@blamejs/exceptd-skills 0.14.18 → 0.14.20

package/sbom.cdx.json

@@ -1,22 +1,22 @@
 {
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:4db535c8-69f7-4f7c-8aba-67d7acac1e3f",
+  "serialNumber": "urn:uuid:ad7d6e30-1f30-448b-9b72-08b3725ef84e",
   "version": 1,
   "metadata": {
-    "timestamp": "2067-04-25T08:50:16.000Z",
+    "timestamp": "2118-03-28T09:49:36.000Z",
     "tools": [
       {
         "vendor": "blamejs",
         "name": "scripts/refresh-sbom.js",
-        "version": "0.14.18"
+        "version": "0.14.20"
       }
     ],
     "component": {
-      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.14.18",
+      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.14.20",
       "type": "application",
       "name": "@blamejs/exceptd-skills",
-      "version": "0.14.18",
+      "version": "0.14.20",
       "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 42 skills, 11 catalogs (406 CVEs / 171 CWEs / 805 ATT&CK + ICS / 170 ATLAS / 468 D3FEND / 8888 RFCs), 35 jurisdictions, 10-class catalog gap detector + budget gate, real XML parser + canonical-form diff + content-pattern regression detection, Ed25519-signed.",
       "licenses": [
         {
@@ -25,17 +25,17 @@
           }
         }
       ],
-      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.14.18",
+      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.14.20",
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "4cdd06322a6bf28399fdf08493f9114b39ce1d7202a1c1b8deec4ef42b241386"
+          "content": "c1335307705d90a12e6b3d03d0213107590748fbefb17affec2b4134027a2066"
         }
       ],
       "externalReferences": [
         {
           "type": "distribution",
-          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.14.18"
+          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.14.20"
         },
         {
           "type": "vcs",
@@ -116,11 +116,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "2cf0a7117bf53cd22887176edf014fa8787a096263a2284d6835348e019f7f15"
+          "content": "70237899d20090dad92ebb1847b7645138b1f94f072f0a4c6101e969f30c4049"
         },
         {
           "alg": "SHA3-512",
-          "content": "62c7b9732676ce40db41571ded6773ce9076dbec68deb95ebe90c6a09b48dd74cdffd2de565ae4b90eb240827ef7103287ac50a378f0501ad505b75ebe76a2fe"
+          "content": "5d51b673341672c8f0efbca7ba0c7fb85acbc07fda47ec314bd10b2a979a3c736aa5cea78f73f7f259cd5099332bfaa70b8ab59d0d376d1f41b07cd962b88927"
         }
       ]
     },
@@ -326,11 +326,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "3d451dda7ac0c7d57a4075ae4bafd3148c6184b35dc1bc59d8b81d1f2641e430"
+          "content": "03d8071c7ae244ccda7611c3bc66a5581c21e790d158c2948c3001f55aa5aac9"
         },
         {
           "alg": "SHA3-512",
-          "content": "dc380fbea328169dd713bdc0fef7d47ab74cb923bcb1481e3148f78316fb2be67feefc04d151dc3bbe904f51a2b7397008be70e0bcaed7b510b11e5db64a466d"
+          "content": "bce244f776fac20692cdc07d49790a77f02811332ecba6c2afe4796e904b4aa9720b484ddcfa020c772e03d954166b51b3ea997d26d809162d2787f764eac915"
         }
       ]
     },
@@ -401,11 +401,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "46094ad9b9584f454daddd28f4c5d27faf0ea0510daafd38fb60bf9d30f6a305"
