@blamejs/exceptd-skills 0.16.25 → 0.16.29

package/AGENTS.md

@@ -44,9 +44,9 @@ Each rule below carries a **Forcing function** annotation declaring whether it i
 12. **External data version pinning** — Every reference to external data (MITRE ATLAS, MITRE ATT&CK, NIST frameworks, CISA KEV, IETF RFCs and Internet-Drafts) must pin to a specific version. When a new version is released: (a) audit for breaking changes (renamed TTPs, tactic-split moves, replaced RFCs, deprecated controls), (b) bump `last_threat_review` in all affected skills, (c) update `_meta` version fields in the relevant `data/*.json` file, (d) update `last_verified` on affected `data/rfc-references.json` entries, (e) never silently inherit version changes. Frameworks lag RFCs; RFCs lag attacker innovation — skills must track lag at every layer.
     *Forcing function:* `_meta` version fields are schema-required; reviewer-checked for cross-file version consistency.
 
-    **Pinned ATLAS version: v5.6.0 (May 2026), Secure AI v2 layer (May 2026). Audit cadence: monthly** (ATLAS now ships monthly per CTID; the Secure AI v2 layered set and per-technique maturity classification are tracked separately in `data/atlas-ttps.json` via the `secure_ai_v2_layer` and `maturity` fields).
+    **Pinned ATLAS version: v2026.05 (May 2026), Secure AI v2 layer (May 2026). Audit cadence: monthly** (ATLAS now ships monthly per CTID; the Secure AI v2 layered set and per-technique maturity classification are tracked separately in `data/atlas-ttps.json` via the `secure_ai_v2_layer` and `maturity` fields).
 
-    **Pinned ATT&CK version: v19.0 (April 2026). Audit cadence: semi-annual** (April and October releases). v19 split Defense Evasion (TA0005) into Stealth (TA0005) and Defense Impairment (TA0112) — affected entries in `data/attack-techniques.json` carry `tactic_moved_from` for traceability. v18 introduced Detection Strategies (DSxxxx) as first-class objects; record applicable strategy IDs on entries where canonical strategies exist.
+    **Pinned ATT&CK version: v19.1 (May 2026). Audit cadence: semi-annual** (April and October releases). v19 split Defense Evasion (TA0005) into Stealth (TA0005) and Defense Impairment (TA0112) — affected entries in `data/attack-techniques.json` carry `tactic_moved_from` for traceability. v18 introduced Detection Strategies (DSxxxx) as first-class objects; record applicable strategy IDs on entries where canonical strategies exist.
 
     The IETF RFC / Internet-Draft catalog lives at `data/rfc-references.json`; each entry tracks status, errata count, replaces / replaced-by, and `last_verified`.
 
@@ -206,7 +206,7 @@ Wrong: adding a new CVE to `data/cve-catalog.json` without completing all requir
 Right: every new entry requires all fields defined in the CVE catalog schema. Partial entries fail the schema validation in `lib/scoring.js`.
 
 **DR-7: Stale ATLAS / ATT&CK version**
-Current pinned ATLAS version: **v5.6.0 (May 2026)** with the **CTID Secure AI v2 layer (May 2026)**. ATLAS audit cadence is **monthly** (CTID now ships monthly). Current pinned ATT&CK version: **v19.0 (April 2026)**, semi-annual cadence (April + October). When either source updates: audit all TTP IDs for changes (including v19's Defense Evasion → Stealth / Defense Impairment split), bump `last_threat_review` in affected skills, update `_meta` version fields in `data/atlas-ttps.json` and `data/attack-techniques.json`. Never silently upgrade.
+Current pinned ATLAS version: **v2026.05 (May 2026)** with the **CTID Secure AI v2 layer (May 2026)**. ATLAS audit cadence is **monthly** (CTID now ships monthly). Current pinned ATT&CK version: **v19.1 (May 2026)**, semi-annual cadence (April + October). When either source updates: audit all TTP IDs for changes (including v19's Defense Evasion → Stealth / Defense Impairment split), bump `last_threat_review` in affected skills, update `_meta` version fields in `data/atlas-ttps.json` and `data/attack-techniques.json`. Never silently upgrade.
 
 **DR-8: Missing zero-day learning loop**
 Wrong: adding a new entry to `data/cve-catalog.json` without running the learning loop.
@@ -407,8 +407,8 @@ When in doubt, ship the playbook without a collector and open the gap as a follo
 - [ ] All new CVEs have complete `data/cve-catalog.json` entries
 - [ ] All new CVEs have `data/zeroday-lessons.json` entries
 - [ ] All skill `data_deps` resolve to existing files
-- [ ] All ATLAS refs are valid v5.6.0 IDs (current pinned version); Secure AI v2 layer flags + maturity present on AI-pipeline entries
-- [ ] All ATT&CK refs are valid v19.0 IDs (current pinned version); post-split tactics (Stealth / Defense Impairment) used where applicable
+- [ ] All ATLAS refs are valid v2026.05 IDs (current pinned version); Secure AI v2 layer flags + maturity present on AI-pipeline entries
+- [ ] All ATT&CK refs are valid v19.1 IDs (current pinned version); post-split tactics (Stealth / Defense Impairment) used where applicable
 - [ ] All framework control IDs resolve in `data/framework-control-gaps.json`
 - [ ] No skill body contains placeholder language (TODO, TBD, coming soon, placeholder)
 - [ ] No skill uses CVSS as sole risk metric

