nsauditor-ai 0.1.41 → 0.1.43

package/README.md

@@ -17,11 +17,12 @@ NSAuditor AI is the open-source core of a privacy-first security intelligence pl
 
 ## What's New
 
-- **0.1.40 (current)** — docs-only patch announcing **EE 0.4.0 publish** (paired release). EE plugin count grows **8 → 15** with 7 new AWS auditor plugins: **1070 KMS Auditor** (EE-RT.3, CC6.3 + C1.1), **1080 Lambda Security Auditor** (EE-RT.5, runtime EOL + URL exposure + env-var secret-suggestive names; CC6.1/6.6/7.1/C1.1), **1090 Secrets Manager + SSM Parameter Store Auditor** (EE-RT.8, ZDE-critical metadata-only — never reads secret values; CC6.1/6.6/C1.1), **1100 CodePipeline + CodeBuild Operational Integrity** (EE-RT.9 + 9.1; CC6.1/7.1/8.1/C1.1), **1110 IAM Effective Decrypt-Path Auditor** (EE-RT.10 + 10.1, cross-plugin reconciler; CC6.1/6.6/C1.1/C1.2), **1120 S3 Lifecycle + Cross-Region Replication Auditor** (EE-RT.4 + 4.1; C1.1/C1.2/A1.2), and the **headline thread** — **1130 AWS Backup Auditor** (EE-RT.12 v1 → v1.24, ~7800 lines across 18 sessions / 25 commits / 545 plugin tests / 19 R2-strict recurrence-class same-session closures / 74 new soc2.json titlePattern entries across 7 controls). Plugin 1130's **12-dimension air-gapped vault attestation arc** for `LogicallyAirGappedBackupVault` resources (vault TYPE + ARN account-segment + KMS key-policy + KMS Grants + MRK-replica topology + source-account VPC-endpoint policy, plus 6 substrate dimensions) substantially closes the previously-documented "Backup/recovery posture itself" gap under A1.2 partial coverage. **No coverage matrix shift since 0.3.9** (stays 10 covered / 4 partial / 33 OOS) — every existing covered control gains substantially deeper evidence; matrix-shift opportunity reserved for EE-RT.7 Lambda Runtime Assurance closing PI1.1–PI1.4. EE-side stats: **~200 reviewer folds, 545 new plugin-1130 tests + ~400 across 1070–1120, 3792/3792 regression green**. CE binary unchanged in 0.1.40 (code identical to 0.1.39); the bump exists to carry the EE-paired-release narrative + announce the 7 new plugins to the npm landing page.
-- **0.1.39 (deprecated)** — docs-only patch announcing **EE 0.3.9 publish** (paired release): EE plugin-ID range realignment to 1000+ closes a silent plugin-shadow class that affected EE 0.3.7/0.3.8 (CE plugin 040 TLS Cert Auditor and EE plugin 040 CloudTrail declared the same string ID; CE's `plugin_manager.findPlugin()` first-match-wins resolver routed `--plugins 040` to CE TLS, NOT EE CloudTrail). All 8 EE plugins moved to disjoint 1000+ IDs (1020 S3, 1021 GCP, 1022 Azure, 1023 Zero Trust, 1030 IAM Deep Auditor, 1040 CloudTrail, **NEW 1050 API Gateway Assurance**, **NEW 1060 DynamoDB Audit Integrity**). EE 0.3.9 also ships the **first SOC 2 Processing Integrity evidence stream**: PI1.5 (Stored items) moves from out-of-scope to partial via the new DynamoDB audit-the-auditor plugin — coverage matrix shifts **10 covered / 3 partial / 34 OOS → 10 covered / 4 partial / 33 OOS**. CE binary unchanged in 0.1.39 (code identical to 0.1.38).
-- **0.1.38 (deprecated)** — docs-only. README rewritten to be feature-and-usage focused; release history moved to [CHANGELOG.md](./CHANGELOG.md); new [docs/mcp-verification.md](./docs/mcp-verification.md) for the `nsauditor-ai mcp verify-call` workflow. No functional change vs 0.1.37.
-- **0.1.37 — 🛑 security fix**, upgrade if you're on anything earlier. The MCP bin shim (`nsauditor-ai-mcp`) was bypassing both `NSA_MCP_AUTH_KEY` enforcement and license verification on every spawn. Defense-in-depth degradation, plus paid Pro/Enterprise customers were stuck at CE tier through MCP. `npm install -g nsauditor-ai@latest` + restart your MCP client.
-- **Authenticated MCP server, Keychain-backed secrets, per-call sentinel UUIDs, multi-source license loader, `--version` / `validate` / `license install` subcommands.** All shipped across 0.1.30 → 0.1.37 — see [CHANGELOG.md](./CHANGELOG.md) for the per-release detail.
