@blamejs/exceptd-skills 0.9.4 → 0.10.0

package/lib/verify.js

@@ -161,6 +161,41 @@ function loadManifest() {
   return JSON.parse(fs.readFileSync(MANIFEST_PATH, 'utf8'));
 }
 
+/**
+ * Public key fingerprint(s) of the DER-encoded SPKI public key,
+ * base64-encoded. Emits both:
+ *
+ *   - SHA-256: the universal convention. Matches `ssh-keygen -lf`
+ *     output for the same key, matches GPG / npm provenance / CT log
+ *     fingerprints. Operators cross-referencing the key against an
+ *     external pin will use this line.
+ *
+ *   - SHA3-512: SHA-3 family (Keccak / sponge construction), different
+ *     mathematical foundation than SHA-2. Hedges against future SHA-2
+ *     weaknesses. 512-bit output (~88 b64 chars) so collision +
+ *     second-preimage resistance both exceed the 256-bit Ed25519 key
+ *     itself. SHA-3 is also the hash family ML-KEM / ML-DSA use
+ *     internally, so this fingerprint travels well with the project's
+ *     PQ posture.
+ *
+ * @param {string|null} pemKey  PEM-encoded public key (or null)
+ * @returns {{sha256: string, sha3_512: string}|{error: string}}
+ */
+function publicKeyFingerprint(pemKey) {
+  if (!pemKey) return { sha256: '(no key)', sha3_512: '(no key)' };
+  try {
+    const keyObj = crypto.createPublicKey(pemKey);
+    const der = keyObj.export({ type: 'spki', format: 'der' });
+    return {
+      sha256: 'SHA256:' + crypto.createHash('sha256').update(der).digest('base64'),
+      sha3_512: 'SHA3-512:' + crypto.createHash('sha3-512').update(der).digest('base64'),
+    };
+  } catch (err) {
+    const errStr = `(invalid: ${err.message})`;
+    return { sha256: errStr, sha3_512: errStr };
+  }
+}
+
 // --- CLI ---
 
 if (require.main === module) {
@@ -203,7 +238,17 @@ if (require.main === module) {
   if (result.no_key) process.exit(1);
 
   const total = Object.values(result).filter(Array.isArray).flat().length;
+  // Compute + print the public key fingerprints so operators can pin
+  // the key out-of-band. Without this, a swapped keys/public.pem
+  // would still produce a "verified" message — undetectable from the
+  // exit code alone. Dual fingerprint (SHA-256 + SHA3-512) gives
+  // ssh-keygen compatibility AND a SHA-3 family diversity hedge.
+  const pubKey = loadPublicKey();
+  const fp = publicKeyFingerprint(pubKey);
   console.log(`\n[verify] ${result.valid.length}/${total} skills passed Ed25519 verification.`);
+  console.log(`[verify] Public key: keys/public.pem`);
+  console.log(`[verify] ${fp.sha256}`);
+  console.log(`[verify] ${fp.sha3_512}`);
 
   if (result.invalid.length > 0) { console.error('[verify] TAMPERED:', result.invalid.join(', ')); process.exit(1); }
   if (result.missing_sig.length > 0) { console.warn('[verify] UNSIGNED:', result.missing_sig.join(', ')); process.exit(1); }

package/manifest-snapshot.json

@@ -1,6 +1,6 @@
 {
   "_comment": "Auto-generated by scripts/refresh-manifest-snapshot.js — do not hand-edit. Public skill surface used by check-manifest-snapshot.js to detect breaking removals.",
-  "_generated_at": "2026-05-12T03:27:57.933Z",
+  "_generated_at": "2026-05-12T05:39:54.946Z",
   "atlas_version": "5.1.0",
   "skill_count": 38,
   "skills": [

