@blamejs/exceptd-skills 0.13.63 → 0.13.65

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/exceptd-skills",
-  "version": "0.13.63",
+  "version": "0.13.65",
   "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 42 skills, 11 catalogs (312 CVEs / 171 CWEs / 805 ATT&CK + ICS / 170 ATLAS / 468 D3FEND / 7476 RFCs), 35 jurisdictions, 10-class catalog gap detector + budget gate, real XML parser + canonical-form diff + content-pattern regression detection, Ed25519-signed.",
   "keywords": [
     "ai-security",

package/sbom.cdx.json

@@ -1,22 +1,22 @@
 {
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:35e13dc7-91ee-4f61-bce1-a1187f70406d",
+  "serialNumber": "urn:uuid:98b472c4-9438-4efb-bf8e-4776acac888d",
   "version": 1,
   "metadata": {
-    "timestamp": "2054-08-24T10:17:43.000Z",
+    "timestamp": "2107-03-10T08:18:12.000Z",
     "tools": [
       {
         "vendor": "blamejs",
         "name": "scripts/refresh-sbom.js",
-        "version": "0.13.63"
+        "version": "0.13.65"
       }
     ],
     "component": {
-      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.13.63",
+      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.13.65",
       "type": "application",
       "name": "@blamejs/exceptd-skills",
-      "version": "0.13.63",
+      "version": "0.13.65",
       "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 42 skills, 11 catalogs (312 CVEs / 171 CWEs / 805 ATT&CK + ICS / 170 ATLAS / 468 D3FEND / 7476 RFCs), 35 jurisdictions, 10-class catalog gap detector + budget gate, real XML parser + canonical-form diff + content-pattern regression detection, Ed25519-signed.",
       "licenses": [
         {
@@ -25,17 +25,17 @@
           }
         }
       ],
-      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.13.63",
+      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.13.65",
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "39aa4e01292c0582b31a9b73c8367754e6abb8bc5dd6686a68671c2a3149bf55"
+          "content": "2891a0efb6d7e83bbb9fef4c129bdb077e010a8ab5ffa97b628c8fb14ebfba1a"
         }
       ],
       "externalReferences": [
         {
           "type": "distribution",
-          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.13.63"
+          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.13.65"
         },
         {
           "type": "vcs",
@@ -101,11 +101,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "07874f7839b841722364720ef44e41d7314e0b598c3c6c311894a378e47c7457"
+          "content": "c53e00aca85205cfae25eba8f333e64f43e48823013cdc1e4f4dcdd8260ddfe7"
         },
         {
           "alg": "SHA3-512",
-          "content": "fc4fdffb42ea6f36aca4b3e64c4ff3f0f11fed4b59abc609eb0a2ea5c57422a0b9946eb8bfa816d933694fc10a8688d1af182ec735aa308c5a333277f90cac9b"
+          "content": "d7a884c53b790f39f8d487d07dfc4b75f56d433639e8cc7c592e1d6fa830b02a7fa82c32164264132b08342a082245d2396edf90884813cdeca1d79591ed0b75"
         }
       ]
     },
@@ -116,11 +116,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "354c4ce635f1297f98d9529d637b4b4ff4bdf507ed621346b52ce894922e0ead"
+          "content": "e81da1ef936ded554f744006bc412bc1f21006b04c50c78281de27c49493de95"
         },
         {
           "alg": "SHA3-512",
-          "content": "cea1412c91b608151c20d4bf85a381d6bcbb86cecbfe1358b108af2a759204f2b0171f3a94867791b785be9d7d2614a41d5de534770762fd3c81935a9bcc64a2"
+          "content": "b358df8eb236f0abb2f6d36df5fba03afdd82002acbe9ac6015f4743c7de15f86d7946c3a79035b66d4109a167ffafd88b278d7445ecbd41356ace93922096b5"