+          "content": "563890a91e25079c1b36f61d8cdf21176fba3801168c4b4697cabae3437b33c1"
         },
         {
           "alg": "SHA3-512",
-          "content": "c06ddd5710a2ed081c48b0ca4204e993541430764527f82b44a357eaab35a3a0dd0255178928f2240672148a9d9e8b5d3fb3ddd1184092b0cab19bf5581e9d91"
+          "content": "7c168e2271d515921e63b5c1791f72439ca084794ab0ae24f4d0ba8356889567e3fd14152bfb3466a273de5f37df011e23c17d08ecb9b8ff53c79262f7d8aa98"
         }
       ]
     },
@@ -671,11 +671,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "91bbe085689c3569c9731f41b87c1ba61879220a67127b60f94f59045f0f82d9"
+          "content": "1fb17a651a62077c3e312cd4250fe7bcb77f57380550c7bb55d0d86b89fc0aeb"
         },
         {
           "alg": "SHA3-512",
-          "content": "489ba7ec9a99cf29ca62e163a8a355b810387e8918d371e273880fc2b4fdbd6811ee625ae90fc1fafd1da495082e4a480c7eacc5d239b21e35f98993f07e1cd0"
+          "content": "72d0c1d3b65a7369a3857aa1385e93bc9c1894e23716aee885873a89b7d423515d8e34af09aa88712c659fe9b498274c1cb4b73d13ec2177e82aaac6fce8317a"
         }
       ]
     },
@@ -731,11 +731,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "e0128a312c3f44af858db3bb2eae225c264472fac4c2e63e63033dfdc376aed9"
+          "content": "4ede3fbf5cbb322cc177e1be3bf2bae27b68882a0486689074ca904f5edaec18"
         },
         {
           "alg": "SHA3-512",
-          "content": "773e00656252a0e633d726acfd05a89a26b49067daf1ad0db45c05b9333b8861a7c5b9f3a574a5d1828622c045910802fdeed65681f2c7a4d0408990c05aaa1f"
+          "content": "8b7cfdeb5031a04a435acd90dc62d18dd1eab577a99fe5eff33a1140cbfc16d8e09e9f6419ab17649d99009486ab3e730ac867c47fd1b3f4437ab319c2832d0e"
         }
       ]
     },
@@ -1451,11 +1451,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "a491b2b6ca35d75f7d3d27696d6ae20d1ee22ade22c507de7bfcfd4bbc4d8a8d"
+          "content": "2f782451d36dc9c6022a49b0eca1ef038304af4aa3fa1f1dced71ebe5bbe1e2e"
         },
         {
           "alg": "SHA3-512",
-          "content": "a47ecd510b73942d64d5e81ad455a38bb174609c02df5f531cbc4ace198721bbf4006c126dc1d2d640e9a202ca0b302e59f58c24dc97a9d30efb6099d1ef7da4"
+          "content": "b1c7b066701bcdc650dc09509822ab0d4f9842b562b85d03f3e24c641f1a15fd55a42d09f51b3b056f0c093090ee322298c9f8c322baa434b5742b868d14e564"
         }
       ]
     },
@@ -1586,11 +1586,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "d98598a62974f8e0b01cce1120b54f5c117744b5bdb1a84d3a092556fc2f67d8"
+          "content": "ba92f12ed265afe414fa79b88aaa677c5bf9b44e4c3837e4d1571e927f28803d"
         },
         {
           "alg": "SHA3-512",
-          "content": "6405b26b6ccf8c0a89a615779357323afedb54532921609cfcac197821ce674b0d554e76470cad2d87918f0e061fefc7f90dc0aaa8c0968820844ba914d834b2"
+          "content": "c437e1c817718659544eb1bb1f3181f783619b77f76675494301d329ab0af011e8b03051634ec9039afaefaeba8eb7eaae511bfff63b163dbed51234e70c8b44"
         }
       ]
     },
@@ -1751,11 +1751,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "942085b9f004cd46ededef88160239a7ab66946592f89e8e974bd411c6d9a10a"
+          "content": "dc4cdb2fa56243e42a1989558997a236e564176fa6c8e5dcae9de9d2dad8399b"
         },
         {
           "alg": "SHA3-512",
-          "content": "b063a08a01b6ab2552361d9d4fa01e6ab9318531ddc137013c6fee3b7889e1a89380be6b0cbd5d531f246b4f84fa2dd10a329a2c148ea2220261501568dc5b79"