package/manifest.json

@@ -1,6 +1,6 @@
 {
   "name": "exceptd-security",
-  "version": "0.9.4",
+  "version": "0.10.0",
   "description": "AI security skills grounded in mid-2026 threat reality, not stale framework documentation",
   "homepage": "https://exceptd.com",
   "license": "Apache-2.0",
@@ -52,7 +52,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "WprHkO1KOjQtCBj6/EJghBTNyNKJhn7O2HDbAQZPi5jn4flwHpSrtP8LC15a4Unoh+xiIIgGhvTHZIQFHGMpBQ==",
-      "signed_at": "2026-05-12T03:27:57.857Z",
+      "signed_at": "2026-05-12T05:39:54.542Z",
       "cwe_refs": [
         "CWE-125",
         "CWE-362",
@@ -116,7 +116,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "fg20bOXGRkPUdLmegeXpTM4hnzl/ArgcVc88rItZN5DdsnFnzPgUU1PwCI82zooyj2GfxJHYjxNkq5qd2zNPBg==",
-      "signed_at": "2026-05-12T03:27:57.858Z",
+      "signed_at": "2026-05-12T05:39:54.544Z",
       "cwe_refs": [
         "CWE-1039",
         "CWE-1426",
@@ -179,7 +179,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "6JuSzkSSFzFHEZ3ANzqjtIbKPOkwJeKhQ+8WAPB4+dTRvDSeg46n3D88XfGaNd2z7pmg/i8p9ZoImQcHFS4BCg==",
-      "signed_at": "2026-05-12T03:27:57.859Z",
+      "signed_at": "2026-05-12T05:39:54.544Z",
       "cwe_refs": [
         "CWE-22",
         "CWE-345",
@@ -225,7 +225,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "PYSw9abiYfW+y7IkY8udJG5LSds2a4rMimlw3rrdD0zE3vunEeV/y7oTmDD4o83OqHSCKNzF/7vMhvd/noqICQ==",
-      "signed_at": "2026-05-12T03:27:57.859Z"
+      "signed_at": "2026-05-12T05:39:54.545Z"
     },
     {
       "name": "compliance-theater",
@@ -256,7 +256,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "BMFmmJYP3HsHIjUqnhw8E3MiMGZJsI/eDq51we+nxUicZ8nFUQT9DhmRntAqOs6BUnsfiQNNLc/rrsNh8yg1CQ==",
-      "signed_at": "2026-05-12T03:27:57.860Z"
+      "signed_at": "2026-05-12T05:39:54.545Z"
     },
     {
       "name": "exploit-scoring",
@@ -285,7 +285,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "VGPyDwy5BRlpn1lZthhPB6ytb4ZcU2j0KtCZbaMkyLdMugQJtK2yEuwrsDH4yEtAhTB6/A4B3eSygJckum49Ag==",
-      "signed_at": "2026-05-12T03:27:57.860Z"
+      "signed_at": "2026-05-12T05:39:54.546Z"
     },
     {
       "name": "rag-pipeline-security",
@@ -322,7 +322,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "XkFGpsNnXBVslkQ48usEu9l1LjPiV2ppW+M4B63zXFBP2Puh52qYCffEPjUHYhoO5bjgTM7yCbK8XF/Dzk5wBw==",
-      "signed_at": "2026-05-12T03:27:57.860Z",
+      "signed_at": "2026-05-12T05:39:54.546Z",
       "cwe_refs": [
         "CWE-1395",
         "CWE-1426"
@@ -379,7 +379,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "1Xqy7Kxxy6GpTvuYJPdllPzVDRFxb7N6AuxKuoaO4v91CiZLmiXt0sTIWImKJ3p9Eup6rJNDdsY71dolFhHNBA==",
-      "signed_at": "2026-05-12T03:27:57.861Z",
+      "signed_at": "2026-05-12T05:39:54.546Z",
       "d3fend_refs": [
         "D3-CA",
         "D3-CSPP",
@@ -414,7 +414,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "QNLOmAL54S/Cmk4cdO4L2BCGkqZ/FgY4UBsKWtg/EEW+YXF5ev+a8XsUT8q5veuUa2VYcYna7rD1iAnE+2PDBA==",
-      "signed_at": "2026-05-12T03:27:57.861Z",
+      "signed_at": "2026-05-12T05:39:54.546Z",
       "cwe_refs": [
         "CWE-1188"
       ]
@@ -442,7 +442,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "aFHq4cSl3CKchnVITxx+BrAEWD33WtFFJoQtwAug5g9R3/3ABtjaXYGVQaZcdcG1AIZkMoGSPywgLQWDY7ZDCw==",
-      "signed_at": "2026-05-12T03:27:57.861Z"
+      "signed_at": "2026-05-12T05:39:54.547Z"
     },
     {
       "name": "global-grc",
