nsauditor-ai 0.1.39 → 0.1.40
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +39 -5
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -17,7 +17,8 @@ NSAuditor AI is the open-source core of a privacy-first security intelligence pl
|
|
|
17
17
|
|
|
18
18
|
## What's New
|
|
19
19
|
|
|
20
|
-
- **0.1.
|
|
20
|
+
- **0.1.40 (current)** — docs-only patch announcing **EE 0.4.0 publish** (paired release). EE plugin count grows **8 → 15** with 7 new AWS auditor plugins: **1070 KMS Auditor** (EE-RT.3, CC6.3 + C1.1), **1080 Lambda Security Auditor** (EE-RT.5, runtime EOL + URL exposure + env-var secret-suggestive names; CC6.1/6.6/7.1/C1.1), **1090 Secrets Manager + SSM Parameter Store Auditor** (EE-RT.8, ZDE-critical metadata-only — never reads secret values; CC6.1/6.6/C1.1), **1100 CodePipeline + CodeBuild Operational Integrity** (EE-RT.9 + 9.1; CC6.1/7.1/8.1/C1.1), **1110 IAM Effective Decrypt-Path Auditor** (EE-RT.10 + 10.1, cross-plugin reconciler; CC6.1/6.6/C1.1/C1.2), **1120 S3 Lifecycle + Cross-Region Replication Auditor** (EE-RT.4 + 4.1; C1.1/C1.2/A1.2), and the **headline thread** — **1130 AWS Backup Auditor** (EE-RT.12 v1 → v1.24, ~7800 lines across 18 sessions / 25 commits / 545 plugin tests / 19 R2-strict recurrence-class same-session closures / 74 new soc2.json titlePattern entries across 7 controls). Plugin 1130's **12-dimension air-gapped vault attestation arc** for `LogicallyAirGappedBackupVault` resources (vault TYPE + ARN account-segment + KMS key-policy + KMS Grants + MRK-replica topology + source-account VPC-endpoint policy, plus 6 substrate dimensions) substantially closes the previously-documented "Backup/recovery posture itself" gap under A1.2 partial coverage. **No coverage matrix shift since 0.3.9** (stays 10 covered / 4 partial / 33 OOS) — every existing covered control gains substantially deeper evidence; matrix-shift opportunity reserved for EE-RT.7 Lambda Runtime Assurance closing PI1.1–PI1.4. EE-side stats: **~200 reviewer folds, 545 new plugin-1130 tests + ~400 across 1070–1120, 3792/3792 regression green**. CE binary unchanged in 0.1.40 (code identical to 0.1.39); the bump exists to carry the EE-paired-release narrative + announce the 7 new plugins to the npm landing page.
|
|
21
|
+
- **0.1.39 (deprecated)** — docs-only patch announcing **EE 0.3.9 publish** (paired release): EE plugin-ID range realignment to 1000+ closes a silent plugin-shadow class that affected EE 0.3.7/0.3.8 (CE plugin 040 TLS Cert Auditor and EE plugin 040 CloudTrail declared the same string ID; CE's `plugin_manager.findPlugin()` first-match-wins resolver routed `--plugins 040` to CE TLS, NOT EE CloudTrail). All 8 EE plugins moved to disjoint 1000+ IDs (1020 S3, 1021 GCP, 1022 Azure, 1023 Zero Trust, 1030 IAM Deep Auditor, 1040 CloudTrail, **NEW 1050 API Gateway Assurance**, **NEW 1060 DynamoDB Audit Integrity**). EE 0.3.9 also ships the **first SOC 2 Processing Integrity evidence stream**: PI1.5 (Stored items) moves from out-of-scope to partial via the new DynamoDB audit-the-auditor plugin — coverage matrix shifts **10 covered / 3 partial / 34 OOS → 10 covered / 4 partial / 33 OOS**. CE binary unchanged in 0.1.39 (code identical to 0.1.38).
|
|
21
22
|
- **0.1.38 (deprecated)** — docs-only. README rewritten to be feature-and-usage focused; release history moved to [CHANGELOG.md](./CHANGELOG.md); new [docs/mcp-verification.md](./docs/mcp-verification.md) for the `nsauditor-ai mcp verify-call` workflow. No functional change vs 0.1.37.
|
|
22
23
|
- **0.1.37 — 🛑 security fix**, upgrade if you're on anything earlier. The MCP bin shim (`nsauditor-ai-mcp`) was bypassing both `NSA_MCP_AUTH_KEY` enforcement and license verification on every spawn. Defense-in-depth degradation, plus paid Pro/Enterprise customers were stuck at CE tier through MCP. `npm install -g nsauditor-ai@latest` + restart your MCP client.