+- **0.1.43 (current)** — docs-only patch announcing **EE 0.4.4 publish** (paired release narrative). EE plugin count grows **16 → 17** with **plugin 1150 AWS SQS/SNS Auditor** (EE-RT.15 v1) — second new EE plugin in the 0.4.x cycle. Covers 5 SOC 2 substrate-evidence dimensions: **SQS encryption at rest** (C1.1; SqsManagedSseEnabled OR KmsMasterKeyId with the same four-tier severity ladder as plugin 1140 — HIGH unencrypted → MEDIUM SQS-managed-SSE / `alias/aws/sqs` → PASS customer-managed CMK alias → LOW+evidenceGap on bare-UUID / `:key/UUID` form per `conservative_classifier_principle`), **SQS transit-encryption policy** (CC6.6; `aws:SecureTransport=false` Deny statement on the queue resource policy), **SNS topic encryption at rest** (C1.1; `KmsMasterKeyId` — SNS has no SQS-managed-SSE equivalent so absent = HIGH), **SNS topic-policy permissive-Principal** (CC6.6; wildcard-Principal on sensitive actions Publish/Subscribe/SetTopicAttributes/AddPermission/RemovePermission/DeleteTopic, with full **NotAction-Allow + NotPrincipal-Allow + Resource-scope** filtering per the EE-RT.15 R-HIGH-1 + R-HIGH-2 same-session reviewer folds — closes the AWS-documented wildcard-equivalent classes that plugins 1070 + 1110 already handle), and **SQS dead-letter queue presence** (A1.2 availability + CC7.1 anomaly-detection, dual-mapped — missing DLQ is the canonical silent-message-loss class for event-driven architectures). EE-RT.15 also closed **R-MEDIUM-1** (per-resource AccessDenied evidenceGap finding rather than silent-omit — same false-CLEAN class family as the EE-RT.14 v1 hotfix lineage). **No coverage matrix shift** since 0.3.9 (stays 10/4/33 — institutional honesty per the matrix-shift discipline; EE-RT.15 v1 adds SQS/SNS substrate evidence under already-covered C1.1 + CC6.6 + A1.2 + CC7.1). EE-side stats: **+95 new tests** (78 EE-RT.15 v1 unit-test suite + 17 same-session reviewer-fold tests); **EE full regression: 4255/4255; 38-session 100% green streak preserved**. **First EE plugin to ship WITHOUT a smoke-time SDK hotfix** — `@aws-sdk/client-sqs` + `@aws-sdk/client-sns` were added to `optionalDependencies` PREEMPTIVELY per the 11th pre-implementation checklist item (EE-RT.14 v1 lesson). CE binary unchanged in 0.1.43 (code identical to 0.1.40 / 0.1.41 / 0.1.42); the bump exists to carry the EE-paired-release narrative + announce plugin 1150 to the npm landing page. **Real-AWS smoke-validated** against `test-infra-builder` paired fixtures (account 522412052794, 4 resources): `findingCount: 0 → 10` (3 dims × 2 queues + 2 dims × 2 topics); **C1.1 → FAIL (4)**, **CC6.6 → FAIL (4)**, **A1.2 → FAIL (2)**, **CC7.1 → FAIL (2)**; all 10 classifications match ground truth (AWS-managed `alias/aws/sqs` correctly = MEDIUM not PASS; SNS default policy wildcard-Principal-WITH-Condition correctly = HIGH not CRITICAL).
+- **0.1.42 (deprecated)** — docs-only patch announcing the EE 0.4.3 paired release (first new EE plugin since the 0.4.0 cohort — plugin 1140 AWS RDS Auditor covering 3 SOC 2 substrate dimensions + EE-RT.13 structural fix for the EE-0.4.2-HOTFIX regression class via PLUGIN_ID lift + EE-RT.10.x.1 plugin 1110 effective-decrypt whitespace defense; EE regression 4160/4160 green).
+- **0.1.41 (deprecated)** — docs-only patch carrying the EE 0.4.2 paired-release narrative (CRITICAL HOTFIX closing the silent false-clean SOC 2 reporting regression that affected EE 0.3.9 / 0.4.0 / 0.4.1 + 31 recurrence-class surface closures across 7 plugins + EE-RT.12.25 cross-plugin run()-level integration scaffold).
+- **0.1.40 (deprecated)** — docs-only patch announcing the EE 0.4.0 cohort (EE plugin count grew **8 → 15** with 7 new AWS auditor plugins 1070–1130; the headline `1130 AWS Backup Auditor` is the largest single-plugin institutional-hardening arc in the EE codebase — ~7800 lines, 545 tests, 12-dimension air-gapped vault attestation arc). See [CHANGELOG.md](./CHANGELOG.md) for the per-release detail.
+
+For 0.1.30 → 0.1.39 release notes (authenticated MCP server, Keychain-backed secrets, per-call sentinel UUIDs, multi-source license loader, security fix for the bin-shim auth bypass, etc.), see [CHANGELOG.md](./CHANGELOG.md).
 
