nsauditor-ai-agent-skill 0.2.14 → 0.2.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/CHANGELOG.md CHANGED
@@ -4,6 +4,14 @@ Release notes for **`nsauditor-ai-agent-skill`** — installable knowledge packa
4
4
 
5
5
  ---
6
6
 
7
+ ## 0.2.16 (2026-06-25) — Paired content bump for EE 0.31.4 (cloud-scan presentation false-clean fix + `--compliance all` / fail-fast validation)
8
+
9
+ Paired content bump — no new framework, no new plugins (still 28), all seven coverage matrices UNCHANGED. EE 0.31.4 is a report-surface + CLI-UX hardening patch: a cloud scan (`--host aws|azure|gcp`) with real findings no longer surfaces the CE network concluder's *"Host is UP — No open services detected"* headline (the conclusion is rewritten to a cloud-appropriate N-by-severity summary with top risks), and a plugin that **times out or errors** routes to **coverage UNVERIFIED** rather than an affirmative clean verdict — the cardinal presentation-layer false-clean, closed (detection unchanged, oracle-validated). `--compliance all` expands to all seven frameworks; an unknown token **fails fast** (no "Framework load failed" stub). The skill's `compliance_check` tool reference + HIPAA usage example now document `--compliance all`; the version blurb is refreshed. Paired with EE 0.31.4 + CE 0.2.16. **EE 0.31.4 requires CE 0.2.8+.**
10
+
11
+ ## 0.2.15 (2026-06-24) — Paired content bump for EE 0.31.3 (Enumeration-failure fleet sweep + Aurora DB-cluster snapshot dimension)
12
+
13
+ Paired content bump — no new framework. EE 0.31.3 closes a fleet-wide class of **enumeration-failure** false-cleans across **12 AWS plugins**: a scanner that cannot enumerate a resource population (a generic throw that escapes `run()`, a throw caught inside the per-region body, or an AccessDenied that returns without throwing) now fails **CLOSED** with a routed evidence-gap == the source's native control set, instead of letting the region/source read CLEAN. It also adds the Aurora **DB-cluster snapshot** dimension to plugin 1140 — `DescribeDBClusterSnapshots` reads the cluster snapshot surface member instances never see (a public `restore=all` cluster snapshot is CRITICAL, cross-account HIGH, unencrypted HIGH on the cluster `.StorageEncrypted` field), with a Multi-AZ DB cluster fail-close. The skill version blurb is refreshed; plugin count UNCHANGED at 28; all seven coverage matrices UNCHANGED. Paired with EE 0.31.3 + CE 0.2.15.
14
+
7
15
  ## 0.2.14 (2026-06-22) — Paired content bump for EE 0.31.2 (At-rest → ISO A.8.24 fleet sweep + cross-cloud KEY-CUSTODY-HOME doctrine + SOC 2 file-lock fix)
8
16
 
9
17
  Paired content bump — no new framework. EE 0.31.2 completes **every AWS at-rest-encryption source** (RDS · S3 · EC2/EBS · SQS/SNS · ElastiCache) to the canonical 7-control at-rest set {SOC 2 C1.1 / HIPAA 164.312(a)(2)(iv) / NIST PR.DS-01 / PCI 3.5.1 / ISO A.8.24 / CIS 3.11 / GDPR Art.32(1)(a)}, fixes the DynamoDB + EC2-indeterminate class-O false-cleans (an unverifiable/unclassifiable encryption posture now fails-close instead of reading CLEAN), and establishes the **cross-cloud KEY-CUSTODY-HOME doctrine** — a provider-managed key on an always-encrypted service routes to {SOC 2 C1.1 (GCP CC6.1) / HIPAA / ISO A.8.24} (key management), NOT the encryption-presence set, closing a live PCI 3.5.1 + GDPR Art.32(1)(a) over-claim on always-encrypted Azure storage (GDPR scope-doctrine held — Art. 32 infrastructure substrate only; the GDPR-touching copy carries the operator legal review). It also fixes a SOC 2 "no silent data loss" mutual-exclusion bug in the Enterprise-side suppression/WORM file lock (in-process mutex + re-entrancy guard + EINVAL fold). The skill version blurb is refreshed; plugin count UNCHANGED at 28; all seven coverage matrices UNCHANGED. Paired with EE 0.31.2 + CE 0.2.14.
