nsauditor-ai 0.1.54 → 0.1.56

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md CHANGED
@@ -17,20 +17,18 @@ NSAuditor AI is the open-source core of a privacy-first security intelligence pl
17
17
 
18
18
  ## What's New
19
19
 
20
- - **0.1.54 (current)** — docs-only patch announcing **EE 0.6.0 release** (paired release narrative — minor-version milestone). **EE plugin count 20 → 21** — EE-RT.19 v1 NEW plugin 1160 AWS VPC Endpoints / PrivateLink Auditor. **First plugin to specifically audit the PrivateLink isolation boundary** (complements plugin 1170 layer-4 SG perimeter with SERVICE-LAYER perimeter audit). **4 SOC 2 dimensions**: endpoint resource policy permissive principals (CC6.6 CRITICAL on unconditional wildcard); PrivateDNS enabled (CC6.6 MEDIUM silent-bypass when Interface + disabled); endpoint state (A1.2 + CC7.2 HIGH on `failed`); endpoint type substrate disclosure. **Clean reviewer pass** (0 R-CRITICAL + 0 R-HIGH; 2 R-MEDIUM/NIT folded same-session). **+59 new tests**; EE regression: 5044/5044 across 792 suites; 51-session 100% green streak. **7 new soc2.json rules** (5 CC6.6 + 2 CC7.2/A1.2 dual-mapped). Coverage matrix UNCHANGED at 10/4/33. CE binary unchanged. **Eleventh consecutive trio-publish across EE + CE + agent-skill** — 0.4.5–0.6.0.
21
- - **0.1.53 (deprecated)** — docs-only patch announcing **EE 0.5.4 release** (paired release narrative). **EE plugin count UNCHANGED at 20** (no new plugin in 0.5.4; cross-plugin Thread H sweep). **§7.5 closure**: `_promote*FromKms` cross-plugin signature hardening on plugin 1140 v2 + plugin 1180 v2 — Map-form lookup replaces caller-side parallel-threading (closes false-CLEAN class). **§8 closure**: operator-config DoS caps on plugin 1170 v2 (`_OPERATOR_CONFIG_MAX_ENTRIES = 1000`). **Clean reviewer pass** (0 R-CRITICAL + 0 R-HIGH; 3 R-MEDIUM/LOW coverage pins folded same-session). **+20 new tests** cross-plugin; EE full regression: 4982/4982; 50-session 100% green streak preserved. **Coverage matrix UNCHANGED at 10/4/33** — pure structural-discipline tightening. CE binary unchanged. **Tenth consecutive trio-publish across EE + CE + agent-skill** — 0.4.5–0.5.4. **v0.5.x close-out cycle**; ready for 0.6.0 milestone.
22
- - **0.1.52 (deprecated)** — docs-only patch announcing **EE 0.5.3 release** (paired release narrative). **EE plugin count UNCHANGED at 20** (no new plugin in 0.5.3; existing plugin 1190 `aws-ses-auditor` extended via **EE-RT.18 v3**: Part A DKIM public-key fingerprint capture/pin + Part B in-band DMARC alignment classifier). **5 same-session reviewer folds** (1 R-CRITICAL + 3 R-HIGH + 1 R-MEDIUM). **R-CRITICAL closure (discovered via test)**: `_stripControlChars` 256-char truncation corrupted long DKIM keys producing wrong SHA-256 fingerprints — new `_stripControlCharsNoTruncate` helper for cryptographic-data surface. **R-HIGH closures**: empty/short-key floor (≥128 bytes catches `p=` empty-key substitution attacks) + multiple-DKIM1-records LOW + evidenceGap (no silent [0] truncation) + DMARC alignment double-failure visibility. **R-MEDIUM closure**: pin-store + failed-capture-on-pinned-token downgraded to LOW + evidenceGap. **Coverage matrix UNCHANGED at 10/4/33** — 8 new aws-ses-auditor mapping rules (CC6.1 + Privacy). **+61 new tests this cycle** (45 v3 base + 16 reviewer-fold pins); plugin 1190 test count grew 248 → 309 across 49 → 60 suites. **EE full regression: 4962/4962; 49-session 100% green streak preserved**. **No new SDK dependencies** — v3 uses existing node:dns/promises + node:crypto. CE binary unchanged in 0.1.52 (code identical to 0.1.40 → 0.1.51). **Ninth consecutive trio-publish across EE + CE + agent-skill in a single session**. Memory tag closures: `conservative_classifier_principle` reinforced in 5 new fold sites; `emit_literal_set_drift` extended with 8 new named emission categories + 1 frozen Set + 1 new regex pin + 1 new no-truncate helper; `aws_string_case_normalization` reinforced via case-insensitive pin compare.
23
- - **0.1.51 (deprecated)** — docs-only patch announcing **EE 0.5.2 release** (paired release narrative). **EE plugin count UNCHANGED at 20** (no new plugin in 0.5.2; existing plugin 1190 `aws-ses-auditor` underwent pure v2.1 consolidation via **EE-RT.18 v2.1** — closes 7 deferred reviewer-fold items from the 0.5.0 cycle). **6 same-session reviewer folds** (1 CRITICAL + 3 HIGH + 2 MEDIUM): **R-CRITICAL closure**: missing soc2.json titlePattern for new `ses-dkim-dns-partial-with-transients` MEDIUM emission — same false-mapping class as 0.5.1 R-HIGH soc2-anchoring fold. **R-HIGH closure (silent-loss class)**: SES classic API quota exhaustion now routes post-retry-exhaustion bubble to `ses-classic-policy-unverifiable` LOW + evidenceGap with `cause: "classic-sdk-quota-exhausted"` (pre-fold this fell through to silent loss via warnings.push). **R-HIGH closures**: unknown-DNS-code call-site fail-safe pin + identityType producer→consumer round-trip. **R-MEDIUM closures**: mixed-failure-mode test + module-load-time disjointness IIFE (`_assertDnsErrorCodeSetsDisjoint()` promotes the invariant from test-time to Node startup enforcement). **7 deferred items closed**: DKIM partial-match severity tier (new MEDIUM `ses-dkim-dns-partial-with-transients`) + explicit `_DNS_TRANSIENT_ERROR_CODES` named Set + broadened classic-side error taxonomy (`IdentityNotVerified` / `ConfigurationSetDoesNotExist` / quota-error names) + DMARC chunk-split end-to-end + DKIM special-chars + identityType normalization + cosmetic constant-casing. **Coverage matrix UNCHANGED at 10/4/33** — pure evidence-quality uplift on already-covered CC6.1 + CC6.6 + A1.2 + CC7.1 + CC7.2 controls via 1 new aws-ses-auditor mapping rule + 5 reinforced classifier contracts. **+41 new tests this cycle** (34 deferred-items sweep base + 7 reviewer-fold pins); plugin 1190 test count grew 207 → 248 across 40 → 49 suites. **EE full regression: 4901/4901; 48-session 100% green streak preserved**. 
**No new SDK dependencies** — pure v2 consolidation. CE binary unchanged in 0.1.51 (code identical to 0.1.40 → 0.1.50). **Eighth consecutive trio-publish across EE + CE + agent-skill in a single session** — institutionalized discipline now spans 8 ship cycles (0.4.5 / 0.4.6 / 0.4.7 / 0.4.8 / 0.4.9 / 0.5.0 / 0.5.1 / 0.5.2). Paired agent-skill 0.1.18 catalog refresh reflects plugin 1190 v2.1 consolidation. Memory tag closures: `conservative_classifier_principle` reinforced in 3 new fold sites; `emit_literal_set_drift` extended with 3 new named Sets + 1 new named category + module-load-time disjointness IIFE; `aws_string_case_normalization` reinforced via identityType normalization at promoter consumer sites.
24
- - **0.1.50 (deprecated)** — paired with EE 0.5.1. EE-RT.15 v2 plugin 1150 SQS/SNS Auditor 5 → 7 dimensions (CloudWatch alarm coverage). Closes the **"messaging monitoring" SOC 2 dimension** per `tasks/things-to-check.md` §4 institutional checklist. **First plugin-1150 dim to cross an SDK boundary** (SQS+SNS → CloudWatch); single-fetch budget — `_enumerateMetricAlarms` paginates `cloudwatch:DescribeAlarms` once, `_buildAlarmIndex` builds per-resource Maps for O(1) lookup. **Dim 6 — SQS age-alarm coverage** (CC7.2 + A1.2; per-queue PASS / MEDIUM / LOW / LOW + evidenceGap). **Dim 7 — SNS failure-alarm coverage** (CC7.2 + A1.2; per-topic analogue). **Soft-degrade contract** — CW SDK load failure routes per-resource classifier to LOW + evidenceGap rather than blocking SQS+SNS primary substrate audit. **7 same-session reviewer folds** (1 CRITICAL + 1 HIGH + 2 MEDIUM + 1 LOW + 1 NIT; 6 folded same-session, 1 NIT deferred). **R-CRITICAL closure**: `ActionsEnabled=true + AlarmActions=[]` was silent PASS pre-fold (CloudWatch fires NO operator paging on empty AlarmActions); `actionable` filter now requires BOTH `ActionsEnabled=true` AND non-empty `AlarmActions[]`. Discriminates "all disabled" vs "all empty actions" in remediation narrative. **R-HIGH closure**: soc2.json PASS-tier titlePatterns narrowed to anchor on `AWS/SQS:ApproximateAgeOfOldestMessage` / `AWS/SNS:NumberOfNotificationsFailed` clauses. **R-MEDIUM-1/2 + R-LOW closures**: defensive shape guard + multi-alarm collision tests + FIFO end-to-end + corrupted-shape defensive tests. **+52 new tests this cycle** (41 v2 base + 11 reviewer-fold pins); plugin 1150 test count grew 116 → 168 across 22 → 33 suites. **EE full regression: 4860/4860; 47-session 100% green streak preserved**. **12 new soc2.json titlePattern entries** (8 CC7.2 + 4 A1.2 dual-mapped). 
**Synthetic-mock validation only** this cycle — real-AWS smoke deferred (no SQS/SNS paired fixtures yet in test-infra-builder; ship-without per documented gap, EE 0.5.0 SES precedent). **No new SDK dependencies** — `@aws-sdk/client-cloudwatch` already declared in optionalDependencies since EE 0.4.0. CE binary unchanged in 0.1.50 (code identical to 0.1.40 → 0.1.49); the bump carries the EE-paired-release narrative. **Seventh consecutive trio-publish across EE + CE + agent-skill in a single session** — institutionalized discipline now spans 7 ship cycles (0.4.5 / 0.4.6 / 0.4.7 / 0.4.8 / 0.4.9 / 0.5.0 / 0.5.1). Paired agent-skill 0.1.17 catalog refresh reflects plugin 1150 v2 extension. Memory tag closures: `aws_string_case_normalization` reinforced via split-surface QueueName/TopicName discipline; `conservative_classifier_principle` reinforced in 4 new fold sites; `emit_literal_set_drift` extended with 7 new named CW constants.
25
- - **0.1.49 (deprecated)** — paired with EE 0.5.0. EE-RT.18 v2 plugin 1190 SES Email Integrity Auditor extension (DKIM CNAME DNS resolution + DMARC TXT record parser + SES classic API parity). **First ship to add NETWORK-LAYER cross-reference** (live DNS resolution via `node:dns/promises`) to the AWS-SDK-substrate evidence baseline structurally distinct evidence-acquisition surface from prior 0.4.x cycles, which justifies the 0.5.0 minor-version milestone bump even without a coverage matrix shift. **Part A — DKIM CNAME DNS resolution promotion** (dim 1) — closes canonical false-CLEAN window where SES reports `Status=SUCCESS` but DNS CNAMEs were subsequently rotated/removed. Four outcomes: PASS `ses-dkim-dns-verified` / MEDIUM `ses-dkim-dns-partial` / HIGH `ses-dkim-dns-missing` (false-CLEAN closure) / LOW + evidenceGap `ses-dkim-dns-unverifiable`. **Part B — DMARC TXT record parser + MailFrom promotion** (dim 2) — RFC 7489 §6.4 tag-list parser. Five outcomes: PASS `ses-dmarc-policy-reject` / MEDIUM `ses-dmarc-policy-quarantine` / HIGH `ses-dmarc-policy-none` / HIGH `ses-dmarc-missing` / LOW + evidenceGap `ses-dmarc-unverifiable`. **Part C — SES classic GetIdentityPolicies parity** (dim 4) — cross-API discrepancy detection emits HIGH `ses-classic-policy-discrepancy` on classic-only policy (canonical false-NEGATIVE class). **8 same-session reviewer folds** (1 CRITICAL + 3 HIGH + 2 MEDIUM + 2 LOW). **R-CRITICAL-1 closure**: DMARC `pct=0` silent-PASS false-CLEAN — `pct=0` on `p=reject`/`p=quarantine` functionally equivalent to `p=none` (zero percent enforced); now routes to HIGH `ses-dmarc-policy-none`. **R-HIGH-1 closure**: DMARC `sp` subdomain-policy override now evaluated — `p=reject; sp=none` downgrades to HIGH (subdomain-takeover false-NEGATIVE class previously silent CLEAN). **R-HIGH-2 closure**: brittle `inTestMode = !!opts._client` coupling replaced with explicit `_skipV2Promotion` master switch + 3 orthogonal kill-switches. 
**R-HIGH-3/MEDIUM-1/MEDIUM-3/LOW-1/2/3 closures**: defensive guards + JSON deep-equal policy-doc compare + RFC-tolerant DMARC prefix + parser symmetry + ZDE sanitization + cardinality-cap discipline. **+91 new tests this cycle** (53 v2 base + 19 reviewer-fold pins + 19 others); plugin 1190 test count grew 116 → 207 across 24 → 40 suites. **EE full regression: 4787/4787; 46-session 100% green streak preserved**. **Real-DNS smoke validation END-TO-END** against production resolvers (`_dmarc.nsasoft.us` parsed correctly: `p=reject, sp=reject (default), pct=100`; forward-compat `fo=1` tag preserved in `rawTags`). Empty-account SESv2 enumeration baseline succeeded end-to-end against `522412052794` (no SES identities provisioned — fixture-provisioning gap carries over from v1). CE binary unchanged in 0.1.49 (code identical to 0.1.40 → 0.1.48); the bump carries the EE-paired-release narrative. **Sixth consecutive trio-publish across EE + CE + agent-skill in a single session** — institutionalized discipline now spans 6 ship cycles (0.4.5 / 0.4.6 / 0.4.7 / 0.4.8 / 0.4.9 / 0.5.0). Paired agent-skill 0.1.16 catalog refresh reflects plugin 1190 v2 extension. Memory tag closures: `aws_string_case_normalization` holds at **20×**; `conservative_classifier_principle` reinforced in 7 new fold sites; `emit_literal_set_drift` extended with 13 new named constants.
26
- - **0.1.48 (deprecated)** — paired with EE 0.4.9. EE-RT.17 v2 plugin 1180 ElastiCache Redis Auditor extension (kms:DescribeKey cross-reference promotion + subnet route-table verifier); 7 same-session reviewer folds incl. 1 MEDIUM false-NEGATIVE closure (default-VPC main-RT inheritance escalated to LOW + evidenceGap).
27
- - **0.1.47 (deprecated)** — paired with EE 0.4.8. EE-RT.14 v3 plugin 1140 RDS Auditor grown 7 → 10 dimensions (database audit-logging: pgAudit + CloudWatch Logs exports + retention); 9 same-session reviewer folds incl. HIGH Aurora cluster log-path false-INFO closure + MEDIUM pgAudit-without-SPL false-PASS closure. Real-AWS smoke validation PASS + HIGH path end-to-end.
28
- - **0.1.46 (deprecated)** — paired with EE 0.4.7. NEW plugin 1190 AWS SES Email Integrity Auditor (DKIM / MailFrom / TLS / sending-auth wildcard principals / dedicated IPs / suppression-list); 11 same-session reviewer folds incl. CRITICAL NotPrincipal+Allow false-CLEAN closure. Plugin count 19 → 20.
29
-
30
- For 0.1.30 → 0.1.45 release notes (full per-release history of EE plugin 1140/1150/1160/1170/1180 cohort + the EE 0.4.x multi-ship cycle institutionalization + EE 0.4.0 cohort with 7 new AWS auditor plugins 1070–1130 anchored by the 1130 AWS Backup Auditor 12-dimension air-gapped vault attestation arc), see [CHANGELOG.md](./CHANGELOG.md).
20
+ For complete per-release history, see [CHANGELOG.md](./CHANGELOG.md). The Community Edition binary has been unchanged since 0.1.40; recent CE patches are documentation refreshes paired with Enterprise Edition (`@nsasoft/nsauditor-ai-ee`) ships.
21
+
22
+ - **0.1.56 (current)** — Paired with EE 0.6.2: plugin 1200 v2 evidence-acquisition extension multi-region GuardDuty + Inspector2 enumeration (closes the single-region false-PASS class), GovCloud + ISO region support (closes a FedRAMP / StateRAMP / IL5+ false-PASS class), GuardDuty `FindingPublishingFrequency` check, Inspector2 baseline expansion (lambdaCode + codeRepository for Inspector2 GA 2024+).
23
+ - **0.1.55** — Paired with EE 0.6.1: NEW EE plugin 1200 AWS Inspector2 / GuardDuty Enablement Auditor (CC7.1 + CC7.2).
24
+ - **0.1.54** — Paired with EE 0.6.0: NEW EE plugin 1160 AWS VPC Endpoints / PrivateLink Auditor (CC6.6 + A1.2 + CC7.2).
25
+ - **0.1.50 0.1.53** — Paired with EE 0.5.x line (SES / SQS-SNS / cross-plugin hardening cycles).
26
+ - **0.1.46 – 0.1.49** — Paired with EE 0.4.7 0.4.9 (SES / RDS / ElastiCache Redis extensions).
27
+ - **Earlier** — CE 0.1.30 0.1.45 release notes (full per-release history) live in [CHANGELOG.md](./CHANGELOG.md).
31
28
 
32
29
  ---
33
30
 
31
+
34
32
  ## What It Does
35
33
 
36
34
  ```
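Review bot: the new line 20 claim that "The Community Edition binary has been unchanged since 0.1.40" is contradicted by this same diff, which edits package/cli.mjs and package/mcp_server.mjs (the trial-URL strings); either drop the claim or narrow it to the scan/plugin logic. In the added bullets the range separator is missing in three places: `**0.1.50 0.1.53**`, `EE 0.4.7 0.4.9` and `CE 0.1.30 0.1.45` should read `0.1.50 – 0.1.53`, `EE 0.4.7 – 0.4.9` and `CE 0.1.30 – 0.1.45`, matching the `**0.1.46 – 0.1.49**` bullet. The 0.1.56 bullet also needs a colon or dash after "evidence-acquisition extension" before the item list, and the added blank `+` line after `---` leaves two consecutive blank lines before `## What It Does`.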
@@ -183,7 +181,9 @@ Results land in `./out/<host>_<timestamp>/`:
183
181
 
184
182
  ### Pro/Enterprise Plugins (via @nsasoft/nsauditor-ai-ee)
185
183
 
186
- **EE 0.6.0 ships 21 enterprise plugins** (UP FROM 20 — the 0.6.0 minor-version milestone is the first new plugin since EE 0.4.7: EE-RT.19 v1 NEW plugin 1160 AWS VPC Endpoints / PrivateLink Auditor; first plugin to specifically audit the PrivateLink isolation boundary; 4 SOC 2 dimensions; clean reviewer pass).
184
+ **EE 0.6.1 ships 22 enterprise plugins** (UP FROM 21 — the 0.6.1 patch-level new-plugin extension is EE-RT.20 v1 NEW plugin 1200 AWS Inspector2 / GuardDuty Enablement Auditor; first AWS-managed-threat-detection substrate audit; 4 active SOC 2 dimensions; 6 same-session R1 reviewer folds incl. R1-CRITICAL-1 soc2.json titlePattern misalignment closure preventing a shipping false-CLEAN on the compliance-mapping layer).
185
+
186
+ **EE 0.6.0 (superseded)** —**EE 0.6.0 ships 21 enterprise plugins** (UP FROM 20 — the 0.6.0 minor-version milestone is the first new plugin since EE 0.4.7: EE-RT.19 v1 NEW plugin 1160 AWS VPC Endpoints / PrivateLink Auditor; first plugin to specifically audit the PrivateLink isolation boundary; 4 SOC 2 dimensions; clean reviewer pass).
187
187
 
188
188
  **EE 0.5.4 (superseded)** —**EE 0.5.4 ships 20 enterprise plugins** (UNCHANGED from EE 0.5.3 — the 0.5.4 bump is a cross-plugin Thread H sweep: §7.5 `_promote*FromKms` signature hardening on plugin 1140 v2 + 1180 v2 + §8 operator-config DoS caps on plugin 1170 v2; clean reviewer pass with 0 R-CRITICAL + 0 R-HIGH; final v0.5.x close-out cycle).
189
189
 
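Review bot: the replacement header at new line 184 is already stale relative to this release: the What's New section in the same diff pairs 0.1.56 with EE 0.6.2 and describes plugin 1200 v2, yet the header still says "EE 0.6.1 ships 22 enterprise plugins" and describes 1200 as v1. Update it to EE 0.6.2 (plugin count stays 22; the v2 change is an extension) or add an "EE 0.6.1 (superseded)" line in the pattern used for 0.6.0 and 0.5.4. Minor: `**EE 0.6.0 (superseded)** —**EE 0.6.0 ships` lacks a space after the dash; the existing 0.5.4 line has the same defect, so fix both or neither.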
@@ -222,6 +222,7 @@ Results land in `./out/<host>_<timestamp>/`:
222
222
  | **1170** | **AWS EC2 SG Perimeter Auditor** (EE 0.4.5 v1; **EXTENDED in EE 0.4.6 v2** — RESTRICTED_PORTS 13 → 23 ports per CIS AWS Foundations v3.0 + operator-config + per-SG cardinality cap) | Enterprise | Audits AWS EC2 Security Groups against SOC 2 CC6.6 network-segmentation evidence — reads the AWS-API DECLARED SG policy via `DescribeSecurityGroups`. **Orthogonal evidence to plugin 1023 zero-trust-checker** (1023 reads OBSERVED open ports from prior network probes; 1170 reads DECLARED SG policy). The pair gives auditors complete coverage of "is this port reachable, and is it supposed to be?" **Cross-plugin sister of EE-RT.14 v2 `_classifyPublicAccessibility`** dimension in plugin 1140 (which emits "auditor walkthrough required for SG analysis"; plugin 1170 closes that walkthrough deterministically). **6 audit dimensions:** **IPv4 0.0.0.0/0 ingress to RESTRICTED_PORTS** (CC6.6 perimeter — CRITICAL; **v2 RESTRICTED_PORTS covers 23 ports** per CIS AWS Foundations v3.0 alignment + emerging-data-tier coverage: SSH (22), RDP (3389), MS SQL (1433), MySQL (3306), Postgres (5432), Redshift (5439 — NEW v2), Redis (6379), Memcached (11211), MongoDB (27017), Elasticsearch (9200, 9300), CouchDB (5984), Docker daemon (2375), Kubelet API (10250), **K8s API server (6443 — NEW v2), etcd (2379-2380 — NEW v2), Kibana (5601 — NEW v2), InfluxDB (8086 — NEW v2), Kafka (9092 — NEW v2), Consul (8500 — NEW v2), ZooKeeper (2181 — NEW v2), Vault (8200 — NEW v2)**); **IPv6 ::/0 ingress to RESTRICTED_PORTS** (CC6.6 — CRITICAL IPv6 sibling; operators often miss while locking IPv4 down); **all-protocol (-1) ingress from 0.0.0.0/0** (CC6.6 — CRITICAL worst-possible perimeter posture; **per R-MEDIUM-1 fold suppresses dim 1+2 emissions at SG-scope** — auditor pack stays at one CRITICAL/SG instead of N+1); **public ingress to non-restricted ports** (CC6.6 substrate — INFO + walkthroughRequired; 80/443/8080-style web tier likely intentional, auditor verifies intent); **egress 0.0.0.0/0** 
(CC6.6 substrate — INFO; AWS-default posture; out-of-scope for SG-layer DLP concerns); **orphan SGs** (CC6.2 governance — LOW; SG with no attached ENI via `DescribeNetworkInterfaces` cross-reference; AWS-default `default` SGs per-VPC excluded; **v2 system-managed-SG name-prefix exclusion list** excludes `ElasticMapReduce-`, `eks-cluster-sg-`, `AWSServiceRole`, `awseb-` etc. from orphan-detection — these are AWS-service-controlled and structurally non-deletable). **v2 operator-config knob `opts.additionalRestrictedPorts`** — lets tenants add custom ports beyond the baseline (validated 0-65535 integer + deduped against baseline). **v2 per-SG cardinality cap via `_USER_GROUP_DISPLAY_CAP = 10`** with rollup trailer (`...and N more`) defends against finding-size DoS on 1000+ SG accounts. **`UserIdGroupPairs` (SG-as-source) rules** surfaced as INFO + evidenceGap + walkthroughRequired per R-HIGH-1 fold — v1 only analyzes CIDR-source rules; transitive SG→SG chain reachability deferred to v3 (EE-RT.16 v3). 10 new soc2.json titlePattern entries across v1 + v2 (6 CC6.6 + 1 CC6.2 from v1; 1 PASS-tier fix + 2 cardinality-cap trailers from v2). Full institutional contract applied day-1. **7 same-session v2 reviewer folds including 2 CONVERGENT-CRITICAL findings** (C1 pre-existing v1 PASS-tier titlePattern bug; C2 cardinality-cap-trailer titlePatterns silently dropped at framework-engine harvest pre-fold). Smoke-validated against `test-infra-builder` paired fixtures (`nsauditor-secure-sg` + `nsauditor-exposed-sg`) in account 522412052794. **CC6.6 / CC6.2**. |
223
223
  | **1190** | **AWS SES Email Integrity Auditor** (NEW EE 0.4.7; **EXTENDED EE 0.5.0 v2** — dims 1 + 2 + 4 grown in scope: DKIM CNAME DNS resolution + DMARC TXT record parser + SES classic API parity; first plugin in EE to depend on `node:dns/promises` for live DNS cross-reference) | Enterprise | Audits AWS SES + SESv2 email-sending substrate against **6 SOC 2 evidence dimensions** spanning confidentiality + email-integrity. Closes the next-highest-priority gap from the AWS SOC 2 audit-canonical compliance checklist after Redis closed in EE 0.4.6. **DKIM enablement + signing status** (CC6.1 / Privacy — `DkimAttributes.SigningEnabled` + 5-enum Status classifier: SUCCESS PASS / PENDING-TEMPORARY_FAILURE-NOT_STARTED INFO+walkthroughRequired transient / FAILED MEDIUM on DNS drift / unknown LOW+evidenceGap per `conservative_classifier_principle`; HIGH on SigningEnabled=false because outbound mail unsigned defeats SPF+DKIM+DMARC trust chain). **Custom MailFrom domain alignment** (Privacy substrate — `MailFromAttributes.MailFromDomain` + `MailFromDomainStatus`; INFO + walkthroughRequired on default amazonses.com because DMARC strict alignment impossible without custom MailFrom subdomain; PASS on custom + Status=SUCCESS). **Configuration set TLS enforcement** (C1.1 transit — `DeliveryOptions.TlsPolicy`; REQUIRE PASS / OPTIONAL HIGH opens SMTP-downgrade-attack window where network-layer adversary can strip STARTTLS from EHLO response forcing cleartext delivery of message body + headers; **distinct LOW + `tlsPolicyType` evidence branch** per R-MEDIUM-7 reviewer-fold catches non-string SDK-contract violations separately from missing-field unverifiable — pre-fold both flowed through identical narrative with empty quotes). 
**Identity sending authorization policy permissive principals** (CC6.6 — JSON-parsed IAM policy with **multi-class wildcard detector** covering bare `"*"` + `{AWS:"*"}` + `{Service:"*"}` + `{Federated:"*"}` + `{CanonicalUser:"*"}` + array-form `[*]` per R-HIGH-4 reviewer-fold walking every Principal class value; **distinct HIGH `ses-sending-auth-notprincipal-allow`** per R-CRITICAL-1 reviewer-fold catches NotPrincipal+Effect=Allow wildcard-EQUIVALENT class (universal grant minus exclusion list — pre-fold silently classified as bounded = false-CLEAN; matches plugins 1070 + 1150 NotPrincipal+Allow discipline); **LOW + evidenceGap `ses-sending-auth-malformed-statement`** per R-HIGH-2 reviewer-fold surfaces Effect-missing send-action statements that pre-fold were silently dropped). **Dedicated IP pool sending posture** (CC7.1 substrate, account-level — `ListDedicatedIpPools`; INFO + walkthroughRequired on configured pools / INFO on shared-pool default). **Suppression list state** (CC7.1 deliverability substrate, account-level — `ListSuppressedDestinations`; **ZDE invariant: NEVER reads suppressed-destination email addresses** — count + reason only; verified at run() envelope boundary via sentinel-string assertion per R-LOW-8 reviewer-fold). **Dual API surface discipline:** v1 uses SESv2 only (canonical modern API surface covers all 6 dimensions); `@aws-sdk/client-ses` declared in optionalDependencies for v2+ cross-API parity (per the dual-API discipline established in plugin 1180) — `_loadSesClassicSdk` dead-code load-check REMOVED per R-MEDIUM-6 reviewer-fold (false-degraded risk: pre-fold a missing classic SDK in production forced run() into "Plugin skipped" path even though v1 never exercises any classic export). 8 new soc2.json titlePattern entries (3 CC6.1 + 3 CC6.6 + 2 C1.1). Full institutional contract applied day-1 (EE-RT.13 PLUGIN_ID export + Thread H wrap + ZDE sanitizer + conservative classifier + EE-RT.12.25 v1 run() scaffold). 
**11 same-session reviewer folds applied** — ties the single-cycle reviewer-fold record (independent `general-purpose-agent` review yielded 12 findings; 11 folded same-session, 1 deferred to cross-plugin Thread H sweep). **Fourth EE plugin to ship without smoke-time SDK hotfix** (`@aws-sdk/client-ses` + `@aws-sdk/client-sesv2` both preemptively added to optionalDependencies). **No real-AWS smoke against violation-tier fixtures** — test-infra-builder has NO SES paired fixtures yet (full-stack fixtures deferred to EE-RT.18 v2 alongside DKIM CNAME DNS resolution + DMARC TXT record parsing). Empty-account smoke baseline against 522412052794 DID succeed end-to-end: plugin loads via CE→EE binding, all 4 SESv2 API enumerations succeed, baseline 2 INFO findings emit correctly, durationMs=842, ZDE invariant preserved. **CC6.1 / CC6.6 / C1.1 / CC7.1 (substrate) / Privacy (substrate)**. |
224
224
  | **1180** | **AWS ElastiCache Redis Auditor** (EE 0.4.6 v1; **EXTENDED in EE 0.4.9 v2** — dims 2 + 6 grown in scope: kms:DescribeKey promotion + subnet route-table verifier; closes both v1 deferred items R-MEDIUM-3 + R-LOW-2) | Enterprise | Audits AWS ElastiCache Redis clusters against **6 SOC 2 substrate-evidence dimensions** spanning confidentiality + availability + segmentation. Closes the highest-priority gap from the AWS SOC 2 audit-canonical compliance checklist. **Transit encryption** (C1.1 PASS/HIGH — `TransitEncryptionEnabled=true` wraps RESP in TLS for client→cluster + primary→replica connections; HIGH on disabled — cleartext RESP on wire + AUTH tokens flow cleartext; cannot be toggled in place, requires snapshot+restore). **At-rest encryption with KMS key custody** (C1.1 four-tier ladder — HIGH disabled → MEDIUM AWS-owned-default (encrypted but no customer KmsKeyId) → MEDIUM `alias/aws/elasticache` (AWS-managed alias via `_AWS_MANAGED_ELASTICACHE_ALIAS_RE`) → PASS customer-managed CMK + LOW+evidenceGap on `:key/UUID` ARN form per `conservative_classifier_principle`). **Redis AUTH / IAM-auth user groups** (CC6.1 + CC6.2 — PASS on UserGroupIds configured (Redis 7+ ACL/IAM-auth user groups replace long-lived AUTH passwords); MEDIUM on no-authentication (cluster relies solely on SG perimeter — cross-plugin sister with plugin 1170 SG-perimeter audit); UserGroupIds cardinality cap 10 + "...and N more" overflow per R-MEDIUM-1 fold). **Multi-AZ deployment** (A1.2 availability — HIGH on `MultiAZ=disabled` for replication groups; INFO + standalone-not-applicable on single-node CacheClusters; INFO + evidenceGap on transient states `enabling` / `disabling` per `conservative_classifier_principle`). **SnapshotRetentionLimit cadence** (A1.2 — 0 = HIGH (no snapshots), 1-6 days = MEDIUM (below 7-day baseline), ≥7 days = PASS; operator-tunable via `opts.snapshotRetentionPassMinDays` clamped 1..35). 
**Subnet placement** (CC6.6 perimeter — INFO + walkthroughRequired on `default` subnet group per `conservative_classifier_principle` — operator may have private subnets named "default"). **Dual API enumeration with inter-API dedup**: `DescribeReplicationGroups` + `DescribeCacheClusters` covers both replication-group and standalone-CacheCluster surfaces; CacheClusters with `ReplicationGroupId` set are skipped (member-of-replication-group rule) to avoid double-emission. `_ELASTICACHE_SUPPORTED_ENGINES = Object.freeze(new Set(["redis"]))` — Memcached is out-of-scope by design (no native AUTH; no transit encryption substrate). 16 new soc2.json titlePattern entries (4 CC6.1 + 1 CC6.6 + 5 A1.2 + 8 C1.1). Full institutional contract applied day-1 (EE-RT.13 PLUGIN_ID export + Thread H wrap + ZDE sanitizer + conservative classifier + EE-RT.12.25 v1 run() scaffold). 3 same-session reviewer folds applied (R-MEDIUM-1 UserGroupIds cardinality cap canonical-parity, R-LOW-1 transient Multi-AZ state INFO + evidenceGap, R-LOW-2 inter-API dedup test pin). **Third EE plugin to ship without smoke-time SDK hotfix** (`@aws-sdk/client-elasticache` preemptively added to optionalDependencies). Smoke-validated against `test-infra-builder` paired fixtures (`redis-secure-cache` + `redis-leaky-cache`) in account 522412052794. **CC6.1 / CC6.2 / CC6.6 / A1.2 / C1.1**. |
225
+ | **1200** | **AWS Inspector2 / GuardDuty Enablement Auditor** (**NEW EE 0.6.1** — first AWS-managed-threat-detection substrate audit; second multi-service plugin in EE after plugin 1150 SQS+SNS) | Enterprise | Audits AWS GuardDuty + AWS Inspector2 enablement state — the **foundation-layer institutional evidence for CC7.1 detection procedures + CC7.2 monitoring** (an audit pack without managed-threat-detection evidence has no AWS-native anomaly-detection or CVE-detection stream). **4 active SOC 2 dimensions** (dim 5 org-scope deferred to v2 per EE-RT.20.1): **Dim 1 — GuardDuty Detector enablement per region** (CC7.1 — `guardduty:ListDetectors`; zero detectors = HIGH `gd-not-enabled` institutional silent-blind class — GuardDuty would catch reconnaissance / credential exfiltration / crypto-mining / malicious-IP communication). **Dim 2 — GuardDuty protection-feature coverage** (CC7.1 evidence depth — per-detector `guardduty:GetDetector`; institutional baseline S3_DATA_EVENTS / EKS_AUDIT_LOGS / EBS_MALWARE_PROTECTION / **RDS_LOGIN_EVENTS (R1-HIGH-3 fold)** / LAMBDA_NETWORK_LOGS / RUNTIME_MONITORING; modern Features[] + legacy DataSources fallback both supported with shared case-insensitive `_statusEnabled` predicate per `[[aws_string_case_normalization]]` R1-CRITICAL-2 fold). **Dim 3 — Inspector2 enablement** (CC7.1 + CC7.2 — `inspector2:BatchGetAccountStatus`; DISABLED/SUSPENDED = HIGH silent-blind for CVE coverage on EC2/ECR/Lambda; transient = INFO; unknown enum = LOW + evidenceGap per `[[conservative_classifier_principle]]`). **Dim 4 — Inspector2 scan-target coverage** (CC7.1 zero / CC7.2 partial — institutional baseline {EC2, ECR, Lambda}; zero resource types active = HIGH `inspector2-coverage-zero` silent-blind class; partial = MEDIUM with explicit `disabledResources` list). 
**6 same-session R1 reviewer folds** (network-security + Explore in parallel; 2 R-CRITICAL + 3 R-HIGH + 1 institutional-discipline): **R1-CRITICAL-1 soc2.json titlePattern misalignment closure** — 4 patterns would have silently failed CC7.1/CC7.2 compliance routing; all re-anchored to actual emission strings. **R1-CRITICAL-1 AccessDenied distinct findings** — distinct `_CAT_GD_ACCESSDENIED` / `_CAT_INS_ACCESSDENIED` categories so auditor walkthrough knows the cause is auditor-IAM gap not service absence. **R1-CRITICAL-2 legacy DataSources case normalization** via shared `_statusEnabled` predicate. **R1-HIGH-2 SUSPENDED/DISABLED Detector silent-blind closure** — Status guard added → HIGH `_CAT_GD_DETECTOR_NOT_ENABLED`. **R1-HIGH-3/4 dead-code drift closures**. **4 R2 reviewer-deferred** (queued in EE-RT.20.1): all-regions enumeration / FindingPublishingFrequency check / alerting-destination check / BatchGetAccountStatus contract verification. **No new SDK dependencies** — `@aws-sdk/client-guardduty` + `@aws-sdk/client-inspector2` added to optionalDependencies. 7 new soc2.json titlePattern entries (4 CC7.1 + 3 CC7.2) — all anchored to actual plugin emission strings after R1-CRITICAL-1 fold. Full institutional contract applied day-1 (EE-RT.13 PLUGIN_ID + Thread H wrap on BOTH GuardDuty + Inspector2 clients + ZDE sanitizer + conservative classifier + EE-RT.12.25 v1 run() scaffold). 48 plugin tests + 4 R1-fold regression pins (52 total). Synthetic-mock validation only — no GuardDuty/Inspector2 paired fixtures yet in test-infra-builder. **CC7.1 / CC7.2**. |
225
226
  | — | SOC 2 Compliance Engine | Enterprise | AICPA TSC 2017 control mapping (10 covered + 4 partial controls post-EE 0.3.9 / 0.4.0), chain-of-custody, RFC 3161 timestamps, suppression workflow |
226
227
  | — | SLA & MTTR Tracking | Enterprise | Per-severity SLA targets, compensating-control flow, finding lifecycle |
227
228
  | — | Recurring-Scan Attestation | Enterprise | Multi-scan chronological matrix, cadence gap detection, scope drift (CC8.1) |
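Review bot: the new plugin 1200 row is inconsistent with itself and with the 0.1.56 What's New entry in this diff. It labels two different closures "R1-CRITICAL-1" (the soc2.json titlePattern misalignment and the AccessDenied distinct findings) while the summary counts "2 R-CRITICAL"; renumber one of them. "No new SDK dependencies" sits next to "`@aws-sdk/client-guardduty` + `@aws-sdk/client-inspector2` added to optionalDependencies", which are new declared dependencies; reword to say no new dependencies beyond the two optional SDK clients. The row also still lists "all-regions enumeration / FindingPublishingFrequency check" under the 4 R2 deferred items, although the 0.1.56 bullet states EE 0.6.2 shipped multi-region enumeration and the FindingPublishingFrequency check; mark the row "EXTENDED EE 0.6.2 v2" in the pattern used by the 1170/1180/1190 rows and move those two items out of the deferred list.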
package/cli.mjs CHANGED
@@ -930,7 +930,7 @@ Docs: https://www.nsauditor.com/ai/ | Pricing: https://www.nsauditor.com/ai/
930
930
  console.log(`✗ ${tierLabel[result.tier] ?? 'Community Edition (CE)'}`);
931
931
  console.log(` Reason: ${result.reason}`);
932
932
  if (!key) {
933
- console.log('\n→ Start a free 14-day Pro trial: https://www.nsauditor.com/ai/trial');
933
+ console.log('\n→ View Pro/Enterprise pricing: https://www.nsauditor.com/ai/pricing/');
934
934
  }
935
935
  }
936
936
  // CE 0.1.35 (Thread L mitigation v2): version provenance footer
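Review bot: the hunk's context header still reads `Docs: https://www.nsauditor.com/ai/ | Pricing: https://www.nsauditor.com/ai/`, so the same command now prints two different pricing URLs (`/ai/` in the banner, `/ai/pricing/` in new line 933); point the banner at the same `/ai/pricing/` address or drop the duplicate. The old line's "14-day Pro trial" wording was the only reason this branch existed; if the trial is gone, the message belongs outside the `if (!key)` guard as well, since a user with an expired or invalid key is equally in need of the pricing link.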
package/mcp_server.mjs CHANGED
@@ -59,7 +59,7 @@ function requireProCapability(toolName) {
59
59
  return {
60
60
  content: [{
61
61
  type: 'text',
62
- text: `🔒 **${toolName}** requires a Pro license.\n\nUpgrade at https://www.nsauditor.com/ai/pricing or start a free 14-day trial (no credit card) at https://www.nsauditor.com/ai/trial\n\n**CE tools available:** scan_host, list_plugins`,
62
+ text: `🔒 **${toolName}** requires a Pro license.\n\nView Pro/Enterprise pricing at https://www.nsauditor.com/ai/pricing/\n\n**CE tools available:** scan_host, list_plugins`,
63
63
  }],
64
64
  isError: true,
65
65
  };
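Review bot: this is the second copy of the same retire-the-trial edit in one diff (package/cli.mjs line 933 makes the identical change), so the two surfaces have already drifted once and will again; hoist the pricing URL into a single shared constant imported by both modules (name of your choosing; none exists in the visible lines). The new string also drops the old "no credit card" trial path with no replacement, so any remaining CE copy that still advertises a 14-day trial should be swept in the same change.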
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "nsauditor-ai",
3
- "version": "0.1.54",
3
+ "version": "0.1.56",
4
4
  "description": "Modular AI-assisted network security audit platform — Community Edition",
5
5
  "type": "module",
6
6
  "private": false,