 ---
 
@@ -177,7 +178,7 @@ Results land in `./out/<host>_<timestamp>/`:
 
 ### Pro/Enterprise Plugins (via @nsasoft/nsauditor-ai-ee)
 
-**EE 0.4.0 ships 15 enterprise plugins** (up from 8 in 0.3.8 — the largest single-release coverage expansion since the SOC 2 compliance engine itself shipped at EE 0.3.0). EE plugins use the disjoint 1000+ ID range; CE reserves 001-099. Plugins audit AWS / GCP / Azure cloud substrate end-to-end against the AICPA Trust Services Criteria 2017 framework; every plugin is enterprise-gated by the `cloudScanners` capability and runs against customer-supplied cloud credentials. Once licensed, the EE package installs alongside the CE binary; auditor-facing TSC mapping documentation (`CHANGELOG.md` + `docs/soc2-coverage.md`) ships bundled.
+**EE 0.4.4 ships 17 enterprise plugins** (up from 16 at EE 0.4.3 — second plugin-count growth in the 0.4.x cycle, adding plugin 1150 AWS SQS/SNS Auditor on top of the EE 0.4.3 addition of plugin 1140 AWS RDS Auditor). EE plugins use the disjoint 1000+ ID range; CE reserves 001-099. Plugins audit AWS / GCP / Azure cloud substrate end-to-end against the AICPA Trust Services Criteria 2017 framework; every plugin is enterprise-gated by the `cloudScanners` capability and runs against customer-supplied cloud credentials. Once licensed, the EE package installs alongside the CE binary; auditor-facing TSC mapping documentation (`CHANGELOG.md` + `docs/soc2-coverage.md`) ships bundled.
 
