@blamejs/exceptd-skills 0.14.11 → 0.14.13

package/manifest.json

@@ -1,6 +1,6 @@
 {
   "name": "exceptd-security",
-  "version": "0.14.11",
+  "version": "0.14.13",
   "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation",
   "homepage": "https://exceptd.com",
   "license": "Apache-2.0",
@@ -53,7 +53,7 @@
       ],
       "last_threat_review": "2026-05-15",
       "signature": "lXhZgoIrrVloO3XaTvo/43AxZn4mwErstd7DR0O/oVhD3AOGODM4HqrageYEou9WKOdMEGP5mJNTjJsXdP5NDA==",
-      "signed_at": "2026-05-27T20:34:53.045Z",
+      "signed_at": "2026-05-27T22:15:41.262Z",
       "cwe_refs": [
         "CWE-125",
         "CWE-362",
@@ -123,7 +123,7 @@
       ],
       "last_threat_review": "2026-05-17",
       "signature": "ztSKk/zFMFbT12qRcEeBKpydBn7fTT86KxMmor0DTCoKQWk5fJ0fSInfP1XMSB6rFk4/SuSjKVxQRMKVJ5a+Cg==",
-      "signed_at": "2026-05-27T20:34:53.047Z",
+      "signed_at": "2026-05-27T22:15:41.263Z",
       "cwe_refs": [
         "CWE-1039",
         "CWE-1426",
@@ -196,7 +196,7 @@
       ],
       "last_threat_review": "2026-05-17",
       "signature": "K6QdPHNK5c4K5QFjrW0QsUhjp71D7SOisSoulwPNSvKRdi2rY+yg0kdckijBMkLMsVPyUvcC9giu93mKJ1OZDg==",
-      "signed_at": "2026-05-27T20:34:53.047Z",
+      "signed_at": "2026-05-27T22:15:41.264Z",
       "cwe_refs": [
         "CWE-22",
         "CWE-345",
@@ -248,7 +248,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-22",
       "signature": "Qd3SBWmUAaaT++e1Ry2wBIz/dCBmNBMl0+4Rb0etvJLES0fIBEAkU1mTbgNZnT5XOg9J5twdUpymWtmKnDDQCQ==",
-      "signed_at": "2026-05-27T20:34:53.048Z"
+      "signed_at": "2026-05-27T22:15:41.264Z"
     },
     {
       "name": "compliance-theater",
@@ -279,7 +279,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "F2Shxae0ua0gPtvwzTRVzzHaIgJcFDRT3/akLUAZ4aaMQhkleKkcTaTpkjp+pTVEdPfLeLGNCeAOMs+whVYOBg==",
-      "signed_at": "2026-05-27T20:34:53.048Z"
+      "signed_at": "2026-05-27T22:15:41.265Z"
     },
     {
       "name": "exploit-scoring",
@@ -308,7 +308,7 @@
       ],
       "last_threat_review": "2026-05-18",
       "signature": "NA1hoQycvQhSUoG5rwlXX0mOVmGxoXRVezkELGEA2nZOdGis4gXkHT3O6Sfw7zxE4JuMrsCb65TEeOWk9WEPDg==",
-      "signed_at": "2026-05-27T20:34:53.049Z"
+      "signed_at": "2026-05-27T22:15:41.265Z"
     },
     {
       "name": "rag-pipeline-security",
@@ -345,7 +345,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "W3pS8lnaCP96TQzsJpG5d5yv5IwgaQyS4Z2Ctcz5BOJf6LbajSIgeDgTZ4f4Bhr5m4E7KsgWGjZS4x7Fwd33BQ==",
-      "signed_at": "2026-05-27T20:34:53.049Z",
+      "signed_at": "2026-05-27T22:15:41.265Z",
       "cwe_refs": [
         "CWE-1395",
         "CWE-1426"
@@ -405,7 +405,7 @@
       ],
       "last_threat_review": "2026-05-17",
       "signature": "/WDGygh1Ck4yWlBWDGtEUVCqKB8d+UaJXoAoBXujtt+GAl8JbMNpaN1TvI0WkEltQ9dTxaAzSn20/eVDqv8iDQ==",
-      "signed_at": "2026-05-27T20:34:53.049Z",
+      "signed_at": "2026-05-27T22:15:41.266Z",
       "d3fend_refs": [
         "D3-CA",
         "D3-CSPP",
@@ -440,7 +440,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-22",
       "signature": "za1NKBpy9LC91F/ESO/qhUfmvVr8GNItQOjR5OJLeHm+2dQ9HHiFWQK2eo53V/n/0uhubuggURA3yS6kJuWwBg==",
-      "signed_at": "2026-05-27T20:34:53.050Z",
+      "signed_at": "2026-05-27T22:15:41.266Z",
       "cwe_refs": [
         "CWE-1188"
       ],
@@ -474,7 +474,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-18",
       "signature": "xiHAhhdufm9hCKU8PLiPE0MX65ej2F4OZwtlWLGLCiie9/km+Kiqbt192LcMvr94v83C98pb9wIaqFsFWft6AQ==",
-      "signed_at": "2026-05-27T20:34:53.050Z",
