@blamejs/exceptd-skills 0.15.0 → 0.15.2

package/skills/age-gates-child-safety/skill.md

@@ -59,7 +59,7 @@ forward_watch:
   - France SREN (Securing and Regulating the Digital Space) Act 2024 — ARCOM age-verification referential for adult content services; double-anonymity model under deployment
   - US state adult-site age-verification laws — 19+ states by mid-2026 (TX HB 18 upheld by SCOTUS June 2025 in Free Speech Coalition v. Paxton); track ongoing challenges in remaining states
 last_threat_review: "2026-05-11"
-discovery_mode: "standalone"  # v0.13.2: operator-reached via `exceptd brief age-gates-child-safety` or `exceptd ask`; not chained into any playbook's direct.skill_chain by design
+discovery_mode: "standalone"  # operator-reached via `exceptd brief age-gates-child-safety` or `exceptd ask`; not chained into any playbook's direct.skill_chain by design
 ---
 
 # Age Gates and Child Online Safety (mid-2026)
@@ -119,7 +119,7 @@ Classical security and privacy frameworks (NIST 800-53 r5, ISO/IEC 27001:2022, S
 | AI-vendor age policies (OpenAI 13+ w/ parental consent for under-18, Anthropic 18+ consumer / age-gated, Google Gemini 13+ w/ Workspace Edu carve-outs, Meta AI 18+, Character.ai 13+ then 17+ for chat post-2024 settlement) | Vendor terms-of-service age minimums | Self-declared | None of the major frontier AI vendors deploys verifiable age assurance at signup as of mid-2026. Terms-of-service are post-hoc liability shields, not technical controls. Character.ai litigation (FL wrongful-death suit 2024, additional complaints 2024-2025) is the leading-edge test of duty-of-care theory for AI companion services. |
 | NCMEC CyberTipline (18 U.S.C. §2258A) + EU CSAM Regulation (proposed) | CSAM reporting obligation for US electronic-service-providers; (proposed) EU detection / reporting obligation | US ESPs (mandatory); EU services (if Regulation adopted) | §2258A is a reporting obligation, not a detection obligation — but operational reality is that hash-matching (PhotoDNA, NCMEC hash, Apple NeuralHash family) is the de facto detection layer. AI-generated CSAM is criminal under existing US obscenity / child-pornography law and is reportable under §2258A as apparent CSAM. EU CSAM Regulation contested; if adopted, expands detection mandate. |
 
-**Cross-jurisdiction posture (per AGENTS.md rule #5).** Any age-gate / child-online-safety posture for a multi-jurisdiction operator must explicitly enumerate the regulator and primary instrument for: US (FTC for COPPA + AADC + KOSA-if-enacted; state AGs for state laws), EU (each Member State DPA + Commission for DSA + national audiovisual regulators for AVMSD), UK (ICO + Ofcom), AU (eSafety Commissioner + OAIC), IN (Data Protection Board, when operational, + MeitY for DPDP Rules), BR (ANPD), CN (CAC + MIIT for industry-specific obligations), SG (IMDA + PDPC), JP (PPC + per-prefecture authorities), KR (PIPC + KCC), CA / QC (CAI), and US-state (CA AG + NY AG plus comparable). ISO/IEC 27001:2022 + IEEE 2089-2021 + (when published) ISO/IEC 27566 + NIST IR on age assurance form the technical-reference layer. US-only (COPPA + state laws) is incomplete for any multinational service likely-accessed-by-children.
+**Cross-jurisdiction posture (global-first, not US-centric).** Any age-gate / child-online-safety posture for a multi-jurisdiction operator must explicitly enumerate the regulator and primary instrument for: US (FTC for COPPA + AADC + KOSA-if-enacted; state AGs for state laws), EU (each Member State DPA + Commission for DSA + national audiovisual regulators for AVMSD), UK (ICO + Ofcom), AU (eSafety Commissioner + OAIC), IN (Data Protection Board, when operational, + MeitY for DPDP Rules), BR (ANPD), CN (CAC + MIIT for industry-specific obligations), SG (IMDA + PDPC), JP (PPC + per-prefecture authorities), KR (PIPC + KCC), CA / QC (CAI), and US-state (CA AG + NY AG plus comparable). ISO/IEC 27001:2022 + IEEE 2089-2021 + (when published) ISO/IEC 27566 + NIST IR on age assurance form the technical-reference layer. US-only (COPPA + state laws) is incomplete for any multinational service likely-accessed-by-children.
 
 ---
 
@@ -134,7 +134,7 @@ This skill is primarily a compliance + privacy-engineering skill rather than a t
 | AI-generated CSAM creation / distribution | Not catalogued in ATLAS or ATT&CK as of v5.6.0 | Generative-AI image / video synthesis depicting children | Direct criminal exposure under 18 U.S.C. §§2251, 2252, 2252A, 2256 (Protect Act / Mash-Up Act framework); mandatory NCMEC reporting per §2258A. Multiple 2024-2025 prosecutions (US v. Anderegg WD-Wis 2024 — first federal AI-CSAM prosecution; UK National Crime Agency campaign 2024-2025). | No formal TTP class. Evidence stream: NCMEC CyberTipline reports + EU IWF reports. Hand off to `ai-attack-surface` for generative-model content-policy red-team and to `incident-response-playbook` for reporting workflow. |
 | AI chatbot grooming / harmful-content engagement with children | Not catalogued | Long-context AI chatbot interactions with children steering toward harm | Research and litigation evidence: Character.ai litigation 2024 (FL wrongful-death suit alleging companion-chatbot contribution to minor suicide; additional 2024-2025 complaints); UK NCA campaign 2024 documenting grooming attempts via AI chatbots; ESRC / RAND research 2024-2025. | No formal TTP class. EU DSA Art. 28 + UK OSA + AU OSA + KOSA-if-enacted all frame this as a platform duty-of-care obligation. Hand off to `ai-risk-management` for AI-product age policy enforcement. |
 
-**Honest scope statement (per AGENTS.md rule #10).** This skill does not invent TTP IDs to fill gaps in the ATLAS or ATT&CK matrices. AI-generated CSAM and AI-chatbot-mediated harm to children are real-world threat classes documented through prosecution records, NCMEC / IWF reporting, and litigation — not novel ATLAS techniques. Citation is to the evidence stream, not to a TTP ID.
+**Honest scope statement (no fabricated TTP IDs).** This skill does not invent TTP IDs to fill gaps in the ATLAS or ATT&CK matrices. AI-generated CSAM and AI-chatbot-mediated harm to children are real-world threat classes documented through prosecution records, NCMEC / IWF reporting, and litigation — not novel ATLAS techniques. Citation is to the evidence stream, not to a TTP ID.
 
 ---
 
@@ -163,7 +163,7 @@ For this skill, "exploit availability" maps to "what child-exposure violations h
 
 ## Analysis Procedure
 
-The procedure threads the three foundational design principles required by AGENTS.md skill-format spec — defense in depth, least privilege, zero trust — through every step before stepping through the audit.
+The procedure threads the three foundational design principles — defense in depth, least privilege, zero trust — through every step before stepping through the audit.
 
 ### Principle 1 — Defense in depth
 
@@ -281,7 +281,7 @@ Apply the tests in the Compliance Theater Check section below.
 
 **Step 12 — Cross-jurisdiction output reconciliation.**
 
-Produce a single per-control mapping across all in-scope jurisdictions; disparate findings for the same control deficiency across jurisdictions are themselves a finding (DR-4).
+Produce a single per-control mapping across all in-scope jurisdictions; disparate findings for the same control deficiency across jurisdictions are themselves a finding (reconcile to one consolidated per-control row).
 
 ---
 
@@ -420,9 +420,9 @@ Ask: "Under COPPA, AADC, DSA Art. 28(2), and ANPD 2024 Guide, behavioural advert
 
 ## Defensive Countermeasure Mapping
 
-Per AGENTS.md optional 8th section (required for skills shipped on or after 2026-05-11). Maps the offensive findings of this skill to MITRE D3FEND v1.3.0+ countermeasure references from `data/d3fend-catalog.json`, with explicit defense-in-depth layer position, least-privilege scope, zero-trust posture, and AI-pipeline applicability per Hard Rule #9.
+Maps the offensive findings of this skill to MITRE D3FEND v1.3.0+ countermeasure references from `data/d3fend-catalog.json`, with explicit defense-in-depth layer position, least-privilege scope, zero-trust posture, and AI-pipeline applicability (controls that are architecturally impossible in serverless / ephemeral / AI-pipeline contexts must name an explicit scoped alternative).
 
