@blamejs/exceptd-skills 0.16.22 → 0.16.24

package/lib/verify.js

@@ -602,13 +602,14 @@ function validateAgainstSchema(value, schema, here, root) {
  * and returns the first non-comment / non-empty line. Returns null if
  * the file is unreadable / empty.
  *
- * Shared across four sites so every loader normalises identically:
+ * Shared across five sites so every loader normalises identically:
  *   - lib/verify.js              (manifest signature gate)
  *   - lib/refresh-network.js     (refresh-network pre-swap gate)
  *   - scripts/verify-shipped-tarball.js (predeploy gate)
  *   - bin/exceptd.js             (attestation pin)
- * tests/normalize-contract.test.js asserts byte-identical output across all
- * four sites under a BOM + CRLF fuzz corpus.
+ *   - lib/prefetch.js            (cache-consume index signature pin)
+ * tests/normalize-contract.test.js asserts byte-identical output across the
+ * sites under a BOM + CRLF fuzz corpus.
  */
 function loadExpectedFingerprintFirstLine(pinPath) {
   let buf;

package/manifest-snapshot.json

@@ -1,6 +1,6 @@
 {
   "_comment": "Auto-generated by scripts/refresh-manifest-snapshot.js — do not hand-edit. Public skill surface used by check-manifest-snapshot.js to detect breaking removals.",
-  "_generated_at": "2026-06-02T19:58:16.286Z",
+  "_generated_at": "2026-06-05T18:14:35.343Z",
   "atlas_version": "5.6.0",
   "skill_count": 51,
   "skills": [
@@ -155,7 +155,9 @@
         "RFC-9421",
         "RFC-9458"
       ],
-      "cwe_refs": [],
+      "cwe_refs": [
+        "CWE-918"
+      ],
       "d3fend_refs": [
         "D3-CA",
         "D3-CSPP",

package/manifest-snapshot.sha256

@@ -1 +1 @@
-faa01f939b1473c436cd81d614612593e92034e1119518e4e44f61e37b35de8b  manifest-snapshot.json
+507b7d47541c9a338602aee3fcedac2233ca1c0046bd41735adbf5b87cd0f50b  manifest-snapshot.json

