@blamejs/exceptd-skills 0.9.1

package/data/_indexes/summary-cards.json

@@ -0,0 +1,1736 @@
+{
+  "_meta": {
+    "schema_version": "1.0.0",
+    "note": "Compact per-skill abstract for researcher dispatch and AI consumer planning. See scripts/builders/summary-cards.js."
+  },
+  "skills": {
+    "kernel-lpe-triage": {
+      "description": "Assess Linux kernel LPE exposure — Copy Fail, Dirty Frag, live-patch vs. reboot remediation",
+      "threat_context_excerpt": "An AI system discovered this vulnerability in approximately one hour. It is a page-cache copy-on-write (CoW) primitive in the Linux kernel affecting all major distributions since kernel 4.14 (2017). Every major Linux distribution is affected: RHEL 7–9, Ubuntu 18.04–24.04, Debian 9–12, CentOS, Fedora, Amazon Linux 2/2023, SUSE 12/15, Alpine, and derivatives.",
+      "produces": "Produce this structure:\n\n```\n## Kernel LPE Exposure Assessment\n\n**Assessment Date:** YYYY-MM-DD  \n**Kernel Version:** x.x.x  \n**Distribution:** [name + version]\n\n### Exposure Summary\n| CVE | Status | Severity |\n|-----|--------|----------|\n| CVE-2026-31431 (Copy Fail) | [Exposed / Live-patched / Patched] | [Critical/High/Medium/Low] |\n| CVE-2026-43284 (Dirty Frag ESP) | [Exposed / Patched] | [Critical/High/Medium/Low] |\n| CVE-2026-43500 (Dirty Frag RxRPC) | [Exposed / Patched] | [Critical/High/Medium/Low] |\n\n### IPsec Control Impact\n[If applicable: which network controls are affected by Dirty F ...",
+      "key_xrefs": {
+        "cwe_refs": [
+          "CWE-125",
+          "CWE-362",
+          "CWE-416",
+          "CWE-672",
+          "CWE-787"
+        ],
+        "d3fend_refs": [
+          "D3-ASLR",
+          "D3-EAL",
+          "D3-PHRA",
+          "D3-PSEP"
+        ],
+        "framework_gaps": [
+          "NIST-800-53-SI-2",
+          "ISO-27001-2022-A.8.8",
+          "PCI-DSS-4.0-6.3.3",
+          "NIS2-Art21-patch-management",
+          "NIST-800-53-SC-8",
+          "CIS-Controls-v8-Control7"
+        ],
+        "atlas_refs": [],
+        "attack_refs": [
+          "T1068",
+          "T1548.001"
+        ],
+        "rfc_refs": [
+          "RFC-4301",
+          "RFC-4303",
+          "RFC-7296"
+        ],
+        "dlp_refs": []
+      },
+      "trigger_count": 9,
+      "atlas_count": 0,
+      "attack_count": 2,
+      "framework_gap_count": 6,
+      "cwe_count": 5,
+      "d3fend_count": 4,
+      "rfc_count": 3,
+      "last_threat_review": "2026-05-01",
+      "path": "skills/kernel-lpe-triage/skill.md",
+      "handoff_targets": [
+        "attack-surface-pentest",
+        "compliance-theater",
+        "defensive-countermeasure-mapping",
+        "exploit-scoring",
+        "policy-exception-gen"
+      ]
+    },
+    "ai-attack-surface": {
+      "description": "Comprehensive AI/ML attack surface assessment mapped to MITRE ATLAS v5.1.0 with gap flags",
+      "threat_context_excerpt": "The AI attack surface is not speculative. It is actively exploited. The following are confirmed, documented threats as of mid-2026.",
+      "produces": "```\n## AI Attack Surface Assessment\n\n**Assessment Date:** YYYY-MM-DD\n**Scope:** [systems/applications assessed]\n\n### Surface Inventory\n| Component | Type | External Input | Tool Use | Risk Level |\n|-----------|------|---------------|----------|------------|\n| [name] | [LLM app / MCP server / coding assistant] | [Yes/No] | [Yes/No] | [Critical/High/Medium/Low] |\n\n### Prompt Injection Exposure\n[Per component: injection surface score, current defenses, estimated bypass rate, recommended controls]\n\n### MCP Trust Assessment\n[Per installed MCP server: signed/unsigned, allowlist status, auth status,  ...",
+      "key_xrefs": {
+        "cwe_refs": [
+          "CWE-1039",
+          "CWE-1426",
+          "CWE-94"
+        ],
+        "d3fend_refs": [
+          "D3-IOPR",
+          "D3-NTA"
+        ],
+        "framework_gaps": [
+          "ALL-AI-PIPELINE-INTEGRITY",
+          "ALL-PROMPT-INJECTION-ACCESS-CONTROL",
+          "ISO-27001-2022-A.8.28",
+          "ISO-IEC-23894-2023-clause-7",
+          "NIST-800-53-AC-2",
+          "NIST-800-53-SI-3",
+          "OWASP-LLM-Top-10-2025-LLM01",
+          "OWASP-LLM-Top-10-2025-LLM02",
+          "SOC2-CC6-logical-access"
+        ],
+        "atlas_refs": [
+          "AML.T0043",
+          "AML.T0051",
+          "AML.T0054",
+          "AML.T0020",
+          "AML.T0096",
+          "AML.T0016",
+          "AML.T0017",
+          "AML.T0018"
+        ],
+        "attack_refs": [
+          "T1566",
+          "T1059",
+          "T1190"
+        ],
+        "rfc_refs": [],
+        "dlp_refs": []
+      },
+      "trigger_count": 9,
+      "atlas_count": 8,
+      "attack_count": 3,
+      "framework_gap_count": 9,
+      "cwe_count": 3,
+      "d3fend_count": 2,
+      "rfc_count": 0,
+      "last_threat_review": "2026-05-01",
+      "path": "skills/ai-attack-surface/skill.md",
+      "handoff_targets": []
+    },
+    "mcp-agent-trust": {
+      "description": "Enumerate MCP trust boundary failures — tool allowlisting, signed manifests, bearer auth, zero-interaction RCE",
+      "threat_context_excerpt": "The Model Context Protocol (MCP) is an open protocol for connecting AI assistants to external tools and data sources. It is now the standard integration layer for AI coding assistants: Cursor, VS Code + GitHub Copilot, Windsurf, Claude Code, and Gemini CLI all support MCP servers.",
+      "produces": "```\n## MCP Trust Assessment\n\n**Assessment Date:** YYYY-MM-DD\n**Scope:** [workstations / AI systems assessed]\n\n### Installed MCP Server Inventory\n| Server | Version | Source | Tools Exposed | Filesystem | Network | Shell | Auth Required | Allowlist |\n|--------|---------|--------|---------------|------------|---------|-------|---------------|-----------|\n\n### CVE-2026-30615 Exposure\n[Windsurf version check — patched/unpatched]\n\n### Trust Posture Score\n[Per server: Critical/High/Medium/Low with factor breakdown]\n\n### Immediate Actions Required\n[Servers to remove, versions to pin, configs to lock] ...",
+      "key_xrefs": {
+        "cwe_refs": [
+          "CWE-22",
+          "CWE-345",
+          "CWE-352",
+          "CWE-434",
+          "CWE-494",
+          "CWE-77",
+          "CWE-918",
+          "CWE-94"
+        ],
+        "d3fend_refs": [
+          "D3-CBAN",
+          "D3-CSPP",
+          "D3-EAL",
+          "D3-EHB",
+          "D3-MFA"
+        ],
+        "framework_gaps": [
+          "ALL-MCP-TOOL-TRUST",
+          "ISO-27001-2022-A.8.30",
+          "NIST-800-53-CM-7",
+          "NIST-800-53-SA-12",
+          "OWASP-LLM-Top-10-2025-LLM06",
+          "SOC2-CC9-vendor-management",
+          "SWIFT-CSCF-v2026-1.1"
+        ],
+        "atlas_refs": [
+          "AML.T0010",
+          "AML.T0016",
+          "AML.T0096"
+        ],
+        "attack_refs": [
+          "T1195.001",
+          "T1059",
+          "T1190"
+        ],
+        "rfc_refs": [
+          "RFC-6749",
+          "RFC-7519",
+          "RFC-8446",
+          "RFC-8725",
+          "RFC-9114",
+          "RFC-9421",
+          "RFC-9700"
+        ],
+        "dlp_refs": []
+      },
+      "trigger_count": 10,
+      "atlas_count": 3,
+      "attack_count": 3,
+      "framework_gap_count": 7,
+      "cwe_count": 8,
+      "d3fend_count": 5,
+      "rfc_count": 7,
+      "last_threat_review": "2026-05-01",
+      "path": "skills/mcp-agent-trust/skill.md",
+      "handoff_targets": [
+        "attack-surface-pentest",
+        "defensive-countermeasure-mapping",
+        "dlp-gap-analysis",
+        "framework-gap-analysis",
+        "supply-chain-integrity"
+      ]
+    },
+    "framework-gap-analysis": {
+      "description": "Feed a framework control ID and threat scenario — receive the gap between what the control covers and what current TTPs require",
+      "threat_context_excerpt": "Compliance frameworks lag the threat environment by years. Most active controls in NIST 800-53, ISO 27001:2022, SOC 2, PCI DSS 4.0, NIS2, and DORA were drafted against assumptions (human-speed exploit development, persistent inventoriable assets, human-controlled accounts) that current attacker TTPs no longer respect. Three concrete mid-2026 instances anchor the lag:",
+      "produces": "Every framework gap analysis this skill produces uses the following literal template. Sections are mandatory; empty sections fail Hard Rule #11 (no-MVP ban).\n\n```\n## Framework Lag Declaration\n\n**Control:** [Control ID] — [Control name]\n**Framework:** [Framework name, version, and section reference]\n**Threat:** [CVE ID / ATLAS TTP ID / ATT&CK TTP ID / threat scenario description]\n\n### 1. What the control was designed for\n[Plain-language statement of the control's original intent and the era/threat model\nit was drafted against. Cite the control text verbatim where possible.]\n\n### 2. What current ...",
+      "key_xrefs": {
+        "cwe_refs": [],
+        "d3fend_refs": [],
+        "framework_gaps": [],
+        "atlas_refs": [],
+        "attack_refs": [],
+        "rfc_refs": [],
+        "dlp_refs": []
+      },
+      "trigger_count": 9,
+      "atlas_count": 0,
+      "attack_count": 0,
+      "framework_gap_count": 0,
+      "cwe_count": 0,
+      "d3fend_count": 0,
+      "rfc_count": 0,
+      "last_threat_review": "2026-05-01",
+      "path": "skills/framework-gap-analysis/skill.md",
+      "handoff_targets": []
+    },
+    "compliance-theater": {
+      "description": "Detect where an organization passes an audit but remains exposed — seven documented compliance theater patterns",
+      "threat_context_excerpt": "The defining mid-2026 reality is that an organization can pass a clean ISO 27001:2022, SOC 2 Type II, or PCI DSS 4.0 audit while remaining exposed to KEV-listed deterministic LPEs and zero-interaction RCEs. The contrast cases drive every theater pattern below:",
+      "produces": "```\n## Compliance Theater Assessment\n\n**Date:** YYYY-MM-DD\n**Framework(s):** [in scope]\n\n### Theater Detection Results\n\n| Pattern | Finding | Key Evidence |\n|---------|---------|--------------|\n| Patch Management | THEATER / CLEAR | [e.g., \"CISA KEV average remediation time: 18 days\"] |\n| Network Segmentation (IPsec) | THEATER / CLEAR | [e.g., \"CVE-2026-43284 unpatched on 12 of 40 hosts using IPsec\"] |\n| Access Control (AI Agents) | THEATER / CLEAR | [e.g., \"No prompt-level logging on Copilot deployments\"] |\n| Incident Response (AI) | THEATER / CLEAR | [e.g., \"Zero AI-specific playbooks in IR  ...",
+      "key_xrefs": {
+        "cwe_refs": [],
+        "d3fend_refs": [],
+        "framework_gaps": [
+          "ALL-AI-PIPELINE-INTEGRITY",
+          "ALL-PROMPT-INJECTION-ACCESS-CONTROL",
