nsauditor-ai-agent-skill 0.1.16 → 0.1.18
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +58 -0
- package/SKILL.md +14 -7
- package/package.json +1 -1
- package/references/plugins.md +2 -2
package/CHANGELOG.md
CHANGED
|
@@ -4,6 +4,64 @@ Release notes for **`nsauditor-ai-agent-skill`** — installable knowledge packa
|
|
|
4
4
|
|
|
5
5
|
---
|
|
6
6
|
|
|
7
|
+
## 0.1.18 — Catalog refresh: plugin 1190 AWS SES Email Integrity Auditor v2.1 deferred-items sweep (7 deferred reviewer-fold items closed from 0.5.0 cycle + 6 same-session reviewer folds incl. 1 CRITICAL soc2 mapping closure + silent-loss-class closure on SES classic API quota exhaustion) — EE 0.5.2; plugin count UNCHANGED at 20
|
|
8
|
+
|
|
9
|
+
**Trio-publish institutionalization continued.** Paired with EE 0.5.2 + CE 0.1.51 — **eighth consecutive trio-publish across EE + CE + agent-skill in a single session** (after 0.4.5/0.4.6/0.4.7/0.4.8/0.4.9/0.5.0/0.5.1). The 0.1.18 refresh keeps the AI-coding-agent knowledge surface current with the latest EE plugin consolidation.
|
|
10
|
+
|
|
11
|
+
### What changed
|
|
12
|
+
|
|
13
|
+
- **`references/plugins.md`** — **plugin 1190 row** updated v2 → v2.1: 7 deferred reviewer-fold items closed. NEW emission category `ses-dkim-dns-partial-with-transients` MEDIUM (matched>0 + transient on remainder — preserves partial-match evidence rather than collapsing to LOW). NEW named Sets `_DNS_TRANSIENT_ERROR_CODES` + `_SES_CLASSIC_NOT_FOUND_ERROR_NAMES` + `_SES_CLASSIC_QUOTA_ERROR_NAMES` per [[emit_literal_set_drift]] discipline. NEW module-load-time disjointness IIFE `_assertDnsErrorCodeSetsDisjoint()` promotes invariant from test-time to Node startup. R-LOW-6 producer→consumer identityType normalization at both promoter sites.
|
|
14
|
+
- **`SKILL.md`** — plugin 1190 v2.1 narrative added; "post-EE 0.5.1" → "post-EE 0.5.2". EE plugin count UNCHANGED at 20.
|
|
15
|
+
- **`peerDependencies`** floor: unchanged at `nsauditor-ai >=0.1.40`.
|
|
16
|
+
|
|
17
|
+
### Why
|
|
18
|
+
|
|
19
|
+
The agent-skill catalog must stay current with EE plugin consolidation cycles so that AI coding agents (Claude Code / Cursor / Windsurf / VS Code Copilot) querying the skill for plugin-1190 capabilities get accurate guidance on the v2.1 emission categories (especially the new `ses-dkim-dns-partial-with-transients` MEDIUM and the `cause: "classic-sdk-quota-exhausted"` LOW + evidenceGap) — without the catalog refresh, agents would incorrectly tell users that plugin 1190 only emits 4 DKIM-DNS categories and 3 classic-policy categories.
|
|
20
|
+
|
|
21
|
+
### Recommended upgrade path
|
|
22
|
+
|
|
23
|
+
```bash
|
|
24
|
+
npm install nsauditor-ai-agent-skill@0.1.18
|
|
25
|
+
# (paired with EE 0.5.2 + CE 0.1.51; AI-coding-agent users only)
|
|
26
|
+
```
|
|
27
|
+
|
|
28
|
+
### Notes
|
|
29
|
+
|
|
30
|
+
- No SKILL contract changes; pure catalog refresh.
|
|
31
|
+
- `references/schemas.md` + `references/workflows.md` unchanged (no plugin-schema or workflow changes in EE 0.5.2; plugin 1190 v2.1 consolidation uses the same `cloudScanners` capability + same `run()` envelope established in EE-RT.12.25).
|
|
32
|
+
- Eighth consecutive trio-publish institutionalizes the discipline across 8 ship cycles.
