@blamejs/exceptd-skills 0.15.43 → 0.15.45

package/bin/exceptd.js

@@ -564,6 +564,31 @@ function main() {
     };
   }
 
+  // --quiet: suppress advisory stderr chatter — the "[exceptd] note:" and
+  // "[exceptd] tip:" lines, the deprecation banner, and the unsigned-
+  // attestation warning — while keeping the actual result on stdout and all
+  // errors on stderr. Narrower than --json-stdout-only, which silences ALL
+  // stderr and forces JSON output; --quiet preserves human-readable output and
+  // exit codes and only drops the non-essential advisories. Skipped when
+  // --json-stdout-only is also present (that flag already silenced everything
+  // and patched stderr first; double-wrapping would be redundant).
+  if (argv.includes("--quiet") && !argv.includes("--json-stdout-only")) {
+    global.__exceptdQuiet = true;
+    process.env.EXCEPTD_DEPRECATION_SHOWN = "1";
+    process.env.EXCEPTD_UNSIGNED_WARNED = "1";
+    const origStderrWrite = process.stderr.write.bind(process.stderr);
+    process.stderr.write = (chunk, encoding, cb) => {
+      // Drop only the advisory-prefixed lines. Contract-violation notes
+      // ("[exceptd run] ..."), error frames, and uncaught exceptions still
+      // surface so --quiet never hides why a run failed or exited non-zero.
+      if (typeof chunk === "string" && /^\[exceptd\] (note|tip):/.test(chunk)) {
+        if (typeof cb === "function") cb();
+        return true;
+      }
+      return origStderrWrite(chunk, encoding, cb);
+    };
+  }
+
   if (argv.length === 0) {
     printWelcome();
     process.exit(0);
@@ -752,7 +777,7 @@ function main() {
   // verbs that lack their own help handler, so spawns that do (refresh,
   // prefetch) keep their detailed usage.
   const SPAWN_HELP_USAGE = {
-    skill: "exceptd skill <name>          Show the full context document for one skill.",
+    skill: "exceptd skill <name>          Show the full context document for one skill. Run `exceptd skill` with no arguments to list all skill IDs.",
     "framework-gap": "exceptd framework-gap <framework> <cve-or-scenario>   One-framework gap analysis.",
     "framework-gap-analysis": "exceptd framework-gap <framework> <cve-or-scenario>   One-framework gap analysis.",
     cve: "exceptd cve <CVE-ID> [--json] [--air-gap|--no-network]   Resolve a CVE: published/rejected/disputed/fabricated/nonexistent (catalog -> cache -> NVD). Exit 2 when the citation won't stand up (rejected/fabricated/nonexistent/withdrawn).",
@@ -761,7 +786,7 @@ function main() {
     // to spawning the blocking daemon, hanging the operator's terminal.
     watch: "exceptd watch          Long-running forward-watch daemon (blocks; Ctrl-C to stop). For a one-shot aggregator use `exceptd watchlist`.",
     watchlist: "exceptd watchlist [--alerts] [--org-scan --org <login>] [--by-skill] [--json]   One-shot forward-watch aggregator across skills.",
-    report: "exceptd report [executive] [--json]   Structured posture report.",
+    report: "exceptd report [executive] [--json]   Structured posture report. Markdown by default; pass --json for machine-readable output.",
     scan: "exceptd scan [--json]          [legacy] Working-directory CVE/KEV scan (orchestrator). See `exceptd discover`.",
     dispatch: "exceptd dispatch [--json]      [legacy] Scan + route findings to skills (orchestrator). See `exceptd discover`.",
     currency: "exceptd currency [--json]      [legacy] Skill threat-currency report. See `exceptd doctor --currency`.",
@@ -981,7 +1006,7 @@ function asEvidenceObject(parsed) {
   return parsed;
 }
 