 **All EE plugins follow the same institutional plumbing pattern:**
 
@@ -204,6 +205,8 @@ Results land in `./out/<host>_<timestamp>/`:
 | **1110** | **IAM Effective Decrypt-Path Auditor** (NEW EE 0.4.0) | Enterprise | Cross-plugin reconciler: walks IAM policies for `kms:Decrypt` / `kms:ReEncrypt*` / `kms:GenerateDataKey` grants and cross-references against destination KMS key policies (plugin 1070) to compute the **effective decrypt path**. Closes institutional NotAction-implicit-decrypt false-PASS class (`Allow + NotAction:[...] + Resource:*` over-grants decrypt implicitly). Cross-plugin sister-fix in 1030: Effect + Action case-normalization at IAM-graph BFS boundary. CC6.1 / CC6.6 / C1.1 / C1.2. |
 | **1120** | **AWS S3 Lifecycle + Cross-Region Replication Auditor** (NEW EE 0.4.0) | Enterprise | S3 lifecycle policy enumeration (CC7.1 retention-cadence evidence) + cross-region replication topology (A1.2 disaster-recovery substrate). Cross-region destination-bucket reachability verification closes silent-PASS class where replication source FAILED but emitted clean. C1.1 / C1.2 / A1.2. |
 | **1130** | **AWS Backup Auditor — headline thread** (NEW EE 0.4.0; EE-RT.12 v1 → v1.24, 18-session institutional hardening arc) | Enterprise | The **largest single-plugin institutional-hardening arc in the EE codebase**: ~7800 lines / 545 plugin tests / 19 R2-strict recurrence-class same-session closures / 74 new soc2.json titlePattern entries across 7 controls. Audits the AWS Backup substrate end-to-end: Plans + Vaults + Recovery Points + Selections + Frameworks + Restore Testing + ReportPlans + Legal Holds + VaultType + Vault Tags + Vault Access Policy. **Headline capability: 12-dimension air-gapped vault attestation arc** for `LogicallyAirGappedBackupVault` resources — 6 cryptographic-isolation mechanisms (vault TYPE air-gapped + ARN account-segment-separation + destination KMS key-policy clean + destination KMS Grants clean + MRK-replica topology clean + source-account VPC-endpoint policy clean) PLUS 6 substrate dimensions (PITR / retention / encryption / RestoreTesting / Legal Holds / vault Access Policy). Cross-service SDK integration (`@aws-sdk/client-kms`, `@aws-sdk/client-ec2`, `@aws-sdk/client-config-service`, `@aws-sdk/client-backup`). CC6.3 / **CC6.6** / CC7.1 / CC8.1 / C1.1 / **C1.2** / **A1.2**. |
+| **1140** | **AWS RDS Auditor** (NEW EE 0.4.3; EE-RT.14 v1 — first new EE plugin since the 0.4.0 cohort) | Enterprise | Audits AWS RDS DB instances against 3 SOC 2 substrate-evidence dimensions: **Multi-AZ deployment** (A1.2 availability — `MultiAZ=false` = HIGH; True = PASS), **storage encryption at rest with KMS-key custody classification** (C1.1 confidentiality — four-tier severity ladder: HIGH unencrypted → MEDIUM AWS-managed `alias/aws/rds` → PASS customer-managed CMK alias → LOW+evidenceGap on `:key/UUID` ARN form per institutional `conservative_classifier_principle` memory; v2 will add automatic `kms:DescribeKey` cross-reference to promote LOW unverifiable → deterministic PASS/MEDIUM), and **parameter-group SSL enforcement** (C1.1 transit-encryption — postgres `rds.force_ssl=1` / mysql `require_secure_transport=ON` = PASS; not enforced or unset = CRITICAL; supports postgres / aurora-postgresql / mysql / mariadb / aurora-mysql engines). v2+ defers 4 more dimensions (BackupRetentionPeriod A1.2 + PubliclyAccessible CC6.6 + IAMDatabaseAuthenticationEnabled CC6.1 + snapshot encryption C1.1). 8 new soc2.json titlePattern entries (2 under A1.2 + 6 under C1.1). Full institutional contract applied day-1 (EE-RT.13 PLUGIN_ID export + Thread H wrap + ZDE sanitizer + conservative classifier + EE-RT.12.25 v1 run() scaffold). Smoke-validated against `test-infra-builder` paired fixtures (`rds-compliant-cluster` + `rds-violator-db`) in account 522412052794. **A1.2 / C1.1**. |
