@blamejs/exceptd-skills 0.16.30 → 0.16.31

package/CHANGELOG.md

@@ -1,5 +1,9 @@
 # Changelog
 
+## 0.16.31 — 2026-06-13
+
+The data refresh no longer overwrites a curator-pinned CVSS score or vector with NVD's same-version re-score. A curated catalog entry — the hand-verified norm — keeps its maintainer-set CVSS; the NVD delta is surfaced in the refresh report for a maintainer to accept deliberately, instead of silently lowering a curated 10.0 to NVD's 9.8. Raw auto-imported drafts, which are not yet curated, still take NVD's score directly. This extends the existing curated-data protections — the CVSS version-downgrade guard and the CISA-KEV de-listing guard — to same-version CVSS re-scores: an upstream that disagrees with curated intel is surfaced, never silently applied.
+
 ## 0.16.30 — 2026-06-12
 
 The analyze-phase cross-reference layer now returns the correlations it always claimed to. The `byCwe`/`byTtp`/`bySkill` skill links, the per-CVE framework-gap and compliance-theater-test correlations, and the global framework context were reading index and catalog records under field names the data never carried, so every lookup came back empty. They now read the real fields and populate — a CWE resolves its skills, a CVE resolves its framework gaps and theater tests, and the global framework context spans the catalogs it documents.

package/data/_indexes/_meta.json

@@ -1,10 +1,10 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-06-13T06:23:47.498Z",
+  "generated_at": "2026-06-13T14:42:56.398Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 64,
   "source_hashes": {
-    "manifest.json": "70fea689545e1145b6e4e55621b07083d54e657372d1293406697cbcdd216fbb",
+    "manifest.json": "c11cdd490e2de2c62ce2d25caa613abdf8d425419efe1e9e7b3ab356686c664f",
     "README.md": "e7b854e7db9a364a1b368b5084b4f0c2a8282f0459ce39800ac1d1dabdc06074",
     "data/atlas-ttps.json": "29f3447ac5c45f42f50b3ed8a46010c2b8ecbcc8094bb19b5db57ba4707b396c",
     "data/attack-techniques.json": "6506db66fdd69bb3564e12aef8f727edddc55d0e6e99f60833a200a57e8ee65e",

package/lib/refresh-external.js

@@ -444,7 +444,7 @@ const NVD_SOURCE = {
       if (r.status === "unreachable") errors++;
       for (const d of r.discrepancies || []) {
         if (d.field === "cvss_score" || d.field === "cvss_vector") {
-          diffs.push({ id: r.cve_id, field: d.field, before: d.local, after: d.fetched, severity: d.severity });
+          diffs.push(cvssDiff(r.cve_id, d.field, d.local, d.fetched, d.severity, ctx.cveCatalog?.[r.cve_id]));
         }
       }
     }
@@ -461,6 +461,10 @@ const NVD_SOURCE = {
     const catalogPath = ctx.cvePath || ABS("data/cve-catalog.json");
     await withCatalogLock(catalogPath, (catalog) => {
       for (const d of diffs) {
+        // A curator-owned CVSS re-score is surfaced in the report but not
+        // applied — the curated value is preserved until a maintainer accepts
+        // the upstream delta (symmetric with the KEV review_only path).
+        if (d.review_only) continue;
         if (!catalog[d.id]) {
           errors.push(`NVD: no local entry for ${d.id}`);
           continue;
@@ -885,6 +889,32 @@ function hasCuratedExploitSignal(entry) {
   return false;
 }
 
+// A catalog entry is curator-owned (its CVSS is hand-verified, not an upstream
+// auto-import) unless it carries `_auto_imported: true`. An NVD CVSS re-score on
+// a curator-owned entry is surfaced for review rather than auto-applied — the
+// same principle as the curated-KEV de-listing guard above. The version-
+// downgrade guards already suppress a v3.x→v2 regression; this additionally
+// keeps a *same-version* NVD re-score (e.g. a curated 10.0 the maintainer pinned
+// dropping to NVD's 9.8) from silently overwriting the curated value. Raw
+// auto-imported drafts (`_auto_imported: true`) are not yet curated, so NVD is
+// their source of truth and their CVSS applies normally.
+function isCuratorOwnedCvss(entry) {
+  return !!entry && typeof entry === "object" && entry._auto_imported !== true;
+}
+
+// Build an NVD CVSS diff, marking it review-only when the local entry is
+// curator-owned so applyDiff preserves the curated value while the report still
+// surfaces the upstream delta for a maintainer to accept deliberately.