-function readEvidence(evidenceFlag) {
+function readEvidence(evidenceFlag, opts = {}) {
   if (!evidenceFlag) return {};
   // v0.12.12: file-path branch enforces a max size to defend against an
   // operator accidentally passing a multi-gigabyte file (binary, log, or
@@ -1017,11 +1042,20 @@ function readEvidence(evidenceFlag) {
       // certainly meant to pipe something. Don't change exit semantics;
       // the empty-payload path is still legitimately useful for posture-
       // only playbooks (govern + direct + look-only walks).
-      process.stderr.write(
-        `[exceptd] note: --evidence - read 0 bytes from stdin. Treating as empty evidence {}. ` +
-        `If you meant to pipe a submission, run \`exceptd brief <playbook>\` to see the expected shape; ` +
-        `if you wanted a posture-only walk, this message is informational and the run will proceed.\n`,
-      );
+      //
+      // Only nudge when `--evidence -` was EXPLICITLY requested. On the stdin
+      // auto-promotion path (no --evidence flag, just a non-TTY handle such as
+      // `run kernel </dev/null` or a CI runner) the operator never asked to
+      // read stdin, so an empty read is not a mistake to flag — and emitting to
+      // stderr there corrupted `run ... 2>&1 | jq` pipelines that worked at a
+      // TTY but broke in CI.
+      if (opts.explicit !== false) {
+        process.stderr.write(
+          `[exceptd] note: --evidence - read 0 bytes from stdin. Treating as empty evidence {}. ` +
+          `If you meant to pipe a submission, run \`exceptd brief <playbook>\` to see the expected shape; ` +
+          `if you wanted a posture-only walk, this message is informational and the run will proceed.\n`,
+        );
+      }
       return {};
     }
     return asEvidenceObject(JSON.parse(text));
@@ -1853,6 +1887,13 @@ function editDistance(a, b) {
 
 function printPlaybookVerbHelp(verb) {
   const cmds = {
+    recipes: `recipes [<id>] — curated multi-skill workflows (use-case → ordered skill chain).
+
+With no id: lists every recipe with its "when to use" guidance.
+With <id>:  expands that recipe's ordered skill_chain and notes.
+
+Flags:
+  --json   Machine-readable output.`,
     plan: `plan — list playbooks + directives, grouped by scope.
 
