npm - @blamejs/exceptd-skills - Versions diffs - 0.15.53 → 0.16.0 - Mend

@blamejs/exceptd-skills 0.15.53 → 0.16.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,11 @@
 # Changelog
+## 0.16.0 — 2026-05-31
+Supply-chain playbook gains reachability-aware triage and publisher-identity detection. A CVE-reachability demoter flags a matched-CVE dependency whose vulnerable module is never imported on a path from your own code, supporting exploit-priority triage of the runtime-vs-build-only distinction — it over-approximates toward reachable (any dynamic / plugin / reflective load counts as reachable) so it only demotes a match when reachability is explicitly attested, and the CVE matcher itself is unchanged. A publisher-identity-change detector flags an account-takeover precursor: a dependency whose publishing account, maintainer set, or provenance identity changed across an update while its capability surface stayed identical — the silent ownership-handoff release that precedes a payload, which the capability-creep detector cannot see.
+Two compliance-theater fingerprints are added — a declared license policy that no build gate actually enforces against the resolved tree, and a declared publisher-trust control (maintainer vetting / MFA-on-publish / registry cooldown) that no intake gate blocks on.
 ## 0.15.53 — 2026-05-30
 Catalog: package-class entries can now carry an optional package-confidence signal — a 0–100 supply-chain trustworthiness score with inverse polarity to RWEP (high = trustworthy provenance, low = behaves like malware), derived from maintainer, code-quality, behavioral, and provenance sub-signals. It is surfaced alongside RWEP and never feeds or replaces it: RWEP answers "how urgently must I act on this known vulnerability," while package-confidence answers "how much do I trust this package's provenance." Populated on the supply-chain malware entries (the MOIKA dependency-confusion campaign, TrapDoor, Shai-Hulud, the node-ipc credential-stealer, and the node-ipc protestware incident).

package/data/_indexes/_meta.json CHANGED Viewed

@@ -1,10 +1,10 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-31T05:03:02.966Z",
+  "generated_at": "2026-05-31T10:26:41.259Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 54,
   "source_hashes": {
-    "manifest.json": "4359446f2ab6bfb0484b716ca15b81755ca4075d941b0c8caa5d2d4ad1c4f0a7",
+    "manifest.json": "b2470edc747a7cb7f4d2d31e94bccead4ac79a5b605ea67ef12757c9353c186d",
     "data/atlas-ttps.json": "878b4a08bb73c8d20396d85cf433a88f2bc5e7a8cbf7f6ab773ce7ede0a11251",
     "data/attack-techniques.json": "318bf8e9c5aee1d0a4a1dc37c4b211f2fbc937bf332a401a22483cc7d0547252",
     "data/cve-catalog.json": "1aac7e75eae24ece2ef09d1c63977bdd7a1f81a9f11609ebb966109be316426c",

package/data/playbooks/sbom.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "_meta": {
     "id": "sbom",
-    "version": "1.3.1",
+    "version": "1.4.0",
     "last_threat_review": "2026-05-13",
     "threat_currency_score": 96,
     "changelog": [
@@ -58,6 +58,11 @@
         "version": "1.3.1",
         "date": "2026-05-30",
         "summary": "Add three supply-chain detection-depth indicators: typosquat/homoglyph package-name detection (reusing the vendored codepoint-class confusable tables), a static content red-flag screen (obfuscation / high-entropy / trivial-package / eval+dynamic-require, T1027), and a dependency-confusion resolution-source check (internal scope served by the public registry / inflated-version squat, correlating to MAL-2026-MOIKA-DEPCONFUSION) — each with a paired look artifact and false-positive profile."
+      },
+      {
+        "version": "1.4.0",
+        "date": "2026-05-31",
+        "summary": "Add a CVE-reachability demoter (dependency-cve-unreachable: flags a matched-CVE dependency whose vulnerable module is not imported on a first-party path, over-approximating to reachable so it only demotes with an explicit reachability attestation; the package-matches-catalogued-cve matcher is unchanged), a publisher-identity-change detector (account-takeover/ownership-handoff precursor that fires on a publisher/provenance-identity change absent a capability change), and two compliance-theater fingerprints (license-policy and publisher-trust attested-but-not-enforced). Theater-fingerprint count 6 -> 8."
