@blamejs/exceptd-skills 0.16.24 → 0.16.28

package/data/atlas-ttps.json

@@ -1,14 +1,14 @@
 {
   "_meta": {
     "schema_version": "1.0.0",
-    "atlas_version": "5.6.0",
-    "atlas_release_date": "2026-05-08",
+    "atlas_version": "2026.05",
+    "atlas_release_date": "2026-05-27",
     "secure_ai_v2_release_date": "2026-05-06",
     "secure_ai_v2_source": "https://ctid.mitre.org/blog/2026/05/06/secure-ai-v2-release",
-    "last_updated": "2026-05-19",
-    "last_threat_review": "2026-05-19",
+    "last_updated": "2026-06-10",
+    "last_threat_review": "2026-06-10",
     "source": "https://atlas.mitre.org",
-    "note": "AI-relevant ATLAS v5.6.0 TTPs with framework_gap field. framework_gap: no framework has a control that addresses this TTP. secure_ai_v2_layer flags entries included in the CTID Secure AI v2 layered set (May 2026); maturity reflects CTID's technique-maturity classification (low / moderate / high).",
+    "note": "AI-relevant ATLAS v2026.05 TTPs with framework_gap field. ATLAS content now follows a YYYY.MM calendar-versioning scheme; v2026.05 adds platform tags (Predictive AI, Generative AI, Agentic AI, Enterprise) to every technique, with no technique-ID removals or renames. framework_gap: no framework has a control that addresses this TTP. secure_ai_v2_layer flags entries included in the CTID Secure AI v2 layered set (May 2026); maturity reflects CTID's technique-maturity classification (low / moderate / high).",
     "tlp": "CLEAR",
     "source_confidence": {
       "scheme": "Admiralty (A-F + 1-6)",
@@ -21,7 +21,7 @@
       "rebuild_after_days": 365,
       "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
     },
-    "bulk_intake_note": " v0.13.18: +137 AML.* techniques from MITRE ATLAS STIX bundle (atlas-navigator-data dist/stix-atlas.json). Now tracking ATLAS v5.6.0 (May 2026 release). Auto-imported entries flagged _auto_imported:true + _intake_method:v0.13.18-bulk-mitre-atlas-stix for downstream curation."
+    "bulk_intake_note": " v0.13.18: +137 AML.* techniques from MITRE ATLAS STIX bundle (atlas-navigator-data dist/stix-atlas.json). Now tracking ATLAS v2026.05 (May 2026 release). Auto-imported entries flagged _auto_imported:true + _intake_method:v0.13.18-bulk-mitre-atlas-stix for downstream curation."
   },
   "AML.T0001": {
     "id": "AML.T0001",
@@ -536,7 +536,7 @@
       "Multiple production AI assistant prompt injection incidents 2025-2026"
     ],
     "framework_gap": true,
-    "framework_gap_detail": "No framework has a control for prompt injection as an access control failure vector. The attack uses the AI service account's authorized permissions — from AC-2's perspective, the access is authorized. MITRE ATLAS v5.6.0 documents the technique; no framework has implemented controls. OWASP LLM Top 10 documents the class; it is not incorporated in any compliance framework.",
+    "framework_gap_detail": "No framework has a control for prompt injection as an access control failure vector. The attack uses the AI service account's authorized permissions — from AC-2's perspective, the access is authorized. MITRE ATLAS v2026.05 documents the technique; no framework has implemented controls. OWASP LLM Top 10 documents the class; it is not incorporated in any compliance framework.",
     "controls_that_partially_help": [
       "NIST-800-53-AC-2",
       "ISO-27001-2022-A.8.28"