 Flags:
@@ -2884,7 +2925,8 @@ function cmdBrief(runner, args, runOpts, pretty) {
         lines.push(`  ${p.id} (${p.on_fail}): ${pdesc.length > 80 ? pdesc.slice(0, 80) + "…" : pdesc}`);
       }
     }
-    lines.push(`\nRun: exceptd run ${obj.playbook_id} --evidence <file|-> --json`);
+    lines.push(`\nCollect evidence: exceptd collect ${obj.playbook_id} | exceptd run ${obj.playbook_id} --evidence -`);
+    lines.push(`Run with your own evidence: exceptd run ${obj.playbook_id} --evidence <file|-> --json`);
     lines.push(`Full structured doc: --json or --pretty`);
     return lines.join("\n");
   });
@@ -3223,6 +3265,19 @@ function cmdRun(runner, args, runOpts, pretty) {
   // Single-playbook path (existing behavior).
   const playbookId = positional;
   if (refuseInvalidPlaybookId("run", playbookId, pretty)) return;
+  // --evidence-dir is a contract input: cmdRunMulti reads one
+  // <playbook-id>.json per playbook in an --all / --scope run. With a single
+  // named playbook it was silently ignored, so `run secrets --evidence-dir ./ev`
+  // ran against EMPTY evidence and reported a clean "not_detected" verdict — a
+  // falsely-reassuring result from a security tool. Refuse loudly and point the
+  // operator at the flag that actually loads evidence for one playbook.
+  if (args["evidence-dir"]) {
+    return emitError(
+      `run ${playbookId}: --evidence-dir applies to contract runs (exceptd run --all / --scope <type>), where it reads one <playbook-id>.json per playbook. For a single playbook, pass its evidence directly: exceptd collect ${playbookId} | exceptd run ${playbookId} --evidence -  (or --evidence ${playbookId}.json).`,
+      { playbook: playbookId, provided: "--evidence-dir", use_instead: "--evidence <file|->" },
+      pretty
+    );
+  }
   const pb = runner.loadPlaybook(playbookId);
   const directiveId = args.directive || (pb.directives[0] && pb.directives[0].id);
   if (!directiveId) return refuseNoDirectives("run", playbookId, pretty);
@@ -3286,12 +3341,16 @@ function cmdRun(runner, args, runOpts, pretty) {
   // first, then falls back to a strict isTTY===false check only on Windows
   // (where fstat on a pipe is unreliable). MSYS-bash on win32 reports
   // isTTY === false for genuine piped input, so that path still works.
-  if (!args.evidence && hasReadableStdin()) {
+  const autoStdin = !args.evidence && hasReadableStdin();
+  if (autoStdin) {
     args.evidence = "-";
   }
   if (args.evidence) {
     try {
-      submission = readEvidence(args.evidence);
+      // explicit:false on the auto-promotion path suppresses the empty-stdin
+      // nudge (which otherwise writes to stderr and breaks `run ... 2>&1 | jq`
+      // on every no-evidence CI run); an explicit `--evidence -` still nudges.
+      submission = readEvidence(args.evidence, { explicit: !autoStdin });
     } catch (e) {
       return emitError(`run: failed to read evidence: ${e.message}`, { evidence: args.evidence }, pretty);
     }
@@ -3531,7 +3590,40 @@ function cmdRun(runner, args, runOpts, pretty) {
     // Set exitCode BEFORE emit(): emit's ok:false fallback only fires when
     // exitCode is not already set, so the BLOCKED override survives.
     process.exitCode = args.ci ? EXIT_CODES.BLOCKED : EXIT_CODES.GENERIC_FAILURE;
-    emit(result, pretty);
+    emit(result, pretty, (obj) => {
+      // Human renderer for a halted run. Without this, a blocked verdict
+      // (preflight precondition unmet, mutex conflict, stale currency,
+      // corrupt catalog) dumped the raw ok:false JSON envelope even in human
+      // mode — so a non-Linux operator's first `run` against any Linux-gated
+      // playbook was a wall of JSON instead of one line saying why it stopped
+      // and what to do. --json / --pretty still return the full envelope.
+      const v = obj.verdict || "error";
+      const tag = v === "blocked" ? "[blocked]" : "[error]";
+      const lines = [`${tag}  ${obj.playbook_id || "run"}${obj.directive_id ? ` (${obj.directive_id})` : ""}`];
+      // summary_line is already a complete sentence ("<pb>: blocked at
+      // preflight (<cause>) — <reason>"); prefer it, else fall back to reason.
+      const detail = obj.summary_line || obj.reason;
+      if (detail) lines.push(`  ${detail}`);
+      // remediation is the engine's own actionable next step when it has one;
+      // otherwise synthesize a hint from blocked_by so the operator never hits
+      // a dead end. Hints reference only current verbs (plan/direct were
+      // removed in v0.13.0; brief --all is the replacement listing verb).
+      if (obj.remediation) {
+        lines.push(`  → ${obj.remediation}`);
+      } else {
+        const hints = {
+          precondition: "→ Preconditions are not met on this host (often a platform gate, e.g. a Linux-only playbook). List playbooks that fit your platform: exceptd brief --all",
+          mutex: "→ Another run holds this playbook's mutex. Wait for it to finish, then retry.",
+          currency: "→ Threat intel is stale. Refresh sources (exceptd refresh) or re-run with --force-stale to override.",
+          catalog_corrupt: "→ The CVE catalog failed to load. Reinstall the package or run: exceptd doctor",
+          playbook_not_found: "→ Unknown playbook. List available playbooks: exceptd brief --all",
+          directive_not_found: `→ Unknown directive for this playbook. See its directives: exceptd brief ${obj.playbook_id || "<playbook>"}`,
+        };
+        if (obj.blocked_by && hints[obj.blocked_by]) lines.push(`  ${hints[obj.blocked_by]}`);
+      }
+      lines.push("  Full envelope: re-run with --json");
+      return lines.join("\n");
+    });
     return;
   }
 
