nsauditor-ai 0.1.51 → 0.1.53
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +8 -2
- package/package.json +1 -1
package/README.md
CHANGED
@@ -17,7 +17,9 @@ NSAuditor AI is the open-source core of a privacy-first security intelligence pl
## What's New
-
- **0.1.
+
- **0.1.53 (current)** — docs-only patch announcing **EE 0.5.4 release** (paired release narrative). **EE plugin count UNCHANGED at 20** (no new plugin in 0.5.4; cross-plugin Thread H sweep). **§7.5 closure**: `_promote*FromKms` cross-plugin signature hardening on plugin 1140 v2 + plugin 1180 v2 — Map-form lookup replaces caller-side parallel-threading (closes false-CLEAN class). **§8 closure**: operator-config DoS caps on plugin 1170 v2 (`_OPERATOR_CONFIG_MAX_ENTRIES = 1000`). **Clean reviewer pass** (0 R-CRITICAL + 0 R-HIGH; 3 R-MEDIUM/LOW coverage pins folded same-session). **+20 new tests** cross-plugin; EE full regression: 4982/4982; 50-session 100% green streak preserved. **Coverage matrix UNCHANGED at 10/4/33** — pure structural-discipline tightening. CE binary unchanged. **Tenth consecutive trio-publish across EE + CE + agent-skill** — 0.4.5–0.5.4. **v0.5.x close-out cycle**; ready for 0.6.0 milestone.
+
- **0.1.52 (deprecated)** — docs-only patch announcing **EE 0.5.3 release** (paired release narrative). **EE plugin count UNCHANGED at 20** (no new plugin in 0.5.3; existing plugin 1190 `aws-ses-auditor` extended via **EE-RT.18 v3**: Part A DKIM public-key fingerprint capture/pin + Part B in-band DMARC alignment classifier). **5 same-session reviewer folds** (1 R-CRITICAL + 3 R-HIGH + 1 R-MEDIUM). **R-CRITICAL closure (discovered via test)**: `_stripControlChars` 256-char truncation corrupted long DKIM keys producing wrong SHA-256 fingerprints — new `_stripControlCharsNoTruncate` helper for cryptographic-data surface. **R-HIGH closures**: empty/short-key floor (≥128 bytes catches `p=` empty-key substitution attacks) + multiple-DKIM1-records LOW + evidenceGap (no silent [0] truncation) + DMARC alignment double-failure visibility. **R-MEDIUM closure**: pin-store + failed-capture-on-pinned-token downgraded to LOW + evidenceGap. **Coverage matrix UNCHANGED at 10/4/33** — 8 new aws-ses-auditor mapping rules (CC6.1 + Privacy). **+61 new tests this cycle** (45 v3 base + 16 reviewer-fold pins); plugin 1190 test count grew 248 → 309 across 49 → 60 suites. **EE full regression: 4962/4962; 49-session 100% green streak preserved**. **No new SDK dependencies** — v3 uses existing node:dns/promises + node:crypto. CE binary unchanged in 0.1.52 (code identical to 0.1.40 → 0.1.51). **Ninth consecutive trio-publish across EE + CE + agent-skill in a single session**. Memory tag closures: `conservative_classifier_principle` reinforced in 5 new fold sites; `emit_literal_set_drift` extended with 8 new named emission categories + 1 frozen Set + 1 new regex pin + 1 new no-truncate helper; `aws_string_case_normalization` reinforced via case-insensitive pin compare.
+
- **0.1.51 (deprecated)** — docs-only patch announcing **EE 0.5.2 release** (paired release narrative). **EE plugin count UNCHANGED at 20** (no new plugin in 0.5.2; existing plugin 1190 `aws-ses-auditor` underwent pure v2.1 consolidation via **EE-RT.18 v2.1** — closes 7 deferred reviewer-fold items from the 0.5.0 cycle). **6 same-session reviewer folds** (1 CRITICAL + 3 HIGH + 2 MEDIUM): **R-CRITICAL closure**: missing soc2.json titlePattern for new `ses-dkim-dns-partial-with-transients` MEDIUM emission — same false-mapping class as 0.5.1 R-HIGH soc2-anchoring fold. **R-HIGH closure (silent-loss class)**: SES classic API quota exhaustion now routes post-retry-exhaustion bubble to `ses-classic-policy-unverifiable` LOW + evidenceGap with `cause: "classic-sdk-quota-exhausted"` (pre-fold this fell through to silent loss via warnings.push). **R-HIGH closures**: unknown-DNS-code call-site fail-safe pin + identityType producer→consumer round-trip. **R-MEDIUM closures**: mixed-failure-mode test + module-load-time disjointness IIFE (`_assertDnsErrorCodeSetsDisjoint()` promotes the invariant from test-time to Node startup enforcement). **7 deferred items closed**: DKIM partial-match severity tier (new MEDIUM `ses-dkim-dns-partial-with-transients`) + explicit `_DNS_TRANSIENT_ERROR_CODES` named Set + broadened classic-side error taxonomy (`IdentityNotVerified` / `ConfigurationSetDoesNotExist` / quota-error names) + DMARC chunk-split end-to-end + DKIM special-chars + identityType normalization + cosmetic constant-casing. **Coverage matrix UNCHANGED at 10/4/33** — pure evidence-quality uplift on already-covered CC6.1 + CC6.6 + A1.2 + CC7.1 + CC7.2 controls via 1 new aws-ses-auditor mapping rule + 5 reinforced classifier contracts. **+41 new tests this cycle** (34 deferred-items sweep base + 7 reviewer-fold pins); plugin 1190 test count grew 207 → 248 across 40 → 49 suites. **EE full regression: 4901/4901; 48-session 100% green streak preserved**. 
**No new SDK dependencies** — pure v2 consolidation. CE binary unchanged in 0.1.51 (code identical to 0.1.40 → 0.1.50). **Eighth consecutive trio-publish across EE + CE + agent-skill in a single session** — institutionalized discipline now spans 8 ship cycles (0.4.5 / 0.4.6 / 0.4.7 / 0.4.8 / 0.4.9 / 0.5.0 / 0.5.1 / 0.5.2). Paired agent-skill 0.1.18 catalog refresh reflects plugin 1190 v2.1 consolidation. Memory tag closures: `conservative_classifier_principle` reinforced in 3 new fold sites; `emit_literal_set_drift` extended with 3 new named Sets + 1 new named category + module-load-time disjointness IIFE; `aws_string_case_normalization` reinforced via identityType normalization at promoter consumer sites.
- **0.1.50 (deprecated)** — paired with EE 0.5.1. EE-RT.15 v2 plugin 1150 SQS/SNS Auditor 5 → 7 dimensions (CloudWatch alarm coverage). Closes the **"messaging monitoring" SOC 2 dimension** per `tasks/things-to-check.md` §4 institutional checklist. **First plugin-1150 dim to cross an SDK boundary** (SQS+SNS → CloudWatch); single-fetch budget — `_enumerateMetricAlarms` paginates `cloudwatch:DescribeAlarms` once, `_buildAlarmIndex` builds per-resource Maps for O(1) lookup. **Dim 6 — SQS age-alarm coverage** (CC7.2 + A1.2; per-queue PASS / MEDIUM / LOW / LOW + evidenceGap). **Dim 7 — SNS failure-alarm coverage** (CC7.2 + A1.2; per-topic analogue). **Soft-degrade contract** — CW SDK load failure routes per-resource classifier to LOW + evidenceGap rather than blocking SQS+SNS primary substrate audit. **7 same-session reviewer folds** (1 CRITICAL + 1 HIGH + 2 MEDIUM + 1 LOW + 1 NIT; 6 folded same-session, 1 NIT deferred). **R-CRITICAL closure**: `ActionsEnabled=true + AlarmActions=[]` was silent PASS pre-fold (CloudWatch fires NO operator paging on empty AlarmActions); `actionable` filter now requires BOTH `ActionsEnabled=true` AND non-empty `AlarmActions[]`. Discriminates "all disabled" vs "all empty actions" in remediation narrative. **R-HIGH closure**: soc2.json PASS-tier titlePatterns narrowed to anchor on `AWS/SQS:ApproximateAgeOfOldestMessage` / `AWS/SNS:NumberOfNotificationsFailed` clauses. **R-MEDIUM-1/2 + R-LOW closures**: defensive shape guard + multi-alarm collision tests + FIFO end-to-end + corrupted-shape defensive tests. **+52 new tests this cycle** (41 v2 base + 11 reviewer-fold pins); plugin 1150 test count grew 116 → 168 across 22 → 33 suites. **EE full regression: 4860/4860; 47-session 100% green streak preserved**. **12 new soc2.json titlePattern entries** (8 CC7.2 + 4 A1.2 dual-mapped). 
**Synthetic-mock validation only** this cycle — real-AWS smoke deferred (no SQS/SNS paired fixtures yet in test-infra-builder; ship-without per documented gap, EE 0.5.0 SES precedent). **No new SDK dependencies** — `@aws-sdk/client-cloudwatch` already declared in optionalDependencies since EE 0.4.0. CE binary unchanged in 0.1.50 (code identical to 0.1.40 → 0.1.49); the bump carries the EE-paired-release narrative. **Seventh consecutive trio-publish across EE + CE + agent-skill in a single session** — institutionalized discipline now spans 7 ship cycles (0.4.5 / 0.4.6 / 0.4.7 / 0.4.8 / 0.4.9 / 0.5.0 / 0.5.1). Paired agent-skill 0.1.17 catalog refresh reflects plugin 1150 v2 extension. Memory tag closures: `aws_string_case_normalization` reinforced via split-surface QueueName/TopicName discipline; `conservative_classifier_principle` reinforced in 4 new fold sites; `emit_literal_set_drift` extended with 7 new named CW constants.
- **0.1.49 (deprecated)** — paired with EE 0.5.0. EE-RT.18 v2 plugin 1190 SES Email Integrity Auditor extension (DKIM CNAME DNS resolution + DMARC TXT record parser + SES classic API parity). **First ship to add NETWORK-LAYER cross-reference** (live DNS resolution via `node:dns/promises`) to the AWS-SDK-substrate evidence baseline — structurally distinct evidence-acquisition surface from prior 0.4.x cycles, which justifies the 0.5.0 minor-version milestone bump even without a coverage matrix shift. **Part A — DKIM CNAME DNS resolution promotion** (dim 1) — closes canonical false-CLEAN window where SES reports `Status=SUCCESS` but DNS CNAMEs were subsequently rotated/removed. Four outcomes: PASS `ses-dkim-dns-verified` / MEDIUM `ses-dkim-dns-partial` / HIGH `ses-dkim-dns-missing` (false-CLEAN closure) / LOW + evidenceGap `ses-dkim-dns-unverifiable`. **Part B — DMARC TXT record parser + MailFrom promotion** (dim 2) — RFC 7489 §6.4 tag-list parser. Five outcomes: PASS `ses-dmarc-policy-reject` / MEDIUM `ses-dmarc-policy-quarantine` / HIGH `ses-dmarc-policy-none` / HIGH `ses-dmarc-missing` / LOW + evidenceGap `ses-dmarc-unverifiable`. **Part C — SES classic GetIdentityPolicies parity** (dim 4) — cross-API discrepancy detection emits HIGH `ses-classic-policy-discrepancy` on classic-only policy (canonical false-NEGATIVE class). **8 same-session reviewer folds** (1 CRITICAL + 3 HIGH + 2 MEDIUM + 2 LOW). **R-CRITICAL-1 closure**: DMARC `pct=0` silent-PASS false-CLEAN — `pct=0` on `p=reject`/`p=quarantine` functionally equivalent to `p=none` (zero percent enforced); now routes to HIGH `ses-dmarc-policy-none`. **R-HIGH-1 closure**: DMARC `sp` subdomain-policy override now evaluated — `p=reject; sp=none` downgrades to HIGH (subdomain-takeover false-NEGATIVE class previously silent CLEAN). **R-HIGH-2 closure**: brittle `inTestMode = !!opts._client` coupling replaced with explicit `_skipV2Promotion` master switch + 3 orthogonal kill-switches. 
**R-HIGH-3/MEDIUM-1/MEDIUM-3/LOW-1/2/3 closures**: defensive guards + JSON deep-equal policy-doc compare + RFC-tolerant DMARC prefix + parser symmetry + ZDE sanitization + cardinality-cap discipline. **+91 new tests this cycle** (53 v2 base + 19 reviewer-fold pins + 19 others); plugin 1190 test count grew 116 → 207 across 24 → 40 suites. **EE full regression: 4787/4787; 46-session 100% green streak preserved**. **Real-DNS smoke validation END-TO-END** against production resolvers (`_dmarc.nsasoft.us` parsed correctly: `p=reject, sp=reject (default), pct=100`; forward-compat `fo=1` tag preserved in `rawTags`). Empty-account SESv2 enumeration baseline succeeded end-to-end against `522412052794` (no SES identities provisioned — fixture-provisioning gap carries over from v1). CE binary unchanged in 0.1.49 (code identical to 0.1.40 → 0.1.48); the bump carries the EE-paired-release narrative. **Sixth consecutive trio-publish across EE + CE + agent-skill in a single session** — institutionalized discipline now spans 6 ship cycles (0.4.5 / 0.4.6 / 0.4.7 / 0.4.8 / 0.4.9 / 0.5.0). Paired agent-skill 0.1.16 catalog refresh reflects plugin 1190 v2 extension. Memory tag closures: `aws_string_case_normalization` holds at **20×**; `conservative_classifier_principle` reinforced in 7 new fold sites; `emit_literal_set_drift` extended with 13 new named constants.
- **0.1.48 (deprecated)** — paired with EE 0.4.9. EE-RT.17 v2 plugin 1180 ElastiCache Redis Auditor extension (kms:DescribeKey cross-reference promotion + subnet route-table verifier); 7 same-session reviewer folds incl. 1 MEDIUM false-NEGATIVE closure (default-VPC main-RT inheritance escalated to LOW + evidenceGap).
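Review bot: the 0.1.53 entry leans on internal references (§7.5, §8, "Thread H", the 10/4/33 coverage matrix) that a reader of this README cannot resolve from the file itself; name the document they point to (the EE `CHANGELOG.md` / `docs/soc2-coverage.md` cited further down the README) or drop the section numbers. The entry also presents `_OPERATOR_CONFIG_MAX_ENTRIES = 1000` as a DoS cap without saying what plugin 1170 does when an operator config exceeds it (reject the config, truncate and emit evidenceGap, or fail the check), which is the detail an auditor reading this list needs. Finally, unlike the 0.1.51 and earlier entries, it omits the "CE binary code identical to 0.1.40 → 0.1.5x" range and the paired agent-skill catalog version; consider adding both so the entries stay comparable.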
@@ -180,7 +182,11 @@ Results land in `./out/<host>_<timestamp>/`:
### Pro/Enterprise Plugins (via @nsasoft/nsauditor-ai-ee)
-
**EE 0.5.
+
**EE 0.5.4 ships 20 enterprise plugins** (UNCHANGED from EE 0.5.3 — the 0.5.4 bump is a cross-plugin Thread H sweep: §7.5 `_promote*FromKms` signature hardening on plugin 1140 v2 + 1180 v2 + §8 operator-config DoS caps on plugin 1170 v2; clean reviewer pass with 0 R-CRITICAL + 0 R-HIGH; final v0.5.x close-out cycle).
+
+
**EE 0.5.3 (superseded)** —**EE 0.5.3 ships 20 enterprise plugins** (UNCHANGED from EE 0.5.2 — the 0.5.3 patch-level bump is a pure plugin 1190 EE-RT.18 v3 extension: Part A DKIM public-key fingerprint capture/pin + Part B in-band DMARC alignment classifier; 5 same-session reviewer folds incl. 1 R-CRITICAL false-CLEAN closure on truncated DKIM keys).
+
+
**EE 0.5.2 (superseded)** —**EE 0.5.2 ships 20 enterprise plugins** (UNCHANGED from EE 0.5.1 — the 0.5.2 patch-level bump is a pure consolidation cycle: plugin 1190 `aws-ses-auditor` deferred-items sweep via **EE-RT.18 v2.1** closing all 7 deferred reviewer-fold items from the 0.5.0 cycle; 6 same-session reviewer folds incl. 1 CRITICAL soc2 mapping closure + silent-loss-class closure on SES classic API quota exhaustion). EE plugins use the disjoint 1000+ ID range; CE reserves 001-099. Plugins audit AWS / GCP / Azure cloud substrate end-to-end against the AICPA Trust Services Criteria 2017 framework; every plugin is enterprise-gated by the `cloudScanners` capability and runs against customer-supplied cloud credentials. Once licensed, the EE package installs alongside the CE binary; auditor-facing TSC mapping documentation (`CHANGELOG.md` + `docs/soc2-coverage.md`) ships bundled.
**All EE plugins follow the same institutional plumbing pattern:**
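Review bot: the sentences describing the plugin ID ranges (EE 1000+, CE 001-099), the `cloudScanners` capability gate, the customer-supplied credentials model and the bundled TSC mapping docs are appended to the superseded EE 0.5.2 line, although they apply to every EE release; move them into their own paragraph after the version list (or attach them to the current 0.5.4 entry) so they do not vanish when the 0.5.2 line is eventually pruned. Minor style point: the 0.5.3 and 0.5.2 lines read `**EE 0.5.3 (superseded)** —**EE 0.5.3 ships ...`, with no space after the dash and the version label repeated, while the 0.5.4 line uses a different shape with no `(current)` marker; pick one form for all three.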