nsauditor-ai-agent-skill 0.2.13 → 0.2.15

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/CHANGELOG.md CHANGED
@@ -4,6 +4,14 @@ Release notes for **`nsauditor-ai-agent-skill`** — installable knowledge packa
4
4
 
5
5
  ---
6
6
 
7
+ ## 0.2.15 (2026-06-24) — Paired content bump for EE 0.31.3 (Enumeration-failure fleet sweep + Aurora DB-cluster snapshot dimension)
8
+
9
+ Paired content bump — no new framework. EE 0.31.3 closes a fleet-wide class of **enumeration-failure** false-cleans across **12 AWS plugins**: a scanner that cannot enumerate a resource population (a generic throw that escapes `run()`, a throw caught inside the per-region body, or an AccessDenied that returns without throwing) now fails **CLOSED** with a routed evidence-gap == the source's native control set, instead of letting the region/source read CLEAN. It also adds the Aurora **DB-cluster snapshot** dimension to plugin 1140 — `DescribeDBClusterSnapshots` reads the cluster snapshot surface member instances never see (a public `restore=all` cluster snapshot is CRITICAL, cross-account HIGH, unencrypted HIGH on the cluster `.StorageEncrypted` field), with a Multi-AZ DB cluster fail-close. The skill version blurb is refreshed; plugin count UNCHANGED at 28; all seven coverage matrices UNCHANGED. Paired with EE 0.31.3 + CE 0.2.15.
10
+
11
+ ## 0.2.14 (2026-06-22) — Paired content bump for EE 0.31.2 (At-rest → ISO A.8.24 fleet sweep + cross-cloud KEY-CUSTODY-HOME doctrine + SOC 2 file-lock fix)
12
+
13
+ Paired content bump — no new framework. EE 0.31.2 completes **every AWS at-rest-encryption source** (RDS · S3 · EC2/EBS · SQS/SNS · ElastiCache) to the canonical 7-control at-rest set {SOC 2 C1.1 / HIPAA 164.312(a)(2)(iv) / NIST PR.DS-01 / PCI 3.5.1 / ISO A.8.24 / CIS 3.11 / GDPR Art.32(1)(a)}, fixes the DynamoDB + EC2-indeterminate class-O false-cleans (an unverifiable/unclassifiable encryption posture now fails-close instead of reading CLEAN), and establishes the **cross-cloud KEY-CUSTODY-HOME doctrine** — a provider-managed key on an always-encrypted service routes to {SOC 2 C1.1 (GCP CC6.1) / HIPAA / ISO A.8.24} (key management), NOT the encryption-presence set, closing a live PCI 3.5.1 + GDPR Art.32(1)(a) over-claim on always-encrypted Azure storage (GDPR scope-doctrine held — Art. 32 infrastructure substrate only; the GDPR-touching copy carries the operator legal review). It also fixes a SOC 2 "no silent data loss" mutual-exclusion bug in the Enterprise-side suppression/WORM file lock (in-process mutex + re-entrancy guard + EINVAL fold). The skill version blurb is refreshed; plugin count UNCHANGED at 28; all seven coverage matrices UNCHANGED. Paired with EE 0.31.2 + CE 0.2.14.
14
+
7
15
  ## 0.2.13 (2026-06-21) — Paired content bump for EE 0.30.1 (AWS RDS + API Gateway false-negative depth pass + AXIS_MAP graduation)
8
16
 