|
|
33
|
+
|
|
34
|
+
---
|
|
35
|
+
|
|
36
|
+
## 0.1.17 — Catalog refresh: plugin 1150 AWS SQS/SNS Auditor v2 extension (5 → 7 dimensions: CloudWatch alarm coverage on SQS ApproximateAgeOfOldestMessage + SNS NumberOfNotificationsFailed; first plugin-1150 dim to cross an SDK boundary — SQS+SNS → CloudWatch) — EE 0.5.1; plugin count UNCHANGED at 20
|
|
37
|
+
|
|
38
|
+
**Trio-publish institutionalization continued.** Paired with EE 0.5.1 + CE 0.1.50 — **seventh consecutive trio-publish across EE + CE + agent-skill in a single session** (after 0.4.5/0.4.6/0.4.7/0.4.8/0.4.9/0.5.0). The 0.1.17 refresh keeps the AI-coding-agent knowledge surface current with the latest EE plugin extension.
|
|
39
|
+
|
|
40
|
+
### What changed
|
|
41
|
+
|
|
42
|
+
- **`references/plugins.md`** — **plugin 1150 row** updated v1 → v2: 5 → 7 dimensions. v1 dims preserved (encryption + transit-policy + topic-policy + DLQ). v2 NEW dims: **dim 6 SQS ApproximateAgeOfOldestMessage CloudWatch alarm coverage** (CC7.2 + A1.2 dual-mapped) — per-queue PASS / MEDIUM (silent backlog growth) / LOW (actions-disabled OR empty AlarmActions) / LOW + evidenceGap (CW SDK unavailable / AccessDenied / name un-extractable / truncated); **dim 7 SNS NumberOfNotificationsFailed CloudWatch alarm coverage** (CC7.2 + A1.2 dual-mapped) — per-topic analogue with same severity ladder. v2 single-fetch budget via `_enumerateMetricAlarms` + `_buildAlarmIndex` (mirrors plugin 1040's `_auditAlarmCoverage` scaffold). Soft-degrade contract: CW SDK load failure routes per-resource to LOW + evidenceGap rather than blocking primary substrate audit. **R-CRITICAL v2 fold (false-CLEAN closure)**: `actionable` requires BOTH `ActionsEnabled=true` AND non-empty `AlarmActions[]` (CloudWatch fires NO operator paging when AlarmActions=[] even with ActionsEnabled=true). **R-HIGH v2 fold**: soc2.json PASS-tier titlePatterns narrowed to anchor on namespace:metric clauses.
|
|
43
|
+
- **`SKILL.md`** — plugin 1150 v2 narrative added to enumeration; "post-EE 0.5.0" → "post-EE 0.5.1". EE plugin count UNCHANGED at 20 (no new plugin in 0.5.1; existing plugin 1150 grew in scope across new dims 6 + 7).
|
|
44
|
+
- **`peerDependencies`** floor: unchanged at `nsauditor-ai >=0.1.40`.
|
|
45
|
+
|
|
46
|
+
### Why
|
|
47
|
+
|
|
48
|
+
The agent-skill catalog must stay current with EE plugin extensions so that AI coding agents (Claude Code / Cursor / Windsurf / VS Code Copilot) querying the skill for plugin-1150 capabilities get accurate guidance on the v2 alarm-coverage dimensions — without the catalog refresh, agents would incorrectly tell users that plugin 1150 only has 5 dimensions and miss the CC7.2 + A1.2 alarm-coverage outcomes.
|
|
49
|
+
|
|
50
|
+
### Recommended upgrade path
|
|
51
|
+
|
|
52
|
+
```bash
|
|
53
|
+
npm install nsauditor-ai-agent-skill@0.1.17
|
|
54
|
+
# (paired with EE 0.5.1 + CE 0.1.50; AI-coding-agent users only)
|
|
55
|
+
```
|
|
56
|
+
|
|
57
|
+
### Notes
|
|
58
|
+
|
|
59
|
+
- No SKILL contract changes; pure catalog refresh.
|
|
60
|
+
- `references/schemas.md` + `references/workflows.md` unchanged (no plugin-schema or workflow changes in EE 0.5.1; plugin 1150 v2 extension uses the same `cloudScanners` capability + same `run()` envelope established in EE-RT.12.25).
|
|
61
|
+
- Seventh consecutive trio-publish institutionalizes the discipline across 7 ship cycles (0.4.5/0.4.6/0.4.7/0.4.8/0.4.9/0.5.0/0.5.1).