       }
     ],
     "owner": "@blamejs/supply-chain",
@@ -321,6 +326,26 @@
             "openssf-model-signing",
             "atlas-aml-t0018"
           ]
+        },
+        {
+          "pattern_id": "license-policy-attested-but-not-enforced",
+          "claim": "We have an approved open-source license policy — copyleft / non-permissive dependencies are governed.",
+          "fast_detection_test": "Locate the declared license policy (allowlist/denylist in a LICENSE-POLICY doc, OSS-governance config, or contractual SBOM clause). Then walk the resolved dependency tree (license field per node in package-lock.json/yarn.lock/pnpm-lock.yaml, PyPI METADATA, Cargo metadata, go-licenses) and confirm a build-time gate actually fails the build on a policy-violating, license-change-across-version, or missing/ambiguous license. Theater if the policy exists as a document but (a) no CI/build step enforces it (no license-check / dependency-review / scancode / FOSSA gate wired into the pipeline that can BLOCK a merge or build), OR (b) the produced SBOM carries no per-component license field to enforce against, OR (c) dependencies resolve with missing/UNKNOWN license strings that the gate does not reject. Policy-as-attestation without a blocking gate against the live resolved tree = paper compliance.",
+          "implicated_controls": [
+            "eu-cra-art13",
+            "nist-800-218-SSDF-PS-3",
+            "cyclonedx-1-6"
+          ]
+        },
+        {
+          "pattern_id": "publisher-trust-attested-but-not-enforced",
+          "claim": "We vet upstream package publishers — maintainer identity, account MFA, and publish recency are part of our supply-chain controls.",
+          "fast_detection_test": "Locate the declared publisher-trust control (a maintainer-vetting policy, an MFA-on-publish requirement, a registry-cooldown / minimumReleaseAge setting, an abandoned/unmaintained-dependency review). Then confirm a build-time or intake gate actually ENFORCES it against the live resolved tree: does any pipeline step BLOCK on a dependency whose publishing account changed (ownership handoff / new-or-nonexistent author), whose maintainer lacks 2FA, that was published inside the cooldown window, or that is deprecated/unmaintained? Theater if the policy exists as a document but (a) no .npmrc before= / minimumReleaseAge cooldown is configured, (b) no dependency-review / publisher-identity gate can fail a build on an ownership change, or (c) deprecated/unmaintained dependencies are not surfaced for review. Publisher-trust as attestation without a blocking intake gate = paper compliance; the identity discontinuity that precedes account-takeover payloads (PyPI Revival Hijack class) passes an unenforced policy untouched.",
+          "implicated_controls": [
+            "nist-800-218-SSDF",
+            "eu-cra-art13",
+            "nist-800-53-SA-12"
+          ]
         }
       ],
       "framework_context": {
@@ -442,7 +467,7 @@
         },
         {
           "skill": "compliance-theater",
-          "purpose": "Run the six theater fingerprints in govern.theater_fingerprints; emit verdict per pattern.",
+          "purpose": "Run the eight theater fingerprints in govern.theater_fingerprints; emit verdict per pattern.",
           "required": true
         },
         {
@@ -645,6 +670,13 @@
           "source": "Read scope-to-registry resolution config: .npmrc + $HOME/.npmrc (@scope:registry= lines, registry=, always-auth), .yarnrc.yml (npmScopes), pip.conf / pip.ini (index-url, extra-index-url), and any private-registry manifest listing internal @scopes / package names. Cross with repo-lockfiles resolved URLs to determine which registry actually served each internal-scope name.",
           "description": "Resolution-source configuration — distinguishes an internal-namespace package correctly pinned to a private registry (safe) from one resolvable off the public registry (dependency-confusion exposed). Without it the indicator can only see inflated-version heuristics; with it the resolution-source check becomes high-confidence.",
           "required": false
+        },
+        {
+          "id": "cve-reachability-surface",
+          "type": "config_file",
+          "source": "For each dependency that matched a catalogued CVE (the package-matches-catalogued-cve hit set), statically resolve whether the catalogued-vulnerable module is imported on a first-party call path: grep the repo's own source for import/require of the matched package's vulnerable module/submodule/symbol; build the first-party import graph through direct dependencies; flag uncertainty edges (dynamic import, plugin discovery, native/FFI). Records reachable | unreachable | uncertain per matched CVE; uncertainty is recorded as reachable.",
+          "description": "CVE reachability surface — the static import-graph evidence the dependency-cve-unreachable demoter reads. Over-approximates: any uncertainty is recorded as reachable so the demoter cannot fire on it. Optional sweep; absence leaves every matched CVE treated as reachable (the matcher stands unchanged).",
+          "required": false
         }
       ],
       "collection_scope": {
@@ -924,6 +956,39 @@
             "Distinguish an inflated version that reflects a real (if unusual) upstream release from a squat. Check the package real release history on the AUTHORITATIVE registry for this scope: a genuine 99.x maintained release is not a squat. Demote when the inflated version is the legitimate publisher actual latest on the correct registry.",
             "Confirm the resolved artifact actually came from the public registry for this run (lockfile resolved/resolution URL host = registry.npmjs.org / files.pythonhosted.org), not the private mirror that merely proxies public names. A private proxy serving a vetted copy under the internal scope is not confusion-exposed. Demote when the resolution host is the internal/proxy registry."
           ]
+        },
+        {
+          "id": "dependency-cve-unreachable",
+          "type": "behavioral_signal",
+          "value": "For a dependency that already fired package-matches-catalogued-cve, statically determine whether the catalogued-vulnerable module is reachable from first-party code: within the cve-reachability-surface artifact, the matched package's vulnerable entry-point (the import name / submodule / exported symbol associated with the catalogued CVE) is NOT imported/required on any static call path originating in the repo's own source. FIRES as an INFORMATIONAL demotion candidate — the matched CVE is present in the dependency tree but no first-party import reaches the vulnerable module. OVER-APPROXIMATES toward reachable: any uncertainty (dynamic import, plugin loader, reflective require, unresolved alias, native/FFI edge) is treated as REACHABLE and this indicator does NOT fire. Surfaces ALONGSIDE package-matches-catalogued-cve; never replaces or suppresses it.",
+          "description": "Reachability demoter — flags a matched-CVE dependency whose vulnerable module has no static import/require path from first-party source, to support RWEP triage (the runtime-presence-vs-build-only distinction the matcher does not compute). Low-confidence + non-deterministic, so a firing hit never reaches the 'detected' classification branch and cannot mute a real match; the package-matches-catalogued-cve matcher remains high-confidence on tree presence and is unchanged. Behavior note: when this fires unattested, the false-positive gate downgrades it to inconclusive, so a tree whose ONLY signal is an unreachable matched-CVE reports inconclusive rather than not_detected — the intended, correctly-surfaced reachability question.",
+          "confidence": "low",
+          "deterministic": false,
+          "attack_ref": "T1195.002",
+          "atlas_ref": "AML.T0010",
+          "false_positive_checks_required": [
+            "Over-approximate uncertain to reachable: any dynamic-import / dynamic-require / reflective or computed module load (require(variable), import(expr), importlib.import_module, __import__, entry-point/plugin discovery, dependency-injection wiring, monkeypatch) anywhere in scope means the vulnerable module reachability cannot be statically excluded — do NOT fire; treat as reachable and let the unchanged matcher stand. This is the load-bearing check: it makes the indicator demote-only-with-attestation, never mute-by-default.",
+            "Plugin-loader / framework auto-registration reachability: confirm the matched package is not loaded implicitly by a framework's convention-based discovery (webpack/vite plugin arrays, pytest entry-points, setuptools console_scripts, Spring/DI auto-wiring, eager package __init__ side effects). Do NOT fire when implicit loading is possible.",
+            "Build/dev-only carve-out: a vulnerable module reachable ONLY from devDependencies / build tooling / test harness (not bundled into and not loaded by the shipped runtime artifact) is lower-priority, but confirm it is build/dev-only by checking the dependency manifest section AND that no runtime code path imports it. Record build-dev-only=true rather than asserting full unreachability when the only reachers are build/test files.",
+            "Transitive-only relocation: when the matched package is transitive-only, confirm the first-party graph does not reach it through an intermediate direct dependency that re-exports or proxies the vulnerable symbol. Walk the effective import graph through direct deps, not just first-party files; do NOT fire when an in-path direct dependency reaches the vulnerable module."
