nsauditor-ai 0.1.42 → 0.1.43

package/README.md

@@ -17,7 +17,8 @@ NSAuditor AI is the open-source core of a privacy-first security intelligence pl
 
 ## What's New
 
-- **0.1.42 (current)** — docs-only patch announcing **EE 0.4.3 publish** (paired release narrative). EE plugin count grows **15 → 16** with the **first new EE plugin since the 0.4.0 cohort**: **plugin 1140 AWS RDS Auditor** (EE-RT.14 v1) covering 3 SOC 2 substrate dimensions — **Multi-AZ deployment** (A1.2 availability), **storage encryption at rest with KMS-key custody classification** (C1.1 confidentiality; four-tier severity ladder with conservative LOW+evidenceGap on `:key/UUID` ARN shapes per institutional `conservative_classifier_principle` memory), and **parameter-group SSL enforcement** (C1.1 transit-encryption — postgres `rds.force_ssl` + mysql `require_secure_transport`). v2+ defers 4 more dimensions (BackupRetentionPeriod / PubliclyAccessible / IAMDatabaseAuthentication / snapshot encryption) + `kms:DescribeKey` cross-reference. EE 0.4.3 also ships **EE-RT.13** — structural fix for the EE-0.4.2-HOTFIX regression class (PLUGIN_ID lifted to plugin-exported constants imported by `CLOUD_PLUGIN_SOURCE_MAP` via computed-key syntax; 16-file refactor with module-load-time guarantee) — and **EE-RT.10.x.1** (plugin 1110 effective-decrypt whitespace defense; 8th sibling `aws_string_case_normalization` fold; memory tag at 15× recurrence). **No coverage matrix shift** since 0.3.9 (stays 10/4/33 — institutional honesty per the matrix-shift discipline; matrix-shift opportunity reserved for EE-RT.7 PI1.1–PI1.4). EE-side stats: **+63 new tests** (8 EE-RT.10.x.1 + 51 EE-RT.14 v1 + 4 EE-RT.13 reviewer-fold); **EE full regression: 4160/4160; 37-session 100% green streak preserved**. CE binary unchanged in 0.1.42 (code identical to 0.1.40 / 0.1.41); the bump exists to carry the EE-paired-release narrative + announce plugin 1140 to the npm landing page. **Real-AWS smoke-validated** against `test-infra-builder` paired fixtures (account 522412052794): `findingCount: 0 → 6`; A1.2 → FAIL; C1.1 → FAIL.
+- **0.1.43 (current)** — docs-only patch announcing **EE 0.4.4 publish** (paired release narrative). EE plugin count grows **16 → 17** with **plugin 1150 AWS SQS/SNS Auditor** (EE-RT.15 v1) — second new EE plugin in the 0.4.x cycle. Covers 5 SOC 2 substrate-evidence dimensions: **SQS encryption at rest** (C1.1; SqsManagedSseEnabled OR KmsMasterKeyId with the same four-tier severity ladder as plugin 1140 — HIGH unencrypted → MEDIUM SQS-managed-SSE / `alias/aws/sqs` → PASS customer-managed CMK alias → LOW+evidenceGap on bare-UUID / `:key/UUID` form per `conservative_classifier_principle`), **SQS transit-encryption policy** (CC6.6; `aws:SecureTransport=false` Deny statement on the queue resource policy), **SNS topic encryption at rest** (C1.1; `KmsMasterKeyId` — SNS has no SQS-managed-SSE equivalent so absent = HIGH), **SNS topic-policy permissive-Principal** (CC6.6; wildcard-Principal on sensitive actions Publish/Subscribe/SetTopicAttributes/AddPermission/RemovePermission/DeleteTopic, with full **NotAction-Allow + NotPrincipal-Allow + Resource-scope** filtering per the EE-RT.15 R-HIGH-1 + R-HIGH-2 same-session reviewer folds — closes the AWS-documented wildcard-equivalent classes that plugins 1070 + 1110 already handle), and **SQS dead-letter queue presence** (A1.2 availability + CC7.1 anomaly-detection, dual-mapped — missing DLQ is the canonical silent-message-loss class for event-driven architectures). EE-RT.15 also closed **R-MEDIUM-1** (per-resource AccessDenied evidenceGap finding rather than silent-omit — same false-CLEAN class family as the EE-RT.14 v1 hotfix lineage). **No coverage matrix shift** since 0.3.9 (stays 10/4/33 — institutional honesty per the matrix-shift discipline; EE-RT.15 v1 adds SQS/SNS substrate evidence under already-covered C1.1 + CC6.6 + A1.2 + CC7.1). EE-side stats: **+95 new tests** (78 EE-RT.15 v1 unit-test suite + 17 same-session reviewer-fold tests); **EE full regression: 4255/4255; 38-session 100% green streak preserved**. **First EE plugin to ship WITHOUT a smoke-time SDK hotfix** — `@aws-sdk/client-sqs` + `@aws-sdk/client-sns` were added to `optionalDependencies` PREEMPTIVELY per the 11th pre-implementation checklist item (EE-RT.14 v1 lesson). CE binary unchanged in 0.1.43 (code identical to 0.1.40 / 0.1.41 / 0.1.42); the bump exists to carry the EE-paired-release narrative + announce plugin 1150 to the npm landing page. **Real-AWS smoke-validated** against `test-infra-builder` paired fixtures (account 522412052794, 4 resources): `findingCount: 0 → 10` (3 dims × 2 queues + 2 dims × 2 topics); **C1.1 → FAIL (4)**, **CC6.6 → FAIL (4)**, **A1.2 → FAIL (2)**, **CC7.1 → FAIL (2)**; all 10 classifications match ground truth (AWS-managed `alias/aws/sqs` correctly = MEDIUM not PASS; SNS default policy wildcard-Principal-WITH-Condition correctly = HIGH not CRITICAL).
+- **0.1.42 (deprecated)** — docs-only patch announcing the EE 0.4.3 paired release (first new EE plugin since the 0.4.0 cohort — plugin 1140 AWS RDS Auditor covering 3 SOC 2 substrate dimensions + EE-RT.13 structural fix for the EE-0.4.2-HOTFIX regression class via PLUGIN_ID lift + EE-RT.10.x.1 plugin 1110 effective-decrypt whitespace defense; EE regression 4160/4160 green).
 - **0.1.41 (deprecated)** — docs-only patch carrying the EE 0.4.2 paired-release narrative (CRITICAL HOTFIX closing the silent false-clean SOC 2 reporting regression that affected EE 0.3.9 / 0.4.0 / 0.4.1 + 31 recurrence-class surface closures across 7 plugins + EE-RT.12.25 cross-plugin run()-level integration scaffold).
 - **0.1.40 (deprecated)** — docs-only patch announcing the EE 0.4.0 cohort (EE plugin count grew **8 → 15** with 7 new AWS auditor plugins 1070–1130; the headline `1130 AWS Backup Auditor` is the largest single-plugin institutional-hardening arc in the EE codebase — ~7800 lines, 545 tests, 12-dimension air-gapped vault attestation arc). See [CHANGELOG.md](./CHANGELOG.md) for the per-release detail.
 