package/manifest.json

@@ -1,6 +1,6 @@
 {
   "name": "exceptd-security",
-  "version": "0.16.22",
+  "version": "0.16.24",
   "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation",
   "homepage": "https://exceptd.com",
   "license": "Apache-2.0",
@@ -53,7 +53,7 @@
       ],
       "last_threat_review": "2026-05-15",
       "signature": "0H+JfyUVmo/pVFEi5rLENATHjlukPVUqnOWmNPEH77wm8svKGK0aNJ46k6QU5GdHb8c9X9pVJKiuhON6AxDjDw==",
-      "signed_at": "2026-06-05T14:36:05.079Z",
+      "signed_at": "2026-06-05T21:54:10.774Z",
       "cwe_refs": [
         "CWE-125",
         "CWE-362",
@@ -123,7 +123,7 @@
       ],
       "last_threat_review": "2026-05-17",
       "signature": "PHwHEsoy7ctBYOtlAfAdCDVfsq2Bpk9+qESSF+5dVkDcez2zp2v9Ihsv2vqMEs3QxMndyQ+t7NVezyt5VamSCg==",
-      "signed_at": "2026-06-05T14:36:05.081Z",
+      "signed_at": "2026-06-05T21:54:10.776Z",
       "cwe_refs": [
         "CWE-1039",
         "CWE-1426",
@@ -196,7 +196,7 @@
       ],
       "last_threat_review": "2026-05-17",
       "signature": "dD4p7lcRtMyfITOncqLkpOeMy6x6gM0V7UlWHgLEdcxqODb1s75ar1cBtTqDWPbMv6ZAzVo2HJLDK1hVjjU2AQ==",
-      "signed_at": "2026-06-05T14:36:05.081Z",
+      "signed_at": "2026-06-05T21:54:10.776Z",
       "cwe_refs": [
         "CWE-22",
         "CWE-345",
@@ -248,7 +248,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-22",
       "signature": "wsw8Mlr/gyw6S7Iaao9BVHdU5LFPWl8WVymW17Lkq9J1Mui0+fCrTg6UbrsaeE3s7EW3TVgzBuK+8EFd1+H5AA==",
-      "signed_at": "2026-06-05T14:36:05.082Z"
+      "signed_at": "2026-06-05T21:54:10.776Z"
     },
     {
       "name": "compliance-theater",
@@ -279,7 +279,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "uVTc1QRKOKcIVDajBz+q2egjiEAyOQaDNsvVI2ghj5FD0VvquoUBBE5Naca2FkaZa790EHWCsVZ4hhdaSQs2DQ==",
-      "signed_at": "2026-06-05T14:36:05.082Z"
+      "signed_at": "2026-06-05T21:54:10.777Z"
     },
     {
       "name": "exploit-scoring",
@@ -307,8 +307,8 @@
         "CIS-Controls-v8-Control7"
       ],
       "last_threat_review": "2026-05-18",
-      "signature": "QuNpwnZ6HkCEAXTPC/jLbXSmMIc1JnBczqZAAIZmZj8OcEMVnw9mJYAnU3CxaEI7rvbcMkN2uS5E8yUCm/NiAg==",
-      "signed_at": "2026-06-05T14:36:05.083Z"
+      "signature": "Vne6mNYAubRMzF8Fz6CrU/hbvV+UzkGbpmWQrRSGlqNTGPHgzKOhDcZ2cqgRAI9AGz4IBE79dMaQrXqsnni9AQ==",
+      "signed_at": "2026-06-05T21:54:10.778Z"
     },
     {
       "name": "rag-pipeline-security",
@@ -345,7 +345,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "5rw2i39SxY2WphBbDLEP28wufnbPPE9+PWt54hmaGdwHXr9RLiVt5liL/5xp14sehlVgFsfpR/bg9vy//xV0DA==",
-      "signed_at": "2026-06-05T14:36:05.083Z",
+      "signed_at": "2026-06-05T21:54:10.778Z",
       "cwe_refs": [
         "CWE-1395",
         "CWE-1426"
@@ -405,7 +405,10 @@
       ],
       "last_threat_review": "2026-05-17",
       "signature": "Vqu49nzntFWjn9A/QeJzm7q/2xk/cZJ6HFQKtiNi1zgcxzXKm+MlFdkaLgYHWj5/9HJohxyIDyBJQTvcJ20eDQ==",
-      "signed_at": "2026-06-05T14:36:05.084Z",
+      "signed_at": "2026-06-05T21:54:10.778Z",
+      "cwe_refs": [
+        "CWE-918"
+      ],
       "d3fend_refs": [
         "D3-CA",
         "D3-CSPP",
@@ -440,7 +443,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-22",
       "signature": "W87VdyVdAxAdcRI6P/8StaV+MS8ZSPKM9HOCK9n/bBO6BM3ZSE3uImVoyJVpAXQlUpUGN+A3lCJZXv64LuxwDg==",
-      "signed_at": "2026-06-05T14:36:05.084Z",
+      "signed_at": "2026-06-05T21:54:10.779Z",
       "cwe_refs": [
         "CWE-1188"
       ],
@@ -474,7 +477,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-18",
       "signature": "wdVX+edeNekpaIldqkhvtraV6DquLvIsKAjuZVwPQYn3l1vS99HXuFxmNsD7UeMlO3qgC6Dysfsto9EnuH0RBg==",
-      "signed_at": "2026-06-05T14:36:05.084Z",
+      "signed_at": "2026-06-05T21:54:10.779Z",
       "forward_watch": [
         "New AI attack classes as ATLAS v6 publishes",
         "Post-quantum adversary capability timeline",
@@ -513,7 +516,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "b5miTiY0cnxETd2btxorfZBdJKt/fLnQx20sGYUb9zEqGqtm0LMLpghkW68j4/9k48KNyuGMtNWiKTSnodUGBw==",
-      "signed_at": "2026-06-05T14:36:05.085Z"
+      "signed_at": "2026-06-05T21:54:10.779Z"
     },
     {
       "name": "zeroday-gap-learn",
