@blamejs/exceptd-skills 0.16.25 → 0.16.28

Files changed (66) hide show
  1. package/AGENTS.md +5 -5
  2. package/ARCHITECTURE.md +3 -3
  3. package/CHANGELOG.md +14 -0
  4. package/CONTEXT.md +2 -2
  5. package/README.md +5 -5
  6. package/agents/threat-researcher.md +2 -2
  7. package/data/_indexes/_meta.json +39 -39
  8. package/data/_indexes/activity-feed.json +240 -240
  9. package/data/_indexes/catalog-summaries.json +3 -3
  10. package/data/_indexes/currency.json +64 -64
  11. package/data/_indexes/recipes.json +1 -1
  12. package/data/_indexes/section-offsets.json +510 -510
  13. package/data/_indexes/summary-cards.json +33 -33
  14. package/data/_indexes/token-budget.json +200 -200
  15. package/data/atlas-ttps.json +7 -7
  16. package/data/attack-techniques.json +5 -5
  17. package/data/framework-control-gaps.json +3 -3
  18. package/lib/auto-discovery.js +7 -9
  19. package/lib/cvss.js +108 -0
  20. package/lib/prefetch.js +97 -5
  21. package/lib/refresh-external.js +22 -11
  22. package/lib/schemas/manifest.schema.json +1 -1
  23. package/lib/schemas/skill-frontmatter.schema.json +1 -1
  24. package/lib/version-pins.js +3 -3
  25. package/manifest-snapshot.json +2 -2
  26. package/manifest-snapshot.sha256 +1 -1
  27. package/manifest.json +124 -124
  28. package/package.json +1 -1
  29. package/sbom.cdx.json +133 -118
  30. package/scripts/builders/catalog-summaries.js +1 -1
  31. package/scripts/builders/recipes.js +1 -1
  32. package/scripts/run-e2e-scenarios.js +48 -17
  33. package/skills/age-gates-child-safety/skill.md +3 -3
  34. package/skills/ai-attack-surface/skill.md +4 -4
  35. package/skills/ai-c2-detection/skill.md +5 -5
  36. package/skills/api-security/skill.md +2 -2
  37. package/skills/attack-surface-pentest/skill.md +4 -4
  38. package/skills/cloud-security/skill.md +3 -3
  39. package/skills/compliance-theater/skill.md +3 -3
  40. package/skills/container-runtime-security/skill.md +3 -3
  41. package/skills/coordinated-vuln-disclosure/skill.md +2 -2
  42. package/skills/defensive-countermeasure-mapping/skill.md +3 -3
  43. package/skills/dlp-gap-analysis/skill.md +5 -5
  44. package/skills/exploit-scoring/skill.md +2 -2
  45. package/skills/framework-gap-analysis/skill.md +4 -4
  46. package/skills/fuzz-testing-strategy/skill.md +2 -2
  47. package/skills/incident-response-playbook/skill.md +3 -3
  48. package/skills/mcp-agent-trust/skill.md +2 -2
  49. package/skills/mlops-security/skill.md +3 -3
  50. package/skills/ot-ics-security/skill.md +3 -3
  51. package/skills/policy-exception-gen/skill.md +3 -3
  52. package/skills/pqc-first/skill.md +2 -2
  53. package/skills/rag-pipeline-security/skill.md +4 -4
  54. package/skills/ransomware-response/skill.md +2 -2
  55. package/skills/sector-energy/skill.md +2 -2
  56. package/skills/sector-federal-government/skill.md +2 -2
  57. package/skills/sector-financial/skill.md +4 -4
  58. package/skills/sector-healthcare/skill.md +3 -3
  59. package/skills/security-maturity-tiers/skill.md +1 -1
  60. package/skills/skill-update-loop/skill.md +6 -6
  61. package/skills/supply-chain-integrity/skill.md +2 -2
  62. package/skills/threat-model-currency/skill.md +8 -8
  63. package/skills/threat-modeling-methodology/skill.md +2 -2
  64. package/skills/webapp-security/skill.md +2 -2
  65. package/skills/zeroday-gap-learn/skill.md +3 -3
  66. package/sources/validators/cve-validator.js +12 -13
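--- a/package/skills/policy-exception-gen/skill.md
+++ b/package/skills/policy-exception-gen/skill.md
@@ -23,7 +23,7 @@ forward_watch:
 - EU CRA exceptions for AI pipeline components
 - NIST SP 800-204 series updates for microservices
 - FedRAMP updates for container/serverless authorization
-last_threat_review: "2026-05-22"
+last_threat_review: "2026-06-10"
 ---
 
 # Policy Exception Generation
@@ -88,7 +88,7 @@ This skill's exceptions exist precisely because the framework language has not c
 
 ---
 
-## TTP Mapping (MITRE ATLAS v5.6.0 and ATT&CK)
+## TTP Mapping (MITRE ATLAS v2026.05 and ATT&CK)
 
 A granted exception does not remove the threat — it shifts the burden onto compensating controls. For each exception in this skill, the residual TTPs the compensating controls MUST still disrupt:
 
@@ -99,7 +99,7 @@ A granted exception does not remove the threat — it shifts the burden onto com
 | Exception 3 — Zero Trust Architecture Network Segmentation | T1021 (Remote Services), T1570 (Lateral Tool Transfer), T1078 (Valid Accounts), T1199 (Trusted Relationship) | Workload identity (SPIFFE/SPIRE), per-request mTLS, device-posture verification, east-west behavioral analytics |
 | Exception 4 — Critical Systems No-Reboot Kernel Patching | T1068 (Exploitation for Privilege Escalation — Copy Fail class), T1548.001 (Setuid and Setgid), T1611 (Escape to Host) | Live kernel patch deployed and verified (`kpatch list` / `canonical-livepatch status`), eBPF/auditd exploitation-pattern rules, network-layer isolation if no live patch available, scheduled reboot window |
 
-The TTP source-of-truth is `data/atlas-ttps.json` (MITRE ATLAS v5.6.0, May 2026) supplemented by ATT&CK Enterprise. No orphaned controls: no exception in this skill is granted without an enumerated residual-TTP set; an exception with no listed residual is theater.
+The TTP source-of-truth is `data/atlas-ttps.json` (MITRE ATLAS v2026.05, May 2026) supplemented by ATT&CK Enterprise. No orphaned controls: no exception in this skill is granted without an enumerated residual-TTP set; an exception with no listed residual is theater.
 
 ---
 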
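--- a/package/skills/pqc-first/skill.md
+++ b/package/skills/pqc-first/skill.md
@@ -53,7 +53,7 @@ cwe_refs:
 d3fend_refs:
 - D3-FE
 - D3-MENCR
-last_threat_review: "2026-05-22"
+last_threat_review: "2026-06-10"
 ---
 
 # PQC-First Mentality
@@ -139,7 +139,7 @@ This skill addresses a **future-state attack class** that is not yet represented
 |---|---|---|
 | MITRE ATT&CK T1557 (Adversary-in-the-Middle) | Partial — operational family | T1557 covers AitM credential capture and traffic interception. The capture half of HNDL falls into T1557 operationally; the later decrypt phase has no ATT&CK technique. |
 | MITRE ATT&CK T1040 (Network Sniffing) | Partial — capture phase | Covers passive traffic capture. Does not cover the strategic-archive intent of HNDL, where the captured data has no immediate use and is stored for future decryption. |
-| MITRE ATT&CK — "Cryptanalysis via CRQC" | **MISSING** | No technique presently captures CRQC-enabled decryption of previously-captured ciphertext. Known gap through ATT&CK v19.0 (April 2026). |
+| MITRE ATT&CK — "Cryptanalysis via CRQC" | **MISSING** | No technique presently captures CRQC-enabled decryption of previously-captured ciphertext. Known gap through ATT&CK v19.1 (May 2026). |
 | MITRE ATLAS | **MISSING (out of scope)** | ATLAS scope is ML/AI system attacks. CRQC cryptanalysis is not in ATLAS scope. |
 | CAPEC-114 (Authentication Abuse) | Indirect | Forged signatures via broken signature scheme would manifest as authentication abuse, but CAPEC does not enumerate "signature scheme broken by CRQC" as a precondition. |
 | CAPEC-475 (Signature Spoofing by Improper Validation) | Indirect | Same — the post-CRQC equivalent has no CAPEC entry. |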
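--- a/package/skills/rag-pipeline-security/skill.md
+++ b/package/skills/rag-pipeline-security/skill.md
@@ -41,7 +41,7 @@ d3fend_refs:
 - D3-NTA
 forward_watch:
 - Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — Chroma vector DB CWE-190 + CWE-362 chain by haehae; impacts RAG vector store integrity (integer overflow + race condition); track patch and downstream RAG pipeline advisory
-last_threat_review: "2026-05-22"
+last_threat_review: "2026-06-10"
 ---
 
 # RAG Pipeline Security Assessment
@@ -182,9 +182,9 @@ This attack requires:
 
 ---
 
-## TTP Mapping (MITRE ATLAS v5.6.0)
+## TTP Mapping (MITRE ATLAS v2026.05)
 
-Descriptions sourced verbatim from `data/atlas-ttps.json` (ATLAS v5.6.0, released 2026-05-08). Partial-coverage controls from `data/framework-control-gaps.json`.
+Descriptions sourced verbatim from `data/atlas-ttps.json` (ATLAS v2026.05, released 2026-05-27). Partial-coverage controls from `data/framework-control-gaps.json`.
 
 | ATLAS ID | ATLAS Name | RAG Attack Class | Control Gap That Lets It Land | Controls That Partially Cover It |
 |---|---|---|---|---|
@@ -198,7 +198,7 @@ Descriptions sourced verbatim from `data/atlas-ttps.json` (ATLAS v5.6.0, release
 
 ## Exploit Availability Matrix
 
-**No CVE catalog entry as of 2026-05 maps directly to RAG embedding manipulation, vector store poisoning, or RAG indirect prompt injection.** These attack classes are tracked via MITRE ATLAS TTPs (v5.6.0) and public incident reporting rather than vendor CVEs, because they exploit architectural properties of the RAG pattern rather than a single vendor's implementation flaw. `data/exploit-availability.json` therefore has no RAG-specific rows; the rows below source ATLAS `real_world_instances` and the framework-gap entries.
+**No CVE catalog entry as of 2026-05 maps directly to RAG embedding manipulation, vector store poisoning, or RAG indirect prompt injection.** These attack classes are tracked via MITRE ATLAS TTPs (v2026.05) and public incident reporting rather than vendor CVEs, because they exploit architectural properties of the RAG pattern rather than a single vendor's implementation flaw. `data/exploit-availability.json` therefore has no RAG-specific rows; the rows below source ATLAS `real_world_instances` and the framework-gap entries.
 
 | ATLAS Technique | PoC / Public Demo Available? | CISA KEV? | AI-Accelerated? | Patch Available? | Reboot / Version Bump Required? |
 |---|---|---|---|---|---|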
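--- a/package/skills/ransomware-response/skill.md
+++ b/package/skills/ransomware-response/skill.md
@@ -62,7 +62,7 @@ forward_watch:
 - HIPAA Security Rule update (NPRM late 2024 → final rule expected 2026) — explicit ransomware-recovery and encryption-at-rest requirements
 - No More Ransom Project decryptor releases — affiliate-takedown decryptor drops (Operation Cronos LockBit decryptor, BlackCat post-exit-scam decryptors)
 - SCOTUS or circuit-court rulings on ransomware payment, sanctions liability, and insurance-policy enforcement
-last_threat_review: "2026-05-22"
+last_threat_review: "2026-06-10"
 ---
 
 # Ransomware Response Playbook
@@ -129,7 +129,7 @@ Cross-cutting gap: **no security framework treats the four ransomware-specific d
 
 Shadow Copy deletion and exfil-staging via Web Service align to the parent IR playbook's `T1486` and `T1567` entries; the parent's `AML.T0096 / T0017 / T0051` entries do not apply to ransomware-as-a-class but may apply if AI-system data is exfiltrated within the ransomware operation.
 
-ATLAS pinned to v5.6.0 (May 2026). ATT&CK pinned to v19.0 (April 2026). Both are explicit version pins — never silently upgraded.
+ATLAS pinned to v2026.05 (May 2026). ATT&CK pinned to v19.1 (May 2026). Both are explicit version pins — never silently upgraded.
 
 ---
 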
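--- a/package/skills/sector-energy/skill.md
+++ b/package/skills/sector-energy/skill.md
@@ -56,7 +56,7 @@ forward_watch:
 - UL 2941 (DER cybersecurity) and IEEE 1547.3-2023 (DER cyber) adoption into US state PUC interconnection rules
 - MadIoT-class research on consumer-IoT-driven grid frequency manipulation moving from proof-of-concept to attributed campaigns
 - ICS-CERT advisory feed (https://www.cisa.gov/news-events/cybersecurity-advisories/ics-advisories) for vendor CVEs in Siemens, Rockwell, Schneider Electric, ABB, GE Vernova, Hitachi Energy, AVEVA / OSIsoft PI
-last_threat_review: "2026-05-11"
+last_threat_review: "2026-06-10"
 discovery_mode: "standalone" # operator-reached via `exceptd brief sector-energy` or `exceptd ask`; not chained into any playbook's direct.skill_chain by design
 ---
 
@@ -133,7 +133,7 @@ Energy-sector TTPs span ATT&CK for ICS, ATT&CK Enterprise (for the IT side of th
 | Hard-coded / shared / default credentials in energy assets | CWE-798 | CWE | Vendor default credentials on PLC, RTU, smart inverter, smart meter, EVSE, OCPP back-end; shared substation operator accounts | NERC CIP-007 R5 partially addresses but exempts asset classes lacking user-account features; AWWA guidance non-binding for water |
 | Firmware-image integrity at L1 | CWE-1037 + CWE-345 family (insufficient verification of data authenticity) | CWE | Unsigned firmware accepted by relay, RTU, smart inverter; vendor build-pipeline compromise propagating to substation fleet | NERC CIP-010 baseline-change management does not require firmware-image signature verification at install time; signed-firmware support varies by vendor and product line |
 | Authentication weakness in energy protocols | CWE-287 + CWE-306 | CWE | IEC 60870-5-104 and IEC 61850 MMS deployed without IEC 62351 authentication retrofit; DNP3 deployed without DNP3-SA; Modbus/TCP without any authentication layer | IEC 62443-3-3 SR 1.1/1.2 unenforceable at protocol layer for installed brownfield; retrofit cost and operational risk routinely defer indefinitely |
-| AI-pipeline poisoning in dispatch / forecasting | (closest ATLAS mapping addressed in `ai-attack-surface`) | ATLAS v5.6.0 | ML-poisoning of load forecast inputs, renewables forecast inputs, congestion model training data, or unit-commitment optimization features | No ATT&CK for ICS technique for AI-mediated market or dispatch manipulation; NERC CIP-007 R4 silent on AI event sources; NIST 800-82r3 silent. Cross-reference `ai-attack-surface`, `rag-pipeline-security`. |
+| AI-pipeline poisoning in dispatch / forecasting | (closest ATLAS mapping addressed in `ai-attack-surface`) | ATLAS v2026.05 | ML-poisoning of load forecast inputs, renewables forecast inputs, congestion model training data, or unit-commitment optimization features | No ATT&CK for ICS technique for AI-mediated market or dispatch manipulation; NERC CIP-007 R4 silent on AI event sources; NIST 800-82r3 silent. Cross-reference `ai-attack-surface`, `rag-pipeline-security`. |
 
 **Note on ATT&CK for ICS ID format.** ATT&CK for ICS uses `T0xxx` IDs (T0855, T0883, T0867). The linter regex `^T\d{4}(\.\d{3})?$` accepts this shape. ATT&CK Enterprise IDs (T1190, T1078, T1068) are cited alongside for IT/OT pivot.
 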
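--- a/package/skills/sector-federal-government/skill.md
+++ b/package/skills/sector-federal-government/skill.md
@@ -60,7 +60,7 @@ forward_watch:
 - UK GovAssure replacing the legacy IT Health Check (ITHC) scheme — phased rollout for departments and ALBs through 2026
 - EU Cybersecurity Certification Scheme on Common Criteria (EUCC) operational — first certificates issued 2024; high-assurance level for government use cases ramping
 - Australia PSPF 2024 revision and ISM quarterly updates — track for Essential Eight Maturity Level requirements for federal entities
-last_threat_review: "2026-05-11"
+last_threat_review: "2026-06-10"
 discovery_mode: "standalone" # operator-reached via `exceptd brief sector-federal-government` or `exceptd ask`; not chained into any playbook's direct.skill_chain by design
 ---
 
@@ -299,7 +299,7 @@ Forward-watch: CMMC Level 3 (NIST 800-172 enhanced practices) addresses APT-rele
 - **`supply-chain-integrity`** — SSDF practice evidence, SLSA L3 attestation, in-toto chain, Sigstore / cosign keyless signing, SBOM (CycloneDX 1.6 / SPDX 3.0), VEX via CSAF 2.0 for federal procurement.
 - **`attack-surface-pentest`** — Federal red-team and High-Value Asset assessment scoping; CISA penetration testing program alignment; allied-government red-team baselines.
 - **`identity-assurance`** — NIST 800-63 IAL / AAL / FAL; PIV / CAC issuance; FIDO2 / WebAuthn for federal external users; M-22-09 identity pillar evidence.
-- **`ai-attack-surface`** — Federal AI use cases under OMB M-24-04; NIST AI RMF Generative AI Profile (NIST AI 600-1); MITRE ATLAS v5.6.0 TTP coverage for federal AI threat modeling.
+- **`ai-attack-surface`** — Federal AI use cases under OMB M-24-04; NIST AI RMF Generative AI Profile (NIST AI 600-1); MITRE ATLAS v2026.05 TTP coverage for federal AI threat modeling.
 - **`ai-c2-detection`** — Detection of agentic-AI command-and-control inside federal networks.
 - **`compliance-theater`** — Distinguishing FedRAMP / CMMC paper compliance from operational federal security; ConMon substance audit; SPRS-score-vs-evidence reconciliation.
 - **`framework-gap-analysis`** — Per-control gap analysis when an explicit framework-vs-threat reconciliation is requested by an auditor or AO.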
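--- a/package/skills/sector-financial/skill.md
+++ b/package/skills/sector-financial/skill.md
@@ -70,7 +70,7 @@ forward_watch:
 - BCB Resolução BCB 85 (cyber policy for FIs) and Brazil PIX fraud-typology updates
 - OSFI B-13 (Technology and Cyber Risk Management) post-2024 examination findings
 - TIBER-EU framework v2.0 alignment with DORA TLPT RTS (JC 2024/40); cross-recognition with CBEST and iCAST
-last_threat_review: "2026-05-15"
+last_threat_review: "2026-06-10"
 ---
 
 # Sector — Financial Services Cybersecurity (mid-2026)
@@ -152,14 +152,14 @@ In all three, the SCA evidence chain (the customer's authenticated session, the
 | Internet-banking / treasury portal exploit | T1190 — Exploit Public-Facing Application | ATT&CK Enterprise | Ivanti VPN, MOVEit-class file-transfer, web-portal SSRF, JWT validation flaws (RFC 8725 best-current-practice violations) | DORA Art. 6-15 ICT risk-management requirements general; CWE-862 (Missing Authorization) and CWE-352 (CSRF) common findings; SWIFT CSCF v2026 covers SWIFT zone, not customer-facing portals |
 | Ransomware against banking infrastructure | T1486 — Data Encrypted for Impact | ATT&CK Enterprise | LockBit-class, BlackBasta, ALPHV/BlackCat residuals 2024-2026; double-extortion + regulatory-threat-of-disclosure | NYDFS 500.17 ransom-payment notification (72h) + DORA major-incident reporting (Art. 19, 24h initial) + APRA CPS 234 para 26 (72h) — notification cadences harmonising slowly; ransom-payment legality fragmented (NYDFS reporting only, OFAC sanctions-screening, EU sanctions overlay) |
 | Data exfiltration including LLM-channel | T1567 — Exfiltration Over Web Service | ATT&CK Enterprise | LLM API egress (OpenAI, Anthropic, Google) as covert channel; AI-coding-assistant context leaks; KYC-document upload to consumer-grade AI | DLP controls in `data/dlp-controls.json` apply; SWIFT CSCF v2026 1.1 segregation assumption violated when AI-API egress crosses administrative jump zone |
-| AI-as-covert-C2 in trading / treasury systems | AML.T0096 — Use AI for C2 Communications | ATLAS v5.6.0 | Steganographic encoding in trading-assistant prompts; LLM response decodes operator instructions; multi-agent covert relay in market-making bots | No ATT&CK Enterprise mapping; ATLAS v5.6.0 names the technique but no financial-sector-specific detection. SOC tooling rarely monitors trading-system AI tool-use. |
-| Fraud-detection model extraction | AML.T0017 — Discover ML Model Ontology | ATLAS v5.6.0 | Adversarial probing of card-not-present fraud models; chargeback-pattern fingerprinting; transaction-monitoring threshold discovery via test transactions | Fraud-model lifecycle governance under MAS TRM / OSFI B-13 / NYDFS 500.13 (asset management) — model-extraction probes are not classified as a cyber event in most institutions |
+| AI-as-covert-C2 in trading / treasury systems | AML.T0096 — Use AI for C2 Communications | ATLAS v2026.05 | Steganographic encoding in trading-assistant prompts; LLM response decodes operator instructions; multi-agent covert relay in market-making bots | No ATT&CK Enterprise mapping; ATLAS v2026.05 names the technique but no financial-sector-specific detection. SOC tooling rarely monitors trading-system AI tool-use. |
+| Fraud-detection model extraction | AML.T0017 — Discover ML Model Ontology | ATLAS v2026.05 | Adversarial probing of card-not-present fraud models; chargeback-pattern fingerprinting; transaction-monitoring threshold discovery via test transactions | Fraud-model lifecycle governance under MAS TRM / OSFI B-13 / NYDFS 500.13 (asset management) — model-extraction probes are not classified as a cyber event in most institutions |
 | Hard-coded credentials in financial mobile / API clients | CWE-798 | CWE | Mobile-banking apps shipping API keys; partner-integration API tokens checked into Git; treasury-management-system local config | PSD2 RTS-SCA covers customer SCA, silent on partner-API credential hygiene; SWIFT CSCF 5.1/5.2 covers credential management for SWIFT users only |
 | Agent-initiated payment via prompt injection | (No native TTP — closest: T1078 + AML.T0051) | ATT&CK + ATLAS | LLM agent with payment-initiation tool-use receives injected instruction via email / document / web content; transaction executes under customer's authenticated session | RTS-SCA evidence chain is fully compliant; injected intent invisible. Captured in `data/framework-control-gaps.json#PSD2-RTS-SCA`. |
 | AI-generated SWIFT MT/MX message draft poisoning | (No native TTP — closest: T1565 + AML.T0051) | ATT&CK + ATLAS | LLM-assisted operator drafting tool produces subtly-wrong beneficiary BIC or amount; reviewer fatigue lets it pass 4-eyes principle | Captured in `data/framework-control-gaps.json#SWIFT-CSCF-v2026-1.1`. |
 | Deepfake-mediated SCA bypass / KYC bypass | T1556 — Modify Authentication Process (closest) | ATT&CK Enterprise | Voice-clone defeating remote-KYC liveness; deepfake-video defeating high-value-transaction step-up | RTS-SCA "inherence" factor (biometric) implementation-dependent; liveness-detection vendor-fragmented. CWE-287 underlying weakness. |
 
-**Note on TTP coverage.** ATT&CK Enterprise does not yet have a financial-sector matrix (unlike ATT&CK for ICS). ATLAS v5.6.0 covers AI-specific techniques. The gap between (a) the customer's authenticated session and (b) the AI agent's injected intent within that session is not currently named in either matrix — this is a tracked gap in `forward_watch`.
+**Note on TTP coverage.** ATT&CK Enterprise does not yet have a financial-sector matrix (unlike ATT&CK for ICS). ATLAS v2026.05 covers AI-specific techniques. The gap between (a) the customer's authenticated session and (b) the AI agent's injected intent within that session is not currently named in either matrix — this is a tracked gap in `forward_watch`.
 
 ---
 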
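--- a/package/skills/sector-healthcare/skill.md
+++ b/package/skills/sector-healthcare/skill.md
@@ -47,7 +47,7 @@ d3fend_refs:
 - D3-IOPR
 - D3-CSPP
 - D3-MFA
-last_threat_review: "2026-05-11"
+last_threat_review: "2026-06-10"
 ---
 
 # Healthcare Sector Cybersecurity (mid-2026)
@@ -111,8 +111,8 @@ Healthcare has been the most targeted sector for ransomware for three consecutiv
 | Clinician credential phishing for EHR / VPN / Citrix access | T1078 — Valid Accounts | ATT&CK Enterprise | Targeted phishing of physicians and nurses using lookalike Epic / Cerner / Workday portals; MFA-fatigue against Duo/Microsoft Authenticator; SIM-swap on on-call physician phones | HIPAA §164.312(d) person/entity authentication does not specify AAL; many CEs accept SMS-OTP MFA — fails NIST 800-63B AAL2 phishing-resistance bar. Hand off to identity-assurance. |
 | Bulk EHR / FHIR / data-warehouse exfiltration | T1530 — Data from Cloud Storage Object | ATT&CK Enterprise | FHIR `$export` Bulk Data over-broad scopes; cloud data warehouse (Snowflake / BigQuery / Redshift) credential theft from clinician laptop; AWS S3 misconfiguration on de-identification staging buckets | HIPAA §164.312(c) integrity controls do not address bulk-API exfil semantics; HITRUST CSF 09.l information-transfer-policies treats bulk data flow at a policy layer. CWE-200 (Information Exposure), CWE-862 (Missing Authorization). |
 | PHI exfiltration via clinician prompt to consumer LLM | T1567 — Exfiltration Over Web Service | ATT&CK Enterprise | Clinician pastes patient note into ChatGPT / Claude / Gemini for differential diagnosis or letter drafting; ambient-doc tool retains and forwards transcript to vendor cloud outside BAA | No HIPAA control specifically names this channel; HHS-OCR Bulletin reasoning applies. Hand off to dlp-gap-analysis. CWE-200 (Information Exposure). |
-| Prompt injection of clinical decision-support copilot | AML.T0051 — LLM Prompt Injection (with .000/.001/.002 sub-techniques) | ATLAS v5.6.0 | Indirect prompt injection via referenced lab report PDF, OCR'd intake form, or patient-portal message that exploits an EHR-integrated copilot; instruction to suppress allergy alert, reorder medications, or fabricate trend in vital signs | EU AI Act Art 15 cybersecurity obligation applies but lacks concrete healthcare-AI threshold; HIPAA silent on prompt-injection-as-disclosure-vector. CWE-1426 (Improper Validation of Generative AI Output). |
-| Model extraction / membership inference against clinical AI | AML.T0017 — Discover ML Model Ontology (inference-API probing for system-prompt, guardrail, training-data signal); AML.T0016 — Obtain Capabilities: Develop Capabilities (adversarial-ML weaponization) | ATLAS v5.6.0 | Adversarial probing of a clinical-decision-support API to determine whether specific patient records were in training set; reconstruction of de-identified training examples from inference behaviour | EU AI Act Art 10 data-governance applies to training-data quality; does not codify membership-inference defence. CWE-1426 covers output-validation gap. |
+| Prompt injection of clinical decision-support copilot | AML.T0051 — LLM Prompt Injection (with .000/.001/.002 sub-techniques) | ATLAS v2026.05 | Indirect prompt injection via referenced lab report PDF, OCR'd intake form, or patient-portal message that exploits an EHR-integrated copilot; instruction to suppress allergy alert, reorder medications, or fabricate trend in vital signs | EU AI Act Art 15 cybersecurity obligation applies but lacks concrete healthcare-AI threshold; HIPAA silent on prompt-injection-as-disclosure-vector. CWE-1426 (Improper Validation of Generative AI Output). |
+| Model extraction / membership inference against clinical AI | AML.T0017 — Discover ML Model Ontology (inference-API probing for system-prompt, guardrail, training-data signal); AML.T0016 — Obtain Capabilities: Develop Capabilities (adversarial-ML weaponization) | ATLAS v2026.05 | Adversarial probing of a clinical-decision-support API to determine whether specific patient records were in training set; reconstruction of de-identified training examples from inference behaviour | EU AI Act Art 10 data-governance applies to training-data quality; does not codify membership-inference defence. CWE-1426 covers output-validation gap. |
 | Medical-device firmware tamper / exploit | T1190 (IT-side initial access to device-network) chained with vendor-specific device CVEs | ATT&CK Enterprise + ICS where applicable | Insulin pumps, cardiac monitors, infusion pumps (BD Alaris), sequencers (Illumina firmware), patient-monitoring (BD, Philips, GE Healthcare), bedside imaging | FDA 524B PMA/510(k) cyber obligations only apply to devices submitted after March 2023; brownfield fleet pre-dates it. EU MDR Annex I 17.2 silent on AI-augmented devices. Hand off to ot-ics-security for device-network treatment, and coordinated-vuln-disclosure for vendor reporting. |
 | FHIR / SMART on FHIR session token theft | T1078 chained with T1530 | ATT&CK Enterprise | Stolen JWT / OAuth2 bearer for SMART-on-FHIR launch; over-broad scopes (`*/*.read`, `patient/*.read`); refresh-token theft persists access; CWE-287 (improper authentication) and CWE-862 (missing authorization) | RFC-7519 JWT validation must enforce `iss`, `aud`, `exp`, signature algorithm, key rotation; RFC-9421 HTTP message signatures for FHIR API integrity in flight; HL7 FHIR R5 does not mandate either. |
 | EHR over-privileged break-glass / shared-account access | T1078.002 — Valid Accounts: Domain Accounts | ATT&CK Enterprise | Shared "Nurse" account on med-cart Windows; break-glass clinician account auditing gap; service account for EHR-integrated copilot with patient/* scope rather than encounter-bound | HIPAA §164.312(a)(2)(i) unique user identification is met technically by user-account-per-clinician but break-glass and AI-service-principals are commonly outside that boundary. NIST 800-53 AC-2 account management does not codify AI-service-principal scoping. |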
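--- a/package/skills/security-maturity-tiers/skill.md
+++ b/package/skills/security-maturity-tiers/skill.md
@@ -452,7 +452,7 @@ The divergences above are surfaced against US, EU, UK, AU and ISO 27001:2022 —
 
 ## TTP Mapping
 
-Per-tier TTP coverage is cumulative: Practical includes MVP's coverage plus additions; Overkill includes both plus additions. Source-of-truth: `data/atlas-ttps.json` (MITRE ATLAS v5.6.0) and ATT&CK references in `data/cve-catalog.json`.
+Per-tier TTP coverage is cumulative: Practical includes MVP's coverage plus additions; Overkill includes both plus additions. Source-of-truth: `data/atlas-ttps.json` (MITRE ATLAS v2026.05) and ATT&CK references in `data/cve-catalog.json`.
 
 | Tier | Must cover | TTP | Source | Tier-specific control element |
 |---|---|---|---|---|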
@@ -33,7 +33,7 @@ forward_watch:
33
33
  - AI/MCP platform CVEs (GitHub Security Advisories, OSV database)
34
34
  - Framework publication updates (NIST SP updates, ISO amendments, NIS2 implementing acts)
35
35
  - IETF RFC publications and draft status changes (datatracker.ietf.org, rfc-editor.org); run `npm run validate-rfcs` quarterly
36
- last_threat_review: "2026-05-22"
36
+ last_threat_review: "2026-06-10"
37
37
  discovery_mode: "standalone" # operator-reached via `exceptd brief skill-update-loop` or `exceptd ask`; not chained into any playbook's direct.skill_chain by design
38
38
  ---
39
39
 
@@ -55,7 +55,7 @@ The threat context this skill defends against is not a specific adversary techni
55
55
 
56
56
  Real-world manifestations in mid-2026:
57
57
 
58
- - ATLAS v5.6.0 (May 2026) added TTPs that bind to operational reality (AML.T0096 AI-API C2, AML.T0048 erode-integrity-via-drift). A skill pinned to ATLAS v4 cannot route these. **AML.T0010** family was expanded to cover MCP supply-chain compromise mid-cycle.
58
+ - ATLAS v2026.05 (May 2026) added TTPs that bind to operational reality (AML.T0096 AI-API C2, AML.T0048 erode-integrity-via-drift). A skill pinned to ATLAS v4 cannot route these. **AML.T0010** family was expanded to cover MCP supply-chain compromise mid-cycle.
59
59
  - CVE-2026-31431 (Copy Fail) joined CISA KEV on 2026-05-01 with a 2026-05-15 federal due date. Any skill whose `last_threat_review` predates that listing and whose body recommends "patch on 30-day SLA" is recommending against a threat model that KEV escalated to days, not weeks.
60
60
  - NIST SP 800-63B updated PBKDF2 iteration guidance to ≥ 600,000 in 2022; many compliance attestations still cite the 2017 numbers. A skill that does not track that lag perpetuates the theater.
61
61
  - IETF RFC 9116 (security.txt) and the CSAF 2.0 transition both have hard cutover signals that change how `coordinated-vuln-disclosure` should advise.
@@ -283,7 +283,7 @@ When drift is detected:
283
283
 
284
284
  **Monitor:** Microsoft STRIDE updates (microsoft.com/en-us/securityengineering/sdl/threatmodeling), Linddun-go updates (linddun.org), Pol's Unified Kill Chain repository (https://www.unifiedkillchain.com/), MITRE D3FEND ontology releases (d3fend.mitre.org).
285
285
 
286
- Threat modeling methodologies evolve. STRIDE has periodic Microsoft revisions; LINDDUN's privacy-extension catalog grows as new privacy-violating AI patterns are documented; the Unified Kill Chain is versioned by Pol et al. and absorbs new phase definitions as adversary behavior shifts; MITRE D3FEND adds defensive-technique IDs and reorganizes its ontology on a published release cadence. A skill that names a methodology without tracking its version is the same drift class as a skill that names ATLAS without pinning v5.6.0.
286
+ Threat modeling methodologies evolve. STRIDE has periodic Microsoft revisions; LINDDUN's privacy-extension catalog grows as new privacy-violating AI patterns are documented; the Unified Kill Chain is versioned by Pol et al. and absorbs new phase definitions as adversary behavior shifts; MITRE D3FEND adds defensive-technique IDs and reorganizes its ontology on a published release cadence. A skill that names a methodology without tracking its version is the same drift class as a skill that names ATLAS without pinning v2026.05.
287
287
 
288
288
  When a new methodology version drops:
289
289
  1. Update `threat-modeling-methodology` skill body — refresh the methodology-version table, the DFD templates, and the attack-tree templates in its Output Format section to match the new release.
@@ -482,10 +482,10 @@ This skill does not have a single exploited target — its "exploit surface" is
482
482
  | Source | What It Provides | Cadence | Pinned Version / Anchor | Tracked In |
483
483
  |---|---|---|---|---|
484
484
  | CISA KEV catalog | Confirmed in-the-wild exploitation flag per CVE | Real-time (RSS / JSON API) | cisa.gov/known-exploited-vulnerabilities-catalog | `data/exploit-availability.json` (`cisa_kev`, `cisa_kev_date`) |
485
- | MITRE ATLAS changelog | TTP additions, renames, removals for AI/ML threat domain | Quarterly check; immediate on minor-version release | ATLAS v5.6.0 (May 2026) — pinned in AGENTS.md and `data/atlas-ttps.json._meta.atlas_version` | `_meta.atlas_version` |
485
+ | MITRE ATLAS changelog | TTP additions, renames, removals for AI/ML threat domain | Quarterly check; immediate on minor-version release | ATLAS v2026.05 (May 2026) — pinned in AGENTS.md and `data/atlas-ttps.json._meta.atlas_version` | `_meta.atlas_version` |
486
486
  | NVD CVE 2.0 API | Authoritative CVE metadata, CVSS vectors, references | Real-time on new CVE in covered domain | services.nvd.nist.gov/rest/json/cves/2.0 | `data/cve-catalog.json` |
487
487
  | NIST FIPS publication tracker | PQC and crypto-standard finalizations | Per-publication (event-driven) | csrc.nist.gov/publications | pqc-first `forward_watch` + manifest `last_threat_review` |
488
- | MITRE ATT&CK Enterprise | Non-AI TTP additions/renames | Per ATT&CK version release | attack.mitre.org (current pinned: v19.0, 2026-04-28) | Skill `attack_refs` fields |
488
+ | MITRE ATT&CK Enterprise | Non-AI TTP additions/renames | Per ATT&CK version release | attack.mitre.org (current pinned: v19.1, 2026-05-12) | Skill `attack_refs` fields |
489
489
  | GitHub Security Advisories / OSV | CVEs for AI assistants, MCP clients/servers, supply-chain JS/Python packages | Real-time on covered repos | osv.dev, github.com/advisories | `data/cve-catalog.json` |
490
490
  | Framework publisher feeds | NIST SP revisions, ISO amendments, NIS2 implementing acts, EU Official Journal, ENISA, NCSC, ASD | RSS / changelog per publisher | csrc.nist.gov, iso.org, eur-lex.europa.eu | `data/framework-control-gaps.json`, `data/global-frameworks.json` |
491
491
  | Kernel CNA / distro advisories | Kernel LPE, container-escape, page-cache CVEs | Per advisory | kernel.org, RHEL/Ubuntu/Debian security advisories | `data/cve-catalog.json`, kernel-lpe-triage |
@@ -518,4 +518,4 @@ The drift attack against skill currency is structural, not technical — there i
518
518
  | **D3-IOPR** (Input/Output Profiling Resource) | Lint-skills body / frontmatter parsing is the profiling step: every skill body is parsed against the canonical section template (Threat Context, TTP Mapping, Framework Lag Declaration, Exploit Availability Matrix, Analysis Procedure, Output Format, Compliance Theater Check, DCM). A drifted skill that drops a required section is caught at lint time. | Layer 2 (Harden — schema). | Per-skill — schema is per-skill body. | Default-deny missing sections; the v0.13.0 lint upgrade makes DCM a hard-fail. |
519
519
  | **D3-PA** (Process Analysis) | The watchlist / dispatch / scan log every load and signature-check event so a forensic reader can reconstruct which skill version produced which finding. Without a per-invocation evidence stream, a stale skill body whose timestamp says "current" cannot be detected after the fact. | Layer 5 (Detect — runtime). | Per-invocation — every CLI invocation emits a structured log entry. | Treat every invocation as untrusted until the signature chain is verified at load time; persist the verification result alongside the finding. |
520
520
 
521
- **Defense-in-depth posture:** signature integrity (D3-CA) and snapshot-pinning (D3-EHB) are the hard gates that prevent a tampered skill body from shipping; lint-schema (D3-IOPR) and currency timestamps (D3-FAPA) are the audit gates that catch silent drift inside an intentional release; D3-PA is the per-invocation evidence stream that lets the operator answer "which version of the skill produced this finding" post-hoc. Because the ATLAS / ATT&CK version is pinned, every layer's evidence is keyed off the pinned version — a manifest snapshot taken against ATLAS v5.6.0 is not interchangeable with one taken against a later release.
521
+ **Defense-in-depth posture:** signature integrity (D3-CA) and snapshot-pinning (D3-EHB) are the hard gates that prevent a tampered skill body from shipping; lint-schema (D3-IOPR) and currency timestamps (D3-FAPA) are the audit gates that catch silent drift inside an intentional release; D3-PA is the per-invocation evidence stream that lets the operator answer "which version of the skill produced this finding" post-hoc. Because the ATLAS / ATT&CK version is pinned, every layer's evidence is keyed off the pinned version — a manifest snapshot taken against ATLAS v2026.05 is not interchangeable with one taken against a later release.
@@ -67,7 +67,7 @@ d3fend_refs:
67
67
  - D3-CBAN
68
68
  - D3-EAL
69
69
  - D3-EHB
70
- last_threat_review: "2026-05-15"
70
+ last_threat_review: "2026-06-10"
71
71
  ---
72
72
 
73
73
  # Supply-Chain Integrity Assessment
@@ -142,7 +142,7 @@ The catalog's expansion means a supply-chain assessment that names only NIST 800
142
142
 
143
143
  | ATLAS / ATT&CK ID | Technique | Supply-Chain Relevance | Gap |
144
144
  |---|---|---|---|
145
- | AML.T0010 | ML Supply Chain Compromise | Direct: malicious model, malicious MCP server, malicious ML library — the umbrella attack class for AI artifact compromise | ATLAS v5.6.0 classifies the attack; no framework mandates the cryptographic control that would detect it at load |
145
+ | AML.T0010 | ML Supply Chain Compromise | Direct: malicious model, malicious MCP server, malicious ML library — the umbrella attack class for AI artifact compromise | ATLAS v2026.05 classifies the attack; no framework mandates the cryptographic control that would detect it at load |
146
146
  | AML.T0018 | Backdoor ML Model | Specific: a model weight file with an embedded backdoor (trojaned weights, data poisoning persisted into weights, or executable payload in a code-executing serialization format) is loaded at inference | No framework requires model-weight signature verification; CWE-502 deserialization risk is not mapped to a compliance control |
147
147
  | T1195.001 | Supply Chain Compromise: Compromise Software Dependencies and Development Tools | The XZ Utils class, the typosquat class, the dependency-confusion class — directly addressable by SLSA L3 provenance + in-toto attestation chain | Standard SCA tooling detects known-vulnerable dependencies but does not detect novel compromise of an authentic-looking dependency. SLSA L3 + reproducible builds closes this; not required by any framework |
148
148
  | T1195.002 | Supply Chain Compromise: Compromise Software Supply Chain | Build pipeline compromise (CI runner, build-time toolchain, signing-key compromise). Defense: hardened builder per SLSA L3, key custody in HSM or cloud KMS, ephemeral CI tokens | NIST 800-218 PS practices are process-level. No framework prescribes hardened-builder requirements. |
@@ -22,7 +22,7 @@ forward_watch:
22
22
  - New CISA KEV entries in kernel/AI/supply chain categories
23
23
  - New MCP or agent protocol security disclosures
24
24
  - Emerging malware families using AI for evasion
25
- last_threat_review: "2026-05-18"
25
+ last_threat_review: "2026-06-10"
26
26
  discovery_mode: "standalone" # operator-reached via `exceptd brief threat-model-currency` or `exceptd ask`; not chained into any playbook's direct.skill_chain by design
27
27
  ---
28
28
 
@@ -199,14 +199,14 @@ This skill produces a currency score and a specific update roadmap. Currency is
199
199
 
200
200
  ---
201
201
 
202
- ### Class 13: MITRE ATLAS v5.6.0 Coverage
202
+ ### Class 13: MITRE ATLAS v2026.05 Coverage
203
203
 
204
- **2026 reality:** MITRE ATLAS (May 2026, v5.6.0) is the primary AI threat framework. Most SOC detection engineering programs are built on ATT&CK, not ATLAS. AI-specific TTPs have zero detection coverage in ATT&CK-only programs.
204
+ **2026 reality:** MITRE ATLAS (May 2026, v2026.05) is the primary AI threat framework. Most SOC detection engineering programs are built on ATT&CK, not ATLAS. AI-specific TTPs have zero detection coverage in ATT&CK-only programs.
205
205
 
206
206
  **Currency check questions:**
207
- - Is MITRE ATLAS v5.6.0 incorporated into the threat model?
207
+ - Is MITRE ATLAS v2026.05 incorporated into the threat model?
208
208
  - Are ATLAS TTPs mapped to detection controls?
209
- - What is the current ATLAS version in use? (Current: 5.6.0, May 2026)
209
+ - What is the current ATLAS version in use? (Current: 2026.05, May 2026)
210
210
 
211
211
  **If unchecked:** AI-specific threat techniques are not covered by the detection architecture. The SOC has no alerts for ATLAS TTPs.
212
212
 
@@ -263,7 +263,7 @@ The recurring failure across all of the above: every framework treats threat mod
263
263
 
264
264
  ## TTP Mapping
265
265
 
266
- The 14-class checklist above *is* the TTP map. Each class is a coverage requirement against the canonical sources of truth: `data/atlas-ttps.json` (MITRE ATLAS v5.6.0) and the ATT&CK techniques referenced in `data/cve-catalog.json`. A current threat model must address — explicitly or by reasoned exclusion — every TTP below.
266
+ The 14-class checklist above *is* the TTP map. Each class is a coverage requirement against the canonical sources of truth: `data/atlas-ttps.json` (MITRE ATLAS v2026.05) and the ATT&CK techniques referenced in `data/cve-catalog.json`. A current threat model must address — explicitly or by reasoned exclusion — every TTP below.
267
267
 
268
268
  | Class | Primary TTP | Catalog source | Gap if absent |
269
269
  |---|---|---|---|
@@ -400,14 +400,14 @@ The skill produces a structured Threat Model Currency Assessment that scores the
400
400
  | 10 | Model Poisoning | 0/1/2 | |
401
401
  | 11 | AI-Speed Reconnaissance | 0/1/2 | |
402
402
  | 12 | AI-Generated Credential Phishing | 0/1/2 | |
403
- | 13 | MITRE ATLAS v5.6.0 Coverage | 0/1/2 | |
403
+ | 13 | MITRE ATLAS v2026.05 Coverage | 0/1/2 | |
404
404
  | 14 | Post-Quantum Adversary Timeline | 0/1/2 | |
405
405
 
406
406
  ### Priority Update Roadmap
407
407
  [Ordered by current exposure risk: specific additions for each gap]
408
408
 
409
409
  ### ATLAS Version Check
410
- Current reference: MITRE ATLAS v5.6.0 (May 2026)
410
+ Current reference: MITRE ATLAS v2026.05 (May 2026)
411
411
  Threat model references: [version cited in document]
412
412
  Gap: [if different]
413
413
  ```
@@ -43,7 +43,7 @@ forward_watch:
43
43
  - Unified Kill Chain successor revision (Pols, post-v3.0)
44
44
  - LINDDUN-GO and LINDDUN-PRO updates incorporating LLM privacy threats
45
45
  - PASTA v2 updates incorporating AI/ML application threats
46
- last_threat_review: "2026-05-11"
46
+ last_threat_review: "2026-06-10"
47
47
  discovery_mode: "standalone" # operator-reached via `exceptd brief threat-modeling-methodology` or `exceptd ask`; not chained into any playbook's direct.skill_chain by design
48
48
  ---
49
49
 
@@ -132,7 +132,7 @@ Threat-modelling methodologies are *consumers* of the TTP catalog, not contribut
132
132
  | Cyber Kill Chain | Linear 7-stage intrusion timeline | Per stage: ATT&CK TTPs | Cloud-native / serverless / AI-pipeline scenarios fit the timeline poorly; lateral movement assumptions break in ephemeral compute. |
133
133
  | Diamond Model | Adversary–capability–infrastructure–victim diamond | Per intrusion event: TTPs become adversary capabilities; pivot to other diamonds | Built for IR / SOC, not for design-phase threat modelling — pair with STRIDE/PASTA during design and Diamond during operate phase. |
134
134
  | MITRE Unified Kill Chain (v3.0, 2024) | 18 phases spanning initial access through objectives | Per phase: ATLAS and ATT&CK TTPs assigned to phases that cover both classical and AI-augmented attacks | Most comprehensive single methodology, but weak on privacy threats — pair with LINDDUN. |
135
- | AI-system threat modeling (composite) | Augmented DFD with AI actors and AI trust boundaries | Full ATLAS v5.6.0 catalogue (every `AML.T*` key in `data/atlas-ttps.json`) | Methodology not yet standardised — this skill operationalises it. |
135
+ | AI-system threat modeling (composite) | Augmented DFD with AI actors and AI trust boundaries | Full ATLAS v2026.05 catalogue (every `AML.T*` key in `data/atlas-ttps.json`) | Methodology not yet standardised — this skill operationalises it. |
136
136
  | Agent-based threat modeling | Actor graph with autonomous agents, MCP plugins, tool-call boundaries | CVE-2026-30615 (MCP RCE), CVE-2025-53773 (prompt-injection RCE), AML.T0051, AML.T0096 | Methodology not yet standardised — this skill operationalises it. |
137
137
 
138
138
  The truth set for any composite model is: every `AML.T*` key in `data/atlas-ttps.json`, plus every `attack_refs` entry across every CVE in `data/cve-catalog.json`, plus the CWE root-cause classes in `data/cwe-catalog.json`. A model that does not address each, or document a reasoned exclusion for each, is non-current by construction (and should be re-run through `threat-model-currency`).
@@ -65,7 +65,7 @@ d3fend_refs:
65
65
  - D3-MFA
66
66
  forward_watch:
67
67
  - NGINX Rift CVE-2026-42945 (disclosed 2026-05-13, source depthfirst) — KEV-watch predicted CISA KEV listing by 2026-05-29; AI-assisted discovery angle; track for active-exploitation confirmation and patch advisory affecting front-door web app deployments
68
- last_threat_review: "2026-05-11"
68
+ last_threat_review: "2026-06-10"
69
69
  discovery_mode: "standalone" # operator-reached via `exceptd brief webapp-security` or `exceptd ask`; not chained into any playbook's direct.skill_chain by design
70
70
  ---
71
71
 
@@ -105,7 +105,7 @@ Webapps still ship CWE-79 (Cross-Site Scripting), CWE-89 (SQL Injection), and CW
105
105
 
106
106
  ---
107
107
 
108
- ## TTP Mapping (MITRE ATT&CK Enterprise + ATLAS v5.6.0)
108
+ ## TTP Mapping (MITRE ATT&CK Enterprise + ATLAS v2026.05)
109
109
 
110
110
  | TTP ID | Technique | Webapp Manifestation | CWE Root-Causes | Framework Coverage |
111
111
  |---|---|---|---|---|
@@ -23,7 +23,7 @@ forward_watch:
23
23
  - New ATLAS TTP additions in each ATLAS release
24
24
  - Framework updates that close previously open gaps
25
25
  - Vendor advisories for MCP/AI tool supply chain CVEs
26
- last_threat_review: "2026-05-18"
26
+ last_threat_review: "2026-06-10"
27
27
  discovery_mode: "standalone" # operator-reached via `exceptd brief zeroday-gap-learn` or `exceptd ask`; not chained into any playbook's direct.skill_chain by design
28
28
  ---
29
29
 
@@ -79,7 +79,7 @@ This skill is meta — it does not pin to a single TTP class. The learning loop
79
79
  | Input Catalog | Role in the Learning Loop |
80
80
  |---|---|
81
81
  | `data/cve-catalog.json` | The CVE-level corpus: each entry is a candidate lesson input. New entries trigger a new loop run. |
82
- | `data/atlas-ttps.json` (MITRE ATLAS v5.6.0) | The AI/ML TTP taxonomy. Attack-vector extraction maps the CVE's mechanism to an ATLAS ID (e.g., AML.T0096 for SesameOp AI-as-C2). |
82
+ | `data/atlas-ttps.json` (MITRE ATLAS v2026.05) | The AI/ML TTP taxonomy. Attack-vector extraction maps the CVE's mechanism to an ATLAS ID (e.g., AML.T0096 for SesameOp AI-as-C2). |
83
83
  | `data/framework-control-gaps.json` | The control-gap corpus. Framework-coverage assessment writes into this file via new entries or `status` updates. |
84
84
  | `data/zeroday-lessons.json` | The output corpus. Each completed loop produces one entry here — the durable artifact of the lesson. |
85
85
 
@@ -369,7 +369,7 @@ Run through each applicable framework:
369
369
  - CIS Controls v8 (which control?)
370
370
  - ASD Essential 8 (which mitigation?)
371
371
  - ISO 27001:2022 (which control?)
372
- - MITRE ATLAS v5.6.0 (which TTP? Is it covered?)
372
+ - MITRE ATLAS v2026.05 (which TTP? Is it covered?)
373
373
 
374
374
  For each: Covered (adequate) / Covered (insufficient) / Missing entirely
375
375
 
@@ -38,6 +38,8 @@ const NVD_API = 'https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=';
38
38
  const KEV_FEED = 'https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json';
39
39
  const EPSS_API = 'https://api.first.org/data/v1/epss?cve=';
40
40
  const REQUEST_TIMEOUT_MS = 10_000;
41
+
42
+ const { selectNvdCvss } = require('../../lib/cvss');
41
43
  const EPSS_DRIFT_THRESHOLD = 0.05; // |Δscore| or |Δpercentile| > 0.05 flags drift
42
44
  const USER_AGENT = 'exceptd-security/cve-validator (+https://exceptd.com)';
43
45
 
@@ -93,22 +95,19 @@ function resetKevCache() {
93
95
  }
94
96
 
95
97
  function extractNvdCvss(nvdJson) {
96
- // NVD response: vulnerabilities[0].cve.metrics.cvssMetricV31[0].cvssData
98
+ // NVD response: vulnerabilities[0].cve.metrics.cvssMetricV3x/V2[].cvssData.
99
+ // Prefer the newest CVSS version present (Primary within it) and normalize a
100
+ // bare v2 vector to its canonical prefix — NVD tags the legacy v2 metric
101
+ // "Primary" on pre-v3 CVEs over a v3.1 "Secondary", so selecting by type
102
+ // alone would report a stale v2 score as the upstream value.
97
103
  const vuln = nvdJson?.vulnerabilities?.[0]?.cve;
98
104
  if (!vuln) return null;
99
- const metrics = vuln.metrics || {};
100
- const ordered = [
101
- ...(metrics.cvssMetricV31 || []),
102
- ...(metrics.cvssMetricV30 || []),
103
- ...(metrics.cvssMetricV2 || []),
104
- ];
105
- // Prefer Primary type if present
106
- const primary = ordered.find(m => m.type === 'Primary') || ordered[0];
107
- if (!primary?.cvssData) return null;
105
+ const up = selectNvdCvss(vuln.metrics);
106
+ if (!up) return null;
108
107
  return {
109
- score: typeof primary.cvssData.baseScore === 'number' ? primary.cvssData.baseScore : null,
110
- vector: primary.cvssData.vectorString || null,
111
- source: primary.source || null,
108
+ score: up.baseScore,
109
+ vector: up.vector,
110
+ source: up.source,
112
111
  };
113
112
  }
114
113
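Review bot: The `typeof primary.cvssData.baseScore === 'number'` guard that the old body applied before returning `score` is gone, so whether a missing or non-numeric baseScore now surfaces as `score: undefined` instead of `null` depends entirely on what `selectNvdCvss` in lib/cvss.js does, which this hunk does not show. If that helper does not normalize, callers that compare the returned score against the catalog's number-or-null value would see `undefined`; either keep the guard here, `score: typeof up.baseScore === 'number' ? up.baseScore : null,`, or state the helper's contract in the header comment, e.g. `// selectNvdCvss returns { baseScore: number|null, vector: string|null, source: string|null } or null`. The same applies to `vector` and `source`, which previously fell back to `null` via `|| null`. Separately, the `require('../../lib/cvss')` added in the preceding hunk sits between the URL/timeout constants rather than with the file's other requires; moving it to the top-of-file dependency block (outside this view) would keep the module's imports in one place.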