+          "FedRAMP-Rev5-Moderate",
+          "CMMC-2.0-Level-2"
+        ],
+        "atlas_refs": [],
+        "attack_refs": [],
+        "rfc_refs": [],
+        "dlp_refs": []
+      },
+      "trigger_count": 7,
+      "atlas_count": 0,
+      "attack_count": 0,
+      "framework_gap_count": 4,
+      "cwe_count": 0,
+      "d3fend_count": 0,
+      "rfc_count": 0,
+      "last_threat_review": "2026-05-01",
+      "path": "skills/compliance-theater/skill.md",
+      "handoff_targets": []
+    },
+    "exploit-scoring": {
+      "description": "Real-World Exploit Priority (RWEP) scoring — CVSS plus KEV, PoC, AI-acceleration, blast radius, live-patch factors",
+      "threat_context_excerpt": "RWEP exists because the exploit development cycle has compressed. The factors that CVSS does not model are now the dominant signal in real-world prioritization.",
+      "produces": "```\n## Exploit Priority Assessment\n\n**CVE:** [ID]\n**Assessment Date:** YYYY-MM-DD\n\n### CVSS vs. RWEP\n| Metric | Score | Priority Band |\n|--------|-------|---------------|\n| CVSS | [score] | [None/Low/Medium/High/Critical] |\n| RWEP | [score] | [see table above] |\n| Delta | [RWEP - CVSS×10] | [Explain if significant] |\n\n### RWEP Factor Breakdown\n| Factor | Value | Points |\n|--------|-------|--------|\n| CISA KEV | Yes/No | +25/0 |\n| PoC Public | Yes/No | +20/0 |\n| AI-Assisted | Yes/No | +15/0 |\n| Active Exploitation | Confirmed/Suspected/No | +20/+10/0 |\n| Blast Radius | [description] | [0-15] |\n ...",
+      "key_xrefs": {
+        "cwe_refs": [],
+        "d3fend_refs": [],
+        "framework_gaps": [
+          "CWE-Top-25-2024-meta",
+          "CIS-Controls-v8-Control7"
+        ],
+        "atlas_refs": [],
+        "attack_refs": [],
+        "rfc_refs": [],
+        "dlp_refs": []
+      },
+      "trigger_count": 8,
+      "atlas_count": 0,
+      "attack_count": 0,
+      "framework_gap_count": 2,
+      "cwe_count": 0,
+      "d3fend_count": 0,
+      "rfc_count": 0,
+      "last_threat_review": "2026-05-01",
+      "path": "skills/exploit-scoring/skill.md",
+      "handoff_targets": []
+    },
+    "rag-pipeline-security": {
+      "description": "RAG-specific threat model — embedding manipulation, vector store poisoning, retrieval filter bypass, indirect prompt injection",
+      "threat_context_excerpt": "Retrieval-Augmented Generation (RAG) pipelines introduce a unique attack surface that exists at the intersection of traditional data security and AI-specific vulnerabilities. No current compliance framework has adequate controls for this attack surface. The threats in this skill are not theoretical — they have been demonstrated in research and observed in production incidents.",
+      "produces": "```\n## RAG Pipeline Security Assessment\n\n**Date:** YYYY-MM-DD\n**Knowledge Base:** [description]\n**Query Volume:** [requests/day estimate]\n\n### Pipeline Map\n[Ingestion → Chunking → Embedding → Store → Retrieval → Context → LLM → Output]\n\n### Attack Class Exposure\n| Attack Class | Possible | Attacker Access Required | Current Mitigations | Risk |\n|---|---|---|---|---|\n| Embedding manipulation (exfil) | | | | |\n| Vector store poisoning | | | | |\n| Chunking exploitation | | | | |\n| Retrieval filter bypass | | | | |\n| Indirect prompt injection | | | | |\n\n### RAG Security Score: [X/80]\n\n### Priority ...",
+      "key_xrefs": {
+        "cwe_refs": [
+          "CWE-1395",
+          "CWE-1426"
+        ],
+        "d3fend_refs": [
+          "D3-CSPP",
+          "D3-IOPR",
+          "D3-NTA"
+        ],
+        "framework_gaps": [
+          "ISO-27001-2022-A.8.28",
+          "NIST-800-53-SI-12",
+          "NIST-AI-RMF-MEASURE-2.5",
+          "OWASP-LLM-Top-10-2025-LLM08"
+        ],
+        "atlas_refs": [
+          "AML.T0020",
+          "AML.T0043",
+          "AML.T0051",
+          "AML.T0054"
+        ],
+        "attack_refs": [
+          "T1565"
+        ],
+        "rfc_refs": [],
+        "dlp_refs": []
+      },
+      "trigger_count": 7,
+      "atlas_count": 4,
+      "attack_count": 1,
+      "framework_gap_count": 4,
+      "cwe_count": 2,
+      "d3fend_count": 3,
+      "rfc_count": 0,
+      "last_threat_review": "2026-05-01",
+      "path": "skills/rag-pipeline-security/skill.md",
+      "handoff_targets": [
+        "ai-attack-surface",
+        "attack-surface-pentest",
+        "defensive-countermeasure-mapping",
+        "dlp-gap-analysis",
+        "supply-chain-integrity"
+      ]
+    },
+    "ai-c2-detection": {
+      "description": "Detect adversary use of AI APIs as covert C2 — SesameOp pattern, PROMPTFLUX/PROMPTSTEAL behavioral signatures",
+      "threat_context_excerpt": "The SesameOp campaign documented a technique that has since been replicated and expanded: adversaries repurposing legitimate AI agent APIs as covert command-and-control channels.",
+      "produces": "```\n## AI C2 Detection Assessment\n\n**Date:** YYYY-MM-DD\n**Scope:** [hosts / network segments assessed]\n\n### Current Detection Coverage\n| Detection Layer | Deployed | Coverage |\n|---|---|---|\n| Process-level AI API baseline | Yes/No | [% of host types covered] |\n| Behavioral correlation (AI + file/cred/scan) | Yes/No | [configured correlations] |\n| TLS inspection for AI traffic | Yes/No | [% of AI API traffic] |\n| Response monitoring | Yes/No | [coverage] |\n\n### Coverage Gaps\n[What's missing from the detection architecture]\n\n### Active Indicators\n[If this is a live investigation: current IOCs,  ...",
+      "key_xrefs": {
+        "cwe_refs": [],
+        "d3fend_refs": [
+          "D3-CA",
+          "D3-CSPP",
+          "D3-DA",
+          "D3-IOPR",
+          "D3-NI",
+          "D3-NTA",
+          "D3-NTPM"
+        ],
+        "framework_gaps": [
+          "NIST-800-53-SI-3",
+          "NIST-800-53-SC-7",
+          "ISO-27001-2022-A.8.16",
+          "SOC2-CC7-anomaly-detection"
+        ],
+        "atlas_refs": [
+          "AML.T0096",
+          "AML.T0017"
+        ],
+        "attack_refs": [
+          "T1071",
+          "T1102",
+          "T1568"
+        ],
+        "rfc_refs": [
+          "RFC-8446",
+          "RFC-9180",
+          "RFC-9458",
+          "RFC-9421",
+          "RFC-9114",
+          "RFC-9000"
+        ],
+        "dlp_refs": []
+      },
+      "trigger_count": 9,
+      "atlas_count": 2,
+      "attack_count": 3,
+      "framework_gap_count": 4,
+      "cwe_count": 0,
+      "d3fend_count": 7,
+      "rfc_count": 6,
+      "last_threat_review": "2026-05-01",
+      "path": "skills/ai-c2-detection/skill.md",
+      "handoff_targets": [
+        "attack-surface-pentest",
+        "compliance-theater",
+        "defensive-countermeasure-mapping",
+        "dlp-gap-analysis",
+        "mcp-agent-trust"
+      ]
+    },
+    "policy-exception-gen": {
+      "description": "Generate defensible policy exceptions for architectural realities — ephemeral infra, AI pipelines, ZTA, no-reboot patching",
+      "threat_context_excerpt": "Most non-trivial mid-2026 production architectures break the literal reading of at least one major framework control. Serverless functions break asset-inventory language; immutable container images break in-place patch-window language; LLM API dependencies break change-management language; Zero Trust environments break network-segmentation language. Where the organization has no defensible exception process, only two outcomes remain: (1) the organization claims compliance falsely (theater) or (2) the audit blocks the architecture entirely.",
+      "produces": "Produce a complete, signed exception document using the applicable template above, populated with:\n- Specific control ID and text\n- Specific system or environment scope\n- Specific architectural constraint\n- Specific compensating controls with tool names and SLAs\n- Residual risk statement\n- Named risk owner\n- Expiration date or condition\n\n---",
+      "key_xrefs": {
+        "cwe_refs": [
+          "CWE-1188"
+        ],
+        "d3fend_refs": [],
+        "framework_gaps": [],
+        "atlas_refs": [],
+        "attack_refs": [],
+        "rfc_refs": [],
+        "dlp_refs": []
+      },
+      "trigger_count": 8,
+      "atlas_count": 0,
+      "attack_count": 0,
+      "framework_gap_count": 0,
+      "cwe_count": 1,
+      "d3fend_count": 0,
+      "rfc_count": 0,
+      "last_threat_review": "2026-05-01",
+      "path": "skills/policy-exception-gen/skill.md",
+      "handoff_targets": []
+    },
+    "threat-model-currency": {
+      "description": "Score how current an org's threat model is against 2026 reality — 14-item checklist, currency percentage, prioritized update roadmap",
+      "threat_context_excerpt": "Most organizational threat models in circulation today are 2022–2024 vintage. They were written before the operational reality of mid-2026:",
+      "produces": "```\n## Threat Model Currency Assessment\n\n**Date:** YYYY-MM-DD\n**Threat Model Version:** [document version / last update date]\n\n### Currency Score: [X / 28] = [percentage]%\n**Rating:** [Current / Mostly current / Partially current / Significantly stale / Critically stale]\n\n### Class-by-Class Scoring\n| # | Threat Class | Score | Finding |\n|---|---|---|---|\n| 1 | AI-Discovered Kernel Vulnerabilities | 0/1/2 | [specific gap or confirmation] |\n| 2 | Deterministic Kernel LPE | 0/1/2 | |\n| 3 | IPsec Subsystem Exploitation | 0/1/2 | |\n| 4 | Prompt Injection as Enterprise RCE | 0/1/2 | |\n| 5 | MCP Supp ...",
+      "key_xrefs": {
+        "cwe_refs": [],
+        "d3fend_refs": [],
+        "framework_gaps": [],
+        "atlas_refs": [],
+        "attack_refs": [],
+        "rfc_refs": [],
+        "dlp_refs": []
+      },
+      "trigger_count": 6,
+      "atlas_count": 0,
+      "attack_count": 0,
+      "framework_gap_count": 0,
+      "cwe_count": 0,
+      "d3fend_count": 0,
+      "rfc_count": 0,
+      "last_threat_review": "2026-05-01",
+      "path": "skills/threat-model-currency/skill.md",
+      "handoff_targets": []
+    },
+    "global-grc": {
+      "description": "Multi-jurisdiction GRC mapping — EU (GDPR/NIS2/DORA/EU AI Act/CRA), UK, AU, SG, JP, IN, CA, ISO 27001:2022, CSA CCM v4",
+      "threat_context_excerpt": "US-only GRC posture is structurally incomplete for any organisation operating across EU, UK, AU, SG, IN, JP, or CA in mid-2026. The following regulatory instruments are in force or about to be, and have no direct US-framework equivalent:",