+          ]
+        },
+        {
+          "id": "dependency-publisher-identity-change-without-capability-change",
+          "type": "behavioral_signal",
+          "value": "For any dependency present in repo-lockfiles / npm-global-packages / container-image-layers whose resolved version advanced (or whose content changed under an unchanged version string) since the last recorded inventory, compare PUBLISHER IDENTITY across the two points WITHOUT requiring any capability-surface change. PUBLISHER IDENTITY = (a) the npm/PyPI publishing account(s) / maintainer set on the package metadata, (b) the provenance/signing identity (npm --provenance OIDC subject, Sigstore certificate identity, GPG/maintainer key fingerprint), (c) the publish-source repository / CI identity in the provenance statement. FIRES when ANY of: the maintainer set gained a new or previously-unseen publisher, the sole prior maintainer was replaced (ownership handoff), the publishing account is newly-created / has no prior publish history on this package (new-author), the named maintainer account no longer resolves (non-existent-author / deleted-then-reclaimed handle), or the provenance/signing identity changed — AND the capability surface is UNCHANGED across the bump (so dependency-capability-creep-across-version-bump did not fire). The defining condition is identity discontinuity ABSENT a behavior delta: a silent ownership handoff that ships no new capability yet — the trust-establishment release that precedes a payload release (PyPI Revival Hijack / abandoned-package re-registration / account-takeover staging).",
+          "description": "Publisher-identity-change detector — flags a same-name dependency whose publishing account, maintainer set, or provenance/signing identity changed across an update while its capability surface stayed identical. Catches the account-takeover / ownership-handoff PRECURSOR that capability-creep cannot see: capability-creep only fires on a behavior delta, so a takeover release that ships no new capability (the trust-staging version before the payload version) is invisible to it. Pre-disclosure, identity-axis signal complementary to the capability, name-similarity, and resolution-source axes.",
+          "confidence": "medium",
+          "deterministic": false,
+          "attack_ref": "T1195.001",
+          "atlas_ref": "AML.T0010",
+          "false_positive_checks_required": [
+            "Confirm the identity change is not a documented, legitimate maintainer transition: many healthy projects hand off to a new maintainer, add a co-maintainer, or migrate the org scope. Benign when the new publisher is announced in the project release notes / GOVERNANCE / README / a pinned issue AND the handoff is corroborated by the project own VCS (the new identity is an existing committer with merge rights, not an outside account). Demote to inconclusive and record the citation when the transition is publicly documented and VCS-corroborated.",
+            "Distinguish an identity-STRING change from an identity-PRINCIPAL change: npm provenance OIDC subjects, CI runner identities, and signing-key rotations change routinely on legitimate infra migrations. Demote when the underlying principal is unchanged — same GitHub org/repo as the provenance source, key rotation cross-signed by the prior key, or 2FA-enforced account simply re-issuing a token. Elevate only when the principal itself (the human/org behind the publish) changed.",
+            "Rule out first-publish / metadata-backfill noise: a package that had no prior recorded publisher in scope (first time this dependency entered the inventory) has nothing to diff against. Require a recorded prior publisher identity for this exact package before firing; demote to inconclusive when the prior-inventory identity is simply missing.",
+            "Confirm the new release publish age and cadence: a documented handoff that then publishes on the project normal cadence (not a sub-72h fresh publish, npm before=/minimumReleaseAge cooldown satisfied) is far lower risk. Demote normal-cadence post-handoff releases; ELEVATE when the identity change co-occurs with an off-cadence / sub-cooldown publish, a deleted-then-reclaimed maintainer handle, or a publishing account with zero prior history on any package.",
+            "Verify the package is actually a trust-bearing dependency in scope, not a dev/test-only artifact whose maintainer change cannot reach a runtime or build-output path. Confirm runtime or build-pipeline reachability before elevating; demote dev-only to low."
+          ]
         }
       ],
       "false_positive_profile": [
@@ -966,6 +1031,16 @@
           "indicator_id": "dependency-confusion-internal-scope-public-resolution",
           "benign_pattern": "An org legitimately consumes a public scoped package (@types/*, @babel/*, @aws-sdk/*) that superficially resembles an internal naming convention; OR an internal scope is already correctly pinned to the private registry so the public squat cannot win resolution.",
           "distinguishing_test": "Resolve each flagged @scope against (1) the org private-registry internal-scope list and (2) the .npmrc/.yarnrc/pip index scope-to-registry mapping. Dependency-confusion-exposed only when ALL hold: the scope is an internal namespace, a same-name private package exists, the scope is NOT pinned to the private registry, and the lockfile resolved host is the public registry. If any fails, downgrade to medium/informational."
+        },
+        {
+          "indicator_id": "dependency-cve-unreachable",
+          "benign_pattern": "A matched CVE whose vulnerable module IS reached — directly imported, loaded by a framework plugin convention, pulled in by a direct dependency that re-exports it, or reachable through a dynamic/reflective import the static walk cannot exclude.",
+          "distinguishing_test": "Likely-unreachable (demote the match in RWEP triage) ONLY when ALL hold: a cve-reachability-surface walk ran, no first-party static import path reaches the vulnerable module, no dynamic/plugin/reflective edge introduces uncertainty, and no in-path direct dependency re-exports the vulnerable symbol. Any uncertainty -> reachable -> do not fire. Reachable or uncertain demotes this indicator to a miss and leaves package-matches-catalogued-cve standing at high confidence."
