@blamejs/exceptd-skills 0.13.3 → 0.13.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/AGENTS.md +41 -4
- package/CHANGELOG.md +34 -0
- package/README.md +79 -13
- package/data/_indexes/_meta.json +44 -44
- package/data/_indexes/activity-feed.json +3 -3
- package/data/_indexes/catalog-summaries.json +3 -3
- package/data/_indexes/chains.json +0 -32
- package/data/_indexes/handoff-dag.json +127 -57
- package/data/_indexes/section-offsets.json +465 -411
- package/data/_indexes/summary-cards.json +34 -34
- package/data/_indexes/token-budget.json +298 -268
- package/data/cve-catalog.json +4 -146
- package/data/exploit-availability.json +0 -27
- package/data/framework-control-gaps.json +2 -2
- package/data/zeroday-lessons.json +0 -89
- package/lib/schemas/playbook.schema.json +5 -0
- package/manifest.json +80 -80
- package/package.json +1 -1
- package/sbom.cdx.json +53 -53
- package/skills/age-gates-child-safety/skill.md +2 -0
- package/skills/ai-attack-surface/skill.md +2 -0
- package/skills/ai-c2-detection/skill.md +2 -0
- package/skills/ai-risk-management/skill.md +2 -0
- package/skills/api-security/skill.md +2 -0
- package/skills/attack-surface-pentest/skill.md +2 -0
- package/skills/cloud-security/skill.md +2 -0
- package/skills/compliance-theater/skill.md +28 -2
- package/skills/container-runtime-security/skill.md +2 -0
- package/skills/coordinated-vuln-disclosure/skill.md +1 -1
- package/skills/defensive-countermeasure-mapping/skill.md +2 -0
- package/skills/dlp-gap-analysis/skill.md +2 -0
- package/skills/exploit-scoring/skill.md +30 -1
- package/skills/framework-gap-analysis/skill.md +28 -1
- package/skills/fuzz-testing-strategy/skill.md +4 -2
- package/skills/global-grc/skill.md +2 -0
- package/skills/identity-assurance/skill.md +2 -0
- package/skills/kernel-lpe-triage/skill.md +2 -0
- package/skills/mcp-agent-trust/skill.md +4 -0
- package/skills/mlops-security/skill.md +2 -0
- package/skills/ot-ics-security/skill.md +2 -0
- package/skills/policy-exception-gen/skill.md +28 -1
- package/skills/pqc-first/skill.md +2 -0
- package/skills/rag-pipeline-security/skill.md +2 -0
- package/skills/researcher/skill.md +2 -0
- package/skills/sector-energy/skill.md +2 -0
- package/skills/sector-federal-government/skill.md +2 -0
- package/skills/sector-financial/skill.md +2 -0
- package/skills/sector-healthcare/skill.md +2 -0
- package/skills/security-maturity-tiers/skill.md +2 -0
- package/skills/skill-update-loop/skill.md +2 -0
- package/skills/supply-chain-integrity/skill.md +2 -0
- package/skills/threat-model-currency/skill.md +37 -1
- package/skills/threat-modeling-methodology/skill.md +2 -0
- package/skills/webapp-security/skill.md +2 -0
- package/skills/zeroday-gap-learn/skill.md +33 -1
|
@@ -21,7 +21,7 @@ attack_refs: []
|
|
|
21
21
|
framework_gaps:
|
|
22
22
|
- CWE-Top-25-2024-meta
|
|
23
23
|
- CIS-Controls-v8-Control7
|
|
24
|
-
last_threat_review: "2026-05-
|
|
24
|
+
last_threat_review: "2026-05-18"
|
|
25
25
|
---
|
|
26
26
|
|
|
27
27
|
# Real-World Exploit Priority (RWEP) Scoring
|
|
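Review bot: the removed `last_threat_review: "2026-05-` line is an unterminated double-quoted scalar, so a YAML parser either errors on the frontmatter block or swallows the following lines into the string; this one-line fix is therefore load-bearing for anything that reads the skill's frontmatter, not a cosmetic date correction. The same truncation is fixed in two further frontmatter hunks in this diff, which points at the tool that writes the review date rather than at a hand edit. Since `lib/schemas/playbook.schema.json` ships in the package, consider validating every skill's frontmatter against a schema in CI (a date-format constraint on `last_threat_review` would have rejected all three) so a truncated value fails the build instead of reaching the registry.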
@@ -314,6 +314,8 @@ Translate RWEP-based timeline to framework compliance language:
|
|
|
314
314
|
|
|
315
315
|
## Output Format
|
|
316
316
|
|
|
317
|
+
The skill produces a per-CVE Exploit Priority Assessment showing the RWEP score, the factor breakdown (CVSS, KEV, PoC, AI-acceleration, blast radius, live-patch availability), the required-action timeline, and any framework-SLA conflict. The shape below is consumed downstream by `kernel-lpe-triage` (for kernel-class CVEs), by `compliance-theater` (which compares the RWEP-required timeline against the org's CVSS-banded SLA), and by `incident-response-playbook` (which scopes IR per the required-action band). Preserve the RWEP factor rows verbatim — they are the auditable derivation.
|
|
318
|
+
|
|
317
319
|
```
|
|
318
320
|
## Exploit Priority Assessment
|
|
319
321
|
|
|
@@ -359,3 +361,30 @@ Run this check against any organization claiming vulnerability-management compli
|
|
|
359
361
|
> "Open your last quarterly vuln-management metrics report. Does it report `mean time to remediate by CVSS band`? If that is the headline metric, the program optimizes for CVSS-band SLAs, not for actual exploit-priority response. The KPI itself is theater. The honest metric is: for CVEs that crossed RWEP ≥ 75 during the quarter, what was the mean time from RWEP-75 threshold crossing to deployed mitigation? If the org doesn't track RWEP at all, the program has no instrumentation to detect when CVSS-banded SLAs fail — which they do for every CISA KEV + AI-discovered class in `data/cve-catalog.json`."
|
|
360
362
|
|
|
361
363
|
> "Ask: when CVE-2026-31431 was published, what was the actual time from publication to deployed mitigation across the estate? Compare it to the policy's 30-day High SLA. The org likely met SLA. RWEP 90 required action in 4 hours. CISA KEV listed the CVE on 2026-05-01 with federal due date 2026-05-15. Today (~13 days after listing) any unpatched estate is past the federal due date and demonstrably exposed to a 732-byte deterministic public PoC on CISA KEV. The gap between 'met internal SLA' and 'past federal due date with active exploitation in scope' is the size of the theater."
|
|
364
|
+
|
|
365
|
+
---
|
|
366
|
+
|
|
367
|
+
## Defensive Countermeasure Mapping
|
|
368
|
+
|
|
369
|
+
RWEP scores priority; this section maps the priority bands to the D3FEND defensive techniques an operator deploys before, during, and after a patch lands. The mapping is per RWEP band rather than per CVE — the same techniques compose differently depending on whether the score is driven by KEV listing, public PoC, AI-acceleration, or live-patch availability. Operators consuming an RWEP score should pair it with the row below to convert "act in 4 hours" into "deploy these specific D3FEND techniques in the following order."
|
|
370
|
+
|
|
371
|
+
| RWEP band | Threat shape | D3FEND ID | Defensive technique | Defense-in-depth layer |
|
|
372
|
+
|---|---|---|---|---|
|
|
373
|
+
| 90+ (KEV + public PoC + AI-discovered, e.g. Copy Fail) | T1068 deterministic LPE | `D3-KBPI` | Kernel-Based Process Isolation | Kernel — compensating control deployed within the 4-hour live-patch window |
|
|
374
|
+
| 90+ | T1068 | `D3-SCA` | System Call Analysis | Endpoint — detection for the LPE primitive ahead of live-patch propagation |
|
|
375
|
+
| 75–89 (KEV + PoC, not AI-accelerated) | T1190 / T1068 reachable | `D3-NI` | Network Isolation | Network — segmentation that closes the reachability precondition |
|
|
376
|
+
| 75–89 | T1190 / T1068 | `D3-PA` | Process Analysis | Endpoint — behavioral detection of the exploit primitive in the unpatched window |
|
|
377
|
+
| 50–74 (PoC public, KEV pending) | Exploit-likely class | `D3-EFA` | Executable File Analysis | Endpoint — pre-execution scanning for known PoC binaries and artifacts |
|
|
378
|
+
| 50–74 | Exploit-likely class | `D3-FCR` | File Content Rules | Endpoint — content-based detection of exploit payloads in transit |
|
|
379
|
+
| 25–49 (vendor patch available, no PoC) | Patchable, not yet weaponized | `D3-EAL` | Executable Allowlisting | Managed endpoint — reduce exposure surface during the routine-patch window |
|
|
380
|
+
| 25–49 | Patchable | `D3-EI` | Execution Isolation | Endpoint / container — sandbox the vulnerable component until patch deploys |
|
|
381
|
+
| AI-accelerated multiplier (any band with AML.T0016 capability development) | PROMPTFLUX-class evasion | `D3-NTA` | Network Traffic Analysis | Network egress — detect AI-API queries from unexpected processes |
|
|
382
|
+
| AI-accelerated multiplier | AML.T0051 prompt-injection-driven exploitation chain | `D3-IOPR` + `D3-CSPP` | Input/Output Profiling + Client-server Payload Profiling | SDK / gateway — content-aware inspection of prompt+completion at the model boundary |
|
|
383
|
+
|
|
384
|
+
**Defense-in-depth posture:** the RWEP band sets the timeline; D3FEND sets the technique set. A 4-hour timeline (RWEP 90+) without a deployed `D3-KBPI` or `D3-SCA` capability is a compliance gap, not an operational one — the timeline cannot be met. Operators reporting "RWEP 90 patched within 4 hours" must also report which D3FEND technique provided coverage during the pre-patch window; an unpatched 4-hour exposure window with no compensating defensive technique is the same outcome as a 30-day SLA breach.
|
|
385
|
+
|
|
386
|
+
**Least-privilege scope:** D3FEND technique deployment is scoped to the asset class within the CVE's blast radius. `D3-KBPI` is per-host (production kernel ≠ developer kernel ≠ CI runner). `D3-NI` is per-segment. `D3-EAL` is per-host-class. Allowlists and isolation rules are derived from the CVE's affected component, not applied estate-wide.
|
|
387
|
+
|
|
388
|
+
**Zero-trust posture:** an RWEP score is not a remediation; it is a triage signal. The remediation closes only when the cited D3FEND technique is verified in production for the affected asset class. RWEP 90 with no deployed `D3-KBPI` instrumentation is an unmitigated finding regardless of patch SLA. Auditors converting RWEP findings into corrective actions must verify both the patch deployment and the compensating-technique deployment.
|
|
389
|
+
|
|
390
|
+
**AI-pipeline applicability (per AGENTS.md Hard Rule #9):** for AI-pipeline CVEs (model-serving runtime, MCP server, inference gateway), `D3-KBPI` and `D3-EAL` do not apply to serverless inference endpoints. The scoped alternative is `D3-CSPP` at the gateway plus signed-image attestation at the provider. RWEP bands are unchanged; the technique selection shifts to the gateway tier. `D3-FAPA` over training-data corpora is the additional technique for any AML.T0020 (Poison Training Data) finding above RWEP 50.
|
|
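Review bot: the sentence in the Defense-in-depth paragraph, "A 4-hour timeline (RWEP 90+) without a deployed `D3-KBPI` or `D3-SCA` capability is a compliance gap, not an operational one", reads as inverted: a missing compensating capability is exactly an operational gap, and the clause that follows ("the timeline cannot be met") says so. Suggest "is an operational gap, not merely a compliance one". Two smaller points in the same hunk: the paragraph requires operators to report which D3FEND technique covered the pre-patch window, but the Output Format hunk above only adds a lead-in paragraph and no field for that technique in the Exploit Priority Assessment block, so the requirement has nowhere to land; and AI-acceleration is used both as a band criterion (the 90+ row reads "KEV + public PoC + AI-discovered", the 75–89 row "not AI-accelerated") and as a separate "AI-accelerated multiplier (any band ...)" row, which leaves unclear whether an AI-discovered CVE with KEV and PoC is 90+ by definition or is a 75–89 base with a multiplier applied.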
@@ -20,7 +20,7 @@ data_deps:
|
|
|
20
20
|
atlas_refs: []
|
|
21
21
|
attack_refs: []
|
|
22
22
|
framework_gaps: []
|
|
23
|
-
last_threat_review: "2026-05-
|
|
23
|
+
last_threat_review: "2026-05-18"
|
|
24
24
|
---
|
|
25
25
|
|
|
26
26
|
# Framework Gap Analysis
|
|
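Review bot: `atlas_refs: []` and `attack_refs: []` stay empty in this frontmatter while the Defensive Countermeasure Mapping added in the next hunk (the file list's framework-gap-analysis/skill.md +28 -1 matches these two hunks together) cites T1068, T1190, AML.T0051, AML.T0010, AML.T0016, AML.T0096 and AML.T0020. If the regenerated `data/_indexes/*.json` files (handoff-dag, catalog-summaries) are derived from these fields, the new mapping is invisible to them; populate the refs from the table. The same applies to the `attack_refs: []` visible in the header of the first hunk of this diff.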
@@ -376,3 +376,30 @@ Specific high-confidence theater signals (each triggers a mandatory Framework La
|
|
|
376
376
|
| Org removed the esp4 / esp6 / rxrpc module-blacklist mitigation once Dirty Frag was patched | CVE-2026-46300 (Fragnesia) is in the same primitive class, was introduced by the Dirty Frag patch, and is mitigated by the same blacklist |
|
|
377
377
|
|
|
378
378
|
When this check fires, hand off to the compliance-theater skill for the theater-pattern detection test and to policy-exception-gen if the org needs to grant a defensible exception with concrete compensating controls.
|
|
379
|
+
|
|
380
|
+
---
|
|
381
|
+
|
|
382
|
+
## Defensive Countermeasure Mapping
|
|
383
|
+
|
|
384
|
+
Every Framework Lag Declaration this skill produces names the missing control. The mapping below converts that absence into a concrete defensive-technique recommendation drawn from `data/d3fend-catalog.json`, paired with the offensive TTP class (ATLAS or ATT&CK) the gap exposes. Operators feeding this output into a remediation plan should chain: offensive TTP → failed framework control → D3FEND defensive technique → enforcement layer.
|
|
385
|
+
|
|
386
|
+
| Offensive TTP | Framework gap exemplar | D3FEND ID | Defensive technique | Defense-in-depth layer |
|
|
387
|
+
|---|---|---|---|---|
|
|
388
|
+
| T1068 (Exploitation for Privilege Escalation) — Copy Fail / Fragnesia | SI-2 / A.8.8 / PCI 6.3.3 30-day patch SLA | `D3-KBPI` | Kernel-Based Process Isolation | Kernel — compensating control while live-patch propagates; reduces blast radius when LPE primitive is reachable |
|
|
389
|
+
| T1068 | SI-2 / A.8.8 patch SLA | `D3-SCA` | System Call Analysis | Endpoint — detects the deterministic LPE primitive at syscall layer before patch lands |
|
|
390
|
+
| AML.T0051 (LLM Prompt Injection) — CVE-2025-53773 class | AC-2 / CC6 account-management as access control for AI agents | `D3-IOPR` | Input/Output Profiling Resource | SDK / application — content-aware inspection of prompt+completion at the model boundary |
|
|
391
|
+
| AML.T0051 | AC-2 / CC6 | `D3-CSPP` | Client-server Payload Profiling | LLM gateway — gateway-layer inspection when SDK-side `D3-IOPR` is not deployable |
|
|
392
|
+
| AML.T0010 (ML Supply Chain Compromise) — CVE-2026-30615 MCP class | A.5.19 / SA-12 vendor management as MCP trust boundary | `D3-EAL` | Executable Allowlisting | Managed endpoint — only sanctioned MCP servers and IDE assistants execute on developer workstations |
|
|
393
|
+
| AML.T0010 | A.5.19 / SA-12 | `D3-EFA` | Executable File Analysis | Endpoint — pre-execution analysis of MCP server binaries and AI-assistant plugins |
|
|
394
|
+
| AML.T0016 (Develop Capabilities — AI-generated payloads) — PROMPTFLUX class | SI-3 signature-based malware protection | `D3-PA` | Process Analysis | Endpoint — behavioral detection of in-process LLM-query patterns that signature engines cannot see |
|
|
395
|
+
| AML.T0096 (LLM Integration Abuse — C2) — SesameOp class | SI-4 / CC7 anomaly detection without AI-API baseline | `D3-NTA` | Network Traffic Analysis | Network egress — per-identity baseline of model-API destinations |
|
|
396
|
+
| T1190 (Exploit Public-Facing Application) — Dirty Frag IPsec | SC-8 / SC-28 cryptographic-control compensating-control claim | `D3-NI` | Network Isolation | Network — segmentation that does not depend on the compromised IPsec subsystem |
|
|
397
|
+
| AML.T0020 (Poison Training Data) | NIS2 Art. 21 AI-pipeline integrity | `D3-FAPA` | File Access Pattern Analysis | Data tier — RAG-corpus and training-data access-pattern baselining |
|
|
398
|
+
|
|
399
|
+
**Defense-in-depth posture:** every Framework Lag Declaration produced by this skill must propose at least one D3FEND technique per cited offensive TTP. A declaration that names the gap without recommending a defensive technique is incomplete — operators receive a finding with no remediation path. Where the framework gap is multi-jurisdictional (per Section 6 of the Output Format), the same D3FEND technique satisfies the equivalent obligation in each cross-walked framework — the defensive control is technique-level, not framework-level.
|
|
400
|
+
|
|
401
|
+
**Least-privilege scope:** D3FEND recommendations are scoped to the principal class (human developer, agent identity, MCP server, model-serving process). `D3-EAL` and `D3-EFA` are per-host-class allowlists (developer ≠ production ≠ CI). `D3-IOPR` and `D3-CSPP` log the principal identity on every prompt/completion. `D3-FAPA` baselines are per-corpus-per-principal.
|
|
402
|
+
|
|
403
|
+
**Zero-trust posture:** no control is claimed as compensating without verification that the defensive technique is deployed, monitored, and tested against the cited offensive TTP. "We have SC-8 IPsec" is not a compensating control for Dirty Frag — `D3-NI` over a non-IPsec data path is. The Framework Lag Declaration's "What a real control requires" field must name the D3FEND technique by ID.
|
|
404
|
+
|
|
405
|
+
**AI-pipeline applicability (per AGENTS.md Hard Rule #9):** `D3-EAL` does not apply to serverless inference endpoints; the scoped alternative is `D3-CSPP` at the gateway plus signed-image attestation at the provider. `D3-FAPA` on ephemeral RAG indices degrades to per-query retrieval logging via `D3-IOPR` plus index-build provenance signed at construction. These degradations must be named explicitly in the declaration when the gap concerns an AI pipeline.
|
|
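Review bot: the T1190 row maps "Dirty Frag IPsec" to Exploit Public-Facing Application, but the unchanged context line at the top of this hunk treats Dirty Frag and Fragnesia as the same primitive class with the same module-blacklist mitigation, the first row of this very table files Fragnesia under T1068 (Exploitation for Privilege Escalation), and the kernel-lpe-triage hunk further down scopes Dirty Frag as a kernel LPE. Either state why Dirty Frag is remotely reachable as a public-facing exploit, or move the row to T1068 and keep `D3-NI` as the reachability control. Two consistency items: `D3-IOPR` is expanded as "Input/Output Profiling Resource" here but "Input/Output Profiling" in the exploit-scoring and policy-exception-gen tables, so pick one expansion; and the lead-in cites `data/d3fend-catalog.json`, which does not appear in this diff's file list, so confirm the catalog already ships in the package or the reference is dangling.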
@@ -217,6 +217,8 @@ Internally discovered fuzz findings that map to a CWE class already in `data/cve
|
|
|
217
217
|
|
|
218
218
|
## Output Format
|
|
219
219
|
|
|
220
|
+
The skill produces a Fuzz Posture Assessment covering fuzz-eligible interface inventory, harness coverage, crash inventory, and quarter-over-quarter CWE-class trend. The shape below is consumed downstream by `zeroday-gap-learn` (which appends internally found crashes as lesson entries), by `compliance-theater` (which compares the harness-coverage gap against SAMM / BSIMM / SDL compliance claims), and by the SBOM evidence chain (which inherits the per-component fuzz-instrumentation status). Preserve the per-interface CI-gated field verbatim — it distinguishes deployed fuzzing from one-shot security-team exercises.
|
|
221
|
+
|
|
220
222
|
```
|
|
221
223
|
## Fuzz Posture Assessment
|
|
222
224
|
|
|
@@ -262,8 +264,8 @@ Internally discovered fuzz findings that map to a CWE class already in `data/cve
|
|
|
262
264
|
### Framework Gap Declaration
|
|
263
265
|
[Per-framework statement: which controls the org claims cover this domain, and where the absence of normative fuzz requirements creates a gap. Mandatory rows: NIST 800-218, NIST 800-115, NIST 800-53 SA-11, OWASP ASVS V14, PCI DSS 4.0 6.2, ISO 27001:2022 A.8.29, EU NIS2 Art. 21, EU CRA Annex I, UK CAF B4, ASD Essential 8 / ISM 1235, EU AI Act Art. 15 (if LLM in scope).]
|
|
264
266
|
|
|
265
|
-
###
|
|
266
|
-
[See Compliance Theater Check section — answer the four questions, record the gap]
|
|
267
|
+
### Theater Check Result
|
|
268
|
+
[See the Compliance Theater Check section — answer the four questions, record the gap]
|
|
267
269
|
|
|
268
270
|
### Defensive Countermeasure Mapping
|
|
269
271
|
| Fuzz Finding Class | D3FEND Countermeasure | Implementation |
|
|
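Review bot: good catch on the empty `###` heading; "### Theater Check Result" matches how the surrounding Output Format names its sections. The blank heading is the same shape of defect as the truncated `last_threat_review` values fixed elsewhere in this diff (a generated value cut off mid-write), so a markdown lint that rejects empty headings would catch the next one before release rather than after.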
@@ -538,6 +538,8 @@ Produce a matrix of: threat class × jurisdiction framework × requirement adequ
|
|
|
538
538
|
|
|
539
539
|
## Output Format
|
|
540
540
|
|
|
541
|
+
The skill produces a structured Global GRC Assessment that rolls compliance findings across the org's jurisdictional footprint — EU (NIS2, DORA, EU AI Act, CRA), UK (CAF, Cyber Essentials), AU (ISM, Essential 8, APRA CPS 234), ISO 27001:2022 / 42001:2023, NIST, and the expanded set tracked in `data/global-frameworks.json`. The shape below is consumed downstream by `framework-gap-analysis` (which produces per-jurisdiction Framework Lag Declarations), by `policy-exception-gen` (for cross-jurisdictional exception language), and by CSAF-style auditor evidence bundles. Preserve the per-jurisdiction control-mapping rows verbatim — they are the load-bearing cross-walk per Hard Rule #5.
|
|
542
|
+
|
|
541
543
|
```
|
|
542
544
|
## Global GRC Assessment
|
|
543
545
|
|
|
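Review bot: the lead-in cites "Hard Rule #5" and other hunks in this diff cite "Hard Rule #9", both by number, while `package/AGENTS.md` changes in this same release (+41 -4); if rules were inserted or reordered there, every numbered reference silently drifts. Reference the rule by its name or a stable anchor in AGENTS.md rather than by position. Also, "CSAF-style auditor evidence bundles" is loose: CSAF is a vendor security-advisory format, not an audit-evidence format, so either name the bundle shape auditors actually consume or drop the qualifier.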
@@ -191,6 +191,8 @@ NIST 800-207 ZTA posture, extended for agents:
|
|
|
191
191
|
|
|
192
192
|
## Output Format
|
|
193
193
|
|
|
194
|
+
The skill produces an Identity Assurance Assessment covering per-IdP AAL/IAL/FAL posture, passkey / WebAuthn / FIDO2 deployment coverage, agent-identity scoping (workload, service-account, AI-agent principal), and the prioritized roadmap to close phishing-resistance gaps. The shape below is consumed downstream by `idp-incident-response` (which scopes IR on confirmed identity compromise), by `email-security-anti-phishing` (which inherits the phishing-resistant-MFA coverage), and by `compliance-theater` (which compares the deployed authenticator class against any AAL2 / AAL3 compliance claim). Preserve the per-IdP AAL / IAL / FAL rows verbatim — they are the auditable derivation of the phishing-resistance score.
|
|
195
|
+
|
|
194
196
|
```
|
|
195
197
|
## Identity Assurance Assessment
|
|
196
198
|
|
|
@@ -302,6 +302,8 @@ Flag: "Dirty Frag (CVE-2026-43284) exploits the IPsec implementation. Network co
|
|
|
302
302
|
|
|
303
303
|
## Output Format
|
|
304
304
|
|
|
305
|
+
The triage produces a structured Kernel LPE Exposure Assessment per host or fleet snapshot. The shape below is consumed downstream by `exploit-scoring` (which converts the per-CVE exposure into RWEP bands), by `incident-response-playbook` (which uses the affected-host count to scope IR), and by `compliance-theater` (which compares the deployed-mitigation field against the org's claimed SI-2 / A.8.8 patch SLA). Operators surfacing the output to auditors should preserve the CISA KEV due-date field verbatim — federal due dates are the authoritative regulatory clock, not internal SLAs.
|
|
306
|
+
|
|
305
307
|
Produce this structure:
|
|
306
308
|
|
|
307
309
|
```
|
|
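Review bot: this lead-in says the assessment "is consumed downstream by `exploit-scoring` (which converts the per-CVE exposure into RWEP bands)", while the exploit-scoring Output Format hunk earlier in this diff says its assessment is consumed downstream by `kernel-lpe-triage`. One of the two is upstream of the other; if the relationship is genuinely two-way (exposure feeds the score, the score feeds triage priority), say so explicitly in both, otherwise `data/_indexes/handoff-dag.json` cannot encode it as a DAG. Separately, "federal due dates are the authoritative regulatory clock, not internal SLAs" holds for agencies bound by BOD 22-01; for everyone else the KEV due date is strong guidance rather than a regulatory obligation, and the triage should record which case the host falls under before it overrides the org's SLA.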
@@ -190,6 +190,8 @@ Sourced from `data/cve-catalog.json` and `data/exploit-availability.json` as of
|
|
|
190
190
|
|
|
191
191
|
## Analysis Procedure
|
|
192
192
|
|
|
193
|
+
The procedure runs five sequential steps: inventory installed MCP servers per workstation, verify each server's package provenance against npm signatures and CISA KEV listings, assess trust configuration (auth, allowlist, scope), score the trust posture against the published CVE class, and generate remediation actions for any server scoring above the operator's risk threshold. Each step's output feeds the next; the inventory drives the provenance check, the provenance result drives the trust score, and the trust score drives the remediation list.
|
|
194
|
+
|
|
193
195
|
### Step 1: Inventory installed MCP servers
|
|
194
196
|
|
|
195
197
|
For each developer workstation or shared AI system:
|
|
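Review bot: step 2 of the new procedure summary, "verify each server's package provenance against npm signatures and CISA KEV listings", mixes two different checks. A KEV lookup says whether a CVE in the package is known-exploited; it says nothing about provenance. Registry signature and provenance-attestation verification (`npm audit signatures` for npm-published servers) is the provenance check, and the KEV/CVE lookup belongs in step 4 where the trust score is computed against the published CVE class. It is also worth stating how provenance is checked for MCP servers that are not npm packages (Python servers launched via uvx, container images), since the Output Format hunk below expects a per-server hash and provenance field for every server.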
@@ -302,6 +304,8 @@ For each MCP client configuration, check:
|
|
|
302
304
|
|
|
303
305
|
## Output Format
|
|
304
306
|
|
|
307
|
+
The skill produces a structured MCP Trust Assessment per workstation or fleet. The shape below is consumed downstream by `supply-chain-integrity` (which picks up the per-server hash and provenance fields), by `ai-attack-surface` (which integrates the MCP Trust posture into the broader AI surface report), and by `compliance-theater` (which compares the unallowlisted-server count against any vendor-management compliance claim). Operators feeding the output into MDM or endpoint-management policy should preserve the approved-server registry shape verbatim.
|
|
308
|
+
|
|
305
309
|
```
|
|
306
310
|
## MCP Trust Assessment
|
|
307
311
|
|
|
@@ -227,6 +227,8 @@ Every artifact is untrusted until cryptographically verified.
|
|
|
227
227
|
|
|
228
228
|
## Output Format
|
|
229
229
|
|
|
230
|
+
The skill produces an MLOps Pipeline Security Assessment covering training-pipeline integrity, model-registry trust posture, deployment-time signing / attestation, drift-detection coverage, and post-deployment behavioral-regression test cadence across MLflow / Kubeflow / Vertex AI / SageMaker / Azure ML / Hugging Face / DIY stacks. The shape below is consumed downstream by `supply-chain-integrity` (for model-artifact provenance), by `ai-attack-surface` (for the model-serving inventory), and by `compliance-theater` (which compares the deployed model-governance against ISO 42001 / NIST AI RMF claims). Preserve the per-model deployment-attestation rows verbatim — they are the auditable evidence chain for model-substitution detection.
|
|
231
|
+
|
|
230
232
|
```
|
|
231
233
|
## MLOps Pipeline Security Assessment
|
|
232
234
|
|
|
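Review bot: "Preserve the per-model deployment-attestation rows verbatim" and calling them "the auditable evidence chain for model-substitution detection" overstates what a row can prove. An attestation row detects substitution only if it records the artifact digest that was signed, the signer identity, and where in the pipeline the signature was verified (registry pull, serving-container start, or both); a row that says "attested: yes" with none of those is a claim, not evidence. Suggest naming those three fields as mandatory in the lead-in, matching how the other Output Format hunks in this diff call out their load-bearing fields.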
@@ -219,6 +219,8 @@ For each jurisdiction the operator is exposed to (EU, UK, AU, JP, IL, ID, TW, US
|
|
|
219
219
|
|
|
220
220
|
## Output Format
|
|
221
221
|
|
|
222
|
+
The skill produces an OT / ICS Security Posture Assessment covering Purdue-model zone inventory, IEC 62443 zone-and-conduit posture, NERC CIP / TSA-pipeline coverage, AI-augmented threat exposure (NIST IR 8504 ICS-AI), and the prioritized roadmap for safety-system isolation. The shape below is consumed downstream by `sector-energy` (which inherits the NERC CIP rows), by `incident-response-playbook` (which scopes IR with the Purdue-zone affected-asset list), and by `compliance-theater` (which compares the deployed segmentation against IEC 62443 / NERC CIP claims). Preserve the per-zone safety-system field verbatim — it is the auditable safety-isolation evidence.
|
|
223
|
+
|
|
222
224
|
Produce this structure verbatim:
|
|
223
225
|
|
|
224
226
|
```
|
|
@@ -23,7 +23,7 @@ forward_watch:
|
|
|
23
23
|
- EU CRA exceptions for AI pipeline components
|
|
24
24
|
- NIST SP 800-204 series updates for microservices
|
|
25
25
|
- FedRAMP updates for container/serverless authorization
|
|
26
|
-
last_threat_review: "2026-05-
|
|
26
|
+
last_threat_review: "2026-05-18"
|
|
27
27
|
---
|
|
28
28
|
|
|
29
29
|
# Policy Exception Generation
|
|
@@ -449,3 +449,30 @@ Specific high-confidence theater signals for this skill's four exception categor
|
|
|
449
449
|
| Critical Systems No-Reboot Kernel Patching | "Can't reboot, will catch up later" with no live patch, no eBPF rules, no maintenance window | `kpatch list` / `canonical-livepatch status` output, named eBPF / auditd rules for the exploitation pattern, scheduled maintenance date, escalation contact if missed |
|
|
450
450
|
|
|
451
451
|
When this check fires on any exception, hand off to the compliance-theater skill to record the systemic finding (this is Pattern 3 / 4 / 5 / 6 territory depending on category) and to framework-gap-analysis to determine whether the framework lag warrants escalation to the global-grc skill for cross-jurisdictional review.
|
|
452
|
+
|
|
453
|
+
---
|
|
454
|
+
|
|
455
|
+
## Defensive Countermeasure Mapping
|
|
456
|
+
|
|
457
|
+
Every defensible exception names the residual TTPs in scope and the compensating-control bundle that disrupts them. The mapping below converts the compensating-control language ("eBPF monitoring", "workload identity", "image-scanning") into the D3FEND technique IDs that audit reviewers can verify against `data/d3fend-catalog.json`. An exception template that cites vague compensating controls without a D3FEND ID fails the Compliance Theater Check above.
|
|
458
|
+
|
|
459
|
+
| Exception category | Residual offensive TTP | D3FEND ID | Defensive technique (compensating control) | Defense-in-depth layer |
|
|
460
|
+
|---|---|---|---|---|
|
|
461
|
+
| Ephemeral Infrastructure (CM-8 / A.5.9) | T1610 (Deploy Container), T1525 (Implant Internal Image) | `D3-EFA` | Executable File Analysis (image-registry scanning, SBOM per image) | Build / registry — pre-deployment image integrity verification |
|
|
462
|
+
| Ephemeral Infrastructure | T1525 | `D3-EAL` | Executable Allowlisting (signed-image-only deploy gate) | Cluster admission — only signed images reach the runtime |
|
|
463
|
+
| AI Pipeline Change Management (CM-3 / A.8.32) | AML.T0018 (Backdoor ML Model), AML.T0020 (Poison Training Data) | `D3-FAPA` | File Access Pattern Analysis (training-data and model-artifact access baselining) | Data tier — detect anomalous access to corpora and weights |
|
|
464
|
+
| AI Pipeline Change Management | AML.T0018 | `D3-IOPR` | Input/Output Profiling (behavioral regression suite, model-fingerprinting prompt set) | SDK / application — detect model substitution and drift |
|
|
465
|
+
| Zero Trust Architecture Segmentation (SC-7 / A.8.22) | T1021 (Remote Services), T1570 (Lateral Tool Transfer) | `D3-NTPM` | Network Traffic Policy Mapping (SPIFFE / mTLS workload identity enforcement) | Network — per-workload-identity policy on east-west flows |
|
|
466
|
+
| Zero Trust Architecture Segmentation | T1021 / T1570 | `D3-NTA` | Network Traffic Analysis (east-west behavioral analytics) | Network — detect lateral movement that policy alone cannot prevent |
|
|
467
|
+
| Zero Trust Architecture Segmentation | T1078 (Valid Accounts) | `D3-CBAN` | Certificate-based Authentication (mTLS workload certificates) | Identity — workload identities are certificate-bound, not perimeter-bound |
|
|
468
|
+
| No-Reboot Kernel Patching (SI-2 / A.8.8) | T1068 (Exploitation for Privilege Escalation) | `D3-SCA` | System Call Analysis (eBPF / auditd rules for the exploitation primitive) | Kernel — detect the LPE primitive while live-patch is in flight |
|
|
469
|
+
| No-Reboot Kernel Patching | T1068 | `D3-KBPI` | Kernel-Based Process Isolation | Kernel — reduce blast radius until the live patch deploys |
|
|
470
|
+
| No-Reboot Kernel Patching | T1068 (post-exploit persistence) | `D3-PA` | Process Analysis (anomalous-uid / capability-set detection) | Endpoint — catch successful LPE before it persists |
|
|
471
|
+
|
|
472
|
+
**Defense-in-depth posture:** an exception that names a single D3FEND technique is insufficient — the residual TTP set is multi-stage, and the compensating-control bundle must cover the chain. The Output Format's "Compensating Controls" field must enumerate at least two D3FEND techniques per residual TTP, drawn from different defense-in-depth layers (network + endpoint, build + admission, SDK + gateway). An exception with only one layer cited is theater for the multi-stage attack chain.
|
|
473
|
+
|
|
474
|
+
**Least-privilege scope:** D3FEND technique deployment is scoped to the exception's affected asset class. `D3-EAL` admission rules are per-cluster (production ≠ staging ≠ developer). `D3-NTPM` workload-identity policies are per-namespace. `D3-FAPA` training-data baselines are per-corpus-per-principal. The exception document must record the scope alongside the technique ID — "we deploy `D3-EAL` cluster-wide" is too coarse; "we deploy `D3-EAL` on `prod-*` clusters with signed-image-only admission" is auditable.
|
|
475
|
+
|
|
476
|
+
**Zero-trust posture:** the exception is defensible only when the cited D3FEND techniques are deployed, monitored, and tested against the residual TTPs at exception-grant time and re-verified at the documented review cadence. An exception with deployed techniques but no test evidence (chaos-engineering exercise, red-team result, detection-rule firing on a controlled trigger) is unverified. The "Review Cadence" field in the Output Format must specify the re-verification test, not just the calendar date.
|
|
477
|
+
|
|
478
|
+
**AI-pipeline applicability (per AGENTS.md Hard Rule #9):** for AI Pipeline Change Management exceptions, `D3-EAL` and `D3-EFA` do not apply to serverless inference endpoints — the scoped alternative is `D3-CSPP` at the inference gateway plus provider-signed-image attestation in the model-card. `D3-FAPA` on ephemeral RAG indices degrades to per-query retrieval logging via `D3-IOPR` plus index-build provenance signed at construction. These degradations must be enumerated in the exception's "Compensating Controls" field; an AI-pipeline exception that copies a non-AI exception template is incomplete.
|
|
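Review bot: the Defense-in-depth paragraph requires "at least two D3FEND techniques per residual TTP, drawn from different defense-in-depth layers", but the table in the same hunk does not meet its own rule: T1078 (Valid Accounts) gets only `D3-CBAN`, T1610 (Deploy Container) only `D3-EFA`, and AML.T0020 (Poison Training Data) only `D3-FAPA`. Either add the second-layer technique for those rows or soften the rule to "at least two per residual TTP chain". As written, the same paragraph's rule that a single-technique exception "is theater for the multi-stage attack chain" would flag every exception built from this table.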
@@ -514,6 +514,8 @@ Priority order:
|
|
|
514
514
|
|
|
515
515
|
## Output Format
|
|
516
516
|
|
|
517
|
+
The skill produces a structured PQC Readiness Assessment that scores the org's post-quantum migration posture against the NIST PQC standards (ML-KEM / FIPS 203, ML-DSA / FIPS 204, SLH-DSA / FIPS 205), CNSA 2.0, and the BSI / ANSSI / NCSC migration guidance. The shape below is consumed downstream by `crypto` playbook runs (which feed the assessment into Phase 5 analyze), by `framework-gap-analysis` (for SC-8 / SC-13 / A.8.24 / A.10 lag declarations), and by `compliance-theater` (which compares the harvest-now-decrypt-later exposure against the org's data-classification claims). Preserve the per-protocol cryptographic-inventory rows verbatim — they are the auditable derivation of the migration roadmap.
|
|
518
|
+
|
|
517
519
|
```
|
|
518
520
|
## PQC Readiness Assessment
|
|
519
521
|
|
|
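Review bot: "SC-8 / SC-13 / A.8.24 / A.10" mixes two editions of ISO/IEC 27001 in one list: A.8.24 (Use of cryptography) is the 2022 Annex A numbering, while A.10 (Cryptography) is the 2013 numbering for the same control area. If both editions are meant to be supported for orgs still certified against 2013, label them as such; otherwise drop A.10 so the lag declaration does not cite a control that no longer exists in the current standard.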
@@ -260,6 +260,8 @@ Prioritize by: data classification of knowledge base content (higher classificat
|
|
|
260
260
|
|
|
261
261
|
## Output Format
|
|
262
262
|
|
|
263
|
+
The skill produces a structured RAG Pipeline Security Assessment covering vector-store inventory, embedding-model trust posture, retrieval-policy coverage, and observed exfiltration risk per corpus. The shape below is consumed downstream by `ai-attack-surface` (which integrates the per-corpus risk band into the broader AI surface report), by `dlp-gap-analysis` (which picks up the retrieval-policy gaps as DLP-channel findings), and by `mlops-security` (which inherits the embedding-model trust assessment). Operators feeding the output into auditor evidence should preserve the per-corpus retrieval-baseline field — it is the test that distinguishes paper retrieval controls from monitored ones.
|
|
264
|
+
|
|
263
265
|
```
|
|
264
266
|
## RAG Pipeline Security Assessment
|
|
265
267
|
|
|
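Review bot: the lead-in says the per-corpus retrieval-baseline field separates paper retrieval controls from monitored ones, but it does not say how the field is filled for ephemeral indices, where this diff elsewhere states that `D3-FAPA` baselining degrades to per-query retrieval logging via `D3-IOPR` plus signed index-build provenance. Since the same rule (AGENTS.md Hard Rule #9) is invoked for the currency and learning-loop skills below, the RAG assessment should name the field in which that degradation is recorded; otherwise an ephemeral-index corpus gets a "monitored" baseline it cannot have.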
@@ -251,6 +251,8 @@ Produce the Output Format below. Keep it to one page. The point of the researche
|
|
|
251
251
|
|
|
252
252
|
## Output Format
|
|
253
253
|
|
|
254
|
+
The skill produces a Researcher Triage Report that converts a free-form research query (CVE ID, threat-actor name, framework reference, RFC number, vendor advisory) into a structured triage: canonical identifier, threat-currency assessment, the skill(s) that own follow-on analysis, and the suggested next operator action. The shape below is consumed downstream by `exceptd dispatch` (which routes to matching skills) and by the operator's investigation queue. Preserve the canonical-reference field verbatim — it is the load-bearing field for downstream skill chaining.
|
|
255
|
+
|
|
254
256
|
```
|
|
255
257
|
# Researcher Triage Report — <input>
|
|
256
258
|
|
|
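Review bot: "Preserve the canonical-reference field verbatim" assumes every input kind resolves to one canonical identifier, but the input list includes threat-actor names, which carry vendor aliases rather than a single registry ID, and vendor advisories, which may reference several CVEs. State how the field behaves in those cases (multi-valued, or one chosen alias with the alternatives listed), because `exceptd dispatch` routing on a field that is sometimes a list and sometimes a scalar is exactly the ambiguity that breaks downstream skill chaining.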
@@ -273,6 +273,8 @@ For operators with material aggregate consumer-IoT or DER influence (TSOs, large
|
|
|
273
273
|
|
|
274
274
|
## Output Format
|
|
275
275
|
|
|
276
|
+
The skill produces an Energy-Sector Cybersecurity Posture Assessment covering NERC CIP v6 / v7 coverage, TSA Pipeline Security Directives, IEC 62443 zone-and-conduit posture, ENISA EECSP, ASD Essential 8 + AESCSF (AU), CER NIS2 transposition (EU), and the AI-augmented OT threat exposure. The shape below is consumed downstream by `ot-ics-security` (which inherits the Purdue-zone analysis), by `incident-response-playbook` (for the FERC / NERC EOP-004 incident-classification clock), and by `global-grc` (for cross-jurisdictional energy rollup). Preserve the per-substation / per-pipeline asset rows verbatim — they are the auditable evidence for regulator reporting.
|
|
277
|
+
|
|
276
278
|
Produce this structure verbatim:
|
|
277
279
|
|
|
278
280
|
```
|
|
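Review bot: "CER NIS2 transposition (EU)" conflates two directives. The Critical Entities Resilience Directive (CER, 2022/2557) and NIS2 (2022/2555) are separate instruments with separate transposition obligations, and energy operators commonly fall under both; list them as two items so the per-regulator rows do not merge physical-resilience obligations under CER with the NIS2 cyber obligations. Also, NERC CIP is versioned per standard rather than as a single "v6 / v7" set, so the coverage rows should cite the individual standards (for example CIP-003, CIP-007) and the version of each they were assessed against.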
@@ -212,6 +212,8 @@ Verify-not-assume posture per M-22-09 and CISA ZTMM v2.0.
|
|
|
212
212
|
|
|
213
213
|
## Output Format
|
|
214
214
|
|
|
215
|
+
The skill produces a Federal Government / DIB Cybersecurity Assessment covering FedRAMP Rev5 Moderate / High coverage, CMMC 2.0 Level 1/2/3 maturity, NIST 800-171 Rev 2/3 + 800-172 enhanced security requirements, M-22-09 zero-trust strategy progress, M-24-04 AI obligations, UK GovAssure, EU NIS2 public administration, AU PSPF / ISM Essential 8, and IL CDM v2.1. The shape below is consumed downstream by `incident-response-playbook` (for federal IR notification clocks), by `compliance-theater` (FedRAMP-vs-deployed comparison), and by `global-grc` (for cross-jurisdictional government rollup). Preserve the per-baseline maturity rows verbatim — they are the auditable evidence for ATO / continuous-ATO renewal.
|
|
216
|
+
|
|
215
217
|
```
|
|
216
218
|
## Federal Government / DIB Cybersecurity Assessment
|
|
217
219
|
|
|
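Review bot: two references in the lead-in need checking. "M-24-04 AI obligations" points at the FY2024 FISMA guidance memo; the OMB memorandum on agency AI use and governance is M-24-10 (replaced by M-25-21 in April 2025). And "NIST 800-171 Rev 2/3" leaves open which revision the per-baseline maturity rows score against: CMMC 2.0 Level 2 assessments are tied to Rev 2, so a row scored against Rev 3 will not reconcile with the CMMC row for the same control. State the revision per row, since these rows are the ATO evidence the lead-in says must be preserved verbatim.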
@@ -270,6 +270,8 @@ For NY-regulated entities:
|
|
|
270
270
|
|
|
271
271
|
## Output Format
|
|
272
272
|
|
|
273
|
+
The skill produces a Financial Sector Cybersecurity Posture Assessment covering EU DORA Art. 6-15 + RTS coverage, UK FCA / PRA SS2/21, US NYDFS 23 NYCRR 500 (Nov 2025 amended), AU APRA CPS 234 + CPG 235, SG MAS TRM, HK HKMA SA-2 / TM-G-1, JP FISC, BR BCB, and the BEC / wire-fraud exposure. The shape below is consumed downstream by `incident-response-playbook` (for the DORA 4h initial-notification clock), by `email-security-anti-phishing` (for BEC exposure), and by `global-grc` (for cross-jurisdictional financial rollup). Preserve the per-regulator obligation rows verbatim — they are the auditable evidence for incident-classification timing.
|
|
274
|
+
|
|
273
275
|
Produce this structure verbatim:
|
|
274
276
|
|
|
275
277
|
```
|
|
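Review bot: "NYDFS 23 NYCRR 500 (Nov 2025 amended)" mislabels the amendment date. The Second Amendment to Part 500 was adopted in November 2023; November 2025 is the final phased compliance date for the last requirements (universal MFA and asset inventory). Cite the amendment date and, if the later date matters for scoring, say it is the compliance deadline. Separately, the "DORA 4h initial-notification clock" should record what starts the clock (classification of the incident as major), since the per-regulator obligation rows are described as the evidence for incident-classification timing.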
@@ -235,6 +235,8 @@ For each jurisdiction the operator is exposed to (US, EU, UK, AU, JP, IL, SG, IN
|
|
|
235
235
|
|
|
236
236
|
## Output Format
|
|
237
237
|
|
|
238
|
+
The skill produces a Healthcare Sector Security Posture Assessment covering HIPAA Security Rule + 2025 NPRM coverage, HITRUST control maturity, NIS2 essential-entity obligations (where applicable), FDA pre/post-market cybersecurity for medical devices, and ambient-AI documentation-pilot risk. The shape below is consumed downstream by `incident-response-playbook` (for HIPAA Breach Notification timing), by `compliance-theater` (HITRUST-vs-deployed-control comparison), and by `global-grc` (for cross-jurisdictional healthcare rollup). Preserve the per-control HIPAA / HITRUST rows verbatim — they are the auditable evidence for breach-notification timing.
|
|
239
|
+
|
|
238
240
|
Produce this structure verbatim:
|
|
239
241
|
|
|
240
242
|
```
|
|
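Review bot: the closing sentence says the per-control HIPAA / HITRUST rows are "the auditable evidence for breach-notification timing", but control-coverage rows do not establish when a breach was discovered; the notification clock under the Breach Notification Rule runs from discovery, so timing evidence is the discovery record and risk assessment, not the control matrix. Either state what the rows are actually evidence for (Security Rule safeguard coverage) or add the discovery-date field that `incident-response-playbook` needs for the timing it is said to consume.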
@@ -344,6 +344,8 @@ Year 1+: Tier 3 — by domain, starting with highest-sensitivity data
|
|
|
344
344
|
|
|
345
345
|
## Output Format
|
|
346
346
|
|
|
347
|
+
The skill produces a Security Maturity Roadmap that scores each in-scope domain against the published tier definitions and surfaces the next-tier upgrade path with budget bands and dependency ordering. The shape below is consumed downstream by `policy-exception-gen` (for domains where the operator chooses a lower tier than the threat model requires), by `compliance-theater` (which compares the claimed tier against deployed controls), and by `global-grc` (for cross-jurisdictional tier obligations). Preserve the per-domain tier rows verbatim — they are the auditable baseline for the upgrade plan.
|
|
348
|
+
|
|
347
349
|
```
|
|
348
350
|
## Security Maturity Roadmap
|
|
349
351
|
|
|
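Review bot: "scores each in-scope domain against the published tier definitions" does not say what evidence backs a tier claim, yet `compliance-theater` is listed as comparing the claimed tier against deployed controls. The other Output Format lead-ins in this diff tie their preserved rows to a verifiable artifact; the per-domain tier rows here should carry the deployed-control evidence they were scored on, otherwise the downstream comparison has only the claim to consume.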
@@ -431,6 +431,8 @@ For each required update: specific skill file, specific section, specific change
|
|
|
431
431
|
|
|
432
432
|
## Output Format
|
|
433
433
|
|
|
434
|
+
The skill produces a Skill Update Loop Report covering per-skill `last_threat_review` currency, ATLAS / ATT&CK / D3FEND / CWE catalog version drift, CISA KEV additions since the last review, and the priority queue of skills requiring body updates before the next release. The shape below is consumed downstream by the release-cadence maintainer workflow, by `data/_meta` tracking, and by the predeploy `watchlist` gate. Preserve the per-skill drift columns verbatim — they are the auditable trigger for each forced body refresh.
|
|
435
|
+
|
|
434
436
|
```
|
|
435
437
|
## Skill Update Loop Report
|
|
436
438
|
|
|
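Review bot: the report lists catalog version drift for ATLAS / ATT&CK / D3FEND / CWE but the lead-in does not say it records the pinned version it compared against; the threat-model hunk later in this diff invokes AGENTS.md Hard Rule #12 (external data version pinning), so the per-skill drift columns should name both the pinned and the observed version, otherwise a "drift" row is not reproducible at the next review. Also say which timestamp "since the last review" keys off, presumably the skill's `last_threat_review` frontmatter field that this diff bumps elsewhere.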
@@ -252,6 +252,8 @@ Every artifact is untrusted until provenance is verified.
|
|
|
252
252
|
|
|
253
253
|
## Output Format
|
|
254
254
|
|
|
255
|
+
The skill produces a Supply-Chain Integrity Assessment covering per-pipeline build provenance, SLSA / in-toto / sigstore attestation coverage, SBOM completeness, dependency-risk inventory, and the prioritized roadmap to close gaps against EU CRA, NIST 800-218, and the expanded global framework set. The shape below is consumed downstream by `mcp-agent-trust` (for AI-tool supply-chain rows), by `mlops-security` (for model-artifact provenance), and by `compliance-theater` (which compares the deployed attestation surface against EU CRA Annex I claims). Preserve the per-pipeline attestation rows verbatim — they are the auditable evidence chain.
|
|
256
|
+
|
|
255
257
|
```
|
|
256
258
|
## Supply-Chain Integrity Assessment
|
|
257
259
|
|
|
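Review bot: the context line says every artifact is untrusted until provenance is verified, but the lead-in frames attestation coverage as what is signed, not what is verified at consumption. A per-pipeline row should record the verification policy (which signing identities or issuers are accepted, and at which step the check runs), since a sigstore keyless signature from an unconstrained OIDC identity passes "is signed" and fails "is verified". Without that column, the compliance-theater comparison against CRA Annex I cannot tell a signed-but-unverified pipeline from a verified one.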
@@ -22,7 +22,7 @@ forward_watch:
|
|
|
22
22
|
- New CISA KEV entries in kernel/AI/supply chain categories
|
|
23
23
|
- New MCP or agent protocol security disclosures
|
|
24
24
|
- Emerging malware families using AI for evasion
|
|
25
|
-
last_threat_review: "2026-05-
|
|
25
|
+
last_threat_review: "2026-05-18"
|
|
26
26
|
discovery_mode: "standalone" # v0.13.2: operator-reached via `exceptd brief threat-model-currency` or `exceptd ask`; not chained into any playbook's direct.skill_chain by design
|
|
27
27
|
---
|
|
28
28
|
|
|
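Review bot: the `last_threat_review` bump to 2026-05-18 is the only dated trace of this review in the frontmatter, while the `discovery_mode` comment on the next line still describes the mode as of v0.13.2. Either confirm that note is still accurate or drop the version tag from the comment so it does not go stale each release; a fresh review date next to a stale version annotation invites the wrong conclusion about which release last touched the skill.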
@@ -374,6 +374,8 @@ For each gap, produce a specific, actionable update:
|
|
|
374
374
|
|
|
375
375
|
## Output Format
|
|
376
376
|
|
|
377
|
+
The skill produces a structured Threat Model Currency Assessment that scores the threat model against each of the 14 threat classes, computes a currency percentage, and emits a priority update roadmap. The shape below is consumed downstream by `framework-gap-analysis` (which converts per-class gaps into Framework Lag Declarations), by `policy-exception-gen` (which generates defensible exceptions for any class the operator cannot remediate immediately), and by `global-grc` (which rolls up the currency score across EU/UK/AU/ISO jurisdictions per Hard Rule #5). Preserve the per-class scoring rows verbatim — they are the auditable derivation of the currency percentage.
|
|
378
|
+
|
|
377
379
|
```
|
|
378
380
|
## Threat Model Currency Assessment
|
|
379
381
|
|
|
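Review bot: the lead-in says the assessment scores 14 classes and computes a currency percentage, but it does not state the scale; the Defensive Countermeasure Mapping section added below refers to a "28/28" score, which only makes sense if each class is worth two points. Spell out the per-class scale here (and what each point means, for instance one for the threat being named and one for a control being named) so the percentage is derivable from the preserved scoring rows rather than from the reader's guess.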
@@ -409,3 +411,37 @@ Current reference: MITRE ATLAS v5.4.0 (February 2026)
|
|
|
409
411
|
Threat model references: [version cited in document]
|
|
410
412
|
Gap: [if different]
|
|
411
413
|
```
|
|
414
|
+
|
|
415
|
+
---
|
|
416
|
+
|
|
417
|
+
## Defensive Countermeasure Mapping
|
|
418
|
+
|
|
419
|
+
A threat model is current only when each of the 14 threat classes above has a named defensive control. The mapping below converts each class to the D3FEND defensive technique that disrupts its offensive TTP. A currency assessment that scores a class as "addressed" without naming the corresponding D3FEND technique is under-specified — the threat model identifies the threat but does not commit to a defence.
|
|
420
|
+
|
|
421
|
+
| Class | Offensive TTP | D3FEND ID | Defensive technique | Defense-in-depth layer |
|
|
422
|
+
|---|---|---|---|---|
|
|
423
|
+
| 1 — AI-discovered kernel LPE (Copy Fail) | T1068 | `D3-KBPI` | Kernel-Based Process Isolation | Kernel — compensating control during the AI-compressed weaponization window |
|
|
424
|
+
| 2 — Deterministic LPE | T1068 | `D3-SCA` | System Call Analysis | Endpoint — detect the deterministic primitive at syscall layer |
|
|
425
|
+
| 3 — IPsec subsystem LPE (Dirty Frag / Fragnesia) | T1190 | `D3-NI` | Network Isolation (non-IPsec data path) | Network — segmentation independent of the compromised cryptographic subsystem |
|
|
426
|
+
| 4 — Prompt injection RCE | AML.T0051, AML.T0054 | `D3-IOPR` | Input/Output Profiling | SDK / application — content-aware prompt+completion inspection |
|
|
427
|
+
| 4 — Prompt injection RCE (gateway tier) | AML.T0051 | `D3-CSPP` | Client-server Payload Profiling | LLM gateway — when SDK-side instrumentation is not deployable |
|
|
428
|
+
| 5 — MCP supply chain RCE | AML.T0010 | `D3-EAL` | Executable Allowlisting | Managed endpoint — only sanctioned MCP servers and IDE assistants execute |
|
|
429
|
+
| 5 — MCP supply chain RCE | AML.T0010 | `D3-EFA` | Executable File Analysis | Endpoint — pre-execution analysis of MCP-server binaries |
|
|
430
|
+
| 6 — AI-assisted weaponization | AML.T0016 | `D3-NTA` | Network Traffic Analysis | Network egress — detect attacker-side AI-API queries from compromised tooling |
|
|
431
|
+
| 7 — AI as covert C2 (SesameOp) | AML.T0096 | `D3-NTA` | Network Traffic Analysis | Network egress — per-identity baseline of model-API destinations |
|
|
432
|
+
| 8 — AI-generated malware evasion (PROMPTFLUX) | AML.T0016 | `D3-PA` | Process Analysis | Endpoint — behavioral detection of in-process LLM-query patterns |
|
|
433
|
+
| 9 — RAG exfiltration | AML.T0043 | `D3-FAPA` | File Access Pattern Analysis | Data tier — RAG-corpus retrieval-pattern baselining |
|
|
434
|
+
| 10 — Model poisoning | AML.T0020 | `D3-FAPA` | File Access Pattern Analysis | Data tier — training-corpus access-pattern baselining |
|
|
435
|
+
| 11 — AI-speed reconnaissance | T1595 | `D3-NTA` | Network Traffic Analysis | Network ingress — recalibrated thresholds for AI-speed probe rates |
|
|
436
|
+
| 12 — AI-generated phishing | T1566, AML.T0016 | `D3-MFA` | Multi-factor Authentication (passkey class) | Identity — remove the credential-disclosure win condition AI phishing optimizes for |
|
|
437
|
+
| 12 — AI-generated phishing (gateway tier) | T1566 | `D3-CSPP` | Client-server Payload Profiling | Email gateway — stylometric drift detection for LLM-generated lures |
|
|
438
|
+
| 13 — ATLAS coverage | All AML.T* | `D3-IOPR` + `D3-NTA` | Input/Output Profiling + Network Traffic Analysis | SDK + network — the two-layer minimum for AI TTP detection |
|
|
439
|
+
| 14 — Post-quantum adversary | T1557 (harvest-now-decrypt-later) | `D3-MENCR` | Message Encryption (PQC-hybrid TLS) | Network — ML-KEM / X25519 hybrid key agreement for long-lived sensitive traffic |
|
|
440
|
+
|
|
441
|
+
**Defense-in-depth posture:** the 14-class currency score (per the Scoring section above) is upgraded from "addressed" to "operationally addressed" only when each class names at least one deployed D3FEND technique from the table. A threat model that scores 28/28 on knowledge of threats but cites zero D3FEND techniques is paper-current — the document is updated, the defence is not.
|
|
442
|
+
|
|
443
|
+
**Least-privilege scope:** the D3FEND techniques in this table are technique-level; their per-principal scoping is owned by the downstream skill cited in each class (e.g. `ai-attack-surface` owns `D3-IOPR` scoping for AI principals, `kernel-lpe-triage` owns `D3-KBPI` scoping for kernel-class assets). The threat-model currency assessment cites the technique by ID; the scoping document lives in the downstream skill.
|
|
444
|
+
|
|
445
|
+
**Zero-trust posture:** every class above is verified in production before the currency score credits it. A class scored as "addressed" with a D3FEND technique that is policy-approved but not deployed, or deployed but not monitored, or monitored but not tested against the cited TTP, is over-credited. The Priority Update Roadmap field (per the Output Format) must list verification tests alongside the technique deployment plan.
|
|
446
|
+
|
|
447
|
+
**AI-pipeline applicability (per AGENTS.md Hard Rule #9):** Classes 4, 5, 7, 8, 9, 10, 11, 12, 13 are AI-pipeline-applicable. `D3-EAL` does not apply to serverless inference endpoints; the scoped alternative is `D3-CSPP` at the gateway plus signed-image attestation at the provider. `D3-FAPA` on ephemeral RAG indices degrades to per-query retrieval logging via `D3-IOPR` plus index-build provenance signed at construction. The currency assessment must record these degradations explicitly when scoring AI-pipeline classes.
|
|
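Review bot: three rows in the mapping table need attention. Class 3 maps an IPsec subsystem LPE to T1190 (Exploit Public-Facing Application) while classes 1 and 2 map LPE to T1068; the learning-loop table added later in this diff splits the same Dirty Frag / Fragnesia case into T1190 for the entry and T1068 for the post-exploit privilege step, which is the more defensible mapping, so align this table to that split. Class 12's `D3-MFA` note "remove the credential-disclosure win condition" only holds for phishing-resistant authenticators; OTP and push MFA are relayed by adversary-in-the-middle kits, so the row should say "phishing-resistant MFA" or the zero-trust check below will credit an MFA deployment that does not defeat the cited TTP. Finally, the AI-pipeline paragraph says only `D3-EAL` does not apply to serverless inference endpoints, whereas the same rule is stated at the top of this diff as `D3-EAL` and `D3-EFA`; there is no executable file to analyse on a managed endpoint either, so `D3-EFA` should be listed here too.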
@@ -234,6 +234,8 @@ Per Hard Rule AGENTS.md #12 (external data version pinning): when ATLAS, ATT&CK,
|
|
|
234
234
|
|
|
235
235
|
## Output Format
|
|
236
236
|
|
|
237
|
+
The skill produces a structured Threat Model per system covering the chosen methodology composite (STRIDE-ML + LINDDUN + Diamond, or Unified Kill Chain v3.0, or a domain-specific composite), the data-flow diagram, identified threats with ATLAS / ATT&CK mapping, mitigations with D3FEND ID, and the currency-trigger list that schedules re-runs. The shape below is consumed downstream by `threat-model-currency` (which scores the model against the 14-class checklist), by `framework-gap-analysis` (which converts each unmitigated threat into a Framework Lag Declaration), and by `policy-exception-gen` (for any threat accepted as residual risk). Preserve the methodology-rationale field verbatim — it is the auditable justification for the chosen composite.
|
|
238
|
+
|
|
237
239
|
```
|
|
238
240
|
## Threat Model — <system name>
|
|
239
241
|
**Date:** YYYY-MM-DD
|
|
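Review bot: the "currency-trigger list that schedules re-runs" is the right hook for the version pinning rule the context line cites (AGENTS.md Hard Rule #12), but the lead-in does not say the threat model records the ATLAS / ATT&CK / D3FEND versions its mappings were made against. Add those versions to the trigger list, because `threat-model-currency` cannot tell a stale AML.T* mapping from a current one without knowing which ATLAS release the model used.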
@@ -185,6 +185,8 @@ The procedure threads three foundational design principles end-to-end. They are
|
|
|
185
185
|
|
|
186
186
|
## Output Format
|
|
187
187
|
|
|
188
|
+
The skill produces a Web Application Security Assessment covering OWASP ASVS-mapped per-control coverage, OWASP Top 10 + API Top 10 findings, AI/LLM Top 10 exposure for any LLM-integrated routes, dependency-risk inventory, and the prioritized remediation roadmap. The shape below is consumed downstream by `api-security` (for service-to-service routes), by `ai-attack-surface` (for any LLM-integrated component), and by `compliance-theater` (which compares the ASVS-claimed level against the deployed-control evidence). Preserve the per-control coverage rows verbatim — they are the auditable ASVS-level derivation.
|
|
189
|
+
|
|
188
190
|
```
|
|
189
191
|
## Web Application Security Assessment
|
|
190
192
|
|
|
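Review bot: "OWASP ASVS-mapped per-control coverage" needs the ASVS version pinned on the rows. ASVS 5.0 (2025) restructured and renumbered the requirements relative to 4.0, so a per-control row without a version is not comparable across assessments, and the ASVS-level derivation the lead-in says to preserve verbatim would not reconcile. The same applies to the LLM Top 10, which exists as a 2023 and a 2025 list.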
@@ -23,7 +23,7 @@ forward_watch:
|
|
|
23
23
|
- New ATLAS TTP additions in each ATLAS release
|
|
24
24
|
- Framework updates that close previously open gaps
|
|
25
25
|
- Vendor advisories for MCP/AI tool supply chain CVEs
|
|
26
|
-
last_threat_review: "2026-05-
|
|
26
|
+
last_threat_review: "2026-05-18"
|
|
27
27
|
discovery_mode: "standalone" # v0.13.2: operator-reached via `exceptd brief zeroday-gap-learn` or `exceptd ask`; not chained into any playbook's direct.skill_chain by design
|
|
28
28
|
---
|
|
29
29
|
|
|
@@ -398,6 +398,8 @@ Format the output for addition to `data/zeroday-lessons.json`.
|
|
|
398
398
|
|
|
399
399
|
## Output Format
|
|
400
400
|
|
|
401
|
+
The skill produces a Zero-Day Learning Loop entry per CVE, capturing attack-vector extraction, control-gap identification, framework coverage assessment, the new control requirement that closes the gap, and an exposure score for the org's environment. The shape below is consumed downstream by `framework-gap-analysis` (which converts the new control requirement into a Framework Lag Declaration), by `defensive-countermeasure-mapping` (which maps the requirement to D3FEND IDs), and by `data/zeroday-lessons.json` (which inherits the lesson entry as a persistent record). Preserve the attack-vector and control-gap fields verbatim — they are the auditable derivation of the new control requirement.
|
|
402
|
+
|
|
401
403
|
```
|
|
402
404
|
## Zero-Day Learning Loop: [CVE-ID / Vulnerability Name]
|
|
403
405
|
|
|
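Review bot: the lead-in routes D3FEND mapping to `defensive-countermeasure-mapping` as a downstream consumer, while the Defensive Countermeasure Mapping section added at the end of this same file requires each lesson entry to cite a D3FEND ID itself. Say which is authoritative: if the lesson entry must carry the ID, the downstream skill is verifying it rather than producing it, and the "Preserve ... verbatim" sentence should then extend to the D3FEND ID field, since an entry whose ID is rewritten downstream no longer matches what `data/zeroday-lessons.json` inherited.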
@@ -442,3 +444,33 @@ Run this check against any organization claiming a mature vulnerability-manageme
|
|
|
442
444
|
> "Open `data/zeroday-lessons.json` (or the org's equivalent). Count the entries. Compare to the count of CVEs the org actually responded to in the same period. If the lesson-entry count is < CVE-response count, the loop is partial. Per AGENTS.md DR-8, partial is failure: every zero-day-in-scope must produce a lesson entry. The gap between CVEs-patched and lessons-learned is the size of the theater. The org's `Improve` function (NIST CSF 2.0) is not running."
|
|
443
445
|
|
|
444
446
|
> "Ask: in the last 12 months, has a single internal control requirement been created or modified as a result of a public zero-day the org was NOT directly hit by? If no, the org's threat-intelligence control (ISO A.5.7) is consumption-only — collecting feeds, not changing controls. Threat-intel without control-system change is library subscription, not security capability."
|
|
447
|
+
|
|
448
|
+
---
|
|
449
|
+
|
|
450
|
+
## Defensive Countermeasure Mapping
|
|
451
|
+
|
|
452
|
+
The learning loop's output is a new control requirement. The mapping below converts each of the lesson-class outputs this skill produces into the D3FEND defensive technique that codifies the requirement. A lesson entry that names a new control requirement without citing a D3FEND ID is incomplete — the requirement names the goal but not the implementation technique, which is exactly the framework-lag failure the learning loop is meant to close.
|
|
453
|
+
|
|
454
|
+
| Lesson class | Offensive TTP class | D3FEND ID | Defensive technique | Defense-in-depth layer |
|
|
455
|
+
|---|---|---|---|---|
|
|
456
|
+
| Deterministic kernel LPE (Copy Fail class) | T1068 | `D3-KBPI` | Kernel-Based Process Isolation | Kernel — compensating control during AI-compressed weaponization |
|
|
457
|
+
| Deterministic kernel LPE | T1068 | `D3-SCA` | System Call Analysis | Endpoint — detect the LPE primitive at syscall layer |
|
|
458
|
+
| Cryptographic subsystem compromise (Dirty Frag / Fragnesia) | T1190 | `D3-NI` | Network Isolation (non-IPsec data path) | Network — segmentation independent of the compromised subsystem |
|
|
459
|
+
| Cryptographic subsystem compromise | T1068 (post-exploit) | `D3-PA` | Process Analysis | Endpoint — anomalous-uid / capability-set detection |
|
|
460
|
+
| Prompt injection RCE (Copilot YOLO-mode class) | AML.T0051, AML.T0054 | `D3-IOPR` | Input/Output Profiling | SDK / application — content-aware prompt+completion inspection |
|
|
461
|
+
| Prompt injection RCE (gateway tier) | AML.T0051 | `D3-CSPP` | Client-server Payload Profiling | LLM gateway — when SDK-side instrumentation is not deployable |
|
|
462
|
+
| MCP supply chain RCE (Windsurf class) | AML.T0010 | `D3-EAL` | Executable Allowlisting | Managed endpoint — only sanctioned MCP servers execute |
|
|
463
|
+
| MCP supply chain RCE | AML.T0010 | `D3-EFA` | Executable File Analysis | Endpoint — pre-execution analysis of MCP-server binaries |
|
|
464
|
+
| AI-as-C2 (SesameOp class) | AML.T0096 | `D3-NTA` | Network Traffic Analysis | Network egress — per-identity baseline of model-API destinations |
|
|
465
|
+
| AI-generated malware (PROMPTFLUX class) | AML.T0016 | `D3-PA` | Process Analysis | Endpoint — behavioral detection of in-process LLM-query patterns |
|
|
466
|
+
| RAG exfiltration | AML.T0043 | `D3-FAPA` | File Access Pattern Analysis | Data tier — RAG-corpus retrieval-pattern baselining |
|
|
467
|
+
| Model poisoning | AML.T0020 | `D3-FAPA` | File Access Pattern Analysis | Data tier — training-corpus access-pattern baselining |
|
|
468
|
+
| Identity-provider blast-radius (sigstore-class) | T1078 (Valid Accounts) | `D3-CBAN` | Certificate-based Authentication | Identity — short-lived workload certificates limit token-theft blast radius |
|
|
469
|
+
|
|
470
|
+
**Defense-in-depth posture:** every lesson entry produced by this skill must cite at least one D3FEND technique from the table for the cited offensive TTP class. A lesson that names "we need better prompt-injection defence" without citing `D3-IOPR` or `D3-CSPP` is rhetorically complete but operationally vacant — the next variant lands against the same unchanged control surface because the lesson never named the technique that disrupts it.
|
|
471
|
+
|
|
472
|
+
**Least-privilege scope:** the D3FEND techniques in this table are technique-level; the per-principal scoping is owned by the downstream skill named in the lesson's `feeds_into` field (e.g. `ai-attack-surface` for AML.T0051 lessons, `kernel-lpe-triage` for T1068 lessons). A lesson entry routes the new control requirement to the downstream skill, which carries the principal-class scoping.
|
|
473
|
+
|
|
474
|
+
**Zero-trust posture:** a lesson entry closes only when the new control requirement is deployed and verified in production, not when the lesson is recorded. The Output Format's "Exposure Scoring" section must track lesson-deployment latency alongside lesson-creation latency — a lesson recorded but not deployed is the same operational state as no lesson at all.
|
|
475
|
+
|
|
476
|
+
**AI-pipeline applicability (per AGENTS.md Hard Rule #9):** lessons targeting AML.T0010 (MCP / model-serving supply chain) must record AI-pipeline degradations explicitly. `D3-EAL` does not apply to serverless inference endpoints — the scoped alternative is `D3-CSPP` at the gateway plus signed-image attestation at the provider. `D3-FAPA` on ephemeral RAG indices degrades to per-query retrieval logging via `D3-IOPR` plus index-build provenance signed at construction. Lessons that omit these degradations propagate the framework-lag they were meant to close.
|
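Review bot: the sigstore-class row's rationale "short-lived workload certificates limit token-theft blast radius" is circular for sigstore, whose keyless signing certificates are already short-lived; in an identity-provider compromise the blast radius is set by what the verifier accepts (issuer and subject constraints, and whether the transparency log is consulted), not by certificate lifetime. Reword the layer column to name verification-policy constraints as the control, or the `D3-CBAN` row credits a property sigstore already has. Also, the least-privilege paragraph relies on a `feeds_into` field in the lesson entry that the Output Format lead-in above does not mention; confirm the field exists in the entry shape or name it there.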