@blamejs/exceptd-skills 0.13.59 → 0.13.62

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@blamejs/exceptd-skills",
-  "version": "0.13.59",
-  "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 42 skills, 10 catalogs (312 CVEs / 171 CWEs / 805 ATT&CK + ICS / 170 ATLAS / 468 D3FEND / 7476 RFCs), 34 jurisdictions, 10-class catalog gap detector + budget gate, real XML parser + canonical-form diff + content-pattern regression detection, Ed25519-signed.",
+  "version": "0.13.62",
+  "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 42 skills, 10 catalogs (312 CVEs / 171 CWEs / 805 ATT&CK + ICS / 170 ATLAS / 468 D3FEND / 7476 RFCs), 35 jurisdictions, 10-class catalog gap detector + budget gate, real XML parser + canonical-form diff + content-pattern regression detection, Ed25519-signed.",
   "keywords": [
     "ai-security",
     "ai-skills",

package/sbom.cdx.json

@@ -1,23 +1,23 @@
 {
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:eb996267-363d-46e0-9a5c-f259a8c46d9b",
+  "serialNumber": "urn:uuid:d905be3b-b5b0-4701-9bc1-43dcc2f5fb90",
   "version": 1,
   "metadata": {
-    "timestamp": "2151-04-04T19:39:19.000Z",
+    "timestamp": "2141-05-19T13:50:51.000Z",
     "tools": [
       {
         "vendor": "blamejs",
         "name": "scripts/refresh-sbom.js",
-        "version": "0.13.59"
+        "version": "0.13.62"
       }
     ],
     "component": {
-      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.13.59",
+      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.13.62",
       "type": "application",
       "name": "@blamejs/exceptd-skills",
-      "version": "0.13.59",
-      "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 42 skills, 10 catalogs (312 CVEs / 171 CWEs / 805 ATT&CK + ICS / 170 ATLAS / 468 D3FEND / 7476 RFCs), 34 jurisdictions, 10-class catalog gap detector + budget gate, real XML parser + canonical-form diff + content-pattern regression detection, Ed25519-signed.",
+      "version": "0.13.62",
+      "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 42 skills, 10 catalogs (312 CVEs / 171 CWEs / 805 ATT&CK + ICS / 170 ATLAS / 468 D3FEND / 7476 RFCs), 35 jurisdictions, 10-class catalog gap detector + budget gate, real XML parser + canonical-form diff + content-pattern regression detection, Ed25519-signed.",
       "licenses": [
         {
           "license": {
@@ -25,17 +25,17 @@
           }
         }
       ],
-      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.13.59",
+      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.13.62",
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "97387465e487f40271bdfd6dc20958446c2772c571c9c7671e9f912e0a6b32ae"
+          "content": "69652e30ed68856a926cc9b7993e8b629916bcfa4b9783edb94a7322fcfff6e9"
         }
       ],
       "externalReferences": [
         {
           "type": "distribution",
-          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.13.59"
+          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.13.62"
         },
         {
           "type": "vcs",
@@ -116,11 +116,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "d08eca001f3bd9547d899b0531b59b5bcf929bcc1134f5f920bc85453a96bee8"
+          "content": "56b52f1a5a7e134c2578bb4c1f676ddaff8c9210572978a42ee4e74438cef1fa"
         },
         {
           "alg": "SHA3-512",
-          "content": "9b6e0d750008f8b273c44016fd002d31f38ebb95b00787cd57081c29f8afed8c9c56b94a85c17b9a1bd4edacdbf12ba602acda6459d7743ab409ff3471114932"
+          "content": "f2e0e0a96f6c5eec7b66b66a9048fef9f2f9cd4bcde0aa1c62564cb65676132c7339861c445bad81a96dc3357e4e9263b434330550c339a497d340c47dba6287"
         }
       ]
     },
@@ -176,11 +176,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "2ee761d26b36caeae8a4910ffab81f6a38e59cbbb6133d075bac2a1e7254a7ea"
+          "content": "7db9a736e127cd13945a2a0744db393ed166b18a7fc5915f5d953f0cb42a880c"
         },
         {
           "alg": "SHA3-512",
-          "content": "649d84489b66407b76467cb90033a4a4f02d5ce3dae7b3385fa3d80e09d2d012d63bcb994a7cb442dbc2435b0eb5914e17e77ae272fe8277b01ab5be1d4e81ab"
+          "content": "228d6d081b7132f8879949da656c7c379f6ca75a1277e13e4a6c4c4db91982cea1178f2e055c7335743d38bf330535b564205622f054cfc9898fac7254fba38e"
         }
       ]
     },
@@ -206,11 +206,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "354625ebd493dc899ea8f30f14ef07802407733ae01a6c6955ec883df800b47c"
+          "content": "1a5ecfd6e0856b39844984585081a55568939046a03ee3172ec6f926f896ca6b"
         },
         {
           "alg": "SHA3-512",
-          "content": "d6449f4474693b60b92c44f42001cdc4be93853252cb1095a7f44d66814dbdfb9bfd6a5f6c5e43fc9c6db2bb0e8f8a078a643df6c1a2353f420fc692262e8500"
+          "content": "ceeccc63fc3b6faaf437f74f6d3f633e0024178a5c480b3fcecb35b12b07da2c856724829dfbacb85a8e266cd085163490e857aea47c5ed1c6f5361adc0bcd55"
         }
       ]
     },
@@ -281,11 +281,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "679a543aec746f1e99d891099bd04ab88fd0b8ba6e20a3484c9d9e3a9d33fd7e"
+          "content": "5c9ce8eadb9b392d565d598bf49efadeb7e8c029c2e182ac53c9de2d8631ff3f"
         },
         {
           "alg": "SHA3-512",
-          "content": "694240b8a9268abc9ec54bdb52df56389fb115a81f99d70121ccb7e427d7bc670d7d4651fbaaec9b7be35f03c861b75b06177ba4e372890304542aa1a4615a83"
+          "content": "a358a3c9fdfc04c202f33568dcc3f046700f87b0210114a2cea8fe82178dc4c8f1d96301b0c6f34b01f675bfaf2d03ac36fdb96b45c26a9873006da099f4eb9c"
         }
       ]
     },
@@ -1661,11 +1661,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "020990fd6a13ea3a2a0273e80d0607c1cf0fd8887f03bb48294d2568a22d2789"
+          "content": "a5c737f12027f2dbea6de6ea9e540a81a075ba49cf0d4d72bdb9b247732e3907"
         },
         {
           "alg": "SHA3-512",
-          "content": "4bbf18c5ec14dbae987465ebca8dc06b2fcce0347eae3f834fb1fc33115289acf6484385b25f728548b70e37a7f4f2ce3d4c314b36465961cc22dbaf7c974e14"
+          "content": "0585a67e2809ecd5de7f1d82d4328e7dac571acd2e0a3c63c9d0d912277bc9e433fe5413d3d4131be59f3a6568f883539ec342a2735b39a55d851fbafb9e5c5b"
         }
       ]
     },
@@ -1886,11 +1886,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "47fe67ba6d182b9ce36e151189eb747125788e37cb0c4b3d1816e40b8a7bdaa2"
+          "content": "bfa54dc9dd5eea4e9fe18db8f5d609634a1d04870c37b7ceadf38b1c70020b2e"
         },
         {
           "alg": "SHA3-512",