package/ARCHITECTURE.md

@@ -36,7 +36,7 @@ data_deps:
   - cve-catalog.json          # files in data/ this skill reads
   - atlas-ttps.json
 atlas_refs:
-  - AML.T0043                 # MITRE ATLAS v5.6.0 TTP IDs
+  - AML.T0043                 # MITRE ATLAS v2026.05 TTP IDs
   - AML.T0054
 attack_refs:
   - T1068                     # MITRE ATT&CK TTP IDs
@@ -124,7 +124,7 @@ Schema per entry:
   "AML.T0043": {
     "name": "Craft Adversarial Data",
     "tactic": "ML Attack Staging",
-    "atlas_version": "5.6.0",
+    "atlas_version": "2026.05",
     "description": "...",
     "framework_coverage": {
       "NIST-800-53": {"covered": false, "nearest_control": null, "gap_description": "..."},
@@ -204,7 +204,7 @@ RWEP (Real-World Exploit Priority) scoring engine.
 
 - `score(cveId)` — Return RWEP score for a CVE in the catalog
 - `scoreCustom(factors)` — Score a custom factor set (for CVEs not yet in catalog)
-- `validate()` — Schema validation: check all skill data_deps resolve, all CVE entries are complete, all ATLAS refs are valid v5.6.0 IDs
+- `validate()` — Schema validation: check all skill data_deps resolve, all CVE entries are complete, all ATLAS refs are valid v2026.05 IDs
 - `compare(cveId)` — Return CVSS vs. RWEP comparison with explanation of the delta
 
 RWEP factor weights:

package/CHANGELOG.md

@@ -1,5 +1,33 @@
 # Changelog
 
+## 0.16.29 — 2026-06-12
+
+A correctness pass across the refresh pipeline, scoring, attestation, the collectors, and offline mode.
+
+`refresh --apply` over the network no longer downgrades a curated CVSS 3.1 score and vector to NVD's legacy v2 metric on older CVEs — the offline cache path already guarded this in 0.16.27, and the live path now applies the same cross-version guard. New-RFC discovery now honors `--air-gap` (it previously queried IETF Datatracker live regardless), and an intrinsically air-gapped playbook — secrets, cred-stores, containers — refuses the `--upstream-check` npm-registry probe without the explicit flag. The `--from-cache` help no longer implies new-RFC discovery is offline; it stays live unless `--air-gap` is also passed.
+
+A CVE that a VEX statement marks fixed no longer inflates a finding's adjusted RWEP through its exploitation, KEV, and proof-of-concept multipliers, and a patched CVE's exploitation status no longer drives the notification draft. Jurisdiction coverage no longer attributes a skill to a jurisdiction from a bare two-letter ISO code that appears only in prose or inside a control identifier; coverage is driven by the regulation-name mapping. The skill-currency staleness check can now reach the warn and critical tiers it gates on — they were unreachable, so the scheduled currency workflow could never flag a skill past its review window; a genuinely abandoned skill now scores into them while a maintained one does not.
+
+`attest diff --against` now verifies the comparison attestation's Ed25519 signature, not only the local side, and refuses a tampered `--against` attestation (exit 6; `--force-replay` overrides). Both sides' verification is recorded in the output.
+
+The collectors no longer raise false findings from `#`-commented YAML — a commented `npm install`, `runs-on: self-hosted`, or `secrets.NPM_TOKEN` is no longer read as the real thing — and a commented `npm publish --provenance` no longer suppresses the missing-build-provenance finding. A documentation or redaction-pattern snippet of a service-account private key no longer registers as an embedded secret. A skill.md with CRLF line endings no longer produces a misleading frontmatter-parse error, and the `run --format` reference now lists `json`, which the runtime already accepts.
+
+The scheduled external-data refresh keeps the package description's entry counts in sync with the data it applies, so an auto-refresh that changes a count no longer fails the SBOM currency check on its pull request.
+
+## 0.16.28 — 2026-06-10
+
+Refreshes the pinned MITRE threat-framework versions. MITRE ATLAS is now pinned to v2026.05: its content moved to a YYYY.MM calendar-versioning scheme, and the release adds platform tags (Predictive AI, Generative AI, Agentic AI, Enterprise) to every technique. MITRE ATT&CK is pinned to v19.1, a point release of typo and data corrections over v19.0. Both bumps were audited against every ATLAS and ATT&CK technique ID the catalog cites: none was removed, renamed, or revoked, so all existing references remain valid.
+
+## 0.16.27 — 2026-06-08
+
+The automated external-data refresh runs to completion again, and the NVD score sync no longer regresses curated severities.
+
+Warming the upstream cache fans out hundreds (daily) to thousands (weekly) of rate-limited per-CVE and per-RFC requests, and a single transient fetch error — a timeout or a rate-limit response, counted only after its retries are exhausted — previously aborted the entire refresh before any data was applied. The cache warm now tolerates a bounded number of transient per-entry errors, but still fails when the error count signals a systemic upstream outage or when any single feed is entirely unreachable (so a dead KEV feed can no longer be silently skipped). The affected sources are named in the summary, and on the error channel under `--quiet`, so a recurring dead source is visible in the run log.
+
+The NVD synchronization no longer downgrades a curated CVSS 3.1 entry to NVD's legacy CVSS 2.0 score. NVD marks the v2 metric as the primary score on many pre-2016 CVEs even when a 3.1 re-score is present, and emits that v2 vector without its `CVSS:2.0/` prefix; the refresh selected the v2 metric and overwrote the catalog's curated 3.1 score and vector, producing an unprefixed vector the catalog validator rejects and silently regressing the score. The refresh now selects the newest CVSS version a CVE carries (4.0, then 3.1, then 3.0, then 2.0), normalizes a bare v2 vector to its canonical prefixed form, and never replaces a curated score or vector with an older CVSS version — a genuine same-version or newer re-score still flows through. The same selection applies on the live network refresh path and to auto-imported draft entries.
+
+The end-to-end scenario runner no longer passes a scenario that did not actually exercise the CLI. A run killed by the 60-second timeout, or one that failed to launch, was read only through its exit status — so it surfaced as a confusing JSON-parse failure (or, with no assertions, as a pass); the runner now reports the spawn error and the terminating signal directly. A scenario that declares neither an expected exit code nor any output assertion is now a configuration error rather than a silent pass, so an empty expectation can no longer green-light any CLI behavior, including a crash.
+
 ## 0.16.25 — 2026-06-05
 
