nsauditor-ai 0.1.44 → 0.1.45

package/README.md

@@ -17,7 +17,8 @@ NSAuditor AI is the open-source core of a privacy-first security intelligence pl
 
 ## What's New
 
-- **0.1.44 (current)** — docs-only patch announcing **EE 0.4.5 release** (paired release narrative). EE plugin count grows **17 → 18** with **plugin 1170 AWS EC2 SG Perimeter Auditor** (EE-RT.16 v1 — first plugin in the 1160-1170 ID range; orthogonal evidence to plugin 1023 zero-trust-checker — 1023 reads OBSERVED open ports, 1170 reads DECLARED SG policy via AWS API). Plus **EE-RT.14 v2** — plugin 1140 AWS RDS Auditor grown from 3 dims → 7 dims (adds BackupRetentionPeriod A1.2 / PubliclyAccessible CC6.6 / IAMDatabaseAuthenticationEnabled CC6.1 / snapshot encryption C1.1) with the headline `kms:DescribeKey` cross-reference path that promotes UNVERIFIABLE `:key/UUID` ARN shapes to deterministic PASS/MEDIUM via `KeyMetadata.KeyManager`. Plugin 1170 v1 dimensions: IPv4 0.0.0.0/0 to RESTRICTED_PORTS (CRITICAL) + IPv6 ::/0 sibling (CRITICAL) + all-protocol (-1) wildcard (CRITICAL) + public ingress to non-restricted ports (INFO substrate) + egress 0.0.0.0/0 (INFO substrate) + orphan SGs (LOW governance). RESTRICTED_PORTS covers 13 ports (SSH/RDP/MS SQL/MySQL/Postgres/Redis/Memcached/MongoDB/Elasticsearch/CouchDB/Docker/Kubelet). **9 same-session reviewer folds across both ships** (5 EE-RT.14 v2 + 4 EE-RT.16 v1). **No coverage matrix shift** since 0.3.9 (stays 10/4/33 — institutional honesty per the matrix-shift discipline; EE 0.4.5 adds evidence depth on already-covered CC6.1 / CC6.2 / CC6.6 / A1.2 / C1.1). EE-side stats: **+106 new tests** (52 EE-RT.14 v2 + 54 EE-RT.16 v1); **EE full regression: 4361/4361; 40-session 100% green streak preserved**. CE binary unchanged in 0.1.44 (code identical to 0.1.40 / 0.1.41 / 0.1.42 / 0.1.43); the bump carries the EE-paired-release narrative + announces plugin 1170 to the npm landing page. Memory tags: `emit_literal_set_drift` at **17×** cross-codebase recurrence (+3 EE-RT.14 v2 fold-sites); `aws_string_case_normalization` at **17×** (+1 preemptive in plugin 1170 IpProtocol normalization); `conservative_classifier_principle` reinforced in 5 fold sites across the cycle.
+- **0.1.45 (current)** — docs-only patch announcing **EE 0.4.6 release** (paired release narrative). EE plugin count grows **18 → 19** with **plugin 1180 AWS ElastiCache Redis Auditor** (EE-RT.17 v1 — first plugin in the 1170-1180 ID range; closes the highest-priority gap from the AWS SOC 2 audit-canonical compliance checklist). Plus **EE-RT.16 v2** — plugin 1170 AWS EC2 SG Perimeter Auditor extension; **RESTRICTED_PORTS grown 13 → 23 ports** per CIS AWS Foundations Benchmark v3.0 (adds Redshift 5439, K8s API 6443, etcd 2379-2380, Kibana 5601, InfluxDB 8086, Kafka 9092, Consul 8500, ZooKeeper 2181, Vault 8200) + new `opts.additionalRestrictedPorts` operator-config knob + per-SG cardinality cap with rollup trailer + system-managed-SG name-prefix exclusion list (excludes ElasticMapReduce-, eks-cluster-sg-, AWSServiceRole, awseb- prefixes from orphan-detection). Plugin 1180 v1 dimensions: **transit encryption** (C1.1 PASS/HIGH — TransitEncryptionEnabled wraps RESP in TLS) + **at-rest encryption with KMS key custody** (C1.1 four-tier ladder: HIGH disabled → MEDIUM AWS-owned-default → MEDIUM alias/aws/elasticache → PASS customer-CMK + LOW+evidenceGap on `:key/UUID` per `conservative_classifier_principle`) + **Redis AUTH / IAM-auth user groups** (CC6.1 + CC6.2 PASS on UserGroupIds; MEDIUM no-authentication) + **Multi-AZ deployment** (A1.2 HIGH disabled / INFO standalone-not-applicable / INFO transient enabling/disabling) + **SnapshotRetentionLimit cadence** (A1.2 HIGH=0 / MEDIUM 1-6 / PASS ≥7; operator-tunable `opts.snapshotRetentionPassMinDays` clamped 1..35) + **subnet placement** (CC6.6 INFO + walkthroughRequired on default subnet group). Dual API enumeration (DescribeReplicationGroups + DescribeCacheClusters) with inter-API dedup; Memcached out-of-scope by design. **10 same-session reviewer folds across both ships** (7 EE-RT.16 v2 incl. **2 CONVERGENT-CRITICAL findings** — C1 fixed a pre-existing v1 PASS-tier titlePattern bug, C2 added 2 cardinality-cap-trailer titlePatterns silently-dropped pre-fold; 3 EE-RT.17 v1). **No coverage matrix shift** since 0.3.9 (stays 10/4/33). EE-side stats: **+97 new tests** (56 EE-RT.16 v2 + 41 EE-RT.17 v1); **EE full regression: 4458/4458; 42-session 100% green streak preserved**. **Third EE plugin to ship without smoke-time SDK hotfix** (`@aws-sdk/client-elasticache` preemptively added; plugins 1150, 1170, 1180 all shipped without hotfix). Real-AWS smoke-validated against `test-infra-builder` paired fixtures (account 522412052794, plugins 1170 v2 + 1180): `findingCount: 21`. CE binary unchanged in 0.1.45 (code identical to 0.1.40 / 0.1.41 / 0.1.42 / 0.1.43 / 0.1.44); the bump carries the EE-paired-release narrative + announces plugin 1180 to the npm landing page. **Second trio-publish across EE + CE + agent-skill in a single session** (after the 0.4.5 cycle institutionalized the pattern); paired agent-skill 0.1.12 catalog refresh adds plugin 1180 + plugin 1170 v2 to AI-coding-agent knowledge surface. Memory tag closures: `aws_string_case_normalization` at **19×** (+2 fold-sites this cycle); `conservative_classifier_principle` reinforced in 6 fold sites; `emit_literal_set_drift` holds at 17×.
+- **0.1.44 (deprecated)** — docs-only patch announcing **EE 0.4.5 release** (paired release narrative). EE plugin count grows **17 → 18** with **plugin 1170 AWS EC2 SG Perimeter Auditor** (EE-RT.16 v1 — first plugin in the 1160-1170 ID range; orthogonal evidence to plugin 1023 zero-trust-checker — 1023 reads OBSERVED open ports, 1170 reads DECLARED SG policy via AWS API). Plus **EE-RT.14 v2** — plugin 1140 AWS RDS Auditor grown from 3 dims → 7 dims (adds BackupRetentionPeriod A1.2 / PubliclyAccessible CC6.6 / IAMDatabaseAuthenticationEnabled CC6.1 / snapshot encryption C1.1) with the headline `kms:DescribeKey` cross-reference path that promotes UNVERIFIABLE `:key/UUID` ARN shapes to deterministic PASS/MEDIUM via `KeyMetadata.KeyManager`. Plugin 1170 v1 dimensions: IPv4 0.0.0.0/0 to RESTRICTED_PORTS (CRITICAL) + IPv6 ::/0 sibling (CRITICAL) + all-protocol (-1) wildcard (CRITICAL) + public ingress to non-restricted ports (INFO substrate) + egress 0.0.0.0/0 (INFO substrate) + orphan SGs (LOW governance). RESTRICTED_PORTS covers 13 ports (SSH/RDP/MS SQL/MySQL/Postgres/Redis/Memcached/MongoDB/Elasticsearch/CouchDB/Docker/Kubelet). **9 same-session reviewer folds across both ships** (5 EE-RT.14 v2 + 4 EE-RT.16 v1). **No coverage matrix shift** since 0.3.9 (stays 10/4/33 — institutional honesty per the matrix-shift discipline; EE 0.4.5 adds evidence depth on already-covered CC6.1 / CC6.2 / CC6.6 / A1.2 / C1.1). EE-side stats: **+106 new tests** (52 EE-RT.14 v2 + 54 EE-RT.16 v1); **EE full regression: 4361/4361; 40-session 100% green streak preserved**. CE binary unchanged in 0.1.44 (code identical to 0.1.40 / 0.1.41 / 0.1.42 / 0.1.43); the bump carries the EE-paired-release narrative + announces plugin 1170 to the npm landing page. Memory tags: `emit_literal_set_drift` at **17×** cross-codebase recurrence (+3 EE-RT.14 v2 fold-sites); `aws_string_case_normalization` at **17×** (+1 preemptive in plugin 1170 IpProtocol normalization); `conservative_classifier_principle` reinforced in 5 fold sites across the cycle.
