npm - @blamejs/exceptd-skills - Versions diffs - 0.14.19 → 0.14.20 - Mend

@blamejs/exceptd-skills 0.14.19 → 0.14.20

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

package/CHANGELOG.md +8 -0
package/data/_indexes/_meta.json +7 -7
package/data/_indexes/section-offsets.json +62 -62
package/data/_indexes/summary-cards.json +2 -2
package/data/_indexes/token-budget.json +32 -32
package/manifest.json +48 -48
package/package.json +1 -1
package/sbom.cdx.json +20 -20
package/skills/email-security-anti-phishing/skill.md +1 -1
package/skills/pqc-first/skill.md +1 -1
package/skills/sector-telecom/skill.md +11 -11
package/skills/threat-model-currency/skill.md +1 -1

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,13 @@
 # Changelog
+## 0.14.20 — 2026-05-27
+Skill content cleanup:
+- `sector-telecom` no longer labels its analysis-procedure subsections with the CLI verb names that were removed in 0.13.0 (`govern`, `direct`, `look`, etc.) — the section headings are neutral procedural language now. Its reference to `cred-stores` is annotated as a playbook (not a skill, matching the convention three sibling skills already use), and its `last_threat_review` date is quoted consistently with every other skill.
+- `threat-model-currency` no longer pins an outdated date literal in its body that contradicted the frontmatter — it references the frontmatter `last_threat_review` so the assertion can't desync.
+- `pqc-first` no longer leaks the engine's internal phase numbering ("Phase 5 analyze") into operator-facing output prose.
+- `email-security-anti-phishing` no longer cites an internal contributor rule by name in its threat-context narrative.
 ## 0.14.19 — 2026-05-27
 Catalog data-integrity pass:

package/data/_indexes/_meta.json CHANGED Viewed

@@ -1,10 +1,10 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-28T02:01:28.108Z",
+  "generated_at": "2026-05-28T02:33:36.583Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 54,
   "source_hashes": {
-    "manifest.json": "633b5ddcd6927b365cab9672477db8b0ce64df963f2d44526e10d3eb7b10edd7",
+    "manifest.json": "dc4cdb2fa56243e42a1989558997a236e564176fa6c8e5dcae9de9d2dad8399b",
     "data/atlas-ttps.json": "d24bc02859d40ccf1615db75cca68c077585904e41e0d8f6de448121e9b1abb0",
     "data/attack-techniques.json": "fa193f0d2d248176a8beddb641e9fe56ba4faa9e15dc253ff876dbf0c5d58a77",
     "data/cve-catalog.json": "03d8071c7ae244ccda7611c3bc66a5581c21e790d158c2948c3001f55aa5aac9",
@@ -25,10 +25,10 @@
     "skills/rag-pipeline-security/skill.md": "792c6f48a7ff06785c24258cac1714068feafefb3f8f05e6c62ddce2f2f9128d",
     "skills/ai-c2-detection/skill.md": "de83dc284dc4f85a8a383c0b715ec7b9ea127ec49c3227bf4c72344bad4008ed",
     "skills/policy-exception-gen/skill.md": "238074319b57399c75d76439ef1ff67153b5a3207adf1556f3ca1e68cfe7cfaa",
-    "skills/threat-model-currency/skill.md": "4295c0efe31dcbec1a7bc96b8ce05d41414d918cbfc7fb7dffb2be7e4d873ae3",
+    "skills/threat-model-currency/skill.md": "637861b4dcd2cb608c08c5aa62a8ef73efc976584f901e612c73cf53b3559422",
     "skills/global-grc/skill.md": "57ca729034e9d33c527d869c1c4aa82fe37e496878a3cbcd9e5043cb62b7105d",
     "skills/zeroday-gap-learn/skill.md": "d8872a4f5e5e927ae087e8319996ec3b9e010aa23fca32248c0909051032db48",
-    "skills/pqc-first/skill.md": "3b41b59eb4e8480b691ff17185f42b9fbfd7665e369fc210feba496688cc77aa",
+    "skills/pqc-first/skill.md": "8b77569100d10201044d63a69cbc83c9cfe6d2c3568884aa900ef0eb72ba99c3",
     "skills/skill-update-loop/skill.md": "f7cd18df293b90c0d2afb6ba8b87664419becea6b63221f03efaf09c69586025",
     "skills/security-maturity-tiers/skill.md": "2e46c9332a5a6190d4605ba7bc653410659be19fab50c78c0a6732f84ebdb300",
     "skills/researcher/skill.md": "dc8ceab8f69af370abb1165ed14ead6f3e9d236a8f703165eba52014ebfd43ab",
@@ -47,14 +47,14 @@
     "skills/sector-financial/skill.md": "ad8f207a6ce255aad9c33ea9a3009fb707c0f59be9df565fe68679654488bb6e",
     "skills/sector-federal-government/skill.md": "7b513d2365390fdb546c0f266139a21ae247339f0e346695fcbc92ba3d7fa69a",
     "skills/sector-energy/skill.md": "9aed96c78e8aaeafd3b7564d26311d625b4466a1e3822281721bdbfcfca058ec",
-    "skills/sector-telecom/skill.md": "59193e39c2fd73fdd7fede38a956bc730bbe4b712d7d6020788bb4d85f001ad8",
+    "skills/sector-telecom/skill.md": "2f336a0b79cd28a3353ec0a72ce0469ac57305345d652247e7cb368f79ec8d4f",
     "skills/api-security/skill.md": "120ed75df17db4dfc4746b9d5bd6efd33786bbf68cb840670aeed0be505866f9",
     "skills/cloud-security/skill.md": "425be2c6e3563f011d0280bf03268425bf60923ae3d02eafbf1b56d04f0b7ffe",
     "skills/container-runtime-security/skill.md": "f22bf5a305f8a33884d49d9bfb25fa2bd00c4b3d0dc490bd12f20a7721683b4a",
     "skills/mlops-security/skill.md": "498549ddc9d870cb8d6a28a4d79b8d7058d5eed832d7c266c281084f4371ce46",
     "skills/incident-response-playbook/skill.md": "9c219de36c7d702dff8504a25e2f1b07459716ea2ed02f49d751f91dbeca1b01",
     "skills/ransomware-response/skill.md": "471b714c42717d43f81b2b582cd8e89ca8d3140de2ddc06cce15f012a0e19be1",
-    "skills/email-security-anti-phishing/skill.md": "250f266908f51f99a4cb3aec0d5dacfcf91fac9f3d95e5a117429a40ed2ff45a",
+    "skills/email-security-anti-phishing/skill.md": "da0b937350e538b55db8daa1f50047d9f4e889e6b89b040dcecfb71feecd63d7",
     "skills/age-gates-child-safety/skill.md": "639b79a2724415afe9e4469202f806e5bec022c0946c9496d4e17ed73aabbe21",
     "skills/cloud-iam-incident/skill.md": "5ec3800a0049b2123aff67bfab4ff28491a86d2daeb712283e5e88b10c3d5d7b",
     "skills/idp-incident-response/skill.md": "e67a2576e7f1c3bf89f499f5c977bc470ef29e8b3e3e45f4cb5bd45a82674282"
@@ -78,7 +78,7 @@
     "handoff_dag_nodes": 42,
     "summary_cards": 42,
     "section_offsets_skills": 42,
-    "token_budget_total_approx": 418252,
+    "token_budget_total_approx": 418226,
     "recipes": 8,
     "jurisdiction_clocks": 29,
     "did_ladders": 8,

