@blamejs/exceptd-skills 0.13.62 → 0.13.64

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@blamejs/exceptd-skills",
-  "version": "0.13.62",
-  "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 42 skills, 10 catalogs (312 CVEs / 171 CWEs / 805 ATT&CK + ICS / 170 ATLAS / 468 D3FEND / 7476 RFCs), 35 jurisdictions, 10-class catalog gap detector + budget gate, real XML parser + canonical-form diff + content-pattern regression detection, Ed25519-signed.",
+  "version": "0.13.64",
+  "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 42 skills, 11 catalogs (312 CVEs / 171 CWEs / 805 ATT&CK + ICS / 170 ATLAS / 468 D3FEND / 7476 RFCs), 35 jurisdictions, 10-class catalog gap detector + budget gate, real XML parser + canonical-form diff + content-pattern regression detection, Ed25519-signed.",
   "keywords": [
     "ai-security",
     "ai-skills",

package/sbom.cdx.json

@@ -1,23 +1,23 @@
 {
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:d905be3b-b5b0-4701-9bc1-43dcc2f5fb90",
+  "serialNumber": "urn:uuid:aaf8fc24-f4e2-4453-8640-762eede96983",
   "version": 1,
   "metadata": {
-    "timestamp": "2141-05-19T13:50:51.000Z",
+    "timestamp": "2116-11-24T14:03:16.000Z",
     "tools": [
       {
         "vendor": "blamejs",
         "name": "scripts/refresh-sbom.js",
-        "version": "0.13.62"
+        "version": "0.13.64"
       }
     ],
     "component": {
-      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.13.62",
+      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.13.64",
       "type": "application",
       "name": "@blamejs/exceptd-skills",
-      "version": "0.13.62",
-      "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 42 skills, 10 catalogs (312 CVEs / 171 CWEs / 805 ATT&CK + ICS / 170 ATLAS / 468 D3FEND / 7476 RFCs), 35 jurisdictions, 10-class catalog gap detector + budget gate, real XML parser + canonical-form diff + content-pattern regression detection, Ed25519-signed.",
+      "version": "0.13.64",
+      "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 42 skills, 11 catalogs (312 CVEs / 171 CWEs / 805 ATT&CK + ICS / 170 ATLAS / 468 D3FEND / 7476 RFCs), 35 jurisdictions, 10-class catalog gap detector + budget gate, real XML parser + canonical-form diff + content-pattern regression detection, Ed25519-signed.",
       "licenses": [
         {
           "license": {
@@ -25,17 +25,17 @@
           }
         }
       ],
-      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.13.62",
+      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.13.64",
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "69652e30ed68856a926cc9b7993e8b629916bcfa4b9783edb94a7322fcfff6e9"
+          "content": "1e6d554aa266e9d6a150562f44b56772728eb5cfed34a0e46c395dcff7f02016"
         }
       ],
       "externalReferences": [
         {
           "type": "distribution",
-          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.13.62"
+          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.13.64"
         },
         {
           "type": "vcs",
@@ -116,11 +116,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "56b52f1a5a7e134c2578bb4c1f676ddaff8c9210572978a42ee4e74438cef1fa"
+          "content": "964e4c41230e398ab679c1bcbc2b977eb68967c7275ab5bed51063281335acf3"
         },
         {
           "alg": "SHA3-512",
-          "content": "f2e0e0a96f6c5eec7b66b66a9048fef9f2f9cd4bcde0aa1c62564cb65676132c7339861c445bad81a96dc3357e4e9263b434330550c339a497d340c47dba6287"
+          "content": "86c39b266e94f5e732d971b92cba0e831ef725b9a0fc9e516585e2d6fdca4f98dca6d48f867501244e64342ca20ac5af2f1ed96806f2f43011dd207124970a6f"
         }
       ]
     },
@@ -296,11 +296,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "d296c1d3e71807c9279b731f047e57796e85137f186586743a8cdad214b408f9"
+          "content": "019f12d24dc45ef8f5ae8812dec7c31a9506429a94751aaa559890a007ec6b22"
         },
         {
           "alg": "SHA3-512",
-          "content": "8db56ff2f1cc24058a4bb8533c76afa36700c9a36ee75bdf75573dac08f82e938d9f7ae463eda9fd4a32beac4d6b6c9d31d2b0d1c44de1c4b35de621b133e545"
+          "content": "d0429743b5a07dd04aaf02939ab95d9ca830081794ad2181c3a1f2051a161b5f566f3833fedc0d17e3da4dc8c5c76199e7168506d0aa3ede88fc89c685d2d71d"
         }
       ]
     },
