@blamejs/exceptd-skills 0.16.25 → 0.16.29

package/scripts/build-indexes.js

@@ -266,6 +266,13 @@ const OUTPUTS = [
       for (const s of ctx.skills) {
         const body = ctx.skillBodies[s.name];
         for (const code of codes) {
+          // Skip bare 2-letter ISO codes in free-text matching. `\bID\b`,
+          // `\bCA\b`, `\bNO\b` etc. collide with prose words ("the ID",
+          // "US-based") and control/countermeasure id grammar (`\bCA\b` matches
+          // inside `D3-CA`, `\bSA\b` inside `SA-12`), polluting coverage
+          // (Indonesia landed on 41/51 skills). These jurisdictions are mapped
+          // via the curated NAME_TO_CODE regulation-name table below instead.
+          if (code.length <= 2) continue;
           const re = new RegExp("\\b" + code + "\\b");
           if (re.test(body) && !out[code].skills.includes(s.name)) out[code].skills.push(s.name);
         }
@@ -499,7 +506,7 @@ const OUTPUTS = [
   {
     name: "stale-content",
     file: "stale-content.json",
-    deps: [isManifest, isAnySkillBody, isAnyCatalog],
+    deps: [isManifest, isAnySkillBody, isAnyCatalog, (p) => p === "README.md"],
     build: (ctx) => {
       const { buildStaleContent } = require("./builders/stale-content");
       return buildStaleContent({ root: ctx.root, manifest: ctx.manifest, skills: ctx.skills, catalogFiles: ctx.catalogFiles });
@@ -518,6 +525,10 @@ function loadPriorMeta() {
 function liveSourceSet(ctx) {
   const out = new Set();
   out.add("manifest.json");
+  // README.md is consumed by the stale-content builder (badge-count drift), so
+  // it must be a hashed source — otherwise a README edit is invisible to
+  // --changed and the validate-indexes freshness gate.
+  if (fs.existsSync(ABS("README.md"))) out.add("README.md");
   for (const c of ctx.catalogFiles) out.add(c);
   for (const s of ctx.skills) out.add(s.path);
   return out;

package/scripts/builders/catalog-summaries.js

@@ -18,7 +18,7 @@ const path = require("path");
 const CATALOG_PURPOSES = {
   "cve-catalog.json": "Per-CVE record (CVSS, EPSS, CISA KEV, RWEP, AI-discovery, vendor advisories, framework gaps, ATLAS/ATT&CK mappings). Cross-validated against NVD + CISA KEV + FIRST EPSS via validate-cves.",
   "cwe-catalog.json": "MITRE CWE entries used by the project (subset with skill citations), with severity hint and category. Pinned to a CWE catalog version.",
-  "atlas-ttps.json": "MITRE ATLAS TTPs (AML.T0xxx) cited by skills, with tactic, name, description. Pinned to ATLAS v5.6.0 (May 2026).",
+  "atlas-ttps.json": "MITRE ATLAS TTPs (AML.T0xxx) cited by skills, with tactic, name, description. Pinned to ATLAS v2026.05 (May 2026).",
   "d3fend-catalog.json": "MITRE D3FEND countermeasures (D3-xxx) keyed by id, with tactic + name. Pinned to D3FEND v1.3.0 release.",
   "framework-control-gaps.json": "Per-control framework gap declarations: SI-2, A.8.8, PCI 6.3.3, etc. Each entry names the control, the lag, the evidence CVE, and remediation guidance.",
   "global-frameworks.json": "Multi-jurisdiction framework registry: per-jurisdiction applicable frameworks × patch_sla / notification_sla / critical_controls / framework_gaps (jurisdiction count is reported by entry_count, not duplicated here). Cross-cutting authority for jurisdiction-clocks index.",

package/scripts/builders/recipes.js

@@ -21,7 +21,7 @@ const RECIPES = [
     when_to_use: "Before scoping or executing a red-team engagement against a model, agentic system, or AI feature.",
     typical_jurisdictions: ["US", "EU", "UK", "GLOBAL"],
     steps: [
-      { skill: "ai-attack-surface", why: "Comprehensive attack-surface inventory mapped to ATLAS v5.6.0 with gap flags." },
+      { skill: "ai-attack-surface", why: "Comprehensive attack-surface inventory mapped to ATLAS v2026.05 with gap flags." },
       { skill: "ai-c2-detection", why: "Detection coverage for AI-as-C2 (PROMPTFLUX / SesameOp / AI-API egress) before testing." },
       { skill: "mcp-agent-trust", why: "MCP server trust boundary for the engineering toolchain side of the surface." },
       { skill: "rag-pipeline-security", why: "RAG ingestion provenance + prompt-injection chain coverage." },

package/scripts/check-sbom-currency.js

@@ -136,19 +136,42 @@ function checkSbomCurrency(root) {
     );
   }
 
-  // component-level cross-check. A renamed or version-bumped
-  // skill that never made it into the SBOM refresh will pass the count
-  // check (the cardinality is unchanged) but the per-component name +
-  // version comparison surfaces it. Two component classes are recognised:
-  //
-  //   1. Skill components — bom-ref begins with "skill:" OR the component
-  //      name matches a manifest.skills[].name. Each one must exist in
-  //      manifest.skills with the same version.
-  //   2. Vendor components — bom-ref begins with "vendor:". Validated
-  //      against vendor/blamejs/_PROVENANCE.json when present.
-  //
-  // Components that don't fit either pattern are surfaced as warnings
-  // (not errors) so the gate isn't brittle against future component types.
+  // The "N catalogs" and "N jurisdictions" free-text counts in the same
+  // description string were never validated — only the per-catalog entry tokens
+  // and the skill count were. Pin them to the live values so a stale
+  // description (e.g. after an auto-refresh changed a count) fails the gate.
+  const catalogMatch = description.match(/(\d+)\s+catalogs?\b/i);
+  if (catalogMatch && Number(catalogMatch[1]) !== liveCatalogs) {
+    errors.push(
+      `SBOM description catalog count is ${Number(catalogMatch[1])} but live data/ has ${liveCatalogs} catalogs — description is stale; update package.json.description and \`npm run refresh-sbom\``
+    );
+  }
+  const liveJurisdictions = (() => {
+    try {
+      const gf = JSON.parse(fs.readFileSync(path.join(dataDir, "global-frameworks.json"), "utf8"));
+      // Non-underscore top-level keys — the canonical jurisdiction count the
+      // README badge and catalog-summaries use.
+      return Object.keys(gf).filter((k) => !k.startsWith("_")).length;
+    } catch {
+      return null;
+    }
+  })();
+  const jurisdictionMatch = description.match(/(\d+)\s+jurisdictions?\b/i);
+  if (liveJurisdictions !== null && jurisdictionMatch && Number(jurisdictionMatch[1]) !== liveJurisdictions) {
+    errors.push(
+      `SBOM description jurisdiction count is ${Number(jurisdictionMatch[1])} but live global-frameworks.json has ${liveJurisdictions} — description is stale; update package.json.description and \`npm run refresh-sbom\``
+    );
+  }
+
+  // Component-level cross-check (defense-in-depth). In normal operation
+  // refresh-sbom emits NO per-skill "skill:" components — skill drift is caught
+  // by the file:skills/<name>/skill.md and file:manifest.json content hashes in
+  // the file: component pass below (a bumped or renamed skill changes those
+  // bytes). This branch is therefore not exercised by a clean SBOM, but it is
+  // retained as a tamper guard: a forged or buggy SBOM that injected a skill
+  // component with a stale version (or a skill name no longer in the manifest)
+  // is still caught here. Vendor components are validated against
+  // vendor/blamejs/_PROVENANCE.json.
   const components = Array.isArray(sbom.components) ? sbom.components : [];
   const skillByName = new Map(
     (manifest.skills || []).map((s) => [s.name, s])
@@ -281,6 +304,45 @@ function checkSbomCurrency(root) {
     fileComponentsChecked++;
   }
 