+        },
+        {
+          "indicator_id": "dependency-publisher-identity-change-without-capability-change",
+          "benign_pattern": "A healthy open-source project legitimately transitions maintainers, adds a co-maintainer, migrates its org scope, or rotates its signing key / CI provenance identity on a scheduled infra change. The new publisher is an existing committer, the handoff is announced, and releases continue on normal cadence with no new capability and no off-cadence fresh publish.",
+          "distinguishing_test": "Takeover-precursor-leaning only when ALL hold: a recorded prior publisher identity existed for this exact package, the new publishing principal (not merely an OIDC-subject/CI string) differs, the transition is NOT documented in the project release notes/governance and NOT corroborated by the VCS committer history, and the identity change co-occurs with at least one of {off-cadence or sub-cooldown fresh publish, a deleted-then-reclaimed maintainer handle, a zero-history publishing account, an abandoned/revived package}. A documented, VCS-corroborated, normal-cadence handoff with no capability change demotes to informational."
         }
       ],
       "minimum_signal": {

package/manifest.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "exceptd-security",
-  "version": "0.15.53",
+  "version": "0.16.0",
   "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation",
   "homepage": "https://exceptd.com",
   "license": "Apache-2.0",
@@ -53,7 +53,7 @@
       ],
       "last_threat_review": "2026-05-15",
       "signature": "0H+JfyUVmo/pVFEi5rLENATHjlukPVUqnOWmNPEH77wm8svKGK0aNJ46k6QU5GdHb8c9X9pVJKiuhON6AxDjDw==",
-      "signed_at": "2026-05-31T04:48:21.114Z",
+      "signed_at": "2026-05-31T10:22:24.320Z",
       "cwe_refs": [
         "CWE-125",
         "CWE-362",
@@ -123,7 +123,7 @@
       ],
       "last_threat_review": "2026-05-17",
       "signature": "PHwHEsoy7ctBYOtlAfAdCDVfsq2Bpk9+qESSF+5dVkDcez2zp2v9Ihsv2vqMEs3QxMndyQ+t7NVezyt5VamSCg==",
-      "signed_at": "2026-05-31T04:48:21.116Z",
+      "signed_at": "2026-05-31T10:22:24.321Z",
       "cwe_refs": [
         "CWE-1039",
         "CWE-1426",
@@ -196,7 +196,7 @@
       ],
       "last_threat_review": "2026-05-17",
       "signature": "dD4p7lcRtMyfITOncqLkpOeMy6x6gM0V7UlWHgLEdcxqODb1s75ar1cBtTqDWPbMv6ZAzVo2HJLDK1hVjjU2AQ==",
-      "signed_at": "2026-05-31T04:48:21.116Z",
+      "signed_at": "2026-05-31T10:22:24.322Z",
       "cwe_refs": [
         "CWE-22",
         "CWE-345",
@@ -248,7 +248,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-22",
       "signature": "wsw8Mlr/gyw6S7Iaao9BVHdU5LFPWl8WVymW17Lkq9J1Mui0+fCrTg6UbrsaeE3s7EW3TVgzBuK+8EFd1+H5AA==",
-      "signed_at": "2026-05-31T04:48:21.117Z"
+      "signed_at": "2026-05-31T10:22:24.322Z"
     },
     {
       "name": "compliance-theater",
@@ -279,7 +279,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "uVTc1QRKOKcIVDajBz+q2egjiEAyOQaDNsvVI2ghj5FD0VvquoUBBE5Naca2FkaZa790EHWCsVZ4hhdaSQs2DQ==",
-      "signed_at": "2026-05-31T04:48:21.117Z"
+      "signed_at": "2026-05-31T10:22:24.323Z"
     },
     {
       "name": "exploit-scoring",
@@ -308,7 +308,7 @@
       ],
       "last_threat_review": "2026-05-18",
       "signature": "QuNpwnZ6HkCEAXTPC/jLbXSmMIc1JnBczqZAAIZmZj8OcEMVnw9mJYAnU3CxaEI7rvbcMkN2uS5E8yUCm/NiAg==",
-      "signed_at": "2026-05-31T04:48:21.118Z"
+      "signed_at": "2026-05-31T10:22:24.323Z"
     },
     {
       "name": "rag-pipeline-security",
@@ -345,7 +345,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "5rw2i39SxY2WphBbDLEP28wufnbPPE9+PWt54hmaGdwHXr9RLiVt5liL/5xp14sehlVgFsfpR/bg9vy//xV0DA==",
-      "signed_at": "2026-05-31T04:48:21.118Z",
+      "signed_at": "2026-05-31T10:22:24.323Z",
       "cwe_refs": [
         "CWE-1395",
         "CWE-1426"
@@ -405,7 +405,7 @@
       ],
       "last_threat_review": "2026-05-17",
       "signature": "Vqu49nzntFWjn9A/QeJzm7q/2xk/cZJ6HFQKtiNi1zgcxzXKm+MlFdkaLgYHWj5/9HJohxyIDyBJQTvcJ20eDQ==",
-      "signed_at": "2026-05-31T04:48:21.118Z",
+      "signed_at": "2026-05-31T10:22:24.324Z",
       "d3fend_refs": [
         "D3-CA",
         "D3-CSPP",
@@ -440,7 +440,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-22",
       "signature": "W87VdyVdAxAdcRI6P/8StaV+MS8ZSPKM9HOCK9n/bBO6BM3ZSE3uImVoyJVpAXQlUpUGN+A3lCJZXv64LuxwDg==",
-      "signed_at": "2026-05-31T04:48:21.119Z",
+      "signed_at": "2026-05-31T10:22:24.324Z",
       "cwe_refs": [
         "CWE-1188"
       ],
@@ -474,7 +474,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-18",