 - **0.1.43 (deprecated)** — docs-only patch announcing **EE 0.4.4 publish** (paired release narrative). EE plugin count grows **16 → 17** with **plugin 1150 AWS SQS/SNS Auditor** (EE-RT.15 v1) — second new EE plugin in the 0.4.x cycle. Covers 5 SOC 2 substrate-evidence dimensions: **SQS encryption at rest** (C1.1; SqsManagedSseEnabled OR KmsMasterKeyId with the same four-tier severity ladder as plugin 1140 — HIGH unencrypted → MEDIUM SQS-managed-SSE / `alias/aws/sqs` → PASS customer-managed CMK alias → LOW+evidenceGap on bare-UUID / `:key/UUID` form per `conservative_classifier_principle`), **SQS transit-encryption policy** (CC6.6; `aws:SecureTransport=false` Deny statement on the queue resource policy), **SNS topic encryption at rest** (C1.1; `KmsMasterKeyId` — SNS has no SQS-managed-SSE equivalent so absent = HIGH), **SNS topic-policy permissive-Principal** (CC6.6; wildcard-Principal on sensitive actions Publish/Subscribe/SetTopicAttributes/AddPermission/RemovePermission/DeleteTopic, with full **NotAction-Allow + NotPrincipal-Allow + Resource-scope** filtering per the EE-RT.15 R-HIGH-1 + R-HIGH-2 same-session reviewer folds — closes the AWS-documented wildcard-equivalent classes that plugins 1070 + 1110 already handle), and **SQS dead-letter queue presence** (A1.2 availability + CC7.1 anomaly-detection, dual-mapped — missing DLQ is the canonical silent-message-loss class for event-driven architectures). EE-RT.15 also closed **R-MEDIUM-1** (per-resource AccessDenied evidenceGap finding rather than silent-omit — same false-CLEAN class family as the EE-RT.14 v1 hotfix lineage). **No coverage matrix shift** since 0.3.9 (stays 10/4/33 — institutional honesty per the matrix-shift discipline; EE-RT.15 v1 adds SQS/SNS substrate evidence under already-covered C1.1 + CC6.6 + A1.2 + CC7.1). EE-side stats: **+95 new tests** (78 EE-RT.15 v1 unit-test suite + 17 same-session reviewer-fold tests); **EE full regression: 4255/4255; 38-session 100% green streak preserved**. **First EE plugin to ship WITHOUT a smoke-time SDK hotfix** — `@aws-sdk/client-sqs` + `@aws-sdk/client-sns` were added to `optionalDependencies` PREEMPTIVELY per the 11th pre-implementation checklist item (EE-RT.14 v1 lesson). CE binary unchanged in 0.1.43 (code identical to 0.1.40 / 0.1.41 / 0.1.42); the bump exists to carry the EE-paired-release narrative + announce plugin 1150 to the npm landing page. **Real-AWS smoke-validated** against `test-infra-builder` paired fixtures (account 522412052794, 4 resources): `findingCount: 0 → 10` (3 dims × 2 queues + 2 dims × 2 topics); **C1.1 → FAIL (4)**, **CC6.6 → FAIL (4)**, **A1.2 → FAIL (2)**, **CC7.1 → FAIL (2)**; all 10 classifications match ground truth (AWS-managed `alias/aws/sqs` correctly = MEDIUM not PASS; SNS default policy wildcard-Principal-WITH-Condition correctly = HIGH not CRITICAL).
 - **0.1.42 (deprecated)** — docs-only patch announcing the EE 0.4.3 paired release (first new EE plugin since the 0.4.0 cohort — plugin 1140 AWS RDS Auditor covering 3 SOC 2 substrate dimensions + EE-RT.13 structural fix for the EE-0.4.2-HOTFIX regression class via PLUGIN_ID lift + EE-RT.10.x.1 plugin 1110 effective-decrypt whitespace defense; EE regression 4160/4160 green).
 - **0.1.41 (deprecated)** — docs-only patch carrying the EE 0.4.2 paired-release narrative (CRITICAL HOTFIX closing the silent false-clean SOC 2 reporting regression that affected EE 0.3.9 / 0.4.0 / 0.4.1 + 31 recurrence-class surface closures across 7 plugins + EE-RT.12.25 cross-plugin run()-level integration scaffold).