@@ -474,7 +474,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "viCTUWdy6euvd2KTAo6sLvarK/FZkDtYGocxBt0H+fY94kLQGW8K5cSpqIWdUF5NUytSHBCiG4YcSze8P9Z/BQ==",
-      "signed_at": "2026-05-12T03:27:57.862Z"
+      "signed_at": "2026-05-12T05:39:54.547Z"
     },
     {
       "name": "zeroday-gap-learn",
@@ -501,7 +501,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-01",
       "signature": "6PkUaHQi3Hxuqq/Jp4GYckvfqVEofmeT87NUH0T+pwyjlc+xZkoqNPn65f7ldciEPL86JIPi3/dDTKQbIFFBCw==",
-      "signed_at": "2026-05-12T03:27:57.862Z"
+      "signed_at": "2026-05-12T05:39:54.547Z"
     },
     {
       "name": "pqc-first",
@@ -553,7 +553,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "ZenFTEzWx+DzrSXlNXhbZ70vOdJSXfrnKkAwqMlBf5nlDf38V1/hG4XCKj43snQXWr4mVJOX6ilqFLTYNIjnBw==",
-      "signed_at": "2026-05-12T03:27:57.862Z",
+      "signed_at": "2026-05-12T05:39:54.548Z",
       "cwe_refs": [
         "CWE-327"
       ],
@@ -600,7 +600,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "ih0vpd2v2zS31JSJv7SnABoya8JlJdrXZXx4rBnrsV3Assj+dbjAP0pQ1HMT/5RX8yTTswRQsg0bJV3qmbJ3Bw==",
-      "signed_at": "2026-05-12T03:27:57.863Z"
+      "signed_at": "2026-05-12T05:39:54.548Z"
     },
     {
       "name": "security-maturity-tiers",
@@ -637,7 +637,7 @@
       ],
       "last_threat_review": "2026-05-01",
       "signature": "Lv8dHiwIqUbNsywCCB/+pYWGF+MHCvxVn1IAvR7Cnif5fy0sICv0N4SVsSb621qAAkHNshpfxqwuhbuQnE1TBA==",
-      "signed_at": "2026-05-12T03:27:57.863Z",
+      "signed_at": "2026-05-12T05:39:54.549Z",
       "cwe_refs": [
         "CWE-1188"
       ]
@@ -672,7 +672,7 @@
       "framework_gaps": [],
       "last_threat_review": "2026-05-11",
       "signature": "BS+wrL28HHYhBpe+v84VLoq9KPBXu6alfG968katfGIoLNYQueaHP931bRmlkrjfeb6qbDf067GWdPEh7nroAw==",
-      "signed_at": "2026-05-12T03:27:57.863Z"
+      "signed_at": "2026-05-12T05:39:54.549Z"
     },
     {
       "name": "attack-surface-pentest",
@@ -743,7 +743,7 @@
         "PTES revision incorporating AI-surface enumeration"
       ],
       "signature": "vLhIYT/CC3IzxMRa+UPeqGSZTvthuwUeTMGNFMm37+TaEk0TtfwPrPyrBJLHw4W6Wt7+pufjHs46X3nTgzoRAg==",
-      "signed_at": "2026-05-12T03:27:57.864Z"
+      "signed_at": "2026-05-12T05:39:54.549Z"
     },
     {
       "name": "fuzz-testing-strategy",
@@ -803,7 +803,7 @@
         "OSS-Fuzz-Gen / AI-assisted harness generation becoming the default expectation for OSS maintainers"
       ],
       "signature": "TOcQLy/427cuf0Lw90J7A0oIeuhUmf9NXb6tOUS5K3SazCKTJujPgYSVAPZOYf1zZrRAY/aq0iqELd5cLyk5DA==",
-      "signed_at": "2026-05-12T03:27:57.864Z"
+      "signed_at": "2026-05-12T05:39:54.549Z"
     },
     {
       "name": "dlp-gap-analysis",
@@ -878,7 +878,7 @@
         "Quebec Law 25, India DPDPA, KSA PDPL enforcement actions naming AI-tool prompt data as in-scope personal information"
       ],
       "signature": "u4IN7escQa5V+OgdtaJXLdvhmNiGZsdmGOvebTLZ30WoImT+WiksvaqSa0POGdbr6HzFkALe2RrZEH9Tr0U6Dg==",
-      "signed_at": "2026-05-12T03:27:57.864Z"
+      "signed_at": "2026-05-12T05:39:54.550Z"
     },
     {
       "name": "supply-chain-integrity",
@@ -955,7 +955,7 @@
         "OpenSSF model-signing — emerging Sigstore-based signing standard for ML model weights; track for production adoption"
       ],
       "signature": "eTGQJ3gnG24WggfwuFNNIFOWV/ttPxTa3pvx9OH28m5KDS1a4ZmOR7K8y01wk/su8bH0ClYYRfoBfKQOtRswAg==",
-      "signed_at": "2026-05-12T03:27:57.864Z"