+      "produces": "```\n## Global GRC Assessment\n\n**Date:** YYYY-MM-DD\n**Jurisdictions in scope:** [list]\n**Sectors:** [list]\n\n### Applicable Framework Matrix\n| Framework | Jurisdiction | Trigger | Notification | Penalties | AI Coverage |\n|-----------|-------------|---------|--------------|-----------|-------------|\n\n### Fastest Notification Requirement\n[Which jurisdiction, which framework, what timeline]\n\n### Strictest AI/Security Requirements\n[For current threats: which framework is most demanding]\n\n### Universal Gaps\n[Threats that no applicable framework covers adequately]\n\n### Per-Threat Framework Mapping\n[Fo ...",
+      "key_xrefs": {
+        "cwe_refs": [],
+        "d3fend_refs": [],
+        "framework_gaps": [],
+        "atlas_refs": [],
+        "attack_refs": [],
+        "rfc_refs": [],
+        "dlp_refs": []
+      },
+      "trigger_count": 13,
+      "atlas_count": 0,
+      "attack_count": 0,
+      "framework_gap_count": 0,
+      "cwe_count": 0,
+      "d3fend_count": 0,
+      "rfc_count": 0,
+      "last_threat_review": "2026-05-01",
+      "path": "skills/global-grc/skill.md",
+      "handoff_targets": []
+    },
+    "zeroday-gap-learn": {
+      "description": "Run the zero-day learning loop — CVE to attack vector to control gap to framework gap to new control requirement",
+      "threat_context_excerpt": "The zero-day learning cycle has compressed. The frameworks have not.",
+      "produces": "```\n## Zero-Day Learning Loop: [CVE-ID / Vulnerability Name]\n\n**Date:** YYYY-MM-DD\n**RWEP:** [score]\n\n### Attack Vector\n[Extracted attack vector analysis]\n\n### Defense Chain Analysis\n| Layer | Required Control | Framework Coverage |\n|---|---|---|\n| Prevention | [control] | [Covered/Insufficient/Missing] |\n| Detection | [control] | [Covered/Insufficient/Missing] |\n| Response | [control] | [Covered/Insufficient/Missing] |\n\n### Framework Coverage Matrix\n[Per-framework table]\n\n### Gap Classification\n[Missing entirely / Insufficient / Compliant-but-exposed]\n\n### New Control Requirements\n[Generated  ...",
+      "key_xrefs": {
+        "cwe_refs": [],
+        "d3fend_refs": [],
+        "framework_gaps": [],
+        "atlas_refs": [],
+        "attack_refs": [],
+        "rfc_refs": [],
+        "dlp_refs": []
+      },
+      "trigger_count": 7,
+      "atlas_count": 0,
+      "attack_count": 0,
+      "framework_gap_count": 0,
+      "cwe_count": 0,
+      "d3fend_count": 0,
+      "rfc_count": 0,
+      "last_threat_review": "2026-05-01",
+      "path": "skills/zeroday-gap-learn/skill.md",
+      "handoff_targets": []
+    },
+    "pqc-first": {
+      "description": "Post-quantum cryptography first mentality — hard version gates (OpenSSL 3.5+), algorithm sunset tracking, HNDL assessment, loopback learning for NIST/IETF evolution",
+      "threat_context_excerpt": "The post-quantum migration is not a planning exercise. It is an operational deadline against an adversary that is already collecting ciphertext.",
+      "produces": "```\n## PQC Readiness Assessment\n\n**Date:** YYYY-MM-DD\n**OpenSSL version:** [X.X.X] — [Pass ≥3.5.0 / FAIL]\n\n### Algorithm Inventory\n| Usage | Current Algorithm | PQC Status | Version Gate | Migration Required |\n|---|---|---|---|---|\n\n### HNDL Exposure\n| Data Type | Sensitivity Window | Key Exchange | HNDL Risk | Action |\n|---|---|---|---|---|\n\n### Version Gate Compliance\n[Per library: pass/fail with specific version found]\n\n### Migration Roadmap\n[Priority-ordered, specific to this system's algorithm inventory]\n\n### Forward Watch Status\n[Which tracked standards have updated since last review; wh ...",
+      "key_xrefs": {
+        "cwe_refs": [
+          "CWE-327"
+        ],
+        "d3fend_refs": [
+          "D3-FE",
+          "D3-MENCR"
+        ],
+        "framework_gaps": [
+          "NIST-800-53-SC-8",
+          "NIST-800-53-SC-28"
+        ],
+        "atlas_refs": [],
+        "attack_refs": [],
+        "rfc_refs": [
+          "RFC-8446",
+          "DRAFT-IETF-TLS-ECDHE-MLKEM",
+          "DRAFT-IETF-TLS-HYBRID-DESIGN",
+          "RFC-9180",
+          "RFC-9420",
+          "RFC-9794",
+          "RFC-8032",
+          "RFC-9106"
+        ],
+        "dlp_refs": []
+      },
+      "trigger_count": 14,
+      "atlas_count": 0,
+      "attack_count": 0,
+      "framework_gap_count": 2,
+      "cwe_count": 1,
+      "d3fend_count": 2,
+      "rfc_count": 8,
+      "last_threat_review": "2026-05-01",
+      "path": "skills/pqc-first/skill.md",
+      "handoff_targets": []
+    },
+    "skill-update-loop": {
+      "description": "Meta-skill for keeping all exceptd skills current — CISA KEV triggers, ATLAS version updates, framework amendments, forward_watch resolution, currency scoring",
+      "threat_context_excerpt": null,
+      "produces": "```\n## Skill Update Loop Report\n\n**Date:** YYYY-MM-DD\n**Last Full Review:** [date from manifest.json]\n\n### Unprocessed Triggers\n| Trigger Type | Item | Affected Skills | Urgency |\n|---|---|---|---|\n\n### Skill Currency Scores\n| Skill | Last Review | Currency Score | Status |\n|---|---|---|---|\n\n### Prioritized Update Tasks\n[Ordered by urgency: specific skill, specific section, specific required change]\n\n### Forward Watch Status\n[Per skill's forward_watch items: resolved/pending/newly added]\n```\n\n---",
+      "key_xrefs": {
+        "cwe_refs": [],
+        "d3fend_refs": [],
+        "framework_gaps": [],
+        "atlas_refs": [],
+        "attack_refs": [],
+        "rfc_refs": [],
+        "dlp_refs": []
+      },
+      "trigger_count": 10,
+      "atlas_count": 0,
+      "attack_count": 0,
+      "framework_gap_count": 0,
+      "cwe_count": 0,
+      "d3fend_count": 0,
+      "rfc_count": 0,
+      "last_threat_review": "2026-05-01",
+      "path": "skills/skill-update-loop/skill.md",
+      "handoff_targets": []
+    },
+    "security-maturity-tiers": {
+      "description": "Three-tier implementation roadmap — MVP (ship this week), Practical (scalable today), Overkill (defense-in-depth)",
+      "threat_context_excerpt": "The 2026 threat baseline forces an MVP that would have looked like a Practical tier in 2022. The cardinal observed change: attacker capability now compresses the time from disclosure to reliable exploitation to hours for an entire class of vulnerabilities, and AI-mediated attack surfaces (prompt injection, MCP supply chain, AI-API C2) sit outside the perimeter and identity controls every framework relies on. The implications by tier:",
+      "produces": "```\n## Security Maturity Roadmap\n\n**Date:** YYYY-MM-DD\n**Domains in scope:** [list]\n**Current state:** [assessment]\n**Constraint:** [time / team / compliance / budget]\n\n### Priority Sequence\n[Week 1 / Month 1 / Quarter 1 / Year 1 items]\n\n### Domain: [name]\n\n#### Tier 1 — MVP (Ship this week)\n[Specific commands, configurations, verification steps]\n**Done when:** [concrete completion criteria]\n**Cost:** [hours, no new tools needed / minimal tooling]\n\n#### Tier 2 — Practical (Quarter 1)\n[Scalable, monitored, sustainable]\n**Adds:** [what Tier 1 misses that Tier 2 provides]\n**Cost:** [operational o ...",
+      "key_xrefs": {
+        "cwe_refs": [
+          "CWE-1188"
+        ],
+        "d3fend_refs": [],
+        "framework_gaps": [],
+        "atlas_refs": [],
+        "attack_refs": [],
+        "rfc_refs": [],
+        "dlp_refs": []
+      },
+      "trigger_count": 12,
+      "atlas_count": 0,
+      "attack_count": 0,
+      "framework_gap_count": 0,
+      "cwe_count": 1,
+      "d3fend_count": 0,
+      "rfc_count": 0,
+      "last_threat_review": "2026-05-01",
+      "path": "skills/security-maturity-tiers/skill.md",
+      "handoff_targets": []
+    },
+    "researcher": {
+      "description": "Triage entry-point for raw threat intel — researches an input across all exceptd data catalogs, RWEP-scores it, and routes the operator to the right specialized skill(s)",
+      "threat_context_excerpt": "Most security teams in mid-2026 sit on a torrent of raw threat input: CISA KEV additions, vendor advisories, ATLAS updates, red-team reports, internal SIEM alerts, framework amendment bulletins, supply-chain notices. The two failure modes are symmetric and equally damaging.",
+      "produces": "```\n# Researcher Triage Report — <input>\n\n## What this is\n<one-line classification + canonical reference>\nExample: \"CVE — Linux kernel LPE. Canonical: CVE-2026-31431 (Copy Fail).\"\n\n## RWEP-anchored priority\nRWEP: <score> / 100   CVSS: <score> (for compatibility, not primary)\nDrivers: <CISA KEV: yes/no> | <Public PoC: yes/no> | <AI-discovered/AI-accelerated: yes/no> | <Blast radius: scope> | <Live-patch: available/unavailable> | <Reboot required: yes/no>\nDeterminism: <deterministic / probabilistic with race> | Exploit size: <bytes or LOC if known>\nCatalog status: <full entry present | partial | ...",
+      "key_xrefs": {
+        "cwe_refs": [],
+        "d3fend_refs": [],
+        "framework_gaps": [],
+        "atlas_refs": [],
+        "attack_refs": [],
+        "rfc_refs": [],
+        "dlp_refs": []
+      },
+      "trigger_count": 10,
+      "atlas_count": 0,
+      "attack_count": 0,
+      "framework_gap_count": 0,
+      "cwe_count": 0,
+      "d3fend_count": 0,
+      "rfc_count": 0,
+      "last_threat_review": "2026-05-11",
+      "path": "skills/researcher/skill.md",
+      "handoff_targets": []
+    },
+    "attack-surface-pentest": {
+      "description": "Modern attack surface management + pen testing methodology for AI-era environments — NIST 800-115, OWASP WSTG, PTES, ATT&CK-driven adversary emulation, TIBER-EU",
+      "threat_context_excerpt": "The attack surface is no longer a list of internet-facing IPs and web apps. By mid-2026 the surface a competent adversary maps for a target enterprise includes seven distinct, simultaneously exploitable layers — and the typical pen test scope covers two of them.",
+      "produces": "```\n## Penetration Test Report — [Engagement Name]\n\n**Engagement window:** [start] – [end]\n**Tester(s) / firm:** [names + certifications]\n**Authorising party:** [client representative]\n**Scope reference:** [PTES Pre-engagement document / TIBER-EU TI-Provider report / equivalent]\n\n### 1. Executive summary\n- Top 5 findings by RWEP, one sentence each.\n- Defense-in-depth verdict: which layers held, which failed.\n- Zero-trust verdict: were implicit-trust crossings reachable?\n- Overall posture characterisation against the mid-2026 attack surface.\n\n### 2. Scope and rules of engagement\n[Verbatim or re ...",
+      "key_xrefs": {
+        "cwe_refs": [
+          "CWE-1395",
+          "CWE-22",
+          "CWE-269",
+          "CWE-352",
+          "CWE-434",
+          "CWE-732",
+          "CWE-78",
+          "CWE-787",
+          "CWE-79",
+          "CWE-89",
+          "CWE-918"
+        ],
+        "d3fend_refs": [
+          "D3-CSPP",
+          "D3-EAL",
+          "D3-NTA"