@@ -401,11 +401,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "b63fe398c3de068093871e8bbca11e16b6567fb15482648d0bbce06939c34104"
+          "content": "2f6147edef1cdec29ae755ec42021038145a702d908a1d5cf0a42e2484cbc786"
         },
         {
           "alg": "SHA3-512",
-          "content": "e64c9e219f6e77fbb235ed875b1775ff6150bffc49fae5903600b15d3799f0d8a27dd553869646e3d0311c5b7fbe456686d9f7bf7e10c0c4cbc71079bcd943ff"
+          "content": "720db4c5e625812ac1f9724a17e7cee2b4bca508156570d4eff74bef216d305e9a0c903f24f0ccd3180f751d00f5cf57ef8c45acfa87f389c0691872e3260814"
         }
       ]
     },
@@ -1661,11 +1661,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "a5c737f12027f2dbea6de6ea9e540a81a075ba49cf0d4d72bdb9b247732e3907"
+          "content": "7bef48dc556daf70b02e3816e1be1392c249559ea08c2365946cd215126d1d65"
         },
         {
           "alg": "SHA3-512",
-          "content": "0585a67e2809ecd5de7f1d82d4328e7dac571acd2e0a3c63c9d0d912277bc9e433fe5413d3d4131be59f3a6568f883539ec342a2735b39a55d851fbafb9e5c5b"
+          "content": "48b457fd2443722a838b1af9f29c4cbc813b8a0bcacbca43164b6483928fdead501d946df8ca671988a6148f8c7645ea7ca8411e8962d6f21813b1de3b187f2b"
         }
       ]
     },
@@ -1796,11 +1796,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "9b92e14442f93b57ce7cd3cc4ac6f8eec8fca33670397fde07ddaf0ec7200428"
+          "content": "94d280168dbf61199f0fb46175558db3da6e4df3fc68600c2ccd1638e9caa667"
         },
         {
           "alg": "SHA3-512",
-          "content": "6413dc8558a4d167889dce292f1fe88de8839afa78a0bbe5464414f5ccdf6d5062401c0a35d68200b32edbe2510c4ac42edecfc2411a60bb87107e9c12c48c7a"
+          "content": "b51f7a6020f6ea435fb49a09598a1ed609c70d54d542f330385d9480aa3d93ec9b76c14d8d6907100157ef8af7df5b0b59232425ff18c365c677643d573f9b00"
         }
       ]
     },
@@ -1886,11 +1886,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "bfa54dc9dd5eea4e9fe18db8f5d609634a1d04870c37b7ceadf38b1c70020b2e"
+          "content": "48cbb215f1a89ee4474503a85aa1532554a3aea45666db9aebd066a05a3305d8"
         },
         {
           "alg": "SHA3-512",
-          "content": "4e2648f3db02eab2dc069ad26c04af7ebfe57fda54a1230691407c92f831a3f389bdfcd54b1cfce2e5e7a38f50df866d923947a2902b786b04fd97660050e0b0"
+          "content": "cef6b4730a597b008322ea27f48ae4b98fe1b3c7cc3f5ee2f52d774b7fb922151007025b7f56b8aba9a003cf08272cea871466db9e7c321882dd31d78f0dab48"
         }
       ]
     },
@@ -2359,6 +2359,21 @@
         }
       ]
     },
+    {
+      "bom-ref": "file:scripts/sync-manifest-metadata.js",
+      "type": "file",
+      "name": "scripts/sync-manifest-metadata.js",
+      "hashes": [
+        {
+          "alg": "SHA-256",
+          "content": "fff6e7b8d8d50d30fa8839bf529fb7551f4b78541d7dddc2613064bff4a0cc8b"
+        },
+        {
+          "alg": "SHA3-512",
+          "content": "b1adf63200cf14cbd6757c963e3f4c67342ed3db9ee33ae73dcaf5e34a00c862d2d40f5be26af0acd274eb7855481c4ab6ee7638253b7e94af9c92572e1110d8"
+        }
+      ]
+    },
     {
       "bom-ref": "file:scripts/validate-vendor-online.js",
       "type": "file",
@@ -2561,11 +2576,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "331a0248dd8ed3b509b759c41a9a4d6d8d6dc67fb732ad31d1a4c2d9a0865054"
+          "content": "dd89c729e7bbfa3c9455dec9b986455dec3c720249c559d2195179a5cbbb2933"
         },
         {
           "alg": "SHA3-512",
-          "content": "f73a601d687c506cd75c28b19f3a14ffa47b5267f1e4a558f2b12d9e89739f636fe7fedef901e3ffec4556f0e5b77ca979cfdca5a26a46d2dd56ae422638b4db"
+          "content": "bf3fccad2e6e7b6027cd65c16336412e12b84fa388454b8d030ad610c3e56e17611eb815ab8288b76d3e29654b41be7db6162d868b4d6316a331fd7d1c039b29"
         }
       ]
     },
@@ -2831,11 +2846,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "959aeba706eea43a69136561968d7942dcd981d0a6c3da7db47673c51943b6df"
+          "content": "dc8ceab8f69af370abb1165ed14ead6f3e9d236a8f703165eba52014ebfd43ab"
         },
         {
           "alg": "SHA3-512",
-          "content": "541f0378a7369de146e0b71a57a98e29d634e3c716eddd114c9de391348566ebb1545c6625b08e5c79804934b3e45875108f511bf2d8112069b828a76a2c5d9f"
+          "content": "b08fe447bf5cc57f967207ad2926b139446f3034cb5145bad83918531fd4bcf5b1ee3f97db538ab4932407face1b922ea399c266f35b56005c4d73fd82a24fe1"
         }
       ]
     },