-| D3FEND ID | Technique | Child-Safeguarding Layer Position | Least-Privilege Scope | Zero-Trust Posture | AI-Pipeline Applicability (Hard Rule #9) |
+| D3FEND ID | Technique | Child-Safeguarding Layer Position | Least-Privilege Scope | Zero-Trust Posture | AI-Pipeline Applicability |
 |---|---|---|---|---|---|
 | D3-MFA | Multi-Factor Authentication | Verifiable Parental Consent (VPC) flow as multi-channel verification — government-ID + photo-match, credit-card + transaction, knowledge-based + return-channel, video-conference, signed-form + return; child-account MFA at signup and on high-risk actions (purchase, friend-request, location-share, livestream initiate); parental-tool access bound to a separate parental identity with its own MFA. | Per-cohort × per-feature: parental identity distinct from child identity; school-tenant teacher identity distinct from child-student identity; AI-companion feature gated to over-18 cohort or to parental-approved over-13 cohort. | Every cohort-sensitive action re-verifies; cohort attribute provisioned by the verifier with limited lifetime; cohort attribute revocable on parental-revocation. | VPC flow applies to AI products whose terms-of-service require under-18 parental approval; for ephemeral / serverless AI-product backends, the VPC verification point is the identity-provider gateway, not the ephemeral compute — never recommend host-agent-only VPC for ephemeral AI workloads. |
 | D3-IOPR | Input / Output Profiling | AI chatbot input / output profiling for child-online-safety content moderation including CSAM detection on generative-image output, grooming / sextortion / self-harm / eating-disorder conversation classifier on chat flow, and crisis-detection routing. | Per-cohort classifier sensitivity; under-13 strictest; 13-17 cohort-appropriate; over-18 standard; per-feature scope (companion-mode classifiers stricter than information-mode). | Default-deny on generative output until classifier verdict; conversation continuously profiled with classifier decision logged; vendor-side and operator-side classifier evidence both required (do not rely on vendor attestation alone). | Required for every AI feature reachable by children. For serverless / API-only AI integrations, the profiling point is the API-gateway sidecar layer, not the ephemeral inference compute. |

package/skills/ai-attack-surface/skill.md

@@ -325,7 +325,7 @@ D3FEND v1.3.0+ references from `data/d3fend-catalog.json`. The AI attack surface
 
 **Zero-trust posture:** every prompt is verified content-shape and origin-identity before downstream tool invocation; every RAG retrieval is clearance-checked at retrieval time (not just at index time); every MCP tool call has its args inspected at the gateway before reaching the tool. No "trusted prompt" exemption — AML.T0051 indirect prompt injection enters via documents and tool outputs, not just user prompts.
 
-**AI-pipeline applicability (per AGENTS.md Hard Rule #9):** `D3-EAL` is not applicable to serverless inference endpoints (no executable to allowlist on the consumer side). The scoped alternative is `D3-CSPP` at the gateway plus signed-image attestation at the provider — the model-serving container is the executable surface, and its provenance is the prerequisite. `D3-FAPA` on ephemeral RAG indices degrades to per-query retrieval logging (`D3-IOPR`) plus index-build provenance signed at construction.
+**AI-pipeline applicability:** `D3-EAL` is not applicable to serverless inference endpoints (no executable to allowlist on the consumer side). The scoped alternative is `D3-CSPP` at the gateway plus signed-image attestation at the provider — the model-serving container is the executable surface, and its provenance is the prerequisite. `D3-FAPA` on ephemeral RAG indices degrades to per-query retrieval logging (`D3-IOPR`) plus index-build provenance signed at construction.
 
 ---
 

package/skills/ai-c2-detection/skill.md

@@ -431,7 +431,7 @@ D3FEND v1.3.0+ references from `data/d3fend-catalog.json`. Maps the SesameOp / P
 
 **Zero-trust posture:** every prompt is logged and identity-bound regardless of source host trust level; `D3-CSPP` and `D3-IOPR` verify content shape on every call rather than sampling. The verification primitive at the gateway is entropy + identity + business-reason; at the SDK layer it is full prompt + identity + retention. No "trusted developer" exemption — PROMPTFLUX is delivered to developer workstations as readily as to production hosts.
 
-**AI-pipeline applicability (per AGENTS.md Hard Rule #9):** `D3-IOPR` is the only control that survives serverless / ephemeral runtimes; per-host `D3-NTA` and `D3-CA` cannot baseline a host whose lifetime is shorter than the correlation window. The scoped alternative for ephemeral workloads is workload-identity-bound `D3-IOPR` correlated by IAM role / service-account identity rather than by host — preserving the PROMPTFLUX cadence shape and PROMPTSTEAL credential-access correlation across short-lived function invocations.
+**AI-pipeline applicability:** `D3-IOPR` is the only control that survives serverless / ephemeral runtimes; per-host `D3-NTA` and `D3-CA` cannot baseline a host whose lifetime is shorter than the correlation window. The scoped alternative for ephemeral workloads is workload-identity-bound `D3-IOPR` correlated by IAM role / service-account identity rather than by host — preserving the PROMPTFLUX cadence shape and PROMPTSTEAL credential-access correlation across short-lived function invocations.
 
 ---
 
@@ -482,6 +482,6 @@ After producing the AI C2 detection assessment, the operator should chain into t
 - **`defensive-countermeasure-mapping`** — map AI C2 findings to D3FEND: D3-NTA / D3-NTPM (network traffic analysis plus policy mapping for AI provider egress, including the QUIC / HTTP/3 path called out in the RFC Transport Reality section), D3-IOPR (prompt-shape profiling per identity baseline), D3-CSPP (client-server payload profiling on prompt and completion bodies when TLS-inspected). The Layer 1–4 detection architecture maps directly to these counters.
 - **`mcp-agent-trust`** — AI-API-mediated C2 frequently routes through MCP tools whose privilege scope exceeds the documented business reason. When PROMPTSTEAL-pattern correlations surface (AI API call + credential-store access + large-egress), pivot into MCP trust assessment as a compensating control: tightening MCP tool allowlists and removing shell/process-execution-capable servers reduces the blast radius of the AI agent that the C2 is steering.
 - **`attack-surface-pentest`** — AI-API egress channels must be enumerated in attack-surface management and exercised in adversary-emulation engagements. Most pen-test scopes test for outbound DNS / generic HTTPS C2 and do not specifically exercise legitimate-AI-SaaS-as-C2. Without this, the SesameOp / PROMPTFLUX / PROMPTSTEAL signature shapes are detected only post-incident.
-- **`compliance-theater`** — test whether the org's SC-7 boundary-protection claim is satisfied by domain allowlisting alone. It is theater: see the SC-7 entry the project added in v0.3.0 of `data/framework-control-gaps.json`, which names the real requirement (identity-bound business-reason allowlist plus SDK-level prompt logging). Boundary inspection of an allowlisted AI provider domain cannot distinguish a developer prompt from a C2-encoded prompt.
+- **`compliance-theater`** — test whether the org's SC-7 boundary-protection claim is satisfied by domain allowlisting alone. It is theater: see the SC-7 boundary-protection entry in `data/framework-control-gaps.json`, which names the real requirement (identity-bound business-reason allowlist plus SDK-level prompt logging). Boundary inspection of an allowlisted AI provider domain cannot distinguish a developer prompt from a C2-encoded prompt.
 
-For ephemeral / serverless workloads (per AGENTS.md rule #9): per-host EDR-side correlation (Layer 2) is architecturally impossible when the host's lifetime is shorter than the correlation window. The scoped alternative is identity-bound prompt logging at the SDK layer combined with workload-identity correlation in the SIEM (e.g., correlate AI API calls by IAM role / service-account identity rather than by host), which preserves the SesameOp / PROMPTFLUX / PROMPTSTEAL signature shapes across short-lived function invocations.
+For ephemeral / serverless workloads: per-host EDR-side correlation (Layer 2) is architecturally impossible when the host's lifetime is shorter than the correlation window. The scoped alternative is identity-bound prompt logging at the SDK layer combined with workload-identity correlation in the SIEM (e.g., correlate AI API calls by IAM role / service-account identity rather than by host), which preserves the SesameOp / PROMPTFLUX / PROMPTSTEAL signature shapes across short-lived function invocations.

package/skills/ai-risk-management/skill.md

@@ -45,7 +45,7 @@ cwe_refs:
 d3fend_refs:
   - D3-IOPR
 last_threat_review: "2026-05-15"
-discovery_mode: "standalone"  # v0.13.2: operator-reached via `exceptd brief ai-risk-management` or `exceptd ask`; not chained into any playbook's direct.skill_chain by design
+discovery_mode: "standalone"  # operator-reached via `exceptd brief ai-risk-management` or `exceptd ask`; not chained into any playbook's direct.skill_chain by design
 ---
 
 # AI Risk Management (Governance Layer)
@@ -88,7 +88,7 @@ AI as adversary is now operational reality, not forecast: 41% of 2025 zero-days
 
 ## Framework Lag Declaration
 
-AI governance lag is global and asymmetric. Regulatory expectation outruns operational capability everywhere except Israel and (provisionally) the EU. Per Hard Rule AGENTS.md #5, the comparison spans EU, UK, AU, JP, IL, ID, and US-state (NYDFS) frameworks alongside ISO and NIST.
+AI governance lag is global and asymmetric. Regulatory expectation outruns operational capability everywhere except Israel and (provisionally) the EU. The comparison is global-first: it spans EU, UK, AU, JP, IL, ID, and US-state (NYDFS) frameworks alongside ISO and NIST.
 
 | Jurisdiction | Framework | Control / Article | What it misses for AI governance |
 |---|---|---|---|
@@ -128,7 +128,7 @@ Supporting weakness classes consumed from `data/cwe-catalog.json`:
 Defensive technique consumed from `data/d3fend-catalog.json`:
 - **D3-IOPR** (Input / Output Profiling) — the closest D3FEND-mapped defensive technique to "AI prompt / response governance". Governance does not implement D3-IOPR — it *commissions and audits* the implementation done by `defensive-countermeasure-mapping`.
 