-          "content": "370899c1f9ef93a215f25da18a37b207d74d99e8c5680024d86d030f0c2119953a7eb0f7a23a3f69dd62b0a5f5288e179328e380c67fa09db49a4684b2f31d60"
+          "content": "4e2648f3db02eab2dc069ad26c04af7ebfe57fda54a1230691407c92f831a3f389bdfcd54b1cfce2e5e7a38f50df866d923947a2902b786b04fd97660050e0b0"
         }
       ]
     },
@@ -2471,11 +2471,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "7609380c53bfc829b28a4478457a887aadcf31ddbade2d6ecf56fc5f845a0f72"
+          "content": "d6ea35136f93eb4aa75b65a5ae402353b0e2c63a83acece1606fe3f5d1ec6a8d"
         },
         {
           "alg": "SHA3-512",
-          "content": "a24b62dea162c3cf29f33556f08a5d5c8b8a1925a4a21a11a180da4969365f4b6bdc77f92189df8f9e7ad4b1c0713e29fd01015e298e5318538e6532050ecd8e"
+          "content": "9a2a33d2867ce2f8dc063a4005807ac6d8002c32545eee268f417e60d1e076b48c710a21eea09c04e9ab383e4b7fa9f292eddeeb2cc1ac744348eca96a68cd01"
         }
       ]
     },
@@ -2516,11 +2516,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "a664e202d4fdcd28eb3216983d6b982b288ce8e553461fa79468c6a1744b83ee"
+          "content": "d656444bb1987f43ae61374f210977d0c1f247f54d7318fdd639dd0cfdbef392"
         },
         {
           "alg": "SHA3-512",
-          "content": "fb6f05f1e10d603838a387fc228e652940cbc8d9071aaf5b3711914f8f432668e3640f8abdbccb421086ff0df9d28e30e36c19959079bbbafa2011bf1d2e996c"
+          "content": "9a579a0d63ad55d1ed2af127ce3ea022413a7f631eb136e896c5cf304486db3240eb00049be5a0ff9213062c6777240035d4f5e063c9b83e6044f5aef477cb7c"
         }
       ]
     },
@@ -2621,11 +2621,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "82acc8fc68ee5cc7aaddff1632a63524663981d4b9ce064f8543d1cfbba1b770"
+          "content": "17249909697a9c61b71f6885a1f4888ab1e727909ddb487ed82aeef535884a4f"
         },
         {
           "alg": "SHA3-512",
-          "content": "0044b4d4dd7e08e44692fd0e517ec3c165bf7f00d49fbaa305d6c2426786ecb1c576f9fb843e07e929bd2c306be9fb9637de4b2e16f65c759dd4f871cf3022bb"
+          "content": "2d656f044cbfe53cb9e5b630ce50e6d848eb5e0ef3eaad3c9c4b10974ab10776a9be0e03c136e32a62cbce08f59425be15c59624f10e4322396ddf531dfafec5"
         }
       ]
     },
@@ -2696,11 +2696,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "4d1509db64c59a8985bef7f53dfe6be54887e2989b39ed51f19eacc761750877"
+          "content": "9c219de36c7d702dff8504a25e2f1b07459716ea2ed02f49d751f91dbeca1b01"
         },
         {
           "alg": "SHA3-512",
-          "content": "4c337f1efd0c79f9edd3136963b6fa6049ea5c346540a1b4c41750a6428f61c7e6a93bddd99c0d0318f4d9b5f3c515025a2ded2c979454d0bbcd01f690e08b7a"
+          "content": "4065d54c67d6e58cb1948984af4d0f230ae939dc4ff4bba550d28e8c229ff1a423b7408e78b5229d936b487d76011fba57ee692aad5e121e49f704da3f421305"
         }
       ]
     },
@@ -2741,11 +2741,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "90225bee8c6980a08a4d9601ece15337d065fd12ff52b0821a91eee63aa6950a"
+          "content": "498549ddc9d870cb8d6a28a4d79b8d7058d5eed832d7c266c281084f4371ce46"
         },
         {
           "alg": "SHA3-512",
-          "content": "5015ef92001ed07174665dd9b8fa735c31f38adc6af02a16765932e964b38b449a418f66a18c687dc8df710454c3b49645891dc8958884c0f209a9f3587b2b45"
+          "content": "117941fed213252a1a9e304382af89b3167fb63adf54339849ecce2270850f46784bfbeee8fe958d25d3ff8d481fa9e08c02babf8904d7117e226f40e1d284c5"
         }
       ]
     },
@@ -2771,11 +2771,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "76c8f4dadf470103a467f40b01870585d8769c1af2bc15956e1d8b0b424626ae"
+          "content": "238074319b57399c75d76439ef1ff67153b5a3207adf1556f3ca1e68cfe7cfaa"
         },
         {
           "alg": "SHA3-512",
-          "content": "ab6ecbb676df3cf1716b3d1f9086cc692ff69555da6c529d00f34a72f8e0288adb5a0f378caa2d1251e598716d875dd5da4b35bb0c36ff147e10bf1869d7fba2"
+          "content": "17e1498e55e080d8e8521ba9efbd6137ae5d7975c6f5356066b496b1cb6c3d0b2ebe35822ddbb9f7384e3f533cbc35fe2e75fa4052c213c6372935a48a822ed5"
         }
       ]
     },
@@ -2786,11 +2786,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "07b38278b60d2437603a541c1ee954999abfe3a192f94b43cd384023738a0c1f"
+          "content": "3b41b59eb4e8480b691ff17185f42b9fbfd7665e369fc210feba496688cc77aa"
         },
         {
           "alg": "SHA3-512",
-          "content": "405c01efe705a8486cbbfc9417c8f8752811d09d1ec5b8b459654e0825e33136b87cfb33003f88dee49f1f3c56b3c87f7d7afb4ec30f42973904edc86066aef0"
+          "content": "29d98c34fc97e6bd7b9331c69ae7f27cf1eec5e182d7885c54eb6be91820bde0aaca746bda5590aa12cc1962d43d5337be569bfc7a007f4286ffee6a9a4a0412"
         }
       ]
     },
@@ -2801,11 +2801,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "785dac24078f4f3d798f04607aa13d2d902d027fb5ea95d1074240c4762b2dff"
+          "content": "d3ad18562a6083fb773347e24b6fcda2adcb68b4269e29df53b5afeb113cf7b0"
         },
         {
           "alg": "SHA3-512",
-          "content": "e54970a39cf42ab01506f17004a1afa0f9a637c8daf6941e424afee2566dd525f128047d4be2d30d7170d12a60630dad114914b984f8e5e6e1cd59e2e54ed9bf"
+          "content": "571ceeb55a9da0e4cddf7e0147f1186431b01de540f78dba2397be986b06e56ad1e9eafbb9df55a2e66152bcbddd12626f7a4cb2c9ab043929426cb45ffed94e"
         }
       ]
     },
@@ -2816,11 +2816,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "1455eeecbb18962447af80fe3d49aead15ebe7b45c206d8f4bd7d0c202b9681a"
+          "content": "471b714c42717d43f81b2b582cd8e89ca8d3140de2ddc06cce15f012a0e19be1"
         },
         {
           "alg": "SHA3-512",
-          "content": "08a77d2d8a74fa4470450775e66f70f70c864f3e42133f13b2bbd81104f7580e280061363ef531b10bbf36dd924fd2c6f69577735f3bda85110fa0d50fc431b0"
+          "content": "df074f0224ad7888bfef0836602e350930783586a73f2b6ef213ec78cd8e78898f1c341353948ed148f7a1970b425d3e3940302753f691da8e03fc5c8f763afc"
         }
       ]
     },
@@ -2936,11 +2936,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "358a0ac73bc7f211def7e2ad0d3eda147f847ded3a3f1dd27afdd360226e8add"
+          "content": "f7cd18df293b90c0d2afb6ba8b87664419becea6b63221f03efaf09c69586025"
         },
         {
           "alg": "SHA3-512",
-          "content": "bc0c3800e8e2ff63412cecb186e831ff4ac9b970cfb767722c4e37143777affd0196f810d5828e10bb8019f66a9910a7c646e139889e54c8162a5805691ae59a"
+          "content": "bf14365ae069f2028f1c66fe89f30a1380253fc01f4ab88228ae47c93b5abc028e8a8f20c86cc204676169ed64c1cb3697b83ba28900f731a7302a8b3099fe15"
         }
       ]
     },

