nsauditor-ai 0.1.54 → 0.1.55

package/README.md

@@ -17,20 +17,17 @@ NSAuditor AI is the open-source core of a privacy-first security intelligence pl
 
 ## What's New
 
-- **0.1.54 (current)** — docs-only patch announcing **EE 0.6.0 release** (paired release narrative — minor-version milestone). **EE plugin count 20 → 21** — EE-RT.19 v1 NEW plugin 1160 AWS VPC Endpoints / PrivateLink Auditor. **First plugin to specifically audit the PrivateLink isolation boundary** (complements plugin 1170 layer-4 SG perimeter with SERVICE-LAYER perimeter audit). **4 SOC 2 dimensions**: endpoint resource policy permissive principals (CC6.6 CRITICAL on unconditional wildcard); PrivateDNS enabled (CC6.6 MEDIUM silent-bypass when Interface + disabled); endpoint state (A1.2 + CC7.2 HIGH on `failed`); endpoint type substrate disclosure. **Clean reviewer pass** (0 R-CRITICAL + 0 R-HIGH; 2 R-MEDIUM/NIT folded same-session). **+59 new tests**; EE regression: 5044/5044 across 792 suites; 51-session 100% green streak. **7 new soc2.json rules** (5 CC6.6 + 2 CC7.2/A1.2 dual-mapped). Coverage matrix UNCHANGED at 10/4/33. CE binary unchanged. **Eleventh consecutive trio-publish across EE + CE + agent-skill** — 0.4.5–0.6.0.
-- **0.1.53 (deprecated)** — docs-only patch announcing **EE 0.5.4 release** (paired release narrative). **EE plugin count UNCHANGED at 20** (no new plugin in 0.5.4; cross-plugin Thread H sweep). **§7.5 closure**: `_promote*FromKms` cross-plugin signature hardening on plugin 1140 v2 + plugin 1180 v2 — Map-form lookup replaces caller-side parallel-threading (closes false-CLEAN class). **§8 closure**: operator-config DoS caps on plugin 1170 v2 (`_OPERATOR_CONFIG_MAX_ENTRIES = 1000`). **Clean reviewer pass** (0 R-CRITICAL + 0 R-HIGH; 3 R-MEDIUM/LOW coverage pins folded same-session). **+20 new tests** cross-plugin; EE full regression: 4982/4982; 50-session 100% green streak preserved. **Coverage matrix UNCHANGED at 10/4/33** — pure structural-discipline tightening. CE binary unchanged. **Tenth consecutive trio-publish across EE + CE + agent-skill** — 0.4.5–0.5.4. **v0.5.x close-out cycle**; ready for 0.6.0 milestone.
-- **0.1.52 (deprecated)** — docs-only patch announcing **EE 0.5.3 release** (paired release narrative). **EE plugin count UNCHANGED at 20** (no new plugin in 0.5.3; existing plugin 1190 `aws-ses-auditor` extended via **EE-RT.18 v3**: Part A DKIM public-key fingerprint capture/pin + Part B in-band DMARC alignment classifier). **5 same-session reviewer folds** (1 R-CRITICAL + 3 R-HIGH + 1 R-MEDIUM). **R-CRITICAL closure (discovered via test)**: `_stripControlChars` 256-char truncation corrupted long DKIM keys producing wrong SHA-256 fingerprints — new `_stripControlCharsNoTruncate` helper for cryptographic-data surface. **R-HIGH closures**: empty/short-key floor (≥128 bytes catches `p=` empty-key substitution attacks) + multiple-DKIM1-records LOW + evidenceGap (no silent [0] truncation) + DMARC alignment double-failure visibility. **R-MEDIUM closure**: pin-store + failed-capture-on-pinned-token downgraded to LOW + evidenceGap. **Coverage matrix UNCHANGED at 10/4/33** — 8 new aws-ses-auditor mapping rules (CC6.1 + Privacy). **+61 new tests this cycle** (45 v3 base + 16 reviewer-fold pins); plugin 1190 test count grew 248 → 309 across 49 → 60 suites. **EE full regression: 4962/4962; 49-session 100% green streak preserved**. **No new SDK dependencies** — v3 uses existing node:dns/promises + node:crypto. CE binary unchanged in 0.1.52 (code identical to 0.1.40 → 0.1.51). **Ninth consecutive trio-publish across EE + CE + agent-skill in a single session**. Memory tag closures: `conservative_classifier_principle` reinforced in 5 new fold sites; `emit_literal_set_drift` extended with 8 new named emission categories + 1 frozen Set + 1 new regex pin + 1 new no-truncate helper; `aws_string_case_normalization` reinforced via case-insensitive pin compare.