+      "signed_at": "2026-05-12T05:39:54.550Z"
     },
     {
       "name": "defensive-countermeasure-mapping",
@@ -1012,7 +1012,7 @@
       ],
       "last_threat_review": "2026-05-11",
       "signature": "q7gFLPoqf/8bqATR6gt/nj0EoyUOlfzi+bZ0bT3pC9KW7O6M/ji9fT+AXSGNp6PKd+70ACb3mkMGmWgjLpQXCg==",
-      "signed_at": "2026-05-12T03:27:57.865Z"
+      "signed_at": "2026-05-12T05:39:54.550Z"
     },
     {
       "name": "identity-assurance",
@@ -1079,7 +1079,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "pX8rhrrzuyG3iRrPORLqTZAjzGdWK/bKPUGJG5WHSZcv4LB0kQXOit4sHG0exdXxI6HY8jyX67QY4r5vEHHACw==",
-      "signed_at": "2026-05-12T03:27:57.865Z"
+      "signed_at": "2026-05-12T05:39:54.550Z"
     },
     {
       "name": "ot-ics-security",
@@ -1135,7 +1135,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "ypb8kNZQRdyu5mWeveB7sjCjNKXS1yXvjDJv88muzwhOs/a4Fu/Gb532js5NKyy+eCw/emrphpTZaL8R9a2lBA==",
-      "signed_at": "2026-05-12T03:27:57.865Z"
+      "signed_at": "2026-05-12T05:39:54.551Z"
     },
     {
       "name": "coordinated-vuln-disclosure",
@@ -1187,7 +1187,7 @@
         "NYDFS 23 NYCRR 500 amendments potentially adding explicit CVD program requirements"
       ],
       "signature": "346Lt+277ycRNsyAOGwLSONi4awgxKy3hP9G+BWjwaa8ySmTeqbYsbyyhtxjeohk9bV2SF+Hl2q4JdSvc/2qCQ==",
-      "signed_at": "2026-05-12T03:27:57.865Z"
+      "signed_at": "2026-05-12T05:39:54.551Z"
     },
     {
       "name": "threat-modeling-methodology",
@@ -1237,7 +1237,7 @@
         "PASTA v2 updates incorporating AI/ML application threats"
       ],
       "signature": "ewTvG5vu3ngFHyXgBur5vSKDFQsOZx0x79djGMricl7LCvQf5//OG6LZKXa+AOuEq58prRS+HgzrFA1DiTfeCQ==",
-      "signed_at": "2026-05-12T03:27:57.866Z"
+      "signed_at": "2026-05-12T05:39:54.551Z"
     },
     {
       "name": "webapp-security",
@@ -1311,7 +1311,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "ZHjbKu0Em92Kimr2esL1g93mf9TmcsChBhVEMWf/lFrjeLcg8nyHEIcDstIZ3FWYgc6MQNHnc3Rup3Xp/Za1Cw==",
-      "signed_at": "2026-05-12T03:27:57.866Z"
+      "signed_at": "2026-05-12T05:39:54.552Z"
     },
     {
       "name": "ai-risk-management",
@@ -1361,7 +1361,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "1KRxjCbAX0Rs5NTOioi1w/f1SOzDQrtRoXjTDtzEwJ+d1QzFf9cqmBlp0uXmGpL0bzEaHWIctjigSychmoL2Dw==",
-      "signed_at": "2026-05-12T03:27:57.866Z"
+      "signed_at": "2026-05-12T05:39:54.552Z"
     },
     {
       "name": "sector-healthcare",
@@ -1421,7 +1421,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "eiajFh7w7d4g+/crGalTtw9Qsu0deVsdHkdthZSy595ifGmgu0zaFD8usKThbPhOdUCCclTYkZYz5GalQmkhCw==",
-      "signed_at": "2026-05-12T03:27:57.867Z"
+      "signed_at": "2026-05-12T05:39:54.552Z"
     },
     {
       "name": "sector-financial",
@@ -1502,7 +1502,7 @@
         "TIBER-EU framework v2.0 alignment with DORA TLPT RTS (JC 2024/40); cross-recognition with CBEST and iCAST"
       ],
       "signature": "iSZR/fYESQVyjkcqj+O+yzU0BQfaELH5s7WizzUTWvDPDTD2ZyOnZTT1r/Zfx2l4mbPmVeFGWdYnnVFTk/i3Aw==",
-      "signed_at": "2026-05-12T03:27:57.867Z"
+      "signed_at": "2026-05-12T05:39:54.553Z"
     },
     {
       "name": "sector-federal-government",
@@ -1571,7 +1571,7 @@
         "Australia PSPF 2024 revision and ISM quarterly updates — track for Essential Eight Maturity Level requirements for federal entities"
       ],
       "signature": "Wjdo5YXEL8XeNZkaEueG1DOUoyalstNPzQkxD/cwP5iMrJWg/Ly+sC0Oluuqm3aU7d63z55PrbGQCJD0XVZqBg==",
