@blamejs/exceptd-skills 0.14.20 → 0.14.21

package/CHANGELOG.md

@@ -1,5 +1,9 @@
 # Changelog
 
+## 0.14.21 — 2026-05-27
+
+The survey/meta skills `framework-gap-analysis`, `threat-modeling-methodology`, and `global-grc` now document why their `atlas_refs` / `attack_refs` are intentionally empty (they correlate or teach across other skills' technique mappings rather than owning a native TTP set), matching the "Frontmatter Scope" note the other meta skills already carry. A reader inspecting the frontmatter alone no longer sees zero technique coverage and assumes the skill maps to nothing.
+
 ## 0.14.20 — 2026-05-27
 
 Skill content cleanup:

package/data/_indexes/_meta.json

@@ -1,10 +1,10 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-28T02:33:36.583Z",
+  "generated_at": "2026-05-28T04:10:43.581Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 54,
   "source_hashes": {
-    "manifest.json": "dc4cdb2fa56243e42a1989558997a236e564176fa6c8e5dcae9de9d2dad8399b",
+    "manifest.json": "238a94feb0967eb74eedd99084ecf49ee6a20cbf04e9f704a6a3526fdddb6363",
     "data/atlas-ttps.json": "d24bc02859d40ccf1615db75cca68c077585904e41e0d8f6de448121e9b1abb0",
     "data/attack-techniques.json": "fa193f0d2d248176a8beddb641e9fe56ba4faa9e15dc253ff876dbf0c5d58a77",
     "data/cve-catalog.json": "03d8071c7ae244ccda7611c3bc66a5581c21e790d158c2948c3001f55aa5aac9",
@@ -19,14 +19,14 @@
     "skills/kernel-lpe-triage/skill.md": "08b3e9815ba481c57c80f5fc0ccbf5bb7cbb41f570c235ba6ff9596b8c07354d",
     "skills/ai-attack-surface/skill.md": "c4c1eb22a38ca7a959b5725222bab8fbd4f4044a548a93f3e288e6f698334b72",
     "skills/mcp-agent-trust/skill.md": "89ac89084391d2341b6513fefb1be2d36b93de1c130f057696219c1c59440f13",
-    "skills/framework-gap-analysis/skill.md": "17249909697a9c61b71f6885a1f4888ab1e727909ddb487ed82aeef535884a4f",
+    "skills/framework-gap-analysis/skill.md": "f7092b8d3efbcbf0b7af9a712a6705ad07ce4dd1abbd92762b5b395d6cbe6cca",
     "skills/compliance-theater/skill.md": "d656444bb1987f43ae61374f210977d0c1f247f54d7318fdd639dd0cfdbef392",
     "skills/exploit-scoring/skill.md": "f55e9aa4985ebad8a2a12092c937deb6939a639dc1e16e2214ecfa1c9b9402c4",
     "skills/rag-pipeline-security/skill.md": "792c6f48a7ff06785c24258cac1714068feafefb3f8f05e6c62ddce2f2f9128d",
     "skills/ai-c2-detection/skill.md": "de83dc284dc4f85a8a383c0b715ec7b9ea127ec49c3227bf4c72344bad4008ed",
     "skills/policy-exception-gen/skill.md": "238074319b57399c75d76439ef1ff67153b5a3207adf1556f3ca1e68cfe7cfaa",
     "skills/threat-model-currency/skill.md": "637861b4dcd2cb608c08c5aa62a8ef73efc976584f901e612c73cf53b3559422",
-    "skills/global-grc/skill.md": "57ca729034e9d33c527d869c1c4aa82fe37e496878a3cbcd9e5043cb62b7105d",
+    "skills/global-grc/skill.md": "6d9722b7a85b8ad1150a61188b578f380e9c9685118028e134a0ba5804dae708",
     "skills/zeroday-gap-learn/skill.md": "d8872a4f5e5e927ae087e8319996ec3b9e010aa23fca32248c0909051032db48",
     "skills/pqc-first/skill.md": "8b77569100d10201044d63a69cbc83c9cfe6d2c3568884aa900ef0eb72ba99c3",
     "skills/skill-update-loop/skill.md": "f7cd18df293b90c0d2afb6ba8b87664419becea6b63221f03efaf09c69586025",
@@ -40,7 +40,7 @@
     "skills/identity-assurance/skill.md": "f3c29ce17aaa426b65b58238e5bc9ccabcda23a8d350e597840e5d6d664aa102",
     "skills/ot-ics-security/skill.md": "0acb7c105c87c523720bc19fdb4b6922cbf4f63054396e38b498528cfde02d76",
     "skills/coordinated-vuln-disclosure/skill.md": "dc7a29a0d503d7e3a55ba9afd963630329397577ca4e6be124c0263c315acca3",
-    "skills/threat-modeling-methodology/skill.md": "0a115fb8bf2ddd8e97d5ff49d61ffb1d221f1ce9f37f19b4ba86edbf765f632c",
+    "skills/threat-modeling-methodology/skill.md": "964e90dd9ba632926414987ab7c26cac881ff1b36ff161172271ad8c94bcc49d",
     "skills/webapp-security/skill.md": "6d29b944d841b8d21d19edce6b98be20dc2c2b1360ccb946cb2be5a58a0b3e7b",
     "skills/ai-risk-management/skill.md": "686f53c2aee3a44108d1fa3e5f52fc7d971edc00946cfc1f082e4658af25fddc",
     "skills/sector-healthcare/skill.md": "c27672afe6abc2b293e213d8482e5e0d1e16a9ed4986d2637d1d586a14598238",
@@ -78,7 +78,7 @@
     "handoff_dag_nodes": 42,
     "summary_cards": 42,
     "section_offsets_skills": 42,
-    "token_budget_total_approx": 418226,
+    "token_budget_total_approx": 418611,
     "recipes": 8,
     "jurisdiction_clocks": 29,
     "did_ladders": 8,