       "signature": "wdVX+edeNekpaIldqkhvtraV6DquLvIsKAjuZVwPQYn3l1vS99HXuFxmNsD7UeMlO3qgC6Dysfsto9EnuH0RBg==",
-      "signed_at": "2026-05-31T04:48:21.119Z",
+      "signed_at": "2026-05-31T10:22:24.324Z",
       "forward_watch": [
         "New AI attack classes as ATLAS v6 publishes",
         "Post-quantum adversary capability timeline",
@@ -513,7 +513,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "b5miTiY0cnxETd2btxorfZBdJKt/fLnQx20sGYUb9zEqGqtm0LMLpghkW68j4/9k48KNyuGMtNWiKTSnodUGBw==",
-      "signed_at": "2026-05-31T04:48:21.119Z"
+      "signed_at": "2026-05-31T10:22:24.325Z"
     },
     {
       "name": "zeroday-gap-learn",
@@ -540,7 +540,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-18",
       "signature": "xbkip0AQtWQKAu+O6r/gYECNjezS6O9k9xkkJsYbMlr+j8CdqH3p5/0l+GZmDidImRC/DL07GCnKrk9HRR/yDQ==",
-      "signed_at": "2026-05-31T04:48:21.120Z",
+      "signed_at": "2026-05-31T10:22:24.325Z",
       "forward_watch": [
         "New CISA KEV entries",
         "New ATLAS TTP additions in each ATLAS release",
@@ -604,7 +604,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "li2NnC1oeVIr22ComP5QbcQoh5xpWITuaKpza1s2SsUkH6kGnnt4wFfFAzaC1ORmH9x2cr8hN8kaNANG/eIMBQ==",
-      "signed_at": "2026-05-31T04:48:21.120Z",
+      "signed_at": "2026-05-31T10:22:24.325Z",
       "cwe_refs": [
         "CWE-327"
       ],
@@ -652,7 +652,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "sZHlJ7ueHPdtzVbR+yXQ5+wKgNyjWsa1LKVg9aWTmg/Onl71DvEILMyJiLpPQjseT56Mnr1DMYJE8xOGlffBAw==",
-      "signed_at": "2026-05-31T04:48:21.121Z"
+      "signed_at": "2026-05-31T10:22:24.326Z"
     },
     {
       "name": "security-maturity-tiers",
@@ -689,7 +689,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "3AwFnEJu6DukPPNep/3SnuPWEuV060fJEQIwThFm7ujmdbFk0/Ii0XwGv1dkvbbK7ymMdOQpp35l4aLONAucDA==",
-      "signed_at": "2026-05-31T04:48:21.121Z",
+      "signed_at": "2026-05-31T10:22:24.326Z",
       "cwe_refs": [
         "CWE-1188"
       ]
@@ -724,7 +724,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-11",
       "signature": "iJWevUBurLvt2v8X+Ch2eHmZkPWpKeAtIpxTIP4MwbUHyco3igDeBywJCyaR2vURYRx8LkzzIMM8DxQM4LAXBQ==",
-      "signed_at": "2026-05-31T04:48:21.121Z"
+      "signed_at": "2026-05-31T10:22:24.327Z"
     },
     {
       "name": "attack-surface-pentest",
@@ -796,7 +796,7 @@
         "Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — Microsoft Edge 4-bug sandbox escape by Orange Tsai (DEVCORE); forward-watch only (browser sandbox, out of current playbook scope); track Microsoft Edge security advisory and KEV add"
       ],
       "signature": "DDMzI+4En4aIkwBUCGW6nj1eEkCyLqHGn2LJ2rnwWfYatjPI1U5HrTZNAN/n9JqWtAzk8F3rmsKehaaz5iNWDA==",
-      "signed_at": "2026-05-31T04:48:21.121Z"
+      "signed_at": "2026-05-31T10:22:24.327Z"
     },
     {
       "name": "fuzz-testing-strategy",
@@ -856,7 +856,7 @@
         "OSS-Fuzz-Gen / AI-assisted harness generation becoming the default expectation for OSS maintainers"
       ],
       "signature": "dJB0iAstIUbyny+udl3OIkaLScEmqS97LNP73yQ8mxt+0bcqxZjpfXaWLzLuIQblGYvUvz75/H6rO2EJuGd4AQ==",
-      "signed_at": "2026-05-31T04:48:21.122Z"
+      "signed_at": "2026-05-31T10:22:24.327Z"
     },
     {
       "name": "dlp-gap-analysis",
@@ -931,7 +931,7 @@
         "Quebec Law 25, India DPDPA, KSA PDPL enforcement actions naming AI-tool prompt data as in-scope personal information"
       ],
       "signature": "KEAoMji3VcPX/ZXXqVe6OStxSkTssfY9fIRPyPcDYqh50GzOFQ6koNOTBVAiWOvjDjQ38g12xun5srbqgmvRAw==",
-      "signed_at": "2026-05-31T04:48:21.122Z"
+      "signed_at": "2026-05-31T10:22:24.328Z"
     },
     {
       "name": "supply-chain-integrity",
@@ -1010,7 +1010,7 @@
         "Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — NVIDIA Megatron Bridge path traversal by haehae; AI training-stack file-system trust boundary; track patch and SBOM-attestation impact"
       ],
       "signature": "zuW8T0EMbVV83GsUP/W20Use2gBTicBW021T0sY7qsRY/U5qsPWkXYIWp3SdiKLTIKqTEd/0T7LQebjIs2QKCA==",
-      "signed_at": "2026-05-31T04:48:21.123Z"
+      "signed_at": "2026-05-31T10:22:24.328Z"
     },
     {
       "name": "defensive-countermeasure-mapping",
@@ -1067,7 +1067,7 @@
       ],
       "last_threat_review": "2026-05-11",
       "signature": "Qe0Hg9BrX3Zm5pj0n2z/oiHbAXWdA2Dq461zc4izkkUjEX2CZ02rODjCI2ELbrVOU3GC7edxqAxA+5U/ObnHDQ==",
-      "signed_at": "2026-05-31T04:48:21.123Z"
+      "signed_at": "2026-05-31T10:22:24.328Z"
     },
     {
       "name": "identity-assurance",
@@ -1134,7 +1134,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "UV3458QXSkEpenzrOmdlTTfPHUD4hNyKMDHoeZDq/kiFb4mAG0ghQGTTgI9Ru8cJbSmYM1++m9N5TFIJ6JJPBg==",