@@ -540,7 +543,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-18",
       "signature": "xbkip0AQtWQKAu+O6r/gYECNjezS6O9k9xkkJsYbMlr+j8CdqH3p5/0l+GZmDidImRC/DL07GCnKrk9HRR/yDQ==",
-      "signed_at": "2026-06-05T14:36:05.085Z",
+      "signed_at": "2026-06-05T21:54:10.780Z",
       "forward_watch": [
         "New CISA KEV entries",
         "New ATLAS TTP additions in each ATLAS release",
@@ -604,7 +607,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "li2NnC1oeVIr22ComP5QbcQoh5xpWITuaKpza1s2SsUkH6kGnnt4wFfFAzaC1ORmH9x2cr8hN8kaNANG/eIMBQ==",
-      "signed_at": "2026-06-05T14:36:05.085Z",
+      "signed_at": "2026-06-05T21:54:10.780Z",
       "cwe_refs": [
         "CWE-327"
       ],
@@ -652,7 +655,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "sZHlJ7ueHPdtzVbR+yXQ5+wKgNyjWsa1LKVg9aWTmg/Onl71DvEILMyJiLpPQjseT56Mnr1DMYJE8xOGlffBAw==",
-      "signed_at": "2026-06-05T14:36:05.086Z"
+      "signed_at": "2026-06-05T21:54:10.781Z"
     },
     {
       "name": "security-maturity-tiers",
@@ -689,7 +692,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "3AwFnEJu6DukPPNep/3SnuPWEuV060fJEQIwThFm7ujmdbFk0/Ii0XwGv1dkvbbK7ymMdOQpp35l4aLONAucDA==",
-      "signed_at": "2026-06-05T14:36:05.086Z",
+      "signed_at": "2026-06-05T21:54:10.781Z",
       "cwe_refs": [
         "CWE-1188"
       ]
@@ -724,7 +727,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-11",
       "signature": "iJWevUBurLvt2v8X+Ch2eHmZkPWpKeAtIpxTIP4MwbUHyco3igDeBywJCyaR2vURYRx8LkzzIMM8DxQM4LAXBQ==",
-      "signed_at": "2026-06-05T14:36:05.086Z"
+      "signed_at": "2026-06-05T21:54:10.781Z"
     },
     {
       "name": "attack-surface-pentest",
@@ -796,7 +799,7 @@
         "Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — Microsoft Edge 4-bug sandbox escape by Orange Tsai (DEVCORE); forward-watch only (browser sandbox, out of current playbook scope); track Microsoft Edge security advisory and KEV add"
       ],
       "signature": "DDMzI+4En4aIkwBUCGW6nj1eEkCyLqHGn2LJ2rnwWfYatjPI1U5HrTZNAN/n9JqWtAzk8F3rmsKehaaz5iNWDA==",
-      "signed_at": "2026-06-05T14:36:05.087Z"
+      "signed_at": "2026-06-05T21:54:10.782Z"
     },
     {
       "name": "fuzz-testing-strategy",
@@ -856,7 +859,7 @@
         "OSS-Fuzz-Gen / AI-assisted harness generation becoming the default expectation for OSS maintainers"
       ],
       "signature": "dJB0iAstIUbyny+udl3OIkaLScEmqS97LNP73yQ8mxt+0bcqxZjpfXaWLzLuIQblGYvUvz75/H6rO2EJuGd4AQ==",
-      "signed_at": "2026-06-05T14:36:05.087Z"
+      "signed_at": "2026-06-05T21:54:10.782Z"
     },
     {
       "name": "dlp-gap-analysis",
@@ -931,7 +934,7 @@
         "Quebec Law 25, India DPDPA, KSA PDPL enforcement actions naming AI-tool prompt data as in-scope personal information"
       ],
       "signature": "KEAoMji3VcPX/ZXXqVe6OStxSkTssfY9fIRPyPcDYqh50GzOFQ6koNOTBVAiWOvjDjQ38g12xun5srbqgmvRAw==",
-      "signed_at": "2026-06-05T14:36:05.088Z"
+      "signed_at": "2026-06-05T21:54:10.782Z"
     },
     {
       "name": "supply-chain-integrity",
@@ -1010,7 +1013,7 @@
         "Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — NVIDIA Megatron Bridge path traversal by haehae; AI training-stack file-system trust boundary; track patch and SBOM-attestation impact"
       ],
       "signature": "zuW8T0EMbVV83GsUP/W20Use2gBTicBW021T0sY7qsRY/U5qsPWkXYIWp3SdiKLTIKqTEd/0T7LQebjIs2QKCA==",
-      "signed_at": "2026-06-05T14:36:05.088Z"
+      "signed_at": "2026-06-05T21:54:10.783Z"
     },
     {
       "name": "defensive-countermeasure-mapping",
@@ -1067,7 +1070,7 @@
       ],
       "last_threat_review": "2026-05-11",
       "signature": "Qe0Hg9BrX3Zm5pj0n2z/oiHbAXWdA2Dq461zc4izkkUjEX2CZ02rODjCI2ELbrVOU3GC7edxqAxA+5U/ObnHDQ==",
-      "signed_at": "2026-06-05T14:36:05.088Z"
+      "signed_at": "2026-06-05T21:54:10.783Z"
     },
     {
       "name": "identity-assurance",
@@ -1134,7 +1137,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "UV3458QXSkEpenzrOmdlTTfPHUD4hNyKMDHoeZDq/kiFb4mAG0ghQGTTgI9Ru8cJbSmYM1++m9N5TFIJ6JJPBg==",
-      "signed_at": "2026-06-05T14:36:05.089Z"
+      "signed_at": "2026-06-05T21:54:10.783Z"
     },
     {
       "name": "ot-ics-security",