@@ -177,7 +178,7 @@ Results land in `./out/<host>_<timestamp>/`:
 
 ### Pro/Enterprise Plugins (via @nsasoft/nsauditor-ai-ee)
 
-**EE 0.4.3 ships 16 enterprise plugins** (up from 15 at EE 0.4.0 — first plugin-count growth since the 0.4.0 cohort, adding plugin 1140 AWS RDS Auditor). EE plugins use the disjoint 1000+ ID range; CE reserves 001-099. Plugins audit AWS / GCP / Azure cloud substrate end-to-end against the AICPA Trust Services Criteria 2017 framework; every plugin is enterprise-gated by the `cloudScanners` capability and runs against customer-supplied cloud credentials. Once licensed, the EE package installs alongside the CE binary; auditor-facing TSC mapping documentation (`CHANGELOG.md` + `docs/soc2-coverage.md`) ships bundled.
+**EE 0.4.4 ships 17 enterprise plugins** (up from 16 at EE 0.4.3 — second plugin-count growth in the 0.4.x cycle, adding plugin 1150 AWS SQS/SNS Auditor on top of the EE 0.4.3 addition of plugin 1140 AWS RDS Auditor). EE plugins use the disjoint 1000+ ID range; CE reserves 001-099. Plugins audit AWS / GCP / Azure cloud substrate end-to-end against the AICPA Trust Services Criteria 2017 framework; every plugin is enterprise-gated by the `cloudScanners` capability and runs against customer-supplied cloud credentials. Once licensed, the EE package installs alongside the CE binary; auditor-facing TSC mapping documentation (`CHANGELOG.md` + `docs/soc2-coverage.md`) ships bundled.
 