package/scripts/audit-cross-skill.js

@@ -228,7 +228,12 @@ if (badgeMatch && Number(badgeMatch[1]) !== skills.length) {
 const jurBadge = readme.match(/jurisdictions-(\d+)-/);
 const liveJurs = (() => {
   const g = JSON.parse(fs.readFileSync(ABS("data/global-frameworks.json"), "utf8"));
-  return Object.keys(g).filter((k) => !k.startsWith("_") && k !== "GLOBAL").length;
+  // Canonical jurisdiction count: every non-metadata top-level entry in the
+  // registry. GLOBAL (the International / Multi-Jurisdiction standards scope:
+  // ISO, CSA, CIS) is a counted entry, matching the README badge and the
+  // catalog-summary index. Only `_`-prefixed keys (_meta, _notification_summary,
+  // _patch_sla_summary) are metadata and excluded.
+  return Object.keys(g).filter((k) => !k.startsWith("_")).length;
 })();
 if (jurBadge && Number(jurBadge[1]) !== liveJurs) {
   note(`README BADGE DRIFT: shows jurisdictions-${jurBadge[1]}- but live count is ${liveJurs}`);

package/scripts/builders/catalog-summaries.js

@@ -18,10 +18,10 @@ const path = require("path");
 const CATALOG_PURPOSES = {
   "cve-catalog.json": "Per-CVE record (CVSS, EPSS, CISA KEV, RWEP, AI-discovery, vendor advisories, framework gaps, ATLAS/ATT&CK mappings). Cross-validated against NVD + CISA KEV + FIRST EPSS via validate-cves.",
   "cwe-catalog.json": "MITRE CWE entries used by the project (subset with skill citations), with severity hint and category. Pinned to a CWE catalog version.",
-  "atlas-ttps.json": "MITRE ATLAS TTPs (AML.T0xxx) cited by skills, with tactic, name, description. Pinned to ATLAS v5.6.0 (February 2026).",
+  "atlas-ttps.json": "MITRE ATLAS TTPs (AML.T0xxx) cited by skills, with tactic, name, description. Pinned to ATLAS v5.6.0 (May 2026).",
   "d3fend-catalog.json": "MITRE D3FEND countermeasures (D3-xxx) keyed by id, with tactic + name. Pinned to D3FEND v1.0.0 release.",
   "framework-control-gaps.json": "Per-control framework gap declarations: SI-2, A.8.8, PCI 6.3.3, etc. Each entry names the control, the lag, the evidence CVE, and remediation guidance.",
-  "global-frameworks.json": "Multi-jurisdiction framework registry: 35 jurisdictions × applicable frameworks × patch_sla / notification_sla / critical_controls / framework_gaps. Cross-cutting authority for jurisdiction-clocks index.",
+  "global-frameworks.json": "Multi-jurisdiction framework registry: per-jurisdiction applicable frameworks × patch_sla / notification_sla / critical_controls / framework_gaps (jurisdiction count is reported by entry_count, not duplicated here). Cross-cutting authority for jurisdiction-clocks index.",
   "exploit-availability.json": "Per-CVE exploit availability: PoC public status, weaponization signal, AI-assist status, blast-radius. Project-curated (B2 Admiralty confidence) with source citations.",
   "zeroday-lessons.json": "Distilled lessons from notable zero-days and campaigns (SesameOp, Copy Fail, Dirty Frag, Copilot RCE, Windsurf MCP). Each entry: technique, distinguishing characteristic, what it means for the framework lag.",
   "rfc-references.json": "IETF RFCs + active Internet-Drafts cited by skills (TLS, IPsec, PQ crypto migration, HTTP/3, CT). Cross-validated against IETF Datatracker via validate-rfcs.",