package/data/_indexes/section-offsets.json

@@ -301,8 +301,8 @@
     },
     "framework-gap-analysis": {
       "path": "skills/framework-gap-analysis/skill.md",
-      "total_bytes": 32006,
-      "total_lines": 406,
+      "total_bytes": 32609,
+      "total_lines": 410,
       "frontmatter": {
         "line_start": 1,
         "line_end": 24,
@@ -311,92 +311,101 @@
       },
       "sections": [
         {
-          "name": "Threat Context (mid-2026)",
-          "normalized_name": "threat-context",
+          "name": "Frontmatter Scope",
+          "normalized_name": "frontmatter-scope",
           "line": 30,
           "byte_start": 815,
-          "byte_end": 2631,
+          "byte_end": 1418,
+          "bytes": 603,
+          "h3_count": 0
+        },
+        {
+          "name": "Threat Context (mid-2026)",
+          "normalized_name": "threat-context",
+          "line": 34,
+          "byte_start": 1418,
+          "byte_end": 3234,
           "bytes": 1816,
           "h3_count": 0
         },
         {
           "name": "Framework Lag Declaration",
           "normalized_name": "framework-lag-declaration",
-          "line": 40,
-          "byte_start": 2631,
-          "byte_end": 5906,
+          "line": 44,
+          "byte_start": 3234,
+          "byte_end": 6509,
           "bytes": 3275,
           "h3_count": 1
         },
         {
           "name": "TTP Mapping (MITRE ATLAS v5.6.0 and ATT&CK)",
           "normalized_name": "ttp-mapping",
-          "line": 70,
-          "byte_start": 5906,
-          "byte_end": 7990,
+          "line": 74,
+          "byte_start": 6509,
+          "byte_end": 8593,
           "bytes": 2084,
           "h3_count": 0
         },
         {
           "name": "Exploit Availability Matrix",
           "normalized_name": "exploit-availability-matrix",
-          "line": 89,
-          "byte_start": 7990,
-          "byte_end": 9526,
+          "line": 93,
+          "byte_start": 8593,
+          "byte_end": 10129,
           "bytes": 1536,
           "h3_count": 0
         },
         {
           "name": "Built-In Gap Catalog",
           "normalized_name": "built-in-gap-catalog",
-          "line": 103,
-          "byte_start": 9526,
-          "byte_end": 20205,
+          "line": 107,
+          "byte_start": 10129,
+          "byte_end": 20808,
           "bytes": 10679,
           "h3_count": 9
         },
         {
           "name": "Analysis Procedure",
           "normalized_name": "analysis-procedure",
-          "line": 235,
-          "byte_start": 20205,
-          "byte_end": 21923,
+          "line": 239,
+          "byte_start": 20808,
+          "byte_end": 22526,
           "bytes": 1718,
           "h3_count": 9
         },
         {
           "name": "Universal Gaps (No Framework Covers These Adequately)",
           "normalized_name": "universal-gaps-no-framework-covers-these-adequately",
-          "line": 293,
-          "byte_start": 21923,
-          "byte_end": 23018,
+          "line": 297,
+          "byte_start": 22526,
+          "byte_end": 23621,
           "bytes": 1095,
           "h3_count": 0
         },
         {
           "name": "Output Format",
           "normalized_name": "output-format",
-          "line": 313,
-          "byte_start": 23018,
-          "byte_end": 24952,
+          "line": 317,
+          "byte_start": 23621,
+          "byte_end": 25555,
           "bytes": 1934,
           "h3_count": 6
         },
         {
           "name": "Compliance Theater Check",
           "normalized_name": "compliance-theater-check",
-          "line": 356,
-          "byte_start": 24952,
-          "byte_end": 27419,
+          "line": 360,
+          "byte_start": 25555,
+          "byte_end": 28022,
           "bytes": 2467,
           "h3_count": 0
         },
         {
           "name": "Defensive Countermeasure Mapping",
           "normalized_name": "defensive-countermeasure-mapping",
-          "line": 382,
-          "byte_start": 27419,
-          "byte_end": 32006,
+          "line": 386,
+          "byte_start": 28022,
+          "byte_end": 32609,
           "bytes": 4587,
           "h3_count": 0
         }
@@ -1112,8 +1121,8 @@
     },
     "global-grc": {
       "path": "skills/global-grc/skill.md",
-      "total_bytes": 40604,
-      "total_lines": 569,
+      "total_bytes": 41029,
+      "total_lines": 573,
       "frontmatter": {
         "line_start": 1,
         "line_end": 28,
@@ -1121,93 +1130,102 @@
         "byte_end": 621
       },
       "sections": [
+        {
+          "name": "Frontmatter Scope",
+          "normalized_name": "frontmatter-scope",
+          "line": 34,
+          "byte_start": 960,
+          "byte_end": 1390,
+          "bytes": 430,
+          "h3_count": 0
+        },
         {
           "name": "Framework Registry (mid-2026 currency)",
           "normalized_name": "framework-registry-mid-2026-currency",
-          "line": 36,
-          "byte_start": 965,
-          "byte_end": 18713,
+          "line": 40,
+          "byte_start": 1390,
+          "byte_end": 19138,
           "bytes": 17748,
           "h3_count": 8
         },
         {
           "name": "Universal Gaps (No Jurisdiction Covers These)",
           "normalized_name": "universal-gaps-no-jurisdiction-covers-these",
-          "line": 348,
-          "byte_start": 18713,
-          "byte_end": 19817,
+          "line": 352,
+          "byte_start": 19138,
+          "byte_end": 20242,
           "bytes": 1104,
           "h3_count": 0
         },
         {
           "name": "Notification Timeline Summary",
           "normalized_name": "notification-timeline-summary",
-          "line": 366,
-          "byte_start": 19817,
-          "byte_end": 20741,
+          "line": 370,
+          "byte_start": 20242,
+          "byte_end": 21166,
           "bytes": 924,
           "h3_count": 0
         },
         {
           "name": "Threat Context",
           "normalized_name": "threat-context",
-          "line": 386,
-          "byte_start": 20741,
-          "byte_end": 23303,
+          "line": 390,
+          "byte_start": 21166,
