@blamejs/exceptd-skills 0.13.60 → 0.13.63

package/CHANGELOG.md

@@ -1,5 +1,34 @@
 # Changelog
 
+## 0.13.63 — 2026-05-24
+
+Metadata accuracy corrections. Five references still cited MITRE ATLAS v5.1.0 — a catalog descriptor and four control-gap / TTP cross-walk notes — while the shipped catalog tracks v5.6.0. The catalog-summary index and one skill's forecast note dated ATLAS v5.6.0 to February 2026; its release date is May 2026 (2026-05-08). The package description counted 10 intelligence catalogs when 11 ship. The researcher skill described 37 downstream skills (itself the 38th); the library ships 42 (41 downstream).
+
+## 0.13.62 — 2026-05-24
+
+Threat-framework version pins are now consistent across the full surface. The remaining skills and the source registry cite MITRE ATT&CK v19.0 (April 2026); `attack-surface-pentest` and `skill-update-loop` still described the superseded v17 matrix, and `sources/index.json` pointed callers at v17 / 2025-06-25. The same registry's ATLAS pointer is corrected to v5.6.0 (May 2026) — it had drifted to v5.1.0 while every other surface moved on. A new guard refuses any operator-facing reference to an ATT&CK version older than the catalog pin, while permitting forward-looking references so forward-watch entries naming the next release cycle stay intact.
+
+### Bugs
+
+- **`attack-surface-pentest` and `skill-update-loop` cited ATT&CK v17** in their TTP-mapping tables and source-tracking rows while the catalog pin (`data/attack-techniques.json._meta.attack_version`) is v19.0. The version operators read in the skill body now matches the version the engine resolves against.
+- **`sources/index.json` pinned ATT&CK at v17 / 2025-06-25 and ATLAS at v5.1.0 / 2025-11-01** — the machine-readable "current version" pointers consumers read to learn which framework revision the catalog tracks. Both now match the catalog: ATT&CK v19.0 / 2026-04-28, ATLAS v5.6.0 / 2026-05-08, with the ATLAS update cadence corrected to monthly.
+
+### Internal
+
+- Added an ATT&CK-version drift guard mirroring the existing ATLAS guard. It is stale-only: a reference older than the pinned version fails the suite; an equal-or-newer reference (how forward-watch records the next release) passes. The source-registry version pointers are asserted against the catalog pins so they cannot silently diverge again.
+
+## 0.13.61 — 2026-05-22
+
+Documentation and skill-content drift fixes. `package.json` description, SBOM metadata, and the operator-queryable catalog summary now report the correct 35-jurisdiction count. Eight skills correct their MITRE ATLAS release date (May 2026, not February 2026); three skills bump their ATT&CK pin to v19.0 to match `data/attack-techniques.json._meta.attack_version` and the AGENTS.md Hard Rule #12 pin. `refresh --check-advisories` help text now enumerates all 15 advisory feeds the runtime polls. The agents/ directory roster drops a broken link to a non-existent `framework-analyst.md` and folds its responsibility into `threat-researcher`.
+
+### Bugs
+
+- **`package.json.description` and `sbom.cdx.json` reported "34 jurisdictions"** while every other surface (README badge, README body, ARCHITECTURE.md, CONTEXT.md) reported 35 and `data/global-frameworks.json` actually ships 35. The npm registry blurb — the first discovery-path operators see — was wrong by one. Bumped to 35 across both, plus `scripts/builders/catalog-summaries.js` and the regenerated `data/_indexes/catalog-summaries.json` which downstream AI consumers query for catalog introspection.
+- **Eight skills described MITRE ATLAS v5.6.0 as released "February 2026" (or `2026-02-06`)** when the actual release date is `2026-05-08` (May 2026), as pinned in AGENTS.md Hard Rule #12 and `data/atlas-ttps.json._meta.atlas_release_date`. Audit traceability — "which TTP catalog were we using on May 1?" — requires the date to be consistent across the shipped surface. Fixed in compliance-theater, framework-gap-analysis, incident-response-playbook, policy-exception-gen, mlops-security (×2), rag-pipeline-security, ransomware-response, and skill-update-loop (×2).
+- **Three skills referenced ATT&CK v17 (2025-06-25) and AGENTS.md "rule #8"** — both stale. Hard Rule #8 is compliance-theater detection, not version pinning; the version-pinning rule is #12. The pinned ATT&CK version per AGENTS.md and `data/attack-techniques.json._meta.attack_version` is v19.0 (April 2026), which split Defense Evasion into Stealth (TA0005) and Defense Impairment (TA0112). Skills now cite the correct rule number and the current pinned version. Affects incident-response-playbook and ransomware-response.
+- **`refresh --check-advisories` help text enumerated 12 venues** while the prose around it (and the runtime in `lib/source-advisories.js`) polls 15. The three omissions — BleepingComputer security, The Hacker News, and the Nightmare-Eclipse GitHub tracker — are now listed inline so the count and the enumeration agree.
+- **`agents/README.md` listed a `framework-analyst.md` role that has no file on disk** — the roster, workflow diagram, and parallelization section all referenced a fifth agent that ships as a 404. The threat-researcher role already covers framework amendments; its description and trigger list now reflect that, and the broken row + diagram node are removed.
+
 ## 0.13.60 — 2026-05-22
 