-      "signed_at": "2026-05-31T04:48:21.123Z"
+      "signed_at": "2026-05-31T10:22:24.329Z"
     },
     {
       "name": "ot-ics-security",
@@ -1190,7 +1190,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "kIVzsPsJ72PzzWQwTuvjoHHoVEDCday5I52M9ohjB3/Ak+zlA8oyWLO/BKb/XuYY4fOApjfxTErSWv5uHQ2zDw==",
-      "signed_at": "2026-05-31T04:48:21.123Z"
+      "signed_at": "2026-05-31T10:22:24.329Z"
     },
     {
       "name": "coordinated-vuln-disclosure",
@@ -1242,7 +1242,7 @@
         "NYDFS 23 NYCRR 500 amendments potentially adding explicit CVD program requirements"
       ],
       "signature": "bWr27Q1uN9xCe1ib4QulszBa7YIDNkGqo72k5nm2cK98LyPblicD+sO9MnGckAyB22BTN/cIB+FwFMcI5IxvBw==",
-      "signed_at": "2026-05-31T04:48:21.124Z"
+      "signed_at": "2026-05-31T10:22:24.329Z"
     },
     {
       "name": "threat-modeling-methodology",
@@ -1292,7 +1292,7 @@
         "PASTA v2 updates incorporating AI/ML application threats"
       ],
       "signature": "Q854yzLqXdOazc6EyQbZzgAlivuq2vGFDVUCrxSldSvx/HX/ZM/uzmJyP7aBG7ZsMHxj6Lmj/H82YQoo1e+NCQ==",
-      "signed_at": "2026-05-31T04:48:21.124Z"
+      "signed_at": "2026-05-31T10:22:24.330Z"
     },
     {
       "name": "webapp-security",
@@ -1366,7 +1366,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "4ccahkJpGJZtwD7EBpnGcN0sEGPMEw8eqV+tvePVS04YAkLgYVWtlkasI/8n0be9xB+77x+Sjj3kIi2j2Lf9CA==",
-      "signed_at": "2026-05-31T04:48:21.124Z",
+      "signed_at": "2026-05-31T10:22:24.330Z",
       "forward_watch": [
         "NGINX Rift CVE-2026-42945 (disclosed 2026-05-13, source depthfirst) — KEV-watch predicted CISA KEV listing by 2026-05-29; AI-assisted discovery angle; track for active-exploitation confirmation and patch advisory affecting front-door web app deployments"
       ]
@@ -1419,7 +1419,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-15",
       "signature": "SBB7c3wNYfIdkyOp4g4nW0WP7xS+YokMzg32aaeJdbf14LTGQRzQUvSqb2TCj2HFUSHESOyKT1JpkAfyHLSQBQ==",
-      "signed_at": "2026-05-31T04:48:21.125Z"
+      "signed_at": "2026-05-31T10:22:24.331Z"
     },
     {
       "name": "sector-healthcare",
@@ -1479,7 +1479,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "U04GNLyRas1VmfEsB8khH4iqFZPwx96sPY0Kw9iVsSPU+KTeEFqwgtWK1X1pzgb+T16Pc7HSrCaXDOpTFvQEDw==",
-      "signed_at": "2026-05-31T04:48:21.125Z"
+      "signed_at": "2026-05-31T10:22:24.331Z"
     },
     {
       "name": "sector-financial",
@@ -1560,7 +1560,7 @@
         "TIBER-EU framework v2.0 alignment with DORA TLPT RTS (JC 2024/40); cross-recognition with CBEST and iCAST"
       ],
       "signature": "xbylLqNPBuEsFE/MNVeGy/01K6yiJXMxQbzC1F4RWU5aseDGbNy5HrAv2JWI2+Aft05ozreNPjccvu66yJ5EBw==",
-      "signed_at": "2026-05-31T04:48:21.126Z"
+      "signed_at": "2026-05-31T10:22:24.331Z"
     },
     {
       "name": "sector-federal-government",
@@ -1629,7 +1629,7 @@
         "Australia PSPF 2024 revision and ISM quarterly updates — track for Essential Eight Maturity Level requirements for federal entities"
       ],
       "signature": "C9c3JuBhUbwcb7uZpDdy+PNT8sYmYIxzD4uRHu421ePW1aSFJ8fkMvuTzSO8vD/F/jOOg5opM4kov/xSAn+qCg==",
-      "signed_at": "2026-05-31T04:48:21.126Z"
+      "signed_at": "2026-05-31T10:22:24.332Z"
     },
     {
       "name": "sector-energy",
@@ -1694,7 +1694,7 @@
         "ICS-CERT advisory feed (https://www.cisa.gov/news-events/cybersecurity-advisories/ics-advisories) for vendor CVEs in Siemens, Rockwell, Schneider Electric, ABB, GE Vernova, Hitachi Energy, AVEVA / OSIsoft PI"
       ],
       "signature": "oz8Q5WVaY8au4IjbaZahx/DSaC00Q44ylSL3mDkTerCEpW/EyPUeiLeGxSrWxBCwVFEKSSJvnhJjhvX5lDPcCg==",
-      "signed_at": "2026-05-31T04:48:21.126Z"
+      "signed_at": "2026-05-31T10:22:24.332Z"
     },
     {
       "name": "sector-telecom",
@@ -1780,7 +1780,7 @@
         "O-RAN SFG / WG11 security specifications"
       ],
       "signature": "NAtyzfLPXlUuB78Snb9nWmbZalC1CNlIYN9rYhdEmtB/xQGC6vVnThgrEAHlm7v/jMCFuknvEpUHKdscUnUADw==",
-      "signed_at": "2026-05-31T04:48:21.127Z"
+      "signed_at": "2026-05-31T10:22:24.332Z"
     },
     {
       "name": "api-security",
@@ -1849,7 +1849,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-18",
       "signature": "1UTjZNC5Lyrgw93LAizdXVeSmv3jS8YQNT1db5OKsldub50+o1FXmAH4+3MxZozaOGDCX3yXbdDJSJaaSmfuAA==",
-      "signed_at": "2026-05-31T04:48:21.127Z",
+      "signed_at": "2026-05-31T10:22:24.333Z",
       "forward_watch": [
         "NGINX Rift CVE-2026-42945 (disclosed 2026-05-13, source depthfirst) — KEV-watch predicted CISA KEV listing by 2026-05-29; track for active-exploitation confirmation and patch advisory affecting API gateway / reverse-proxy deployments",
