@blamejs/exceptd-skills 0.13.3 → 0.13.4

package/AGENTS.md

@@ -156,7 +156,7 @@ Cross-cutting playbook `framework` is the natural correlation layer — many pla
 
 | Verb | What it does |
 |---|---|
-| `exceptd brief --all` | Grouped-by-scope summary of all 16 playbooks. `--scope <type>` filters. `--directives` expands directive IDs/titles per playbook. `--flat` for non-grouped. Legacy alias: `exceptd plan` (deprecated, scheduled for removal in v0.13). |
+| `exceptd brief --all` | Grouped-by-scope summary of all 20 playbooks. `--scope <type>` filters. `--directives` expands directive IDs/titles per playbook. `--flat` for non-grouped. `exceptd plan` was removed in v0.13.0; invoking it returns a structured `ok:false` refusal pointing at this command. |
 | `exceptd brief <pb>` | Phase 2 threat-context briefing — threat context, RWEP thresholds, skill chain, token budget, jurisdiction obligations. |
 | `exceptd run <pb> --evidence <file>` | Phases 5-7 (analyze + validate + close) from agent evidence. Auto-detect cwd when no playbook positional. `--vex <file>` drops CycloneDX/OpenVEX `not_affected` CVEs. `--diff-from-latest` for drift mode. `--force-stale` overrides currency hard-block. |
 | `exceptd ai-run <pb>` | Streaming variant of `run` for AI agents; emits phase-by-phase NDJSON. |
@@ -164,12 +164,14 @@ Cross-cutting playbook `framework` is the natural correlation layer — many pla
 | `exceptd ci` | Top-level CI gate for a single playbook with exit-code semantics. Preferred over `run --ci`. |
 | `exceptd discover` | Repo discovery — scans cwd and surfaces matching playbooks + collection hints. |
 | `exceptd ask <pb> <question>` | Read-only Q&A against a playbook's directives, indicators, and threat context. |
-| `exceptd attest diff <sid>` | Replay analyze against a stored evidence bundle for drift detection. `--against <other-sid>` compares two sessions. `--playbook <id>` + `--since <ISO>` accepted with `--latest`. Legacy alias: `exceptd reattest` (deprecated, scheduled for removal in v0.13). |
+| `exceptd attest diff <sid>` | Replay analyze against a stored evidence bundle for drift detection. `--against <other-sid>` compares two sessions. `--playbook <id>` + `--since <ISO>` accepted with `--latest`. `exceptd reattest` remains a short-form alias — preserved (no removal scheduled). |
 | `exceptd attest verify <sid>` | Verify a persisted attestation's signature + evidence hash. |
 | `exceptd attest list` | Inventory `.exceptd/attestations/` — newest first. `--playbook <id>` filters. |
 | `exceptd attest show <sid>` | Print the attestation body. |
-| `exceptd doctor` | Health checks. `--signatures` verifies Ed25519 chains; `--cves` / `--rfcs` check catalog currency; `--fix` repairs recoverable state. |
+| `exceptd doctor` | Health checks. `--signatures` verifies Ed25519 chains; `--cves` / `--rfcs` check catalog currency; `--fix` repairs recoverable state; `--ai-config` audits AI-assistant config-file permissions (`~/.claude`, `~/.cursor`, `~/.codeium`, `~/.aider`, `~/.continue`) and flags sensitive files not at mode `0o600` on POSIX (NEW-CTRL-050). |
 | `exceptd lint` | Skill format lint — frontmatter completeness, required body sections, signature presence. |
+| `exceptd refresh --check-advisories` | Poll 8 primary-source advisory feeds (Qualys TRU, Red Hat RHSA, Ubuntu USN, ZDI, kernel.org commits, oss-security mailing list, JFrog SecOps, CISA current advisories) for CVE IDs at T+0 to T+1 — typically 3-14 days ahead of NVD enrichment. Report-only; emits structured `diffs[]` without mutating the catalog. Route promising IDs through `refresh --advisory <CVE-ID> --apply` to enrich. |
+| `exceptd watchlist` | Default: aggregate every skill's `forward_watch` entries. `--by-skill` inverts grouping. `--alerts` switches to CVE-catalog pattern alerts (5 patterns: `kernel_lpe_with_poc`, `supply_chain_family`, `ai_discovered_kev`, `active_exploitation_unpatched`, `recent_poc_no_kev_yet`); sorts critical-first, then by RWEP. `--org-scan --org <login>` probes GitHub Search for repos matching threat-actor naming patterns ("A Gift From TeamPCP", "Shai-Hulud", "TeamPCP"); custom patterns via repeatable `--pattern <s>`; set `GITHUB_TOKEN` for private-repo + rate-limit headroom (NEW-CTRL-052). |
 
 All verbs support `--help` for per-verb usage. JSON output by default; `--pretty` for indented.
 
@@ -210,6 +212,37 @@ Right: every new CVE triggers a corresponding entry in `zeroday-lessons.json` ma
 