-Threats with no TTP attachment are escalated to `zeroday-gap-learn` per Hard Rule AGENTS.md #6.
+Threats with no TTP attachment are escalated to `zeroday-gap-learn` (the zero-day learning loop, so no threat is left orphaned without a mapped technique).
 
 ---
 
@@ -163,7 +163,7 @@ Every AI risk-management exercise must explicitly thread three foundational desi
 - **Least privilege (per principal, per use case).** Every AI use case is scoped to the least data and least authority required. Agentic systems get the narrowest action set required, never the model's full tool-call surface. Every agent's service-account permissions are an explicit risk-treatment decision recorded in the register.
 - **Zero trust (AI vendors and internal AI tooling are untrusted suppliers).** AI vendor data-retention claims require contractual *and* technical verification (vendor-side audit log access, encryption-in-transit verification, zero-data-retention attestation tied to specific endpoints, not the vendor's marketing page). Internal AI tooling (Copilot, Cursor, Windsurf, Claude Code, agent runtimes, internal RAG) receives the same posture: traffic is logged, principals are authenticated, capabilities are scoped, trust boundaries are explicit.
 
-For ephemeral / serverless / AI-pipeline contexts (Hard Rule AGENTS.md #9), governance applies to the *use case*, not to the runtime — the AI inventory entry is per use case, the impact assessment is per use case, and the risk treatment is per use case, regardless of whether the underlying runtime is a long-lived server, a serverless function, or an ephemeral agent invocation.
+For ephemeral / serverless / AI-pipeline contexts, governance applies to the *use case*, not to the runtime — the AI inventory entry is per use case, the impact assessment is per use case, and the risk treatment is per use case, regardless of whether the underlying runtime is a long-lived server, a serverless function, or an ephemeral agent invocation.
 
 ### Step 1 — Build the AI inventory ledger
 
@@ -183,7 +183,7 @@ For each inventory row above the minimal-risk threshold, run the ISO/IEC 23894 c
 
 ### Step 4 — Log every risk-treatment decision
 
-The risk-treatment register is the artefact auditors and regulators ask for first. Every entry: risk identifier (linked to the ATLAS TTP and any relevant CVE in `data/cve-catalog.json`), treatment decision (accept / mitigate / transfer / avoid), owner, residual-risk justification (cross-walked to RWEP per `lib/scoring.js`, never CVSS alone — Hard Rule AGENTS.md #3), review cadence, last review date.
+The risk-treatment register is the artefact auditors and regulators ask for first. Every entry: risk identifier (linked to the ATLAS TTP and any relevant CVE in `data/cve-catalog.json`), treatment decision (accept / mitigate / transfer / avoid), owner, residual-risk justification (cross-walked to RWEP per `lib/scoring.js`, never CVSS alone), review cadence, last review date.
 
 Acceptance decisions require sign-off from the risk-accepting authority. Acceptance without sign-off is theatre (Compliance Theater Check (c) below).
 
@@ -215,7 +215,7 @@ Hand off to `identity-assurance`: every AI agent that takes action requires its
 
 The above steps are the operational inputs to the AIMS. Per ISO/IEC 42001 the management system also requires: AI policy, leadership commitment, roles/responsibilities, competence/training records, communication, documented information, operational planning, performance evaluation (internal audit, management review), improvement (corrective actions, continual improvement). The AIMS is the meta-artefact that contains all of the above as evidence.
 
-Re-run cadence: per Hard Rule AGENTS.md #12, when ATLAS, EU AI Act implementing measures, ISO/IEC 42001, ISO/IEC 23894, NIST AI RMF, or any data-dep version pin advances, re-run the affected layers. The minimum cadence is annual for the AIMS as a whole; quarterly for the risk-treatment register; per-use-case-change for inventory; per-incident for the incident playbook.
+Re-run cadence: when ATLAS, EU AI Act implementing measures, ISO/IEC 42001, ISO/IEC 23894, NIST AI RMF, or any data-dep version pin advances, re-run the affected layers. The minimum cadence is annual for the AIMS as a whole; quarterly for the risk-treatment register; per-use-case-change for inventory; per-incident for the incident playbook.
 
 ---
 
@@ -289,7 +289,7 @@ Apply each test. A "no" on any of (a)–(e) means the AI governance posture is p
 
 (e) **Show me your acceptance sign-off for the prompt-injection residual risk.** Per AML.T0051 and the bypass rates >85% against SOTA defences (per `ai-attack-surface`), every organisation deploying LLMs with tool-call capability is operating with non-trivial residual prompt-injection risk. That residual must be a *signed-off acceptance decision* by the risk-accepting authority — not a silent assumption that prompt-injection classifiers handle it. If the residual is not documented, the AIMS is missing its highest-priority risk treatment.
 
-(f) **Show me the framework-gap declaration for ISO/IEC 42001 in your AIMS.** Per Hard Rule AGENTS.md #2, the AIMS must explicitly declare what ISO/IEC 42001 controls are insufficient for current TTPs. If the AIMS implies that 42001 certification is adequate evidence of AI security posture, the framework-lag rule is breached. Hand-off to `framework-gap-analysis` is then required.
+(f) **Show me the framework-gap declaration for ISO/IEC 42001 in your AIMS.** The AIMS must explicitly declare what ISO/IEC 42001 controls are insufficient for current TTPs (framework lag is first-class). If the AIMS implies that 42001 certification is adequate evidence of AI security posture, the framework-lag rule is breached. Hand-off to `framework-gap-analysis` is then required.
 
 ---
 
@@ -301,7 +301,7 @@ For each governance finding produced by this skill that maps to a technical risk
 - **Defense-in-depth layer position** — the AIMS audits that every accepted residual has at least two defensive layers, or a signed acceptance for the shallow-defence position.
 - **Least-privilege scope** — the AIMS verifies that every AI principal's authorisation surface is the minimum required and is recorded in the risk-treatment register.
 - **Zero-trust posture** — the AIMS verifies that every boundary crossing in the AI inventory has a stated verification primitive.
-- **AI-pipeline applicability** (Hard Rule AGENTS.md #9) — the AIMS rejects governance recommendations that are architecturally infeasible for the runtime in question and requires an explicitly scoped alternative or an "accept residual or redesign" entry.
+- **AI-pipeline applicability** — the AIMS rejects governance recommendations that are architecturally infeasible for the runtime in question and requires an explicitly scoped alternative or an "accept residual or redesign" entry.
 
 Per the broader `defensive-countermeasure-mapping` cross-walk, the AIMS is the place where D3FEND coverage gaps are *owned*: a missing D3FEND layer is not a defect the technical team carries alone — it is a residual-risk entry the risk-accepting authority owns.
 
@@ -318,5 +318,5 @@ Per the broader `defensive-countermeasure-mapping` cross-walk, the AIMS is the p
 - **`coordinated-vuln-disclosure`** — AI vulnerability intake. The AIMS owns the policy; CVD owns the procedure. AI-specific vulnerabilities flow through CVD; the AIMS consumes the resulting evidence.
 - **`global-grc`** — cross-jurisdictional obligations. The AIMS produces a jurisdictional obligation summary (section 9 of Output Format); `global-grc` is the canonical comparator for the cross-jurisdiction matrix.
 - **`framework-gap-analysis`** — invoked when an AI use case is not adequately covered by ISO/IEC 42001 / 23894 / NIST AI RMF / EU AI Act. Runs the EU+UK+AU+ISO+IL+JP+ID+NYDFS comparison.
-- **`zeroday-gap-learn`** — receives any threat enumerated in the impact-assessment register that has no ATLAS or ATT&CK TTP attachment, per Hard Rule AGENTS.md #6.
+- **`zeroday-gap-learn`** — receives any threat enumerated in the impact-assessment register that has no ATLAS or ATT&CK TTP attachment, feeding the zero-day learning loop.
 - **`compliance-theater`** — runs the broader theatre detection against the AIMS as a whole when an audit cycle approaches.

package/skills/api-security/skill.md

@@ -193,7 +193,7 @@ Wire-level RFC mappings cited below resolve against `data/rfc-references.json` (
 - Origin validation at WebSocket upgrade handshake; CSRF tokens or sender-constrained tokens for any cookie-authenticated API.
 - Internal-network position grants nothing — SSRF assumes the attacker is already inside (per API7 / CWE-918).
 
-**Ephemeral / serverless caveat (per AGENTS.md Hard Rule #9):** session-level controls (in-process rate limiters, sticky-session anti-automation) are architecturally impossible. Replace with per-request stateless equivalents: short-TTL signed tokens (RFC 8725), gateway-enforced quotas in a distributed store (Redis-class), per-request workload identity, per-request egress allow-list. Do not require in-process state where the platform forbids it.
+**Ephemeral / serverless caveat:** session-level controls (in-process rate limiters, sticky-session anti-automation) are architecturally impossible. Replace with per-request stateless equivalents: short-TTL signed tokens (RFC 8725), gateway-enforced quotas in a distributed store (Redis-class), per-request workload identity, per-request egress allow-list. Do not require in-process state where the platform forbids it.
 