 **All EE plugins follow the same institutional plumbing pattern:**
 
@@ -205,6 +206,7 @@ Results land in `./out/<host>_<timestamp>/`:
 | **1120** | **AWS S3 Lifecycle + Cross-Region Replication Auditor** (NEW EE 0.4.0) | Enterprise | S3 lifecycle policy enumeration (CC7.1 retention-cadence evidence) + cross-region replication topology (A1.2 disaster-recovery substrate). Cross-region destination-bucket reachability verification closes silent-PASS class where replication source FAILED but emitted clean. C1.1 / C1.2 / A1.2. |
 | **1130** | **AWS Backup Auditor — headline thread** (NEW EE 0.4.0; EE-RT.12 v1 → v1.24, 18-session institutional hardening arc) | Enterprise | The **largest single-plugin institutional-hardening arc in the EE codebase**: ~7800 lines / 545 plugin tests / 19 R2-strict recurrence-class same-session closures / 74 new soc2.json titlePattern entries across 7 controls. Audits the AWS Backup substrate end-to-end: Plans + Vaults + Recovery Points + Selections + Frameworks + Restore Testing + ReportPlans + Legal Holds + VaultType + Vault Tags + Vault Access Policy. **Headline capability: 12-dimension air-gapped vault attestation arc** for `LogicallyAirGappedBackupVault` resources — 6 cryptographic-isolation mechanisms (vault TYPE air-gapped + ARN account-segment-separation + destination KMS key-policy clean + destination KMS Grants clean + MRK-replica topology clean + source-account VPC-endpoint policy clean) PLUS 6 substrate dimensions (PITR / retention / encryption / RestoreTesting / Legal Holds / vault Access Policy). Cross-service SDK integration (`@aws-sdk/client-kms`, `@aws-sdk/client-ec2`, `@aws-sdk/client-config-service`, `@aws-sdk/client-backup`). CC6.3 / **CC6.6** / CC7.1 / CC8.1 / C1.1 / **C1.2** / **A1.2**. |
 | **1140** | **AWS RDS Auditor** (NEW EE 0.4.3; EE-RT.14 v1 — first new EE plugin since the 0.4.0 cohort) | Enterprise | Audits AWS RDS DB instances against 3 SOC 2 substrate-evidence dimensions: **Multi-AZ deployment** (A1.2 availability — `MultiAZ=false` = HIGH; True = PASS), **storage encryption at rest with KMS-key custody classification** (C1.1 confidentiality — four-tier severity ladder: HIGH unencrypted → MEDIUM AWS-managed `alias/aws/rds` → PASS customer-managed CMK alias → LOW+evidenceGap on `:key/UUID` ARN form per institutional `conservative_classifier_principle` memory; v2 will add automatic `kms:DescribeKey` cross-reference to promote LOW unverifiable → deterministic PASS/MEDIUM), and **parameter-group SSL enforcement** (C1.1 transit-encryption — postgres `rds.force_ssl=1` / mysql `require_secure_transport=ON` = PASS; not enforced or unset = CRITICAL; supports postgres / aurora-postgresql / mysql / mariadb / aurora-mysql engines). v2+ defers 4 more dimensions (BackupRetentionPeriod A1.2 + PubliclyAccessible CC6.6 + IAMDatabaseAuthenticationEnabled CC6.1 + snapshot encryption C1.1). 8 new soc2.json titlePattern entries (2 under A1.2 + 6 under C1.1). Full institutional contract applied day-1 (EE-RT.13 PLUGIN_ID export + Thread H wrap + ZDE sanitizer + conservative classifier + EE-RT.12.25 v1 run() scaffold). Smoke-validated against `test-infra-builder` paired fixtures (`rds-compliant-cluster` + `rds-violator-db`) in account 522412052794. **A1.2 / C1.1**. |
