nsauditor-ai 0.1.27 → 0.1.29

package/cli.mjs

@@ -90,7 +90,7 @@ function redactSensitiveForAI(input, targetHost) {
 
 /* ------------------------- OpenAI & reporting -------------------------- */
 
-async function maybeSendToOpenAI({ host, results, conclusion, promptMode = 'basic' }) {
+async function maybeSendToOpenAI({ host, results, conclusion, promptMode = 'basic', outDir: presetOutDir = null }) {
   // --- env & opts -----------------------------------------------------------
   const sendEnabled   = parseBool(process.env.AI_ENABLED);
   const redactEnabled = parseBool(process.env.OPENAI_REDACT, true);
@@ -108,17 +108,17 @@ async function maybeSendToOpenAI({ host, results, conclusion, promptMode = 'basi
     : await resolveSecret(process.env.OPENAI_API_KEY);
   const key           = keyRaw ? String(keyRaw).trim() : null;
 
-  // Base output folder (resolved via the shared helper — honors --out and
-  // the SCAN_OUT_PATH / OPENAI_OUT_PATH env vars consistently with the
-  // SARIF/CSV/MD writers below).
-  const baseOutDir  = resolveBaseOutDir();
-
-  await fsp.mkdir(baseOutDir, { recursive: true });
-
-  // Per-scan folder
-  const ts       = nowStamp();
-  const runDir   = `${safeHost(host)}_${ts}`;
-  const outDir   = path.join(baseOutDir, runDir);
+  // Per-scan folder. Caller (scanSingleHost) may pass a pre-computed outDir so
+  // that EE enrichment + compliance artifacts share the same folder as the AI
+  // outputs — otherwise compute one here for legacy callers.
+  let outDir = presetOutDir;
+  if (!outDir) {
+    const baseOutDir = resolveBaseOutDir();
+    await fsp.mkdir(baseOutDir, { recursive: true });
+    const ts     = nowStamp();
+    const runDir = `${safeHost(host)}_${ts}`;
+    outDir       = path.join(baseOutDir, runDir);
+  }
   await fsp.mkdir(outDir, { recursive: true });
 
   // Paths (fixed names inside per-scan folder)
@@ -522,6 +522,14 @@ async function maybeSendToOpenAI({ host, results, conclusion, promptMode = 'basi
 async function parseArgs(argv) {
   const args = { cmd: 'scan', host: undefined, plugins: 'all', insecureHttps: false };
   const a = argv.slice(2);
+  // Help: bare `--help`/`-h`/`help` or completely empty invocation.
+  // Recognized before the scan-default so it doesn't crash with
+  // "--host or --host-file is required" on a help request.
+  if (a.length === 0 || a[0] === '--help' || a[0] === '-h' || a[0] === 'help' ||
+      a.includes('--help') || a.includes('-h')) {
+    args.cmd = 'help';
+    return args;
+  }
   if (a.length && !a[0].startsWith('--')) args.cmd = a[0];
 
   const get = (name) => {
@@ -536,7 +544,7 @@ async function parseArgs(argv) {
   const p = get('plugins');
   if (p && p !== true && p.toLowerCase() !== 'all') {
     args.plugins = p.split(',').map((s) => s.trim()).filter(Boolean);
-  } else if (p && p.toLowerCase() === 'all') {
+  } else if (p && p !== true && p.toLowerCase() === 'all') {
     args.plugins = 'all';
   }
   args.insecureHttps = !!(get('insecure-https') || get('insecure_https'));
@@ -570,6 +578,13 @@ async function parseArgs(argv) {
   const alertSev = get('alert-severity') || get('alert_severity') || null;
   args.alertSeverity = (alertSev && alertSev !== true) ? alertSev.toLowerCase() : 'high';
 
+  // Compliance: framework selector + scope file. Forwarded to EE's
+  // runCompliancePhase via enrichScan(). No-op without an EE Enterprise license.
+  const complianceVal = get('compliance');
+  args.compliance = (complianceVal && complianceVal !== true) ? complianceVal : null;
+  const complianceScopeVal = get('compliance-scope') || get('compliance_scope');
+  args.complianceScope = (complianceScopeVal && complianceScopeVal !== true) ? complianceScopeVal : null;
+
   return args;
 }
 
@@ -599,17 +614,34 @@ async function scanSingleHost(pm, host, plugins, opts, promptMode) {
     conclusion.result.techniques = techniques;
   }
 
+  // Pre-compute the per-scan output folder so EE enrichment, compliance
+  // artifacts, and AI outputs all land in the same directory. maybeSendToOpenAI
+  // will reuse this presetOutDir below.
+  const baseOutDir = resolveBaseOutDir();
+  await fsp.mkdir(baseOutDir, { recursive: true });
+  const ts        = nowStamp();
+  const outDir    = path.join(baseOutDir, `${safeHost(host)}_${ts}`);
+  await fsp.mkdir(outDir, { recursive: true });
+
   // EE enrichment hook — no-op if @nsasoft/nsauditor-ai-ee is not installed
+  // or the license tier doesn't grant intelligenceEngine. Compliance + outDir
+  // are forwarded so EE can write scan_finding_queue.json and SOC 2 artifacts.
   try {
     const { enrichScan } = await import('@nsasoft/nsauditor-ai-ee');
-    const eeEnrichment = await enrichScan(conclusion, { host });
+    const eeEnrichment = await enrichScan(conclusion, {
+      host,
+      outDir,
+      compliance:      opts.compliance ?? process.env.COMPLIANCE_FRAMEWORKS ?? null,
+      complianceScope: opts.complianceScope ?? null,
+      onWarn: (msg) => console.warn(`[EE] ${msg}`),
+    });
     if (eeEnrichment?.enrichedPrompt) {
       conclusion.result = conclusion.result || {};
       conclusion.result.eeEnrichment = eeEnrichment;
     }
   } catch { /* EE not installed — CE proceeds unchanged */ }
 