+function cvssDiff(id, field, before, after, severity, local) {
+  const d = { id, field, before, after, severity };
+  if (isCuratorOwnedCvss(local)) {
+    d.review_only = true;
+    d.cvss_review = true;
+    d.note = `NVD ${field} change held for review: ${id} is curator-owned (hand-verified CVSS). Confirm and re-curate to accept NVD's ${after} over the curated ${before}; not auto-applied so the curated value is preserved.`;
+  }
+  return d;
+}
+
 // Below this many entries the cached KEV feed is treated as truncated /
 // incomplete rather than a genuine CISA snapshot. CISA KEV has carried well
 // over a thousand entries since 2021 and only grows; a feed this small means
@@ -1006,10 +1036,10 @@ function nvdDiffFromCache(ctx) {
       up.version != null && localVersion != null && up.version < localVersion;
     if (!isDowngrade) {
       if (up.baseScore != null && local.cvss_score != null && Math.abs(up.baseScore - local.cvss_score) > 0.05) {
-        diffs.push({ id, field: "cvss_score", before: local.cvss_score, after: up.baseScore, severity: "high" });
+        diffs.push(cvssDiff(id, "cvss_score", local.cvss_score, up.baseScore, "high", local));
       }
       if (up.vector && local.cvss_vector && up.vector !== local.cvss_vector) {
-        diffs.push({ id, field: "cvss_vector", before: local.cvss_vector, after: up.vector, severity: "medium" });
+        diffs.push(cvssDiff(id, "cvss_vector", local.cvss_vector, up.vector, "medium", local));
       }
     }
   }

package/manifest.json

@@ -1,6 +1,6 @@
 {
   "name": "exceptd-security",
-  "version": "0.16.30",
+  "version": "0.16.31",
   "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation",
   "homepage": "https://exceptd.com",
   "license": "Apache-2.0",
@@ -53,7 +53,7 @@
       ],
       "last_threat_review": "2026-05-15",
       "signature": "0H+JfyUVmo/pVFEi5rLENATHjlukPVUqnOWmNPEH77wm8svKGK0aNJ46k6QU5GdHb8c9X9pVJKiuhON6AxDjDw==",
-      "signed_at": "2026-06-13T05:43:10.918Z",
+      "signed_at": "2026-06-13T14:38:15.676Z",
       "cwe_refs": [
         "CWE-125",
         "CWE-362",
@@ -123,7 +123,7 @@
       ],
       "last_threat_review": "2026-06-10",
       "signature": "WfqxU2x/feWgatYrCeO9PD3dIY0FAfs4nkVdQRac4fg5BDQPG/vhzhvYVN6Mg11oITACghbPOtZXvS37sACsCA==",
-      "signed_at": "2026-06-13T05:43:10.920Z",
+      "signed_at": "2026-06-13T14:38:15.678Z",
       "cwe_refs": [
         "CWE-1039",
         "CWE-1426",
@@ -196,7 +196,7 @@
       ],
       "last_threat_review": "2026-06-10",
       "signature": "9bNOW4MzmUlFgkXH5tIZkq8YpzhMM+r8YVcNEM39kdEZwfRNG4Bj+Dgr7v4Qgp9D4q7hGNFpK0ywX+dPd3VWAg==",
-      "signed_at": "2026-06-13T05:43:10.920Z",
+      "signed_at": "2026-06-13T14:38:15.679Z",
       "cwe_refs": [
         "CWE-22",
         "CWE-345",
@@ -248,7 +248,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-06-10",
       "signature": "5A08+nAu5jwNQ1+vGbFgFAJA/kYD3oiaevhCxT4/2FeW++F070Pm4MD1+oXdv8R2DbtYr+7yXnCGM7UbUPR2AA==",
-      "signed_at": "2026-06-13T05:43:10.921Z"
+      "signed_at": "2026-06-13T14:38:15.679Z"
     },
     {
       "name": "compliance-theater",
@@ -279,7 +279,7 @@
       ],
       "last_threat_review": "2026-06-10",
       "signature": "RCgbI0sMNTKAscXUtrVU25u7OuE64uQvO5JKsB8vIJFWguvT6nZyD7euKuIxIzYhLTyHBiD7Rhp70btlK+JkCg==",
-      "signed_at": "2026-06-13T05:43:10.921Z"
+      "signed_at": "2026-06-13T14:38:15.680Z"
     },
     {
       "name": "exploit-scoring",
@@ -308,7 +308,7 @@
       ],
       "last_threat_review": "2026-06-10",
       "signature": "JJrs+B22/hYxvdYs+abmoire5PbQXPb2uVYyjInZ3UbT8gEjs/5SyfGKx7z86jbtvB3ItApQVAx1AuseIgdyAQ==",
-      "signed_at": "2026-06-13T05:43:10.922Z"
+      "signed_at": "2026-06-13T14:38:15.680Z"
     },
     {
       "name": "rag-pipeline-security",