+        ],
+        "framework_gaps": [
+          "NIST-800-115",
+          "OWASP-Pen-Testing-Guide-v5",
+          "PTES-Pre-engagement",
+          "NIS2-Art21-patch-management"
+        ],
+        "atlas_refs": [
+          "AML.T0043",
+          "AML.T0051",
+          "AML.T0010"
+        ],
+        "attack_refs": [
+          "T1190",
+          "T1133",
+          "T1059",
+          "T1078"
+        ],
+        "rfc_refs": [],
+        "dlp_refs": []
+      },
+      "trigger_count": 11,
+      "atlas_count": 3,
+      "attack_count": 4,
+      "framework_gap_count": 4,
+      "cwe_count": 11,
+      "d3fend_count": 3,
+      "rfc_count": 0,
+      "last_threat_review": "2026-05-11",
+      "path": "skills/attack-surface-pentest/skill.md",
+      "handoff_targets": []
+    },
+    "fuzz-testing-strategy": {
+      "description": "Continuous fuzzing as a security control — coverage-guided fuzz (AFL++/libFuzzer), AI-assisted fuzz, OSS-Fuzz integration, kernel fuzz (syzkaller), AI-API fuzz, integration into CI/CD as compliance evidence",
+      "threat_context_excerpt": "By mid-2026 the asymmetry between offensive and defensive fuzzing has flipped. The defender's question is no longer \"should we fuzz?\" — it is \"are we fuzzing as fast as attackers are fuzzing us?\"",
+      "produces": "```\n## Fuzz Posture Assessment\n\n**Assessment Date:** YYYY-MM-DD\n**Component / Estate:** [scope]\n**Assessor:** [role]\n\n### Fuzz-Eligible Interface Inventory\n| Interface | Class | Harness Present | Tool | CI-Gated | Last Run |\n|---|---|---|---|---|---|\n| [name] | parser/IPC/API/kernel/LLM | Yes/No | [AFL++/libFuzzer/syzkaller/RESTler/garak/...] | Yes/No | YYYY-MM-DD |\n\n### Coverage Report\n| Harness | Line Coverage | Branch Coverage | CPU-Hours / Release | Uncovered Reachable Code |\n|---|---|---|---|---|\n| [name] | [N]% | [N]% | [N] | [list of un-fuzzed reachable functions] |\n\n### Crash Inventory ...",
+      "key_xrefs": {
+        "cwe_refs": [
+          "CWE-125",
+          "CWE-20",
+          "CWE-362",
+          "CWE-416",
+          "CWE-78",
+          "CWE-787"
+        ],
+        "d3fend_refs": [
+          "D3-EAL",
+          "D3-IOPR",
+          "D3-PSEP"
+        ],
+        "framework_gaps": [
+          "NIST-800-218-SSDF",
+          "NIST-800-115",
+          "OWASP-ASVS-v5.0-V14"
+        ],
+        "atlas_refs": [
+          "AML.T0043"
+        ],
+        "attack_refs": [
+          "T1190"
+        ],
+        "rfc_refs": [],
+        "dlp_refs": []
+      },
+      "trigger_count": 11,
+      "atlas_count": 1,
+      "attack_count": 1,
+      "framework_gap_count": 3,
+      "cwe_count": 6,
+      "d3fend_count": 3,
+      "rfc_count": 0,
+      "last_threat_review": "2026-05-11",
+      "path": "skills/fuzz-testing-strategy/skill.md",
+      "handoff_targets": []
+    },
+    "dlp-gap-analysis": {
+      "description": "DLP gap analysis for mid-2026 — legacy DLP misses LLM prompts, MCP tool args, RAG retrievals, embedding-store exfil, and code-completion telemetry. Audit channels, classifiers, protected surfaces, enforcement actions, and evidence trails against modern threat reality and cross-jurisdictional privacy regimes",
+      "threat_context_excerpt": "DLP's protected surface inverted between 2024 and 2026. Crown-jewel data is no longer \"rows in this database\" — it is \"anything that crosses an LLM context window.\" Legacy DLP (outbound email, web upload, USB removable media) is solved in the sense that every commercial DLP suite covers those channels and every prescriptive framework cites them. The compliance-relevant exfiltration channels of 2026 are different: free-form LLM prompts, file attachments and RAG retrievals placed into model context, MCP tool-call arguments, code-completion context windows, IDE and dev-tool telemetry, and ...",
+      "produces": "```\n## DLP Gap Analysis\n\n**Date:** YYYY-MM-DD\n**Scope:** [org units, tenants, network segments assessed]\n**Frameworks in scope:** [list, including jurisdictions]\n\n### AI Tool Inventory (Step 1)\n| Tool | Sanctioned? | Identities Using | First Seen | Channel(s) |\n|---|---|---|---|---|\n\n### Channel × Surface × Control Matrix (Steps 2–4)\nFor each tool × channel × protected surface intersection: which DLP control applies (ID from `data/dlp-controls.json`), deployment state (Deployed / Deployed-untuned-for-AI / Absent), residual risk note.\n\n### Gap Register (Step 5)\n| Gap ID | Channel × Surface | Mi ...",
+      "key_xrefs": {
+        "cwe_refs": [
+          "CWE-1426",
+          "CWE-200"
+        ],
+        "d3fend_refs": [
+          "D3-CSPP",
+          "D3-EAL",
+          "D3-IOPR",
+          "D3-NTA",
+          "D3-NTPM"
+        ],
+        "framework_gaps": [
+          "NIST-800-53-SC-7",
+          "ISO-27001-2022-A.8.16",
+          "ISO-IEC-42001-2023-clause-6.1.2",
+          "HIPAA-Security-Rule-164.312(a)(1)",
+          "SOC2-CC7-anomaly-detection",
+          "NIST-800-53-SC-28"
+        ],
+        "atlas_refs": [
+          "AML.T0096",
+          "AML.T0017",
+          "AML.T0051"
+        ],
+        "attack_refs": [
+          "T1567",
+          "T1530",
+          "T1213",
+          "T1041"
+        ],
+        "rfc_refs": [
+          "RFC-8446",
+          "RFC-9458"
+        ],
+        "dlp_refs": []
+      },
+      "trigger_count": 14,
+      "atlas_count": 3,
+      "attack_count": 4,
+      "framework_gap_count": 6,
+      "cwe_count": 2,
+      "d3fend_count": 5,
+      "rfc_count": 2,
+      "last_threat_review": "2026-05-11",
+      "path": "skills/dlp-gap-analysis/skill.md",
+      "handoff_targets": []
+    },
+    "supply-chain-integrity": {
+      "description": "Supply-chain integrity for mid-2026 — SLSA L3+, in-toto attestations, Sigstore signing, SBOM (CycloneDX/SPDX), VEX via CSAF 2.0, AI-generated code provenance, model weights as supply-chain artifacts",
+      "threat_context_excerpt": "The supply chain has expanded far beyond \"a vulnerable dependency in npm or PyPI.\" In mid-2026 the in-scope artifacts are every build-pipeline input, every CI runner image, every container base, every transitive package, every model weight loaded at inference time, and every snippet of code generated by an AI coding assistant and committed to the repository.",
+      "produces": "```\n## Supply-Chain Integrity Assessment\n\n**Assessment Date:** YYYY-MM-DD\n**Scope:** [pipelines / repositories / model registries / runtime environments assessed]\n**Frameworks in scope:** [NIST 800-218 SSDF | NIST 800-161 | ISO 27001:2022 A.5.21 | EU CRA | EU AI Act | UK NCSC | AU ISM / IRAP | PCI 4.0]\n\n### Pipeline SLSA Scorecard\n| Pipeline | Type (CI / model-train / AI-codegen) | Runner | Current SLSA Level | Provenance Signed? | Attestation Chain? | Gap |\n\n### SBOM Coverage\n| Artifact Class | Format (CycloneDX 1.6 / SPDX 3.0) | Build-Time SBOM | Deploy-Time SBOM | ML-BOM Where Applicable |  ...",
+      "key_xrefs": {
+        "cwe_refs": [
+          "CWE-1357",
+          "CWE-1395",
+          "CWE-494",
+          "CWE-502",
+          "CWE-829"
+        ],
+        "d3fend_refs": [
+          "D3-CBAN",
+          "D3-EAL",
+          "D3-EHB"
+        ],
+        "framework_gaps": [
+          "NIST-800-218-SSDF",
+          "SLSA-v1.0-Build-L3",
+          "VEX-CSAF-v2.1",
+          "CycloneDX-v1.6-SBOM",
+          "SPDX-v3.0-SBOM",
+          "NIST-800-53-SA-12",
+          "HITRUST-CSF-v11.4-09.l",
+          "SWIFT-CSCF-v2026-1.1",
+          "FedRAMP-Rev5-Moderate",
+          "CMMC-2.0-Level-2"
+        ],
+        "atlas_refs": [
+          "AML.T0010",
+          "AML.T0018"
+        ],
+        "attack_refs": [
+          "T1195.001",
+          "T1195.002",
+          "T1554"
+        ],
+        "rfc_refs": [
+          "RFC-8032"
+        ],
+        "dlp_refs": []
+      },
+      "trigger_count": 14,
+      "atlas_count": 2,
+      "attack_count": 3,
+      "framework_gap_count": 10,
+      "cwe_count": 5,
+      "d3fend_count": 3,
+      "rfc_count": 1,
+      "last_threat_review": "2026-05-11",
+      "path": "skills/supply-chain-integrity/skill.md",
+      "handoff_targets": []
+    },
+    "defensive-countermeasure-mapping": {
+      "description": "Map offensive findings (CVE / TTP / framework gap) to MITRE D3FEND defensive countermeasures with explicit defense-in-depth, least-privilege, and zero-trust layering",
+      "threat_context_excerpt": "ATT&CK and ATLAS are now load-bearing in SOC detection engineering. Detection content is written against technique IDs; red-team reports are mapped to technique IDs; threat intel feeds emit technique IDs. The result: the offensive side of every blue-team discussion is technique-grained and crisp.",
+      "produces": "```\n# Defensive Countermeasure Map — <input>\n\n## What this is\n<one-line classification + canonical reference>\nExample: \"CVE — Linux kernel LPE. Canonical: CVE-2026-31431 (Copy Fail).\"\n\n## Offensive technique set (input to D3FEND query)\n- <AML.Txxxx / Txxxx / CWE-xxx list, with one-line descriptions>\n\n## Defensive-coverage map\n| D3FEND ID | Name | Tactic (DiD layer) | Privilege scope | ZT posture | Deployed? | AI-pipeline applicable? | Framework controls partially mapped | Live-tunable? |\n|-----------|------|--------------------|-----------------|------------|-----------|----------------------- ...",
+      "key_xrefs": {
+        "cwe_refs": [],
+        "d3fend_refs": [
+          "D3-ASLR",
+          "D3-CA",
+          "D3-CBAN",
+          "D3-CSPP",
+          "D3-DA",
+          "D3-EAL",
+          "D3-EHB",
+          "D3-FAPA",
+          "D3-FE",
+          "D3-IOPR",
+          "D3-MENCR",
+          "D3-MFA",
+          "D3-NI",
+          "D3-NTA",
+          "D3-NTPM",
+          "D3-PA",
+          "D3-PHRA",
+          "D3-PSEP",
+          "D3-RPA",
+          "D3-SCP"
+        ],
+        "framework_gaps": [],
+        "atlas_refs": [],
+        "attack_refs": [],
+        "rfc_refs": [],
+        "dlp_refs": []
+      },
+      "trigger_count": 11,
+      "atlas_count": 0,
+      "attack_count": 0,
+      "framework_gap_count": 0,
+      "cwe_count": 0,
+      "d3fend_count": 20,
+      "rfc_count": 0,
+      "last_threat_review": "2026-05-11",
+      "path": "skills/defensive-countermeasure-mapping/skill.md",
+      "handoff_targets": []
+    },
+    "identity-assurance": {
+      "description": "Identity assurance for mid-2026 — NIST 800-63 AAL/IAL/FAL, FIDO2/WebAuthn passkeys, OIDC/SAML/SCIM, agent-as-principal identity, short-lived workload tokens, OAuth 2.0 + RFC 9700 BCP",