 The `refresh` air-gap guidance now consistently names `--prefetch` as the cache-populate command. The `refresh --help` synopsis and the `--from-cache` missing-path error hint previously presented `--no-network` as a populate alias — but `--no-network` is the report-only dry run that writes nothing, so an operator following that guidance produced an empty cache and then hit a confusing "path does not exist" on the offline host. `--no-network` is now documented as the report-only mode it actually is, and the air-gap hint points at `--prefetch`.

package/CONTEXT.md

@@ -114,7 +114,7 @@ Skills and playbooks read from `data/`. Authoritative catalog inventory:
 | File | Entries | Purpose |
 |------|---------|---------|
 | `cve-catalog.json` | 439 | CVEs with CVSS, RWEP score, EPSS estimates, CISA KEV flags, PoC and live-patch availability |
-| `atlas-ttps.json` | 170 | MITRE ATLAS v5.6.0 (May 2026) techniques with framework gap flags |
+| `atlas-ttps.json` | 170 | MITRE ATLAS v2026.05 (May 2026) techniques with framework gap flags |
 | `attack-techniques.json` | 805 | MITRE ATT&CK techniques with framework coverage mappings |
 | `framework-control-gaps.json` | 194 | Framework control gap entries: designed-for vs. what each control misses |
 | `exploit-availability.json` | 28 | Per-CVE PoC locations, weaponization stage, AI-acceleration factor, live-patch status |
@@ -245,7 +245,7 @@ The `researcher` **skill** (front-door dispatcher) and `threat-researcher` **age
 |------|------------|
 | RWEP | Real-World Exploit Priority — risk score beyond CVSS |
 | KEV | CISA Known Exploited Vulnerabilities catalog |
-| ATLAS | MITRE ATLAS v5.6.0 — AI threat framework |
+| ATLAS | MITRE ATLAS v2026.05 — AI threat framework |
 | MCP | Model Context Protocol — AI tool integration standard |
 | HNDL | Harvest-Now-Decrypt-Later — quantum threat to current crypto |
 | Framework lag | Gap between what a framework requires and what current TTPs demand |

package/README.md

@@ -15,8 +15,8 @@
 [![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/blamejs/exceptd-skills/badge)](https://scorecard.dev/viewer/?uri=github.com/blamejs/exceptd-skills)
 [![License: Apache 2.0](https://img.shields.io/badge/License-Apache_2.0-blue.svg)](https://www.apache.org/licenses/LICENSE-2.0)
 [![Skills](https://img.shields.io/badge/skills-51-d946ef)](#skill-inventory)
-[![ATLAS](https://img.shields.io/badge/MITRE%20ATLAS-v5.6.0-d946ef)](https://atlas.mitre.org)
-[![ATT&CK](https://img.shields.io/badge/MITRE%20ATT%26CK-v19.0-d946ef)](https://attack.mitre.org)
+[![ATLAS](https://img.shields.io/badge/MITRE%20ATLAS-v2026.05-d946ef)](https://atlas.mitre.org)
+[![ATT&CK](https://img.shields.io/badge/MITRE%20ATT%26CK-v19.1-d946ef)](https://attack.mitre.org)
 [![Ed25519-signed](https://img.shields.io/badge/skills-Ed25519--signed-2ea043)](AGENTS.md)
 [![Jurisdictions](https://img.shields.io/badge/jurisdictions-35-blue)](data/global-frameworks.json)
 
@@ -49,7 +49,7 @@ Assess Linux kernel local privilege escalation exposure. Covers Copy Fail (CVE-2
 ### AI-Specific Attack Surface
 
 **[ai-attack-surface](skills/ai-attack-surface/skill.md)**
-Comprehensive AI/ML attack surface assessment mapped to MITRE ATLAS v5.6.0 with explicit gap flags. Covers prompt injection as enterprise RCE (CVE-2025-53773 CVSS 7.8, 85%+ bypass rate against SOTA defenses), MCP supply chain RCE (CVE-2026-30615, zero user interaction, 150M+ downloads), RAG exfiltration, model poisoning, AI-assisted exploit development (41% of 2025 zero-days), credential theft acceleration (160% increase).
+Comprehensive AI/ML attack surface assessment mapped to MITRE ATLAS v2026.05 with explicit gap flags. Covers prompt injection as enterprise RCE (CVE-2025-53773 CVSS 7.8, 85%+ bypass rate against SOTA defenses), MCP supply chain RCE (CVE-2026-30615, zero user interaction, 150M+ downloads), RAG exfiltration, model poisoning, AI-assisted exploit development (41% of 2025 zero-days), credential theft acceleration (160% increase).
 