 Final tranche of audit cycle 3 polish. `doctor` surfaces the local version; `--collectors` distinguishes policy-skipped from actually-missing collectors; `ask` confidence penalizes ties.

package/README.md

@@ -366,8 +366,10 @@ exceptd refresh                       Refresh upstream catalogs + indexes.
                                       ZDI, kernel.org commits, oss-security
                                       mailing list, JFrog SecOps, CISA current
                                       advisories, Microsoft Security Blog,
-                                      Sysdig, Trail of Bits, Embrace the Red)
-                                      for CVE IDs disclosed at T+0 to T+1 —
+                                      Sysdig, Trail of Bits, Embrace the Red,
+                                      BleepingComputer, The Hacker News,
+                                      Nightmare-Eclipse GitHub tracker) for
+                                      CVE IDs disclosed at T+0 to T+1 —
                                       days ahead of NVD enrichment.
                                       Report-only: emits structured diffs[]
                                       with {cve_id, sources[], advisory_urls[],

package/agents/README.md

@@ -8,9 +8,8 @@ Multi-agent coordination for exceptd Security. Each agent file defines a special
 
 | Agent | Role | Triggers |
 |---|---|---|
-| [threat-researcher](threat-researcher.md) | Research and validate new CVEs, threat campaigns, and ATLAS TTPs | New CVE published, ATLAS update, CISA KEV addition |
-| [framework-analyst](framework-analyst.md) | Analyze framework updates and gap changes | Framework amendment published |
-| [skill-updater](skill-updater.md) | Apply validated intelligence to update skill files | Threat researcher or framework analyst output |
+| [threat-researcher](threat-researcher.md) | Research and validate new CVEs, threat campaigns, ATLAS TTPs, and framework updates | New CVE published, ATLAS update, CISA KEV addition, framework amendment |
+| [skill-updater](skill-updater.md) | Apply validated intelligence to update skill files | Threat researcher output |
 | [source-validator](source-validator.md) | Cross-check data against primary sources | Before any data enters cve-catalog.json or atlas-ttps.json |
 | [report-generator](report-generator.md) | Generate structured reports from skill outputs | User invokes a reporting workflow |
 