9
17
  Paired content bump — no new framework. EE 0.30.1 closes the last two AWS sources' silent false-cleans: **RDS (1140)** snapshot-sharing exposure (a `restore=all` shared snapshot is CRITICAL even when encrypted) + a `DescribeDBInstances` evidence-gap, and **API Gateway (1050)** WAF deep-audit gap arm (6 evidence-gaps now fail-close the WAF native set == the positives) + unknown-auth + WebSocket-skip + deleted-WebACL + unencrypted-cache routing — and graduates both `KNOWN_UNCOVERED → AXIS_MAP`, so every AWS source now has a dedicated false-negative pass. Cross-framework parity folds route the API Gateway resource-policy public-grant to **PCI 7.2.1 + GDPR Art.32(1)(b)**, the deleted-WebACL to **PCI 6.4.1 / ISO A.8.21**, and the unencrypted cache to **ISO A.8.24** (GDPR scope-doctrine held — Art. 32 infrastructure substrate only; the GDPR-touching copy carries the operator legal review). The skill version blurb is refreshed; plugin count UNCHANGED at 28; all seven coverage matrices UNCHANGED. Paired with EE 0.30.1 + CE 0.2.13.
package/README.md CHANGED
@@ -74,7 +74,7 @@ When an AI agent loads this skill, it gains:
74
74
  | **Workflow patterns** | Multi-step chains: scan → CVE lookup → remediation report |
75
75
  | **Schema knowledge** | Complete data structures for parsing and presenting results |
76
76
  | **CPE construction** | How to map detected services to NVD vulnerability lookups |
77
- | **Plugin awareness** | 55 scanner plugins (27 Community incl. 3 Pro + 28 Enterprise) with protocols, ports, capabilities, and six-framework (SOC 2 · HIPAA §164.312 · NIST CSF 2.0 · PCI DSS v4.0.1 · ISO/IEC 27001:2022 · CIS Controls v8) substrate-evidence dimensions |
77
+ | **Plugin awareness** | 55 scanner plugins (27 Community incl. 3 Pro + 28 Enterprise) with protocols, ports, capabilities, and seven-framework (SOC 2 · HIPAA §164.312 · NIST CSF 2.0 · PCI DSS v4.0.1 · ISO/IEC 27001:2022 · CIS Controls v8 · GDPR Art. 32) substrate-evidence dimensions |
78
78
  | **Compliance frameworks** | **Six frameworks, one scan** — SOC 2 (AICPA TSC 2017) · HIPAA Security Rule §164.312 Technical Safeguards (HHS Required/Addressable discipline per control) · NIST CSF 2.0 (Subcategory-level) · PCI DSS v4.0.1 (QSA RoC sub-requirement-level) · ISO/IEC 27001:2022 (per-Annex-A-code, SoA discipline) · CIS Controls v8 (per-Safeguard; Implementation Group IG1/IG2/IG3 cumulative discipline). Any CSV subset via `--compliance soc2,hipaa,nist-csf,pci-dss,iso-27001,cis-v8`. Zero BAA required for HIPAA — ePHI never leaves customer infrastructure. |
79
79
  | **Security rules** | ZDE, SSRF protection, redaction, scan authorization requirements |
80
80
  | **Error handling** | License gates, SSRF blocks, timeout resolution, CPE format errors |
@@ -110,7 +110,7 @@ This package provides **knowledge about** NSAuditor AI. To actually **run** scan
110
110
  |---------|-------|-----------|
111
111
  | **Community** | Free / MIT | 27 plugins (service probes + host/network discovery + intelligence/meta), basic AI, SARIF, CTEM, scan history |
112
112
  | **Pro** | $49/mo | + CVE matching, verification probes, risk scoring, 3 Pro plugins (040 TLS / 050 TRIBE / 060 DNS) |
113
- | **Enterprise** | $2k+/yr | + 28 cloud-substrate auditor plugins (1020-1222 range; AWS / Azure / GCP six-framework evidence-pack — SOC 2 / HIPAA / NIST CSF 2.0 / PCI DSS v4.0.1 / ISO 27001:2022 / CIS Controls v8), Zero Trust, RFC 3161 timestamps, chain-of-custody attestations, air-gapped deployment |
113
+ | **Enterprise** | $2k+/yr | + 28 cloud-substrate auditor plugins (1020-1222 range; AWS / Azure / GCP seven-framework evidence-pack — SOC 2 / HIPAA / NIST CSF 2.0 / PCI DSS v4.0.1 / ISO 27001:2022 / CIS Controls v8 / GDPR Art. 32), Zero Trust, RFC 3161 timestamps, chain-of-custody attestations, air-gapped deployment |
114
114
 