+  // Completeness + bundle-digest integrity. The per-file pass above verifies
+  // every RECORDED file: component, but never checked that every SHIPPED file
+  // (the package.json.files expansion) actually HAS a component — a
+  // newly-shipped file would ship unhashed and silent. And the aggregate
+  // bundle digest in metadata.component.hashes[] was never recomputed. Reuse
+  // refresh-sbom's exact allowlist expansion + digest so the gate can't drift
+  // from the generator.
+  try {
+    const { expandAllowlist, bundleDigest } = require("./refresh-sbom");
+    const pkg = JSON.parse(fs.readFileSync(path.join(root, "package.json"), "utf8"));
+    const expected = expandAllowlist(pkg.files || []);
+    const fileComps = components.filter(
+      (c) => typeof c["bom-ref"] === "string" && c["bom-ref"].startsWith("file:")
+    );
+    const fileCompNames = new Set(fileComps.map((c) => c.name));
+    for (const rel of expected) {
+      if (!fileCompNames.has(rel)) {
+        errors.push(
+          `Shipped file "${rel}" (package.json.files) has no file: component in the SBOM — run \`npm run refresh-sbom\``
+        );
+      }
+    }
+    // Recompute the aggregate bundle digest from the file: components' recorded
+    // SHA-256 hashes and compare to metadata.component.hashes[] (the per-file
+    // pass already tied each recorded hash to live bytes).
+    const compHashes = (sbom.metadata && sbom.metadata.component && sbom.metadata.component.hashes) || [];
+    const recorded = (compHashes.find((h) => h && h.alg === "SHA-256") || {}).content;
+    if (recorded && fileComps.length) {
+      const recomputed = bundleDigest(fileComps);
+      if (recomputed !== recorded) {
+        errors.push(
+          `SBOM bundle digest mismatch: metadata.component.hashes SHA-256 ${String(recorded).slice(0, 12)}… != recomputed ${recomputed.slice(0, 12)}… from file: components — run \`npm run refresh-sbom\``
+        );
+      }
+    }
+  } catch (e) {
+    errors.push(`SBOM completeness/bundle-digest check failed: ${e.message}`);
+  }
+
   return {
     ok: errors.length === 0,
     errors,
@@ -310,6 +372,6 @@ function main() {
   );
 }
 
-module.exports = { checkSbomCurrency, resolveRoot };
+module.exports = { checkSbomCurrency, resolveRoot, DESCRIPTION_ENTRY_TOKENS, catalogEntryCount };
 
 if (require.main === module) main();

package/scripts/refresh-sbom.js

@@ -409,4 +409,4 @@ if (require.main === module) {
   main();
 }
 
-module.exports = { buildSbom };
+module.exports = { buildSbom, expandAllowlist, bundleDigest };

package/scripts/run-e2e-scenarios.js

@@ -110,6 +110,47 @@ function tryParseJson(s) {
   return null;
 }
 
+// Evaluate a spawnSync result against a scenario's expectations. Pure: takes
+// the raw spawnSync result so the failure logic is unit-testable without
+// spawning a process. Surfaces spawn-level failures (timeout/launch error)
+// that res.status alone hides, and refuses to pass a scenario that binds no
+// assertion.
+function evaluateScenario(scenario, expect, res) {
+  const stdout = res.stdout || "";
+  const stderr = res.stderr || "";
+  const status = res.status;
+  const body = tryParseJson(stdout);
+  const failures = [];
+
+  // spawnSync failure channels: a timeout sets res.error (ETIMEDOUT) +
+  // res.signal 'SIGTERM' with status null; a launch failure (ENOENT/EACCES)
+  // sets res.error with status null. Reading only res.status lets a killed-
+  // or-never-launched run masquerade as a plain non-zero exit or a JSON-parse
+  // failure, hiding the real cause.
+  if (res.error) failures.push(`spawn error: ${res.error.code || res.error.message}`);
+  if (res.signal) failures.push(`killed by signal ${res.signal}${res.signal === "SIGTERM" ? " (likely the 60s timeout)" : ""}`);
+
+  // Assertion floor: every scenario must bind at least one positive check.
+  // Without an expect_exit or a json_path_* matcher, both gates below are
+  // skipped and the scenario would pass for ANY CLI behavior, including a
+  // crash. (stderr_must_not_match is a negative guard and cannot bind
+  // behavior on its own, so it does not satisfy the floor.)
+  const hasExitAssertion = typeof scenario.expect_exit === "number";
+  const hasJsonAssertion = !!(expect.json_path_equals || expect.json_path_present || expect.json_path_min || expect.json_path_match);
+  if (!hasExitAssertion && !hasJsonAssertion) {
+    failures.push("scenario has no binding assertion (set expect_exit or an expect.json_path_* matcher) — refusing to pass vacuously");
+  }
+
+  if (hasExitAssertion && status !== scenario.expect_exit) {
+    failures.push(`exit: want ${scenario.expect_exit}, got ${status}`);
+  }
+  if (!body && hasJsonAssertion) {
+    failures.push(`stdout did not parse as JSON; first 200 chars: ${stdout.slice(0, 200)}`);
+  }
+  if (body) failures.push(...diffExpect(body, expect, { stdout, stderr, status }));
+  return failures;
+}
+
 function runScenario(scenarioPath) {
   const name = path.basename(scenarioPath);
   const scenarioFile = path.join(scenarioPath, "scenario.json");
@@ -165,28 +206,16 @@ function runScenario(scenarioPath) {
       timeout: 60000,
     });
 
