nsauditor-ai-agent-skill 0.1.38 → 0.1.40
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +23 -1
- package/SKILL.md +1 -1
- package/package.json +1 -1
- package/references/plugins.md +1 -1
package/CHANGELOG.md
CHANGED
|
@@ -4,7 +4,29 @@ Release notes for **`nsauditor-ai-agent-skill`** — installable knowledge packa
|
|
|
4
4
|
|
|
5
5
|
---
|
|
6
6
|
|
|
7
|
-
## 0.1.
|
|
7
|
+
## 0.1.40 (STAGED 2026-05-23 — pending trio-publish) — Paired-release pin for EE 0.11.1 + CE 0.1.73 — PCI DSS v4.0.1 patch cycle (CAO authorship + 4 R-MEDIUM folds + `license --reset` subcommand)
|
|
8
|
+
|
|
9
|
+
**Cycle hook**: EE 0.11.1 ships the PCI DSS v4.0.1 patch cycle — the 4 R-MEDIUM authoring folds deferred from the EE 0.11.0 reviewer pass (CDE-scope badge + Req 12.8.5 TPSP matrix renderer + QSA enforcement-priority ranked view + CAO authorship for all 26 customized-eligible sub-requirements per Appendix D) PLUS the operator-discovered `nsauditor-ai license --reset` subcommand on the CE side. No agent-skill code changes — paired-publish for trio-publish discipline + customer discoverability.
|
|
10
|
+
|
|
11
|
+
**Plugin catalog**: UNCHANGED at 24 plugins; MCP tool signatures unchanged; schemas unchanged; workflows unchanged. **Coverage matrices ALL UNCHANGED** (SOC 2 10/4/33 + HIPAA 7/3/45 + NIST CSF 2.0 13/10/83 + PCI DSS 20/8/39 MVP-67 — pure patch cycle, no framework expansion).
|
|
12
|
+
|
|
13
|
+
**THIRTIETH consecutive trio-publish** institutionalized 0.4.5–0.11.1.
|
|
14
|
+
|
|
15
|
+
---
|
|
16
|
+
|
|
17
|
+
## 0.1.39 (PUBLISHED 2026-05-23) — Paired-release pin for EE 0.11.0 + CE 0.1.72 — PCI DSS v4.0.1 Track 3 fourth-framework cycle
|
|
18
|
+
|
|
19
|
+
**Cycle hook**: EE 0.11.0 introduces PCI DSS v4.0.1 (PCI SSC, June 2024 errata; supersedes v4.0 March 2022; v3.2.1 retired March 31, 2024) as the fourth compliance framework alongside SOC 2 (AICPA TSC 2017), HIPAA Security Rule §164.312, and NIST Cybersecurity Framework 2.0. The agent-skill catalog updates accordingly:
|
|
20
|
+
|
|
21
|
+
- `compliance_check` MCP tool description widened from "SOC 2 + HIPAA + NIST CSF 2.0" to "SOC 2 + HIPAA + NIST CSF 2.0 + PCI DSS v4.0.1" with the matching `--compliance soc2,hipaa,nist-csf,pci-dss` CSV invocation hint. PCI DSS sub-requirement examples baked into tool description: `Req 1.2.1` NSC config standards, `Req 8.4.1` MFA on non-console admin, `Req 10.2.1` audit logs enabled, `Req 11.3.1` quarterly internal vuln scans. Defined-vs-Customized Approach discipline per PCI DSS v4.0.1 Appendix E (15 Defined-only sub-requirements enforced at schema layer) + CHD Scope operator-attested via CDE Data Flow Diagram per Req 1.2.4 + card-brand AOC enforcement view (Visa CISP / Mastercard SDP / Amex DSOP / Discover DISC).
|
|
22
|
+
- `SKILL.md` framework-coverage table extended with PCI DSS v4.0.1 sub-requirement-level matrix (**20 covered / 8 partial / 39 OOS across 67 of ~250 sub-requirements at MVP-67 density**).