+          "content": "79f50a6fa13bb5b81b29bed3a637e6e94a3df1689ed14d88bfc6ce1bd1df5353044308c3db24c065d69b522dd38de3c37f5bf0efd9b0ccc6c66a3acc163d77b8"
         }
       ]
     },
@@ -2096,11 +2096,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "e0ada7118356a557105ca726f4525fd6eae488d25346bd435dc0ccd5f312ab87"
+          "content": "0d369d14e5653e19643933b9eedf9b15aaec8a248a07c69eaf44e4c61149fc11"
         },
         {
           "alg": "SHA3-512",
-          "content": "ce5f2508970c90cb35bf997855a1d97fea353fb4660aab0bdec602d57c08d533acf98a6422dca72297edec1b0573ffacff15e01866ff0ec38b994d5bf49fef00"
+          "content": "c3f3c53d89deb2674cb385544cc50fa09c4c9ec89ab42559f50d27e479b5112ec0117ffb56a2b0d674338c3674888089eed8adc4579f056cccbb5b3f4abca80a"
         }
       ]
     },
@@ -2696,11 +2696,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "250f266908f51f99a4cb3aec0d5dacfcf91fac9f3d95e5a117429a40ed2ff45a"
+          "content": "da0b937350e538b55db8daa1f50047d9f4e889e6b89b040dcecfb71feecd63d7"
         },
         {
           "alg": "SHA3-512",
-          "content": "fd4b35d28d126b0fd5ea76c565deb723d69738e96545f86b8c3684bf7aea82d32bb2a2ebc278321fed9e8e9895ae4d1851a65c53b945fdecf49cb6964f895ad6"
+          "content": "0e8f1255c307f32515741283bbd8090add1429fbd69a0df1ddff2f246ddac1759216e1c2d8e19ec866cac4f374144525984e621002ff389a982b6e8f3111209a"
         }
       ]
     },
@@ -2891,11 +2891,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "3b41b59eb4e8480b691ff17185f42b9fbfd7665e369fc210feba496688cc77aa"
+          "content": "8b77569100d10201044d63a69cbc83c9cfe6d2c3568884aa900ef0eb72ba99c3"
         },
         {
           "alg": "SHA3-512",
-          "content": "29d98c34fc97e6bd7b9331c69ae7f27cf1eec5e182d7885c54eb6be91820bde0aaca746bda5590aa12cc1962d43d5337be569bfc7a007f4286ffee6a9a4a0412"
+          "content": "280de5761907468c126ec976b8d8bce97bbb87acdf8895c4f8885630dd2c887a76abff3a2b6781d77f34bc0306801b0f7f6a59e33af85f36f155aea2b92e185d"
         }
       ]
     },
@@ -3011,11 +3011,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "59193e39c2fd73fdd7fede38a956bc730bbe4b712d7d6020788bb4d85f001ad8"
+          "content": "2f336a0b79cd28a3353ec0a72ce0469ac57305345d652247e7cb368f79ec8d4f"
         },
         {
           "alg": "SHA3-512",
-          "content": "872b65942dd189504cca186babc7543c806b2c1463070f527524e9a2c097b2f030b1806bb434436b3a4bbb4865b4f38d15115327a37ecc9aad64a6bccbd3bf50"
+          "content": "ea3a722c2a18e32d1127393561f3122d827a26b69f95df986999a957f943fb809aef26aa99fd4f1ec0f7223a7e78843c784e0cea2710482f9b6dc20fc7196884"
         }
       ]
     },
@@ -3071,11 +3071,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "4295c0efe31dcbec1a7bc96b8ce05d41414d918cbfc7fb7dffb2be7e4d873ae3"
+          "content": "637861b4dcd2cb608c08c5aa62a8ef73efc976584f901e612c73cf53b3559422"
         },
         {
           "alg": "SHA3-512",
-          "content": "48b2a5adaea65860fe55c4b263d3365bc8416052ed7bb348f9af60f6af2e377208ece65ff3de4ea56059bf712029b3ad9bd3fead5f1a5aca5292a249ab5e1cdf"
+          "content": "82a8f600bc6ebf7acfe9c80dfe691569f6f65e362e4e81f259c24d899f8cef54c55ee31e56548ddcc0a2fd3a50f31f199d5f133823221457c03e0cfc86a6a076"
         }
       ]
     },