package/data/_indexes/section-offsets.json CHANGED Viewed

@@ -991,7 +991,7 @@
     },
     "threat-model-currency": {
       "path": "skills/threat-model-currency/skill.md",
-      "total_bytes": 33306,
+      "total_bytes": 33310,
       "total_lines": 448,
       "frontmatter": {
         "line_start": 1,
@@ -1059,16 +1059,16 @@
           "normalized_name": "exploit-availability-matrix",
           "line": 289,
           "byte_start": 20815,
-          "byte_end": 23164,
-          "bytes": 2349,
+          "byte_end": 23168,
+          "bytes": 2353,
           "h3_count": 0
         },
         {
           "name": "Compliance Theater Check",
           "normalized_name": "compliance-theater-check",
           "line": 308,
-          "byte_start": 23164,
-          "byte_end": 24732,
+          "byte_start": 23168,
+          "byte_end": 24736,
           "bytes": 1568,
           "h3_count": 0
         },
@@ -1076,8 +1076,8 @@
           "name": "Scoring",
           "normalized_name": "scoring",
           "line": 324,
-          "byte_start": 24732,
-          "byte_end": 25274,
+          "byte_start": 24736,
+          "byte_end": 25278,
           "bytes": 542,
           "h3_count": 0
         },
@@ -1085,8 +1085,8 @@
           "name": "Analysis Procedure",
           "normalized_name": "analysis-procedure",
           "line": 343,
-          "byte_start": 25274,
-          "byte_end": 26204,
+          "byte_start": 25278,
+          "byte_end": 26208,
           "bytes": 930,
           "h3_count": 4
         },
@@ -1094,8 +1094,8 @@
           "name": "Output Format",
           "normalized_name": "output-format",
           "line": 375,
-          "byte_start": 26204,
-          "byte_end": 28177,
+          "byte_start": 26208,
+          "byte_end": 28181,
           "bytes": 1973,
           "h3_count": 4
         },
@@ -1103,8 +1103,8 @@
           "name": "Defensive Countermeasure Mapping",
           "normalized_name": "defensive-countermeasure-mapping",
           "line": 417,
-          "byte_start": 28177,
-          "byte_end": 33306,
+          "byte_start": 28181,
+          "byte_end": 33310,
           "bytes": 5129,
           "h3_count": 0
         }
@@ -1327,7 +1327,7 @@
     },
     "pqc-first": {
       "path": "skills/pqc-first/skill.md",
-      "total_bytes": 37988,
+      "total_bytes": 38002,
       "total_lines": 572,
       "frontmatter": {
         "line_start": 1,
@@ -1449,16 +1449,16 @@
           "normalized_name": "output-format",
           "line": 515,
           "byte_start": 31983,
-          "byte_end": 33460,
-          "bytes": 1477,
+          "byte_end": 33474,
+          "bytes": 1491,
           "h3_count": 6
         },
         {
           "name": "Defensive Countermeasure Mapping",
           "normalized_name": "defensive-countermeasure-mapping",
           "line": 548,
-          "byte_start": 33460,
-          "byte_end": 37328,
+          "byte_start": 33474,
+          "byte_end": 37342,
           "bytes": 3868,
           "h3_count": 0
         },
@@ -1466,8 +1466,8 @@
           "name": "Compliance Theater Check",
           "normalized_name": "compliance-theater-check",
           "line": 569,
-          "byte_start": 37328,
-          "byte_end": 37988,
+          "byte_start": 37342,
+          "byte_end": 38002,
           "bytes": 660,
           "h3_count": 0
         }
@@ -3230,21 +3230,21 @@
     },
     "sector-telecom": {
       "path": "skills/sector-telecom/skill.md",
-      "total_bytes": 20862,
+      "total_bytes": 20754,
       "total_lines": 257,
       "frontmatter": {
         "line_start": 1,
         "line_end": 71,
         "byte_start": 0,
-        "byte_end": 1989
+        "byte_end": 1991
       },
       "sections": [
         {
           "name": "Threat Context (mid-2026)",
           "normalized_name": "threat-context",
           "line": 73,
-          "byte_start": 1990,
-          "byte_end": 5178,
+          "byte_start": 1992,
+          "byte_end": 5180,
           "bytes": 3188,
           "h3_count": 0
         },
@@ -3252,8 +3252,8 @@
           "name": "Framework Lag Declaration",
           "normalized_name": "framework-lag-declaration",
           "line": 87,
-          "byte_start": 5178,
-          "byte_end": 7260,
+          "byte_start": 5180,
+          "byte_end": 7262,
           "bytes": 2082,
           "h3_count": 0
         },
@@ -3261,8 +3261,8 @@
           "name": "TTP Mapping",
           "normalized_name": "ttp-mapping",
           "line": 91,
-          "byte_start": 7260,
-          "byte_end": 8694,
+          "byte_start": 7262,
+          "byte_end": 8696,
           "bytes": 1434,
           "h3_count": 0
         },
@@ -3270,8 +3270,8 @@
           "name": "Exploit Availability Matrix",
           "normalized_name": "exploit-availability-matrix",
           "line": 105,
-          "byte_start": 8694,
-          "byte_end": 9888,
+          "byte_start": 8696,
+          "byte_end": 9890,
           "bytes": 1194,
           "h3_count": 0
         },
@@ -3279,26 +3279,26 @@
           "name": "Analysis Procedure",
           "normalized_name": "analysis-procedure",
           "line": 118,
-          "byte_start": 9888,
-          "byte_end": 15717,
-          "bytes": 5829,
+          "byte_start": 9890,
+          "byte_end": 15596,
+          "bytes": 5706,
           "h3_count": 7
         },
         {
           "name": "Output Format",
           "normalized_name": "output-format",
           "line": 180,
-          "byte_start": 15717,
-          "byte_end": 17232,
-          "bytes": 1515,
+          "byte_start": 15596,
+          "byte_end": 17087,
+          "bytes": 1491,
           "h3_count": 0
         },
         {
           "name": "Compliance Theater Check",
           "normalized_name": "compliance-theater-check",
           "line": 228,
-          "byte_start": 17232,
-          "byte_end": 19439,
+          "byte_start": 17087,
+          "byte_end": 19294,
           "bytes": 2207,
           "h3_count": 0
         },
@@ -3306,8 +3306,8 @@
           "name": "Defensive Countermeasure Mapping",
           "normalized_name": "defensive-countermeasure-mapping",
           "line": 240,
-          "byte_start": 19439,
-          "byte_end": 20190,
+          "byte_start": 19294,
+          "byte_end": 20045,
           "bytes": 751,
           "h3_count": 0
         },
@@ -3315,9 +3315,9 @@
           "name": "Hand-Off / Related Skills",
           "normalized_name": "hand-off",
           "line": 250,
-          "byte_start": 20190,
-          "byte_end": 20862,
-          "bytes": 672,
+          "byte_start": 20045,
+          "byte_end": 20754,
+          "bytes": 709,
           "h3_count": 0
         }
       ]
@@ -3888,7 +3888,7 @@
     },
     "email-security-anti-phishing": {
       "path": "skills/email-security-anti-phishing/skill.md",
-      "total_bytes": 29232,
+      "total_bytes": 29207,
       "total_lines": 219,
       "frontmatter": {
         "line_start": 1,
@@ -3902,16 +3902,16 @@
           "normalized_name": "threat-context",
           "line": 62,
           "byte_start": 1381,
-          "byte_end": 5811,
-          "bytes": 4430,
+          "byte_end": 5786,
+          "bytes": 4405,
           "h3_count": 0
         },
         {
           "name": "Framework Lag Declaration",
           "normalized_name": "framework-lag-declaration",
           "line": 80,
-          "byte_start": 5811,
-          "byte_end": 9893,
+          "byte_start": 5786,
+          "byte_end": 9868,
           "bytes": 4082,
           "h3_count": 0
         },
@@ -3919,8 +3919,8 @@
           "name": "TTP Mapping",
           "normalized_name": "ttp-mapping",
           "line": 102,
-          "byte_start": 9893,
-          "byte_end": 11985,
+          "byte_start": 9868,
+          "byte_end": 11960,
           "bytes": 2092,
           "h3_count": 0
         },
@@ -3928,8 +3928,8 @@
           "name": "Exploit Availability Matrix",
           "normalized_name": "exploit-availability-matrix",
           "line": 116,
-          "byte_start": 11985,
-          "byte_end": 13825,
+          "byte_start": 11960,
+          "byte_end": 13800,
           "bytes": 1840,
           "h3_count": 0
         },
@@ -3937,8 +3937,8 @@
           "name": "Analysis Procedure",
           "normalized_name": "analysis-procedure",
           "line": 135,
-          "byte_start": 13825,
-          "byte_end": 21267,
+          "byte_start": 13800,
+          "byte_end": 21242,
           "bytes": 7442,
           "h3_count": 0
         },
@@ -3946,8 +3946,8 @@
           "name": "Output Format",
           "normalized_name": "output-format",
           "line": 164,
-          "byte_start": 21267,
-          "byte_end": 23088,
+          "byte_start": 21242,
+          "byte_end": 23063,
           "bytes": 1821,
           "h3_count": 0
         },
@@ -3955,8 +3955,8 @@
           "name": "Compliance Theater Check",
           "normalized_name": "compliance-theater-check",
           "line": 181,
-          "byte_start": 23088,
-          "byte_end": 24890,
+          "byte_start": 23063,
+          "byte_end": 24865,
           "bytes": 1802,
           "h3_count": 0
         },
@@ -3964,8 +3964,8 @@
           "name": "Defensive Countermeasure Mapping",
           "normalized_name": "defensive-countermeasure-mapping",
           "line": 192,
-          "byte_start": 24890,
-          "byte_end": 28097,
+          "byte_start": 24865,
+          "byte_end": 28072,
           "bytes": 3207,
           "h3_count": 0
         },
@@ -3973,8 +3973,8 @@
           "name": "Hand-Off / Related Skills",
           "normalized_name": "hand-off",
           "line": 207,
-          "byte_start": 28097,
-          "byte_end": 29232,
+          "byte_start": 28072,
+          "byte_end": 29207,
           "bytes": 1135,
           "h3_count": 0
         }