+      "threat_context_excerpt": "Identity is the new perimeter, and the perimeter expanded. The 2026 principal population is no longer \"humans + service accounts\" — it now includes AI agents acting on behalf of users, MCP servers exchanging short-lived tokens, and ephemeral workload identities minted per function invocation. Each of these is a principal that authenticates, holds scopes, and shows up in audit logs — and each was outside the design envelope of every identity standard in production use before NIST 800-63 rev 4 (Q4 2025).",
+      "produces": "```\n## Identity Assurance Assessment\n\n**Assessment Date:** YYYY-MM-DD\n**Scope:** [org units / IdPs / SaaS apps / workload clusters / AI-agent fleets in scope]\n**Jurisdictions:** [EU NIS2 / DORA, UK CAF, AU ISM, ISO 27001, plus IL INCD / CH FINMA / JP FISC / SG MAS / IN CERT-In / NY DFS where applicable]\n\n### Per-Principal Assurance Scorecard\n| Principal | Class (Human/Service/Agent) | Current AAL | Target AAL | Current IAL | Target IAL | Current FAL | Target FAL | Gap |\n|-----------|----------------------------|-------------|------------|-------------|------------|-------------|------------|-- ...",
+      "key_xrefs": {
+        "cwe_refs": [
+          "CWE-269",
+          "CWE-287",
+          "CWE-306",
+          "CWE-732",
+          "CWE-798",
+          "CWE-862",
+          "CWE-863"
+        ],
+        "d3fend_refs": [],
+        "framework_gaps": [
+          "NIST-800-63B-rev4",
+          "NIST-800-53-AC-2",
+          "ISO-27001-2022-A.8.30",
+          "SOC2-CC6-logical-access",
+          "PSD2-RTS-SCA"
+        ],
+        "atlas_refs": [
+          "AML.T0051"
+        ],
+        "attack_refs": [
+          "T1078",
+          "T1556",
+          "T1110"
+        ],
+        "rfc_refs": [
+          "RFC-7519",
+          "RFC-8725",
+          "RFC-6749",
+          "RFC-9700",
+          "RFC-8032"
+        ],
+        "dlp_refs": []
+      },
+      "trigger_count": 16,
+      "atlas_count": 1,
+      "attack_count": 3,
+      "framework_gap_count": 5,
+      "cwe_count": 7,
+      "d3fend_count": 0,
+      "rfc_count": 5,
+      "last_threat_review": "2026-05-11",
+      "path": "skills/identity-assurance/skill.md",
+      "handoff_targets": [
+        "compliance-theater",
+        "defensive-countermeasure-mapping",
+        "dlp-gap-analysis",
+        "mcp-agent-trust",
+        "supply-chain-integrity"
+      ]
+    },
+    "ot-ics-security": {
+      "description": "OT / ICS security for mid-2026 — NIST 800-82r3, IEC 62443-3-3, NERC CIP, IT/OT convergence risks, AI-augmented HMI threats, ICS-specific TTPs (ATT&CK for ICS)",
+      "threat_context_excerpt": "OT is no longer air-gapped. The \"air gap\" is a label on a Visio file, not a property of the production network. IT/OT convergence is a fait decompli at every Tier-1 operator and most Tier-2/3 manufacturers, utilities, and water authorities:",
+      "produces": "Produce this structure verbatim:\n\n```\n## OT / ICS Security Posture Assessment\n\n**Assessment Date:** YYYY-MM-DD\n**Site / Operator:** [name]\n**Process(es) in scope:** [e.g., crude distillation unit; 500kV substation; water treatment Train A]\n**Regulatory jurisdictions:** [US/NERC, EU/NIS2, UK/CAF, AU/SOCI+AESCSF, ...]\n\n### Purdue-Level Asset Inventory\n| Level | Assets (count + class) | OS / Firmware Range | Avg Age (years) | Patch Posture |\n|-------|------------------------|---------------------|-----------------|----------------|\n| L0    | ...                    | ...                 | ...      ...",
+      "key_xrefs": {
+        "cwe_refs": [
+          "CWE-287",
+          "CWE-798",
+          "CWE-306",
+          "CWE-1037"
+        ],
+        "d3fend_refs": [],
+        "framework_gaps": [
+          "NIST-800-82r3",
+          "IEC-62443-3-3",
+          "NERC-CIP-007-6-R4",
+          "NIS2-Art21-patch-management"
+        ],
+        "atlas_refs": [
+          "AML.T0010"
+        ],
+        "attack_refs": [
+          "T0855",
+          "T0883",
+          "T1190",
+          "T1068"
+        ],
+        "rfc_refs": [],
+        "dlp_refs": []
+      },
+      "trigger_count": 15,
+      "atlas_count": 1,
+      "attack_count": 4,
+      "framework_gap_count": 4,
+      "cwe_count": 4,
+      "d3fend_count": 0,
+      "rfc_count": 0,
+      "last_threat_review": "2026-05-11",
+      "path": "skills/ot-ics-security/skill.md",
+      "handoff_targets": [
+        "ai-attack-surface",
+        "attack-surface-pentest",
+        "compliance-theater",
+        "defensive-countermeasure-mapping",
+        "framework-gap-analysis",
+        "global-grc",
+        "identity-assurance",
+        "kernel-lpe-triage",
+        "mcp-agent-trust",
+        "policy-exception-gen",
+        "supply-chain-integrity"
+      ]
+    },
+    "coordinated-vuln-disclosure": {
+      "description": "Coordinated Vulnerability Disclosure for mid-2026 — ISO 29147 (disclosure) + ISO 30111 (handling) + VDP + bug bounty + CSAF 2.0 advisories + security.txt + EU CRA / NIS2 regulator-mandated disclosure + AI vulnerability classes",
+      "threat_context_excerpt": "CVD is no longer optional, and \"we have a security@ alias\" is no longer a program.",
+      "produces": "The skill produces seven artifacts per program assessment:\n\n### 1. CVD Policy Text (ISO 29147 template)\n\n```\n# Coordinated Vulnerability Disclosure Policy — <Organization>\n\n## Scope\nIn scope: <list of products / services / AI systems>\nOut of scope: <list of assets / behaviors>\nAI-systems statement: <explicit scope for model behavior, prompt-injection classes,\ntraining-data, RAG corpora, agent toolchains — or explicit exclusion>\n\n## Safe Harbor\nWe will not pursue legal action for security research conducted in good faith\nwithin the scope and rules below. Specifically: ...\n\n## How to Report\nCont ...",
+      "key_xrefs": {
+        "cwe_refs": [
+          "CWE-1357"
+        ],
+        "d3fend_refs": [],
+        "framework_gaps": [
+          "NIST-800-218-SSDF",
+          "ISO-27001-2022-A.8.8",
+          "SOC2-CC9-vendor-management"
+        ],
+        "atlas_refs": [],
+        "attack_refs": [],
+        "rfc_refs": [],
+        "dlp_refs": []
+      },
+      "trigger_count": 12,
+      "atlas_count": 0,
+      "attack_count": 0,
+      "framework_gap_count": 3,
+      "cwe_count": 1,
+      "d3fend_count": 0,
+      "rfc_count": 0,
+      "last_threat_review": "2026-05-11",
+      "path": "skills/coordinated-vuln-disclosure/skill.md",
+      "handoff_targets": [
+        "attack-surface-pentest",
+        "compliance-theater",
+        "defensive-countermeasure-mapping",
+        "exploit-scoring",
+        "framework-gap-analysis",
+        "fuzz-testing-strategy",
+        "global-grc",
+        "supply-chain-integrity",
+        "zeroday-gap-learn"
+      ]
+    },
+    "threat-modeling-methodology": {
+      "description": "Threat modeling methodologies for mid-2026 — STRIDE, PASTA, LINDDUN (privacy), Cyber Kill Chain, Diamond Model, MITRE Unified Kill Chain, AI-system threat modeling, agent-based threat modeling",
+      "threat_context_excerpt": "Most \"threat models\" in circulation in mid-2026 are STRIDE diagrams of 2018–2022 vintage. Their failure modes are concrete and current:",
+      "produces": "```\n## Threat Model — <system name>\n**Date:** YYYY-MM-DD\n**Methodology:** <STRIDE-ML + LINDDUN + Diamond | Unified Kill Chain v3.0 | composite ...>\n**Methodology rationale:** <why this combination, not others>\n**Currency triggers:** <list of upstream changes that will require re-run>\n\n### 1. Scope and Actor Inventory\n| Actor | Type (human/service/AI/data) | Trust boundary | Minimum-scope authorisation | Notes |\n|---|---|---|---|---|\n\n### 2. AI / Agent Inventory (required if any AI actor present)\n| Agent | Runtime | Tool-call surface | Plugins / MCP servers | Decides on its own | Escalates to | ...",
+      "key_xrefs": {
+        "cwe_refs": [],
+        "d3fend_refs": [],
+        "framework_gaps": [
+          "ISO-27001-2022-A.8.28",
+          "ISO-IEC-23894-2023-clause-7",
+          "ISO-IEC-42001-2023-clause-6.1.2",
+          "NIST-800-218-SSDF"
+        ],
+        "atlas_refs": [],
+        "attack_refs": [],
+        "rfc_refs": [],
+        "dlp_refs": []
+      },
+      "trigger_count": 13,
+      "atlas_count": 0,
+      "attack_count": 0,
+      "framework_gap_count": 4,
+      "cwe_count": 0,
+      "d3fend_count": 0,
+      "rfc_count": 0,
+      "last_threat_review": "2026-05-11",
+      "path": "skills/threat-modeling-methodology/skill.md",
+      "handoff_targets": [
+        "ai-attack-surface",
+        "defensive-countermeasure-mapping",
+        "framework-gap-analysis",
+        "mcp-agent-trust",
+        "rag-pipeline-security",
+        "researcher",
+        "threat-model-currency",
+        "zeroday-gap-learn"
+      ]
+    },
+    "webapp-security": {
+      "description": "Web application security for mid-2026 — OWASP Top 10 2025, OWASP ASVS v5, CWE root-cause coverage, AI-generated code weakness drift, server-rendered vs SPA tradeoffs, defense-in-depth across the request lifecycle",
+      "threat_context_excerpt": "Webapps still ship CWE-79 (Cross-Site Scripting), CWE-89 (SQL Injection), and CWE-22 (Path Traversal) at rates the industry was supposed to have engineered out of existence by 2018. The reason is not mystery — it is AI codegen drift. Coding assistants (GitHub Copilot, Cursor, Windsurf, Claude Code, Codex, Gemini Code Assist) reintroduce OWASP-Top-10-class weaknesses into new code at roughly the rate human review removed them during the 2010s. Industry analysis published in early 2026 across several large-codebase studies converges on the same order of magnitude: approximately **30% of ...",
+      "produces": "```\n## Web Application Security Assessment\n\n**Assessment Date:** YYYY-MM-DD\n**Scope:** [app/repo names, route count, in-scope environments]\n**ASVS Target Level:** [L1 / L2 / L3, with justification by data sensitivity]\n\n### Per-Route Risk Matrix\n| Route | Auth Required | Data Class | CWE Root-Cause Risks | Current Controls | AI-Codegen Blast Radius | RWEP | Remediation |\n|-------|---------------|------------|----------------------|------------------|-------------------------|------|-------------|\n| POST /api/upload | role:editor | regulated | CWE-434, CWE-22, CWE-78 | content-type allowlist; ma ...",
+      "key_xrefs": {
+        "cwe_refs": [
+          "CWE-22",
+          "CWE-77",
+          "CWE-78",
+          "CWE-79",
+          "CWE-89",
+          "CWE-94",
+          "CWE-200",
+          "CWE-269",
+          "CWE-287",
+          "CWE-352",
+          "CWE-434",
+          "CWE-502",
+          "CWE-732",
+          "CWE-862",
+          "CWE-863",
+          "CWE-918",
+          "CWE-1188"
+        ],
+        "d3fend_refs": [],