+| **1150** | **AWS SQS/SNS Auditor** (NEW EE 0.4.4; EE-RT.15 v1 — second new EE plugin in the 0.4.x cycle) | Enterprise | Audits AWS SQS queues + SNS topics against **5 SOC 2 substrate-evidence dimensions** spanning two services in one plugin (institutional bundling — both substrate-evidence event-driven-architecture stores, both use the same SDK auth surface). **SQS encryption at rest** (C1.1 confidentiality — `GetQueueAttributes → SqsManagedSseEnabled` OR `KmsMasterKeyId`; four-tier severity ladder: HIGH unencrypted → MEDIUM AWS-managed-SSE OR `alias/aws/sqs` → PASS customer-managed CMK alias → LOW+evidenceGap on bare-UUID / `:key/UUID` ARN form per `conservative_classifier_principle`); **SQS transit-encryption policy** (CC6.6 segmentation — `aws:SecureTransport=false` Deny statement defense-in-depth over the HTTPS-only transport-layer guarantee); **SNS topic encryption at rest** (C1.1 confidentiality — `GetTopicAttributes → KmsMasterKeyId`; SNS has no SQS-managed-SSE equivalent so absent = HIGH); **SNS topic-policy permissive-Principal** (CC6.6 segmentation — wildcard-Principal classifier on sensitive actions sns:Publish / Subscribe / SetTopicAttributes / AddPermission / RemovePermission / DeleteTopic + `sns:*` / `*` wildcards; includes **NotAction-Allow** handling per plugin 1110 precedent + **NotPrincipal-Allow** handling per plugin 1070 precedent + **Resource-scope filtering** to prevent false-positive emissions on statements scoped to other topics' ARNs; severity ladder CRITICAL unconditional-wildcard → HIGH wildcard-WITH-Condition → PASS no-wildcard-sensitive); and **SQS dead-letter queue presence** (A1.2 availability + CC7.1 anomaly-detection, **dual-mapped** — `RedrivePolicy` analysis; missing DLQ is the canonical silent-message-loss class for event-driven architectures where failed message processing routes through SQS to downstream Lambda/ECS consumers). **First EE plugin to ship WITHOUT a smoke-time SDK hotfix** — `@aws-sdk/client-sqs` + `@aws-sdk/client-sns` were added to `optionalDependencies` PREEMPTIVELY per the 11th pre-implementation checklist item (EE-RT.14 v1 lesson applied institutionally). 11 new soc2.json titlePattern entries (9 under C1.1 + 6 under CC6.6 + 2 under A1.2 + 1 dual-mapped DLQ under CC7.1). Full institutional contract applied day-1 (EE-RT.13 PLUGIN_ID export + Thread H wrap on BOTH SQS + SNS clients independently + ZDE sanitizer at every AWS-returned string surface + conservative classifier on UNVERIFIABLE KMS shapes + EE-RT.12.25 v1 run() scaffold + 4 preemptive `aws_string_case_normalization` fold-sites for the 16× recurrence-class memory). Three same-session reviewer folds applied (R-HIGH-1 NotAction/NotPrincipal bypass class, R-HIGH-2 Resource-scope filter, R-MEDIUM-1 per-resource AccessDenied evidenceGap — same false-CLEAN-class family as the EE-RT.14 v1 hotfix lineage). Smoke-validated against `test-infra-builder` paired fixtures (`sqs-encrypted-queue` + `sqs-cleartext-queue` + `sns-encrypted-topic` + `sns-cleartext-topic`) in account 522412052794: `findingCount: 10`, all 10 classifications match ground truth (AWS-managed `alias/aws/sqs` correctly = MEDIUM not PASS; SNS default topic policy wildcard-Principal-WITH-Condition correctly = HIGH not CRITICAL). **C1.1 / CC6.6 / A1.2 / CC7.1**. |
 | — | SOC 2 Compliance Engine | Enterprise | AICPA TSC 2017 control mapping (10 covered + 4 partial controls post-EE 0.3.9 / 0.4.0), chain-of-custody, RFC 3161 timestamps, suppression workflow |
 | — | SLA & MTTR Tracking | Enterprise | Per-severity SLA targets, compensating-control flow, finding lifecycle |
 | — | Recurring-Scan Attestation | Enterprise | Multi-scan chronological matrix, cadence gap detection, scope drift (CC8.1) |

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nsauditor-ai",
-  "version": "0.1.41",
+  "version": "0.1.43",
   "description": "Modular AI-assisted network security audit platform — Community Edition",
   "type": "module",
   "private": false,