-- **0.1.51 (deprecated)** — docs-only patch announcing **EE 0.5.2 release** (paired release narrative). **EE plugin count UNCHANGED at 20** (no new plugin in 0.5.2; existing plugin 1190 `aws-ses-auditor` underwent pure v2.1 consolidation via **EE-RT.18 v2.1** — closes 7 deferred reviewer-fold items from the 0.5.0 cycle). **6 same-session reviewer folds** (1 CRITICAL + 3 HIGH + 2 MEDIUM): **R-CRITICAL closure**: missing soc2.json titlePattern for new `ses-dkim-dns-partial-with-transients` MEDIUM emission — same false-mapping class as 0.5.1 R-HIGH soc2-anchoring fold. **R-HIGH closure (silent-loss class)**: SES classic API quota exhaustion now routes post-retry-exhaustion bubble to `ses-classic-policy-unverifiable` LOW + evidenceGap with `cause: "classic-sdk-quota-exhausted"` (pre-fold this fell through to silent loss via warnings.push). **R-HIGH closures**: unknown-DNS-code call-site fail-safe pin + identityType producer→consumer round-trip. **R-MEDIUM closures**: mixed-failure-mode test + module-load-time disjointness IIFE (`_assertDnsErrorCodeSetsDisjoint()` promotes the invariant from test-time to Node startup enforcement). **7 deferred items closed**: DKIM partial-match severity tier (new MEDIUM `ses-dkim-dns-partial-with-transients`) + explicit `_DNS_TRANSIENT_ERROR_CODES` named Set + broadened classic-side error taxonomy (`IdentityNotVerified` / `ConfigurationSetDoesNotExist` / quota-error names) + DMARC chunk-split end-to-end + DKIM special-chars + identityType normalization + cosmetic constant-casing. **Coverage matrix UNCHANGED at 10/4/33** — pure evidence-quality uplift on already-covered CC6.1 + CC6.6 + A1.2 + CC7.1 + CC7.2 controls via 1 new aws-ses-auditor mapping rule + 5 reinforced classifier contracts. **+41 new tests this cycle** (34 deferred-items sweep base + 7 reviewer-fold pins); plugin 1190 test count grew 207 → 248 across 40 → 49 suites. **EE full regression: 4901/4901; 48-session 100% green streak preserved**. **No new SDK dependencies** — pure v2 consolidation. CE binary unchanged in 0.1.51 (code identical to 0.1.40 → 0.1.50). **Eighth consecutive trio-publish across EE + CE + agent-skill in a single session** — institutionalized discipline now spans 8 ship cycles (0.4.5 / 0.4.6 / 0.4.7 / 0.4.8 / 0.4.9 / 0.5.0 / 0.5.1 / 0.5.2). Paired agent-skill 0.1.18 catalog refresh reflects plugin 1190 v2.1 consolidation. Memory tag closures: `conservative_classifier_principle` reinforced in 3 new fold sites; `emit_literal_set_drift` extended with 3 new named Sets + 1 new named category + module-load-time disjointness IIFE; `aws_string_case_normalization` reinforced via identityType normalization at promoter consumer sites.
-- **0.1.50 (deprecated)** — paired with EE 0.5.1. EE-RT.15 v2 plugin 1150 SQS/SNS Auditor 5 → 7 dimensions (CloudWatch alarm coverage). Closes the **"messaging monitoring" SOC 2 dimension** per `tasks/things-to-check.md` §4 institutional checklist. **First plugin-1150 dim to cross an SDK boundary** (SQS+SNS → CloudWatch); single-fetch budget — `_enumerateMetricAlarms` paginates `cloudwatch:DescribeAlarms` once, `_buildAlarmIndex` builds per-resource Maps for O(1) lookup. **Dim 6 — SQS age-alarm coverage** (CC7.2 + A1.2; per-queue PASS / MEDIUM / LOW / LOW + evidenceGap). **Dim 7 — SNS failure-alarm coverage** (CC7.2 + A1.2; per-topic analogue). **Soft-degrade contract** — CW SDK load failure routes per-resource classifier to LOW + evidenceGap rather than blocking SQS+SNS primary substrate audit. **7 same-session reviewer folds** (1 CRITICAL + 1 HIGH + 2 MEDIUM + 1 LOW + 1 NIT; 6 folded same-session, 1 NIT deferred). **R-CRITICAL closure**: `ActionsEnabled=true + AlarmActions=[]` was silent PASS pre-fold (CloudWatch fires NO operator paging on empty AlarmActions); `actionable` filter now requires BOTH `ActionsEnabled=true` AND non-empty `AlarmActions[]`. Discriminates "all disabled" vs "all empty actions" in remediation narrative. **R-HIGH closure**: soc2.json PASS-tier titlePatterns narrowed to anchor on `AWS/SQS:ApproximateAgeOfOldestMessage` / `AWS/SNS:NumberOfNotificationsFailed` clauses. **R-MEDIUM-1/2 + R-LOW closures**: defensive shape guard + multi-alarm collision tests + FIFO end-to-end + corrupted-shape defensive tests. **+52 new tests this cycle** (41 v2 base + 11 reviewer-fold pins); plugin 1150 test count grew 116 → 168 across 22 → 33 suites. **EE full regression: 