nsauditor-ai 0.1.38 → 0.1.40
- package/README.md +48 -8
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -17,7 +17,9 @@ NSAuditor AI is the open-source core of a privacy-first security intelligence pl
|
|
|
17
17
|
|
|
18
18
|
## What's New
|
|
19
19
|
|
|
20
|
-
- **0.1.
|
|
20
|
+
- **0.1.40 (current)** — docs-only patch announcing **EE 0.4.0 publish** (paired release). EE plugin count grows **8 → 15** with 7 new AWS auditor plugins: **1070 KMS Auditor** (EE-RT.3, CC6.3 + C1.1), **1080 Lambda Security Auditor** (EE-RT.5, runtime EOL + URL exposure + env-var secret-suggestive names; CC6.1/6.6/7.1/C1.1), **1090 Secrets Manager + SSM Parameter Store Auditor** (EE-RT.8, ZDE-critical metadata-only — never reads secret values; CC6.1/6.6/C1.1), **1100 CodePipeline + CodeBuild Operational Integrity** (EE-RT.9 + 9.1; CC6.1/7.1/8.1/C1.1), **1110 IAM Effective Decrypt-Path Auditor** (EE-RT.10 + 10.1, cross-plugin reconciler; CC6.1/6.6/C1.1/C1.2), **1120 S3 Lifecycle + Cross-Region Replication Auditor** (EE-RT.4 + 4.1; C1.1/C1.2/A1.2), and the **headline thread** — **1130 AWS Backup Auditor** (EE-RT.12 v1 → v1.24, ~7800 lines across 18 sessions / 25 commits / 545 plugin tests / 19 R2-strict recurrence-class same-session closures / 74 new soc2.json titlePattern entries across 7 controls). Plugin 1130's **12-dimension air-gapped vault attestation arc** for `LogicallyAirGappedBackupVault` resources (vault TYPE + ARN account-segment + KMS key-policy + KMS Grants + MRK-replica topology + source-account VPC-endpoint policy, plus 6 substrate dimensions) substantially closes the previously-documented "Backup/recovery posture itself" gap under A1.2 partial coverage. **No coverage matrix shift since 0.3.9** (stays 10 covered / 4 partial / 33 OOS) — every existing covered control gains substantially deeper evidence; matrix-shift opportunity reserved for EE-RT.7 Lambda Runtime Assurance closing PI1.1–PI1.4. EE-side stats: **~200 reviewer folds, 545 new plugin-1130 tests + ~400 across 1070–1120, 3792/3792 regression green**. CE binary unchanged in 0.1.40 (code identical to 0.1.39); the bump exists to carry the EE-paired-release narrative + announce the 7 new plugins to the npm landing page.
|
|
21
|
+
- **0.1.39 (deprecated)** — docs-only patch announcing **EE 0.3.9 publish** (paired release): EE plugin-ID range realignment to 1000+ closes a silent plugin-shadow class that affected EE 0.3.7/0.3.8 (CE plugin 040 TLS Cert Auditor and EE plugin 040 CloudTrail declared the same string ID; CE's `plugin_manager.findPlugin()` first-match-wins resolver routed `--plugins 040` to CE TLS, NOT EE CloudTrail). All 8 EE plugins moved to disjoint 1000+ IDs (1020 S3, 1021 GCP, 1022 Azure, 1023 Zero Trust, 1030 IAM Deep Auditor, 1040 CloudTrail, **NEW 1050 API Gateway Assurance**, **NEW 1060 DynamoDB Audit Integrity**). EE 0.3.9 also ships the **first SOC 2 Processing Integrity evidence stream**: PI1.5 (Stored items) moves from out-of-scope to partial via the new DynamoDB audit-the-auditor plugin — coverage matrix shifts **10 covered / 3 partial / 34 OOS → 10 covered / 4 partial / 33 OOS**. CE binary unchanged in 0.1.39 (code identical to 0.1.38).
|
|
22
|
+
- **0.1.38 (deprecated)** — docs-only. README rewritten to be feature-and-usage focused; release history moved to [CHANGELOG.md](./CHANGELOG.md); new [docs/mcp-verification.md](./docs/mcp-verification.md) for the `nsauditor-ai mcp verify-call` workflow. No functional change vs 0.1.37.
|
|
21
23
|
- **0.1.37 — 🛑 security fix**, upgrade if you're on anything earlier. The MCP bin shim (`nsauditor-ai-mcp`) was bypassing both `NSA_MCP_AUTH_KEY` enforcement and license verification on every spawn. Defense-in-depth degradation, plus paid Pro/Enterprise customers were stuck at CE tier through MCP. `npm install -g nsauditor-ai@latest` + restart your MCP client.
|
|
22
24
|
- **Authenticated MCP server, Keychain-backed secrets, per-call sentinel UUIDs, multi-source license loader, `--version` / `validate` / `license install` subcommands.** All shipped across 0.1.30 → 0.1.37 — see [CHANGELOG.md](./CHANGELOG.md) for the per-release detail.
|
|
23
25
|
|
|
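Review bot: The 0.1.39 entry discloses that `--plugins 040` resolved to the CE TLS Cert Auditor instead of EE CloudTrail on EE 0.3.7/0.3.8, but it gives affected users nothing to act on. Anyone who ran that invocation on those versions expecting CloudTrail evidence got the CE plugin's output instead; add a sentence telling them to re-run with `--plugins 1040` after upgrading. The three docs-only entries also push the 0.1.37 security-fix bullet down to fourth place, so consider keeping the security notice first and moving the session, commit and test counts in the 0.1.40 entry to CHANGELOG.md, where the 0.1.38 entry says release history now lives. The "(deprecated)" label on 0.1.39 and 0.1.38 needs a few words on what it means, since both are described as code-identical to their neighbours.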
@@ -57,7 +59,7 @@ NSAuditor AI is available in three editions:
|
|
|
57
59
|
| Advanced CTEM + trend analysis | — | ✅ | ✅ |
|
|
58
60
|
| Cloud scanners (AWS/GCP/Azure) | — | — | ✅ |
|
|
59
61
|
| Zero Trust assessment | — | — | ✅ |
|
|
60
|
-
| SOC 2 compliance (
|
|
62
|
+
| SOC 2 compliance (10 covered + 4 partial controls post-EE 0.3.9; AWS + Azure + GCP evidence streams; PI1.5 stored-items partial via DynamoDB audit-the-auditor) | — | — | ✅ |
|
|
61
63
|
| SLA/MTTR tracking + compensating controls | — | — | ✅ |
|
|
62
64
|
| Recurring-scan attestation (Type II evidence) | — | — | ✅ |
|
|
63
65
|
| GRC platform connector (Vanta) | — | — | ✅ |
|
|
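Review bot: The new SOC 2 row gives the control count as "post-EE 0.3.9" while this release announces EE 0.4.0, and the SOC 2 Compliance Engine row later in the same README says "post-EE 0.3.9 / 0.4.0". Use one wording in both places so the edition table does not read as stale next to the plugin table. The parenthetical is also long for a feature-comparison cell; the PI1.5 detail would sit better in a note below the table.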
@@ -175,20 +177,58 @@ Results land in `./out/<host>_<timestamp>/`:
|
|
|
175
177
|
|
|
176
178
|
### Pro/Enterprise Plugins (via @nsasoft/nsauditor-ai-ee)
|
|
177
179
|
|
|
180
|
+
**EE 0.4.0 ships 15 enterprise plugins** (up from 8 in 0.3.8 — the largest single-release coverage expansion since the SOC 2 compliance engine itself shipped at EE 0.3.0). EE plugins use the disjoint 1000+ ID range; CE reserves 001-099. Plugins audit AWS / GCP / Azure cloud substrate end-to-end against the AICPA Trust Services Criteria 2017 framework; every plugin is enterprise-gated by the `cloudScanners` capability and runs against customer-supplied cloud credentials. Once licensed, the EE package installs alongside the CE binary; auditor-facing TSC mapping documentation (`CHANGELOG.md` + `docs/soc2-coverage.md`) ships bundled.
|
|
181
|
+
|
|
182
|
+
**All EE plugins follow the same institutional plumbing pattern:**
|
|
183
|
+
|
|
184
|
+
- **Thread H `_instrumentSdkClient` wrap** — per-API AccessDenied counter + ZDE structural guard (verb-prefix denylist regex blocks `Get*` / `Retrieve*` / `Read*` value-reading APIs at SDK boundary) + idempotency sentinel
|
|
185
|
+
- **EE-RT.1.5 throttle-retry** — exponential-backoff retry on `Throttling*` / `RequestLimitExceeded` / `TooManyRequestsException` with per-command wall-clock budget
|
|
186
|
+
- **Thread F `conclude()` field-selection allowlist** — structured-data ZDE: only AWS-public-namespace identifiers + integer counts flow through to findings; customer policy content / key material / encrypted payloads NEVER propagate
|
|
187
|
+
- **`conservative_classifier_principle`** — emit INFO+evidenceGap with verification prompt when ARN-shape disambiguation needs a follow-up API call; vacuous PASS on partial substrate evidence is treated as the worst SOC 2 reporting outcome
|
|
188
|
+
- **`aws_string_case_normalization`** — trim + lowercase AWS-returned strings at SDK-helper boundary; protects against the 7+ recurrent classes of case-sensitivity fail-open (IAM Condition keys, Lambda runtimes, KMS aliases, Effect/Action discriminators, FULL_ADMIN sentinel, S3 region)
|
|
189
|
+
|
|
178
190
|
| ID | Name | Tier | Purpose |
|
|
179
191
|
|---|---|---|---|
|
|
180
|
-
|
|
|
181
|
-
|
|
|
182
|
-
|
|
|
183
|
-
|
|
|
184
|
-
|
|
|
185
|
-
|
|
|
192
|
+
| 1020 | AWS Cloud Scanner | Enterprise | S3 bucket hardening (PAB, encryption, versioning, Object Lock, MFA Delete, logging), SOC 2 evidence mapping |
|
|
193
|
+
| 1021 | GCP Cloud Scanner | Enterprise | Firewall rules + IAM bindings + Storage bucket public-access (CC6.1 / CC6.6 / C1.1) |
|
|
194
|
+
| 1022 | Azure Cloud Scanner | Enterprise | NSG rules + RBAC role assignments + Storage account hardening, SOC 2 evidence mapping (CC6.1 / CC6.6 / C1.1) |
|
|
195
|
+
| 1023 | Zero Trust Checker | Enterprise | Segmentation, encryption, identity, lateral movement scoring |
|
|
196
|
+
| 1030 | AWS IAM Deep Auditor | Enterprise | Shadow-admin path detection via BFS over PassRole / AssumeRole / federated trust; per-finding remediation pointers; restrictive-Condition allowlist (Auth0 / Okta / Cognito User Pool OIDC heuristic); SOC 2 CC6.1 evidence |
|
|
197
|
+
| 1040 | AWS CloudTrail Operational Integrity | Enterprise | CloudTrail trail health (multi-region default-ON, log-file validation, KMS-CMK, IsLogging); CloudWatch alarm coverage against CIS AWS Foundations Benchmark v1.5 §3.1–3.14 (v2 auditor-canonical `logs:DescribeMetricFilters` evidence stream); AWS Config + ConfigurationAggregator detection + STS `GetCallerIdentity` deterministic account-coverage check; cross-account S3 trail-destination WORM verification (SEC 17a-4 / FINRA 4511). CC7.2 + CC7.3 covered. |
|
|
198
|
+
| 1050 | AWS API Gateway Assurance (EE 0.3.9) | Enterprise | Entry-point evidence for Serverless-Framework deployments. Per-method/route authorization classifier (NONE = CRITICAL; AWS_IAM / Cognito / JWT = PASS; Lambda authorizer = INFO); custom-domain TLS policy (TLS_1_0 = HIGH); stage-level access logging / throttling / WAF; public-endpoint exposure. CC6.1 / CC6.6 / CC6.7 / CC7.1 / A1.2. |
|
|
199
|
+
| 1060 | AWS DynamoDB Audit Integrity (EE 0.3.9 — PI1.5 matrix shift) | Enterprise | First PI1-class evidence plugin ("audit-the-auditor"). Per-table PITR + deletion protection + KMS-CMK (conservative LOW-unverifiable when `:key/UUID` form); resource-policy presence; CloudTrail DynamoDB data-event coverage cross-reference. **Opens partial PI1.5 (Stored items)**. CC6.6 / CC7.1 / C1.1 / **PI1.5**. |
|
|
200
|
+
| **1070** | **AWS KMS Auditor** (NEW EE 0.4.0) | Enterprise | Cryptographic boundary integrity + key governance. Per-key rotation status; **wildcard-principal classifier across 5 severity tiers** (CRITICAL unconditional `kms:*` takeover; HIGH for sensitive actions; INFO read-only; PASS no-wildcard) covering Principal.AWS / Federated / Service / CanonicalUser shapes + case-insensitive AWS/action matching + NotPrincipal-Allow + NotAction-Allow + glob-action (`kms:Encrypt*` / `kms:Sign*`). Exports `_describeKeyManager()` helper for plugin 1060 cross-reference (closes EE-RT.2.1.1). CC6.3 / C1.1. |
|
|
201
|
+
| **1080** | **AWS Lambda Security Auditor** (NEW EE 0.4.0) | Enterprise | Runtime EOL detection (institutional-CRITICAL on `nodejs16.x` / `python3.7` etc. — case-normalized at boundary), public function-URL exposure, resource-policy permissive principals, environment-variable secret-suggestive name detection (ZDE-safe: VALUES never inspected — only names + presence), VPC configuration, KMS-CMK vs AWS-managed key custody, DLQ + reserved concurrency posture. CC6.1 / CC6.6 / CC7.1 / C1.1. |
|
|
202
|
+
| **1090** | **AWS Secrets Manager + SSM Parameter Store Auditor** (NEW EE 0.4.0) | Enterprise | Secrets Manager `ListSecrets` + `DescribeSecret` (rotation cadence, KMS-CMK custody, tag-driven prod-tier classification) + SSM Parameter Store `DescribeParameters` (String/SecureString classification + secret-suggestive name detection). **ZDE-critical**: scanner NEVER calls `GetSecretValue` / `GetParameter` — only `Describe*` / `List*` (metadata only). Defense-in-depth: verb-prefix denylist regex blocks `Get*` / `Retrieve*` / `Read*` at SDK boundary. CC6.1 / CC6.6 / C1.1. |
|
|
203
|
+
| **1100** | **AWS CodePipeline + CodeBuild Operational Integrity** (NEW EE 0.4.0) | Enterprise | Pipeline source-stage encryption, CodeBuild `privilegedMode` detection (HIGH for non-Docker-image), buildspec inlined-vs-S3 (drift surface), secrets via env vars vs Secrets Manager reference, IAM role wildcard-Action detection, S3 artifact-store encryption. Runtime-state audit surfaces stale-execution detection (pipeline's latest execution older than configured cadence). CC6.1 / CC7.1 / CC8.1 / C1.1. |
|
|
204
|
+
| **1110** | **IAM Effective Decrypt-Path Auditor** (NEW EE 0.4.0) | Enterprise | Cross-plugin reconciler: walks IAM policies for `kms:Decrypt` / `kms:ReEncrypt*` / `kms:GenerateDataKey` grants and cross-references against destination KMS key policies (plugin 1070) to compute the **effective decrypt path**. Closes institutional NotAction-implicit-decrypt false-PASS class (`Allow + NotAction:[...] + Resource:*` over-grants decrypt implicitly). Cross-plugin sister-fix in 1030: Effect + Action case-normalization at IAM-graph BFS boundary. CC6.1 / CC6.6 / C1.1 / C1.2. |
|
|
205
|
+
| **1120** | **AWS S3 Lifecycle + Cross-Region Replication Auditor** (NEW EE 0.4.0) | Enterprise | S3 lifecycle policy enumeration (CC7.1 retention-cadence evidence) + cross-region replication topology (A1.2 disaster-recovery substrate). Cross-region destination-bucket reachability verification closes silent-PASS class where replication source FAILED but emitted clean. C1.1 / C1.2 / A1.2. |
|
|
206
|
+
| **1130** | **AWS Backup Auditor — headline thread** (NEW EE 0.4.0; EE-RT.12 v1 → v1.24, 18-session institutional hardening arc) | Enterprise | The **largest single-plugin institutional-hardening arc in the EE codebase**: ~7800 lines / 545 plugin tests / 19 R2-strict recurrence-class same-session closures / 74 new soc2.json titlePattern entries across 7 controls. Audits the AWS Backup substrate end-to-end: Plans + Vaults + Recovery Points + Selections + Frameworks + Restore Testing + ReportPlans + Legal Holds + VaultType + Vault Tags + Vault Access Policy. **Headline capability: 12-dimension air-gapped vault attestation arc** for `LogicallyAirGappedBackupVault` resources — 6 cryptographic-isolation mechanisms (vault TYPE air-gapped + ARN account-segment-separation + destination KMS key-policy clean + destination KMS Grants clean + MRK-replica topology clean + source-account VPC-endpoint policy clean) PLUS 6 substrate dimensions (PITR / retention / encryption / RestoreTesting / Legal Holds / vault Access Policy). Cross-service SDK integration (`@aws-sdk/client-kms`, `@aws-sdk/client-ec2`, `@aws-sdk/client-config-service`, `@aws-sdk/client-backup`). CC6.3 / **CC6.6** / CC7.1 / CC8.1 / C1.1 / **C1.2** / **A1.2**. |
|
|
207
|
+
| — | SOC 2 Compliance Engine | Enterprise | AICPA TSC 2017 control mapping (10 covered + 4 partial controls post-EE 0.3.9 / 0.4.0), chain-of-custody, RFC 3161 timestamps, suppression workflow |
|
|
186
208
|
| — | SLA & MTTR Tracking | Enterprise | Per-severity SLA targets, compensating-control flow, finding lifecycle |
|
|
187
209
|
| — | Recurring-Scan Attestation | Enterprise | Multi-scan chronological matrix, cadence gap detection, scope drift (CC8.1) |
|
|
188
210
|
| — | GRC Platform Connector | Enterprise | Native API push to Vanta with retry/backoff, idempotency, rate-limit handling |
|
|
189
211
|
| — | WORM Evidence Storage | Enterprise | S3 Object Lock COMPLIANCE-mode, resource redaction, SHA-256 manifest |
|
|
190
212
|
| — | Tabletop Simulation | Enterprise | Probe-event manifest + SIEM detection correlation, configurable coverage bands |
|
|
191
213
|
|
|
214
|
+
**Running EE plugins** (after `nsauditor-ai license install <key>`):
|
|
215
|
+
|
|
216
|
+
```bash
|
|
217
|
+
# Run a single EE plugin
|
|
218
|
+
nsauditor-ai scan --host aws --plugins 1130 --compliance soc2 --out evidence.json
|
|
219
|
+
|
|
220
|
+
# Run multiple EE plugins
|
|
221
|
+
nsauditor-ai scan --host aws --plugins 1030,1040,1070,1130 --compliance soc2
|
|
222
|
+
|
|
223
|
+
# Run all EE plugins (auto-discovered via plugin manager)
|
|
224
|
+
nsauditor-ai scan --host aws --plugins all --compliance soc2
|
|
225
|
+
|
|
226
|
+
# Tune plugin parameters (e.g., raise VPC-endpoint PAGE_CAP for large-fleet customers)
|
|
227
|
+
nsauditor-ai scan --host aws --plugins 1130 --plugin-opts '{"1130":{"vpcEndpointsPageCap":50}}'
|
|
228
|
+
```
|
|
229
|
+
|
|
230
|
+
The auditor evidence pack is emitted under `out/` — cover-page Scope Attestation, SHA-256 chain-of-custody sidecars, RFC 3161 trusted-timestamps, suppression workflow, identity verification. EE is available at [`www.nsauditor.com/ai/pricing`](https://www.nsauditor.com/ai/pricing).
|
|
231
|
+
|
|
192
232
|
---
|
|
193
233
|
|
|
194
234
|
## How Results Are Fused
|
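Review bot: The plumbing list says the ZDE guard's verb-prefix denylist blocks `Get*` / `Retrieve*` / `Read*` at the SDK boundary, yet the plugin 1040 row lists STS `GetCallerIdentity` as part of its evidence stream. Either document how metadata-only `Get*` calls are exempted, or describe the guard as an allowlist of permitted `Describe*` / `List*` calls, which is also the stronger control behind a "never reads secret values" claim than a prefix denylist. "ZDE" is never expanded anywhere in the added text and should be spelled out on first use. The opening paragraph also says 15 plugins is "up from 8 in 0.3.8", but the 0.1.39 entry counts 8 plugins at EE 0.3.9 with 1050 and 1060 marked NEW in that release, so the baseline version or the count needs correcting.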