-    const stdout = res.stdout || "";
-    const stderr = res.stderr || "";
-    const status = res.status;
-    const body = tryParseJson(stdout);
-
-    const failures = [];
-    if (typeof scenario.expect_exit === "number" && status !== scenario.expect_exit) {
-      failures.push(`exit: want ${scenario.expect_exit}, got ${status}`);
-    }
-    if (!body && (expect.json_path_equals || expect.json_path_present || expect.json_path_min || expect.json_path_match)) {
-      failures.push(`stdout did not parse as JSON; first 200 chars: ${stdout.slice(0, 200)}`);
-    }
-    if (body) failures.push(...diffExpect(body, expect, { stdout, stderr, status }));
+    const failures = evaluateScenario(scenario, expect, res);
 
     return {
       name,
       description: scenario.description || "",
       ok: failures.length === 0,
-      exit_status: status,
+      exit_status: res.status,
       failures,
-      stdout_preview: stdout.slice(0, 200),
-      stderr_preview: stderr.slice(0, 200),
+      stdout_preview: (res.stdout || "").slice(0, 200),
+      stderr_preview: (res.stderr || "").slice(0, 200),
     };
   } finally {
     fs.rmSync(work, { recursive: true, force: true });
@@ -237,4 +266,6 @@ function main() {
   process.exit(failed.length === 0 ? 0 : 1);
 }
 
-main();
+module.exports = { evaluateScenario, diffExpect, runScenario };
+
+if (require.main === module) main();

package/scripts/sync-package-description.js

@@ -0,0 +1,74 @@
+'use strict';
+
+/**
+ * scripts/sync-package-description.js
+ *
+ * Regenerate the count-bearing tokens embedded in package.json.description from
+ * the live catalogs + manifest, so the description stays in sync when an
+ * auto-refresh changes an entry count. refresh-sbom copies the description into
+ * sbom.cdx.json, and check-sbom-currency validates every token against the live
+ * counts — without this sync, the first refresh that changes a count would fail
+ * the SBOM description-token gate on the auto-PR.
+ *
+ * Targeted, format-preserving: replaces only the integer in each known
+ * "<N> <label>" token (skills / catalogs / jurisdictions / per-catalog entry
+ * counts). Reuses check-sbom-currency's token table so the two can't drift.
+ *
+ * Run before refresh-sbom in the refresh apply path (and idempotent locally).
+ */
+
+const fs = require('fs');
+const path = require('path');
+
+const { DESCRIPTION_ENTRY_TOKENS, catalogEntryCount } = require('./check-sbom-currency');
+
+function syncPackageDescription(root = path.join(__dirname, '..')) {
+  const pkgPath = path.join(root, 'package.json');
+  const dataDir = path.join(root, 'data');
+  const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf8'));
+  const manifest = JSON.parse(fs.readFileSync(path.join(root, 'manifest.json'), 'utf8'));
+
+  const before = pkg.description || '';
+  let desc = before;
+
+  const liveSkills = Array.isArray(manifest.skills) ? manifest.skills.length : 0;
+  const liveCatalogs = fs.readdirSync(dataDir).filter((f) => f.endsWith('.json')).length;
+  let liveJurisdictions = null;
+  try {
+    const gf = JSON.parse(fs.readFileSync(path.join(dataDir, 'global-frameworks.json'), 'utf8'));
+    liveJurisdictions = Object.keys(gf).filter((k) => !k.startsWith('_')).length;
+  } catch { /* leave null — skip the jurisdiction token */ }
+
+  // Replace only the integer in "<N> <label>"; `labelRe` is the same (already
+  // regex-escaped) pattern check-sbom-currency matches, and $2 preserves the
+  // matched label text verbatim.
+  const sub = (n, labelRe) => {
+    if (n == null) return;
+    desc = desc.replace(new RegExp('(\\d+)(\\s+' + labelRe + '\\b)'), String(n) + '$2');
+  };
+
+  sub(liveSkills, 'skills');
+  sub(liveCatalogs, 'catalogs?');
+  sub(liveJurisdictions, 'jurisdictions?');
+  for (const { file, label } of DESCRIPTION_ENTRY_TOKENS) {
+    sub(catalogEntryCount(dataDir, file), label);
+  }
+
+  const changed = desc !== before;
+  if (changed) {
+    pkg.description = desc;
+    fs.writeFileSync(pkgPath, JSON.stringify(pkg, null, 2) + '\n');
+  }
+  return { changed, description: desc };
+}
+
+if (require.main === module) {
+  const r = syncPackageDescription();
+  process.stdout.write(
+    r.changed
+      ? `package.json description synced from live counts:\n  ${r.description}\n`
+      : 'package.json description already in sync with live counts.\n'
+  );
+}
+
+module.exports = { syncPackageDescription };

package/scripts/verify-shipped-tarball.js

@@ -119,9 +119,15 @@ module.exports = {
 const ROOT = path.resolve(__dirname, "..");
 
 function emit(msg) { process.stdout.write(`[verify-shipped-tarball] ${msg}\n`); }
+// Sentinel thrown by fail() so the script body's try/finally still runs its
+// temp-dir cleanup. process.exit() would preempt the finally, leaking the
+// npm-pack temp dir on every run (predeploy gate + `npm test`). Abort by
+// throwing instead and set the exit code via process.exitCode.
+const ABORT = Symbol("verify-shipped-tarball:abort");
 function fail(msg, code = 1) {
   process.stderr.write(`[verify-shipped-tarball] FAIL: ${msg}\n`);
-  process.exit(code);
+  process.exitCode = code;
+  throw ABORT;
 }
 