4860/4860; 47-session 100% green streak preserved**. **12 new soc2.json titlePattern entries** (8 CC7.2 + 4 A1.2 dual-mapped). **Synthetic-mock validation only** this cycle — real-AWS smoke deferred (no SQS/SNS paired fixtures yet in test-infra-builder; ship-without per documented gap, EE 0.5.0 SES precedent). **No new SDK dependencies** — `@aws-sdk/client-cloudwatch` already declared in optionalDependencies since EE 0.4.0. CE binary unchanged in 0.1.50 (code identical to 0.1.40 → 0.1.49); the bump carries the EE-paired-release narrative. **Seventh consecutive trio-publish across EE + CE + agent-skill in a single session** — institutionalized discipline now spans 7 ship cycles (0.4.5 / 0.4.6 / 0.4.7 / 0.4.8 / 0.4.9 / 0.5.0 / 0.5.1). Paired agent-skill 0.1.17 catalog refresh reflects plugin 1150 v2 extension. Memory tag closures: `aws_string_case_normalization` reinforced via split-surface QueueName/TopicName discipline; `conservative_classifier_principle` reinforced in 4 new fold sites; `emit_literal_set_drift` extended with 7 new named CW constants.
-- **0.1.49 (deprecated)** — paired with EE 0.5.0. EE-RT.18 v2 plugin 1190 SES Email Integrity Auditor extension (DKIM CNAME DNS resolution + DMARC TXT record parser + SES classic API parity). **First ship to add NETWORK-LAYER cross-reference** (live DNS resolution via `node:dns/promises`) to the AWS-SDK-substrate evidence baseline — structurally distinct evidence-acquisition surface from prior 0.4.x cycles, which justifies the 0.5.0 minor-version milestone bump even without a coverage matrix shift. **Part A — DKIM CNAME DNS resolution promotion** (dim 1) — closes canonical false-CLEAN window where SES reports `Status=SUCCESS` but DNS CNAMEs were subsequently rotated/removed. Four outcomes: PASS `ses-dkim-dns-verified` / MEDIUM `ses-dkim-dns-partial` / HIGH `ses-dkim-dns-missing` (false-CLEAN closure) / LOW + evidenceGap `ses-dkim-dns-unverifiable`. **Part B — DMARC TXT record parser + MailFrom promotion** (dim 2) — RFC 7489 §6.4 tag-list parser. Five outcomes: PASS `ses-dmarc-policy-reject` / MEDIUM `ses-dmarc-policy-quarantine` / HIGH `ses-dmarc-policy-none` / HIGH `ses-dmarc-missing` / LOW + evidenceGap `ses-dmarc-unverifiable`. **Part C — SES classic GetIdentityPolicies parity** (dim 4) — cross-API discrepancy detection emits HIGH `ses-classic-policy-discrepancy` on classic-only policy (canonical false-NEGATIVE class). **8 same-session reviewer folds** (1 CRITICAL + 3 HIGH + 2 MEDIUM + 2 LOW). **R-CRITICAL-1 closure**: DMARC `pct=0` silent-PASS false-CLEAN — `pct=0` on `p=reject`/`p=quarantine` functionally equivalent to `p=none` (zero percent enforced); now routes to HIGH `ses-dmarc-policy-none`. **R-HIGH-1 closure**: DMARC `sp` subdomain-policy override now evaluated — `p=reject; sp=none` downgrades to HIGH (subdomain-takeover false-NEGATIVE class previously silent CLEAN). **R-HIGH-2 closure**: brittle `inTestMode = !!opts._client` coupling replaced with explicit `_skipV2Promotion` master switch + 3 orthogonal kill-switches. **R-HIGH-3/MEDIUM-1/MEDIUM-3/LOW-1/2/3 closures**: defensive guards + JSON deep-equal policy-doc compare + RFC-tolerant DMARC prefix + parser symmetry + ZDE sanitization + cardinality-cap discipline. **+91 new tests this cycle** (53 v2 base + 19 reviewer-fold pins + 19 others); plugin 1190 test count grew 116 → 207 across 24 → 40 suites. **EE full regression: 4787/4787; 46-session 100% green streak preserved**. **Real-DNS smoke validation END-TO-END** against production resolvers (`_dmarc.nsasoft.us` parsed correctly: `p=reject, sp=reject (default), pct=100`; forward-compat `fo=1` tag preserved in `rawTags`). Empty-account SESv2 enumeration baseline succeeded end-to-end against `522412052794` (no SES identities provisioned — fixture-provisioning gap carries over from v1). CE binary unchanged in 0.1.49 (code identical to 0.1.40 → 0.1.48); the bump carries the EE-paired-release narrative. **Sixth consecutive trio-publish across EE + CE + agent-skill in a single session** — institutionalized discipline now spans 6 ship cycles (0.4.5 / 0.4.6 / 0.4.7 / 0.4.8 / 0.4.9 / 0.5.0). Paired agent-skill 0.1.16 catalog refresh reflects plugin 1190 v2 extension. Memory tag closures: `aws_string_case_normalization` holds at **20×**; `conservative_classifier_principle` reinforced in 7 new fold sites; `emit_literal_set_drift` extended with 13 new named constants.