+          "byte_end": 23728,
           "bytes": 2562,
           "h3_count": 0
         },
         {
           "name": "Framework Lag Declaration",
           "normalized_name": "framework-lag-declaration",
-          "line": 402,
-          "byte_start": 23303,
-          "byte_end": 31063,
+          "line": 406,
+          "byte_start": 23728,
+          "byte_end": 31488,
           "bytes": 7760,
           "h3_count": 0
         },
         {
           "name": "TTP Mapping",
           "normalized_name": "ttp-mapping",
-          "line": 445,
-          "byte_start": 31063,
-          "byte_end": 33199,
+          "line": 449,
+          "byte_start": 31488,
+          "byte_end": 33624,
           "bytes": 2136,
           "h3_count": 0
         },
         {
           "name": "Exploit Availability Matrix",
           "normalized_name": "exploit-availability-matrix",
-          "line": 468,
-          "byte_start": 33199,
-          "byte_end": 36098,
+          "line": 472,
+          "byte_start": 33624,
+          "byte_end": 36523,
           "bytes": 2899,
           "h3_count": 0
         },
         {
           "name": "Compliance Theater Check",
           "normalized_name": "compliance-theater-check",
-          "line": 496,
-          "byte_start": 36098,
-          "byte_end": 38061,
+          "line": 500,
+          "byte_start": 36523,
+          "byte_end": 38486,
           "bytes": 1963,
           "h3_count": 0
         },
         {
           "name": "Analysis Procedure",
           "normalized_name": "analysis-procedure",
-          "line": 510,
-          "byte_start": 38061,
-          "byte_end": 39097,
+          "line": 514,
+          "byte_start": 38486,
+          "byte_end": 39522,
           "bytes": 1036,
           "h3_count": 4
         },
         {
           "name": "Output Format",
           "normalized_name": "output-format",
-          "line": 539,
-          "byte_start": 39097,
-          "byte_end": 40604,
+          "line": 543,
+          "byte_start": 39522,
+          "byte_end": 41029,
           "bytes": 1507,
           "h3_count": 6
         }
@@ -2554,8 +2572,8 @@
     },
     "threat-modeling-methodology": {
       "path": "skills/threat-modeling-methodology/skill.md",
-      "total_bytes": 31561,
-      "total_lines": 320,
+      "total_bytes": 32085,
+      "total_lines": 324,
       "frontmatter": {
         "line_start": 1,
         "line_end": 48,
@@ -2564,92 +2582,101 @@
       },
       "sections": [
         {
-          "name": "Purpose",
-          "normalized_name": "purpose",
+          "name": "Frontmatter Scope",
+          "normalized_name": "frontmatter-scope",
           "line": 52,
           "byte_start": 1575,
-          "byte_end": 2259,
+          "byte_end": 2099,
+          "bytes": 524,
+          "h3_count": 0
+        },
+        {
+          "name": "Purpose",
+          "normalized_name": "purpose",
+          "line": 56,
+          "byte_start": 2099,
+          "byte_end": 2783,
           "bytes": 684,
           "h3_count": 0
         },
         {
           "name": "Threat Context",
           "normalized_name": "threat-context",
-          "line": 60,
-          "byte_start": 2259,
-          "byte_end": 6664,
+          "line": 64,
+          "byte_start": 2783,
+          "byte_end": 7188,
           "bytes": 4405,
           "h3_count": 0
         },
         {
           "name": "Framework Lag Declaration",
           "normalized_name": "framework-lag-declaration",
-          "line": 86,
-          "byte_start": 6664,
-          "byte_end": 11235,
+          "line": 90,
+          "byte_start": 7188,
+          "byte_end": 11759,
           "bytes": 4571,
           "h3_count": 0
         },
         {
           "name": "TTP Mapping",
           "normalized_name": "ttp-mapping",
-          "line": 116,
-          "byte_start": 11235,
-          "byte_end": 15137,
+          "line": 120,
+          "byte_start": 11759,
+          "byte_end": 15661,
           "bytes": 3902,
           "h3_count": 0
         },
         {
           "name": "Exploit Availability Matrix",
           "normalized_name": "exploit-availability-matrix",
-          "line": 138,
-          "byte_start": 15137,
-          "byte_end": 17460,
+          "line": 142,
+          "byte_start": 15661,
+          "byte_end": 17984,
           "bytes": 2323,
           "h3_count": 0
         },
         {
           "name": "Analysis Procedure",
           "normalized_name": "analysis-procedure",
-          "line": 160,
-          "byte_start": 17460,
-          "byte_end": 24067,
+          "line": 164,
+          "byte_start": 17984,
+          "byte_end": 24591,
           "bytes": 6607,
           "h3_count": 10
         },
         {
           "name": "Output Format",
           "normalized_name": "output-format",
-          "line": 235,
-          "byte_start": 24067,
-          "byte_end": 26375,
+          "line": 239,
+          "byte_start": 24591,
+          "byte_end": 26899,
           "bytes": 2308,
           "h3_count": 9
         },
         {
           "name": "Compliance Theater Check",
           "normalized_name": "compliance-theater-check",
-          "line": 279,
-          "byte_start": 26375,
-          "byte_end": 28299,
+          "line": 283,
+          "byte_start": 26899,
+          "byte_end": 28823,
           "bytes": 1924,
           "h3_count": 0
         },
         {
           "name": "Defensive Countermeasure Mapping",
           "normalized_name": "defensive-countermeasure-mapping",
-          "line": 297,
-          "byte_start": 28299,
-          "byte_end": 30003,
+          "line": 301,
+          "byte_start": 28823,
+          "byte_end": 30527,
           "bytes": 1704,
           "h3_count": 0
         },
         {
           "name": "Hand-Off / Related Skills",
           "normalized_name": "hand-off",
-          "line": 310,
-          "byte_start": 30003,
-          "byte_end": 31561,
+          "line": 314,
+          "byte_start": 30527,
+          "byte_end": 32085,
           "bytes": 1558,
           "h3_count": 0
         }

