nsauditor-ai-agent-skill 0.1.21 → 0.1.23
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +52 -0
- package/README.md +3 -3
- package/SKILL.md +33 -16
- package/examples/agent-interactions.md +1 -1
- package/package.json +1 -1
- package/references/plugins.md +1 -0
- package/references/workflows.md +1 -1
package/CHANGELOG.md
CHANGED
|
@@ -4,6 +4,58 @@ Release notes for **`nsauditor-ai-agent-skill`** — installable knowledge packa
|
|
|
4
4
|
|
|
5
5
|
---
|
|
6
6
|
|
|
7
|
+
## 0.1.23 — Catalog refresh: plugin 1200 v2 evidence-acquisition extension — paired with EE 0.6.2 trio-publish (patch-level extension: multi-region GuardDuty + Inspector2 enumeration + GovCloud / ISO region support + `FindingPublishingFrequency` check + Inspector2 baseline expansion; plugin count UNCHANGED at 22; thirteenth consecutive trio-publish)
|
|
8
|
+
|
|
9
|
+
**Trio-publish institutionalization continued.** Paired with EE 0.6.2 + CE 0.1.56 — **thirteenth consecutive trio-publish across EE + CE + agent-skill in a single session** (0.4.5–0.6.2).
|
|
10
|
+
|
|
11
|
+
### What changed
|
|
12
|
+
|
|
13
|
+
- **`references/plugins.md`** — plugin 1200 row updated with v2 dim list. Multi-region enumeration (item a) replaces single-region scope; `FindingPublishingFrequency` check (item b) added as CC7.1 detection-latency dimension; Inspector2 baseline expansion (item e) grows scan-target baseline from {ec2, ecr, lambda} → {ec2, ecr, lambda, lambdaCode, codeRepository}. 4 same-session R1 reviewer folds applied (0 R-CRITICAL clean review pass): R-HIGH-1 region regex GovCloud + ISO support (closes FedRAMP / StateRAMP / IL5+ false-PASS class) + R-HIGH-2 frequency ordering not equality + R-MEDIUM-1 region cap defensibility + R-LOW-1 EC2 client instrumentation parity.
|
|
14
|
+
- **`SKILL.md`** — "post-EE 0.6.1" → "post-EE 0.6.2"; plugin count enumeration stays at 22 (existing plugin grew in scope).
|
|
15
|
+
- **`peerDependencies`** floor: unchanged at `nsauditor-ai >=0.1.40`.
|
|
16
|
+
|
|
17
|
+
### Why the catalog refresh matters
|
|
18
|
+
|
|
19
|
+
AI coding agents using this skill now know that plugin 1200:
|
|
20
|
+
|
|
21
|
+
- Audits GuardDuty and Inspector2 across **all opted-in regions** by default (not just the client's configured region).
|
|
22
|
+
- Supports **GovCloud (`us-gov-*`) and ISO (`us-iso*-*`) regions** — operators on those substrates were silently skipped pre-0.6.2.
|
|
23
|
+
- Classifies the GuardDuty `FindingPublishingFrequency` against an institutional baseline of 15 minutes (operator-tunable).
|
|
24
|
+
- Treats Inspector2 Lambda code scanning and code-repository scanning as part of the institutional baseline (Inspector2 GA 2024+ scan-target additions).
|
|
25
|
+
- Exposes operator opts: `regions: string[]` / `skipMultiRegion: true` / `regionListCap: 1..256` / `gdFrequencyPassFrequency: FIFTEEN_MINUTES | ONE_HOUR | SIX_HOURS`.
|
|
26
|
+
|
|
27
|
+
### Compatibility
|
|
28
|
+
|
|
29
|
+
No agent-skill API surface changes; pure documentation refresh. AI agents using earlier agent-skill versions against EE 0.6.2 still work, they just lack the v2 dim awareness.
|
|
30
|
+
|
|
31
|
+
**Customer install (paired):**
|
|
32
|
+
|
|
33
|
+
```bash
|
|
34
|
+
npm install -g nsauditor-ai@0.1.56 @nsasoft/nsauditor-ai-ee@0.6.2
|
|
35
|
+
npm install nsauditor-ai-agent-skill@0.1.23
|
|
36
|
+
```
|
|
37
|
+
|
|
38
|
+
---
|
|
39
|
+
|
|
40
|
+
## 0.1.22 — Catalog refresh: NEW plugin 1200 AWS Inspector2 / GuardDuty Enablement Auditor — paired with EE 0.6.1 trio-publish (patch-level new-plugin extension — first AWS-managed-threat-detection substrate audit; plugin count 21 → 22)
|
|
41
|
+
|
|
42
|
+
**Trio-publish institutionalization continued.** Paired with EE 0.6.1 + CE 0.1.55 — **twelfth consecutive trio-publish across EE + CE + agent-skill in a single session** (0.4.5–0.6.1).
|
|
43
|
+
|
|
44
|
+
### What changed
|
|
45
|
+
|
|
46
|
+
- **`references/plugins.md`** — **NEW plugin 1200 row** added: 4 active SOC 2 dimensions (GuardDuty Detector enablement per region CC7.1, GuardDuty protection-feature coverage CC7.1 — institutional baseline S3_DATA_EVENTS / EKS_AUDIT_LOGS / EBS_MALWARE_PROTECTION / RDS_LOGIN_EVENTS / LAMBDA_NETWORK_LOGS / RUNTIME_MONITORING, Inspector2 enablement CC7.1+CC7.2, Inspector2 scan-target coverage CC7.1 zero / CC7.2 partial). First AWS-managed-threat-detection substrate audit. HIGH on `gd-not-enabled` silent-blind class; HIGH on `inspector2-disabled` / SUSPENDED silent-blind class for CVE coverage on EC2/ECR/Lambda; HIGH on `inspector2-coverage-zero` (enabled overall but zero scan targets active); MEDIUM on partial coverage with explicit `disabledResources`. **6 same-session R1 reviewer folds applied** including R1-CRITICAL-1 soc2.json titlePattern misalignment closure (4 patterns; would have silently failed CC7.1/CC7.2 compliance routing) + R1-CRITICAL-1 AccessDenied distinct findings + R1-CRITICAL-2 legacy DataSources case normalization + R1-HIGH-2 SUSPENDED/DISABLED Detector silent-blind closure + R1-HIGH-3/4 dead-code drift closures.
|
|
47
|
+
- **`SKILL.md`** — plugin count enumeration 21 → 22; "post-EE 0.6.0" → "post-EE 0.6.1".
|
|
48
|
+
- **`peerDependencies`** floor: unchanged at `nsauditor-ai >=0.1.40`.
|
|
49
|
+
|
|
50
|
+
### Recommended upgrade path
|
|
51
|
+
|
|
52
|
+
```bash
|
|
53
|
+
npm install nsauditor-ai-agent-skill@0.1.22
|
|
54
|
+
# (paired with EE 0.6.1 + CE 0.1.55; AI-coding-agent users only)
|
|
55
|
+
```
|
|
56
|
+
|
|
57
|
+
---
|
|
58
|
+
|
|
7
59
|
## 0.1.21 — Catalog refresh: NEW plugin 1160 AWS VPC Endpoints / PrivateLink Auditor — paired with EE 0.6.0 trio-publish (minor-version milestone — first new plugin since EE 0.4.7; plugin count 20 → 21)
|
|
8
60
|
|
|
9
61
|
**Trio-publish institutionalization continued.** Paired with EE 0.6.0 + CE 0.1.54 — **eleventh consecutive trio-publish across EE + CE + agent-skill in a single session** (0.4.5–0.6.0). Opens the v0.6.x line with new plugin breadth.
|
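Review bot: the 0.1.23 "What changed" bullet for references/plugins.md lists v2 items (a), (b) and (e) and skips (c) and (d) without saying why, so a reader of the changelog alone cannot tell whether the gap is intentional; add a clause such as "items (c) alerting-destination check and (d) BatchGetAccountStatus contract verification deferred to 0.6.3", which is the status the plugins.md row in this same release gives them. The operator-opts bullet gives `regionListCap: 1..256` as a range only; state the default (64, per the plugins.md row) beside it, since that is the value an operator hits when a long region list is truncated. The Compatibility sentence "still work, they just lack the v2 dim awareness" is a comma splice; a semicolon or "but" reads cleaner.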
package/README.md
CHANGED
|
@@ -106,11 +106,11 @@ This package provides **knowledge about** NSAuditor AI. To actually **run** scan
|
|
|
106
106
|
|
|
107
107
|
| Edition | Price | Highlights |
|
|
108
108
|
|---------|-------|-----------|
|
|
109
|
-
| **Community** | Free / MIT |
|
|
109
|
+
| **Community** | Free / MIT | 27 plugins (service probes + host/network discovery + intelligence/meta), basic AI, SARIF, CTEM, scan history |
|
|
110
110
|
| **Pro** | $49/mo | + CVE matching, verification probes, risk scoring, 3 Pro plugins (040 TLS / 050 TRIBE / 060 DNS) |
|
|
111
|
-
| **Enterprise** | $2k+/yr | +
|
|
111
|
+
| **Enterprise** | $2k+/yr | + 22 cloud-substrate auditor plugins (1020-1200 range; AWS / GCP / Azure SOC 2 evidence-pack), Zero Trust, RFC 3161 timestamps, chain-of-custody attestations, air-gapped deployment |
|
|
112
112
|
|
|
113
|
-
→ [Pricing](https://www.nsauditor.com/ai/pricing
|
|
113
|
+
→ [Pricing](https://www.nsauditor.com/ai/pricing/)
|
|
114
114
|
|
|
115
115
|
## Related
|
|
116
116
|
|
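Review bot: the Community and Enterprise rows at lines 109 and 111 now carry the same edition details as the SKILL.md edition table changed later in this diff, but with different wording ("SARIF, CTEM" versus "CTEM, SARIF"; the Enterprise row here says "AWS / GCP / Azure SOC 2 evidence-pack" while the SKILL.md row adds "10 covered + 4 partial controls"), so the two tables will drift as plugins are added; either make one the canonical source and link to it from the other, or keep the rows textually identical. The trailing-slash fix on the pricing link at line 113 is consistent with the other three occurrences in this diff.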
package/SKILL.md
CHANGED
|
@@ -206,22 +206,39 @@ ApproximateAgeOfOldestMessage + SNS NumberOfNotificationsFailed; closes 1 CRITIC
|
|
|
206
206
|
false-CLEAN class on empty-AlarmActions silent-PASS per R-CRITICAL fold; first
|
|
207
207
|
plugin-1150 dim to cross an SDK boundary — SQS+SNS → CloudWatch), AWS EC2
|
|
208
208
|
SG Perimeter Auditor (1170 v2 — RESTRICTED_PORTS 23 ports per CIS AWS Foundations
|
|
209
|
-
v3.0), AWS
|
|
210
|
-
|
|
211
|
-
|
|
212
|
-
AWS
|
|
213
|
-
|
|
214
|
-
|
|
215
|
-
|
|
216
|
-
|
|
217
|
-
|
|
218
|
-
|
|
219
|
-
|
|
220
|
-
|
|
209
|
+
v3.0), AWS VPC Endpoints / PrivateLink Auditor (1160 — NEW in EE 0.6.0; first plugin
|
|
210
|
+
to audit the PrivateLink isolation boundary; 4 dims: endpoint policy permissive
|
|
211
|
+
principals CC6.6, PrivateDNS enabled CC6.6, endpoint state A1.2+CC7.2, type substrate
|
|
212
|
+
Privacy+CC6.6), AWS ElastiCache Redis Auditor (1180 v2 — extended in EE 0.4.9:
|
|
213
|
+
kms:DescribeKey promotion + subnet route-table verifier; closes both v1 deferred items
|
|
214
|
+
R-MEDIUM-3 + R-LOW-2; main-RT-inheritance false-NEGATIVE closure per R-MEDIUM-2
|
|
215
|
+
reviewer-fold), AWS SES Email Integrity Auditor (1190 v3 — extended in EE 0.5.0 +
|
|
216
|
+
consolidated in EE 0.5.2 + v3 extension in EE 0.5.3: DKIM CNAME DNS resolution + DMARC
|
|
217
|
+
TXT record parser + SES classic API parity + deferred-items sweep + DKIM public-key
|
|
218
|
+
fingerprint capture/pin + in-band DMARC alignment classifier; closes 1 CRITICAL
|
|
219
|
+
false-CLEAN class on DMARC pct=0 per R-CRITICAL-1 fold + 1 HIGH false-NEGATIVE class
|
|
220
|
+
on DMARC sp subdomain-policy override per R-HIGH-1 fold + new MEDIUM
|
|
221
|
+
ses-dkim-dns-partial-with-transients per v2.1 R-MEDIUM-2 fold + silent-loss-class
|
|
222
|
+
closure on SES classic API quota exhaustion via cause: "classic-sdk-quota-exhausted"
|
|
223
|
+
per v2.1 R-HIGH-2 reviewer-fold; first plugin in EE to depend on node:dns/promises
|
|
224
|
+
for live DNS cross-reference), AWS Inspector2 / GuardDuty Enablement Auditor (1200 v2 —
|
|
225
|
+
NEW in EE 0.6.1, extended in EE 0.6.2; first AWS-managed-threat-detection substrate
|
|
226
|
+
audit; bundles two services per the plugin 1150 precedent; v2 grows scope across
|
|
227
|
+
multi-region enumeration via ec2:DescribeRegions / per-region dispatch / per-region
|
|
228
|
+
finding tags + GuardDuty FindingPublishingFrequency check (CC7.1 detection-latency;
|
|
229
|
+
operator-tunable baseline; ordering-based comparison via `_GD_FREQUENCY_RANK`) +
|
|
230
|
+
Inspector2 baseline expansion (+lambdaCode +codeRepository per Inspector2 GA 2024+);
|
|
231
|
+
operator opts `regions[]` / `skipMultiRegion` / `regionListCap` (1..256 clamp) /
|
|
232
|
+
`gdFrequencyPassFrequency`; closes FedRAMP / StateRAMP / IL5+ false-PASS class via
|
|
233
|
+
R-HIGH-1 4-part region regex fold admitting `us-gov-*` + `us-iso*-*` IDs;
|
|
234
|
+
soft-degrade on DescribeRegions AccessDenied → fall back to client's configured
|
|
235
|
+
region + distinct LOW finding; 4 dims active dim 5 org-scope deferred to 0.6.3
|
|
236
|
+
R-MEDIUM-2; 6 R1 reviewer folds in 0.6.1 incl. R1-CRITICAL-1 soc2.json titlePattern
|
|
237
|
+
misalignment closure + 4 R1 folds in 0.6.2 — 0 R-CRITICAL clean review pass).
|
|
221
238
|
**EE plugin IDs use the disjoint 1000+ range** (per EE 0.3.9 renumbering) to avoid
|
|
222
239
|
CE collision. CE reserves 001-099.
|
|
223
240
|
|
|
224
|
-
**EE SOC 2 substrate-evidence coverage (post-EE 0.6.
|
|
241
|
+
**EE SOC 2 substrate-evidence coverage (post-EE 0.6.2):** 10 covered controls (CC6.1 /
|
|
225
242
|
CC6.2 / CC6.6 / CC6.7 / CC6.8 / CC7.1 / CC7.2 / CC7.3 / C1.1 / C1.2) + 4 partial
|
|
226
243
|
(CC6.3 / CC8.1 / A1.2 / PI1.5) + 33 OOS for static substrate scanning. Coverage matrix
|
|
227
244
|
is institutionally honest: substrate-evidence depth grows release-over-release without
|
|
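Review bot: line 235 reads "4 dims active dim 5 org-scope deferred to 0.6.3 R-MEDIUM-2", which lacks the separators needed to parse it; suggest "4 dims active; dim 5 org-scope deferred to 0.6.3 per R-MEDIUM-2". More broadly, lines 209-237 are one 29-line parenthetical covering plugins 1160, 1180, 1190 and 1200, and this is the text an AI agent has to read to learn what each plugin does; one entry per plugin, with the reviewer-fold history left to references/plugins.md (which already carries it), would make the catalog far easier to retrieve from. Also, the 0.1.23 changelog bullet for SKILL.md mentions only the "post-EE 0.6.1" to "post-EE 0.6.2" string change, while this hunk also rewrites the plugin 1200 entry for v2 (lines 224-237, multi-region enumeration, FindingPublishingFrequency check, GovCloud/ISO regex); list that in the changelog too.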
@@ -383,11 +400,11 @@ Add to your MCP configuration with the same command/args pattern.
|
|
|
383
400
|
|
|
384
401
|
| Edition | Price | Key Features |
|
|
385
402
|
|---------|-------|-------------|
|
|
386
|
-
| **Community** | Free / MIT |
|
|
403
|
+
| **Community** | Free / MIT | 27 plugins (service probes + host/network discovery + intelligence/meta), basic AI, CTEM, SARIF, scan history |
|
|
387
404
|
| **Pro** | $49/mo | + CVE matching, verification probes, risk scoring, Pro plugins (040 TLS / 050 TRIBE / 060 DNS) |
|
|
388
|
-
| **Enterprise** | $2k+/yr | +
|
|
405
|
+
| **Enterprise** | $2k+/yr | + 22 cloud-substrate auditor plugins (1020-1200 range) covering AWS / GCP / Azure against SOC 2 (10 covered + 4 partial controls); Zero Trust; SOC 2 evidence-pack generation; RFC 3161 timestamps; chain-of-custody attestations; air-gapped deployment |
|
|
389
406
|
|
|
390
|
-
→ [Pricing](https://www.nsauditor.com/ai/pricing
|
|
407
|
+
→ [Pricing](https://www.nsauditor.com/ai/pricing/)
|
|
391
408
|
|
|
392
409
|
---
|
|
393
410
|
|
|
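Review bot: the Enterprise row at line 405 restates "10 covered + 4 partial controls", a count that also appears in the coverage paragraph at lines 241-243 of the same file and which that paragraph says grows release-over-release; keep the count in one place (the coverage paragraph) and have the table row refer to it, so the next plugin release does not leave the two out of sync. Minor style: this row separates features with semicolons while the Community and Pro rows above it use commas.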
@@ -199,7 +199,7 @@ Scan history is stored in .scan_history/ as JSONL for trend analysis."
|
|
|
199
199
|
3. Agent response:
|
|
200
200
|
"CVE lookup via NSAuditor requires a Pro license. Here are your options:
|
|
201
201
|
|
|
202
|
-
1.
|
|
202
|
+
1. View Pro/Enterprise pricing: https://www.nsauditor.com/ai/pricing/
|
|
203
203
|
2. Set NSAUDITOR_LICENSE_KEY in your MCP server environment
|
|
204
204
|
3. Manual lookup: search nvd.nist.gov for 'openssh 8.9' directly
|
|
205
205
|
|
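Review bot: the file this hunk belongs to is not shown; the file list at the top names package/examples/agent-interactions.md with +1 -1, and the hunk header context ("Scan history is stored in .scan_history/ as JSONL") does not match SKILL.md, so the file header should precede this hunk in the rendering. On the change itself, the sample agent response now lists pricing as option 1 and the license-key step as option 2, whereas the workflows.md hunk in this same diff puts pricing last as item 4 after the license key and the CE alternative; align the two orderings so the example response and the workflow reference give the agent the same sequence.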
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "nsauditor-ai-agent-skill",
|
|
3
|
-
"version": "0.1.
|
|
3
|
+
"version": "0.1.23",
|
|
4
4
|
"description": "AI Agent Skill for NSAuditor AI — gives any AI coding agent built-in knowledge of NSAuditor's MCP tools, schemas, plugins, and security audit workflows.",
|
|
5
5
|
"keywords": [
|
|
6
6
|
"nsauditor",
|
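Review bot: only the `version` line changes in this hunk, so the changelog's statement that the `peerDependencies` floor is "unchanged at nsauditor-ai >=0.1.40" cannot be checked from the diff; since the paired install in the changelog pins nsauditor-ai@0.1.56 and EE 0.6.2, consider stating in the changelog which CE/EE versions the 0.1.23 catalog was validated against, or whether >=0.1.40 still reflects the oldest CE whose tool schemas the skill matches. The `description` at line 4 also does not mention the Enterprise cloud-substrate plugin catalog that now makes up most of SKILL.md, so registry search on "SOC 2" or "AWS" will not surface this package.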
package/references/plugins.md
CHANGED
|
@@ -185,6 +185,7 @@ listings, and default pages.
|
|
|
185
185
|
| 1160 | AWS VPC Endpoints / PrivateLink Auditor (**NEW EE 0.6.0** — first new plugin since EE 0.4.7; first plugin to audit the PrivateLink isolation boundary; plugin count 20 → 21) | Enterprise | Audits AWS VPC endpoints (Interface + Gateway flavors) against **4 SOC 2 substrate-evidence dimensions** — VPC endpoints govern VPC-to-managed-service traffic without public-internet traversal (PrivateLink primitive). **Complements plugin 1170 SG perimeter** (1170 = layer-4 ingress; 1160 = service-layer perimeter). **Dim 1 — Endpoint policy permissive principals** (CC6.6 segmentation; wildcard-Principal classifier mirroring plugin 1150 SNS topic-policy discipline; NotPrincipal-Allow + Action-sensitivity filter via `_VPCE_SENSITIVE_ACTIONS` frozen Set; unconditional wildcard on sensitive action = CRITICAL — PrivateLink isolation BROKEN at policy layer; WITH Condition = HIGH walkthroughRequired). **Dim 2 — PrivateDNS enabled** (CC6.6; Interface + PrivateDnsEnabled=false = MEDIUM silent-bypass class — clients still resolve service-public hostname → traffic over public internet; Gateway = INFO not-applicable). **Dim 3 — Endpoint state** (A1.2 + CC7.2; `available` = PASS / `failed` = HIGH silent-failure / transient = INFO / unknown enum = LOW + evidenceGap). **Dim 4 — Endpoint type substrate disclosure** (Privacy + CC6.6; INFO substrate evidence per VPC). **2 same-session reviewer folds** (R-MEDIUM unknown-type fail-safe defaults to Interface — safer audit path; R-NIT Effect case-insensitivity regression pin). **No new SDK deps** — `@aws-sdk/client-ec2` already declared since EE 0.4.5 (used by plugin 1170 + plugin 1180 v2). 7 new soc2.json titlePattern entries (5 CC6.6 + 2 CC7.2/A1.2 dual-mapped). 57 plugin tests + 2 reviewer-fold pins (59 total). Synthetic-mock validation only — no VPC endpoint paired fixtures yet in test-infra-builder. | CC6.6 / A1.2 / CC7.2 / Privacy (substrate) |
|
|
186
186
|
| 1170 | AWS EC2 SG Perimeter Auditor (v2 — extended in EE 0.4.6) | Enterprise | Orthogonal evidence to plugin 1023 zero-trust-checker (1023 reads OBSERVED open ports; 1170 reads DECLARED SG policy via DescribeSecurityGroups). 6 dimensions: IPv4 0.0.0.0/0 ingress to **RESTRICTED_PORTS (v2: 23 ports per CIS AWS Foundations v3.0)** — SSH/RDP/MS SQL/MySQL/Postgres/Redshift/Redis/Memcached/MongoDB/Elasticsearch/CouchDB/Docker/Kubelet/K8s-API/etcd/Kibana/InfluxDB/Kafka/Consul/ZooKeeper/Vault CRITICAL + IPv6 ::/0 sibling CRITICAL + all-protocol (-1) wildcard CRITICAL + public ingress to non-restricted ports INFO + egress 0.0.0.0/0 INFO + orphan SG (no attached ENI) LOW governance. **v2: `opts.additionalRestrictedPorts` operator-config knob** + **per-SG cardinality cap with rollup trailer** (defends against finding-size DoS on 1000+ SG accounts) + **system-managed-SG name-prefix exclusion list** (ElasticMapReduce- / eks-cluster-sg- / AWSServiceRole / awseb- prefixes excluded from orphan-detection). UserIdGroupPairs rules surfaced as INFO + evidenceGap; transitive SG→SG chain analysis deferred to v3 | CC6.6 / CC6.2 |
|
|
187
187
|
| 1180 | AWS ElastiCache Redis Auditor (v2 — extended in EE 0.4.9) | Enterprise | First plugin in 1170-1180 ID range. **6 SOC 2 substrate-evidence dimensions** (v1 unchanged in count; v2 grew dims 2 + 6 in scope). **v1 dims preserved:** transit encryption (TransitEncryptionEnabled wraps RESP in TLS; HIGH on disabled) + Redis AUTH/IAM-auth user groups (PASS on UserGroupIds; MEDIUM no-authentication) + Multi-AZ deployment (HIGH disabled / INFO standalone-not-applicable / INFO+evidenceGap on transient enabling/disabling states) + SnapshotRetentionLimit cadence (HIGH=0 / MEDIUM 1-6 / PASS ≥7; operator-tunable `opts.snapshotRetentionPassMinDays`). Dual API enumeration (DescribeReplicationGroups + DescribeCacheClusters) with inter-API dedup. **v2 GROWN dims (EE 0.4.9 EE-RT.17 v2):** **dim 2 at-rest encryption + KMS key custody** — original four-tier ladder (HIGH disabled → MEDIUM AWS-owned-default → MEDIUM `alias/aws/elasticache` → PASS customer-managed CMK + LOW+evidenceGap on `:key/UUID` per conservative-classifier-principle) **PLUS v2 kms:DescribeKey cross-reference promotion** (mirrors plugin 1140 v2): UNVERIFIABLE `:key/UUID` ARN shapes promoted via KeyMetadata.KeyManager to deterministic PASS `elasticache-at-rest-customer-managed-kms-promoted` (CUSTOMER) / MEDIUM `elasticache-at-rest-aws-managed-kms-promoted` (AWS); conservative on AccessDenied/NotFound/unknown KeyManager. 
**dim 6 subnet routing** — v1 INFO substrate (`elasticache-subnet-group-substrate`) plus **v2 ec2:DescribeRouteTables verifier** that walks the cache subnet group's subnets via elasticache:DescribeCacheSubnetGroups + filtered ec2:DescribeRouteTables, classifying each subnet on Internet Gateway route presence via /^igw-[a-f0-9]+$/i (correctly excludes egress-only eigw-): HIGH `elasticache-subnet-public-route-detected` (with per-subnet `igwDestinationsBySubnet` evidence per R-HIGH-1 fold) / PASS `elasticache-subnet-private-verified` (all subnets verified IGW-free) / LOW + evidenceGap `elasticache-subnet-main-rt-inheritance` per R-MEDIUM-2 false-NEGATIVE closure (default-VPC main-RT typically routes `0.0.0.0/0 → igw-*`) / LOW + evidenceGap `elasticache-subnet-verification-unverifiable` on AccessDenied. **Cross-plugin sister of plugin 1170 SG perimeter** (layer-3 subnet→IGW vs layer-4 SG ingress policy). **7 same-session v2 reviewer folds** (HIGH-1 IGW destination evidence; MEDIUM-2 main-RT-inheritance false-NEGATIVE closure; MEDIUM-3 cache-key naming; LOW-6/7/9/10/11 + NIT-12). **Per-resource caching** prevents N×M API explosion (kmsKeyManagerCache + subnetGroupCache + subnetSetRoutingCache). **No new SDK deps** — @aws-sdk/client-kms + @aws-sdk/client-ec2 reused from EE 0.4.5. **Real-AWS smoke END-TO-END against 522412052794**: R-MEDIUM-2 fold escalation demonstrably firing in production (`redis-leaky-cache` → dim 6 LOW main-RT-inheritance). | CC6.1 / CC6.2 / CC6.6 / A1.2 / C1.1 |
|
|
188
|
+
| 1200 | AWS Inspector2 / GuardDuty Enablement Auditor (NEW EE 0.6.1, **EXTENDED EE 0.6.2 v2** — multi-region enumeration + FindingPublishingFrequency check + Inspector2 baseline expansion; closes FedRAMP / StateRAMP / IL5+ false-PASS class for GovCloud + ISO regions; plugin count UNCHANGED at 22 — existing plugin grew ~870 → ~1400 lines) | Enterprise | Audits AWS GuardDuty + AWS Inspector2 enablement state across **all opted-in regions** — **foundation-layer institutional evidence for CC7.1 detection procedures + CC7.2 monitoring** (an audit pack without managed-threat-detection evidence has no AWS-native anomaly-detection or CVE-detection stream). **v2 EE 0.6.2 GROWN scope** (closes 3 of 4 R2-deferred items from EE-RT.20 v1): **(a) Multi-region enumeration** — `ec2:DescribeRegions` enumerates opted-in regions (AllRegions=false defensively); per-region GuardDuty + Inspector2 dispatch; per-region findings carry region tag. Operator opts: `regions: string[]` (filter to subset, validated + deduped + capped 64 default), `skipMultiRegion: true` (cost-sensitive opt-out), `regionListCap` (1..256 clamp). Soft-degrade: EC2 SDK load failure / DescribeRegions AccessDenied → fall back to `config.region` + distinct `_CAT_REGION_ENUM_ACCESSDENIED` LOW finding. Back-compat: legacy single-region opts (`_guardDutyClient` / `_inspector2Client` singular) still respected. **(b) GuardDuty FindingPublishingFrequency check** — CC7.1 detection-latency. `_classifyGuardDutyFrequency` 4 outcomes: PASS `gd-frequency-optimal` / LOW `gd-frequency-suboptimal` / LOW `gd-frequency-unverifiable` (null detector or unknown enum). Operator-tunable: `gdFrequencyPassFrequency` (FIFTEEN_MINUTES / ONE_HOUR / SIX_HOURS; default FIFTEEN_MINUTES). **Ordering-based comparison** via `_GD_FREQUENCY_RANK` map (R-HIGH-2 fold) — stricter actual = PASS even when operator tuned baseline upward. 
**(e) Inspector2 baseline expansion** — `lambdaCode` (Lambda code scanning) + `codeRepository` (Inspector2 GitHub/GitLab scanning, GA 2024+) added to `_INS_INSTITUTIONAL_BASELINE_RESOURCES` (was {ec2, ecr, lambda}; now {ec2, ecr, lambda, lambdaCode, codeRepository}). **v1 dims preserved (4 active dims; dim 5 org-scope deferred to 0.6.3):** Dim 1 GuardDuty Detector enablement per region (CC7.1 — HIGH `gd-not-enabled`) + Dim 2 GuardDuty protection-feature coverage (CC7.1 — institutional baseline S3_DATA_EVENTS / EKS_AUDIT_LOGS / EBS_MALWARE_PROTECTION / RDS_LOGIN_EVENTS / LAMBDA_NETWORK_LOGS / RUNTIME_MONITORING) + Dim 3 Inspector2 enablement (CC7.1 + CC7.2 — DISABLED/SUSPENDED = HIGH) + Dim 4 Inspector2 scan-target coverage (CC7.1 zero / CC7.2 partial). **4 same-session R1 v2 reviewer folds** (network-security + Explore in parallel; 0 R-CRITICAL clean review pass): **R-HIGH-1 region regex GovCloud + ISO support** — pre-fold `^[a-z]{2,}-[a-z]+-[0-9]+$` silently dropped 4-part region IDs (`us-gov-east-1` / `us-iso-east-1` / `us-isob-east-1` / `us-isof-south-1`); operator passing `regions: ["us-gov-east-1"]` got silent skip + false-PASS — institutional-critical for FedRAMP / StateRAMP / IL5+ scope. Post-fold `^[a-z]{2,}(-[a-z]+){1,2}-[0-9]+$` admits 3- AND 4-part IDs. + **R-HIGH-2 frequency ordering not equality** (described above). + **R-MEDIUM-1 `_REGION_LIST_CAP` defensibility** — pre-fold hardcoded 32 silently truncated 4-part regions (AWS has ~40+ regions in 2026); post-fold default raised to 64 + operator-tunable + explicit truncation warning. + **R-LOW-1 EC2 client instrumentation** — operator-supplied `_ec2Client` now receives Thread-H AccessDenied counter + throttle-retry contract uniformly. 
**R2 reviewer-deferred** (queued in EE-RT.20.2 / 0.6.3): alerting-destination check (item c — needs `@aws-sdk/client-eventbridge` + `@aws-sdk/client-securityhub` integrations) + BatchGetAccountStatus contract verification (item d) + R-MEDIUM-2 `_getInspector2AccountStatus` return-shape refactor + optional dim 5 org-scope. **6 R1 v1 folds (EE 0.6.1) preserved as regression pins**: R1-CRITICAL-1 soc2.json titlePattern misalignment closure (4 patterns) + R1-CRITICAL-1 AccessDenied distinct findings + R1-CRITICAL-2 legacy DataSources case normalization + R1-HIGH-2 SUSPENDED/DISABLED Detector Status guard + R1-HIGH-3/4 dead-code drift closures. **No new SDK deps** — `@aws-sdk/client-guardduty` + `@aws-sdk/client-inspector2` + `@aws-sdk/client-ec2` already in optionalDependencies. 7 new soc2.json titlePattern entries from v1 still anchored. v2 tests: +27 (21 base + 6 R1-fold regression pins). Synthetic-mock validation only — no multi-region GuardDuty/Inspector2 paired fixtures yet in test-infra-builder. | CC7.1 / CC7.2 |
|
|
188
189
|
| 1190 | AWS SES Email Integrity Auditor (NEW EE 0.4.7; EXTENDED EE 0.5.0 v2; CONSOLIDATED EE 0.5.2 v2.1; **EXTENDED EE 0.5.3 v3** — Part A DKIM public-key fingerprint capture/pin + Part B in-band DMARC alignment classifier; 5 same-session reviewer folds incl. 1 R-CRITICAL false-CLEAN closure on truncated DKIM keys via new `_stripControlCharsNoTruncate` helper; v2.1 closed — 7 deferred reviewer-fold items closed + new MEDIUM `ses-dkim-dns-partial-with-transients` category + module-load-time disjointness IIFE + silent-loss-class closure on SES classic API quota exhaustion via `cause: "classic-sdk-quota-exhausted"`) | Enterprise | **v2 EE 0.5.0 GROWN dims:** **dim 1 DKIM** — original substrate **PLUS v2 DKIM CNAME DNS resolution promotion**: each `<token>._domainkey.<domain>` CNAME resolved via node:dns/promises + matched against `<token>.dkim.amazonses.com` (case-insensitive per RFC 1035 §2.3.3); four outcomes PASS `ses-dkim-dns-verified` / MEDIUM `ses-dkim-dns-partial` / **HIGH `ses-dkim-dns-missing` (false-CLEAN closure: SES Status=SUCCESS but DNS removed)** / LOW + evidenceGap `ses-dkim-dns-unverifiable`. **dim 2 MailFrom** — original substrate **PLUS v2 DMARC TXT record parser + MailFrom promotion**: RFC 7489 §6.4 tag-list parser + `_dmarc.<identityDomain>` TXT lookup; five outcomes PASS `ses-dmarc-policy-reject` / MEDIUM `ses-dmarc-policy-quarantine` / HIGH `ses-dmarc-policy-none` / HIGH `ses-dmarc-missing` / LOW + evidenceGap `ses-dmarc-unverifiable`. **R-CRITICAL-1 fold (false-CLEAN closure)**: `pct=0` on `p=reject`/`p=quarantine` functionally equivalent to `p=none`; now routes to HIGH `ses-dmarc-policy-none`. **R-HIGH-1 fold (subdomain-takeover false-NEGATIVE closure)**: `sp` subdomain-policy override now evaluated — `p=reject; sp=none` downgrades to HIGH with `dmarcSpWeakens` (subdomain phishing wide open while apex protected). 
**dim 4 sending-auth policies** — original IAM-policy classifier **PLUS v2 SES classic GetIdentityPolicies parity**: `_loadSesClassicSdk` restored; cross-API discrepancy emits HIGH `ses-classic-policy-discrepancy` (classic-only — canonical false-NEGATIVE class) / MEDIUM (`_canonicalSort` JSON deep-equal ignores whitespace + key-order drift) / INFO (v2-only benign). Conservative on classic SDK unavailable / AccessDenied → LOW + evidenceGap. **v1 dims preserved unchanged:** TLS enforcement (dim 3) + dedicated IP pool (dim 5) + suppression list (dim 6 ZDE — count + reason only). **v2 promoter pattern**: sync v1 classifiers unchanged; async promoters walk collected findings post-classification. **R-HIGH-2 fold**: brittle `inTestMode = !!opts._client` coupling replaced with explicit `_skipV2Promotion` master switch + 3 orthogonal kill-switches. **First plugin in EE to depend on node:dns/promises** for live DNS cross-reference. **8 same-session v2 reviewer folds** (1 CRITICAL + 3 HIGH + 2 MEDIUM + 2 LOW); 6 queued in Pick-up Block. **Real-DNS smoke validation END-TO-END** against production resolvers (`_dmarc.nsasoft.us` parsed correctly: `p=reject, sp=reject, pct=100`; forward-compat `fo=1` tag preserved). Empty-account SESv2 enumeration baseline succeeded end-to-end against 522412052794. **v1 base (preserved):** First plugin in 1190-1199 ID range. Closes the next-highest-priority gap from `tasks/things-to-check.md` AWS SOC 2 audit-canonical compliance checklist after Redis closed in 0.4.6. 
**6 audit dimensions:** **DKIM enablement + signing status** (CC6.1 / Privacy — HIGH on `SigningEnabled=false`; transient PENDING/TEMPORARY_FAILURE/NOT_STARTED INFO + walkthroughRequired; FAILED MEDIUM on DNS drift; unknown enum LOW + evidenceGap per conservative-classifier-principle) + **custom MailFrom domain alignment** (Privacy substrate — INFO + walkthroughRequired on default amazonses.com / PASS on custom + Status=SUCCESS) + **configuration set TLS enforcement** (C1.1 — REQUIRE PASS / OPTIONAL HIGH SMTP-downgrade-attack window / non-string-but-truthy distinct LOW with `tlsPolicyType` evidence per R-MEDIUM-7 fold) + **identity sending authorization policy permissive principals** (CC6.6 — multi-class wildcard detector covering bare `"*"` / `{AWS:"*"}` / `{Service:"*"}` / `{Federated:"*"}` / `{CanonicalUser:"*"}` / array-form `[*]` per R-HIGH-4 fold + distinct HIGH `ses-sending-auth-notprincipal-allow` per R-CRITICAL-1 fold catching NotPrincipal+Allow wildcard-EQUIVALENT class + LOW + evidenceGap `ses-sending-auth-malformed-statement` per R-HIGH-2 fold) + **dedicated IP pool sending posture** (CC7.1 substrate, account-level — INFO + walkthroughRequired on configured pools / INFO on shared-pool default) + **suppression list state** (CC7.1 deliverability substrate — **ZDE invariant: NEVER reads suppressed-destination email addresses**; count + reason only; verified at run() envelope boundary via sentinel-string assertion per R-LOW-8 fold). Dual API surface discipline: v1 uses SESv2 only (canonical modern API); `@aws-sdk/client-ses` declared in optionalDependencies for v2+ cross-API parity. **11 same-session reviewer folds** — ties single-cycle reviewer-fold record. **CRITICAL-1 closure**: NotPrincipal+Allow false-CLEAN class (matches plugins 1070 + 1150 discipline). **HIGH-4 closure**: `_isWildcardPrincipal` walks every Principal class value (pre-fold only `principal.AWS` inspected, leaking `{Service:"*"}` + `{Federated:"*"}` as silent CLEAN). 
**No real-AWS smoke against violation-tier fixtures** — test-infra-builder has NO SES paired fixtures yet (full-stack fixtures deferred to v2 alongside DKIM CNAME DNS resolution + DMARC TXT record parsing); empty-account smoke baseline against 522412052794 DID succeed end-to-end. | CC6.1 / CC6.6 / C1.1 / CC7.1 (substrate) / Privacy (substrate) |
|
|
189
190
|
|
|
190
191
|
---
|
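Review bot: in the new 1200 row, `_classifyGuardDutyFrequency` is described as having "4 outcomes" but only three categories are listed (PASS `gd-frequency-optimal` / LOW `gd-frequency-suboptimal` / LOW `gd-frequency-unverifiable`); either a fourth outcome is missing from the row or the count is wrong, and an agent reading this will look for a fourth finding id. Separately, the row is inserted after 1180 and before 1190, breaking the numeric ordering the table otherwise keeps (1160, 1170, 1180, 1200, 1190); move it after the 1190 row. The post-fold region regex `^[a-z]{2,}(-[a-z]+){1,2}-[0-9]+$` does admit the four 4-part IDs named (`us-gov-east-1`, `us-iso-east-1`, `us-isob-east-1`, `us-isof-south-1`) as well as the 3-part form, and the pre-fold `^[a-z]{2,}-[a-z]+-[0-9]+$` does reject them, so the fold description checks out.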
package/references/workflows.md
CHANGED
|
@@ -298,4 +298,4 @@ User wants to...
|
|
|
298
298
|
1. `probe_service` and `get_vulnerabilities` require Pro license
|
|
299
299
|
2. Set `NSAUDITOR_LICENSE_KEY` environment variable
|
|
300
300
|
3. CE alternative: use `scan_host` (always available) + manual CVE research
|
|
301
|
-
4.
|
|
301
|
+
4. Pro/Enterprise pricing: https://www.nsauditor.com/ai/pricing/
|
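Review bot: item 4 at line 301 now carries the pricing URL with a trailing slash, matching the README and SKILL.md links changed in this diff. Its position differs from the sample agent response in examples/agent-interactions.md, where pricing is option 1 and the license-key step is option 2; align the two lists so the workflow reference and the example response give the agent the same sequence.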