@@ -21,8 +20,8 @@ Multi-agent coordination for exceptd Security. Each agent file defines a special
 ```
 External trigger (new CVE, ATLAS update, framework change)
           ↓
-[threat-researcher] or [framework-analyst]
-   — researches the trigger
+[threat-researcher]
+   — researches the trigger (CVE, ATLAS update, or framework amendment)
    — identifies affected skills
    — produces a validated intelligence package
           ↓
@@ -48,8 +47,7 @@ External trigger (new CVE, ATLAS update, framework change)
 These agents can run in parallel when their inputs are independent:
 
 **Parallel-safe:**
-- Multiple threat-researcher instances on different CVEs
-- framework-analyst + threat-researcher on unrelated topics
+- Multiple threat-researcher instances on different CVEs or framework amendments
 - Multiple source-validator instances on different data items
 
 **Must be sequential:**

package/data/_indexes/_meta.json

@@ -1,38 +1,38 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-22T23:59:02.374Z",
+  "generated_at": "2026-05-24T15:29:21.057Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 54,
   "source_hashes": {
-    "manifest.json": "fc19c462b36237eeee08be520747e440f0cafdd27dcad4c7623042eec02815c2",
-    "data/atlas-ttps.json": "d296c1d3e71807c9279b731f047e57796e85137f186586743a8cdad214b408f9",
+    "manifest.json": "3be89a674691acd2ea97c62841b563b53f76cf22d1350f4b395f1259d684986b",
+    "data/atlas-ttps.json": "019f12d24dc45ef8f5ae8812dec7c31a9506429a94751aaa559890a007ec6b22",
     "data/attack-techniques.json": "49b6010b317edd219def135171ea8f3b1bbf1e00e9c5a08bf7237215ff54e2c3",
     "data/cve-catalog.json": "a09c83af3f9679a7ea73935726a1ff9de2cab94b4ab6321fc017fc147747d7c3",
     "data/cwe-catalog.json": "c56e74b8c9290583b1d6fdd21b54bd65a254c58890c5f683379788ca7b080e9d",
     "data/d3fend-catalog.json": "4271102f8c38999444bcd981c1cf5feb4ad09f8c0b1d9b79df3f1a82f4fb50f0",
     "data/dlp-controls.json": "d2406c482dddd30e49203879999dc4b3a7fd4d0494d6a61d86b91ee76415df19",
     "data/exploit-availability.json": "ec2656f0d9a893610e27b43eb6035fe9b18e057c9f6dfaac7e7d4959bbcbb795",
-    "data/framework-control-gaps.json": "b63fe398c3de068093871e8bbca11e16b6567fb15482648d0bbce06939c34104",
+    "data/framework-control-gaps.json": "2f6147edef1cdec29ae755ec42021038145a702d908a1d5cf0a42e2484cbc786",
     "data/global-frameworks.json": "9ba563a85f7f8d6c3c957de64945e20925a89d0ed6ea6fc561cf093811acf558",
     "data/rfc-references.json": "926ea25892e052fc6a8b9952afc1d8e2bd06c4aec223a1a7aa79ef1dfd7b7bb5",
     "data/zeroday-lessons.json": "7242a7349ac79a74813bf2b7486b6000c0c877e71cec17e2d68df33bc4007b93",
     "skills/kernel-lpe-triage/skill.md": "08b3e9815ba481c57c80f5fc0ccbf5bb7cbb41f570c235ba6ff9596b8c07354d",
     "skills/ai-attack-surface/skill.md": "6ff82cd5e805a29b694a71ffbeba22e78966249da921706f3256fa4319e402fc",
     "skills/mcp-agent-trust/skill.md": "bf3ded40e84443400c9bec8634e0d6a14c9633e569d8c2e26f9d5881f8e78dff",
-    "skills/framework-gap-analysis/skill.md": "82acc8fc68ee5cc7aaddff1632a63524663981d4b9ce064f8543d1cfbba1b770",
-    "skills/compliance-theater/skill.md": "a664e202d4fdcd28eb3216983d6b982b288ce8e553461fa79468c6a1744b83ee",