package/data/_indexes/token-budget.json

@@ -3,8 +3,8 @@
     "schema_version": "1.0.0",
     "tokenizer_note": "Character-density approximation: 1 token ≈ 4 chars. This is the canonical rule-of-thumb for OpenAI tokenizers on English+technical text. Claude's tokenizer is typically more efficient on prose; treat this as an upper-bound budget for both. Consumers with stricter precision needs should re-tokenize with their own tokenizer.",
     "approx_chars_per_token": 4,
-    "total_chars": 1672872,
-    "total_approx_tokens": 418226,
+    "total_chars": 1674420,
+    "total_approx_tokens": 418611,
     "skill_count": 42
   },
   "skills": {
@@ -175,12 +175,17 @@
     },
     "framework-gap-analysis": {
       "path": "skills/framework-gap-analysis/skill.md",
-      "bytes": 32006,
-      "chars": 31898,
-      "lines": 406,
-      "approx_tokens": 7975,
+      "bytes": 32609,
+      "chars": 32501,
+      "lines": 410,
+      "approx_tokens": 8125,
       "approx_chars_per_token": 4,
       "sections": {
+        "frontmatter-scope": {
+          "bytes": 603,
+          "chars": 603,
+          "approx_tokens": 151
+        },
         "threat-context": {
           "bytes": 1816,
           "chars": 1804,
@@ -645,12 +650,17 @@
     },
     "global-grc": {
       "path": "skills/global-grc/skill.md",
-      "bytes": 40604,
-      "chars": 40406,
-      "lines": 569,
-      "approx_tokens": 10102,
+      "bytes": 41029,
+      "chars": 40829,
+      "lines": 573,
+      "approx_tokens": 10207,
       "approx_chars_per_token": 4,
       "sections": {
+        "frontmatter-scope": {
+          "bytes": 430,
+          "chars": 428,
+          "approx_tokens": 107
+        },
         "framework-registry-mid-2026-currency": {
           "bytes": 17748,
           "chars": 17650,
@@ -1485,12 +1495,17 @@
     },
     "threat-modeling-methodology": {
       "path": "skills/threat-modeling-methodology/skill.md",
-      "bytes": 31561,
-      "chars": 31382,
-      "lines": 320,
-      "approx_tokens": 7846,
+      "bytes": 32085,
+      "chars": 31904,
+      "lines": 324,
+      "approx_tokens": 7976,
       "approx_chars_per_token": 4,
       "sections": {
+        "frontmatter-scope": {
+          "bytes": 524,
+          "chars": 522,
+          "approx_tokens": 131
+        },
         "purpose": {
           "bytes": 684,
           "chars": 684,