@@ -179,7 +180,7 @@ Results land in `./out/<host>_<timestamp>/`:
 
 ### Pro/Enterprise Plugins (via @nsasoft/nsauditor-ai-ee)
 
-**EE 0.4.5 ships 18 enterprise plugins** (up from 17 at EE 0.4.4 — third plugin-count growth in the 0.4.x cycle, adding plugin 1170 AWS EC2 SG Perimeter Auditor; plugin 1140 AWS RDS Auditor also grew from 3 dims → 7 dims in this release per EE-RT.14 v2). EE plugins use the disjoint 1000+ ID range; CE reserves 001-099. Plugins audit AWS / GCP / Azure cloud substrate end-to-end against the AICPA Trust Services Criteria 2017 framework; every plugin is enterprise-gated by the `cloudScanners` capability and runs against customer-supplied cloud credentials. Once licensed, the EE package installs alongside the CE binary; auditor-facing TSC mapping documentation (`CHANGELOG.md` + `docs/soc2-coverage.md`) ships bundled.
+**EE 0.4.6 ships 19 enterprise plugins** (up from 18 at EE 0.4.5 — fourth plugin-count growth in the 0.4.x cycle, adding plugin 1180 AWS ElastiCache Redis Auditor; plugin 1170 AWS EC2 SG Perimeter Auditor also grew RESTRICTED_PORTS 13 → 23 ports in this release per EE-RT.16 v2). EE plugins use the disjoint 1000+ ID range; CE reserves 001-099. Plugins audit AWS / GCP / Azure cloud substrate end-to-end against the AICPA Trust Services Criteria 2017 framework; every plugin is enterprise-gated by the `cloudScanners` capability and runs against customer-supplied cloud credentials. Once licensed, the EE package installs alongside the CE binary; auditor-facing TSC mapping documentation (`CHANGELOG.md` + `docs/soc2-coverage.md`) ships bundled.
 
 **All EE plugins follow the same institutional plumbing pattern:**
 
@@ -208,7 +209,8 @@ Results land in `./out/<host>_<timestamp>/`:
 | **1130** | **AWS Backup Auditor — headline thread** (NEW EE 0.4.0; EE-RT.12 v1 → v1.24, 18-session institutional hardening arc) | Enterprise | The **largest single-plugin institutional-hardening arc in the EE codebase**: ~7800 lines / 545 plugin tests / 19 R2-strict recurrence-class same-session closures / 74 new soc2.json titlePattern entries across 7 controls. Audits the AWS Backup substrate end-to-end: Plans + Vaults + Recovery Points + Selections + Frameworks + Restore Testing + ReportPlans + Legal Holds + VaultType + Vault Tags + Vault Access Policy. **Headline capability: 12-dimension air-gapped vault attestation arc** for `LogicallyAirGappedBackupVault` resources — 6 cryptographic-isolation mechanisms (vault TYPE air-gapped + ARN account-segment-separation + destination KMS key-policy clean + destination KMS Grants clean + MRK-replica topology clean + source-account VPC-endpoint policy clean) PLUS 6 substrate dimensions (PITR / retention / encryption / RestoreTesting / Legal Holds / vault Access Policy). Cross-service SDK integration (`@aws-sdk/client-kms`, `@aws-sdk/client-ec2`, `@aws-sdk/client-config-service`, `@aws-sdk/client-backup`). CC6.3 / **CC6.6** / CC7.1 / CC8.1 / C1.1 / **C1.2** / **A1.2**. |
 | **1140** | **AWS RDS Auditor** (EE 0.4.3 v1; **GROWN in EE 0.4.5 v2** — 3 dims → 7 dims + kms:DescribeKey cross-reference) | Enterprise | Audits AWS RDS DB instances against **7 SOC 2 substrate-evidence dimensions** (v1 = 3 + v2 = 4): **Multi-AZ deployment** (A1.2 availability — `MultiAZ=false` = HIGH; True = PASS), **storage encryption at rest with KMS-key custody classification** (C1.1 confidentiality — four-tier severity ladder: HIGH unencrypted → MEDIUM AWS-managed `alias/aws/rds` → PASS customer-managed CMK alias → LOW+evidenceGap on `:key/UUID` ARN form per institutional `conservative_classifier_principle` memory; **v2 kms:DescribeKey cross-reference** promotes UNVERIFIABLE `:key/UUID` shapes to deterministic PASS/MEDIUM via `KeyMetadata.KeyManager` — conservative on AccessDenied/NotFound/unknown KeyManager: leaves