nsauditor-ai 0.1.40 → 0.1.42

package/README.md

@@ -17,11 +17,11 @@ NSAuditor AI is the open-source core of a privacy-first security intelligence pl
 
 ## What's New
 
-- **0.1.40 (current)** — docs-only patch announcing **EE 0.4.0 publish** (paired release). EE plugin count grows **8 → 15** with 7 new AWS auditor plugins: **1070 KMS Auditor** (EE-RT.3, CC6.3 + C1.1), **1080 Lambda Security Auditor** (EE-RT.5, runtime EOL + URL exposure + env-var secret-suggestive names; CC6.1/6.6/7.1/C1.1), **1090 Secrets Manager + SSM Parameter Store Auditor** (EE-RT.8, ZDE-critical metadata-only — never reads secret values; CC6.1/6.6/C1.1), **1100 CodePipeline + CodeBuild Operational Integrity** (EE-RT.9 + 9.1; CC6.1/7.1/8.1/C1.1), **1110 IAM Effective Decrypt-Path Auditor** (EE-RT.10 + 10.1, cross-plugin reconciler; CC6.1/6.6/C1.1/C1.2), **1120 S3 Lifecycle + Cross-Region Replication Auditor** (EE-RT.4 + 4.1; C1.1/C1.2/A1.2), and the **headline thread** — **1130 AWS Backup Auditor** (EE-RT.12 v1 → v1.24, ~7800 lines across 18 sessions / 25 commits / 545 plugin tests / 19 R2-strict recurrence-class same-session closures / 74 new soc2.json titlePattern entries across 7 controls). Plugin 1130's **12-dimension air-gapped vault attestation arc** for `LogicallyAirGappedBackupVault` resources (vault TYPE + ARN account-segment + KMS key-policy + KMS Grants + MRK-replica topology + source-account VPC-endpoint policy, plus 6 substrate dimensions) substantially closes the previously-documented "Backup/recovery posture itself" gap under A1.2 partial coverage. **No coverage matrix shift since 0.3.9** (stays 10 covered / 4 partial / 33 OOS) — every existing covered control gains substantially deeper evidence; matrix-shift opportunity reserved for EE-RT.7 Lambda Runtime Assurance closing PI1.1–PI1.4. EE-side stats: **~200 reviewer folds, 545 new plugin-1130 tests + ~400 across 1070–1120, 3792/3792 regression green**. CE binary unchanged in 0.1.40 (code identical to 0.1.39); the bump exists to carry the EE-paired-release narrative + announce the 7 new plugins to the npm landing page.
-- **0.1.39 (deprecated)** — docs-only patch announcing **EE 0.3.9 publish** (paired release): EE plugin-ID range realignment to 1000+ closes a silent plugin-shadow class that affected EE 0.3.7/0.3.8 (CE plugin 040 TLS Cert Auditor and EE plugin 040 CloudTrail declared the same string ID; CE's `plugin_manager.findPlugin()` first-match-wins resolver routed `--plugins 040` to CE TLS, NOT EE CloudTrail). All 8 EE plugins moved to disjoint 1000+ IDs (1020 S3, 1021 GCP, 1022 Azure, 1023 Zero Trust, 1030 IAM Deep Auditor, 1040 CloudTrail, **NEW 1050 API Gateway Assurance**, **NEW 1060 DynamoDB Audit Integrity**). EE 0.3.9 also ships the **first SOC 2 Processing Integrity evidence stream**: PI1.5 (Stored items) moves from out-of-scope to partial via the new DynamoDB audit-the-auditor plugin — coverage matrix shifts **10 covered / 3 partial / 34 OOS → 10 covered / 4 partial / 33 OOS**. CE binary unchanged in 0.1.39 (code identical to 0.1.38).
-- **0.1.38 (deprecated)** — docs-only. README rewritten to be feature-and-usage focused; release history moved to [CHANGELOG.md](./CHANGELOG.md); new [docs/mcp-verification.md](./docs/mcp-verification.md) for the `nsauditor-ai mcp verify-call` workflow. No functional change vs 0.1.37.