package/data/attack-techniques.json

@@ -1,13 +1,13 @@
 {
   "_meta": {
     "schema_version": "1.0.0",
-    "last_updated": "2026-05-19",
-    "last_threat_review": "2026-05-19",
-    "attack_version": "19.0",
-    "attack_version_date": "2026-04-28",
+    "last_updated": "2026-06-10",
+    "last_threat_review": "2026-06-10",
+    "attack_version": "19.1",
+    "attack_version_date": "2026-05-12",
     "tactic_split_note": "ATT&CK v19 split Defense Evasion (TA0005) into Stealth (TA0005) and Defense Impairment (TA0112). Entries here record their post-split tactic; entries whose tactic moved carry `tactic_moved_from: \"Defense Evasion\"` for traceability.",
     "detection_strategies_note": "ATT&CK v18 introduced Detection Strategies as first-class objects (691 strategies, 1739 analytics at v18 release). Entries reference applicable strategy IDs (DSxxxx) where the technique has canonical strategy coverage; absence does not imply lack of detection.",
-    "source": "https://attack.mitre.org — MITRE ATT&CK Enterprise + ICS, v19.0 (April 2026). Only techniques currently referenced by shipped exceptd skills and playbooks. The full ATT&CK matrix is intentionally not duplicated here; this is a resolution catalog for cross-reference validation, not a substitute for attack.mitre.org. See `npm run refresh-attack-techniques` (v0.13.0+) for the full corpus.",
+    "source": "https://attack.mitre.org — MITRE ATT&CK Enterprise + ICS, v19.1 (May 2026). Only techniques currently referenced by shipped exceptd skills and playbooks. The full ATT&CK matrix is intentionally not duplicated here; this is a resolution catalog for cross-reference validation, not a substitute for attack.mitre.org. See `npm run refresh-attack-techniques` (v0.13.0+) for the full corpus.",
     "tlp": "CLEAR",
     "source_confidence": {
       "scheme": "Admiralty (A-F + 1-6)",

package/data/framework-control-gaps.json

@@ -468,7 +468,7 @@
       "Treating 'Top 25 addressed' as a compliance signal creates a compliance-theatre risk for organisations with significant AI surface",
       "No cross-walk requirement to ATLAS TTPs — CWE addresses weaknesses; ATLAS addresses adversary techniques. Both are needed for AI coverage"
     ],
-    "real_requirement": "Programmes that claim 'Top 25 addressed' as compliance evidence must additionally: (1) enumerate AI-relevant CWEs outside the Top 25 (CWE-1426 Improper Output Validation, CWE-1039 Inadequate Detection of Adversarial Input, CWE-1230 Exposure of Sensitive Info Through Metadata) with explicit treatment, (2) cross-walk to ATLAS v5.6.0 TTPs for adversarial coverage, (3) re-baseline against the next-published Top 25 with delta analysis. Aligns with EU CRA Annex I, UK NCSC, AU ISM, ISO 27001 A.8.28.",
+    "real_requirement": "Programmes that claim 'Top 25 addressed' as compliance evidence must additionally: (1) enumerate AI-relevant CWEs outside the Top 25 (CWE-1426 Improper Output Validation, CWE-1039 Inadequate Detection of Adversarial Input, CWE-1230 Exposure of Sensitive Info Through Metadata) with explicit treatment, (2) cross-walk to ATLAS v2026.05 TTPs for adversarial coverage, (3) re-baseline against the next-published Top 25 with delta analysis. Aligns with EU CRA Annex I, UK NCSC, AU ISM, ISO 27001 A.8.28.",
     "status": "open",
     "opened_date": "2026-05-11",
     "evidence_cves": [],
@@ -1804,7 +1804,7 @@
       "LLM-API-as-C2 (SesameOp pattern, ATLAS AML.T0096) is not in the clause 6.1.2 example threat list — risk register templates omit it",
       "No requirement to link AI risk register entries to specific TTP IDs (ATLAS / ATT&CK) — risks remain framework-internal abstractions"
     ],
-    "real_requirement": "Clause 6.1.2 risk registers must (1) ingest ATLAS v5.6.0 TTPs as enumerated AI-specific threat sources, (2) cross-reference jurisdictional obligations (EU AI Act Annex III, NIS2 Art. 21, DORA Art. 28, UK CAF B4, AU ISM AI annex, ISO 27001:2022 A.5.7), (3) include AI-API-as-C2 and prompt-injection-as-RCE as named scenarios, (4) be re-run on threat-intel triggers, not only on calendar cycles.",
+    "real_requirement": "Clause 6.1.2 risk registers must (1) ingest ATLAS v2026.05 TTPs as enumerated AI-specific threat sources, (2) cross-reference jurisdictional obligations (EU AI Act Annex III, NIS2 Art. 21, DORA Art. 28, UK CAF B4, AU ISM AI annex, ISO 27001:2022 A.5.7), (3) include AI-API-as-C2 and prompt-injection-as-RCE as named scenarios, (4) be re-run on threat-intel triggers, not only on calendar cycles.",
     "status": "open",
     "opened_date": "2026-05-11",
     "evidence_cves": [],
@@ -7145,7 +7145,7 @@
     }
   },
   "ATLAS-AML.T0048": {
-    "framework": "MITRE ATLAS v5.6.0",
+    "framework": "MITRE ATLAS v2026.05",
     "control_id": "AML.T0048",
     "control_name": "External Harms — ML Supply Chain Compromise (bundled-codec / inference-server class)",
     "designed_for": "ATLAS AML.T0048 catalogues external harms from ML supply-chain compromise, including malicious model weights, poisoned training data, and compromised ML libraries. The technique-level guidance covers detection and mitigation at the model-artifact and library-consumption layer.",

package/lib/auto-discovery.js

@@ -31,6 +31,7 @@ const fs = require("fs");
 const path = require("path");
 const crypto = require("crypto");
 const { scoreCustom, RWEP_WEIGHTS, ACTIVE_EXPLOITATION_LADDER } = require("./scoring");
+const { selectNvdCvss } = require("./cvss");
 