@@ -345,7 +345,7 @@
       ],
       "last_threat_review": "2026-06-10",
       "signature": "Z6WbTqG98bQVRd6+kXDb6xIEe0ZryAeGxVSuKKxdK1PoZqew7NJcMsa6sJVSq+0r7KMsFwfTEdKorp6UDdhpCA==",
-      "signed_at": "2026-06-13T05:43:10.922Z",
+      "signed_at": "2026-06-13T14:38:15.681Z",
       "cwe_refs": [
         "CWE-1395",
         "CWE-1426"
@@ -405,7 +405,7 @@
       ],
       "last_threat_review": "2026-06-10",
       "signature": "DLKcrgon+MZrqmivlFLBH4vlzZbJSW1531RsYDm9/KdW2CgcUUHwNMSzAfU1mAsFwFkAHjy/a8e1FbS9msTvDA==",
-      "signed_at": "2026-06-13T05:43:10.923Z",
+      "signed_at": "2026-06-13T14:38:15.681Z",
       "cwe_refs": [
         "CWE-918"
       ],
@@ -443,7 +443,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-06-10",
       "signature": "eWCOD+mR1c6B8vKDBot8y8UkQrKPCIEBHU3JRQET9xZnYGx8hrOyeRUElcKqCO5aG/2LISs9Atg1H+ehWDNbCw==",
-      "signed_at": "2026-06-13T05:43:10.923Z",
+      "signed_at": "2026-06-13T14:38:15.682Z",
       "cwe_refs": [
         "CWE-1188"
       ],
@@ -477,7 +477,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-06-10",
       "signature": "kZca725/+BFr1mpxL29+cGzjqsiYhChWScf7VjU6vCTBZrmCps6W9gYYjf4lVORXaM4DAg3UVBOXyhpTst0rAw==",
-      "signed_at": "2026-06-13T05:43:10.923Z",
+      "signed_at": "2026-06-13T14:38:15.682Z",
       "forward_watch": [
         "New AI attack classes as ATLAS v6 publishes",
         "Post-quantum adversary capability timeline",
@@ -516,7 +516,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "b5miTiY0cnxETd2btxorfZBdJKt/fLnQx20sGYUb9zEqGqtm0LMLpghkW68j4/9k48KNyuGMtNWiKTSnodUGBw==",
-      "signed_at": "2026-06-13T05:43:10.924Z"
+      "signed_at": "2026-06-13T14:38:15.683Z"
     },
     {
       "name": "zeroday-gap-learn",
@@ -543,7 +543,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-06-10",
       "signature": "NVBY4I5a+v2/nUeCYcy3LLVKk3Tg9gmz+sCKyvnf8t2fXMNSIGtoy+P8K4Gfos1rGzRRMaU01V7L4kh/IQ8UBQ==",
-      "signed_at": "2026-06-13T05:43:10.924Z",
+      "signed_at": "2026-06-13T14:38:15.683Z",
       "forward_watch": [
         "New CISA KEV entries",
         "New ATLAS TTP additions in each ATLAS release",
@@ -607,7 +607,7 @@
       ],
       "last_threat_review": "2026-06-10",
       "signature": "U54OxIjPT+W9yafjpeFgY7klXMltLYBuSCtu/AAlXxOIPehJrbf/vbGgnBn58nqOd7RjoKjmKz9WQs4DMqWcDw==",
-      "signed_at": "2026-06-13T05:43:10.924Z",
+      "signed_at": "2026-06-13T14:38:15.683Z",
       "cwe_refs": [
         "CWE-327"
       ],
@@ -655,7 +655,7 @@
       ],
       "last_threat_review": "2026-06-10",
       "signature": "QsJMwvnUJXHwoBPJ4BiUx3FO9giXfos/sMbx5tyO83AJ2JxdVskeC6g/WDfO+rVkWNXRgWi4h1eSYz6T8/tpAg==",
-      "signed_at": "2026-06-13T05:43:10.925Z"
+      "signed_at": "2026-06-13T14:38:15.684Z"
     },
     {
       "name": "security-maturity-tiers",
@@ -692,7 +692,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "8KbLVVPI1QgYa+HAnEYvKf1cXnxQ3zsncqTGrAOrBP4rwUeZsxJm8KyFCwI0XytnZG35PZ830BFlG/okPW3sBQ==",
-      "signed_at": "2026-06-13T05:43:10.925Z",
+      "signed_at": "2026-06-13T14:38:15.684Z",
       "cwe_refs": [
         "CWE-1188"
       ]
@@ -727,7 +727,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-11",
       "signature": "iJWevUBurLvt2v8X+Ch2eHmZkPWpKeAtIpxTIP4MwbUHyco3igDeBywJCyaR2vURYRx8LkzzIMM8DxQM4LAXBQ==",
-      "signed_at": "2026-06-13T05:43:10.925Z"
+      "signed_at": "2026-06-13T14:38:15.684Z"
     },
     {
       "name": "attack-surface-pentest",
@@ -799,7 +799,7 @@
         "Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — Microsoft Edge 4-bug sandbox escape by Orange Tsai (DEVCORE); forward-watch only (browser sandbox, out of current playbook scope); track Microsoft Edge security advisory and KEV add"
       ],
       "signature": "ZnFi+Rk4CWrjFEVU4hC6Q66UbDmndNL/ICLWQNA1TQYFGSTnng+nboM4tfi6h0yMbbDj7dOXYqqeHNK+M5ZiBA==",