|
|
23
24
|
- **Authenticated MCP server, Keychain-backed secrets, per-call sentinel UUIDs, multi-source license loader, `--version` / `validate` / `license install` subcommands.** All shipped across 0.1.30 → 0.1.37 — see [CHANGELOG.md](./CHANGELOG.md) for the per-release detail.
|
|
@@ -176,7 +177,15 @@ Results land in `./out/<host>_<timestamp>/`:
|
|
|
176
177
|
|
|
177
178
|
### Pro/Enterprise Plugins (via @nsasoft/nsauditor-ai-ee)
|
|
178
179
|
|
|
179
|
-
EE plugins
|
|
180
|
+
**EE 0.4.0 ships 15 enterprise plugins** (up from 8 in 0.3.8 — the largest single-release coverage expansion since the SOC 2 compliance engine itself shipped at EE 0.3.0). EE plugins use the disjoint 1000+ ID range; CE reserves 001-099. Plugins audit AWS / GCP / Azure cloud substrate end-to-end against the AICPA Trust Services Criteria 2017 framework; every plugin is enterprise-gated by the `cloudScanners` capability and runs against customer-supplied cloud credentials. Once licensed, the EE package installs alongside the CE binary; auditor-facing TSC mapping documentation (`CHANGELOG.md` + `docs/soc2-coverage.md`) ships bundled.
|
|
181
|
+
|
|
182
|
+
**All EE plugins follow the same institutional plumbing pattern:**
|
|
183
|
+
|
|
184
|
+
- **Thread H `_instrumentSdkClient` wrap** — per-API AccessDenied counter + ZDE structural guard (verb-prefix denylist regex blocks `Get*` / `Retrieve*` / `Read*` value-reading APIs at SDK boundary) + idempotency sentinel
|
|
185
|
+
- **EE-RT.1.5 throttle-retry** — exponential-backoff retry on `Throttling*` / `RequestLimitExceeded` / `TooManyRequestsException` with per-command wall-clock budget
|
|
186
|
+
- **Thread F `conclude()` field-selection allowlist** — structured-data ZDE: only AWS-public-namespace identifiers + integer counts flow through to findings; customer policy content / key material / encrypted payloads NEVER propagate
|
|
187
|
+
- **`conservative_classifier_principle`** — emit INFO+evidenceGap with verification prompt when ARN-shape disambiguation needs a follow-up API call; vacuous PASS on partial substrate evidence is treated as the worst SOC 2 reporting outcome
|
|
188
|
+
- **`aws_string_case_normalization`** — trim + lowercase AWS-returned strings at SDK-helper boundary; protects against the 7+ recurrent classes of case-sensitivity fail-open (IAM Condition keys, Lambda runtimes, KMS aliases, Effect/Action discriminators, FULL_ADMIN sentinel, S3 region)
|
|
180
189
|
|
|
181
190
|
| ID | Name | Tier | Purpose |
|
|
182
191
|
|---|---|---|---|
|
|
@@ -186,15 +195,40 @@ EE plugins use the disjoint 1000+ ID range to avoid collision with CE plugins (C
|
|
|
186
195
|
| 1023 | Zero Trust Checker | Enterprise | Segmentation, encryption, identity, lateral movement scoring |
|
|
187
196
|
| 1030 | AWS IAM Deep Auditor | Enterprise | Shadow-admin path detection via BFS over PassRole / AssumeRole / federated trust; per-finding remediation pointers; restrictive-Condition allowlist (Auth0 / Okta / Cognito User Pool OIDC heuristic); SOC 2 CC6.1 evidence |
|
|
188
197
|
| 1040 | AWS CloudTrail Operational Integrity | Enterprise | CloudTrail trail health (multi-region default-ON, log-file validation, KMS-CMK, IsLogging); CloudWatch alarm coverage against CIS AWS Foundations Benchmark v1.5 §3.1–3.14 (v2 auditor-canonical `logs:DescribeMetricFilters` evidence stream); AWS Config + ConfigurationAggregator detection + STS `GetCallerIdentity` deterministic account-coverage check; cross-account S3 trail-destination WORM verification (SEC 17a-4 / FINRA 4511). CC7.2 + CC7.3 covered. |
|
|
189
|
-
|
|
|
190
|
-
|
|
|
191
|
-
|
|
|
198
|
+