         "Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — LiteLLM 3-bug SSRF + Code Injection chain by k3vg3n; LLM-proxy API surface; track upstream patch and CVE assignments",
@@ -1935,7 +1935,7 @@
         "CISA KEV additions for cloud-control-plane CVEs (IMDSv1 abuses, federation token mishandling, cross-tenant boundary failures); CISA Cybersecurity Advisories for cross-cloud advisories"
       ],
       "signature": "EdsY4xe7YA8X8m+KZUbq49JwoCXgRKEz2eg3m86O37rvBmpm8ppvl9hrsekygvpBh2VmCHL2dEYiOD8OM2n7CA==",
-      "signed_at": "2026-05-31T04:48:21.127Z"
+      "signed_at": "2026-05-31T10:22:24.333Z"
     },
     {
       "name": "container-runtime-security",
@@ -1997,7 +1997,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-15",
       "signature": "fnLKPLkjjRCJ/F9wdmZ1w1lXmqEJvTYkv6Uu+9OTd5vZTWKz3QMuxKOsas+ctCdOvTaeloqPUUprXx+ZZdDpCg==",
-      "signed_at": "2026-05-31T04:48:21.128Z",
+      "signed_at": "2026-05-31T10:22:24.333Z",
       "forward_watch": [
         "Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — NVIDIA Container Toolkit container escape ($50K award) by chompie / IBM X-Force XOR; high-severity container/hypervisor boundary break; track patch and KEV add post-embargo"
       ]
@@ -2071,7 +2071,7 @@
         "MITRE ATLAS v5.6.0 (released May 2026) shipped the AML.T0010 sub-technique expansion this forecast tracked plus new techniques (\"Publish Poisoned AI Agent Tool\", \"Escape to Host\"); inventory now 16 tactics, 84 techniques, 56 sub-techniques. Forward watch: subsequent ATLAS minor and major releases — track next-cadence updates to agentic-AI TTPs and MLOps-pipeline-specific techniques"
       ],
       "signature": "t3dkdpTX04zvjitEeOJThpgjurLd1UO9GOut4LXSZgY3ULhfknI4zT7G5+m2RSZZTo7yyeZrwpg+7vEg9K6mAw==",
-      "signed_at": "2026-05-31T04:48:21.128Z"
+      "signed_at": "2026-05-31T10:22:24.334Z"
     },
     {
       "name": "incident-response-playbook",
@@ -2133,7 +2133,7 @@
         "NYDFS 23 NYCRR 500.17 amendments tightening ransom-payment 24h disclosure operationalization"
       ],
       "signature": "+1kmtA6rAvIyDjjy+cJHK6BcfylyVsa5cUjRFijlFR9GsQfB93JnmkEJOqML50pdlcxtJI3yUodHpL3/YJGtCA==",
-      "signed_at": "2026-05-31T04:48:21.129Z"
+      "signed_at": "2026-05-31T10:22:24.334Z"
     },
     {
       "name": "ransomware-response",
@@ -2213,7 +2213,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "h48ASCz63aBfHzLKxMVDADMuT4atriK0iE6bJeVzZTsx/e8+hyv4fLP7+zYxT9Oe0Gss3v/Xy+t+Wd9uwzV+Aw==",
-      "signed_at": "2026-05-31T04:48:21.129Z"
+      "signed_at": "2026-05-31T10:22:24.335Z"
     },
     {
       "name": "email-security-anti-phishing",
@@ -2266,7 +2266,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-18",
       "signature": "FVBn4ex2qPIo9SHMVJ6tntoz4tVwjbIq3m6wDjjZyv2JODlS+90GBYCOkNamxxkmw/6de6SMs0YHQiF/xjo/DQ==",
-      "signed_at": "2026-05-31T04:48:21.129Z"
+      "signed_at": "2026-05-31T10:22:24.335Z"
     },
     {
       "name": "age-gates-child-safety",
@@ -2334,7 +2334,7 @@
         "US state adult-site age-verification laws — 19+ states by mid-2026 (TX HB 18 upheld by SCOTUS June 2025 in Free Speech Coalition v. Paxton); track ongoing challenges in remaining states"
       ],
       "signature": "ZHVdGWCcfG98tSVB0b9mwrsYwv71V3uUEl+6ss7omSQhmNvqV5s6MAZM5YladBt9MK/8T/zBrTYN4gAonOP+BQ==",
-      "signed_at": "2026-05-31T04:48:21.130Z"
+      "signed_at": "2026-05-31T10:22:24.335Z"
     },
     {
       "name": "cloud-iam-incident",
@@ -2414,7 +2414,7 @@
       ],
       "last_threat_review": "2026-05-15",
       "signature": "r9ii4nb3HJELdtKCGF5qy9PHOiot3GC24yfxfGAKlLENHkdRvRkvvL99eV/6RXyfUaMyrnc2Te8tPQcNu5bsDg==",
-      "signed_at": "2026-05-31T04:48:21.130Z",
+      "signed_at": "2026-05-31T10:22:24.336Z",
       "forward_watch": [
         "AWS IAM Identity Center session-policy refresh and step-up-on-admin enforcement (anticipated 2026-H2 release)",
         "GCP Workload Identity Federation principal-set attribute mapping tightening (post-2026 Q3 Federation hardening guide)",
@@ -2508,7 +2508,7 @@
       ],
       "last_threat_review": "2026-05-15",
       "signature": "9mfDtMApMAg9V/lmwpniNxo/6gNZoOEoYDfyFvyWvKrPMtc7H9F8uz06FVoARe/J49saAKTVXOurNE1D/KtpCQ==",
-      "signed_at": "2026-05-31T04:48:21.130Z",
+      "signed_at": "2026-05-31T10:22:24.336Z",
       "forward_watch": [
         "Entra ID conditional access evolution post-Midnight Blizzard — Microsoft's 2025-2026 commitments on legacy-tenant MFA enforcement and OAuth-app consent gating",