115
115
  → [Pricing](https://www.nsauditor.com/ai/pricing/)
116
116
 
package/SKILL.md CHANGED
@@ -16,7 +16,7 @@ description: >
16
16
 
17
17
  # NSAuditor AI — Agent Skill
18
18
 
19
- > **Version:** 0.2.13 (post-EE-0.30.1 — the **AWS RDS + API Gateway false-negative depth pass + AXIS_MAP graduation** cycle: **no new framework** — the Enterprise engine closes the last two AWS sources' silent false-cleans (RDS snapshot-sharing exposure that fires **even when encrypted** · API Gateway WAF deep-audit gap-arm + unknown-auth + deleted-WebACL routing) and graduates both to AXIS_MAP, so **every AWS source now has a dedicated false-negative pass**; cross-framework parity folds route the API Gateway resource-policy public-grant to **PCI 7.2.1 + GDPR Art.32(1)(b)** and the unencrypted cache to **ISO A.8.24**. Plugin count UNCHANGED at 28; all seven coverage matrices UNCHANGED. The seven frameworks: SOC 2 · HIPAA · NIST CSF 2.0 · PCI DSS v4.0.1 · ISO/IEC 27001:2022 · CIS Controls v8 · **GDPR Article 32** — the last is **Art. 32 infrastructure substrate ONLY, NOT GDPR compliance** [Art. 32 is the only one of GDPR's 99 articles an infrastructure scanner can evidence; the rest is operator-side, out of scope by design], carrying four-factor proportionality + personal-data-scope attestation + the Art. 83(4) LOWER fine tier [€10M/2%, not the €20M/4% headline tier]. Paired CE 0.2.13 + EE 0.30.1) · **Source:** [github.com/nsasoft/nsauditor-ai](https://github.com/nsasoft/nsauditor-ai) · **npm:** `nsauditor-ai` · **License:** MIT (CE)
19
+ > **Version:** 0.2.15 (post-EE-0.31.3 — the **Enumeration-failure fleet sweep (no-silent-false-clean) + Aurora DB-cluster snapshot dimension** cycle: **no new framework** — the Enterprise engine closes a fleet-wide class of enumeration-failure false-cleans across **12 AWS plugins** (a scanner that cannot enumerate a resource population now fails **CLOSED** with a routed evidence-gap `==` the source's native controls, instead of reading CLEAN — covering the uncaught-escape, in-region-catch, and AccessDenied-arm variants), and adds the Aurora **DB-cluster snapshot** dimension to plugin 1140 (`DescribeDBClusterSnapshots` reads the cluster surface member instances never see a public `restore=all` cluster snapshot is CRITICAL, an unencrypted one HIGH on the cluster `.StorageEncrypted` field), with a Multi-AZ DB cluster fail-close. Plugin count UNCHANGED at 28; all seven coverage matrices UNCHANGED. The seven frameworks: SOC 2 · HIPAA · NIST CSF 2.0 · PCI DSS v4.0.1 · ISO/IEC 27001:2022 · CIS Controls v8 · **GDPR Article 32** — the last is **Art. 32 infrastructure substrate ONLY, NOT GDPR compliance** [Art. 32 is the only one of GDPR's 99 articles an infrastructure scanner can evidence; the rest is operator-side, out of scope by design], carrying four-factor proportionality + personal-data-scope attestation + the Art. 83(4) LOWER fine tier [€10M/2%, not the €20M/4% headline tier]. Paired CE 0.2.15 + EE 0.31.3) · **Source:** [github.com/nsasoft/nsauditor-ai](https://github.com/nsasoft/nsauditor-ai) · **npm:** `nsauditor-ai` · **License:** MIT (CE)
20
20
 
21
21
  NSAuditor AI is a modular, AI-assisted network security audit platform with 27+ scanner
22
22
  plugins, CVE matching, MITRE ATT&CK mapping, and Zero Data Exfiltration by design. This
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "nsauditor-ai-agent-skill",
3
- "version": "0.2.13",
3
+ "version": "0.2.15",
4
4
  "description": "AI Agent Skill for NSAuditor AI — gives any AI coding agent built-in knowledge of NSAuditor's MCP tools, schemas, plugins, and security audit workflows.",
5
5
  "keywords": [
6
6
  "nsauditor",