 ### The 10-step assessment
 
@@ -269,11 +269,11 @@ The skill produces an API Security Assessment covering REST / GraphQL / gRPC / W
 
 Each test below distinguishes paper compliance from real posture. A "no" or hand-waving answer to any of (a)–(d) means the corresponding control claim is theater.
 
-**(a) API inventory completeness.** "List every API in your environment — REST, GraphQL, gRPC, WebSocket, MCP — including every AI-API your services consume. Produce the list now from a system of record (gateway log, service mesh, secret inventory), not from memory." If the team cannot produce an inventory, or the inventory excludes AI-API consumption, **API9 Improper Inventory Management is the posture**, regardless of policy. Per AGENTS.md DR-1, "we have an API catalogue" without a current list is theater.
+**(a) API inventory completeness.** "List every API in your environment — REST, GraphQL, gRPC, WebSocket, MCP — including every AI-API your services consume. Produce the list now from a system of record (gateway log, service mesh, secret inventory), not from memory." If the team cannot produce an inventory, or the inventory excludes AI-API consumption, **API9 Improper Inventory Management is the posture**, regardless of policy. "We have an API catalogue" without a current list is theater — never treat a control as adequate when it cannot be demonstrated against a live inventory.
 
 **(b) BOLA test result.** "Show your BOLA test output for the last sprint. What percentage of object-ID-bearing routes have per-object authorisation asserted by an integration test or by a contract test (Burp Autorize, Schemathesis, equivalent)?" If the answer is "we have auth on every route" without per-resource scoping verification, the auth claim is BFLA-only at best and the API1 risk is unmanaged. Per CWE-863 / CWE-862 — these are not tested into existence by route-level guards.
 
-**(c) Rate-limit policy for AI-API consumption — denial-of-wallet exposure.** "For each AI-API your services consume (OpenAI, Anthropic, Gemini, Bedrock, Azure OpenAI, other), what is the per-user-per-day USD cost cap, where is it enforced, and when was it last tested by triggering it deliberately?" If there is no cost cap, or it has never been deliberately triggered, **denial-of-wallet exposure is open**. A leaked key over a weekend is a real budget event — not a theoretical one. Per AGENTS.md DR-3: control existence requires operational SLA, not policy language.
+**(c) Rate-limit policy for AI-API consumption — denial-of-wallet exposure.** "For each AI-API your services consume (OpenAI, Anthropic, Gemini, Bedrock, Azure OpenAI, other), what is the per-user-per-day USD cost cap, where is it enforced, and when was it last tested by triggering it deliberately?" If there is no cost cap, or it has never been deliberately triggered, **denial-of-wallet exposure is open**. A leaked key over a weekend is a real budget event — not a theoretical one. Control existence requires an operational SLA, not policy language.
 
 **(d) MCP transport policy.** "What is your MCP transport policy? Specifically: which MCP servers are sanctioned, what is the auth model on each, what is the per-tool token scope, what is on the egress allow-list, and how is anomalous MCP traffic surfaced to SIEM?" If the answer is "we just allow it through the proxy" or "we trust the agent to call only sanctioned tools," **MCP transport is unmanaged** and BOLA / SSRF on tool calls is the live risk. Hand off to `mcp-agent-trust` for the trust-model specifics; the API-security posture is the necessary precondition.
 
@@ -281,7 +281,7 @@ Each test below distinguishes paper compliance from real posture. A "no" or hand
 
 ## Defensive Countermeasure Mapping
 
-Each D3FEND technique below maps an offensive API-security finding to a defensive control, with explicit defense-in-depth layer position, least-privilege scope, zero-trust posture, and AI-pipeline applicability per AGENTS.md Hard Rule #9.
+Each D3FEND technique below maps an offensive API-security finding to a defensive control, with explicit defense-in-depth layer position, least-privilege scope, zero-trust posture, and AI-pipeline applicability (controls impossible in serverless / ephemeral contexts name an explicit scoped alternative).
 
 | D3FEND ID | Technique | Layer (defense in depth) | Least-Privilege Scope | Zero-Trust Posture | AI-Pipeline Applicability |
 |---|---|---|---|---|---|

package/skills/cloud-security/skill.md

@@ -89,7 +89,7 @@ Cloud is where AI runs. Every consequential AI service — OpenAI, Anthropic, Go
 
 **Cloud runtime security has shifted from agent-based to eBPF-based.** Falco (CNCF, primary upstream maintained by Sysdig) is the reference open-source eBPF-based runtime detector. Tetragon (Isovalent / now part of Cisco) is the Cilium-aligned alternative. Tracee (Aqua) is a third-party option. All major CWPP vendors (Sysdig, CrowdStrike, Microsoft Defender for Containers, Palo Alto Prisma Cloud Runtime, Wiz Runtime Sensor, Aqua) ship eBPF-based runtime detection as the default agent in 2026 because agent-in-container approaches do not scale to ephemeral workloads and confidential-computing modes. eBPF coverage of confidential-computing enclaves (AWS Nitro Enclaves, Azure Confidential VMs, GCP Confidential Space) is partial as of mid-2026 — the trade-off between confidentiality from the CSP and observability for the consumer is unresolved.
 
-**Cloud is the canonical ephemeral environment per AGENTS.md Hard Rule #9.** Lambda / Cloud Functions / Azure Functions / Cloud Run / ECS Fargate / AKS Pod / EKS Pod / Knative workloads have lifetimes measured in milliseconds to minutes. Patch-cycle-based controls are architecturally inapplicable; rebuild-on-change is the norm; runtime detection must record sufficient telemetry within the workload's lifetime to enable post-hoc analysis after the workload no longer exists. Compensating-control programmes built for long-lived VMs do not transfer; this is the opposite of the OT/ICS inversion documented in `ot-ics-security`. Every recommendation in this skill is scoped to the ephemeral reality of cloud-native workloads first, with the long-lived VM-and-managed-services case treated as a secondary applicability note.
+**Cloud is the canonical ephemeral environment.** Lambda / Cloud Functions / Azure Functions / Cloud Run / ECS Fargate / AKS Pod / EKS Pod / Knative workloads have lifetimes measured in milliseconds to minutes. Patch-cycle-based controls are architecturally inapplicable; rebuild-on-change is the norm; runtime detection must record sufficient telemetry within the workload's lifetime to enable post-hoc analysis after the workload no longer exists. Compensating-control programmes built for long-lived VMs do not transfer; this is the opposite of the OT/ICS inversion documented in `ot-ics-security`. Every recommendation in this skill is scoped to the ephemeral reality of cloud-native workloads first, with the long-lived VM-and-managed-services case treated as a secondary applicability note.
 
 ---
 
@@ -119,7 +119,7 @@ Cloud is where AI runs. Every consequential AI service — OpenAI, Anthropic, Go
 | CN Cybersecurity Review (CAC) + MLPS 2.0 | National security review for cross-border data and cloud services | CN cross-border cloud and CN-located CSP operations | Cybersecurity Review (Measures, July 2022) applies to CSPs handling >1m users' personal data planning overseas listing or significant data exports. MLPS 2.0 grading determines control baseline (Levels 1–5); Levels 3+ require government accreditation. The 2024 Network Data Security Management Regulations layer additional cross-border data obligations. |
 | NYDFS 23 NYCRR 500.11 + Amendment 2 | NY financial-services third-party service provider security policy | NY-regulated entities (banks, insurers, money services) | Section 500.11 requires third-party CSP risk assessment; Amendment 2 (Nov 2024) phased MFA, encryption, asset inventory, and incident-response uplifts through Nov 2026. CSPs are explicitly in scope as third-party service providers. |
 
-**Cross-jurisdiction posture (per AGENTS.md rule #5).** Any cloud security assessment for a multi-jurisdiction operator must cite at minimum EU NIS2 + DORA + GDPR + CRA + EUCS, UK GovAssure + NCSC Cloud Principles, AU IRAP + PSPF + Essential Eight, JP ISMAP, IL INCD cloud directives, SG MTCS, IN MeitY + Cert-In, BR LGPD + ANPD, CN Cybersecurity Review + MLPS 2.0, NYDFS 500.11, alongside ISO 27001:2022 + ISO/IEC 27017 (cloud-specific) + ISO/IEC 27018 (PII in public clouds) + CSA CCM v4. US-only (NIST 800-53, FedRAMP, SOC 2) is insufficient for any operator with multinational data flows, which in cloud is essentially every operator.
+**Cross-jurisdiction posture (global-first, not US-centric).** Any cloud security assessment for a multi-jurisdiction operator must cite at minimum EU NIS2 + DORA + GDPR + CRA + EUCS, UK GovAssure + NCSC Cloud Principles, AU IRAP + PSPF + Essential Eight, JP ISMAP, IL INCD cloud directives, SG MTCS, IN MeitY + Cert-In, BR LGPD + ANPD, CN Cybersecurity Review + MLPS 2.0, NYDFS 500.11, alongside ISO 27001:2022 + ISO/IEC 27017 (cloud-specific) + ISO/IEC 27018 (PII in public clouds) + CSA CCM v4. US-only (NIST 800-53, FedRAMP, SOC 2) is insufficient for any operator with multinational data flows, which in cloud is essentially every operator.
 
