@blamejs/exceptd-skills 0.9.1 → 0.9.2

package/CHANGELOG.md

@@ -1,5 +1,62 @@
 # Changelog
 
+## 0.9.2 — 2026-05-12
+
+**Pin: auto-discovery for KEV + IETF catalogs.** The refresh workflow now adds *new* catalog entries automatically instead of only updating existing ones.
+
+### What changed
+
+- **CISA KEV discovery** — when CISA adds a new CVE to the Known Exploited Vulnerabilities list, the next nightly refresh detects it (cached KEV feed entry, not in local `data/cve-catalog.json`) and emits a draft entry. NVD CVSS metrics + EPSS score pulled from the prefetch cache when available; nulled otherwise. Initial RWEP score computed via `lib/scoring.js` with KEV=true + suspected exploitation + reboot-required = baseline ~55.
+- **IETF RFC discovery** — Datatracker query against project-relevant working groups returns recent RFCs not in `data/rfc-references.json`. WG filter is the union of (a) dynamically derived from cached Datatracker docs on currently-cited RFCs, plus (b) a curated seed list of 35 WGs covering crypto/PKI/TLS, identity/auth/SSO, supply chain/attestation (`scitt` / `rats` / `suit` / `teep`), threat intel (`mile` / `sacm`), DNS security, messaging E2E, and IoT mgmt. Seed list documented in `lib/auto-discovery.js`.
+- **Draft entry annotation** — every auto-imported entry carries an `_auto_imported` block:
+  ```jsonc
+  "_auto_imported": {
+    "source": "KEV discovery",
+    "imported_at": "2026-05-12",
+    "curation_needed": [
+      "type (LPE/RCE/SSRF/etc.)",
+      "framework_control_gaps mapping",
+      "atlas_refs + attack_refs categorization",
+      ...
+    ]
+  }
+  ```
+  Mechanical fields (CVSS, KEV, EPSS, name, vendor) get populated; analytical fields (framework_control_gaps, ATLAS/ATT&CK refs, type classification) stay null and are listed for human curation.
+- **PR body** in `refresh.yml` now splits cleanly: **"New entries (auto-imported — needs human curation)"** table first, then **"Updates to existing entries"** table. New label `needs-curation` added alongside the existing `data-refresh` + `automation`.
+- **Volume cap** — 20 new entries per PR per source (configurable via `DEFAULT_CAP`). Spill is reported in the summary so a CISA mass-add doesn't generate an unreviewable PR.
+
+### `lib/auto-discovery.js` (new module, ~280 lines, zero deps)
+
+- `discoverNewKev(ctx, cap?)` — KEV → array of `op:"add"` diffs
+- `discoverNewRfcs(ctx, opts?)` — RFC discovery via Datatracker WG queries
+- `buildKevDraftEntry(kev, nvd?, epss?)` — pure function, no I/O, easy to test
+- `getProjectRfcGroups(ctx)` — union of cache-derived + `SEED_RFC_GROUPS`
+- `SEED_RFC_GROUPS` — curated WG list (exported for testing + transparency)
+
+### `lib/refresh-external.js` changes
+
+- `KEV_SOURCE.fetchDiff` now merges drift-check + discovery in cache mode (`kevDiffWithDiscoveryFromCache`)
+- `RFC_SOURCE.fetchDiff` same pattern (`rfcDiffWithDiscoveryFromCache` — drift from cache, discovery live)
+- `applyDiff` handlers learn the new `op: "add"` diff shape and insert entries verbatim. Returns enriched stats: `{ updated, added, drift_updated, errors }`.
+
+### Tests
+
+`tests/auto-discovery.test.js` — 9 new tests:
+- Seed WG breadth (must include `tls`, `oauth`, `scitt`, `rats`, `dnsop`, `acme`, `mls`, etc.)
+- `buildKevDraftEntry` populates all required schema fields
+- NVD CVSS + CWE extraction
+- EPSS score extraction
+- Empty result when KEV cache missing
+- New CVE detection (filters out CVEs already in local catalog)
+- Volume cap + spill counting
+- RWEP score bounded 0–100
+
+Total: 192 → **201 tests**. 13/13 predeploy gates green.
+
+### Operational note
+
+The first run after deploy will likely pick up **8 new KEV entries** from the past ~5 days of CISA activity (visible in `/api/intel` already). These appear in the next auto-PR as a curated batch.
+
 ## 0.9.1 — 2026-05-11
 
 **Patch: test-runner concurrency fix for first npm publish.**

package/data/_indexes/_meta.json

@@ -1,10 +1,10 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-11T23:30:53.944Z",
+  "generated_at": "2026-05-12T03:19:12.090Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 49,
   "source_hashes": {
-    "manifest.json": "c4569222d4863d33008f65256fc2081364ed3fe6f69ec019a2a79b9d6ec2496b",
+    "manifest.json": "05cbd5fc644f6681abd62ce63f393112511a06df1db74a366ee8156447ba0427",
     "data/atlas-ttps.json": "1500b5830dab070c4252496964a8c0948e1052a656e2c7c6e1efaf0350645e13",
     "data/cve-catalog.json": "a81d3e4b491b27ccc084596b063a6108ff10c9eb01d7776922fc393980b534fe",
     "data/cwe-catalog.json": "c3367d469b4b3d31e4c56397dd7a8305a0be338ecd85afa27804c0c9ce12157b",