|
|
62
|
+
|
|
63
|
+
---
|
|
64
|
+
|
|
7
65
|
## 0.1.16 — Catalog refresh: plugin 1190 AWS SES Email Integrity Auditor v2 extension (DKIM CNAME DNS resolution + DMARC TXT record parser + SES classic API parity; first plugin in EE to depend on node:dns/promises for live DNS cross-reference) — EE 0.5.0; plugin count UNCHANGED at 20
|
|
8
66
|
|
|
9
67
|
**Trio-publish institutionalization continued.** Paired with EE 0.5.0 + CE 0.1.49 — **sixth consecutive trio-publish across EE + CE + agent-skill in a single session** (after 0.4.5/0.4.6/0.4.7/0.4.8/0.4.9). The 0.1.16 refresh keeps the AI-coding-agent knowledge surface current with the latest EE plugin extension.
|
package/SKILL.md
CHANGED
|
@@ -200,20 +200,27 @@ Operational Integrity (1100), AWS IAM Effective Decrypt-Path Auditor (1110), AWS
|
|
|
200
200
|
Lifecycle + Cross-Region Replication Auditor (1120), AWS Backup Auditor (1130), AWS
|
|
201
201
|
RDS Auditor (1140 v3 — extended in EE 0.4.8 with database audit-logging; 7→10 dims:
|
|
202
202
|
+pgAudit / +CloudWatch Logs exports / +CloudWatch Logs retention; aurora-aware
|
|
203
|
-
log-path detection per R-HIGH-1 reviewer-fold), AWS SQS/SNS Auditor (1150
|
|
203
|
+
log-path detection per R-HIGH-1 reviewer-fold), AWS SQS/SNS Auditor (1150 v2 —
|
|
204
|
+
extended in EE 0.5.1: 5 → 7 dims with CloudWatch alarm coverage on SQS
|
|
205
|
+
ApproximateAgeOfOldestMessage + SNS NumberOfNotificationsFailed; closes 1 CRITICAL
|
|
206
|
+
false-CLEAN class on empty-AlarmActions silent-PASS per R-CRITICAL fold; first
|
|
207
|
+
plugin-1150 dim to cross an SDK boundary — SQS+SNS → CloudWatch), AWS EC2
|
|
204
208
|
SG Perimeter Auditor (1170 v2 — RESTRICTED_PORTS 23 ports per CIS AWS Foundations
|
|
205
209
|
v3.0), AWS ElastiCache Redis Auditor (1180 v2 — extended in EE 0.4.9: kms:DescribeKey
|
|
206
210
|
promotion + subnet route-table verifier; closes both v1 deferred items R-MEDIUM-3 +
|
|
207
211
|
R-LOW-2; main-RT-inheritance false-NEGATIVE closure per R-MEDIUM-2 reviewer-fold),
|
|
208
|
-
AWS SES Email Integrity Auditor (1190 v2 — extended in EE 0.5.0
|
|
209
|
-
resolution + DMARC TXT record parser + SES classic API parity
|
|
210
|
-
false-CLEAN class on DMARC pct=0 per
|
|
211
|
-
|
|
212
|
-
|
|
212
|
+
AWS SES Email Integrity Auditor (1190 v2.1 — extended in EE 0.5.0 + consolidated in
|
|
213
|
+
EE 0.5.2: DKIM CNAME DNS resolution + DMARC TXT record parser + SES classic API parity
|
|
214
|
+
+ deferred-items sweep; closes 1 CRITICAL false-CLEAN class on DMARC pct=0 per
|
|
215
|
+
R-CRITICAL-1 fold + 1 HIGH false-NEGATIVE class on DMARC sp subdomain-policy override
|
|
216
|
+
per R-HIGH-1 fold + new MEDIUM ses-dkim-dns-partial-with-transients per v2.1 R-MEDIUM-2
|
|
217
|
+
fold + silent-loss-class closure on SES classic API quota exhaustion via cause:
|
|
218
|
+
"classic-sdk-quota-exhausted" per v2.1 R-HIGH-2 reviewer-fold; first plugin in EE to
|
|
219
|
+
depend on node:dns/promises for live DNS cross-reference).
|
|
213
220
|
**EE plugin IDs use the disjoint 1000+ range** (per EE 0.3.9 renumbering) to avoid
|
|
214
221
|
CE collision. CE reserves 001-099.