package/scripts/builders/catalog-summaries.js

@@ -21,7 +21,7 @@ const CATALOG_PURPOSES = {
   "atlas-ttps.json": "MITRE ATLAS TTPs (AML.T0xxx) cited by skills, with tactic, name, description. Pinned to ATLAS v5.6.0 (February 2026).",
   "d3fend-catalog.json": "MITRE D3FEND countermeasures (D3-xxx) keyed by id, with tactic + name. Pinned to D3FEND v1.0.0 release.",
   "framework-control-gaps.json": "Per-control framework gap declarations: SI-2, A.8.8, PCI 6.3.3, etc. Each entry names the control, the lag, the evidence CVE, and remediation guidance.",
-  "global-frameworks.json": "Multi-jurisdiction framework registry: 34 jurisdictions × applicable frameworks × patch_sla / notification_sla / critical_controls / framework_gaps. Cross-cutting authority for jurisdiction-clocks index.",
+  "global-frameworks.json": "Multi-jurisdiction framework registry: 35 jurisdictions × applicable frameworks × patch_sla / notification_sla / critical_controls / framework_gaps. Cross-cutting authority for jurisdiction-clocks index.",
   "exploit-availability.json": "Per-CVE exploit availability: PoC public status, weaponization signal, AI-assist status, blast-radius. Project-curated (B2 Admiralty confidence) with source citations.",
   "zeroday-lessons.json": "Distilled lessons from notable zero-days and campaigns (SesameOp, Copy Fail, Dirty Frag, Copilot RCE, Windsurf MCP). Each entry: technique, distinguishing characteristic, what it means for the framework lag.",
   "rfc-references.json": "IETF RFCs + active Internet-Drafts cited by skills (TLS, IPsec, PQ crypto migration, HTTP/3, CT). Cross-validated against IETF Datatracker via validate-rfcs.",