package/lib/auto-discovery.js

@@ -0,0 +1,480 @@
+"use strict";
+/**
+ * lib/auto-discovery.js
+ *
+ * Discovers NEW catalog entries upstream and builds draft entries for
+ * `refresh-external.js` to include as `op:"add"` diffs in its auto-PR.
+ *
+ * Sources covered:
+ *   - KEV: every CVE in the CISA KEV feed that's not in local
+ *     data/cve-catalog.json. NVD + EPSS data is pulled from the same
+ *     prefetch cache the drift-check uses; missing cache entries fall
+ *     through to a draft with null mechanical fields.
+ *   - RFC: every recent IETF RFC published in a working group the
+ *     project's existing rfc-references.json already cites. Queried
+ *     live against Datatracker (small N — typically 1-5 RFCs per
+ *     month across all project-relevant WGs).
+ *
+ * Each draft entry carries an `_auto_imported` block with the source,
+ * import date, and a `curation_needed` list of analytical fields a
+ * human still needs to fill (framework_control_gaps, atlas_refs,
+ * attack_refs, type classification, etc.). `validate-cve-catalog.js`
+ * is tolerant of this annotation; the audit / stale-content index
+ * surfaces uncurated entries so they don't sit indefinitely.
+ *
+ * Both discovery functions accept a `cap` (default 20) so a burst
+ * upstream addition doesn't generate an unreviewable PR. Items past
+ * the cap spill to the next run.
+ */
+
+const fs = require("fs");
+const path = require("path");
+const { scoreCustom } = require("./scoring");
+
+const TODAY = new Date().toISOString().slice(0, 10);
+const TIMEOUT_MS = 10_000;
+const USER_AGENT = "exceptd-security/auto-discovery (+https://exceptd.com)";
+const DEFAULT_CAP = 20;
+
+// IETF Datatracker codes → human-readable status strings used in
+// data/rfc-references.json.
+const RFC_STATUS_MAP = {
+  std: "Internet Standard",
+  ps:  "Proposed Standard",
+  ds:  "Draft Standard",
+  bcp: "Best Current Practice",
+  inf: "Informational",
+  exp: "Experimental",
+  his: "Historic",
+  unkn: "Unknown",
+};
+
+function readCachedJson(cacheDir, source, id) {
+  if (!cacheDir) return null;
+  const safe = String(id).replace(/[^A-Za-z0-9._-]/g, "_");
+  const p = path.join(cacheDir, source, `${safe}.json`);
+  if (!fs.existsSync(p)) return null;
+  try { return JSON.parse(fs.readFileSync(p, "utf8")); } catch { return null; }
+}
+
+function extractNvdMetrics(payload) {
+  const vuln = payload?.vulnerabilities?.[0]?.cve;
+  if (!vuln) return null;
+  const m = vuln.metrics || {};
+  const ordered = [
+    ...(m.cvssMetricV31 || []),
+    ...(m.cvssMetricV30 || []),
+    ...(m.cvssMetricV2 || []),
+  ];
+  const primary = ordered.find((x) => x.type === "Primary") || ordered[0];
+  return {
+    cvss_score: typeof primary?.cvssData?.baseScore === "number" ? primary.cvssData.baseScore : null,
+    cvss_vector: primary?.cvssData?.vectorString || null,
+    description: (vuln.descriptions || []).find((d) => d.lang === "en")?.value || null,
+    cwe_refs: ((vuln.weaknesses || [])
+      .flatMap((w) => (w.description || []))
+      .map((d) => d.value)
+      .filter((v) => /^CWE-\d+$/.test(v))
+    ),
+  };
+}
+
+function extractEpss(payload, id) {
+  const data = Array.isArray(payload?.data) ? payload.data : [];
+  const row = data.find((r) => r?.cve === id) || data[0];
+  if (!row) return null;
+  return {
+    score: row.epss != null ? Number(row.epss) : null,
+    percentile: row.percentile != null ? Number(row.percentile) : null,
+    date: typeof row.date === "string" ? row.date : null,
+  };
+}
+
+// --- KEV discovery -----------------------------------------------------
+
+/**
+ * Build a draft CVE catalog entry from a KEV record + optional cached
+ * NVD/EPSS payloads. Required-schema fields are populated where
+ * mechanically derivable; analytical fields are nulled and listed in
+ * `_auto_imported.curation_needed`.
+ *
+ * @param {object} kevEntry  Single vulnerability from CISA KEV feed
+ * @param {object|null} nvdPayload  Cached NVD 2.0 response (or null)
+ * @param {object|null} epssPayload  Cached EPSS response (or null)
+ */
+function buildKevDraftEntry(kevEntry, nvdPayload, epssPayload) {
+  const id = String(kevEntry.cveID);
+  const nvd = nvdPayload ? extractNvdMetrics(nvdPayload) : null;
+  const epss = epssPayload ? extractEpss(epssPayload, id) : null;
+
+  const knownRansomware =
+    String(kevEntry.knownRansomwareCampaignUse || "").toLowerCase() === "known";
+
+  // Compute initial RWEP. KEV → +25, suspected exploitation → +10.
+  // Unknown PoC/AI flags default to false (conservative — we don't
+  // claim more than we know). Blast radius defaults to 15 (mid-range)
+  // since we can't infer it from KEV metadata alone.
+  const rwep_factors = {
+    cisa_kev: true,
+    poc_available: null,                  // unknown — curation needed
+    ai_assisted_weapon: null,
+    ai_discovered: null,
+    active_exploitation: "suspected",     // KEV listing implies exploitation
+    blast_radius: 15,
+    patch_available: null,
+    live_patch_available: null,
+    reboot_required: null,
+  };
+  // scoreCustom() treats null fields as false, which under-counts the
+  // score. Pass concrete defaults for unknowns: poc_available=true is
+  // the conservative assumption for KEV entries (CISA generally only
+  // adds entries with documented exploitation), and reboot_required=
+  // true biases toward urgency.
+  const rwep_score = scoreCustom({
+    cisa_kev: true,
+    poc_available: true,
+    ai_assisted_weapon: false,
+    ai_discovered: false,
+    active_exploitation: "suspected",
+    blast_radius: 15,
+    patch_available: false,
+    live_patch_available: false,
+    reboot_required: true,
+  });
+
+  const product = [kevEntry.vendorProject, kevEntry.product]
+    .filter(Boolean)
+    .join(" ");
+
+  return {
+    name: String(kevEntry.vulnerabilityName || "TBD — verify against vendor advisory"),
+    type: "TBD",
+    cvss_score: nvd?.cvss_score ?? null,
+    cvss_vector: nvd?.cvss_vector ?? null,