|
|
215
222
|
|
|
216
|
-
**EE SOC 2 substrate-evidence coverage (post-EE 0.5.
|
|
223
|
+
**EE SOC 2 substrate-evidence coverage (post-EE 0.5.2):** 10 covered controls (CC6.1 /
|
|
217
224
|
CC6.2 / CC6.6 / CC6.7 / CC6.8 / CC7.1 / CC7.2 / CC7.3 / C1.1 / C1.2) + 4 partial
|
|
218
225
|
(CC6.3 / CC8.1 / A1.2 / PI1.5) + 33 OOS for static substrate scanning. Coverage matrix
|
|
219
226
|
is institutionally honest: substrate-evidence depth grows release-over-release without
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "nsauditor-ai-agent-skill",
|
|
3
|
-
"version": "0.1.
|
|
3
|
+
"version": "0.1.18",
|
|
4
4
|
"description": "AI Agent Skill for NSAuditor AI — gives any AI coding agent built-in knowledge of NSAuditor's MCP tools, schemas, plugins, and security audit workflows.",
|
|
5
5
|
"keywords": [
|
|
6
6
|
"nsauditor",
|
package/references/plugins.md
CHANGED
|
@@ -181,10 +181,10 @@ listings, and default pages.
|
|
|
181
181
|
| 1120 | AWS S3 Lifecycle + Cross-Region Replication Auditor | Enterprise | S3 lifecycle policy enumeration (CC7.1 retention-cadence) + cross-region replication topology (A1.2 DR substrate); destination-bucket reachability verification closes silent-PASS class where replication source FAILED but emitted clean | C1.1 / C1.2 / A1.2 |
|
|
182
182
|
| 1130 | AWS Backup Auditor — headline thread | Enterprise | The largest single-plugin institutional-hardening arc in the EE codebase (~7800 lines, 545 tests). Audits Plans + Vaults + Recovery Points + Selections + Frameworks + Restore Testing + ReportPlans + Legal Holds + VaultType + Vault Tags + Vault Access Policy. **12-dimension air-gapped vault attestation arc** for LogicallyAirGappedBackupVault: 6 cryptographic-isolation mechanisms (vault TYPE + ARN account-segment-separation + destination KMS key-policy clean + destination KMS Grants clean + MRK-replica topology clean + source-account VPC-endpoint policy clean) + 6 substrate dimensions (PITR/retention/encryption/RestoreTesting/Legal Holds/vault Access Policy) | CC6.3 / CC6.6 / CC7.1 / CC8.1 / C1.1 / C1.2 / A1.2 |
|
|
183
183
|
| 1140 | AWS RDS Auditor (v3 — extended in EE 0.4.8) | Enterprise | **10 SOC 2 substrate-evidence dimensions** (v1=3 + v2=4 + v3=3). **v1+v2 (preserved):** Multi-AZ (A1.2) + storage encryption at rest with KMS-key custody classification + **kms:DescribeKey cross-reference promotes UNVERIFIABLE `:key/UUID` ARN shapes to deterministic PASS/MEDIUM** + parameter-group SSL enforcement (postgres rds.force_ssl + mysql require_secure_transport) + BackupRetentionPeriod (7-day baseline) + PubliclyAccessible + IAMDatabaseAuthenticationEnabled + snapshot encryption. **v3 NEW (database audit-logging, EE 0.4.8 EE-RT.14 v3):** **dim 8 pgAudit enabled** (postgres-only — `DescribeDBParameters → pgaudit.log` non-empty AND `shared_preload_libraries` contains `pgaudit` token per R-MEDIUM-2 reviewer-fold **false-PASS closure** — Postgres silently ignores the GUC when SPL omits pgaudit; new MEDIUM `rds-pgaudit-misconfigured` category; non-postgres engines = INFO + engine-not-applicable) + **dim 9 CloudWatch Logs exports** (`EnabledCloudwatchLogsExports` engine-dispatched: postgres essential=`postgresql`; mysql/mariadb essential=`error`; oracle essential=`audit`+`trace`; sqlserver essential=`error`; empty=HIGH / partial=MEDIUM / complete=PASS) + **dim 10 CloudWatch Logs retention** (`logs:DescribeLogGroups` enumeration on engine-dispatched prefix per R-HIGH-1 reviewer-fold **false-INFO closure**: `/aws/rds/instance/<id>/` for non-Aurora, `/aws/rds/cluster/<DBClusterIdentifier>/` for `aurora-*` engines — pre-fold hard-coded the instance path → 0 log groups on every Aurora node = false-INFO MEDIUM across the whole Aurora fleet; 30-day institutional baseline operator-tunable via `opts.auditLogRetentionPassMinDays` clamped 1..3653). **9 same-session v3 reviewer folds** (HIGH-1 Aurora cluster log-path; MEDIUM-2 pgAudit-SPL cross-check; MEDIUM-3/4/5 cwl-opt-out + retentionDistribution + transient-error distinct categories; LOW-8/9/10 + NIT-12). **Real-AWS smoke END-TO-END against `522412052794`** (in-place modification of rds-compliant-cluster; cost $0): ALL 3 v3 PASS-path classifiers validated + unmodified rds-violator-db validates HIGH path. **First 0.4.x extension cycle to validate BOTH PASS-path AND HIGH-path classifiers** against real AWS in the same smoke run. | A1.2 / CC6.1 / CC6.6 / C1.1 / CC7.2 / CC7.3 |
|
|
184
|
-
| 1150 | AWS SQS/SNS Auditor (NEW EE 0.4.4) | Enterprise | First multi-service plugin in EE codebase.