@@ -6386,8 +6478,10 @@ function cmdDoctor(runner, args, runOpts, pretty) {
     "json", "pretty", "fix", "air-gap",
     "signatures", "currency", "cves", "rfcs", "registry-check",
     "ai-config", "collectors", "exit-codes", "shipped-tarball",
-    // Global flags the parser may inject regardless of verb.
-    "_", "json-stdout-only", "_jsonMode",
+    // Global flags the parser may inject regardless of verb. Keep in sync
+    // with VERB_FLAG_ALLOWLIST._global in lib/flag-suggest.js — quiet/verbose
+    // are accepted on every verb, so doctor must not refuse them as typos.
+    "_", "json-stdout-only", "_jsonMode", "quiet", "verbose",
   ]);
   const unknownFlags = Object.keys(args).filter(k => !KNOWN_DOCTOR_FLAGS.has(k));
   if (unknownFlags.length > 0) {
@@ -7285,7 +7379,7 @@ function cmdDoctor(runner, args, runOpts, pretty) {
     if (c.ahead) {
       return `npm registry: local v${c.local_version ?? "?"} AHEAD of published v${c.published_version ?? "?"} (unreleased / dev install)`;
     }
-    return `npm registry: check returned no comparison (raw exit=${c.exit_code ?? "?"})`;
+    return "npm registry: could not compare versions (registry unreachable, offline, or no published version yet). Run `npm view @blamejs/exceptd-skills version` to see the latest, then `npm install -g @blamejs/exceptd-skills@latest` if you are behind.";
   });
   // v0.12.9 (P3 #10): surface shipped_tarball sub-check when --shipped-tarball was used.
   if (checks.signatures?.shipped_tarball) {