-      "signed_at": "2026-06-13T05:43:10.926Z"
+      "signed_at": "2026-06-13T14:38:15.685Z"
     },
     {
       "name": "fuzz-testing-strategy",
@@ -859,7 +859,7 @@
         "OSS-Fuzz-Gen / AI-assisted harness generation becoming the default expectation for OSS maintainers"
       ],
       "signature": "45ICz7vcnmHYE1+RIDv8wQjScKj6p8hqJQ5m6I0tDdKVnGdMXCYIgZnYqFJgHBDXYAXlGx7D7UxhFz6WOCDqAQ==",
-      "signed_at": "2026-06-13T05:43:10.926Z"
+      "signed_at": "2026-06-13T14:38:15.685Z"
     },
     {
       "name": "dlp-gap-analysis",
@@ -934,7 +934,7 @@
         "Quebec Law 25, India DPDPA, KSA PDPL enforcement actions naming AI-tool prompt data as in-scope personal information"
       ],
       "signature": "k6A7QcFEzgGXYWftt/elhQe7kU4F67c0ol3a8DZfj1XW4UrH99SLhPHr6ih3R3EYCl/Ey/zXt/x3a9fDT3RmAw==",
-      "signed_at": "2026-06-13T05:43:10.926Z"
+      "signed_at": "2026-06-13T14:38:15.686Z"
     },
     {
       "name": "supply-chain-integrity",
@@ -1013,7 +1013,7 @@
         "Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — NVIDIA Megatron Bridge path traversal by haehae; AI training-stack file-system trust boundary; track patch and SBOM-attestation impact"
       ],
       "signature": "5shKqNcLC8Obt0EdvKnck8OwWIuRMgZuuZd12pvWqJIltsYMyTrw2M+lgbQfqg3x2KO6qsJljGAhTew5jM58DQ==",
-      "signed_at": "2026-06-13T05:43:10.927Z"
+      "signed_at": "2026-06-13T14:38:15.687Z"
     },
     {
       "name": "defensive-countermeasure-mapping",
@@ -1070,7 +1070,7 @@
       ],
       "last_threat_review": "2026-06-10",
       "signature": "lfa5Wgep26mK3o2ZSe5qN2vVxg+xRRURRpmnqP4JdQvvecW3T2+PxHqjT48DegXJHRXJ6DPzyIElFc7no86TAg==",
-      "signed_at": "2026-06-13T05:43:10.927Z"
+      "signed_at": "2026-06-13T14:38:15.688Z"
     },
     {
       "name": "identity-assurance",
@@ -1137,7 +1137,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "UV3458QXSkEpenzrOmdlTTfPHUD4hNyKMDHoeZDq/kiFb4mAG0ghQGTTgI9Ru8cJbSmYM1++m9N5TFIJ6JJPBg==",
-      "signed_at": "2026-06-13T05:43:10.927Z"
+      "signed_at": "2026-06-13T14:38:15.688Z"
     },
     {
       "name": "ot-ics-security",
@@ -1193,7 +1193,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-06-10",
       "signature": "afJ00EDXgARQJrbRqN6xe1+E/kbHF7O2fxQFVvrLLXdrKfK86RK/oJU1AwpxX6mclX9f+5ivy6FvFIuRMA4dBQ==",
-      "signed_at": "2026-06-13T05:43:10.928Z"
+      "signed_at": "2026-06-13T14:38:15.690Z"
     },
     {
       "name": "coordinated-vuln-disclosure",
@@ -1245,7 +1245,7 @@
         "NYDFS 23 NYCRR 500 amendments potentially adding explicit CVD program requirements"
       ],
       "signature": "VzivMW82mRrG9+07ZX8sj4j9O9YjE/m07m1UHgSwEgex+FLaVPvIj3y1Vk6qeFOvDURmtVaztWlpSlk7iSn0DA==",
-      "signed_at": "2026-06-13T05:43:10.928Z"
+      "signed_at": "2026-06-13T14:38:15.691Z"
     },
     {
       "name": "threat-modeling-methodology",
@@ -1295,7 +1295,7 @@
         "PASTA v2 updates incorporating AI/ML application threats"
       ],
       "signature": "Fk5LzzeS/bH5SQJNySgZqSdeQf1udwdRs3FVLwig5kuqyyKkuIJcF4HW+xHF/1e66HR+gjgRUoqWZGsv58lLAg==",
-      "signed_at": "2026-06-13T05:43:10.928Z"
+      "signed_at": "2026-06-13T14:38:15.693Z"
     },
     {
       "name": "webapp-security",
@@ -1369,7 +1369,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-06-10",
       "signature": "1skHJsPPOIXLQdU5MGHirP/Q07aCYTirtDmfWDO7ZNuto58NlCttW5ZjCpyh37vASlMljIZx0/R+PIl2PfwTBw==",
-      "signed_at": "2026-06-13T05:43:10.929Z",
+      "signed_at": "2026-06-13T14:38:15.693Z",
       "forward_watch": [
         "NGINX Rift CVE-2026-42945 (disclosed 2026-05-13, source depthfirst) — KEV-watch predicted CISA KEV listing by 2026-05-29; AI-assisted discovery angle; track for active-exploitation confirmation and patch advisory affecting front-door web app deployments"
