docs(ttp): sync A.10 + rewrite §9 drift runbook + DEBT.md markers

Appendix A.10 corrected to match the post-2026-05-02-audit reality:
AbuseIPDB cat 7/13/16/17 land on their canonical AbuseIPDB names
(Phishing / VPN IP / SQL Injection / Spoofing); cats 4 and 10 carry
explicit "drop" annotations so the next reviewer sees the intent
rather than guessing. ThreatFox table re-keys on `threat_type` (the
canonical taxonomy field) and adds the `payload` and `cc_skimming`
rows. GreyNoise table promotes bare-malicious to a half-multiplier
emission of T1071.

§"Hard parts §9 Intel provider drift" replaces the prose handwave
with a runnable check: provider URLs, the ThreatFox curl invocation
that needs DECNET_THREATFOX_API_KEY, the rule_version + emits +
attack_catalog co-evolution rules, and the full chain of files to
exercise. Adds a "Ship-time audit log" subsection so future quarterly
runs have a known-good baseline to diff against.

DEBT.md item #1 records LAST_REVIEWED: 2026-05-02 / NEXT_REVIEW:
2026-08-02 and points at §9 for the runbook. DEBT.md item #3 (the
attacker.email.received producer) flags its gating premise as
potentially stale — ANTI noted SMTP honeypots already persist
received messages, contradicting the "no source row" claim that
deferred the wiring.
2026-05-02 18:09:20 -04:00
parent f8dee596e5
commit 9a7d116351
2 changed files with 140 additions and 26 deletions

DEBT.md

@@ -14,11 +14,22 @@ Feodo Tracker catalogues for new categories or classification changes.
Reconcile against `rules/ttp/R0054..R0058` (the intel-verdict rule
pack) and bump rule versions for any drift. See
`development/TTP_TAGGING.md` §"Hard parts §9 Intel provider drift" for
the operational rationale.
the operational runbook.
Owner: TTP rule maintainer (currently ANTI).
Cadence: every quarter, first week of the month.
Trigger: calendar reminder; no automated probe today.
Trigger: rule YAML `next_review` markers (canonical), with a
calendar reminder as backup.
Last reviewed: **2026-05-02** (ship-time audit — see
`development/TTP_TAGGING.md` §9 "Ship-time audit log"; corrected
two AbuseIPDB code typos, expanded the R0054/R0055/R0057 emits
lists to cover the full predicate technique universe, repointed
ThreatFox dispatch from `ioc_type` to `threat_type`, wired the
`AttackerIntel.{abuseipdb_categories, greynoise_tags,
greynoise_name, feodo_malware_family, threatfox_*_types,
threatfox_malware_families}` columns + producer parsing).
Next review: **2026-08-02**.
## One-shot
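Review bot: the new Trigger line declares rule YAML `next_review` markers "canonical" while dropping the old "no automated probe today" caveat, but nothing in this hunk (or in the DEBT.md file it touches) names a check that reads those markers, so the quarterly review is still only as enforced as the calendar reminder it now calls a backup. Either keep the "no automated probe" caveat next to the new trigger or point at the script/CI step that consumes `next_review`, so the next maintainer does not assume the cadence is machine-enforced. Minor: the "Last reviewed" parenthetical repeats the audit findings that the commit says now live in TTP_TAGGING.md §9 "Ship-time audit log"; keeping only the date and the pointer here avoids two copies drifting apart.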
@@ -45,6 +56,13 @@ collector persist log events, so there is no source row to fan out
on. See `development/TTP_TAGGING.md` §"Bus topics → Producer
wiring" for the full producer audit.
**STALE PREMISE (2026-05-02):** ANTI noted during the intel audit
that the SMTP honeypots DO persist all received messages today.
Re-triage this entry — the gating premise above may no longer
hold and the producer wiring may be paydown-able directly. Map
the actual SMTP-receive persistence to `ReceivedEmail` (or its
extant analogue), then wire the publisher.
Trigger: SMTP-receive persistence model lands (a `ReceivedEmail`
SQLModel + ingest path). Wire the publisher in the same PR.
Owner: TBD.
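Review bot: the STALE PREMISE note tells the reader to re-triage the entry, but the Trigger and Owner lines that follow it are unchanged and still gate the work on a `ReceivedEmail` model landing with Owner TBD, so the item now carries two contradictory triggers and no one responsible for the re-triage. Suggest rewriting the Trigger to the re-triage action itself (for example "Trigger: confirm SMTP-receive persistence with ANTI and map it to `ReceivedEmail` or its extant analogue; then wire the publisher") and assigning an owner, or at least dating the re-triage like the other DEBT.md markers so it is picked up by the same quarterly review.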