 ---
 
@@ -149,13 +149,13 @@ Cloud is where AI runs. Every consequential AI service — OpenAI, Anthropic, Go
 | Cross-tenant control-plane bug (Wiz "ChaosDB" Cosmos DB 2021; "OMIGOD" 2021; "AzureScape" 2021; Sysrv-K Storm-0558 Microsoft signing-key 2023; "GhostToken" GCP 2023; recurring 2024–2025 cross-tenant findings) | varies | varies; KEV listing inconsistent | Some incidents added to KEV; many handled via CSP-private remediation without CVE issuance — itself a tracked gap | Vendor disclosure varies; PoC public for some, embargoed for others | Yes — substantial AI-assisted bug-bounty research at Wiz, Orca, MSRC, GCP VRP | Active campaign discovery 2023–2025 | CSP-side patch (consumer cannot patch); CSP transparency reports vary | No (CSP-side only) | CSP detection (Defender for Cloud, GCP SCC, CloudTrail behaviour) lags the disclosure cycle |
 | AI workload egress to third-party inference (api.openai.com, api.anthropic.com, generativelanguage.googleapis.com from a cloud workload) | n/a | n/a | n/a | n/a (legitimate channel reused for data exfil) | n/a | Suspected — pattern surfaces in DLP/red-team assessments 2024–2025 | Egress allow-listing (VPC SC, AWS Network Firewall, Azure Firewall, GCP Cloud NGFW); per-endpoint TLS inspection where feasible | n/a | DLP-via-AI requires LLM-aware egress inspection — almost never present; hand off to `dlp-gap-analysis` |
 
-**Honest gap statement (per AGENTS.md Hard Rule #10).** This project's `data/cve-catalog.json` does not contain an exhaustive inventory of CSP-specific control-plane CVEs; many cross-tenant findings (ChaosDB, OMIGOD, AzureScape, GhostToken, Storm-0558 signing-key abuse) were resolved CSP-side without consumer-actionable CVE issuance — itself a transparency gap to track. Authoritative sources: AWS Security Bulletins (https://aws.amazon.com/security/security-bulletins/), Azure Security Advisories (MSRC), GCP Vulnerability Reward Program disclosures and GCP Security Bulletins, CISA Cybersecurity Advisories (https://www.cisa.gov/news-events/cybersecurity-advisories). Captured in `forward_watch` for catalog inclusion at next data refresh. Do not invent CVE IDs to fill the matrix.
+**Honest gap statement (no fabricated CVE data).** This project's `data/cve-catalog.json` does not contain an exhaustive inventory of CSP-specific control-plane CVEs; many cross-tenant findings (ChaosDB, OMIGOD, AzureScape, GhostToken, Storm-0558 signing-key abuse) were resolved CSP-side without consumer-actionable CVE issuance — itself a transparency gap to track. Authoritative sources: AWS Security Bulletins (https://aws.amazon.com/security/security-bulletins/), Azure Security Advisories (MSRC), GCP Vulnerability Reward Program disclosures and GCP Security Bulletins, CISA Cybersecurity Advisories (https://www.cisa.gov/news-events/cybersecurity-advisories). Captured in `forward_watch` for catalog inclusion at next data refresh. Do not invent CVE IDs to fill the matrix.
 
 ---
 
 ## Analysis Procedure
 
-This procedure threads the three foundational design principles required by AGENTS.md skill-format spec (defense in depth, least privilege, zero trust) and the AGENTS.md Hard Rule #9 ephemeral-environment reality through every step.
+This procedure threads the three foundational design principles (defense in depth, least privilege, zero trust) and the ephemeral-environment reality through every step.
 
 **Defense in depth.** Six layered controls, no single layer relied on alone:
 
@@ -170,7 +170,7 @@ This procedure threads the three foundational design principles required by AGEN
 
 **Zero trust.** No implicit trust between cloud workloads. Service-to-service authentication via mutual TLS (mesh) or signed-token presentation per RFC-7519 / RFC-8725, validated per-request, not per-session. AI inference services authenticated per request (Bedrock Guardrails for identity-bound invocation; Azure OpenAI managed-identity-bound deployments; Vertex with workload-identity-bound endpoints). Cross-account / cross-tenant access requires explicit trust-policy review at every assumption point; no transitive trust.
 
-**Ephemeral-environment reality (per Hard Rule #9).** Lambda / Cloud Functions / Azure Functions / Cloud Run / Fargate / Knative / Pod workloads have lifetimes too short for agent-install, signature-update, or patch-cycle controls. The compensating-control programme is image-time hardening (image scanning, distroless base, signed images via Sigstore Cosign), workload-identity-federation (no embedded credentials), eBPF-based runtime telemetry recording sufficient evidence within the workload lifetime, and aggressive egress allow-listing.
+**Ephemeral-environment reality.** Lambda / Cloud Functions / Azure Functions / Cloud Run / Fargate / Knative / Pod workloads have lifetimes too short for agent-install, signature-update, or patch-cycle controls. The compensating-control programme is image-time hardening (image scanning, distroless base, signed images via Sigstore Cosign), workload-identity-federation (no embedded credentials), eBPF-based runtime telemetry recording sufficient evidence within the workload lifetime, and aggressive egress allow-listing.
 
 ### Step 1 — Multi-cloud asset inventory
 
@@ -351,7 +351,7 @@ Ask: "What is the egress policy for every workload that invokes Bedrock / Azure
 
 ## Defensive Countermeasure Mapping
 
-Per AGENTS.md optional 8th section (required for skills shipped on or after 2026-05-11). Maps cloud-security offensive findings to MITRE D3FEND IDs from `data/d3fend-catalog.json`, with explicit defense-in-depth layer position, least-privilege scope, zero-trust posture, and AI-pipeline applicability per Hard Rule #9.
+Maps cloud-security offensive findings to MITRE D3FEND IDs from `data/d3fend-catalog.json`, with explicit defense-in-depth layer position, least-privilege scope, zero-trust posture, and AI-pipeline applicability (controls impossible in serverless / ephemeral contexts name an explicit scoped alternative).
 
 | D3FEND ID | Technique | Cloud Layer Position | Least-Privilege Scope | Zero-Trust Posture | AI-Pipeline / Ephemeral Applicability |
 |---|---|---|---|---|---|
@@ -361,7 +361,7 @@ Per AGENTS.md optional 8th section (required for skills shipped on or after 2026
 | D3-IOPR | Input/Output Profiling | DLP / DSPM tooling profiling workload data flows; CASB profiling SaaS access; AI-inference prompt and completion logging with anomaly profiling | Per-workload, per-data-class profile | Behavioural deviation from baseline triggers verification | Critical for AI workloads — prompt and completion content is the new high-value channel for exfil; baseline profiling is essential to detect novel high-volume or sensitive-content prompts. Chain to `dlp-gap-analysis`. |
 | D3-CBAN | Certificate-Based Authentication | mTLS for service-to-service (mesh-managed certificate issuance — Istio Citadel, SPIFFE/SPIRE SVIDs, Linkerd identity, Consul Connect); CSP-managed certificate authorities (AWS Private CA, Azure Key Vault Certificates, GCP Certificate Authority Service); short-lived federation tokens per RFC-7519 / RFC-8725; TLS per RFC-8446 (PQC hybrid where supported); hybrid encryption per RFC-9180 for envelope patterns | Per-workload identity bound to certificate; cross-workload presentation is per-request, not per-session | Verify-not-assume between every service pair; revocation surfaced to relying parties in real time | Applicable across the cloud-native stack. SPIFFE/SPIRE is the cross-CSP option for federation. AI-service invocation can be identity-bound via workload identity federation; the cert/token presentation per request is the zero-trust anchor for AI calls. |
 
-**Ephemerality posture (per Hard Rule #9).** Cloud is the canonical ephemeral environment for this project. Controls must be expressible at image-build time (D3-EAL via Sigstore Cosign, SLSA attestation), at workload-schedule time (D3-NTPM via mesh policy, IRSA / Pod Identity / Workload Identity binding), at workload-runtime via kernel-level eBPF telemetry (D3-NTA, D3-IOPR), and at identity layer via short-lived federation tokens (D3-CBAN). Patch-cycle and signature-update controls inherited from on-prem programmes are architecturally inapplicable to sub-minute-lifetime workloads; the compensating-control programme is image-time hardening + runtime detection + aggressive egress allow-listing + ephemeral-credential-only identity. Recommendations that read "install agent X on the Lambda" are operationally indefensible — agents do not survive workload lifetimes; the eBPF-host-level alternative is the operational form.
+**Ephemerality posture.** Cloud is the canonical ephemeral environment for this project. Controls must be expressible at image-build time (D3-EAL via Sigstore Cosign, SLSA attestation), at workload-schedule time (D3-NTPM via mesh policy, IRSA / Pod Identity / Workload Identity binding), at workload-runtime via kernel-level eBPF telemetry (D3-NTA, D3-IOPR), and at identity layer via short-lived federation tokens (D3-CBAN). Patch-cycle and signature-update controls inherited from on-prem programmes are architecturally inapplicable to sub-minute-lifetime workloads; the compensating-control programme is image-time hardening + runtime detection + aggressive egress allow-listing + ephemeral-credential-only identity. Recommendations that read "install agent X on the Lambda" are operationally indefensible — agents do not survive workload lifetimes; the eBPF-host-level alternative is the operational form.
 