+| **1150** | **AWS SQS/SNS Auditor** (NEW EE 0.4.4; EE-RT.15 v1 — second new EE plugin in the 0.4.x cycle) | Enterprise | Audits AWS SQS queues + SNS topics against **5 SOC 2 substrate-evidence dimensions** spanning two services in one plugin (institutional bundling — both substrate-evidence event-driven-architecture stores, both use the same SDK auth surface). **SQS encryption at rest** (C1.1 confidentiality — `GetQueueAttributes → SqsManagedSseEnabled` OR `KmsMasterKeyId`; four-tier severity ladder: HIGH unencrypted → MEDIUM AWS-managed-SSE OR `alias/aws/sqs` → PASS customer-managed CMK alias → LOW+evidenceGap on bare-UUID / `:key/UUID` ARN form per `conservative_classifier_principle`); **SQS transit-encryption policy** (CC6.6 segmentation — `aws:SecureTransport=false` Deny statement defense-in-depth over the HTTPS-only transport-layer guarantee); **SNS topic encryption at rest** (C1.1 confidentiality — `GetTopicAttributes → KmsMasterKeyId`; SNS has no SQS-managed-SSE equivalent so absent = HIGH); **SNS topic-policy permissive-Principal** (CC6.6 segmentation — wildcard-Principal classifier on sensitive actions sns:Publish / Subscribe / SetTopicAttributes / AddPermission / RemovePermission / DeleteTopic + `sns:*` / `*` wildcards; includes **NotAction-Allow** handling per plugin 1110 precedent + **NotPrincipal-Allow** handling per plugin 1070 precedent + **Resource-scope filtering** to prevent false-positive emissions on statements scoped to other topics' ARNs; severity ladder CRITICAL unconditional-wildcard → HIGH wildcard-WITH-Condition → PASS no-wildcard-sensitive); and **SQS dead-letter queue presence** (A1.2 availability + CC7.1 anomaly-detection, **dual-mapped** — `RedrivePolicy` analysis; missing DLQ is the canonical silent-message-loss class for event-driven architectures where failed message processing routes through SQS to downstream Lambda/ECS consumers). **First EE plugin to ship WITHOUT a smoke-time SDK hotfix** — `@aws-sdk/client-sqs` + `@aws-sdk/client-sns` were added to `optionalDependencies` PREEMPTIVELY per the 11th pre-implementation checklist item (EE-RT.14 v1 lesson applied institutionally). 11 new soc2.json titlePattern entries (9 under C1.1 + 6 under CC6.6 + 2 under A1.2 + 1 dual-mapped DLQ under CC7.1). Full institutional contract applied day-1 (EE-RT.13 PLUGIN_ID export + Thread H wrap on BOTH SQS + SNS clients independently + ZDE sanitizer at every AWS-returned string surface + conservative classifier on UNVERIFIABLE KMS shapes + EE-RT.12.25 v1 run() scaffold + 4 preemptive `aws_string_case_normalization` fold-sites for the 16× recurrence-class memory). Three same-session reviewer folds applied (R-HIGH-1 NotAction/NotPrincipal bypass class, R-HIGH-2 Resource-scope filter, R-MEDIUM-1 per-resource AccessDenied evidenceGap — same false-CLEAN-class family as the EE-RT.14 v1 hotfix lineage). Smoke-validated against `test-infra-builder` paired fixtures (`sqs-encrypted-queue` + `sqs-cleartext-queue` + `sns-encrypted-topic` + `sns-cleartext-topic`) in account 522412052794: `findingCount: 10`, all 10 classifications match ground truth (AWS-managed `alias/aws/sqs` correctly = MEDIUM not PASS; SNS default topic policy wildcard-Principal-WITH-Condition correctly = HIGH not CRITICAL). **C1.1 / CC6.6 / A1.2 / CC7.1**. |
 | — | SOC 2 Compliance Engine | Enterprise | AICPA TSC 2017 control mapping (10 covered + 4 partial controls post-EE 0.3.9 / 0.4.0), chain-of-custody, RFC 3161 timestamps, suppression workflow |
 | — | SLA & MTTR Tracking | Enterprise | Per-severity SLA targets, compensating-control flow, finding lifecycle |
 | — | Recurring-Scan Attestation | Enterprise | Multi-scan chronological matrix, cadence gap detection, scope drift (CC8.1) |

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nsauditor-ai",
-  "version": "0.1.42",
+  "version": "0.1.43",
   "description": "Modular AI-assisted network security audit platform — Community Edition",
   "type": "module",
   "private": false,