+      "signed_at": "2026-05-27T22:15:41.266Z",
       "forward_watch": [
         "New AI attack classes as ATLAS v6 publishes",
         "Post-quantum adversary capability timeline",
@@ -513,7 +513,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "oYsSk35N2Uzq7MRofACykylcVwkgPhI4luWZ14vmQT+gUKLyZiKVOUJbe1+7lGl6BYPRN0sUDQ0f7S5Eu5w2Ag==",
-      "signed_at": "2026-05-27T20:34:53.051Z"
+      "signed_at": "2026-05-27T22:15:41.267Z"
     },
     {
       "name": "zeroday-gap-learn",
@@ -540,7 +540,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-18",
       "signature": "igRqYyU1unRFH40BsPyAR62SPrk8QZv8dPGb8S9O9EvLCNOZAzm3t+HdT/NKqzWHwrpomOzkkkyLfYI/0qTUDA==",
-      "signed_at": "2026-05-27T20:34:53.051Z",
+      "signed_at": "2026-05-27T22:15:41.267Z",
       "forward_watch": [
         "New CISA KEV entries",
         "New ATLAS TTP additions in each ATLAS release",
@@ -604,7 +604,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "i/17u4kJiSpcZAz7LnTyRePFugQOstQ1P4kVoe0oGf4E2/j8oIN9U9DccjUn/YHZhKWIJ2AILG/DMhvMrr3bBg==",
-      "signed_at": "2026-05-27T20:34:53.051Z",
+      "signed_at": "2026-05-27T22:15:41.267Z",
       "cwe_refs": [
         "CWE-327"
       ],
@@ -652,7 +652,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "QuOVaQ4E2Sl39TClbhZ7HA9XrYAyRrDL44HY3RTE7aWLue0hV2cxaBt40ALGmHS++631QGFDlZTLZI77Tr6nAA==",
-      "signed_at": "2026-05-27T20:34:53.052Z"
+      "signed_at": "2026-05-27T22:15:41.268Z"
     },
     {
       "name": "security-maturity-tiers",
@@ -689,7 +689,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "8Px1s2lDj10/Q6erwEQlXgUHM1+OTruUR8qAHPX7Oo3k/l69N6P9sm0PsafS9wDFtj9l5C/OiLiFgzMlMt6vBw==",
-      "signed_at": "2026-05-27T20:34:53.052Z",
+      "signed_at": "2026-05-27T22:15:41.268Z",
       "cwe_refs": [
         "CWE-1188"
       ]
@@ -724,7 +724,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-11",
       "signature": "urRcataVWg6/utyEkSiOWoNxTL8sABRjPR7ShyDfZGnAozFph/yDktSoaPVxQDXwu9EfJE+qhUW5OYR/yJECBQ==",
-      "signed_at": "2026-05-27T20:34:53.052Z"
+      "signed_at": "2026-05-27T22:15:41.269Z"
     },
     {
       "name": "attack-surface-pentest",
@@ -796,7 +796,7 @@
         "Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — Microsoft Edge 4-bug sandbox escape by Orange Tsai (DEVCORE); forward-watch only (browser sandbox, out of current playbook scope); track Microsoft Edge security advisory and KEV add"
       ],
       "signature": "C7lv65/Ecm8JJgSKxrX5lxx0YFzKWtrIQSKp+vy50I5e8945s1JmifGUUrnQwRQhq/Pkv7EmfiH5XSO8h75bDg==",
-      "signed_at": "2026-05-27T20:34:53.053Z"
+      "signed_at": "2026-05-27T22:15:41.269Z"
     },
     {
       "name": "fuzz-testing-strategy",
@@ -856,7 +856,7 @@
         "OSS-Fuzz-Gen / AI-assisted harness generation becoming the default expectation for OSS maintainers"
       ],
       "signature": "Z7ypCUnXx8JpLtgxxB6RHNi39w74AmrGY1N4ofAGCXhkuM2EaFVm1AU0dvl9UQ1bVLfHKEDGqMO/TwlIY7RABg==",
-      "signed_at": "2026-05-27T20:34:53.053Z"
+      "signed_at": "2026-05-27T22:15:41.269Z"
     },
     {
       "name": "dlp-gap-analysis",
@@ -931,7 +931,7 @@
         "Quebec Law 25, India DPDPA, KSA PDPL enforcement actions naming AI-tool prompt data as in-scope personal information"
       ],
       "signature": "IgEnpHOhCftAyfUNdKsjbrd169T9pJkk/rRM2ZEna+H18y7p5x48+1kME2sJMZjJuyAdQFBJi8PJXZFwLGI+DQ==",
-      "signed_at": "2026-05-27T20:34:53.053Z"
+      "signed_at": "2026-05-27T22:15:41.270Z"
     },
     {
       "name": "supply-chain-integrity",
@@ -1010,7 +1010,7 @@