@@ -1190,7 +1193,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "kIVzsPsJ72PzzWQwTuvjoHHoVEDCday5I52M9ohjB3/Ak+zlA8oyWLO/BKb/XuYY4fOApjfxTErSWv5uHQ2zDw==",
-      "signed_at": "2026-06-05T14:36:05.089Z"
+      "signed_at": "2026-06-05T21:54:10.784Z"
     },
     {
       "name": "coordinated-vuln-disclosure",
@@ -1242,7 +1245,7 @@
         "NYDFS 23 NYCRR 500 amendments potentially adding explicit CVD program requirements"
       ],
       "signature": "bWr27Q1uN9xCe1ib4QulszBa7YIDNkGqo72k5nm2cK98LyPblicD+sO9MnGckAyB22BTN/cIB+FwFMcI5IxvBw==",
-      "signed_at": "2026-06-05T14:36:05.089Z"
+      "signed_at": "2026-06-05T21:54:10.784Z"
     },
     {
       "name": "threat-modeling-methodology",
@@ -1292,7 +1295,7 @@
         "PASTA v2 updates incorporating AI/ML application threats"
       ],
       "signature": "Q854yzLqXdOazc6EyQbZzgAlivuq2vGFDVUCrxSldSvx/HX/ZM/uzmJyP7aBG7ZsMHxj6Lmj/H82YQoo1e+NCQ==",
-      "signed_at": "2026-06-05T14:36:05.090Z"
+      "signed_at": "2026-06-05T21:54:10.784Z"
     },
     {
       "name": "webapp-security",
@@ -1366,7 +1369,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "4ccahkJpGJZtwD7EBpnGcN0sEGPMEw8eqV+tvePVS04YAkLgYVWtlkasI/8n0be9xB+77x+Sjj3kIi2j2Lf9CA==",
-      "signed_at": "2026-06-05T14:36:05.090Z",
+      "signed_at": "2026-06-05T21:54:10.785Z",
       "forward_watch": [
         "NGINX Rift CVE-2026-42945 (disclosed 2026-05-13, source depthfirst) — KEV-watch predicted CISA KEV listing by 2026-05-29; AI-assisted discovery angle; track for active-exploitation confirmation and patch advisory affecting front-door web app deployments"
       ]
@@ -1419,7 +1422,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-15",
       "signature": "SBB7c3wNYfIdkyOp4g4nW0WP7xS+YokMzg32aaeJdbf14LTGQRzQUvSqb2TCj2HFUSHESOyKT1JpkAfyHLSQBQ==",
-      "signed_at": "2026-06-05T14:36:05.090Z"
+      "signed_at": "2026-06-05T21:54:10.785Z"
     },
     {
       "name": "sector-healthcare",
@@ -1479,7 +1482,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "U04GNLyRas1VmfEsB8khH4iqFZPwx96sPY0Kw9iVsSPU+KTeEFqwgtWK1X1pzgb+T16Pc7HSrCaXDOpTFvQEDw==",
-      "signed_at": "2026-06-05T14:36:05.091Z"
+      "signed_at": "2026-06-05T21:54:10.786Z"
     },
     {
       "name": "sector-financial",
@@ -1560,7 +1563,7 @@
         "TIBER-EU framework v2.0 alignment with DORA TLPT RTS (JC 2024/40); cross-recognition with CBEST and iCAST"
       ],
       "signature": "xbylLqNPBuEsFE/MNVeGy/01K6yiJXMxQbzC1F4RWU5aseDGbNy5HrAv2JWI2+Aft05ozreNPjccvu66yJ5EBw==",
-      "signed_at": "2026-06-05T14:36:05.091Z"
+      "signed_at": "2026-06-05T21:54:10.786Z"
     },
     {
       "name": "sector-federal-government",
@@ -1629,7 +1632,7 @@
         "Australia PSPF 2024 revision and ISM quarterly updates — track for Essential Eight Maturity Level requirements for federal entities"
       ],
       "signature": "C9c3JuBhUbwcb7uZpDdy+PNT8sYmYIxzD4uRHu421ePW1aSFJ8fkMvuTzSO8vD/F/jOOg5opM4kov/xSAn+qCg==",
-      "signed_at": "2026-06-05T14:36:05.092Z"
+      "signed_at": "2026-06-05T21:54:10.787Z"
     },
     {
       "name": "sector-energy",
@@ -1694,7 +1697,7 @@
         "ICS-CERT advisory feed (https://www.cisa.gov/news-events/cybersecurity-advisories/ics-advisories) for vendor CVEs in Siemens, Rockwell, Schneider Electric, ABB, GE Vernova, Hitachi Energy, AVEVA / OSIsoft PI"
       ],
       "signature": "oz8Q5WVaY8au4IjbaZahx/DSaC00Q44ylSL3mDkTerCEpW/EyPUeiLeGxSrWxBCwVFEKSSJvnhJjhvX5lDPcCg==",
-      "signed_at": "2026-06-05T14:36:05.092Z"
+      "signed_at": "2026-06-05T21:54:10.787Z"
     },
     {
       "name": "sector-telecom",
@@ -1780,7 +1783,7 @@
         "O-RAN SFG / WG11 security specifications"
       ],
       "signature": "NAtyzfLPXlUuB78Snb9nWmbZalC1CNlIYN9rYhdEmtB/xQGC6vVnThgrEAHlm7v/jMCFuknvEpUHKdscUnUADw==",
-      "signed_at": "2026-06-05T14:36:05.092Z"
+      "signed_at": "2026-06-05T21:54:10.787Z"
     },
     {
       "name": "api-security",
@@ -1849,7 +1852,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-18",
       "signature": "1UTjZNC5Lyrgw93LAizdXVeSmv3jS8YQNT1db5OKsldub50+o1FXmAH4+3MxZozaOGDCX3yXbdDJSJaaSmfuAA==",
-      "signed_at": "2026-06-05T14:36:05.093Z",