package/README.md CHANGED
@@ -74,7 +74,7 @@ When an AI agent loads this skill, it gains:
74
74
  | **Workflow patterns** | Multi-step chains: scan → CVE lookup → remediation report |
75
75
  | **Schema knowledge** | Complete data structures for parsing and presenting results |
76
76
  | **CPE construction** | How to map detected services to NVD vulnerability lookups |
77
- | **Plugin awareness** | 55 scanner plugins (27 Community incl. 3 Pro + 28 Enterprise) with protocols, ports, capabilities, and six-framework (SOC 2 · HIPAA §164.312 · NIST CSF 2.0 · PCI DSS v4.0.1 · ISO/IEC 27001:2022 · CIS Controls v8) substrate-evidence dimensions |
77
+ | **Plugin awareness** | 55 scanner plugins (27 Community incl. 3 Pro + 28 Enterprise) with protocols, ports, capabilities, and seven-framework (SOC 2 · HIPAA §164.312 · NIST CSF 2.0 · PCI DSS v4.0.1 · ISO/IEC 27001:2022 · CIS Controls v8 · GDPR Art. 32) substrate-evidence dimensions |
78
78
  | **Compliance frameworks** | **Six frameworks, one scan** — SOC 2 (AICPA TSC 2017) · HIPAA Security Rule §164.312 Technical Safeguards (HHS Required/Addressable discipline per control) · NIST CSF 2.0 (Subcategory-level) · PCI DSS v4.0.1 (QSA RoC sub-requirement-level) · ISO/IEC 27001:2022 (per-Annex-A-code, SoA discipline) · CIS Controls v8 (per-Safeguard; Implementation Group IG1/IG2/IG3 cumulative discipline). Any CSV subset via `--compliance soc2,hipaa,nist-csf,pci-dss,iso-27001,cis-v8`. Zero BAA required for HIPAA — ePHI never leaves customer infrastructure. |
79
79
  | **Security rules** | ZDE, SSRF protection, redaction, scan authorization requirements |
80
80
  | **Error handling** | License gates, SSRF blocks, timeout resolution, CPE format errors |
@@ -110,7 +110,7 @@ This package provides **knowledge about** NSAuditor AI. To actually **run** scan
110
110
  |---------|-------|-----------|
111
111
  | **Community** | Free / MIT | 27 plugins (service probes + host/network discovery + intelligence/meta), basic AI, SARIF, CTEM, scan history |
112
112
  | **Pro** | $49/mo | + CVE matching, verification probes, risk scoring, 3 Pro plugins (040 TLS / 050 TRIBE / 060 DNS) |
113
- | **Enterprise** | $2k+/yr | + 28 cloud-substrate auditor plugins (1020-1222 range; AWS / Azure / GCP six-framework evidence-pack — SOC 2 / HIPAA / NIST CSF 2.0 / PCI DSS v4.0.1 / ISO 27001:2022 / CIS Controls v8), Zero Trust, RFC 3161 timestamps, chain-of-custody attestations, air-gapped deployment |
113
+ | **Enterprise** | $2k+/yr | + 28 cloud-substrate auditor plugins (1020-1222 range; AWS / Azure / GCP seven-framework evidence-pack — SOC 2 / HIPAA / NIST CSF 2.0 / PCI DSS v4.0.1 / ISO 27001:2022 / CIS Controls v8 / GDPR Art. 32), Zero Trust, RFC 3161 timestamps, chain-of-custody attestations, air-gapped deployment |
114
114
 
115
115
  → [Pricing](https://www.nsauditor.com/ai/pricing/)
116
116
 
package/SKILL.md CHANGED
@@ -16,7 +16,7 @@ description: >
16
16
 
17
17
  # NSAuditor AI — Agent Skill
18
18
 
19
- > **Version:** 0.2.14 (post-EE-0.31.2 — the **At-rest encryption ISO A.8.24 fleet sweep + cross-cloud KEY-CUSTODY-HOME doctrine** cycle: **no new framework** the Enterprise engine completes **every AWS at-rest-encryption source** (RDS · S3 · EC2/EBS · SQS/SNS · ElastiCache) to the canonical 7-control at-rest set, fixes the DynamoDB + EC2-indeterminate class-O false-cleans (an unverifiable encryption posture no longer reads CLEAN), and establishes a **cross-cloud key-custody routing doctrine** (a provider-managed key on an always-encrypted service is a key-management observation **ISO A.8.24**, not an encryption-presence violation closing a live PCI 3.5.1 + GDPR Art.32(1)(a) over-claim on Azure