 ---
 
+## New Control Requirements
+
+When a zero-day surfaces a control class no existing framework covers, the learning loop produces a `NEW-CTRL-*` entry under `data/zeroday-lessons.json[<CVE-ID>].new_control_requirements[]`. These are the operator-actionable controls the framework set is missing. The IDs are stable — cite them in skill bodies, in operator reports, and in framework-gap analyses.
+
+Recently added (use the IDs in skill prose and operator briefings; full text in `data/zeroday-lessons.json`):
+
+| ID | Name | Surfacing zero-day | Coverage gap closed |
+|---|---|---|---|
+| `NEW-CTRL-048` | NPM-MAINTAINER-MFA-ENFORCEMENT / KERNEL-EXIT-RACE-CVE-CLASS-MONITORING | `MAL-2026-NODE-IPC-STEALER`, `CVE-2026-46333` | NIST-800-218 SSDF, NIST-800-53 IA-5/AU-2/SI-4, NIS2 Art.21 supply-chain |
+| `NEW-CTRL-049` | LOCKFILE-INTEGRITY-VERIFIED-AT-CI-BOOT / SUID-MINIMIZATION-FOR-KERNEL-LPE-CARRIER-BINARIES | `MAL-2026-NODE-IPC-STEALER`, `CVE-2026-46333` | NIST-800-218 SSDF, EU CRA Art.13, SLSA Build L3, NIST-800-53 CM-6/AC-3 |
+| `NEW-CTRL-050` | AI-ASSISTANT-CONFIG-FILE-PERMISSION-LOCKDOWN | `MAL-2026-SHAI-HULUD-OSS` | NIST-800-53 AC-3/CM-6. Enforced operationally by `exceptd doctor --ai-config`. |
+| `NEW-CTRL-051` | NPM-PUBLISH-TOKEN-WORKSTATION-ISOLATION | `MAL-2026-SHAI-HULUD-OSS` | NIST-800-53 IA-5, NIST-800-218 SSDF PW.4 |
+| `NEW-CTRL-052` | GITHUB-REPO-PATTERN-MONITORING-FOR-EXFIL-CHANNELS | `MAL-2026-SHAI-HULUD-OSS` | NIST-800-53 SI-4. Enforced operationally by `exceptd watchlist --org-scan`. |
+| `NEW-CTRL-053` | MCP-SERVER-CONFIG-ALLOWLIST | `CVE-2026-30623` (Anthropic MCP SDK stdio injection) | NIST AI RMF MEASURE 2.7, OWASP LLM Top 10 2025 LLM05 |
+| `NEW-CTRL-054` | BACKUP-TIER-NETWORK-ISOLATION | `CVE-2025-59389` (QNAP Hyper Data Protector preauth RCE) | ISO-27001-2022 A.8.13, NIS2 Art.21 business-continuity |
+| `NEW-CTRL-055` | SECURITY-TOOL-INTEGRITY-VERIFICATION | `CVE-2025-11837` (QNAP Malware Remover code-injection) | NIST-800-53 SI-3, ISO-27001-2022 A.8.7, PCI-DSS 4.0 §5.1 |
+
+When you cite a `NEW-CTRL-*` ID in a skill body, the lint reads the upstream `zeroday-lessons.json` entry as the authoritative source for the requirement text — do not paraphrase the description in the skill body, link to the ID instead.
+
+---
+
+## Operational threat-intake cadence
+
+The toolkit ships with a `routine: exceptd-threat-intake` (claude.ai remote agent) that runs daily at 14:00 UTC. Sequence: `npm install` → `refresh --check-advisories` (poll the 8 primary-source feeds) → `watchlist --alerts` (5-pattern CVE-class scan) → `refresh --apply` → `refresh --advisory <CVE-ID>` for up to 5 newly-disclosed IDs from the primary-source diff → re-sign + rebuild-indexes if the catalog mutated → commit on `intake/<YYYY-MM-DD>` branch with the full diff in the report.
+
+The routine is operator-managed at <https://claude.ai/code/routines>. Closes the cadence gap between vendor disclosure (T+0) and NVD enrichment (T+10) — operators no longer depend on manual intake to surface ssh-keysign-pwn-class or Shai-Hulud-class events.
+
+When working on a fresh checkout: do not invoke the daily routine ad-hoc — it commits + pushes a branch. For one-off triage, use `exceptd refresh --check-advisories` (report-only) followed by `exceptd refresh --advisory <CVE-ID>` for the specific IDs you want to enrich.
+
+---
+
 ## Skill File Format
 
 Every `skills/*/skill.md` must have this frontmatter:
@@ -375,4 +408,8 @@ Maintainers convert approved requests into skill files. The contributor is credi
 | cloud iam incident, aws account takeover, gcp account takeover, azure account takeover, cross-account assume-role, imds, access key leak, snowflake breach, scim, workload identity | cloud-iam-incident |
 | email security, anti-phishing, dmarc, dkim, spf, bimi, arc, mta-sts, bec, vishing, deepfake phishing | email-security-anti-phishing |
 | age gate, age verification, coppa, cipa, california aadc, uk children's code, kosa, gdpr article 8, dsa article 28, parental consent, csam, child safety, children's online safety | age-gates-child-safety |
-| forward watch, watchlist, upcoming standards, horizon scan | `node orchestrator/index.js watchlist` (add `--by-skill` to invert) |
+| forward watch, watchlist, upcoming standards, horizon scan | `exceptd watchlist` (add `--by-skill` to invert) |
+| CVE alert triage, kernel LPE PoC, supply-chain MAL, active exploitation | `exceptd watchlist --alerts` |
+| github repo pattern scan, Shai-Hulud, TeamPCP, exfil-channel monitoring | `exceptd watchlist --org-scan --org <login>` |
+| AI-assistant config permission audit, ~/.cursor, ~/.claude, ~/.codeium, MCP config lockdown | `exceptd doctor --ai-config` |
+| primary-source advisory polling, Qualys TRU, Red Hat RHSA, Ubuntu USN, ZDI, kernel.org, oss-security, JFrog, CISA | `exceptd refresh --check-advisories` |