package/scripts/builders/stale-content.js

@@ -71,7 +71,11 @@ function buildStaleContent({ root, manifest, skills, catalogFiles }) {
     const liveJurisdictions = (() => {
       try {
         const gf = JSON.parse(fs.readFileSync(path.join(root, "data/global-frameworks.json"), "utf8"));
-        return Object.keys(gf).filter((k) => !k.startsWith("_") && k !== "GLOBAL").length;
+        // Count non-underscore keys (GLOBAL included) — the canonical
+        // jurisdiction count used by the README badge and catalog-summaries.
+        // Excluding GLOBAL here uniquely produced 34 and emitted a false
+        // badge_drift finding against the README's (correct) 35.
+        return Object.keys(gf).filter((k) => !k.startsWith("_")).length;
       } catch {
         return null;
       }

package/skills/email-security-anti-phishing/skill.md

@@ -71,7 +71,7 @@ Phishing remained the #1 initial-access vector through 2025 (Verizon DBIR 2025)
 
 **Business Email Compromise losses continued growing through 2025.** FBI IC3 2024 and 2025 reports place BEC at multi-billion-USD annual loss globally, with the wire-redirection and vendor-invoice-fraud subclasses dominant. The 2026 reality is that BEC is no longer "compromised mailbox sends a wire request" — it is increasingly "spoofed-or-look-alike domain plus deepfake voice/video confirmation channel" so that out-of-band verification by phone *fails open* unless the callback number is a pre-registered known-good.
 
-**Defense ecosystem snapshot.** SPF (RFC 7208), DKIM (RFC 6376), and DMARC (RFC 7489) adoption is effectively universal among Fortune 500 sender domains, but **enforcement** (`p=reject` vs `p=none`) lags — only roughly 60% of large enterprise domains are at `p=reject` by mid-2026, with the rest stuck in monitoring mode for fear of breaking legitimate forwarders. BIMI (AuthIndicators Working Group draft, with IETF mailing-list discussion ongoing as of mid-2026) for visual brand verification is deployed at Gmail, Yahoo Mail, and Apple Mail, but requires DMARC `p=quarantine` or `p=reject` to take effect — so it doubles as enforcement-status signaling. ARC (RFC 8617) is the forwarder-authentication answer to the DMARC-vs-mailing-list problem and is maturing across major providers. MTA-STS (RFC 8461) and TLSRPT (RFC 8460) close the in-transit TLS-downgrade gap that opportunistic STARTTLS leaves open. The cloud email duopoly — Microsoft 365 Exchange Online and Google Workspace Gmail — is the canonical ephemeral inbox environment per the project's ephemeral-realities rule; on-prem Exchange remains in regulated and air-gapped enclaves and gets an explicit exception path below.
+**Defense ecosystem snapshot.** SPF (RFC 7208), DKIM (RFC 6376), and DMARC (RFC 7489) adoption is effectively universal among Fortune 500 sender domains, but **enforcement** (`p=reject` vs `p=none`) lags — only roughly 60% of large enterprise domains are at `p=reject` by mid-2026, with the rest stuck in monitoring mode for fear of breaking legitimate forwarders. BIMI (AuthIndicators Working Group draft, with IETF mailing-list discussion ongoing as of mid-2026) for visual brand verification is deployed at Gmail, Yahoo Mail, and Apple Mail, but requires DMARC `p=quarantine` or `p=reject` to take effect — so it doubles as enforcement-status signaling. ARC (RFC 8617) is the forwarder-authentication answer to the DMARC-vs-mailing-list problem and is maturing across major providers. MTA-STS (RFC 8461) and TLSRPT (RFC 8460) close the in-transit TLS-downgrade gap that opportunistic STARTTLS leaves open. The cloud email duopoly — Microsoft 365 Exchange Online and Google Workspace Gmail — is the canonical inbox environment most enterprises operate in; on-prem Exchange remains in regulated and air-gapped enclaves and gets an explicit exception path below.
 