         }
       ]
     },
@@ -131,11 +131,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "bb19a5043644deaf49354a019b0d8a0286301cb30327dda99a0754a5507f538c"
+          "content": "2d41c604ecdc5fb61271bdf7ccb758b549f7587779952dc16e7675ec3bc4c634"
         },
         {
           "alg": "SHA3-512",
-          "content": "f1c44295b519fd815cc9d16ed24837730796b5b5604d88179756202981b61272939a6ff11996d56d88e43c9b030443e7d29cf664d633c368d7f74dbaac7b237b"
+          "content": "e9d808d434d7572ac408a7505d07904de20b4990176c1e802cebcb583a100ecb3b311e9742dcbba4f58478b0696751b4080d290f263a9bff2fbcbff6a0ca5971"
         }
       ]
     },
@@ -176,11 +176,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "7db9a736e127cd13945a2a0744db393ed166b18a7fc5915f5d953f0cb42a880c"
+          "content": "fcd1276c6ad9327cf34adfaf5f6d08fcbd4686ceac0d70db1fa315b287dd20b6"
         },
         {
           "alg": "SHA3-512",
-          "content": "228d6d081b7132f8879949da656c7c379f6ca75a1277e13e4a6c4c4db91982cea1178f2e055c7335743d38bf330535b564205622f054cfc9898fac7254fba38e"
+          "content": "5b9b1fb6eac22b50e062d96b28fe346d0bb7008f799a1de44ad91b68fdf32525b94e9dc73a5e7de202d6040b8fa49bae1e45aec7d99fb28af50b007ac3794143"
         }
       ]
     },
@@ -341,11 +341,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "c56e74b8c9290583b1d6fdd21b54bd65a254c58890c5f683379788ca7b080e9d"
+          "content": "4cb1193c4e20ddd3f480a7f421f28e3472b856b0c070761a0fe149a64c90fa8e"
         },
         {
           "alg": "SHA3-512",
-          "content": "24a77d58aa84b7c91c5067dbb28c73ddfa42a0229c6f45b9e36aea58d65ab3bc17a0a759323bdfad7d6a7fad8f21eff8a9ea2efc118f069035a6e5c0373380f6"
+          "content": "d956f305004ecb8a04e3aa6405679ac02500a453af0092ddcaf1291b7e31c9032ab2c537f794a5c11beed1ef2987f30defa32d9b97f357165edfbb080e7e11a1"
         }
       ]
     },
@@ -356,11 +356,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "4271102f8c38999444bcd981c1cf5feb4ad09f8c0b1d9b79df3f1a82f4fb50f0"
+          "content": "9a54bccb9f24f84b32024216cc3f53819a053721ac8ab43c326859e68fc0ffaf"
         },
         {
           "alg": "SHA3-512",
-          "content": "4714cd58cf9720ee679d430d0ea47bbfd4e9a25af362db974b9b7166701aa66d9aa6730c17c3cdbca9c07e5c894b778296998998f7bbd667d60dccc5e2ca129d"
+          "content": "30e0c721b086eabb1445b99a945d25b0ace33b2c03aa0a4fe7c2cc9d87247a5344b12b9fc33a52ffcc805712f27273f125989439fbe8fba1f35d1946f14c968b"
         }
       ]
     },
@@ -1661,11 +1661,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "3be89a674691acd2ea97c62841b563b53f76cf22d1350f4b395f1259d684986b"
+          "content": "3d668e206d800377a1ea731e226e36dd4b5aa02f4e608d07cdb87d323b5ad409"
         },
         {
           "alg": "SHA3-512",
-          "content": "00e4dd816a2363fb0a0f07fe406aab4d3106d38c1dce4afb4f0b93311a43390ddce6a74339a38e81feb399683d533f2e13a6b5030e2b2acab638ca9061833df3"
+          "content": "8b04b5b6925d6b6a36b17a810c22bdacd0ecf311b83da45d0d1b0e1645e7cea3e7683806c30c7b45ea0d543c0c3bd25d042b51b92b69edb332092ecb6daf2804"
         }
       ]
     },
@@ -1796,11 +1796,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "9b92e14442f93b57ce7cd3cc4ac6f8eec8fca33670397fde07ddaf0ec7200428"
+          "content": "94d280168dbf61199f0fb46175558db3da6e4df3fc68600c2ccd1638e9caa667"
         },
         {
           "alg": "SHA3-512",
-          "content": "6413dc8558a4d167889dce292f1fe88de8839afa78a0bbe5464414f5ccdf6d5062401c0a35d68200b32edbe2510c4ac42edecfc2411a60bb87107e9c12c48c7a"