package/CHANGELOG.md

@@ -1,5 +1,39 @@
 # Changelog
 
+## 0.13.4 — 2026-05-18
+
+Warning-cleanup pass + catalog hygiene + docs surfacing. The post-v0.13.3 state had ~43 skill lint warnings and 20 cosmetic playbook warnings that operators saw on every predeploy run; this release drives both to zero. README and AGENTS catch up with the v0.13.0 → v0.13.3 operator surface.
+
+### Bugs
+
+**Playbook `_meta.fed_by` is now schema-accepted.** v0.13.0 added the `_meta.fed_by[]` reverse-direction field to every playbook but never updated `lib/schemas/playbook.schema.json`; every playbook surfaced a cosmetic `unexpected property "fed_by"` warning. Schema now declares the field as an array of strings; warning count for `validate-playbooks` drops from 22 → 0. 20/20 playbooks now validate clean without warnings.
+
+**Skill lint cleanup: 43 warnings → 0.** Two categories addressed:
+
+- **Output Format section too short (32 skills):** the lint requires `## Output Format` carry ≥ 20 words of body text. Most skills had the section terminated early because H2 / H1 headings inside example-output code fences were detected as real headings by the lint's heading-finder. Each affected skill now carries 1-2 sentences of explanatory prose between the `## Output Format` heading and the first fenced code block — naming the report shape, the downstream consumers (compliance-theater, framework-gap-analysis, incident-response-playbook, global-grc, CSAF auditor bundles), and the load-bearing fields operators must preserve verbatim. Two skills (`mcp-agent-trust`, `fuzz-testing-strategy`) had analogous heading-collision issues in other sections; same fix pattern.
+
+- **Missing Defensive Countermeasure Mapping section (6 skills):** the section is required for skills with `last_threat_review >= 2026-05-11`. Added to `framework-gap-analysis`, `compliance-theater`, `exploit-scoring`, `policy-exception-gen`, `threat-model-currency`, `zeroday-gap-learn`. Each section ships a 5-10 row table mapping offensive TTPs (ATLAS / ATT&CK) to D3FEND defensive technique IDs (all verified against `data/d3fend-catalog.json`), plus defense-in-depth posture, least-privilege scope, zero-trust posture, and AI-pipeline applicability notes per AGENTS.md Hard Rule #9. Updated `last_threat_review` to `2026-05-18`.
+
+Final lint state: **42/42 skills passing, 0 warnings.**
+
+**2 stuck-draft CVEs removed from catalog.** `MAL-2026-ANTHROPIC-MCP-STDIO` was a `_quarantine: true` duplicate of the verified `CVE-2026-30623` (Anthropic MCP SDK stdio command-injection). `CVE-2026-GTIG-AI-2FA` was a `_draft: true` placeholder for an embargoed/un-assigned CVE id. Both removed. Cross-references updated in `data/exploit-availability.json`, `data/framework-control-gaps.json` (inline text in `NIST-AI-RMF-MEASURE-2.7`), `data/_indexes/chains.json` (regenerated), `data/zeroday-lessons.json`. Catalog state now **38/38 verified, 0 drafts**.
+
+### Features
+
+**README.md catches up with v0.13.0 → v0.13.3 operator surface.** New documentation for: `exceptd watchlist --alerts` (CVE-class pattern matcher; 5 patterns), `exceptd watchlist --org-scan` (GitHub repo-pattern monitoring per NEW-CTRL-052; `--org`, `--pattern`, `GITHUB_TOKEN` env var), `exceptd doctor --ai-config` (file-mode audit per NEW-CTRL-050; walks ~/.claude / ~/.cursor / ~/.codeium / ~/.aider / ~/.continue), `exceptd refresh --check-advisories` (8-feed primary-source poller: Qualys / RHSA / USN / ZDI / kernel-org / oss-security / JFrog / CISA), and the daily scheduled `exceptd-threat-intake` remote agent. Playbook count updated 16 → 20 with the 4 v0.13.0 additions named. Legacy verb table split into "Removed in v0.13.0" (5 verbs) vs "Aliases — still functional, no removal scheduled" (10 verbs). Watchlist now has a first-class CLI block instead of the prior "no replacement yet" stub.
+
+**AGENTS.md catches up.** Two new sections:
+- **New Control Requirements** — table documenting NEW-CTRL-048 through NEW-CTRL-055 with name, surfacing zero-day, and coverage gap closed. Skill bodies should cite the IDs rather than paraphrase the upstream description.
+- **Operational threat-intake cadence** — documents the daily `exceptd-threat-intake` routine, the sequence it runs (`refresh --check-advisories` → `watchlist --alerts` → `refresh --apply` → `refresh --advisory <CVE-ID>` for up to 5 new IDs → PR), and operator instructions for one-off triage.
+
+CLI reference table extended: `exceptd brief --all` row updated 16 → 20 playbooks; `exceptd attest diff <sid>` row updated to describe `reattest` as a preserved short-form alias; `exceptd doctor` row added `--ai-config`; two new rows added for `exceptd refresh --check-advisories` and `exceptd watchlist`. Quick Skill Reference table replaced legacy `node orchestrator/index.js watchlist` invocation with `exceptd watchlist`.
+
+### Internal
+
+- 18 new tests: `tests/v0_13_4-fixes.test.js` (13 pins covering Phases A / C / E), `tests/doctor-ai-config-substantive.test.js` (5 fixture-driven tests, POSIX-only), `tests/watchlist-org-scan-substantive.test.js` (5 envelope-shape tests).
+- Test-count baseline refreshed.
+- Predeploy: 15/15 gates green; both `validate-playbooks` and `lint-skills` now run warning-free.
+
 ## 0.13.3 — 2026-05-18
 
 Audit close-out continuation: the items the prior pass marked for follow-up. Workflow hardening, lint enforcement promoted from warning to hard error, two new operator-facing health checks for the Shai-Hulud lesson controls, and 4 more primary-source pollers covering kernel.org / oss-security / JFrog / CISA.

package/README.md

@@ -30,7 +30,7 @@ This platform surfaces what is actually happening right now. Every skill explici
 
 ## Status
 
-Pre-1.0. Latest release lives on [GitHub Releases](https://github.com/blamejs/exceptd-skills/releases) and on npm as [`@blamejs/exceptd-skills`](https://www.npmjs.com/package/@blamejs/exceptd-skills) with signed npm provenance attestation and Ed25519-signed skill bodies. The package ships 42 skills across kernel LPE, MCP supply chain, AI-as-C2, prompt injection, post-quantum crypto, SBOM integrity, identity-incident response, and 35 other AI/security domains, plus 10 intelligence catalogs (CVE / ATLAS / ATT&CK / CWE / D3FEND / DLP / RFC / framework gaps / global frameworks / zero-day lessons) covering 35 jurisdictions, a CLI for discovery and seven-phase investigation runs (`govern → direct → look → detect → analyze → validate → close`), and a nightly auto-refresh job that pulls KEV / NVD / EPSS / GHSA / OSV / IETF deltas into auto-PRs for editorial review.
+Pre-1.0. Latest release lives on [GitHub Releases](https://github.com/blamejs/exceptd-skills/releases) and on npm as [`@blamejs/exceptd-skills`](https://www.npmjs.com/package/@blamejs/exceptd-skills) with signed npm provenance attestation and Ed25519-signed skill bodies. The package ships 42 skills across kernel LPE, MCP supply chain, AI-as-C2, prompt injection, post-quantum crypto, SBOM integrity, identity-incident response, and 35 other AI/security domains, plus 10 intelligence catalogs (CVE / ATLAS / ATT&CK / CWE / D3FEND / DLP / RFC / framework gaps / global frameworks / zero-day lessons) covering 35 jurisdictions, 20 investigation playbooks (kernel, MCP, AI-API, framework, SBOM, runtime, hardening, secrets, cred-stores, containers, crypto, plus `webhook-callback-abuse`, `cicd-pipeline-compromise`, `identity-sso-compromise`, `llm-tool-use-exfil`, and more), a CLI for discovery and seven-phase investigation runs (`govern → direct → look → detect → analyze → validate → close`), and a nightly auto-refresh job that pulls KEV / NVD / EPSS / GHSA / OSV / IETF deltas plus primary-source advisories (Qualys TRU, Red Hat RHSA, Ubuntu USN, ZDI, kernel.org, oss-security, JFrog, CISA) into auto-PRs for editorial review.
 