 **Phishing-resistant authentication.** FIDO2 / WebAuthn synced passkeys are the only widely deployed authenticator class that survives AiTM proxy phishing (evilginx-class), Tycoon-2FA-style session-token relay, and push-notification fatigue attacks. TOTP, SMS, and push-MFA are all bypassable by 2026 phishing-kit ecosystems. Caffeine and Tycoon 2FA continue to evolve; observed 2025 telemetry shows passkey-relay attempts emerging against poorly configured WebAuthn relying-party verification.
 

package/skills/pqc-first/skill.md

@@ -514,7 +514,7 @@ Priority order:
 
 ## Output Format
 
-The skill produces a structured PQC Readiness Assessment that scores the org's post-quantum migration posture against the NIST PQC standards (ML-KEM / FIPS 203, ML-DSA / FIPS 204, SLH-DSA / FIPS 205), CNSA 2.0, and the BSI / ANSSI / NCSC migration guidance. The shape below is consumed downstream by `crypto` playbook runs (which feed the assessment into Phase 5 analyze), by `framework-gap-analysis` (for SC-8 / SC-13 / A.8.24 / A.10 lag declarations), and by `compliance-theater` (which compares the harvest-now-decrypt-later exposure against the org's data-classification claims). Preserve the per-protocol cryptographic-inventory rows verbatim — they are the auditable derivation of the migration roadmap.
+The skill produces a structured PQC Readiness Assessment that scores the org's post-quantum migration posture against the NIST PQC standards (ML-KEM / FIPS 203, ML-DSA / FIPS 204, SLH-DSA / FIPS 205), CNSA 2.0, and the BSI / ANSSI / NCSC migration guidance. The shape below is consumed downstream by `crypto` playbook runs (which feed the assessment into the analysis correlation step), by `framework-gap-analysis` (for SC-8 / SC-13 / A.8.24 / A.10 lag declarations), and by `compliance-theater` (which compares the harvest-now-decrypt-later exposure against the org's data-classification claims). Preserve the per-protocol cryptographic-inventory rows verbatim — they are the auditable derivation of the migration roadmap.
 
 ```
 ## PQC Readiness Assessment

package/skills/sector-telecom/skill.md

@@ -66,7 +66,7 @@ forward_watch:
   - "Five Eyes joint advisories on telecom-equipment intrusion"
   - "3GPP TS 33.501 updates (5G security architecture rebaseline)"
   - "O-RAN SFG / WG11 security specifications"
-last_threat_review: 2026-05-15
+last_threat_review: "2026-05-15"
 discovery_mode: "standalone"  # v0.13.2: operator-reached via `exceptd brief sector-telecom` or `exceptd ask`; not chained into any playbook's direct.skill_chain by design
 ---
 
@@ -117,7 +117,7 @@ ATLAS AML.T0040 (Tool / Plugin Compromise) anchors the AI-RAN attack class: plug
 
 ## Analysis Procedure
 
-### Phase 1 — govern (jurisdictional clock + obligations)
+### Jurisdictional clocks + obligations
 
 Surface the operator's jurisdictional notification clocks immediately on detection:
 
@@ -134,11 +134,11 @@ Surface the operator's jurisdictional notification clocks immediately on detecti
 
 Wait for operator acknowledgment of the highest-priority clock before proceeding.
 
-### Phase 2 — direct (threat context)
+### Threat context briefing
 
 Brief the operator on Salt Typhoon-class TTPs + RWEP-threshold bands. For telecom CVEs with active exploitation: live-patch threshold 90, urgent-patch 70, scheduled 30.
 
-### Phase 3 — look (artifacts to capture)
+### Artifacts to capture
 
 Capture the following telecom-specific evidence (use `air_gap_alternative` paths if operator is in disconnected mode):
 
@@ -152,7 +152,7 @@ Capture the following telecom-specific evidence (use `air_gap_alternative` paths
 - **OEM vendor remote-support tunnel inventory** — open Cisco TAC / Ericsson ENS / Nokia OMS tunnels with last-active timestamp.
 - **NESAS deployment posture report** — most recent operator-attested deployment match against the vendor-certified build.
 
-### Phase 4 — detect (indicators)
+### Detection indicators
 
 Walk every indicator's `false_positive_checks_required` list before submitting a hit:
 
@@ -163,23 +163,23 @@ Walk every indicator's `false_positive_checks_required` list before submitting a
 - **Unauthorized LI gateway tunnel** — outbound connection from the LI gateway to an IP outside the LE / DOJ / regulator allowlist. FP check: rule out documented maintenance bastion.
 - **OEM firmware downgrade events** — vendor-equipment firmware version regressed below the operator-published minimum. FP check: rule out documented incident-response rollback.
 
-### Phase 5 — analyze (correlation)
+### Correlation
 
 Match captured artifacts against `data/cve-catalog.json` entries with `attack_class: telecom` or matching `attack_refs`. Cross-reference against `data/framework-control-gaps.json` for FCC-CPNI-4.1, FCC-Cyber-Incident-Notification-2024, NIS2-Annex-I-Telecom, DORA-Art-21-Telecom-ICT, UK-CAF-B5, AU-ISM-1556, GSMA-NESAS-Deployment, 3GPP-TR-33.926, ITU-T-X.805. Score blast-radius based on subscriber count + LI-feed-exposure dimension + AI-RAN slice-mismapping potential.
 
-### Phase 6 — validate (priority-sorted remediation)
+### Priority-sorted remediation
 
 Priority 1 (immediate): isolate compromised NMS account; revoke and re-issue LI-gateway operator credentials; pull running-gNB firmware hash off every base station and compare against operator-attested expected.
 Priority 2 (24h): rotate all OEM vendor remote-support credentials; close TAC tunnels not actively in use; signaling-firewall block on cross-PLMN spike sources.
 Priority 3 (72h): operator-attested NESAS recertification of every gNB / EMS / OSS; slice-isolation verification across every active 5GC slice; comprehensive review of the last 90 days of NMS admin actions.
 
-### Phase 7 — close (regulator notifications + evidence preservation)
+### Regulator notifications + evidence preservation
 
-Draft jurisdictional notification messages with regulator-specific evidence templates. Preserve LI-system audit trail for downstream law-enforcement / intelligence-community handoff. Schedule a follow-up `reattest` window at the highest applicable regulator deadline minus 48 hours.
+Draft jurisdictional notification messages with regulator-specific evidence templates. Preserve LI-system audit trail for downstream law-enforcement / intelligence-community handoff. Schedule a follow-up re-attestation window at the highest applicable regulator deadline minus 48 hours.
 
 ## Output Format
 
-The investigation evidence bundle returned by phase 5 + 6 has this shape:
+The investigation evidence bundle has this shape:
 