 **[mcp-agent-trust](skills/mcp-agent-trust/skill.md)**
 Enumerate MCP (Model Context Protocol) trust boundary failures. Covers tool allowlisting gaps, unsigned server manifests, prompt injection via tool responses, supply chain compromise. CVE-2026-30615 (Windsurf, zero-interaction RCE). Generates: tool allowlist policy, server signing requirements, bearer auth config, output sanitization requirements.
@@ -228,7 +228,7 @@ exceptd run [playbook]                Phases 4-7. Auto-detects cwd context when
   --evidence-dir <dir>                Per-playbook submission files (cron-friendly).
   --scope <type> | --all              Multi-playbook run.
   --vex <file>                        CycloneDX / OpenVEX filter (drop not_affected).
-  --format <fmt> ...                  csaf-2.0 | sarif | openvex | markdown | summary.
+  --format <fmt> ...                  csaf-2.0 | sarif | openvex | markdown | summary | json.
                                       Repeatable. CSAF is primary; extras go to
                                       close.evidence_package.bundles_by_format.
   --diff-from-latest                  Drift vs prior attestation for same playbook.
@@ -622,7 +622,7 @@ All skills pull from `data/`. Cross-validated against canonical upstream sources
 To resolve a single citation rather than refresh the whole catalog, `exceptd cve <CVE-ID>` and `exceptd rfc <number>` return a status verdict for one id (catalog → resolved cache → one NVD / datatracker lookup, offline-capable). The lookup caches, so a fan-out of agents shares the answer instead of each independently re-researching the same citation.
 
 - `cve-catalog.json` — CVE metadata with RWEP scores, CISA KEV status, PoC availability, live-patch info
-- `atlas-ttps.json` — MITRE ATLAS v5.6.0 TTPs with gap flags and exploitation examples. Each TTP now carries a `cve_refs[]` back-edge — operators reading an ATLAS entry see the catalogued CVEs that cite it without grepping `cve-catalog.json`. The same back-edge is populated on `attack-techniques.json`, and each playbook carries a `_meta.fed_by[]` reverse field naming the upstream playbooks that chain into it.
+- `atlas-ttps.json` — MITRE ATLAS v2026.05 TTPs with gap flags and exploitation examples. Each TTP now carries a `cve_refs[]` back-edge — operators reading an ATLAS entry see the catalogued CVEs that cite it without grepping `cve-catalog.json`. The same back-edge is populated on `attack-techniques.json`, and each playbook carries a `_meta.fed_by[]` reverse field naming the upstream playbooks that chain into it.
 - `framework-control-gaps.json` — Per-framework, per-control: what it was designed for vs. what it misses
 - `exploit-availability.json` — PoC locations, weaponization status, AI-assist factor
 - `global-frameworks.json` — All major global compliance frameworks (35 jurisdictions) with control inventories and lag scores
@@ -638,7 +638,7 @@ To resolve a single citation rather than refresh the whole catalog, `exceptd cve
 
 **Compliance is not security.** A SOC 2 Type II report confirms that controls existed and operated effectively during the audit period. It says nothing about whether those controls are adequate for current attack patterns. When NIST 800-53 SI-2 says "apply security patches in a timely manner" and Copy Fail is a 732-byte deterministic root with a public PoC and no race condition, "timely" is the wrong frame entirely.
 
-**Framework lag is measured in months.** MITRE ATLAS v5.6.0 (May 2026) is the most current AI threat framework available. It still lags real exploitation by 3-6 months. NIST AI RMF lags by years. ISO 27001:2022 has no AI-specific controls. These skills explicitly flag every place where framework coverage ends and real attacker capability begins.
+**Framework lag is measured in months.** MITRE ATLAS v2026.05 (May 2026) is the most current AI threat framework available. It still lags real exploitation by 3-6 months. NIST AI RMF lags by years. ISO 27001:2022 has no AI-specific controls. These skills explicitly flag every place where framework coverage ends and real attacker capability begins.
 