 ---
 
@@ -154,6 +154,16 @@ Air-gapped operation: run `exceptd refresh --prefetch` on a connected host, copy
 
 Fresh-disclosure workflow (v0.12.0): the nightly auto-PR job pulls KEV / NVD / EPSS / IETF / **GHSA** (added in v0.12.0) / **OSV** (added in v0.12.10). KEV typically takes days; NVD ~10 days; GHSA fires within hours of disclosure and covers npm + PyPI + Maven + Go + NuGet + …; OSV aggregates the OSSF Malicious Packages dataset (`MAL-*` keys) + Snyk + RustSec + Mageia + Ubuntu USN + Go Vuln DB + PYSEC + UVI on top of GHSA — useful for malicious-package compromises that don't have CVEs yet (`exceptd refresh --advisory MAL-2026-3083`). New IDs land as drafts (`_auto_imported: true`, `_draft: true`) that the catalog validator treats as warnings, not errors — operators get the fresh entry immediately, editorial review (framework gaps, IoCs, ATLAS/ATT&CK refs) follows via `exceptd refresh --curate <ID>`. For "I want this advisory today, not tomorrow": `exceptd refresh --advisory <CVE-or-GHSA-or-MAL-or-SNYK-or-RUSTSEC-ID> --apply`.
 
+Primary-source advisory polling: `exceptd refresh --check-advisories` polls 8 vendor and coordinated-disclosure feeds (Qualys TRU, Red Hat RHSA, Ubuntu USN, Zero Day Initiative, kernel.org commits, oss-security mailing list, JFrog SecOps, CISA current advisories) that publish CVE IDs at T+0 to T+1 — typically 3–14 days ahead of NVD enrichment. The command is report-only: it returns a structured `diffs[]` listing each newly-seen CVE ID with its source attributions and advisory URLs, but does not mutate the catalog. Operators triage the output and route promising IDs through `exceptd refresh --advisory <CVE-ID> --apply`. Pairs naturally with the daily scheduled remote agent below.
+
+CVE-class alert surfacing: `exceptd watchlist --alerts` matches the live `cve-catalog.json` against five operational patterns (`kernel_lpe_with_poc`, `supply_chain_family`, `ai_discovered_kev`, `active_exploitation_unpatched`, `recent_poc_no_kev_yet`) and returns the matches sorted critical-severity-first, then by RWEP. Use as a fast operational triage on a refreshed catalog without scanning every entry by hand.
+
+GitHub repo-pattern monitoring: `exceptd watchlist --org-scan --org <login>` probes GitHub Search for repositories matching known threat-actor naming patterns ("A Gift From TeamPCP", "Shai-Hulud", "TeamPCP") scoped to one org. Custom patterns via repeatable `--pattern <s>`. Implements the canonical detection for the Shai-Hulud / TeamPCP supply-chain framework class — the attacker uses GitHub itself as the exfil channel. Set `GITHUB_TOKEN` for private-repo coverage and rate-limit headroom; public-repo search works without auth.
+
+AI-assistant config-file audit: `exceptd doctor --ai-config` walks `~/.claude`, `~/.cursor`, `~/.codeium`, `~/.aider`, and `~/.continue`, flagging sensitive files (`settings.json`, `mcp.json`, `*.mcp_config.json`, `api_key*`, `*.token`, `*.credentials`) not at mode 0600 on POSIX. On Windows the mode bits aren't load-bearing; each finding is surfaced with an info-level "manual ACL review" note. Catches the AI-config-credential-exfil class that the Shai-Hulud framework targets. Opt-in — does not run as part of the default no-flag `doctor` pass.
+
+Daily scheduled threat intake: a `routine: exceptd-threat-intake` (claude.ai remote agent) runs daily at 14:00 UTC. Sequence: `npm install` → `refresh --check-advisories` → `watchlist --alerts` → `refresh --apply` → `refresh --advisory <CVE-ID>` for up to 5 new CVE IDs from the primary-source feeds → re-sign + rebuild-indexes if the catalog mutated → commit on `intake/<YYYY-MM-DD>` branch with the full diff in the report. Closes the cadence gap that previously left fresh disclosures dependent on operator-triggered intake. Operator-managed at <https://claude.ai/code/routines>.
+
 Optional env vars for higher rate budgets:
 
 | Variable | Purpose |
@@ -270,6 +280,16 @@ exceptd doctor                        One-shot health check.
   --currency                          Only skill currency report.
   --cves                              Only CVE catalog drift check.
   --rfcs                              Only RFC catalog drift check.
+  --ai-config                         Audit AI-assistant config-file permissions
+                                      across ~/.claude, ~/.cursor, ~/.codeium,
+                                      ~/.aider, ~/.continue. Flags sensitive
+                                      files (settings.json, mcp.json,
+                                      *.mcp_config.json, api_key*, *.token,
+                                      *.credentials) not at mode 0600 on POSIX;
+                                      surfaces an info-level "manual ACL review"
+                                      note for each sensitive file on Windows.
+                                      Opt-in; not part of the default doctor
+                                      pass.
 
 exceptd ci                            One-shot CI gate. Exits 2 on detected or
                                       rwep ≥ rwep_threshold.escalate.
@@ -302,12 +322,56 @@ exceptd refresh                       Refresh upstream catalogs + indexes.
   --curate <CVE-ID>                   (v0.12.0) Emit editorial questions + ranked
                                       candidates (ATLAS/ATT&CK/CWE/framework) for
                                       a draft catalog entry.
+  --check-advisories                  Poll 8 primary-source advisory feeds
+                                      (Qualys TRU, Red Hat RHSA, Ubuntu USN,
+                                      ZDI, kernel.org commits, oss-security
+                                      mailing list, JFrog SecOps, CISA current
+                                      advisories) for CVE IDs disclosed at T+0
+                                      to T+1 — days ahead of NVD enrichment.
+                                      Report-only: emits structured diffs[]
+                                      with {cve_id, sources[], advisory_urls[],
+                                      disclosed_at, title}; does NOT mutate the
+                                      catalog. Route promising IDs through
+                                      `refresh --advisory <CVE-ID>` to enrich.
   --indexes-only                      Rebuild data/_indexes/*.json only.
 