package/data/_indexes/summary-cards.json CHANGED Viewed

@@ -469,7 +469,7 @@
     "pqc-first": {
       "description": "Post-quantum cryptography first mentality — hard version gates (OpenSSL 3.5+), algorithm sunset tracking, HNDL assessment, loopback learning for NIST/IETF evolution",
       "threat_context_excerpt": "The post-quantum migration is not a planning exercise. It is an operational deadline against an adversary that is already collecting ciphertext.",
-      "produces": "The skill produces a structured PQC Readiness Assessment that scores the org's post-quantum migration posture against the NIST PQC standards (ML-KEM / FIPS 203, ML-DSA / FIPS 204, SLH-DSA / FIPS 205), CNSA 2.0, and the BSI / ANSSI / NCSC migration guidance. The shape below is consumed downstream by `crypto` playbook runs (which feed the assessment into Phase 5 analyze), by `framework-gap-analysis` (for SC-8 / SC-13 / A.8.24 / A.10 lag declarations), and by `compliance-theater` (which compares the harvest-now-decrypt-later exposure against the org's data-classification claims). Preserve the per ...",
+      "produces": "The skill produces a structured PQC Readiness Assessment that scores the org's post-quantum migration posture against the NIST PQC standards (ML-KEM / FIPS 203, ML-DSA / FIPS 204, SLH-DSA / FIPS 205), CNSA 2.0, and the BSI / ANSSI / NCSC migration guidance. The shape below is consumed downstream by `crypto` playbook runs (which feed the assessment into the analysis correlation step), by `framework-gap-analysis` (for SC-8 / SC-13 / A.8.24 / A.10 lag declarations), and by `compliance-theater` (which compares the harvest-now-decrypt-later exposure against the org's data-classification claims). Pr ...",
       "key_xrefs": {
         "cwe_refs": [
           "CWE-327"
@@ -1354,7 +1354,7 @@
     "sector-telecom": {
       "description": "Telecom and 5G security for mid-2026 — Salt Typhoon, Volt Typhoon, CALEA / IPA-LI gateway compromise, signaling-protocol abuse (SS7 / Diameter / GTP), 5G N6 / N9 isolation, gNB / DU / CU integrity, OEM-equipment supply-chain compromise, AI-RAN / O-RAN security",
       "threat_context_excerpt": "**Salt Typhoon (China nation-state; PRC Ministry of State Security nexus).** The 2024–2026 campaign — disclosed in successive Five Eyes joint advisories from October 2024 onward (CISA / NSA / FBI joint product reissued through 2025–2026) — compromised at least nine US carriers (publicly named: AT&T, Verizon, T-Mobile US, Lumen, Charter, Cox, Windstream, Consolidated, plus undisclosed others) and extended to AU / CA / NZ / UK Tier-1 carriers. Threat actor TTPs map to T1199 (Trusted Relationship) via OEM vendor supply chain, T1098 (Account Manipulation) for persistent admin access on NMS, and ...",
-      "produces": "The investigation evidence bundle returned by phase 5 + 6 has this shape:\n\n```json\n{\n  \"session_id\": \"telecom-<iso>\",\n  \"playbook_id\": \"sector-telecom\",\n  \"classification\": \"detected | clean | not_detected | inconclusive\",\n  \"evidence_hash\": \"sha256:...\",\n  \"telecom_specific_findings\": {\n    \"li_gateway_audit\": {\n      \"anomalous_activations\": 0,\n      \"activations_outside_ticket\": 0,\n      \"outbound_tunnel_to_non_allowlist_ip\": 0\n    },\n    \"gnb_attestation_state\": {\n      \"expected_hashes_compared\": 0,\n      \"drifted_basestations\": [],\n      \"downgrade_events\": 0\n    },\n    \"signaling_anomal ...",
+      "produces": "The investigation evidence bundle has this shape:\n\n```json\n{\n  \"session_id\": \"telecom-<iso>\",\n  \"playbook_id\": \"sector-telecom\",\n  \"classification\": \"detected | clean | not_detected | inconclusive\",\n  \"evidence_hash\": \"sha256:...\",\n  \"telecom_specific_findings\": {\n    \"li_gateway_audit\": {\n      \"anomalous_activations\": 0,\n      \"activations_outside_ticket\": 0,\n      \"outbound_tunnel_to_non_allowlist_ip\": 0\n    },\n    \"gnb_attestation_state\": {\n      \"expected_hashes_compared\": 0,\n      \"drifted_basestations\": [],\n      \"downgrade_events\": 0\n    },\n    \"signaling_anomaly_count\": {\n      \"ss7_p ...",
       "key_xrefs": {
         "cwe_refs": [
           "CWE-287",

package/data/_indexes/token-budget.json CHANGED Viewed

@@ -3,8 +3,8 @@
     "schema_version": "1.0.0",
     "tokenizer_note": "Character-density approximation: 1 token ≈ 4 chars. This is the canonical rule-of-thumb for OpenAI tokenizers on English+technical text. Claude's tokenizer is typically more efficient on prose; treat this as an upper-bound budget for both. Consumers with stricter precision needs should re-tokenize with their own tokenizer.",
     "approx_chars_per_token": 4,
-    "total_chars": 1672973,
-    "total_approx_tokens": 418252,
+    "total_chars": 1672872,
+    "total_approx_tokens": 418226,
     "skill_count": 42
   },
   "skills": {
@@ -575,10 +575,10 @@
     },
     "threat-model-currency": {
       "path": "skills/threat-model-currency/skill.md",
-      "bytes": 33306,
-      "chars": 33120,
+      "bytes": 33310,
+      "chars": 33124,
       "lines": 448,
-      "approx_tokens": 8280,
+      "approx_tokens": 8281,
       "approx_chars_per_token": 4,
       "sections": {
         "frontmatter-scope": {
@@ -612,9 +612,9 @@
           "approx_tokens": 765
         },
         "exploit-availability-matrix": {
-          "bytes": 2349,
-          "chars": 2331,
-          "approx_tokens": 583
+          "bytes": 2353,
+          "chars": 2335,
+          "approx_tokens": 584
         },
         "compliance-theater-check": {
           "bytes": 1568,
@@ -770,10 +770,10 @@
     },
     "pqc-first": {
       "path": "skills/pqc-first/skill.md",
-      "bytes": 37988,
-      "chars": 37818,
+      "bytes": 38002,
+      "chars": 37832,
       "lines": 572,
-      "approx_tokens": 9455,
+      "approx_tokens": 9458,
       "approx_chars_per_token": 4,
       "sections": {
         "threat-context": {
@@ -837,9 +837,9 @@
           "approx_tokens": 375
         },
         "output-format": {
-          "bytes": 1477,
-          "chars": 1471,
-          "approx_tokens": 368
+          "bytes": 1491,
+          "chars": 1485,
+          "approx_tokens": 371
         },
         "defensive-countermeasure-mapping": {
           "bytes": 3868,
@@ -1880,10 +1880,10 @@
     },
     "sector-telecom": {
       "path": "skills/sector-telecom/skill.md",
-      "bytes": 20862,
-      "chars": 20762,
+      "bytes": 20754,
+      "chars": 20668,
       "lines": 257,
-      "approx_tokens": 5191,
+      "approx_tokens": 5167,
       "approx_chars_per_token": 4,
       "sections": {
         "threat-context": {
@@ -1907,14 +1907,14 @@
           "approx_tokens": 299
         },
         "analysis-procedure": {
-          "bytes": 5829,
-          "chars": 5773,
-          "approx_tokens": 1443
+          "bytes": 5706,
+          "chars": 5664,
+          "approx_tokens": 1416
         },
         "output-format": {
-          "bytes": 1515,
-          "chars": 1515,
-          "approx_tokens": 379
+          "bytes": 1491,
+          "chars": 1491,
+          "approx_tokens": 373
         },
         "compliance-theater-check": {
           "bytes": 2207,
@@ -1927,9 +1927,9 @@
           "approx_tokens": 188
         },
         "hand-off": {
-          "bytes": 672,
-          "chars": 662,
-          "approx_tokens": 166
+          "bytes": 709,
+          "chars": 699,
+          "approx_tokens": 175
         }
       }
     },
@@ -2265,16 +2265,16 @@
     },
     "email-security-anti-phishing": {
       "path": "skills/email-security-anti-phishing/skill.md",
-      "bytes": 29232,
-      "chars": 29116,
+      "bytes": 29207,
+      "chars": 29091,
       "lines": 219,
-      "approx_tokens": 7279,
+      "approx_tokens": 7273,
       "approx_chars_per_token": 4,
       "sections": {
         "threat-context": {
-          "bytes": 4430,
-          "chars": 4414,
-          "approx_tokens": 1104
+          "bytes": 4405,
+          "chars": 4389,
+          "approx_tokens": 1097
         },
         "framework-lag-declaration": {
           "bytes": 4082,