         "Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — NVIDIA Megatron Bridge path traversal by haehae; AI training-stack file-system trust boundary; track patch and SBOM-attestation impact"
       ],
       "signature": "pcLrM98A3vUSZRjwNAk0aZ9umvOwB41XCLLsCOy/IebB2F/06oIrGUKkMHtHwm4pTVPShMMcKdZQQ3jz30FnCg==",
-      "signed_at": "2026-05-27T20:34:53.054Z"
+      "signed_at": "2026-05-27T22:15:41.270Z"
     },
     {
       "name": "defensive-countermeasure-mapping",
@@ -1067,7 +1067,7 @@
       ],
       "last_threat_review": "2026-05-11",
       "signature": "G5q5elh7Q7eu2xcwTVQJGDTGfvZR0OGQaLSLJPb2wjzCHFF8PWuZfCHZdjjqisiRzRWPyLlzgfHeMJqOdy7cBw==",
-      "signed_at": "2026-05-27T20:34:53.054Z"
+      "signed_at": "2026-05-27T22:15:41.270Z"
     },
     {
       "name": "identity-assurance",
@@ -1134,7 +1134,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "Wv5hGMeHjlaQK1zwicVCA7AvdKgJBgvcjdpGM9Ywahh9tagAKhbkOjybowDQZzu7OZ3bDkbh6pBYc1Sdwr6NAA==",
-      "signed_at": "2026-05-27T20:34:53.054Z"
+      "signed_at": "2026-05-27T22:15:41.271Z"
     },
     {
       "name": "ot-ics-security",
@@ -1190,7 +1190,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "8t5qKHd3yWi57dvG36YQkLN/X9bQWqtEiYjay4IfSmqhJpM/xXPaQVKNGz3wscrO8OLKUZ0OaX7Mj5kzpgBKBQ==",
-      "signed_at": "2026-05-27T20:34:53.055Z"
+      "signed_at": "2026-05-27T22:15:41.271Z"
     },
     {
       "name": "coordinated-vuln-disclosure",
@@ -1242,7 +1242,7 @@
         "NYDFS 23 NYCRR 500 amendments potentially adding explicit CVD program requirements"
       ],
       "signature": "GDGt4UPqBa04PjlpSmpyihGzd3OgfBN7jaAK5tfwp+LRSs3ygKOdbeivUCCHNagTY1hE6hG2Ou40ADfBFuXeAg==",
-      "signed_at": "2026-05-27T20:34:53.055Z"
+      "signed_at": "2026-05-27T22:15:41.271Z"
     },
     {
       "name": "threat-modeling-methodology",
@@ -1292,7 +1292,7 @@
         "PASTA v2 updates incorporating AI/ML application threats"
       ],
       "signature": "rFBpOQEJUPpl+v88Lw/WqVJRhTl80vy0VbPAbzQj3Q0suJRRrJg368I9uKu5LXIBKFDvKxnGIcIzbGg9NUtaCA==",
-      "signed_at": "2026-05-27T20:34:53.055Z"
+      "signed_at": "2026-05-27T22:15:41.272Z"
     },
     {
       "name": "webapp-security",
@@ -1366,7 +1366,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "ux85YI4t2mVHOyt744Yin1HHy+z11JIFygjKfFfQOBBl5QVV3A267jeIy7utix85irMcpZm/T3yx/ooqiK2tBA==",
-      "signed_at": "2026-05-27T20:34:53.056Z",
+      "signed_at": "2026-05-27T22:15:41.272Z",
       "forward_watch": [
         "NGINX Rift CVE-2026-42945 (disclosed 2026-05-13, source depthfirst) — KEV-watch predicted CISA KEV listing by 2026-05-29; AI-assisted discovery angle; track for active-exploitation confirmation and patch advisory affecting front-door web app deployments"
       ]
@@ -1419,7 +1419,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-15",
       "signature": "IIXnkZ5ZNqFwOto5KfytADTLLZLoyXNZACD1ORZ40P1HUAQxe6u2uyXFzzsfuob4Uy06jNkRGr2FFgCphUH1Cw==",
-      "signed_at": "2026-05-27T20:34:53.056Z"
+      "signed_at": "2026-05-27T22:15:41.272Z"
     },
     {
       "name": "sector-healthcare",
@@ -1479,7 +1479,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "AhF9KF8ZBlDteciV+F8IBSmFVYCvQOn44GmD4rZjgLoPxfIv/QE1/vSkK32zyqDKtHWkLSXExbkkPkxA/V6dDw==",
-      "signed_at": "2026-05-27T20:34:53.057Z"
+      "signed_at": "2026-05-27T22:15:41.273Z"
     },
     {
       "name": "sector-financial",
@@ -1560,7 +1560,7 @@
         "TIBER-EU framework v2.0 alignment with DORA TLPT RTS (JC 2024/40); cross-recognition with CBEST and iCAST"
       ],