package/skills/attack-surface-pentest/skill.md

@@ -115,17 +115,17 @@ A pen test scoped to layers 1 and (partly) 7 — i.e. "web app + network + nomin
 | CBEST (Bank of England / PRA / FCA) | Whole framework | UK equivalent to TIBER-EU for systemically important financial firms. Same lag pattern as TIBER-EU. CBEST-certified providers are not required to demonstrate competence in AI-surface attack emulation as of mid-2026. |
 | Australian ISM (Information Security Manual) + ACSC Essential 8 | ISM controls on penetration testing; Essential 8 Maturity Level 3 testing requirements | Essential 8 mandates regular testing of mitigation strategies (patching, app control, MFA, etc.). The testing requirements do not extend to AI-API egress as C2, MCP trust, or RAG poisoning. ISM control set is network/endpoint centric. |
 | ISO/IEC 27001:2022 | A.5.34 (Privacy and protection of PII) — note: the actually relevant clause for independent review is **A.5.35 (Independent review of information security)** and **A.8.29 (Security testing in development and acceptance)** | A.5.35 requires independent review of the information security approach at planned intervals or when significant changes occur. The clause is methodology-agnostic — auditors accept a network/web pen test as evidence even when AI surfaces are in production. A.8.29 mandates security testing of new and changed information systems, but does not define what an adequate test of an AI system looks like. |
-| MITRE ATT&CK Enterprise (v17) | Whole matrix | The enterprise matrix does not contain prompt-injection as a technique. AI-as-C2 (SesameOp pattern) is absent from ATT&CK as of mid-2026. Adversary emulation programs that are ATT&CK-only and not ATLAS-extended will not include the mid-2026 dominant new tradecraft in their playbooks. ATLAS v5.6.0 covers it — but ATLAS is not yet a standard requirement for pen testing certification or scoping. |
+| MITRE ATT&CK Enterprise (v19.0) | Whole matrix | The enterprise matrix does not contain prompt-injection as a technique. AI-as-C2 (SesameOp pattern) is absent from ATT&CK as of mid-2026. Adversary emulation programs that are ATT&CK-only and not ATLAS-extended will not include the mid-2026 dominant new tradecraft in their playbooks. ATLAS v5.6.0 covers it — but ATLAS is not yet a standard requirement for pen testing certification or scoping. |
 
 > Global coverage note (AGENTS.md rule #5): the above table spans US (NIST 800-115, ATT&CK), EU (NIS2, TIBER-EU under DORA), UK (CBEST), AU (ISM/Essential 8), and ISO 27001:2022. US-only pen test scoping is incomplete.
 
 ---
 
-## TTP Mapping (MITRE ATLAS v5.6.0 + MITRE ATT&CK v17)
+## TTP Mapping (MITRE ATLAS v5.6.0 + MITRE ATT&CK v19.0)
 
 Pen testers must emulate both classical and AI-class chains. The table below maps the kill-chain phases a mid-2026 adversary emulation engagement must cover.
 
-| Phase | Classical TTP (ATT&CK v17) | AI-Class TTP (ATLAS v5.6.0) | Framework Gap Flag |
+| Phase | Classical TTP (ATT&CK v19.0) | AI-Class TTP (ATLAS v5.6.0) | Framework Gap Flag |
 |---|---|---|---|
 | Reconnaissance | T1595 (Active Scanning) — implied by T1190 setup | AML.TA0002 (Reconnaissance tactic) — model card / dataset / API endpoint discovery, system-prompt probing | NIST 800-115 §3.x recon guidance is network-only |
 | Initial Access | T1190 (Exploit Public-Facing Application) | AML.T0051 (LLM Prompt Injection) — entered via PR description, support ticket, retrieved doc | OWASP WSTG covers webapp; not prompt-injection as entry vector |

package/skills/compliance-theater/skill.md

@@ -21,7 +21,7 @@ framework_gaps:
   - ALL-PROMPT-INJECTION-ACCESS-CONTROL
   - FedRAMP-Rev5-Moderate
   - CMMC-2.0-Level-2
-last_threat_review: "2026-05-18"
+last_threat_review: "2026-05-22"
 ---
 
 # Compliance Theater Detection
@@ -92,7 +92,7 @@ Each theater pattern below maps to one or more attacker TTPs in `data/atlas-ttps
 | Vendor/Third-Party Risk Theater — AI APIs (Pattern 6) | AML.T0010 (ML Supply Chain Compromise) | MCP servers and LLM APIs sit outside the vendor-management scope |
 | Security Awareness Theater — AI Phishing (Pattern 7) | T1566 (Phishing), AML.T0016 (Obtain Capabilities: Develop Capabilities — misuse of public AI APIs for payload crafting) | AI-generated content evades grammar/style heuristics and template-matching detectors |
 
-Source-of-truth TTP catalog: `data/atlas-ttps.json` (pinned to MITRE ATLAS v5.6.0, February 2026). Any theater claim in an assessment must cite at least one TTP ID from that catalog or an ATT&CK Enterprise ID — claims without a mapped TTP fail Hard Rule #4 (no orphaned controls).
+Source-of-truth TTP catalog: `data/atlas-ttps.json` (pinned to MITRE ATLAS v5.6.0, May 2026). Any theater claim in an assessment must cite at least one TTP ID from that catalog or an ATT&CK Enterprise ID — claims without a mapped TTP fail Hard Rule #4 (no orphaned controls).
 
