@blamejs/exceptd-skills 0.14.19 → 0.14.21

package/sbom.cdx.json

@@ -1,22 +1,22 @@
 {
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:a14d98c4-ae19-4c3f-b7b7-4f7b8eac8934",
+  "serialNumber": "urn:uuid:f146b015-d9dd-4d2f-838c-622d665d3777",
   "version": 1,
   "metadata": {
-    "timestamp": "2111-10-04T22:59:16.000Z",
+    "timestamp": "2154-04-11T04:14:13.000Z",
     "tools": [
       {
         "vendor": "blamejs",
         "name": "scripts/refresh-sbom.js",
-        "version": "0.14.19"
+        "version": "0.14.21"
       }
     ],
     "component": {
-      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.14.19",
+      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.14.21",
       "type": "application",
       "name": "@blamejs/exceptd-skills",
-      "version": "0.14.19",
+      "version": "0.14.21",
       "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 42 skills, 11 catalogs (406 CVEs / 171 CWEs / 805 ATT&CK + ICS / 170 ATLAS / 468 D3FEND / 8888 RFCs), 35 jurisdictions, 10-class catalog gap detector + budget gate, real XML parser + canonical-form diff + content-pattern regression detection, Ed25519-signed.",
       "licenses": [
         {
@@ -25,17 +25,17 @@
           }
         }
       ],
-      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.14.19",
+      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.14.21",
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "0cb7b8199eb85326d5c176968e0719de6dcaa30e94d41b6bfcf748744619dd7e"
+          "content": "1bc1d2d5014d8a83b8f499cf898b342920cc38777e20b96d9aa0a4809c5e3446"
         }
       ],
       "externalReferences": [
         {
           "type": "distribution",
-          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.14.19"
+          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.14.21"
         },
         {
           "type": "vcs",
@@ -116,11 +116,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "16ad3e1e4f9fd21269c5b9d75b8fbfc8405087a0cb3d2ae889b52fce3f109e9f"
+          "content": "e5b92405b978dea5757ad66959b0cc39a1007261f83ffd793d318d2a187df1e0"
         },
         {
           "alg": "SHA3-512",
-          "content": "98b3a80808845374818c95b68fda38cdfb79dc40991add63d0e1456be75de8b4f2d890f1e1a52e518c7363a4cbfbf6e6779fb5dd675440252281326ac8126690"
+          "content": "8d872587150b13cefadfdccdb74b2954b129e6fe82177dad98ac3eae5e9bc02efcc75ab1b54c05b66ab24e0d1641cf7e488ef416ac35c318f6b864784907ba6d"
         }
       ]
     },
@@ -1751,11 +1751,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "633b5ddcd6927b365cab9672477db8b0ce64df963f2d44526e10d3eb7b10edd7"
+          "content": "238a94feb0967eb74eedd99084ecf49ee6a20cbf04e9f704a6a3526fdddb6363"
         },
         {
           "alg": "SHA3-512",
-          "content": "3bcccff8e1981ae4ca0ea07df52219e444326b718e14d42cfe36dc04e8148ccad8cb2a9a77a162a2b1f3381f07b693b3973fbae4ef24466afa787d22c5a33327"
+          "content": "c531fde98b619b4f5438f4aeea5e046b2fc405d6267609e2de0f7430a6a408d3d5a287efe63d78399c8d1dd46ce27079ad6e31d8f5f6cf98fefd4b5e7af85873"
         }
       ]
     },
@@ -2696,11 +2696,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "250f266908f51f99a4cb3aec0d5dacfcf91fac9f3d95e5a117429a40ed2ff45a"
+          "content": "da0b937350e538b55db8daa1f50047d9f4e889e6b89b040dcecfb71feecd63d7"
         },
         {
           "alg": "SHA3-512",
-          "content": "fd4b35d28d126b0fd5ea76c565deb723d69738e96545f86b8c3684bf7aea82d32bb2a2ebc278321fed9e8e9895ae4d1851a65c53b945fdecf49cb6964f895ad6"
+          "content": "0e8f1255c307f32515741283bbd8090add1429fbd69a0df1ddff2f246ddac1759216e1c2d8e19ec866cac4f374144525984e621002ff389a982b6e8f3111209a"
         }