       "signature": "HQgZvb4ReziEz5rNFr8i/O8/rJEZR+iHRROT7m/D2QUqhrcNISPkYXENsUZlG8xapzy/Ik92ehkseyj4hdmhCQ==",
-      "signed_at": "2026-05-27T20:34:53.057Z"
+      "signed_at": "2026-05-27T22:15:41.273Z"
     },
     {
       "name": "sector-federal-government",
@@ -1629,7 +1629,7 @@
         "Australia PSPF 2024 revision and ISM quarterly updates — track for Essential Eight Maturity Level requirements for federal entities"
       ],
       "signature": "linxmsXZiOYtcs71sSWgGCrvb8xQfmxmtTY5PRvZJ0/8FgJulo0tQtejzexYG775s7XhjAmGsDP238BQTQ8ADA==",
-      "signed_at": "2026-05-27T20:34:53.057Z"
+      "signed_at": "2026-05-27T22:15:41.274Z"
     },
     {
       "name": "sector-energy",
@@ -1694,7 +1694,7 @@
         "ICS-CERT advisory feed (https://www.cisa.gov/news-events/cybersecurity-advisories/ics-advisories) for vendor CVEs in Siemens, Rockwell, Schneider Electric, ABB, GE Vernova, Hitachi Energy, AVEVA / OSIsoft PI"
       ],
       "signature": "JjBfc0ovta560Clk0x3QGRM5osFJDwcvpy3rT7QEGdCIL827jzE8QCow1C8deXq+4JhY2sA/d7/8IsxikdlkCg==",
-      "signed_at": "2026-05-27T20:34:53.058Z"
+      "signed_at": "2026-05-27T22:15:41.274Z"
     },
     {
       "name": "sector-telecom",
@@ -1780,7 +1780,7 @@
         "O-RAN SFG / WG11 security specifications"
       ],
       "signature": "JWVxKFoKrbX4d+Tko1d4OBdwyg25MfFFKn4CT6E/CzH+YwnU3T6Y76uBQIKg3+gIGTvPduqyvQwQQ5FxKDuPBw==",
-      "signed_at": "2026-05-27T20:34:53.058Z"
+      "signed_at": "2026-05-27T22:15:41.274Z"
     },
     {
       "name": "api-security",
@@ -1849,7 +1849,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-18",
       "signature": "BmCRCestWqr55+fCynEhtAl5NWLT+xLTkpwS0Icp3SaoZOw/ce3Y6TtqjHRSKn4CBJq7YDiLRWxmhO3MStvOAA==",
-      "signed_at": "2026-05-27T20:34:53.058Z",
+      "signed_at": "2026-05-27T22:15:41.275Z",
       "forward_watch": [
         "NGINX Rift CVE-2026-42945 (disclosed 2026-05-13, source depthfirst) — KEV-watch predicted CISA KEV listing by 2026-05-29; track for active-exploitation confirmation and patch advisory affecting API gateway / reverse-proxy deployments",
         "Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — LiteLLM 3-bug SSRF + Code Injection chain by k3vg3n; LLM-proxy API surface; track upstream patch and CVE assignments",
@@ -1935,7 +1935,7 @@
         "CISA KEV additions for cloud-control-plane CVEs (IMDSv1 abuses, federation token mishandling, cross-tenant boundary failures); CISA Cybersecurity Advisories for cross-cloud advisories"
       ],
       "signature": "/DV3pmZwrRySrk1OCbyI+0BQESacjupJfUX3eC2NGtXuYOBro0vndIP+z27heFxumnjU3a9sfla7/U9X+pqnDw==",
-      "signed_at": "2026-05-27T20:34:53.059Z"
+      "signed_at": "2026-05-27T22:15:41.275Z"
     },
     {
       "name": "container-runtime-security",
@@ -1997,7 +1997,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-15",
       "signature": "E2UGSf9ATyYgzBr8uM/0ubOUmDqo1jVA7f9mVxv6LHfWGCNuQNXDyuNou9VAmUCeeXEeUYIi3AFjXkJqpOkxDA==",
-      "signed_at": "2026-05-27T20:34:53.059Z",
+      "signed_at": "2026-05-27T22:15:41.275Z",
       "forward_watch": [
         "Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — NVIDIA Container Toolkit container escape ($50K award) by chompie / IBM X-Force XOR; high-severity container/hypervisor boundary break; track patch and KEV add post-embargo"
       ]
@@ -2071,7 +2071,7 @@