storage), plus a SOC 2 "no silent data loss" file-lock fix. Plugin count UNCHANGED at 28; all seven coverage matrices UNCHANGED. The seven frameworks: SOC 2 · HIPAA · NIST CSF 2.0 · PCI DSS v4.0.1 · ISO/IEC 27001:2022 · CIS Controls v8 · **GDPR Article 32** — the last is **Art. 32 infrastructure substrate ONLY, NOT GDPR compliance** [Art. 32 is the only one of GDPR's 99 articles an infrastructure scanner can evidence; the rest is operator-side, out of scope by design], carrying four-factor proportionality + personal-data-scope attestation + the Art. 83(4) LOWER fine tier [€10M/2%, not the €20M/4% headline tier]. Paired CE 0.2.14 + EE 0.31.2) · **Source:** [github.com/nsasoft/nsauditor-ai](https://github.com/nsasoft/nsauditor-ai) · **npm:** `nsauditor-ai` · **License:** MIT (CE)
19
+ > **Version:** 0.2.16 (post-EE-0.31.4 — the **Cloud-scan presentation false-clean fix + `--compliance all` / fail-fast validation** cycle: **no new framework, no new plugins (still 28), all seven coverage matrices UNCHANGED** a report-surface + CLI-UX hardening release. A cloud scan (`--host aws|azure|gcp`) with real findings no longer headlines the CE network concluder's *"Host is UP No open services detected"*; it now shows a cloud-appropriate summary (N findings by severity + top risks), and a plugin that **times out or errors** routes to **coverage UNVERIFIED** rather than an affirmative clean verdict the cardinal presentation-layer false-clean, closed (detection itself is unchanged, oracle-validated). `--compliance all` expands to all seven frameworks; an unknown `--compliance` token now **fails fast** with the valid set (no more *"Framework load failed"* stub file); an omitted framework on a cloud scan nudges the operator. The seven frameworks: SOC 2 · HIPAA · NIST CSF 2.0 · PCI DSS v4.0.1 · ISO/IEC 27001:2022 · CIS Controls v8 · **GDPR Article 32** — the last is **Art. 32 infrastructure substrate ONLY, NOT GDPR compliance** [Art. 32 is the only one of GDPR's 99 articles an infrastructure scanner can evidence; the rest is operator-side, out of scope by design], carrying four-factor proportionality + personal-data-scope attestation + the Art. 83(4) LOWER fine tier [€10M/2%, not the €20M/4% headline tier]. Paired CE 0.2.16 + EE 0.31.4) · **Source:** [github.com/nsasoft/nsauditor-ai](https://github.com/nsasoft/nsauditor-ai) · **npm:** `nsauditor-ai` · **License:** MIT (CE)
20
20
 
21
21
  NSAuditor AI is a modular, AI-assisted network security audit platform with 27+ scanner
22
22
  plugins, CVE matching, MITRE ATT&CK mapping, and Zero Data Exfiltration by design. This
@@ -148,7 +148,7 @@ These tools return a license upgrade prompt on CE installations:
148
148
  > **Full all-region coverage — discover then batch** (use ONLY when the user explicitly asked for all/every/whole-account/complete/full region coverage; NEVER for a plain or "quick" request — those stay single-region per the `regions` default above): a single `regions:["all"]` call usually exceeds the host's MCP tool-call timeout (e.g. Claude Desktop's) and returns nothing. Reliable pattern: (1) run a default scan (omit `regions`) — its GuardDuty/Inspector findings enumerate every enabled region, giving you the full list while auditing the default region; (2) scan the REMAINING regions in small batches (3–5 region codes per `regions:[...]` call) across successive calls until every enabled region is covered; (3) merge and report the TOTAL number of regions actually covered — **count** them, don't guess. If you try `["all"]` and it times out, that result is INCOMPLETE — fall back to batching and continue until complete; never report a timed-out or partial scan as full coverage.