+      "signed_at": "2026-06-05T21:54:10.788Z",
       "forward_watch": [
         "NGINX Rift CVE-2026-42945 (disclosed 2026-05-13, source depthfirst) — KEV-watch predicted CISA KEV listing by 2026-05-29; track for active-exploitation confirmation and patch advisory affecting API gateway / reverse-proxy deployments",
         "Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — LiteLLM 3-bug SSRF + Code Injection chain by k3vg3n; LLM-proxy API surface; track upstream patch and CVE assignments",
@@ -1935,7 +1938,7 @@
         "CISA KEV additions for cloud-control-plane CVEs (IMDSv1 abuses, federation token mishandling, cross-tenant boundary failures); CISA Cybersecurity Advisories for cross-cloud advisories"
       ],
       "signature": "EdsY4xe7YA8X8m+KZUbq49JwoCXgRKEz2eg3m86O37rvBmpm8ppvl9hrsekygvpBh2VmCHL2dEYiOD8OM2n7CA==",
-      "signed_at": "2026-06-05T14:36:05.093Z"
+      "signed_at": "2026-06-05T21:54:10.788Z"
     },
     {
       "name": "container-runtime-security",
@@ -1997,7 +2000,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-15",
       "signature": "fnLKPLkjjRCJ/F9wdmZ1w1lXmqEJvTYkv6Uu+9OTd5vZTWKz3QMuxKOsas+ctCdOvTaeloqPUUprXx+ZZdDpCg==",
-      "signed_at": "2026-06-05T14:36:05.093Z",
+      "signed_at": "2026-06-05T21:54:10.789Z",
       "forward_watch": [
         "Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — NVIDIA Container Toolkit container escape ($50K award) by chompie / IBM X-Force XOR; high-severity container/hypervisor boundary break; track patch and KEV add post-embargo"
       ]
@@ -2071,7 +2074,7 @@
         "MITRE ATLAS v5.6.0 (released May 2026) shipped the AML.T0010 sub-technique expansion this forecast tracked plus new techniques (\"Publish Poisoned AI Agent Tool\", \"Escape to Host\"); inventory now 16 tactics, 84 techniques, 56 sub-techniques. Forward watch: subsequent ATLAS minor and major releases — track next-cadence updates to agentic-AI TTPs and MLOps-pipeline-specific techniques"
       ],
       "signature": "t3dkdpTX04zvjitEeOJThpgjurLd1UO9GOut4LXSZgY3ULhfknI4zT7G5+m2RSZZTo7yyeZrwpg+7vEg9K6mAw==",
-      "signed_at": "2026-06-05T14:36:05.094Z"
+      "signed_at": "2026-06-05T21:54:10.789Z"
     },
     {
       "name": "incident-response-playbook",
@@ -2133,7 +2136,7 @@
         "NYDFS 23 NYCRR 500.17 amendments tightening ransom-payment 24h disclosure operationalization"
       ],
       "signature": "+1kmtA6rAvIyDjjy+cJHK6BcfylyVsa5cUjRFijlFR9GsQfB93JnmkEJOqML50pdlcxtJI3yUodHpL3/YJGtCA==",
-      "signed_at": "2026-06-05T14:36:05.094Z"
+      "signed_at": "2026-06-05T21:54:10.789Z"
     },
     {
       "name": "ransomware-response",
@@ -2213,7 +2216,7 @@
       ],
       "last_threat_review": "2026-05-22",
       "signature": "h48ASCz63aBfHzLKxMVDADMuT4atriK0iE6bJeVzZTsx/e8+hyv4fLP7+zYxT9Oe0Gss3v/Xy+t+Wd9uwzV+Aw==",
-      "signed_at": "2026-06-05T14:36:05.095Z"
+      "signed_at": "2026-06-05T21:54:10.790Z"
     },
     {
       "name": "email-security-anti-phishing",
@@ -2266,7 +2269,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-18",
       "signature": "FVBn4ex2qPIo9SHMVJ6tntoz4tVwjbIq3m6wDjjZyv2JODlS+90GBYCOkNamxxkmw/6de6SMs0YHQiF/xjo/DQ==",
-      "signed_at": "2026-06-05T14:36:05.095Z"
+      "signed_at": "2026-06-05T21:54:10.790Z"
     },
     {
       "name": "age-gates-child-safety",
@@ -2334,7 +2337,7 @@
         "US state adult-site age-verification laws — 19+ states by mid-2026 (TX HB 18 upheld by SCOTUS June 2025 in Free Speech Coalition v. Paxton); track ongoing challenges in remaining states"
       ],
       "signature": "ZHVdGWCcfG98tSVB0b9mwrsYwv71V3uUEl+6ss7omSQhmNvqV5s6MAZM5YladBt9MK/8T/zBrTYN4gAonOP+BQ==",
-      "signed_at": "2026-06-05T14:36:05.095Z"
+      "signed_at": "2026-06-05T21:54:10.791Z"
     },
     {
       "name": "cloud-iam-incident",
@@ -2414,7 +2417,7 @@
       ],
       "last_threat_review": "2026-05-15",
       "signature": "r9ii4nb3HJELdtKCGF5qy9PHOiot3GC24yfxfGAKlLENHkdRvRkvvL99eV/6RXyfUaMyrnc2Te8tPQcNu5bsDg==",
-      "signed_at": "2026-06-05T14:36:05.096Z",
+      "signed_at": "2026-06-05T21:54:10.791Z",
       "forward_watch": [