|
|
184
|
+
| 1150 | AWS SQS/SNS Auditor (NEW EE 0.4.4 v1; **EXTENDED EE 0.5.1 v2** — 5 → 7 dimensions: CloudWatch alarm coverage on SQS ApproximateAgeOfOldestMessage + SNS NumberOfNotificationsFailed; first plugin-1150 dim to cross an SDK boundary — SQS+SNS → CloudWatch) | Enterprise | First multi-service plugin in EE codebase. **7 dimensions total** (v1: 5; v2 EE 0.5.1 added dims 6 + 7). **v1 dims preserved:** SQS encryption at rest (SqsManagedSseEnabled OR KmsMasterKeyId; four-tier classification) + SQS transit-encryption policy (aws:SecureTransport Deny statement) + SNS topic encryption at rest + SNS topic-policy permissive-Principal (full NotAction-Allow + NotPrincipal-Allow + Resource-scope filtering per plugin 1070 + 1110 precedent) + SQS dead-letter queue presence (dual-mapped A1.2 + CC7.1). **v2 EE 0.5.1 NEW dims:** **dim 6 — SQS ApproximateAgeOfOldestMessage CloudWatch alarm coverage** (CC7.2 + A1.2 dual-mapped) — per-queue classifier `_classifySqsAgeAlarmCoverage` checks for at least one `AWS/SQS:ApproximateAgeOfOldestMessage` MetricAlarm with the queue's `QueueName` dimension AND **both** `ActionsEnabled=true` AND non-empty `AlarmActions[]`. Four outcomes: PASS `sqs-age-alarm-covered` / MEDIUM `sqs-age-alarm-missing` (silent backlog growth class) / LOW `sqs-age-alarm-actions-disabled` (matching alarm with all disabled OR empty AlarmActions — informational-only) / LOW + evidenceGap `sqs-age-alarm-coverage-unverifiable` (CW SDK unavailable / DescribeAlarms AccessDenied / queue name un-extractable / pagination truncated). **dim 7 — SNS NumberOfNotificationsFailed CloudWatch alarm coverage** (CC7.2 + A1.2 dual-mapped) — per-topic analogue with `AWS/SNS:NumberOfNotificationsFailed` metric + `TopicName` dimension; same four-tier severity ladder. **v2 single-fetch budget pattern** (mirrors plugin 1040): `_enumerateMetricAlarms` paginates `cloudwatch:DescribeAlarms` ONCE per scan; `_buildAlarmIndex` builds per-resource Maps (`sqsAgeByQueueName` + `snsFailureByTopicName`) for O(1) per-resource lookup. Pagination cap default 20 pages × 100 alarms = 2000 alarm ceiling, operator-tunable via `opts.cwAlarmPageCap`. **Soft-degrade contract** — CW SDK load failure routes per-resource classifier to LOW + evidenceGap rather than blocking SQS+SNS primary substrate audit. **R-CRITICAL v2 fold (false-CLEAN closure)**: `actionable` requires BOTH `ActionsEnabled=true` AND non-empty `AlarmActions[]` array — CloudWatch fires NO operator paging when AlarmActions=[] even with ActionsEnabled=true; pre-fold an `{ActionsEnabled:true, AlarmActions:[]}` alarm passed as PASS-tier evidence on a structurally broken alarm. Discriminates "all disabled" vs "all empty actions" in remediation narrative. **R-HIGH v2 fold**: soc2.json PASS-tier titlePatterns narrowed to anchor on `AWS/SQS:ApproximateAgeOfOldestMessage` / `AWS/SNS:NumberOfNotificationsFailed` clauses. **R-MEDIUM/R-LOW v2 folds**: defensive shape guard + multi-alarm collision tests + FIFO end-to-end + corrupted-shape defensive tests. **7 same-session v2 reviewer folds** (1 CRITICAL + 1 HIGH + 2 MEDIUM + 1 LOW + 1 NIT; 6 folded same-session, 1 NIT deferred). **No new SDK dependencies** — `@aws-sdk/client-cloudwatch` already declared in optionalDependencies since EE 0.4.0 (used by plugin 1040). **23 soc2.json titlePattern entries total** (11 v1 + 12 v2: 8 CC7.2 + 4 A1.2 dual-mapped). **Synthetic-mock validation only** this cycle for v2 — real-AWS smoke deferred (no SQS/SNS paired fixtures yet in test-infra-builder; ship-without per documented gap, EE 0.5.0 SES precedent). Closes the **"messaging monitoring" SOC 2 dimension** per `tasks/things-to-check.md` §4 institutional checklist: *"Track SQS ApproximateAgeOfOldestMessage and SNS delivery failure metrics inside CloudWatch to prove operational monitoring."* | C1.1 / CC6.6 / A1.2 / CC7.1 / CC7.2 |