 // Stored rwep_factors must reproduce the stored rwep_score.
 // `buildScoringInputs` is the single source of truth for both — it captures
@@ -187,16 +188,13 @@ function readCachedJson(cacheDir, source, id) {
 function extractNvdMetrics(payload) {
   const vuln = payload?.vulnerabilities?.[0]?.cve;
   if (!vuln) return null;
-  const m = vuln.metrics || {};
-  const ordered = [
-    ...(m.cvssMetricV31 || []),
-    ...(m.cvssMetricV30 || []),
-    ...(m.cvssMetricV2 || []),
-  ];
-  const primary = ordered.find((x) => x.type === "Primary") || ordered[0];
+  // Prefer the newest CVSS version (Primary within it) and normalize a bare
+  // v2 vector to its canonical prefix so an auto-imported draft never carries
+  // an unprefixed vector that the strict catalog validator would reject.
+  const up = selectNvdCvss(vuln.metrics);
   return {
-    cvss_score: typeof primary?.cvssData?.baseScore === "number" ? primary.cvssData.baseScore : null,
-    cvss_vector: primary?.cvssData?.vectorString || null,
+    cvss_score: up ? up.baseScore : null,
+    cvss_vector: up ? up.vector : null,
     description: (vuln.descriptions || []).find((d) => d.lang === "en")?.value || null,
     cwe_refs: ((vuln.weaknesses || [])
       .flatMap((w) => (w.description || []))