 // Gate the script body behind require.main === module so tests can
@@ -374,15 +380,20 @@ try {
   emit(`tarball verify result: ${pass}/${total} pass, ${fail_count} fail, ${miss} missing`);
   if (fail_count === 0 && miss === 0 && pass === total) {
     emit(`PASS — shipped tarball is internally consistent`);
-    process.exit(0);
+    process.exitCode = 0;
+  } else {
+    for (const f of failures.slice(0, 10)) emit(`  - ${f}`);
+    if (failures.length > 10) emit(`  ... and ${failures.length - 10} more`);
+    emit(`FAIL — shipped tarball would be broken on every fresh install. Refusing to publish.`);
+    process.exitCode = 1;
   }
-  for (const f of failures.slice(0, 10)) emit(`  - ${f}`);
-  if (failures.length > 10) emit(`  ... and ${failures.length - 10} more`);
-  emit(`FAIL — shipped tarball would be broken on every fresh install. Refusing to publish.`);
-  process.exit(1);
+} catch (e) {
+  // ABORT is the fail() sentinel — cleanup still runs via finally below. Any
+  // other error is unexpected: let finally run, then re-propagate it.
+  if (e !== ABORT) throw e;
 } finally {
   // Best-effort cleanup; leave on failure for diagnostics.
-  if (process.exitCode === 0) {
+  if (process.exitCode === 0 || process.exitCode === undefined) {
     try { fs.rmSync(tmpRoot, { recursive: true, force: true }); } catch {}
   } else {
     emit(`temp dir preserved for inspection: ${tmpRoot}`);

package/skills/age-gates-child-safety/skill.md

@@ -58,7 +58,7 @@ forward_watch:
   - AI product age policy enforcement — Character.ai litigation (2024 child-suicide complaint) testing duty-of-care for AI companion apps; ChatGPT / Claude / Gemini under-13 / under-18 enforcement evolving via FTC + state AG actions
   - France SREN (Securing and Regulating the Digital Space) Act 2024 — ARCOM age-verification referential for adult content services; double-anonymity model under deployment
   - US state adult-site age-verification laws — 19+ states by mid-2026 (TX HB 18 upheld by SCOTUS June 2025 in Free Speech Coalition v. Paxton); track ongoing challenges in remaining states
-last_threat_review: "2026-05-11"
+last_threat_review: "2026-06-10"
 discovery_mode: "standalone"  # operator-reached via `exceptd brief age-gates-child-safety` or `exceptd ask`; not chained into any playbook's direct.skill_chain by design
 ---
 
@@ -125,13 +125,13 @@ Classical security and privacy frameworks (NIST 800-53 r5, ISO/IEC 27001:2022, S
 
 ## TTP Mapping
 
-This skill is primarily a compliance + privacy-engineering skill rather than a technical-exploit skill. There are no ATLAS-catalogued AI-attack TTPs that are child-specific as of v5.6.0, and most relevant attacker activity intersects general ATT&CK techniques rather than child-targeted novel TTPs. The relevant mapping is therefore narrower and explicitly flagged as such — `atlas_refs` is empty by design, not omission.
+This skill is primarily a compliance + privacy-engineering skill rather than a technical-exploit skill. There are no ATLAS-catalogued AI-attack TTPs that are child-specific as of v2026.05, and most relevant attacker activity intersects general ATT&CK techniques rather than child-targeted novel TTPs. The relevant mapping is therefore narrower and explicitly flagged as such — `atlas_refs` is empty by design, not omission.
 
 | ID | Source | Technique | Child-Safeguarding Relevance | Gap Flag |
 |---|---|---|---|---|
 | T1078 | ATT&CK Enterprise | Valid Accounts | Account takeover targeting child accounts (compromised parental controls; sextortion via stolen accounts; grooming via account hijack) — child accounts are under-protected because MFA roll-out lags adult user populations. | NIST 800-53 AC-2 + COPPA / AADC / Children's Code silent on MFA-for-child requirement; the AC-2 gap entry in `data/framework-control-gaps.json` covers AI-service-principals not child identities. Hand off to `identity-assurance` for AAL2+ on child accounts where vendor terms permit. |
 | T1567 | ATT&CK Enterprise | Exfiltration Over Web Service | Child PI exfiltrated via AI-tool / SaaS egress — additional liability under COPPA (no behavioral-ad use of under-13 PI), AADC (DPIA failure), GDPR Art. 8 (no lawful basis), DPDPA (default-VPC bypass), CN PIPL Art. 31 (child PI = sensitive PI requiring separate consent). | Hand off to `dlp-gap-analysis` for child-PI as a protected data class; COPPA / AADC / Children's Code do not name DLP technical controls; the SOC2-CC7 anomaly-detection gap entry applies. |
-| AI-generated CSAM creation / distribution | Not catalogued in ATLAS or ATT&CK as of v5.6.0 | Generative-AI image / video synthesis depicting children | Direct criminal exposure under 18 U.S.C. §§2251, 2252, 2252A, 2256 (Protect Act / Mash-Up Act framework); mandatory NCMEC reporting per §2258A. Multiple 2024-2025 prosecutions (US v. Anderegg WD-Wis 2024 — first federal AI-CSAM prosecution; UK National Crime Agency campaign 2024-2025). | No formal TTP class. Evidence stream: NCMEC CyberTipline reports + EU IWF reports. Hand off to `ai-attack-surface` for generative-model content-policy red-team and to `incident-response-playbook` for reporting workflow. |
+| AI-generated CSAM creation / distribution | Not catalogued in ATLAS or ATT&CK as of v2026.05 | Generative-AI image / video synthesis depicting children | Direct criminal exposure under 18 U.S.C. §§2251, 2252, 2252A, 2256 (Protect Act / Mash-Up Act framework); mandatory NCMEC reporting per §2258A. Multiple 2024-2025 prosecutions (US v. Anderegg WD-Wis 2024 — first federal AI-CSAM prosecution; UK National Crime Agency campaign 2024-2025). | No formal TTP class. Evidence stream: NCMEC CyberTipline reports + EU IWF reports. Hand off to `ai-attack-surface` for generative-model content-policy red-team and to `incident-response-playbook` for reporting workflow. |
 | AI chatbot grooming / harmful-content engagement with children | Not catalogued | Long-context AI chatbot interactions with children steering toward harm | Research and litigation evidence: Character.ai litigation 2024 (FL wrongful-death suit alleging companion-chatbot contribution to minor suicide; additional 2024-2025 complaints); UK NCA campaign 2024 documenting grooming attempts via AI chatbots; ESRC / RAND research 2024-2025. | No formal TTP class. EU DSA Art. 28 + UK OSA + AU OSA + KOSA-if-enacted all frame this as a platform duty-of-care obligation. Hand off to `ai-risk-management` for AI-product age policy enforcement. |
 
 **Honest scope statement (no fabricated TTP IDs).** This skill does not invent TTP IDs to fill gaps in the ATLAS or ATT&CK matrices. AI-generated CSAM and AI-chatbot-mediated harm to children are real-world threat classes documented through prosecution records, NCMEC / IWF reporting, and litigation — not novel ATLAS techniques. Citation is to the evidence stream, not to a TTP ID.