package/data/_indexes/_meta.json

@@ -1,13 +1,13 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-30T07:08:37.048Z",
+  "generated_at": "2026-05-30T16:43:35.543Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 54,
   "source_hashes": {
-    "manifest.json": "970c197defcefa117bffcd713b167e14c90f36506e496794485d7bcb2e1789b0",
+    "manifest.json": "0b52ef7f74953dd925a1a5e718c30e8d4c9b4bb0d43da3109e0e0276837cca68",
     "data/atlas-ttps.json": "878b4a08bb73c8d20396d85cf433a88f2bc5e7a8cbf7f6ab773ce7ede0a11251",
-    "data/attack-techniques.json": "6255e929454291c9f2ab48b600bbedf68a1678c5eb04504e5323a2d6ff5f3e36",
-    "data/cve-catalog.json": "6a081bf58b2aafc37b7c297b63edb8bca7db6ee93ec69014d34ab9fc764cbb98",
+    "data/attack-techniques.json": "84fad74c8497cab922ed64b814752f54aa4620c2a938cb06642ff1510e1c5cb3",
+    "data/cve-catalog.json": "7a5f4e31401505e53330cdc4b54b39f8a8b04459d6b9411676d291c583ae535f",
     "data/cwe-catalog.json": "0fd275c2a61754958d68cea03a92794a67cf1c1d4d609f81a5728334df013ee3",
     "data/d3fend-catalog.json": "9a54bccb9f24f84b32024216cc3f53819a053721ac8ab43c326859e68fc0ffaf",
     "data/dlp-controls.json": "d2406c482dddd30e49203879999dc4b3a7fd4d0494d6a61d86b91ee76415df19",
@@ -15,7 +15,7 @@
     "data/framework-control-gaps.json": "29e7b6aa841ddf2530ca5971bdb60d7a715684b2f6264141ad49f0de9a039d78",
     "data/global-frameworks.json": "9ba563a85f7f8d6c3c957de64945e20925a89d0ed6ea6fc561cf093811acf558",
     "data/rfc-references.json": "b21d03b948c41bc8a854e2f057948ecf844bd8c105848aeb141d1eadf8192c31",
-    "data/zeroday-lessons.json": "5337ae234da930e89a31d185d739f081cd95086223006ae7b5121f1ab7674791",
+    "data/zeroday-lessons.json": "acf9b2b001844dd2cacf1d29c7175d60db49b103847c9fddd242d2a98087541d",
     "skills/kernel-lpe-triage/skill.md": "0f79c641cef6e5f4a942eb94f43c460562bf83dfb67ae112d146c39c6b320fb0",
     "skills/ai-attack-surface/skill.md": "2880499993e0e69e3897a9d02b5e83aa0462c86a4dd2c1988b9968e375704a1f",
     "skills/mcp-agent-trust/skill.md": "0752834acde0303d6d1e36be4b320eac3d34fde715bb8d71f3ad9e801d701482",
@@ -32,7 +32,7 @@
     "skills/skill-update-loop/skill.md": "16cd5a61ccd87c61901e9b209fff0e26ca6540c0cfcb8e231ac17917c50d56bb",
     "skills/security-maturity-tiers/skill.md": "de7a67b1f6ae79be490656939ac59b5772aa648dae4759733d80d6bf4595c278",
     "skills/researcher/skill.md": "9f1211d177c64e4c465407a45ad9e2901c5c6c0af410a0d0a51cc8fb780420d4",
-    "skills/attack-surface-pentest/skill.md": "6174a20b777a82c83941ef64d27e8c7e4091649358930ac1ba564a0ad4d9399f",
+    "skills/attack-surface-pentest/skill.md": "8d1137c3270763f1c90a3fa8c1c19ab5dc769623c1a35d6a71859bdb8cca2a3e",
     "skills/fuzz-testing-strategy/skill.md": "07e2ee5f773a3f0e82bd21b8a7e8cf6d5b1a8bf3ac6f71602f16550561ade553",
     "skills/dlp-gap-analysis/skill.md": "89dedc6c062fa2afd2284e608f4a51effda819e9288fbf38ab16a7891ccd8a10",
     "skills/supply-chain-integrity/skill.md": "7c568ee9805f4c822c16c266348e35fa6f2d7a3c76135fa34b0cfa77f003a878",
@@ -44,7 +44,7 @@
     "skills/webapp-security/skill.md": "9dc8c0e51c78ad93ef9de91dd9054370dfebeea2161a87f909202ecacfad1504",
     "skills/ai-risk-management/skill.md": "3e116dc6f03f31e32f1ee885516d72d9c11d3ff67d2184108b13dcbdf5f417bf",
     "skills/sector-healthcare/skill.md": "148520af64959a60018a24f4368670925980db3e73aa09af73194f8ea61f1fcc",
-    "skills/sector-financial/skill.md": "eb526fdd9fff84943fff951ca7762de4304adbf3212eb26c73521a8979bb776d",
+    "skills/sector-financial/skill.md": "ad33faa8dddbeb23fed88f464205c630e3fa50c669d3e1ba7ed54f23719efd55",
     "skills/sector-federal-government/skill.md": "870dead2eae1b2664b1e151dd73d8fa240a62a297bdbcddee37bd1cb60e5e5f4",
     "skills/sector-energy/skill.md": "432213dfc9ee271631ce3171daf62a103a010b27a51911dd1112bd5d8bc6c152",
     "skills/sector-telecom/skill.md": "4b80771e78a474e3f43227ecc730ddda1684bff98d7e6e53f5ec373e1e886f34",
@@ -56,7 +56,7 @@
     "skills/ransomware-response/skill.md": "d0f456f1c31ec2968bb4c2cea67eb628d5baf857f17650ab204cf7931b3317ef",
     "skills/email-security-anti-phishing/skill.md": "0965eca982e8fc633b85e70c0ba6becb8c0f5ee7bdd0be96ad73a9a222bb8816",
     "skills/age-gates-child-safety/skill.md": "6d4d29e54a115314c3c0ea9f5df47bdc2828f3b226fff4b5974d898b56c0cd73",
-    "skills/cloud-iam-incident/skill.md": "5ec3800a0049b2123aff67bfab4ff28491a86d2daeb712283e5e88b10c3d5d7b",
+    "skills/cloud-iam-incident/skill.md": "6aab2e400d1e87df7ac2b6f0a17dac6aa99723b217258c4a7b446703d1521775",
     "skills/idp-incident-response/skill.md": "cb2f2c5b90de4592bfd66dcd55f9bf2004f370746d519cad577fcbaf36125878"
   },
   "skill_count": 42,
@@ -78,7 +78,7 @@
     "handoff_dag_nodes": 42,
     "summary_cards": 42,
     "section_offsets_skills": 42,
-    "token_budget_total_approx": 418479,
+    "token_budget_total_approx": 418426,
     "recipes": 8,
     "jurisdiction_clocks": 29,
     "did_ladders": 8,