+        "framework_gaps": [
+          "OWASP-ASVS-v5.0-V14",
+          "OWASP-LLM-Top-10-2025-LLM01",
+          "NIST-800-218-SSDF",
+          "ISO-27001-2022-A.8.28"
+        ],
+        "atlas_refs": [
+          "AML.T0051"
+        ],
+        "attack_refs": [
+          "T1190",
+          "T1059",
+          "T1505"
+        ],
+        "rfc_refs": [
+          "RFC-8446",
+          "RFC-9114",
+          "RFC-7519",
+          "RFC-8725"
+        ],
+        "dlp_refs": []
+      },
+      "trigger_count": 15,
+      "atlas_count": 1,
+      "attack_count": 3,
+      "framework_gap_count": 4,
+      "cwe_count": 17,
+      "d3fend_count": 0,
+      "rfc_count": 4,
+      "last_threat_review": "2026-05-11",
+      "path": "skills/webapp-security/skill.md",
+      "handoff_targets": [
+        "ai-attack-surface",
+        "ai-c2-detection",
+        "attack-surface-pentest",
+        "defensive-countermeasure-mapping",
+        "fuzz-testing-strategy",
+        "identity-assurance",
+        "supply-chain-integrity",
+        "threat-modeling-methodology"
+      ]
+    },
+    "ai-risk-management": {
+      "description": "AI governance and risk management for mid-2026 — ISO/IEC 23894 risk process, ISO/IEC 42001 management system, NIST AI RMF, EU AI Act high-risk obligations, AI impact assessments, AI red-team programs, AI incident lifecycle",
+      "threat_context_excerpt": "AI governance moved from voluntary to mandatory between 2024 and 2026. The transition has three concrete dates that anchor the current state of the practice:",
+      "produces": "```\n## AI Risk Management Programme — <organisation / scope>\n**Assessment Date:** YYYY-MM-DD\n**Standards in scope:** ISO/IEC 42001:2023 | ISO/IEC 23894:2023 | NIST AI RMF 1.0 | EU AI Act (2024/1689) | <jurisdiction-specific frameworks>\n**EU AI Act enforcement reference date:** 2026-08-02 (high-risk system obligations fully enforceable)\n\n### 1. AI Inventory Ledger\n| ID | Name | Owner | Runtime | Data tier | EU AI Act risk tier | Personal data? | Tool-call surface | MCP servers | Dependencies |\n|---|---|---|---|---|---|---|---|---|---|\n\n### 2. AI Impact Assessment Register\n| Use case ID | EU AI  ...",
+      "key_xrefs": {
+        "cwe_refs": [
+          "CWE-1426",
+          "CWE-1039"
+        ],
+        "d3fend_refs": [],
+        "framework_gaps": [
+          "ISO-IEC-42001-2023-clause-6.1.2",
+          "ISO-IEC-23894-2023-clause-7",
+          "NIST-AI-RMF-MEASURE-2.5",
+          "OWASP-LLM-Top-10-2025-LLM01"
+        ],
+        "atlas_refs": [
+          "AML.T0051",
+          "AML.T0096",
+          "AML.T0017"
+        ],
+        "attack_refs": [],
+        "rfc_refs": [],
+        "dlp_refs": []
+      },
+      "trigger_count": 13,
+      "atlas_count": 3,
+      "attack_count": 0,
+      "framework_gap_count": 4,
+      "cwe_count": 2,
+      "d3fend_count": 0,
+      "rfc_count": 0,
+      "last_threat_review": "2026-05-11",
+      "path": "skills/ai-risk-management/skill.md",
+      "handoff_targets": [
+        "ai-attack-surface",
+        "compliance-theater",
+        "coordinated-vuln-disclosure",
+        "dlp-gap-analysis",
+        "framework-gap-analysis",
+        "global-grc",
+        "identity-assurance",
+        "mcp-agent-trust",
+        "rag-pipeline-security",
+        "threat-modeling-methodology",
+        "zeroday-gap-learn"
+      ]
+    },
+    "sector-healthcare": {
+      "description": "Healthcare sector cybersecurity for mid-2026 — HIPAA + HITRUST + HL7 FHIR security, medical device cyber (FDA + EU MDR), AI-in-healthcare under EU AI Act + FDA AI/ML SaMD guidance, patient data flows through LLM clinical tools",
+      "threat_context_excerpt": "Healthcare has been the most targeted sector for ransomware for three consecutive years, and that ranking has not changed entering mid-2026:",
+      "produces": "Produce this structure verbatim:\n\n```\n## Healthcare Sector Security Posture Assessment\n\n**Assessment Date:** YYYY-MM-DD\n**Entity:** [name] (covered entity / business associate / device vendor / digital-health platform)\n**Scope:** [e.g., EHR + ambient-doc pilots + 3 device families; HMO national; payer + provider arms]\n**Regulatory jurisdictions:** [US HHS-OCR + FDA, EU AI Act + MDR, UK ICO + MHRA, ...]\n\n### HIPAA Technical-Safeguard Scorecard\n| §164.312 Control | Implementation | Adequacy vs current TTPs | Theater Risk |\n|------------------|----------------|--------------------------|--------- ...",
+      "key_xrefs": {
+        "cwe_refs": [
+          "CWE-200",
+          "CWE-287",
+          "CWE-862",
+          "CWE-1426"
+        ],
+        "d3fend_refs": [],
+        "framework_gaps": [
+          "HIPAA-Security-Rule-164.312(a)(1)",
+          "HITRUST-CSF-v11.4-09.l",
+          "ISO-27001-2022-A.8.30",
+          "NIST-800-53-AC-2"
+        ],
+        "atlas_refs": [
+          "AML.T0051",
+          "AML.T0017"
+        ],
+        "attack_refs": [
+          "T1078",
+          "T1530",
+          "T1567"
+        ],
+        "rfc_refs": [
+          "RFC-7519",
+          "RFC-9421"
+        ],
+        "dlp_refs": []
+      },
+      "trigger_count": 14,
+      "atlas_count": 2,
+      "attack_count": 3,
+      "framework_gap_count": 4,
+      "cwe_count": 4,
+      "d3fend_count": 0,
+      "rfc_count": 2,
+      "last_threat_review": "2026-05-11",
+      "path": "skills/sector-healthcare/skill.md",
+      "handoff_targets": [
+        "ai-attack-surface",
+        "compliance-theater",
+        "coordinated-vuln-disclosure",
+        "dlp-gap-analysis",
+        "exploit-scoring",
+        "framework-gap-analysis",
+        "global-grc",
+        "identity-assurance",
+        "mcp-agent-trust",
+        "ot-ics-security",
+        "policy-exception-gen",
+        "supply-chain-integrity"
+      ]
+    },
+    "sector-financial": {
+      "description": "Financial services cybersecurity for mid-2026 — EU DORA TLPT, PSD2 RTS-SCA, SWIFT CSCF v2026, NYDFS 23 NYCRR 500, FFIEC CAT, MAS TRM, APRA CPS 234, IL BoI Directive 361, OSFI B-13; Threat-Led Pen Testing schemes TIBER-EU + CBEST + iCAST",
+      "threat_context_excerpt": "Financial services is the most-regulated sector for cybersecurity globally and the regulation cadence is accelerating, not slowing. As of mid-2026 every Tier-1 bank, payments processor, broker-dealer, insurer, and significant financial-market infrastructure operates under multiple binding cyber regimes simultaneously. The threat landscape that drives those regimes has shifted materially since 2023.",
+      "produces": "Produce this structure verbatim:\n\n```\n## Financial Sector Cybersecurity Posture Assessment\n\n**Assessment Date:** YYYY-MM-DD\n**Institution / Entity:** [name]\n**Regulatory exposure:** [EU DORA / UK FCA+PRA / US NYDFS / AU APRA / SG MAS / HK HKMA / IL BoI / CA OSFI / JP FISC / BR BCB / ...]\n**Critical or important functions in scope:** [list per DORA Art. 8 / equivalent]\n\n### DORA Register of Information Snapshot (where applicable)\n| ICT Third-Party | Service | Critical/Important Function Supported | Concentration Risk | Exit Strategy | Last Assessment |\n\n### PSD2 RTS-SCA Evidence Pack\n| Payment  ...",
+      "key_xrefs": {
+        "cwe_refs": [
+          "CWE-287",
+          "CWE-862",
+          "CWE-863",
+          "CWE-798",
+          "CWE-352"
+        ],
+        "d3fend_refs": [],
+        "framework_gaps": [
+          "PSD2-RTS-SCA",
+          "SWIFT-CSCF-v2026-1.1",
+          "NIST-800-53-AC-2",
+          "SOC2-CC6-logical-access"
+        ],
+        "atlas_refs": [
+          "AML.T0096",
+          "AML.T0017"
+        ],
+        "attack_refs": [
+          "T1078",
+          "T1190",
+          "T1486",
+          "T1567"
+        ],
+        "rfc_refs": [
+          "RFC-8446",
+          "RFC-7519",
+          "RFC-8725",
+          "RFC-9421"
+        ],
+        "dlp_refs": []
+      },
+      "trigger_count": 17,
+      "atlas_count": 2,
+      "attack_count": 4,
+      "framework_gap_count": 4,
+      "cwe_count": 5,
+      "d3fend_count": 0,
+      "rfc_count": 4,
+      "last_threat_review": "2026-05-11",
+      "path": "skills/sector-financial/skill.md",
+      "handoff_targets": [
+        "ai-attack-surface",
+        "attack-surface-pentest",
+        "compliance-theater",
+        "coordinated-vuln-disclosure",
+        "dlp-gap-analysis",
+        "framework-gap-analysis",
+        "global-grc",
+        "identity-assurance",
+        "mcp-agent-trust",
+        "policy-exception-gen",
+        "supply-chain-integrity"
+      ]
+    },
+    "sector-federal-government": {
+      "description": "Federal government + defense contractor cybersecurity for mid-2026 — FedRAMP Rev5, CMMC 2.0, EO 14028, NIST 800-171/172 CUI, FISMA, M-22-09 federal Zero Trust, OMB M-24-04 AI risk, CISA BOD/ED; cross-jurisdiction NCSC UK, ENISA EUCC, AU PSPF, IL government cyber methodology",
+      "threat_context_excerpt": "Federal government and defense industrial base (DIB) cybersecurity in mid-2026 is defined by five overlapping transformations driven by Executive Order 14028 (May 2021) and its successor directives:",
+      "produces": "```\n## Federal Government / DIB Cybersecurity Assessment\n\n**Assessment Date:** YYYY-MM-DD\n**Scope:** [federal agency / DIB contractor / federal cloud workload / multi-jurisdiction government]\n**Baselines in scope:** [FedRAMP Rev5 Moderate | FedRAMP Rev5 High | CMMC 2.0 Level 1/2/3 | NIST 800-171 Rev 2/3 | NIST 800-172 | FISMA | M-22-09 | M-24-04 | UK GovAssure | EU NIS2 public admin | AU PSPF/ISM E8 | IL CDM v2.1]\n**Phased rollout exposure (CMMC):** [Phase 1 / 2 / 3 / 4]\n\n### FedRAMP Package Status\n| Attribute | Value | Gap |\n| Authorization type | JAB P-ATO / Agency ATO | |\n| Baseline | Moder ...",
+      "key_xrefs": {
+        "cwe_refs": [
+          "CWE-1357",
+          "CWE-1395",
+          "CWE-829"
+        ],
+        "d3fend_refs": [],
+        "framework_gaps": [
+          "FedRAMP-Rev5-Moderate",
+          "CMMC-2.0-Level-2",
+          "NIST-800-218-SSDF",
+          "SLSA-v1.0-Build-L3"
+        ],
+        "atlas_refs": [],
+        "attack_refs": [
+          "T1190",
+          "T1195.001",
+          "T1554"
+        ],
+        "rfc_refs": [
+          "RFC-8032",
+          "RFC-8446"
+        ],
+        "dlp_refs": []
+      },
+      "trigger_count": 16,
+      "atlas_count": 0,
+      "attack_count": 3,
+      "framework_gap_count": 4,
+      "cwe_count": 3,
+      "d3fend_count": 0,
+      "rfc_count": 2,
+      "last_threat_review": "2026-05-11",
+      "path": "skills/sector-federal-government/skill.md",
+      "handoff_targets": [
+        "ai-attack-surface",
+        "ai-c2-detection",