 ---
 

package/skills/framework-gap-analysis/skill.md

@@ -20,7 +20,7 @@ data_deps:
 atlas_refs: []
 attack_refs: []
 framework_gaps: []
-last_threat_review: "2026-05-18"
+last_threat_review: "2026-05-22"
 ---
 
 # Framework Gap Analysis
@@ -69,7 +69,7 @@ A gap declaration that closes section 6 (Global coverage check) without referenc
 
 ## TTP Mapping (MITRE ATLAS v5.6.0 and ATT&CK)
 
-This skill maps framework controls to attacker TTPs on demand rather than statically. The authoritative TTP catalog is `data/atlas-ttps.json` (pinned to MITRE ATLAS v5.6.0, February 2026) supplemented by MITRE ATT&CK Enterprise IDs for non-AI threats. The mapping convention used in every gap declaration this skill produces:
+This skill maps framework controls to attacker TTPs on demand rather than statically. The authoritative TTP catalog is `data/atlas-ttps.json` (pinned to MITRE ATLAS v5.6.0, May 2026) supplemented by MITRE ATT&CK Enterprise IDs for non-AI threats. The mapping convention used in every gap declaration this skill produces:
 
 | Built-in gap | Primary TTP(s) | Gap flag |
 |---|---|---|

package/skills/incident-response-playbook/skill.md

@@ -55,14 +55,14 @@ forward_watch:
   - AU SOCI Act expanded sector coverage (data-storage and processing entities added 2024; further mandatory-reporting tiers under review)
   - IL INCD Incident Response Process v4 (slated for 2026-2027) consolidating AI-incident sub-class
   - NYDFS 23 NYCRR 500.17 amendments tightening ransom-payment 24h disclosure operationalization
-last_threat_review: "2026-05-15"
+last_threat_review: "2026-05-22"
 ---
 
 # Incident Response Playbook
 
 Incident response (IR) is the operational closure of every other skill in this catalog. A vulnerability becomes a CVE through `coordinated-vuln-disclosure`; a CVE becomes a lesson through `zeroday-gap-learn`; a lesson becomes a control through `framework-gap-analysis`; an attack on that control becomes an incident — and the incident handler runs the playbook this skill defines. If the playbook is wrong, every preceding investment leaks at the last yard.
 
-This skill operationalizes NIST SP 800-61r3 (Computer Security Incident Handling Guide, 2025 update integrating ATT&CK and Cyber Kill Chain), ISO/IEC 27035-1:2023 (principles and process) + ISO/IEC 27035-2:2023 (guidelines for incident response planning), and the SANS PICERL phases (Preparation, Identification, Containment, Eradication, Recovery, Lessons learned). It threads the Diamond Model and the MITRE Unified Kill Chain for adversary-narrative reconstruction, anchors detection engineering to MITRE ATT&CK v17 (2025-06-25), and treats three incident classes that the legacy IR literature predates: AI-class incidents (prompt-injection breach, model exfiltration, AI-API as C2 channel, AI-agent-initiated unauthorized action), AI-generated supply-chain compromise, and regulator-mandated notification under cross-jurisdiction clocks running in parallel.
+This skill operationalizes NIST SP 800-61r3 (Computer Security Incident Handling Guide, 2025 update integrating ATT&CK and Cyber Kill Chain), ISO/IEC 27035-1:2023 (principles and process) + ISO/IEC 27035-2:2023 (guidelines for incident response planning), and the SANS PICERL phases (Preparation, Identification, Containment, Eradication, Recovery, Lessons learned). It threads the Diamond Model and the MITRE Unified Kill Chain for adversary-narrative reconstruction, anchors detection engineering to MITRE ATT&CK v19.0 (April 2026), and treats three incident classes that the legacy IR literature predates: AI-class incidents (prompt-injection breach, model exfiltration, AI-API as C2 channel, AI-agent-initiated unauthorized action), AI-generated supply-chain compromise, and regulator-mandated notification under cross-jurisdiction clocks running in parallel.
 
 ---
 
@@ -128,7 +128,7 @@ This skill is response-shaped — the TTPs below name the incident classes the p
 | **AML.T0017** | Discover ML Model Ontology | Adversary mapping of deployed model family, system-prompt structure, guardrails, and training-data signal — precursor to extraction and adversarial-input crafting | Identification: anomalous inference-API usage patterns (high-volume queries, structured probing, membership-inference signatures, repeated training-data extraction prompts). Containment: rate-limit + API-key revocation + IP block. Eradication: identify attacker access surface; assess what model-ontology data was exposed. Recovery: re-key, consider model-rotation if proprietary weights are at risk; for training-data exfiltration consider differential-privacy retraining. | No standardized detection signatures; org must build custom telemetry over AI inference APIs. |
 | **AML.T0051** | LLM Prompt Injection | Prompt-injection breach as incident trigger | Identification: AI-assistant or agentic-system anomalous action (unauthorized data access, anomalous tool invocation, identity-context confusion). Containment: revoke AI-system tool scopes, disable agent autonomy, isolate affected RAG corpus. Eradication: identify injection vector (web content, email signature, document metadata, RAG corpus poisoning) and remove. Recovery: re-deploy with hardened system prompt + tool-scoping per `mcp-agent-trust`. | Detection lags; most orgs discover the incident from downstream effect (unauthorized action) rather than detection at the prompt boundary. |
 
-ATLAS pinned to v5.6.0 (February 2026) per AGENTS.md rule #8. ATT&CK pinned to v17 (2025-06-25) per the same rule; the v15-to-v17 ID migration does not introduce breaking changes for the T-IDs cited above.
+ATLAS pinned to v5.6.0 (May 2026) per AGENTS.md rule #12. ATT&CK pinned to v19.0 (April 2026) per the same rule; the Defense Evasion (TA0005) split into Stealth (TA0005) and Defense Impairment (TA0112) is traced via `tactic_moved_from` on affected `data/attack-techniques.json` entries and does not introduce breaking changes for the T-IDs cited above.
 