package/manifest.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "exceptd-security",
-  "version": "0.14.19",
+  "version": "0.14.20",
   "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation",
   "homepage": "https://exceptd.com",
   "license": "Apache-2.0",
@@ -53,7 +53,7 @@
       ],
       "last_threat_review": "2026-05-15",
       "signature": "lXhZgoIrrVloO3XaTvo/43AxZn4mwErstd7DR0O/oVhD3AOGODM4HqrageYEou9WKOdMEGP5mJNTjJsXdP5NDA==",
-      "signed_at": "2026-05-28T02:00:05.573Z",
+      "signed_at": "2026-05-28T02:32:11.254Z",
       "cwe_refs": [
         "CWE-125",
         "CWE-362",
@@ -123,7 +123,7 @@
       ],
       "last_threat_review": "2026-05-17",
       "signature": "ztSKk/zFMFbT12qRcEeBKpydBn7fTT86KxMmor0DTCoKQWk5fJ0fSInfP1XMSB6rFk4/SuSjKVxQRMKVJ5a+Cg==",
-      "signed_at": "2026-05-28T02:00:05.575Z",
+      "signed_at": "2026-05-28T02:32:11.256Z",
       "cwe_refs": [
         "CWE-1039",
         "CWE-1426",
@@ -196,7 +196,7 @@
       ],
       "last_threat_review": "2026-05-17",
       "signature": "K6QdPHNK5c4K5QFjrW0QsUhjp71D7SOisSoulwPNSvKRdi2rY+yg0kdckijBMkLMsVPyUvcC9giu93mKJ1OZDg==",
-      "signed_at": "2026-05-28T02:00:05.575Z",
+      "signed_at": "2026-05-28T02:32:11.256Z",
       "cwe_refs": [
         "CWE-22",
         "CWE-345",
@@ -248,7 +248,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-22",
       "signature": "Qd3SBWmUAaaT++e1Ry2wBIz/dCBmNBMl0+4Rb0etvJLES0fIBEAkU1mTbgNZnT5XOg9J5twdUpymWtmKnDDQCQ==",
-      "signed_at": "2026-05-28T02:00:05.576Z"
+      "signed_at": "2026-05-28T02:32:11.257Z"
     },
     {
       "name": "compliance-theater",
@@ -279,7 +279,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "F2Shxae0ua0gPtvwzTRVzzHaIgJcFDRT3/akLUAZ4aaMQhkleKkcTaTpkjp+pTVEdPfLeLGNCeAOMs+whVYOBg==",
-      "signed_at": "2026-05-28T02:00:05.576Z"
+      "signed_at": "2026-05-28T02:32:11.257Z"
     },
     {
       "name": "exploit-scoring",
@@ -308,7 +308,7 @@
       ],
       "last_threat_review": "2026-05-18",
       "signature": "NA1hoQycvQhSUoG5rwlXX0mOVmGxoXRVezkELGEA2nZOdGis4gXkHT3O6Sfw7zxE4JuMrsCb65TEeOWk9WEPDg==",
-      "signed_at": "2026-05-28T02:00:05.577Z"
+      "signed_at": "2026-05-28T02:32:11.258Z"
     },
     {
       "name": "rag-pipeline-security",
@@ -345,7 +345,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "W3pS8lnaCP96TQzsJpG5d5yv5IwgaQyS4Z2Ctcz5BOJf6LbajSIgeDgTZ4f4Bhr5m4E7KsgWGjZS4x7Fwd33BQ==",
-      "signed_at": "2026-05-28T02:00:05.577Z",
+      "signed_at": "2026-05-28T02:32:11.258Z",
       "cwe_refs": [
         "CWE-1395",
         "CWE-1426"
@@ -405,7 +405,7 @@
       ],
       "last_threat_review": "2026-05-17",
       "signature": "/WDGygh1Ck4yWlBWDGtEUVCqKB8d+UaJXoAoBXujtt+GAl8JbMNpaN1TvI0WkEltQ9dTxaAzSn20/eVDqv8iDQ==",
-      "signed_at": "2026-05-28T02:00:05.577Z",
+      "signed_at": "2026-05-28T02:32:11.258Z",
       "d3fend_refs": [
         "D3-CA",
         "D3-CSPP",
@@ -440,7 +440,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-22",
       "signature": "za1NKBpy9LC91F/ESO/qhUfmvVr8GNItQOjR5OJLeHm+2dQ9HHiFWQK2eo53V/n/0uhubuggURA3yS6kJuWwBg==",
-      "signed_at": "2026-05-28T02:00:05.578Z",
+      "signed_at": "2026-05-28T02:32:11.259Z",
       "cwe_refs": [
         "CWE-1188"
       ],
@@ -473,8 +473,8 @@
       "attack_refs": [],
       "framework_gaps": [],
       "last_threat_review": "2026-05-18",
-      "signature": "xiHAhhdufm9hCKU8PLiPE0MX65ej2F4OZwtlWLGLCiie9/km+Kiqbt192LcMvr94v83C98pb9wIaqFsFWft6AQ==",
-      "signed_at": "2026-05-28T02:00:05.578Z",
+      "signature": "1853tUUOO35GCXP4vn4qYdBDCdGJu2/WXCNOShhEt69G6BUoq9C3gYGjKWwEPxRKjwjyMtb2nmsL2BZFHRIADw==",
+      "signed_at": "2026-05-28T02:32:11.259Z",
       "forward_watch": [
         "New AI attack classes as ATLAS v6 publishes",
         "Post-quantum adversary capability timeline",
@@ -513,7 +513,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "oYsSk35N2Uzq7MRofACykylcVwkgPhI4luWZ14vmQT+gUKLyZiKVOUJbe1+7lGl6BYPRN0sUDQ0f7S5Eu5w2Ag==",
-      "signed_at": "2026-05-28T02:00:05.578Z"
+      "signed_at": "2026-05-28T02:32:11.259Z"
     },
     {
       "name": "zeroday-gap-learn",
@@ -540,7 +540,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-18",
       "signature": "igRqYyU1unRFH40BsPyAR62SPrk8QZv8dPGb8S9O9EvLCNOZAzm3t+HdT/NKqzWHwrpomOzkkkyLfYI/0qTUDA==",
-      "signed_at": "2026-05-28T02:00:05.579Z",
+      "signed_at": "2026-05-28T02:32:11.260Z",
       "forward_watch": [
         "New CISA KEV entries",
         "New ATLAS TTP additions in each ATLAS release",
@@ -603,8 +603,8 @@
         "New CRQC timeline estimates from academic cryptanalysis"
       ],
       "last_threat_review": "2026-05-22",
-      "signature": "i/17u4kJiSpcZAz7LnTyRePFugQOstQ1P4kVoe0oGf4E2/j8oIN9U9DccjUn/YHZhKWIJ2AILG/DMhvMrr3bBg==",
-      "signed_at": "2026-05-28T02:00:05.579Z",
+      "signature": "XJFnPtu9tG23qlHGUJulQ0/Vu/p41qFrQng0fE3+GpCPD35+oipdlDXvf9zFo6A6i4OVj601qNuXKh9/kfcHDw==",
+      "signed_at": "2026-05-28T02:32:11.260Z",
       "cwe_refs": [
         "CWE-327"
       ],
@@ -652,7 +652,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "QuOVaQ4E2Sl39TClbhZ7HA9XrYAyRrDL44HY3RTE7aWLue0hV2cxaBt40ALGmHS++631QGFDlZTLZI77Tr6nAA==",
-      "signed_at": "2026-05-28T02:00:05.579Z"
+      "signed_at": "2026-05-28T02:32:11.260Z"
     },
     {
       "name": "security-maturity-tiers",
@@ -689,7 +689,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "8Px1s2lDj10/Q6erwEQlXgUHM1+OTruUR8qAHPX7Oo3k/l69N6P9sm0PsafS9wDFtj9l5C/OiLiFgzMlMt6vBw==",
-      "signed_at": "2026-05-28T02:00:05.580Z",
+      "signed_at": "2026-05-28T02:32:11.261Z",
       "cwe_refs": [
         "CWE-1188"
       ]
@@ -724,7 +724,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-11",
       "signature": "urRcataVWg6/utyEkSiOWoNxTL8sABRjPR7ShyDfZGnAozFph/yDktSoaPVxQDXwu9EfJE+qhUW5OYR/yJECBQ==",
-      "signed_at": "2026-05-28T02:00:05.580Z"
+      "signed_at": "2026-05-28T02:32:11.261Z"
     },
     {
       "name": "attack-surface-pentest",
@@ -796,7 +796,7 @@
         "Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — Microsoft Edge 4-bug sandbox escape by Orange Tsai (DEVCORE); forward-watch only (browser sandbox, out of current playbook scope); track Microsoft Edge security advisory and KEV add"