+        "attack-surface-pentest",
+        "compliance-theater",
+        "framework-gap-analysis",
+        "global-grc",
+        "identity-assurance",
+        "pqc-first",
+        "supply-chain-integrity"
+      ]
+    },
+    "sector-energy": {
+      "description": "Electric power + oil & gas + water/wastewater + renewable-integration cybersecurity for mid-2026 — NERC CIP v6/v7, NIST 800-82r3, TSA Pipeline SD-2021-02C, AWWA cyber, EU NIS2 energy + NCCS-G (cross-border electricity), AU AESCSF + SOCI, ENISA energy sector",
+      "threat_context_excerpt": "State-sponsored targeting of energy infrastructure has escalated, not plateaued.",
+      "produces": "Produce this structure verbatim:\n\n```\n## Energy-Sector Cybersecurity Posture Assessment\n\n**Assessment Date:** YYYY-MM-DD\n**Operator / Site:** [name]\n**Sub-sector(s):** [electric T&D / generation / market ops / pipeline / water / DER aggregation / EV charging]\n**Regulatory jurisdictions:** [US/NERC + TSA + AWWA + state PUCs; EU/NIS2 + NCCS-G + CER; UK/CAF; AU/SOCI+AESCSF; JP/NISC+METI; IL/INCD; other]\n\n### Asset Class Inventory (Purdue + Energy Overlay)\n| Class | Count | Vendor Mix | Protocol Mix | IEC 62351 Status | Avg Age (years) | Patch Posture |\n|-------|-------|------------|-------------- ...",
+      "key_xrefs": {
+        "cwe_refs": [
+          "CWE-287",
+          "CWE-798",
+          "CWE-306",
+          "CWE-1037"
+        ],
+        "d3fend_refs": [],
+        "framework_gaps": [
+          "NERC-CIP-007-6-R4",
+          "NIST-800-82r3",
+          "IEC-62443-3-3",
+          "NIS2-Art21-patch-management"
+        ],
+        "atlas_refs": [],
+        "attack_refs": [
+          "T0855",
+          "T0883",
+          "T1190",
+          "T1078"
+        ],
+        "rfc_refs": [],
+        "dlp_refs": []
+      },
+      "trigger_count": 15,
+      "atlas_count": 0,
+      "attack_count": 4,
+      "framework_gap_count": 4,
+      "cwe_count": 4,
+      "d3fend_count": 0,
+      "rfc_count": 0,
+      "last_threat_review": "2026-05-11",
+      "path": "skills/sector-energy/skill.md",
+      "handoff_targets": [
+        "ai-attack-surface",
+        "attack-surface-pentest",
+        "compliance-theater",
+        "coordinated-vuln-disclosure",
+        "framework-gap-analysis",
+        "global-grc",
+        "identity-assurance",
+        "kernel-lpe-triage",
+        "mcp-agent-trust",
+        "ot-ics-security",
+        "policy-exception-gen",
+        "rag-pipeline-security",
+        "supply-chain-integrity"
+      ]
+    },
+    "api-security": {
+      "description": "API security for mid-2026 — OWASP API Top 10 2023, AI-API specific (rate limits, prompt-shape egress, MCP HTTP transport), GraphQL + gRPC + REST + WebSocket attack surfaces, API gateway posture, BOLA/BFLA/SSRF/Mass Assignment",
+      "threat_context_excerpt": "APIs are now the integration substrate of every non-trivial system. The mid-2026 enterprise app is a thin shell of UI calling a fan-out of REST, GraphQL, gRPC, and WebSocket APIs — many of which themselves call **AI-API services** (OpenAI, Anthropic, Google Gemini, AWS Bedrock, Azure OpenAI) on the user's behalf. Legacy web-application firewalls were built for HTML form posts and inspect REST badly, GraphQL barely, gRPC binary framing not at all, and AI-API egress not at all. The defensive perimeter has moved from the WAF to the **API gateway and the egress policy**.",
+      "produces": "```\n## API Security Assessment\n\n**Assessment Date:** YYYY-MM-DD\n**Scope:** [API surfaces in scope — REST / GraphQL / gRPC / WebSocket / MCP — environments]\n**OWASP API Top 10 2023 Target:** [verification level + justification by data sensitivity]\n\n### API Inventory (by Protocol)\n| Protocol | Endpoint / Service | Auth Model | Schema Source | Data Class | AI-API Consumption | Provenance | Inventory Status |\n|----------|--------------------|------------|---------------|------------|--------------------|------------|------------------|\n| REST | GET /api/v1/orders/{id} | OAuth bearer (JWT) | OpenAP ...",
+      "key_xrefs": {
+        "cwe_refs": [
+          "CWE-287",
+          "CWE-862",
+          "CWE-863",
+          "CWE-918",
+          "CWE-200",
+          "CWE-352",
+          "CWE-22",
+          "CWE-77",
+          "CWE-1188"
+        ],
+        "d3fend_refs": [],
+        "framework_gaps": [
+          "OWASP-ASVS-v5.0-V14",
+          "NIST-800-218-SSDF",
+          "ISO-27001-2022-A.8.28",
+          "NIST-800-53-AC-2"
+        ],
+        "atlas_refs": [
+          "AML.T0096",
+          "AML.T0017"
+        ],
+        "attack_refs": [
+          "T1190",
+          "T1078",
+          "T1567"
+        ],
+        "rfc_refs": [
+          "RFC-8446",
+          "RFC-9114",
+          "RFC-7519",
+          "RFC-8725",
+          "RFC-6749",
+          "RFC-9700",
+          "RFC-9421"
+        ],
+        "dlp_refs": []
+      },
+      "trigger_count": 14,
+      "atlas_count": 2,
+      "attack_count": 3,
+      "framework_gap_count": 4,
+      "cwe_count": 9,
+      "d3fend_count": 0,
+      "rfc_count": 7,
+      "last_threat_review": "2026-05-11",
+      "path": "skills/api-security/skill.md",
+      "handoff_targets": [
+        "ai-c2-detection",
+        "defensive-countermeasure-mapping",
+        "dlp-gap-analysis",
+        "identity-assurance",
+        "mcp-agent-trust",
+        "webapp-security"
+      ]
+    },
+    "cloud-security": {
+      "description": "Cloud security for mid-2026 — CSPM/CWPP/CNAPP posture, CSA CCM v4, AWS/Azure/GCP shared responsibility, cloud workload identity federation, runtime security with eBPF, AI workloads on cloud",
+      "threat_context_excerpt": "Cloud is where AI runs. Every consequential AI service — OpenAI, Anthropic, Google Gemini, AWS Bedrock, Azure OpenAI, GCP Vertex AI — is a multi-tenant cloud workload. Every enterprise that consumes those services is exposing some portion of its corpus, its prompts, and its access tokens across a shared-tenancy boundary that the consumer does not administer. Every enterprise that hosts its own AI inference (Bedrock with custom models, Azure OpenAI deployments, SageMaker endpoints, Vertex endpoints, GKE/EKS/AKS-hosted vLLM / TGI / Triton) inherits the full posture of the underlying cloud ...",
+      "produces": "Produce this structure verbatim:\n\n```\n## Cloud Security Posture Assessment\n\n**Assessment Date:** YYYY-MM-DD\n**Operator:** [name]\n**Clouds in scope:** [AWS, Azure, GCP, OCI, Alibaba, ...]\n**AI-service providers in scope:** [Bedrock, Azure OpenAI, Vertex, OpenAI, Anthropic, ...]\n**Regulatory jurisdictions:** [US/FedRAMP/NYDFS, EU/NIS2/DORA/GDPR, UK/GovAssure, AU/IRAP, JP/ISMAP, SG/MTCS, IN/MeitY, BR/LGPD, CN/MLPS2.0, ...]\n\n### Multi-Cloud Account Inventory\n| CSP | Accounts / Subscriptions / Projects | Regions Active | IaC Coverage | Governance (Org / MG / Folder) |\n\n### CSPM Scorecard (per accou ...",
+      "key_xrefs": {
+        "cwe_refs": [
+          "CWE-287",
+          "CWE-862",
+          "CWE-732",
+          "CWE-200",
+          "CWE-1188",
+          "CWE-798"
+        ],
+        "d3fend_refs": [],
+        "framework_gaps": [
+          "NIST-800-53-CM-7",
+          "ISO-27001-2022-A.8.30",
+          "SOC2-CC9-vendor-management",
+          "FedRAMP-Rev5-Moderate"
+        ],
+        "atlas_refs": [
+          "AML.T0010",
+          "AML.T0017"
+        ],
+        "attack_refs": [
+          "T1078",
+          "T1530",
+          "T1190",
+          "T1552"
+        ],
+        "rfc_refs": [
+          "RFC-8446",
+          "RFC-9180",
+          "RFC-7519",
+          "RFC-8725"
+        ],
+        "dlp_refs": []
+      },
+      "trigger_count": 15,
+      "atlas_count": 2,
+      "attack_count": 4,
+      "framework_gap_count": 4,
+      "cwe_count": 6,
+      "d3fend_count": 0,
+      "rfc_count": 4,
+      "last_threat_review": "2026-05-11",
+      "path": "skills/cloud-security/skill.md",
+      "handoff_targets": [
+        "ai-c2-detection",
+        "api-security",
+        "compliance-theater",
+        "defensive-countermeasure-mapping",
+        "dlp-gap-analysis",
+        "framework-gap-analysis",
+        "global-grc",
+        "identity-assurance",
+        "kernel-lpe-triage",
+        "mcp-agent-trust",
+        "policy-exception-gen",
+        "supply-chain-integrity"
+      ]
+    },
+    "container-runtime-security": {
+      "description": "Container + Kubernetes runtime security for mid-2026 — CIS K8s Benchmark, NSA/CISA Hardening, Pod Security Standards, Kyverno/Gatekeeper admission, Sigstore policy-controller, eBPF runtime detection (Falco/Tetragon), AI inference workload hardening",
+      "threat_context_excerpt": "Kubernetes is no longer \"the cloud-native orchestrator.\" It is the AI inference runtime. KServe, vLLM, Triton Inference Server, Ray Serve, Seldon, BentoML, and the Hugging Face TGI / text-generation-inference family all ship as K8s workloads. Anywhere there is a production LLM endpoint in mid-2026 there is a K8s cluster underneath it, and the cluster's hardening posture is the LLM endpoint's hardening posture.",
+      "produces": "Produce this structure verbatim:\n\n```\n## Container + Kubernetes Runtime Security Posture Assessment\n\n**Assessment Date:** YYYY-MM-DD\n**Cluster(s) in scope:** [cluster name + K8s version + distribution (EKS / GKE / AKS / OpenShift / Rancher / k0s / Talos / kubeadm) + node OS]\n**Workload classes in scope:** [general microservices / AI inference (KServe / vLLM / Triton / Ray Serve) / data / batch]\n**Regulatory jurisdictions:** [US / EU NIS2+CRA / UK NCSC CAF / AU ISM / IL INCD / SG GovTech / TW CSMA / sector-specific]\n\n### CIS Kubernetes Benchmark Scorecard\n| Section | Total Checks | Pass | Fail  ...",
+      "key_xrefs": {
+        "cwe_refs": [
+          "CWE-269",
+          "CWE-732",
+          "CWE-1188",
+          "CWE-787",
+          "CWE-1395"
+        ],
+        "d3fend_refs": [],
+        "framework_gaps": [
+          "NIST-800-53-CM-7",
+          "ISO-27001-2022-A.8.28",
+          "SLSA-v1.0-Build-L3"
+        ],
+        "atlas_refs": [
+          "AML.T0010"
+        ],
+        "attack_refs": [
+          "T1610",
+          "T1611",
+          "T1068",
+          "T1190"
+        ],
+        "rfc_refs": [
+          "RFC-8446",
+          "RFC-8032"
+        ],
+        "dlp_refs": []
+      },
+      "trigger_count": 17,
+      "atlas_count": 1,
+      "attack_count": 4,
+      "framework_gap_count": 3,
+      "cwe_count": 5,
+      "d3fend_count": 0,
+      "rfc_count": 2,
+      "last_threat_review": "2026-05-11",
+      "path": "skills/container-runtime-security/skill.md",
+      "handoff_targets": [