       ]
     },
@@ -2726,11 +2726,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "17249909697a9c61b71f6885a1f4888ab1e727909ddb487ed82aeef535884a4f"
+          "content": "f7092b8d3efbcbf0b7af9a712a6705ad07ce4dd1abbd92762b5b395d6cbe6cca"
         },
         {
           "alg": "SHA3-512",
-          "content": "2d656f044cbfe53cb9e5b630ce50e6d848eb5e0ef3eaad3c9c4b10974ab10776a9be0e03c136e32a62cbce08f59425be15c59624f10e4322396ddf531dfafec5"
+          "content": "893b789ffc99ffd3724aa51eef2254e64c2fea4e28c1b9bb378454dd5c86280c18b92f16d1e4313ae3980cbbcb7d0b728fdead29140f487d50bd313c316c2f2e"
         }
       ]
     },
@@ -2756,11 +2756,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "57ca729034e9d33c527d869c1c4aa82fe37e496878a3cbcd9e5043cb62b7105d"
+          "content": "6d9722b7a85b8ad1150a61188b578f380e9c9685118028e134a0ba5804dae708"
         },
         {
           "alg": "SHA3-512",
-          "content": "fe0573c4c5a22f2fc24ce2b3a54a7695de6fd392cfe3b396a2e4b0eca812989cf33404c6d5cf932ef4a474fd84b900b6d40f1e728357a9df6ade95746e4444ec"
+          "content": "498af3e4d2b94c4312e65d3e266ecc6edebd411ee5da590f4038ac890d0428efc32cdf1754ed472f9fe17d0a1517fd12480a00c3204593a81dfde5c283ac5362"
         }
       ]
     },
@@ -2891,11 +2891,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "3b41b59eb4e8480b691ff17185f42b9fbfd7665e369fc210feba496688cc77aa"
+          "content": "8b77569100d10201044d63a69cbc83c9cfe6d2c3568884aa900ef0eb72ba99c3"
         },
         {
           "alg": "SHA3-512",
-          "content": "29d98c34fc97e6bd7b9331c69ae7f27cf1eec5e182d7885c54eb6be91820bde0aaca746bda5590aa12cc1962d43d5337be569bfc7a007f4286ffee6a9a4a0412"
+          "content": "280de5761907468c126ec976b8d8bce97bbb87acdf8895c4f8885630dd2c887a76abff3a2b6781d77f34bc0306801b0f7f6a59e33af85f36f155aea2b92e185d"
         }
       ]
     },
@@ -3011,11 +3011,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "59193e39c2fd73fdd7fede38a956bc730bbe4b712d7d6020788bb4d85f001ad8"
+          "content": "2f336a0b79cd28a3353ec0a72ce0469ac57305345d652247e7cb368f79ec8d4f"
         },
         {
           "alg": "SHA3-512",
-          "content": "872b65942dd189504cca186babc7543c806b2c1463070f527524e9a2c097b2f030b1806bb434436b3a4bbb4865b4f38d15115327a37ecc9aad64a6bccbd3bf50"
+          "content": "ea3a722c2a18e32d1127393561f3122d827a26b69f95df986999a957f943fb809aef26aa99fd4f1ec0f7223a7e78843c784e0cea2710482f9b6dc20fc7196884"
         }
       ]
     },
@@ -3071,11 +3071,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "4295c0efe31dcbec1a7bc96b8ce05d41414d918cbfc7fb7dffb2be7e4d873ae3"
+          "content": "637861b4dcd2cb608c08c5aa62a8ef73efc976584f901e612c73cf53b3559422"
         },
         {
           "alg": "SHA3-512",
-          "content": "48b2a5adaea65860fe55c4b263d3365bc8416052ed7bb348f9af60f6af2e377208ece65ff3de4ea56059bf712029b3ad9bd3fead5f1a5aca5292a249ab5e1cdf"
+          "content": "82a8f600bc6ebf7acfe9c80dfe691569f6f65e362e4e81f259c24d899f8cef54c55ee31e56548ddcc0a2fd3a50f31f199d5f133823221457c03e0cfc86a6a076"
         }
       ]
     },
@@ -3086,11 +3086,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "0a115fb8bf2ddd8e97d5ff49d61ffb1d221f1ce9f37f19b4ba86edbf765f632c"
+          "content": "964e90dd9ba632926414987ab7c26cac881ff1b36ff161172271ad8c94bcc49d"
         },
         {
           "alg": "SHA3-512",
-          "content": "865782360930bc6fda9c86b8c46b2d30fd65841854c1558ee9c1080fc9123c4defcc32c809f0d72407521c3f456d74c546ea37c75cfd6829e1e01bcf31d251e6"
+          "content": "92777b2822acb929b345c7000def8cbcaaaac82dd5ba4fde2ad7829351c97f3b81d5dee7f53586892fc78ec022aeaabca5d38246fa433a2f9c9a9f50f647f959"
         }
       ]
     },