package/skills/ai-attack-surface/skill.md

@@ -1,7 +1,7 @@
 ---
 name: ai-attack-surface
 version: "1.0.0"
-description: Comprehensive AI/ML attack surface assessment mapped to MITRE ATLAS v5.6.0 with explicit framework gap flags
+description: Comprehensive AI/ML attack surface assessment mapped to MITRE ATLAS v2026.05 with explicit framework gap flags
 triggers:
   - ai attack surface
   - prompt injection
@@ -59,7 +59,7 @@ forward_watch:
   - Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — Chroma vector DB CWE-190 + CWE-362 chain by haehae; impacts RAG vector store integrity; track patch and downstream RAG advisory
   - Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — NVIDIA Megatron Bridge overly permissive allowed list by Satoki Tsuji; AI training-stack supply-chain exposure; track patch and SBOM advisory
   - Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — NVIDIA Megatron Bridge path traversal by haehae; AI training-stack file-system trust boundary; track patch and SBOM advisory
-last_threat_review: "2026-05-17"
+last_threat_review: "2026-06-10"
 ---
 
 # AI Attack Surface Assessment
@@ -156,7 +156,7 @@ AI-assisted reconnaissance is observed at 36,000 probes per second per campaign.
 | SOC 2 | CC6 (Logical and Physical Access) | Access control via IAM, authentication, authorization. Prompt injection is an access control failure that routes around CC6 entirely — the authorized model account takes the action, not the attacker. Audit trails show the model's service account performed the action. |
 | SOC 2 | CC7 (System Operations) | Anomaly detection for system operations. No guidance for AI API baseline, AI C2 detection, or PROMPTFLUX behavioral patterns. |
 | PCI DSS 4.0 | 6.4.1 | Web application protection (WAF). WAFs operate on HTTP request/response patterns. They have no semantic understanding of prompt injection embedded in JSON `message` fields. |
-| MITRE ATT&CK | Enterprise | Does not include prompt injection as a technique. AI-as-C2 (SesameOp) is not in ATT&CK as of mid-2026. ATLAS v5.6.0 covers these but is not part of SOC detection engineering programs that are ATT&CK-mapped. |
+| MITRE ATT&CK | Enterprise | Does not include prompt injection as a technique. AI-as-C2 (SesameOp) is not in ATT&CK as of mid-2026. ATLAS v2026.05 covers these but is not part of SOC detection engineering programs that are ATT&CK-mapped. |
 | NIST AI RMF | MEASURE 2.5 | Measure AI risks during operation. Provides a framework for thinking about AI risk but no specific controls for prompt injection, MCP supply chain, or AI-as-C2. |
 | EU NIS2 | Art. 21(2)(d) (supply-chain security) + Art. 21(2)(e) (security in acquisition, development and maintenance) | "Appropriate and proportionate" supply-chain language. Member-state transpositions (BSI IT-SiG 2.0, ANSSI) do not enumerate MCP servers or LLM API providers as in-scope supply-chain components. An essential entity can meet NIS2 supplier-management obligations with traditional SaaS vendor reviews while having zero coverage of AI-assistant tool ecosystems. |
 | EU DORA | Art. 8 (ICT asset management) + Art. 28 (ICT third-party register) + Art. 30 (key contractual provisions) | Financial-entity ICT third-party language scoped to traditional ICT providers. LLM API providers acting as data processors for prompt content and developer-environment MCP servers are not enumerated as ICT third-party service providers. ESAs RTS on subcontracting (JC 2024/53) is silent on AI/ML SaaS dependency classes. |
@@ -170,7 +170,7 @@ AI-assisted reconnaissance is observed at 36,000 probes per second per campaign.
 
 ---
 
-## TTP Mapping (MITRE ATLAS v5.6.0)
+## TTP Mapping (MITRE ATLAS v2026.05)
 
 | ATLAS ID | Technique | Framework Coverage | Gap Description | Exploitation Example |
 |---|---|---|---|---|

package/skills/ai-c2-detection/skill.md

@@ -49,7 +49,7 @@ d3fend_refs:
   - D3-NI
   - D3-NTA
   - D3-NTPM
-last_threat_review: "2026-05-17"
+last_threat_review: "2026-06-10"
 ---
 
 # AI C2 Detection
@@ -330,13 +330,13 @@ level: medium
 
 ---
 
-## TTP Mapping (MITRE ATLAS v5.6.0 + MITRE ATT&CK)
+## TTP Mapping (MITRE ATLAS v2026.05 + MITRE ATT&CK)
 