package/data/_indexes/activity-feed.json

@@ -5,6 +5,14 @@
     "event_count": 54
   },
   "events": [
+    {
+      "date": "2026-05-30",
+      "type": "catalog_update",
+      "artifact": "data/cve-catalog.json",
+      "path": "data/cve-catalog.json",
+      "schema_version": "1.0.0",
+      "entry_count": 427
+    },
     {
       "date": "2026-05-27",
       "type": "catalog_update",
@@ -143,14 +151,6 @@
       "path": "skills/email-security-anti-phishing/skill.md",
       "note": "Email security + anti-phishing for mid-2026 — SPF/DKIM/DMARC/BIMI/ARC/MTA-STS/TLSRPT, AI-augmented phishing (vishing, deepfake video, hyperpersonalized email), Business Email Compromise, secure email gateways"
     },
-    {
-      "date": "2026-05-18",
-      "type": "catalog_update",
-      "artifact": "data/cve-catalog.json",
-      "path": "data/cve-catalog.json",
-      "schema_version": "1.0.0",
-      "entry_count": 427
-    },
     {
       "date": "2026-05-18",
       "type": "catalog_update",

package/data/_indexes/catalog-summaries.json

@@ -53,7 +53,7 @@
       "path": "data/cve-catalog.json",
       "purpose": "Per-CVE record (CVSS, EPSS, CISA KEV, RWEP, AI-discovery, vendor advisories, framework gaps, ATLAS/ATT&CK mappings). Cross-validated against NVD + CISA KEV + FIRST EPSS via validate-cves.",
       "schema_version": "1.0.0",
-      "last_updated": "2026-05-18",
+      "last_updated": "2026-05-30",
       "tlp": "CLEAR",
       "source_confidence_default": "A1",
       "freshness_policy": {