-- **0.1.48 (deprecated)** — paired with EE 0.4.9. EE-RT.17 v2 plugin 1180 ElastiCache Redis Auditor extension (kms:DescribeKey cross-reference promotion + subnet route-table verifier); 7 same-session reviewer folds incl. 1 MEDIUM false-NEGATIVE closure (default-VPC main-RT inheritance escalated to LOW + evidenceGap).
-- **0.1.47 (deprecated)** — paired with EE 0.4.8. EE-RT.14 v3 plugin 1140 RDS Auditor grown 7 → 10 dimensions (database audit-logging: pgAudit + CloudWatch Logs exports + retention); 9 same-session reviewer folds incl. HIGH Aurora cluster log-path false-INFO closure + MEDIUM pgAudit-without-SPL false-PASS closure. Real-AWS smoke validation PASS + HIGH path end-to-end.
-- **0.1.46 (deprecated)** — paired with EE 0.4.7. NEW plugin 1190 AWS SES Email Integrity Auditor (DKIM / MailFrom / TLS / sending-auth wildcard principals / dedicated IPs / suppression-list); 11 same-session reviewer folds incl. CRITICAL NotPrincipal+Allow false-CLEAN closure. Plugin count 19 → 20.
-
-For 0.1.30 → 0.1.45 release notes (full per-release history of EE plugin 1140/1150/1160/1170/1180 cohort + the EE 0.4.x multi-ship cycle institutionalization + EE 0.4.0 cohort with 7 new AWS auditor plugins 1070–1130 anchored by the 1130 AWS Backup Auditor 12-dimension air-gapped vault attestation arc), see [CHANGELOG.md](./CHANGELOG.md).
+For complete per-release history, see [CHANGELOG.md](./CHANGELOG.md). The Community Edition binary has been unchanged since 0.1.40; recent CE patches are documentation refreshes paired with Enterprise Edition (`@nsasoft/nsauditor-ai-ee`) ships.
+
+- **0.1.55 (current)** — Paired with EE 0.6.1: NEW EE plugin 1200 AWS Inspector2 / GuardDuty Enablement Auditor (CC7.1 + CC7.2).
+- **0.1.54** — Paired with EE 0.6.0: NEW EE plugin 1160 AWS VPC Endpoints / PrivateLink Auditor (CC6.6 + A1.2 + CC7.2).
+- **0.1.50 – 0.1.53** — Paired with EE 0.5.x line (SES / SQS-SNS / cross-plugin hardening cycles).
+- **0.1.46 – 0.1.49** — Paired with EE 0.4.7 – 0.4.9 (SES / RDS / ElastiCache Redis extensions).
+- **Earlier** — CE 0.1.30 → 0.1.45 release notes (full per-release history) live in [CHANGELOG.md](./CHANGELOG.md).
 
 ---
 
+
 ## What It Does
 
 ```
@@ -183,7 +180,9 @@ Results land in `./out/<host>_<timestamp>/`:
 
 ### Pro/Enterprise Plugins (via @nsasoft/nsauditor-ai-ee)
 
-**EE 0.6.0 ships 21 enterprise plugins** (UP FROM 20 — the 0.6.0 minor-version milestone is the first new plugin since EE 0.4.7: EE-RT.19 v1 NEW plugin 1160 AWS VPC Endpoints / PrivateLink Auditor; first plugin to specifically audit the PrivateLink isolation boundary; 4 SOC 2 dimensions; clean reviewer pass).
+**EE 0.6.1 ships 22 enterprise plugins** (UP FROM 21 — the 0.6.1 patch-level new-plugin extension is EE-RT.20 v1 NEW plugin 1200 AWS Inspector2 / GuardDuty Enablement Auditor; first AWS-managed-threat-detection substrate audit; 4 active SOC 2 dimensions; 6 same-session R1 reviewer folds incl. R1-CRITICAL-1 soc2.json titlePattern misalignment closure preventing a shipping false-CLEAN on the compliance-mapping layer).