package/lib/cvss.js

@@ -0,0 +1,108 @@
+"use strict";
+/**
+ * lib/cvss.js
+ *
+ * Shared CVSS metric-selection and vector-normalization helpers for every
+ * site that ingests NIST NVD scoring (the cache-backed refresh diff, the
+ * live per-CVE validator, and the KEV auto-discovery importer).
+ *
+ * Two properties of NVD's data make naive ingestion lossy:
+ *
+ *   1. NVD tags the legacy CVSS v2 metric as `type: "Primary"` on pre-v3
+ *      CVEs, while a modern v3.1 re-score (often supplied by a CNA) rides as
+ *      `type: "Secondary"`. Selecting a metric by `type === "Primary"` alone
+ *      therefore picks the *older* v2 score over a newer v3.1 one — silently
+ *      downgrading a curated v3.1 entry to v2 on every refresh.
+ *
+ *   2. NVD's `cvssMetricV2` entries carry a bare base vector
+ *      ("AV:N/AC:L/Au:N/C:C/I:C/A:C") with no "CVSS:2.0/" prefix, whereas
+ *      v3.x/v4.0 carry the prefix. The catalog schema (and
+ *      validate-cve-catalog --strict) require the canonical "CVSS:<x.y>/"
+ *      prefix, so writing a bare v2 vector produces an invalid entry.
+ *
+ * `selectNvdCvss` resolves (1) by preferring the newest CVSS version present
+ * and choosing Primary only *within* that version; it resolves (2) by
+ * normalizing the returned vector. Callers additionally guard against
+ * cross-version downgrades using `cvssVersionOf` on the locally-curated
+ * vector.
+ *
+ * Zero npm deps. Node stdlib only.
+ */
+
+// A bare (unprefixed) CVSS v2 base vector. v2 is the only version NVD emits
+// without a "CVSS:x/" prefix, and its grammar carries the Au: (Authentication)
+// metric that v3/v4 dropped — the unambiguous discriminator for a bare v2.
+const BARE_V2_RE = /^AV:[NAL]\/AC:[HML]\/Au:[MSN]\//;
+
+// The four canonical version prefixes the catalog accepts (mirrors
+// validate-cve-catalog.js STRICT_CVSS_PATTERN).
+const PREFIXED_RE = /^CVSS:(2\.0|3\.0|3\.1|4\.0)\//;
+
+/**
+ * The CVSS version a vector declares, as a comparable number (2.0 < 3.0 < 3.1
+ * < 4.0). Recognizes the four canonical "CVSS:x.y/" prefixes plus NVD's bare
+ * v2 base vector. Returns null for anything unrecognized so callers can treat
+ * an unknown version as "do not block" rather than mis-suppressing a diff.
+ *
+ * @param {string} vector
+ * @returns {number|null}
+ */
+function cvssVersionOf(vector) {
+  if (typeof vector !== "string" || vector.length === 0) return null;
+  const m = vector.match(PREFIXED_RE);
+  if (m) return Number(m[1]);
+  if (BARE_V2_RE.test(vector)) return 2.0;
+  return null;
+}
+
+/**
+ * Ensure a vector carries a canonical "CVSS:x.y/" prefix. A bare v2 base
+ * vector is prefixed with "CVSS:2.0/"; already-prefixed vectors (and anything
+ * unrecognized) pass through unchanged. The output of a recognized vector
+ * always satisfies validate-cve-catalog --strict.
+ *
+ * @param {string} vector
+ * @returns {string}
+ */
+function normalizeCvssVector(vector) {
+  if (typeof vector !== "string" || vector.length === 0) return vector;
+  if (PREFIXED_RE.test(vector)) return vector;
+  if (BARE_V2_RE.test(vector)) return `CVSS:2.0/${vector}`;
+  return vector;
+}
+
+/**
+ * Select the most authoritative CVSS metric from an NVD `metrics` object.
+ * Prefers the newest CVSS version present (4.0 > 3.1 > 3.0 > 2.0); within the
+ * chosen version prefers NVD's "Primary" analyst score over a "Secondary"
+ * (CNA) one, falling back to the first entry when no Primary exists in that
+ * version. The returned vector is normalized to the canonical prefix form.
+ *
+ * @param {object} metrics  The `vulnerabilities[0].cve.metrics` object.
+ * @returns {{version:number|null, baseScore:number|null, vector:string|null, source:string|null}|null}
+ */
+function selectNvdCvss(metrics) {
+  const m = metrics || {};
+  const buckets = [
+    [4.0, m.cvssMetricV40],
+    [3.1, m.cvssMetricV31],
+    [3.0, m.cvssMetricV30],
+    [2.0, m.cvssMetricV2],
+  ];
+  for (const [bucketVersion, bucket] of buckets) {
+    const arr = Array.isArray(bucket) ? bucket : [];
+    if (arr.length === 0) continue;
+    const chosen = arr.find((x) => x && x.type === "Primary") || arr[0];
+    const data = chosen && chosen.cvssData ? chosen.cvssData : null;
+    const declared = data && data.version != null ? Number(data.version) : null;
+    return {
+      version: Number.isFinite(declared) ? declared : bucketVersion,
+      baseScore: typeof data?.baseScore === "number" ? data.baseScore : null,
+      vector: data?.vectorString ? normalizeCvssVector(data.vectorString) : null,
+      source: chosen && chosen.source ? chosen.source : null,
+    };
+  }
+  return null;
+}
+
+module.exports = { cvssVersionOf, normalizeCvssVector, selectNvdCvss };

package/lib/prefetch.js

@@ -108,7 +108,7 @@ const SOURCES = {
 };
 
 function parseArgs(argv) {
-  const out = { maxAgeMs: 24 * 3600 * 1000, source: null, force: false, noNetwork: false, cacheDir: DEFAULT_CACHE, quiet: false, help: false };
+  const out = { maxAgeMs: 24 * 3600 * 1000, source: null, force: false, noNetwork: false, cacheDir: DEFAULT_CACHE, quiet: false, help: false, maxErrors: 0 };
   for (let i = 2; i < argv.length; i++) {
     const a = argv[i];
     if (a === "--force") out.force = true;
@@ -121,6 +121,12 @@ function parseArgs(argv) {
     else if (a.startsWith("--max-age=")) out.maxAgeMs = parseDuration(a.slice("--max-age=".length));
     else if (a === "--cache-dir") out.cacheDir = path.resolve(argv[++i]);
     else if (a.startsWith("--cache-dir=")) out.cacheDir = path.resolve(a.slice("--cache-dir=".length));
+    // Per-entry fetch-error tolerance. An integer is an absolute budget; an
+    // "<N>%" string is a fraction of the planned fetch count. A malformed
+    // value is recorded as an arg error so main() refuses with exit 2 rather
+    // than silently falling back to an unbounded tolerance.
+    else if (a === "--max-errors") { try { out.maxErrors = parseErrorThreshold(argv[++i]); } catch (e) { out._argError = e.message; } }
+    else if (a.startsWith("--max-errors=")) { try { out.maxErrors = parseErrorThreshold(a.slice("--max-errors=".length)); } catch (e) { out._argError = e.message; } }
     // Any remaining --flag is an unrecognized typo. Record it; main() refuses
     // before any network work rather than silently dropping it.
     else if (typeof a === "string" && a.startsWith("--")) {
@@ -145,6 +151,73 @@ function parseDuration(s) {
   return n * mult;
 }
 