+          "content": "b51f7a6020f6ea435fb49a09598a1ed609c70d54d542f330385d9480aa3d93ec9b76c14d8d6907100157ef8af7df5b0b59232425ff18c365c677643d573f9b00"
         }
       ]
     },
@@ -1886,11 +1886,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "6fa25dc8fa8d9743bab2f7ec04c5f793ee9fa21eba3bdfb7bfc153e8ac9a32ab"
+          "content": "4cafae018d02d6bca7a037b8131e66f40dc36620c919de69d9522705077aa2c2"
         },
         {
           "alg": "SHA3-512",
-          "content": "df8845265c271180506628db9c2625ad284744719bc2c09991e32c77b0925f595b58bf49dab58c321703f310672eed33abc7475b5ea5955793cb707c0798996e"
+          "content": "f82d6a2dc910d461647dd1bb5b16674cc8709bc4c62c4d8d5e71e495d6925e544e76fb217ca74de8f93022fcf1051988027c5272fcde05c3be1eb62f26bbbe42"
         }
       ]
     },
@@ -2359,6 +2359,21 @@
         }
       ]
     },
+    {
+      "bom-ref": "file:scripts/sync-manifest-metadata.js",
+      "type": "file",
+      "name": "scripts/sync-manifest-metadata.js",
+      "hashes": [
+        {
+          "alg": "SHA-256",
+          "content": "fff6e7b8d8d50d30fa8839bf529fb7551f4b78541d7dddc2613064bff4a0cc8b"
+        },
+        {
+          "alg": "SHA3-512",
+          "content": "b1adf63200cf14cbd6757c963e3f4c67342ed3db9ee33ae73dcaf5e34a00c862d2d40f5be26af0acd274eb7855481c4ab6ee7638253b7e94af9c92572e1110d8"
+        }
+      ]
+    },
     {
       "bom-ref": "file:scripts/validate-vendor-online.js",
       "type": "file",
@@ -2396,11 +2411,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "b8fad37033ba955eee678950963e816b6c56fd34a953e5c81b3bdd4c12a8f69a"
+          "content": "639b79a2724415afe9e4469202f806e5bec022c0946c9496d4e17ed73aabbe21"
         },
         {
           "alg": "SHA3-512",
-          "content": "3f3c80f0b4d79bbdb8e066b5ac9e6b5bf3f56210c5d632d972b137bc358ee911ec56d66c7993c93d392abc5552c31075ef3e21e969a407aea03ede4b87bb9a40"
+          "content": "50a86b044a31f3047f1cf5c01b51b71868a82b6e72a3dc500f388ebc1987df6cea1c04d7fe666dcea27a4c0ecac15ad71d5b7c11dc702f6878eb4ae6292a110c"
         }
       ]
     },
@@ -2411,11 +2426,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "6ff82cd5e805a29b694a71ffbeba22e78966249da921706f3256fa4319e402fc"
+          "content": "c4c1eb22a38ca7a959b5725222bab8fbd4f4044a548a93f3e288e6f698334b72"
         },
         {
           "alg": "SHA3-512",
-          "content": "ac26332ce1c18f99e07056dbc16784206f21dfd5640c22adedbc1e0c9f617c4b46bae6bbfd28f0057c7a14ef2e9404a3ebb5406d600de439e2f655b27b264bac"
+          "content": "2dd2a4ee45af9b58c779ec01b1e405c3273a149b44cd6a668c74235352f5f76eb52cca9ecb2694b54abc0738d3911ac2dfae37f18021e11f669162fae2aaf888"
         }
       ]
     },
@@ -2426,11 +2441,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "524474483bdfa9614cf31276f16c0ec365a364e61e9ca6047c08621751539671"
+          "content": "de83dc284dc4f85a8a383c0b715ec7b9ea127ec49c3227bf4c72344bad4008ed"
         },
         {
           "alg": "SHA3-512",
-          "content": "15a75bcb580e8ee7e3acee9230267afb120fca727a3852262ab4314f6b798fe02845818070885f3ed23f4979d8d233ed34f70b592e00656d6abc9bc64f35e684"
+          "content": "cf17d7ea20823c58484171fea21dbfa1545d8b494c7b3a25b8b4517e982ca377dd3f3f0959481e0110611d405b7f8d9e28a97838843e30c1d8d94ad6dd2a549d"
         }
       ]
     },
@@ -2471,11 +2486,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "d6ea35136f93eb4aa75b65a5ae402353b0e2c63a83acece1606fe3f5d1ec6a8d"
