nsauditor-ai-agent-skill 0.1.39 → 0.1.41

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3)
  1. package/CHANGELOG.md +21 -1
  2. package/SKILL.md +1 -1
  3. package/package.json +1 -1
package/CHANGELOG.md CHANGED
@@ -4,7 +4,27 @@ Release notes for **`nsauditor-ai-agent-skill`** — installable knowledge packa
4
4
 
5
5
  ---
6
6
 
7
- ## 0.1.39 (STAGED 2026-05-23 — pending trio-publish) — Paired-release pin for EE 0.11.0 + CE 0.1.72PCI DSS v4.0.1 Track 3 fourth-framework cycle
7
+ ## 0.1.41 (STAGED 2026-05-24 — pending trio-publish) — Paired-release pin for EE 0.12.0 + CE 0.1.74ISO/IEC 27001:2022 fifth-framework introduction
8
+
9
+ **Cycle hook**: EE 0.12.0 ships ISO/IEC 27001:2022 as the fifth Track 3 framework — 17 covered + 14 partial + 62 OOS across 93 Annex A controls (the complete Annex A universe across 4 themes). Statement of Applicability per Clause 6.1.3.d discipline + ISMS Clauses 4-10 OOS-by-design framing + 11 NEW 2022 controls + 5-attribute taxonomy + 2013-to-2022 transition discipline. Skill #18 `audit-iso-27001-2022-statement-of-applicability` authored 2026-05-24 via /skill-creator (705 lines / 5 files) per the institutional Per-Framework Adversarial-Audit Skill Pairing pattern. No agent-skill code changes — paired-publish for trio-publish discipline + customer discoverability.
10
+
11
+ **Plugin catalog**: UNCHANGED at 24 plugins; MCP tool signatures unchanged; schemas unchanged; workflows unchanged. **SOC 2 + HIPAA + NIST CSF + PCI DSS matrices ALL UNCHANGED**; **ISO/IEC 27001:2022 matrix NEW at 17/14/62 across 93 Annex A controls**.
12
+
13
+ **THIRTY-FIRST consecutive trio-publish** institutionalized 0.4.5–0.12.0.
14
+
15
+ ---
16
+
17
+ ## 0.1.40 (PUBLISHED 2026-05-23 to npm as `latest`) — Paired-release pin for EE 0.11.1 + CE 0.1.73 — PCI DSS v4.0.1 patch cycle (CAO authorship + 4 R-MEDIUM folds + `license --reset` subcommand)
18
+
19
+ **Cycle hook**: EE 0.11.1 ships the PCI DSS v4.0.1 patch cycle — the 4 R-MEDIUM authoring folds deferred from the EE 0.11.0 reviewer pass (CDE-scope badge + Req 12.8.5 TPSP matrix renderer + QSA enforcement-priority ranked view + CAO authorship for all 26 customized-eligible sub-requirements per Appendix D) PLUS the operator-discovered `nsauditor-ai license --reset` subcommand on the CE side. No agent-skill code changes — paired-publish for trio-publish discipline + customer discoverability.
20
+
21
+ **Plugin catalog**: UNCHANGED at 24 plugins; MCP tool signatures unchanged; schemas unchanged; workflows unchanged. **Coverage matrices ALL UNCHANGED** (SOC 2 10/4/33 + HIPAA 7/3/45 + NIST CSF 2.0 13/10/83 + PCI DSS 20/8/39 MVP-67 — pure patch cycle, no framework expansion).
22
+
23
+ **THIRTIETH consecutive trio-publish** institutionalized 0.4.5–0.11.1.
24
+
25
+ ---
26
+
27
+ ## 0.1.39 (PUBLISHED 2026-05-23) — Paired-release pin for EE 0.11.0 + CE 0.1.72 — PCI DSS v4.0.1 Track 3 fourth-framework cycle
8
28
 
9
29
  **Cycle hook**: EE 0.11.0 introduces PCI DSS v4.0.1 (PCI SSC, June 2024 errata; supersedes v4.0 March 2022; v3.2.1 retired March 31, 2024) as the fourth compliance framework alongside SOC 2 (AICPA TSC 2017), HIPAA Security Rule §164.312, and NIST Cybersecurity Framework 2.0. The agent-skill catalog updates accordingly:
10
30
 
package/SKILL.md CHANGED
@@ -144,7 +144,7 @@ These tools return a license upgrade prompt on CE installations:
144
144
  | `save_finding` | Pro | Persist a validated finding to the finding queue |
145
145
  | `start_assessment` | Enterprise | Multi-host orchestrated security assessment |
146
146
  | `prioritize_risks` | Enterprise | Cross-host risk prioritization and ranking |
147
- | `compliance_check` | Enterprise | SOC 2 (AICPA TSC 2017) + HIPAA (§164.312 Technical Safeguards) + NIST CSF 2.0 Core + **PCI DSS v4.0.1** (sub-requirement-level for QSA RoC; PCI SSC June 2024 errata) gap analysis — all four shipped (SOC 2 EE 0.3.x; HIPAA EE 0.9.0; NIST CSF 2.0 EE 0.10.0; **PCI DSS v4.0.1 EE 0.11.0**). ISO 27001:2022 / CIS Controls v8 planned. Multi-framework via `--compliance soc2,hipaa,nist-csf,pci-dss` (any CSV subset; quad-framework one-scan produces four complete auditor-ready evidence packs). PCI DSS sub-requirement examples: `Req 1.2.1` NSC config standards, `Req 8.4.1` MFA on non-console admin, `Req 10.2.1` audit logs enabled, `Req 11.3.1` quarterly internal vuln scans. Defined-vs-Customized Approach discipline per Appendix E (15 Defined-only sub-requirements enforced at schema layer; CHD Scope operator-attested via CDE DFD per Req 1.2.4; card-brand AOC enforcement view — Visa CISP / Mastercard SDP / Amex DSOP / Discover DISC). |
147
+ | `compliance_check` | Enterprise | SOC 2 (AICPA TSC 2017) + HIPAA (§164.312 Technical Safeguards) + NIST CSF 2.0 Core + PCI DSS v4.0.1 (sub-requirement-level for QSA RoC; PCI SSC June 2024 errata) + **ISO/IEC 27001:2022** (per-Annex-A-code-level for ISO/IEC 17021-1 certification body assessors; ISO + IEC October 2022; 2013 edition retired October 31, 2025) gap analysis — all five shipped (SOC 2 EE 0.3.x; HIPAA EE 0.9.0; NIST CSF 2.0 EE 0.10.0; PCI DSS v4.0.1 EE 0.11.0; **ISO/IEC 27001:2022 EE 0.12.0**). CIS Controls v8 planned. Multi-framework via `--compliance soc2,hipaa,nist-csf,pci-dss,iso-27001` (any CSV subset; penta-framework one-scan produces five complete auditor-ready evidence packs). ISO 27001 Annex A code examples: `A.5.15` Access control, `A.5.23` NEW 2022 Cloud services, `A.8.5` Secure authentication, `A.8.9` NEW 2022 Configuration management, `A.8.16` NEW 2022 Monitoring activities, `A.8.24` Use of cryptography. Statement of Applicability per Clause 6.1.3.d discipline + ISMS Clauses 4-10 OOS-by-design framing (7 Major Nonconformity classes — absence of internal audit per Clause 9.2 or management review per Clause 9.3 = auto-fail Stage 2) + 5-attribute taxonomy NEW in 2022 (controlType / informationSecurityProperties / cybersecurityConcepts [5 categories, NOT 6 like NIST CSF 2.0] / operationalCapabilities / securityDomains) + 2013-to-2022 transition discipline. Pair with ISO-aware GRC (Drata ISO 27001 / Vanta ISO 27001 / AuditBoard / OneTrust ISMS / Secureframe ISO 27001) for SoA workflow + internal audit + management review. PCI DSS sub-requirement examples: `Req 1.2.1` NSC config standards, `Req 8.4.1` MFA on non-console admin, `Req 10.2.1` audit logs enabled, `Req 11.3.1` quarterly internal vuln scans. 
Defined-vs-Customized Approach discipline per Appendix E (15 Defined-only sub-requirements enforced at schema layer; CHD Scope operator-attested via CDE DFD per Req 1.2.4; card-brand AOC enforcement view — Visa CISP / Mastercard SDP / Amex DSOP / Discover DISC). |
148
148
  | `export_report` | Enterprise | Formatted compliance/risk report (PDF, HTML) |
149
149
 
150
150
  ---
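Review bot: the replacement `compliance_check` row appears to span two physical lines: the first added line ends with a trailing space after "quarterly internal vuln scans." and the continuation "Defined-vs-Customized Approach discipline per Appendix E (... Discover DISC). |" sits on its own line. A Markdown table row must be a single line, so if that break is real the table closes early and the tail renders as a stray paragraph ending in "|"; keep the whole cell on one line as the removed 0.1.39 row was. Separately, this cell has grown into a multi-paragraph essay (framework editions, retirement dates, Annex A examples, nonconformity classes, GRC vendor pairings) while every other row in the table is a one-line summary; move the per-framework detail into a subsection under the tool and keep the row to the framework list plus the `--compliance soc2,hipaa,nist-csf,pci-dss,iso-27001` flag, which also makes the table readable by the agents this file is written for. Minor naming nit: the cell switches between "ISO/IEC 27001:2022" and "ISO 27001" within the same sentence; pick one form.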
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "nsauditor-ai-agent-skill",
3
- "version": "0.1.39",
3
+ "version": "0.1.41",
4
4
  "description": "AI Agent Skill for NSAuditor AI — gives any AI coding agent built-in knowledge of NSAuditor's MCP tools, schemas, plugins, and security audit workflows.",
5
5
  "keywords": [
6
6
  "nsauditor",
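Review bot: the version bump to "0.1.41" is the only non-documentation change in the diff, which matches the changelog's "No agent-skill code changes" statement, but it is not matched by the changelog status: the CHANGELOG hunk above still labels 0.1.41 as STAGED and pending trio-publish, so the released package.json and the released changelog disagree about whether 0.1.41 is published. Land the status flip in the same commit as the version bump so the two files cannot drift.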