at UNVERIFIABLE LOW, no false-CLEAN promotion), **parameter-group SSL enforcement** (C1.1 transit-encryption — postgres `rds.force_ssl=1` / mysql `require_secure_transport=ON` = PASS; not enforced or unset = CRITICAL), **backup retention period** (A1.2 cadence — v2; `BackupRetentionPeriod=0` = HIGH disabled / 1-6 days = MEDIUM below 7-day baseline / ≥7 days = PASS; operator-tunable via `opts.backupRetentionPassMinDays`), **public accessibility** (CC6.6 perimeter — v2; `PubliclyAccessible=true` = HIGH; cross-plugin sister with plugin 1170 SG perimeter audit), **IAM database authentication** (CC6.1 password-less auth — v2; `IAMDatabaseAuthenticationEnabled=true` on supported engine = PASS / disabled = INFO + walkthroughRequired / unsupported engine = INFO + engine-not-supported), and **snapshot encryption** (C1.1 cross-cycle — v2; `DescribeDBSnapshots` per-snapshot Encrypted field with explicit `IncludeShared=false` + `IncludePublic=false` defense-in-depth; any unencrypted snapshot = HIGH). 18 new soc2.json titlePattern entries across A1.2 / CC6.1 / CC6.6 / C1.1. Full institutional contract applied day-1 (EE-RT.13 PLUGIN_ID export + Thread H wrap + ZDE sanitizer + conservative classifier + EE-RT.12.25 v1 run() scaffold). 5 same-session v2 reviewer folds (R-HIGH-1 `_IAM_AUTH_SUPPORTED_ENGINES` lifted + frozen, R-MEDIUM-1 `RDS_STORAGE_KMS_UNVERIFIABLE_CATEGORY` named constant, R-MEDIUM-3 `_isUnverifiableKmsShape` single source, R-LOW-1 upper-bound clamp, R-NIT-1 explicit IncludeShared=false). Smoke-validated against `test-infra-builder` paired fixtures (`rds-compliant-cluster` + `rds-violator-db`) in account 522412052794. **A1.2 / CC6.1 / CC6.6 / C1.1**. |
 | **1150** | **AWS SQS/SNS Auditor** (NEW EE 0.4.4; EE-RT.15 v1 — second new EE plugin in the 0.4.x cycle) | Enterprise | Audits AWS SQS queues + SNS topics against **5 SOC 2 substrate-evidence dimensions** spanning two services in one plugin (institutional bundling — both substrate-evidence event-driven-architecture stores, both use the same SDK auth surface). **SQS encryption at rest** (C1.1 confidentiality — `GetQueueAttributes → SqsManagedSseEnabled` OR `KmsMasterKeyId`; four-tier severity ladder: HIGH unencrypted → MEDIUM AWS-managed-SSE OR `alias/aws/sqs` → PASS customer-managed CMK alias → LOW+evidenceGap on bare-UUID / `:key/UUID` ARN form per `conservative_classifier_principle`); **SQS transit-encryption policy** (CC6.6 segmentation — `aws:SecureTransport=false` Deny statement defense-in-depth over the HTTPS-only transport-layer guarantee); **SNS topic encryption at rest** (C1.1 confidentiality — `GetTopicAttributes → KmsMasterKeyId`; SNS has no SQS-managed-SSE equivalent so absent = HIGH); **SNS topic-policy permissive-Principal** (CC6.6 segmentation — wildcard-Principal classifier on sensitive actions sns:Publish / Subscribe / SetTopicAttributes / AddPermission / RemovePermission / DeleteTopic + `sns:*` / `*` wildcards; includes **NotAction-Allow** handling per plugin 1110 precedent + **NotPrincipal-Allow** handling per plugin 1070 precedent + **Resource-scope filtering** to prevent false-positive emissions on statements scoped to other topics' ARNs; severity ladder CRITICAL unconditional-wildcard → HIGH wildcard-WITH-Condition → PASS no-wildcard-sensitive); and **SQS dead-letter queue presence** (A1.2 availability + CC7.1 anomaly-detection, **dual-mapped** — `RedrivePolicy` analysis; missing DLQ is the canonical silent-message-loss class for event-driven architectures where failed message processing routes through SQS to downstream Lambda/ECS consumers). **First EE plugin to ship WITHOUT a smoke-time SDK hotfix** — `@aws-sdk/client-sqs` + `@aws-sdk/client-sns` were added to `optionalDependencies` PREEMPTIVELY per the 11th pre-implementation checklist item (EE-RT.14 v1 lesson applied institutionally). 