID in `framework_gaps` (`NIST-800-53-SI-3`, `ISO-27001-2022-A.8.16`, `SOC2-CC7-anomaly-detection`, `NIS2-Art21-incident-handling`, `UK-CAF-C1`, `AU-Essential-8-App-Hardening`) resolves against `data/framework-control-gaps.json` — operators producing a per-control evidence pack should pull the canonical lag rationale from that catalog rather than transcribing the table above.
93
99
 
94
100
  ---
95
101
 
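Review bot: the new sentence says each `framework_gaps` ID resolves against `data/framework-control-gaps.json`, but the six IDs listed (`NIST-800-53-SI-3`, `ISO-27001-2022-A.8.16`, `SOC2-CC7-anomaly-detection`, `NIS2-Art21-incident-handling`, `UK-CAF-C1`, `AU-Essential-8-App-Hardening`) cover only NIST, ISO, SOC 2, NIS2, UK and AU, while the preceding sentence and the table above also claim JP, IL, SG, IN CERT-In and NYDFS 500.14. Either add catalog entries and frontmatter IDs for those jurisdictions, or state that the table rows without an ID have no catalog entry yet, so the "per-control evidence pack" guidance does not send operators to look up IDs that do not exist.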
@@ -103,7 +109,7 @@ Per AGENTS.md Rule #5, this analysis spans EU + UK + AU + JP + IL + SG + IN + NY
103
109
  | T1566.003 | Spearphishing via Service | LinkedIn DMs, Teams chat, Slack DMs, SMS, WhatsApp — all email-adjacent channels that DMARC/DKIM/SPF do not protect. Voice-cloned vishing and deepfake video calls land here too. |
104
110
  | T1078 | Valid Accounts | Post-phish credential use. The success metric for the program is "no T1078 follow-on," because every successful T1566 that reaches `p=reject` and FIDO2 still has to traverse credential use. |
105
111
 
106
- Note: `atlas_refs` is intentionally empty — these are ATT&CK Enterprise TTPs against human/email channels, not ATLAS AI-system TTPs. The AI-augmentation angle is handled via cross-reference to `ai-attack-surface`.
112
+ Note: `atlas_refs` is intentionally empty — these are ATT&CK Enterprise TTPs against human/email channels, not ATLAS AI-system TTPs. The AI-augmentation angle is handled via cross-reference to `ai-attack-surface`. The ATT&CK technique IDs above (`T1566`, `T1566.001`, `T1566.002`, `T1566.003`, `T1078`) resolve against `data/attack-techniques.json`; when an investigation crosses into AI-mediated phishing (LLM-generated lures, deepfake video confirmation, voice cloning), cross-reference `data/atlas-ttps.json` for `AML.T0051` (LLM Prompt Injection — relevant when phishing payloads target the LLM-as-classifier instead of the human), `AML.T0024` (Exfiltration via Cyber Means — applicable where compromised mailbox sessions egress data via the message channel itself), and `AML.T0016` (Develop Capabilities — adversary use of public LLM APIs to author hyperpersonalized lures).
107
113
 
108
114
  ---
109
115
 
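Review bot: two of the three ATLAS ID/name pairs added here do not match the public ATLAS matrix and should be checked against `data/atlas-ttps.json` before the cross-reference ships: AML.T0024 is Exfiltration via ML Inference API (Exfiltration via Cyber Means is AML.T0025), and AML.T0016 is Obtain Capabilities (Develop Capabilities is AML.T0017). The same "AML.T0016 (Develop Capabilities)" label recurs in the compliance-theater, exploit-scoring and framework-gap-analysis mappings in this release, so correct it once in the catalog and regenerate rather than editing each skill.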
@@ -138,6 +144,8 @@ The procedure threads three foundational principles per AGENTS.md:
138
144
 
139
145
  **Cloud-email canonical, on-prem exception** (Rule #9): default scoping assumes Microsoft 365 Exchange Online or Google Workspace Gmail. On-prem Exchange (legacy, regulated enclave, air-gapped) gets an explicit exception path noting which controls (cloud-native sandbox detonation, Microsoft Defender XDR signals, Google Workspace Security Sandbox) have on-prem equivalents and which require compensating controls.
140
146
 
147
+ Email-authentication RFCs cited throughout the procedure (`RFC-7489` DMARC, `RFC-6376` DKIM, `RFC-7208` SPF, `RFC-8616` BIMI/AuthIndicators DNS encoding, `RFC-8461` MTA-STS, `RFC-8617` ARC, `RFC-8460` TLSRPT) resolve against `data/rfc-references.json`. The DLP exfil-channel mappings invoked by the gateway-and-egress sub-procedures (`DLP-CHAN-EMAIL-OUT` for outbound message exfil, `DLP-CHAN-LLM-PROMPT` for LLM-prompt-as-egress when users paste mailbox content into AI assistants, `DLP-ENFORCE-BLOCK` for hard-block enforcement on confirmed PHI/PCI patterns) resolve against `data/dlp-controls.json` — these are the canonical IDs to cite when handing off to `dlp-gap-analysis`.
148
+
141
149
  **Ten-step assessment:**
142
150
 
143
151
  1. **Email authentication posture audit.** For each owned sending domain: pull SPF record, count DNS lookups (≤10), check for `+all` or `?all` (fail open), and check for SPF-flattening or macro-misuse. Pull DKIM selectors and verify key length ≥2048-bit, current rotation cadence. Pull DMARC record and capture policy (`p=`), subdomain policy (`sp=`), `pct=`, `rua=`/`ruf=` aggregate-report destinations, and alignment modes. Pull BIMI record and check VMC/CMC presence. Pull ARC seal status from inbound flow samples. Pull MTA-STS policy and TLSRPT destination.
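Review bot: `RFC-8616` is not BIMI. RFC 8616 is "Email Authentication for Internationalized Mail" (the EAI updates to SPF, DKIM and DMARC); BIMI has no RFC and exists only as the AuthIndicators Working Group Internet-Draft (draft-brand-indicators-for-message-identification). Cite the draft by name in `data/rfc-references.json` or drop the RFC number from the BIMI entry, otherwise an auditor following the anchor lands on the wrong document. The other six anchors (7489 DMARC, 6376 DKIM, 7208 SPF, 8461 MTA-STS, 8617 ARC, 8460 TLSRPT) are correct.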
@@ -192,6 +200,8 @@ Per AGENTS.md, this skill ships on 2026-05-11 and includes the optional 8th sect
192
200
  | D3-IOPR (Inbound Operation Restriction) | Restrict inbound operations the message can perform — URL rewriting, click-time re-evaluation, macro neutralization, container-format unpacking, sandbox detonation | Pre-delivery and at click-time | Per-user click policy (privileged users on stricter detonation tier) | No payload is allowed to act on the user's behalf without the gateway's verification | LLM-generated email detection sits here at the gateway-classification layer |
193
201
  | D3-MFA (Multi-factor Authentication) | Phishing-resistant authenticator class — FIDO2 / WebAuthn synced passkeys with proper relying-party verification | User authentication layer | Mandatory at 100% for privileged role classes; recovery flow hardened against helpdesk-vishing | Every authentication is verified by possession of the bound authenticator; session tokens are not transferable across origin | Canonical defense — passkeys remove the credential-disclosure win condition that AI-augmented phishing optimizes for |
194
202
 
203
+ The D3FEND technique IDs above (`D3-NTA`, `D3-CSPP`, `D3-IOPR`, `D3-MFA`) resolve against `data/d3fend-catalog.json`. Operators producing a defence-in-depth map for an email-security finding should chain: offensive technique (`T1566.*` from `data/attack-techniques.json`, plus AI-augmentation context from `data/atlas-ttps.json`) → missing control (entry in `data/framework-control-gaps.json`) → defensive technique (entry in `data/d3fend-catalog.json`) → DLP enforcement channel (`DLP-CHAN-EMAIL-OUT` / `DLP-CHAN-LLM-PROMPT` from `data/dlp-controls.json`) → wire-level RFC anchor (entry in `data/rfc-references.json`). This is the cross-walk pattern the seven-phase playbook expects when packaging anti-phishing evidence for an auditor or jurisdiction notification.
204
+
195
205
  ---
196
206
 
197
207
  ## Hand-Off / Related Skills
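Review bot: the cross-walk chain inserts a "missing control (entry in `data/framework-control-gaps.json`)" step between the offensive technique and the D3FEND technique, but the table rows above carry no framework-gap ID, so the chain cannot be walked from this section alone; add a column, or a parenthetical per row, naming which `framework_gaps` entry each technique closes (for example `D3-NTA` against `SOC2-CC7-anomaly-detection`). Separately, the table row reads "D3-IOPR (Inbound Operation Restriction)" while the compliance-theater mapping in this same release expands D3-IOPR as "Input/Output Profiling"; the catalog should be the single source for the name, and neither expansion matches the D3FEND ontology's IO Port Restriction.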
@@ -21,7 +21,7 @@ attack_refs: []
21
21
  framework_gaps:
22
22
  - CWE-Top-25-2024-meta
23
23
  - CIS-Controls-v8-Control7
24
- last_threat_review: "2026-05-17"
24
+ last_threat_review: "2026-05-18"
25
25
  ---
26
26
 
27
27
  # Real-World Exploit Priority (RWEP) Scoring
@@ -314,6 +314,8 @@ Translate RWEP-based timeline to framework compliance language:
314
314
 
315
315
  ## Output Format
316
316
 
317
+ The skill produces a per-CVE Exploit Priority Assessment showing the RWEP score, the factor breakdown (CVSS, KEV, PoC, AI-acceleration, blast radius, live-patch availability), the required-action timeline, and any framework-SLA conflict. The shape below is consumed downstream by `kernel-lpe-triage` (for kernel-class CVEs), by `compliance-theater` (which compares the RWEP-required timeline against the org's CVSS-banded SLA), and by `incident-response-playbook` (which scopes IR per the required-action band). Preserve the RWEP factor rows verbatim — they are the auditable derivation.
318
+
317
319
  ```
318
320
  ## Exploit Priority Assessment
319
321
 
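Review bot: the Output Format paragraph describes the score and the factor breakdown but not the RWEP band, while the Defensive Countermeasure Mapping added later in this file keys every row on band (90+, 75–89, 50–74, 25–49, AI-accelerated multiplier). Emit the band label as its own field in the assessment so `kernel-lpe-triage` and `compliance-theater` can join on it without re-deriving the cut-offs from the numeric score.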
@@ -359,3 +361,30 @@ Run this check against any organization claiming vulnerability-management compli
359
361
  > "Open your last quarterly vuln-management metrics report. Does it report `mean time to remediate by CVSS band`? If that is the headline metric, the program optimizes for CVSS-band SLAs, not for actual exploit-priority response. The KPI itself is theater. The honest metric is: for CVEs that crossed RWEP ≥ 75 during the quarter, what was the mean time from RWEP-75 threshold crossing to deployed mitigation? If the org doesn't track RWEP at all, the program has no instrumentation to detect when CVSS-banded SLAs fail — which they do for every CISA KEV + AI-discovered class in `data/cve-catalog.json`."
360
362
 
361
363
  > "Ask: when CVE-2026-31431 was published, what was the actual time from publication to deployed mitigation across the estate? Compare it to the policy's 30-day High SLA. The org likely met SLA. RWEP 90 required action in 4 hours. CISA KEV listed the CVE on 2026-05-01 with federal due date 2026-05-15. Today (~13 days after listing) any unpatched estate is past the federal due date and demonstrably exposed to a 732-byte deterministic public PoC on CISA KEV. The gap between 'met internal SLA' and 'past federal due date with active exploitation in scope' is the size of the theater."
364
+
365
+ ---
366
+
367
+ ## Defensive Countermeasure Mapping
368
+
369
+ RWEP scores priority; this section maps the priority bands to the D3FEND defensive techniques an operator deploys before, during, and after a patch lands. The mapping is per RWEP band rather than per CVE — the same techniques compose differently depending on whether the score is driven by KEV listing, public PoC, AI-acceleration, or live-patch availability. Operators consuming an RWEP score should pair it with the row below to convert "act in 4 hours" into "deploy these specific D3FEND techniques in the following order."
370
+
371
+ | RWEP band | Threat shape | D3FEND ID | Defensive technique | Defense-in-depth layer |
372
+ |---|---|---|---|---|
373
+ | 90+ (KEV + public PoC + AI-discovered, e.g. Copy Fail) | T1068 deterministic LPE | `D3-KBPI` | Kernel-Based Process Isolation | Kernel — compensating control deployed within the 4-hour live-patch window |
374
+ | 90+ | T1068 | `D3-SCA` | System Call Analysis | Endpoint — detection for the LPE primitive ahead of live-patch propagation |
375
+ | 75–89 (KEV + PoC, not AI-accelerated) | T1190 / T1068 reachable | `D3-NI` | Network Isolation | Network — segmentation that closes the reachability precondition |
376
+ | 75–89 | T1190 / T1068 | `D3-PA` | Process Analysis | Endpoint — behavioral detection of the exploit primitive in the unpatched window |
377
+ | 50–74 (PoC public, KEV pending) | Exploit-likely class | `D3-EFA` | Executable File Analysis | Endpoint — pre-execution scanning for known PoC binaries and artifacts |
378
+ | 50–74 | Exploit-likely class | `D3-FCR` | File Content Rules | Endpoint — content-based detection of exploit payloads in transit |
379
+ | 25–49 (vendor patch available, no PoC) | Patchable, not yet weaponized | `D3-EAL` | Executable Allowlisting | Managed endpoint — reduce exposure surface during the routine-patch window |
380
+ | 25–49 | Patchable | `D3-EI` | Execution Isolation | Endpoint / container — sandbox the vulnerable component until patch deploys |
381
+ | AI-accelerated multiplier (any band with AML.T0016 capability development) | PROMPTFLUX-class evasion | `D3-NTA` | Network Traffic Analysis | Network egress — detect AI-API queries from unexpected processes |
382
+ | AI-accelerated multiplier | AML.T0051 prompt-injection-driven exploitation chain | `D3-IOPR` + `D3-CSPP` | Input/Output Profiling + Client-server Payload Profiling | SDK / gateway — content-aware inspection of prompt+completion at the model boundary |
383
+
384
+ **Defense-in-depth posture:** the RWEP band sets the timeline; D3FEND sets the technique set. A 4-hour timeline (RWEP 90+) without a deployed `D3-KBPI` or `D3-SCA` capability is a compliance gap, not an operational one — the timeline cannot be met. Operators reporting "RWEP 90 patched within 4 hours" must also report which D3FEND technique provided coverage during the pre-patch window; an unpatched 4-hour exposure window with no compensating defensive technique is the same outcome as a 30-day SLA breach.
385
+
386
+ **Least-privilege scope:** D3FEND technique deployment is scoped to the asset class within the CVE's blast radius. `D3-KBPI` is per-host (production kernel ≠ developer kernel ≠ CI runner). `D3-NI` is per-segment. `D3-EAL` is per-host-class. Allowlists and isolation rules are derived from the CVE's affected component, not applied estate-wide.
387
+
388
+ **Zero-trust posture:** an RWEP score is not a remediation; it is a triage signal. The remediation closes only when the cited D3FEND technique is verified in production for the affected asset class. RWEP 90 with no deployed `D3-KBPI` instrumentation is an unmitigated finding regardless of patch SLA. Auditors converting RWEP findings into corrective actions must verify both the patch deployment and the compensating-technique deployment.
389
+
390
+ **AI-pipeline applicability (per AGENTS.md Hard Rule #9):** for AI-pipeline CVEs (model-serving runtime, MCP server, inference gateway), `D3-KBPI` and `D3-EAL` do not apply to serverless inference endpoints. The scoped alternative is `D3-CSPP` at the gateway plus signed-image attestation at the provider. RWEP bands are unchanged; the technique selection shifts to the gateway tier. `D3-FAPA` over training-data corpora is the additional technique for any AML.T0020 (Poison Training Data) finding above RWEP 50.
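Review bot: technique names need checking against `data/d3fend-catalog.json`: D3-EFA in the 50–74 row is "Executable File Analysis" but the D3FEND name is Emulated File Analysis, and D3-IOPR in the AI-accelerated row is "Input/Output Profiling" where the ontology's D3-IOPR is IO Port Restriction; if the intent is content inspection of prompts and completions, `D3-CSPP` alone (or a dedicated catalog entry) is the accurate citation. Two logic points in the posture paragraphs: "is a compliance gap, not an operational one" reads inverted, because the sentence goes on to say the timeline cannot be met, which is an operational gap that then becomes a compliance gap; and "RWEP 90 with no deployed `D3-KBPI` instrumentation is an unmitigated finding regardless of patch SLA" would mark a host that was fully patched inside the 4-hour window as unmitigated, so qualify it with "during the pre-patch window" as the defense-in-depth paragraph already does.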
@@ -20,7 +20,7 @@ data_deps:
20
20
  atlas_refs: []
21
21
  attack_refs: []
22
22
  framework_gaps: []
23
- last_threat_review: "2026-05-14"
23
+ last_threat_review: "2026-05-18"
24
24
  ---
25
25
 
26
26
  # Framework Gap Analysis
@@ -376,3 +376,30 @@ Specific high-confidence theater signals (each triggers a mandatory Framework La
376
376
  | Org removed the esp4 / esp6 / rxrpc module-blacklist mitigation once Dirty Frag was patched | CVE-2026-46300 (Fragnesia) is in the same primitive class, was introduced by the Dirty Frag patch, and is mitigated by the same blacklist |
377
377
 
378
378
  When this check fires, hand off to the compliance-theater skill for the theater-pattern detection test and to policy-exception-gen if the org needs to grant a defensible exception with concrete compensating controls.
379
+
380
+ ---
381
+
382
+ ## Defensive Countermeasure Mapping
383
+
384
+ Every Framework Lag Declaration this skill produces names the missing control. The mapping below converts that absence into a concrete defensive-technique recommendation drawn from `data/d3fend-catalog.json`, paired with the offensive TTP class (ATLAS or ATT&CK) the gap exposes. Operators feeding this output into a remediation plan should chain: offensive TTP → failed framework control → D3FEND defensive technique → enforcement layer.
385
+
386
+ | Offensive TTP | Framework gap exemplar | D3FEND ID | Defensive technique | Defense-in-depth layer |
387
+ |---|---|---|---|---|
388
+ | T1068 (Exploitation for Privilege Escalation) — Copy Fail / Fragnesia | SI-2 / A.8.8 / PCI 6.3.3 30-day patch SLA | `D3-KBPI` | Kernel-Based Process Isolation | Kernel — compensating control while live-patch propagates; reduces blast radius when LPE primitive is reachable |
389
+ | T1068 | SI-2 / A.8.8 patch SLA | `D3-SCA` | System Call Analysis | Endpoint — detects the deterministic LPE primitive at syscall layer before patch lands |
390
+ | AML.T0051 (LLM Prompt Injection) — CVE-2025-53773 class | AC-2 / CC6 account-management as access control for AI agents | `D3-IOPR` | Input/Output Profiling Resource | SDK / application — content-aware inspection of prompt+completion at the model boundary |
391
+ | AML.T0051 | AC-2 / CC6 | `D3-CSPP` | Client-server Payload Profiling | LLM gateway — gateway-layer inspection when SDK-side `D3-IOPR` is not deployable |
392
+ | AML.T0010 (ML Supply Chain Compromise) — CVE-2026-30615 MCP class | A.5.19 / SA-12 vendor management as MCP trust boundary | `D3-EAL` | Executable Allowlisting | Managed endpoint — only sanctioned MCP servers and IDE assistants execute on developer workstations |
393
+ | AML.T0010 | A.5.19 / SA-12 | `D3-EFA` | Executable File Analysis | Endpoint — pre-execution analysis of MCP server binaries and AI-assistant plugins |
394
+ | AML.T0016 (Develop Capabilities — AI-generated payloads) — PROMPTFLUX class | SI-3 signature-based malware protection | `D3-PA` | Process Analysis | Endpoint — behavioral detection of in-process LLM-query patterns that signature engines cannot see |
395
+ | AML.T0096 (LLM Integration Abuse — C2) — SesameOp class | SI-4 / CC7 anomaly detection without AI-API baseline | `D3-NTA` | Network Traffic Analysis | Network egress — per-identity baseline of model-API destinations |
396
+ | T1190 (Exploit Public-Facing Application) — Dirty Frag IPsec | SC-8 / SC-28 cryptographic-control compensating-control claim | `D3-NI` | Network Isolation | Network — segmentation that does not depend on the compromised IPsec subsystem |
397
+ | AML.T0020 (Poison Training Data) | NIS2 Art. 21 AI-pipeline integrity | `D3-FAPA` | File Access Pattern Analysis | Data tier — RAG-corpus and training-data access-pattern baselining |
398
+
399
+ **Defense-in-depth posture:** every Framework Lag Declaration produced by this skill must propose at least one D3FEND technique per cited offensive TTP. A declaration that names the gap without recommending a defensive technique is incomplete — operators receive a finding with no remediation path. Where the framework gap is multi-jurisdictional (per Section 6 of the Output Format), the same D3FEND technique satisfies the equivalent obligation in each cross-walked framework — the defensive control is technique-level, not framework-level.
400
+
401
+ **Least-privilege scope:** D3FEND recommendations are scoped to the principal class (human developer, agent identity, MCP server, model-serving process). `D3-EAL` and `D3-EFA` are per-host-class allowlists (developer ≠ production ≠ CI). `D3-IOPR` and `D3-CSPP` log the principal identity on every prompt/completion. `D3-FAPA` baselines are per-corpus-per-principal.
402
+
403
+ **Zero-trust posture:** no control is claimed as compensating without verification that the defensive technique is deployed, monitored, and tested against the cited offensive TTP. "We have SC-8 IPsec" is not a compensating control for Dirty Frag — `D3-NI` over a non-IPsec data path is. The Framework Lag Declaration's "What a real control requires" field must name the D3FEND technique by ID.
404
+
405
+ **AI-pipeline applicability (per AGENTS.md Hard Rule #9):** `D3-EAL` does not apply to serverless inference endpoints; the scoped alternative is `D3-CSPP` at the gateway plus signed-image attestation at the provider. `D3-FAPA` on ephemeral RAG indices degrades to per-query retrieval logging via `D3-IOPR` plus index-build provenance signed at construction. These degradations must be named explicitly in the declaration when the gap concerns an AI pipeline.
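Review bot: the `D3-IOPR` row (AML.T0051, first of the two) names the technique "Input/Output Profiling Resource", while the policy-exception-gen and threat-model-currency mappings added in this same release call the same ID "Input/Output Profiling". Since the text tells operators to cite techniques by ID and auditors to verify them against `data/d3fend-catalog.json`, the human-readable name should be pulled from that catalog for all three tables (ideally enforced by the skill linter) rather than typed by hand per skill, or the three tables will drift as they already have here.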
@@ -217,6 +217,8 @@ Internally discovered fuzz findings that map to a CWE class already in `data/cve
217
217
 
218
218
  ## Output Format
219
219
 
220
+ The skill produces a Fuzz Posture Assessment covering fuzz-eligible interface inventory, harness coverage, crash inventory, and quarter-over-quarter CWE-class trend. The shape below is consumed downstream by `zeroday-gap-learn` (which appends internally found crashes as lesson entries), by `compliance-theater` (which compares the harness-coverage gap against SAMM / BSIMM / SDL compliance claims), and by the SBOM evidence chain (which inherits the per-component fuzz-instrumentation status). Preserve the per-interface CI-gated field verbatim — it distinguishes deployed fuzzing from one-shot security-team exercises.
221
+
220
222
  ```
221
223
  ## Fuzz Posture Assessment
222
224
 
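Review bot: the new preamble hard-codes the downstream consumers (`zeroday-gap-learn`, `compliance-theater`, the SBOM evidence chain) in prose, and the same pattern repeats in every other Output Format preamble added in this diff. If the handoff graph is maintained as data elsewhere in the package, these prose copies will drift from it; either generate the sentence from that data or add a lint check that each named consumer exists as a skill and declares this skill as an input. Also, "Preserve the per-interface CI-gated field verbatim" refers to the field by description rather than by its literal key in the template below; quote the exact field name so the verbatim requirement is checkable.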
@@ -262,8 +264,8 @@ Internally discovered fuzz findings that map to a CWE class already in `data/cve
262
264
  ### Framework Gap Declaration
263
265
  [Per-framework statement: which controls the org claims cover this domain, and where the absence of normative fuzz requirements creates a gap. Mandatory rows: NIST 800-218, NIST 800-115, NIST 800-53 SA-11, OWASP ASVS V14, PCI DSS 4.0 6.2, ISO 27001:2022 A.8.29, EU NIS2 Art. 21, EU CRA Annex I, UK CAF B4, ASD Essential 8 / ISM 1235, EU AI Act Art. 15 (if LLM in scope).]
264
266
 
265
- ### Compliance Theater Check Result
266
- [See Compliance Theater Check section — answer the four questions, record the gap]
267
+ ### Theater Check Result
268
+ [See the Compliance Theater Check section — answer the four questions, record the gap]
267
269
 
268
270
  ### Defensive Countermeasure Mapping
269
271
  | Fuzz Finding Class | D3FEND Countermeasure | Implementation |
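Review bot: renaming the output-template heading from "### Compliance Theater Check Result" to "### Theater Check Result" is a breaking change for any consumer that locates the section by heading text, and the shortening is only half applied: the bracketed body line still says "See the Compliance Theater Check section". Either keep the full heading and apply only the article fix in the body line, or record the rename in CHANGELOG.md and update the downstream skills this file names as consumers of the report.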
@@ -538,6 +538,8 @@ Produce a matrix of: threat class × jurisdiction framework × requirement adequ
538
538
 
539
539
  ## Output Format
540
540
 
541
+ The skill produces a structured Global GRC Assessment that rolls compliance findings across the org's jurisdictional footprint — EU (NIS2, DORA, EU AI Act, CRA), UK (CAF, Cyber Essentials), AU (ISM, Essential 8, APRA CPS 234), ISO 27001:2022 / 42001:2023, NIST, and the expanded set tracked in `data/global-frameworks.json`. The shape below is consumed downstream by `framework-gap-analysis` (which produces per-jurisdiction Framework Lag Declarations), by `policy-exception-gen` (for cross-jurisdictional exception language), and by CSAF-style auditor evidence bundles. Preserve the per-jurisdiction control-mapping rows verbatim — they are the load-bearing cross-walk per Hard Rule #5.
542
+
541
543
  ```
542
544
  ## Global GRC Assessment
543
545
 
@@ -191,6 +191,8 @@ NIST 800-207 ZTA posture, extended for agents:
191
191
 
192
192
  ## Output Format
193
193
 
194
+ The skill produces an Identity Assurance Assessment covering per-IdP AAL/IAL/FAL posture, passkey / WebAuthn / FIDO2 deployment coverage, agent-identity scoping (workload, service-account, AI-agent principal), and the prioritized roadmap to close phishing-resistance gaps. The shape below is consumed downstream by `idp-incident-response` (which scopes IR on confirmed identity compromise), by `email-security-anti-phishing` (which inherits the phishing-resistant-MFA coverage), and by `compliance-theater` (which compares the deployed authenticator class against any AAL2 / AAL3 compliance claim). Preserve the per-IdP AAL / IAL / FAL rows verbatim — they are the auditable derivation of the phishing-resistance score.
195
+
194
196
  ```
195
197
  ## Identity Assurance Assessment
196
198
 
@@ -302,6 +302,8 @@ Flag: "Dirty Frag (CVE-2026-43284) exploits the IPsec implementation. Network co
302
302
 
303
303
  ## Output Format
304
304
 
305
+ The triage produces a structured Kernel LPE Exposure Assessment per host or fleet snapshot. The shape below is consumed downstream by `exploit-scoring` (which converts the per-CVE exposure into RWEP bands), by `incident-response-playbook` (which uses the affected-host count to scope IR), and by `compliance-theater` (which compares the deployed-mitigation field against the org's claimed SI-2 / A.8.8 patch SLA). Operators surfacing the output to auditors should preserve the CISA KEV due-date field verbatim — federal due dates are the authoritative regulatory clock, not internal SLAs.
306
+
305
307
  Produce this structure:
306
308
 
307
309
  ```
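Review bot: the last sentence of the new paragraph states that "federal due dates are the authoritative regulatory clock, not internal SLAs" without scoping. KEV due dates are an obligation for operators bound by the CISA directive; for everyone else they are a benchmark, not a regulatory clock. Suggest: "for operators bound by the KEV directive the federal due date is the authoritative clock; all others should report it alongside the internal SLA". Otherwise `compliance-theater`, which this paragraph says compares the deployed-mitigation field against the org's claimed SI-2 / A.8.8 SLA, would flag non-federal orgs against a clock they are not held to.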
@@ -190,6 +190,8 @@ Sourced from `data/cve-catalog.json` and `data/exploit-availability.json` as of
190
190
 
191
191
  ## Analysis Procedure
192
192
 
193
+ The procedure runs five sequential steps: inventory installed MCP servers per workstation, verify each server's package provenance against npm signatures and CISA KEV listings, assess trust configuration (auth, allowlist, scope), score the trust posture against the published CVE class, and generate remediation actions for any server scoring above the operator's risk threshold. Each step's output feeds the next; the inventory drives the provenance check, the provenance result drives the trust score, and the trust score drives the remediation list.
194
+
193
195
  ### Step 1: Inventory installed MCP servers
194
196
 
195
197
  For each developer workstation or shared AI system:
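Review bot: the summary of step 2 ("verify each server's package provenance against npm signatures and CISA KEV listings") conflates two different checks and assumes every MCP server is an npm package. A KEV lookup tells you whether a known vulnerability in that package is being exploited; it says nothing about whether the installed artifact is authentic. Suggest splitting the sentence into provenance (registry signature or attestation for the ecosystem the server actually ships in: npm, PyPI, container image, or a bare binary, which the Defensive Countermeasure Mapping elsewhere in this release already anticipates with "MCP server binaries") and vulnerability status (KEV / advisory lookup), and state that the trust score in step 4 consumes both results.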
@@ -302,6 +304,8 @@ For each MCP client configuration, check:
302
304
 
303
305
  ## Output Format
304
306
 
307
+ The skill produces a structured MCP Trust Assessment per workstation or fleet. The shape below is consumed downstream by `supply-chain-integrity` (which picks up the per-server hash and provenance fields), by `ai-attack-surface` (which integrates the MCP Trust posture into the broader AI surface report), and by `compliance-theater` (which compares the unallowlisted-server count against any vendor-management compliance claim). Operators feeding the output into MDM or endpoint-management policy should preserve the approved-server registry shape verbatim.
308
+
305
309
  ```
306
310
  ## MCP Trust Assessment
307
311
 
@@ -227,6 +227,8 @@ Every artifact is untrusted until cryptographically verified.
227
227
 
228
228
  ## Output Format
229
229
 
230
+ The skill produces an MLOps Pipeline Security Assessment covering training-pipeline integrity, model-registry trust posture, deployment-time signing / attestation, drift-detection coverage, and post-deployment behavioral-regression test cadence across MLflow / Kubeflow / Vertex AI / SageMaker / Azure ML / Hugging Face / DIY stacks. The shape below is consumed downstream by `supply-chain-integrity` (for model-artifact provenance), by `ai-attack-surface` (for the model-serving inventory), and by `compliance-theater` (which compares the deployed model-governance against ISO 42001 / NIST AI RMF claims). Preserve the per-model deployment-attestation rows verbatim — they are the auditable evidence chain for model-substitution detection.
231
+
230
232
  ```
231
233
  ## MLOps Pipeline Security Assessment
232
234
 
@@ -219,6 +219,8 @@ For each jurisdiction the operator is exposed to (EU, UK, AU, JP, IL, ID, TW, US
219
219
 
220
220
  ## Output Format
221
221
 
222
+ The skill produces an OT / ICS Security Posture Assessment covering Purdue-model zone inventory, IEC 62443 zone-and-conduit posture, NERC CIP / TSA-pipeline coverage, AI-augmented threat exposure (NIST IR 8504 ICS-AI), and the prioritized roadmap for safety-system isolation. The shape below is consumed downstream by `sector-energy` (which inherits the NERC CIP rows), by `incident-response-playbook` (which scopes IR with the Purdue-zone affected-asset list), and by `compliance-theater` (which compares the deployed segmentation against IEC 62443 / NERC CIP claims). Preserve the per-zone safety-system field verbatim — it is the auditable safety-isolation evidence.
223
+
222
224
  Produce this structure verbatim:
223
225
 
224
226
  ```
@@ -23,7 +23,7 @@ forward_watch:
23
23
  - EU CRA exceptions for AI pipeline components
24
24
  - NIST SP 800-204 series updates for microservices
25
25
  - FedRAMP updates for container/serverless authorization
26
- last_threat_review: "2026-05-17"
26
+ last_threat_review: "2026-05-18"
27
27
  ---
28
28
 
29
29
  # Policy Exception Generation
@@ -449,3 +449,30 @@ Specific high-confidence theater signals for this skill's four exception categor
449
449
  | Critical Systems No-Reboot Kernel Patching | "Can't reboot, will catch up later" with no live patch, no eBPF rules, no maintenance window | `kpatch list` / `canonical-livepatch status` output, named eBPF / auditd rules for the exploitation pattern, scheduled maintenance date, escalation contact if missed |
450
450
 
451
451
  When this check fires on any exception, hand off to the compliance-theater skill to record the systemic finding (this is Pattern 3 / 4 / 5 / 6 territory depending on category) and to framework-gap-analysis to determine whether the framework lag warrants escalation to the global-grc skill for cross-jurisdictional review.
452
+
453
+ ---
454
+
455
+ ## Defensive Countermeasure Mapping
456
+
457
+ Every defensible exception names the residual TTPs in scope and the compensating-control bundle that disrupts them. The mapping below converts the compensating-control language ("eBPF monitoring", "workload identity", "image-scanning") into the D3FEND technique IDs that audit reviewers can verify against `data/d3fend-catalog.json`. An exception template that cites vague compensating controls without a D3FEND ID fails the Compliance Theater Check above.
458
+
459
+ | Exception category | Residual offensive TTP | D3FEND ID | Defensive technique (compensating control) | Defense-in-depth layer |
460
+ |---|---|---|---|---|
461
+ | Ephemeral Infrastructure (CM-8 / A.5.9) | T1610 (Deploy Container), T1525 (Implant Internal Image) | `D3-EFA` | Executable File Analysis (image-registry scanning, SBOM per image) | Build / registry — pre-deployment image integrity verification |
462
+ | Ephemeral Infrastructure | T1525 | `D3-EAL` | Executable Allowlisting (signed-image-only deploy gate) | Cluster admission — only signed images reach the runtime |
463
+ | AI Pipeline Change Management (CM-3 / A.8.32) | AML.T0018 (Backdoor ML Model), AML.T0020 (Poison Training Data) | `D3-FAPA` | File Access Pattern Analysis (training-data and model-artifact access baselining) | Data tier — detect anomalous access to corpora and weights |
464
+ | AI Pipeline Change Management | AML.T0018 | `D3-IOPR` | Input/Output Profiling (behavioral regression suite, model-fingerprinting prompt set) | SDK / application — detect model substitution and drift |
465
+ | Zero Trust Architecture Segmentation (SC-7 / A.8.22) | T1021 (Remote Services), T1570 (Lateral Tool Transfer) | `D3-NTPM` | Network Traffic Policy Mapping (SPIFFE / mTLS workload identity enforcement) | Network — per-workload-identity policy on east-west flows |
466
+ | Zero Trust Architecture Segmentation | T1021 / T1570 | `D3-NTA` | Network Traffic Analysis (east-west behavioral analytics) | Network — detect lateral movement that policy alone cannot prevent |
467
+ | Zero Trust Architecture Segmentation | T1078 (Valid Accounts) | `D3-CBAN` | Certificate-based Authentication (mTLS workload certificates) | Identity — workload identities are certificate-bound, not perimeter-bound |
468
+ | No-Reboot Kernel Patching (SI-2 / A.8.8) | T1068 (Exploitation for Privilege Escalation) | `D3-SCA` | System Call Analysis (eBPF / auditd rules for the exploitation primitive) | Kernel — detect the LPE primitive while live-patch is in flight |
469
+ | No-Reboot Kernel Patching | T1068 | `D3-KBPI` | Kernel-Based Process Isolation | Kernel — reduce blast radius until the live patch deploys |
470
+ | No-Reboot Kernel Patching | T1068 (post-exploit persistence) | `D3-PA` | Process Analysis (anomalous-uid / capability-set detection) | Endpoint — catch successful LPE before it persists |
471
+
472
+ **Defense-in-depth posture:** an exception that names a single D3FEND technique is insufficient — the residual TTP set is multi-stage, and the compensating-control bundle must cover the chain. The Output Format's "Compensating Controls" field must enumerate at least two D3FEND techniques per residual TTP, drawn from different defense-in-depth layers (network + endpoint, build + admission, SDK + gateway). An exception with only one layer cited is theater for the multi-stage attack chain.
473
+
474
+ **Least-privilege scope:** D3FEND technique deployment is scoped to the exception's affected asset class. `D3-EAL` admission rules are per-cluster (production ≠ staging ≠ developer). `D3-NTPM` workload-identity policies are per-namespace. `D3-FAPA` training-data baselines are per-corpus-per-principal. The exception document must record the scope alongside the technique ID — "we deploy `D3-EAL` cluster-wide" is too coarse; "we deploy `D3-EAL` on `prod-*` clusters with signed-image-only admission" is auditable.
475
+
476
+ **Zero-trust posture:** the exception is defensible only when the cited D3FEND techniques are deployed, monitored, and tested against the residual TTPs at exception-grant time and re-verified at the documented review cadence. An exception with deployed techniques but no test evidence (chaos-engineering exercise, red-team result, detection-rule firing on a controlled trigger) is unverified. The "Review Cadence" field in the Output Format must specify the re-verification test, not just the calendar date.
477
+
478
+ **AI-pipeline applicability (per AGENTS.md Hard Rule #9):** for AI Pipeline Change Management exceptions, `D3-EAL` and `D3-EFA` do not apply to serverless inference endpoints — the scoped alternative is `D3-CSPP` at the inference gateway plus provider-signed-image attestation in the model-card. `D3-FAPA` on ephemeral RAG indices degrades to per-query retrieval logging via `D3-IOPR` plus index-build provenance signed at construction. These degradations must be enumerated in the exception's "Compensating Controls" field; an AI-pipeline exception that copies a non-AI exception template is incomplete.
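Review bot: the "Defense-in-depth posture" paragraph requires at least two D3FEND techniques per residual TTP from different layers, but the table above it does not satisfy its own rule: T1610 (Ephemeral Infrastructure) has only `D3-EFA`, AML.T0020 (AI Pipeline Change Management) has only `D3-FAPA`, and T1078 (Zero Trust Architecture Segmentation) has only `D3-CBAN`. Either add a second-layer row for each of those TTPs (or say explicitly which existing row also covers them) or relax the rule to "per residual TTP chain". Separately, the AI-pipeline paragraph says `D3-EAL` and `D3-EFA` do not apply to serverless inference endpoints for AI Pipeline Change Management exceptions, yet the rows carrying those two IDs belong to the Ephemeral Infrastructure category, not the AI one; clarify which category the degradation is meant for.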
@@ -514,6 +514,8 @@ Priority order:
514
514
 
515
515
  ## Output Format
516
516
 
517
+ The skill produces a structured PQC Readiness Assessment that scores the org's post-quantum migration posture against the NIST PQC standards (ML-KEM / FIPS 203, ML-DSA / FIPS 204, SLH-DSA / FIPS 205), CNSA 2.0, and the BSI / ANSSI / NCSC migration guidance. The shape below is consumed downstream by `crypto` playbook runs (which feed the assessment into Phase 5 analyze), by `framework-gap-analysis` (for SC-8 / SC-13 / A.8.24 / A.10 lag declarations), and by `compliance-theater` (which compares the harvest-now-decrypt-later exposure against the org's data-classification claims). Preserve the per-protocol cryptographic-inventory rows verbatim — they are the auditable derivation of the migration roadmap.
518
+
517
519
  ```
518
520
  ## PQC Readiness Assessment
519
521
 
@@ -260,6 +260,8 @@ Prioritize by: data classification of knowledge base content (higher classificat
260
260
 
261
261
  ## Output Format
262
262
 
263
+ The skill produces a structured RAG Pipeline Security Assessment covering vector-store inventory, embedding-model trust posture, retrieval-policy coverage, and observed exfiltration risk per corpus. The shape below is consumed downstream by `ai-attack-surface` (which integrates the per-corpus risk band into the broader AI surface report), by `dlp-gap-analysis` (which picks up the retrieval-policy gaps as DLP-channel findings), and by `mlops-security` (which inherits the embedding-model trust assessment). Operators feeding the output into auditor evidence should preserve the per-corpus retrieval-baseline field — it is the test that distinguishes paper retrieval controls from monitored ones.
264
+
263
265
  ```
264
266
  ## RAG Pipeline Security Assessment
265
267
 
@@ -251,6 +251,8 @@ Produce the Output Format below. Keep it to one page. The point of the researche
251
251
 
252
252
  ## Output Format
253
253
 
254
+ The skill produces a Researcher Triage Report that converts a free-form research query (CVE ID, threat-actor name, framework reference, RFC number, vendor advisory) into a structured triage: canonical identifier, threat-currency assessment, the skill(s) that own follow-on analysis, and the suggested next operator action. The shape below is consumed downstream by `exceptd dispatch` (which routes to matching skills) and by the operator's investigation queue. Preserve the canonical-reference field verbatim — it is the load-bearing field for downstream skill chaining.
255
+
254
256
  ```
255
257
  # Researcher Triage Report — <input>
256
258
 
@@ -273,6 +273,8 @@ For operators with material aggregate consumer-IoT or DER influence (TSOs, large
273
273
 
274
274
  ## Output Format
275
275
 
276
+ The skill produces an Energy-Sector Cybersecurity Posture Assessment covering NERC CIP v6 / v7 coverage, TSA Pipeline Security Directives, IEC 62443 zone-and-conduit posture, ENISA EECSP, ASD Essential 8 + AESCSF (AU), CER NIS2 transposition (EU), and the AI-augmented OT threat exposure. The shape below is consumed downstream by `ot-ics-security` (which inherits the Purdue-zone analysis), by `incident-response-playbook` (for the FERC / NERC EOP-004 incident-classification clock), and by `global-grc` (for cross-jurisdictional energy rollup). Preserve the per-substation / per-pipeline asset rows verbatim — they are the auditable evidence for regulator reporting.
277
+
276
278
  Produce this structure verbatim:
277
279
 
278
280
  ```
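Review bot: "CER NIS2 transposition (EU)" in the coverage list reads as a single framework, but CER (the Critical Entities Resilience directive) and NIS2 are separate directives with separate transposition tracks and different obligations for energy operators. List them as two items ("CER transposition, NIS2 transposition") so the assessment template gets a row for each and `global-grc`, which this paragraph names as the rollup consumer, can cross-walk them individually.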
@@ -212,6 +212,8 @@ Verify-not-assume posture per M-22-09 and CISA ZTMM v2.0.
212
212
 
213
213
  ## Output Format
214
214
 
215
+ The skill produces a Federal Government / DIB Cybersecurity Assessment covering FedRAMP Rev5 Moderate / High coverage, CMMC 2.0 Level 1/2/3 maturity, NIST 800-171 Rev 2/3 + 800-172 enhanced security requirements, M-22-09 zero-trust strategy progress, M-24-04 AI obligations, UK GovAssure, EU NIS2 public administration, AU PSPF / ISM Essential 8, and IL CDM v2.1. The shape below is consumed downstream by `incident-response-playbook` (for federal IR notification clocks), by `compliance-theater` (FedRAMP-vs-deployed comparison), and by `global-grc` (for cross-jurisdictional government rollup). Preserve the per-baseline maturity rows verbatim — they are the auditable evidence for ATO / continuous-ATO renewal.
216
+
215
217
  ```
216
218
  ## Federal Government / DIB Cybersecurity Assessment
217
219
 
@@ -270,6 +270,8 @@ For NY-regulated entities:
270
270
 
271
271
  ## Output Format
272
272
 
273
+ The skill produces a Financial Sector Cybersecurity Posture Assessment covering EU DORA Art. 6-15 + RTS coverage, UK FCA / PRA SS2/21, US NYDFS 23 NYCRR 500 (Nov 2025 amended), AU APRA CPS 234 + CPG 235, SG MAS TRM, HK HKMA SA-2 / TM-G-1, JP FISC, BR BCB, and the BEC / wire-fraud exposure. The shape below is consumed downstream by `incident-response-playbook` (for the DORA 4h initial-notification clock), by `email-security-anti-phishing` (for BEC exposure), and by `global-grc` (for cross-jurisdictional financial rollup). Preserve the per-regulator obligation rows verbatim — they are the auditable evidence for incident-classification timing.
274
+
273
275
  Produce this structure verbatim:
274
276
 
275
277
  ```
@@ -235,6 +235,8 @@ For each jurisdiction the operator is exposed to (US, EU, UK, AU, JP, IL, SG, IN
235
235
 
236
236
  ## Output Format
237
237
 
238
+ The skill produces a Healthcare Sector Security Posture Assessment covering HIPAA Security Rule + 2025 NPRM coverage, HITRUST control maturity, NIS2 essential-entity obligations (where applicable), FDA pre/post-market cybersecurity for medical devices, and ambient-AI documentation-pilot risk. The shape below is consumed downstream by `incident-response-playbook` (for HIPAA Breach Notification timing), by `compliance-theater` (HITRUST-vs-deployed-control comparison), and by `global-grc` (for cross-jurisdictional healthcare rollup). Preserve the per-control HIPAA / HITRUST rows verbatim — they are the auditable evidence for breach-notification timing.
239
+
238
240
  Produce this structure verbatim:
239
241
 
240
242
  ```
@@ -344,6 +344,8 @@ Year 1+: Tier 3 — by domain, starting with highest-sensitivity data
344
344
 
345
345
  ## Output Format
346
346
 
347
+ The skill produces a Security Maturity Roadmap that scores each in-scope domain against the published tier definitions and surfaces the next-tier upgrade path with budget bands and dependency ordering. The shape below is consumed downstream by `policy-exception-gen` (for domains where the operator chooses a lower tier than the threat model requires), by `compliance-theater` (which compares the claimed tier against deployed controls), and by `global-grc` (for cross-jurisdictional tier obligations). Preserve the per-domain tier rows verbatim — they are the auditable baseline for the upgrade plan.
348
+
347
349
  ```
348
350
  ## Security Maturity Roadmap
349
351
 
@@ -431,6 +431,8 @@ For each required update: specific skill file, specific section, specific change
431
431
 
432
432
  ## Output Format
433
433
 
434
+ The skill produces a Skill Update Loop Report covering per-skill `last_threat_review` currency, ATLAS / ATT&CK / D3FEND / CWE catalog version drift, CISA KEV additions since the last review, and the priority queue of skills requiring body updates before the next release. The shape below is consumed downstream by the release-cadence maintainer workflow, by `data/_meta` tracking, and by the predeploy `watchlist` gate. Preserve the per-skill drift columns verbatim — they are the auditable trigger for each forced body refresh.
435
+
434
436
  ```
435
437
  ## Skill Update Loop Report
436
438
 
@@ -252,6 +252,8 @@ Every artifact is untrusted until provenance is verified.
252
252
 
253
253
  ## Output Format
254
254
 
255
+ The skill produces a Supply-Chain Integrity Assessment covering per-pipeline build provenance, SLSA / in-toto / sigstore attestation coverage, SBOM completeness, dependency-risk inventory, and the prioritized roadmap to close gaps against EU CRA, NIST 800-218, and the expanded global framework set. The shape below is consumed downstream by `mcp-agent-trust` (for AI-tool supply-chain rows), by `mlops-security` (for model-artifact provenance), and by `compliance-theater` (which compares the deployed attestation surface against EU CRA Annex I claims). Preserve the per-pipeline attestation rows verbatim — they are the auditable evidence chain.
256
+
255
257
  ```
256
258
  ## Supply-Chain Integrity Assessment
257
259
 
@@ -22,7 +22,7 @@ forward_watch:
22
22
  - New CISA KEV entries in kernel/AI/supply chain categories
23
23
  - New MCP or agent protocol security disclosures
24
24
  - Emerging malware families using AI for evasion
25
- last_threat_review: "2026-05-15"
25
+ last_threat_review: "2026-05-18"
26
26
  discovery_mode: "standalone" # v0.13.2: operator-reached via `exceptd brief threat-model-currency` or `exceptd ask`; not chained into any playbook's direct.skill_chain by design
27
27
  ---
28
28
 
@@ -374,6 +374,8 @@ For each gap, produce a specific, actionable update:
374
374
 
375
375
  ## Output Format
376
376
 
377
+ The skill produces a structured Threat Model Currency Assessment that scores the threat model against each of the 14 threat classes, computes a currency percentage, and emits a priority update roadmap. The shape below is consumed downstream by `framework-gap-analysis` (which converts per-class gaps into Framework Lag Declarations), by `policy-exception-gen` (which generates defensible exceptions for any class the operator cannot remediate immediately), and by `global-grc` (which rolls up the currency score across EU/UK/AU/ISO jurisdictions per Hard Rule #5). Preserve the per-class scoring rows verbatim — they are the auditable derivation of the currency percentage.
378
+
377
379
  ```
378
380
  ## Threat Model Currency Assessment
379
381
 
@@ -409,3 +411,37 @@ Current reference: MITRE ATLAS v5.4.0 (February 2026)
409
411
  Threat model references: [version cited in document]
410
412
  Gap: [if different]
411
413
  ```
414
+
415
+ ---
416
+
417
+ ## Defensive Countermeasure Mapping
418
+
419
+ A threat model is current only when each of the 14 threat classes above has a named defensive control. The mapping below converts each class to the D3FEND defensive technique that disrupts its offensive TTP. A currency assessment that scores a class as "addressed" without naming the corresponding D3FEND technique is under-specified — the threat model identifies the threat but does not commit to a defence.
420
+
421
+ | Class | Offensive TTP | D3FEND ID | Defensive technique | Defense-in-depth layer |
422
+ |---|---|---|---|---|
423
+ | 1 — AI-discovered kernel LPE (Copy Fail) | T1068 | `D3-KBPI` | Kernel-Based Process Isolation | Kernel — compensating control during the AI-compressed weaponization window |
424
+ | 2 — Deterministic LPE | T1068 | `D3-SCA` | System Call Analysis | Endpoint — detect the deterministic primitive at syscall layer |
425
+ | 3 — IPsec subsystem LPE (Dirty Frag / Fragnesia) | T1190 | `D3-NI` | Network Isolation (non-IPsec data path) | Network — segmentation independent of the compromised cryptographic subsystem |
426
+ | 4 — Prompt injection RCE | AML.T0051, AML.T0054 | `D3-IOPR` | Input/Output Profiling | SDK / application — content-aware prompt+completion inspection |
427
+ | 4 — Prompt injection RCE (gateway tier) | AML.T0051 | `D3-CSPP` | Client-server Payload Profiling | LLM gateway — when SDK-side instrumentation is not deployable |
428
+ | 5 — MCP supply chain RCE | AML.T0010 | `D3-EAL` | Executable Allowlisting | Managed endpoint — only sanctioned MCP servers and IDE assistants execute |
429
+ | 5 — MCP supply chain RCE | AML.T0010 | `D3-EFA` | Executable File Analysis | Endpoint — pre-execution analysis of MCP-server binaries |
430
+ | 6 — AI-assisted weaponization | AML.T0016 | `D3-NTA` | Network Traffic Analysis | Network egress — detect attacker-side AI-API queries from compromised tooling |
431
+ | 7 — AI as covert C2 (SesameOp) | AML.T0096 | `D3-NTA` | Network Traffic Analysis | Network egress — per-identity baseline of model-API destinations |
432
+ | 8 — AI-generated malware evasion (PROMPTFLUX) | AML.T0016 | `D3-PA` | Process Analysis | Endpoint — behavioral detection of in-process LLM-query patterns |
433
+ | 9 — RAG exfiltration | AML.T0043 | `D3-FAPA` | File Access Pattern Analysis | Data tier — RAG-corpus retrieval-pattern baselining |
434
+ | 10 — Model poisoning | AML.T0020 | `D3-FAPA` | File Access Pattern Analysis | Data tier — training-corpus access-pattern baselining |
435
+ | 11 — AI-speed reconnaissance | T1595 | `D3-NTA` | Network Traffic Analysis | Network ingress — recalibrated thresholds for AI-speed probe rates |
436
+ | 12 — AI-generated phishing | T1566, AML.T0016 | `D3-MFA` | Multi-factor Authentication (passkey class) | Identity — remove the credential-disclosure win condition AI phishing optimizes for |
437
+ | 12 — AI-generated phishing (gateway tier) | T1566 | `D3-CSPP` | Client-server Payload Profiling | Email gateway — stylometric drift detection for LLM-generated lures |
438
+ | 13 — ATLAS coverage | All AML.T* | `D3-IOPR` + `D3-NTA` | Input/Output Profiling + Network Traffic Analysis | SDK + network — the two-layer minimum for AI TTP detection |
439
+ | 14 — Post-quantum adversary | T1557 (harvest-now-decrypt-later) | `D3-MENCR` | Message Encryption (PQC-hybrid TLS) | Network — ML-KEM / X25519 hybrid key agreement for long-lived sensitive traffic |
440
+
441
+ **Defense-in-depth posture:** the 14-class currency score (per the Scoring section above) is upgraded from "addressed" to "operationally addressed" only when each class names at least one deployed D3FEND technique from the table. A threat model that scores 28/28 on knowledge of threats but cites zero D3FEND techniques is paper-current — the document is updated, the defence is not.
442
+
443
+ **Least-privilege scope:** the D3FEND techniques in this table are technique-level; their per-principal scoping is owned by the downstream skill cited in each class (e.g. `ai-attack-surface` owns `D3-IOPR` scoping for AI principals, `kernel-lpe-triage` owns `D3-KBPI` scoping for kernel-class assets). The threat-model currency assessment cites the technique by ID; the scoping document lives in the downstream skill.
444
+
445
+ **Zero-trust posture:** every class above is verified in production before the currency score credits it. A class scored as "addressed" with a D3FEND technique that is policy-approved but not deployed, or deployed but not monitored, or monitored but not tested against the cited TTP, is over-credited. The Priority Update Roadmap field (per the Output Format) must list verification tests alongside the technique deployment plan.
446
+
447
+ **AI-pipeline applicability (per AGENTS.md Hard Rule #9):** Classes 4, 5, 7, 8, 9, 10, 11, 12, 13 are AI-pipeline-applicable. `D3-EAL` does not apply to serverless inference endpoints; the scoped alternative is `D3-CSPP` at the gateway plus signed-image attestation at the provider. `D3-FAPA` on ephemeral RAG indices degrades to per-query retrieval logging via `D3-IOPR` plus index-build provenance signed at construction. The currency assessment must record these degradations explicitly when scoring AI-pipeline classes.
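Review bot: the Class 3 row is labelled "IPsec subsystem LPE" yet maps to T1190 (Exploit Public-Facing Application), while Classes 1 and 2 map LPE to T1068 and the framework-gap-analysis mapping earlier in this diff groups Fragnesia with Copy Fail under T1068; pick one mapping (T1068 for the escalation primitive, T1190 only where the IPsec bug is reachable remotely) and use it in both files. Also, Class 14 cites "T1557 (harvest-now-decrypt-later)": T1557 is Adversary-in-the-Middle, an active interception technique, so the parenthetical should not present HNDL as its name; either drop the technique ID for that class or describe HNDL as a passive-collection consequence that T1557 does not cover cleanly. Finally, the "28/28" figure in the defense-in-depth paragraph should be derived from the Scoring section's stated maximum rather than restated as a literal, so the two cannot drift.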
@@ -234,6 +234,8 @@ Per Hard Rule AGENTS.md #12 (external data version pinning): when ATLAS, ATT&CK,
234
234
 
235
235
  ## Output Format
236
236
 
237
+ The skill produces a structured Threat Model per system covering the chosen methodology composite (STRIDE-ML + LINDDUN + Diamond, or Unified Kill Chain v3.0, or a domain-specific composite), the data-flow diagram, identified threats with ATLAS / ATT&CK mapping, mitigations with D3FEND ID, and the currency-trigger list that schedules re-runs. The shape below is consumed downstream by `threat-model-currency` (which scores the model against the 14-class checklist), by `framework-gap-analysis` (which converts each unmitigated threat into a Framework Lag Declaration), and by `policy-exception-gen` (for any threat accepted as residual risk). Preserve the methodology-rationale field verbatim — it is the auditable justification for the chosen composite.
238
+
237
239
  ```
238
240
  ## Threat Model — <system name>
239
241
  **Date:** YYYY-MM-DD
@@ -185,6 +185,8 @@ The procedure threads three foundational design principles end-to-end. They are
185
185
 
186
186
  ## Output Format
187
187
 
188
+ The skill produces a Web Application Security Assessment covering OWASP ASVS-mapped per-control coverage, OWASP Top 10 + API Top 10 findings, AI/LLM Top 10 exposure for any LLM-integrated routes, dependency-risk inventory, and the prioritized remediation roadmap. The shape below is consumed downstream by `api-security` (for service-to-service routes), by `ai-attack-surface` (for any LLM-integrated component), and by `compliance-theater` (which compares the ASVS-claimed level against the deployed-control evidence). Preserve the per-control coverage rows verbatim — they are the auditable ASVS-level derivation.
189
+
188
190
  ```
189
191
  ## Web Application Security Assessment
190
192