package/scripts/sync-manifest-metadata.js

@@ -0,0 +1,88 @@
+#!/usr/bin/env node
+"use strict";
+/**
+ * scripts/sync-manifest-metadata.js
+ *
+ * The per-skill `forward_watch` and `last_threat_review` fields in
+ * manifest.json are a cache of the authoritative values in each skill's
+ * frontmatter. There was no step that refreshed that cache, so editing a
+ * skill's frontmatter (e.g. bumping last_threat_review on a threat-review
+ * pass, or rewording a forward_watch item) left the manifest copy stale.
+ * Over time the two diverged on dozens of skills.
+ *
+ * This script rewrites the manifest's `forward_watch` and
+ * `last_threat_review` for every skill from that skill's frontmatter, which
+ * is the single source of truth (the linter and the staleness gate both read
+ * frontmatter). Run it whenever skill frontmatter changes, then re-run the
+ * sign-all step so the refreshed manifest is signed.
+ *
+ * tests/manifest-frontmatter-sync.test.js fails the suite if the cache ever
+ * drifts again, so a missed run is caught before release rather than shipping
+ * a manifest that contradicts its own skill bodies.
+ *
+ * Exit codes: 0 = wrote (or already in sync), 1 = a skill file was missing or
+ * its frontmatter failed to parse.
+ */
+
+const fs = require("fs");
+const path = require("path");
+const lint = require("../lib/lint-skills.js");
+
+const ROOT = path.resolve(__dirname, "..");
+const MANIFEST = path.join(ROOT, "manifest.json");
+
+// The frontmatter fields the manifest caches and must mirror verbatim.
+const MIRRORED_SCALAR = ["last_threat_review"];
+const MIRRORED_ARRAY = ["forward_watch"];
+
+function skillFrontmatter(id) {
+  const p = path.join(ROOT, "skills", id, "skill.md");
+  if (!fs.existsSync(p)) return null;
+  const { frontmatter } = lint.extractFrontmatterBlock(fs.readFileSync(p, "utf8"));
+  return lint.parseFrontmatter(frontmatter);
+}
+
+function sync() {
+  const manifest = JSON.parse(fs.readFileSync(MANIFEST, "utf8"));
+  let changed = 0;
+  const errors = [];
+  for (const entry of manifest.skills) {
+    const id = entry.id || entry.name;
+    let fm;
+    try {
+      fm = skillFrontmatter(id);
+    } catch (e) {
+      errors.push(`${id}: frontmatter parse failed — ${e.message}`);
+      continue;
+    }
+    if (!fm) {
+      errors.push(`${id}: skill.md not found`);
+      continue;
+    }
+    for (const key of MIRRORED_SCALAR) {
+      if (key in fm && entry[key] !== fm[key]) {
+        entry[key] = fm[key];
+        changed++;
+      }
+    }
+    for (const key of MIRRORED_ARRAY) {
+      const want = Array.isArray(fm[key]) ? fm[key] : [];
+      const have = Array.isArray(entry[key]) ? entry[key] : [];
+      if (JSON.stringify(have) !== JSON.stringify(want)) {
+        entry[key] = want;
+        changed++;
+      }
+    }
+  }
+  if (errors.length) {
+    for (const e of errors) process.stderr.write(`[sync-manifest-metadata] ${e}\n`);
+    process.exitCode = 1;
+    return;
+  }
+  if (changed > 0) {
+    fs.writeFileSync(MANIFEST, JSON.stringify(manifest, null, 2) + "\n");
+  }
+  process.stdout.write(`[sync-manifest-metadata] ${changed} field(s) synced from frontmatter\n`);
+}
+
+sync();

package/skills/defensive-countermeasure-mapping/skill.md

@@ -79,7 +79,7 @@ The skill exists because the inverse direction — given a CVE or TTP, produce t
 