+    cisa_kev: true,
+    cisa_kev_date: kevEntry.dateAdded || null,
+    cisa_kev_due_date: kevEntry.dueDate || null,
+    poc_available: null,
+    poc_description: null,
+    ai_discovered: null,
+    ai_discovery_notes: null,
+    ai_assisted_weaponization: null,
+    active_exploitation: "suspected",
+    affected: product || "See vendor advisory",
+    affected_versions: [],
+    vector: nvd?.description || kevEntry.shortDescription || "TBD",
+    complexity: null,
+    complexity_notes: null,
+    patch_available: null,
+    patch_required_reboot: null,
+    live_patch_available: null,
+    live_patch_tools: [],
+    live_patch_notes: null,
+    framework_control_gaps: {},
+    atlas_refs: [],
+    attack_refs: [],
+    cwe_refs: nvd?.cwe_refs || [],
+    known_ransomware_use: knownRansomware,
+    epss_score: epss?.score ?? null,
+    epss_percentile: epss?.percentile ?? null,
+    epss_date: epss?.date ?? null,
+    rwep_score,
+    rwep_factors,
+    verification_sources: [
+      "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
+      kevEntry.notes ? String(kevEntry.notes) : null,
+    ].filter(Boolean),
+    source_verified: false,
+    last_updated: TODAY,
+    last_verified: TODAY,
+    _auto_imported: {
+      source: "KEV discovery",
+      imported_at: TODAY,
+      curation_needed: [
+        "type (LPE/RCE/SSRF/etc.)",
+        "poc_available + poc_description (link to public PoC if any)",
+        "ai_discovered + ai_assisted_weaponization classification",
+        "active_exploitation upgrade from 'suspected' to 'confirmed' once a campaign is documented",
+        "framework_control_gaps mapping (NIST/ISO/PCI/SOC 2 controls this defeats)",
+        "atlas_refs + attack_refs categorization",
+        "complexity assessment + complexity_notes",
+        "patch_available + live_patch_available + live_patch_tools",
+        "blast_radius numeric in rwep_factors (currently default 15)",
+        "RWEP score recompute after the above land",
+        "source_verified once a project maintainer has confirmed the upstream",
+      ],
+    },
+  };
+}
+
+/**
+ * Find KEV entries upstream that are not in local cve-catalog.json.
+ * Returns an array of { id, op:"add", entry, severity } diffs capped
+ * at `cap` items. Spill past the cap is logged on the diff object's
+ * `_spilled` count so the PR body can mention it.
+ */
+function discoverNewKev(ctx, cap = DEFAULT_CAP) {
+  const feed = readCachedJson(ctx.cacheDir, "kev", "known_exploited_vulnerabilities");
+  if (!feed || !Array.isArray(feed.vulnerabilities)) {
+    return { diffs: [], errors: 1, spilled: 0, summary: "KEV discovery: no cached feed" };
+  }
+
+  const localCves = new Set(
+    Object.keys(ctx.cveCatalog).filter((k) => /^CVE-\d{4}-\d{4,7}$/.test(k))
+  );
+
+  // Sort by dateAdded descending so the most recent additions are kept
+  // when the cap clips the list.
+  const candidates = feed.vulnerabilities
+    .filter((v) => v && v.cveID && !localCves.has(String(v.cveID)))
+    .sort((a, b) => String(b.dateAdded || "").localeCompare(String(a.dateAdded || "")));
+
+  const total = candidates.length;
+  const picks = candidates.slice(0, cap);
+  const spilled = Math.max(0, total - picks.length);
+
+  const diffs = picks.map((kev) => {
+    const id = String(kev.cveID);
+    const nvd = readCachedJson(ctx.cacheDir, "nvd", id);
+    const epss = readCachedJson(ctx.cacheDir, "epss", id);
+    const entry = buildKevDraftEntry(kev, nvd, epss);
+    return {
+      id,
+      op: "add",
+      target: "cveCatalog",
+      entry,
+      severity: "high",
+      meta: {
+        date_added: kev.dateAdded || null,
+        vendor: kev.vendorProject || null,
+        product: kev.product || null,
+      },
+    };
+  });
+
+  return {
+    diffs,
+    errors: 0,
+    spilled,
+    summary: total === 0
+      ? "KEV discovery: no new entries"
+      : `KEV discovery: ${diffs.length} new entries${spilled > 0 ? ` (+${spilled} spilled past cap)` : ""}`,
+  };
+}
+
+// --- RFC discovery -----------------------------------------------------
+
+async function fetchDatatracker(url) {
+  const ac = new AbortController();
+  const t = setTimeout(() => ac.abort(), TIMEOUT_MS);
+  try {
+    const res = await fetch(url, {
+      signal: ac.signal,
+      headers: { "User-Agent": USER_AGENT, Accept: "application/json" },
+    });
+    if (!res.ok) return null;
+    return await res.json();
+  } catch {
+    return null;
+  } finally {
+    clearTimeout(t);
+  }
+}
+
+/**
+ * Derive the set of IETF working-group acronyms the project already
+ * cares about. Reads each entry in data/rfc-references.json, looks up
+ * its Datatracker doc in the prefetch cache, extracts the group
+ * acronym, returns the union.
+ *
+ * Two layers in the result:
+ *
+ *   1. DYNAMICALLY DERIVED — every WG that appears on a project-cited
+ *      RFC's Datatracker record. Grows organically as catalog grows.
+ *
+ *   2. SEEDED — a curated baseline of IETF WGs that publish RFCs
+ *      directly relevant to the project's mid-2026 threat model and
+ *      compliance frameworks, even when the catalog doesn't yet cite
+ *      one of their RFCs. Without this, RFC discovery would be blind
+ *      to e.g. SCITT (supply chain) until a SCITT RFC was already
+ *      manually added — defeating the point of discovery.
+ *
+ * SEED groups by project area:
+ *
+ *   Transport / crypto / PKI:
+ *     tls, uta, cfrg, lamps, ipsecme
+ *   HTTP / web / QUIC:
+ *     httpbis, quic, ohai, privacypass, httpapi
+ *   Identity / auth / SSO / cert mgmt:
+ *     oauth, jose, cose, kitten, emu, secevent, scim, acme
+ *   DNS security + privacy:
+ *     dnsop, dprive, add
+ *   Supply chain + attestation + firmware:
+ *     scitt, rats, suit, teep
+ *   Threat intel + security automation:
+ *     mile, sacm, i2nsf
+ *   Messaging + E2E:
+ *     mls, moq, sframe
+ *   Network / IoT mgmt:
+ *     anima, drip, iotops, netconf
+ */
+const SEED_RFC_GROUPS = [
