nsauditor-ai 0.1.42 → 0.1.44
- package/README.md +7 -3
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -17,7 +17,9 @@ NSAuditor AI is the open-source core of a privacy-first security intelligence pl
|
|
|
17
17
|
|
|
18
18
|
## What's New
|
|
19
19
|
|
|
20
|
-
- **0.1.
|
|
20
|
+
- **0.1.44 (current)** — docs-only patch announcing **EE 0.4.5 release** (paired release narrative). EE plugin count grows **17 → 18** with **plugin 1170 AWS EC2 SG Perimeter Auditor** (EE-RT.16 v1 — first plugin in the 1160-1170 ID range; orthogonal evidence to plugin 1023 zero-trust-checker — 1023 reads OBSERVED open ports, 1170 reads DECLARED SG policy via AWS API). Plus **EE-RT.14 v2** — plugin 1140 AWS RDS Auditor grown from 3 dims → 7 dims (adds BackupRetentionPeriod A1.2 / PubliclyAccessible CC6.6 / IAMDatabaseAuthenticationEnabled CC6.1 / snapshot encryption C1.1) with the headline `kms:DescribeKey` cross-reference path that promotes UNVERIFIABLE `:key/UUID` ARN shapes to deterministic PASS/MEDIUM via `KeyMetadata.KeyManager`. Plugin 1170 v1 dimensions: IPv4 0.0.0.0/0 to RESTRICTED_PORTS (CRITICAL) + IPv6 ::/0 sibling (CRITICAL) + all-protocol (-1) wildcard (CRITICAL) + public ingress to non-restricted ports (INFO substrate) + egress 0.0.0.0/0 (INFO substrate) + orphan SGs (LOW governance). RESTRICTED_PORTS covers 13 ports (SSH/RDP/MS SQL/MySQL/Postgres/Redis/Memcached/MongoDB/Elasticsearch/CouchDB/Docker/Kubelet). **9 same-session reviewer folds across both ships** (5 EE-RT.14 v2 + 4 EE-RT.16 v1). **No coverage matrix shift** since 0.3.9 (stays 10/4/33 — institutional honesty per the matrix-shift discipline; EE 0.4.5 adds evidence depth on already-covered CC6.1 / CC6.2 / CC6.6 / A1.2 / C1.1). EE-side stats: **+106 new tests** (52 EE-RT.14 v2 + 54 EE-RT.16 v1); **EE full regression: 4361/4361; 40-session 100% green streak preserved**. CE binary unchanged in 0.1.44 (code identical to 0.1.40 / 0.1.41 / 0.1.42 / 0.1.43); the bump carries the EE-paired-release narrative + announces plugin 1170 to the npm landing page. 
Memory tags: `emit_literal_set_drift` at **17×** cross-codebase recurrence (+3 EE-RT.14 v2 fold-sites); `aws_string_case_normalization` at **17×** (+1 preemptive in plugin 1170 IpProtocol normalization); `conservative_classifier_principle` reinforced in 5 fold sites across the cycle.
|
|
21
|
+
- **0.1.43 (deprecated)** — docs-only patch announcing **EE 0.4.4 publish** (paired release narrative). EE plugin count grows **16 → 17** with **plugin 1150 AWS SQS/SNS Auditor** (EE-RT.15 v1) — second new EE plugin in the 0.4.x cycle. Covers 5 SOC 2 substrate-evidence dimensions: **SQS encryption at rest** (C1.1; SqsManagedSseEnabled OR KmsMasterKeyId with the same four-tier severity ladder as plugin 1140 — HIGH unencrypted → MEDIUM SQS-managed-SSE / `alias/aws/sqs` → PASS customer-managed CMK alias → LOW+evidenceGap on bare-UUID / `:key/UUID` form per `conservative_classifier_principle`), **SQS transit-encryption policy** (CC6.6; `aws:SecureTransport=false` Deny statement on the queue resource policy), **SNS topic encryption at rest** (C1.1; `KmsMasterKeyId` — SNS has no SQS-managed-SSE equivalent so absent = HIGH), **SNS topic-policy permissive-Principal** (CC6.6; wildcard-Principal on sensitive actions Publish/Subscribe/SetTopicAttributes/AddPermission/RemovePermission/DeleteTopic, with full **NotAction-Allow + NotPrincipal-Allow + Resource-scope** filtering per the EE-RT.15 R-HIGH-1 + R-HIGH-2 same-session reviewer folds — closes the AWS-documented wildcard-equivalent classes that plugins 1070 + 1110 already handle), and **SQS dead-letter queue presence** (A1.2 availability + CC7.1 anomaly-detection, dual-mapped — missing DLQ is the canonical silent-message-loss class for event-driven architectures). EE-RT.15 also closed **R-MEDIUM-1** (per-resource AccessDenied evidenceGap finding rather than silent-omit — same false-CLEAN class family as the EE-RT.14 v1 hotfix lineage). **No coverage matrix shift** since 0.3.9 (stays 10/4/33 — institutional honesty per the matrix-shift discipline; EE-RT.15 v1 adds SQS/SNS substrate evidence under already-covered C1.1 + CC6.6 + A1.2 + CC7.1). EE-side stats: **+95 new tests** (78 EE-RT.15 v1 unit-test suite + 17 same-session reviewer-fold tests); **EE full regression: 4255/4255; 38-session 100% green streak preserved**. 
**First EE plugin to ship WITHOUT a smoke-time SDK hotfix** — `@aws-sdk/client-sqs` + `@aws-sdk/client-sns` were added to `optionalDependencies` PREEMPTIVELY per the 11th pre-implementation checklist item (EE-RT.14 v1 lesson). CE binary unchanged in 0.1.43 (code identical to 0.1.40 / 0.1.41 / 0.1.42); the bump exists to carry the EE-paired-release narrative + announce plugin 1150 to the npm landing page. **Real-AWS smoke-validated** against `test-infra-builder` paired fixtures (account 522412052794, 4 resources): `findingCount: 0 → 10` (3 dims × 2 queues + 2 dims × 2 topics); **C1.1 → FAIL (4)**, **CC6.6 → FAIL (4)**, **A1.2 → FAIL (2)**, **CC7.1 → FAIL (2)**; all 10 classifications match ground truth (AWS-managed `alias/aws/sqs` correctly = MEDIUM not PASS; SNS default policy wildcard-Principal-WITH-Condition correctly = HIGH not CRITICAL).
|
|
22
|
+
- **0.1.42 (deprecated)** — docs-only patch announcing the EE 0.4.3 paired release (first new EE plugin since the 0.4.0 cohort — plugin 1140 AWS RDS Auditor covering 3 SOC 2 substrate dimensions + EE-RT.13 structural fix for the EE-0.4.2-HOTFIX regression class via PLUGIN_ID lift + EE-RT.10.x.1 plugin 1110 effective-decrypt whitespace defense; EE regression 4160/4160 green).
|
|
21
23
|
- **0.1.41 (deprecated)** — docs-only patch carrying the EE 0.4.2 paired-release narrative (CRITICAL HOTFIX closing the silent false-clean SOC 2 reporting regression that affected EE 0.3.9 / 0.4.0 / 0.4.1 + 31 recurrence-class surface closures across 7 plugins + EE-RT.12.25 cross-plugin run()-level integration scaffold).
|
|
22
24
|
- **0.1.40 (deprecated)** — docs-only patch announcing the EE 0.4.0 cohort (EE plugin count grew **8 → 15** with 7 new AWS auditor plugins 1070–1130; the headline `1130 AWS Backup Auditor` is the largest single-plugin institutional-hardening arc in the EE codebase — ~7800 lines, 545 tests, 12-dimension air-gapped vault attestation arc). See [CHANGELOG.md](./CHANGELOG.md) for the per-release detail.
|
|
23
25
|
|
|
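Review bot: The added 0.1.43 entry publishes the AWS account ID of the smoke-test environment ("account 522412052794, 4 resources") on what the entry itself calls the npm landing page. The validation claim reads the same with a placeholder such as `<test-account-id>`, so drop the literal ID from public docs. In the 0.1.44 entry, "RESTRICTED_PORTS covers 13 ports" is followed by a list of 12 service names; either list the port numbers or say that Elasticsearch contributes two (9200, 9300, as the plugin 1170 table row states) so that the count can be checked from this line alone.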
@@ -177,7 +179,7 @@ Results land in `./out/<host>_<timestamp>/`:
|
|
|
177
179
|
|
|
178
180
|
### Pro/Enterprise Plugins (via @nsasoft/nsauditor-ai-ee)
|
|
179
181
|
|
|
180
|
-
**EE 0.4.
|
|
182
|
+
**EE 0.4.5 ships 18 enterprise plugins** (up from 17 at EE 0.4.4 — third plugin-count growth in the 0.4.x cycle, adding plugin 1170 AWS EC2 SG Perimeter Auditor; plugin 1140 AWS RDS Auditor also grew from 3 dims → 7 dims in this release per EE-RT.14 v2). EE plugins use the disjoint 1000+ ID range; CE reserves 001-099. Plugins audit AWS / GCP / Azure cloud substrate end-to-end against the AICPA Trust Services Criteria 2017 framework; every plugin is enterprise-gated by the `cloudScanners` capability and runs against customer-supplied cloud credentials. Once licensed, the EE package installs alongside the CE binary; auditor-facing TSC mapping documentation (`CHANGELOG.md` + `docs/soc2-coverage.md`) ships bundled.
|
|
181
183
|
|
|
182
184
|
**All EE plugins follow the same institutional plumbing pattern:**
|
|
183
185
|
|
|
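Review bot: The added paragraph says every plugin "runs against customer-supplied cloud credentials" but does not say which permissions those credentials need or where that is documented. This release adds new read calls named elsewhere in this diff (`DescribeSecurityGroups`, `DescribeNetworkInterfaces`, `kms:DescribeKey`, `DescribeDBSnapshots`), and the same diff states that AccessDenied leaves a finding at UNVERIFIABLE LOW or produces an evidenceGap. An operator who upgrades with an old read-only policy will therefore get weaker evidence without an obvious reason. Add a sentence linking to the minimum read-only action list per plugin, alongside the existing pointer to `docs/soc2-coverage.md`.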
@@ -204,7 +206,9 @@ Results land in `./out/<host>_<timestamp>/`:
|
|
|
204
206
|
| **1110** | **IAM Effective Decrypt-Path Auditor** (NEW EE 0.4.0) | Enterprise | Cross-plugin reconciler: walks IAM policies for `kms:Decrypt` / `kms:ReEncrypt*` / `kms:GenerateDataKey` grants and cross-references against destination KMS key policies (plugin 1070) to compute the **effective decrypt path**. Closes institutional NotAction-implicit-decrypt false-PASS class (`Allow + NotAction:[...] + Resource:*` over-grants decrypt implicitly). Cross-plugin sister-fix in 1030: Effect + Action case-normalization at IAM-graph BFS boundary. CC6.1 / CC6.6 / C1.1 / C1.2. |
|
|
205
207
|
| **1120** | **AWS S3 Lifecycle + Cross-Region Replication Auditor** (NEW EE 0.4.0) | Enterprise | S3 lifecycle policy enumeration (CC7.1 retention-cadence evidence) + cross-region replication topology (A1.2 disaster-recovery substrate). Cross-region destination-bucket reachability verification closes silent-PASS class where replication source FAILED but emitted clean. C1.1 / C1.2 / A1.2. |
|
|
206
208
|
| **1130** | **AWS Backup Auditor — headline thread** (NEW EE 0.4.0; EE-RT.12 v1 → v1.24, 18-session institutional hardening arc) | Enterprise | The **largest single-plugin institutional-hardening arc in the EE codebase**: ~7800 lines / 545 plugin tests / 19 R2-strict recurrence-class same-session closures / 74 new soc2.json titlePattern entries across 7 controls. Audits the AWS Backup substrate end-to-end: Plans + Vaults + Recovery Points + Selections + Frameworks + Restore Testing + ReportPlans + Legal Holds + VaultType + Vault Tags + Vault Access Policy. **Headline capability: 12-dimension air-gapped vault attestation arc** for `LogicallyAirGappedBackupVault` resources — 6 cryptographic-isolation mechanisms (vault TYPE air-gapped + ARN account-segment-separation + destination KMS key-policy clean + destination KMS Grants clean + MRK-replica topology clean + source-account VPC-endpoint policy clean) PLUS 6 substrate dimensions (PITR / retention / encryption / RestoreTesting / Legal Holds / vault Access Policy). Cross-service SDK integration (`@aws-sdk/client-kms`, `@aws-sdk/client-ec2`, `@aws-sdk/client-config-service`, `@aws-sdk/client-backup`). CC6.3 / **CC6.6** / CC7.1 / CC8.1 / C1.1 / **C1.2** / **A1.2**. |
|
|
207
|
-
| **1140** | **AWS RDS Auditor** (
|
|
209
|
+
| **1140** | **AWS RDS Auditor** (EE 0.4.3 v1; **GROWN in EE 0.4.5 v2** — 3 dims → 7 dims + kms:DescribeKey cross-reference) | Enterprise | Audits AWS RDS DB instances against **7 SOC 2 substrate-evidence dimensions** (v1 = 3 + v2 = 4): **Multi-AZ deployment** (A1.2 availability — `MultiAZ=false` = HIGH; True = PASS), **storage encryption at rest with KMS-key custody classification** (C1.1 confidentiality — four-tier severity ladder: HIGH unencrypted → MEDIUM AWS-managed `alias/aws/rds` → PASS customer-managed CMK alias → LOW+evidenceGap on `:key/UUID` ARN form per institutional `conservative_classifier_principle` memory; **v2 kms:DescribeKey cross-reference** promotes UNVERIFIABLE `:key/UUID` shapes to deterministic PASS/MEDIUM via `KeyMetadata.KeyManager` — conservative on AccessDenied/NotFound/unknown KeyManager: leaves at UNVERIFIABLE LOW, no false-CLEAN promotion), **parameter-group SSL enforcement** (C1.1 transit-encryption — postgres `rds.force_ssl=1` / mysql `require_secure_transport=ON` = PASS; not enforced or unset = CRITICAL), **backup retention period** (A1.2 cadence — v2; `BackupRetentionPeriod=0` = HIGH disabled / 1-6 days = MEDIUM below 7-day baseline / ≥7 days = PASS; operator-tunable via `opts.backupRetentionPassMinDays`), **public accessibility** (CC6.6 perimeter — v2; `PubliclyAccessible=true` = HIGH; cross-plugin sister with plugin 1170 SG perimeter audit), **IAM database authentication** (CC6.1 password-less auth — v2; `IAMDatabaseAuthenticationEnabled=true` on supported engine = PASS / disabled = INFO + walkthroughRequired / unsupported engine = INFO + engine-not-supported), and **snapshot encryption** (C1.1 cross-cycle — v2; `DescribeDBSnapshots` per-snapshot Encrypted field with explicit `IncludeShared=false` + `IncludePublic=false` defense-in-depth; any unencrypted snapshot = HIGH). 18 new soc2.json titlePattern entries across A1.2 / CC6.1 / CC6.6 / C1.1. 
Full institutional contract applied day-1 (EE-RT.13 PLUGIN_ID export + Thread H wrap + ZDE sanitizer + conservative classifier + EE-RT.12.25 v1 run() scaffold). 5 same-session v2 reviewer folds (R-HIGH-1 `_IAM_AUTH_SUPPORTED_ENGINES` lifted + frozen, R-MEDIUM-1 `RDS_STORAGE_KMS_UNVERIFIABLE_CATEGORY` named constant, R-MEDIUM-3 `_isUnverifiableKmsShape` single source, R-LOW-1 upper-bound clamp, R-NIT-1 explicit IncludeShared=false). Smoke-validated against `test-infra-builder` paired fixtures (`rds-compliant-cluster` + `rds-violator-db`) in account 522412052794. **A1.2 / CC6.1 / CC6.6 / C1.1**. |
|
|
210
|
+
| **1150** | **AWS SQS/SNS Auditor** (NEW EE 0.4.4; EE-RT.15 v1 — second new EE plugin in the 0.4.x cycle) | Enterprise | Audits AWS SQS queues + SNS topics against **5 SOC 2 substrate-evidence dimensions** spanning two services in one plugin (institutional bundling — both substrate-evidence event-driven-architecture stores, both use the same SDK auth surface). **SQS encryption at rest** (C1.1 confidentiality — `GetQueueAttributes → SqsManagedSseEnabled` OR `KmsMasterKeyId`; four-tier severity ladder: HIGH unencrypted → MEDIUM AWS-managed-SSE OR `alias/aws/sqs` → PASS customer-managed CMK alias → LOW+evidenceGap on bare-UUID / `:key/UUID` ARN form per `conservative_classifier_principle`); **SQS transit-encryption policy** (CC6.6 segmentation — `aws:SecureTransport=false` Deny statement defense-in-depth over the HTTPS-only transport-layer guarantee); **SNS topic encryption at rest** (C1.1 confidentiality — `GetTopicAttributes → KmsMasterKeyId`; SNS has no SQS-managed-SSE equivalent so absent = HIGH); **SNS topic-policy permissive-Principal** (CC6.6 segmentation — wildcard-Principal classifier on sensitive actions sns:Publish / Subscribe / SetTopicAttributes / AddPermission / RemovePermission / DeleteTopic + `sns:*` / `*` wildcards; includes **NotAction-Allow** handling per plugin 1110 precedent + **NotPrincipal-Allow** handling per plugin 1070 precedent + **Resource-scope filtering** to prevent false-positive emissions on statements scoped to other topics' ARNs; severity ladder CRITICAL unconditional-wildcard → HIGH wildcard-WITH-Condition → PASS no-wildcard-sensitive); and **SQS dead-letter queue presence** (A1.2 availability + CC7.1 anomaly-detection, **dual-mapped** — `RedrivePolicy` analysis; missing DLQ is the canonical silent-message-loss class for event-driven architectures where failed message processing routes through SQS to downstream Lambda/ECS consumers). 
**First EE plugin to ship WITHOUT a smoke-time SDK hotfix** — `@aws-sdk/client-sqs` + `@aws-sdk/client-sns` were added to `optionalDependencies` PREEMPTIVELY per the 11th pre-implementation checklist item (EE-RT.14 v1 lesson applied institutionally). 11 new soc2.json titlePattern entries (9 under C1.1 + 6 under CC6.6 + 2 under A1.2 + 1 dual-mapped DLQ under CC7.1). Full institutional contract applied day-1 (EE-RT.13 PLUGIN_ID export + Thread H wrap on BOTH SQS + SNS clients independently + ZDE sanitizer at every AWS-returned string surface + conservative classifier on UNVERIFIABLE KMS shapes + EE-RT.12.25 v1 run() scaffold + 4 preemptive `aws_string_case_normalization` fold-sites for the 16× recurrence-class memory). Three same-session reviewer folds applied (R-HIGH-1 NotAction/NotPrincipal bypass class, R-HIGH-2 Resource-scope filter, R-MEDIUM-1 per-resource AccessDenied evidenceGap — same false-CLEAN-class family as the EE-RT.14 v1 hotfix lineage). Smoke-validated against `test-infra-builder` paired fixtures (`sqs-encrypted-queue` + `sqs-cleartext-queue` + `sns-encrypted-topic` + `sns-cleartext-topic`) in account 522412052794: `findingCount: 10`, all 10 classifications match ground truth (AWS-managed `alias/aws/sqs` correctly = MEDIUM not PASS; SNS default topic policy wildcard-Principal-WITH-Condition correctly = HIGH not CRITICAL). **C1.1 / CC6.6 / A1.2 / CC7.1**. |
|
|
211
|
+
| **1170** | **AWS EC2 SG Perimeter Auditor** (NEW EE 0.4.5; EE-RT.16 v1 — first plugin in 1160-1170 ID range) | Enterprise | Audits AWS EC2 Security Groups against SOC 2 CC6.6 network-segmentation evidence — reads the AWS-API DECLARED SG policy via `DescribeSecurityGroups`. **Orthogonal evidence to plugin 1023 zero-trust-checker** (1023 reads OBSERVED open ports from prior network probes; 1170 reads DECLARED SG policy). The pair gives auditors complete coverage of "is this port reachable, and is it supposed to be?" **Cross-plugin sister of EE-RT.14 v2 `_classifyPublicAccessibility`** dimension in plugin 1140 (which emits "auditor walkthrough required for SG analysis"; plugin 1170 closes that walkthrough deterministically). **6 audit dimensions:** **IPv4 0.0.0.0/0 ingress to RESTRICTED_PORTS** (CC6.6 perimeter — CRITICAL; RESTRICTED_PORTS covers 13 management/data-tier/AI-infra ports: SSH (22), RDP (3389), MS SQL (1433), MySQL (3306), Postgres (5432), Redis (6379), Memcached (11211), MongoDB (27017), Elasticsearch (9200, 9300), CouchDB (5984), Docker daemon (2375), Kubelet API (10250)); **IPv6 ::/0 ingress to RESTRICTED_PORTS** (CC6.6 — CRITICAL IPv6 sibling; operators often miss while locking IPv4 down); **all-protocol (-1) ingress from 0.0.0.0/0** (CC6.6 — CRITICAL worst-possible perimeter posture; **per R-MEDIUM-1 fold suppresses dim 1+2 emissions at SG-scope** — auditor pack stays at one CRITICAL/SG instead of N+1); **public ingress to non-restricted ports** (CC6.6 substrate — INFO + walkthroughRequired; 80/443/8080-style web tier likely intentional, auditor verifies intent); **egress 0.0.0.0/0** (CC6.6 substrate — INFO; AWS-default posture; out-of-scope for SG-layer DLP concerns); **orphan SGs** (CC6.2 governance — LOW; SG with no attached ENI via `DescribeNetworkInterfaces` cross-reference; AWS-default `default` SGs per-VPC excluded). 
**`UserIdGroupPairs` (SG-as-source) rules** surfaced as INFO + evidenceGap + walkthroughRequired per R-HIGH-1 fold — v1 only analyzes CIDR-source rules; transitive SG→SG chain reachability deferred to v2 (EE-RT.16 v2). 7 new soc2.json titlePattern entries (6 under CC6.6 + 1 under CC6.2). Full institutional contract applied day-1 (EE-RT.13 PLUGIN_ID export + Thread H wrap + ZDE sanitizer + conservative classifier + EE-RT.12.25 v1 run() scaffold). 4 same-session reviewer folds applied (R-HIGH-1 UserIdGroupPairs evidenceGap + softened PASS narrative, R-MEDIUM-1 all-protocol SG-scope suppression, R-MEDIUM-1 CONVERGENT SG-list + ENI AccessDenied account-level evidenceGap findings, NIT-3 header comment accuracy). Pre-existing test-infra-builder paired fixtures support smoke validation: `nsauditor-secure-sg` (443 from 10.0.0.0/16 → PASS) + `nsauditor-exposed-sg` (22/5432/6379 from 0.0.0.0/0 → 3 CRITICALs). **CC6.6 / CC6.2**. |
|
|
208
212
|
| — | SOC 2 Compliance Engine | Enterprise | AICPA TSC 2017 control mapping (10 covered + 4 partial controls post-EE 0.3.9 / 0.4.0), chain-of-custody, RFC 3161 timestamps, suppression workflow |
|
|
209
213
|
| — | SLA & MTTR Tracking | Enterprise | Per-severity SLA targets, compensating-control flow, finding lifecycle |
|
|
210
214
|
| — | Recurring-Scan Attestation | Enterprise | Multi-scan chronological matrix, cadence gap detection, scope drift (CC8.1) |
|
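Review bot: In the added plugin 1170 row, the all-protocol dimension is described only as "all-protocol (-1) ingress from 0.0.0.0/0", so the row does not say whether a `-1` rule from `::/0` is also CRITICAL, nor whether a rule whose port range spans a restricted port (rather than naming it exactly) triggers the RESTRICTED_PORTS dimensions. State both explicitly, since the same row notes that operators often miss the IPv6 side. Two consistency fixes are also needed. The 1150 row says "11 new soc2.json titlePattern entries" while the breakdown beside it (9 + 6 + 2 + 1) sums to 18. The 1170 row lists two different reviewer folds under the same label R-MEDIUM-1; give them distinct labels so that each can be traced to its change.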