         "AWS IAM Identity Center session-policy refresh and step-up-on-admin enforcement (anticipated 2026-H2 release)",
         "GCP Workload Identity Federation principal-set attribute mapping tightening (post-2026 Q3 Federation hardening guide)",
@@ -2508,7 +2511,7 @@
       ],
       "last_threat_review": "2026-05-15",
       "signature": "9mfDtMApMAg9V/lmwpniNxo/6gNZoOEoYDfyFvyWvKrPMtc7H9F8uz06FVoARe/J49saAKTVXOurNE1D/KtpCQ==",
-      "signed_at": "2026-06-05T14:36:05.096Z",
+      "signed_at": "2026-06-05T21:54:10.791Z",
       "forward_watch": [
         "Entra ID conditional access evolution post-Midnight Blizzard — Microsoft's 2025-2026 commitments on legacy-tenant MFA enforcement and OAuth-app consent gating",
         "Okta IPSIE (Interoperability Profile for Secure Identity in the Enterprise) OpenID Foundation working-group output and adoption timeline",
@@ -2580,7 +2583,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-06-02",
       "signature": "dOFgANMtHm64uSFRjMfeA0fWZS9ISwMTt59I2CbjaF1PgTtbtb8yg/f+3pC4eXcXIET0KPGxRRmENycfIz3rAw==",
-      "signed_at": "2026-06-05T14:36:05.097Z"
+      "signed_at": "2026-06-05T21:54:10.792Z"
     },
     {
       "name": "mail-server-hardening",
@@ -2639,7 +2642,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-06-02",
       "signature": "5x8RGzKo/T2IbYnFkYMZs16ThD9a5FEdrKHsnwvtMuGxdyyfZsKNIJVWw2I8O0um0UOXwwkl17Z3zhch26ymCQ==",
-      "signed_at": "2026-06-05T14:36:05.097Z"
+      "signed_at": "2026-06-05T21:54:10.792Z"
     },
     {
       "name": "network-trust",
@@ -2695,7 +2698,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-06-02",
       "signature": "C/RdmnGjXKreKiGkwJfUESIxUwQzisGJ9A7KBdE9cBRBHBYHkAcScV89L+Z3kOG032Qax6LeIQai7Lr3nrQBCA==",
-      "signed_at": "2026-06-05T14:36:05.097Z"
+      "signed_at": "2026-06-05T21:54:10.792Z"
     },
     {
       "name": "audit-log-integrity",
@@ -2750,7 +2753,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-06-02",
       "signature": "LvUAq+rXCA8PgNy9lTKOmFqa8T9EJg4JEH0axXvEAf9MIHqbR51ergUkFMLaTuvFuApwsPu0r1C30QgScZbiAw==",
-      "signed_at": "2026-06-05T14:36:05.097Z"
+      "signed_at": "2026-06-05T21:54:10.793Z"
     },
     {
       "name": "self-update-integrity",
@@ -2804,7 +2807,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-06-02",
       "signature": "BOQZ8G9LdyG/tfpz6rCU4THz5Dq2HGJkUV7uCqSTCMrqnXH6seNXKM41FWawYo0s2VUlXtRgaO7ETp5qgxw+CQ==",
-      "signed_at": "2026-06-05T14:36:05.098Z"
+      "signed_at": "2026-06-05T21:54:10.793Z"
     },
     {
       "name": "multitenancy-isolation",
@@ -2862,7 +2865,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-06-02",
       "signature": "bncN0VE4ns0lxtPe48xDR33lerw54BPVkSwX7XlrLQcMHTrV94lmjO8z4ZP4Ko61n+KpuP2SNU8v9JT0bGMmAA==",
-      "signed_at": "2026-06-05T14:36:05.098Z"
+      "signed_at": "2026-06-05T21:54:10.793Z"
     },
     {
       "name": "decompression-dos",
@@ -2920,7 +2923,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-06-02",
       "signature": "03i0ZO5ScHIOjGvDKUEsws6m+20fnlJrEhSBtMU7PJzQutrPpmW9gULE0wbayTD5H9URh5nSKZuuVjvjVhZNCg==",
-      "signed_at": "2026-06-05T14:36:05.098Z"
+      "signed_at": "2026-06-05T21:54:10.793Z"
     },
     {
       "name": "log-injection-telemetry",
@@ -2975,7 +2978,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-06-02",
       "signature": "twTmA2l+Am2k2PCzB2DNxDQwoYlGopJp/3QgQwBsP7h2LF+uNudisqfuOVV/bYnWfrUhuYZUWbsR3mhzbJCUBw==",
-      "signed_at": "2026-06-05T14:36:05.098Z"
+      "signed_at": "2026-06-05T21:54:10.794Z"
     },
     {
       "name": "privacy-consent-ops",
@@ -3030,11 +3033,11 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-06-02",
       "signature": "0sfKSVrIf555c9bDGkXB96fUClN52fMAMYoQsNQ9eUUSzDiWUwdou+q0gYt43nObtj3m9Yb9X6q3oCXDVMgUDg==",
-      "signed_at": "2026-06-05T14:36:05.099Z"
+      "signed_at": "2026-06-05T21:54:10.794Z"
     }
   ],
   "manifest_signature": {
     "algorithm": "Ed25519",
-    "signature_base64": "M6/54yATUpoQoKpa2XTdQtrhRJFf7lf/3i6uQa3i/f3dGXNEc8zENbjYEr7C0xt13cto2oMT/5zxeRQzrCc4BQ=="
+    "signature_base64": "mV0pAkSn14nwUzoUbvbXQqctfe42CQBEKApecPrRWWOxhyI7mjM2XhYoHDdogS6sDtQhJZgcUSZm0+rs1ITkDw=="
   }
 }