+          "content": "6174a20b777a82c83941ef64d27e8c7e4091649358930ac1ba564a0ad4d9399f"
         },
         {
           "alg": "SHA3-512",
-          "content": "9a2a33d2867ce2f8dc063a4005807ac6d8002c32545eee268f417e60d1e076b48c710a21eea09c04e9ab383e4b7fa9f292eddeeb2cc1ac744348eca96a68cd01"
+          "content": "550ca5bec39365ff37bcbf607a5d06c5a59be78832c6845c7c2edc8d518a9a62d5a794728403878e303686e779da5ba2cd39e88f212bd9fe1a7a0b1427f36def"
         }
       ]
     },
@@ -2561,11 +2576,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "331a0248dd8ed3b509b759c41a9a4d6d8d6dc67fb732ad31d1a4c2d9a0865054"
+          "content": "dd89c729e7bbfa3c9455dec9b986455dec3c720249c559d2195179a5cbbb2933"
         },
         {
           "alg": "SHA3-512",
-          "content": "f73a601d687c506cd75c28b19f3a14ffa47b5267f1e4a558f2b12d9e89739f636fe7fedef901e3ffec4556f0e5b77ca979cfdca5a26a46d2dd56ae422638b4db"
+          "content": "bf3fccad2e6e7b6027cd65c16336412e12b84fa388454b8d030ad610c3e56e17611eb815ab8288b76d3e29654b41be7db6162d868b4d6316a331fd7d1c039b29"
         }
       ]
     },
@@ -2576,11 +2591,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "b5183b5ea6fad6986500d7a04e83239a5fbf4272eaa6888b8be6420ce3d36ac5"
+          "content": "d59a136aa6478b069975b2406c4e3be4b227273641b054852ebc6eedeebd3754"
         },
         {
           "alg": "SHA3-512",
-          "content": "5a93ddf19de835eac986ba1b196392ac170feb2f54a6ee1d2e5741e88af7c09fb8bc96919691e0d32f92ddd82e425c92b9c42fa45f1a4af50aee32e481c188a3"
+          "content": "52d7570873bc806c7637e9093567e81107d9c6a675f6d7d6a208159a15c453129148e598c4999932238aaaa8fa48d068fd6fbc7119021a17a44777443cb5430f"
         }
       ]
     },
@@ -2726,11 +2741,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "bf3ded40e84443400c9bec8634e0d6a14c9633e569d8c2e26f9d5881f8e78dff"
+          "content": "89ac89084391d2341b6513fefb1be2d36b93de1c130f057696219c1c59440f13"
         },
         {
           "alg": "SHA3-512",
-          "content": "6952fdea45280bc850acc909cec1df1da86e127ba98ec326552809a2d63dad2c9e7f6e9211978f360996841bdceba7fd6371edb09ae52ef0c6d4961d08a45662"
+          "content": "dc78cd7182350ce1048e2d49cacca299fa4942e398f5d75e6e27020d04e6a4af7963d495f992594469678b8c091bd071612d40a2baa47069837497f33f7f61c6"
         }
       ]
     },
@@ -2801,11 +2816,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "d3ad18562a6083fb773347e24b6fcda2adcb68b4269e29df53b5afeb113cf7b0"
+          "content": "792c6f48a7ff06785c24258cac1714068feafefb3f8f05e6c62ddce2f2f9128d"
         },
         {
           "alg": "SHA3-512",
-          "content": "571ceeb55a9da0e4cddf7e0147f1186431b01de540f78dba2397be986b06e56ad1e9eafbb9df55a2e66152bcbddd12626f7a4cb2c9ab043929426cb45ffed94e"
+          "content": "bb5b9ff697427b603bfa2aff6b06d1260cd19bdf4aca8406403061b8190e571c4b59a8d68677e9ddb4508712f5319488cdff7f689eecf517942020ed8bed7997"
         }
       ]
     },
@@ -2831,11 +2846,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "0f55168c5cbcf8f8ad2760e7f782ca171a1a82a1f92c5123cb3c80d769386c7a"
+          "content": "dc8ceab8f69af370abb1165ed14ead6f3e9d236a8f703165eba52014ebfd43ab"
         },
         {
           "alg": "SHA3-512",
-          "content": "2808a09b0e7c16a0802d1b02de7d3e80c45229dddcbb97bae2fc2194ccca784097883b18a04207c0f0b2e1b54ef599e224f7fdb3cc74d34df0a29a7060921bb3"
+          "content": "b08fe447bf5cc57f967207ad2926b139446f3034cb5145bad83918531fd4bcf5b1ee3f97db538ab4932407face1b922ea399c266f35b56005c4d73fd82a24fe1"
         }
       ]
     },