-Sources (default = all): kev | epss | nvd | rfc | pins | ghsa (v0.12.0).
-GHSA covers npm, PyPI, Maven, Go, NuGet, etc. New CVE IDs land as drafts
-that the catalog validator treats as warnings, not errors — editorial
-review (framework gaps, IoCs, ATLAS/ATT&CK refs) is still required.
+Sources (default = all): kev | epss | nvd | rfc | pins | ghsa | osv.
+GHSA covers npm, PyPI, Maven, Go, NuGet, etc.; OSV layers Snyk, RustSec,
+Mageia, Ubuntu USN, Go Vuln DB, PYSEC, UVI, plus the OSSF Malicious
+Packages dataset (`MAL-*` keys). New IDs land as drafts that the catalog
+validator treats as warnings, not errors — editorial review (framework
+gaps, IoCs, ATLAS/ATT&CK refs) is still required.
+
+exceptd watchlist                     Default mode: aggregate every skill's
+                                      forward_watch entries (upcoming standards,
+                                      RFC publications, new TTPs to monitor).
+                                      `--by-skill` inverts the grouping.
+  --alerts                            Switch to CVE-catalog pattern alerts.
+                                      Five patterns ship:
+                                        - kernel_lpe_with_poc (high) — kernel
+                                          LPE class with public PoC + blast
+                                          radius >= 25
+                                        - supply_chain_family (high) — MAL-*
+                                          entries or `type: malicious-*`
+                                        - ai_discovered_kev (high) — AI-
+                                          discovered AND CISA KEV-listed
+                                        - active_exploitation_unpatched
+                                          (critical) — confirmed in-the-wild
+                                          + no patch available
+                                        - recent_poc_no_kev_yet (medium) —
+                                          public PoC verified within 14 days,
+                                          not yet KEV-listed
+                                      Sorted critical-severity first, then by
+                                      RWEP descending. JSON or human output.
+  --org-scan --org <login>            Probe GitHub Search for repositories
+                                      matching known threat-actor naming
+                                      patterns ("A Gift From TeamPCP",
+                                      "Shai-Hulud", "TeamPCP") scoped to one
+                                      org. Custom patterns via repeatable
+                                      `--pattern <s>`. Set GITHUB_TOKEN for
+                                      private-repo coverage + higher rate
+                                      limit; without it, public-repo search
+                                      only.
 