 ---
 

package/skills/mlops-security/skill.md

@@ -60,8 +60,8 @@ forward_watch:
   - OpenSSF model-signing emergence to v1.0 — Sigstore-based model-weight signing; track for production adoption and admission-control integration
   - SLSA v1.1 ML profile (draft) — model-provenance extension for training-run attestation chains; track ID and section changes
   - EU AI Act high-risk technical-file implementing acts (2026-2027) — operational requirements for Article 10 / 13 / 15 documentation may pin ML-BOM or model-signing
-  - MITRE ATLAS v5.6.0 (released February 2026) shipped the AML.T0010 sub-technique expansion this forecast tracked plus new techniques ("Publish Poisoned AI Agent Tool", "Escape to Host"); inventory now 16 tactics, 84 techniques, 56 sub-techniques. Forward watch: subsequent ATLAS minor and major releases — track next-cadence updates to agentic-AI TTPs and MLOps-pipeline-specific techniques
-last_threat_review: "2026-05-15"
+  - MITRE ATLAS v5.6.0 (released May 2026) shipped the AML.T0010 sub-technique expansion this forecast tracked plus new techniques ("Publish Poisoned AI Agent Tool", "Escape to Host"); inventory now 16 tactics, 84 techniques, 56 sub-techniques. Forward watch: subsequent ATLAS minor and major releases — track next-cadence updates to agentic-AI TTPs and MLOps-pipeline-specific techniques
+last_threat_review: "2026-05-22"
 discovery_mode: "standalone"  # v0.13.2: operator-reached via `exceptd brief mlops-security` or `exceptd ask`; not chained into any playbook's direct.skill_chain by design
 ---
 
@@ -111,7 +111,7 @@ This skill is distinct from `rag-pipeline-security` (which is retrieval-side of
 
 ## TTP Mapping
 
-Descriptions sourced from `data/atlas-ttps.json` (ATLAS v5.6.0, released 2026-02-06).
+Descriptions sourced from `data/atlas-ttps.json` (ATLAS v5.6.0, released 2026-05-08).
 
 | ATLAS / ATT&CK ID | Technique | MLOps Lifecycle Stage | Gap |
 |---|---|---|---|

package/skills/policy-exception-gen/skill.md

@@ -23,7 +23,7 @@ forward_watch:
   - EU CRA exceptions for AI pipeline components
   - NIST SP 800-204 series updates for microservices
   - FedRAMP updates for container/serverless authorization
-last_threat_review: "2026-05-18"
+last_threat_review: "2026-05-22"
 ---
 
 # Policy Exception Generation
@@ -99,7 +99,7 @@ A granted exception does not remove the threat — it shifts the burden onto com
 | Exception 3 — Zero Trust Architecture Network Segmentation | T1021 (Remote Services), T1570 (Lateral Tool Transfer), T1078 (Valid Accounts), T1199 (Trusted Relationship) | Workload identity (SPIFFE/SPIRE), per-request mTLS, device-posture verification, east-west behavioral analytics |
 | Exception 4 — Critical Systems No-Reboot Kernel Patching | T1068 (Exploitation for Privilege Escalation — Copy Fail class), T1548.001 (Setuid and Setgid), T1611 (Escape to Host) | Live kernel patch deployed and verified (`kpatch list` / `canonical-livepatch status`), eBPF/auditd exploitation-pattern rules, network-layer isolation if no live patch available, scheduled reboot window |
 
-The TTP source-of-truth is `data/atlas-ttps.json` (MITRE ATLAS v5.6.0, February 2026) supplemented by ATT&CK Enterprise. Per Hard Rule #4, no exception in this skill is granted without an enumerated residual-TTP set; an exception with no listed residual is theater.
+The TTP source-of-truth is `data/atlas-ttps.json` (MITRE ATLAS v5.6.0, May 2026) supplemented by ATT&CK Enterprise. Per Hard Rule #4, no exception in this skill is granted without an enumerated residual-TTP set; an exception with no listed residual is theater.
 
 ---
 

package/skills/pqc-first/skill.md

@@ -53,7 +53,7 @@ cwe_refs:
 d3fend_refs:
   - D3-FE
   - D3-MENCR
-last_threat_review: "2026-05-01"
+last_threat_review: "2026-05-22"
 ---
 
 # PQC-First Mentality
@@ -139,7 +139,7 @@ This skill addresses a **future-state attack class** that is not yet represented
 |---|---|---|
 | MITRE ATT&CK T1557 (Adversary-in-the-Middle) | Partial — operational family | T1557 covers AitM credential capture and traffic interception. The capture half of HNDL falls into T1557 operationally; the later decrypt phase has no ATT&CK technique. |
 | MITRE ATT&CK T1040 (Network Sniffing) | Partial — capture phase | Covers passive traffic capture. Does not cover the strategic-archive intent of HNDL, where the captured data has no immediate use and is stored for future decryption. |
-| MITRE ATT&CK — "Cryptanalysis via CRQC" | **MISSING** | No technique presently captures CRQC-enabled decryption of previously-captured ciphertext. Known gap through ATT&CK v17 (2025-06-25). |
+| MITRE ATT&CK — "Cryptanalysis via CRQC" | **MISSING** | No technique presently captures CRQC-enabled decryption of previously-captured ciphertext. Known gap through ATT&CK v19.0 (April 2026). |
 | MITRE ATLAS | **MISSING (out of scope)** | ATLAS scope is ML/AI system attacks. CRQC cryptanalysis is not in ATLAS scope. |
 | CAPEC-114 (Authentication Abuse) | Indirect | Forged signatures via broken signature scheme would manifest as authentication abuse, but CAPEC does not enumerate "signature scheme broken by CRQC" as a precondition. |
 | CAPEC-475 (Signature Spoofing by Improper Validation) | Indirect | Same — the post-CRQC equivalent has no CAPEC entry. |
@@ -545,6 +545,27 @@ The skill produces a structured PQC Readiness Assessment that scores the org's p
 