package/scripts/audit-cross-skill.js

@@ -228,7 +228,12 @@ if (badgeMatch && Number(badgeMatch[1]) !== skills.length) {
 const jurBadge = readme.match(/jurisdictions-(\d+)-/);
 const liveJurs = (() => {
   const g = JSON.parse(fs.readFileSync(ABS("data/global-frameworks.json"), "utf8"));
-  return Object.keys(g).filter((k) => !k.startsWith("_") && k !== "GLOBAL").length;
+  // Canonical jurisdiction count: every non-metadata top-level entry in the
+  // registry. GLOBAL (the International / Multi-Jurisdiction standards scope:
+  // ISO, CSA, CIS) is a counted entry, matching the README badge and the
+  // catalog-summary index. Only `_`-prefixed keys (_meta, _notification_summary,
+  // _patch_sla_summary) are metadata and excluded.
+  return Object.keys(g).filter((k) => !k.startsWith("_")).length;
 })();
 if (jurBadge && Number(jurBadge[1]) !== liveJurs) {
   note(`README BADGE DRIFT: shows jurisdictions-${jurBadge[1]}- but live count is ${liveJurs}`);

package/scripts/builders/catalog-summaries.js

@@ -19,9 +19,9 @@ const CATALOG_PURPOSES = {
   "cve-catalog.json": "Per-CVE record (CVSS, EPSS, CISA KEV, RWEP, AI-discovery, vendor advisories, framework gaps, ATLAS/ATT&CK mappings). Cross-validated against NVD + CISA KEV + FIRST EPSS via validate-cves.",
   "cwe-catalog.json": "MITRE CWE entries used by the project (subset with skill citations), with severity hint and category. Pinned to a CWE catalog version.",
   "atlas-ttps.json": "MITRE ATLAS TTPs (AML.T0xxx) cited by skills, with tactic, name, description. Pinned to ATLAS v5.6.0 (May 2026).",
-  "d3fend-catalog.json": "MITRE D3FEND countermeasures (D3-xxx) keyed by id, with tactic + name. Pinned to D3FEND v1.0.0 release.",
+  "d3fend-catalog.json": "MITRE D3FEND countermeasures (D3-xxx) keyed by id, with tactic + name. Pinned to D3FEND v1.3.0 release.",
   "framework-control-gaps.json": "Per-control framework gap declarations: SI-2, A.8.8, PCI 6.3.3, etc. Each entry names the control, the lag, the evidence CVE, and remediation guidance.",
-  "global-frameworks.json": "Multi-jurisdiction framework registry: 35 jurisdictions × applicable frameworks × patch_sla / notification_sla / critical_controls / framework_gaps. Cross-cutting authority for jurisdiction-clocks index.",
+  "global-frameworks.json": "Multi-jurisdiction framework registry: per-jurisdiction applicable frameworks × patch_sla / notification_sla / critical_controls / framework_gaps (jurisdiction count is reported by entry_count, not duplicated here). Cross-cutting authority for jurisdiction-clocks index.",
   "exploit-availability.json": "Per-CVE exploit availability: PoC public status, weaponization signal, AI-assist status, blast-radius. Project-curated (B2 Admiralty confidence) with source citations.",
   "zeroday-lessons.json": "Distilled lessons from notable zero-days and campaigns (SesameOp, Copy Fail, Dirty Frag, Copilot RCE, Windsurf MCP). Each entry: technique, distinguishing characteristic, what it means for the framework lag.",
   "rfc-references.json": "IETF RFCs + active Internet-Drafts cited by skills (TLS, IPsec, PQ crypto migration, HTTP/3, CT). Cross-validated against IETF Datatracker via validate-rfcs.",

package/scripts/sync-manifest-metadata.js

@@ -0,0 +1,88 @@
+#!/usr/bin/env node
+"use strict";
+/**
+ * scripts/sync-manifest-metadata.js
+ *
+ * The per-skill `forward_watch` and `last_threat_review` fields in
+ * manifest.json are a cache of the authoritative values in each skill's
+ * frontmatter. There was no step that refreshed that cache, so editing a
+ * skill's frontmatter (e.g. bumping last_threat_review on a threat-review
+ * pass, or rewording a forward_watch item) left the manifest copy stale.
+ * Over time the two diverged on dozens of skills.
+ *
+ * This script rewrites the manifest's `forward_watch` and
+ * `last_threat_review` for every skill from that skill's frontmatter, which
+ * is the single source of truth (the linter and the staleness gate both read
+ * frontmatter). Run it whenever skill frontmatter changes, then re-run the
+ * sign-all step so the refreshed manifest is signed.
+ *
+ * tests/manifest-frontmatter-sync.test.js fails the suite if the cache ever
+ * drifts again, so a missed run is caught before release rather than shipping
+ * a manifest that contradicts its own skill bodies.
+ *
+ * Exit codes: 0 = wrote (or already in sync), 1 = a skill file was missing or
+ * its frontmatter failed to parse.
+ */
+
+const fs = require("fs");
+const path = require("path");
+const lint = require("../lib/lint-skills.js");
+
+const ROOT = path.resolve(__dirname, "..");
+const MANIFEST = path.join(ROOT, "manifest.json");
+
+// The frontmatter fields the manifest caches and must mirror verbatim.
+const MIRRORED_SCALAR = ["last_threat_review"];
+const MIRRORED_ARRAY = ["forward_watch"];
+
+function skillFrontmatter(id) {
+  const p = path.join(ROOT, "skills", id, "skill.md");
+  if (!fs.existsSync(p)) return null;
+  const { frontmatter } = lint.extractFrontmatterBlock(fs.readFileSync(p, "utf8"));
+  return lint.parseFrontmatter(frontmatter);
+}
+
+function sync() {
+  const manifest = JSON.parse(fs.readFileSync(MANIFEST, "utf8"));
+  let changed = 0;
+  const errors = [];
+  for (const entry of manifest.skills) {
+    const id = entry.id || entry.name;
+    let fm;
+    try {
+      fm = skillFrontmatter(id);
+    } catch (e) {
+      errors.push(`${id}: frontmatter parse failed — ${e.message}`);
+      continue;
+    }
+    if (!fm) {
+      errors.push(`${id}: skill.md not found`);
+      continue;
+    }
+    for (const key of MIRRORED_SCALAR) {
+      if (key in fm && entry[key] !== fm[key]) {
+        entry[key] = fm[key];
+        changed++;
+      }
+    }
+    for (const key of MIRRORED_ARRAY) {
+      const want = Array.isArray(fm[key]) ? fm[key] : [];
+      const have = Array.isArray(entry[key]) ? entry[key] : [];
+      if (JSON.stringify(have) !== JSON.stringify(want)) {
+        entry[key] = want;
+        changed++;
+      }
+    }
+  }
+  if (errors.length) {
+    for (const e of errors) process.stderr.write(`[sync-manifest-metadata] ${e}\n`);
+    process.exitCode = 1;
+    return;
+  }
+  if (changed > 0) {
+    fs.writeFileSync(MANIFEST, JSON.stringify(manifest, null, 2) + "\n");
+  }
+  process.stdout.write(`[sync-manifest-metadata] ${changed} field(s) synced from frontmatter\n`);
+}
+
+sync();