+  // Transport / crypto / PKI
+  "tls", "uta", "cfrg", "lamps", "ipsecme",
+  // HTTP / web / QUIC
+  "httpbis", "quic", "ohai", "privacypass", "httpapi",
+  // Identity / auth / SSO / cert mgmt
+  "oauth", "jose", "cose", "kitten", "emu", "secevent", "scim", "acme",
+  // DNS security + privacy
+  "dnsop", "dprive", "add",
+  // Supply chain + attestation + firmware
+  "scitt", "rats", "suit", "teep",
+  // Threat intel + security automation
+  "mile", "sacm", "i2nsf",
+  // Messaging + E2E
+  "mls", "moq", "sframe",
+  // Network / IoT mgmt
+  "anima", "drip", "iotops", "netconf",
+];
+
+function getProjectRfcGroups(ctx) {
+  const groups = new Set();
+  const ids = Object.keys(ctx.rfcCatalog).filter((k) => !k.startsWith("_"));
+  for (const id of ids) {
+    let docName;
+    if (id.startsWith("RFC-")) docName = `rfc${id.slice(4)}`;
+    else if (id.startsWith("DRAFT-")) docName = `draft-${id.slice(6).toLowerCase()}`;
+    if (!docName) continue;
+    const payload = readCachedJson(ctx.cacheDir, "rfc", docName);
+    const obj = payload?.objects?.[0];
+    const acronym = obj?.group?.acronym || (typeof obj?.group === "string" ? extractAcronymFromGroupUri(obj.group) : null);
+    if (acronym) groups.add(String(acronym).toLowerCase());
+  }
+  // Always union the seed list — dynamic derivation covers the WGs we
+  // already cite; the seed covers WGs we SHOULD watch for our skill
+  // coverage even if no RFC from that WG is in the catalog yet.
+  for (const g of SEED_RFC_GROUPS) groups.add(g);
+  return groups;
+}
+
+function extractAcronymFromGroupUri(uri) {
+  // Group URIs from Datatracker look like /api/v1/group/group/12345/.
+  // Group acronym is in the doc object's full record but not in the URI.
+  // Returning null means we have to live-fetch later.
+  void uri;
+  return null;
+}
+
+/**
+ * Find recent RFCs published in any project-relevant working group
+ * that aren't already in data/rfc-references.json. Queries Datatracker
+ * live (small N — runs once per refresh, ~9 WG queries).
+ *
+ * @param {object} ctx
+ * @param {object} opts  { cap?: number, sinceDays?: number }
+ */
+async function discoverNewRfcs(ctx, opts = {}) {
+  const cap = opts.cap ?? DEFAULT_CAP;
+  const sinceDays = opts.sinceDays ?? 180;
+  const cutoff = new Date(Date.now() - sinceDays * 86_400_000).toISOString().slice(0, 10);
+
+  const groups = [...getProjectRfcGroups(ctx)];
+  if (groups.length === 0) {
+    return { diffs: [], errors: 0, spilled: 0, summary: "RFC discovery: no project WGs derived" };
+  }
+
+  const localIds = new Set(Object.keys(ctx.rfcCatalog).filter((k) => !k.startsWith("_")));
+
+  let candidates = [];
+  let errors = 0;
+
+  for (const wg of groups) {
+    // Datatracker filter: RFCs in this WG, time > cutoff. Ordered by time descending.
+    const url =
+      `https://datatracker.ietf.org/api/v1/doc/document/` +
+      `?type=rfc&group__acronym=${encodeURIComponent(wg)}` +
+      `&time__gt=${cutoff}&order_by=-time&limit=20&format=json`;
+    const payload = await fetchDatatracker(url);
+    if (!payload || !Array.isArray(payload.objects)) {
+      errors++;
+      continue;
+    }
+    for (const obj of payload.objects) {
+      const docName = String(obj.name || "");
+      const m = docName.match(/^rfc(\d+)$/i);
+      if (!m) continue;
+      const number = Number(m[1]);
+      const localKey = `RFC-${number}`;
+      if (localIds.has(localKey)) continue;
+      candidates.push({ obj, number, localKey, wg });
+    }
+  }
+
+  // Dedupe across overlapping WG membership (an RFC can list multiple
+  // groups). Keep the first occurrence (alphabetically first WG match).
+  const seen = new Set();
+  candidates = candidates.filter((c) => {
+    if (seen.has(c.localKey)) return false;
+    seen.add(c.localKey);
+    return true;
+  });
+
+  // Sort by published time descending so we keep the most recent under the cap.
+  candidates.sort((a, b) => String(b.obj.time || "").localeCompare(String(a.obj.time || "")));
+
+  const total = candidates.length;
+  const picks = candidates.slice(0, cap);
+  const spilled = Math.max(0, total - picks.length);
+
+  const diffs = picks.map(({ obj, number, localKey, wg }) => {
+    const status = RFC_STATUS_MAP[obj.std_level] || "Unknown";
+    const entry = {
+      number,
+      title: String(obj.title || `RFC ${number}`),
+      status,
+      published: typeof obj.time === "string" ? obj.time.slice(0, 7) : null,
+      tracker: `https://www.rfc-editor.org/info/rfc${number}`,
+      relevance: `AUTO-IMPORTED from IETF ${wg.toUpperCase()} working group. Project already cites other RFCs in this WG — this candidate surfaced via the auto-discovery filter and needs a curated relevance statement before merge.`,
+      lag_notes: null,
+      skills_referencing: [],
+      errata_count: null,
+      last_verified: TODAY,
+      _auto_imported: {
+        source: `RFC discovery (IETF ${wg} working group)`,
+        imported_at: TODAY,
+        curation_needed: [
+          "relevance — project-specific framing of how this RFC matters for mid-2026 threats",
+          "lag_notes — what gaps remain or where the RFC falls short",
+          "skills_referencing — list of skills that should cite this RFC",
+          "errata_count — populate from <rfc-editor.org/errata/rfc${number}>",
+        ],
+      },
+    };
+    return {
+      id: localKey,
+      op: "add",
+      target: "rfcCatalog",
+      entry,
+      severity: "low",
+      meta: { wg, published: entry.published, title: entry.title },
+    };
+  });
+
+  return {
+    diffs,
+    errors,
+    spilled,
+    summary: total === 0
+      ? "RFC discovery: no new entries in project WGs"
+      : `RFC discovery: ${diffs.length} new entries${spilled > 0 ? ` (+${spilled} spilled past cap)` : ""} across ${groups.length} WG(s)`,
+  };
+}
+
+module.exports = {
+  discoverNewKev,
+  discoverNewRfcs,
+  buildKevDraftEntry,
+  getProjectRfcGroups,
+  SEED_RFC_GROUPS,
+  DEFAULT_CAP,
+};