 ---
 
+## Defensive Countermeasure Mapping
+
+D3FEND references from `data/d3fend-catalog.json`. The harvest-now-decrypt-later (HNDL) threat has two capture surfaces — data in transit and data at rest — and each maps to a distinct D3FEND hardening technique. The capture itself is conventional; it is the *future decryption* that has no ATT&CK or D3FEND coverage. The countermeasure is therefore not "detect the capture" but "make the captured ciphertext worthless to a future CRQC."
+
+| D3FEND ID | Name | Layer | Rationale (what it counters here) |
+|---|---|---|---|
+| `D3-MENCR` | Message Encryption | Transit (TLS / application) | Counters in-flight HNDL capture (T1040 Network Sniffing, T1557 Adversary-in-the-Middle — the same techniques the TTP Mapping above flags as the HNDL capture half). Only PQC-hybrid key exchange (ML-KEM-768 + X25519, per the TLS Configuration section) makes today's captured session ciphertext non-decryptable post-CRQC. Classical-only TLS is HNDL-exposed even when otherwise correctly configured. |
+| `D3-FE` | File Encryption | At-rest (storage) | Counters HNDL on stolen or copied storage (T1005 Data from Local System, T1565.001 Stored Data Manipulation). The trap: AES-256 at rest is quantum-resilient (Grover only halves the effective key length), but the DEK→KEK key-wrapping step is usually RSA/ECC and therefore HNDL-exposed. The control is incomplete unless the envelope KEM is ML-KEM-based or the wrapped key is itself 256-bit symmetric. |
+
+**Framework gap — signature forgery has no D3FEND technique.** The third PQC threat — a CRQC forging RSA/ECDSA signatures (code-signing, certificate, document) — maps to no D3FEND hardening technique and no ATT&CK technique (see the TTP Mapping table). D3FEND's encryption families harden confidentiality, not authenticity. The only countermeasure is migrating signature schemes to ML-DSA / SLH-DSA per the Hybrid Signature Standard; there is no detection-layer fallback, which is why the version gates are non-negotiable minimums rather than defense-in-depth options.
+
+**Defense-in-depth posture:** `D3-MENCR` and `D3-FE` are independent layers (transit vs. at-rest) and both are required — encrypting the wire while leaving model weights wrapped under RSA, or the reverse, leaves an HNDL surface open. Neither D3FEND technique expresses *algorithm strength*; the PQC-specific minimum (hybrid KEM, ML-KEM-768 floor) is the layer the taxonomy omits, which is the framework lag this skill exists to close.
+
+**Least-privilege scope:** key-management authority is scoped to the migration roadmap — DEK/KEK rotation to PQC-hybrid wrapping is an operation a narrow KMS-admin identity performs, not a blanket "re-encrypt everything" grant. At-rest re-wrapping (`D3-FE`) is staged by data-sensitivity-window so the longest-lived secrets migrate first.
+
+**Zero-trust posture:** every session negotiates PQC-hybrid key exchange regardless of network trust level — there is no "internal traffic is safe from HNDL" exemption, because a passive collector on an internal span harvests ciphertext as readily as one on the public path. Confidentiality is asserted per-session at the crypto layer, not inferred from network position.
+
+**AI-pipeline applicability (per AGENTS.md Hard Rule #9):** `D3-FE` applies to model-weight files, training datasets, and embedding stores at rest; for ephemeral inference workloads that never persist state locally, the control shifts to PQC-hybrid-wrapped object storage (e.g. SSE-KMS with an ML-KEM-based envelope) rather than local-disk encryption. `D3-MENCR` applies to all AI-API traffic, which must move to TLS 1.3 with hybrid key exchange on the CNSA 2.0 timeline — noting that PQC protects the confidentiality of that traffic but not its content-layer abuse as a covert channel (pair with the AI-C2 egress controls in `ai-c2-detection`).
+
+---
+
 ## Compliance Theater Check
 
 > "Your cryptographic policy references 'strong cryptography' per [PCI DSS / HIPAA / ISO 27001]. Locate the policy definition of 'strong cryptography' and check when it was last updated. If 'strong cryptography' is defined as 'AES-128 or better, RSA-2048 or better' without reference to post-quantum algorithms: the policy is based on NIST guidance from before FIPS 203/204/205 finalization (August 2024). For any data with a sensitivity window exceeding 5 years, 'strong cryptography' as currently defined does not protect against harvest-now-decrypt-later adversaries. The policy is theater for the threat it claims to address."

package/skills/rag-pipeline-security/skill.md

@@ -41,7 +41,7 @@ d3fend_refs:
   - D3-NTA
 forward_watch:
   - Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — Chroma vector DB CWE-190 + CWE-362 chain by haehae; impacts RAG vector store integrity (integer overflow + race condition); track patch and downstream RAG pipeline advisory
-last_threat_review: "2026-05-15"
+last_threat_review: "2026-05-22"
 ---
 
 # RAG Pipeline Security Assessment
@@ -184,7 +184,7 @@ This attack requires:
 
 ## TTP Mapping (MITRE ATLAS v5.6.0)
 
-Descriptions sourced verbatim from `data/atlas-ttps.json` (ATLAS v5.6.0, released 2026-02-06). Partial-coverage controls from `data/framework-control-gaps.json`.
+Descriptions sourced verbatim from `data/atlas-ttps.json` (ATLAS v5.6.0, released 2026-05-08). Partial-coverage controls from `data/framework-control-gaps.json`.
 
 | ATLAS ID | ATLAS Name | RAG Attack Class | Control Gap That Lets It Land | Controls That Partially Cover It |
 |---|---|---|---|---|

package/skills/ransomware-response/skill.md

@@ -62,7 +62,7 @@ forward_watch:
   - HIPAA Security Rule update (NPRM late 2024 → final rule expected 2026) — explicit ransomware-recovery and encryption-at-rest requirements
   - No More Ransom Project decryptor releases — affiliate-takedown decryptor drops (Operation Cronos LockBit decryptor, BlackCat post-exit-scam decryptors)
   - SCOTUS or circuit-court rulings on ransomware payment, sanctions liability, and insurance-policy enforcement
-last_threat_review: "2026-05-15"
+last_threat_review: "2026-05-22"
 ---
 
 # Ransomware Response Playbook
@@ -129,7 +129,7 @@ Cross-cutting gap: **no security framework treats the four ransomware-specific d
 
 Shadow Copy deletion and exfil-staging via Web Service align to the parent IR playbook's `T1486` and `T1567` entries; the parent's `AML.T0096 / T0017 / T0051` entries do not apply to ransomware-as-a-class but may apply if AI-system data is exfiltrated within the ransomware operation.
 