|
|
185
185
|
| 1170 | AWS EC2 SG Perimeter Auditor (v2 — extended in EE 0.4.6) | Enterprise | Orthogonal evidence to plugin 1023 zero-trust-checker (1023 reads OBSERVED open ports; 1170 reads DECLARED SG policy via DescribeSecurityGroups). 6 dimensions: IPv4 0.0.0.0/0 ingress to **RESTRICTED_PORTS (v2: 23 ports per CIS AWS Foundations v3.0)** — SSH/RDP/MS SQL/MySQL/Postgres/Redshift/Redis/Memcached/MongoDB/Elasticsearch/CouchDB/Docker/Kubelet/K8s-API/etcd/Kibana/InfluxDB/Kafka/Consul/ZooKeeper/Vault CRITICAL + IPv6 ::/0 sibling CRITICAL + all-protocol (-1) wildcard CRITICAL + public ingress to non-restricted ports INFO + egress 0.0.0.0/0 INFO + orphan SG (no attached ENI) LOW governance. **v2: `opts.additionalRestrictedPorts` operator-config knob** + **per-SG cardinality cap with rollup trailer** (defends against finding-size DoS on 1000+ SG accounts) + **system-managed-SG name-prefix exclusion list** (ElasticMapReduce- / eks-cluster-sg- / AWSServiceRole / awseb- prefixes excluded from orphan-detection). UserIdGroupPairs rules surfaced as INFO + evidenceGap; transitive SG→SG chain analysis deferred to v3 | CC6.6 / CC6.2 |
|
|
186
186
|
| 1180 | AWS ElastiCache Redis Auditor (v2 — extended in EE 0.4.9) | Enterprise | First plugin in 1170-1180 ID range. **6 SOC 2 substrate-evidence dimensions** (v1 unchanged in count; v2 grew dims 2 + 6 in scope). **v1 dims preserved:** transit encryption (TransitEncryptionEnabled wraps RESP in TLS; HIGH on disabled) + Redis AUTH/IAM-auth user groups (PASS on UserGroupIds; MEDIUM no-authentication) + Multi-AZ deployment (HIGH disabled / INFO standalone-not-applicable / INFO+evidenceGap on transient enabling/disabling states) + SnapshotRetentionLimit cadence (HIGH=0 / MEDIUM 1-6 / PASS ≥7; operator-tunable `opts.snapshotRetentionPassMinDays`). Dual API enumeration (DescribeReplicationGroups + DescribeCacheClusters) with inter-API dedup. **v2 GROWN dims (EE 0.4.9 EE-RT.17 v2):** **dim 2 at-rest encryption + KMS key custody** — original four-tier ladder (HIGH disabled → MEDIUM AWS-owned-default → MEDIUM `alias/aws/elasticache` → PASS customer-managed CMK + LOW+evidenceGap on `:key/UUID` per conservative-classifier-principle) **PLUS v2 kms:DescribeKey cross-reference promotion** (mirrors plugin 1140 v2): UNVERIFIABLE `:key/UUID` ARN shapes promoted via KeyMetadata.KeyManager to deterministic PASS `elasticache-at-rest-customer-managed-kms-promoted` (CUSTOMER) / MEDIUM `elasticache-at-rest-aws-managed-kms-promoted` (AWS); conservative on AccessDenied/NotFound/unknown KeyManager. **dim 6 subnet routing** — v1 INFO substrate (`elasticache-subnet-group-substrate`) plus **v2 ec2:DescribeRouteTables verifier** that walks the cache subnet group's subnets via elasticache:DescribeCacheSubnetGroups + filtered ec2:DescribeRouteTables, classifying each subnet on Internet Gateway route presence via /^igw-[a-f0-9]+$/i (correctly excludes egress-only eigw-): HIGH `elasticache-subnet-public-route-detected` (with per-subnet `igwDestinationsBySubnet` evidence per R-HIGH-1 fold) / PASS `elasticache-subnet-private-verified` (all subnets verified IGW-free) / LOW + evidenceGap `elasticache-subnet-main-rt-inheritance` per R-MEDIUM-2 false-NEGATIVE closure (default-VPC main-RT typically routes `0.0.0.0/0 → igw-*`) / LOW + evidenceGap `elasticache-subnet-verification-unverifiable` on AccessDenied. **Cross-plugin sister of plugin 1170 SG perimeter** (layer-3 subnet→IGW vs layer-4 SG ingress policy). **7 same-session v2 reviewer folds** (HIGH-1 IGW destination evidence; MEDIUM-2 main-RT-inheritance false-NEGATIVE closure; MEDIUM-3 cache-key naming; LOW-6/7/9/10/11 + NIT-12). **Per-resource caching** prevents N×M API explosion (kmsKeyManagerCache + subnetGroupCache + subnetSetRoutingCache). **No new SDK deps** — @aws-sdk/client-kms + @aws-sdk/client-ec2 reused from EE 0.4.5. **Real-AWS smoke END-TO-END against 522412052794**: R-MEDIUM-2 fold escalation demonstrably firing in production (`redis-leaky-cache` → dim 6 LOW main-RT-inheritance). | CC6.1 / CC6.2 / CC6.6 / A1.2 / C1.1 |
|
|
187
|
-
| 1190 | AWS SES Email Integrity Auditor (NEW EE 0.4.7;
|
|
187
|
+
| 1190 | AWS SES Email Integrity Auditor (NEW EE 0.4.7; EXTENDED EE 0.5.0 v2; **CONSOLIDATED EE 0.5.2 v2.1** — 7 deferred reviewer-fold items closed + new MEDIUM `ses-dkim-dns-partial-with-transients` category + module-load-time disjointness IIFE + silent-loss-class closure on SES classic API quota exhaustion via `cause: "classic-sdk-quota-exhausted"`) | Enterprise | **v2 EE 0.5.0 GROWN dims:** **dim 1 DKIM** — original substrate **PLUS v2 DKIM CNAME DNS resolution promotion**: each `<token>._domainkey.<domain>` CNAME resolved via node:dns/promises + matched against `<token>.dkim.amazonses.com` (case-insensitive per RFC 1035 §2.3.3); four outcomes PASS `ses-dkim-dns-verified` / MEDIUM `ses-dkim-dns-partial` / **HIGH `ses-dkim-dns-missing` (false-CLEAN closure: SES Status=SUCCESS but DNS removed)** / LOW + evidenceGap `ses-dkim-dns-unverifiable`. **dim 2 MailFrom** — original substrate **PLUS v2 DMARC TXT record parser + MailFrom promotion**: RFC 7489 §6.4 tag-list parser + `_dmarc.<identityDomain>` TXT lookup; five outcomes PASS `ses-dmarc-policy-reject` / MEDIUM `ses-dmarc-policy-quarantine` / HIGH `ses-dmarc-policy-none` / HIGH `ses-dmarc-missing` / LOW + evidenceGap `ses-dmarc-unverifiable`. **R-CRITICAL-1 fold (false-CLEAN closure)**: `pct=0` on `p=reject`/`p=quarantine` functionally equivalent to `p=none`; now routes to HIGH `ses-dmarc-policy-none`. **R-HIGH-1 fold (subdomain-takeover false-NEGATIVE closure)**: `sp` subdomain-policy override now evaluated — `p=reject; sp=none` downgrades to HIGH with `dmarcSpWeakens` (subdomain phishing wide open while apex protected). **dim 4 sending-auth policies** — original IAM-policy classifier **PLUS v2 SES classic GetIdentityPolicies parity**: `_loadSesClassicSdk` restored; cross-API discrepancy emits HIGH `ses-classic-policy-discrepancy` (classic-only — canonical false-NEGATIVE class) / MEDIUM (`_canonicalSort` JSON deep-equal ignores whitespace + key-order drift) / INFO (v2-only benign). Conservative on classic SDK unavailable / AccessDenied → LOW + evidenceGap. **v1 dims preserved unchanged:** TLS enforcement (dim 3) + dedicated IP