+
+**EE 0.6.0 (superseded)** —**EE 0.6.0 ships 21 enterprise plugins** (UP FROM 20 — the 0.6.0 minor-version milestone is the first new plugin since EE 0.4.7: EE-RT.19 v1 NEW plugin 1160 AWS VPC Endpoints / PrivateLink Auditor; first plugin to specifically audit the PrivateLink isolation boundary; 4 SOC 2 dimensions; clean reviewer pass).
 
 **EE 0.5.4 (superseded)** —**EE 0.5.4 ships 20 enterprise plugins** (UNCHANGED from EE 0.5.3 — the 0.5.4 bump is a cross-plugin Thread H sweep: §7.5 `_promote*FromKms` signature hardening on plugin 1140 v2 + 1180 v2 + §8 operator-config DoS caps on plugin 1170 v2; clean reviewer pass with 0 R-CRITICAL + 0 R-HIGH; final v0.5.x close-out cycle).
 
@@ -222,6 +221,7 @@ Results land in `./out/<host>_<timestamp>/`:
 | **1170** | **AWS EC2 SG Perimeter Auditor** (EE 0.4.5 v1; **EXTENDED in EE 0.4.6 v2** — RESTRICTED_PORTS 13 → 23 ports per CIS AWS Foundations v3.0 + operator-config + per-SG cardinality cap) | Enterprise | Audits AWS EC2 Security Groups against SOC 2 CC6.6 network-segmentation evidence — reads the AWS-API DECLARED SG policy via `DescribeSecurityGroups`. **Orthogonal evidence to plugin 1023 zero-trust-checker** (1023 reads OBSERVED open ports from prior network probes; 1170 reads DECLARED SG policy). The pair gives auditors complete coverage of "is this port reachable, and is it supposed to be?" **Cross-plugin sister of EE-RT.14 v2 `_classifyPublicAccessibility`** dimension in plugin 1140 (which emits "auditor walkthrough required for SG analysis"; plugin 1170 closes that walkthrough deterministically). **6 audit dimensions:** **IPv4 0.0.0.0/0 ingress to RESTRICTED_PORTS** (CC6.6 perimeter — CRITICAL; **v2 RESTRICTED_PORTS covers 23 ports** per CIS AWS Foundations v3.0 alignment + emerging-data-tier coverage: SSH (22), RDP (3389), MS SQL (1433), MySQL (3306), Postgres (5432), Redshift (5439 — NEW v2), Redis (6379), Memcached (11211), MongoDB (27017), Elasticsearch (9200, 9300), CouchDB (5984), Docker daemon (2375), Kubelet API (10250), **K8s API server (6443 — NEW v2), etcd (2379-2380 — NEW v2), Kibana (5601 — NEW v2), InfluxDB (8086 — NEW v2), Kafka (9092 — NEW v2), Consul (8500 — NEW v2), ZooKeeper (2181 — NEW v2), Vault (8200 — NEW v2)**); **IPv6 ::/0 ingress to RESTRICTED_PORTS** (CC6.6 — CRITICAL IPv6 sibling; operators often miss while locking IPv4 down); **all-protocol (-1) ingress from 0.0.0.0/0** (CC6.6 — CRITICAL worst-possible perimeter posture; **per R-MEDIUM-1 fold suppresses dim 1+2 emissions at SG-scope** — auditor pack stays at one CRITICAL/SG instead of N+1); **public ingress to non-restricted ports** (CC6.6 substrate — INFO + walkthroughRequired; 80/443/8080-style web tier likely intentional, auditor verifies intent); **egress 0.0.0.0/0** (CC6.6 substrate — INFO; AWS-default posture; out-of-scope for SG-layer DLP concerns); **orphan SGs** (CC6.2 governance — LOW; SG with no attached ENI via `DescribeNetworkInterfaces` cross-reference; AWS-default `default` SGs per-VPC excluded; **v2 system-managed-SG name-prefix exclusion list** excludes `ElasticMapReduce-`, `eks-cluster-sg-`, `AWSServiceRole`, `awseb-` etc. from orphan-detection — these are AWS-service-controlled and structurally non-deletable). **v2 operator-config knob `opts.additionalRestrictedPorts`** — lets tenants add custom ports beyond the baseline (validated 0-65535 integer + deduped against baseline). **v2 per-SG cardinality cap via `_USER_GROUP_DISPLAY_CAP = 10`** with rollup trailer (`...and N more`) defends against finding-size DoS on 1000+ SG accounts. **`UserIdGroupPairs` (SG-as-source) rules** surfaced as INFO + evidenceGap + walkthroughRequired per R-HIGH-1 fold — v1 only analyzes CIDR-source rules; transitive SG→SG chain reachability deferred to v3 (EE-RT.16 v3). 10 new soc2.json titlePattern entries across v1 + v2 (6 CC6.6 + 1 CC6.2 from v1; 1 PASS-tier fix + 2 cardinality-cap trailers from v2). Full institutional contract applied day-1. **7 same-session v2 reviewer folds including 2 CONVERGENT-CRITICAL findings** (C1 pre-existing v1 PASS-tier titlePattern bug; C2 cardinality-cap-trailer titlePatterns silently dropped at framework-engine harvest pre-fold). Smoke-validated against `test-infra-builder` paired fixtures (`nsauditor-secure-sg` + `nsauditor-exposed-sg`) in account 522412052794. **CC6.6 / CC6.2**. |