+    "skills/framework-gap-analysis/skill.md": "17249909697a9c61b71f6885a1f4888ab1e727909ddb487ed82aeef535884a4f",
+    "skills/compliance-theater/skill.md": "d656444bb1987f43ae61374f210977d0c1f247f54d7318fdd639dd0cfdbef392",
     "skills/exploit-scoring/skill.md": "f55e9aa4985ebad8a2a12092c937deb6939a639dc1e16e2214ecfa1c9b9402c4",
-    "skills/rag-pipeline-security/skill.md": "785dac24078f4f3d798f04607aa13d2d902d027fb5ea95d1074240c4762b2dff",
+    "skills/rag-pipeline-security/skill.md": "d3ad18562a6083fb773347e24b6fcda2adcb68b4269e29df53b5afeb113cf7b0",
     "skills/ai-c2-detection/skill.md": "524474483bdfa9614cf31276f16c0ec365a364e61e9ca6047c08621751539671",
-    "skills/policy-exception-gen/skill.md": "76c8f4dadf470103a467f40b01870585d8769c1af2bc15956e1d8b0b424626ae",
+    "skills/policy-exception-gen/skill.md": "238074319b57399c75d76439ef1ff67153b5a3207adf1556f3ca1e68cfe7cfaa",
     "skills/threat-model-currency/skill.md": "4295c0efe31dcbec1a7bc96b8ce05d41414d918cbfc7fb7dffb2be7e4d873ae3",
     "skills/global-grc/skill.md": "57ca729034e9d33c527d869c1c4aa82fe37e496878a3cbcd9e5043cb62b7105d",
     "skills/zeroday-gap-learn/skill.md": "d8872a4f5e5e927ae087e8319996ec3b9e010aa23fca32248c0909051032db48",
-    "skills/pqc-first/skill.md": "07b38278b60d2437603a541c1ee954999abfe3a192f94b43cd384023738a0c1f",
-    "skills/skill-update-loop/skill.md": "358a0ac73bc7f211def7e2ad0d3eda147f847ded3a3f1dd27afdd360226e8add",
+    "skills/pqc-first/skill.md": "3b41b59eb4e8480b691ff17185f42b9fbfd7665e369fc210feba496688cc77aa",
+    "skills/skill-update-loop/skill.md": "f7cd18df293b90c0d2afb6ba8b87664419becea6b63221f03efaf09c69586025",
     "skills/security-maturity-tiers/skill.md": "2e46c9332a5a6190d4605ba7bc653410659be19fab50c78c0a6732f84ebdb300",
-    "skills/researcher/skill.md": "959aeba706eea43a69136561968d7942dcd981d0a6c3da7db47673c51943b6df",
-    "skills/attack-surface-pentest/skill.md": "7609380c53bfc829b28a4478457a887aadcf31ddbade2d6ecf56fc5f845a0f72",
+    "skills/researcher/skill.md": "0f55168c5cbcf8f8ad2760e7f782ca171a1a82a1f92c5123cb3c80d769386c7a",
+    "skills/attack-surface-pentest/skill.md": "d6ea35136f93eb4aa75b65a5ae402353b0e2c63a83acece1606fe3f5d1ec6a8d",
     "skills/fuzz-testing-strategy/skill.md": "86e7bf537e4313b932acaba6282a4514336066a740bdbee4e7cbea2d2ef05b54",
     "skills/dlp-gap-analysis/skill.md": "b5183b5ea6fad6986500d7a04e83239a5fbf4272eaa6888b8be6420ce3d36ac5",
     "skills/supply-chain-integrity/skill.md": "90e930ef5d4cc5a54653844098d3549c3760b1a4aba5c48db1bd4eb24bea8d1b",
@@ -51,9 +51,9 @@
     "skills/api-security/skill.md": "120ed75df17db4dfc4746b9d5bd6efd33786bbf68cb840670aeed0be505866f9",
     "skills/cloud-security/skill.md": "425be2c6e3563f011d0280bf03268425bf60923ae3d02eafbf1b56d04f0b7ffe",
     "skills/container-runtime-security/skill.md": "f22bf5a305f8a33884d49d9bfb25fa2bd00c4b3d0dc490bd12f20a7721683b4a",
-    "skills/mlops-security/skill.md": "90225bee8c6980a08a4d9601ece15337d065fd12ff52b0821a91eee63aa6950a",
-    "skills/incident-response-playbook/skill.md": "4d1509db64c59a8985bef7f53dfe6be54887e2989b39ed51f19eacc761750877",
-    "skills/ransomware-response/skill.md": "1455eeecbb18962447af80fe3d49aead15ebe7b45c206d8f4bd7d0c202b9681a",