 ## Framework Lag Declaration
 
-No major compliance framework requires technique-grained defensive mapping. Each requires controls; none require controls expressed in the D3FEND technique taxonomy that mirrors ATT&CK and ATLAS. The MITRE ATT&CK Mappings v17 project (the NIST 800-53 → ATT&CK and D3FEND → NIST 800-53 crosswalks) provides the bridge, but operator awareness is limited and no framework yet requires its use.
+No major compliance framework requires technique-grained defensive mapping. Each requires controls; none require controls expressed in the D3FEND technique taxonomy that mirrors ATT&CK and ATLAS. The MITRE Center for Threat-Informed Defense ATT&CK Mappings project (the NIST 800-53 → ATT&CK and D3FEND → NIST 800-53 crosswalks) provides the bridge, but its latest published crosswalk targets ATT&CK Enterprise v16.1 — lagging the current v19.0 matrix — operator awareness is limited, and no framework yet requires its use.
 
 | Jurisdiction | Framework / Control | What It Requires | Why It Is Insufficient at D3FEND Grain |
 |---|---|---|---|
@@ -290,7 +290,7 @@ This skill is itself the canonical mapper. The section name doubles as the secti
 
 The cross-walks the skill maintains:
 
-- **ATT&CK → D3FEND.** Sourced from the MITRE ATT&CK Mappings v17 NIST 800-53 → ATT&CK and D3FEND → ATT&CK crosswalks, materialized locally in `data/d3fend-catalog.json` as the `counters_attack_techniques` array on every D3FEND entry. To map an ATT&CK T-number to D3FEND, scan every catalog entry and collect those whose `counters_attack_techniques` includes the T-number. This skill never invents a mapping not present in the catalog; if a T-number has no coverage, the absence is a finding routed to `zeroday-gap-learn`.
+- **ATT&CK → D3FEND.** Sourced from the MITRE Center for Threat-Informed Defense ATT&CK Mappings NIST 800-53 → ATT&CK and D3FEND → ATT&CK crosswalks (latest crosswalk targets ATT&CK Enterprise v16.1; the live matrix is v19.0), materialized locally in `data/d3fend-catalog.json` as the `counters_attack_techniques` array on every D3FEND entry. To map an ATT&CK T-number to D3FEND, scan every catalog entry and collect those whose `counters_attack_techniques` includes the T-number. This skill never invents a mapping not present in the catalog; if a T-number has no coverage, the absence is a finding routed to `zeroday-gap-learn`.
 
 - **ATLAS → D3FEND.** Sourced from cross-references in `data/atlas-ttps.json` (each ATLAS entry's defensive references) and from `data/d3fend-catalog.json` (each D3FEND entry's `counters_attack_techniques` array, which carries AML.T-numbers in addition to T-numbers). To map an AML.T technique to D3FEND, scan the catalog the same way as for ATT&CK. The bidirectional consistency is enforced by `lib/lint-skills.js` and by the schemas declared in the catalog `_meta` blocks.
 

package/skills/researcher/skill.md

@@ -55,7 +55,7 @@ The researcher skill sits between raw input and the specialized analytical skill
 - **SesameOp campaign report.** Operator asks: "we are seeing strange Azure OpenAI calls from a finance host — is this anything?" Researcher recognizes the AI-as-C2 pattern from `data/zeroday-lessons.json`, maps to AML.T0096, routes to `ai-c2-detection`.
 - **NIST 800-53 Rev. 6 draft published.** Operator asks: "does our gap analysis change?" Researcher routes to `skill-update-loop` for currency review, then to `framework-gap-analysis` for the specific control deltas.
 