package/lib/refresh-external.js

@@ -112,13 +112,15 @@ AGENTS.md Hard Rule #12 and are surfaced as report-only findings.
  *     mutates local catalog and writes it
  */
 
+const { discoverNewKev, discoverNewRfcs } = require("./auto-discovery");
+
 const KEV_SOURCE = {
   name: "kev",
   description: "CISA Known Exploited Vulnerabilities",
   applies_to: "data/cve-catalog.json",
   async fetchDiff(ctx) {
     if (ctx.fixtures?.kev) return synthesizeFromFixture(ctx, "kev");
-    if (ctx.cacheDir) return kevDiffFromCache(ctx);
+    if (ctx.cacheDir) return kevDiffWithDiscoveryFromCache(ctx);
     const { validateAllCves } = require("../sources/validators");
     const report = await validateAllCves(ctx.cveCatalog, { concurrency: 4 });
     const diffs = [];
@@ -140,8 +142,17 @@ const KEV_SOURCE = {
   },
   async applyDiff(ctx, diffs) {
     let updated = 0;
+    let added = 0;
     const errors = [];
     for (const d of diffs) {
+      if (d.op === "add") {
+        // Auto-discovered new entry. Refuse to overwrite if the entry
+        // somehow exists (race condition / stale fixture); skip silently.
+        if (ctx.cveCatalog[d.id]) continue;
+        ctx.cveCatalog[d.id] = d.entry;
+        added++;
+        continue;
+      }
       if (!ctx.cveCatalog[d.id]) {
         errors.push(`KEV: no local entry for ${d.id}`);
         continue;
@@ -153,10 +164,32 @@ const KEV_SOURCE = {
     ctx.cveCatalog._meta = ctx.cveCatalog._meta || {};
     ctx.cveCatalog._meta.last_updated = TODAY;
     writeJson(ABS("data/cve-catalog.json"), ctx.cveCatalog);
-    return { updated, errors };
+    return { updated: updated + added, added, drift_updated: updated, errors };
   },
 };
 
+/**
+ * Cache-mode KEV with auto-discovery merged in. Standard drift-check
+ * for existing entries plus discoverNewKev() for entries upstream that
+ * aren't in the local catalog. Spill count is surfaced in the summary.
+ */
+function kevDiffWithDiscoveryFromCache(ctx) {
+  const drift = kevDiffFromCache(ctx);
+  const discovery = discoverNewKev(ctx);
+  const diffs = [...drift.diffs, ...discovery.diffs];
+  const summary =
+    `${drift.diffs.length} KEV drifts + ${discovery.diffs.length} new entries` +
+    (discovery.spilled > 0 ? ` (+${discovery.spilled} spilled past cap)` : "") +
+    " (from cache)";
+  return {
+    status: drift.status,
+    diffs,
+    errors: drift.errors + discovery.errors,
+    spilled: discovery.spilled,
+    summary,
+  };
+}
+
 const EPSS_SOURCE = {
   name: "epss",
   description: "FIRST.org EPSS scores",
@@ -257,11 +290,11 @@ const NVD_SOURCE = {
 
 const RFC_SOURCE = {
   name: "rfc",
-  description: "IETF Datatracker RFC status",
+  description: "IETF Datatracker RFC status + auto-discovery",
   applies_to: "data/rfc-references.json",
   async fetchDiff(ctx) {
     if (ctx.fixtures?.rfc) return synthesizeFromFixture(ctx, "rfc");
-    if (ctx.cacheDir) return rfcDiffFromCache(ctx);
+    if (ctx.cacheDir) return rfcDiffWithDiscoveryFromCache(ctx);
     const { validateAllRfcs } = require("../sources/validators");
     const results = await validateAllRfcs(ctx.rfcCatalog, { concurrency: 4 });
     const diffs = [];
@@ -293,8 +326,15 @@ const RFC_SOURCE = {
   },
   async applyDiff(ctx, diffs) {
     let updated = 0;
+    let added = 0;
     const errors = [];
     for (const d of diffs) {
+      if (d.op === "add") {
+        if (ctx.rfcCatalog[d.id]) continue;
+        ctx.rfcCatalog[d.id] = d.entry;
+        added++;
+        continue;
+      }
       if (d.field !== "status") continue; // notes are informational
       const entry = ctx.rfcCatalog[d.id];
       if (!entry) {
@@ -308,10 +348,34 @@ const RFC_SOURCE = {
     ctx.rfcCatalog._meta = ctx.rfcCatalog._meta || {};
     ctx.rfcCatalog._meta.last_updated = TODAY;
     writeJson(ABS("data/rfc-references.json"), ctx.rfcCatalog);
-    return { updated, errors };
+    return { updated: updated + added, added, drift_updated: updated, errors };
   },
 };
 
+/**
+ * Cache-mode RFC with auto-discovery merged in. Drift-check for
+ * existing entries (cache only) plus discoverNewRfcs() which hits
+ * Datatracker live for new RFCs in project-relevant working groups.
+ * Discovery makes ~30 HTTP calls (one per project WG) per refresh —
+ * Datatracker's read budget is generous so this is well within limit.
+ */
+async function rfcDiffWithDiscoveryFromCache(ctx) {
+  const drift = rfcDiffFromCache(ctx);
+  const discovery = await discoverNewRfcs(ctx);
+  const diffs = [...drift.diffs, ...discovery.diffs];
+  const summary =
+    `${drift.diffs.length} RFC drifts + ${discovery.diffs.length} new entries` +
+    (discovery.spilled > 0 ? ` (+${discovery.spilled} spilled past cap)` : "") +
+    " (drift from cache, discovery live)";
+  return {
+    status: drift.status,
+    diffs,
+    errors: drift.errors + discovery.errors,
+    spilled: discovery.spilled,
+    summary,
+  };
+}
+
 const PINS_SOURCE = {
   name: "pins",
   description: "MITRE ATLAS / ATT&CK / D3FEND / CWE upstream release pins",

package/manifest-snapshot.json

@@ -1,6 +1,6 @@
 {
   "_comment": "Auto-generated by scripts/refresh-manifest-snapshot.js — do not hand-edit. Public skill surface used by check-manifest-snapshot.js to detect breaking removals.",
-  "_generated_at": "2026-05-11T23:30:00.566Z",
+  "_generated_at": "2026-05-12T03:18:21.622Z",
   "atlas_version": "5.1.0",
   "skill_count": 38,
   "skills": [