 **AI changed the exploit development timeline.** Copy Fail was discovered by an AI system in approximately one hour. 41% of 2025 zero-days involved AI-assisted reverse engineering on the attacker side. The time between vulnerability introduction and reliable exploitation is compressing faster than patch management processes can adapt. Risk scoring must reflect this.
 

package/agents/threat-researcher.md

@@ -52,9 +52,9 @@ Research and validate new threat intelligence — CVEs, attack campaigns, new AT
    - Distinguish: "CISA KEV confirmed" vs. "suspected" vs. "no evidence"
 
 6. **Map to ATLAS/ATT&CK**
-   - Identify which ATLAS v5.6.0 TTPs are relevant to this CVE's attack vector
+   - Identify which ATLAS v2026.05 TTPs are relevant to this CVE's attack vector
    - Identify which ATT&CK techniques are relevant
-   - Flag any ATLAS gaps (attack pattern not in ATLAS v5.6.0)
+   - Flag any ATLAS gaps (attack pattern not in ATLAS v2026.05)
 
 7. **Identify affected skills**
    - Which skills cover the CVE's technology domain?

package/bin/exceptd.js

@@ -3406,8 +3406,10 @@ function cmdRun(runner, args, runOpts, pretty) {
     // Audit 3 A.6: --air-gap must refuse the registry probe. The
     // upstream-check helper has no air-gap awareness of its own; the
     // central refusal lives here so any future caller of --upstream-check
-    // inherits it.
-    if (runOpts.airGap || process.env.EXCEPTD_AIR_GAP === "1") {
+    // inherits it. Mirror the line-3444 hoist: an intrinsically air-gapped
+    // playbook (_meta.air_gap_mode — secrets / cred-stores / containers) must
+    // refuse the egress too, even without the explicit --air-gap flag.
+    if (runOpts.airGap || process.env.EXCEPTD_AIR_GAP === "1" || pb._meta?.air_gap_mode) {
       upstreamCheck = {
         ok: false,
         source: "air-gap",
@@ -5641,24 +5643,26 @@ function cmdAttest(runner, args, runOpts, pretty) {
       //      attestation.json cannot shadow the real attestation in the
       //      diff.
       let other = null;
+      let otherPath = null;
       const otherAttestationPath = path.join(otherDir, "attestation.json");
       if (fs.existsSync(otherAttestationPath)) {
         try {
           const parsed = JSON.parse(fs.readFileSync(otherAttestationPath, "utf8"));
-          if (parsed && parsed.kind !== "replay") other = parsed;
+          if (parsed && parsed.kind !== "replay") { other = parsed; otherPath = otherAttestationPath; }
         } catch { /* fall through to scan */ }
       }
       if (!other) {
         const candidates = [];
         for (const f of otherFiles) {
           try {
-            const parsed = JSON.parse(fs.readFileSync(path.join(otherDir, f), "utf8"));
+            const fp = path.join(otherDir, f);
+            const parsed = JSON.parse(fs.readFileSync(fp, "utf8"));
             if (!parsed || parsed.kind === "replay") continue;
-            candidates.push(parsed);
+            candidates.push({ parsed, file: fp });
           } catch { /* skip malformed */ }
         }
-        candidates.sort((a, b) => (b.captured_at || "").localeCompare(a.captured_at || ""));
-        other = candidates[0] || null;
+        candidates.sort((a, b) => (b.parsed.captured_at || "").localeCompare(a.parsed.captured_at || ""));
+        if (candidates[0]) { other = candidates[0].parsed; otherPath = candidates[0].file; }
       }
       if (!other) {
         return emitError(`attest diff --against ${args.against}: no attestations under that session id.`, null, pretty);
@@ -5673,6 +5677,33 @@ function cmdAttest(runner, args, runOpts, pretty) {
           pretty
         );
       }
+      // Verify BOTH attestations' sidecars — the --against (B-side) drives the
+      // drift verdict as much as the A-side, so a forged comparison attestation
+      // must be refused too, not silently diffed under an A-only green sidecar
+      // line. Mirrors reattest's tamper-refusal contract (exit TAMPERED unless
+      // --force-replay); surfaces a_/b_sidecar_verify either way.
+      const aSidecarVerify = verifyAttestationSidecar(path.join(dir, "attestation.json"));
+      const bSidecarVerify = otherPath
+        ? verifyAttestationSidecar(otherPath)
+        : { file: null, signed: false, verified: false, reason: "no B-side attestation file resolved" };
+      const aTampered = isTamperedSidecarVerify(aSidecarVerify);
+      const bTampered = isTamperedSidecarVerify(bSidecarVerify);
+      if ((aTampered || bTampered) && !args["force-replay"]) {
+        const sides = [aTampered && "A-side", bTampered && "--against (B-side)"].filter(Boolean).join(" + ");
+        process.stderr.write(`[exceptd attest diff] TAMPERED: ${sides} attestation failed Ed25519 verification. Refusing to diff against forged input. Pass --force-replay to override (the output records a_sidecar_verify + b_sidecar_verify).\n`);
+        emit({
+          ok: false,
+          error: `attest diff: ${sides} attestation failed signature verification — refusing to diff`,
+          verb: "attest diff",
+          a_session: sessionId,
+          b_session: args.against,
+          a_sidecar_verify: aSidecarVerify,
+          b_sidecar_verify: bSidecarVerify,
+          hint: "If a sidecar was intentionally removed/rotated and you have inspected the attestation, pass --force-replay.",
+        }, pretty);
+        process.exitCode = EXIT_CODES.TAMPERED;
+        return;
+      }
       emit({
         verb: "attest diff",
         a_session: sessionId,
@@ -5683,7 +5714,9 @@ function cmdAttest(runner, args, runOpts, pretty) {
         a_evidence_hash: self.evidence_hash,
         b_evidence_hash: other.evidence_hash,
         status: self.evidence_hash === other.evidence_hash ? "unchanged" : "drifted",
-        sidecar_verify: verifyAttestationSidecar(path.join(dir, "attestation.json")),
+        sidecar_verify: aSidecarVerify,
+        a_sidecar_verify: aSidecarVerify,
+        b_sidecar_verify: bSidecarVerify,
         // v0.11.8 (#102): normalize submissions before diffing so flat-shape
         // (observations + verdict) submissions emit meaningful artifact_diff
         // counts. Pre-0.11.8 (self.submission||{}).artifacts was undefined

