nsauditor-ai-agent-skill 0.2.3 → 0.2.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3) hide show
  1. package/CHANGELOG.md +8 -0
  2. package/SKILL.md +1 -1
  3. package/package.json +1 -1
package/CHANGELOG.md CHANGED
@@ -4,6 +4,14 @@ Release notes for **`nsauditor-ai-agent-skill`** — installable knowledge packa
4
4
 
5
5
  ---
6
6
 
7
+ ## 0.2.5 (2026-06-07) — Paired-release pin for EE 0.19.0 + CE 0.2.5 — No silent false-clean
8
+
9
+ Paired no-op bump (SKILL.md version banner only; SKILL.md body + `references/plugins.md` UNCHANGED). EE 0.19.0 is the largest false-clean-class closure since the framework cycles: an un-scanned cloud region, a denied API call, or a logging-but-not-delivering trail can no longer read CLEAN at EITHER the compliance verdict OR the MCP `scan_cloud` transport. The shared `forEachRegion` fan-out (all 16 regional AWS plugins) now emits a per-region `region-scan-evidence-gap` LOW+evidenceGap finding for every errored/access-denied region — pre-fix an errored region was recorded in scanScope but emitted ZERO findings, so the findings-only compliance engine + the MCP summary saw it as CLEAN; class-O routing then fail-closes EXACTLY that source's native attested controls across all six frameworks (208 additive titlePattern anchors; matrices UNCHANGED at the count level). Four per-plugin swallow→gap retrofits: 1150 SQS/SNS region AccessDenied, 1022 Azure storage enumeration-error (SDK-absent soft-degrade vs real failure), 1200 GuardDuty `ListDetectors` AccessDenied no longer mis-classified as a definitive "NOT ENABLED" HIGH, and 1040 CloudTrail now reads `LatestDeliveryError` so a trail that is logging but failing to deliver to S3 is flagged HIGH. Plus two air-gapped/IAM criticals from the Mythos review (offline CVE matcher fails-CLOSED on distro/epoch/build-suffixed versions; plugin 1110 keeps HIGH on the AWS-default root-delegation key policy) and the EE AI-enrichment prompt no longer leaks the scan target (public IP/hostname/MAC/secrets) to the external LLM — every target host is anonymized to a deterministic `[target-N]` label and routed through CE's content-scrubber. No skill-logic change. **Plugin count UNCHANGED at 28; all six coverage matrices UNCHANGED** (SOC 2 + HIPAA + NIST CSF 2.0 + PCI DSS v4.0.1 + ISO 27001:2022 + CIS Controls v8). STAGED (pre-publish).
10
+
11
+ ## 0.2.4 (2026-06-05) — Paired-release pin for EE 0.18.3 + CE 0.2.4 — GCP IAM + Azure Key Vault false-negative hardening III
12
+
13
+ Paired no-op bump (SKILL.md version banner only; SKILL.md body + `references/plugins.md` UNCHANGED). EE 0.18.3 closes three cloud false-negatives: Azure Key Vault narrow-verb custom roles — a role granting only a data-plane crypto/extraction verb (`decrypt`/`wrap`/`unwrap`/`release`/`backup`/…) is now flagged (plugin 1222); the GCP IAM impersonation-BFS depth-cap truncation now fail-closes to a completeness evidence-gap instead of "zero reachability paths" (plugin 1025 H3); and the googleapis-SDK-absent path now fail-closes the GCP IAM dims to compliance-routed evidence-gaps (plugin 1025 M2). Plugin count UNCHANGED at 28; all six coverage matrices UNCHANGED at the count level.
14
+
7
15
  ## 0.2.3 (2026-06-05) — Paired-release pin for EE 0.18.2 + CE 0.2.3 — scan_cloud evidence-gap visibility (end-to-end)
8
16
 
9
17
  Paired no-op bump (no agent-skill content change beyond the SKILL.md version banner; SKILL.md body + `references/plugins.md` UNCHANGED). EE 0.18.2 + CE 0.2.3 make the no-false-clean evidence-gaps the cloud plugins emit **visible through the MCP `scan_cloud` transport, end-to-end**: the CE collector renders a dedicated "Evidence gaps (unverified)" section, and a new EE CI producer-contract guarantees every cloud plugin (AWS / Azure / GCP) marks its scan-coverage gaps so they reach it (retrofitted AWS S3 1020 + Azure 1220/1221/1222 + AWS IAM 1030). EE 0.18.2 also hardens the hand-rolled source scanners against a regex-literal desync (including the ZDE read-only security meta-test, where it could have masked a mutating cloud call) and adds the proprietary `LICENSE` / EULA (now shipped in the package) + per-file copyright headers. Plugin count UNCHANGED at 28; all six coverage matrices UNCHANGED.
package/SKILL.md CHANGED
@@ -16,7 +16,7 @@ description: >
16
16
 
17
17
  # NSAuditor AI — Agent Skill
18
18
 
19
- > **Version:** 0.2.3 (post-EE 0.18.2scan_cloud evidence-gap visibility end-to-end) · **Source:** [github.com/nsasoft/nsauditor-ai](https://github.com/nsasoft/nsauditor-ai) · **npm:** `nsauditor-ai` · **License:** MIT (CE)
19
+ > **Version:** 0.2.5 (post-EE 0.19.0No silent false-clean: per-region evidence-gap + class-O routing + swallow retrofits + air-gapped CVE/KMS criticals + AI-egress redaction) · **Source:** [github.com/nsasoft/nsauditor-ai](https://github.com/nsasoft/nsauditor-ai) · **npm:** `nsauditor-ai` · **License:** MIT (CE)
20
20
 
21
21
  NSAuditor AI is a modular, AI-assisted network security audit platform with 27+ scanner
22
22
  plugins, CVE matching, MITRE ATT&CK mapping, and Zero Data Exfiltration by design. This
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "nsauditor-ai-agent-skill",
3
- "version": "0.2.3",
3
+ "version": "0.2.5",
4
4
  "description": "AI Agent Skill for NSAuditor AI — gives any AI coding agent built-in knowledge of NSAuditor's MCP tools, schemas, plugins, and security audit workflows.",
5
5
  "keywords": [
6
6
  "nsauditor",