         "MITRE ATLAS v5.6.0 (released May 2026) shipped the AML.T0010 sub-technique expansion this forecast tracked plus new techniques (\"Publish Poisoned AI Agent Tool\", \"Escape to Host\"); inventory now 16 tactics, 84 techniques, 56 sub-techniques. Forward watch: subsequent ATLAS minor and major releases — track next-cadence updates to agentic-AI TTPs and MLOps-pipeline-specific techniques"
       ],
       "signature": "IL+DlRCDJN/p08iiJCFkasKcoyjcB0uWrJ6ORLjQcS1HrUa5Xt62QxVjYPHzaevlm5y36ZdmfESqsZJmzK3lCg==",
-      "signed_at": "2026-05-27T20:34:53.059Z"
+      "signed_at": "2026-05-27T22:15:41.276Z"
     },
     {
       "name": "incident-response-playbook",
@@ -2133,7 +2133,7 @@
         "NYDFS 23 NYCRR 500.17 amendments tightening ransom-payment 24h disclosure operationalization"
       ],
       "signature": "MmjLjlmOMLjhJJ4ZfR8MYlHam+ZB+eSqfh6Nv+DecaG4O5zeo9DBP/iL3cbyDVZxmhnhivgJild2ccYeWTeZAg==",
-      "signed_at": "2026-05-27T20:34:53.060Z"
+      "signed_at": "2026-05-27T22:15:41.276Z"
     },
     {
       "name": "ransomware-response",
@@ -2213,7 +2213,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "ssueL03g9fWlhXpTe+IiY5l7RqQkunN4DTN5QETKE+VOX+qggdjAR8PONxk77ol4xWYmHrM/VcH8CNtXUEvgBA==",
-      "signed_at": "2026-05-27T20:34:53.060Z"
+      "signed_at": "2026-05-27T22:15:41.276Z"
     },
     {
       "name": "email-security-anti-phishing",
@@ -2266,7 +2266,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-18",
       "signature": "rK+WnuS+9tqEABmwc0jO/PEmxcLjG1/tmUb897HsClQeKzf+TQOlwBE+OsbtuKxpjYNwur62Xxs3TxObkwm8Cw==",
-      "signed_at": "2026-05-27T20:34:53.060Z"
+      "signed_at": "2026-05-27T22:15:41.277Z"
     },
     {
       "name": "age-gates-child-safety",
@@ -2334,7 +2334,7 @@
         "US state adult-site age-verification laws — 19+ states by mid-2026 (TX HB 18 upheld by SCOTUS June 2025 in Free Speech Coalition v. Paxton); track ongoing challenges in remaining states"
       ],
       "signature": "Rgho5TOFUL1txOzcVR0kASCNdovSU4yt99JlGilJlJRyg0A+BdeeQYrZrhPF6Vx2reUAVG0BeHfcZtSbi+cwCg==",
-      "signed_at": "2026-05-27T20:34:53.061Z"
+      "signed_at": "2026-05-27T22:15:41.277Z"
     },
     {
       "name": "cloud-iam-incident",
@@ -2414,7 +2414,7 @@
       ],
       "last_threat_review": "2026-05-15",
       "signature": "e/kij7GtKaytROyIj7V5RH+FC9WtmVFzrmG2kIlNDNn29ep/CRNlIQKwXLpzo/81AIf634pmdr1qy/+vwIuUDA==",
-      "signed_at": "2026-05-27T20:34:53.061Z",
+      "signed_at": "2026-05-27T22:15:41.278Z",
       "forward_watch": [
         "AWS IAM Identity Center session-policy refresh and step-up-on-admin enforcement (anticipated 2026-H2 release)",
         "GCP Workload Identity Federation principal-set attribute mapping tightening (post-2026 Q3 Federation hardening guide)",
@@ -2508,7 +2508,7 @@
       ],
       "last_threat_review": "2026-05-15",
       "signature": "ew9Kglc9fAZzbn0ZIfGP7WSK/j4eV2VhSvpy+s5bEfNEVYIMa2kZjnGBapgUsyGDLes9H9K2ovjQyX17+GKiBw==",
-      "signed_at": "2026-05-27T20:34:53.062Z",
+      "signed_at": "2026-05-27T22:15:41.278Z",
       "forward_watch": [
         "Entra ID conditional access evolution post-Midnight Blizzard — Microsoft's 2025-2026 commitments on legacy-tenant MFA enforcement and OAuth-app consent gating",
         "Okta IPSIE (Interoperability Profile for Secure Identity in the Enterprise) OpenID Foundation working-group output and adoption timeline",
@@ -2526,6 +2526,6 @@
   ],
   "manifest_signature": {
     "algorithm": "Ed25519",
-    "signature_base64": "GiJgwVB+yGfTQxNMFBR3nhzebn0c1LBsNIW3dtRuHaQ7YIvHO50HSWAGieaCzQVS6QVL13RHGZO/rpW+cD6WBQ=="
+    "signature_base64": "XvNerZTXJt8fW7G+X8lLqi22bKAf0AU1rg63L2yy/I2smf8dA+nnbhicXsnfheVfWYVWfYmkL+9Dhznpb3hSBA=="
   }
 }