package/manifest.json

@@ -1,6 +1,6 @@
 {
   "name": "exceptd-security",
-  "version": "0.14.20",
+  "version": "0.14.21",
   "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation",
   "homepage": "https://exceptd.com",
   "license": "Apache-2.0",
@@ -53,7 +53,7 @@
       ],
       "last_threat_review": "2026-05-15",
       "signature": "lXhZgoIrrVloO3XaTvo/43AxZn4mwErstd7DR0O/oVhD3AOGODM4HqrageYEou9WKOdMEGP5mJNTjJsXdP5NDA==",
-      "signed_at": "2026-05-28T02:32:11.254Z",
+      "signed_at": "2026-05-28T04:09:16.149Z",
       "cwe_refs": [
         "CWE-125",
         "CWE-362",
@@ -123,7 +123,7 @@
       ],
       "last_threat_review": "2026-05-17",
       "signature": "ztSKk/zFMFbT12qRcEeBKpydBn7fTT86KxMmor0DTCoKQWk5fJ0fSInfP1XMSB6rFk4/SuSjKVxQRMKVJ5a+Cg==",
-      "signed_at": "2026-05-28T02:32:11.256Z",
+      "signed_at": "2026-05-28T04:09:16.151Z",
       "cwe_refs": [
         "CWE-1039",
         "CWE-1426",
@@ -196,7 +196,7 @@
       ],
       "last_threat_review": "2026-05-17",
       "signature": "K6QdPHNK5c4K5QFjrW0QsUhjp71D7SOisSoulwPNSvKRdi2rY+yg0kdckijBMkLMsVPyUvcC9giu93mKJ1OZDg==",
-      "signed_at": "2026-05-28T02:32:11.256Z",
+      "signed_at": "2026-05-28T04:09:16.151Z",
       "cwe_refs": [
         "CWE-22",
         "CWE-345",
@@ -247,8 +247,8 @@
       "attack_refs": [],
       "framework_gaps": [],
       "last_threat_review": "2026-05-22",
-      "signature": "Qd3SBWmUAaaT++e1Ry2wBIz/dCBmNBMl0+4Rb0etvJLES0fIBEAkU1mTbgNZnT5XOg9J5twdUpymWtmKnDDQCQ==",
-      "signed_at": "2026-05-28T02:32:11.257Z"
+      "signature": "zbr8CbOe2rIPuxj2bCl8mVc3YgLsRHnx3/UU7MmyMLNg4c13q6LEBglC1A7cjhfblfHsX/1rxNLaukDzc65lAw==",
+      "signed_at": "2026-05-28T04:09:16.152Z"
     },
     {
       "name": "compliance-theater",
@@ -279,7 +279,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "F2Shxae0ua0gPtvwzTRVzzHaIgJcFDRT3/akLUAZ4aaMQhkleKkcTaTpkjp+pTVEdPfLeLGNCeAOMs+whVYOBg==",
-      "signed_at": "2026-05-28T02:32:11.257Z"
+      "signed_at": "2026-05-28T04:09:16.152Z"
     },
     {
       "name": "exploit-scoring",
@@ -308,7 +308,7 @@
       ],
       "last_threat_review": "2026-05-18",
       "signature": "NA1hoQycvQhSUoG5rwlXX0mOVmGxoXRVezkELGEA2nZOdGis4gXkHT3O6Sfw7zxE4JuMrsCb65TEeOWk9WEPDg==",
-      "signed_at": "2026-05-28T02:32:11.258Z"
+      "signed_at": "2026-05-28T04:09:16.153Z"
     },
     {
       "name": "rag-pipeline-security",
@@ -345,7 +345,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "W3pS8lnaCP96TQzsJpG5d5yv5IwgaQyS4Z2Ctcz5BOJf6LbajSIgeDgTZ4f4Bhr5m4E7KsgWGjZS4x7Fwd33BQ==",
-      "signed_at": "2026-05-28T02:32:11.258Z",
+      "signed_at": "2026-05-28T04:09:16.153Z",
       "cwe_refs": [
         "CWE-1395",
         "CWE-1426"
@@ -405,7 +405,7 @@
       ],
       "last_threat_review": "2026-05-17",
       "signature": "/WDGygh1Ck4yWlBWDGtEUVCqKB8d+UaJXoAoBXujtt+GAl8JbMNpaN1TvI0WkEltQ9dTxaAzSn20/eVDqv8iDQ==",
-      "signed_at": "2026-05-28T02:32:11.258Z",
+      "signed_at": "2026-05-28T04:09:16.154Z",
       "d3fend_refs": [
         "D3-CA",
         "D3-CSPP",
@@ -440,7 +440,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-22",
       "signature": "za1NKBpy9LC91F/ESO/qhUfmvVr8GNItQOjR5OJLeHm+2dQ9HHiFWQK2eo53V/n/0uhubuggURA3yS6kJuWwBg==",
-      "signed_at": "2026-05-28T02:32:11.259Z",
+      "signed_at": "2026-05-28T04:09:16.154Z",
       "cwe_refs": [
         "CWE-1188"
       ],
@@ -474,7 +474,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-18",
       "signature": "1853tUUOO35GCXP4vn4qYdBDCdGJu2/WXCNOShhEt69G6BUoq9C3gYGjKWwEPxRKjwjyMtb2nmsL2BZFHRIADw==",
-      "signed_at": "2026-05-28T02:32:11.259Z",
+      "signed_at": "2026-05-28T04:09:16.154Z",
       "forward_watch": [
         "New AI attack classes as ATLAS v6 publishes",
         "Post-quantum adversary capability timeline",
@@ -512,8 +512,8 @@
       "attack_refs": [],
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
-      "signature": "oYsSk35N2Uzq7MRofACykylcVwkgPhI4luWZ14vmQT+gUKLyZiKVOUJbe1+7lGl6BYPRN0sUDQ0f7S5Eu5w2Ag==",
-      "signed_at": "2026-05-28T02:32:11.259Z"
+      "signature": "ZoFh0msOLToS9Xntp9e6zAcg8mE5TOsm7Tq9EYybKL7midjQ5z+aue1Uhp4+xjMRRqVtj8F2W0PvIBTYkYlyAg==",
+      "signed_at": "2026-05-28T04:09:16.155Z"
     },
     {
       "name": "zeroday-gap-learn",
@@ -540,7 +540,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-18",
       "signature": "igRqYyU1unRFH40BsPyAR62SPrk8QZv8dPGb8S9O9EvLCNOZAzm3t+HdT/NKqzWHwrpomOzkkkyLfYI/0qTUDA==",
-      "signed_at": "2026-05-28T02:32:11.260Z",
+      "signed_at": "2026-05-28T04:09:16.155Z",
       "forward_watch": [
         "New CISA KEV entries",
         "New ATLAS TTP additions in each ATLAS release",
@@ -604,7 +604,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "XJFnPtu9tG23qlHGUJulQ0/Vu/p41qFrQng0fE3+GpCPD35+oipdlDXvf9zFo6A6i4OVj601qNuXKh9/kfcHDw==",
-      "signed_at": "2026-05-28T02:32:11.260Z",
+      "signed_at": "2026-05-28T04:09:16.155Z",
       "cwe_refs": [
         "CWE-327"
       ],
@@ -652,7 +652,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "QuOVaQ4E2Sl39TClbhZ7HA9XrYAyRrDL44HY3RTE7aWLue0hV2cxaBt40ALGmHS++631QGFDlZTLZI77Tr6nAA==",
-      "signed_at": "2026-05-28T02:32:11.260Z"
+      "signed_at": "2026-05-28T04:09:16.156Z"
     },
     {
       "name": "security-maturity-tiers",
@@ -689,7 +689,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "8Px1s2lDj10/Q6erwEQlXgUHM1+OTruUR8qAHPX7Oo3k/l69N6P9sm0PsafS9wDFtj9l5C/OiLiFgzMlMt6vBw==",
-      "signed_at": "2026-05-28T02:32:11.261Z",
+      "signed_at": "2026-05-28T04:09:16.156Z",
       "cwe_refs": [
         "CWE-1188"
       ]
@@ -724,7 +724,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-11",
       "signature": "urRcataVWg6/utyEkSiOWoNxTL8sABRjPR7ShyDfZGnAozFph/yDktSoaPVxQDXwu9EfJE+qhUW5OYR/yJECBQ==",
-      "signed_at": "2026-05-28T02:32:11.261Z"
+      "signed_at": "2026-05-28T04:09:16.156Z"
     },
     {
       "name": "attack-surface-pentest",
@@ -796,7 +796,7 @@
         "Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — Microsoft Edge 4-bug sandbox escape by Orange Tsai (DEVCORE); forward-watch only (browser sandbox, out of current playbook scope); track Microsoft Edge security advisory and KEV add"