       ]
@@ -1422,7 +1422,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-15",
       "signature": "SBB7c3wNYfIdkyOp4g4nW0WP7xS+YokMzg32aaeJdbf14LTGQRzQUvSqb2TCj2HFUSHESOyKT1JpkAfyHLSQBQ==",
-      "signed_at": "2026-06-13T05:43:10.929Z"
+      "signed_at": "2026-06-13T14:38:15.695Z"
     },
     {
       "name": "sector-healthcare",
@@ -1482,7 +1482,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-06-10",
       "signature": "yyAGG3nUC6/XWQGRF2ufzILfiJitMFczqWNY83lZShCgYSxfFCul0UsICClOc7Xjw76052uydm8kLH9gIzhsAg==",
-      "signed_at": "2026-06-13T05:43:10.930Z"
+      "signed_at": "2026-06-13T14:38:15.695Z"
     },
     {
       "name": "sector-financial",
@@ -1563,7 +1563,7 @@
         "TIBER-EU framework v2.0 alignment with DORA TLPT RTS (JC 2024/40); cross-recognition with CBEST and iCAST"
       ],
       "signature": "/+df91Qhl1TIxEAqzgqB7+YJ6mneX6Dif+h6RaCbxOLGE6KRTFst1Q/Fu5SStt8Zx5JI62bkQ2BBrNOKfUlPBg==",
-      "signed_at": "2026-06-13T05:43:10.930Z"
+      "signed_at": "2026-06-13T14:38:15.696Z"
     },
     {
       "name": "sector-federal-government",
@@ -1632,7 +1632,7 @@
         "Australia PSPF 2024 revision and ISM quarterly updates — track for Essential Eight Maturity Level requirements for federal entities"
       ],
       "signature": "k6MAPS8HJivu0DNwC1azPvyKeig2xLGz/hcqYd8T+s5GvIypPGfkeYRRKmdqMgHUe24f7bQeRZ7AxcQ9Bi6SCg==",
-      "signed_at": "2026-06-13T05:43:10.931Z"
+      "signed_at": "2026-06-13T14:38:15.697Z"
     },
     {
       "name": "sector-energy",
@@ -1697,7 +1697,7 @@
         "ICS-CERT advisory feed (https://www.cisa.gov/news-events/cybersecurity-advisories/ics-advisories) for vendor CVEs in Siemens, Rockwell, Schneider Electric, ABB, GE Vernova, Hitachi Energy, AVEVA / OSIsoft PI"
       ],
       "signature": "IYKXn009jfhpKdQKiGB4xb7VgxsJXa6PZawoguP42khU6S/TTemp/YsK1YQCUyabE+2biElL/PP1Hi8zCkSSBw==",
-      "signed_at": "2026-06-13T05:43:10.932Z"
+      "signed_at": "2026-06-13T14:38:15.697Z"
     },
     {
       "name": "sector-telecom",
@@ -1783,7 +1783,7 @@
         "O-RAN SFG / WG11 security specifications"
       ],
       "signature": "NAtyzfLPXlUuB78Snb9nWmbZalC1CNlIYN9rYhdEmtB/xQGC6vVnThgrEAHlm7v/jMCFuknvEpUHKdscUnUADw==",
-      "signed_at": "2026-06-13T05:43:10.932Z"
+      "signed_at": "2026-06-13T14:38:15.698Z"
     },
     {
       "name": "api-security",
@@ -1852,7 +1852,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-06-10",
       "signature": "HUjhPGpZeZeVi1nzBIsEAYh18x5ltlIXnt1yQ5YKz+jC2Dvxw7vV/Clx1/1gDBLAuBvRW9wcNtDr4c0RxhfGDQ==",
-      "signed_at": "2026-06-13T05:43:10.932Z",
+      "signed_at": "2026-06-13T14:38:15.698Z",
       "forward_watch": [
         "NGINX Rift CVE-2026-42945 (disclosed 2026-05-13, source depthfirst) — KEV-watch predicted CISA KEV listing by 2026-05-29; track for active-exploitation confirmation and patch advisory affecting API gateway / reverse-proxy deployments",
         "Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — LiteLLM 3-bug SSRF + Code Injection chain by k3vg3n; LLM-proxy API surface; track upstream patch and CVE assignments",
@@ -1938,7 +1938,7 @@
         "CISA KEV additions for cloud-control-plane CVEs (IMDSv1 abuses, federation token mishandling, cross-tenant boundary failures); CISA Cybersecurity Advisories for cross-cloud advisories"
       ],
       "signature": "xa1kr/92/0fBds7LVtRy9aCM2tQRWAfNSFoC6ygbOU7QjamUo8Wt2h2n9W+nZT34STN3woYhXqtfmm8NSjXdBQ==",
-      "signed_at": "2026-06-13T05:43:10.933Z"
+      "signed_at": "2026-06-13T14:38:15.698Z"
     },
     {
       "name": "container-runtime-security",
@@ -2000,7 +2000,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-06-10",
       "signature": "60hyXAiYfY9lI+EpHG3iFFxa+oF5n71c0tTMa6iXFLNjBJKPevTsdNgQlQsBEnmRJ+dWtOjb/GNBW1KiBx4XAQ==",