-ATLAS pinned to v5.6.0 (February 2026) per AGENTS.md rule #8. ATT&CK pinned to v17 (2025-06-25) per the same rule.
+ATLAS pinned to v5.6.0 (May 2026) per AGENTS.md rule #12. ATT&CK pinned to v19.0 (April 2026) per the same rule.
 
 ---
 

package/skills/skill-update-loop/skill.md

@@ -33,7 +33,7 @@ forward_watch:
   - AI/MCP platform CVEs (GitHub Security Advisories, OSV database)
   - Framework publication updates (NIST SP updates, ISO amendments, NIS2 implementing acts)
   - IETF RFC publications and draft status changes (datatracker.ietf.org, rfc-editor.org); run `npm run validate-rfcs` quarterly
-last_threat_review: "2026-05-15"
+last_threat_review: "2026-05-22"
 discovery_mode: "standalone"  # v0.13.2: operator-reached via `exceptd brief skill-update-loop` or `exceptd ask`; not chained into any playbook's direct.skill_chain by design
 ---
 
@@ -55,7 +55,7 @@ The threat context this skill defends against is not a specific adversary techni
 
 Real-world manifestations in mid-2026:
 
-- ATLAS v5.6.0 (February 2026) added TTPs that bind to operational reality (AML.T0096 AI-API C2, AML.T0048 erode-integrity-via-drift). A skill pinned to ATLAS v4 cannot route these. **AML.T0010** family was expanded to cover MCP supply-chain compromise mid-cycle.
+- ATLAS v5.6.0 (May 2026) added TTPs that bind to operational reality (AML.T0096 AI-API C2, AML.T0048 erode-integrity-via-drift). A skill pinned to ATLAS v4 cannot route these. **AML.T0010** family was expanded to cover MCP supply-chain compromise mid-cycle.
 - CVE-2026-31431 (Copy Fail) joined CISA KEV on 2026-05-01 with a 2026-05-15 federal due date. Any skill whose `last_threat_review` predates that listing and whose body recommends "patch on 30-day SLA" is recommending against a threat model that KEV escalated to days, not weeks.
 - NIST SP 800-63B updated PBKDF2 iteration guidance to ≥ 600,000 in 2022; many compliance attestations still cite the 2017 numbers. A skill that does not track that lag perpetuates the theater.
 - IETF RFC 9116 (security.txt) and the CSAF 2.0 transition both have hard cutover signals that change how `coordinated-vuln-disclosure` should advise.
@@ -482,10 +482,10 @@ This skill does not have a single exploited target — its "exploit surface" is
 | Source | What It Provides | Cadence | Pinned Version / Anchor | Tracked In |
 |---|---|---|---|---|
 | CISA KEV catalog | Confirmed in-the-wild exploitation flag per CVE | Real-time (RSS / JSON API) | cisa.gov/known-exploited-vulnerabilities-catalog | `data/exploit-availability.json` (`cisa_kev`, `cisa_kev_date`) |
-| MITRE ATLAS changelog | TTP additions, renames, removals for AI/ML threat domain | Quarterly check; immediate on minor-version release | ATLAS v5.6.0 (February 2026) — pinned in AGENTS.md and `data/atlas-ttps.json._meta.atlas_version` | `_meta.atlas_version` |
+| MITRE ATLAS changelog | TTP additions, renames, removals for AI/ML threat domain | Quarterly check; immediate on minor-version release | ATLAS v5.6.0 (May 2026) — pinned in AGENTS.md and `data/atlas-ttps.json._meta.atlas_version` | `_meta.atlas_version` |
 | NVD CVE 2.0 API | Authoritative CVE metadata, CVSS vectors, references | Real-time on new CVE in covered domain | services.nvd.nist.gov/rest/json/cves/2.0 | `data/cve-catalog.json` |
 | NIST FIPS publication tracker | PQC and crypto-standard finalizations | Per-publication (event-driven) | csrc.nist.gov/publications | pqc-first `forward_watch` + manifest `last_threat_review` |
-| MITRE ATT&CK Enterprise | Non-AI TTP additions/renames | Per ATT&CK version release | attack.mitre.org (current pinned: v17, 2025-06-25) | Skill `attack_refs` fields |
+| MITRE ATT&CK Enterprise | Non-AI TTP additions/renames | Per ATT&CK version release | attack.mitre.org (current pinned: v19.0, 2026-04-28) | Skill `attack_refs` fields |
 | GitHub Security Advisories / OSV | CVEs for AI assistants, MCP clients/servers, supply-chain JS/Python packages | Real-time on covered repos | osv.dev, github.com/advisories | `data/cve-catalog.json` |
 | Framework publisher feeds | NIST SP revisions, ISO amendments, NIS2 implementing acts, EU Official Journal, ENISA, NCSC, ASD | RSS / changelog per publisher | csrc.nist.gov, iso.org, eur-lex.europa.eu | `data/framework-control-gaps.json`, `data/global-frameworks.json` |
 | Kernel CNA / distro advisories | Kernel LPE, container-escape, page-cache CVEs | Per advisory | kernel.org, RHEL/Ubuntu/Debian security advisories | `data/cve-catalog.json`, kernel-lpe-triage |