pool (dim 5) + suppression list (dim 6 ZDE — count + reason only). **v2 promoter pattern**: sync v1 classifiers unchanged; async promoters walk collected findings post-classification. **R-HIGH-2 fold**: brittle `inTestMode = !!opts._client` coupling replaced with explicit `_skipV2Promotion` master switch + 3 orthogonal kill-switches. **First plugin in EE to depend on node:dns/promises** for live DNS cross-reference. **8 same-session v2 reviewer folds** (1 CRITICAL + 3 HIGH + 2 MEDIUM + 2 LOW); 6 queued in Pick-up Block. **Real-DNS smoke validation END-TO-END** against production resolvers (`_dmarc.nsasoft.us` parsed correctly: `p=reject, sp=reject, pct=100`; forward-compat `fo=1` tag preserved). Empty-account SESv2 enumeration baseline succeeded end-to-end against 522412052794. **v1 base (preserved):** First plugin in 1190-1199 ID range. Closes the next-highest-priority gap from `tasks/things-to-check.md` AWS SOC 2 audit-canonical compliance checklist after Redis closed in 0.4.6. **6 audit dimensions:** **DKIM enablement + signing status** (CC6.1 / Privacy — HIGH on `SigningEnabled=false`; transient PENDING/TEMPORARY_FAILURE/NOT_STARTED INFO + walkthroughRequired; FAILED MEDIUM on DNS drift; unknown enum LOW + evidenceGap per conservative-classifier-principle) + **custom MailFrom domain alignment** (Privacy substrate — INFO + walkthroughRequired on default amazonses.com / PASS on custom + Status=SUCCESS) + **configuration set TLS enforcement** (C1.1 — REQUIRE PASS / OPTIONAL HIGH SMTP-downgrade-attack window / non-string-but-truthy distinct LOW with `tlsPolicyType` evidence per R-MEDIUM-7 fold) + **identity sending authorization policy permissive principals** (CC6.6 — multi-class wildcard detector covering bare `"*"` / `{AWS:"*"}` / `{Service:"*"}` / `{Federated:"*"}` / `{CanonicalUser:"*"}` / array-form `[*]` per R-HIGH-4 fold + distinct HIGH `ses-sending-auth-notprincipal-allow` per R-CRITICAL-1 fold catching NotPrincipal+Allow wildcard-EQUIVALENT class + LOW + evidenceGap `ses-sending-auth-malformed-statement` per R-HIGH-2 fold) + **dedicated IP pool sending posture** (CC7.1 substrate, account-level — INFO + walkthroughRequired on configured pools / INFO on shared-pool default) + **suppression list state** (CC7.1 deliverability substrate — **ZDE invariant: NEVER reads suppressed-destination email addresses**; count + reason only; verified at run() envelope boundary via sentinel-string assertion per R-LOW-8 fold). Dual API surface discipline: v1 uses SESv2 only (canonical modern API); `@aws-sdk/client-ses` declared in optionalDependencies for v2+ cross-API parity. **11 same-session reviewer folds** — ties single-cycle reviewer-fold record. **CRITICAL-1 closure**: NotPrincipal+Allow false-CLEAN class (matches plugins 1070 + 1150 discipline). **HIGH-4 closure**: `_isWildcardPrincipal` walks every Principal class value (pre-fold only `principal.AWS` inspected, leaking `{Service:"*"}` + `{Federated:"*"}` as silent CLEAN). **No real-AWS smoke against violation-tier fixtures** — test-infra-builder has NO SES paired fixtures yet (full-stack fixtures deferred to v2 alongside DKIM CNAME DNS resolution + DMARC TXT record parsing); empty-account smoke baseline against 522412052794 DID succeed end-to-end. | CC6.1 / CC6.6 / C1.1 / CC7.1 (substrate) / Privacy (substrate) |
|
|
188
188
|
|
|
189
189
|
---
|
|
190
190
|
|