-      "signed_at": "2026-06-13T05:43:10.934Z",
+      "signed_at": "2026-06-13T14:38:15.699Z",
       "forward_watch": [
         "Pwn2Own Berlin 2026 (disclosed 2026-05-14, embargo ends 2026-08-12) — NVIDIA Container Toolkit container escape ($50K award) by chompie / IBM X-Force XOR; high-severity container/hypervisor boundary break; track patch and KEV add post-embargo"
       ]
@@ -2074,7 +2074,7 @@
         "MITRE ATLAS v2026.05 (released May 2026) shipped the AML.T0010 sub-technique expansion this forecast tracked plus new techniques (\"Publish Poisoned AI Agent Tool\", \"Escape to Host\"); inventory now 16 tactics, 84 techniques, 56 sub-techniques. Forward watch: subsequent ATLAS minor and major releases — track next-cadence updates to agentic-AI TTPs and MLOps-pipeline-specific techniques"
       ],
       "signature": "IEECw5lO6ZdpkE/j7Hv6/3Jg2vj9fpXlozY+h85Hrn9QYOJuI0gfBjHoBEchJ2GUTmPwUKoiBoI72PBAQw9RCQ==",
-      "signed_at": "2026-06-13T05:43:10.934Z"
+      "signed_at": "2026-06-13T14:38:15.699Z"
     },
     {
       "name": "incident-response-playbook",
@@ -2136,7 +2136,7 @@
         "NYDFS 23 NYCRR 500.17 amendments tightening ransom-payment 24h disclosure operationalization"
       ],
       "signature": "pN1Qa5NRyNJ6h0pmbbqpy3xWdkMANDMUbBst5SKR5fmmqMFopmyrzwIGagiiNgqxjjCunj9J9Wbzs1sL48sMCQ==",
-      "signed_at": "2026-06-13T05:43:10.935Z"
+      "signed_at": "2026-06-13T14:38:15.700Z"
     },
     {
       "name": "ransomware-response",
@@ -2216,7 +2216,7 @@
       ],
       "last_threat_review": "2026-06-10",
       "signature": "sXPA1lvWvZpf5sHxZXRkO0Kcs6gnXiYq0mWA53y1HeBwQGJ+viSPMt5IMobkjd5qLFYchg0CpW/nBUIvUE6/DA==",
-      "signed_at": "2026-06-13T05:43:10.936Z"
+      "signed_at": "2026-06-13T14:38:15.700Z"
     },
     {
       "name": "email-security-anti-phishing",
@@ -2269,7 +2269,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-18",
       "signature": "FVBn4ex2qPIo9SHMVJ6tntoz4tVwjbIq3m6wDjjZyv2JODlS+90GBYCOkNamxxkmw/6de6SMs0YHQiF/xjo/DQ==",
-      "signed_at": "2026-06-13T05:43:10.936Z"
+      "signed_at": "2026-06-13T14:38:15.701Z"
     },
     {
       "name": "age-gates-child-safety",
@@ -2337,7 +2337,7 @@
         "US state adult-site age-verification laws — 19+ states by mid-2026 (TX HB 18 upheld by SCOTUS June 2025 in Free Speech Coalition v. Paxton); track ongoing challenges in remaining states"
       ],
       "signature": "7Wdii9uwYmDrzQohoWRWDa5A4aDRKOmdLPq5Jsql86O0Gm7pQANnj9tX+cHpQcQ/Ui8VLuNVP8UFdKxxHeDnBg==",
-      "signed_at": "2026-06-13T05:43:10.937Z"
+      "signed_at": "2026-06-13T14:38:15.701Z"
     },
     {
       "name": "cloud-iam-incident",
@@ -2417,7 +2417,7 @@
       ],
       "last_threat_review": "2026-05-15",
       "signature": "r9ii4nb3HJELdtKCGF5qy9PHOiot3GC24yfxfGAKlLENHkdRvRkvvL99eV/6RXyfUaMyrnc2Te8tPQcNu5bsDg==",
-      "signed_at": "2026-06-13T05:43:10.937Z",
+      "signed_at": "2026-06-13T14:38:15.702Z",
       "forward_watch": [
         "AWS IAM Identity Center session-policy refresh and step-up-on-admin enforcement (anticipated 2026-H2 release)",
         "GCP Workload Identity Federation principal-set attribute mapping tightening (post-2026 Q3 Federation hardening guide)",
@@ -2511,7 +2511,7 @@
       ],
       "last_threat_review": "2026-05-15",
       "signature": "9mfDtMApMAg9V/lmwpniNxo/6gNZoOEoYDfyFvyWvKrPMtc7H9F8uz06FVoARe/J49saAKTVXOurNE1D/KtpCQ==",
-      "signed_at": "2026-06-13T05:43:10.937Z",
+      "signed_at": "2026-06-13T14:38:15.702Z",
       "forward_watch": [
         "Entra ID conditional access evolution post-Midnight Blizzard — Microsoft's 2025-2026 commitments on legacy-tenant MFA enforcement and OAuth-app consent gating",