| 1050 | AWS API Gateway Assurance (EE 0.3.9) | Enterprise | Entry-point evidence for Serverless-Framework deployments. Per-method/route authorization classifier (NONE = CRITICAL; AWS_IAM / Cognito / JWT = PASS; Lambda authorizer = INFO); custom-domain TLS policy (TLS_1_0 = HIGH); stage-level access logging / throttling / WAF; public-endpoint exposure. CC6.1 / CC6.6 / CC6.7 / CC7.1 / A1.2. |
|
|
199
|
+
| 1060 | AWS DynamoDB Audit Integrity (EE 0.3.9 — PI1.5 matrix shift) | Enterprise | First PI1-class evidence plugin ("audit-the-auditor"). Per-table PITR + deletion protection + KMS-CMK (conservative LOW-unverifiable when `:key/UUID` form); resource-policy presence; CloudTrail DynamoDB data-event coverage cross-reference. **Opens partial PI1.5 (Stored items)**. CC6.6 / CC7.1 / C1.1 / **PI1.5**. |
|
|
200
|
+
| **1070** | **AWS KMS Auditor** (NEW EE 0.4.0) | Enterprise | Cryptographic boundary integrity + key governance. Per-key rotation status; **wildcard-principal classifier across 5 severity tiers** (CRITICAL unconditional `kms:*` takeover; HIGH for sensitive actions; INFO read-only; PASS no-wildcard) covering Principal.AWS / Federated / Service / CanonicalUser shapes + case-insensitive AWS/action matching + NotPrincipal-Allow + NotAction-Allow + glob-action (`kms:Encrypt*` / `kms:Sign*`). Exports `_describeKeyManager()` helper for plugin 1060 cross-reference (closes EE-RT.2.1.1). CC6.3 / C1.1. |
|
|
201
|
+
| **1080** | **AWS Lambda Security Auditor** (NEW EE 0.4.0) | Enterprise | Runtime EOL detection (institutional-CRITICAL on `nodejs16.x` / `python3.7` etc. — case-normalized at boundary), public function-URL exposure, resource-policy permissive principals, environment-variable secret-suggestive name detection (ZDE-safe: VALUES never inspected — only names + presence), VPC configuration, KMS-CMK vs AWS-managed key custody, DLQ + reserved concurrency posture. CC6.1 / CC6.6 / CC7.1 / C1.1. |
|
|
202
|
+
| **1090** | **AWS Secrets Manager + SSM Parameter Store Auditor** (NEW EE 0.4.0) | Enterprise | Secrets Manager `ListSecrets` + `DescribeSecret` (rotation cadence, KMS-CMK custody, tag-driven prod-tier classification) + SSM Parameter Store `DescribeParameters` (String/SecureString classification + secret-suggestive name detection). **ZDE-critical**: scanner NEVER calls `GetSecretValue` / `GetParameter` — only `Describe*` / `List*` (metadata only). Defense-in-depth: verb-prefix denylist regex blocks `Get*` / `Retrieve*` / `Read*` at SDK boundary. CC6.1 / CC6.6 / C1.1. |
|
|
203
|
+
| **1100** | **AWS CodePipeline + CodeBuild Operational Integrity** (NEW EE 0.4.0) | Enterprise | Pipeline source-stage encryption, CodeBuild `privilegedMode` detection (HIGH for non-Docker-image), buildspec inlined-vs-S3 (drift surface), secrets via env vars vs Secrets Manager reference, IAM role wildcard-Action detection, S3 artifact-store encryption. Runtime-state audit surfaces stale-execution detection (pipeline's latest execution older than configured cadence). CC6.1 / CC7.1 / CC8.1 / C1.1. |
|
|
204
|
+
| **1110** | **IAM Effective Decrypt-Path Auditor** (NEW EE 0.4.0) | Enterprise | Cross-plugin reconciler: walks IAM policies for `kms:Decrypt` / `kms:ReEncrypt*` / `kms:GenerateDataKey` grants and cross-references against destination KMS key policies (plugin 1070) to compute the **effective decrypt path**. Closes institutional NotAction-implicit-decrypt false-PASS class (`Allow + NotAction:[...] + Resource:*` over-grants decrypt implicitly). Cross-plugin sister-fix in 1030: Effect + Action case-normalization at IAM-graph BFS boundary. CC6.1 / CC6.6 / C1.1 / C1.2. |
|
|
205
|
+