-- **0.1.37 — 🛑 security fix**, upgrade if you're on anything earlier. The MCP bin shim (`nsauditor-ai-mcp`) was bypassing both `NSA_MCP_AUTH_KEY` enforcement and license verification on every spawn. Defense-in-depth degradation, plus paid Pro/Enterprise customers were stuck at CE tier through MCP. `npm install -g nsauditor-ai@latest` + restart your MCP client.
-- **Authenticated MCP server, Keychain-backed secrets, per-call sentinel UUIDs, multi-source license loader, `--version` / `validate` / `license install` subcommands.** All shipped across 0.1.30 → 0.1.37 — see [CHANGELOG.md](./CHANGELOG.md) for the per-release detail.
+- **0.1.42 (current)** — docs-only patch announcing **EE 0.4.3 publish** (paired release narrative). EE plugin count grows **15 → 16** with the **first new EE plugin since the 0.4.0 cohort**: **plugin 1140 AWS RDS Auditor** (EE-RT.14 v1) covering 3 SOC 2 substrate dimensions — **Multi-AZ deployment** (A1.2 availability), **storage encryption at rest with KMS-key custody classification** (C1.1 confidentiality; four-tier severity ladder with conservative LOW+evidenceGap on `:key/UUID` ARN shapes per institutional `conservative_classifier_principle` memory), and **parameter-group SSL enforcement** (C1.1 transit-encryption — postgres `rds.force_ssl` + mysql `require_secure_transport`). v2+ defers 4 more dimensions (BackupRetentionPeriod / PubliclyAccessible / IAMDatabaseAuthentication / snapshot encryption) + `kms:DescribeKey` cross-reference. EE 0.4.3 also ships **EE-RT.13** — structural fix for the EE-0.4.2-HOTFIX regression class (PLUGIN_ID lifted to plugin-exported constants imported by `CLOUD_PLUGIN_SOURCE_MAP` via computed-key syntax; 16-file refactor with module-load-time guarantee) — and **EE-RT.10.x.1** (plugin 1110 effective-decrypt whitespace defense; 8th sibling `aws_string_case_normalization` fold; memory tag at 15× recurrence). **No coverage matrix shift** since 0.3.9 (stays 10/4/33 — institutional honesty per the matrix-shift discipline; matrix-shift opportunity reserved for EE-RT.7 PI1.1–PI1.4). EE-side stats: **+63 new tests** (8 EE-RT.10.x.1 + 51 EE-RT.14 v1 + 4 EE-RT.13 reviewer-fold); **EE full regression: 4160/4160; 37-session 100% green streak preserved**. CE binary unchanged in 0.1.42 (code identical to 0.1.40 / 0.1.41); the bump exists to carry the EE-paired-release narrative + announce plugin 1140 to the npm landing page. **Real-AWS smoke-validated** against `test-infra-builder` paired fixtures (account 522412052794): `findingCount: 0 → 6`; A1.2 → FAIL; C1.1 → FAIL.
+- **0.1.41 (deprecated)** — docs-only patch carrying the EE 0.4.2 paired-release narrative (CRITICAL HOTFIX closing the silent false-clean SOC 2 reporting regression that affected EE 0.3.9 / 0.4.0 / 0.4.1 + 31 recurrence-class surface closures across 7 plugins + EE-RT.12.25 cross-plugin run()-level integration scaffold).
+- **0.1.40 (deprecated)** — docs-only patch announcing the EE 0.4.0 cohort (EE plugin count grew **8 → 15** with 7 new AWS auditor plugins 1070–1130; the headline `1130 AWS Backup Auditor` is the largest single-plugin institutional-hardening arc in the EE codebase — ~7800 lines, 545 tests, 12-dimension air-gapped vault attestation arc). See [CHANGELOG.md](./CHANGELOG.md) for the per-release detail.
+
+For 0.1.30 → 0.1.39 release notes (authenticated MCP server, Keychain-backed secrets, per-call sentinel UUIDs, multi-source license loader, security fix for the bin-shim auth bypass, etc.), see [CHANGELOG.md](./CHANGELOG.md).
 