package/data/_indexes/_meta.json

@@ -1,61 +1,62 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-06-06T00:45:44.721Z",
+  "generated_at": "2026-06-12T07:53:17.256Z",
   "generator": "scripts/build-indexes.js",
-  "source_count": 63,
+  "source_count": 64,
   "source_hashes": {
-    "manifest.json": "9e5780f8d8bec94d6cff2d22e16c940f63e7a38d8dfefe17a201cf93eaeabf93",
-    "data/atlas-ttps.json": "f66b456cf82a3c20575d8479de41f7b11b7ee5693eb1fcf64a67e162ae1b88a2",
-    "data/attack-techniques.json": "c39f28e3402ef13ad9b7076819f63fda67a22f97e3e375cfe01c4a4e0beff7c9",
+    "manifest.json": "7cdbf86213bc03cc55f8cd1ec5516f7c492177f0968c27216beabf68fdd68ef1",
+    "README.md": "e7b854e7db9a364a1b368b5084b4f0c2a8282f0459ce39800ac1d1dabdc06074",
+    "data/atlas-ttps.json": "29f3447ac5c45f42f50b3ed8a46010c2b8ecbcc8094bb19b5db57ba4707b396c",
+    "data/attack-techniques.json": "6506db66fdd69bb3564e12aef8f727edddc55d0e6e99f60833a200a57e8ee65e",
     "data/cve-catalog.json": "51d8425a49e5cc0375d0a154a83a16816e99c3141a5bbafe6383607ca11be240",
     "data/cwe-catalog.json": "b398003b68b0d9539d13a5536e933005149fd05f3d33978297c870987542cd86",
     "data/d3fend-catalog.json": "9a54bccb9f24f84b32024216cc3f53819a053721ac8ab43c326859e68fc0ffaf",
     "data/dlp-controls.json": "d2406c482dddd30e49203879999dc4b3a7fd4d0494d6a61d86b91ee76415df19",
     "data/exploit-availability.json": "ec2656f0d9a893610e27b43eb6035fe9b18e057c9f6dfaac7e7d4959bbcbb795",
-    "data/framework-control-gaps.json": "3f9ad83198da40d920e70933e615ac14ade4add037e1c664586c2ee3524edec4",
+    "data/framework-control-gaps.json": "b0ad6a39648322df7f5c596238acdc791631eb1d047171be53576808c64b03ce",
     "data/global-frameworks.json": "9ba563a85f7f8d6c3c957de64945e20925a89d0ed6ea6fc561cf093811acf558",
     "data/rfc-references.json": "b21d03b948c41bc8a854e2f057948ecf844bd8c105848aeb141d1eadf8192c31",
     "data/zeroday-lessons.json": "b6403d31f06e8f081217c338d2d5c515f8352295fbf58395f3c571cd95a05de0",
     "skills/kernel-lpe-triage/skill.md": "0f79c641cef6e5f4a942eb94f43c460562bf83dfb67ae112d146c39c6b320fb0",
-    "skills/ai-attack-surface/skill.md": "2880499993e0e69e3897a9d02b5e83aa0462c86a4dd2c1988b9968e375704a1f",
-    "skills/mcp-agent-trust/skill.md": "0752834acde0303d6d1e36be4b320eac3d34fde715bb8d71f3ad9e801d701482",
-    "skills/framework-gap-analysis/skill.md": "c2da8cc184ac4277309896bf4fe6afe23c419575b297734a8fc168f42d1805e9",
-    "skills/compliance-theater/skill.md": "02b51b932ded4b9b74844ecf842ee3f4d6b09699ebe9cdba457e2c9b7da10ebd",
-    "skills/exploit-scoring/skill.md": "628f4853e8d6b6ac2ad8ad159f1c9d74c392727f4ebf9bc1d7d8e43074b08a3a",
-    "skills/rag-pipeline-security/skill.md": "49b1910e996f01df1382714f9307ead98028fb5b6911bb9022cb8e5c0edf0723",
-    "skills/ai-c2-detection/skill.md": "08fee5607e4972a3c0e1e31d58d4ddfeffeae1302df22416f3e24c20229fb782",
-    "skills/policy-exception-gen/skill.md": "c549f48c2e44759a74c2c6306f0eb34ea26152fb2a3b0e7e96505d5b174f1bd4",
-    "skills/threat-model-currency/skill.md": "30fbe6f6d589331c0640d3238d1681905e37307171c8d78df1f753bc36259356",
+    "skills/ai-attack-surface/skill.md": "6eefa7772f1faf9c8ed971f2a827cd48398a12ab3b691b258c7c8364a5deb39c",
+    "skills/mcp-agent-trust/skill.md": "bda6842bfa3b8bfd5edb3ef37751c493ff32a3ca80f771c3d988ede4176f0803",
+    "skills/framework-gap-analysis/skill.md": "fdc5a60f63af6050a2a89d123bc99b63196b1dbd64b3d22259a423b5b560d125",
+    "skills/compliance-theater/skill.md": "72f97f85ff93894ce3d514d5c6ebb8d843be4c0eb5f5f5dce079eaa90738309a",