package/manifest.json

@@ -1,6 +1,6 @@
 {
   "name": "exceptd-security",
-  "version": "0.9.1",
+  "version": "0.9.2",
   "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation",
   "homepage": "https://exceptd.com",
   "license": "Apache-2.0",
@@ -52,7 +52,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "WprHkO1KOjQtCBj6/EJghBTNyNKJhn7O2HDbAQZPi5jn4flwHpSrtP8LC15a4Unoh+xiIIgGhvTHZIQFHGMpBQ==",
-      "signed_at": "2026-05-11T23:30:00.498Z",
+      "signed_at": "2026-05-12T03:18:21.555Z",
       "cwe_refs": [
         "CWE-125",
         "CWE-362",
@@ -116,7 +116,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "fg20bOXGRkPUdLmegeXpTM4hnzl/ArgcVc88rItZN5DdsnFnzPgUU1PwCI82zooyj2GfxJHYjxNkq5qd2zNPBg==",
-      "signed_at": "2026-05-11T23:30:00.500Z",
+      "signed_at": "2026-05-12T03:18:21.557Z",
       "cwe_refs": [
         "CWE-1039",
         "CWE-1426",
@@ -179,7 +179,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "6JuSzkSSFzFHEZ3ANzqjtIbKPOkwJeKhQ+8WAPB4+dTRvDSeg46n3D88XfGaNd2z7pmg/i8p9ZoImQcHFS4BCg==",
-      "signed_at": "2026-05-11T23:30:00.500Z",
+      "signed_at": "2026-05-12T03:18:21.557Z",
       "cwe_refs": [
         "CWE-22",
         "CWE-345",
@@ -225,7 +225,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "PYSw9abiYfW+y7IkY8udJG5LSds2a4rMimlw3rrdD0zE3vunEeV/y7oTmDD4o83OqHSCKNzF/7vMhvd/noqICQ==",
-      "signed_at": "2026-05-11T23:30:00.500Z"
+      "signed_at": "2026-05-12T03:18:21.558Z"
     },
     {
       "name": "compliance-theater",
@@ -256,7 +256,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "BMFmmJYP3HsHIjUqnhw8E3MiMGZJsI/eDq51we+nxUicZ8nFUQT9DhmRntAqOs6BUnsfiQNNLc/rrsNh8yg1CQ==",
-      "signed_at": "2026-05-11T23:30:00.501Z"
+      "signed_at": "2026-05-12T03:18:21.558Z"
     },
     {
       "name": "exploit-scoring",
@@ -285,7 +285,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "VGPyDwy5BRlpn1lZthhPB6ytb4ZcU2j0KtCZbaMkyLdMugQJtK2yEuwrsDH4yEtAhTB6/A4B3eSygJckum49Ag==",
-      "signed_at": "2026-05-11T23:30:00.502Z"
+      "signed_at": "2026-05-12T03:18:21.559Z"
     },
     {
       "name": "rag-pipeline-security",
@@ -322,7 +322,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "XkFGpsNnXBVslkQ48usEu9l1LjPiV2ppW+M4B63zXFBP2Puh52qYCffEPjUHYhoO5bjgTM7yCbK8XF/Dzk5wBw==",
-      "signed_at": "2026-05-11T23:30:00.502Z",
+      "signed_at": "2026-05-12T03:18:21.559Z",
       "cwe_refs": [
         "CWE-1395",
         "CWE-1426"
@@ -379,7 +379,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "1Xqy7Kxxy6GpTvuYJPdllPzVDRFxb7N6AuxKuoaO4v91CiZLmiXt0sTIWImKJ3p9Eup6rJNDdsY71dolFhHNBA==",
-      "signed_at": "2026-05-11T23:30:00.502Z",
+      "signed_at": "2026-05-12T03:18:21.559Z",
       "d3fend_refs": [
         "D3-CA",
         "D3-CSPP",
@@ -414,7 +414,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "QNLOmAL54S/Cmk4cdO4L2BCGkqZ/FgY4UBsKWtg/EEW+YXF5ev+a8XsUT8q5veuUa2VYcYna7rD1iAnE+2PDBA==",
-      "signed_at": "2026-05-11T23:30:00.502Z",
+      "signed_at": "2026-05-12T03:18:21.560Z",
       "cwe_refs": [
         "CWE-1188"
       ]
@@ -442,7 +442,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "aFHq4cSl3CKchnVITxx+BrAEWD33WtFFJoQtwAug5g9R3/3ABtjaXYGVQaZcdcG1AIZkMoGSPywgLQWDY7ZDCw==",
-      "signed_at": "2026-05-11T23:30:00.503Z"
+      "signed_at": "2026-05-12T03:18:21.560Z"
     },
     {
       "name": "global-grc",
@@ -474,7 +474,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "viCTUWdy6euvd2KTAo6sLvarK/FZkDtYGocxBt0H+fY94kLQGW8K5cSpqIWdUF5NUytSHBCiG4YcSze8P9Z/BQ==",
-      "signed_at": "2026-05-11T23:30:00.503Z"
+      "signed_at": "2026-05-12T03:18:21.560Z"
     },
     {
       "name": "zeroday-gap-learn",
@@ -501,7 +501,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "6PkUaHQi3Hxuqq/Jp4GYckvfqVEofmeT87NUH0T+pwyjlc+xZkoqNPn65f7ldciEPL86JIPi3/dDTKQbIFFBCw==",
-      "signed_at": "2026-05-11T23:30:00.503Z"
+      "signed_at": "2026-05-12T03:18:21.560Z"
     },
     {
       "name": "pqc-first",
@@ -553,7 +553,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "ZenFTEzWx+DzrSXlNXhbZ70vOdJSXfrnKkAwqMlBf5nlDf38V1/hG4XCKj43snQXWr4mVJOX6ilqFLTYNIjnBw==",
-      "signed_at": "2026-05-11T23:30:00.504Z",
+      "signed_at": "2026-05-12T03:18:21.561Z",
       "cwe_refs": [
         "CWE-327"
       ],
@@ -600,7 +600,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "ih0vpd2v2zS31JSJv7SnABoya8JlJdrXZXx4rBnrsV3Assj+dbjAP0pQ1HMT/5RX8yTTswRQsg0bJV3qmbJ3Bw==",
-      "signed_at": "2026-05-11T23:30:00.504Z"
+      "signed_at": "2026-05-12T03:18:21.561Z"
     },
     {
       "name": "security-maturity-tiers",
@@ -637,7 +637,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "Lv8dHiwIqUbNsywCCB/+pYWGF+MHCvxVn1IAvR7Cnif5fy0sICv0N4SVsSb621qAAkHNshpfxqwuhbuQnE1TBA==",
-      "signed_at": "2026-05-11T23:30:00.505Z",
+      "signed_at": "2026-05-12T03:18:21.562Z",
       "cwe_refs": [
         "CWE-1188"
       ]
@@ -672,7 +672,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-11",
       "signature": "BS+wrL28HHYhBpe+v84VLoq9KPBXu6alfG968katfGIoLNYQueaHP931bRmlkrjfeb6qbDf067GWdPEh7nroAw==",
-      "signed_at": "2026-05-11T23:30:00.505Z"
+      "signed_at": "2026-05-12T03:18:21.562Z"
     },
     {
       "name": "attack-surface-pentest",
@@ -743,7 +743,7 @@
         "PTES revision incorporating AI-surface enumeration"
       ],
       "signature": "vLhIYT/CC3IzxMRa+UPeqGSZTvthuwUeTMGNFMm37+TaEk0TtfwPrPyrBJLHw4W6Wt7+pufjHs46X3nTgzoRAg==",
-      "signed_at": "2026-05-11T23:30:00.505Z"
+      "signed_at": "2026-05-12T03:18:21.562Z"
     },
     {
       "name": "fuzz-testing-strategy",
@@ -803,7 +803,7 @@
         "OSS-Fuzz-Gen / AI-assisted harness generation becoming the default expectation for OSS maintainers"
       ],
       "signature": "TOcQLy/427cuf0Lw90J7A0oIeuhUmf9NXb6tOUS5K3SazCKTJujPgYSVAPZOYf1zZrRAY/aq0iqELd5cLyk5DA==",
-      "signed_at": "2026-05-11T23:30:00.506Z"
+      "signed_at": "2026-05-12T03:18:21.563Z"
     },
     {
       "name": "dlp-gap-analysis",
@@ -878,7 +878,7 @@
         "Quebec Law 25, India DPDPA, KSA PDPL enforcement actions naming AI-tool prompt data as in-scope personal information"
       ],
       "signature": "u4IN7escQa5V+OgdtaJXLdvhmNiGZsdmGOvebTLZ30WoImT+WiksvaqSa0POGdbr6HzFkALe2RrZEH9Tr0U6Dg==",
-      "signed_at": "2026-05-11T23:30:00.506Z"
+      "signed_at": "2026-05-12T03:18:21.563Z"
     },
     {
       "name": "supply-chain-integrity",
@@ -955,7 +955,7 @@
         "OpenSSF model-signing — emerging Sigstore-based signing standard for ML model weights; track for production adoption"
       ],
       "signature": "eTGQJ3gnG24WggfwuFNNIFOWV/ttPxTa3pvx9OH28m5KDS1a4ZmOR7K8y01wk/su8bH0ClYYRfoBfKQOtRswAg==",
-      "signed_at": "2026-05-11T23:30:00.506Z"
+      "signed_at": "2026-05-12T03:18:21.563Z"
     },
     {
       "name": "defensive-countermeasure-mapping",
@@ -1012,7 +1012,7 @@
       ],
       "last_threat_review": "2026-05-11",