+    "skills/mlops-security/skill.md": "498549ddc9d870cb8d6a28a4d79b8d7058d5eed832d7c266c281084f4371ce46",
+    "skills/incident-response-playbook/skill.md": "9c219de36c7d702dff8504a25e2f1b07459716ea2ed02f49d751f91dbeca1b01",
+    "skills/ransomware-response/skill.md": "471b714c42717d43f81b2b582cd8e89ca8d3140de2ddc06cce15f012a0e19be1",
     "skills/email-security-anti-phishing/skill.md": "250f266908f51f99a4cb3aec0d5dacfcf91fac9f3d95e5a117429a40ed2ff45a",
     "skills/age-gates-child-safety/skill.md": "b8fad37033ba955eee678950963e816b6c56fd34a953e5c81b3bdd4c12a8f69a",
     "skills/cloud-iam-incident/skill.md": "5ec3800a0049b2123aff67bfab4ff28491a86d2daeb712283e5e88b10c3d5d7b",
@@ -78,7 +78,7 @@
     "handoff_dag_nodes": 42,
     "summary_cards": 42,
     "section_offsets_skills": 42,
-    "token_budget_total_approx": 416979,
+    "token_budget_total_approx": 417973,
     "recipes": 8,
     "jurisdiction_clocks": 29,
     "did_ladders": 8,
@@ -87,7 +87,7 @@
     "frequency_fields": 7,
     "activity_feed_events": 54,
     "catalog_summaries": 11,
-    "stale_content_findings": 2
+    "stale_content_findings": 1
   },
   "invalidation_note": "If any source file in source_hashes has a different SHA-256 than recorded here, the indexes are stale. Re-run `npm run build-indexes`."
 }

package/data/_indexes/catalog-summaries.json

@@ -7,7 +7,7 @@
   "catalogs": {
     "atlas-ttps.json": {
       "path": "data/atlas-ttps.json",
-      "purpose": "MITRE ATLAS TTPs (AML.T0xxx) cited by skills, with tactic, name, description. Pinned to ATLAS v5.6.0 (February 2026).",
+      "purpose": "MITRE ATLAS TTPs (AML.T0xxx) cited by skills, with tactic, name, description. Pinned to ATLAS v5.6.0 (May 2026).",
       "schema_version": "1.0.0",
       "last_updated": "2026-05-19",
       "tlp": "CLEAR",
@@ -183,7 +183,7 @@
     },
     "global-frameworks.json": {
       "path": "data/global-frameworks.json",
-      "purpose": "Multi-jurisdiction framework registry: 34 jurisdictions × applicable frameworks × patch_sla / notification_sla / critical_controls / framework_gaps. Cross-cutting authority for jurisdiction-clocks index.",
+      "purpose": "Multi-jurisdiction framework registry: 35 jurisdictions × applicable frameworks × patch_sla / notification_sla / critical_controls / framework_gaps. Cross-cutting authority for jurisdiction-clocks index.",
       "schema_version": "1.3.0",
       "last_updated": "2026-05-15",
       "tlp": "CLEAR",

package/data/_indexes/handoff-dag.json

@@ -126,6 +126,7 @@
       "mcp-agent-trust"
     ],
     "pqc-first": [
+      "ai-c2-detection",
       "compliance-theater",
       "framework-gap-analysis"
     ],
@@ -513,7 +514,7 @@
   "in_degree": {
     "age-gates-child-safety": 1,
     "ai-attack-surface": 26,
-    "ai-c2-detection": 12,
+    "ai-c2-detection": 13,
     "ai-risk-management": 5,
     "api-security": 4,
     "attack-surface-pentest": 13,
@@ -581,7 +582,7 @@
     "mlops-security": 10,
     "ot-ics-security": 14,
     "policy-exception-gen": 0,
-    "pqc-first": 2,
+    "pqc-first": 3,
     "rag-pipeline-security": 6,
     "ransomware-response": 10,
     "researcher": 37,