| **1120** | **AWS S3 Lifecycle + Cross-Region Replication Auditor** (NEW EE 0.4.0) | Enterprise | S3 lifecycle policy enumeration (CC7.1 retention-cadence evidence) + cross-region replication topology (A1.2 disaster-recovery substrate). Cross-region destination-bucket reachability verification closes silent-PASS class where replication source FAILED but emitted clean. C1.1 / C1.2 / A1.2. |
|
|
206
|
+
| **1130** | **AWS Backup Auditor — headline thread** (NEW EE 0.4.0; EE-RT.12 v1 → v1.24, 18-session institutional hardening arc) | Enterprise | The **largest single-plugin institutional-hardening arc in the EE codebase**: ~7800 lines / 545 plugin tests / 19 R2-strict recurrence-class same-session closures / 74 new soc2.json titlePattern entries across 7 controls. Audits the AWS Backup substrate end-to-end: Plans + Vaults + Recovery Points + Selections + Frameworks + Restore Testing + ReportPlans + Legal Holds + VaultType + Vault Tags + Vault Access Policy. **Headline capability: 12-dimension air-gapped vault attestation arc** for `LogicallyAirGappedBackupVault` resources — 6 cryptographic-isolation mechanisms (vault TYPE air-gapped + ARN account-segment-separation + destination KMS key-policy clean + destination KMS Grants clean + MRK-replica topology clean + source-account VPC-endpoint policy clean) PLUS 6 substrate dimensions (PITR / retention / encryption / RestoreTesting / Legal Holds / vault Access Policy). Cross-service SDK integration (`@aws-sdk/client-kms`, `@aws-sdk/client-ec2`, `@aws-sdk/client-config-service`, `@aws-sdk/client-backup`). CC6.3 / **CC6.6** / CC7.1 / CC8.1 / C1.1 / **C1.2** / **A1.2**. |
|
|
207
|
+
| — | SOC 2 Compliance Engine | Enterprise | AICPA TSC 2017 control mapping (10 covered + 4 partial controls post-EE 0.3.9 / 0.4.0), chain-of-custody, RFC 3161 timestamps, suppression workflow |
|
|
192
208
|
| — | SLA & MTTR Tracking | Enterprise | Per-severity SLA targets, compensating-control flow, finding lifecycle |
|
|
193
209
|
| — | Recurring-Scan Attestation | Enterprise | Multi-scan chronological matrix, cadence gap detection, scope drift (CC8.1) |
|
|
194
210
|
| — | GRC Platform Connector | Enterprise | Native API push to Vanta with retry/backoff, idempotency, rate-limit handling |
|
|
195
211
|
| — | WORM Evidence Storage | Enterprise | S3 Object Lock COMPLIANCE-mode, resource redaction, SHA-256 manifest |
|
|
196
212
|
| — | Tabletop Simulation | Enterprise | Probe-event manifest + SIEM detection correlation, configurable coverage bands |
|
|
197
213
|
|
|
214
|
+
**Running EE plugins** (after `nsauditor-ai license install <key>`):
|
|
215
|
+
|
|
216
|
+
```bash
|
|
217
|
+
# Run a single EE plugin
|
|
218
|
+
nsauditor-ai scan --host aws --plugins 1130 --compliance soc2 --out evidence.json
|
|
219
|
+
|
|
220
|
+
# Run multiple EE plugins
|
|
221
|
+
nsauditor-ai scan --host aws --plugins 1030,1040,1070,1130 --compliance soc2
|
|
222
|
+
|
|
223
|
+
# Run all EE plugins (auto-discovered via plugin manager)
|
|
224
|
+
nsauditor-ai scan --host aws --plugins all --compliance soc2
|
|
225
|
+
|
|
226
|
+
# Tune plugin parameters (e.g., raise VPC-endpoint PAGE_CAP for large-fleet customers)
|
|
227
|
+
nsauditor-ai scan --host aws --plugins 1130 --plugin-opts '{"1130":{"vpcEndpointsPageCap":50}}'
|
|
228
|
+
```
|
|
229
|
+
|
|
230
|
+
The auditor evidence pack is emitted under `out/` — cover-page Scope Attestation, SHA-256 chain-of-custody sidecars, RFC 3161 trusted-timestamps, suppression workflow, identity verification. EE is available at [`www.nsauditor.com/ai/pricing`](https://www.nsauditor.com/ai/pricing).
|
|
231
|
+
|
|
198
232
|
---
|
|
199
233
|
|
|
200
234
|
## How Results Are Fused
|