+        "ai-attack-surface",
+        "ai-risk-management",
+        "attack-surface-pentest",
+        "cloud-security",
+        "compliance-theater",
+        "defensive-countermeasure-mapping",
+        "framework-gap-analysis",
+        "global-grc",
+        "identity-assurance",
+        "kernel-lpe-triage",
+        "mcp-agent-trust",
+        "mlops-security",
+        "policy-exception-gen",
+        "rag-pipeline-security",
+        "sector-federal-government",
+        "sector-financial",
+        "supply-chain-integrity"
+      ]
+    },
+    "mlops-security": {
+      "description": "MLOps pipeline security for mid-2026 — training data integrity, model registry signing, deployment pipeline provenance, inference serving hardening, drift detection, feedback loop integrity; covers MLflow / Kubeflow / Vertex AI / SageMaker / Azure ML / Hugging Face",
+      "threat_context_excerpt": "MLOps replaced ad-hoc ML by 2023 — MLflow, Kubeflow Pipelines, Weights & Biases, Vertex AI Pipelines, SageMaker Pipelines, Azure ML Studio, and Hugging Face Hub are now the operational substrate for most production ML. By mid-2026, adversarial pressure has caught up. The MLOps lifecycle (data ingestion → feature store → training pipeline → experiment tracking → model registry → deployment pipeline → inference serving → monitoring → feedback loop) is now a contiguous supply chain whose every handoff is a documented attack class.",
+      "produces": "```\n## MLOps Pipeline Security Assessment\n\n**Assessment Date:** YYYY-MM-DD\n**Scope:** [MLOps stack(s): MLflow / Kubeflow / Vertex AI / SageMaker / Azure ML / Hugging Face / DIY]\n**Models in Scope:** [count, classification, deployment surfaces]\n**Frameworks in scope:** [NIST 800-218 SSDF | SLSA v1.0 | ISO/IEC 42001:2023 | NIST AI RMF | OWASP LLM Top 10 | EU AI Act | UK DSIT AI Cyber Code | AU AI Safety Standard | JP Society Principles | IL INCD AI | SG AI Verify | IN MeitY draft | NYDFS Part 500]\n\n### MLOps Stack Inventory\n| Stage | Tooling | Hosted / Self-Managed | Auth Model | Notes |\n|---|-- ...",
+      "key_xrefs": {
+        "cwe_refs": [
+          "CWE-1426",
+          "CWE-1395",
+          "CWE-1357",
+          "CWE-502"
+        ],
+        "d3fend_refs": [],
+        "framework_gaps": [
+          "NIST-800-218-SSDF",
+          "SLSA-v1.0-Build-L3",
+          "ISO-IEC-42001-2023-clause-6.1.2",
+          "NIST-AI-RMF-MEASURE-2.5",
+          "OWASP-LLM-Top-10-2025-LLM08"
+        ],
+        "atlas_refs": [
+          "AML.T0010",
+          "AML.T0018",
+          "AML.T0020",
+          "AML.T0043",
+          "AML.T0017"
+        ],
+        "attack_refs": [
+          "T1195.001",
+          "T1565"
+        ],
+        "rfc_refs": [
+          "RFC-8032"
+        ],
+        "dlp_refs": []
+      },
+      "trigger_count": 16,
+      "atlas_count": 5,
+      "attack_count": 2,
+      "framework_gap_count": 5,
+      "cwe_count": 4,
+      "d3fend_count": 0,
+      "rfc_count": 1,
+      "last_threat_review": "2026-05-11",
+      "path": "skills/mlops-security/skill.md",
+      "handoff_targets": [
+        "ai-attack-surface",
+        "ai-risk-management",
+        "cloud-security",
+        "container-runtime-security",
+        "coordinated-vuln-disclosure",
+        "rag-pipeline-security",
+        "supply-chain-integrity"
+      ]
+    },
+    "incident-response-playbook": {
+      "description": "Incident response playbook design for mid-2026 — NIST 800-61r3, ISO 27035, ATT&CK-driven detection, PICERL phases, AI-class incident handling (prompt injection breach, model exfiltration, AI-API C2), cross-jurisdiction breach notification timing",
+      "threat_context_excerpt": "The incident-response landscape in mid-2026 is materially different from the regime the legacy guides describe.",
+      "produces": "The skill produces seven artifacts per IR program assessment or live incident.\n\n### 1. Incident Classification Record\n\n```\nIncident ID: INC-<YYYY>-<NNNN>\nAwareness timestamp: <ISO timestamp — the regulator-clock anchor>\nDeclared severity: <Sev1/2/3>\nIncident commander: <named>\nClassification:\n  ATT&CK techniques: <T-IDs with sub-techniques>\n  ATLAS techniques: <AML.T-IDs, if applicable>\n  Incident class: <ransomware/exfiltration/identity/supply-chain/AI-system/BEC/DoS/insider/other>\n  Sector flag: <healthcare/financial/energy/federal/none>\n  AI-class flag: <victim/vector/attacker/none>\n  Cross ...",
+      "key_xrefs": {
+        "cwe_refs": [],
+        "d3fend_refs": [],
+        "framework_gaps": [
+          "NIST-800-53-AC-2",
+          "ISO-27001-2022-A.8.16",
+          "SOC2-CC7-anomaly-detection"
+        ],
+        "atlas_refs": [
+          "AML.T0096",
+          "AML.T0017",
+          "AML.T0051"
+        ],
+        "attack_refs": [
+          "T1486",
+          "T1041",
+          "T1567",
+          "T1078"
+        ],
+        "rfc_refs": [],
+        "dlp_refs": []
+      },
+      "trigger_count": 13,
+      "atlas_count": 3,
+      "attack_count": 4,
+      "framework_gap_count": 3,
+      "cwe_count": 0,
+      "d3fend_count": 0,
+      "rfc_count": 0,
+      "last_threat_review": "2026-05-11",
+      "path": "skills/incident-response-playbook/skill.md",
+      "handoff_targets": [
+        "ai-attack-surface",
+        "ai-c2-detection",
+        "compliance-theater",
+        "coordinated-vuln-disclosure",
+        "defensive-countermeasure-mapping",
+        "dlp-gap-analysis",
+        "framework-gap-analysis",
+        "global-grc",
+        "mcp-agent-trust",
+        "rag-pipeline-security",
+        "sector-energy",
+        "sector-federal-government",
+        "sector-financial",
+        "sector-healthcare",
+        "skill-update-loop",
+        "threat-model-currency",
+        "zeroday-gap-learn"
+      ]
+    },
+    "email-security-anti-phishing": {
+      "description": "Email security + anti-phishing for mid-2026 — SPF/DKIM/DMARC/BIMI/ARC/MTA-STS/TLSRPT, AI-augmented phishing (vishing, deepfake video, hyperpersonalized email), Business Email Compromise, secure email gateways",
+      "threat_context_excerpt": "Phishing remained the #1 initial-access vector through 2025 (Verizon DBIR 2025) and into 2026. The structural shift between 2024 and 2026 is **AI-augmentation of the phishing kill-chain** — content generation, voice synthesis, and live deepfake video have all collapsed from \"demonstrated in research\" to \"deployed against treasury, IT-helpdesk, and executive offices.\"",
+      "produces": "The skill produces a structured assessment with these sections:\n\n1. **DMARC enforcement scorecard** — table of all owned domains × `{SPF, DKIM, DMARC policy, sp=, pct=, RUA destination, BIMI, ARC verification, MTA-STS, TLSRPT}`; aggregate score = (# domains at `p=reject` with `pct=100`) / (total sending domains).\n2. **Email-auth coverage matrix** — per-protocol deployment status (SPF / DKIM / DMARC / BIMI / ARC / MTA-STS / TLSRPT) with gap flags.\n3. **Passkey rollout percentage** — overall and per-role-class (executive, finance, IT-admin, helpdesk, general workforce), with target = 100% for pr ...",
+      "key_xrefs": {
+        "cwe_refs": [],
+        "d3fend_refs": [],
+        "framework_gaps": [
+          "NIST-800-53-SI-3",
+          "ISO-27001-2022-A.8.16",
+          "SOC2-CC7-anomaly-detection"
+        ],
+        "atlas_refs": [],
+        "attack_refs": [
+          "T1566",
+          "T1566.001",
+          "T1566.002",
+          "T1566.003",
+          "T1078"
+        ],
+        "rfc_refs": [],
+        "dlp_refs": []
+      },
+      "trigger_count": 17,
+      "atlas_count": 0,
+      "attack_count": 5,
+      "framework_gap_count": 3,
+      "cwe_count": 0,
+      "d3fend_count": 0,
+      "rfc_count": 0,
+      "last_threat_review": "2026-05-11",
+      "path": "skills/email-security-anti-phishing/skill.md",
+      "handoff_targets": [
+        "ai-attack-surface",
+        "compliance-theater",
+        "dlp-gap-analysis",
+        "identity-assurance",
+        "incident-response-playbook",
+        "sector-financial"
+      ]
+    },
+    "age-gates-child-safety": {
+      "description": "Age-related gates and child online safety for mid-2026 — COPPA + CIPA + California AADC + GDPR Art. 8 + DSA Art. 28 + UK Online Safety Act + UK Children's Code + AU Online Safety Act + IN DPDPA child provisions + KOSA pending; age verification standards (IEEE 2089-2021, OpenID Connect age claims); AI product age policies",
+      "threat_context_excerpt": "The age-related regulatory wave that began with the UK Children's Code (in force Sept 2021) and California AADC (signed Sept 2022) crested in 2023-2025 and is in active enforcement entering mid-2026. The compliance surface for any consumer-facing product reachable by users under 18 is now approximately twenty-five overlapping jurisdictional regimes plus emerging AI-specific obligations, with enforcement asymmetry that punishes \"we don't track children\" as ignorance, not exemption.",
+      "produces": "Produce this structure verbatim:\n\n```\n## Age Gates and Child-Safeguarding Posture Assessment\n\n**Assessment Date:** YYYY-MM-DD\n**Entity:** [operator name]\n**Scope:** [products / services in scope; cohorts served; jurisdictions]\n**Regulatory jurisdictions:** [US COPPA + CIPA + AADC + state laws + KOSA-if-enacted; EU GDPR Art. 8 + DSA Art. 28 + AVMSD + CSAM-Regulation-pending; UK OSA + Children's Code; AU OSA + under-16; IN DPDPA; BR LGPD; CN Minors Protection Law + PIPL Art. 31; SG OSA; JP youth protection; KR PIPA; QC Law 25]\n\n### Likely-Accessed-By-Children Inventory (Step 1)\n| Product / Servi ...",
+      "key_xrefs": {
+        "cwe_refs": [
+          "CWE-200",
+          "CWE-287",
+          "CWE-862"
+        ],
+        "d3fend_refs": [],
+        "framework_gaps": [
+          "ISO-27001-2022-A.8.30",
+          "NIST-800-53-AC-2",
+          "SOC2-CC6-logical-access"
+        ],
+        "atlas_refs": [],
+        "attack_refs": [
+          "T1078",
+          "T1567"
+        ],
+        "rfc_refs": [],
+        "dlp_refs": []
+      },
+      "trigger_count": 19,
+      "atlas_count": 0,
+      "attack_count": 2,
+      "framework_gap_count": 3,
+      "cwe_count": 3,
+      "d3fend_count": 0,
+      "rfc_count": 0,
+      "last_threat_review": "2026-05-11",
+      "path": "skills/age-gates-child-safety/skill.md",
+      "handoff_targets": [
+        "ai-attack-surface",
+        "ai-risk-management",
+        "compliance-theater",
+        "coordinated-vuln-disclosure",
+        "dlp-gap-analysis",
+        "framework-gap-analysis",
+        "global-grc",
+        "identity-assurance",
+        "incident-response-playbook",
+        "sector-healthcare"
+      ]
+    }
+  }
+}