package/skills/age-gates-child-safety/skill.md

@@ -420,7 +420,7 @@ Ask: "Under COPPA, AADC, DSA Art. 28(2), and ANPD 2024 Guide, behavioural advert
 
 ## Defensive Countermeasure Mapping
 
-Per AGENTS.md optional 8th section (required for skills shipped on or after 2026-05-11). Maps the offensive findings of this skill to MITRE D3FEND v1.0+ countermeasure references from `data/d3fend-catalog.json`, with explicit defense-in-depth layer position, least-privilege scope, zero-trust posture, and AI-pipeline applicability per Hard Rule #9.
+Per AGENTS.md optional 8th section (required for skills shipped on or after 2026-05-11). Maps the offensive findings of this skill to MITRE D3FEND v1.3.0+ countermeasure references from `data/d3fend-catalog.json`, with explicit defense-in-depth layer position, least-privilege scope, zero-trust posture, and AI-pipeline applicability per Hard Rule #9.
 
 | D3FEND ID | Technique | Child-Safeguarding Layer Position | Least-Privilege Scope | Zero-Trust Posture | AI-Pipeline Applicability (Hard Rule #9) |
 |---|---|---|---|---|---|

package/skills/ai-attack-surface/skill.md

@@ -309,7 +309,7 @@ The assessment produces a structured AI Attack Surface Assessment report. The sh
 
 ## Defensive Countermeasure Mapping
 
-D3FEND v1.0+ references from `data/d3fend-catalog.json`. The AI attack surface enumerated above lands on five primary defensive techniques. Each entry below identifies which ATLAS TTP class the countermeasure addresses and the defense-in-depth layer it occupies.
+D3FEND v1.3.0+ references from `data/d3fend-catalog.json`. The AI attack surface enumerated above lands on five primary defensive techniques. Each entry below identifies which ATLAS TTP class the countermeasure addresses and the defense-in-depth layer it occupies.
 
 | D3FEND ID | Name | Layer | Rationale (what it counters here) |
 |---|---|---|---|

package/skills/ai-c2-detection/skill.md

@@ -413,7 +413,7 @@ For every identity flagged in Step 2, every prompt flagged in Step 3, every Sesa
 
 ## Defensive Countermeasure Mapping
 
-D3FEND v1.0+ references from `data/d3fend-catalog.json`. Maps the SesameOp / PROMPTFLUX / PROMPTSTEAL detection surfaces to the defense-in-depth layer they actually live on.
+D3FEND v1.3.0+ references from `data/d3fend-catalog.json`. Maps the SesameOp / PROMPTFLUX / PROMPTSTEAL detection surfaces to the defense-in-depth layer they actually live on.
 
 | D3FEND ID | Name | Layer | Rationale (what it counters here) |
 |---|---|---|---|

package/skills/attack-surface-pentest/skill.md

@@ -376,7 +376,7 @@ Apply each of the following tests to a candidate "we have a pen test" assertion.
 