 ---
 
@@ -177,7 +177,7 @@ Results land in `./out/<host>_<timestamp>/`:
 
 ### Pro/Enterprise Plugins (via @nsasoft/nsauditor-ai-ee)
 
-**EE 0.4.0 ships 15 enterprise plugins** (up from 8 in 0.3.8 — the largest single-release coverage expansion since the SOC 2 compliance engine itself shipped at EE 0.3.0). EE plugins use the disjoint 1000+ ID range; CE reserves 001-099. Plugins audit AWS / GCP / Azure cloud substrate end-to-end against the AICPA Trust Services Criteria 2017 framework; every plugin is enterprise-gated by the `cloudScanners` capability and runs against customer-supplied cloud credentials. Once licensed, the EE package installs alongside the CE binary; auditor-facing TSC mapping documentation (`CHANGELOG.md` + `docs/soc2-coverage.md`) ships bundled.
+**EE 0.4.3 ships 16 enterprise plugins** (up from 15 at EE 0.4.0 — first plugin-count growth since the 0.4.0 cohort, adding plugin 1140 AWS RDS Auditor). EE plugins use the disjoint 1000+ ID range; CE reserves 001-099. Plugins audit AWS / GCP / Azure cloud substrate end-to-end against the AICPA Trust Services Criteria 2017 framework; every plugin is enterprise-gated by the `cloudScanners` capability and runs against customer-supplied cloud credentials. Once licensed, the EE package installs alongside the CE binary; auditor-facing TSC mapping documentation (`CHANGELOG.md` + `docs/soc2-coverage.md`) ships bundled.
 
 **All EE plugins follow the same institutional plumbing pattern:**
 
@@ -204,6 +204,7 @@ Results land in `./out/<host>_<timestamp>/`:
 | **1110** | **IAM Effective Decrypt-Path Auditor** (NEW EE 0.4.0) | Enterprise | Cross-plugin reconciler: walks IAM policies for `kms:Decrypt` / `kms:ReEncrypt*` / `kms:GenerateDataKey` grants and cross-references against destination KMS key policies (plugin 1070) to compute the **effective decrypt path**. Closes institutional NotAction-implicit-decrypt false-PASS class (`Allow + NotAction:[...] + Resource:*` over-grants decrypt implicitly). Cross-plugin sister-fix in 1030: Effect + Action case-normalization at IAM-graph BFS boundary. CC6.1 / CC6.6 / C1.1 / C1.2. |
 | **1120** | **AWS S3 Lifecycle + Cross-Region Replication Auditor** (NEW EE 0.4.0) | Enterprise | S3 lifecycle policy enumeration (CC7.1 retention-cadence evidence) + cross-region replication topology (A1.2 disaster-recovery substrate). Cross-region destination-bucket reachability verification closes silent-PASS class where replication source FAILED but emitted clean. C1.1 / C1.2 / A1.2. |
 | **1130** | **AWS Backup Auditor — headline thread** (NEW EE 0.4.0; EE-RT.12 v1 → v1.24, 18-session institutional hardening arc) | Enterprise | The **largest single-plugin institutional-hardening arc in the EE codebase**: ~7800 lines / 545 plugin tests / 19 R2-strict recurrence-class same-session closures / 74 new soc2.json titlePattern entries across 7 controls. Audits the AWS Backup substrate end-to-end: Plans + Vaults + Recovery Points + Selections + Frameworks + Restore Testing + ReportPlans + Legal Holds + VaultType + Vault Tags + Vault Access Policy. **Headline capability: 12-dimension air-gapped vault attestation arc** for `LogicallyAirGappedBackupVault` resources — 6 cryptographic-isolation mechanisms (vault TYPE air-gapped + ARN account-segment-separation + destination KMS key-policy clean + destination KMS Grants clean + MRK-replica topology clean + source-account VPC-endpoint policy clean) PLUS 6 substrate dimensions (PITR / retention / encryption / RestoreTesting / Legal Holds / vault Access Policy). Cross-service SDK integration (`@aws-sdk/client-kms`, `@aws-sdk/client-ec2`, `@aws-sdk/client-config-service`, `@aws-sdk/client-backup`). CC6.3 / **CC6.6** / CC7.1 / CC8.1 / C1.1 / **C1.2** / **A1.2**. |
+| **1140** | **AWS RDS Auditor** (NEW EE 0.4.3; EE-RT.14 v1 — first new EE plugin since the 0.4.0 cohort) | Enterprise | Audits AWS RDS DB instances against 3 SOC 2 substrate-evidence dimensions: **Multi-AZ deployment** (A1.2 availability — `MultiAZ=false` = HIGH; True = PASS), **storage encryption at rest with KMS-key custody classification** (C1.1 confidentiality — four-tier severity ladder: HIGH unencrypted → MEDIUM AWS-managed `alias/aws/rds` → PASS customer-managed CMK alias → LOW+evidenceGap on `:key/UUID` ARN form per institutional `conservative_classifier_principle` memory; v2 will add automatic `kms:DescribeKey` cross-reference to promote LOW unverifiable → deterministic PASS/MEDIUM), and **parameter-group SSL enforcement** (C1.1 transit-encryption — postgres `rds.force_ssl=1` / mysql `require_secure_transport=ON` = PASS; not enforced or unset = CRITICAL; supports postgres / aurora-postgresql / mysql / mariadb / aurora-mysql engines). v2+ defers 4 more dimensions (BackupRetentionPeriod A1.2 + PubliclyAccessible CC6.6 + IAMDatabaseAuthenticationEnabled CC6.1 + snapshot encryption C1.1). 8 new soc2.json titlePattern entries (2 under A1.2 + 6 under C1.1). Full institutional contract applied day-1 (EE-RT.13 PLUGIN_ID export + Thread H wrap + ZDE sanitizer + conservative classifier + EE-RT.12.25 v1 run() scaffold). Smoke-validated against `test-infra-builder` paired fixtures (`rds-compliant-cluster` + `rds-violator-db`) in account 522412052794. **A1.2 / C1.1**. |
 | — | SOC 2 Compliance Engine | Enterprise | AICPA TSC 2017 control mapping (10 covered + 4 partial controls post-EE 0.3.9 / 0.4.0), chain-of-custody, RFC 3161 timestamps, suppression workflow |
 | — | SLA & MTTR Tracking | Enterprise | Per-severity SLA targets, compensating-control flow, finding lifecycle |
 | — | Recurring-Scan Attestation | Enterprise | Multi-scan chronological matrix, cadence gap detection, scope drift (CC8.1) |