|
|
23
|
+
- `references/plugins.md` framework-bullet extended from "three compliance frameworks" to "four compliance frameworks" with PCI DSS v4.0.1 sub-requirement examples + Req 12 OOS-by-design entirely framing + Req 5 + Req 9 OOS-entirely framing + Drata PCI / Vanta PCI / AuditBoard PCI / OneTrust GRC pairing-platform names.
|
|
24
|
+
|
|
25
|
+
**Plugin catalog**: UNCHANGED at 24 plugins; MCP tool signatures unchanged; schemas unchanged; workflows unchanged. **Twenty-ninth consecutive trio-publish** institutionalized 0.4.5–0.11.0.
|
|
26
|
+
|
|
27
|
+
---
|
|
28
|
+
|
|
29
|
+
## 0.1.38 (PUBLISHED 2026-05-22) — Paired-release pin for EE 0.10.0 + CE 0.1.71 — NIST CSF 2.0 Track 3 third-framework cycle
|
|
8
30
|
|
|
9
31
|
**Cycle hook**: EE 0.10.0 introduces NIST Cybersecurity Framework 2.0 (NIST CSWP 29, February 2024) as the third compliance framework alongside SOC 2 (AICPA TSC 2017) and HIPAA Security Rule §164.312. The agent-skill catalog updates accordingly:
|
|
10
32
|
|
package/SKILL.md
CHANGED
|
@@ -144,7 +144,7 @@ These tools return a license upgrade prompt on CE installations:
|
|
|
144
144
|
| `save_finding` | Pro | Persist a validated finding to the finding queue |
|
|
145
145
|
| `start_assessment` | Enterprise | Multi-host orchestrated security assessment |
|
|
146
146
|
| `prioritize_risks` | Enterprise | Cross-host risk prioritization and ranking |
|
|
147
|
-
| `compliance_check` | Enterprise | SOC 2 (AICPA TSC 2017) + HIPAA (§164.312 Technical Safeguards) + NIST CSF 2.0 Core gap analysis — all
|
|
147
|
+
| `compliance_check` | Enterprise | SOC 2 (AICPA TSC 2017) + HIPAA (§164.312 Technical Safeguards) + NIST CSF 2.0 Core + **PCI DSS v4.0.1** (sub-requirement-level for QSA RoC; PCI SSC June 2024 errata) gap analysis — all four shipped (SOC 2 EE 0.3.x; HIPAA EE 0.9.0; NIST CSF 2.0 EE 0.10.0; **PCI DSS v4.0.1 EE 0.11.0**). ISO 27001:2022 / CIS Controls v8 planned. Multi-framework via `--compliance soc2,hipaa,nist-csf,pci-dss` (any CSV subset; quad-framework one-scan produces four complete auditor-ready evidence packs). PCI DSS sub-requirement examples: `Req 1.2.1` NSC config standards, `Req 8.4.1` MFA on non-console admin, `Req 10.2.1` audit logs enabled, `Req 11.3.1` quarterly internal vuln scans. Defined-vs-Customized Approach discipline per Appendix E (15 Defined-only sub-requirements enforced at schema layer; CHD Scope operator-attested via CDE DFD per Req 1.2.4; card-brand AOC enforcement view — Visa CISP / Mastercard SDP / Amex DSOP / Discover DISC). |
|
|
148
148
|
| `export_report` | Enterprise | Formatted compliance/risk report (PDF, HTML) |
|
|
149
149
|
|
|
150
150
|
---
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "nsauditor-ai-agent-skill",
|
|
3
|
-
"version": "0.1.
|
|
3
|
+
"version": "0.1.40",
|
|
4
4
|
"description": "AI Agent Skill for NSAuditor AI — gives any AI coding agent built-in knowledge of NSAuditor's MCP tools, schemas, plugins, and security audit workflows.",
|
|
5
5
|
"keywords": [
|
|
6
6
|
"nsauditor",
|
package/references/plugins.md
CHANGED
|
@@ -161,7 +161,7 @@ listings, and default pages.