-      "signed_at": "2026-05-12T03:27:57.867Z"
+      "signed_at": "2026-05-12T05:39:54.553Z"
     },
     {
       "name": "sector-energy",
@@ -1636,7 +1636,7 @@
         "ICS-CERT advisory feed (https://www.cisa.gov/news-events/cybersecurity-advisories/ics-advisories) for vendor CVEs in Siemens, Rockwell, Schneider Electric, ABB, GE Vernova, Hitachi Energy, AVEVA / OSIsoft PI"
       ],
       "signature": "c/l7dOHe0Zj6Ag3abUaEie6o0f8M4rhY5aPI9/wG4z6FDue9PzCVw8vUGoITFgg89g97lMfy2C3CE2PegQoFCw==",
-      "signed_at": "2026-05-12T03:27:57.868Z"
+      "signed_at": "2026-05-12T05:39:54.553Z"
     },
     {
       "name": "api-security",
@@ -1705,7 +1705,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "9FgcJvYeo07QxQ+mnVRQk4jYLDMO/AVSXMs8cueO2f/qMOTQmrhBMVhj5ze7hzvXpGkp7EK/3Q1XKqde61JMAg==",
-      "signed_at": "2026-05-12T03:27:57.868Z"
+      "signed_at": "2026-05-12T05:39:54.554Z"
     },
     {
       "name": "cloud-security",
@@ -1786,7 +1786,7 @@
         "CISA KEV additions for cloud-control-plane CVEs (IMDSv1 abuses, federation token mishandling, cross-tenant boundary failures); CISA Cybersecurity Advisories for cross-cloud advisories"
       ],
       "signature": "xRA0XZf7VPtuBtbsm41bay9yBLphw/hlL3YxIUrpko5g9ldM3oJe9o1qSwzIj/wSnQSI29qqPpNsnlks+HEOCA==",
-      "signed_at": "2026-05-12T03:27:57.868Z"
+      "signed_at": "2026-05-12T05:39:54.554Z"
     },
     {
       "name": "container-runtime-security",
@@ -1848,7 +1848,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "GcU50DStuN1gU/Evm/sFRgeieQbqffVp12rgbGnasRX89Q7kM4ltFXB+bgCXHIvICzYb78hPIifWQb9UVupWBQ==",
-      "signed_at": "2026-05-12T03:27:57.869Z"
+      "signed_at": "2026-05-12T05:39:54.554Z"
     },
     {
       "name": "mlops-security",
@@ -1919,7 +1919,7 @@
         "MITRE ATLAS v5.2 — track AML.T0010 sub-technique expansion and any new MLOps-pipeline-specific TTPs"
       ],
       "signature": "onIazpFoL1t4PMNRsoF06ggnl7BzCKjt0x+ZmVfWfyt1V06DgllsrbN3AAz4+g4jW2Sc71q0vIFKfwEUWpGVAQ==",
-      "signed_at": "2026-05-12T03:27:57.869Z"
+      "signed_at": "2026-05-12T05:39:54.555Z"
     },
     {
       "name": "incident-response-playbook",
@@ -1981,7 +1981,7 @@
         "NYDFS 23 NYCRR 500.17 amendments tightening ransom-payment 24h disclosure operationalization"
       ],
       "signature": "P0Yv4CtqbnBNP6nSIxQUYYHL7T7ci+iE7iE2UXVfnMPeWVdKG2nvRePjBXc3JZTLima1Txn/I5ocDNhLTIeUAQ==",
-      "signed_at": "2026-05-12T03:27:57.869Z"
+      "signed_at": "2026-05-12T05:39:54.555Z"
     },
     {
       "name": "email-security-anti-phishing",
@@ -2034,7 +2034,7 @@
       "d3fend_refs": [],
       "last_threat_review": "2026-05-11",
       "signature": "2pv81lLRbazpHqundCANb3YiLB4lkVsYctIDvI8rxSvHxhPS9jYXqmAoB5APSdDuOaew6XqpfZOehQUj9WmyBw==",
-      "signed_at": "2026-05-12T03:27:57.870Z"
+      "signed_at": "2026-05-12T05:39:54.555Z"
     },
     {
       "name": "age-gates-child-safety",
@@ -2102,7 +2102,7 @@
         "US state adult-site age-verification laws — 19+ states by mid-2026 (TX HB 18 upheld by SCOTUS June 2025 in Free Speech Coalition v. Paxton); track ongoing challenges in remaining states"
       ],
       "signature": "BJ/YYnGVXeSBaR9oWAVrcNX7Wz+kE8R4CghX6+XEI/qY89fyrkKNNwo2veqqf49wffJhHVJ1wTp8ZDECjNp+Dw==",
-      "signed_at": "2026-05-12T03:27:57.870Z"
+      "signed_at": "2026-05-12T05:39:54.556Z"
     }
   ]
 }