 | ID | Source | Technique | C2 Relevance | Gap Flag — Which Detection Control Fails |
 |---|---|---|---|---|
-| AML.T0096 | ATLAS v5.6.0 | LLM API as covert C2 / LLM Integration Abuse | Direct: SesameOp encodes commands and exfiltrated data in prompt and completion fields against api.openai.com, api.anthropic.com, generativelanguage.googleapis.com. AI provider domain is the relay, not the attacker C2 endpoint. | NIST-800-53-SC-7 (Boundary Protection) — AI provider domains are allowlisted in most enterprise egress for legitimate developer and product use, so boundary inspection cannot distinguish benign developer prompts from C2-encoded prompts. See SC-7 entry in `data/framework-control-gaps.json` — real requirement is SDK-level prompt logging with identity binding, anomaly detection on prompt-shape and token-volume, and an allowlist that enumerates the sanctioned business reason per identity. Boundary-only SC-7 evidence is incomplete for any org with AI API access in production. |
-| AML.T0017 | ATLAS v5.6.0 | Discover ML Model Ontology — adversary maps the deployed LLM's family, system-prompt structure, guardrail surface via inference-API probing | PROMPTFLUX queries public LLMs to generate per-execution evasion code; PROMPTSTEAL uses LLMs to prioritise exfiltration targets — both depend on first discovering what the target model will answer. The inference API is the discovery surface. | NIST-800-53-SI-3 fails — there is no static signature for code generated per-event by a public LLM. NIST-800-53-SI-4 fails as commonly deployed — no AI-API behavioural baseline per process/identity. |
-| AML.T0016 | ATLAS v5.6.0 | Obtain Capabilities: Develop Capabilities — adversary use of inference APIs to generate / refine malware, evasion, phishing payloads | PROMPTFLUX and PROMPTSTEAL both consume public LLMs as a real-time capability-development service. The inference API is doing weaponization work for the adversary. | NIST-800-53-SI-3 fails for the same reason. SC-7 boundary control treats the AI provider as allowlisted SaaS. |
+| AML.T0096 | ATLAS v2026.05 | LLM API as covert C2 / LLM Integration Abuse | Direct: SesameOp encodes commands and exfiltrated data in prompt and completion fields against api.openai.com, api.anthropic.com, generativelanguage.googleapis.com. AI provider domain is the relay, not the attacker C2 endpoint. | NIST-800-53-SC-7 (Boundary Protection) — AI provider domains are allowlisted in most enterprise egress for legitimate developer and product use, so boundary inspection cannot distinguish benign developer prompts from C2-encoded prompts. See SC-7 entry in `data/framework-control-gaps.json` — real requirement is SDK-level prompt logging with identity binding, anomaly detection on prompt-shape and token-volume, and an allowlist that enumerates the sanctioned business reason per identity. Boundary-only SC-7 evidence is incomplete for any org with AI API access in production. |
+| AML.T0017 | ATLAS v2026.05 | Discover ML Model Ontology — adversary maps the deployed LLM's family, system-prompt structure, guardrail surface via inference-API probing | PROMPTFLUX queries public LLMs to generate per-execution evasion code; PROMPTSTEAL uses LLMs to prioritise exfiltration targets — both depend on first discovering what the target model will answer. The inference API is the discovery surface. | NIST-800-53-SI-3 fails — there is no static signature for code generated per-event by a public LLM. NIST-800-53-SI-4 fails as commonly deployed — no AI-API behavioural baseline per process/identity. |
+| AML.T0016 | ATLAS v2026.05 | Obtain Capabilities: Develop Capabilities — adversary use of inference APIs to generate / refine malware, evasion, phishing payloads | PROMPTFLUX and PROMPTSTEAL both consume public LLMs as a real-time capability-development service. The inference API is doing weaponization work for the adversary. | NIST-800-53-SI-3 fails for the same reason. SC-7 boundary control treats the AI provider as allowlisted SaaS. |
 | T1071 | ATT&CK | Application Layer Protocol (C2) | AI C2 traffic is standard HTTPS REST to api.openai.com or equivalent. Application-protocol C2 detection that looks for DGA, unusual TLS, or beaconing does not fire. | SC-7 boundary control sees only the destination domain (allowlisted) — no protocol anomaly to alert on. Detection requires identity-bound prompt content inspection, which SC-7 as written does not require. |
 | T1102 | ATT&CK | Web Service (C2 via legitimate web service) | AI API endpoints are exactly the "legitimate web service used as C2" pattern that T1102 describes — but at scale and pre-allowlisted in nearly every enterprise. | SOC 2 CC7 anomaly-detection control: AI API traffic shares the SaaS blind spot — typically not baselined per process or identity. ISO 27001 A.8.16 monitoring activities: no guidance for AI-API-shaped traffic. |
 | T1568 | ATT&CK | Dynamic Resolution | AI provider responses can carry encoded instructions that dynamically determine the next-hop behaviour for the malware (effectively model-mediated dynamic resolution of the next attacker instruction). | No standard DNS-tunnelling or DGA detection applies — the "resolution" happens inside an HTTPS payload to a trusted endpoint. SC-7 cannot see it without SDK-level prompt + response logging. |

package/skills/api-security/skill.md

@@ -67,7 +67,7 @@ forward_watch:
   - NGINX Rift CVE-2026-42945 (disclosed 2026-05-13, source depthfirst) — KEV-watch predicted CISA KEV listing by 2026-05-29; track for active-exploitation confirmation and patch advisory affecting API gateway / reverse-proxy deployments
   - Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — LiteLLM 3-bug SSRF + Code Injection chain by k3vg3n; LLM-proxy API surface; track upstream patch and CVE assignments
   - Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — LiteLLM full SSRF + Code Injection by Out Of Bounds (Byung Young Yi); duplicate-class with the k3vg3n entry; track unified patch advisory
-last_threat_review: "2026-05-18"
+last_threat_review: "2026-06-10"
 ---
 
 # API Security Assessment
@@ -126,7 +126,7 @@ APIs are now the integration substrate of every non-trivial system. The mid-2026
 
 ---
 
-## TTP Mapping (MITRE ATT&CK Enterprise + ATLAS v5.6.0)
+## TTP Mapping (MITRE ATT&CK Enterprise + ATLAS v2026.05)
 
 | TTP ID | Technique | API Manifestation | CWE Root-Causes | Framework Coverage |
 |---|---|---|---|---|

package/skills/attack-surface-pentest/skill.md

@@ -60,7 +60,7 @@ d3fend_refs:
   - D3-CSPP
   - D3-EAL
   - D3-NTA
-last_threat_review: "2026-05-11"
+last_threat_review: "2026-06-10"
 ---
 
 # Attack Surface Management + Penetration Testing
@@ -115,17 +115,17 @@ A pen test scoped to layers 1 and (partly) 7 — i.e. "web app + network + nomin
 | CBEST (Bank of England / PRA / FCA) | Whole framework | UK equivalent to TIBER-EU for systemically important financial firms. Same lag pattern as TIBER-EU. CBEST-certified providers are not required to demonstrate competence in AI-surface attack emulation as of mid-2026. |
 | Australian ISM (Information Security Manual) + ACSC Essential 8 | ISM controls on penetration testing; Essential 8 Maturity Level 3 testing requirements | Essential 8 mandates regular testing of mitigation strategies (patching, app control, MFA, etc.). The testing requirements do not extend to AI-API egress as C2, MCP trust, or RAG poisoning. ISM control set is network/endpoint centric. |
 | ISO/IEC 27001:2022 | A.5.34 (Privacy and protection of PII) — note: the actually relevant clause for independent review is **A.5.35 (Independent review of information security)** and **A.8.29 (Security testing in development and acceptance)** | A.5.35 requires independent review of the information security approach at planned intervals or when significant changes occur. The clause is methodology-agnostic — auditors accept a network/web pen test as evidence even when AI surfaces are in production. A.8.29 mandates security testing of new and changed information systems, but does not define what an adequate test of an AI system looks like. |
-| MITRE ATT&CK Enterprise (v19.0) | Whole matrix | The enterprise matrix does not contain prompt-injection as a technique. AI-as-C2 (SesameOp pattern) is absent from ATT&CK as of mid-2026. Adversary emulation programs that are ATT&CK-only and not ATLAS-extended will not include the mid-2026 dominant new tradecraft in their playbooks. ATLAS v5.6.0 covers it — but ATLAS is not yet a standard requirement for pen testing certification or scoping. |
+| MITRE ATT&CK Enterprise (v19.1) | Whole matrix | The enterprise matrix does not contain prompt-injection as a technique. AI-as-C2 (SesameOp pattern) is absent from ATT&CK as of mid-2026. Adversary emulation programs that are ATT&CK-only and not ATLAS-extended will not include the mid-2026 dominant new tradecraft in their playbooks. ATLAS v2026.05 covers it — but ATLAS is not yet a standard requirement for pen testing certification or scoping. |
 
 > Global coverage note: the above table spans US (NIST 800-115, ATT&CK), EU (NIS2, TIBER-EU under DORA), UK (CBEST), AU (ISM/Essential 8), and ISO 27001:2022. US-only pen test scoping is incomplete.
 