 | **1190** | **AWS SES Email Integrity Auditor** (NEW EE 0.4.7; **EXTENDED EE 0.5.0 v2** — dims 1 + 2 + 4 grown in scope: DKIM CNAME DNS resolution + DMARC TXT record parser + SES classic API parity; first plugin in EE to depend on `node:dns/promises` for live DNS cross-reference) | Enterprise | Audits AWS SES + SESv2 email-sending substrate against **6 SOC 2 evidence dimensions** spanning confidentiality + email-integrity. Closes the next-highest-priority gap from the AWS SOC 2 audit-canonical compliance checklist after Redis closed in EE 0.4.6. **DKIM enablement + signing status** (CC6.1 / Privacy — `DkimAttributes.SigningEnabled` + 5-enum Status classifier: SUCCESS PASS / PENDING-TEMPORARY_FAILURE-NOT_STARTED INFO+walkthroughRequired transient / FAILED MEDIUM on DNS drift / unknown LOW+evidenceGap per `conservative_classifier_principle`; HIGH on SigningEnabled=false because outbound mail unsigned defeats SPF+DKIM+DMARC trust chain). **Custom MailFrom domain alignment** (Privacy substrate — `MailFromAttributes.MailFromDomain` + `MailFromDomainStatus`; INFO + walkthroughRequired on default amazonses.com because DMARC strict alignment impossible without custom MailFrom subdomain; PASS on custom + Status=SUCCESS). **Configuration set TLS enforcement** (C1.1 transit — `DeliveryOptions.TlsPolicy`; REQUIRE PASS / OPTIONAL HIGH opens SMTP-downgrade-attack window where network-layer adversary can strip STARTTLS from EHLO response forcing cleartext delivery of message body + headers; **distinct LOW + `tlsPolicyType` evidence branch** per R-MEDIUM-7 reviewer-fold catches non-string SDK-contract violations separately from missing-field unverifiable — pre-fold both flowed through identical narrative with empty quotes). **Identity sending authorization policy permissive principals** (CC6.6 — JSON-parsed IAM policy with **multi-class wildcard detector** covering bare `"*"` + `{AWS:"*"}` + `{Service:"*"}` + `{Federated:"*"}` + `{CanonicalUser:"*"}` + array-form `[*]` per R-HIGH-4 reviewer-fold walking every Principal class value; **distinct HIGH `ses-sending-auth-notprincipal-allow`** per R-CRITICAL-1 reviewer-fold catches NotPrincipal+Effect=Allow wildcard-EQUIVALENT class (universal grant minus exclusion list — pre-fold silently classified as bounded = false-CLEAN; matches plugins 1070 + 1150 NotPrincipal+Allow discipline); **LOW + evidenceGap `ses-sending-auth-malformed-statement`** per R-HIGH-2 reviewer-fold surfaces Effect-missing send-action statements that pre-fold were silently dropped). **Dedicated IP pool sending posture** (CC7.1 substrate, account-level — `ListDedicatedIpPools`; INFO + walkthroughRequired on configured pools / INFO on shared-pool default). **Suppression list state** (CC7.1 deliverability substrate, account-level — `ListSuppressedDestinations`; **ZDE invariant: NEVER reads suppressed-destination email addresses** — count + reason only; verified at run() envelope boundary via sentinel-string assertion per R-LOW-8 reviewer-fold). **Dual API surface discipline:** v1 uses SESv2 only (canonical modern API surface covers all 6 dimensions); `@aws-sdk/client-ses` declared in optionalDependencies for v2+ cross-API parity (per the dual-API discipline established in plugin 1180) — `_loadSesClassicSdk` dead-code load-check REMOVED per R-MEDIUM-6 reviewer-fold (false-degraded risk: pre-fold a missing classic SDK in production forced run() into "Plugin skipped" path even though v1 never exercises any classic export). 