+// Parse a --max-errors value into either an absolute integer budget or a
+// percentage marker ("<N>%"). Throws on anything else so a typo can't degrade
+// into an unbounded tolerance.
+function parseErrorThreshold(s) {
+  const str = String(s == null ? "" : s).trim();
+  const m = str.match(/^(\d+)(%?)$/);
+  if (!m) throw new Error(`prefetch: invalid --max-errors "${s}" (expected an integer or a percentage like "50" or "5%")`);
+  return m[2] === "%" ? `${m[1]}%` : Number(m[1]);
+}
+
+// Total entries a run planned to fetch (fetched + skipped-fresh + errored).
+// The denominator for a percentage error budget.
+function plannedCount(result) {
+  if (!result) return 0;
+  return (result.fetched || 0) + (result.skipped_fresh || 0) + (result.errors || 0);
+}
+
+// Resolve a --max-errors value (absolute number, "<N>%" string, or null) into
+// an absolute count against the planned total.
+function errorBudget(maxErrors, planned) {
+  if (maxErrors == null) return 0;
+  if (typeof maxErrors === "number") return Number.isFinite(maxErrors) ? maxErrors : 0;
+  const m = String(maxErrors).match(/^(\d+)%$/);
+  if (m) return Math.floor((Number(m[1]) / 100) * (planned || 0));
+  const n = Number(maxErrors);
+  return Number.isFinite(n) ? n : 0;
+}
+
+// Decide prefetch's 0-vs-1 exit code from a completed run. Per-entry fetch
+// errors are counted only after the job queue exhausts its retries, so they
+// are genuine failures — but a best-effort cache warm should tolerate a few
+// transient upstream misses. `opts.maxErrors` is the budget (default 0, so any
+// error exits 1 — the strict contract a manual operator expects). Fatal
+// errors (bad flags, an unhandled throw) are handled in main() and exit 2.
+function exitCodeForResult(result, opts = {}) {
+  const errors = (result && result.errors) || 0;
+  if (errors === 0) return 0;
+  // A source that landed no usable entries this run — nothing freshly fetched
+  // and nothing already fresh in the cache, yet errors recorded — is entirely
+  // unreachable, and the refresh would silently skip it. A dead KEV feed is
+  // only one error (well under any global budget) but means the run missed
+  // every new KEV flag. Fail regardless of the budget so a single fully-dead
+  // feed can't pass quietly.
+  const bySource = (result && result.by_source) || {};
+  for (const s of Object.values(bySource)) {
+    if (s && (s.errors || 0) > 0 && (s.fetched || 0) === 0 && (s.skipped_fresh || 0) === 0) {
+      return 1;
+    }
+  }
+  const budget = errorBudget(opts.maxErrors, plannedCount(result));
+  return errors > budget ? 1 : 0;
+}
+
+// One-line run summary. When a run has errors, names the per-source counts so
+// "1 error(s)" in a --quiet log is actionable instead of a blind count.
+function formatSummary(result, opts = {}) {
+  let line = `prefetch summary: ${result.fetched} fetched, ${result.skipped_fresh} fresh, ${result.errors} error(s)`;
+  if (result.errors > 0 && result.by_source) {
+    const parts = Object.entries(result.by_source)
+      .filter(([, s]) => s && s.errors > 0)
+      .map(([name, s]) => `${name}=${s.errors}`);
+    if (parts.length) line += ` [${parts.join(", ")}]`;
+  }
+  if (opts.noNetwork) line += " (dry-run)";
+  return line;
+}
+
 function printHelp() {
   console.log(`prefetch — warm a local cache of every upstream artifact this project consumes.
 