 ---
 
-## TTP Mapping (MITRE ATLAS v5.6.0 + MITRE ATT&CK v19.0)
+## TTP Mapping (MITRE ATLAS v2026.05 + MITRE ATT&CK v19.1)
 
 Pen testers must emulate both classical and AI-class chains. The table below maps the kill-chain phases a mid-2026 adversary emulation engagement must cover.
 
-| Phase | Classical TTP (ATT&CK v19.0) | AI-Class TTP (ATLAS v5.6.0) | Framework Gap Flag |
+| Phase | Classical TTP (ATT&CK v19.1) | AI-Class TTP (ATLAS v2026.05) | Framework Gap Flag |
 |---|---|---|---|
 | Reconnaissance | T1595 (Active Scanning) — implied by T1190 setup | AML.TA0002 (Reconnaissance tactic) — model card / dataset / API endpoint discovery, system-prompt probing | NIST 800-115 §3.x recon guidance is network-only |
 | Initial Access | T1190 (Exploit Public-Facing Application) | AML.T0051 (LLM Prompt Injection) — entered via PR description, support ticket, retrieved doc | OWASP WSTG covers webapp; not prompt-injection as entry vector |

package/skills/cloud-security/skill.md

@@ -70,7 +70,7 @@ forward_watch:
   - AWS Bedrock, Azure OpenAI, GCP Vertex AI shared-responsibility documentation drift — each major CSP refreshes the AI-service responsibility line every 6–12 months; track for control-mapping breakage
   - eBPF-based runtime detection coverage of confidential-computing enclaves (AWS Nitro Enclaves, Azure Confidential VMs, GCP Confidential Space) — partial visibility is a tracked detection gap
   - CISA KEV additions for cloud-control-plane CVEs (IMDSv1 abuses, federation token mishandling, cross-tenant boundary failures); CISA Cybersecurity Advisories for cross-cloud advisories
-last_threat_review: "2026-05-11"
+last_threat_review: "2026-06-10"
 ---
 
 # Cloud Security (mid-2026)
@@ -131,8 +131,8 @@ Cloud is where AI runs. Every consequential AI service — OpenAI, Anthropic, Go
 | Cloud data exfiltration | T1530 — Data from Cloud Storage Object | ATT&CK Enterprise | Public S3 / GCS / Blob storage discovery via Wiz-style external attack-surface scan; legitimate IAM principal exfil via federated workload; cross-tenant boundary failure on SaaS | NIST 800-53 SC-28 (encryption at rest) does not address access-policy errors; CWE-200, CWE-732, CWE-862 |
 | Cloud-facing application | T1190 — Exploit Public-Facing Application | ATT&CK Enterprise | API Gateway / Load Balancer / managed-WAF-bypass; managed-database exposure (RDS / SQL DB / Cloud SQL public IP); container-registry public image abuse; Lambda / Cloud Functions / Azure Functions endpoint exploit | NIST 800-53 SC-7 perimeter assumption inadequate; CSA CCM AIS-04 and IVS-08 partial; CWE-1188 (Insecure Default Initialization) |
 | Cloud-credential exposure | T1552 — Unsecured Credentials (incl. T1552.001 Files, T1552.005 Cloud Instance Metadata API, T1552.007 Container API) | ATT&CK Enterprise | IMDSv1 SSRF on EC2 / GCE; static cloud credentials in git / images / env vars; container API and kubeconfig theft; workload-identity-federation trust-policy abuse | CWE-798 (hardcoded credentials), CWE-200; NIST 800-53 IA-5 method-neutral |
-| AI model registry / cloud-hosted model | AML.T0010 — ML Supply Chain Compromise | ATLAS v5.6.0 | Bedrock / SageMaker custom model from poisoned upstream; Azure ML model registry tampering; Vertex Model Garden mirror tampering; HF model pulled into Bedrock / SageMaker / Vertex with weights backdoor | CSA CCM CCC-09 (vendor / supply chain) silent on model-supply-chain specifics; SLSA / in-toto / Sigstore for models still maturing |
-| Cloud inference API abuse / model extraction | AML.T0017 — Discover ML Model Ontology (inference-API probing for system-prompt, guardrail, model-family signal against cloud-hosted endpoints); AML.T0016 — Obtain Capabilities: Develop Capabilities (downstream weaponization) | ATLAS v5.6.0 | Programmatic query of Bedrock / Azure OpenAI / Vertex endpoint to extract model behaviour, training-data inference, system-prompt leakage | No cloud-specific ATLAS control mapping for inference-API rate-limit / anomaly detection; chain to `ai-attack-surface` |
+| AI model registry / cloud-hosted model | AML.T0010 — ML Supply Chain Compromise | ATLAS v2026.05 | Bedrock / SageMaker custom model from poisoned upstream; Azure ML model registry tampering; Vertex Model Garden mirror tampering; HF model pulled into Bedrock / SageMaker / Vertex with weights backdoor | CSA CCM CCC-09 (vendor / supply chain) silent on model-supply-chain specifics; SLSA / in-toto / Sigstore for models still maturing |
+| Cloud inference API abuse / model extraction | AML.T0017 — Discover ML Model Ontology (inference-API probing for system-prompt, guardrail, model-family signal against cloud-hosted endpoints); AML.T0016 — Obtain Capabilities: Develop Capabilities (downstream weaponization) | ATLAS v2026.05 | Programmatic query of Bedrock / Azure OpenAI / Vertex endpoint to extract model behaviour, training-data inference, system-prompt leakage | No cloud-specific ATLAS control mapping for inference-API rate-limit / anomaly detection; chain to `ai-attack-surface` |
 
