feat(skills): adversary-emulation playbooks + expanded APT threat-profile catalog

[VoidChecksum]

Summary

Adds a per-actor adversary-emulation lane under soundwave/threat-profile/ and expands the APT/eCrime reference catalog the threat-profile planning skill consults. Each emulation playbook converts a named threat actor into an RoE-bounded Decepticon kill chain — a ThreatProfile seed, an ordered CONOPS kill_chain, and a phase → technique → skill map the orchestrator turns into OPPLAN objectives for the operational agents.

Fills the gap left open by the (unmerged) feat/skills-adversary-emulation branch referenced in #431's collision check — emulation/ is not present on main.

Additive markdown only — no Python/source changes.

New skills (8)

File	What it adds
…/threat-profile/emulation/SKILL.md	Catalog/routing hub: actor → playbook, tier, skills exercised; how Soundwave consumes a playbook (and that the referenced operational skills are loaded by the executing agents, not Soundwave)
…/emulation/apt29/SKILL.md	APT29 (Cozy Bear / Midnight Blizzard) — cloud-identity espionage: no-MFA password spray, OAuth/token abuse, Golden SAML, mailbox collection
…/emulation/sandworm/SKILL.md	Sandworm (APT44) — IT→OT intrusion ending in ICS manipulation / destructive impact; ICS-write + destructive steps are canary/lab-only and gated on explicit OT authorization
…/emulation/scattered-spider/SKILL.md	Scattered Spider (UNC3944) — help-desk vishing → MFA takeover → cloud/SaaS privilege expansion → RMM persistence → extortion
…/emulation/volt-typhoon/SKILL.md	Volt Typhoon — edge-device access, living-off-the-land-only, long-dwell pre-positioning, multi-hop proxy egress
…/emulation/lazarus/SKILL.md	Lazarus — crypto/DeFi theft + supply chain; on-chain DeFi/bridge steps run on testnet/fork only
…/emulation/fin7/SKILL.md	FIN7 — revenue-targeted spearphishing + EDR evasion → big-game-hunting ransomware
…/emulation/lockbit/SKILL.md	LockBit / generic RaaS-affiliate kill chain — reusable template (retarget ALPHV/Akira/Black Basta)

Changed files (3)

• …/threat-profile/references/apt-groups.md — 5 → 19 actor cards (adds Sandworm, Volt/Salt Typhoon, Scattered Spider, APT40, APT10, OilRig, MuddyWater, Kimsuky, Turla, LockBit, ALPHV/BlackCat, Cl0p), a MITRE Group-ID crosswalk (feeds threat-profile.json.group_id), and an industry → actor map expanded 8 → 15 rows. LockBit/ALPHV are recorded as — because MITRE tracks them as software (S1202 / S1068), not group pages.
• …/threat-profile/SKILL.md — Step 2 + a new Step 5 route named actors to the emulation catalog.
• .typos.toml — scope-exclude the jargon-dense emulation/ + references/ dirs (matches the existing ics-ot / iot exclusion pattern; OT, HPE, MOVEit are correct terms, not typos).

All MITRE technique IDs were verified against MITRE ATT&CK Groups pages + CISA advisories.

Verification

• uv run pytest packages/decepticon/tests/unit/tools/test_skills_registry.py packages/decepticon/tests/unit/backends/test_skills_path.py -q → 33 passed
• Production iter_skill_records walks the real skills tree → all 8 new skills discovered, slug == name == dir, 0 parse errors
• All 34 /skills/standard/... cross-references resolve (no dangling links); no new slug collisions
• typos → clean (exit 0) after the scoped exclude; no trailing whitespace / CRLF; final newlines OK; .markdownlint.yaml (MD013/MD022 off) matches the additions
• ruff N/A — no .py files changed

Notes

• Frontmatter follows the house schema (name, description, allowed-tools, metadata.{subdomain, when_to_use, tags, mitre_attack}); leaf name matches its directory, the hub uses the -overview suffix (like ics-ot-overview / cloud-overview).
• Merge is manual per operator convention.

Related Issues