package/orchestrator/README.md

@@ -88,7 +88,7 @@ The orchestrator produces output in three formats:
 | Format | Audience | File |
 |--------|----------|------|
 | `executive` | CISO / Board | `reports/templates/executive-summary.md` |
-| `technical` | Security Engineers | `reports/templates/technical-assessment.md` |
+| `technical` | Security Engineers | (no canonical template — assembled by report-generator) |
 | `compliance` | Auditors / GRC | `reports/templates/compliance-gap-report.md` |
 | `zero-day` | Incident Response | `reports/templates/zero-day-response.md` |
 

package/orchestrator/index.js

@@ -195,7 +195,14 @@ Examples:
     controlGaps = JSON.parse(fs.readFileSync(path.join(root, 'data', 'framework-control-gaps.json'), 'utf8'));
     cveCatalog = JSON.parse(fs.readFileSync(path.join(root, 'data', 'cve-catalog.json'), 'utf8'));
   } catch (err) {
-    console.error(`[framework-gap] cannot read catalog: ${err.message}`);
+    // Honor --json on the catalog-read failure path too: a JSON consumer must
+    // get the same structured ok:false envelope the other error exits emit.
+    const msg = `framework-gap: cannot read catalog: ${err.message}`;
+    if (jsonOut) {
+      process.stdout.write(JSON.stringify({ ok: false, verb: 'framework-gap', error: msg }) + '\n');
+    } else {
+      console.error(`[framework-gap] cannot read catalog: ${err.message}`);
+    }
     safeExit(EXIT_CODES.GENERIC_FAILURE);
     return;
   }
@@ -697,10 +704,24 @@ function _acquireWatchLock() {
       e.code = 'EWATCHLOCKED';
       throw e;
     }
-    // Stale — reclaim atomically. unlink + re-create with O_EXCL so a race
-    // with another reclaimer surfaces as EEXIST cleanly.
+    // Stale — reclaim atomically. unlink + re-create with O_EXCL. If another
+    // reclaimer won the race between our unlink and our re-create, the O_EXCL
+    // create throws EEXIST; that is contention, not a generic failure, so
+    // re-tag it as EWATCHLOCKED to map onto the EX_TEMPFAIL "retry later"
+    // exit rather than the GENERIC_FAILURE the bare EEXIST would fall to.
     try { fsMod.unlinkSync(lockPath); } catch { /* concurrent reclaim, fine */ }
-    tryCreate();
+    try {
+      tryCreate();
+    } catch (recreateErr) {
+      if (recreateErr.code === 'EEXIST') {
+        const e = new Error(
+          `another exceptd watch process reclaimed ${lockPath} concurrently; retry`
+        );
+        e.code = 'EWATCHLOCKED';
+        throw e;
+      }
+      throw recreateErr;
+    }
   }
 