 exceptd skill <name>                  Show context for one skill.
 exceptd framework-gap <FW> <ref>      One framework + one CVE/scenario, JSON
@@ -319,31 +383,33 @@ exceptd help                          This help.
 exceptd <verb> --help                 Per-verb usage with flag descriptions.
 ```
 
-### Legacy v0.10.x verbs (deprecated, scheduled for removal in v0.13)
+### Legacy v0.10.x verbs
 
-These still work but emit a one-time deprecation banner per process:
+Five verbs removed in v0.13.0 after deprecation since v0.11.0. Invoking any of these now returns a structured `ok:false` refusal pointing at the replacement; pre-v0.13 scripts must migrate.
 
-| Legacy verb | v0.11.0 replacement |
+| Removed verb | Replacement |
 |---|---|
 | `plan` | `brief --all` |
 | `govern <pb>` | `brief <pb> --phase govern` |
 | `direct <pb>` | `brief <pb> --phase direct` |
 | `look <pb>` | `brief <pb> --phase look` |
+| `ingest` | `run` |
+
+The remaining v0.10.x verbs are aliases — still functional, no banner, no removal scheduled:
+
+| Alias | Canonical |
+|---|---|
 | `scan` | `discover --scan-only` |
 | `dispatch` | `discover` |
 | `currency` | `doctor --currency` |
 | `verify` | `doctor --signatures` |
 | `validate-cves` | `doctor --cves` |
 | `validate-rfcs` | `doctor --rfcs` |
-| `ingest` | `run` |
 | `reattest <sid>` | `attest diff <sid>` |
 | `list-attestations` | `attest list` |
-| `watchlist` | (no replacement yet — kept) |
 | `prefetch` | `refresh --no-network` |
 | `build-indexes` | `refresh --indexes-only` |
 
-Suppress the deprecation banner: `EXCEPTD_DEPRECATION_SHOWN=1`.
-
 ## Invoking a skill from your AI assistant
 
 Once your assistant has loaded `AGENTS.md`, type a trigger phrase or skill name:
@@ -399,7 +465,7 @@ The `agents/` directory ships markdown role cards documenting authoring conventi
 All skills pull from `data/`. Cross-validated against canonical upstream sources via `exceptd refresh` / `exceptd doctor --cves` / `exceptd doctor --rfcs`.
 
 - `cve-catalog.json` — CVE metadata with RWEP scores, CISA KEV status, PoC availability, live-patch info
-- `atlas-ttps.json` — MITRE ATLAS v5.4.0 TTPs with gap flags and exploitation examples
+- `atlas-ttps.json` — MITRE ATLAS v5.4.0 TTPs with gap flags and exploitation examples. Each TTP now carries a `cve_refs[]` back-edge — operators reading an ATLAS entry see the catalogued CVEs that cite it without grepping `cve-catalog.json`. The same back-edge is populated on `attack-techniques.json`, and each playbook carries a `_meta.fed_by[]` reverse field naming the upstream playbooks that chain into it.
 - `framework-control-gaps.json` — Per-framework, per-control: what it was designed for vs. what it misses
 - `exploit-availability.json` — PoC locations, weaponization status, AI-assist factor
 - `global-frameworks.json` — All major global compliance frameworks (35 jurisdictions) with control inventories and lag scores

package/data/_indexes/_meta.json

@@ -1,61 +1,61 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-18T03:04:24.499Z",
+  "generated_at": "2026-05-18T04:13:12.063Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 54,
   "source_hashes": {
-    "manifest.json": "b1b4b86879805e28975155d7aa29c1d1463ec266f2c98a1045d543ecf5acaa6c",
+    "manifest.json": "0d7cc1e5a718515519e81b973126f0fe316ad8252e4c8e04f54934ea575a9b80",
     "data/atlas-ttps.json": "2b021f47355365d1ba59078dfa582397c7a64c2b4ebea4657ea260a66b76daf6",
     "data/attack-techniques.json": "76461dbec048c5e072435d57e3a04b780e3992dab9f316b1b52608e0a997e355",
-    "data/cve-catalog.json": "1d34601fbc4ff925ac38b8eb325375a32dc60ffaff31a23a5ca5f3e1524e88f8",
+    "data/cve-catalog.json": "4b8c05074744f9e099c776e0f9c3afd2b978fc52d702bc8805c3b5bfecdbafcb",
     "data/cwe-catalog.json": "4a0036f9ec17af29e0df111ac77b94f8be6a52742bfd89ff3583096d23b75e35",
     "data/d3fend-catalog.json": "a1fc2827ceb344669e148d55197dbf1b0e5b20bcc618e90517639c17d67ee82d",
     "data/dlp-controls.json": "d2406c482dddd30e49203879999dc4b3a7fd4d0494d6a61d86b91ee76415df19",
-    "data/exploit-availability.json": "003a400f5ae5b15527589571679ccdb9b3a62e60073627b5fbdeb2a9fe330a7a",
-    "data/framework-control-gaps.json": "ce1535f13d29ab90fac99b983f38a23dd685702b3f12ac9f2371294cb9859ecf",
+    "data/exploit-availability.json": "ec2656f0d9a893610e27b43eb6035fe9b18e057c9f6dfaac7e7d4959bbcbb795",
+    "data/framework-control-gaps.json": "994bf3203f3a2c80fe21194d00f67ecffa77b80193ba3f4b046e9d38e7b09f0f",
     "data/global-frameworks.json": "9ba563a85f7f8d6c3c957de64945e20925a89d0ed6ea6fc561cf093811acf558",
     "data/rfc-references.json": "e253a548c8a829d178d5aea601e268724b85c936ccbfa51c2e5d80c5f8efe2b0",
-    "data/zeroday-lessons.json": "1438620d2c8b0606eac4f63e620906b9ba079c57bfa7f737ceb6a50370cdc9a5",
-    "skills/kernel-lpe-triage/skill.md": "ae4a0af924d0078ffc6cd051a3ef9fce75a6a3f9c0c15d1c07900ae5faf80502",
-    "skills/ai-attack-surface/skill.md": "dcca7d92a1ab4d1e4c46356b614a138b1c1f79b65a6a290eccf2095d8d443993",
-    "skills/mcp-agent-trust/skill.md": "6821f6d38f6e23bbed953f8f86a279597b0b95a2d0548b5383e851bca7442531",
-    "skills/framework-gap-analysis/skill.md": "3b139eaefbedd36b2379cfe22dceef71e97d0e34404b0009b7afbfe0a8dc39e6",
-    "skills/compliance-theater/skill.md": "a1387c523f7aa2481a199f6288e0152b94aa5a6644600eb39dbb3ea9ee9af6bd",
-    "skills/exploit-scoring/skill.md": "fba9e27722d361cc6ed5992d9aaeaa397598b417fc5a0d6fe0bee2993942e7e8",
-    "skills/rag-pipeline-security/skill.md": "ff07e48918090247aef71def4150b0df372a24bcdaa34eb6e11d246b9e71e1ee",