8 new soc2.json titlePattern entries (3 CC6.1 + 3 CC6.6 + 2 C1.1). Full institutional contract applied day-1 (EE-RT.13 PLUGIN_ID export + Thread H wrap + ZDE sanitizer + conservative classifier + EE-RT.12.25 v1 run() scaffold). **11 same-session reviewer folds applied** — ties the single-cycle reviewer-fold record (independent `general-purpose-agent` review yielded 12 findings; 11 folded same-session, 1 deferred to cross-plugin Thread H sweep). **Fourth EE plugin to ship without smoke-time SDK hotfix** (`@aws-sdk/client-ses` + `@aws-sdk/client-sesv2` both preemptively added to optionalDependencies). **No real-AWS smoke against violation-tier fixtures** — test-infra-builder has NO SES paired fixtures yet (full-stack fixtures deferred to EE-RT.18 v2 alongside DKIM CNAME DNS resolution + DMARC TXT record parsing). Empty-account smoke baseline against 522412052794 DID succeed end-to-end: plugin loads via CE→EE binding, all 4 SESv2 API enumerations succeed, baseline 2 INFO findings emit correctly, durationMs=842, ZDE invariant preserved. **CC6.1 / CC6.6 / C1.1 / CC7.1 (substrate) / Privacy (substrate)**. |
 | **1180** | **AWS ElastiCache Redis Auditor** (EE 0.4.6 v1; **EXTENDED in EE 0.4.9 v2** — dims 2 + 6 grown in scope: kms:DescribeKey promotion + subnet route-table verifier; closes both v1 deferred items R-MEDIUM-3 + R-LOW-2) | Enterprise | Audits AWS ElastiCache Redis clusters against **6 SOC 2 substrate-evidence dimensions** spanning confidentiality + availability + segmentation. Closes the highest-priority gap from the AWS SOC 2 audit-canonical compliance checklist. **Transit encryption** (C1.1 PASS/HIGH — `TransitEncryptionEnabled=true` wraps RESP in TLS for client→cluster + primary→replica connections; HIGH on disabled — cleartext RESP on wire + AUTH tokens flow cleartext; cannot be toggled in place, requires snapshot+restore). **At-rest encryption with KMS key custody** (C1.1 four-tier ladder — HIGH disabled → MEDIUM AWS-owned-default (encrypted but no customer KmsKeyId) → MEDIUM `alias/aws/elasticache` (AWS-managed alias via `_AWS_MANAGED_ELASTICACHE_ALIAS_RE`) → PASS customer-managed CMK + LOW+evidenceGap on `:key/UUID` ARN form per `conservative_classifier_principle`). **Redis AUTH / IAM-auth user groups** (CC6.1 + CC6.2 — PASS on UserGroupIds configured (Redis 7+ ACL/IAM-auth user groups replace long-lived AUTH passwords); MEDIUM on no-authentication (cluster relies solely on SG perimeter — cross-plugin sister with plugin 1170 SG-perimeter audit); UserGroupIds cardinality cap 10 + "...and N more" overflow per R-MEDIUM-1 fold). **Multi-AZ deployment** (A1.2 availability — HIGH on `MultiAZ=disabled` for replication groups; INFO + standalone-not-applicable on single-node CacheClusters; INFO + evidenceGap on transient states `enabling` / `disabling` per `conservative_classifier_principle`). **SnapshotRetentionLimit cadence** (A1.2 — 0 = HIGH (no snapshots), 1-6 days = MEDIUM (below 7-day baseline), ≥7 days = PASS; operator-tunable via `opts.snapshotRetentionPassMinDays` clamped 1..35). **Subnet placement** (CC6.6 perimeter — INFO + walkthroughRequired on `default` subnet group per `conservative_classifier_principle` — operator may have private subnets named "default"). **Dual API enumeration with inter-API dedup**: `DescribeReplicationGroups` + `DescribeCacheClusters` covers both replication-group and standalone-CacheCluster surfaces; CacheClusters with `ReplicationGroupId` set are skipped (member-of-replication-group rule) to avoid double-emission. `_ELASTICACHE_SUPPORTED_ENGINES = Object.freeze(new Set(["redis"]))` — Memcached is out-of-scope by design (no native AUTH; no transit encryption substrate). 16 new soc2.json titlePattern entries (4 CC6.1 + 1 CC6.6 + 5 A1.2 + 8 C1.1). Full institutional contract applied day-1 (EE-RT.13 PLUGIN_ID export + Thread H wrap + ZDE sanitizer + conservative classifier + EE-RT.12.25 v1 run() scaffold). 3 same-session reviewer folds applied (R-MEDIUM-1 UserGroupIds cardinality cap canonical-parity, R-LOW-1 transient Multi-AZ state INFO + evidenceGap, R-LOW-2 inter-API dedup test pin). **Third EE plugin to ship without smoke-time SDK hotfix** (`@aws-sdk/client-elasticache` preemptively added to optionalDependencies). Smoke-validated against `test-infra-builder` paired fixtures (`redis-secure-cache` + `redis-leaky-cache`) in account 522412052794. **CC6.1 / CC6.2 / CC6.6 / A1.2 / C1.1**. |