+    "skills/exploit-scoring/skill.md": "b59a24c70e79c0fc5a389f095a07a07c9a96e266fa37f507d886daa4df535abc",
+    "skills/rag-pipeline-security/skill.md": "c839de2fe1efc23c4c89745cea953f8e81de43c55117a4192e80b7e487670078",
+    "skills/ai-c2-detection/skill.md": "ac555b9c9a59a26655bfa79cbccd8aa1bd2773c1314abf33546353e852939ff9",
+    "skills/policy-exception-gen/skill.md": "1a2dbb8e836277cddba0e24c86e57088b36a9a766bf907adb21d7ce4a487277f",
+    "skills/threat-model-currency/skill.md": "a784c2b9f00aa259c1612eb9983cc8a53a91331a800831d2cda5301ea951a914",
     "skills/global-grc/skill.md": "8d1dfbae79153d403d543b3481f463260a89a35d068db0fa9eeda21c01c78e09",
-    "skills/zeroday-gap-learn/skill.md": "158aebcff94cb30a4503bc0fb1b867fff0b42bb0e5f4b8c2e43bee86b8178317",
-    "skills/pqc-first/skill.md": "c48ee7dbaebb748211aac7364b81bb853a9f99059c860557b203d424407d218a",
-    "skills/skill-update-loop/skill.md": "16cd5a61ccd87c61901e9b209fff0e26ca6540c0cfcb8e231ac17917c50d56bb",
-    "skills/security-maturity-tiers/skill.md": "de7a67b1f6ae79be490656939ac59b5772aa648dae4759733d80d6bf4595c278",
+    "skills/zeroday-gap-learn/skill.md": "b0d81f110d4aac3dbcf605c638b9cb4b5b377a2589ac98de60a72445368ed903",
+    "skills/pqc-first/skill.md": "803b3dc39eba4caa4f08980806b5fd02fb20b3655625cf014adccd85e4320e16",
+    "skills/skill-update-loop/skill.md": "d3514386d1fa04d21998991a0681c8dc154867f3ebe24a85131d526264ecd68c",
+    "skills/security-maturity-tiers/skill.md": "376e104f8a3f8aa2951825aa90de1acc2282ccc87a87615610277bffd1239db1",
     "skills/researcher/skill.md": "9f1211d177c64e4c465407a45ad9e2901c5c6c0af410a0d0a51cc8fb780420d4",
-    "skills/attack-surface-pentest/skill.md": "8d1137c3270763f1c90a3fa8c1c19ab5dc769623c1a35d6a71859bdb8cca2a3e",
-    "skills/fuzz-testing-strategy/skill.md": "07e2ee5f773a3f0e82bd21b8a7e8cf6d5b1a8bf3ac6f71602f16550561ade553",
-    "skills/dlp-gap-analysis/skill.md": "89dedc6c062fa2afd2284e608f4a51effda819e9288fbf38ab16a7891ccd8a10",
-    "skills/supply-chain-integrity/skill.md": "23d15c234afedec011d9c3e588334132373a22d09ef33cd2d943e479c88fcb43",
-    "skills/defensive-countermeasure-mapping/skill.md": "212c0c31dcdaf30dfc68d870e43015dc1420674563e47e6cfb7036067a1b8713",
+    "skills/attack-surface-pentest/skill.md": "014863752eee05b8538aa8401511295c37df94fdb2936828ef37b66ed5388b11",
+    "skills/fuzz-testing-strategy/skill.md": "636a2d1d5846ecad3d75c48425d85b8a463fa68eca98858d5d96aca205905c4f",
+    "skills/dlp-gap-analysis/skill.md": "85f4025b41ab0ad6560155842b04a400c0f1a34bf89164f2d2bf4df05753c2dc",
+    "skills/supply-chain-integrity/skill.md": "b1fa90145a886e2943d89fc588fae6dccac2fec21a5068fd5b009a0e8b0efe8c",
+    "skills/defensive-countermeasure-mapping/skill.md": "48f140a265a96cd8c2d065f63a351ad02bbcbca5f75a686f3e8094e93f2d0383",
     "skills/identity-assurance/skill.md": "86649aa573bde5b2ef2456a77d2fbfa9d1b623a4ef1326dd7a7ab384d0419307",
-    "skills/ot-ics-security/skill.md": "583f758ace33e638ddbbc985eda1ffc711bb040ce24f528d502fc13e5f7bb46e",
-    "skills/coordinated-vuln-disclosure/skill.md": "5c089e27e06e16201d1035038ef3c6ecbb7121f18ebb296eb8bb6022cbf522ec",
-    "skills/threat-modeling-methodology/skill.md": "4e77ce72fbeff93fa1c6674528dcfc4a8411caac230d0f0c0d28780b56cc0452",
-    "skills/webapp-security/skill.md": "9dc8c0e51c78ad93ef9de91dd9054370dfebeea2161a87f909202ecacfad1504",
+    "skills/ot-ics-security/skill.md": "80aa5a27ba31e57a80eb6d6fb8c8319a17e036ab341fc203515619b334449ab4",
+    "skills/coordinated-vuln-disclosure/skill.md": "8b752a1c7cafcb414ed32ef573ec62542e1e55872aa51157e86289deb0acb3f9",