package/data/_indexes/section-offsets.json

@@ -1865,7 +1865,7 @@
     },
     "attack-surface-pentest": {
       "path": "skills/attack-surface-pentest/skill.md",
-      "total_bytes": 33291,
+      "total_bytes": 33158,
       "total_lines": 388,
       "frontmatter": {
         "line_start": 1,
@@ -1888,25 +1888,25 @@
           "normalized_name": "framework-lag-declaration",
           "line": 106,
           "byte_start": 6410,
-          "byte_end": 10973,
-          "bytes": 4563,
+          "byte_end": 10953,
+          "bytes": 4543,
           "h3_count": 0
         },
         {
           "name": "TTP Mapping (MITRE ATLAS v5.6.0 + MITRE ATT&CK v19.0)",
           "normalized_name": "ttp-mapping",
           "line": 124,
-          "byte_start": 10973,
-          "byte_end": 13208,
-          "bytes": 2235,
+          "byte_start": 10953,
+          "byte_end": 13162,
+          "bytes": 2209,
           "h3_count": 0
         },
         {
           "name": "Exploit Availability Matrix",
           "normalized_name": "exploit-availability-matrix",
           "line": 143,
-          "byte_start": 13208,
-          "byte_end": 15663,
+          "byte_start": 13162,
+          "byte_end": 15617,
           "bytes": 2455,
           "h3_count": 0
         },
@@ -1914,17 +1914,17 @@
           "name": "Analysis Procedure",
           "normalized_name": "analysis-procedure",
           "line": 160,
-          "byte_start": 15663,
-          "byte_end": 25366,
-          "bytes": 9703,
+          "byte_start": 15617,
+          "byte_end": 25273,
+          "bytes": 9656,
           "h3_count": 4
         },
         {
           "name": "Output Format",
           "normalized_name": "output-format",
           "line": 281,
-          "byte_start": 25366,
-          "byte_end": 29363,
+          "byte_start": 25273,
+          "byte_end": 29270,
           "bytes": 3997,
           "h3_count": 9
         },
@@ -1932,8 +1932,8 @@
           "name": "Compliance Theater Check",
           "normalized_name": "compliance-theater-check",
           "line": 363,
-          "byte_start": 29363,
-          "byte_end": 31679,
+          "byte_start": 29270,
+          "byte_end": 31586,
           "bytes": 2316,
           "h3_count": 0
         },
@@ -1941,9 +1941,9 @@
           "name": "Defensive Countermeasure Mapping (D3FEND)",
           "normalized_name": "defensive-countermeasure-mapping",
           "line": 377,
-          "byte_start": 31679,
-          "byte_end": 33291,
-          "bytes": 1612,
+          "byte_start": 31586,
+          "byte_end": 33158,
+          "bytes": 1572,
           "h3_count": 0
         }
       ]
@@ -2984,7 +2984,7 @@
     },
     "sector-financial": {
       "path": "skills/sector-financial/skill.md",
-      "total_bytes": 50325,
+      "total_bytes": 50285,
       "total_lines": 401,
       "frontmatter": {
         "line_start": 1,
@@ -3034,16 +3034,16 @@
           "normalized_name": "analysis-procedure",
           "line": 182,
           "byte_start": 26352,
-          "byte_end": 35108,
-          "bytes": 8756,
+          "byte_end": 35068,
+          "bytes": 8716,
           "h3_count": 10
         },
         {
           "name": "Output Format",
           "normalized_name": "output-format",
           "line": 271,
-          "byte_start": 35108,
-          "byte_end": 38515,
+          "byte_start": 35068,
+          "byte_end": 38475,
           "bytes": 3407,
           "h3_count": 15
         },
@@ -3051,8 +3051,8 @@
           "name": "Compliance Theater Check",
           "normalized_name": "compliance-theater-check",
           "line": 335,
-          "byte_start": 38515,
-          "byte_end": 42853,
+          "byte_start": 38475,
+          "byte_end": 42813,
           "bytes": 4338,
           "h3_count": 0
         },
@@ -3060,8 +3060,8 @@
           "name": "Defensive Countermeasure Mapping",
           "normalized_name": "defensive-countermeasure-mapping",
           "line": 370,
-          "byte_start": 42853,
-          "byte_end": 46572,
+          "byte_start": 42813,
+          "byte_end": 46532,
           "bytes": 3719,
           "h3_count": 0
         },
@@ -3069,8 +3069,8 @@
           "name": "Hand-Off / Related Skills",
           "normalized_name": "hand-off",
           "line": 385,
-          "byte_start": 46572,
-          "byte_end": 50325,
+          "byte_start": 46532,
+          "byte_end": 50285,
           "bytes": 3753,
           "h3_count": 0
         }
@@ -4112,7 +4112,7 @@
     },
     "cloud-iam-incident": {
       "path": "skills/cloud-iam-incident/skill.md",
-      "total_bytes": 44474,
+      "total_bytes": 44433,
       "total_lines": 416,
       "frontmatter": {
         "line_start": 1,
@@ -4162,16 +4162,16 @@
           "normalized_name": "analysis-procedure",
           "line": 185,
           "byte_start": 22803,
-          "byte_end": 30428,
-          "bytes": 7625,
+          "byte_end": 30423,
+          "bytes": 7620,
           "h3_count": 12
         },
         {
           "name": "Output Format",
           "normalized_name": "output-format",
           "line": 275,
-          "byte_start": 30428,
-          "byte_end": 32626,
+          "byte_start": 30423,
+          "byte_end": 32621,
           "bytes": 2198,
           "h3_count": 15
         },
@@ -4179,8 +4179,8 @@
           "name": "Compliance Theater Check",
           "normalized_name": "compliance-theater-check",
           "line": 338,
-          "byte_start": 32626,
-          "byte_end": 37225,
+          "byte_start": 32621,
+          "byte_end": 37220,
           "bytes": 4599,
           "h3_count": 0
         },
@@ -4188,17 +4188,17 @@
           "name": "Defensive Countermeasure Mapping",
           "normalized_name": "defensive-countermeasure-mapping",
           "line": 374,
-          "byte_start": 37225,
-          "byte_end": 41301,
-          "bytes": 4076,
+          "byte_start": 37220,
+          "byte_end": 41260,
+          "bytes": 4040,
           "h3_count": 0
         },
         {
           "name": "Hand-Off / Related Skills",
           "normalized_name": "hand-off",
           "line": 396,
-          "byte_start": 41301,
-          "byte_end": 44474,
+          "byte_start": 41260,
+          "byte_end": 44433,
           "bytes": 3173,
           "h3_count": 0
         }