         "Okta IPSIE (Interoperability Profile for Secure Identity in the Enterprise) OpenID Foundation working-group output and adoption timeline",
@@ -2526,6 +2526,6 @@
   ],
   "manifest_signature": {
     "algorithm": "Ed25519",
-    "signature_base64": "Adyk095vyeY0icGDAti1GLURbVDE5HhVHyMtgeQ8WwncoOKIrngDjqi/VU9junhfoQtMCktYjJFE56yoi2DTCw=="
+    "signature_base64": "ZU/5nhmMlrcEw7gL1fKWdlP5dS70Zyejvg7NA5SbrHl6zm+Tmt6FHwpscYFECUxolA/NUF+TdiVhl0fD9eeNBw=="
   }
 }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/exceptd-skills",
-  "version": "0.15.53",
+  "version": "0.16.0",
   "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 42 skills, 11 catalogs (427 CVEs / 173 CWEs / 805 ATT&CK + ICS / 170 ATLAS / 468 D3FEND / 8888 RFCs), 35 jurisdictions, 10-class catalog gap detector + budget gate, real XML parser + canonical-form diff + content-pattern regression detection, Ed25519-signed.",
   "keywords": [
     "ai-security",

package/sbom.cdx.json CHANGED Viewed

@@ -1,22 +1,22 @@
 {
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:347093c0-9155-471a-9a22-58cb926555f2",
+  "serialNumber": "urn:uuid:9bd47470-c59d-4f51-b994-359ef144b4eb",
   "version": 1,
   "metadata": {
-    "timestamp": "2053-11-17T18:58:08.000Z",
+    "timestamp": "2108-11-06T03:58:40.000Z",
     "tools": [
       {
         "vendor": "blamejs",
         "name": "scripts/refresh-sbom.js",
-        "version": "0.15.53"
+        "version": "0.16.0"
       }
     ],
     "component": {
-      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.15.53",
+      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.16.0",
       "type": "application",
       "name": "@blamejs/exceptd-skills",
-      "version": "0.15.53",
+      "version": "0.16.0",
       "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 42 skills, 11 catalogs (427 CVEs / 173 CWEs / 805 ATT&CK + ICS / 170 ATLAS / 468 D3FEND / 8888 RFCs), 35 jurisdictions, 10-class catalog gap detector + budget gate, real XML parser + canonical-form diff + content-pattern regression detection, Ed25519-signed.",
       "licenses": [
         {
@@ -25,17 +25,17 @@
           }
         }
       ],
-      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.15.53",
+      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.16.0",
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "5fde4e0c2d0ef764c883ff21dbe1f4c5dbc9e74c675e59c15a6941a7e6d68c70"
+          "content": "1fada9c18f8669821ff1c4a85f283538532fe158641f1029dbf3ddf56a4e04be"
         }
       ],
       "externalReferences": [
         {
           "type": "distribution",
-          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.15.53"
+          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.16.0"
         },
         {
           "type": "vcs",
@@ -116,11 +116,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "3f31b297747c16270e24932a2d762bc06655b2d4d7bc2a5c9943e7eccf2a6839"
+          "content": "e4a1351eb6f5f70afe3ab2de9241579da509a28a4c8511b22b0ad892b49e9c94"
         },
         {
           "alg": "SHA3-512",
-          "content": "6489d29205b4185795b070e341e3290de0368f0dafb096907c1a912ccb5576dfb096fa020cff503d24bf830a9f1c3170ca8897daebcef3542ee6af6b6fae86b4"
+          "content": "02f1973ac20ca085fdbd22c0e15f178f72511c89eaf55acf454bbe3b03969ce96321c4ac27d2499ecdf4b8eaed46984fd4338d1239fecf1b856b4d3558dff4a2"
         }
       ]
     },
@@ -731,11 +731,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "1e2f307a7207a260f8c9ab23f95e8eebb4950349d79eceb2af5b8c4df2b37dc4"
+          "content": "0aecfdb929d9ab55432905fd8f116f3eaf56d7ebc86a2cc7817686d4ee5e4f8a"
         },
         {
           "alg": "SHA3-512",
-          "content": "9298e037ccac473c5ac994e5ef4804d93a7abfbb3fa14c836a97c4503de2e9d10b1ad8a2f371115bf17c1f63851fd252214cb183c8655f1f4150b0e3a2dc9248"
+          "content": "aa77d3f6b11b13fb5e8745e3ce2f1de20d599efa667c423e454b07d5046188027397b3d52b02c48fc097db276a12611d18a5f329190d92f3295f30d2bc1161c5"
         }
       ]
     },
@@ -1751,11 +1751,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "4359446f2ab6bfb0484b716ca15b81755ca4075d941b0c8caa5d2d4ad1c4f0a7"
+          "content": "b2470edc747a7cb7f4d2d31e94bccead4ac79a5b605ea67ef12757c9353c186d"
         },
         {
           "alg": "SHA3-512",
-          "content": "26d55c25bbbc0e76e1592fd5633b87858c6cf3ba281e0d6b19ce17761af9468992564c0f040110e541a63492f384e3c982c3afd5f4a05596a08f03e9c93ca2fa"
+          "content": "fe54afcaf4a2e0fff7b9d338f235b7d1227547f8f395b5b3b0d3d8bbf7ddb95d4ed7f08d1ef3b8ab6525c478465292597ccb0c781e1ba468f5fc15bb01fbbc08"
         }
       ]
     },