nsauditor-ai-agent-skill 0.1.51 → 0.1.53

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2)
  1. package/CHANGELOG.md +8 -0
  2. package/package.json +1 -1
package/CHANGELOG.md CHANGED
@@ -4,6 +4,14 @@ Release notes for **`nsauditor-ai-agent-skill`** — installable knowledge packa
4
4
 
5
5
  ---
6
6
 
7
+ ## 0.1.53 (2026-05-28) — Paired-release pin for EE 0.15.5 + CE 0.1.86 — dependency-hygiene / institutional-trust patch
8
+
9
+ Paired no-op bump (no standalone agent-skill content change; SKILL.md + `references/plugins.md` UNCHANGED). EE 0.15.5 + CE 0.1.86 remove npm deprecation warnings + advisories institutional clients see on install: dropped unused `puppeteer`/`better-sqlite3`/`pg` (EE); replaced the abandoned `simple-wappalyzer`/`wappalyzer-core` with an in-house zero-dep tech fingerprinter (CE); bumped `@anthropic-ai/sdk` past its advisory range + `uuid`→`crypto.randomUUID()` (CE); NEW `SECURITY.md` in both. No plugin count / matrix / behavior change.
10
+
11
+ ## 0.1.52 (PUBLISHED 2026-05-28) — Paired-release pin for EE 0.15.4 + CE 0.1.85 — plugin 1020 non-current-version ACL sampling + public WRITE-vs-READ differentiation
12
+
13
+ Paired-release pin for the EE 0.15.4 patch cycle: closes the two residuals the 0.15.3 spec §8 carried as deferred. **(R-MEDIUM-2)** NEW step 2c-v samples public ACLs on **non-current** object versions — on versioning-Enabled/Suspended buckets plugin 1020 calls `ListObjectVersions` (first-page, bounded by `AWS_S3_AUDIT_OBJECT_SAMPLE_CAP`), filters to `IsLatest !== true`, skips `DeleteMarkers`, reads each via `GetObjectAcl({Key, VersionId})`; closes the Class-B miss where a private current object retains a public-ACL overwritten version still served at `?versionId=`. Public `AllUsers`/`AuthenticatedUsers` grant → CRITICAL via the existing `"publicly accessible"` anchor; skipped on `BucketOwnerEnforced`. **(R-LOW-1)** NEW `extractPublicWriteGroups` helper flags public WRITE/WRITE_ACP/FULL_CONTROL grants (anyone-can-overwrite) distinctly from READ-only as an enrichment line on the already-CRITICAL finding. New evidence-gaps (`ListObjectVersions AccessDenied` naming `s3:ListBucketVersions`; per-version aggregate-failure threshold; version-list truncation; a folded `GetBucketVersioning AccessDenied` gap) reuse the existing `"S3 object-ACL evidence-gap"` anchor — never a silent PASS. **Plugin count UNCHANGED at 28 (cloud-substrate 27); all six coverage matrices UNCHANGED; ZERO framework-JSON edits.** No new dependencies; EE regression 6628/6628 GREEN (+27 tests vs the 6601 baseline). No standalone agent-skill code changes — `SKILL.md` + `references/plugins.md` use generic framing (no plugin row change). _(Staged on `main`; awaiting live AWS smoke + trio publish.)_
14
+
7
15
  ## 0.1.51 (2026-05-28) — Paired-release pin for EE 0.15.3 + CE 0.1.84 — plugin 1020 object-level ACL enumeration + BucketOwnerEnforced short-circuit
8
16
 
9
17
  Paired-release pin for the EE 0.15.3 patch cycle: closes the 4th and final S3 public-exposure vector (object-level ACLs) documented as a residual in the 0.15.2 closure. Plugin 1020 gains NEW step 2c sampled `GetObjectAcl` enumeration over first-page objects (`AWS_S3_AUDIT_OBJECT_SAMPLE_CAP` default 10, clamped `[1, 1000]`; `AWS_S3_AUDIT_OBJECT_RATE_MS` default 50ms throttle BEFORE each call) + NEW step 2a `GetBucketOwnershipControls` upstream short-circuit that skips both 2b (bucket-ACL) and 2c (object-ACL) on `BucketOwnerEnforced` buckets — the default on every bucket created after April 2023; saves 11+ API calls per BOE bucket on modern estates AND closes a false-positive class. **INTENTIONAL MATRIX DELTA from 0.15.2**: BOE buckets with legacy stored public bucket-ACL grants previously emitted CRITICAL via 2b; they now emit informational only (downgraded to the BOE informational) because S3 structurally ignores ACL grants under BOE — the prior CRITICAL was a false-positive class. BOE short-circuit is unconditional (no env-var override). NEW shared `extractPublicGroups` helper used by BOTH step 2b (refactored byte-identical) AND step 2c. 4 LOW evidence-gap emissions via NEW `"S3 object-ACL evidence-gap"` substring anchor on SOC 2 CC7.1 + HIPAA §164.312(b). **Plugin count UNCHANGED at 28 (cloud-substrate 27); all six coverage matrices UNCHANGED**. No new dependencies; EE regression 6601/6601 GREEN (+33 tests vs the 6568 baseline). Live AWS smoke against acct 522412052794 — all 4 spot-checks PASS (BOE detection; E1 CRITICAL en-dash byte preservation; cap clamping; objectRateMs throttling). No standalone agent-skill code changes.
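Review bot: the new 0.1.52 entry contradicts itself about release state: its heading reads `(PUBLISHED 2026-05-28)` while the same entry closes with `_(Staged on `main`; awaiting live AWS smoke + trio publish.)_`. One of the two is stale; if the paired EE 0.15.4 / CE 0.1.85 publish landed, drop the staging parenthetical, otherwise drop the PUBLISHED marker so the changelog does not assert a release that has not shipped. A second, smaller point: the 0.1.53 entry records `NEW SECURITY.md in both` (EE and CE), but this diff touches only CHANGELOG.md and package.json, so the skill package itself still ships without a security-reporting policy; either add one here too or state in the entry that the skill package defers to the EE/CE files, so readers of this changelog are not left assuming coverage that this package does not carry.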
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "nsauditor-ai-agent-skill",
3
- "version": "0.1.51",
3
+ "version": "0.1.53",
4
4
  "description": "AI Agent Skill for NSAuditor AI — gives any AI coding agent built-in knowledge of NSAuditor's MCP tools, schemas, plugins, and security audit workflows.",
5
5
  "keywords": [
6
6
  "nsauditor",