       ],
       "signature": "C7lv65/Ecm8JJgSKxrX5lxx0YFzKWtrIQSKp+vy50I5e8945s1JmifGUUrnQwRQhq/Pkv7EmfiH5XSO8h75bDg==",
-      "signed_at": "2026-05-28T02:32:11.261Z"
+      "signed_at": "2026-05-28T04:09:16.157Z"
     },
     {
       "name": "fuzz-testing-strategy",
@@ -856,7 +856,7 @@
         "OSS-Fuzz-Gen / AI-assisted harness generation becoming the default expectation for OSS maintainers"
       ],
       "signature": "Z7ypCUnXx8JpLtgxxB6RHNi39w74AmrGY1N4ofAGCXhkuM2EaFVm1AU0dvl9UQ1bVLfHKEDGqMO/TwlIY7RABg==",
-      "signed_at": "2026-05-28T02:32:11.261Z"
+      "signed_at": "2026-05-28T04:09:16.157Z"
     },
     {
       "name": "dlp-gap-analysis",
@@ -931,7 +931,7 @@
         "Quebec Law 25, India DPDPA, KSA PDPL enforcement actions naming AI-tool prompt data as in-scope personal information"
       ],
       "signature": "IgEnpHOhCftAyfUNdKsjbrd169T9pJkk/rRM2ZEna+H18y7p5x48+1kME2sJMZjJuyAdQFBJi8PJXZFwLGI+DQ==",
-      "signed_at": "2026-05-28T02:32:11.262Z"
+      "signed_at": "2026-05-28T04:09:16.157Z"
     },
     {
       "name": "supply-chain-integrity",
@@ -1010,7 +1010,7 @@
         "Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — NVIDIA Megatron Bridge path traversal by haehae; AI training-stack file-system trust boundary; track patch and SBOM-attestation impact"
       ],
       "signature": "pcLrM98A3vUSZRjwNAk0aZ9umvOwB41XCLLsCOy/IebB2F/06oIrGUKkMHtHwm4pTVPShMMcKdZQQ3jz30FnCg==",
-      "signed_at": "2026-05-28T02:32:11.262Z"
+      "signed_at": "2026-05-28T04:09:16.157Z"
     },
     {
       "name": "defensive-countermeasure-mapping",
@@ -1067,7 +1067,7 @@
       ],
       "last_threat_review": "2026-05-11",
       "signature": "G5q5elh7Q7eu2xcwTVQJGDTGfvZR0OGQaLSLJPb2wjzCHFF8PWuZfCHZdjjqisiRzRWPyLlzgfHeMJqOdy7cBw==",
-      "signed_at": "2026-05-28T02:32:11.262Z"
+      "signed_at": "2026-05-28T04:09:16.158Z"
     },
     {
       "name": "identity-assurance",
@@ -1134,7 +1134,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "Wv5hGMeHjlaQK1zwicVCA7AvdKgJBgvcjdpGM9Ywahh9tagAKhbkOjybowDQZzu7OZ3bDkbh6pBYc1Sdwr6NAA==",
-      "signed_at": "2026-05-28T02:32:11.263Z"
+      "signed_at": "2026-05-28T04:09:16.158Z"
     },
     {
       "name": "ot-ics-security",
@@ -1190,7 +1190,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "8t5qKHd3yWi57dvG36YQkLN/X9bQWqtEiYjay4IfSmqhJpM/xXPaQVKNGz3wscrO8OLKUZ0OaX7Mj5kzpgBKBQ==",
-      "signed_at": "2026-05-28T02:32:11.263Z"
+      "signed_at": "2026-05-28T04:09:16.158Z"
     },
     {
       "name": "coordinated-vuln-disclosure",
@@ -1242,7 +1242,7 @@
         "NYDFS 23 NYCRR 500 amendments potentially adding explicit CVD program requirements"
       ],
       "signature": "GDGt4UPqBa04PjlpSmpyihGzd3OgfBN7jaAK5tfwp+LRSs3ygKOdbeivUCCHNagTY1hE6hG2Ou40ADfBFuXeAg==",
-      "signed_at": "2026-05-28T02:32:11.263Z"
+      "signed_at": "2026-05-28T04:09:16.159Z"
     },
     {
       "name": "threat-modeling-methodology",
@@ -1291,8 +1291,8 @@
         "LINDDUN-GO and LINDDUN-PRO updates incorporating LLM privacy threats",
         "PASTA v2 updates incorporating AI/ML application threats"
       ],
-      "signature": "rFBpOQEJUPpl+v88Lw/WqVJRhTl80vy0VbPAbzQj3Q0suJRRrJg368I9uKu5LXIBKFDvKxnGIcIzbGg9NUtaCA==",
-      "signed_at": "2026-05-28T02:32:11.264Z"
+      "signature": "t6IgW+ciQMuY5uvLD0HDDB/U1TjZmgAy76bvH0526QcqPMCz27CWX3cdyJ6nxpg3rYrx93xAawu0opw/ZZckCw==",
+      "signed_at": "2026-05-28T04:09:16.159Z"
     },
     {
       "name": "webapp-security",
@@ -1366,7 +1366,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "ux85YI4t2mVHOyt744Yin1HHy+z11JIFygjKfFfQOBBl5QVV3A267jeIy7utix85irMcpZm/T3yx/ooqiK2tBA==",
-      "signed_at": "2026-05-28T02:32:11.264Z",
+      "signed_at": "2026-05-28T04:09:16.159Z",
       "forward_watch": [
         "NGINX Rift CVE-2026-42945 (disclosed 2026-05-13, source depthfirst) — KEV-watch predicted CISA KEV listing by 2026-05-29; AI-assisted discovery angle; track for active-exploitation confirmation and patch advisory affecting front-door web app deployments"
       ]
@@ -1419,7 +1419,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-15",
       "signature": "IIXnkZ5ZNqFwOto5KfytADTLLZLoyXNZACD1ORZ40P1HUAQxe6u2uyXFzzsfuob4Uy06jNkRGr2FFgCphUH1Cw==",
-      "signed_at": "2026-05-28T02:32:11.265Z"
+      "signed_at": "2026-05-28T04:09:16.160Z"
     },
     {
       "name": "sector-healthcare",
@@ -1479,7 +1479,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "AhF9KF8ZBlDteciV+F8IBSmFVYCvQOn44GmD4rZjgLoPxfIv/QE1/vSkK32zyqDKtHWkLSXExbkkPkxA/V6dDw==",
-      "signed_at": "2026-05-28T02:32:11.265Z"
+      "signed_at": "2026-05-28T04:09:16.160Z"
     },
     {
       "name": "sector-financial",
@@ -1560,7 +1560,7 @@
         "TIBER-EU framework v2.0 alignment with DORA TLPT RTS (JC 2024/40); cross-recognition with CBEST and iCAST"
       ],
       "signature": "HQgZvb4ReziEz5rNFr8i/O8/rJEZR+iHRROT7m/D2QUqhrcNISPkYXENsUZlG8xapzy/Ik92ehkseyj4hdmhCQ==",
-      "signed_at": "2026-05-28T02:32:11.266Z"
+      "signed_at": "2026-05-28T04:09:16.161Z"
     },
     {
       "name": "sector-federal-government",
@@ -1629,7 +1629,7 @@
         "Australia PSPF 2024 revision and ISM quarterly updates — track for Essential Eight Maturity Level requirements for federal entities"
       ],
       "signature": "linxmsXZiOYtcs71sSWgGCrvb8xQfmxmtTY5PRvZJ0/8FgJulo0tQtejzexYG775s7XhjAmGsDP238BQTQ8ADA==",
-      "signed_at": "2026-05-28T02:32:11.266Z"
+      "signed_at": "2026-05-28T04:09:16.161Z"
     },
     {
       "name": "sector-energy",
@@ -1694,7 +1694,7 @@
         "ICS-CERT advisory feed (https://www.cisa.gov/news-events/cybersecurity-advisories/ics-advisories) for vendor CVEs in Siemens, Rockwell, Schneider Electric, ABB, GE Vernova, Hitachi Energy, AVEVA / OSIsoft PI"
       ],
       "signature": "JjBfc0ovta560Clk0x3QGRM5osFJDwcvpy3rT7QEGdCIL827jzE8QCow1C8deXq+4JhY2sA/d7/8IsxikdlkCg==",
-      "signed_at": "2026-05-28T02:32:11.266Z"
+      "signed_at": "2026-05-28T04:09:16.161Z"
     },
     {
       "name": "sector-telecom",
@@ -1780,7 +1780,7 @@
         "O-RAN SFG / WG11 security specifications"
       ],
       "signature": "QpfWU8d2FFbo/Kt0Be2jcyDM9JPhKOiwKSi+RWmtPa2SrBVzFNYdC3T23fQXxHDEC2iyApEbXnwk8KN4d6PuBQ==",