 **Note on ATT&CK Enterprise cloud-platform sub-techniques.** ATT&CK Enterprise has cloud-platform-specific matrices (IaaS, SaaS, Office 365, Azure AD / Entra ID, Google Workspace). T1078.004 (Cloud Accounts), T1552.005 (Cloud Instance Metadata API), T1552.007 (Container API), T1190 with cloud-service variants, T1530 with managed-storage variants are the most operationally relevant. The frontmatter pins the parent IDs; analysis should descend to the sub-technique appropriate to the cloud(s) in scope.
 

package/skills/compliance-theater/skill.md

@@ -21,7 +21,7 @@ framework_gaps:
   - ALL-PROMPT-INJECTION-ACCESS-CONTROL
   - FedRAMP-Rev5-Moderate
   - CMMC-2.0-Level-2
-last_threat_review: "2026-05-22"
+last_threat_review: "2026-06-10"
 ---
 
 # Compliance Theater Detection
@@ -78,7 +78,7 @@ The pre-analyzed gaps for these controls live in the framework-gap-analysis skil
 
 ---
 
-## TTP Mapping (MITRE ATLAS v5.6.0 and ATT&CK)
+## TTP Mapping (MITRE ATLAS v2026.05 and ATT&CK)
 
 Each theater pattern below maps to one or more attacker TTPs in `data/atlas-ttps.json` and MITRE ATT&CK Enterprise. The mapping is what distinguishes theater from genuine compliance: a control claimed as compensating must map to a TTP it actually disrupts.
 
@@ -92,7 +92,7 @@ Each theater pattern below maps to one or more attacker TTPs in `data/atlas-ttps
 | Vendor/Third-Party Risk Theater — AI APIs (Pattern 6) | AML.T0010 (ML Supply Chain Compromise) | MCP servers and LLM APIs sit outside the vendor-management scope |
 | Security Awareness Theater — AI Phishing (Pattern 7) | T1566 (Phishing), AML.T0016 (Obtain Capabilities: Develop Capabilities — misuse of public AI APIs for payload crafting) | AI-generated content evades grammar/style heuristics and template-matching detectors |
 
-Source-of-truth TTP catalog: `data/atlas-ttps.json` (pinned to MITRE ATLAS v5.6.0, May 2026). Any theater claim in an assessment must cite at least one TTP ID from that catalog or an ATT&CK Enterprise ID — claims without a mapped TTP are orphaned controls and are rejected.
+Source-of-truth TTP catalog: `data/atlas-ttps.json` (pinned to MITRE ATLAS v2026.05, May 2026). Any theater claim in an assessment must cite at least one TTP ID from that catalog or an ATT&CK Enterprise ID — claims without a mapped TTP are orphaned controls and are rejected.
 
 ---
 

package/skills/container-runtime-security/skill.md

@@ -57,7 +57,7 @@ d3fend_refs:
   - D3-IOPR
 forward_watch:
   - Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — NVIDIA Container Toolkit container escape ($50K award) by chompie / IBM X-Force XOR; high-severity container/hypervisor boundary break; track patch and KEV add post-embargo
-last_threat_review: "2026-05-15"
+last_threat_review: "2026-06-10"
 ---
 
 # Container + Kubernetes Runtime Security (mid-2026)
@@ -124,9 +124,9 @@ State of standards baselines:
 | Container escape to host | T1611 — Escape to Host | ATT&CK Enterprise | Kernel LPE (Copy Fail CVE-2026-31431, Dirty Frag CVE-2026-43284 family); historical runc CVE-2024-21626 LeakyVessels family; cgroup v1 release_agent legacy abuses; abuse of overly permissive capabilities (`CAP_SYS_ADMIN`, `CAP_SYS_MODULE`) | NIST 800-190 predates kernel-LPE-as-container-escape as the dominant vector. Defense requires kernel patching cadence (hand off to `kernel-lpe-triage`) plus seccomp default profile, capability drops, read-only rootfs, and runtime detection. None of these are framework-mandated. |
 | Privilege escalation within the container | T1068 — Exploitation for Privilege Escalation | ATT&CK Enterprise | In-container kernel LPE (yields host root via T1611 chain); abuse of writable hostPath; abuse of mounted Docker socket | Method-neutral framework controls; the actual control is seccomp + dropped capabilities + read-only rootfs + non-root runAsUser, all enforced by PSS-Restricted profile |
 | Exploit public-facing K8s component | T1190 — Exploit Public-Facing Application | ATT&CK Enterprise | Exposed kube-apiserver (rare but seen on self-managed clusters); exposed kubelet read-only port (10255) or read/write port (10250) without authentication; exposed Kubernetes Dashboard with no auth; exposed Argo CD or Jenkins on the cluster; ingress controller CVEs (ingress-nginx CVE-2025 family) | NSA/CISA Hardening Guide v1.2 addresses control-plane exposure; managed services close this by default; self-managed clusters in CI/government still expose these |
-| Compromised container image at a public/private registry | AML.T0010 — ML Supply Chain Compromise (umbrella) | ATLAS v5.6.0 | Poisoned base image; backdoored model-serving image; typosquatted MCP server in a sidecar; AI-pipeline-specific (KServe / vLLM / Triton image with embedded malicious payload) | ATLAS classifies; no framework mandates signature verification at admission. Hand off the build-side provenance to `supply-chain-integrity`; the container-runtime control is `ClusterImagePolicy` enforcement |
+| Compromised container image at a public/private registry | AML.T0010 — ML Supply Chain Compromise (umbrella) | ATLAS v2026.05 | Poisoned base image; backdoored model-serving image; typosquatted MCP server in a sidecar; AI-pipeline-specific (KServe / vLLM / Triton image with embedded malicious payload) | ATLAS classifies; no framework mandates signature verification at admission. Hand off the build-side provenance to `supply-chain-integrity`; the container-runtime control is `ClusterImagePolicy` enforcement |
 
-ATT&CK Containers matrix (sub-matrix, since 2021) and ATT&CK for Kubernetes (Microsoft's threat matrix, 2020, since absorbed conceptually into ATT&CK Containers) are both relevant prior art. The Enterprise IDs above are canonical in ATLAS v5.6.0 alignment and pass the linter regex `^T\d{4}(\.\d{3})?$`.
+ATT&CK Containers matrix (sub-matrix, since 2021) and ATT&CK for Kubernetes (Microsoft's threat matrix, 2020, since absorbed conceptually into ATT&CK Containers) are both relevant prior art. The Enterprise IDs above are canonical in ATLAS v2026.05 alignment and pass the linter regex `^T\d{4}(\.\d{3})?$`.
 
 CWE cross-walk (see `data/cwe-catalog.json`):