         "Okta IPSIE (Interoperability Profile for Secure Identity in the Enterprise) OpenID Foundation working-group output and adoption timeline",
@@ -2583,7 +2583,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-06-02",
       "signature": "dOFgANMtHm64uSFRjMfeA0fWZS9ISwMTt59I2CbjaF1PgTtbtb8yg/f+3pC4eXcXIET0KPGxRRmENycfIz3rAw==",
-      "signed_at": "2026-06-13T05:43:10.938Z"
+      "signed_at": "2026-06-13T14:38:15.702Z"
     },
     {
       "name": "mail-server-hardening",
@@ -2642,7 +2642,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-06-02",
       "signature": "5x8RGzKo/T2IbYnFkYMZs16ThD9a5FEdrKHsnwvtMuGxdyyfZsKNIJVWw2I8O0um0UOXwwkl17Z3zhch26ymCQ==",
-      "signed_at": "2026-06-13T05:43:10.938Z"
+      "signed_at": "2026-06-13T14:38:15.703Z"
     },
     {
       "name": "network-trust",
@@ -2698,7 +2698,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-06-02",
       "signature": "C/RdmnGjXKreKiGkwJfUESIxUwQzisGJ9A7KBdE9cBRBHBYHkAcScV89L+Z3kOG032Qax6LeIQai7Lr3nrQBCA==",
-      "signed_at": "2026-06-13T05:43:10.938Z"
+      "signed_at": "2026-06-13T14:38:15.703Z"
     },
     {
       "name": "audit-log-integrity",
@@ -2753,7 +2753,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-06-02",
       "signature": "LvUAq+rXCA8PgNy9lTKOmFqa8T9EJg4JEH0axXvEAf9MIHqbR51ergUkFMLaTuvFuApwsPu0r1C30QgScZbiAw==",
-      "signed_at": "2026-06-13T05:43:10.938Z"
+      "signed_at": "2026-06-13T14:38:15.704Z"
     },
     {
       "name": "self-update-integrity",
@@ -2807,7 +2807,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-06-02",
       "signature": "BOQZ8G9LdyG/tfpz6rCU4THz5Dq2HGJkUV7uCqSTCMrqnXH6seNXKM41FWawYo0s2VUlXtRgaO7ETp5qgxw+CQ==",
-      "signed_at": "2026-06-13T05:43:10.939Z"
+      "signed_at": "2026-06-13T14:38:15.704Z"
     },
     {
       "name": "multitenancy-isolation",
@@ -2865,7 +2865,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-06-02",
       "signature": "bncN0VE4ns0lxtPe48xDR33lerw54BPVkSwX7XlrLQcMHTrV94lmjO8z4ZP4Ko61n+KpuP2SNU8v9JT0bGMmAA==",
-      "signed_at": "2026-06-13T05:43:10.939Z"
+      "signed_at": "2026-06-13T14:38:15.705Z"
     },
     {
       "name": "decompression-dos",
@@ -2923,7 +2923,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-06-02",
       "signature": "03i0ZO5ScHIOjGvDKUEsws6m+20fnlJrEhSBtMU7PJzQutrPpmW9gULE0wbayTD5H9URh5nSKZuuVjvjVhZNCg==",
-      "signed_at": "2026-06-13T05:43:10.939Z"
+      "signed_at": "2026-06-13T14:38:15.705Z"
     },
     {
       "name": "log-injection-telemetry",
@@ -2978,7 +2978,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-06-02",
       "signature": "twTmA2l+Am2k2PCzB2DNxDQwoYlGopJp/3QgQwBsP7h2LF+uNudisqfuOVV/bYnWfrUhuYZUWbsR3mhzbJCUBw==",
-      "signed_at": "2026-06-13T05:43:10.939Z"
+      "signed_at": "2026-06-13T14:38:15.705Z"
     },
     {
       "name": "privacy-consent-ops",
@@ -3033,11 +3033,11 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-06-02",
       "signature": "0sfKSVrIf555c9bDGkXB96fUClN52fMAMYoQsNQ9eUUSzDiWUwdou+q0gYt43nObtj3m9Yb9X6q3oCXDVMgUDg==",
-      "signed_at": "2026-06-13T05:43:10.939Z"
+      "signed_at": "2026-06-13T14:38:15.706Z"
     }
   ],
   "manifest_signature": {
     "algorithm": "Ed25519",
-    "signature_base64": "r2EdGnvzgmAPlQQHQoYB9mq2yyKuHwPLGDJbXMIrMsWLIA1mSCQMyGwWgzuqNb+OomenyPW9IiUKM1v4EmigAQ=="
+    "signature_base64": "NTNls4grN7uk3xPYIs49FaFMGLxP4uq6eoqH6TPn9z/aZRTmY5PWi6eNP48q3+IAQPdOvqD/B5bdDMyomkCcCw=="
   }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/exceptd-skills",
-  "version": "0.16.30",
+  "version": "0.16.31",
   "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 51 skills, 11 catalogs (439 CVEs / 177 CWEs / 805 ATT&CK + ICS / 170 ATLAS / 468 D3FEND / 8888 RFCs), 35 jurisdictions, 10-class catalog gap detector + budget gate, real XML parser + canonical-form diff + content-pattern regression detection, Ed25519-signed.",