-      "signed_at": "2026-05-28T02:32:11.267Z"
+      "signed_at": "2026-05-28T04:09:16.162Z"
     },
     {
       "name": "api-security",
@@ -1849,7 +1849,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-18",
       "signature": "BmCRCestWqr55+fCynEhtAl5NWLT+xLTkpwS0Icp3SaoZOw/ce3Y6TtqjHRSKn4CBJq7YDiLRWxmhO3MStvOAA==",
-      "signed_at": "2026-05-28T02:32:11.267Z",
+      "signed_at": "2026-05-28T04:09:16.162Z",
       "forward_watch": [
         "NGINX Rift CVE-2026-42945 (disclosed 2026-05-13, source depthfirst) — KEV-watch predicted CISA KEV listing by 2026-05-29; track for active-exploitation confirmation and patch advisory affecting API gateway / reverse-proxy deployments",
         "Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — LiteLLM 3-bug SSRF + Code Injection chain by k3vg3n; LLM-proxy API surface; track upstream patch and CVE assignments",
@@ -1935,7 +1935,7 @@
         "CISA KEV additions for cloud-control-plane CVEs (IMDSv1 abuses, federation token mishandling, cross-tenant boundary failures); CISA Cybersecurity Advisories for cross-cloud advisories"
       ],
       "signature": "/DV3pmZwrRySrk1OCbyI+0BQESacjupJfUX3eC2NGtXuYOBro0vndIP+z27heFxumnjU3a9sfla7/U9X+pqnDw==",
-      "signed_at": "2026-05-28T02:32:11.267Z"
+      "signed_at": "2026-05-28T04:09:16.162Z"
     },
     {
       "name": "container-runtime-security",
@@ -1997,7 +1997,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-15",
       "signature": "E2UGSf9ATyYgzBr8uM/0ubOUmDqo1jVA7f9mVxv6LHfWGCNuQNXDyuNou9VAmUCeeXEeUYIi3AFjXkJqpOkxDA==",
-      "signed_at": "2026-05-28T02:32:11.268Z",
+      "signed_at": "2026-05-28T04:09:16.163Z",
       "forward_watch": [
         "Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — NVIDIA Container Toolkit container escape ($50K award) by chompie / IBM X-Force XOR; high-severity container/hypervisor boundary break; track patch and KEV add post-embargo"
       ]
@@ -2071,7 +2071,7 @@
         "MITRE ATLAS v5.6.0 (released May 2026) shipped the AML.T0010 sub-technique expansion this forecast tracked plus new techniques (\"Publish Poisoned AI Agent Tool\", \"Escape to Host\"); inventory now 16 tactics, 84 techniques, 56 sub-techniques. Forward watch: subsequent ATLAS minor and major releases — track next-cadence updates to agentic-AI TTPs and MLOps-pipeline-specific techniques"
       ],
       "signature": "IL+DlRCDJN/p08iiJCFkasKcoyjcB0uWrJ6ORLjQcS1HrUa5Xt62QxVjYPHzaevlm5y36ZdmfESqsZJmzK3lCg==",
-      "signed_at": "2026-05-28T02:32:11.268Z"
+      "signed_at": "2026-05-28T04:09:16.163Z"
     },
     {
       "name": "incident-response-playbook",
@@ -2133,7 +2133,7 @@
         "NYDFS 23 NYCRR 500.17 amendments tightening ransom-payment 24h disclosure operationalization"
       ],
       "signature": "MmjLjlmOMLjhJJ4ZfR8MYlHam+ZB+eSqfh6Nv+DecaG4O5zeo9DBP/iL3cbyDVZxmhnhivgJild2ccYeWTeZAg==",
-      "signed_at": "2026-05-28T02:32:11.269Z"
+      "signed_at": "2026-05-28T04:09:16.163Z"
     },
     {
       "name": "ransomware-response",
@@ -2213,7 +2213,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "ssueL03g9fWlhXpTe+IiY5l7RqQkunN4DTN5QETKE+VOX+qggdjAR8PONxk77ol4xWYmHrM/VcH8CNtXUEvgBA==",
-      "signed_at": "2026-05-28T02:32:11.269Z"
+      "signed_at": "2026-05-28T04:09:16.164Z"
     },
     {
       "name": "email-security-anti-phishing",
@@ -2266,7 +2266,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-18",
       "signature": "oAFeZmci6BN7Xlu0oOThrazZNBQBIWeCQnoZDqjXo9cs1hIe/6ZijSEr3R3hFQSXH3c1KAbhPw+InR9Gc0HIBQ==",
-      "signed_at": "2026-05-28T02:32:11.269Z"
+      "signed_at": "2026-05-28T04:09:16.164Z"
     },
     {
       "name": "age-gates-child-safety",
@@ -2334,7 +2334,7 @@
         "US state adult-site age-verification laws — 19+ states by mid-2026 (TX HB 18 upheld by SCOTUS June 2025 in Free Speech Coalition v. Paxton); track ongoing challenges in remaining states"
       ],
       "signature": "Rgho5TOFUL1txOzcVR0kASCNdovSU4yt99JlGilJlJRyg0A+BdeeQYrZrhPF6Vx2reUAVG0BeHfcZtSbi+cwCg==",
-      "signed_at": "2026-05-28T02:32:11.270Z"
+      "signed_at": "2026-05-28T04:09:16.164Z"
     },
     {
       "name": "cloud-iam-incident",
@@ -2414,7 +2414,7 @@
       ],
       "last_threat_review": "2026-05-15",
       "signature": "e/kij7GtKaytROyIj7V5RH+FC9WtmVFzrmG2kIlNDNn29ep/CRNlIQKwXLpzo/81AIf634pmdr1qy/+vwIuUDA==",
-      "signed_at": "2026-05-28T02:32:11.270Z",
+      "signed_at": "2026-05-28T04:09:16.165Z",
       "forward_watch": [
         "AWS IAM Identity Center session-policy refresh and step-up-on-admin enforcement (anticipated 2026-H2 release)",
         "GCP Workload Identity Federation principal-set attribute mapping tightening (post-2026 Q3 Federation hardening guide)",
@@ -2508,7 +2508,7 @@
       ],
       "last_threat_review": "2026-05-15",
       "signature": "ew9Kglc9fAZzbn0ZIfGP7WSK/j4eV2VhSvpy+s5bEfNEVYIMa2kZjnGBapgUsyGDLes9H9K2ovjQyX17+GKiBw==",
-      "signed_at": "2026-05-28T02:32:11.270Z",
+      "signed_at": "2026-05-28T04:09:16.165Z",
       "forward_watch": [
         "Entra ID conditional access evolution post-Midnight Blizzard — Microsoft's 2025-2026 commitments on legacy-tenant MFA enforcement and OAuth-app consent gating",
         "Okta IPSIE (Interoperability Profile for Secure Identity in the Enterprise) OpenID Foundation working-group output and adoption timeline",
@@ -2526,6 +2526,6 @@
   ],
   "manifest_signature": {
     "algorithm": "Ed25519",
-    "signature_base64": "5OiCS9JG1FyBhcQTjlzV2KgueN5dvuLey3BsQCUskFORk8RMth3VNoYjSCzbaxKo1U3WcqjY21DtpdjPWFXxCg=="
+    "signature_base64": "W7kT6heP1mvpfgQFFeCdpGOGbCZpbIVT9cW+cqlB5ZXqhSbXOHpweL3UfArgFYl8vQGsdk18P0kNJrTGlIwNAw=="
   }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/exceptd-skills",
-  "version": "0.14.20",
+  "version": "0.14.21",
   "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 42 skills, 11 catalogs (406 CVEs / 171 CWEs / 805 ATT&CK + ICS / 170 ATLAS / 468 D3FEND / 8888 RFCs), 35 jurisdictions, 10-class catalog gap detector + budget gate, real XML parser + canonical-form diff + content-pattern regression detection, Ed25519-signed.",
   "keywords": [
     "ai-security",

