nsauditor-ai-agent-skill 0.1.52 → 0.1.54

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2)
  1. package/CHANGELOG.md +9 -1
  2. package/package.json +1 -1
package/CHANGELOG.md CHANGED
@@ -4,7 +4,15 @@ Release notes for **`nsauditor-ai-agent-skill`** — installable knowledge packa
4
4
 
5
5
  ---
6
6
 
7
- ## 0.1.52 (STAGED on `main` 2026-05-28) — Paired-release pin for EE 0.15.4 + CE 0.1.85plugin 1020 non-current-version ACL sampling + public WRITE-vs-READ differentiation
7
+ ## 0.1.54 (2026-05-28) — Paired-release pin for EE 0.15.6 + CE 0.1.87compliance-mapping correctness
8
+
9
+ Paired no-op bump (no standalone agent-skill content change; SKILL.md + `references/plugins.md` UNCHANGED). EE 0.15.6 closes two cross-framework defects in the S3 public-exposure compliance routing: a publicly-accessible bucket (public policy / bucket ACL / object ACL / non-current version) now correctly maps to NIST CSF PR.AA-05 + PR.DS-01 and PCI DSS 7.2.1 — it previously showed CLEAN on those two frameworks — and the missing-Public-Access-Block MEDIUM (a defense-in-depth guardrail gap, not a confirmed exposure) no longer false-FAILs the confidentiality-exposure controls (the `"publicly accessible"` anchor was tightened to confirmed-public-only across all six frameworks). No plugin count / matrix / behavior change (plugin count 28; all six matrices UNCHANGED).
10
+
11
+ ## 0.1.53 (2026-05-28) — Paired-release pin for EE 0.15.5 + CE 0.1.86 — dependency-hygiene / institutional-trust patch
12
+
13
+ Paired no-op bump (no standalone agent-skill content change; SKILL.md + `references/plugins.md` UNCHANGED). EE 0.15.5 + CE 0.1.86 remove npm deprecation warnings + advisories institutional clients see on install: dropped unused `puppeteer`/`better-sqlite3`/`pg` (EE); replaced the abandoned `simple-wappalyzer`/`wappalyzer-core` with an in-house zero-dep tech fingerprinter (CE); bumped `@anthropic-ai/sdk` past its advisory range + `uuid`→`crypto.randomUUID()` (CE); NEW `SECURITY.md` in both. No plugin count / matrix / behavior change.
14
+
15
+ ## 0.1.52 (PUBLISHED 2026-05-28) — Paired-release pin for EE 0.15.4 + CE 0.1.85 — plugin 1020 non-current-version ACL sampling + public WRITE-vs-READ differentiation
8
16
 
9
17
  Paired-release pin for the EE 0.15.4 patch cycle: closes the two residuals the 0.15.3 spec §8 carried as deferred. **(R-MEDIUM-2)** NEW step 2c-v samples public ACLs on **non-current** object versions — on versioning-Enabled/Suspended buckets plugin 1020 calls `ListObjectVersions` (first-page, bounded by `AWS_S3_AUDIT_OBJECT_SAMPLE_CAP`), filters to `IsLatest !== true`, skips `DeleteMarkers`, reads each via `GetObjectAcl({Key, VersionId})`; closes the Class-B miss where a private current object retains a public-ACL overwritten version still served at `?versionId=`. Public `AllUsers`/`AuthenticatedUsers` grant → CRITICAL via the existing `"publicly accessible"` anchor; skipped on `BucketOwnerEnforced`. **(R-LOW-1)** NEW `extractPublicWriteGroups` helper flags public WRITE/WRITE_ACP/FULL_CONTROL grants (anyone-can-overwrite) distinctly from READ-only as an enrichment line on the already-CRITICAL finding. New evidence-gaps (`ListObjectVersions AccessDenied` naming `s3:ListBucketVersions`; per-version aggregate-failure threshold; version-list truncation; a folded `GetBucketVersioning AccessDenied` gap) reuse the existing `"S3 object-ACL evidence-gap"` anchor — never a silent PASS. **Plugin count UNCHANGED at 28 (cloud-substrate 27); all six coverage matrices UNCHANGED; ZERO framework-JSON edits.** No new dependencies; EE regression 6628/6628 GREEN (+27 tests vs the 6601 baseline). No standalone agent-skill code changes — `SKILL.md` + `references/plugins.md` use generic framing (no plugin row change). _(Staged on `main`; awaiting live AWS smoke + trio publish.)_
10
18
 
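Review bot: The 0.1.52 heading is changed from STAGED to PUBLISHED, but the unchanged body paragraph under it still ends with "_(Staged on `main`; awaiting live AWS smoke + trio publish.)_", so the entry now contradicts itself on whether the live AWS smoke check ran before publication. Update or drop that trailing sentence in the same change. The new 0.1.54 heading also reads "CE 0.1.87compliance-mapping correctness", without the separator that the 0.1.53 and 0.1.52 headings place after the CE version. Finally, the 0.1.54 entry says a publicly accessible bucket previously showed CLEAN on NIST CSF PR.AA-05 + PR.DS-01 and PCI DSS 7.2.1, yet closes with "No plugin count / matrix / behavior change". Scope that sentence explicitly to the agent-skill package and say that compliance reports generated with EE before 0.15.6 should be regenerated, so readers do not take earlier CLEAN results for those two frameworks as still valid.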
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "nsauditor-ai-agent-skill",
3
- "version": "0.1.52",
3
+ "version": "0.1.54",
4
4
  "description": "AI Agent Skill for NSAuditor AI — gives any AI coding agent built-in knowledge of NSAuditor's MCP tools, schemas, plugins, and security audit workflows.",
5
5
  "keywords": [
6
6
  "nsauditor",