package/orchestrator/index.js

@@ -86,7 +86,7 @@ async function main() {
       await runDispatch();
       break;
     case 'skill':
-      runSkillContext(args[0]);
+      runSkillContext(args);
       break;
     case 'pipeline':
       runPipeline(args[0] || 'manual', args[1] ? JSON.parse(args[1]) : {});
@@ -141,11 +141,23 @@ function runFrameworkGap(rawArgs) {
   const jsonOut = flags.has('--json');
 
   if (args.length < 2) {
-    console.error(`Usage: exceptd framework-gap <FRAMEWORK_ID|all> <SCENARIO|CVE-ID> [--json]
+    const usage = `Usage: exceptd framework-gap <FRAMEWORK_ID|all> <SCENARIO|CVE-ID> [--json]
 Examples:
   exceptd framework-gap NIST-800-53 CVE-2026-31431
   exceptd framework-gap PCI-DSS-4.0 "prompt injection"
-  exceptd framework-gap all CVE-2025-53773 --json`);
+  exceptd framework-gap all CVE-2025-53773 --json`;
+    // Honor --json on the missing-arg path: a JSON consumer must get a
+    // structured ok:false envelope, not plain usage text on stderr.
+    if (jsonOut) {
+      process.stdout.write(JSON.stringify({
+        ok: false,
+        verb: 'framework-gap',
+        error: 'framework-gap requires <FRAMEWORK_ID|all> and <SCENARIO|CVE-ID>',
+        usage,
+      }) + '\n');
+    } else {
+      console.error(usage);
+    }
     // v0.13 exit-code class fix: usage error is GENERIC_FAILURE (1),
     // not DETECTED_ESCALATE (2). Pre-v0.13 the orchestrator emitted
     // exit 2 for usage errors, colliding with CI gates that branch on
@@ -258,12 +270,15 @@ async function runScan() {
   // other verbs (validate-cves, watchlist, etc.). Previously this was a
   // bare `process.argv.includes('--json')`, which differed in style from
   // the verbs below and could miss `--json=true` or similar future forms.
+  if (rejectUnknownFlags('scan', args, ['--json'])) return;
   const { flags } = parseFlags(process.argv.slice(2), []);
   const jsonOut = flags.has('--json');
   if (!jsonOut) console.log('[orchestrator] Scanning environment...\n');
   const result = await scan();
   if (jsonOut) {
-    process.stdout.write(JSON.stringify(result) + '\n');
+    // Top-level ok:true so a single JSON consumer can branch on the same
+    // envelope the ok:false error paths emit.
+    process.stdout.write(JSON.stringify({ ok: true, ...result }) + '\n');
     return result;
   }
 