package/sbom.cdx.json

@@ -1,22 +1,22 @@
 {
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:ad7d6e30-1f30-448b-9b72-08b3725ef84e",
+  "serialNumber": "urn:uuid:f146b015-d9dd-4d2f-838c-622d665d3777",
   "version": 1,
   "metadata": {
-    "timestamp": "2118-03-28T09:49:36.000Z",
+    "timestamp": "2154-04-11T04:14:13.000Z",
     "tools": [
       {
         "vendor": "blamejs",
         "name": "scripts/refresh-sbom.js",
-        "version": "0.14.20"
+        "version": "0.14.21"
       }
     ],
     "component": {
-      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.14.20",
+      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.14.21",
       "type": "application",
       "name": "@blamejs/exceptd-skills",
-      "version": "0.14.20",
+      "version": "0.14.21",
       "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 42 skills, 11 catalogs (406 CVEs / 171 CWEs / 805 ATT&CK + ICS / 170 ATLAS / 468 D3FEND / 8888 RFCs), 35 jurisdictions, 10-class catalog gap detector + budget gate, real XML parser + canonical-form diff + content-pattern regression detection, Ed25519-signed.",
       "licenses": [
         {
@@ -25,17 +25,17 @@
           }
         }
       ],
-      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.14.20",
+      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.14.21",
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "c1335307705d90a12e6b3d03d0213107590748fbefb17affec2b4134027a2066"
+          "content": "1bc1d2d5014d8a83b8f499cf898b342920cc38777e20b96d9aa0a4809c5e3446"
         }
       ],
       "externalReferences": [
         {
           "type": "distribution",
-          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.14.20"
+          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.14.21"
         },
         {
           "type": "vcs",
@@ -116,11 +116,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "70237899d20090dad92ebb1847b7645138b1f94f072f0a4c6101e969f30c4049"
+          "content": "e5b92405b978dea5757ad66959b0cc39a1007261f83ffd793d318d2a187df1e0"
         },
         {
           "alg": "SHA3-512",
-          "content": "5d51b673341672c8f0efbca7ba0c7fb85acbc07fda47ec314bd10b2a979a3c736aa5cea78f73f7f259cd5099332bfaa70b8ab59d0d376d1f41b07cd962b88927"
+          "content": "8d872587150b13cefadfdccdb74b2954b129e6fe82177dad98ac3eae5e9bc02efcc75ab1b54c05b66ab24e0d1641cf7e488ef416ac35c318f6b864784907ba6d"
         }
       ]
     },
@@ -1751,11 +1751,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "dc4cdb2fa56243e42a1989558997a236e564176fa6c8e5dcae9de9d2dad8399b"
+          "content": "238a94feb0967eb74eedd99084ecf49ee6a20cbf04e9f704a6a3526fdddb6363"
         },
         {
           "alg": "SHA3-512",
-          "content": "79f50a6fa13bb5b81b29bed3a637e6e94a3df1689ed14d88bfc6ce1bd1df5353044308c3db24c065d69b522dd38de3c37f5bf0efd9b0ccc6c66a3acc163d77b8"
+          "content": "c531fde98b619b4f5438f4aeea5e046b2fc405d6267609e2de0f7430a6a408d3d5a287efe63d78399c8d1dd46ce27079ad6e31d8f5f6cf98fefd4b5e7af85873"
         }
       ]
     },
@@ -2726,11 +2726,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "17249909697a9c61b71f6885a1f4888ab1e727909ddb487ed82aeef535884a4f"
+          "content": "f7092b8d3efbcbf0b7af9a712a6705ad07ce4dd1abbd92762b5b395d6cbe6cca"
         },
         {
           "alg": "SHA3-512",
-          "content": "2d656f044cbfe53cb9e5b630ce50e6d848eb5e0ef3eaad3c9c4b10974ab10776a9be0e03c136e32a62cbce08f59425be15c59624f10e4322396ddf531dfafec5"
+          "content": "893b789ffc99ffd3724aa51eef2254e64c2fea4e28c1b9bb378454dd5c86280c18b92f16d1e4313ae3980cbbcb7d0b728fdead29140f487d50bd313c316c2f2e"
         }
       ]
     },
@@ -2756,11 +2756,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "57ca729034e9d33c527d869c1c4aa82fe37e496878a3cbcd9e5043cb62b7105d"
+          "content": "6d9722b7a85b8ad1150a61188b578f380e9c9685118028e134a0ba5804dae708"
         },
         {
           "alg": "SHA3-512",
-          "content": "fe0573c4c5a22f2fc24ce2b3a54a7695de6fd392cfe3b396a2e4b0eca812989cf33404c6d5cf932ef4a474fd84b900b6d40f1e728357a9df6ade95746e4444ec"
+          "content": "498af3e4d2b94c4312e65d3e266ecc6edebd411ee5da590f4038ac890d0428efc32cdf1754ed472f9fe17d0a1517fd12480a00c3204593a81dfde5c283ac5362"
         }
       ]
     },
@@ -3086,11 +3086,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "0a115fb8bf2ddd8e97d5ff49d61ffb1d221f1ce9f37f19b4ba86edbf765f632c"
+          "content": "964e90dd9ba632926414987ab7c26cac881ff1b36ff161172271ad8c94bcc49d"
         },
         {
           "alg": "SHA3-512",
-          "content": "865782360930bc6fda9c86b8c46b2d30fd65841854c1558ee9c1080fc9123c4defcc32c809f0d72407521c3f456d74c546ea37c75cfd6829e1e01bcf31d251e6"
+          "content": "92777b2822acb929b345c7000def8cbcaaaac82dd5ba4fde2ad7829351c97f3b81d5dee7f53586892fc78ec022aeaabca5d38246fa433a2f9c9a9f50f647f959"
         }
       ]
     },

package/skills/framework-gap-analysis/skill.md

@@ -27,6 +27,10 @@ last_threat_review: "2026-05-22"
 
 This skill analyzes the gap between what a compliance framework control was designed to address and what current attacker TTPs require. It is the meta-skill that underlies compliance-theater, global-grc, and policy-exception-gen.
 
+## Frontmatter Scope
+
+The `atlas_refs` and `attack_refs` arrays are intentionally empty. This skill is a meta-analysis: its subject is the *gap* between a control's design intent and the live TTP landscape, so its inputs are the TTP-to-control mappings already attached to every other playbook and skill rather than a fixed native TTP set. The specific techniques appear in the body where a given gap is illustrated; the authoritative TTP attachment lives on the skill or playbook that owns that detection. The `framework_gaps` reference set is the populated, authoritative declaration for this skill.
+
 ## Threat Context (mid-2026)
 
 Compliance frameworks lag the threat environment by years. Most active controls in NIST 800-53, ISO 27001:2022, SOC 2, PCI DSS 4.0, NIS2, and DORA were drafted against assumptions (human-speed exploit development, persistent inventoriable assets, human-controlled accounts) that current attacker TTPs no longer respect. Three concrete mid-2026 instances anchor the lag:

package/skills/global-grc/skill.md

@@ -31,6 +31,10 @@ last_threat_review: "2026-05-01"
 
 This skill provides multi-jurisdiction GRC analysis. It maps current security threats against frameworks from 14 jurisdictions and two global standards bodies, identifies universal control gaps that no jurisdiction's framework covers, and surfaces jurisdiction-specific notification and compliance requirements.
 
+## Frontmatter Scope
+
+The `atlas_refs` and `attack_refs` arrays are intentionally empty. This skill is a jurisdiction/framework registry and gap-correlation layer — its subject is regulatory coverage, not a native set of attacker techniques. The TTPs referenced in the body come from the domain skills whose threats each framework is measured against; that downstream skill carries the authoritative technique attachment.
+
 ---
 
 ## Framework Registry (mid-2026 currency)

package/skills/threat-modeling-methodology/skill.md

@@ -49,6 +49,10 @@ discovery_mode: "standalone"  # v0.13.2: operator-reached via `exceptd brief thr
 
 # Threat Modeling Methodology
 
+## Frontmatter Scope
+
+The `atlas_refs` and `attack_refs` arrays are intentionally empty. This skill teaches the *method* for selecting and combining threat-modeling frameworks and mapping threats to techniques — it does not own a fixed TTP set. The specific TTPs cited in the body are illustrative of the method; the authoritative technique attachment lives on the domain skill or playbook that detects each threat. Duplicating those IDs here would create a divergence surface the next time a downstream mapping changes.
+
 ## Purpose
 
 The companion skill `threat-model-currency` measures *when* a threat model is stale. This skill governs *how* a threat model is built. Currency without methodology yields opinion; methodology without currency yields a current-looking 2022 artefact. Both are required.