-    "skills/ai-c2-detection/skill.md": "3da9f549f5c62e6163cddd70c8edccbef7be622d5a45fa89c90c6550e68c6b2e",
-    "skills/policy-exception-gen/skill.md": "a7d886f7fa99a150b040f158b09045ba45e107439315389aea785311b0013395",
-    "skills/threat-model-currency/skill.md": "cf1cc27ae5ae68d336c56d9f3afd950641e1d8d5b9f90b64c2daf00abe92bab0",
-    "skills/global-grc/skill.md": "1dca534cce7612c1d26a7b1bfd088a811081555ecfa25b1f68cff2ca2ba28c98",
-    "skills/zeroday-gap-learn/skill.md": "e26f194880cd6acf46abe31e9348d445e9222c7691e9b9b953662c4a472462f5",
-    "skills/pqc-first/skill.md": "a7131b65d0ceee47887b16679ee4e4b065d32d8751fe59921762388703662913",
-    "skills/skill-update-loop/skill.md": "b6f3bee321833dc18f5624a9be4d28673d22e22018254b0bd1f3690b945073af",
-    "skills/security-maturity-tiers/skill.md": "ed962937c45f3d95f325f231b787d272fe45c4cb91d4c5a2d982493d722c2acf",
-    "skills/researcher/skill.md": "fd441131484dc5af4cd785ded0bac039123e6205483543752cb16fa508460c00",
-    "skills/attack-surface-pentest/skill.md": "0d301beb9fb8e247ec80256a7e647804b5f9a41c7156e5724555ca9f93ccb986",
-    "skills/fuzz-testing-strategy/skill.md": "fb8c261def9e3344b44fd219c209027029e1eddf0e6bee1ecffb2d2176e1585e",
-    "skills/dlp-gap-analysis/skill.md": "1c4e1d7da2421b82f202eaf2c9e21876af34ab5c76ce1359166842ee473f02dd",
-    "skills/supply-chain-integrity/skill.md": "ad69b72f5c5df095f8618b977fbc8f0fbff396eebd4a8448b44c3f93309f63f9",
-    "skills/defensive-countermeasure-mapping/skill.md": "3d0c7ca85f32ee1fe74598889361ef2be16d099fe6e9e8d8c8184b7004306b30",
-    "skills/identity-assurance/skill.md": "4ee7096fd82997c66b0f9e825ea3c04c3aa84768b74e6f668c1a9104104138cf",
-    "skills/ot-ics-security/skill.md": "7423cca19aab1026c07de63279137441018345731d3ee895c474316d432adaa2",
-    "skills/coordinated-vuln-disclosure/skill.md": "0e875953bb8a38a89c8ec5d2a9ef967b12e9a9f166dc9356723f10304fd0535e",
-    "skills/threat-modeling-methodology/skill.md": "cebeba3940320ebc5b44ad2bb7b4cdcda412257c1a6319a1b7379c875ebe8d6a",
-    "skills/webapp-security/skill.md": "f2063eaea3f5ddf0f3d37b41985bf522b682a41f104796b3f0dff611cefd043c",
-    "skills/ai-risk-management/skill.md": "2b611eb8fa4841fdfc3f1dd1ffd504a46c6ecdc654213a955efbabefb6b1db87",
-    "skills/sector-healthcare/skill.md": "a18e11d25524cdbf40df3798f4c2aa3cb51a4db1b088242ea53fa2885e86b64c",
-    "skills/sector-financial/skill.md": "023b5440d614e6b83ba7294219bcac3cdbffd28fdfdd5f0ec23abbeea71b8230",
-    "skills/sector-federal-government/skill.md": "a73c3f36f23c12750d369931b7e3f884edae4a8aef35fc8690d15ef4500c4dd0",
-    "skills/sector-energy/skill.md": "91f00e7a9be2608393ec8cb6d5f0c9828f81b954a12a7c9fd04bd642b9091e09",
+    "data/zeroday-lessons.json": "3d4c18977f2100f200e209dc55331931a5d0adc54af35879fc58f1b43deac56f",
+    "skills/kernel-lpe-triage/skill.md": "08b3e9815ba481c57c80f5fc0ccbf5bb7cbb41f570c235ba6ff9596b8c07354d",
+    "skills/ai-attack-surface/skill.md": "d1361c53c8360999e1ec6a403bcbfaa53d0afc11689e8781d26081196dd079d4",
+    "skills/mcp-agent-trust/skill.md": "19a6b54375808e59143070011328d8c936836845bca4a484108738bbef290694",
+    "skills/framework-gap-analysis/skill.md": "04e841fc426f92f20c254497b3b92b54d603062a0e6a617f3e9d607d6115c097",
+    "skills/compliance-theater/skill.md": "42babdc846b3e91af6be4698c7b5e876d9dd5cdb214d1aa2b4faceb6773e4ed1",
+    "skills/exploit-scoring/skill.md": "9f50b4d52c470d5616fc1626589843a5b2602d209436ded08cc9cc9885df770c",
+    "skills/rag-pipeline-security/skill.md": "4a64b4bc317141a219bcba40593f1994f791103381fd91c17ce23d06b0f6bc4e",
+    "skills/ai-c2-detection/skill.md": "490511ad517a0c3ad64f6a951c36cffb3109fed2c5da6376b5efc50e799e02a9",
+    "skills/policy-exception-gen/skill.md": "1e758322d74386f5c48d5bf5d7a4b4adfcef29553aca6d7c610845953beb8228",
+    "skills/threat-model-currency/skill.md": "38dc4369132fd199d10cebf3287ed8e35ffb0cf3eefbb98ec17d57027a5df7f1",
+    "skills/global-grc/skill.md": "57ca729034e9d33c527d869c1c4aa82fe37e496878a3cbcd9e5043cb62b7105d",
+    "skills/zeroday-gap-learn/skill.md": "adcb681f90ab3c58a98c7935fd8bad102d7ed16b6db6235661483ec1be6cf410",
+    "skills/pqc-first/skill.md": "07b38278b60d2437603a541c1ee954999abfe3a192f94b43cd384023738a0c1f",
+    "skills/skill-update-loop/skill.md": "eb67e2466230e143784b6e741c6ce7ea3e0c0e4385e5ab21b81b8de04f0168e2",
+    "skills/security-maturity-tiers/skill.md": "c1e699e4d48a7f89c32fbc9f2fe64c721a61603624eb93afae7148348cc4637d",
+    "skills/researcher/skill.md": "959aeba706eea43a69136561968d7942dcd981d0a6c3da7db47673c51943b6df",
+    "skills/attack-surface-pentest/skill.md": "e845c4e08adef038888a025bf920a042c851df41ca53f41aa5fc11ec02a37fbb",
+    "skills/fuzz-testing-strategy/skill.md": "1088d1ef5a0b4b2e50b356e3ff766a3ba6c66ba3435caf394d7c9c493d45b17e",
+    "skills/dlp-gap-analysis/skill.md": "6aa0960d85465006cdffcce3478dc790a14fd1cc95c73e124d5809836c26a4c4",
+    "skills/supply-chain-integrity/skill.md": "aea9c61c09e1ec714e129a6000d7b91ddbc74db52a64aa8bc95d3c698bf4ece6",
+    "skills/defensive-countermeasure-mapping/skill.md": "331a0248dd8ed3b509b759c41a9a4d6d8d6dc67fb732ad31d1a4c2d9a0865054",
+    "skills/identity-assurance/skill.md": "f3c29ce17aaa426b65b58238e5bc9ccabcda23a8d350e597840e5d6d664aa102",
+    "skills/ot-ics-security/skill.md": "33d3d82c87ed8708839f5211bb7b59a924c2e3d9c5d915dc2cc101c53176145e",
+    "skills/coordinated-vuln-disclosure/skill.md": "6c85b8761e557069ae0623400a2218a81356e5426f0a4e3ddebdc2a569735c9b",