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nsauditor-ai",
-  "version": "0.1.40",
+  "version": "0.1.42",
   "description": "Modular AI-assisted network security audit platform — Community Edition",
   "type": "module",
   "private": false,

package/plugins/040_tls_cert_auditor.mjs

@@ -548,11 +548,12 @@ export default {
   tier: "community",
   protocols: ["tcp"],
   ports: [443, 465, 587, 636, 853, 993, 995, 8443, 8883, 9443],
+  // single invocation: run() iterates this.ports internally so failed ports
+  // can be rolled up into one INFO instead of N per-port empty placeholders.
+  runStrategy: "single",
 
   requirements: {
     host: "up",
-    // Note: requirements are OR-logic for ports — any open TLS port triggers the plugin.
-    // The plugin itself will skip ports that don't respond to TLS handshake.
   },
 
   // ── Pre-flight ──────────────────────────────────────────────────────────
@@ -620,7 +621,10 @@ export default {
 
   // ── Conclude ────────────────────────────────────────────────────────────
   conclude({ result, host }) {
-    if (!result.portResults || result.portResults.length === 0) {
+    const portResults = Array.isArray(result?.portResults) ? result.portResults : [];
+    const failedPorts = Array.isArray(result?.failedPorts) ? result.failedPorts : [];
+
+    if (portResults.length === 0 && failedPorts.length === 0) {
       return [{
         protocol: "tcp",
         service: "tls",
@@ -633,7 +637,7 @@ export default {
 
     const items = [];
 
-    for (const pr of result.portResults) {
+    for (const pr of portResults) {
       // Compute status label
       let status;
       if (pr.certificate.expired) {
@@ -687,6 +691,25 @@ export default {
       });
     }
 
+    if (failedPorts.length > 0) {
+      const probedTotal = portResults.length + failedPorts.length;
+      items.push({
+        port: 0,
+        protocol: "tcp",
+        service: "tls",
+        status: "tls-not-responding",
+        severity: SEVERITY.INFO,
+        info: `${failedPorts.length}/${probedTotal} TLS ports did not respond (${failedPorts.map((f) => `${f.port}: ${f.error}`).join(", ")})`,
+        issues: [],
+        details: {
+          failedPorts,
+          activePorts: portResults.map((pr) => pr.port),
+        },
+        source: "tls-cert-auditor",
+        authoritative: false,
+      });
+    }
+
     return items;
   },