 ---
 

package/skills/compliance-theater/skill.md

@@ -92,7 +92,7 @@ Each theater pattern below maps to one or more attacker TTPs in `data/atlas-ttps
 | Vendor/Third-Party Risk Theater — AI APIs (Pattern 6) | AML.T0010 (ML Supply Chain Compromise) | MCP servers and LLM APIs sit outside the vendor-management scope |
 | Security Awareness Theater — AI Phishing (Pattern 7) | T1566 (Phishing), AML.T0016 (Obtain Capabilities: Develop Capabilities — misuse of public AI APIs for payload crafting) | AI-generated content evades grammar/style heuristics and template-matching detectors |
 
-Source-of-truth TTP catalog: `data/atlas-ttps.json` (pinned to MITRE ATLAS v5.6.0, May 2026). Any theater claim in an assessment must cite at least one TTP ID from that catalog or an ATT&CK Enterprise ID — claims without a mapped TTP fail Hard Rule #4 (no orphaned controls).
+Source-of-truth TTP catalog: `data/atlas-ttps.json` (pinned to MITRE ATLAS v5.6.0, May 2026). Any theater claim in an assessment must cite at least one TTP ID from that catalog or an ATT&CK Enterprise ID — claims without a mapped TTP are orphaned controls and are rejected.
 
 ---
 
@@ -325,7 +325,7 @@ For each relevant theater pattern:
 