+    "skills/threat-modeling-methodology/skill.md": "ba175224737571f9c6148e4cbe47b9ebaa762592cc659b7fb2cf0e9a6b3679c0",
+    "skills/webapp-security/skill.md": "135ca1cd01476b4df9ba7fbba2f194d0cac521480b51d479d60045d9abfc0350",
+    "skills/ai-risk-management/skill.md": "686f53c2aee3a44108d1fa3e5f52fc7d971edc00946cfc1f082e4658af25fddc",
+    "skills/sector-healthcare/skill.md": "9f3164def71c1f6f78b074ffc452bd02d8b71b313f2feb1554289bd5a099b4e9",
+    "skills/sector-financial/skill.md": "4c4c6fb95c6c2fd6cad3fec8ab8e08076fd4ddfa89ad5f00de017e546e01044d",
+    "skills/sector-federal-government/skill.md": "91e3eecdc18d108c669d49db1221ac89041a43c8294c8be65d4397cd149d75d0",
+    "skills/sector-energy/skill.md": "efc7681d62b23aaad277e9018687362717bb1fcfb29d7ada844dfb7196870c78",
     "skills/sector-telecom/skill.md": "59193e39c2fd73fdd7fede38a956bc730bbe4b712d7d6020788bb4d85f001ad8",
-    "skills/api-security/skill.md": "9fc2252cbcf6162591e70d0bf5499a430b0584495ad584ce49fb7daf070d335f",
-    "skills/cloud-security/skill.md": "c9fad9ed3663cf2faec74ad8f06d62eb86e6636f79933560d8c8d50e0e82d1da",
-    "skills/container-runtime-security/skill.md": "605a8e8eb1af09835b967ec7179456015ec116c6b9051af3a8d225866cc2f7af",
-    "skills/mlops-security/skill.md": "72429f05010accbcb191cb1544f1b88493c2f5249362846e5713ec3226b83dc2",
+    "skills/api-security/skill.md": "8a79a28b7b1c3088672bc09017a0d2481e45fb1c0f89768e87642268b62d4808",
+    "skills/cloud-security/skill.md": "84844b369f3195eae06115b392b4ceb41d96c1b3fda254f82c37cd8165858e7f",
+    "skills/container-runtime-security/skill.md": "d608fc7cc9e7c89640101078623490596b1610f7020eecde0d696e5c5084f932",
+    "skills/mlops-security/skill.md": "44fc3a4a6118e764a4bef840358c98d01b87f6e47bac9dd88e2df7633573414a",
     "skills/incident-response-playbook/skill.md": "2017515d899c1b2bcb878bc6731e4059623ac52345b2cebbd92204583657bf60",
     "skills/ransomware-response/skill.md": "2e4fc488f86ed1ba7791ab0e7021160d8ca5ad33a02cdf92a5b916c8afecaa54",
     "skills/email-security-anti-phishing/skill.md": "250f266908f51f99a4cb3aec0d5dacfcf91fac9f3d95e5a117429a40ed2ff45a",
-    "skills/age-gates-child-safety/skill.md": "51295c849bcced965b6448eb6b4bbd5caef5ba0b0cea7ce48abbacf47d331621",
+    "skills/age-gates-child-safety/skill.md": "51ffbbc0743daa26d6c7fe55ff6ec223dccb2087ddca981e06ab7133230e9ec5",
     "skills/cloud-iam-incident/skill.md": "5ec3800a0049b2123aff67bfab4ff28491a86d2daeb712283e5e88b10c3d5d7b",
     "skills/idp-incident-response/skill.md": "e67a2576e7f1c3bf89f499f5c977bc470ef29e8b3e3e45f4cb5bd45a82674282"
   },
@@ -72,13 +72,13 @@
       "dlp_refs": 0
     },
     "trigger_table_entries": 538,
-    "chains_cve_entries": 35,
+    "chains_cve_entries": 34,
     "chains_cwe_entries": 55,
     "jurisdictions_indexed": 29,
     "handoff_dag_nodes": 42,
     "summary_cards": 42,
     "section_offsets_skills": 42,
-    "token_budget_total_approx": 404483,
+    "token_budget_total_approx": 416983,
     "recipes": 8,
     "jurisdiction_clocks": 29,
     "did_ladders": 8,

package/data/_indexes/activity-feed.json

@@ -55,7 +55,7 @@
       "artifact": "data/exploit-availability.json",
       "path": "data/exploit-availability.json",
       "schema_version": "1.1.0",
-      "entry_count": 30
+      "entry_count": 28
     },
     {
       "date": "2026-05-15",
@@ -87,7 +87,7 @@
       "artifact": "data/zeroday-lessons.json",
       "path": "data/zeroday-lessons.json",
       "schema_version": "1.1.0",
-      "entry_count": 39
+      "entry_count": 38
     },
     {
       "date": "2026-05-15",
@@ -102,7 +102,7 @@
       "artifact": "data/cve-catalog.json",
       "path": "data/cve-catalog.json",
       "schema_version": "1.0.0",
-      "entry_count": 40
+      "entry_count": 38
     },
     {
       "date": "2026-05-13",

package/data/_indexes/catalog-summaries.json

@@ -62,7 +62,7 @@
         "rebuild_after_days": 365,
         "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
       },
-      "entry_count": 40,
+      "entry_count": 38,
       "sample_keys": [
         "CVE-2025-53773",
         "CVE-2026-30615",
@@ -150,7 +150,7 @@
         "rebuild_after_days": 365,
         "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
       },
-      "entry_count": 30,
+      "entry_count": 28,
       "sample_keys": [
         "CVE-2025-53773",
         "CVE-2026-30615",
@@ -238,7 +238,7 @@
         "rebuild_after_days": 365,
         "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
       },
-      "entry_count": 39,
+      "entry_count": 38,
       "sample_keys": [
         "CVE-2026-31431",
         "CVE-2025-53773",

package/data/_indexes/chains.json

@@ -4359,38 +4359,6 @@
       "rfc_refs": []
     }
   },
-  "MAL-2026-ANTHROPIC-MCP-STDIO": {
-    "name": "Anthropic SDK MCP STDIO command-injection (embargoed)",
-    "rwep": 25,
-    "cvss": 9,
-    "cisa_kev": false,
-    "epss_score": null,
-    "referencing_skills": [],
-    "chain": {
-      "cwes": [],
-      "atlas": [],
-      "d3fend": [],
-      "framework_gaps": [],
-      "attack_refs": [],
-      "rfc_refs": []
-    }
-  },
-  "CVE-2026-GTIG-AI-2FA": {
-    "name": "GTIG-tracked AI-built 2FA-bypass zero-day (placeholder)",
-    "rwep": 55,
-    "cvss": 8.1,
-    "cisa_kev": false,
-    "epss_score": null,
-    "referencing_skills": [],
-    "chain": {
-      "cwes": [],
-      "atlas": [],
-      "d3fend": [],
-      "framework_gaps": [],
-      "attack_refs": [],
-      "rfc_refs": []
-    }
-  },
   "CVE-2026-30623": {
     "name": "Anthropic MCP SDK stdio command-injection",
     "rwep": 30,