   return {
@@ -755,7 +776,11 @@ async function runWatch() {
     lock = _acquireWatchLock();
   } catch (err) {
     console.error(`[orchestrator] cannot start watch: ${err.message}`);
-    process.exitCode = err.code === 'EWATCHLOCKED' ? 75 : 1;
+    // sysexits EX_TEMPFAIL: the watch daemon lock is held; retry later. Read
+    // the value from the canonical exit-code table when it carries it so the
+    // `doctor --exit-codes` dump and this path share one source of truth.
+    const watchLocked = EXIT_CODES.WATCH_LOCK_CONTENTION || 75;
+    process.exitCode = err.code === 'EWATCHLOCKED' ? watchLocked : 1;
     return;
   }
 
@@ -1609,6 +1634,7 @@ function runWatchlistAlerts(rawArgs = []) {
 async function validateAllCvesPreferCache(catalog, cacheDir) {
   const fs = require('fs');
   const path = require('path');
+  const crypto = require('crypto');
   const { validateCve } = require('../sources/validators');
 
   // 50 MB cap on any single cache file. Refuses to read past the cap to
@@ -1618,6 +1644,34 @@ async function validateAllCvesPreferCache(catalog, cacheDir) {
   // ~3 MB as of 2026); anything beyond 50 MB is almost certainly damage.
   const CACHE_FILE_MAX_BYTES = 50 * 1024 * 1024;
 
+  // Load the prefetch cache index once. Every payload written by the prefetch
+  // pipeline records a per-entry sha256 here, so a consume-side recompute
+  // catches a payload rewritten on disk after prefetch. The fingerprint is
+  // computed over JSON.stringify(payload) (unindented) at write time, so the
+  // round-trip parse + re-stringify below produces the comparable hash.
+  let cacheIndex = null;
+  try {
+    cacheIndex = JSON.parse(fs.readFileSync(path.join(cacheDir, '_index.json'), 'utf8'));
+  } catch { cacheIndex = null; }
+
+  // Verify a cache payload against its recorded sha256 before it is trusted.
+  // Returns false on any tamper signal: no index, no sha256 entry, or a
+  // mismatch. The caller then refuses the cached value and re-validates the
+  // CVE live, so forged cache contents can no longer mask drift.
+  function cacheEntryVerified(source, id, parsed) {
+    const meta = cacheIndex && cacheIndex.entries && cacheIndex.entries[`${source}/${id}`];
+    if (!meta || typeof meta.sha256 !== 'string') {
+      console.error(`[validate-cves] cache integrity: no recorded sha256 for ${source}/${id}; ignoring cache entry and validating live.`);
+      return false;
+    }
+    const actual = crypto.createHash('sha256').update(JSON.stringify(parsed)).digest('hex');
+    if (actual !== meta.sha256) {
+      console.error(`[validate-cves] cache integrity: sha256 mismatch for ${source}/${id} (expected ${meta.sha256.slice(0, 16)}..., got ${actual.slice(0, 16)}...); ignoring tampered cache entry and validating live.`);
+      return false;
+    }
+    return true;
+  }
+
   function readCached(source, id) {
     const safe = id.replace(/[^A-Za-z0-9._-]/g, '_');
     const p = path.join(cacheDir, source, `${safe}.json`);
@@ -1628,7 +1682,9 @@ async function validateAllCvesPreferCache(catalog, cacheDir) {
         console.error(`[validate-cves] cache file ${p} exceeds ${CACHE_FILE_MAX_BYTES} byte cap (${st.size}); refusing to read.`);
         return null;
       }
-      return JSON.parse(fs.readFileSync(p, 'utf8'));
+      const parsed = JSON.parse(fs.readFileSync(p, 'utf8'));
+      if (!cacheEntryVerified(source, id, parsed)) return null;
+      return parsed;
     }
     catch { return null; }
   }
@@ -2016,7 +2072,9 @@ async function runWatchlistOrgScan(rawArgs = []) {
 // tests and from `bin/exceptd.js`'s programmatic entrypoints.
 if (require.main === module) {
   main().catch(err => {
-    console.error('[orchestrator] Fatal:', err.message);
+    // Match the structured ok:false stderr contract the rest of the surface
+    // uses so a JSON consumer gets a parseable envelope on the fatal path too.
+    console.error(JSON.stringify({ ok: false, verb: cmd, error: String((err && err.message) || err) }));
     process.exitCode = 1;
   });
 }