11 new soc2.json titlePattern entries (9 under C1.1 + 6 under CC6.6 + 2 under A1.2 + 1 dual-mapped DLQ under CC7.1). Full institutional contract applied day-1 (EE-RT.13 PLUGIN_ID export + Thread H wrap on BOTH SQS + SNS clients independently + ZDE sanitizer at every AWS-returned string surface + conservative classifier on UNVERIFIABLE KMS shapes + EE-RT.12.25 v1 run() scaffold + 4 preemptive `aws_string_case_normalization` fold-sites for the 16× recurrence-class memory). Three same-session reviewer folds applied (R-HIGH-1 NotAction/NotPrincipal bypass class, R-HIGH-2 Resource-scope filter, R-MEDIUM-1 per-resource AccessDenied evidenceGap — same false-CLEAN-class family as the EE-RT.14 v1 hotfix lineage). Smoke-validated against `test-infra-builder` paired fixtures (`sqs-encrypted-queue` + `sqs-cleartext-queue` + `sns-encrypted-topic` + `sns-cleartext-topic`) in account 522412052794: `findingCount: 10`, all 10 classifications match ground truth (AWS-managed `alias/aws/sqs` correctly = MEDIUM not PASS; SNS default topic policy wildcard-Principal-WITH-Condition correctly = HIGH not CRITICAL). **C1.1 / CC6.6 / A1.2 / CC7.1**. |
-| **1170** | **AWS EC2 SG Perimeter Auditor** (NEW EE 0.4.5; EE-RT.16 v1 — first plugin in 1160-1170 ID range) | Enterprise | Audits AWS EC2 Security Groups against SOC 2 CC6.6 network-segmentation evidence — reads the AWS-API DECLARED SG policy via `DescribeSecurityGroups`. **Orthogonal evidence to plugin 1023 zero-trust-checker** (1023 reads OBSERVED open ports from prior network probes; 1170 reads DECLARED SG policy). The pair gives auditors complete coverage of "is this port reachable, and is it supposed to be?" **Cross-plugin sister of EE-RT.14 v2 `_classifyPublicAccessibility`** dimension in plugin 1140 (which emits "auditor walkthrough required for SG analysis"; plugin 1170 closes that walkthrough deterministically). **6 audit dimensions:** **IPv4 0.0.0.0/0 ingress to RESTRICTED_PORTS** (CC6.6 perimeter — CRITICAL; RESTRICTED_PORTS covers 13 management/data-tier/AI-infra ports: SSH (22), RDP (3389), MS SQL (1433), MySQL (3306), Postgres (5432), Redis (6379), Memcached (11211), MongoDB (27017), Elasticsearch (9200, 9300), CouchDB (5984), Docker daemon (2375), Kubelet API (10250)); **IPv6 ::/0 ingress to RESTRICTED_PORTS** (CC6.6 — CRITICAL IPv6 sibling; operators often miss while locking IPv4 down); **all-protocol (-1) ingress from 0.0.0.0/0** (CC6.6 — CRITICAL worst-possible perimeter posture; **per R-MEDIUM-1 fold suppresses dim 1+2 emissions at SG-scope** — auditor pack stays at one CRITICAL/SG instead of N+1); **public ingress to non-restricted ports** (CC6.6 substrate — INFO + walkthroughRequired; 80/443/8080-style web tier likely intentional, auditor verifies intent); **egress 0.0.0.0/0** (CC6.6 substrate — INFO; AWS-default posture; out-of-scope for SG-layer DLP concerns); **orphan SGs** (CC6.2 governance — LOW; SG with no attached ENI via `DescribeNetworkInterfaces` cross-reference; AWS-default `default` SGs per-VPC excluded). **`UserIdGroupPairs` (SG-as-source) rules** surfaced as INFO + evidenceGap + walkthroughRequired per R-HIGH-1 fold — v1 only analyzes CIDR-source rules; transitive SG→SG chain reachability deferred to v2 (EE-RT.16 v2). 7 new soc2.json titlePattern entries (6 under CC6.6 + 1 under CC6.2). Full institutional contract applied day-1 (EE-RT.13 PLUGIN_ID export + Thread H wrap + ZDE sanitizer + conservative classifier + EE-RT.12.25 v1 run() scaffold). 4 same-session reviewer folds applied (R-HIGH-1 UserIdGroupPairs evidenceGap + softened PASS narrative, R-MEDIUM-1 all-protocol SG-scope suppression, R-MEDIUM-1 CONVERGENT SG-list + ENI AccessDenied account-level evidenceGap findings, NIT-3 header comment accuracy). Pre-existing test-infra-builder paired fixtures support smoke validation: `nsauditor-secure-sg` (443 from 10.0.0.0/16 → PASS) + `nsauditor-exposed-sg` (22/5432/6379 from 0.0.0.0/0 → 3 CRITICALs). **CC6.6 / CC6.2**. |
