nsauditor-ai-agent-skill 0.1.49 → 0.1.51
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +8 -0
- package/package.json +1 -1
package/CHANGELOG.md
CHANGED
|
@@ -4,6 +4,14 @@ Release notes for **`nsauditor-ai-agent-skill`** — installable knowledge packa
|
|
|
4
4
|
|
|
5
5
|
---
|
|
6
6
|
|
|
7
|
+
## 0.1.51 (2026-05-28) — Paired-release pin for EE 0.15.3 + CE 0.1.84 — plugin 1020 object-level ACL enumeration + BucketOwnerEnforced short-circuit
|
|
8
|
+
|
|
9
|
+
Paired-release pin for the EE 0.15.3 patch cycle: closes the 4th and final S3 public-exposure vector (object-level ACLs) documented as a residual in the 0.15.2 closure. Plugin 1020 gains NEW step 2c sampled `GetObjectAcl` enumeration over first-page objects (`AWS_S3_AUDIT_OBJECT_SAMPLE_CAP` default 10, clamped `[1, 1000]`; `AWS_S3_AUDIT_OBJECT_RATE_MS` default 50ms throttle BEFORE each call) + NEW step 2a `GetBucketOwnershipControls` upstream short-circuit that skips both 2b (bucket-ACL) and 2c (object-ACL) on `BucketOwnerEnforced` buckets — the default on every bucket created after April 2023; saves 11+ API calls per BOE bucket on modern estates AND closes a false-positive class. **INTENTIONAL MATRIX DELTA from 0.15.2**: BOE buckets with legacy stored public bucket-ACL grants previously emitted CRITICAL via 2b; they now emit informational only (downgraded to the BOE informational) because S3 structurally ignores ACL grants under BOE — the prior CRITICAL was a false-positive class. BOE short-circuit is unconditional (no env-var override). NEW shared `extractPublicGroups` helper used by BOTH step 2b (refactored byte-identical) AND step 2c. 4 LOW evidence-gap emissions via NEW `"S3 object-ACL evidence-gap"` substring anchor on SOC 2 CC7.1 + HIPAA §164.312(b). **Plugin count UNCHANGED at 28 (cloud-substrate 27); all six coverage matrices UNCHANGED**. No new dependencies; EE regression 6601/6601 GREEN (+33 tests vs the 6568 baseline). Live AWS smoke against acct 522412052794 — all 4 spot-checks PASS (BOE detection; E1 CRITICAL en-dash byte preservation; cap clamping; objectRateMs throttling). No standalone agent-skill code changes.
|
|
10
|
+
|
|
11
|
+
## 0.1.50 (2026-05-27) — Paired-release pin for EE 0.15.2 + CE 0.1.83 — audit-accuracy calibration + CloudTrail hardening + Azure 1221/1222 folds
|
|
12
|
+
|
|
13
|
+
Paired-release pin for the EE 0.15.2 patch cycle: four real-production-account-driven folds. **Fold 1** — plugin 1020 (S3) effective-public-exposure calibration: missing/partial Public Access Block downgraded CRITICAL→MEDIUM (a guardrail gap, not a current exposure) + NEW `GetBucketAcl` check completing the ACL × bucket-policy × PAB join (a public `AllUsers`/`AuthenticatedUsers` ACL grant → CRITICAL unless neutralized by PAB `IgnorePublicAcls`) — fixes false-CRITICALs AND closes a public-via-ACL false-negative. **Fold 2** — plugin 1040 (CloudTrail) KMS-CMK calibration: trail-level "KmsKeyId not set" downgraded MEDIUM→LOW when the destination bucket has default SSE-KMS. **Fold 3** — plugin 1040 (CloudTrail) multi-region timeout hardening: an `AbortController` tied to the soft-budget deadline lets a hung disabled-region abort so the plugin finalizes PARTIAL evidence. **Fold 4** — plugin 1221 (Azure NSG) +10 restricted UDP ports (RADIUS 1812/1813/1645/1646, L2TP 1701, SIP 5060, mDNS 5353, RIP 520, XDMCP 177, chargen 19) + plugin 1222 (Azure Key Vault) F-2 custom-role resolution (via `roleDefinitions.getById` + KV-privilege inspection) + F-7.2 HSM dim (software-vs-HSM `key.kty` LOW hardening rec). **Plugin count UNCHANGED at 28 (cloud-substrate 26); all six coverage matrices UNCHANGED.** No new dependencies; EE regression 6568/6568 GREEN (+42 tests vs the 6526 baseline). No standalone agent-skill code changes.
|
|
14
|
+
|
|
7
15
|
## 0.1.49 (PUBLISHED 2026-05-27) — Paired-release pin for EE 0.15.1 + CE 0.1.82 — plugin 1222 hotfix (Dim-3 SDK-shape + Dim-4 inherited-admin re-tune)
|
|
8
16
|
|
|
9
17
|
Paired-release pin for the EE 0.15.1 hotfix cycle: two defects in plugin 1222 (`azure-keyvault-deep-auditor`) surfaced by the 0.15.0 published-build live smoke. **H-1** — the Dim-3 diagnostic-logging probe `for await`-ed `@azure/arm-monitor`'s `diagnosticSettings.list()`, which returns a `Promise<{value:[]}>` collection object (NOT a paged async-iterator), so the dim always threw and degraded to a non-functional evidence-gap; fixed to `await` + read `.value` (confirmed against live Azure; the unit-test mock corrected to the real `Promise<{value}>` shape — the mock-vs-real-SDK mismatch that masked the bug). **H-2** — the Dim-4 privileged-access dim flagged inherited subscription/management-group-scope Owner/Contributor as HIGH on every RBAC vault (a ubiquitous Azure control-plane reality); re-tuned so inherited Owner/User-Access-Administrator → MEDIUM, inherited Contributor → LOW, with HIGH reserved for VAULT-scoped control-plane god roles + Key Vault Administrator at any scope. **Plugin count UNCHANGED at 28 (cloud-substrate 26); all six coverage matrices UNCHANGED.** EE regression 6526/6526 GREEN. `references/plugins.md` 1222 row Dim-3/Dim-4 wording refined. No standalone agent-skill code changes.
|
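Review bot: the 0.1.51 entry's plugin-count sentence ("Plugin count UNCHANGED at 28 (cloud-substrate 27)") contradicts the 0.1.50 and 0.1.49 entries directly below it, which both give cloud-substrate 26 with the same total of 28; either one plugin was reclassified into cloud-substrate in this cycle, in which case the entry should say so rather than claim everything is unchanged, or 27 is a typo for 26. Please correct whichever is wrong before this pins the EE 0.15.3 cycle. Separately, the same paragraph publishes a real AWS account number ("Live AWS smoke against acct 522412052794"); a released changelog does not need it, and trimming to "Live AWS smoke: all 4 spot-checks PASS (...)" avoids advertising the specific estate these auditors are exercised against.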
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "nsauditor-ai-agent-skill",
|
|
3
|
-
"version": "0.1.
|
|
3
|
+
"version": "0.1.51",
|
|
4
4
|
"description": "AI Agent Skill for NSAuditor AI — gives any AI coding agent built-in knowledge of NSAuditor's MCP tools, schemas, plugins, and security audit workflows.",
|
|
5
5
|
"keywords": [
|
|
6
6
|
"nsauditor",
|
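Review bot: this version bump is the only non-changelog change in the 0.1.49 → 0.1.51 diff (the file list at the top shows just CHANGELOG.md and package.json), yet the new 0.1.51 entry documents agent-facing behaviour for plugin 1020 that the skill exists to teach: steps 2a/2c, the `AWS_S3_AUDIT_OBJECT_SAMPLE_CAP` and `AWS_S3_AUDIT_OBJECT_RATE_MS` knobs with their defaults and clamp range, the `"S3 object-ACL evidence-gap"` substring anchor, and the BOE CRITICAL→informational matrix delta. The 0.1.49 entry shows that `references/plugins.md` carries per-plugin rows; bumping `"version"` to 0.1.51 without touching the 1020 row ships a skill whose reference still describes pre-0.15.3 S3 behaviour. Either update that row in this bump or state in the 0.1.51 entry that the reference refresh is deferred.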