@@ -293,13 +308,14 @@ async function runScan() {
 }
 
 async function runDispatch() {
+  if (rejectUnknownFlags('dispatch', args, ['--json'])) return;
   const jsonOut = process.argv.includes('--json');
   if (!jsonOut) console.log('[orchestrator] Scanning then dispatching...\n');
   const scanResult = await scan();
   const plan = dispatch(scanResult.findings);
 
   if (jsonOut) {
-    process.stdout.write(JSON.stringify({ scan: scanResult, dispatch: plan }) + '\n');
+    process.stdout.write(JSON.stringify({ ok: true, scan: scanResult, dispatch: plan }) + '\n');
     return plan;
   }
 
@@ -334,10 +350,28 @@ async function runDispatch() {
   return plan;
 }
 
-function runSkillContext(skillName) {
+function runSkillContext(rawArgs) {
+  // `rawArgs` is the full arg list. Filter --flags out of the positional set
+  // before treating the first positional as the skill name — pre-fix
+  // `skill --json` passed "--json" through as args[0] and reported
+  // "Skill not found: --json".
+  const argList = Array.isArray(rawArgs) ? rawArgs : (rawArgs == null ? [] : [rawArgs]);
+  const jsonOut = argList.includes('--json');
+  const positionals = argList.filter(a => typeof a === 'string' && !a.startsWith('--'));
+  const skillName = positionals[0];
+
   if (!skillName) {
-    console.error('Usage: exceptd skill <skill-name>');
-    console.error('       (Lists available skills: exceptd brief --all)');
+    if (jsonOut) {
+      process.stdout.write(JSON.stringify({
+        ok: false,
+        verb: 'skill',
+        error: 'usage: exceptd skill <skill-name>',
+        hint: 'List available skills: exceptd brief --all',
+      }) + '\n');
+    } else {
+      console.error('Usage: exceptd skill <skill-name>');
+      console.error('       (Lists available skills: exceptd brief --all)');
+    }
     safeExit(EXIT_CODES.GENERIC_FAILURE);
     return;
   }
@@ -381,12 +415,13 @@ function runPipeline(triggerType, payload) {
 }
 
 function runCurrency() {
+  if (rejectUnknownFlags('currency', args, ['--json'])) return;
   const jsonOut = process.argv.includes('--json');
   const result = runCurrencyNow();
   const { currency_report, action_required, critical_count } = currencyCheck();
 
   if (jsonOut) {
-    process.stdout.write(JSON.stringify({ currency_report, action_required, critical_count, generated_at: new Date().toISOString() }) + '\n');
+    process.stdout.write(JSON.stringify({ ok: true, currency_report, action_required, critical_count, generated_at: new Date().toISOString() }) + '\n');
     return;
   }
 
@@ -712,12 +747,52 @@ async function runWatch() {
   console.log('Press Ctrl+C to stop. (SIGTERM / SIGHUP / SIGBREAK also honored.)\n');
 }
 