package/orchestrator/dispatcher.js

@@ -37,6 +37,17 @@ function dispatch(findings) {
       if (seen.has(skill.name)) continue;
       seen.add(skill.name);
 
+      // Preserve per-CVE evidence so operators see the actual CVE IDs
+      // (not just an aggregate count). Earlier output read "1 CISA
+      // KEV CVE with RWEP >= 90" — the entry below now also carries
+      // the CVE ID + RWEP score so the print path can render
+      // "1 CISA KEV CVE with RWEP >= 90 (CVE-2026-31431 / Copy Fail
+      // RWEP 90)".
+      const evidence = {};
+      if (Array.isArray(finding.items) && finding.items.length > 0) evidence.items = finding.items;
+      if (finding.cve_id) evidence.cve_id = finding.cve_id;
+      if (finding.rwep_score !== undefined) evidence.rwep_score = finding.rwep_score;
+
       plan.push({
         skill_name: skill.name,
         skill_path: path.join(SKILLS_DIR, skill.name, 'skill.md'),
@@ -45,7 +56,8 @@ function dispatch(findings) {
         finding_severity: finding.severity,
         action_required: finding.action_required,
         priority: severityToPriority(finding.severity),
-        last_threat_review: skill.last_threat_review || 'unknown'
+        last_threat_review: skill.last_threat_review || 'unknown',
+        evidence,
       });
     }
   }

package/orchestrator/index.js

@@ -59,12 +59,105 @@ async function main() {
     case 'watchlist':
       runWatchlist(args);
       break;
+    case 'framework-gap':
+    case 'framework-gap-analysis':
+      runFrameworkGap(args);
+      break;
     case 'help':
     default:
       printHelp();
   }
 }
 
