@blamejs/exceptd-skills 0.15.0 → 0.15.1

Files changed (49)
  1. package/CHANGELOG.md +8 -0
  2. package/data/_indexes/_meta.json +44 -44
  3. package/data/_indexes/section-offsets.json +804 -795
  4. package/data/_indexes/summary-cards.json +3 -3
  5. package/data/_indexes/token-budget.json +506 -501
  6. package/data/cve-catalog.json +154 -7
  7. package/manifest.json +84 -84
  8. package/package.json +1 -1
  9. package/sbom.cdx.json +94 -94
  10. package/skills/age-gates-child-safety/skill.md +7 -7
  11. package/skills/ai-attack-surface/skill.md +1 -1
  12. package/skills/ai-c2-detection/skill.md +3 -3
  13. package/skills/ai-risk-management/skill.md +9 -9
  14. package/skills/api-security/skill.md +4 -4
  15. package/skills/cloud-security/skill.md +7 -7
  16. package/skills/compliance-theater/skill.md +4 -4
  17. package/skills/container-runtime-security/skill.md +6 -6
  18. package/skills/coordinated-vuln-disclosure/skill.md +12 -12
  19. package/skills/defensive-countermeasure-mapping/skill.md +14 -10
  20. package/skills/dlp-gap-analysis/skill.md +3 -3
  21. package/skills/email-security-anti-phishing/skill.md +6 -6
  22. package/skills/exploit-scoring/skill.md +2 -2
  23. package/skills/framework-gap-analysis/skill.md +6 -6
  24. package/skills/fuzz-testing-strategy/skill.md +1 -1
  25. package/skills/global-grc/skill.md +2 -2
  26. package/skills/identity-assurance/skill.md +5 -5
  27. package/skills/idp-incident-response/skill.md +5 -5
  28. package/skills/incident-response-playbook/skill.md +8 -8
  29. package/skills/kernel-lpe-triage/skill.md +4 -4
  30. package/skills/mcp-agent-trust/skill.md +3 -3
  31. package/skills/mlops-security/skill.md +5 -5
  32. package/skills/ot-ics-security/skill.md +7 -7
  33. package/skills/policy-exception-gen/skill.md +2 -2
  34. package/skills/pqc-first/skill.md +2 -2
  35. package/skills/rag-pipeline-security/skill.md +2 -2
  36. package/skills/ransomware-response/skill.md +9 -9
  37. package/skills/researcher/skill.md +11 -11
  38. package/skills/sector-energy/skill.md +6 -6
  39. package/skills/sector-federal-government/skill.md +2 -2
  40. package/skills/sector-financial/skill.md +4 -4
  41. package/skills/sector-healthcare/skill.md +6 -6
  42. package/skills/sector-telecom/skill.md +1 -1
  43. package/skills/security-maturity-tiers/skill.md +4 -4
  44. package/skills/skill-update-loop/skill.md +6 -6
  45. package/skills/supply-chain-integrity/skill.md +1 -1
  46. package/skills/threat-model-currency/skill.md +3 -3
  47. package/skills/threat-modeling-methodology/skill.md +9 -9
  48. package/skills/webapp-security/skill.md +7 -7
  49. package/skills/zeroday-gap-learn/skill.md +8 -8
@@ -384,7 +384,7 @@ The skill produces a Security Maturity Roadmap that scores each in-scope domain
384
384
 
385
385
  Apply this check to every maturity-tier engagement before recommending a roadmap:
386
386
 
387
- > "Your security program currently sits at Tier <N> by self-assessment for domain <D>. The compliance framework you cite (e.g. NIST CSF 2.0 / ISO 27001:2022 / NIS2 Art. 21 / UK-CAF / AU Essential 8) classifies your posture as <attested-tier>. If the threats now in scope for this domain (specific CVE / TTP from `data/cve-catalog.json` and `data/atlas-ttps.json`) include a class where the framework control is structurally insufficient (Hard Rule #2 framework-lag), then your attested tier and your operational tier diverge by exactly that gap. Which of the controls you would cite for your attested tier would survive a primary-source IoC test against the highest-RWEP CVE in scope?"
387
+ > "Your security program currently sits at Tier <N> by self-assessment for domain <D>. The compliance framework you cite (e.g. NIST CSF 2.0 / ISO 27001:2022 / NIS2 Art. 21 / UK-CAF / AU Essential 8) classifies your posture as <attested-tier>. If the threats now in scope for this domain (specific CVE / TTP from `data/cve-catalog.json` and `data/atlas-ttps.json`) include a class where the framework control is structurally insufficient (the framework-lag class framework controls trail current threats), then your attested tier and your operational tier diverge by exactly that gap. Which of the controls you would cite for your attested tier would survive a primary-source IoC test against the highest-RWEP CVE in scope?"
388
388
 
389
389
  **Theater fingerprints for tier conflation:**
390
390
 
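Review bot: the new parenthetical on the `+` line at 387, "(the framework-lag class framework controls trail current threats)", runs two clauses together and reads as a garble now that the rule number is gone. Suggest "(the framework-lag class: framework controls trail current threats)", matching the clearer structure used in the skill-update-loop hunk of this same release, "framework lag is a first-class concept (framework controls trail current threats)".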
@@ -394,7 +394,7 @@ Apply this check to every maturity-tier engagement before recommending a roadmap
394
394
  - Tier-3 controls audited annually, Tier-1 controls (patching, MFA on privileged identities, secrets in git) never re-audited because they "passed once."
395
395
  - The roadmap promotes the org from Tier 1 to Tier 3 in a single budget cycle, skipping the Tier 2 operational work that converts point-in-time controls into continuous ones.
396
396
 
397
- **Real requirement:** maturity assessed per domain, not org-wide; the assessed tier matches operational behavior (not the audit attestation); promotion happens domain-by-domain with explicit Tier-2 instrumentation between Tier-1 controls and Tier-3 sophistication; the same CVE-anchored primary-source IoC test (Hard Rule #14) applies at every tier — if a Tier-3 control cannot defend against the published PoC of the highest-RWEP CVE in scope, the tier classification is theater.
397
+ **Real requirement:** maturity assessed per domain, not org-wide; the assessed tier matches operational behavior (not the audit attestation); promotion happens domain-by-domain with explicit Tier-2 instrumentation between Tier-1 controls and Tier-3 sophistication; the same CVE-anchored primary-source IoC test applies at every tier — if a Tier-3 control cannot defend against the published PoC of the highest-RWEP CVE in scope, the tier classification is theater.
398
398
 
399
399
  ---
400
400
 
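Review bot: dropping "(Hard Rule #14)" from the `+` line at 397 leaves "the same CVE-anchored primary-source IoC test" with nothing to point back to; the only other mention in this file is the tier-conflation check quoted at 387. Either name that check explicitly ("the primary-source IoC test from the tier-conflation check above") or define the test once in this skill, since a consumer of the packaged skill no longer sees AGENTS.md and cannot tell what "the same" refers to.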
@@ -446,7 +446,7 @@ Each tier diverges from at least one widely-cited framework control because the
446
446
  | Overkill | ISO 27001:2022 A.8.31 (Separation of development, test, production) | Environment separation | Add: sandboxed MCP servers with seccomp+netns enforcement | A.8.31 does not contemplate developer-installed AI tool plugins as a privilege-bearing execution surface |
447
447
  | Overkill | EU AI Act Art. 15 (Cybersecurity for high-risk AI) | "Appropriate level" of cybersecurity | Continuous adversarial testing of AI surfaces in CI | "Appropriate" is interpretive; the tier operationalises it |
448
448
 
449
- Per AGENTS.md hard rule #5, the divergences above are surfaced against US, EU, UK, AU and ISO 27001:2022 — every tier's framework lag declaration is global by construction.
449
+ The divergences above are surfaced against US, EU, UK, AU and ISO 27001:2022 — every tier's framework lag declaration is global by construction.
450
450
 
451
451
  ---
452
452
 
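Review bot: with "Per AGENTS.md hard rule #5" removed from the `+` line at 449, "global by construction" has lost its construction: the sentence now asserts the coverage is global without saying what guarantees it. The threat-model-currency hunk in this release phrases the same requirement as "for global-first coverage"; suggest the same wording here, e.g. "The divergences above are surfaced against US, EU, UK, AU and ISO 27001:2022 so that every tier's framework lag declaration is global-first by construction."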
@@ -482,7 +482,7 @@ Tiered to the current `data/cve-catalog.json`, using RWEP (`lib/scoring.js`) as
482
482
  | Practical | RWEP >= 30 | CVE-2026-31431 (90), CVE-2026-30615 (Windsurf MCP local-vector RCE, 35, CVSS 8.0), CVE-2025-53773 (Copilot YOLO-mode RCE, 30, CVSS 7.8) | Copy Fail as above; CVE-2026-30615 + CVE-2025-53773 both AV:L local-vector, demonstrated PoC, vendor-patchable; AI-coding-assistant scope | All MVP coverage plus: prompt-injection classifier in front of any LLM processing external content; phishing simulation using AI-generated content; org-wide AI-coding-assistant version management; MCP server allowlisting with signed manifests |
483
483
  | Overkill | All catalog entries regardless of RWEP | CVE-2026-31431 (90), CVE-2026-43284 (Dirty Frag ESP/IPsec, 38, CVSS 7.8), CVE-2026-30615 (Windsurf MCP local-vector RCE, 35, CVSS 8.0), CVE-2026-43500 (Dirty Frag RxRPC, 32, CVSS 7.6), CVE-2025-53773 (Copilot YOLO-mode RCE, 30, CVSS 7.8) | Public PoC for all; Dirty Frag pair has no live patch (kpatch RHEL-only); Windsurf is local-vector supply-chain class; chained Dirty Frag requires kernel-version fingerprinting | All Practical coverage plus: kernel hardening (unprivileged_userns_clone=0, unprivileged_userfaultfd=0, kptr_restrict=2); seccomp profiles on all containers; eBPF runtime detection; immutable infrastructure for the workloads that tolerate it; sandboxed MCP execution; per-invocation capability tokens for AI agents |
484
484
 
485
- Refresh trigger: re-run `node lib/scoring.js` and rebuild this matrix whenever `data/cve-catalog.json` is updated. Per AGENTS.md hard rule #6 the zero-day learning loop also feeds back into the tier mapping when a new CVE is added.
485
+ Refresh trigger: re-run `node lib/scoring.js` and rebuild this matrix whenever `data/cve-catalog.json` is updated. The zero-day learning loop also feeds back into the tier mapping when a new CVE is added.
486
486
 
487
487
  Note on CVSS divergence: every CVE in this catalog has a CVSS in the 7.6–8.0 range — CVSS alone would prioritise the highest-band CVE without distinguishing the AI-discovered KEV-listed deterministic LPE (Copy Fail) from the local-vector MCP supply-chain class (Windsurf). RWEP correctly ranks Copy Fail (90) above Windsurf (35) because KEV listing, deterministic exploitability, AI discovery, and broad blast radius dominate. The MVP tier protects against the right thing first.
488
488
 
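Review bot: the `+` line at 485 keeps "The zero-day learning loop also feeds back into the tier mapping" but, with the rule reference gone, no longer says which skill implements the loop; this release also touches `package/skills/zeroday-gap-learn/skill.md`, so suggest naming it ("the zero-day learning loop in `zeroday-gap-learn`") so the refresh trigger is actionable. On the same line, "re-run `node lib/scoring.js` and rebuild this matrix" describes a manual step; if the rebuild is scripted, cite the command, otherwise say the matrix is hand-maintained.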
@@ -34,7 +34,7 @@ forward_watch:
34
34
  - Framework publication updates (NIST SP updates, ISO amendments, NIS2 implementing acts)
35
35
  - IETF RFC publications and draft status changes (datatracker.ietf.org, rfc-editor.org); run `npm run validate-rfcs` quarterly
36
36
  last_threat_review: "2026-05-22"
37
- discovery_mode: "standalone" # v0.13.2: operator-reached via `exceptd brief skill-update-loop` or `exceptd ask`; not chained into any playbook's direct.skill_chain by design
37
+ discovery_mode: "standalone" # operator-reached via `exceptd brief skill-update-loop` or `exceptd ask`; not chained into any playbook's direct.skill_chain by design
38
38
  ---
39
39
 
40
40
  # Skill Update Loop
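Review bot: the `+` line at 37 rewrites the `discovery_mode` comment while `last_threat_review: "2026-05-22"` on the context line above is untouched, yet this skill's own procedures (step 3 at lines 320 and 340 in this file) say to bump `last_threat_review` whenever a skill body is updated. If editorial-only changes are meant to be exempt, state that exemption next to the bump rule; otherwise the three skills whose bodies change in this release (this one, threat-model-currency, threat-modeling-methodology) should get a bump.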
@@ -259,7 +259,7 @@ When a new attack class is documented in research, CVE disclosures, or threat in
259
259
 
260
260
  **Monitor:** IETF Datatracker (https://datatracker.ietf.org), RFC Editor (https://www.rfc-editor.org). Run `npm run validate-rfcs` (which calls `node orchestrator/index.js validate-rfcs --live`) on a quarterly cadence or whenever a tracked RFC/draft is known to have advanced.
261
261
 
262
- Per AGENTS.md hard rule #12 (external data version pinning), RFCs are tracked alongside ATLAS, NIST, CISA KEV. The catalog lives at `data/rfc-references.json`. Drift surfaces:
262
+ Under the external-data version-pinning discipline, RFCs are tracked alongside ATLAS, NIST, CISA KEV. The catalog lives at `data/rfc-references.json`. Drift surfaces:
263
263
 
264
264
  - A draft advances to Proposed Standard, Internet Standard, or Best Current Practice.
265
265
  - A new RFC errata is published.
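Review bot: "Under the external-data version-pinning discipline" on the `+` line at 262 names a discipline that is defined nowhere in the packaged skill now that the AGENTS.md rule number is gone; add one clause saying what it requires (every external catalogue pinned to a named version, with drift recorded) or a pointer to the pin file. Unrelated style nit on the unchanged context line at 265: "A new RFC errata is published" should read "erratum".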
@@ -319,7 +319,7 @@ When a sector publishes an update:
319
319
  2. Check `data/framework-control-gaps.json` for affected control IDs — mark `status: "closed"` with the update reference if the update addresses the gap, otherwise update `gap_analysis` notes to reflect partial improvement or residual gap.
320
320
  3. Update the relevant sector skill's body (regulator-specific sections, control mapping tables, output-format examples) and bump `last_threat_review`.
321
321
  4. Bump `last_verified` on affected source entries in `sources/index.json` and in any source-tracking entries in `data/exploit-availability.json` or `data/rfc-references.json` that depend on the sector publication.
322
- 5. If the update introduces a new control class not currently covered by any skill, evaluate whether to extend an existing sector skill or to add a new skill per AGENTS.md "Adding a New Skill" procedure.
322
+ 5. If the update introduces a new control class not currently covered by any skill, evaluate whether to extend an existing sector skill or to author a new skill following the project's skill-authoring procedure.
323
323
 
324
324
  **Affected skills (by default):** sector-healthcare, sector-financial, sector-federal-government, sector-energy, global-grc, framework-gap-analysis, compliance-theater.
325
325
 
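Review bot: step 5 on the `+` line at 322 replaces a concrete pointer (AGENTS.md "Adding a New Skill") with "the project's skill-authoring procedure", which is not a location a packaged-skill consumer can follow. Either keep a file path or section name, or state the minimum the procedure requires inline (canonical section template, frontmatter fields, lint pass); the D3-IOPR row later in this file already enumerates the canonical sections and could be referenced.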
@@ -331,7 +331,7 @@ When a sector publishes an update:
331
331
 
332
332
  **Monitor:** Gartner Magic Quadrant and Forrester Wave annual reports for the relevant vendor categories (CSPM, CWPP, CNAPP, EDR/XDR, secure email gateway / ICES, MLOps platforms, container security, API security), CNCF security TAG output (whitepapers, project graduations, and security-tooling assessments), OpenSSF working-group output (SLSA, Sigstore, model-signing, scorecard, secure-supply-chain consumption working groups), and vendor public roadmaps (AWS / Azure / GCP security service launches, Wiz / Lacework / Prisma / Sysdig / CrowdStrike / SentinelOne / Microsoft Defender / Proofpoint / Abnormal / Mimecast / Cloudflare / Akamai / Salt / Noname / Databricks / HuggingFace public capability announcements). Run a vendor-capability check at minimum semi-annually, and immediately on any new Magic Quadrant / Wave release or any vendor's general-availability announcement of a category-shifting capability.
333
333
 
334
- Per AGENTS.md Hard Rule #2 (framework lag is a first-class concept), a skill's framework-gap declaration is only valid as long as the vendor capability landscape behind those frameworks is unchanged. When a major vendor category ships a new detection or enforcement capability that closes a gap the skill currently maps as open, the skill body drifts from operational reality regardless of whether any CVE, ATLAS TTP, or framework amendment has fired. The reverse drift also matters: a vendor category that loses a previously-shipped capability (deprecation, acquisition-driven product collapse, or documented bypass that re-opens the gap) re-opens a skill's gap line and must be reflected promptly.
334
+ Because framework lag is a first-class concept (framework controls trail current threats), a skill's framework-gap declaration is only valid as long as the vendor capability landscape behind those frameworks is unchanged. When a major vendor category ships a new detection or enforcement capability that closes a gap the skill currently maps as open, the skill body drifts from operational reality regardless of whether any CVE, ATLAS TTP, or framework amendment has fired. The reverse drift also matters: a vendor category that loses a previously-shipped capability (deprecation, acquisition-driven product collapse, or documented bypass that re-opens the gap) re-opens a skill's gap line and must be reflected promptly.
335
335
 
336
336
  When a vendor category ships a new capability (or loses one):
337
337
 
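Review bot: the rewritten `+` line at 334 makes gap closure depend on vendor capability, but the Monitor line in the context above (332) lists Gartner Magic Quadrant and Forrester Wave first; those are analyst secondary sources, while step 4 of the procedure below registers vendor public documentation as the primary source. Suggest stating here that a gap may be marked closed only on vendor primary documentation (or a reproduced test), with analyst reports as a trigger to look, not as evidence.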
@@ -339,7 +339,7 @@ When a vendor category ships a new capability (or loses one):
339
339
  2. Update the affected skill's body — move language from "this is the gap" to "this is the new capability" (or vice versa), refresh the framework-lag declaration table, and update any TTP-to-control mapping rows that now resolve differently.
340
340
  3. Bump `last_threat_review` on each affected skill.
341
341
  4. Update `sources/index.json` if a new vendor primary-source (vendor public-documentation URL, capability-announcement post, security-tooling assessment) needs to be registered or if an existing source's `last_verified` needs to be refreshed.
342
- 5. If the capability shift introduces a new control class not currently covered by any skill, evaluate whether to extend an existing skill or add a new skill per AGENTS.md "Adding a New Skill" procedure.
342
+ 5. If the capability shift introduces a new control class not currently covered by any skill, evaluate whether to extend an existing skill or author a new skill following the project's skill-authoring procedure.
343
343
 
344
344
  **Affected skills (by default):** cloud-security, container-runtime-security, mlops-security, email-security-anti-phishing, defensive-countermeasure-mapping, dlp-gap-analysis.
345
345
 
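Review bot: the `+` line at 342 is the same wording fix as step 5 of the sector-update procedure at 322, and steps 2-5 of the two procedures are otherwise near-identical (update body, bump `last_threat_review`, refresh `sources/index.json`, extend-or-add skill). Suggest factoring the shared tail into one common "update steps" block that both triggers reference, so the next wording change does not have to be made twice.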
@@ -518,4 +518,4 @@ The drift attack against skill currency is structural, not technical — there i
518
518
  | **D3-IOPR** (Input/Output Profiling Resource) | Lint-skills body / frontmatter parsing is the profiling step: every skill body is parsed against the canonical section template (Threat Context, TTP Mapping, Framework Lag Declaration, Exploit Availability Matrix, Analysis Procedure, Output Format, Compliance Theater Check, DCM). A drifted skill that drops a required section is caught at lint time. | Layer 2 (Harden — schema). | Per-skill — schema is per-skill body. | Default-deny missing sections; the v0.13.0 lint upgrade makes DCM a hard-fail. |
519
519
  | **D3-PA** (Process Analysis) | The watchlist / dispatch / scan log every load and signature-check event so a forensic reader can reconstruct which skill version produced which finding. Without a per-invocation evidence stream, a stale skill body whose timestamp says "current" cannot be detected after the fact. | Layer 5 (Detect — runtime). | Per-invocation — every CLI invocation emits a structured log entry. | Treat every invocation as untrusted until the signature chain is verified at load time; persist the verification result alongside the finding. |
520
520
 
521
- **Defense-in-depth posture:** signature integrity (D3-CA) and snapshot-pinning (D3-EHB) are the hard gates that prevent a tampered skill body from shipping; lint-schema (D3-IOPR) and currency timestamps (D3-FAPA) are the audit gates that catch silent drift inside an intentional release; D3-PA is the per-invocation evidence stream that lets the operator answer "which version of the skill produced this finding" post-hoc. Per AGENTS.md hard rule #8 (pinned ATLAS / ATT&CK version), every layer's evidence is keyed off the pinned version — a manifest snapshot taken against ATLAS v5.6.0 is not interchangeable with one taken against a later release.
521
+ **Defense-in-depth posture:** signature integrity (D3-CA) and snapshot-pinning (D3-EHB) are the hard gates that prevent a tampered skill body from shipping; lint-schema (D3-IOPR) and currency timestamps (D3-FAPA) are the audit gates that catch silent drift inside an intentional release; D3-PA is the per-invocation evidence stream that lets the operator answer "which version of the skill produced this finding" post-hoc. Because the ATLAS / ATT&CK version is pinned, every layer's evidence is keyed off the pinned version — a manifest snapshot taken against ATLAS v5.6.0 is not interchangeable with one taken against a later release.
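Review bot: this release strips release-version tags from comments elsewhere (the "v0.13.2:" prefixes on three `discovery_mode` lines), but the D3-IOPR context row at 518 still says "the v0.13.0 lint upgrade makes DCM a hard-fail"; the `+` line at 521 follows the new style, so the row should too ("the lint step makes DCM a hard-fail"). Also on 521, "a manifest snapshot taken against ATLAS v5.6.0" hard-codes the pinned version in prose; if the pin lives in a data file, cite that file so the number does not go stale.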
@@ -161,7 +161,7 @@ Cross-walk to CWE (see `data/cwe-catalog.json`):
161
161
 
162
162
  ## Exploit Availability Matrix
163
163
 
164
- Sourced from `data/cve-catalog.json`, `data/exploit-availability.json`, and public incident history as of 2026-05-11. Per AGENTS.md hard rule #1, every CVE reference includes CVSS, KEV status, PoC availability, AI-discovery flag, active-exploitation status, and patch availability. Technique-class rows (no single CVE) are scored as ongoing class risks per AGENTS.md hard rule #3 — RWEP is not assigned because the field is defined for individual CVEs in `data/cve-catalog.json`.
164
+ Sourced from `data/cve-catalog.json`, `data/exploit-availability.json`, and public incident history as of 2026-05-11. Every CVE reference includes CVSS, KEV status, PoC availability, AI-discovery flag, active-exploitation status, and patch availability. Technique-class rows (no single CVE) are scored as ongoing class risks — RWEP is not assigned because the field is defined for individual CVEs in `data/cve-catalog.json`.
165
165
 
166
166
  | Incident / Class | CVSS | RWEP | PoC Public? | CISA KEV? | AI-Accelerated? | Patch / Mitigation | SLSA-Detectable? | SBOM-Detectable? | VEX-Helpful? |
167
167
  |---|---|---|---|---|---|---|---|---|---|
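Review bot: the `+` line at 164 says technique-class rows carry no RWEP, but the table header at 166 has an RWEP column with no stated sentinel; say what those cells hold (e.g. "n/a") so a parser of the matrix does not treat a blank as a missing score. The "as of 2026-05-11" date is retained on the same line while the text around it is edited; confirm it is still the data snapshot date rather than the date of the last wording change.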
@@ -23,7 +23,7 @@ forward_watch:
23
23
  - New MCP or agent protocol security disclosures
24
24
  - Emerging malware families using AI for evasion
25
25
  last_threat_review: "2026-05-18"
26
- discovery_mode: "standalone" # v0.13.2: operator-reached via `exceptd brief threat-model-currency` or `exceptd ask`; not chained into any playbook's direct.skill_chain by design
26
+ discovery_mode: "standalone" # operator-reached via `exceptd brief threat-model-currency` or `exceptd ask`; not chained into any playbook's direct.skill_chain by design
27
27
  ---
28
28
 
29
29
  # Threat Model Currency Assessment
@@ -374,7 +374,7 @@ For each gap, produce a specific, actionable update:
374
374
 
375
375
  ## Output Format
376
376
 
377
- The skill produces a structured Threat Model Currency Assessment that scores the threat model against each of the 14 threat classes, computes a currency percentage, and emits a priority update roadmap. The shape below is consumed downstream by `framework-gap-analysis` (which converts per-class gaps into Framework Lag Declarations), by `policy-exception-gen` (which generates defensible exceptions for any class the operator cannot remediate immediately), and by `global-grc` (which rolls up the currency score across EU/UK/AU/ISO jurisdictions per Hard Rule #5). Preserve the per-class scoring rows verbatim — they are the auditable derivation of the currency percentage.
377
+ The skill produces a structured Threat Model Currency Assessment that scores the threat model against each of the 14 threat classes, computes a currency percentage, and emits a priority update roadmap. The shape below is consumed downstream by `framework-gap-analysis` (which converts per-class gaps into Framework Lag Declarations), by `policy-exception-gen` (which generates defensible exceptions for any class the operator cannot remediate immediately), and by `global-grc` (which rolls up the currency score across EU/UK/AU/ISO jurisdictions for global-first coverage). Preserve the per-class scoring rows verbatim — they are the auditable derivation of the currency percentage.
378
378
 
379
379
  ```
380
380
  ## Threat Model Currency Assessment
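Review bot: the `+` line at 377 calls the per-class rows "the auditable derivation of the currency percentage", but neither this line nor the context states how the percentage is derived from them (equal weight per class, and whether an "addressed but unverified" class earns partial credit). The zero-trust posture later in this file says over-credited classes must not count, so write the formula down here once so that `framework-gap-analysis`, `policy-exception-gen` and `global-grc` compute the same number.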
@@ -444,4 +444,4 @@ A threat model is current only when each of the 14 threat classes above has a na
444
444
 
445
445
  **Zero-trust posture:** every class above is verified in production before the currency score credits it. A class scored as "addressed" with a D3FEND technique that is policy-approved but not deployed, or deployed but not monitored, or monitored but not tested against the cited TTP, is over-credited. The Priority Update Roadmap field (per the Output Format) must list verification tests alongside the technique deployment plan.
446
446
 
447
- **AI-pipeline applicability (per AGENTS.md Hard Rule #9):** Classes 4, 5, 7, 8, 9, 10, 11, 12, 13 are AI-pipeline-applicable. `D3-EAL` does not apply to serverless inference endpoints; the scoped alternative is `D3-CSPP` at the gateway plus signed-image attestation at the provider. `D3-FAPA` on ephemeral RAG indices degrades to per-query retrieval logging via `D3-IOPR` plus index-build provenance signed at construction. The currency assessment must record these degradations explicitly when scoring AI-pipeline classes.
447
+ **AI-pipeline applicability:** Classes 4, 5, 7, 8, 9, 10, 11, 12, 13 are AI-pipeline-applicable. `D3-EAL` does not apply to serverless inference endpoints; the scoped alternative is `D3-CSPP` at the gateway plus signed-image attestation at the provider. `D3-FAPA` on ephemeral RAG indices degrades to per-query retrieval logging via `D3-IOPR` plus index-build provenance signed at construction. The currency assessment must record these degradations explicitly when scoring AI-pipeline classes.
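Review bot: the `+` line at 447 lists applicable classes by number only (4, 5, 7 through 13); with the rule reference removed there is no statement of why classes 1, 2, 3, 6 and 14 are excluded. Add the exclusion rationale or the class names so the list survives a renumbering of the 14 classes.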
@@ -44,7 +44,7 @@ forward_watch:
44
44
  - LINDDUN-GO and LINDDUN-PRO updates incorporating LLM privacy threats
45
45
  - PASTA v2 updates incorporating AI/ML application threats
46
46
  last_threat_review: "2026-05-11"
47
- discovery_mode: "standalone" # v0.13.2: operator-reached via `exceptd brief threat-modeling-methodology` or `exceptd ask`; not chained into any playbook's direct.skill_chain by design
47
+ discovery_mode: "standalone" # operator-reached via `exceptd brief threat-modeling-methodology` or `exceptd ask`; not chained into any playbook's direct.skill_chain by design
48
48
  ---
49
49
 
50
50
  # Threat Modeling Methodology
@@ -152,7 +152,7 @@ Methodologies are catalog consumers, not catalog producers. The matrix shows the
152
152
  | Trike | Authorised/unauthorised action gaps | Indirectly | Indirectly | No | No |
153
153
  | OCTAVE Allegro | Asset areas-of-concern | Indirectly | No | No | No |
154
154
  | Cyber Kill Chain | Intrusion phases | Yes (KEV common in initial-access phase) | Yes | Yes | No |
155
- | Diamond Model | Adversary–capability–infrastructure–victim | Yes (capabilities include live CVEs) | Yes | Yes (campaigns increasingly use AI-developed capabilities per Hard Rule AGENTS.md #1 / DR-5) | Yes (Diamond pivots into IR and IR drives live-patch decisions) |
155
+ | Diamond Model | Adversary–capability–infrastructure–victim | Yes (capabilities include live CVEs) | Yes | Yes (campaigns increasingly use AI-developed capabilities AI-assisted attack development is current operational reality) | Yes (Diamond pivots into IR and IR drives live-patch decisions) |
156
156
  | MITRE Unified Kill Chain v3.0 | Full ATLAS + ATT&CK across 18 phases | Yes | Yes | Yes | Yes (phases 14–18 include impact stages where live-patch SLAs are decisive) |
157
157
  | AI-system composite | Full ATLAS catalogue | Yes (CVE-2025-53773 prompt-injection RCE, CVE-2026-30615 MCP RCE, both in `data/cve-catalog.json`) | Yes | Yes | Yes (CVE-2025-53773 is SaaS live-patchable; CVE-2026-30615 is IDE-update live-patchable) |
158
158
  | Agent-based composite | ATLAS subset (AML.T0010, AML.T0051, AML.T0096) + MCP-class CVEs | Yes | Yes | Yes | Yes |
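Review bot: the Diamond Model row on the `+` line at 155 now reads "AI-developed capabilities AI-assisted attack development is current operational reality" with no separator between the two clauses; suggest "(campaigns increasingly use AI-developed capabilities; AI-assisted attack development is current operational reality)" so the cell parses as two statements.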
@@ -169,7 +169,7 @@ Every threat-modelling exercise must explicitly thread three foundational princi
169
169
  - **Least privilege.** Every actor in the model — human, service, AI agent, MCP plugin, RAG retriever, tool-call target — must be documented with a trust boundary and a minimum-scope authorisation statement. The model surfaces excess privilege as a finding, not as an implicit assumption.
170
170
  - **Zero trust.** Trust boundaries are explicit. Every boundary crossing requires verification (mutual auth, signed input, capability-scoped token, prompt-injection-resistant context boundary). The model must answer, for each boundary, *what is verified and how* — not "the network is internal".
171
171
 
172
- For ephemeral / serverless / AI-pipeline contexts (Hard Rule AGENTS.md #9), classical STRIDE-per-element applies poorly: there is no persistent attack surface to decompose. Use the modified procedure: model the *invocation lifecycle* (cold-start → execution → state externalisation → teardown) as the unit of analysis, attach trust boundaries to invocation-context inputs (event payload, IAM-scoped role, retrieved secrets, AI model context window), and treat the absence of persistent state as a control to be verified, not assumed.
172
+ For ephemeral / serverless / AI-pipeline contexts, classical STRIDE-per-element applies poorly: there is no persistent attack surface to decompose. Use the modified procedure: model the *invocation lifecycle* (cold-start → execution → state externalisation → teardown) as the unit of analysis, attach trust boundaries to invocation-context inputs (event payload, IAM-scoped role, retrieved secrets, AI model context window), and treat the absence of persistent state as a control to be verified, not assumed.
173
173
 
174
174
  ### Step 1 — Scope the system and inventory actors (including AI agents)
175
175
 
@@ -178,7 +178,7 @@ List every actor with a trust boundary and an authorisation scope:
178
178
  - Human actors (end users, operators, developers, admins, contractors).
179
179
  - Service actors (microservices, batch jobs, cron tasks, queues).
180
180
  - External-system actors (third-party APIs, identity providers, SaaS).
181
- - **AI actors** — AI coding assistants, MCP servers, LLM endpoints, agent runtimes, autonomous workflows. Per AGENTS.md every AI actor is named, with trust boundary, with minimum-scope authorisation, with an explicit answer to "what does this agent decide on its own and what does it escalate?"
181
+ - **AI actors** — AI coding assistants, MCP servers, LLM endpoints, agent runtimes, autonomous workflows. Every AI actor is named, with trust boundary, with minimum-scope authorisation, with an explicit answer to "what does this agent decide on its own and what does it escalate?"
182
182
  - Data actors — vector embedding stores, RAG corpora, training data manifests, model weight artefacts. Treated as crown-jewel data even when they appear as "metadata" elsewhere.
183
183
 
184
184
  ### Step 2 — Choose methodology or methodology mix
@@ -220,7 +220,7 @@ For each technical threat, attach the relevant CWE class from `data/cwe-catalog.
220
220
 
221
221
  ### Step 7 — Score known CVEs per RWEP
222
222
 
223
- For each threat that maps to a known CVE in `data/cve-catalog.json`, score per RWEP (`lib/scoring.js`) — not CVSS alone (Hard Rule AGENTS.md #3, DR-2). RWEP outputs feed prioritisation in step 8.
223
+ For each threat that maps to a known CVE in `data/cve-catalog.json`, score per RWEP (`lib/scoring.js`) — not CVSS alone (CVSS-only risk scoring is prohibited; report CVSS alongside RWEP, never alone). RWEP outputs feed prioritisation in step 8.
224
224
 
225
225
  ### Step 8 — Produce mitigations (hand off to defensive-countermeasure-mapping)
226
226
 
@@ -232,7 +232,7 @@ The output of this skill feeds `threat-model-currency` as the model under test.
232
232
 
233
233
  ### Step 10 — Re-run on cadence
234
234
 
235
- Per Hard Rule AGENTS.md #12 (external data version pinning): when ATLAS, ATT&CK, NIST 800-218 SSDF, ISO/IEC 42001, or any data-dep version pin advances, re-run the model. Currency triggers also include: any new CVE in scope (`data/cve-catalog.json` change), any new zero-day lesson (`data/zeroday-lessons.json` change), any change to actor inventory (new agent, new MCP server, new RAG corpus).
235
+ Under the external-data version-pinning discipline: when ATLAS, ATT&CK, NIST 800-218 SSDF, ISO/IEC 42001, or any data-dep version pin advances, re-run the model. Currency triggers also include: any new CVE in scope (`data/cve-catalog.json` change), any new zero-day lesson (`data/zeroday-lessons.json` change), any change to actor inventory (new agent, new MCP server, new RAG corpus).
236
236
 
237
237
  ---
238
238
 
@@ -292,7 +292,7 @@ Apply each test. A "no" on any of (a)–(e) means the threat-model is paper.
292
292
 
293
293
  (d) **Right methodology for privacy.** "For your privacy threats, did you use STRIDE or LINDDUN?" STRIDE for privacy is the wrong methodology — InfoDisclose compresses seven LINDDUN categories into one. If the DPIA / RIPD / PIPIA referenced this model and it used STRIDE alone for privacy, the privacy assessment is theater.
294
294
 
295
- (e) **Cross-jurisdiction.** "Did your model include cross-jurisdiction threats — EU AI Act high-risk categorisation, NIS2 incident-reporting timelines, DORA ICT third-party register, UK CAF B4, AU ISM AI annex, IL INCD methodology, JP NISC, SG CCoP 2.0?" Hard Rule AGENTS.md #5: a model citing only US frameworks does not meet the bar.
295
+ (e) **Cross-jurisdiction.** "Did your model include cross-jurisdiction threats — EU AI Act high-risk categorisation, NIS2 incident-reporting timelines, DORA ICT third-party register, UK CAF B4, AU ISM AI annex, IL INCD methodology, JP NISC, SG CCoP 2.0?" Global-first, not US-centric: a model citing only US frameworks does not meet the bar.
296
296
 
297
297
  (f) **Methodology rationale.** "Why did you choose this methodology mix?" If the answer is "because that's what we always do" or "because STRIDE is the standard", the methodology choice was not reviewed. Document the rationale or it is theater.
298
298
 
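Review bot: Test (e) in the `+` line now has a fail condition but no pass condition: the question lists eight jurisdictions, the verdict only says a model "citing only US frameworks does not meet the bar", so a model citing EU frameworks alone would pass a test the hunk header says is yes/no ("a 'no' on any of (a)–(e) means the threat-model is paper"). Suggest stating what "yes" requires, for example that the model covers every jurisdiction the system is deployed or marketed in, so the test is decidable; "Global-first, not US-centric:" then works as a label for that criterion rather than standing in for it.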
@@ -305,7 +305,7 @@ Threat modelling produces an enumerated threat set; mitigations come from the `d
305
305
  - **Defense-in-depth layer position.** Each D3FEND mapping is annotated with its layer (network, host, identity, application, data, agent context). Threats that map to only one layer are flagged for additional layering.
306
306
  - **Least-privilege scope.** Each mapping is annotated with the principal whose privilege is being scoped (human user, service identity, agent, plugin). Mappings that do not narrow privilege are flagged as monitoring-only.
307
307
  - **Zero-trust posture.** Each mapping declares the verification primitive at the boundary it covers (mutual auth, signed input, prompt-injection-resistant context boundary, capability-scoped token).
308
- - **AI-pipeline applicability (Hard Rule AGENTS.md #9).** Each mapping declares whether it is architecturally feasible for serverless / containerised / AI-pipeline targets. Mappings that are infeasible are paired with an explicitly scoped alternative or marked "no compensating control available — accept residual or redesign".
308
+ - **AI-pipeline applicability.** Each mapping declares whether it is architecturally feasible for serverless / containerised / AI-pipeline targets. Mappings that are infeasible are paired with an explicitly scoped alternative or marked "no compensating control available — accept residual or redesign".
309
309
 
310
310
  For each threat enumerated in this skill's output, the receiving `defensive-countermeasure-mapping` invocation must produce at least one D3FEND ID at two distinct defense-in-depth layers (per "Defense in depth" in Analysis Procedure step 0). Threats with only one layer of D3FEND coverage are flagged as defense-shallow and routed back to design.
311
311
 
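Review bot: The marker string in the `+` line, "no compensating control available — accept residual or redesign", folds two different dispositions into one value, yet the paragraph that follows routes defense-shallow threats "back to design" specifically. If the routing is keyed on the marker, split it into two ("accept residual" and "redesign required") so the routing rule and any later audit of accepted residual risk can distinguish them; as one string, an accepted residual and a redesign queue item are indistinguishable in the output.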
@@ -316,7 +316,7 @@ For each threat enumerated in this skill's output, the receiving `defensive-coun
316
316
  - **`threat-model-currency`** — runs after this skill to score the produced model against 14 currency classes. The two skills are companion artefacts: methodology builds the model, currency keeps it fresh.
317
317
  - **`defensive-countermeasure-mapping`** — receives the threat enumeration from section 4 of Output Format and produces D3FEND mitigations. Mandatory hand-off for any shipped threat model.
318
318
  - **`researcher`** — dispatcher for "what skill addresses this specific threat I just enumerated?" Use when a threat in section 4 does not have an obvious skill home.
319
- - **`zeroday-gap-learn`** — receives any threat enumerated in section 4 that has no ATLAS or ATT&CK TTP attachment. New threats feed back into the learning loop per Hard Rule AGENTS.md #6.
319
+ - **`zeroday-gap-learn`** — receives any threat enumerated in section 4 that has no ATLAS or ATT&CK TTP attachment. New threats feed back into the zero-day learning loop.
320
320
  - **`framework-gap-analysis`** — receives any threat enumerated in section 4 that is not addressed by an existing framework control. The model exposes framework gaps as a natural by-product of cross-walk; framework-gap-analysis then runs the global EU+UK+AU+ISO+IL+JP+SG comparison.
321
321
  - **`ai-attack-surface`** — runs alongside this skill when the actor inventory includes any AI agent. Produces the AI-specific TTP set that feeds the threat enumeration.
322
322
  - **`mcp-agent-trust`** — runs alongside this skill when the actor inventory includes any MCP server or agent plugin. Produces the trust-boundary specification for MCP edges.
@@ -66,7 +66,7 @@ d3fend_refs:
66
66
  forward_watch:
67
67
  - NGINX Rift CVE-2026-42945 (disclosed 2026-05-13, source depthfirst) — KEV-watch predicted CISA KEV listing by 2026-05-29; AI-assisted discovery angle; track for active-exploitation confirmation and patch advisory affecting front-door web app deployments
68
68
  last_threat_review: "2026-05-11"
69
- discovery_mode: "standalone" # v0.13.2: operator-reached via `exceptd brief webapp-security` or `exceptd ask`; not chained into any playbook's direct.skill_chain by design
69
+ discovery_mode: "standalone" # operator-reached via `exceptd brief webapp-security` or `exceptd ask`; not chained into any playbook's direct.skill_chain by design
70
70
  ---
71
71
 
72
72
  # Web Application Security Assessment
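Review bot: The context lines in this hunk carry an inconsistency the change leaves in place: `forward_watch` cites NGINX Rift CVE-2026-42945 as disclosed 2026-05-13, while `last_threat_review` is "2026-05-11", two days before that disclosure. Either the watch entry was added without bumping the review date or the date is stale; bump `last_threat_review` whenever `forward_watch` gains an entry, and consider a frontmatter lint that rejects any `forward_watch` date later than `last_threat_review`. Dropping the `v0.13.2:` marker from the `discovery_mode` comment is the right call, since a release tag inside a comment goes stale on the next version.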
@@ -79,7 +79,7 @@ Webapps still ship CWE-79 (Cross-Site Scripting), CWE-89 (SQL Injection), and CW
79
79
 
80
80
  **Architectural reaction: server-rendered apps regained share.** Through 2023–2025 the SPA-everything trend pushed business logic, auth state, and access decisions into the client. With AI codegen now producing client-side TypeScript at industrial volume, the per-route client attack surface compounded — every route became a potential CWE-200 (Information Exposure) and CWE-862 (Missing Authorization) carrier because client-side checks are advisory, not authoritative. Mid-2026 architectures favour **server-rendered-by-default with interactive islands**: React Server Components, Next.js App Router, Remix, Phoenix LiveView, HTMX, Rails Hotwire. Auth lives on the server. State changes traverse server actions. SPAs survive where a true client-side data model exists (collaborative editing, offline-first), and they pay for it with explicit zero-trust auth on every endpoint.
81
81
 
82
- **Exploit acceleration is current operational reality, not a forecast.** Agentic exploitation frameworks emerging through 2025–2026 (PentestGPT lineage, autonomous-recon-and-exploit toolchains) compress the time from CVE disclosure to mass exploitation for known webapp weakness classes. The defender's working assumption must be: any CVE-2025/2026 RCE in a public webapp framework is being scanned for within hours of disclosure, not days (per DR-5: AI acceleration is current operational reality).
82
+ **Exploit acceleration is current operational reality, not a forecast.** Agentic exploitation frameworks emerging through 2025–2026 (PentestGPT lineage, autonomous-recon-and-exploit toolchains) compress the time from CVE disclosure to mass exploitation for known webapp weakness classes. The defender's working assumption must be: any CVE-2025/2026 RCE in a public webapp framework is being scanned for within hours of disclosure, not days (AI acceleration is current operational reality).
83
83
 
84
84
  **Transport is no longer a choice.** RFC 8446 (TLS 1.3) is baseline; RFC 9114 (HTTP/3 over QUIC) is the production transport for any public webapp serving a global audience. Skills citing TLS 1.2 as adequate in 2026 are citing a deprecated threat model. JWT-based session tokens must be issued and validated per RFC 7519 with RFC 8725 (JWT BCP) — the BCP is non-optional because the original RFC 7519 threat model under-specified algorithm pinning, audience checks, and key confusion.
85
85
 
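Review bot: In the `+` line the closing parenthetical "(AI acceleration is current operational reality)" now restates the paragraph's bold lead, "Exploit acceleration is current operational reality, not a forecast.", almost word for word; the DR-5 pointer it replaced was the only thing that justified the parenthesis. Drop it, or replace it with the evidence behind "within hours of disclosure, not days" (the observed disclosure-to-scanning window and its source) so the working assumption is supported once rather than asserted twice.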
@@ -171,9 +171,9 @@ The procedure threads three foundational design principles end-to-end. They are
171
171
  ### The 10-step assessment
172
172
 
173
173
  1. **Inventory routes + auth requirements + data sensitivity.** Enumerate every HTTP route (or GraphQL operation, gRPC method). For each: required role, request schema, response schema, data classification, AI-codegen provenance flag (was this handler suggested by an assistant?).
174
- 2. **Map each route to CWE-Top-25-class risk.** Score by CWE class × data sensitivity × external reachability. Apply the RWEP model — CVSS alone fails per AGENTS.md Hard Rule #3.
174
+ 2. **Map each route to CWE-Top-25-class risk.** Score by CWE class × data sensitivity × external reachability. Apply the RWEP model — CVSS alone fails as a prioritization signal; report CVSS alongside RWEP, never alone.
175
175
  3. **Audit AI-generated code separately from human-written code.** Require commit-time provenance markers (git trailer, commit-message tag, or co-author metadata) identifying AI-assisted commits. Re-review AI-suggested handlers on every AI-codegen-CVE wave (e.g. CVE-2025-53773, CVSS 7.8 / AV:L — re-review every Copilot agent-mode-generated handler in the affected window, with priority on those that read external content into the agent context). If provenance is not captured, the org cannot answer "what code do we need to re-review?" — this is a compliance-theater indicator.
176
- 4. **SAST + DAST coverage measurement.** Report: % of routes covered by SAST sinks, % covered by DAST in staging, findings-to-fix ratio over trailing 90 days. A SAST programme that finds and does not fix is theater (AGENTS.md DR-1 / Hard Rule #8).
176
+ 4. **SAST + DAST coverage measurement.** Report: % of routes covered by SAST sinks, % covered by DAST in staging, findings-to-fix ratio over trailing 90 days. A SAST programme that finds and does not fix is theater (control existence requires an operational fix SLA, not just tooling).
177
177
  5. **IAST in staging.** Instrumented runtime testing covers what SAST cannot (intent-dependent authorisation, runtime config). Required for any app handling regulated data (PII, PCI, PHI).
178
178
  6. **Fuzz parser surfaces.** Hand off to `fuzz-testing-strategy` for any parser, deserialiser, or media-handler reachable from a public route. Fuzz corpus seeded from production traffic samples (sanitised).
179
179
  7. **Server-rendered-by-default decision.** Justify any SPA-only route against the AI-codegen blast radius. SPAs allowed where a true client-side data model exists; not allowed by default for CRUD with auth checks.
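Review bot: Spelling in the step-2 `+` line: "prioritization" is US spelling while the surrounding steps use British forms ("authorisation", "deserialiser", "sanitised"); use "prioritisation". In the step-4 `+` line, "control existence requires an operational fix SLA" would be decidable if the SLA were expressed as a figure the report must carry per severity, since the step already fixes a trailing-90-day window for the findings-to-fix ratio and that ratio is the only number that makes the theater verdict checkable.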
@@ -248,19 +248,19 @@ The skill produces a Web Application Security Assessment covering OWASP ASVS-map
248
248
 
249
249
  Each test below distinguishes paper compliance from real posture. A "no" answer to any of (a)–(d) means the corresponding control claim is theater.
250
250
 
251
- **(a) SAST findings-to-fix ratio.** "Show me the most recent SAST report for this codebase. What was the findings-to-fix ratio over the last 90 days?" If SAST runs but findings sit in a backlog with no SLA — or if the team's first response is "we have a SAST tool" without producing the ratio — the SAST control is theater (AGENTS.md DR-1).
251
+ **(a) SAST findings-to-fix ratio.** "Show me the most recent SAST report for this codebase. What was the findings-to-fix ratio over the last 90 days?" If SAST runs but findings sit in a backlog with no SLA — or if the team's first response is "we have a SAST tool" without producing the ratio — the SAST control is theater (a control exists only when it has an operational SLA, not when the tool is merely owned).
252
252
 
253
253
  **(b) Auth-failure test coverage.** "What percentage of routes have unit or integration tests that assert auth failure modes — 401 when unauthenticated, 403 when authenticated as a non-authorised role, 404-or-403 (depending on policy) when the resource exists but the caller has no access?" If the answer is qualitative ("we test auth") rather than a number, the auth-control claim is paper (CWE-862 / CWE-863 / CWE-1188 are not tested into existence by the framework alone).
254
254
 
255
255
  **(c) AI-codegen provenance.** "Is AI-generated code marked at commit time — git trailer, commit message tag, or co-author metadata — so it can be re-reviewed at the next AI-codegen-CVE wave?" If there is no provenance signal, the org cannot answer "what code do we need to re-review when the next CVE-2025-53773-class issue lands?" — and the re-review claim is theater.
256
256
 
257
- **(d) Bug-bounty time-to-fix for Critical.** "For your last 10 bug-bounty payouts (or your last 10 internal security findings classified Critical), what was the time-to-fix? Provide the dates." If the median time-to-fix for Critical exceeds 30 days, the vulnerability-management claim is theater regardless of what the policy document says. For Critical RCE in an AI-codegen reintroduction class (CWE-89, CWE-78, CWE-502, CWE-918), the operational target should be measured in hours-to-days, not weeks (AGENTS.md DR-3 — control existence requires operational SLA, not policy language).
257
+ **(d) Bug-bounty time-to-fix for Critical.** "For your last 10 bug-bounty payouts (or your last 10 internal security findings classified Critical), what was the time-to-fix? Provide the dates." If the median time-to-fix for Critical exceeds 30 days, the vulnerability-management claim is theater regardless of what the policy document says. For Critical RCE in an AI-codegen reintroduction class (CWE-89, CWE-78, CWE-502, CWE-918), the operational target should be measured in hours-to-days, not weeks (control existence requires an operational SLA, not policy language).
258
258
 
259
259
  ---
260
260
 
261
261
  ## Defensive Countermeasure Mapping
262
262
 
263
- Each D3FEND technique below maps an offensive finding from the assessment to a defensive control, with explicit defense-in-depth layer position, least-privilege scope, zero-trust posture, and AI-pipeline applicability per AGENTS.md Hard Rule #9.
263
+ Each D3FEND technique below maps an offensive finding from the assessment to a defensive control, with explicit defense-in-depth layer position, least-privilege scope, zero-trust posture, and AI-pipeline applicability.
264
264
 
265
265
  | D3FEND ID | Technique | Layer (defense in depth) | Least-Privilege Scope | Zero-Trust Posture | AI-Pipeline Applicability |
266
266
  |---|---|--------------------------|-----------------------|--------------------|---------------------------|
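Review bot: Tests (a) and (d) in this hunk now end with near-duplicate parentheticals, "(a control exists only when it has an operational SLA, not when the tool is merely owned)" and "(control existence requires an operational SLA, not policy language)", both stand-ins for the same removed DR reference. State the principle once in the intro sentence ("Each test below distinguishes paper compliance from real posture.") and drop both, or keep only (d)'s, which is where the concrete threshold (30-day median for Critical) actually appears. The D3FEND intro `+` line reads cleanly.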
@@ -24,7 +24,7 @@ forward_watch:
24
24
  - Framework updates that close previously open gaps
25
25
  - Vendor advisories for MCP/AI tool supply chain CVEs
26
26
  last_threat_review: "2026-05-18"
27
- discovery_mode: "standalone" # v0.13.2: operator-reached via `exceptd brief zeroday-gap-learn` or `exceptd ask`; not chained into any playbook's direct.skill_chain by design
27
+ discovery_mode: "standalone" # operator-reached via `exceptd brief zeroday-gap-learn` or `exceptd ask`; not chained into any playbook's direct.skill_chain by design
28
28
  ---
29
29
 
30
30
  # Zero-Day Learning Loop
@@ -45,7 +45,7 @@ The `atlas_refs`, `attack_refs`, and `framework_gaps` arrays are intentionally e
45
45
 
46
46
  The zero-day learning cycle has compressed. The frameworks have not.
47
47
 
48
- - **41% of 2025 zero-days were discovered by attackers using AI-assisted reverse engineering** (AGENTS.md DR-5 / GTIG 2025). Copy Fail (CVE-2026-31431) was AI-found in approximately one hour; Fragnesia (CVE-2026-46300, 2026-05-13) is the canonical 2026 anchor case — Zellic's agentic code-auditing tool surfaced an 18-year-old Linux kernel page-cache primitive in load-bearing OSS. The first documented AI-built in-the-wild zero-day surfaced 2026-05-11 (GTIG AI 2FA-bypass case). The exceptd catalog's 2026 AI-discovery rate now stands at 40% (4/10), tracking the GTIG reference. The historical learning rhythm — researcher disclosure → industry analysis → framework update cycle measured in quarters or years — is incompatible with AI-discovery cadence measured in weeks. CTID Secure AI v2 (2026-05-06) replaces v1 as the alignment target for the learning-loop outputs.
48
+ - **41% of 2025 zero-days were discovered by attackers using AI-assisted reverse engineering** (GTIG 2025). Copy Fail (CVE-2026-31431) was AI-found in approximately one hour; Fragnesia (CVE-2026-46300, 2026-05-13) is the canonical 2026 anchor case — Zellic's agentic code-auditing tool surfaced an 18-year-old Linux kernel page-cache primitive in load-bearing OSS. The first documented AI-built in-the-wild zero-day surfaced 2026-05-11 (GTIG AI 2FA-bypass case). The exceptd catalog's 2026 AI-discovery rate now stands at 40% (4/10), tracking the GTIG reference. The historical learning rhythm — researcher disclosure → industry analysis → framework update cycle measured in quarters or years — is incompatible with AI-discovery cadence measured in weeks. CTID Secure AI v2 (2026-05-06) replaces v1 as the alignment target for the learning-loop outputs.
49
49
  - **The compounding consequence**: when a zero-day is announced, the relevant question is no longer "when will the patch ship?" but "what control, if it had existed, would have stopped this, and how do we add that control to the next thousand systems before the AI-generated variant lands?" Without a running learning loop, every novel TTP becomes a one-off incident response rather than a control-system improvement.
50
50
  - **AI-acceleration also compresses variant generation.** A single disclosed primitive (Copy Fail's deterministic page-cache CoW; SesameOp's AI-API C2 channel) can be re-applied by AI tooling to adjacent code paths within days. Frameworks that only respond to specific CVE-IDs miss the class-level lesson entirely.
51
51
  - **Compliance frameworks do not include zero-day learning as a required control category.** The "learn from incidents" language in NIST CSF 2.0 IMPROVE and ISO 27001:2022 A.5.7 is process-only, no required artifact. An org can be fully compliant while patching every CVE and learning nothing.
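Review bot: The `+` line keeps the hard-coded snapshot "The exceptd catalog's 2026 AI-discovery rate now stands at 40% (4/10)", which goes stale every time `data/cve-catalog.json` gains an entry, and nothing in the line dates the figure. Either date the snapshot ("as of <date>, n/N") or derive the ratio from the catalog at build time. The 41% statistic remains attributed to GTIG 2025, but the Copy Fail "approximately one hour" and the 2026-05-11 GTIG 2FA-bypass claims carry no source of their own; since this bullet is the evidentiary basis for the whole skill, each claim should cite where it comes from.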
@@ -78,7 +78,7 @@ This skill is meta — it does not pin to a single TTP class. The learning loop
78
78
 
79
79
  | Input Catalog | Role in the Learning Loop |
80
80
  |---|---|
81
- | `data/cve-catalog.json` | The CVE-level corpus: each entry is a candidate lesson input. New entries trigger a new loop run per AGENTS.md DR-8. |
81
+ | `data/cve-catalog.json` | The CVE-level corpus: each entry is a candidate lesson input. New entries trigger a new loop run. |
82
82
  | `data/atlas-ttps.json` (MITRE ATLAS v5.6.0) | The AI/ML TTP taxonomy. Attack-vector extraction maps the CVE's mechanism to an ATLAS ID (e.g., AML.T0096 for SesameOp AI-as-C2). |
83
83
  | `data/framework-control-gaps.json` | The control-gap corpus. Framework-coverage assessment writes into this file via new entries or `status` updates. |
84
84
  | `data/zeroday-lessons.json` | The output corpus. Each completed loop produces one entry here — the durable artifact of the lesson. |
@@ -102,7 +102,7 @@ Status of the learning-loop entry for each CVE currently in `data/cve-catalog.js
102
102
  | MAL-2026-3083 (Elementary-Data PyPI worm — forged release via GitHub Actions script-injection) | No (OSSF Malicious Packages dataset; CISA KEV catalogues vendor CVEs only) | Yes (orphan commit + exfil domain confirmed in-wild during 8h window) | No (manual chain) | n/a | Pre-run exemplar lesson encoded below; control requirements GHACTIONS-EVENT-INTERPOLATION-BAN, INSTALL-HOOK-AUDIT, OSSF-MALPACKAGES-INGEST generated |
103
103
  | CVE-2026-46300 (Fragnesia — Dirty Frag sequel) | No (candidate within days) | Yes (one-liner vs /usr/bin/su) | No (human-discovered by V12 security team) | 20 | Complete — pre-run lesson encoded below; control requirements PAGE-CACHE-INTEGRITY-VERIFICATION, BUG-FAMILY-MITIGATION-PERSISTENCE, SCANNER-PAPER-COMPLIANCE-TEST generated. Pattern: a patch for one bug class introduced a sibling bug in the same primitive class. |
104
104
 
105
- Per AGENTS.md DR-8: every new entry added to `data/cve-catalog.json` must produce a corresponding entry here and in `data/zeroday-lessons.json` before the catalog change ships. Any CVE in the catalog without a complete lesson entry is a pre-ship-checklist failure.
105
+ Every new entry added to `data/cve-catalog.json` must produce a corresponding entry here and in `data/zeroday-lessons.json` before the catalog change ships. Any CVE in the catalog without a complete lesson entry is a pre-ship-checklist failure.
106
106
 
107
107
  ---
108
108
 
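Review bot: The `+` line states an invariant that is mechanically checkable (every identifier in `data/cve-catalog.json` has a row in this table and an entry in `data/zeroday-lessons.json`) but, with the checklist reference removed, "pre-ship-checklist failure" no longer says where the check runs. Name the enforcement point (CI job or release script that diffs the identifier sets and fails on any difference); otherwise the sentence is policy language without an artifact, which is the "process-only, no required artifact" failure this skill criticises two hunks earlier.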
@@ -301,7 +301,7 @@ Output: Lesson entry for data/zeroday-lessons.json
301
301
  **What control should have prevented this:**
302
302
  - Workflow-privilege isolation: `pull_request_target` should never run fork-PR code with base-repo permissions in the same job as cache writes. The chain is broken if the bundle-size workflow runs with `permissions: contents: read` and writes to a separate cache key.
303
303
  - Cache integrity: `actions/cache` keyed by `hashFiles('**/pnpm-lock.yaml')` is attacker-influenceable when the same key is restored by a privileged downstream workflow. Restore-only-on-verified-publisher caches or per-job cache namespacing breaks the link.
304
- - OIDC token scoping: the publish job's `id-token: write` should be bound to a job that does *not* restore externally-influenced caches. Token scope minimisation per AGENTS.md DR-1 (no orphaned-privilege workflows).
304
+ - OIDC token scoping: the publish job's `id-token: write` should be bound to a job that does *not* restore externally-influenced caches. Token scope minimisation (no orphaned-privilege workflows).
305
305
 
306
306
  **New control requirements generated:**
307
307
 
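Review bot: The `+` line's last sentence, "Token scope minimisation (no orphaned-privilege workflows).", is now a noun phrase with no verb; the removed citation was carrying the sentence. Suggest "Minimise the token's scope so that no workflow holds a privilege it does not use." While here, the first bullet's `permissions: contents: read` is a nested YAML mapping flattened onto one line; writing it as `permissions: { contents: read }` keeps it valid and unambiguous when copied.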
@@ -328,7 +328,7 @@ Output: Lesson entry for data/zeroday-lessons.json
328
328
 
329
329
  1. **GHACTIONS-EVENT-INTERPOLATION-BAN**: Static-analysis gate on every CI pipeline: reject any workflow that interpolates `${{ github.event.* }}` (or `github.head_ref`, `inputs.*` from untrusted sources) directly into `run:` shell. Required tooling: `zizmor` / `Octoscan` / `actionlint` with the script-injection rule enabled. Hard fail on PR merge.
330
330
  2. **INSTALL-HOOK-AUDIT**: Pre-install scan of every wheel / sdist for install-time hooks (`.pth` files, `setup.py` execution, `pyproject.toml` build hooks). Any package adding a `.pth` file that imports network code at module-load time gets quarantined for review. Tooling: `pip-audit` plus a custom `.pth`-file diff rule.
331
- 3. **OSSF-MALPACKAGES-INGEST**: Subscribe to the OSSF Malicious Packages OSV feed with sub-hour latency and apply it as a hard-block at the dependency resolver. Any organisation whose dependency pipeline is anchored to NVD CVE feeds alone misses MAL-2026-3083 entirely — there is no CVE ID, just an OSSF / Snyk / kam193 advisory. This control closes the AGENTS.md DR-1 (no stale threat intel) loop for the OSV-native malicious-package class.
331
+ 3. **OSSF-MALPACKAGES-INGEST**: Subscribe to the OSSF Malicious Packages OSV feed with sub-hour latency and apply it as a hard-block at the dependency resolver. Any organisation whose dependency pipeline is anchored to NVD CVE feeds alone misses MAL-2026-3083 entirely — there is no CVE ID, just an OSSF / Snyk / kam193 advisory. This control closes the no-stale-threat-intel loop for the OSV-native malicious-package class.
332
332
 
333
333
  **Exposure scoring:**
334
334
  - Anyone who `pip install`-ed `elementary-data` between 2026-04-24 22:20Z and 2026-04-25 ~06:30Z inside a dbt analytics pipeline (or any virtualenv where `elementary-data==0.23.3` resolved) was hit. The install-hook fires at the *next* import in the affected venv, which can be hours-to-days after the install.
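Review bot: The `+` line makes the OSV malicious-package feed a hard-block at the dependency resolver with a sub-hour latency target but does not say what the resolver does when the feed is unreachable or older than that target. A "no stale threat intel" control needs a stated fail-closed or fail-open decision and an alert on feed age; without it, a feed outage silently degrades the block to nothing and the control looks present while doing no work. Suggest adding the staleness threshold and the resolver's behaviour at that threshold to the requirement text.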
@@ -441,7 +441,7 @@ Run this check against any organization claiming a mature vulnerability-manageme
441
441
 
442
442
  > "Pull the org's vulnerability-management runbook for the most recent five CISA-KEV-listed zero-days. For each: was the CVE patched? Almost certainly yes. Now ask the harder question: for each, where is the artifact that says (a) what attack vector this zero-day used, (b) what control would have caught it pre-patch, (c) which framework control was responsible for that detection/prevention, (d) was that framework control adequate, and (e) what new internal control requirement, if any, was created? If the answer is `we patched it, ticket closed` with no artifact, the program is patching CVEs and learning nothing. The next AI-generated variant of the same primitive will land against the same unchanged control surface. That is compliance theater for the threat-intel function — process compliance (A.5.7) with zero learning-loop output."
443
443
 
444
- > "Open `data/zeroday-lessons.json` (or the org's equivalent). Count the entries. Compare to the count of CVEs the org actually responded to in the same period. If the lesson-entry count is < CVE-response count, the loop is partial. Per AGENTS.md DR-8, partial is failure: every zero-day-in-scope must produce a lesson entry. The gap between CVEs-patched and lessons-learned is the size of the theater. The org's `Improve` function (NIST CSF 2.0) is not running."
444
+ > "Open `data/zeroday-lessons.json` (or the org's equivalent). Count the entries. Compare to the count of CVEs the org actually responded to in the same period. If the lesson-entry count is < CVE-response count, the loop is partial. Partial is failure: every zero-day-in-scope must produce a lesson entry. The gap between CVEs-patched and lessons-learned is the size of the theater. The org's `Improve` function (NIST CSF 2.0) is not running."
445
445
 
446
446
  > "Ask: in the last 12 months, has a single internal control requirement been created or modified as a result of a public zero-day the org was NOT directly hit by? If no, the org's threat-intelligence control (ISO A.5.7) is consumption-only — collecting feeds, not changing controls. Threat-intel without control-system change is library subscription, not security capability."
447
447
 
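Review bot: The quoted check in the `+` line compares lesson-entry count against "the count of CVEs the org actually responded to", but this skill's own status table includes MAL-2026-3083, which the hunk above notes has no CVE ID at all. Counting only CVEs excludes the OSV-native malicious-package class the skill singles out. Suggest "advisories in scope (CVE or OSSF MAL identifiers)" as the denominator so the partial-loop check cannot pass by ignoring non-CVE lessons.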
@@ -473,4 +473,4 @@ The learning loop's output is a new control requirement. The mapping below conve
473
473
 
474
474
  **Zero-trust posture:** a lesson entry closes only when the new control requirement is deployed and verified in production, not when the lesson is recorded. The Output Format's "Exposure Scoring" section must track lesson-deployment latency alongside lesson-creation latency — a lesson recorded but not deployed is the same operational state as no lesson at all.
475
475
 
476
- **AI-pipeline applicability (per AGENTS.md Hard Rule #9):** lessons targeting AML.T0010 (MCP / model-serving supply chain) must record AI-pipeline degradations explicitly. `D3-EAL` does not apply to serverless inference endpoints — the scoped alternative is `D3-CSPP` at the gateway plus signed-image attestation at the provider. `D3-FAPA` on ephemeral RAG indices degrades to per-query retrieval logging via `D3-IOPR` plus index-build provenance signed at construction. Lessons that omit these degradations propagate the framework-lag they were meant to close.
476
+ **AI-pipeline applicability:** lessons targeting AML.T0010 (MCP / model-serving supply chain) must record AI-pipeline degradations explicitly. `D3-EAL` does not apply to serverless inference endpoints — the scoped alternative is `D3-CSPP` at the gateway plus signed-image attestation at the provider. `D3-FAPA` on ephemeral RAG indices degrades to per-query retrieval logging via `D3-IOPR` plus index-build provenance signed at construction. Lessons that omit these degradations propagate the framework-lag they were meant to close.
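Review bot: In the `+` line the degradation for `D3-EAL` names `D3-CSPP` at the gateway but pairs it with "signed-image attestation at the provider" without a D3FEND ID, while every other alternative in the sentence carries one. Given the rule visible earlier in this diff that each threat needs at least one D3FEND ID at two distinct layers, the attestation leg should either name its technique ID or be explicitly marked as having no D3FEND mapping, so the two-layer check neither counts it by accident nor silently drops it. Minor: "framework-lag" is a noun here and reads better as "framework lag".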