+    "skills/threat-modeling-methodology/skill.md": "b67ce043e018df5079a7d7d5708687a63af177ea915aff52baaee1aa7b19e606",
+    "skills/webapp-security/skill.md": "d9817acfc1b52025857303d2839e2d9b4e87ee963c7ab9ffdc356d938eed0c72",
     "skills/ai-risk-management/skill.md": "3e116dc6f03f31e32f1ee885516d72d9c11d3ff67d2184108b13dcbdf5f417bf",
-    "skills/sector-healthcare/skill.md": "148520af64959a60018a24f4368670925980db3e73aa09af73194f8ea61f1fcc",
-    "skills/sector-financial/skill.md": "ad33faa8dddbeb23fed88f464205c630e3fa50c669d3e1ba7ed54f23719efd55",
-    "skills/sector-federal-government/skill.md": "870dead2eae1b2664b1e151dd73d8fa240a62a297bdbcddee37bd1cb60e5e5f4",
-    "skills/sector-energy/skill.md": "432213dfc9ee271631ce3171daf62a103a010b27a51911dd1112bd5d8bc6c152",
+    "skills/sector-healthcare/skill.md": "c8fecc8d7e0d3d88c3134bf9be3e4a9bf3e192b8307d393894bf1dee577ace25",
+    "skills/sector-financial/skill.md": "364839b2ed70e09bbce1db387633c6235422959758f73150d58e5ae728adf21c",
+    "skills/sector-federal-government/skill.md": "35ac67e9c67802b71576b723538704222426781f1feab48e08126c5f71db061a",
+    "skills/sector-energy/skill.md": "8c20e93e687fb41b5880d6f270a26915ecc8efa4b65797f728363dd59d7374fc",
     "skills/sector-telecom/skill.md": "4b80771e78a474e3f43227ecc730ddda1684bff98d7e6e53f5ec373e1e886f34",
-    "skills/api-security/skill.md": "bdd29ba72fd40b9a81228e41b3e27e62dde6de6290b678d5ba282c6436844fb9",
-    "skills/cloud-security/skill.md": "4ca2792b199ea5d3f0ce61ad7dccd31cacd345acb295b872089a4a2ebca973cc",
-    "skills/container-runtime-security/skill.md": "a34221dfd923f8f0d7d03a325cbe5d30de6163e19174f0070b94b4a22b3cd50c",
-    "skills/mlops-security/skill.md": "6ec745030723e1dbc174315ce462a9402641febaf4871960b562827c9801b627",
-    "skills/incident-response-playbook/skill.md": "5a048322fe19833326d2d35ead53c02c2bcada63d64947c6daf0550e7862365a",
-    "skills/ransomware-response/skill.md": "d0f456f1c31ec2968bb4c2cea67eb628d5baf857f17650ab204cf7931b3317ef",
+    "skills/api-security/skill.md": "9cd5bc4b6ae46afade496b0772d013a302a4a6858414dd757f317c1f9c84942d",
+    "skills/cloud-security/skill.md": "128323a2bae6a70e9e8fc31f7bf207688542da7d7f0355fbe72bd6db7dc73768",
+    "skills/container-runtime-security/skill.md": "6d9f3c04e4ae7323d41f66d563d96bbdef2c301459b2bf9d4828a5dbae9ef021",
+    "skills/mlops-security/skill.md": "af4e563f7da7b98c75d56556ec7d1f9bba8f204c586ebd981562c5e3526dbed8",
+    "skills/incident-response-playbook/skill.md": "20e4f0463aea6b1968f1cafb5b682ecdab3b7f38c16c9e051ce9514f50c42faf",
+    "skills/ransomware-response/skill.md": "d2f84694fdfa5fc21a5e959dcc8b4458d595715cb240642f30638ceb3d00c100",
     "skills/email-security-anti-phishing/skill.md": "0965eca982e8fc633b85e70c0ba6becb8c0f5ee7bdd0be96ad73a9a222bb8816",
-    "skills/age-gates-child-safety/skill.md": "6d4d29e54a115314c3c0ea9f5df47bdc2828f3b226fff4b5974d898b56c0cd73",
+    "skills/age-gates-child-safety/skill.md": "2cae96ba7cfde40b98016b8a9bc5450d79c6218cabb7165625cfaf3f5fd06f2e",
     "skills/cloud-iam-incident/skill.md": "6aab2e400d1e87df7ac2b6f0a17dac6aa99723b217258c4a7b446703d1521775",
     "skills/idp-incident-response/skill.md": "cb2f2c5b90de4592bfd66dcd55f9bf2004f370746d519cad577fcbaf36125878",
     "skills/vc-wallet-trust/skill.md": "802dada75d934c9ab322246f650eb2eac9e2f72c1f094b0cebcfa605b56108a5",
@@ -87,7 +88,7 @@
     "handoff_dag_nodes": 51,
     "summary_cards": 51,
     "section_offsets_skills": 51,
-    "token_budget_total_approx": 435955,
+    "token_budget_total_approx": 435989,
     "recipes": 8,
     "jurisdiction_clocks": 29,
     "did_ladders": 8,