package/skills/email-security-anti-phishing/skill.md

@@ -71,7 +71,7 @@ Phishing remained the #1 initial-access vector through 2025 (Verizon DBIR 2025)
 
 **Business Email Compromise losses continued growing through 2025.** FBI IC3 2024 and 2025 reports place BEC at multi-billion-USD annual loss globally, with the wire-redirection and vendor-invoice-fraud subclasses dominant. The 2026 reality is that BEC is no longer "compromised mailbox sends a wire request" — it is increasingly "spoofed-or-look-alike domain plus deepfake voice/video confirmation channel" so that out-of-band verification by phone *fails open* unless the callback number is a pre-registered known-good.
 
-**Defense ecosystem snapshot.** SPF (RFC 7208), DKIM (RFC 6376), and DMARC (RFC 7489) adoption is effectively universal among Fortune 500 sender domains, but **enforcement** (`p=reject` vs `p=none`) lags — only roughly 60% of large enterprise domains are at `p=reject` by mid-2026, with the rest stuck in monitoring mode for fear of breaking legitimate forwarders. BIMI (AuthIndicators Working Group draft, with IETF mailing-list discussion ongoing as of mid-2026) for visual brand verification is deployed at Gmail, Yahoo Mail, and Apple Mail, but requires DMARC `p=quarantine` or `p=reject` to take effect — so it doubles as enforcement-status signaling. ARC (RFC 8617) is the forwarder-authentication answer to the DMARC-vs-mailing-list problem and is maturing across major providers. MTA-STS (RFC 8461) and TLSRPT (RFC 8460) close the in-transit TLS-downgrade gap that opportunistic STARTTLS leaves open. The cloud email duopoly — Microsoft 365 Exchange Online and Google Workspace Gmail — is the canonical ephemeral inbox environment per the project's ephemeral-realities rule; on-prem Exchange remains in regulated and air-gapped enclaves and gets an explicit exception path below.
+**Defense ecosystem snapshot.** SPF (RFC 7208), DKIM (RFC 6376), and DMARC (RFC 7489) adoption is effectively universal among Fortune 500 sender domains, but **enforcement** (`p=reject` vs `p=none`) lags — only roughly 60% of large enterprise domains are at `p=reject` by mid-2026, with the rest stuck in monitoring mode for fear of breaking legitimate forwarders. BIMI (AuthIndicators Working Group draft, with IETF mailing-list discussion ongoing as of mid-2026) for visual brand verification is deployed at Gmail, Yahoo Mail, and Apple Mail, but requires DMARC `p=quarantine` or `p=reject` to take effect — so it doubles as enforcement-status signaling. ARC (RFC 8617) is the forwarder-authentication answer to the DMARC-vs-mailing-list problem and is maturing across major providers. MTA-STS (RFC 8461) and TLSRPT (RFC 8460) close the in-transit TLS-downgrade gap that opportunistic STARTTLS leaves open. The cloud email duopoly — Microsoft 365 Exchange Online and Google Workspace Gmail — is the canonical inbox environment most enterprises operate in; on-prem Exchange remains in regulated and air-gapped enclaves and gets an explicit exception path below.
 