 ```json
 {
@@ -251,6 +251,6 @@ Theater patterns specific to telecom posture:
 
 - **incident-response-playbook** — parent IR flow; sector-telecom extends the IR contract with telecom-specific evidence and jurisdictional clocks.
 - **framework-gap-analysis** — invoke for downstream Hard-Rule-5 gap mapping against catalog framework_gaps.
-- **cred-stores** — LI-gateway operator credential storage falls under the cred-stores skill for secret-management depth.
+- **cred-stores** *(playbook chain, not a skill)* — LI-gateway operator credential storage falls under the `cred-stores` playbook for secret-management depth.
 - **sector-federal-government** — national-security adjacency on LI-system compromise touches federal investigation scope.
 - **mcp-agent-trust** — AI-RAN xApp / rApp compromise (ATLAS AML.T0040 class) crosses into MCP-class agent-tool trust boundaries.

package/skills/threat-model-currency/skill.md

@@ -288,7 +288,7 @@ The truth set: every `AML.T*` key in `data/atlas-ttps.json` (excluding `_meta`)
 
 ## Exploit Availability Matrix
 
-A threat model is "current" only if it accounts for every `data/cve-catalog.json` entry with RWEP >= 50 — with either a deployed mitigation or a documented, accepted residual risk. As of `last_threat_review: 2026-05-14`:
+A threat model is "current" only if it accounts for every `data/cve-catalog.json` entry with RWEP >= 50 — with either a deployed mitigation or a documented, accepted residual risk. As of the frontmatter `last_threat_review`:
 
 | CVE | Name | CVSS | RWEP | KEV | PoC | AI factor | Live-patchable | Required threat-model treatment |
 |---|---|---|---|---|---|---|---|---|