149
149
  | `start_assessment` | Enterprise | Multi-host orchestrated security assessment |
150
150
  | `prioritize_risks` | Enterprise | Cross-host risk prioritization and ranking |
151
- | `compliance_check` | Enterprise | SOC 2 (AICPA TSC 2017) + HIPAA (§164.312 Technical Safeguards) + NIST CSF 2.0 Core + PCI DSS v4.0.1 (sub-requirement-level for QSA RoC; PCI SSC June 2024 errata) + ISO/IEC 27001:2022 (per-Annex-A-code-level for ISO/IEC 17021-1 certification body assessors; ISO + IEC October 2022; 2013 edition retired October 31, 2025) + **CIS Critical Security Controls v8** (per-Safeguard-level; Center for Internet Security May 2021, v8.1 errata June 2024) + **GDPR Article 32 (Security of Processing)** (sub-measure-level; Regulation (EU) 2016/679; **Art. 32 infrastructure substrate only, NOT GDPR compliance**) gap analysis — all seven shipped (SOC 2 EE 0.3.x; HIPAA EE 0.9.0; NIST CSF 2.0 EE 0.10.0; PCI DSS v4.0.1 EE 0.11.0; ISO/IEC 27001:2022 EE 0.12.0; CIS Controls v8 EE 0.13.0; **GDPR Article 32 EE 0.20.0**). Multi-framework via `--compliance soc2,hipaa,nist-csf,pci-dss,iso-27001,cis-v8,gdpr` (any CSV subset; hepta-framework one-scan produces seven complete auditor-ready evidence packs). **CIS Controls v8**: 17 covered + 22 partial + 114 OOS across 153 Safeguards / 18 Controls. **Implementation Group cumulative discipline** — IG1=56 (cyber-insurance baseline; ~50-70% of mid-market policies require IG1 attestation), IG2 cumulative=130, IG3 cumulative=153; smallest-IG-membership tagging (NEVER report IG2 as 74-of-74 in isolation). **No-certification-body attestation discipline** — engine output is INPUT to CSAT / CIS-CAT Pro self-attestation OR a SOC 2 auditor cross-validating CIS scope, never "CIS certified." Cloud Companion Guide v8 shared-responsibility + CIS-Hardened-Image substrate-evidence credit (Safeguards 4.1/4.2/4.6) + 5 Security Functions (NOT 6 — no Govern) + 6 Asset Types + MS-ISAC/EI-ISAC/H-ISAC sector baselines + v7.1-to-v8 cross-reference. CIS Safeguard examples: `3.3` Data Access Control Lists, `5.4` Restrict Administrator Privileges, `6.3` MFA for Externally-Exposed Applications, `8.2` Collect Audit Logs, `11.4` Isolated Recovery Data Instance. ISO 27001 Annex A code examples: `A.5.15` Access control, `A.5.23` NEW 2022 Cloud services, `A.8.5` Secure authentication, `A.8.9` NEW 2022 Configuration management, `A.8.16` NEW 2022 Monitoring activities, `A.8.24` Use of cryptography. Statement of Applicability per Clause 6.1.3.d discipline + ISMS Clauses 4-10 OOS-by-design framing (7 Major Nonconformity classes — absence of internal audit per Clause 9.2 or management review per Clause 9.3 = auto-fail Stage 2) + 5-attribute taxonomy NEW in 2022 (controlType / informationSecurityProperties / cybersecurityConcepts [5 categories, NOT 6 like NIST CSF 2.0] / operationalCapabilities / securityDomains) + 2013-to-2022 transition discipline. Pair with ISO-aware GRC (Drata ISO 27001 / Vanta ISO 27001 / AuditBoard / OneTrust ISMS / Secureframe ISO 27001) for SoA workflow + internal audit + management review. PCI DSS sub-requirement examples: `Req 1.2.1` NSC config standards, `Req 8.4.1` MFA on non-console admin, `Req 10.2.1` audit logs enabled, `Req 11.3.1` quarterly internal vuln scans. Defined-vs-Customized Approach discipline per Appendix E (15 Defined-only sub-requirements enforced at schema layer; CHD Scope operator-attested via CDE DFD per Req 1.2.4; card-brand AOC enforcement view — Visa CISP / Mastercard SDP / Amex DSOP / Discover DISC). |
151
+ | `compliance_check` | Enterprise | SOC 2 (AICPA TSC 2017) + HIPAA (§164.312 Technical Safeguards) + NIST CSF 2.0 Core + PCI DSS v4.0.1 (sub-requirement-level for QSA RoC; PCI SSC June 2024 errata) + ISO/IEC 27001:2022 (per-Annex-A-code-level for ISO/IEC 17021-1 certification body assessors; ISO + IEC October 2022; 2013 edition retired October 31, 2025) + **CIS Critical Security Controls v8** (per-Safeguard-level; Center for Internet Security May 2021, v8.1 errata June 2024) + **GDPR Article 32 (Security of Processing)** (sub-measure-level; Regulation (EU) 2016/679; **Art. 32 infrastructure substrate only, NOT GDPR compliance**) gap analysis — all seven shipped (SOC 2 EE 0.3.x; HIPAA EE 0.9.0; NIST CSF 2.0 EE 0.10.0; PCI DSS v4.0.1 EE 0.11.0; ISO/IEC 27001:2022 EE 0.12.0; CIS Controls v8 EE 0.13.0; **GDPR Article 32 EE 0.20.0**). Multi-framework via `--compliance all` (shorthand for all seven frameworks; EE 0.31.4) or `--compliance soc2,hipaa,nist-csf,pci-dss,iso-27001,cis-v8,gdpr` (any CSV subset; aliases `nist`/`pci`/`iso`/`cis`); an unknown token **fails fast** (no "Framework load failed" stub). The hepta-framework one-scan produces seven complete auditor-ready evidence packs. **CIS Controls v8**: 17 covered + 22 partial + 114 OOS across 153 Safeguards / 18 Controls. **Implementation Group cumulative discipline** — IG1=56 (cyber-insurance baseline; ~50-70% of mid-market policies require IG1 attestation), IG2 cumulative=130, IG3 cumulative=153; smallest-IG-membership tagging (NEVER report IG2 as 74-of-74 in isolation). **No-certification-body attestation discipline** — engine output is INPUT to CSAT / CIS-CAT Pro self-attestation OR a SOC 2 auditor cross-validating CIS scope, never "CIS certified." Cloud Companion Guide v8 shared-responsibility + CIS-Hardened-Image substrate-evidence credit (Safeguards 4.1/4.2/4.6) + 5 Security Functions (NOT 6 — no Govern) + 6 Asset Types + MS-ISAC/EI-ISAC/H-ISAC sector baselines + v7.1-to-v8 cross-reference. CIS Safeguard examples: `3.3` Data Access Control Lists, `5.4` Restrict Administrator Privileges, `6.3` MFA for Externally-Exposed Applications, `8.2` Collect Audit Logs, `11.4` Isolated Recovery Data Instance. ISO 27001 Annex A code examples: `A.5.15` Access control, `A.5.23` NEW 2022 Cloud services, `A.8.5` Secure authentication, `A.8.9` NEW 2022 