-  const { file_paths: ai_file_paths, ai_conclusion } = await maybeSendToOpenAI({ host, results, conclusion, promptMode });
+  const { file_paths: ai_file_paths, ai_conclusion } = await maybeSendToOpenAI({ host, results, conclusion, promptMode, outDir });
 
   // --- Scan history: record & compare ---
   let scanDiff = null;
@@ -724,7 +756,64 @@ function maxSeverityInConclusion(conclusion) {
 }
 
 async function main() {
-  const { cmd, host, plugins, insecureHttps, hostFile, parallel, failOn, outputFormat, watch, intervalMinutes, webhookUrl, alertSeverity, ports } = await parseArgs(process.argv);
+  const { cmd, host, plugins, insecureHttps, hostFile, parallel, failOn, outputFormat, watch, intervalMinutes, webhookUrl, alertSeverity, ports, compliance, complianceScope } = await parseArgs(process.argv);
+
+  // Help: handled before license verification so it works without a key.
+  if (cmd === 'help') {
+    console.log(`nsauditor-ai — Modular AI-assisted network security audit platform
+
+Usage:
+  nsauditor-ai [scan] --host <ip|cidr|hostname> [options]
+  nsauditor-ai [scan] --host-file <path> [options]
+  nsauditor-ai license <subcommand>
+  nsauditor-ai security <subcommand>
+  nsauditor-ai validate
+  nsauditor-ai help
+
+Scan options:
+  --host, --ip, --target <h>   Target host, IP, or CIDR
+  --host-file <path>           File with one host per line
+  --plugins <list|all>         Plugins to run (e.g. 001,003,020 or "all"; default: all)
+  --ports <range>              Override port list (e.g. 22,80,443 or 1-1000)
+  --out <dir>                  Output directory for scan artifacts
+  --parallel <n>               Parallel host concurrency (default 1)
+  --fail-on <severity>         Exit non-zero if any finding ≥ severity
+  --output-format <fmt>        Additional report format: sarif | csv | md
+  --insecure-https             Skip TLS validation on probed HTTPS targets
+  --watch                      CTEM continuous mode
+  --interval <minutes>         Watch interval (default 60)
+  --webhook-url <url>          Send delta alerts (must be public; private/loopback blocked)
+  --alert-severity <sev>       Min severity to alert on (default: high)
+  --compliance <framework>     Run compliance mapping (e.g. soc2). Enterprise only.
+  --compliance-scope <path>    JSON file describing the assessment scope
+
+License subcommands:
+  nsauditor-ai license --status         Show active tier, org, seats, expiry
+  nsauditor-ai license --capabilities   List active capabilities for current tier
+
+Security subcommands (macOS Keychain):
+  nsauditor-ai security set <KEY>       Store a secret (read from stdin)
+  nsauditor-ai security delete <KEY>    Remove a secret
+  nsauditor-ai security list            List stored secrets (masked)
+  nsauditor-ai security get <KEY>       Echo a secret (avoid in shared shells)
+
+Environment:
+  NSAUDITOR_LICENSE_KEY          Pro/Enterprise license JWT (env var; takes precedence)
+  NSA_ALLOW_ALL_HOSTS=1          Permit RFC1918 / loopback (local-network auditing)
+  CLOUD_PROVIDER=aws|gcp|azure   Required for cloud scanner plugins (020/021/022)
+  AI_PROVIDER=openai|claude|ollama   AI provider for report generation
+  COMPLIANCE_TSA_URL             RFC 3161 timestamp authority for SOC 2 attestation
+
+Examples:
+  nsauditor-ai scan --host 10.0.0.1 --plugins all
+  CLOUD_PROVIDER=aws AWS_PROFILE=default \\
+    nsauditor-ai scan --host aws --plugins 020
+  nsauditor-ai scan --host 10.0.0.0/24 --plugins all --compliance soc2
+  nsauditor-ai license --status
+
+Docs: https://www.nsauditor.com/ai/   |   Pricing: https://www.nsauditor.com/ai/pricing/`);
+    process.exit(0);
+  }
 
   // Verify license JWT at startup (~5ms for ES256). Populates _verifiedTier
   // so all subsequent getTierFromEnv() calls return the cryptographically
@@ -844,6 +933,8 @@ async function main() {
 
   const opts = { insecureHttps };
   if (ports) opts.ports = ports;
+  if (compliance) opts.compliance = compliance;
+  if (complianceScope) opts.complianceScope = complianceScope;
   const pm = await PluginManager.create(`${__dirname}/plugins`);
   const promptMode = String(process.env.OPENAI_PROMPT_MODE || 'basic').toLowerCase().trim();
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nsauditor-ai",
-  "version": "0.1.27",
+  "version": "0.1.29",
   "description": "Modular AI-assisted network security audit platform — Community Edition",
   "type": "module",
   "private": false,