@@ -589,7 +662,10 @@ async function prefetch(options = {}) {
       .catch((err) => {
         result.errors++;
         result.by_source[item.source].errors++;
-        log(`  [${item.source}] ${item.id} — error: ${err.message}`);
+        // Errors go to stderr unconditionally — they are diagnostics, not the
+        // per-entry success chatter --quiet suppresses. A CI run with --quiet
+        // still surfaces which source/id failed.
+        console.error(`  [${item.source}] ${item.id} — error: ${err.message}`);
       });
   });
 
@@ -618,7 +694,7 @@ async function prefetch(options = {}) {
   // (the noisy part) but the operator still needs one line confirming success.
   // Without this, --quiet + --no-network was zero output even on dry-run
   // success, leaving operators unsure if the command had run at all.
-  console.log(`prefetch summary: ${result.fetched} fetched, ${result.skipped_fresh} fresh, ${result.errors} error(s)${opts.noNetwork ? " (dry-run)" : ""}`);
+  console.log(formatSummary(result, { noNetwork: opts.noNetwork }));
   return result;
 }
 
@@ -683,7 +759,7 @@ function readCached(cacheDir, source, id, opts = {}) {
 // message's known list.
 const PREFETCH_KNOWN_FLAGS = Object.freeze([
   "--force", "--no-network", "--dry-run", "--air-gap", "--quiet", "--help", "-h",
-  "--source", "--max-age", "--cache-dir",
+  "--source", "--max-age", "--cache-dir", "--max-errors",
 ]);
 
 async function main() {
@@ -693,6 +769,19 @@ async function main() {
     return;
   }
 
+  // A malformed --max-errors value is a usage error — refuse with exit 2
+  // (prefetch's usage-error convention) rather than running with an
+  // unintended tolerance.
+  if (opts._argError) {
+    process.stderr.write(JSON.stringify({
+      ok: false,
+      verb: "prefetch",
+      error: opts._argError,
+    }) + "\n");
+    process.exitCode = 2;
+    return;
+  }
+
   // Reject unknown flags BEFORE any network work. A swallowed typo (e.g.
   // `--max-aeg 12h`) previously fell through to a default full-cache fetch.
   // Exit 2 matches prefetch's existing usage-error convention (invalid
@@ -723,7 +812,7 @@ async function main() {
   // the `ci` #100 stdout-flush regression.
   try {
     const result = await prefetch(opts);
-    process.exitCode = result.errors > 0 ? 1 : 0;
+    process.exitCode = exitCodeForResult(result, opts);
   } catch (err) {
     console.error(`prefetch: fatal: ${err.message}`);
     process.exitCode = 2;
@@ -736,6 +825,9 @@ module.exports = {
   prefetch,
   readCached,
   parseArgs,
+  parseErrorThreshold,
+  exitCodeForResult,
+  formatSummary,
   SOURCES,
   DEFAULT_CACHE,
   // Ed25519 _index.json signing + verification. Exported so

package/lib/refresh-external.js

@@ -38,6 +38,7 @@
 const fs = require("fs");
 const path = require("path");
 const { execFileSync } = require("child_process");
+const { selectNvdCvss, cvssVersionOf } = require("./cvss");
 