Configuration management, `A.8.16` NEW 2022 Monitoring activities, `A.8.24` Use of cryptography. Statement of Applicability per Clause 6.1.3.d discipline + ISMS Clauses 4-10 OOS-by-design framing (7 Major Nonconformity classes — absence of internal audit per Clause 9.2 or management review per Clause 9.3 = auto-fail Stage 2) + 5-attribute taxonomy NEW in 2022 (controlType / informationSecurityProperties / cybersecurityConcepts [5 categories, NOT 6 like NIST CSF 2.0] / operationalCapabilities / securityDomains) + 2013-to-2022 transition discipline. Pair with ISO-aware GRC (Drata ISO 27001 / Vanta ISO 27001 / AuditBoard / OneTrust ISMS / Secureframe ISO 27001) for SoA workflow + internal audit + management review. PCI DSS sub-requirement examples: `Req 1.2.1` NSC config standards, `Req 8.4.1` MFA on non-console admin, `Req 10.2.1` audit logs enabled, `Req 11.3.1` quarterly internal vuln scans. Defined-vs-Customized Approach discipline per Appendix E (15 Defined-only sub-requirements enforced at schema layer; CHD Scope operator-attested via CDE DFD per Req 1.2.4; card-brand AOC enforcement view — Visa CISP / Mastercard SDP / Amex DSOP / Discover DISC). |
152
152
  | `export_report` | Enterprise | Formatted compliance/risk report (PDF, HTML) |
153
153
 
154
154
  ---
@@ -326,9 +326,10 @@ disposal]). The §164.308 + §164.310 OOS sets are *architecturally* OOS for any
326
326
  infrastructure scanner — pair with HIPAA-focused GRC platforms (Drata HIPAA, Vanta HIPAA,
327
327
  Compliancy Group, Tugboat Logic) for those families. HHS Required vs Addressable
328
328
  discipline surfaced per control. **Zero BAA required** — Zero Data Exfiltration
329
- architecture means ePHI never leaves customer infrastructure. Use `--compliance hipaa`
330
- or `--compliance soc2,hipaa` (CSV; wired since EE 0.3.0) for HIPAA-only or dual-framework
331
- evidence packs from a single scan. 175 mappings inherited from soc2.json's grep-verified
329
+ architecture means ePHI never leaves customer infrastructure. Use `--compliance hipaa`,
330
+ `--compliance soc2,hipaa` (CSV; wired since EE 0.3.0), or `--compliance all` (all seven
331
+ frameworks; EE 0.31.4) for HIPAA-only, dual-, or full-framework evidence packs from a
332
+ single scan. 175 mappings inherited from soc2.json's grep-verified
332
333
  pattern set with HIPAA-grounded rationales. New `data/compliance/hipaa.json`. New
333
334
  `docs/hipaa-coverage.md`. **EE regression: 5890/5890 across 928 suites; 69-session
334
335
  100% green streak preserved.** AWS-dogfood verified against operator's test account
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "nsauditor-ai-agent-skill",
3
- "version": "0.2.14",
3
+ "version": "0.2.16",
4
4
  "description": "AI Agent Skill for NSAuditor AI — gives any AI coding agent built-in knowledge of NSAuditor's MCP tools, schemas, plugins, and security audit workflows.",
5
5
  "keywords": [
6
6
  "nsauditor",