       ],
       "signature": "C7lv65/Ecm8JJgSKxrX5lxx0YFzKWtrIQSKp+vy50I5e8945s1JmifGUUrnQwRQhq/Pkv7EmfiH5XSO8h75bDg==",
-      "signed_at": "2026-05-28T02:00:05.580Z"
+      "signed_at": "2026-05-28T02:32:11.261Z"
     },
     {
       "name": "fuzz-testing-strategy",
@@ -856,7 +856,7 @@
         "OSS-Fuzz-Gen / AI-assisted harness generation becoming the default expectation for OSS maintainers"
       ],
       "signature": "Z7ypCUnXx8JpLtgxxB6RHNi39w74AmrGY1N4ofAGCXhkuM2EaFVm1AU0dvl9UQ1bVLfHKEDGqMO/TwlIY7RABg==",
-      "signed_at": "2026-05-28T02:00:05.581Z"
+      "signed_at": "2026-05-28T02:32:11.261Z"
     },
     {
       "name": "dlp-gap-analysis",
@@ -931,7 +931,7 @@
         "Quebec Law 25, India DPDPA, KSA PDPL enforcement actions naming AI-tool prompt data as in-scope personal information"
       ],
       "signature": "IgEnpHOhCftAyfUNdKsjbrd169T9pJkk/rRM2ZEna+H18y7p5x48+1kME2sJMZjJuyAdQFBJi8PJXZFwLGI+DQ==",
-      "signed_at": "2026-05-28T02:00:05.581Z"
+      "signed_at": "2026-05-28T02:32:11.262Z"
     },
     {
       "name": "supply-chain-integrity",
@@ -1010,7 +1010,7 @@
         "Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — NVIDIA Megatron Bridge path traversal by haehae; AI training-stack file-system trust boundary; track patch and SBOM-attestation impact"
       ],
       "signature": "pcLrM98A3vUSZRjwNAk0aZ9umvOwB41XCLLsCOy/IebB2F/06oIrGUKkMHtHwm4pTVPShMMcKdZQQ3jz30FnCg==",
-      "signed_at": "2026-05-28T02:00:05.581Z"
+      "signed_at": "2026-05-28T02:32:11.262Z"
     },
     {
       "name": "defensive-countermeasure-mapping",
@@ -1067,7 +1067,7 @@
       ],
       "last_threat_review": "2026-05-11",
       "signature": "G5q5elh7Q7eu2xcwTVQJGDTGfvZR0OGQaLSLJPb2wjzCHFF8PWuZfCHZdjjqisiRzRWPyLlzgfHeMJqOdy7cBw==",
-      "signed_at": "2026-05-28T02:00:05.582Z"
+      "signed_at": "2026-05-28T02:32:11.262Z"
     },
     {
       "name": "identity-assurance",
@@ -1134,7 +1134,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "Wv5hGMeHjlaQK1zwicVCA7AvdKgJBgvcjdpGM9Ywahh9tagAKhbkOjybowDQZzu7OZ3bDkbh6pBYc1Sdwr6NAA==",
-      "signed_at": "2026-05-28T02:00:05.582Z"
+      "signed_at": "2026-05-28T02:32:11.263Z"
     },
     {
       "name": "ot-ics-security",
@@ -1190,7 +1190,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "8t5qKHd3yWi57dvG36YQkLN/X9bQWqtEiYjay4IfSmqhJpM/xXPaQVKNGz3wscrO8OLKUZ0OaX7Mj5kzpgBKBQ==",
-      "signed_at": "2026-05-28T02:00:05.582Z"
+      "signed_at": "2026-05-28T02:32:11.263Z"
     },
     {
       "name": "coordinated-vuln-disclosure",
@@ -1242,7 +1242,7 @@
         "NYDFS 23 NYCRR 500 amendments potentially adding explicit CVD program requirements"
       ],
       "signature": "GDGt4UPqBa04PjlpSmpyihGzd3OgfBN7jaAK5tfwp+LRSs3ygKOdbeivUCCHNagTY1hE6hG2Ou40ADfBFuXeAg==",
-      "signed_at": "2026-05-28T02:00:05.582Z"
+      "signed_at": "2026-05-28T02:32:11.263Z"
     },
     {
       "name": "threat-modeling-methodology",
@@ -1292,7 +1292,7 @@
         "PASTA v2 updates incorporating AI/ML application threats"
       ],
       "signature": "rFBpOQEJUPpl+v88Lw/WqVJRhTl80vy0VbPAbzQj3Q0suJRRrJg368I9uKu5LXIBKFDvKxnGIcIzbGg9NUtaCA==",
-      "signed_at": "2026-05-28T02:00:05.583Z"
+      "signed_at": "2026-05-28T02:32:11.264Z"
     },
     {
       "name": "webapp-security",
@@ -1366,7 +1366,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "ux85YI4t2mVHOyt744Yin1HHy+z11JIFygjKfFfQOBBl5QVV3A267jeIy7utix85irMcpZm/T3yx/ooqiK2tBA==",
-      "signed_at": "2026-05-28T02:00:05.583Z",
+      "signed_at": "2026-05-28T02:32:11.264Z",
       "forward_watch": [
         "NGINX Rift CVE-2026-42945 (disclosed 2026-05-13, source depthfirst) — KEV-watch predicted CISA KEV listing by 2026-05-29; AI-assisted discovery angle; track for active-exploitation confirmation and patch advisory affecting front-door web app deployments"
       ]
@@ -1419,7 +1419,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-15",
       "signature": "IIXnkZ5ZNqFwOto5KfytADTLLZLoyXNZACD1ORZ40P1HUAQxe6u2uyXFzzsfuob4Uy06jNkRGr2FFgCphUH1Cw==",
-      "signed_at": "2026-05-28T02:00:05.584Z"
+      "signed_at": "2026-05-28T02:32:11.265Z"
     },
     {
       "name": "sector-healthcare",
@@ -1479,7 +1479,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "AhF9KF8ZBlDteciV+F8IBSmFVYCvQOn44GmD4rZjgLoPxfIv/QE1/vSkK32zyqDKtHWkLSXExbkkPkxA/V6dDw==",
-      "signed_at": "2026-05-28T02:00:05.584Z"
+      "signed_at": "2026-05-28T02:32:11.265Z"
     },
     {
       "name": "sector-financial",
@@ -1560,7 +1560,7 @@
         "TIBER-EU framework v2.0 alignment with DORA TLPT RTS (JC 2024/40); cross-recognition with CBEST and iCAST"
       ],
       "signature": "HQgZvb4ReziEz5rNFr8i/O8/rJEZR+iHRROT7m/D2QUqhrcNISPkYXENsUZlG8xapzy/Ik92ehkseyj4hdmhCQ==",
-      "signed_at": "2026-05-28T02:00:05.584Z"
+      "signed_at": "2026-05-28T02:32:11.266Z"
     },
     {
       "name": "sector-federal-government",
@@ -1629,7 +1629,7 @@
         "Australia PSPF 2024 revision and ISM quarterly updates — track for Essential Eight Maturity Level requirements for federal entities"
       ],
       "signature": "linxmsXZiOYtcs71sSWgGCrvb8xQfmxmtTY5PRvZJ0/8FgJulo0tQtejzexYG775s7XhjAmGsDP238BQTQ8ADA==",
-      "signed_at": "2026-05-28T02:00:05.585Z"
+      "signed_at": "2026-05-28T02:32:11.266Z"
     },
     {
       "name": "sector-energy",
@@ -1694,7 +1694,7 @@
         "ICS-CERT advisory feed (https://www.cisa.gov/news-events/cybersecurity-advisories/ics-advisories) for vendor CVEs in Siemens, Rockwell, Schneider Electric, ABB, GE Vernova, Hitachi Energy, AVEVA / OSIsoft PI"
       ],
       "signature": "JjBfc0ovta560Clk0x3QGRM5osFJDwcvpy3rT7QEGdCIL827jzE8QCow1C8deXq+4JhY2sA/d7/8IsxikdlkCg==",
-      "signed_at": "2026-05-28T02:00:05.585Z"
+      "signed_at": "2026-05-28T02:32:11.266Z"
     },
     {
       "name": "sector-telecom",
@@ -1779,8 +1779,8 @@
         "3GPP TS 33.501 updates (5G security architecture rebaseline)",
         "O-RAN SFG / WG11 security specifications"
       ],
-      "signature": "JWVxKFoKrbX4d+Tko1d4OBdwyg25MfFFKn4CT6E/CzH+YwnU3T6Y76uBQIKg3+gIGTvPduqyvQwQQ5FxKDuPBw==",
-      "signed_at": "2026-05-28T02:00:05.585Z"
+      "signature": "QpfWU8d2FFbo/Kt0Be2jcyDM9JPhKOiwKSi+RWmtPa2SrBVzFNYdC3T23fQXxHDEC2iyApEbXnwk8KN4d6PuBQ==",