       "signature": "q7gFLPoqf/8bqATR6gt/nj0EoyUOlfzi+bZ0bT3pC9KW7O6M/ji9fT+AXSGNp6PKd+70ACb3mkMGmWgjLpQXCg==",
-      "signed_at": "2026-05-11T23:30:00.506Z"
+      "signed_at": "2026-05-12T03:18:21.563Z"
     },
     {
       "name": "identity-assurance",
@@ -1079,7 +1079,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "pX8rhrrzuyG3iRrPORLqTZAjzGdWK/bKPUGJG5WHSZcv4LB0kQXOit4sHG0exdXxI6HY8jyX67QY4r5vEHHACw==",
-      "signed_at": "2026-05-11T23:30:00.507Z"
+      "signed_at": "2026-05-12T03:18:21.564Z"
     },
     {
       "name": "ot-ics-security",
@@ -1135,7 +1135,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "ypb8kNZQRdyu5mWeveB7sjCjNKXS1yXvjDJv88muzwhOs/a4Fu/Gb532js5NKyy+eCw/emrphpTZaL8R9a2lBA==",
-      "signed_at": "2026-05-11T23:30:00.507Z"
+      "signed_at": "2026-05-12T03:18:21.564Z"
     },
     {
       "name": "coordinated-vuln-disclosure",
@@ -1187,7 +1187,7 @@
         "NYDFS 23 NYCRR 500 amendments potentially adding explicit CVD program requirements"
       ],
       "signature": "346Lt+277ycRNsyAOGwLSONi4awgxKy3hP9G+BWjwaa8ySmTeqbYsbyyhtxjeohk9bV2SF+Hl2q4JdSvc/2qCQ==",
-      "signed_at": "2026-05-11T23:30:00.507Z"
+      "signed_at": "2026-05-12T03:18:21.564Z"
     },
     {
       "name": "threat-modeling-methodology",
@@ -1237,7 +1237,7 @@
         "PASTA v2 updates incorporating AI/ML application threats"
       ],
       "signature": "ewTvG5vu3ngFHyXgBur5vSKDFQsOZx0x79djGMricl7LCvQf5//OG6LZKXa+AOuEq58prRS+HgzrFA1DiTfeCQ==",
-      "signed_at": "2026-05-11T23:30:00.508Z"
+      "signed_at": "2026-05-12T03:18:21.565Z"
     },
     {
       "name": "webapp-security",
@@ -1311,7 +1311,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "ZHjbKu0Em92Kimr2esL1g93mf9TmcsChBhVEMWf/lFrjeLcg8nyHEIcDstIZ3FWYgc6MQNHnc3Rup3Xp/Za1Cw==",
-      "signed_at": "2026-05-11T23:30:00.508Z"
+      "signed_at": "2026-05-12T03:18:21.565Z"
     },
     {
       "name": "ai-risk-management",
@@ -1361,7 +1361,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "1KRxjCbAX0Rs5NTOioi1w/f1SOzDQrtRoXjTDtzEwJ+d1QzFf9cqmBlp0uXmGpL0bzEaHWIctjigSychmoL2Dw==",
-      "signed_at": "2026-05-11T23:30:00.508Z"
+      "signed_at": "2026-05-12T03:18:21.565Z"
     },
     {
       "name": "sector-healthcare",
@@ -1421,7 +1421,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "eiajFh7w7d4g+/crGalTtw9Qsu0deVsdHkdthZSy595ifGmgu0zaFD8usKThbPhOdUCCclTYkZYz5GalQmkhCw==",
-      "signed_at": "2026-05-11T23:30:00.509Z"
+      "signed_at": "2026-05-12T03:18:21.566Z"
     },
     {
       "name": "sector-financial",
@@ -1502,7 +1502,7 @@
         "TIBER-EU framework v2.0 alignment with DORA TLPT RTS (JC 2024/40); cross-recognition with CBEST and iCAST"
       ],
       "signature": "iSZR/fYESQVyjkcqj+O+yzU0BQfaELH5s7WizzUTWvDPDTD2ZyOnZTT1r/Zfx2l4mbPmVeFGWdYnnVFTk/i3Aw==",
-      "signed_at": "2026-05-11T23:30:00.509Z"
+      "signed_at": "2026-05-12T03:18:21.566Z"
     },
     {
       "name": "sector-federal-government",
@@ -1571,7 +1571,7 @@
         "Australia PSPF 2024 revision and ISM quarterly updates — track for Essential Eight Maturity Level requirements for federal entities"
       ],
       "signature": "Wjdo5YXEL8XeNZkaEueG1DOUoyalstNPzQkxD/cwP5iMrJWg/Ly+sC0Oluuqm3aU7d63z55PrbGQCJD0XVZqBg==",
-      "signed_at": "2026-05-11T23:30:00.509Z"
+      "signed_at": "2026-05-12T03:18:21.566Z"
     },
     {
       "name": "sector-energy",
@@ -1636,7 +1636,7 @@
         "ICS-CERT advisory feed (https://www.cisa.gov/news-events/cybersecurity-advisories/ics-advisories) for vendor CVEs in Siemens, Rockwell, Schneider Electric, ABB, GE Vernova, Hitachi Energy, AVEVA / OSIsoft PI"
       ],
       "signature": "c/l7dOHe0Zj6Ag3abUaEie6o0f8M4rhY5aPI9/wG4z6FDue9PzCVw8vUGoITFgg89g97lMfy2C3CE2PegQoFCw==",
-      "signed_at": "2026-05-11T23:30:00.510Z"
+      "signed_at": "2026-05-12T03:18:21.567Z"
     },
     {
       "name": "api-security",
@@ -1705,7 +1705,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "9FgcJvYeo07QxQ+mnVRQk4jYLDMO/AVSXMs8cueO2f/qMOTQmrhBMVhj5ze7hzvXpGkp7EK/3Q1XKqde61JMAg==",
-      "signed_at": "2026-05-11T23:30:00.510Z"
+      "signed_at": "2026-05-12T03:18:21.567Z"
     },
     {
       "name": "cloud-security",
@@ -1786,7 +1786,7 @@
         "CISA KEV additions for cloud-control-plane CVEs (IMDSv1 abuses, federation token mishandling, cross-tenant boundary failures); CISA Cybersecurity Advisories for cross-cloud advisories"
       ],
       "signature": "xRA0XZf7VPtuBtbsm41bay9yBLphw/hlL3YxIUrpko5g9ldM3oJe9o1qSwzIj/wSnQSI29qqPpNsnlks+HEOCA==",
-      "signed_at": "2026-05-11T23:30:00.510Z"
+      "signed_at": "2026-05-12T03:18:21.567Z"
     },
     {
       "name": "container-runtime-security",
@@ -1848,7 +1848,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "GcU50DStuN1gU/Evm/sFRgeieQbqffVp12rgbGnasRX89Q7kM4ltFXB+bgCXHIvICzYb78hPIifWQb9UVupWBQ==",
-      "signed_at": "2026-05-11T23:30:00.511Z"
+      "signed_at": "2026-05-12T03:18:21.568Z"
     },
     {
       "name": "mlops-security",
@@ -1919,7 +1919,7 @@
         "MITRE ATLAS v5.2 — track AML.T0010 sub-technique expansion and any new MLOps-pipeline-specific TTPs"
       ],
       "signature": "onIazpFoL1t4PMNRsoF06ggnl7BzCKjt0x+ZmVfWfyt1V06DgllsrbN3AAz4+g4jW2Sc71q0vIFKfwEUWpGVAQ==",
-      "signed_at": "2026-05-11T23:30:00.511Z"
+      "signed_at": "2026-05-12T03:18:21.568Z"
     },
     {
       "name": "incident-response-playbook",
@@ -1981,7 +1981,7 @@
         "NYDFS 23 NYCRR 500.17 amendments tightening ransom-payment 24h disclosure operationalization"
       ],
       "signature": "P0Yv4CtqbnBNP6nSIxQUYYHL7T7ci+iE7iE2UXVfnMPeWVdKG2nvRePjBXc3JZTLima1Txn/I5ocDNhLTIeUAQ==",
-      "signed_at": "2026-05-11T23:30:00.512Z"
+      "signed_at": "2026-05-12T03:18:21.569Z"
     },
     {
       "name": "email-security-anti-phishing",
@@ -2034,7 +2034,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "2pv81lLRbazpHqundCANb3YiLB4lkVsYctIDvI8rxSvHxhPS9jYXqmAoB5APSdDuOaew6XqpfZOehQUj9WmyBw==",
-      "signed_at": "2026-05-11T23:30:00.512Z"
+      "signed_at": "2026-05-12T03:18:21.569Z"
     },
     {
       "name": "age-gates-child-safety",
@@ -2102,7 +2102,7 @@
         "US state adult-site age-verification laws — 19+ states by mid-2026 (TX HB 18 upheld by SCOTUS June 2025 in Free Speech Coalition v. Paxton); track ongoing challenges in remaining states"
       ],
       "signature": "BJ/YYnGVXeSBaR9oWAVrcNX7Wz+kE8R4CghX6+XEI/qY89fyrkKNNwo2veqqf49wffJhHVJ1wTp8ZDECjNp+Dw==",
-      "signed_at": "2026-05-11T23:30:00.512Z"
+      "signed_at": "2026-05-12T03:18:21.569Z"
     }
   ]
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/exceptd-skills",
-  "version": "0.9.1",
+  "version": "0.9.2",
   "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 38 skills, 10 catalogs, 34 jurisdictions, pre-computed indexes, Ed25519-signed.",
   "keywords": [
     "ai-security",