 **Phishing-resistant authentication.** FIDO2 / WebAuthn synced passkeys are the only widely deployed authenticator class that survives AiTM proxy phishing (evilginx-class), Tycoon-2FA-style session-token relay, and push-notification fatigue attacks. TOTP, SMS, and push-MFA are all bypassable by 2026 phishing-kit ecosystems. Caffeine and Tycoon 2FA continue to evolve; observed 2025 telemetry shows passkey-relay attempts emerging against poorly configured WebAuthn relying-party verification.
 

package/skills/framework-gap-analysis/skill.md

@@ -27,6 +27,10 @@ last_threat_review: "2026-05-22"
 
 This skill analyzes the gap between what a compliance framework control was designed to address and what current attacker TTPs require. It is the meta-skill that underlies compliance-theater, global-grc, and policy-exception-gen.
 
+## Frontmatter Scope
+
+The `atlas_refs` and `attack_refs` arrays are intentionally empty. This skill is a meta-analysis: its subject is the *gap* between a control's design intent and the live TTP landscape, so its inputs are the TTP-to-control mappings already attached to every other playbook and skill rather than a fixed native TTP set. The specific techniques appear in the body where a given gap is illustrated; the authoritative TTP attachment lives on the skill or playbook that owns that detection. The `framework_gaps` reference set is the populated, authoritative declaration for this skill.
+
 ## Threat Context (mid-2026)
 
 Compliance frameworks lag the threat environment by years. Most active controls in NIST 800-53, ISO 27001:2022, SOC 2, PCI DSS 4.0, NIS2, and DORA were drafted against assumptions (human-speed exploit development, persistent inventoriable assets, human-controlled accounts) that current attacker TTPs no longer respect. Three concrete mid-2026 instances anchor the lag:

package/skills/global-grc/skill.md

@@ -31,6 +31,10 @@ last_threat_review: "2026-05-01"
 
 This skill provides multi-jurisdiction GRC analysis. It maps current security threats against frameworks from 14 jurisdictions and two global standards bodies, identifies universal control gaps that no jurisdiction's framework covers, and surfaces jurisdiction-specific notification and compliance requirements.
 
+## Frontmatter Scope
+
+The `atlas_refs` and `attack_refs` arrays are intentionally empty. This skill is a jurisdiction/framework registry and gap-correlation layer — its subject is regulatory coverage, not a native set of attacker techniques. The TTPs referenced in the body come from the domain skills whose threats each framework is measured against; that downstream skill carries the authoritative technique attachment.
+
 ---
 
 ## Framework Registry (mid-2026 currency)

package/skills/pqc-first/skill.md

@@ -514,7 +514,7 @@ Priority order:
 