+// Programmatic runner for the framework-gap-analysis skill. Closes the
+// dispatch loop — previously `exceptd dispatch` would say "run
+// framework-gap-analysis" but the only thing the CLI could actually do
+// was print the skill body. This subcommand executes the analytical
+// path in lib/framework-gap.js so an operator (or a CI gate) can pipe
+// the JSON into another tool.
+//
+// Usage:
+//   exceptd framework-gap <FRAMEWORK_ID|all> <SCENARIO|CVE-ID>
+//   exceptd framework-gap NIST-800-53 CVE-2026-31431
+//   exceptd framework-gap PCI-DSS-4.0 "prompt injection"
+//   exceptd framework-gap all CVE-2025-53773 --json
+function runFrameworkGap(rawArgs) {
+  const fs = require('fs');
+  const path = require('path');
+  const { gapReport, theaterCheck } = require('../lib/framework-gap');
+
+  const args = rawArgs.filter(a => !a.startsWith('--'));
+  const flags = new Set(rawArgs.filter(a => a.startsWith('--')));
+  const jsonOut = flags.has('--json');
+
+  if (args.length < 2) {
+    console.error(`Usage: exceptd framework-gap <FRAMEWORK_ID|all> <SCENARIO|CVE-ID> [--json]
+Examples:
+  exceptd framework-gap NIST-800-53 CVE-2026-31431
+  exceptd framework-gap PCI-DSS-4.0 "prompt injection"
+  exceptd framework-gap all CVE-2025-53773 --json`);
+    process.exit(2);
+  }
+
+  const root = path.join(__dirname, '..');
+  let controlGaps, cveCatalog;
+  try {
+    controlGaps = JSON.parse(fs.readFileSync(path.join(root, 'data', 'framework-control-gaps.json'), 'utf8'));
+    cveCatalog = JSON.parse(fs.readFileSync(path.join(root, 'data', 'cve-catalog.json'), 'utf8'));
+  } catch (err) {
+    console.error(`[framework-gap] cannot read catalog: ${err.message}`);
+    process.exit(2);
+  }
+
+  const requested = args[0].toLowerCase() === 'all'
+    ? [...new Set(Object.values(controlGaps).flatMap(g =>
+        Array.isArray(g.framework) ? g.framework : [g.framework]
+      ).filter(f => f && f !== 'ALL'))]
+    : [args[0]];
+  const scenario = args[1];
+
+  const report = gapReport(requested, scenario, controlGaps, cveCatalog);
+  const theater = theaterCheck(controlGaps, cveCatalog);
+
+  if (jsonOut) {
+    console.log(JSON.stringify({ ...report, theater_findings: theater.findings, theater_score: theater.theater_score }, null, 2));
+    return;
+  }
+
+  // Human-readable output.
+  console.log(`\nFramework gap analysis — ${new Date().toISOString().slice(0, 10)}`);
+  console.log(`Scenario: ${scenario}`);
+  console.log(`Frameworks: ${requested.join(', ')}\n`);
+
+  for (const [fwId, result] of Object.entries(report.frameworks)) {
+    const flag = result.theater_exposure ? '⚠ THEATER RISK' : '✓ no scoped gaps';
+    console.log(`### ${fwId} — ${result.gap_count} matching control gap(s) — ${flag}`);
+    for (const g of result.gaps) {
+      console.log(`  - ${g.id} (${g.control}) — status: ${g.status}`);
+      if (g.real_requirement) console.log(`    real-requirement: ${g.real_requirement.slice(0, 160)}${g.real_requirement.length > 160 ? '…' : ''}`);
+    }
+    console.log();
+  }
+
+  if (report.universal_gaps.length > 0) {
+    console.log(`### Universal gaps (no jurisdiction covers these) — ${report.universal_gaps.length}`);
+    for (const g of report.universal_gaps) {
+      console.log(`  - ${g.id || g.name}: ${(g.real_requirement || '').slice(0, 140)}`);
+    }
+    console.log();
+  }
+
+  if (report.theater_risks.length > 0) {
+    console.log(`### Theater risk controls (compliant but exposed) — ${report.theater_risks.length}`);
+    for (const t of report.theater_risks) {
+      console.log(`  - ${t.control} → ${t.pattern} (framework: ${t.framework})`);
+    }
+    console.log();
+  }
+
+  console.log(`Summary: ${report.summary.total_gaps} matching gaps, ${report.summary.universal_gaps} universal, ${report.summary.theater_risk_controls} theater-risk controls`);
+}
+
 // --- command implementations ---
 