|
|
|
161
161
|
|
|
162
162
|
## Enterprise Plugins (24)
|
|
163
163
|
|
|
164
|
-
> **EE plugin ID range.** As of EE 0.3.9 (2026-05-12), all EE plugins use the disjoint **1000+ ID range** to avoid CE collision. The earlier 020/021/022/023/030/040/050/060 IDs were renumbered to 1020/1021/1022/1023/1030/1040/1050/1060. CE reserves 001-099. EE plugins audit AWS / GCP / Azure cloud substrate end-to-end against **
|
|
164
|
+
> **EE plugin ID range.** As of EE 0.3.9 (2026-05-12), all EE plugins use the disjoint **1000+ ID range** to avoid CE collision. The earlier 020/021/022/023/030/040/050/060 IDs were renumbered to 1020/1021/1022/1023/1030/1040/1050/1060. CE reserves 001-099. EE plugins audit AWS / GCP / Azure cloud substrate end-to-end against **four compliance frameworks** (post-EE 0.11.0): the AICPA Trust Services Criteria 2017 (SOC 2), the HIPAA Security Rule §164.312 Technical Safeguards (2013 Final Rule), **NIST Cybersecurity Framework 2.0 Core** (NIST CSWP 29, February 2024), and **PCI DSS v4.0.1** (PCI SSC, June 2024 errata; supersedes v4.0 March 2022; v3.2.1 retired March 31, 2024). Each plugin's findings route to ALL FOUR frameworks via the framework-agnostic engine + per-framework control-citation map (renderer cites SOC 2 CC IDs in SOC 2 reports, HIPAA §164.312 in HIPAA reports, NIST CSF Subcategory IDs like PR.AA-01 / DE.CM-01 / RC.RP-03 in NIST reports, and PCI DSS sub-requirement IDs like `Req 1.2.1` / `Req 8.4.1` / `Req 10.2.1` / `Req 11.3.1` in PCI reports — closes cross-framework citation leak in all **6 pair-directions** C(4,2)=6). Every plugin is enterprise-gated by the `cloudScanners` capability and runs against customer-supplied cloud credentials. Multi-framework workflow: `--compliance soc2,hipaa,nist-csf,pci-dss` (any CSV subset) produces separate per-framework artifact sets in one scan (quad-framework one-scan produces four complete auditor-ready evidence packs). **Zero BAA required** for HIPAA — Zero Data Exfiltration architecture means ePHI never leaves customer infrastructure (and CHD never leaves for PCI DSS CDE-isolation threat models). **NIST CSF 2.0 Implementation Tiers 1-4** (Partial / Risk-Informed / Repeatable / Adaptive) are organizational-maturity claims explicitly OOS for infrastructure scanning — surfaced in renderer as cover-page Tiers OOS disclaimer section (markdown + HTML parity); pair with NIST-aware GRC platforms (Tugboat Logic, Drata NIST CSF, Vanta NIST CSF, AuditBoard). **PCI DSS v4.0.1 specifics**: sub-requirement-level mapping for QSA Report on Compliance workflow (MVP-67: 20 covered + 8 partial + 39 OOS across 67 of ~250 sub-requirements). **Req 12 Information Security Program OOS-by-design entirely** (Targeted Risk Analysis Req 12.3.1 + Customized Approach Documentation Req 12.3.2 + TPSP Responsibility Matrix Req 12.8.5 + IR personnel training Req 12.10.4 all Defined-only per Appendix E). **Req 5 anti-malware + Req 9 physical OOS-entirely** (endpoint EDR + facility-tier). **Req 3 stored CHD OOS-by-design at technical-control layer** pending operator CDE attestation via CDE Data Flow Diagram per Req 1.2.4 + Req 12.5.1. **Defined-vs-Customized Approach discipline per Appendix E** — 15 Defined-only sub-requirements enforced at schema layer. CAO text MVP-deferred to EE 0.11.1 patch. **Card-brand AOC enforcement priority view** (Visa CISP / Mastercard SDP / Amex DSOP / Discover DISC — the actual penalty mechanism). Pair with PCI-aware GRC platforms (Drata PCI, Vanta PCI, AuditBoard PCI module, OneTrust GRC).
|
|
165
165
|
|
|
166
166
|
| ID | Name | Tier | Purpose | SOC 2 Controls |
|
|
167
167
|
|----|------|------|---------|----------------|
|