 const ROOT = path.join(__dirname, "..");
 const ABS = (p) => path.join(ROOT, p);
@@ -109,13 +110,17 @@ function parseArgs(argv) {
     // older than 7d or one that was prefetched without a signing keypair.
     // EXCEPTD_FORCE_STALE=1 mirrors for non-interactive automation.
     else if (a === "--force-stale") out.forceStale = true;
-    // Aliases that bin/exceptd.js may pass through or translate; accept them
-    // here so the unknown-flag guard below doesn't false-reject a legitimate
-    // operator invocation. (--no-network / --indexes-only / --network /
-    // --curate / --prefetch are normally rewritten upstream, but tolerate
-    // them when refresh-external is invoked directly.)
+    // --prefetch / --no-network are prefetch-cache operations. Capture them so
+    // main() can delegate to lib/prefetch.js (the same routing bin/exceptd.js
+    // performs) when this script is invoked directly — otherwise the help
+    // text's "report-only, no cache write" promise for --no-network is a lie
+    // on the direct path, which would fall through to the live refresh loop.
+    else if (a === "--no-network") { out.noNetwork = true; }
+    else if (a === "--prefetch") { out.prefetch = true; }
+    // Remaining bin-translated aliases are tolerated as no-ops at this layer
+    // so the unknown-flag guard below doesn't false-reject them.
     else if (
-      a === "--no-network" || a === "--prefetch" || a === "--indexes-only" ||
+      a === "--indexes-only" ||
       a === "--network" || a === "--curate" || a === "--force-stale-acked"
     ) { /* accepted, no-op at this layer */ }
     // Any remaining --flag is an unrecognized typo. Record it; refuse after
@@ -148,8 +153,10 @@ Modes:
                      place. Same trust anchor as \`npm update -g\`, only the
                      data slice changes — useful when you want fresher
                      intel without re-resolving CLI/lib code.
-  --prefetch         (alias: --no-network) populate the cache for offline use.
-                     Equivalent to \`exceptd prefetch\`.
+  --prefetch         populate the cache for offline use. Equivalent to
+                     \`exceptd prefetch\`.
+  --no-network       report-only: list what would be fetched, WITHOUT writing
+                     the cache (the dry-run opposite of --prefetch).
   --from-cache [<p>] read from prefetch cache (default .cache/upstream).
                      Combine with --apply to upsert against cached data
                      entirely offline. Cache must be pre-populated via --prefetch.
@@ -926,17 +933,27 @@ function nvdDiffFromCache(ctx) {
     if (!payload) { errors++; continue; }
     const vuln = payload.vulnerabilities?.[0]?.cve;
     if (!vuln) continue;
-    const m = vuln.metrics || {};
-    const ordered = [...(m.cvssMetricV31 || []), ...(m.cvssMetricV30 || []), ...(m.cvssMetricV2 || [])];
-    const primary = ordered.find((x) => x.type === "Primary") || ordered[0];
-    const upScore = typeof primary?.cvssData?.baseScore === "number" ? primary.cvssData.baseScore : null;
-    const upVector = primary?.cvssData?.vectorString || null;
+    // Prefer the newest CVSS version NVD publishes (Primary within that
+    // version), and normalize a bare v2 vector to its canonical prefix.
+    const up = selectNvdCvss(vuln.metrics);
+    if (!up) continue;
     const local = ctx.cveCatalog[id];
-    if (upScore != null && local.cvss_score != null && Math.abs(upScore - local.cvss_score) > 0.05) {
-      diffs.push({ id, field: "cvss_score", before: local.cvss_score, after: upScore, severity: "high" });
-    }
-    if (upVector && local.cvss_vector && upVector !== local.cvss_vector) {
-      diffs.push({ id, field: "cvss_vector", before: local.cvss_vector, after: upVector, severity: "medium" });
+    // Never regress a curated higher-version CVSS to an older upstream metric.
+    // NVD keeps many pre-2016 CVEs at v2 only (or tags v2 "Primary" over a
+    // v3.1 "Secondary"); the catalog has been curated to v3.1. When the
+    // selected upstream metric is an older CVSS version than the curated one,
+    // suppress both the score and the vector diff. A same-version drift (a
+    // genuine NVD re-score) still flows through.
+    const localVersion = cvssVersionOf(local.cvss_vector);
+    const isDowngrade =
+      up.version != null && localVersion != null && up.version < localVersion;
+    if (!isDowngrade) {
+      if (up.baseScore != null && local.cvss_score != null && Math.abs(up.baseScore - local.cvss_score) > 0.05) {
+        diffs.push({ id, field: "cvss_score", before: local.cvss_score, after: up.baseScore, severity: "high" });
+      }
+      if (up.vector && local.cvss_vector && up.vector !== local.cvss_vector) {
+        diffs.push({ id, field: "cvss_vector", before: local.cvss_vector, after: up.vector, severity: "medium" });
+      }
     }
   }
   const status = errors === 0 ? "ok" : errors === cves.length ? "unreachable" : "partial";
@@ -1099,15 +1116,16 @@ function loadCtx(opts) {
     const abs = path.resolve(opts.fromCache);
     ctx.cacheDir = abs;
     if (!fs.existsSync(abs)) {
-      // v0.11.14 (#129): operators following the website's air-gap workflow
-      // hit this with an unhelpful "path does not exist" stack trace. The
-      // cache is populated by `exceptd refresh --no-network` (which routes
-      // to prefetch). Tell them exactly that, and emit a structured JSON
-      // error to stderr instead of a fatal stack trace.
+      // Operators following the air-gap workflow hit this with an unhelpful
+      // "path does not exist" stack trace. The cache is populated by
+      // `exceptd refresh --prefetch` (which routes to prefetch) — NOT by
+      // `--no-network`, which is the report-only dry run that writes nothing.
+      // Tell them exactly that, and emit a structured JSON error to stderr
+      // instead of a fatal stack trace.
       const err = new Error(
         `refresh: --from-cache path does not exist: ${abs}\n` +
-        `Hint: the cache is populated by running \`exceptd refresh --no-network\` (or \`exceptd refresh --prefetch\`) ` +
-        `on a connected host first. Air-gap workflow: (1) on connected host: \`exceptd refresh --no-network\`, ` +
+        `Hint: the cache is populated by running \`exceptd refresh --prefetch\` ` +
+        `on a connected host first. Air-gap workflow: (1) on connected host: \`exceptd refresh --prefetch\`, ` +
         `(2) copy .cache/upstream/ across the boundary, (3) on offline host: \`exceptd refresh --from-cache --apply\`.`
       );
       err._exceptd_hint = true;
@@ -1526,6 +1544,24 @@ async function main() {
     return;
   }
 