+      "signed_at": "2026-05-28T02:32:11.267Z"
     },
     {
       "name": "api-security",
@@ -1849,7 +1849,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-18",
       "signature": "BmCRCestWqr55+fCynEhtAl5NWLT+xLTkpwS0Icp3SaoZOw/ce3Y6TtqjHRSKn4CBJq7YDiLRWxmhO3MStvOAA==",
-      "signed_at": "2026-05-28T02:00:05.586Z",
+      "signed_at": "2026-05-28T02:32:11.267Z",
       "forward_watch": [
         "NGINX Rift CVE-2026-42945 (disclosed 2026-05-13, source depthfirst) — KEV-watch predicted CISA KEV listing by 2026-05-29; track for active-exploitation confirmation and patch advisory affecting API gateway / reverse-proxy deployments",
         "Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — LiteLLM 3-bug SSRF + Code Injection chain by k3vg3n; LLM-proxy API surface; track upstream patch and CVE assignments",
@@ -1935,7 +1935,7 @@
         "CISA KEV additions for cloud-control-plane CVEs (IMDSv1 abuses, federation token mishandling, cross-tenant boundary failures); CISA Cybersecurity Advisories for cross-cloud advisories"
       ],
       "signature": "/DV3pmZwrRySrk1OCbyI+0BQESacjupJfUX3eC2NGtXuYOBro0vndIP+z27heFxumnjU3a9sfla7/U9X+pqnDw==",
-      "signed_at": "2026-05-28T02:00:05.586Z"
+      "signed_at": "2026-05-28T02:32:11.267Z"
     },
     {
       "name": "container-runtime-security",
@@ -1997,7 +1997,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-15",
       "signature": "E2UGSf9ATyYgzBr8uM/0ubOUmDqo1jVA7f9mVxv6LHfWGCNuQNXDyuNou9VAmUCeeXEeUYIi3AFjXkJqpOkxDA==",
-      "signed_at": "2026-05-28T02:00:05.586Z",
+      "signed_at": "2026-05-28T02:32:11.268Z",
       "forward_watch": [
         "Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — NVIDIA Container Toolkit container escape ($50K award) by chompie / IBM X-Force XOR; high-severity container/hypervisor boundary break; track patch and KEV add post-embargo"
       ]
@@ -2071,7 +2071,7 @@
         "MITRE ATLAS v5.6.0 (released May 2026) shipped the AML.T0010 sub-technique expansion this forecast tracked plus new techniques (\"Publish Poisoned AI Agent Tool\", \"Escape to Host\"); inventory now 16 tactics, 84 techniques, 56 sub-techniques. Forward watch: subsequent ATLAS minor and major releases — track next-cadence updates to agentic-AI TTPs and MLOps-pipeline-specific techniques"
       ],
       "signature": "IL+DlRCDJN/p08iiJCFkasKcoyjcB0uWrJ6ORLjQcS1HrUa5Xt62QxVjYPHzaevlm5y36ZdmfESqsZJmzK3lCg==",
-      "signed_at": "2026-05-28T02:00:05.587Z"
+      "signed_at": "2026-05-28T02:32:11.268Z"
     },
     {
       "name": "incident-response-playbook",
@@ -2133,7 +2133,7 @@
         "NYDFS 23 NYCRR 500.17 amendments tightening ransom-payment 24h disclosure operationalization"
       ],
       "signature": "MmjLjlmOMLjhJJ4ZfR8MYlHam+ZB+eSqfh6Nv+DecaG4O5zeo9DBP/iL3cbyDVZxmhnhivgJild2ccYeWTeZAg==",
-      "signed_at": "2026-05-28T02:00:05.587Z"
+      "signed_at": "2026-05-28T02:32:11.269Z"
     },
     {
       "name": "ransomware-response",
@@ -2213,7 +2213,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "ssueL03g9fWlhXpTe+IiY5l7RqQkunN4DTN5QETKE+VOX+qggdjAR8PONxk77ol4xWYmHrM/VcH8CNtXUEvgBA==",
-      "signed_at": "2026-05-28T02:00:05.587Z"
+      "signed_at": "2026-05-28T02:32:11.269Z"
     },
     {
       "name": "email-security-anti-phishing",
@@ -2265,8 +2265,8 @@
       "cwe_refs": [],
       "d3fend_refs": [],
       "last_threat_review": "2026-05-18",
-      "signature": "rK+WnuS+9tqEABmwc0jO/PEmxcLjG1/tmUb897HsClQeKzf+TQOlwBE+OsbtuKxpjYNwur62Xxs3TxObkwm8Cw==",
-      "signed_at": "2026-05-28T02:00:05.588Z"
+      "signature": "oAFeZmci6BN7Xlu0oOThrazZNBQBIWeCQnoZDqjXo9cs1hIe/6ZijSEr3R3hFQSXH3c1KAbhPw+InR9Gc0HIBQ==",
+      "signed_at": "2026-05-28T02:32:11.269Z"
     },
     {
       "name": "age-gates-child-safety",
@@ -2334,7 +2334,7 @@
         "US state adult-site age-verification laws — 19+ states by mid-2026 (TX HB 18 upheld by SCOTUS June 2025 in Free Speech Coalition v. Paxton); track ongoing challenges in remaining states"
       ],
       "signature": "Rgho5TOFUL1txOzcVR0kASCNdovSU4yt99JlGilJlJRyg0A+BdeeQYrZrhPF6Vx2reUAVG0BeHfcZtSbi+cwCg==",
-      "signed_at": "2026-05-28T02:00:05.588Z"
+      "signed_at": "2026-05-28T02:32:11.270Z"
     },
     {
       "name": "cloud-iam-incident",
@@ -2414,7 +2414,7 @@
       ],
       "last_threat_review": "2026-05-15",
       "signature": "e/kij7GtKaytROyIj7V5RH+FC9WtmVFzrmG2kIlNDNn29ep/CRNlIQKwXLpzo/81AIf634pmdr1qy/+vwIuUDA==",
-      "signed_at": "2026-05-28T02:00:05.588Z",
+      "signed_at": "2026-05-28T02:32:11.270Z",
       "forward_watch": [
         "AWS IAM Identity Center session-policy refresh and step-up-on-admin enforcement (anticipated 2026-H2 release)",
         "GCP Workload Identity Federation principal-set attribute mapping tightening (post-2026 Q3 Federation hardening guide)",
@@ -2508,7 +2508,7 @@
       ],
       "last_threat_review": "2026-05-15",
       "signature": "ew9Kglc9fAZzbn0ZIfGP7WSK/j4eV2VhSvpy+s5bEfNEVYIMa2kZjnGBapgUsyGDLes9H9K2ovjQyX17+GKiBw==",
-      "signed_at": "2026-05-28T02:00:05.589Z",
+      "signed_at": "2026-05-28T02:32:11.270Z",
       "forward_watch": [
         "Entra ID conditional access evolution post-Midnight Blizzard — Microsoft's 2025-2026 commitments on legacy-tenant MFA enforcement and OAuth-app consent gating",
         "Okta IPSIE (Interoperability Profile for Secure Identity in the Enterprise) OpenID Foundation working-group output and adoption timeline",
@@ -2526,6 +2526,6 @@
   ],
   "manifest_signature": {
     "algorithm": "Ed25519",
-    "signature_base64": "A9IcW6Aq3w7+HN5w1AY317hnSWFQnrOebXtFjJEDQMO1MHsyLn1yd73rjuMWNQKcwJZ79eXFZfUQNfmr3zrwAQ=="
+    "signature_base64": "5OiCS9JG1FyBhcQTjlzV2KgueN5dvuLey3BsQCUskFORk8RMth3VNoYjSCzbaxKo1U3WcqjY21DtpdjPWFXxCg=="
   }
 }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/exceptd-skills",
-  "version": "0.14.19",
+  "version": "0.14.20",
   "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 42 skills, 11 catalogs (406 CVEs / 171 CWEs / 805 ATT&CK + ICS / 170 ATLAS / 468 D3FEND / 8888 RFCs), 35 jurisdictions, 10-class catalog gap detector + budget gate, real XML parser + canonical-form diff + content-pattern regression detection, Ed25519-signed.",
   "keywords": [
     "ai-security",