package/sbom.cdx.json

@@ -1,10 +1,10 @@
 {
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:986fb119-b9a5-4395-9a40-62fdd3ab0a7b",
+  "serialNumber": "urn:uuid:80016ac3-f8be-40a6-9293-104d18229e7a",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-11T23:30:00.623Z",
+    "timestamp": "2026-05-12T03:18:21.678Z",
     "tools": [
       {
         "name": "hand-written",
@@ -13,10 +13,10 @@
       }
     ],
     "component": {
-      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.9.1",
+      "bom-ref": "pkg:npm/@blamejs/exceptd-skills@0.9.2",
       "type": "application",
       "name": "@blamejs/exceptd-skills",
-      "version": "0.9.1",
+      "version": "0.9.2",
       "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation. 38 skills, 10 catalogs, 34 jurisdictions, pre-computed indexes, Ed25519-signed.",
       "licenses": [
         {
@@ -25,11 +25,11 @@
           }
         }
       ],
-      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.9.1",
+      "purl": "pkg:npm/%40blamejs/exceptd-skills@0.9.2",
       "externalReferences": [
         {
           "type": "distribution",
-          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.9.1"
+          "url": "https://www.npmjs.com/package/@blamejs/exceptd-skills/v/0.9.2"
         },
         {
           "type": "vcs",