-Without this skill, the operator either has to know the full inventory of 37 specialized skills downstream of the researcher (researcher itself is the 38th) and pick the right one (cognitive load that does not scale) or default to a single catch-all skill (which produces shallow output). The researcher skill is the routing layer that makes the rest of the library usable under operational pressure.
+Without this skill, the operator either has to know the full inventory of 41 specialized skills downstream of the researcher (researcher itself is the 42nd) and pick the right one (cognitive load that does not scale) or default to a single catch-all skill (which produces shallow output). The researcher skill is the routing layer that makes the rest of the library usable under operational pressure.
 
 ---
 
@@ -75,7 +75,7 @@ No compliance framework prescribes a research-and-route step between intake and
 | SOC 2 | CC7.3 (Incident detection) | Requires incident detection and response procedures. Generic; does not require routing logic against a specialized analytical inventory. |
 | CIS Controls v8 | 17 (Incident Response Management) | Plan, train, test. No structured triage layer specified. |
 
-The framework lag here is structural: every framework assumes a generic incident handling pipeline. None assume the org has a curated inventory of 37 specialized analytical procedures and needs a router. The researcher skill is the routing layer the frameworks do not describe.
+The framework lag here is structural: every framework assumes a generic incident handling pipeline. None assume the org has a curated inventory of 41 specialized analytical procedures and needs a router. The researcher skill is the routing layer the frameworks do not describe.
 
 ---
 
@@ -222,11 +222,15 @@ Use this mapping. Pick one primary route and zero-or-more secondary routes.
 - Financial cyber / banking cyber / DORA TLPT / PSD2 SCA / SWIFT CSCF / NYDFS 23 NYCRR 500 / FFIEC / MAS TRM / APRA CPS 234 / TIBER-EU / CBEST question → `sector-financial`
 - Federal cyber / government cyber / FedRAMP / CMMC / EO 14028 / NIST 800-171 CUI / FISMA / M-22-09 Zero Trust / OMB M-24-04 AI / CISA BOD/ED question → `sector-federal-government`
 - Energy cyber / electric grid cyber / NERC CIP / TSA pipeline / AWWA water / EU NCCS-G / AESCSF / DER cyber / inverter security / smart meter cyber question → `sector-energy`
+- Telecom / 5G core / Salt Typhoon / Volt Typhoon / SS7 / Diameter / GTP / lawful intercept / CALEA / FCC CPNI / O-RAN / GSMA NESAS / 3GPP TS 33.501 question → `sector-telecom`
 - API security / OWASP API Top 10 / BOLA / BFLA / mass assignment / GraphQL / gRPC / WebSocket / API gateway / rate limit policy question → `api-security`
 - Cloud security / CSPM / CWPP / CNAPP / CSA CCM / AWS / Azure / GCP / shared responsibility / workload identity / cloud IAM question → `cloud-security`
 - Container security / Kubernetes / CIS K8s Benchmark / Pod Security Standards / Kyverno / Gatekeeper / Falco / Tetragon / admission policy / NetworkPolicy question → `container-runtime-security`
 - MLOps security / training data integrity / model registry / model signing / drift detection / MLflow / Kubeflow / Vertex AI / SageMaker / Hugging Face question → `mlops-security`
 - Incident response / IR playbook / PICERL / NIST 800-61 / ISO 27035 / breach notification / BEC incident / AI-class incident handling question → `incident-response-playbook`
+- Ransomware incident / encryption event / LockBit / ALPHV / Akira / RansomHub / Hunters International / ransom payment / OFAC sanctions screening / decryptor availability question → `ransomware-response`
+- Cloud-IAM incident / AWS account takeover / GCP service-account compromise / Azure managed-identity replay / access-key leak / IAM role-assumption abuse / cross-account assume-role / IMDS SSRF / CloudTrail anomaly question → `cloud-iam-incident`
+- IdP incident / Okta / Entra ID / Auth0 / Ping / OneLogin tenant compromise / federated-trust abuse / OAuth consent abuse / SAML-OIDC token forgery / Midnight Blizzard / Scattered Spider question → `idp-incident-response`
 - Email security / anti-phishing / SPF / DKIM / DMARC / BIMI / ARC / MTA-STS / BEC / vishing / deepfake / AI-augmented phishing question → `email-security-anti-phishing`
 - Age gate / age verification / age assurance / child online safety / COPPA / CIPA / California AADC / UK Children's Code / KOSA / GDPR Art. 8 / DSA Art. 28 / parental consent / CSAM detection question → `age-gates-child-safety`