 ## Output Format
 
-The skill produces a structured PQC Readiness Assessment that scores the org's post-quantum migration posture against the NIST PQC standards (ML-KEM / FIPS 203, ML-DSA / FIPS 204, SLH-DSA / FIPS 205), CNSA 2.0, and the BSI / ANSSI / NCSC migration guidance. The shape below is consumed downstream by `crypto` playbook runs (which feed the assessment into Phase 5 analyze), by `framework-gap-analysis` (for SC-8 / SC-13 / A.8.24 / A.10 lag declarations), and by `compliance-theater` (which compares the harvest-now-decrypt-later exposure against the org's data-classification claims). Preserve the per-protocol cryptographic-inventory rows verbatim — they are the auditable derivation of the migration roadmap.
+The skill produces a structured PQC Readiness Assessment that scores the org's post-quantum migration posture against the NIST PQC standards (ML-KEM / FIPS 203, ML-DSA / FIPS 204, SLH-DSA / FIPS 205), CNSA 2.0, and the BSI / ANSSI / NCSC migration guidance. The shape below is consumed downstream by `crypto` playbook runs (which feed the assessment into the analysis correlation step), by `framework-gap-analysis` (for SC-8 / SC-13 / A.8.24 / A.10 lag declarations), and by `compliance-theater` (which compares the harvest-now-decrypt-later exposure against the org's data-classification claims). Preserve the per-protocol cryptographic-inventory rows verbatim — they are the auditable derivation of the migration roadmap.
 
 ```
 ## PQC Readiness Assessment

package/skills/sector-telecom/skill.md

@@ -66,7 +66,7 @@ forward_watch:
   - "Five Eyes joint advisories on telecom-equipment intrusion"
   - "3GPP TS 33.501 updates (5G security architecture rebaseline)"
   - "O-RAN SFG / WG11 security specifications"
-last_threat_review: 2026-05-15
+last_threat_review: "2026-05-15"
 discovery_mode: "standalone"  # v0.13.2: operator-reached via `exceptd brief sector-telecom` or `exceptd ask`; not chained into any playbook's direct.skill_chain by design
 ---
 
@@ -117,7 +117,7 @@ ATLAS AML.T0040 (Tool / Plugin Compromise) anchors the AI-RAN attack class: plug
 
 ## Analysis Procedure
 
-### Phase 1 — govern (jurisdictional clock + obligations)
+### Jurisdictional clocks + obligations
 
 Surface the operator's jurisdictional notification clocks immediately on detection:
 
@@ -134,11 +134,11 @@ Surface the operator's jurisdictional notification clocks immediately on detecti
 
 Wait for operator acknowledgment of the highest-priority clock before proceeding.
 
-### Phase 2 — direct (threat context)
+### Threat context briefing
 
 Brief the operator on Salt Typhoon-class TTPs + RWEP-threshold bands. For telecom CVEs with active exploitation: live-patch threshold 90, urgent-patch 70, scheduled 30.
 
-### Phase 3 — look (artifacts to capture)
+### Artifacts to capture
 
 Capture the following telecom-specific evidence (use `air_gap_alternative` paths if operator is in disconnected mode):
 
@@ -152,7 +152,7 @@ Capture the following telecom-specific evidence (use `air_gap_alternative` paths
 - **OEM vendor remote-support tunnel inventory** — open Cisco TAC / Ericsson ENS / Nokia OMS tunnels with last-active timestamp.
 - **NESAS deployment posture report** — most recent operator-attested deployment match against the vendor-certified build.
 
-### Phase 4 — detect (indicators)
+### Detection indicators
 
 Walk every indicator's `false_positive_checks_required` list before submitting a hit:
 
@@ -163,23 +163,23 @@ Walk every indicator's `false_positive_checks_required` list before submitting a
 - **Unauthorized LI gateway tunnel** — outbound connection from the LI gateway to an IP outside the LE / DOJ / regulator allowlist. FP check: rule out documented maintenance bastion.
 - **OEM firmware downgrade events** — vendor-equipment firmware version regressed below the operator-published minimum. FP check: rule out documented incident-response rollback.
 
-### Phase 5 — analyze (correlation)
+### Correlation
 
 Match captured artifacts against `data/cve-catalog.json` entries with `attack_class: telecom` or matching `attack_refs`. Cross-reference against `data/framework-control-gaps.json` for FCC-CPNI-4.1, FCC-Cyber-Incident-Notification-2024, NIS2-Annex-I-Telecom, DORA-Art-21-Telecom-ICT, UK-CAF-B5, AU-ISM-1556, GSMA-NESAS-Deployment, 3GPP-TR-33.926, ITU-T-X.805. Score blast-radius based on subscriber count + LI-feed-exposure dimension + AI-RAN slice-mismapping potential.
 
-### Phase 6 — validate (priority-sorted remediation)
+### Priority-sorted remediation
 
 Priority 1 (immediate): isolate compromised NMS account; revoke and re-issue LI-gateway operator credentials; pull running-gNB firmware hash off every base station and compare against operator-attested expected.
 Priority 2 (24h): rotate all OEM vendor remote-support credentials; close TAC tunnels not actively in use; signaling-firewall block on cross-PLMN spike sources.
 Priority 3 (72h): operator-attested NESAS recertification of every gNB / EMS / OSS; slice-isolation verification across every active 5GC slice; comprehensive review of the last 90 days of NMS admin actions.
 
-### Phase 7 — close (regulator notifications + evidence preservation)
+### Regulator notifications + evidence preservation
 
-Draft jurisdictional notification messages with regulator-specific evidence templates. Preserve LI-system audit trail for downstream law-enforcement / intelligence-community handoff. Schedule a follow-up `reattest` window at the highest applicable regulator deadline minus 48 hours.
+Draft jurisdictional notification messages with regulator-specific evidence templates. Preserve LI-system audit trail for downstream law-enforcement / intelligence-community handoff. Schedule a follow-up re-attestation window at the highest applicable regulator deadline minus 48 hours.
 
 ## Output Format
 
-The investigation evidence bundle returned by phase 5 + 6 has this shape:
+The investigation evidence bundle has this shape:
 