package/sbom.cdx.json CHANGED Viewed

@@ -1,22 +1,22 @@
 {
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:a14d98c4-ae19-4c3f-b7b7-4f7b8eac8934",
+  "serialNumber": "urn:uuid:ad7d6e30-1f30-448b-9b72-08b3725ef84e",
   "version": 1,
   "metadata": {
-    "timestamp": "2111-10-04T22:59:16.000Z",
+    "timestamp": "2118-03-28T09:49:36.000Z",
     "tools": [
       {
         "vendor": "blamejs",
         "name": "scripts/refresh-sbom.js",
-        "version": "0.14.19"
+        "version": "0.14.20"
       }
     ],
     "component": {
-      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.14.19",
+      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.14.20",
       "type": "application",
       "name": "@blamejs/exceptd-skills",
-      "version": "0.14.19",
+      "version": "0.14.20",
       "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 42 skills, 11 catalogs (406 CVEs / 171 CWEs / 805 ATT&CK + ICS / 170 ATLAS / 468 D3FEND / 8888 RFCs), 35 jurisdictions, 10-class catalog gap detector + budget gate, real XML parser + canonical-form diff + content-pattern regression detection, Ed25519-signed.",
       "licenses": [
         {
@@ -25,17 +25,17 @@
           }
         }
       ],
-      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.14.19",
+      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.14.20",
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "0cb7b8199eb85326d5c176968e0719de6dcaa30e94d41b6bfcf748744619dd7e"
+          "content": "c1335307705d90a12e6b3d03d0213107590748fbefb17affec2b4134027a2066"
         }
       ],
       "externalReferences": [
         {
           "type": "distribution",
-          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.14.19"
+          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.14.20"
         },
         {
           "type": "vcs",
@@ -116,11 +116,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "16ad3e1e4f9fd21269c5b9d75b8fbfc8405087a0cb3d2ae889b52fce3f109e9f"
+          "content": "70237899d20090dad92ebb1847b7645138b1f94f072f0a4c6101e969f30c4049"
         },
         {
           "alg": "SHA3-512",
-          "content": "98b3a80808845374818c95b68fda38cdfb79dc40991add63d0e1456be75de8b4f2d890f1e1a52e518c7363a4cbfbf6e6779fb5dd675440252281326ac8126690"
+          "content": "5d51b673341672c8f0efbca7ba0c7fb85acbc07fda47ec314bd10b2a979a3c736aa5cea78f73f7f259cd5099332bfaa70b8ab59d0d376d1f41b07cd962b88927"
         }
       ]
     },
@@ -1751,11 +1751,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "633b5ddcd6927b365cab9672477db8b0ce64df963f2d44526e10d3eb7b10edd7"
+          "content": "dc4cdb2fa56243e42a1989558997a236e564176fa6c8e5dcae9de9d2dad8399b"
         },
         {
           "alg": "SHA3-512",
-          "content": "3bcccff8e1981ae4ca0ea07df52219e444326b718e14d42cfe36dc04e8148ccad8cb2a9a77a162a2b1f3381f07b693b3973fbae4ef24466afa787d22c5a33327"
+          "content": "79f50a6fa13bb5b81b29bed3a637e6e94a3df1689ed14d88bfc6ce1bd1df5353044308c3db24c065d69b522dd38de3c37f5bf0efd9b0ccc6c66a3acc163d77b8"
         }
       ]
     },
@@ -2696,11 +2696,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "250f266908f51f99a4cb3aec0d5dacfcf91fac9f3d95e5a117429a40ed2ff45a"
+          "content": "da0b937350e538b55db8daa1f50047d9f4e889e6b89b040dcecfb71feecd63d7"
         },
         {
           "alg": "SHA3-512",
-          "content": "fd4b35d28d126b0fd5ea76c565deb723d69738e96545f86b8c3684bf7aea82d32bb2a2ebc278321fed9e8e9895ae4d1851a65c53b945fdecf49cb6964f895ad6"
+          "content": "0e8f1255c307f32515741283bbd8090add1429fbd69a0df1ddff2f246ddac1759216e1c2d8e19ec866cac4f374144525984e621002ff389a982b6e8f3111209a"
         }
       ]
     },
@@ -2891,11 +2891,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "3b41b59eb4e8480b691ff17185f42b9fbfd7665e369fc210feba496688cc77aa"
+          "content": "8b77569100d10201044d63a69cbc83c9cfe6d2c3568884aa900ef0eb72ba99c3"
         },
         {
           "alg": "SHA3-512",
-          "content": "29d98c34fc97e6bd7b9331c69ae7f27cf1eec5e182d7885c54eb6be91820bde0aaca746bda5590aa12cc1962d43d5337be569bfc7a007f4286ffee6a9a4a0412"
+          "content": "280de5761907468c126ec976b8d8bce97bbb87acdf8895c4f8885630dd2c887a76abff3a2b6781d77f34bc0306801b0f7f6a59e33af85f36f155aea2b92e185d"
         }
       ]
     },
@@ -3011,11 +3011,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "59193e39c2fd73fdd7fede38a956bc730bbe4b712d7d6020788bb4d85f001ad8"
+          "content": "2f336a0b79cd28a3353ec0a72ce0469ac57305345d652247e7cb368f79ec8d4f"
         },
         {
           "alg": "SHA3-512",
-          "content": "872b65942dd189504cca186babc7543c806b2c1463070f527524e9a2c097b2f030b1806bb434436b3a4bbb4865b4f38d15115327a37ecc9aad64a6bccbd3bf50"
+          "content": "ea3a722c2a18e32d1127393561f3122d827a26b69f95df986999a957f943fb809aef26aa99fd4f1ec0f7223a7e78843c784e0cea2710482f9b6dc20fc7196884"
         }
       ]
     },
@@ -3071,11 +3071,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "4295c0efe31dcbec1a7bc96b8ce05d41414d918cbfc7fb7dffb2be7e4d873ae3"
+          "content": "637861b4dcd2cb608c08c5aa62a8ef73efc976584f901e612c73cf53b3559422"
         },
         {
           "alg": "SHA3-512",
-          "content": "48b2a5adaea65860fe55c4b263d3365bc8416052ed7bb348f9af60f6af2e377208ece65ff3de4ea56059bf712029b3ad9bd3fead5f1a5aca5292a249ab5e1cdf"
+          "content": "82a8f600bc6ebf7acfe9c80dfe691569f6f65e362e4e81f259c24d899f8cef54c55ee31e56548ddcc0a2fd3a50f31f199d5f133823221457c03e0cfc86a6a076"
         }
       ]
     },

package/skills/email-security-anti-phishing/skill.md CHANGED Viewed

@@ -71,7 +71,7 @@ Phishing remained the #1 initial-access vector through 2025 (Verizon DBIR 2025)
 **Business Email Compromise losses continued growing through 2025.** FBI IC3 2024 and 2025 reports place BEC at multi-billion-USD annual loss globally, with the wire-redirection and vendor-invoice-fraud subclasses dominant. The 2026 reality is that BEC is no longer "compromised mailbox sends a wire request" — it is increasingly "spoofed-or-look-alike domain plus deepfake voice/video confirmation channel" so that out-of-band verification by phone *fails open* unless the callback number is a pre-registered known-good.
-**Defense ecosystem snapshot.** SPF (RFC 7208), DKIM (RFC 6376), and DMARC (RFC 7489) adoption is effectively universal among Fortune 500 sender domains, but **enforcement** (`p=reject` vs `p=none`) lags — only roughly 60% of large enterprise domains are at `p=reject` by mid-2026, with the rest stuck in monitoring mode for fear of breaking legitimate forwarders. BIMI (AuthIndicators Working Group draft, with IETF mailing-list discussion ongoing as of mid-2026) for visual brand verification is deployed at Gmail, Yahoo Mail, and Apple Mail, but requires DMARC `p=quarantine` or `p=reject` to take effect — so it doubles as enforcement-status signaling. ARC (RFC 8617) is the forwarder-authentication answer to the DMARC-vs-mailing-list problem and is maturing across major providers. MTA-STS (RFC 8461) and TLSRPT (RFC 8460) close the in-transit TLS-downgrade gap that opportunistic STARTTLS leaves open. The cloud email duopoly — Microsoft 365 Exchange Online and Google Workspace Gmail — is the canonical ephemeral inbox environment per the project's ephemeral-realities rule; on-prem Exchange remains in regulated and air-gapped enclaves and gets an explicit exception path below.
+**Defense ecosystem snapshot.** SPF (RFC 7208), DKIM (RFC 6376), and DMARC (RFC 7489) adoption is effectively universal among Fortune 500 sender domains, but **enforcement** (`p=reject` vs `p=none`) lags — only roughly 60% of large enterprise domains are at `p=reject` by mid-2026, with the rest stuck in monitoring mode for fear of breaking legitimate forwarders. BIMI (AuthIndicators Working Group draft, with IETF mailing-list discussion ongoing as of mid-2026) for visual brand verification is deployed at Gmail, Yahoo Mail, and Apple Mail, but requires DMARC `p=quarantine` or `p=reject` to take effect — so it doubles as enforcement-status signaling. ARC (RFC 8617) is the forwarder-authentication answer to the DMARC-vs-mailing-list problem and is maturing across major providers. MTA-STS (RFC 8461) and TLSRPT (RFC 8460) close the in-transit TLS-downgrade gap that opportunistic STARTTLS leaves open. The cloud email duopoly — Microsoft 365 Exchange Online and Google Workspace Gmail — is the canonical inbox environment most enterprises operate in; on-prem Exchange remains in regulated and air-gapped enclaves and gets an explicit exception path below.
 **Phishing-resistant authentication.** FIDO2 / WebAuthn synced passkeys are the only widely deployed authenticator class that survives AiTM proxy phishing (evilginx-class), Tycoon-2FA-style session-token relay, and push-notification fatigue attacks. TOTP, SMS, and push-MFA are all bypassable by 2026 phishing-kit ecosystems. Caffeine and Tycoon 2FA continue to evolve; observed 2025 telemetry shows passkey-relay attempts emerging against poorly configured WebAuthn relying-party verification.