 ## Defensive Countermeasure Mapping (D3FEND)
 
-The findings the pen test typically produces map to D3FEND v0.10+ defensive countermeasures from `data/d3fend-catalog.json`. The table below is the recommended-counter cross-walk used in section 8 of the output format.
+The findings the pen test typically produces map to D3FEND v1.3.0+ defensive countermeasures from `data/d3fend-catalog.json`. The table below is the recommended-counter cross-walk used in section 8 of the output format.
 
 | Typical finding | D3FEND ID | What the counter actually does |
 |---|---|---|

package/skills/defensive-countermeasure-mapping/skill.md

@@ -79,7 +79,7 @@ The skill exists because the inverse direction — given a CVE or TTP, produce t
 
 ## Framework Lag Declaration
 
-No major compliance framework requires technique-grained defensive mapping. Each requires controls; none require controls expressed in the D3FEND technique taxonomy that mirrors ATT&CK and ATLAS. The MITRE ATT&CK Mappings v17 project (the NIST 800-53 → ATT&CK and D3FEND → NIST 800-53 crosswalks) provides the bridge, but operator awareness is limited and no framework yet requires its use.
+No major compliance framework requires technique-grained defensive mapping. Each requires controls; none require controls expressed in the D3FEND technique taxonomy that mirrors ATT&CK and ATLAS. The MITRE Center for Threat-Informed Defense ATT&CK Mappings project (the NIST 800-53 → ATT&CK and D3FEND → NIST 800-53 crosswalks) provides the bridge, but its latest published crosswalk targets ATT&CK Enterprise v16.1 — lagging the current v19.0 matrix — operator awareness is limited, and no framework yet requires its use.
 
 | Jurisdiction | Framework / Control | What It Requires | Why It Is Insufficient at D3FEND Grain |
 |---|---|---|---|
@@ -290,7 +290,7 @@ This skill is itself the canonical mapper. The section name doubles as the secti
 
 The cross-walks the skill maintains:
 
-- **ATT&CK → D3FEND.** Sourced from the MITRE ATT&CK Mappings v17 NIST 800-53 → ATT&CK and D3FEND → ATT&CK crosswalks, materialized locally in `data/d3fend-catalog.json` as the `counters_attack_techniques` array on every D3FEND entry. To map an ATT&CK T-number to D3FEND, scan every catalog entry and collect those whose `counters_attack_techniques` includes the T-number. This skill never invents a mapping not present in the catalog; if a T-number has no coverage, the absence is a finding routed to `zeroday-gap-learn`.
+- **ATT&CK → D3FEND.** Sourced from the MITRE Center for Threat-Informed Defense ATT&CK Mappings NIST 800-53 → ATT&CK and D3FEND → ATT&CK crosswalks (latest crosswalk targets ATT&CK Enterprise v16.1; the live matrix is v19.0), materialized locally in `data/d3fend-catalog.json` as the `counters_attack_techniques` array on every D3FEND entry. To map an ATT&CK T-number to D3FEND, scan every catalog entry and collect those whose `counters_attack_techniques` includes the T-number. This skill never invents a mapping not present in the catalog; if a T-number has no coverage, the absence is a finding routed to `zeroday-gap-learn`.
 
 - **ATLAS → D3FEND.** Sourced from cross-references in `data/atlas-ttps.json` (each ATLAS entry's defensive references) and from `data/d3fend-catalog.json` (each D3FEND entry's `counters_attack_techniques` array, which carries AML.T-numbers in addition to T-numbers). To map an AML.T technique to D3FEND, scan the catalog the same way as for ATT&CK. The bidirectional consistency is enforced by `lib/lint-skills.js` and by the schemas declared in the catalog `_meta` blocks.
 

package/skills/dlp-gap-analysis/skill.md

@@ -318,7 +318,7 @@ Ask: "A customer files a Data Subject Access Request under GDPR Art 15, LGPD Art
 
 ## Defensive Countermeasure Mapping
 
-D3FEND v1.0+ countermeasure references from `data/d3fend-catalog.json`. Indicates which D3FEND defenses are the primary control category for each DLP channel.
+D3FEND v1.3.0+ countermeasure references from `data/d3fend-catalog.json`. Indicates which D3FEND defenses are the primary control category for each DLP channel.
 
 | DLP Channel | Primary D3FEND Defense | Secondary D3FEND Defenses | Notes |
 |---|---|---|---|

package/skills/mcp-agent-trust/skill.md

@@ -353,7 +353,7 @@ For ephemeral / serverless AI-pipeline contexts (per AGENTS.md rule #9): live SL
 