 ```json
 {
@@ -251,6 +251,6 @@ Theater patterns specific to telecom posture:
 
 - **incident-response-playbook** — parent IR flow; sector-telecom extends the IR contract with telecom-specific evidence and jurisdictional clocks.
 - **framework-gap-analysis** — invoke for downstream Hard-Rule-5 gap mapping against catalog framework_gaps.
-- **cred-stores** — LI-gateway operator credential storage falls under the cred-stores skill for secret-management depth.
+- **cred-stores** *(playbook chain, not a skill)* — LI-gateway operator credential storage falls under the `cred-stores` playbook for secret-management depth.
 - **sector-federal-government** — national-security adjacency on LI-system compromise touches federal investigation scope.
 - **mcp-agent-trust** — AI-RAN xApp / rApp compromise (ATLAS AML.T0040 class) crosses into MCP-class agent-tool trust boundaries.

package/skills/threat-model-currency/skill.md

@@ -288,7 +288,7 @@ The truth set: every `AML.T*` key in `data/atlas-ttps.json` (excluding `_meta`)
 
 ## Exploit Availability Matrix
 
-A threat model is "current" only if it accounts for every `data/cve-catalog.json` entry with RWEP >= 50 — with either a deployed mitigation or a documented, accepted residual risk. As of `last_threat_review: 2026-05-14`:
+A threat model is "current" only if it accounts for every `data/cve-catalog.json` entry with RWEP >= 50 — with either a deployed mitigation or a documented, accepted residual risk. As of the frontmatter `last_threat_review`:
 
 | CVE | Name | CVSS | RWEP | KEV | PoC | AI factor | Live-patchable | Required threat-model treatment |
 |---|---|---|---|---|---|---|---|---|

package/skills/threat-modeling-methodology/skill.md

@@ -49,6 +49,10 @@ discovery_mode: "standalone"  # v0.13.2: operator-reached via `exceptd brief thr
 
 # Threat Modeling Methodology
 
+## Frontmatter Scope
+
+The `atlas_refs` and `attack_refs` arrays are intentionally empty. This skill teaches the *method* for selecting and combining threat-modeling frameworks and mapping threats to techniques — it does not own a fixed TTP set. The specific TTPs cited in the body are illustrative of the method; the authoritative technique attachment lives on the domain skill or playbook that detects each threat. Duplicating those IDs here would create a divergence surface the next time a downstream mapping changes.
+
 ## Purpose
 
 The companion skill `threat-model-currency` measures *when* a threat model is stale. This skill governs *how* a threat model is built. Currency without methodology yields opinion; methodology without currency yields a current-looking 2022 artefact. Both are required.