+  // `--prefetch` / `--no-network` are prefetch-cache operations. The operator
+  // path (bin/exceptd.js) routes them to lib/prefetch.js; when this script is
+  // invoked directly, delegate the SAME way so behavior matches the help text:
+  // --prefetch populates the cache, --no-network is a report-only dry run that
+  // writes nothing. Without this, the direct path fell through to the live
+  // refresh loop and could egress + write refresh-report.json despite
+  // --no-network.
+  if (opts.prefetch || opts.noNetwork) {
+    const { spawnSync } = require("child_process");
+    const pfArgs = [require.resolve("./prefetch.js")];
+    if (opts.noNetwork) pfArgs.push("--no-network");
+    if (opts.source) pfArgs.push("--source", opts.source);
+    if (opts.quiet) pfArgs.push("--quiet");
+    const r = spawnSync(process.execPath, pfArgs, { stdio: "inherit" });
+    process.exitCode = r.status == null ? 1 : r.status;
+    return;
+  }
+
   // v0.12.0: `--advisory <id>` short-circuits the normal source loop and
   // seeds a single CVE catalog entry from GHSA. Exits non-zero ("draft
   // written, please review") so CI pipelines surface the needed editorial
@@ -1703,4 +1739,4 @@ if (require.main === module) {
   });
 }
 
-module.exports = { ALL_SOURCES, loadCtx, parseArgs, seedSingleAdvisory, withCatalogLock, writeJsonAtomic };
+module.exports = { ALL_SOURCES, loadCtx, parseArgs, seedSingleAdvisory, withCatalogLock, writeJsonAtomic, nvdDiffFromCache };

package/lib/schemas/manifest.schema.json

@@ -19,7 +19,7 @@
     "description": { "type": "string", "minLength": 1 },
     "homepage": { "type": "string", "format": "uri" },
     "license": { "type": "string", "minLength": 1 },
-    "atlas_version": { "type": "string", "pattern": "^[0-9]+\\.[0-9]+\\.[0-9]+$" },
+    "atlas_version": { "type": "string", "pattern": "^([0-9]{4}\\.[0-9]{2}(\\.[0-9]+)?|[0-9]+\\.[0-9]+\\.[0-9]+)$", "description": "ATLAS pin: CalVer YYYY.MM[.N] (current upstream scheme since v2026.05) or legacy 3-part semver." },
     "threat_review_date": { "type": "string", "pattern": "^[0-9]{4}-[0-9]{2}-[0-9]{2}$" },
     "sources_dir": { "type": "string" },
     "agents_dir": { "type": "string" },

package/lib/schemas/skill-frontmatter.schema.json

@@ -52,7 +52,7 @@
         "type": "string",
         "pattern": "^AML\\.T[0-9]{4}(\\.[0-9]{3})?$"
       },
-      "description": "MITRE ATLAS TTP IDs at the pinned version (currently v5.6.0)."
+      "description": "MITRE ATLAS TTP IDs at the pinned version (currently v2026.05)."
     },
     "attack_refs": {
       "type": "array",

package/lib/version-pins.js

@@ -30,9 +30,9 @@
  * operator must read.
  *
  * API:
- *   getAtlasVersion() → "5.6.0"
- *   getAttackVersion() → "19.0"
- *   getAtlasReleaseDate() → "2026-05-08"
+ *   getAtlasVersion() → "2026.05"
+ *   getAttackVersion() → "19.1"
+ *   getAtlasReleaseDate() → "2026-05-27"
  *   getAllPins() → { atlas_version, atlas_release_date, attack_version, ... }
  */
 

package/manifest-snapshot.json

@@ -1,7 +1,7 @@
 {
   "_comment": "Auto-generated by scripts/refresh-manifest-snapshot.js — do not hand-edit. Public skill surface used by check-manifest-snapshot.js to detect breaking removals.",
-  "_generated_at": "2026-06-05T18:14:35.343Z",
-  "atlas_version": "5.6.0",
+  "_generated_at": "2026-06-10T15:20:38.137Z",
+  "atlas_version": "2026.05",
   "skill_count": 51,
   "skills": [
     {

package/manifest-snapshot.sha256

@@ -1 +1 @@
-507b7d47541c9a338602aee3fcedac2233ca1c0046bd41735adbf5b87cd0f50b  manifest-snapshot.json
+b4e322034ba1ebafa3e706772a9cada8131a52adc42197ecda1705bb13d2b131  manifest-snapshot.json