 async function runScan() {
@@ -108,6 +201,18 @@ async function runDispatch() {
     console.log(`[${urgency}] ${item.skill_name}`);
     console.log(`  Triggered by: ${item.triggered_by} (${item.finding_domain})`);
     console.log(`  Action: ${item.action_required}`);
+    // Surface per-CVE detail when the underlying finding had a list of
+    // CVEs (e.g. cisa_kev_high_rwep). Operators need to know WHICH
+    // CVE — not just an aggregate count.
+    if (item.evidence && Array.isArray(item.evidence.items) && item.evidence.items.length > 0) {
+      console.log(`  Evidence:`);
+      for (const ev of item.evidence.items) {
+        const parts = [ev.id, ev.name && `"${ev.name}"`, ev.rwep != null && `RWEP ${ev.rwep}`].filter(Boolean);
+        console.log(`    - ${parts.join(' · ')}`);
+      }
+    } else if (item.evidence && item.evidence.cve_id) {
+      console.log(`  Evidence: ${item.evidence.cve_id}${item.evidence.rwep_score != null ? ` · RWEP ${item.evidence.rwep_score}` : ''}`);
+    }
     console.log(`  Path: ${item.skill_path}`);
     console.log();
   }
@@ -202,12 +307,21 @@ async function runReport(format) {
   }
 
   console.log('\n## Skill Currency');
-  const stale = currency_report.filter(s => s.currency_score < 70);
-  if (stale.length > 0) {
-    console.log(`${stale.length} skills need review:`);
-    for (const s of stale) console.log(`  - ${s.skill}: ${s.currency_score}% (${s.days_since_review}d old)`);
+  // Two tiers, named consistently and explained inline so the reader
+  // doesn't have to mentally map two thresholds onto the same list.
+  const critical = currency_report.filter(s => s.currency_score < 50);
+  const stale = currency_report.filter(s => s.currency_score >= 50 && s.currency_score < 70);
+  if (critical.length === 0 && stale.length === 0) {
+    console.log('All skills current (>= 70% currency, reviewed within the last 60 days).');
   } else {
-    console.log('All skills current.');
+    if (critical.length > 0) {
+      console.log(`Critical-stale (< 50% currency, > 90 days since review) — ${critical.length}:`);
+      for (const s of critical) console.log(`  - ${s.skill}: ${s.currency_score}% (${s.days_since_review}d old)`);
+    }
+    if (stale.length > 0) {
+      console.log(`Stale (50-69% currency, 30-90 days since review) — ${stale.length}:`);
+      for (const s of stale) console.log(`  - ${s.skill}: ${s.currency_score}% (${s.days_since_review}d old)`);
+    }
   }
 }
 

package/orchestrator/pipeline.js

@@ -181,13 +181,19 @@ function getStageInstructions(stageName, previousOutput) {
   return instructions[stageName] || null;
 }
 
-function _currencyScore(daysSinceReview, forwardWatchCount) {
+function _currencyScore(daysSinceReview, _forwardWatchCount) {
+  // Currency = function of last_threat_review age, period. Earlier
+  // versions subtracted 5 per forward_watch entry, which created a
+  // perverse incentive: skills that diligently track upcoming threats
+  // (e.g. cloud-security with 14 forward_watch items) scored 30%
+  // currency even on the day after a review. forward_watch is a
+  // signal of ACTIVE maintenance, not staleness, so the count no
+  // longer affects the score. The arg is retained for ABI compat.
   let score = 100;
   if (daysSinceReview > 180) score -= 30;
   else if (daysSinceReview > 90) score -= 20;
   else if (daysSinceReview > 60) score -= 10;
   else if (daysSinceReview > 30) score -= 5;
-  score -= forwardWatchCount * 5;
   return Math.max(0, score);
 }