package/skills/pqc-first/skill.md CHANGED Viewed

@@ -514,7 +514,7 @@ Priority order:
 ## Output Format
-The skill produces a structured PQC Readiness Assessment that scores the org's post-quantum migration posture against the NIST PQC standards (ML-KEM / FIPS 203, ML-DSA / FIPS 204, SLH-DSA / FIPS 205), CNSA 2.0, and the BSI / ANSSI / NCSC migration guidance. The shape below is consumed downstream by `crypto` playbook runs (which feed the assessment into Phase 5 analyze), by `framework-gap-analysis` (for SC-8 / SC-13 / A.8.24 / A.10 lag declarations), and by `compliance-theater` (which compares the harvest-now-decrypt-later exposure against the org's data-classification claims). Preserve the per-protocol cryptographic-inventory rows verbatim — they are the auditable derivation of the migration roadmap.
+The skill produces a structured PQC Readiness Assessment that scores the org's post-quantum migration posture against the NIST PQC standards (ML-KEM / FIPS 203, ML-DSA / FIPS 204, SLH-DSA / FIPS 205), CNSA 2.0, and the BSI / ANSSI / NCSC migration guidance. The shape below is consumed downstream by `crypto` playbook runs (which feed the assessment into the analysis correlation step), by `framework-gap-analysis` (for SC-8 / SC-13 / A.8.24 / A.10 lag declarations), and by `compliance-theater` (which compares the harvest-now-decrypt-later exposure against the org's data-classification claims). Preserve the per-protocol cryptographic-inventory rows verbatim — they are the auditable derivation of the migration roadmap.
 ```
 ## PQC Readiness Assessment

package/skills/sector-telecom/skill.md CHANGED Viewed

@@ -66,7 +66,7 @@ forward_watch:
   - "Five Eyes joint advisories on telecom-equipment intrusion"
   - "3GPP TS 33.501 updates (5G security architecture rebaseline)"
   - "O-RAN SFG / WG11 security specifications"
-last_threat_review: 2026-05-15
+last_threat_review: "2026-05-15"
 discovery_mode: "standalone"  # v0.13.2: operator-reached via `exceptd brief sector-telecom` or `exceptd ask`; not chained into any playbook's direct.skill_chain by design
 ---
@@ -117,7 +117,7 @@ ATLAS AML.T0040 (Tool / Plugin Compromise) anchors the AI-RAN attack class: plug
 ## Analysis Procedure
-### Phase 1 — govern (jurisdictional clock + obligations)
+### Jurisdictional clocks + obligations
 Surface the operator's jurisdictional notification clocks immediately on detection:
@@ -134,11 +134,11 @@ Surface the operator's jurisdictional notification clocks immediately on detecti
 Wait for operator acknowledgment of the highest-priority clock before proceeding.
-### Phase 2 — direct (threat context)
+### Threat context briefing
 Brief the operator on Salt Typhoon-class TTPs + RWEP-threshold bands. For telecom CVEs with active exploitation: live-patch threshold 90, urgent-patch 70, scheduled 30.
-### Phase 3 — look (artifacts to capture)
+### Artifacts to capture
 Capture the following telecom-specific evidence (use `air_gap_alternative` paths if operator is in disconnected mode):
@@ -152,7 +152,7 @@ Capture the following telecom-specific evidence (use `air_gap_alternative` paths
 - **OEM vendor remote-support tunnel inventory** — open Cisco TAC / Ericsson ENS / Nokia OMS tunnels with last-active timestamp.
 - **NESAS deployment posture report** — most recent operator-attested deployment match against the vendor-certified build.
-### Phase 4 — detect (indicators)
+### Detection indicators
 Walk every indicator's `false_positive_checks_required` list before submitting a hit:
@@ -163,23 +163,23 @@ Walk every indicator's `false_positive_checks_required` list before submitting a
 - **Unauthorized LI gateway tunnel** — outbound connection from the LI gateway to an IP outside the LE / DOJ / regulator allowlist. FP check: rule out documented maintenance bastion.
 - **OEM firmware downgrade events** — vendor-equipment firmware version regressed below the operator-published minimum. FP check: rule out documented incident-response rollback.
-### Phase 5 — analyze (correlation)
+### Correlation
 Match captured artifacts against `data/cve-catalog.json` entries with `attack_class: telecom` or matching `attack_refs`. Cross-reference against `data/framework-control-gaps.json` for FCC-CPNI-4.1, FCC-Cyber-Incident-Notification-2024, NIS2-Annex-I-Telecom, DORA-Art-21-Telecom-ICT, UK-CAF-B5, AU-ISM-1556, GSMA-NESAS-Deployment, 3GPP-TR-33.926, ITU-T-X.805. Score blast-radius based on subscriber count + LI-feed-exposure dimension + AI-RAN slice-mismapping potential.
-### Phase 6 — validate (priority-sorted remediation)
+### Priority-sorted remediation
 Priority 1 (immediate): isolate compromised NMS account; revoke and re-issue LI-gateway operator credentials; pull running-gNB firmware hash off every base station and compare against operator-attested expected.
 Priority 2 (24h): rotate all OEM vendor remote-support credentials; close TAC tunnels not actively in use; signaling-firewall block on cross-PLMN spike sources.
 Priority 3 (72h): operator-attested NESAS recertification of every gNB / EMS / OSS; slice-isolation verification across every active 5GC slice; comprehensive review of the last 90 days of NMS admin actions.
-### Phase 7 — close (regulator notifications + evidence preservation)
+### Regulator notifications + evidence preservation
-Draft jurisdictional notification messages with regulator-specific evidence templates. Preserve LI-system audit trail for downstream law-enforcement / intelligence-community handoff. Schedule a follow-up `reattest` window at the highest applicable regulator deadline minus 48 hours.
+Draft jurisdictional notification messages with regulator-specific evidence templates. Preserve LI-system audit trail for downstream law-enforcement / intelligence-community handoff. Schedule a follow-up re-attestation window at the highest applicable regulator deadline minus 48 hours.
 ## Output Format
-The investigation evidence bundle returned by phase 5 + 6 has this shape:
+The investigation evidence bundle has this shape:
 ```json
 {
@@ -251,6 +251,6 @@ Theater patterns specific to telecom posture:
 - **incident-response-playbook** — parent IR flow; sector-telecom extends the IR contract with telecom-specific evidence and jurisdictional clocks.
 - **framework-gap-analysis** — invoke for downstream Hard-Rule-5 gap mapping against catalog framework_gaps.
-- **cred-stores** — LI-gateway operator credential storage falls under the cred-stores skill for secret-management depth.
+- **cred-stores** *(playbook chain, not a skill)* — LI-gateway operator credential storage falls under the `cred-stores` playbook for secret-management depth.
 - **sector-federal-government** — national-security adjacency on LI-system compromise touches federal investigation scope.
 - **mcp-agent-trust** — AI-RAN xApp / rApp compromise (ATLAS AML.T0040 class) crosses into MCP-class agent-tool trust boundaries.

package/skills/threat-model-currency/skill.md CHANGED Viewed

@@ -288,7 +288,7 @@ The truth set: every `AML.T*` key in `data/atlas-ttps.json` (excluding `_meta`)
 ## Exploit Availability Matrix
-A threat model is "current" only if it accounts for every `data/cve-catalog.json` entry with RWEP >= 50 — with either a deployed mitigation or a documented, accepted residual risk. As of `last_threat_review: 2026-05-14`:
+A threat model is "current" only if it accounts for every `data/cve-catalog.json` entry with RWEP >= 50 — with either a deployed mitigation or a documented, accepted residual risk. As of the frontmatter `last_threat_review`:
 | CVE | Name | CVSS | RWEP | KEV | PoC | AI factor | Live-patchable | Required threat-model treatment |
 |---|---|---|---|---|---|---|---|---|