 ## Output Format
 
-The skill produces a structured Compliance Theater Assessment that scores each of the seven theater patterns and surfaces the auditor-facing remediation language for any flagged pattern. The shape below is consumed downstream by `policy-exception-gen` (which converts theater flags into defensible exceptions with concrete compensating controls), by `framework-gap-analysis` (which escalates any newly discovered theater pattern into a Framework Lag Declaration), and by `global-grc` (which rolls up theater findings across EU/UK/AU/ISO jurisdictions per Hard Rule #5). Auditor-facing remediation language is the load-bearing field — preserve the wording so corrective-action plans can copy it verbatim.
+The skill produces a structured Compliance Theater Assessment that scores each of the seven theater patterns and surfaces the auditor-facing remediation language for any flagged pattern. The shape below is consumed downstream by `policy-exception-gen` (which converts theater flags into defensible exceptions with concrete compensating controls), by `framework-gap-analysis` (which escalates any newly discovered theater pattern into a Framework Lag Declaration), and by `global-grc` (which rolls up theater findings across EU/UK/AU/ISO jurisdictions). Auditor-facing remediation language is the load-bearing field — preserve the wording so corrective-action plans can copy it verbatim.
 
 ```
 ## Compliance Theater Assessment
@@ -381,7 +381,7 @@ Applied at the level of the seven theater patterns:
 | 6 Vendor Management (AI APIs) | DPA + risk assessment for every LLM provider; vendor review record for every installed MCP server | Any AI provider or MCP server without vendor-management evidence |
 | 7 Security Awareness (AI phishing) | AI-generated content proportion in last 3 phishing simulations + phishing-resistant MFA deployment | Zero AI-generated simulation content or SMS/TOTP-only MFA |
 
-The output is consumed by policy-exception-gen (to convert theater flags into defensible exceptions with real compensating controls), framework-gap-analysis (to escalate any newly discovered theater pattern into a Framework Lag Declaration), and global-grc (to roll up theater findings across EU/UK/AU/ISO jurisdictions per Hard Rule #5).
+The output is consumed by policy-exception-gen (to convert theater flags into defensible exceptions with real compensating controls), framework-gap-analysis (to escalate any newly discovered theater pattern into a Framework Lag Declaration), and global-grc (to roll up theater findings across EU/UK/AU/ISO jurisdictions).
 
 ---
 
@@ -405,4 +405,4 @@ This skill produces theater findings, not control prescriptions. The mapping bel
 
 **Zero-trust posture:** a theater flag closes only when the downstream skill's recommended D3FEND technique is deployed, monitored, and tested against the cited offensive TTP — not when a policy document is updated. The Compliance Theater Assessment output (per the Output Format section) must record both the theater finding and the downstream-skill remediation target; auditors converting the finding into a corrective action plan use the downstream skill's verification tests, not this skill's detection tests.
 
-**AI-pipeline applicability (per AGENTS.md Hard Rule #9):** AI-pipeline degradations for each technique (serverless inference endpoints, ephemeral RAG indices) are documented in the cited downstream skill, not duplicated here. This skill's theater-finding format is unchanged across AI and non-AI pipelines — the AI specificity lives in the routing target.
+**AI-pipeline applicability:** AI-pipeline degradations for each technique (serverless inference endpoints, ephemeral RAG indices) are documented in the cited downstream skill, not duplicated here. This skill's theater-finding format is unchanged across AI and non-AI pipelines — the AI specificity lives in the routing target.

package/skills/container-runtime-security/skill.md

@@ -112,7 +112,7 @@ State of standards baselines:
 | US FedRAMP Rev 5 + DoD SRG IL2/IL4/IL5 | Federal cloud authorization baseline + DoD impact-level baselines | Federal cloud workloads | FedRAMP Rev 5 inherits NIST 800-53 CM-7 / SI-7. CIS Kubernetes Benchmark is increasingly expected as ATO evidence but not mandated in Rev 5 baseline text. DoD SRG IL5 in practice requires CIS K8s Benchmark + STIG. |
 | ISO 27001:2022 + ISO/IEC 27017 (cloud) | A.8.28, A.8.9 + cloud sector extension | Cloud-service ISMS | Method-neutral; cloud-sector extension predates K8s-native admission policy. |
 
-**Cross-jurisdiction posture (per AGENTS.md rule #5):** Any container/K8s assessment for a multi-jurisdiction operator must cite at minimum EU NIS2 + CRA, UK NCSC CAF, AU ISM, IL INCD, SG GovTech/MAS TRM, alongside ISO 27001:2022 + ISO/IEC 27017 and NIST 800-53 CM-7. US-only is insufficient.
+**Cross-jurisdiction posture (global-first, not US-centric):** Any container/K8s assessment for a multi-jurisdiction operator must cite at minimum EU NIS2 + CRA, UK NCSC CAF, AU ISM, IL INCD, SG GovTech/MAS TRM, alongside ISO 27001:2022 + ISO/IEC 27017 and NIST 800-53 CM-7. US-only is insufficient.
 
 ---
 
@@ -153,13 +153,13 @@ CWE cross-walk (see `data/cwe-catalog.json`):
 | Unsigned container image admitted to production | n/a (class) | n/a | n/a | n/a | n/a | Pervasive — default cluster posture | Sigstore policy-controller `ClusterImagePolicy` requiring keyless verification against pinned publisher identity; Kyverno `verifyImages` rule | Yes — that is the entire point | n/a |
 | AI-inference image with code-executing model load (PyTorch `.pt` / Python-native serialization) | n/a (class) | n/a | n/a | Trivial — published PoC research | Yes — adversarial-weights research and 2025 incident reports | Suspected in advanced campaigns | Reject code-executing serialization formats; require safetensors; verify model signature pre-load | Partial — admission policy on the model-PVC contents | Yes — Falco rule on unexpected serialization-load syscalls from inference container |
 
-**Honest gap statement (per AGENTS.md rule #10).** `data/cve-catalog.json` does not yet enumerate every ingress-controller, CNI plugin, CSI driver, or admission webhook CVE. The authoritative feeds are upstream advisories (`kubernetes.io/security/`, `kubernetes-announce@googlegroups.com`, vendor PSIRT feeds for managed services, ingress-nginx CHANGELOG, Cilium security advisories). Forward-watch covers ingestion of these feeds.
+**Honest gap statement (no fabricated CVE data).** `data/cve-catalog.json` does not yet enumerate every ingress-controller, CNI plugin, CSI driver, or admission webhook CVE. The authoritative feeds are upstream advisories (`kubernetes.io/security/`, `kubernetes-announce@googlegroups.com`, vendor PSIRT feeds for managed services, ingress-nginx CHANGELOG, Cilium security advisories). Forward-watch covers ingestion of these feeds.
 
 ---
 
 ## Analysis Procedure
 
-This procedure threads the three foundational principles required by AGENTS.md skill-format spec (defense in depth, least privilege, zero trust) through every step. Per AGENTS.md rule #9, containers are the canonical ephemeral runtime — and the audit/forensic implication is that this is the operating reality the program must design for, not work around.
+This procedure threads the three foundational principles (defense in depth, least privilege, zero trust) through every step. Containers are the canonical ephemeral runtime — and the audit/forensic implication is that this is the operating reality the program must design for, not work around.
 
 ### Defense in depth
 
@@ -232,7 +232,7 @@ Six layers, each independently capable of blocking a different attacker stage. A
 
 10. **Supply chain hand-off (`supply-chain-integrity`).** Every image in the admission allowlist must trace to a SLSA L3 build with cosign signature, Rekor inclusion proof, and SBOM. The container-runtime job is to enforce verification at admission; the build-side job is to produce the evidence.
 
-### Ephemeral / audit-forensic posture (AGENTS.md rule #9)
+### Ephemeral / audit-forensic posture
 
 Containers are ephemeral by design: pods die, nodes are replaced, log file paths inside the container are gone the moment the pod is. The audit/forensic implication:
 
@@ -349,7 +349,7 @@ Ask: *"Show me the most recent tabletop exercise where the scenario was a kernel
 
 ## Defensive Countermeasure Mapping
 
-Per AGENTS.md optional 8th section (required for skills shipped on or after 2026-05-11). Maps container/K8s findings to MITRE D3FEND IDs from `data/d3fend-catalog.json`, with explicit defense-in-depth layer position, least-privilege scope, zero-trust posture, and AI-pipeline applicability per Hard Rule #9.
+Maps container/K8s findings to MITRE D3FEND IDs from `data/d3fend-catalog.json`, with explicit defense-in-depth layer position, least-privilege scope, zero-trust posture, and AI-pipeline applicability (controls impossible in serverless / ephemeral contexts name an explicit scoped alternative).
 
 | D3FEND ID | Technique | Cluster Layer Position | Least-Privilege Scope | Zero-Trust Posture | AI-Pipeline Applicability |
 |---|---|---|---|---|---|
@@ -360,7 +360,7 @@ Per AGENTS.md optional 8th section (required for skills shipped on or after 2026
 | D3-NTPM | Network Traffic Policy Mapping | Cilium L7 policy expression of allowed HTTP methods, gRPC services, DNS FQDNs, Kafka topics per workload | Per-workload allowlist of L7 endpoints | Continuous verification of conformance; deviation triggers alert | Highly applicable. AI inference egress should be policy-mapped to specific Hugging Face / vendor registry FQDNs; deviation indicates either model-pull misconfiguration or exfiltration. |
 | D3-IOPR | Input / Output Process Profiling | Falco / Tetragon eBPF syscall + network + process-exec event stream; behavioral baselines per workload class | Per-workload behavioral profile; deviation alerts scoped to that workload's owner | Detection assumes the container is hostile until profile-conformant per-event | Highly applicable. AI inference workloads have a tight behavioral profile (CUDA syscalls, model-PVC reads, inference-result writes); unexpected serialization-load syscalls, `subprocess.Popen`, or `socket(AF_INET)` to non-registry endpoints is a high-confidence alert. The ephemeral nature of pods means baselines should be per-image-digest rather than per-pod-instance. |
 
-**Ephemeral runtime posture (per Hard Rule #9, applied straight).** Containers are the canonical ephemeral runtime: pods die, nodes are replaced, in-pod logs are gone the moment the pod is. Controls that assume a long-lived host (host-based EDR signature DB updated weekly, on-host log retention, in-place patching) are architecturally mismatched. The container-realistic posture: admission policy as the primary preventive layer (D3-EAL, D3-EHB), eBPF runtime detection with out-of-cluster event sink as the primary detective layer (D3-IOPR), node-image swap (Bottlerocket, Talos, Flatcar) as the primary patching pattern, and all audit/forensic data leaving the host before the host can be lost. Recommendations that read "deploy host EDR with weekly signature updates" without specifying how that survives a node replacement are operationally indefensible.
+**Ephemeral runtime posture (applied straight).** Containers are the canonical ephemeral runtime: pods die, nodes are replaced, in-pod logs are gone the moment the pod is. Controls that assume a long-lived host (host-based EDR signature DB updated weekly, on-host log retention, in-place patching) are architecturally mismatched. The container-realistic posture: admission policy as the primary preventive layer (D3-EAL, D3-EHB), eBPF runtime detection with out-of-cluster event sink as the primary detective layer (D3-IOPR), node-image swap (Bottlerocket, Talos, Flatcar) as the primary patching pattern, and all audit/forensic data leaving the host before the host can be lost. Recommendations that read "deploy host EDR with weekly signature updates" without specifying how that survives a node replacement are operationally indefensible.
 
 ---
 

package/skills/coordinated-vuln-disclosure/skill.md

@@ -143,7 +143,7 @@ Translation: the disclosure-clock choice is itself a security decision with down
 
 ## Analysis Procedure
 
-Before stepping through the disclosure-program assessment, thread the three foundational design principles per AGENTS.md Skill File Format requirements:
+Before stepping through the disclosure-program assessment, thread the three foundational design principles (defense in depth, least privilege, zero trust):
 
 **Defense in depth — disclosure intake as multi-layer pipeline.** A CVD program is not one channel; it is a stack:
 - **Layer 1 — public VDP intake**: security.txt (RFC 9116), `/security` web page, published policy, public security@ alias. The minimum visible surface; tested by every script-kiddie scanner before they email the CEO.
@@ -184,7 +184,7 @@ Audit the published CVD policy:
 Walk the internal handling pipeline:
 - **Intake → triage**: how does a report move from VDP queue to product team? Is there a SLA? Is there a named owner per product?
 - **Validation**: who reproduces? In what isolated environment (D3-RPA)? What is the false-positive rate?
-- **Severity scoring**: CVSS for legacy compatibility, RWEP per `lib/scoring.js` for actual prioritization. Per AGENTS.md DR-2: CVSS-only scoring fails.
+- **Severity scoring**: CVSS for legacy compatibility, RWEP per `lib/scoring.js` for actual prioritization. CVSS-only scoring fails — never rank disclosures on CVSS alone.
 - **Remediation routing**: how does a confirmed vulnerability become a fix? What is the engineering SLA per RWEP band?