+| **1170** | **AWS EC2 SG Perimeter Auditor** (EE 0.4.5 v1; **EXTENDED in EE 0.4.6 v2** — RESTRICTED_PORTS 13 → 23 ports per CIS AWS Foundations v3.0 + operator-config + per-SG cardinality cap) | Enterprise | Audits AWS EC2 Security Groups against SOC 2 CC6.6 network-segmentation evidence — reads the AWS-API DECLARED SG policy via `DescribeSecurityGroups`. **Orthogonal evidence to plugin 1023 zero-trust-checker** (1023 reads OBSERVED open ports from prior network probes; 1170 reads DECLARED SG policy). The pair gives auditors complete coverage of "is this port reachable, and is it supposed to be?" **Cross-plugin sister of EE-RT.14 v2 `_classifyPublicAccessibility`** dimension in plugin 1140 (which emits "auditor walkthrough required for SG analysis"; plugin 1170 closes that walkthrough deterministically). **6 audit dimensions:** **IPv4 0.0.0.0/0 ingress to RESTRICTED_PORTS** (CC6.6 perimeter — CRITICAL; **v2 RESTRICTED_PORTS covers 23 ports** per CIS AWS Foundations v3.0 alignment + emerging-data-tier coverage: SSH (22), RDP (3389), MS SQL (1433), MySQL (3306), Postgres (5432), Redshift (5439 — NEW v2), Redis (6379), Memcached (11211), MongoDB (27017), Elasticsearch (9200, 9300), CouchDB (5984), Docker daemon (2375), Kubelet API (10250), **K8s API server (6443 — NEW v2), etcd (2379-2380 — NEW v2), Kibana (5601 — NEW v2), InfluxDB (8086 — NEW v2), Kafka (9092 — NEW v2), Consul (8500 — NEW v2), ZooKeeper (2181 — NEW v2), Vault (8200 — NEW v2)**); **IPv6 ::/0 ingress to RESTRICTED_PORTS** (CC6.6 — CRITICAL IPv6 sibling; operators often miss while locking IPv4 down); **all-protocol (-1) ingress from 0.0.0.0/0** (CC6.6 — CRITICAL worst-possible perimeter posture; **per R-MEDIUM-1 fold suppresses dim 1+2 emissions at SG-scope** — auditor pack stays at one CRITICAL/SG instead of N+1); **public ingress to non-restricted ports** (CC6.6 substrate — INFO + walkthroughRequired; 80/443/8080-style web tier likely intentional, auditor verifies intent); **egress 0.0.0.0/0** (CC6.6 substrate — INFO; AWS-default posture; out-of-scope for SG-layer DLP concerns); **orphan SGs** (CC6.2 governance — LOW; SG with no attached ENI via `DescribeNetworkInterfaces` cross-reference; AWS-default `default` SGs per-VPC excluded; **v2 system-managed-SG name-prefix exclusion list** excludes `ElasticMapReduce-`, `eks-cluster-sg-`, `AWSServiceRole`, `awseb-` etc. from orphan-detection — these are AWS-service-controlled and structurally non-deletable). **v2 operator-config knob `opts.additionalRestrictedPorts`** — lets tenants add custom ports beyond the baseline (validated 0-65535 integer + deduped against baseline). **v2 per-SG cardinality cap via `_USER_GROUP_DISPLAY_CAP = 10`** with rollup trailer (`...and N more`) defends against finding-size DoS on 1000+ SG accounts. **`UserIdGroupPairs` (SG-as-source) rules** surfaced as INFO + evidenceGap + walkthroughRequired per R-HIGH-1 fold — v1 only analyzes CIDR-source rules; transitive SG→SG chain reachability deferred to v3 (EE-RT.16 v3). 10 new soc2.json titlePattern entries across v1 + v2 (6 CC6.6 + 1 CC6.2 from v1; 1 PASS-tier fix + 2 cardinality-cap trailers from v2). Full institutional contract applied day-1. **7 same-session v2 reviewer folds including 2 CONVERGENT-CRITICAL findings** (C1 pre-existing v1 PASS-tier titlePattern bug; C2 cardinality-cap-trailer titlePatterns silently dropped at framework-engine harvest pre-fold). Smoke-validated against `test-infra-builder` paired fixtures (`nsauditor-secure-sg` + `nsauditor-exposed-sg`) in account 522412052794. **CC6.6 / CC6.2**. |