 ## Defensive Countermeasure Mapping
 
-D3FEND v1.0+ references from `data/d3fend-catalog.json`. MCP trust failures land on a tightly bounded set of defensive techniques because the attack surface is structural: a tool registered in `mcp.json` runs with the AI assistant's authority unless the listed controls intervene.
+D3FEND v1.3.0+ references from `data/d3fend-catalog.json`. MCP trust failures land on a tightly bounded set of defensive techniques because the attack surface is structural: a tool registered in `mcp.json` runs with the AI assistant's authority unless the listed controls intervene.
 
 | D3FEND ID | Name | Layer | Rationale (what it counters here) |
 |---|---|---|---|

package/skills/rag-pipeline-security/skill.md

@@ -308,7 +308,7 @@ For ephemeral / serverless RAG pipelines (per AGENTS.md rule #9): embedding-dist
 
 ## Defensive Countermeasure Mapping
 
-D3FEND v1.0+ references from `data/d3fend-catalog.json`. The five RAG attack classes above map to the following defensive techniques. Coverage for RAG pipelines is uneven across enterprises in mid-2026 — most have `D3-NTA` on the network layer and nothing else.
+D3FEND v1.3.0+ references from `data/d3fend-catalog.json`. The five RAG attack classes above map to the following defensive techniques. Coverage for RAG pipelines is uneven across enterprises in mid-2026 — most have `D3-NTA` on the network layer and nothing else.
 
 | D3FEND ID | Name | Layer | Rationale (what it counters here) |
 |---|---|---|---|

package/skills/researcher/skill.md

@@ -222,11 +222,15 @@ Use this mapping. Pick one primary route and zero-or-more secondary routes.
 - Financial cyber / banking cyber / DORA TLPT / PSD2 SCA / SWIFT CSCF / NYDFS 23 NYCRR 500 / FFIEC / MAS TRM / APRA CPS 234 / TIBER-EU / CBEST question → `sector-financial`
 - Federal cyber / government cyber / FedRAMP / CMMC / EO 14028 / NIST 800-171 CUI / FISMA / M-22-09 Zero Trust / OMB M-24-04 AI / CISA BOD/ED question → `sector-federal-government`
 - Energy cyber / electric grid cyber / NERC CIP / TSA pipeline / AWWA water / EU NCCS-G / AESCSF / DER cyber / inverter security / smart meter cyber question → `sector-energy`
+- Telecom / 5G core / Salt Typhoon / Volt Typhoon / SS7 / Diameter / GTP / lawful intercept / CALEA / FCC CPNI / O-RAN / GSMA NESAS / 3GPP TS 33.501 question → `sector-telecom`
 - API security / OWASP API Top 10 / BOLA / BFLA / mass assignment / GraphQL / gRPC / WebSocket / API gateway / rate limit policy question → `api-security`
 - Cloud security / CSPM / CWPP / CNAPP / CSA CCM / AWS / Azure / GCP / shared responsibility / workload identity / cloud IAM question → `cloud-security`
 - Container security / Kubernetes / CIS K8s Benchmark / Pod Security Standards / Kyverno / Gatekeeper / Falco / Tetragon / admission policy / NetworkPolicy question → `container-runtime-security`
 - MLOps security / training data integrity / model registry / model signing / drift detection / MLflow / Kubeflow / Vertex AI / SageMaker / Hugging Face question → `mlops-security`
 - Incident response / IR playbook / PICERL / NIST 800-61 / ISO 27035 / breach notification / BEC incident / AI-class incident handling question → `incident-response-playbook`
+- Ransomware incident / encryption event / LockBit / ALPHV / Akira / RansomHub / Hunters International / ransom payment / OFAC sanctions screening / decryptor availability question → `ransomware-response`
+- Cloud-IAM incident / AWS account takeover / GCP service-account compromise / Azure managed-identity replay / access-key leak / IAM role-assumption abuse / cross-account assume-role / IMDS SSRF / CloudTrail anomaly question → `cloud-iam-incident`
+- IdP incident / Okta / Entra ID / Auth0 / Ping / OneLogin tenant compromise / federated-trust abuse / OAuth consent abuse / SAML-OIDC token forgery / Midnight Blizzard / Scattered Spider question → `idp-incident-response`
 - Email security / anti-phishing / SPF / DKIM / DMARC / BIMI / ARC / MTA-STS / BEC / vishing / deepfake / AI-augmented phishing question → `email-security-anti-phishing`
 - Age gate / age verification / age assurance / child online safety / COPPA / CIPA / California AADC / UK Children's Code / KOSA / GDPR Art. 8 / DSA Art. 28 / parental consent / CSAM detection question → `age-gates-child-safety`