   "keywords": [
     "ai-security",

package/sbom.cdx.json

@@ -1,22 +1,22 @@
 {
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:a7c95fa5-56fc-47e1-9190-3c7136d591ca",
+  "serialNumber": "urn:uuid:348fa4b0-bb90-421a-94dd-b1f2046bd8e2",
   "version": 1,
   "metadata": {
-    "timestamp": "2115-03-16T22:18:13.000Z",
+    "timestamp": "2053-12-11T08:30:40.000Z",
     "tools": [
       {
         "vendor": "blamejs",
         "name": "scripts/refresh-sbom.js",
-        "version": "0.16.30"
+        "version": "0.16.31"
       }
     ],
     "component": {
-      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.16.30",
+      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.16.31",
       "type": "application",
       "name": "@blamejs/exceptd-skills",
-      "version": "0.16.30",
+      "version": "0.16.31",
       "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 51 skills, 11 catalogs (439 CVEs / 177 CWEs / 805 ATT&CK + ICS / 170 ATLAS / 468 D3FEND / 8888 RFCs), 35 jurisdictions, 10-class catalog gap detector + budget gate, real XML parser + canonical-form diff + content-pattern regression detection, Ed25519-signed.",
       "licenses": [
         {
@@ -25,17 +25,17 @@
           }
         }
       ],
-      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.16.30",
+      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.16.31",
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "c1bd30e9ed811a98d591a42f6afbfbaa84fd44ef183e7897ad80551fc28b9736"
+          "content": "50ec4d5be25e973de59e250637e07fe71543f583d23bad37702beb0b65fa72e4"
         }
       ],
       "externalReferences": [
         {
           "type": "distribution",
-          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.16.30"
+          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.16.31"
         },
         {
           "type": "vcs",
@@ -116,11 +116,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "673ca71c12d4d15633bb8aef96c9894e153d2ef878c51ace03de99e3ef59e924"
+          "content": "6097a6845e555e87c9c223a4188eeef48a7def06da030bc5b40b083dd13f41aa"
         },
         {
           "alg": "SHA3-512",
-          "content": "ae11ee07cfeff030fa9cab9d3a668b160a8859d27fa15abad8c2fa9f63f39eaeb45806cd64cc45f23b919a74b682ca0122df10270b3bc10cdb3c56c470f0da5e"
+          "content": "af78e89ae5c4f83624a2b21321bf3456075807b790e4f9186d6a22cc4eaa1809fdce9a9e6d76eef6fe9a3b131ce6c3bc49058ed0ea23c23ddbead8738e23f56a"
         }
       ]
     },
@@ -1496,11 +1496,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "ad595c63a137b7bb85ff581897cfc8bbdf7e7f46a247e40245a14f564b8a1c07"
+          "content": "970cc8f57019847aaed4277a132be4755c25de5834d6eb10761683ffee355e3e"
         },
         {
           "alg": "SHA3-512",
-          "content": "8cfd603e5d873730e393d678380568d29725e05d37f1d6cf876e54ea186c0912ad30aa0f5135a23fa959fe141b40034f08742e5aac07b0303e4a728e192b8070"
+          "content": "dc337dceeaf1e40b95d95147d2fd16025de1c1c670bff9d0e8a05ca048d8d61c17c448137cb83b1cd18da92b57b4319f057d34f908cbb9781822336060baef60"
         }
       ]
     },
@@ -1901,11 +1901,11 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "70fea689545e1145b6e4e55621b07083d54e657372d1293406697cbcdd216fbb"
+          "content": "c11cdd490e2de2c62ce2d25caa613abdf8d425419efe1e9e7b3ab356686c664f"
         },
         {
           "alg": "SHA3-512",
-          "content": "1bf4b7ec8dfa0661f5219a20572816d8bfc9b3c4bb83651f4ba07959063d28099ea519ca0401fcc1d38d5fb7658699453ba1ed71fa6dfdaca7fd615b056ffadc"
+          "content": "d17602bb378c59e4cf2f087d74aecbb64d955935f3159f8f5da338295dd07d4911423de0c2eb93008fbdd253d8f117a7d500db7128388c35a8a144740b2bf150"
         }
       ]
     },