+| **1180** | **AWS ElastiCache Redis Auditor** (NEW EE 0.4.6; EE-RT.17 v1 — first plugin in 1170-1180 ID range) | Enterprise | Audits AWS ElastiCache Redis clusters against **6 SOC 2 substrate-evidence dimensions** spanning confidentiality + availability + segmentation. Closes the highest-priority gap from the AWS SOC 2 audit-canonical compliance checklist. **Transit encryption** (C1.1 PASS/HIGH — `TransitEncryptionEnabled=true` wraps RESP in TLS for client→cluster + primary→replica connections; HIGH on disabled — cleartext RESP on wire + AUTH tokens flow cleartext; cannot be toggled in place, requires snapshot+restore). **At-rest encryption with KMS key custody** (C1.1 four-tier ladder — HIGH disabled → MEDIUM AWS-owned-default (encrypted but no customer KmsKeyId) → MEDIUM `alias/aws/elasticache` (AWS-managed alias via `_AWS_MANAGED_ELASTICACHE_ALIAS_RE`) → PASS customer-managed CMK + LOW+evidenceGap on `:key/UUID` ARN form per `conservative_classifier_principle`). **Redis AUTH / IAM-auth user groups** (CC6.1 + CC6.2 — PASS on UserGroupIds configured (Redis 7+ ACL/IAM-auth user groups replace long-lived AUTH passwords); MEDIUM on no-authentication (cluster relies solely on SG perimeter — cross-plugin sister with plugin 1170 SG-perimeter audit); UserGroupIds cardinality cap 10 + "...and N more" overflow per R-MEDIUM-1 fold). **Multi-AZ deployment** (A1.2 availability — HIGH on `MultiAZ=disabled` for replication groups; INFO + standalone-not-applicable on single-node CacheClusters; INFO + evidenceGap on transient states `enabling` / `disabling` per `conservative_classifier_principle`). **SnapshotRetentionLimit cadence** (A1.2 — 0 = HIGH (no snapshots), 1-6 days = MEDIUM (below 7-day baseline), ≥7 days = PASS; operator-tunable via `opts.snapshotRetentionPassMinDays` clamped 1..35). **Subnet placement** (CC6.6 perimeter — INFO + walkthroughRequired on `default` subnet group per `conservative_classifier_principle` — operator may have private subnets named "default"). **Dual API enumeration with inter-API dedup**: `DescribeReplicationGroups` + `DescribeCacheClusters` covers both replication-group and standalone-CacheCluster surfaces; CacheClusters with `ReplicationGroupId` set are skipped (member-of-replication-group rule) to avoid double-emission. `_ELASTICACHE_SUPPORTED_ENGINES = Object.freeze(new Set(["redis"]))` — Memcached is out-of-scope by design (no native AUTH; no transit encryption substrate). 16 new soc2.json titlePattern entries (4 CC6.1 + 1 CC6.6 + 5 A1.2 + 8 C1.1). Full institutional contract applied day-1 (EE-RT.13 PLUGIN_ID export + Thread H wrap + ZDE sanitizer + conservative classifier + EE-RT.12.25 v1 run() scaffold). 3 same-session reviewer folds applied (R-MEDIUM-1 UserGroupIds cardinality cap canonical-parity, R-LOW-1 transient Multi-AZ state INFO + evidenceGap, R-LOW-2 inter-API dedup test pin). **Third EE plugin to ship without smoke-time SDK hotfix** (`@aws-sdk/client-elasticache` preemptively added to optionalDependencies). Smoke-validated against `test-infra-builder` paired fixtures (`redis-secure-cache` + `redis-leaky-cache`) in account 522412052794. **CC6.1 / CC6.2 / CC6.6 / A1.2 / C1.1**. |
 | — | SOC 2 Compliance Engine | Enterprise | AICPA TSC 2017 control mapping (10 covered + 4 partial controls post-EE 0.3.9 / 0.4.0), chain-of-custody, RFC 3161 timestamps, suppression workflow |
 | — | SLA & MTTR Tracking | Enterprise | Per-severity SLA targets, compensating-control flow, finding lifecycle |
 | — | Recurring-Scan Attestation | Enterprise | Multi-scan chronological matrix, cadence gap detection, scope drift (CC8.1) |

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nsauditor-ai",
-  "version": "0.1.44",
+  "version": "0.1.45",
   "description": "Modular AI-assisted network security audit platform — Community Edition",
   "type": "module",
   "private": false,