+// Known flags accepted by validate-cves. An unknown flag (typo) must be
+// rejected before any network work — a swallowed `--ofline` previously fell
+// through to the default live-network path and the verb hung fetching the
+// whole catalog from NVD until killed.
+const VALIDATE_CVES_KNOWN_FLAGS = Object.freeze([
+  '--offline', '--no-fail', '--from-cache', '--concurrency', '--since', '--air-gap',
+]);
+// Known flags accepted by validate-rfcs (same hang-on-typo class as
+// validate-cves). `--live` is the explicit opt-in to the default network
+// path; `--air-gap` forces the offline view with no egress.
+const VALIDATE_RFCS_KNOWN_FLAGS = Object.freeze([
+  '--offline', '--no-fail', '--from-cache', '--since', '--live', '--air-gap',
+]);
+
+// Reject unknown --flags against a per-verb allowlist BEFORE any network work.
+// Returns true when a rejection was emitted (caller should return); false when
+// every flag is recognized. The base flag (text before any `=`) is what gets
+// matched so `--from-cache=path` and `--since=2026-01-01` are accepted.
+function rejectUnknownFlags(verb, rawArgs, knownFlags) {
+  const known = new Set(knownFlags);
+  const unknown = rawArgs
+    .filter(a => typeof a === 'string' && a.startsWith('--'))
+    .map(a => { const eq = a.indexOf('='); return eq === -1 ? a : a.slice(0, eq); })
+    .filter(base => !known.has(base));
+  if (unknown.length === 0) return false;
+  // Dedupe while preserving order.
+  const uniq = [...new Set(unknown)];
+  process.stdout.write(JSON.stringify({
+    ok: false,
+    verb,
+    error: `${verb}: unknown flag(s): ${uniq.join(', ')}`,
+    unknown_flags: uniq,
+    known_flags: knownFlags,
+  }) + '\n');
+  safeExit(EXIT_CODES.GENERIC_FAILURE);
+  return true;
+}
+
 async function runValidateCves(rawArgs = []) {
   const fs = require('fs');
   const path = require('path');
 
+  if (rejectUnknownFlags('validate-cves', rawArgs, VALIDATE_CVES_KNOWN_FLAGS)) return;
+
   const flags = new Set(rawArgs.filter(a => a.startsWith('--')));
-  const offline = flags.has('--offline');
+  const offline = flags.has('--offline') || flags.has('--air-gap');
   const noFail = flags.has('--no-fail');
   // --from-cache: prefer cached upstream snapshots before falling back to live
   // network. Accepts an optional path; defaults to .cache/upstream when bare.
@@ -963,8 +1038,10 @@ async function runValidateRfcs(rawArgs = []) {
   const fs = require('fs');
   const path = require('path');
 
+  if (rejectUnknownFlags('validate-rfcs', rawArgs, VALIDATE_RFCS_KNOWN_FLAGS)) return;
+
   const flags = new Set(rawArgs.filter(a => a.startsWith('--')));
-  const offline = flags.has('--offline');
+  const offline = flags.has('--offline') || flags.has('--air-gap');
   const noFail = flags.has('--no-fail');
   let cacheDir = null;
   for (let i = 0; i < rawArgs.length; i++) {
@@ -1136,11 +1213,21 @@ async function runValidateRfcs(rawArgs = []) {
  * that should trigger a skill update. This command surfaces the union so
  * maintainers can see the full horizon at a glance.
  */
+// Every flag any watchlist mode (default aggregator, --alerts, --org-scan)
+// accepts. The unknown-flag guard runs once at the top of runWatchlist so a
+// typo is rejected regardless of which sub-mode it would have reached.
+const WATCHLIST_KNOWN_FLAGS = Object.freeze([
+  '--json', '--by-skill', '--alerts', '--org-scan',
+  '--org', '--pattern', '--output-format', '--air-gap',
+]);
+
 function runWatchlist(rawArgs = []) {
   const fs = require('fs');
   const path = require('path');
   const { parseFrontmatter, extractFrontmatterBlock } = require('../lib/lint-skills.js');
 
+  if (rejectUnknownFlags('watchlist', rawArgs, WATCHLIST_KNOWN_FLAGS)) return;
+
   const byskill = rawArgs.includes('--by-skill');
   const alertsMode = rawArgs.includes('--alerts');
   const orgScanMode = rawArgs.includes('--org-scan');

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/exceptd-skills",
-  "version": "0.14.11",
+  "version": "0.14.13",
   "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 42 skills, 11 catalogs (406 CVEs / 171 CWEs / 805 ATT&CK + ICS / 170 ATLAS / 468 D3FEND / 8888 RFCs), 35 jurisdictions, 10-class catalog gap detector + budget gate, real XML parser + canonical-form diff + content-pattern regression detection, Ed25519-signed.",
   "keywords": [
     "ai-security",