+| **1200** | **AWS Inspector2 / GuardDuty Enablement Auditor** (**NEW EE 0.6.1** — first AWS-managed-threat-detection substrate audit; second multi-service plugin in EE after plugin 1150 SQS+SNS) | Enterprise | Audits AWS GuardDuty + AWS Inspector2 enablement state — the **foundation-layer institutional evidence for CC7.1 detection procedures + CC7.2 monitoring** (an audit pack without managed-threat-detection evidence has no AWS-native anomaly-detection or CVE-detection stream). **4 active SOC 2 dimensions** (dim 5 org-scope deferred to v2 per EE-RT.20.1): **Dim 1 — GuardDuty Detector enablement per region** (CC7.1 — `guardduty:ListDetectors`; zero detectors = HIGH `gd-not-enabled` institutional silent-blind class — GuardDuty would catch reconnaissance / credential exfiltration / crypto-mining / malicious-IP communication). **Dim 2 — GuardDuty protection-feature coverage** (CC7.1 evidence depth — per-detector `guardduty:GetDetector`; institutional baseline S3_DATA_EVENTS / EKS_AUDIT_LOGS / EBS_MALWARE_PROTECTION / **RDS_LOGIN_EVENTS (R1-HIGH-3 fold)** / LAMBDA_NETWORK_LOGS / RUNTIME_MONITORING; modern Features[] + legacy DataSources fallback both supported with shared case-insensitive `_statusEnabled` predicate per `[[aws_string_case_normalization]]` R1-CRITICAL-2 fold). **Dim 3 — Inspector2 enablement** (CC7.1 + CC7.2 — `inspector2:BatchGetAccountStatus`; DISABLED/SUSPENDED = HIGH silent-blind for CVE coverage on EC2/ECR/Lambda; transient = INFO; unknown enum = LOW + evidenceGap per `[[conservative_classifier_principle]]`). **Dim 4 — Inspector2 scan-target coverage** (CC7.1 zero / CC7.2 partial — institutional baseline {EC2, ECR, Lambda}; zero resource types active = HIGH `inspector2-coverage-zero` silent-blind class; partial = MEDIUM with explicit `disabledResources` list). **6 same-session R1 reviewer folds** (network-security + Explore in parallel; 2 R-CRITICAL + 3 R-HIGH + 1 institutional-discipline): **R1-CRITICAL-1 soc2.json titlePattern misalignment closure** — 4 patterns would have silently failed CC7.1/CC7.2 compliance routing; all re-anchored to actual emission strings. **R1-CRITICAL-1 AccessDenied distinct findings** — distinct `_CAT_GD_ACCESSDENIED` / `_CAT_INS_ACCESSDENIED` categories so auditor walkthrough knows the cause is auditor-IAM gap not service absence. **R1-CRITICAL-2 legacy DataSources case normalization** via shared `_statusEnabled` predicate. **R1-HIGH-2 SUSPENDED/DISABLED Detector silent-blind closure** — Status guard added → HIGH `_CAT_GD_DETECTOR_NOT_ENABLED`. **R1-HIGH-3/4 dead-code drift closures**. **4 R2 reviewer-deferred** (queued in EE-RT.20.1): all-regions enumeration / FindingPublishingFrequency check / alerting-destination check / BatchGetAccountStatus contract verification. **No new SDK dependencies** — `@aws-sdk/client-guardduty` + `@aws-sdk/client-inspector2` added to optionalDependencies. 7 new soc2.json titlePattern entries (4 CC7.1 + 3 CC7.2) — all anchored to actual plugin emission strings after R1-CRITICAL-1 fold. Full institutional contract applied day-1 (EE-RT.13 PLUGIN_ID + Thread H wrap on BOTH GuardDuty + Inspector2 clients + ZDE sanitizer + conservative classifier + EE-RT.12.25 v1 run() scaffold). 48 plugin tests + 4 R1-fold regression pins (52 total). Synthetic-mock validation only — no GuardDuty/Inspector2 paired fixtures yet in test-infra-builder. **CC7.1 / CC7.2**. |
 | — | SOC 2 Compliance Engine | Enterprise | AICPA TSC 2017 control mapping (10 covered + 4 partial controls post-EE 0.3.9 / 0.4.0), chain-of-custody, RFC 3161 timestamps, suppression workflow |
 | — | SLA & MTTR Tracking | Enterprise | Per-severity SLA targets, compensating-control flow, finding lifecycle |
 | — | Recurring-Scan Attestation | Enterprise | Multi-scan chronological matrix, cadence gap detection, scope drift (CC8.1) |

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nsauditor-ai",
-  "version": "0.1.54",
+  "version": "0.1.55",
   "description": "Modular AI-assisted network security audit platform — Community Edition",
   "type": "module",
   "private": false,