 - **Verification**: how is the fix confirmed? Researcher re-verification? Internal regression test?
 - **Disclosure preparation**: who drafts the advisory? Who approves? When does CVE assignment happen (request from CVE.org or via a CNA partner)?
@@ -212,14 +212,14 @@ Audit the bounty program (if operated):
 ### Step 6 — Learning-loop integration (the `zeroday-gap-learn` hand-off)
 
 For every disclosed vulnerability against an org product:
-- Per AGENTS.md DR-8: the CVE entry in `data/cve-catalog.json` triggers a corresponding entry in `data/zeroday-lessons.json`.
+- The CVE entry in `data/cve-catalog.json` triggers a corresponding entry in `data/zeroday-lessons.json` (every disclosed CVE feeds the zero-day learning loop).
 - The CVD program is the source of these entries. If the CVD program is operating but learning-loop entries are not being produced, the hand-off is broken.
 - The internal control gap exposed by each disclosure is the input to `framework-gap-analysis` — is the org's own framework coverage missing this control class?
 
 ### Step 7 — Advisory publication (the CSAF 2.0 / VEX check)
 
 For each disclosed vulnerability, verify advisory output:
-- **CSAF 2.0 advisory** (OASIS CSAF v2.0, published 2022; CSAF 2.1 draft in flight 2026): machine-readable advisory in JSON form, published at `/.well-known/csaf/`. Per AGENTS.md global-first rule, CSAF is the de facto cross-jurisdiction format — CISA, ENISA, BSI, NCSC-NL all consume it.
+- **CSAF 2.0 advisory** (OASIS CSAF v2.0, published 2022; CSAF 2.1 draft in flight 2026): machine-readable advisory in JSON form, published at `/.well-known/csaf/`. CSAF is the de facto cross-jurisdiction format — CISA, ENISA, BSI, NCSC-NL all consume it.
 - **VEX statement** (Vulnerability Exploitability eXchange, CSAF profile): per-product exploitability status. Hand off to `supply-chain-integrity` for SBOM-aligned VEX integration.
 - **CVE Record**: filed via CNA (or via CVE.org if no CNA partner). CVE ID assignment timing matters for regulator-notification (CRA Art. 11 references a specific vulnerability identifier).
 - **Plain-language advisory**: customer-facing version. Translation of CSAF/VEX into operator action.
@@ -249,7 +249,7 @@ Per ISO 30111 §5 (continual improvement) and NIST 800-218 SSDF RV.2 (assess, pr
 - Class-level findings vs instance-level findings (AI-vendor relevance).
 - Hand off to `framework-gap-analysis` whenever metrics show a control class repeatedly absent from intake.
 
-**Ephemeral / serverless / AI-pipeline reality (per AGENTS.md rule #9):** CVD is largely org-process, not infrastructure, so the "is this control architecturally possible in a serverless / AI-pipeline environment" question does not apply in the usual sense. The honest version of the question for THIS skill is: **does your AI / agent pipeline have CVD scope?** Most orgs running production agentic systems do not. The org has a CVD policy covering its web application, its API, and its enterprise software — and silently excludes the LangChain orchestrator, the RAG corpus, the agent toolchain, the MCP-server installations, the model-serving infrastructure, and the fine-tuning pipeline. That silent exclusion is the gap. The fix is to make scope explicit in the published policy: list AI/agent assets in scope or list them as explicitly out-of-scope. Silence is not a posture.
+**Ephemeral / serverless / AI-pipeline reality:** CVD is largely org-process, not infrastructure, so the "is this control architecturally possible in a serverless / AI-pipeline environment" question does not apply in the usual sense. The honest version of the question for THIS skill is: **does your AI / agent pipeline have CVD scope?** Most orgs running production agentic systems do not. The org has a CVD policy covering its web application, its API, and its enterprise software — and silently excludes the LangChain orchestrator, the RAG corpus, the agent toolchain, the MCP-server installations, the model-serving infrastructure, and the fine-tuning pipeline. That silent exclusion is the gap. The fix is to make scope explicit in the published policy: list AI/agent assets in scope or list them as explicitly out-of-scope. Silence is not a posture.
 
 ---
 
@@ -408,7 +408,7 @@ For NYDFS 500.17 / AU SOCI / UK / SG / JP / IL: parallel templates per jurisdict
 | T+30d (RWEP-banded) | Patch shipped | per band | — | Engineering |
 | T+14d (parallel, if exploited) | Final regulator report | 14d | — | Named officer |
 | T+disclosure-day | CSAF advisory published; CVE record live; researcher acknowledged | per agreed window | — | Security + Comms |
-| T+disclosure+1d | Entry filed in `data/zeroday-lessons.json` per AGENTS.md DR-8 | 1d | — | Security |
+| T+disclosure+1d | Entry filed in `data/zeroday-lessons.json` (zero-day learning loop) | 1d | — | Security |
 
 ### 7. Program Metrics Report
 
@@ -435,7 +435,7 @@ Four concrete tests distinguish a real CVD program from CVD theater. Run them in
 
 > **Test 1 — Publish your security.txt URL right now.** Fetch `https://<domain>/.well-known/security.txt`. If it 404s, the org has no public CVD intake — which means no compliance with EU CRA Art. 11 (manufacturers must operate a CVD process; "operate" requires discoverability), no NIS2 Art. 12 coordinator wiring, no RFC 9116 conformance, and the next researcher who finds something will email the CEO or drop on social media. The org will discover this when a Reuters reporter calls. If security.txt exists but `Expires:` is in the past, the org once had a program and stopped operating it — same outcome, with the additional signal that internal ownership has lapsed.
 
-> **Test 2 — Show me your last 12 months of received disclosures and time-to-fix per severity band.** If the answer is "we don't track that," there is no program — only a queue. If the answer is "we track it, here are the numbers," compare time-to-fix against RWEP bands: median time-to-fix for RWEP 90+ must be measured in hours-to-days, not weeks. CVSS-banded SLAs alone are insufficient (per AGENTS.md DR-2). If the org cannot produce metrics, the org cannot demonstrate continuous improvement per ISO 30111 §5 or NIST 800-218 RV.2, so the formal compliance with those controls is theater regardless of policy text.
+> **Test 2 — Show me your last 12 months of received disclosures and time-to-fix per severity band.** If the answer is "we don't track that," there is no program — only a queue. If the answer is "we track it, here are the numbers," compare time-to-fix against RWEP bands: median time-to-fix for RWEP 90+ must be measured in hours-to-days, not weeks. CVSS-banded SLAs alone are insufficient. If the org cannot produce metrics, the org cannot demonstrate continuous improvement per ISO 30111 §5 or NIST 800-218 RV.2, so the formal compliance with those controls is theater regardless of policy text.
 
 > **Test 3 — Show me a single CSAF 2.0 advisory you've published, with a CVE ID, in the last 12 months.** If the answer is "we publish blog posts" or "we wait for the CVE to appear in NVD" or "our security advisories are PDF attachments," downstream consumers (customers, regulators, automated patch-management systems) cannot ingest the disclosures. The org's disclosure posture is theater for the machine-readable era. Under EU CRA Art. 11, the advisory format is left to the manufacturer but consumers and regulators are converging on CSAF 2.0; an org that has never published one is not operating in the de facto downstream ecosystem.
 
@@ -447,7 +447,7 @@ A program passing all four tests is operating CVD as infrastructure. A program f
 
 ## Defensive Countermeasure Mapping
 
-Per AGENTS.md Skill File Format optional 8th section (required for skills shipped on or after 2026-05-11): map this skill's findings to MITRE D3FEND IDs from `data/d3fend-catalog.json` with explicit defense-in-depth layer position, least-privilege scope, zero-trust posture, and AI-pipeline applicability.
+Maps this skill's findings to MITRE D3FEND IDs from `data/d3fend-catalog.json` with explicit defense-in-depth layer position, least-privilege scope, zero-trust posture, and AI-pipeline applicability.
 
 CVD is process infrastructure, not a single technical control — the D3FEND mapping is therefore thin and concentrated at the triage and post-disclosure boundaries.
 
@@ -457,9 +457,9 @@ CVD is process infrastructure, not a single technical control — the D3FEND map
 | **D3-NTA** (Network Traffic Analysis) | Post-disclosure exploitation monitoring. Once an advisory ships, attacker weaponization typically follows within days; egress monitoring detects active exploitation against unpatched customers. | Detection layer (post-disclosure, downstream of CVD output). | Detection scoped to known exploit indicators from disclosed CVE; not all-traffic surveillance. | Assume disclosed CVEs will be exploited; verify exploitation evidence per advisory IOCs. | Limited direct applicability — AI exploitation traffic often blends with legitimate AI API usage (see `ai-c2-detection`); D3-NTA on its own is insufficient. |
 | **D3-EAL** (Executable Allowlisting) | Post-disclosure blocking of known weaponized exploits. When a public PoC ships with the advisory, allowlisting blocks the exploit binary class from execution on patched/unpatched endpoints alike. | Prevention layer (post-disclosure, downstream of CVD output). | Endpoint scope; allowlist administered by endpoint-security team, not application teams. | Default-deny; verify executable signatures and allowlist membership per execution. | Limited — AI exploits are typically prompt-class, not binary-class. D3-EAL applies to traditional-software exploits derived from CVD output, not AI-class disclosures. |
 
-**Explicit statement per AGENTS.md rule #4 (no orphaned controls)**: CVD itself is process infrastructure. The technical defensive layers it *feeds* are the D3FEND techniques above plus the broader cross-walk in `defensive-countermeasure-mapping`. A CVD program with no downstream defensive-control hand-off is producing advisories that no operator action follows — which is the post-disclosure equivalent of compliance theater.
+**Explicit statement (no orphaned controls)**: CVD itself is process infrastructure. The technical defensive layers it *feeds* are the D3FEND techniques above plus the broader cross-walk in `defensive-countermeasure-mapping`. A CVD program with no downstream defensive-control hand-off is producing advisories that no operator action follows — which is the post-disclosure equivalent of compliance theater.
 
-**AI-pipeline statement per AGENTS.md rule #9**: D3FEND's current coverage of AI-vulnerability defenses is sparse. Mid-2026 D3FEND additions (per `data/d3fend-catalog.json` forward-watch) are extending into AI-system telemetry; the gap until then is filled by `ai-attack-surface`, `rag-pipeline-security`, and `ai-c2-detection` skill-specific recommendations.
+**AI-pipeline statement**: D3FEND's current coverage of AI-vulnerability defenses is sparse. Mid-2026 D3FEND additions (per `data/d3fend-catalog.json` forward-watch) are extending into AI-system telemetry; the gap until then is filled by `ai-attack-surface`, `rag-pipeline-security`, and `ai-c2-detection` skill-specific recommendations.
 
 Reference `defensive-countermeasure-mapping` for the full cross-walk; reference `framework-gap-analysis` for the regulatory-control gaps each defensive layer leaves open.
 
@@ -469,8 +469,8 @@ Reference `defensive-countermeasure-mapping` for the full cross-walk; reference
 
 CVD sits at the upstream end of several skill pipelines. Route to the following on the indicated trigger:
 
-- **`zeroday-gap-learn`** — *downstream consumer of CVD reports.* Every disclosed CVE against an org product triggers a learning-loop entry per AGENTS.md DR-8. If CVD output is not producing `data/zeroday-lessons.json` entries, the hand-off is broken. Run `zeroday-gap-learn` for every advisory shipped.
-- **`exploit-scoring`** — *RWEP scoring of disclosed CVEs.* CVSS alone is insufficient per AGENTS.md DR-2; route every confirmed-validated disclosure through RWEP scoring before regulator notification (the "actively exploited" determination depends on it).
+- **`zeroday-gap-learn`** — *downstream consumer of CVD reports.* Every disclosed CVE against an org product triggers a learning-loop entry. If CVD output is not producing `data/zeroday-lessons.json` entries, the hand-off is broken. Run `zeroday-gap-learn` for every advisory shipped.
+- **`exploit-scoring`** — *RWEP scoring of disclosed CVEs.* CVSS alone is insufficient; route every confirmed-validated disclosure through RWEP scoring before regulator notification (the "actively exploited" determination depends on it).
 - **`supply-chain-integrity`** — *CSAF VEX integration with SBOM.* When the disclosure affects a product component shipped to downstream consumers, the CSAF advisory's VEX status profile must align with the SBOM produced under SLSA / CycloneDX / SPDX. Hand off for the supply-chain-shaped output.
 - **`framework-gap-analysis`** — *CVD failures often expose framework gaps.* When a disclosure shows that an existing control (SI-2, A.8.8, CC9.2, SSDF RV.1) was insufficient to prevent or detect the vulnerability, file the gap under the appropriate framework entry per `data/framework-control-gaps.json`.
 - **`compliance-theater`** — *publish-no-VDP theater test.* The four compliance theater checks in this skill compose with the broader theater detection across frameworks; run `compliance-theater` after this skill when the org is claiming SOC 2 / ISO 27001 / NIST CSF maturity that the CVD test results contradict.