nsauditor-ai 0.1.64 → 0.1.65

package/README.md CHANGED
@@ -17,7 +17,9 @@ NSAuditor AI is the open-source core of a privacy-first security intelligence pl
17
17
 
18
18
  ## What's New
19
19
 
20
- - **CE 0.1.64** (current) — paired with **EE 0.7.0** (May 2026). **24 enterprise plugins** across AWS / Azure / GCP, mapped to 10 fully-covered + 4 partial AICPA TSC controls. **MINOR-VERSION MILESTONE** opening the v0.7.x cross-cloud-parity line with **NEW plugin 1025 GCP IAM Project-Level Auditor** first plugin in the GCP-IAM-deep-audit cohort; mirrors plugin 1030 AWS IAM Deep Auditor's shadow-admin discipline adapted to the GCP IAM data model. 3 audit dimensions: project-scope public-member bindings (CC6.1; allUsers = CRITICAL, allAuthenticatedUsers = HIGH at the project root), admin-equivalent role inventory across 12 predefined sensitive roles (CC6.1 + CC6.6 substrate evidence), IAM Conditions classifier on sensitive-role bindings (CC6.1 narrowing substrate; restrictive CEL = PASS, absent on sensitive = MEDIUM, vacuous = LOW + evidenceGap). 11 new soc2.json mappings. Plugin count 23 24; coverage matrix UNCHANGED at 10/4/33.
20
+ - **CE 0.1.65** (current) — paired with **EE 0.7.1** (May 2026). **24 enterprise plugins** across AWS / Azure / GCP, mapped to 10 fully-covered + 4 partial AICPA TSC controls. **EE-RT.22 v2 plugin 1025 R2 expansion** extends GCP IAM Project-Level Auditor from 3 dims to **7 dims**: + custom-role permission audit (CC6.1; `*` wildcard = CRITICAL, admin-equivalent permission intersection across 16-entry allowlist = HIGH) + SA key custody (CC6.1 + C1.1; user-managed keys = HIGH; 90-day rotation narrative-uplift threshold) + SA impersonation graph BFS (CC6.1; mirrors plugin 1030 shadow-admin BFS adapted to GCP — 2-hop = HIGH, 3+ hop = CRITICAL; per-PATH visited Set + depth cap = 4; project-scope grants surface independently as CRITICAL) + Organization Policy constraint enumeration (CC6.6 + C1.1; 4 sensitive constraints incl. `iam.disableServiceAccountKeyCreation`). NEW `utils/gcp_auth.mjs` honors `GOOGLE_IMPERSONATE_SERVICE_ACCOUNT` env var. **17 same-session reviewer folds applied — NEW HIGH-WATER MARK** vs 0.7.0's 12 (1 R-CRITICAL EE-RT.20 class recurrence catch + 7 R-HIGH + 8 R-MEDIUM + 1 R-LOW(+1 grouped)). **+22 new soc2.json mappings** (plugin 1025 total 11 → 33). **Plugin count UNCHANGED at 24**; coverage matrix UNCHANGED at 10/4/33 (pure substrate-evidence depth uplift). NEW SDK deps: `googleapis` + `@google-cloud/org-policy` in optionalDependencies.
21
+
22
+ - **CE 0.1.64** — paired with **EE 0.7.0** (May 2026). **MINOR-VERSION MILESTONE** opening the v0.7.x cross-cloud-parity line with **NEW plugin 1025 GCP IAM Project-Level Auditor (EE-RT.22 v1)**; 3 audit dimensions (project-scope public-member bindings + sensitive-role inventory + IAM Conditions classifier). Plugin count 23 → 24. 12 same-session reviewer folds (clean pass). 11 new soc2.json mappings.
21
23
 
22
24
  For prior releases, see [CHANGELOG.md](./CHANGELOG.md).
23
25
 
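Review bot: the SA key custody dimension in the new 0.1.65 entry gives a severity for user-managed keys (HIGH) but none for the 90-day check ("90-day rotation narrative-uplift threshold"), so a reader cannot tell whether a key older than 90 days changes the finding's severity or only its narrative text; state the outcome explicitly (a severity tier, or "narrative only, no severity change", whichever the plugin actually does). The "3 dims to 7 dims" claim is consistent with the four additions that follow, but the entry is one very long bullet; the four new dimensions would read better as a nested list under it, in the style of the shorter rewritten 0.1.64 bullet below. The rewritten 0.1.64 bullet also correctly restores the arrow that was missing in "Plugin count 23 24".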
@@ -203,7 +205,7 @@ Results land in `./out/<host>_<timestamp>/`:
203
205
  | 1022 | Azure Cloud Scanner | Enterprise | NSG rules + RBAC role assignments + Storage account hardening. **CC6.1 / CC6.6 / C1.1** |
204
206
  | 1023 | Zero Trust Checker | Enterprise | Segmentation, encryption, identity, lateral-movement scoring across the network surface. **CC6.1 / CC6.6** |
205
207
  | 1024 | GCP Cloud Storage Auditor | Enterprise | Multi-cloud parity sister of plugin 1020 AWS S3. 6 dimensions: bucket-level IAM public bindings (allUsers = CRITICAL, allAuthenticatedUsers = HIGH), Uniform Bucket-Level Access (closes legacy bucket-ACL false-PASS class), Object Versioning, Bucket Lock retention policy (SEC 17a-4 / FINRA 4511 WORM-alignment), CMEK via Cloud KMS (four-tier custody ladder), bucket-level access logging. **CC6.1 / CC6.6 / CC7.1 / C1.1 / C1.2 / A1.2** |
206
- | 1025 | GCP IAM Project-Level Auditor | Enterprise | First plugin in the v0.7.x GCP-IAM-deep-audit cohort. Mirrors plugin 1030 AWS IAM Deep Auditor's shadow-admin discipline adapted to the GCP IAM data model. 3 dimensions: project-scope public-member bindings (allUsers = CRITICAL, allAuthenticatedUsers = HIGH at the project root), admin-equivalent role inventory across 12 predefined sensitive roles, IAM Conditions classifier on sensitive-role bindings (restrictive CEL = PASS, absent on sensitive = MEDIUM, vacuous = LOW + evidenceGap). **CC6.1 / CC6.6** |
208
+ | 1025 | GCP IAM Project-Level Auditor (v2 — EE 0.7.1) | Enterprise | First plugin in the v0.7.x GCP-IAM-deep-audit cohort. Mirrors plugin 1030 AWS IAM Deep Auditor's shadow-admin discipline adapted to the GCP IAM data model. **7 dimensions (EE 0.7.1 v2 expansion):** project-scope public-member bindings (allUsers = CRITICAL, allAuthenticatedUsers = HIGH at the project root), admin-equivalent role inventory across 12 predefined sensitive roles, IAM Conditions classifier on sensitive-role bindings (restrictive CEL = PASS, absent on sensitive = MEDIUM, vacuous = LOW + evidenceGap), **custom-role permission audit** (`*` wildcard = CRITICAL; admin-equivalent permission intersection across 16-entry allowlist = HIGH), **SA key custody** (user-managed long-lived keys = HIGH; 90-day rotation threshold uplift), **SA impersonation graph BFS** (transitive `serviceAccountTokenCreator`/`User`/`OpenIdTokenCreator` chains — 2-hop = HIGH, 3+ hop = CRITICAL; project-scope grants surface independently as CRITICAL), **Organization Policy constraint enumeration** (4 sensitive constraints incl. `iam.disableServiceAccountKeyCreation`). Honors `GOOGLE_IMPERSONATE_SERVICE_ACCOUNT` via `utils/gcp_auth.mjs`. **CC6.1 / CC6.6 / C1.1** |
207
209
  | 1030 | AWS IAM Deep Auditor | Enterprise | Shadow-admin path detection via BFS over PassRole / AssumeRole / federated trust. Restrictive-Condition allowlist for Auth0 / Okta / Cognito OIDC patterns. **CC6.1** |
208
210
  | 1040 | AWS CloudTrail Operational Integrity | Enterprise | Trail health + CloudWatch alarm coverage against CIS AWS Benchmark §3.1–3.14 + AWS Config + cross-account S3 trail-destination WORM verification (SEC 17a-4 / FINRA 4511). **CC7.2 / CC7.3** |
209
211
  | 1050 | AWS API Gateway Assurance | Enterprise | Per-route authz classifier (`NONE`=CRITICAL), custom-domain TLS policy, stage-level access logging + WAF, public-endpoint exposure. Entry-point evidence for serverless deployments. **CC6.1 / CC6.6 / CC6.7 / CC7.1 / A1.2** |
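Review bot: the impersonation BFS tiering in the 1025 row ("2-hop = HIGH, 3+ hop = CRITICAL") leaves two cases undocumented: a direct 1-hop `serviceAccountTokenCreator`-style grant on a single service account has no stated severity (only project-scope grants are said to surface as CRITICAL), and the depth cap of 4 given in the What's New entry is absent here, so "3+ hop" reads as unbounded traversal when chains past four hops are not explored. Add the 1-hop severity and the cap (and that paths beyond it are not reported) so an auditor knows what the CRITICAL tier does and does not cover. Style: no other row carries a version in the name column; move "(v2 — EE 0.7.1)" into the description, which already says "EE 0.7.1 v2 expansion".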
package/mcp_server.mjs CHANGED
@@ -108,7 +108,7 @@ export function _setValidateHost(fn) {
108
108
  //
109
109
  // Why this exists: even after CE 0.1.34 embedded the resolved tier and CE 0.1.35
110
110
  // added a CLI provenance footer, Claude Desktop was empirically observed
111
- // (2026-05-09, kankanyan@gmail.com) fabricating list_plugins responses
111
+ // (operator session, 2026-05-09) fabricating list_plugins responses
112
112
  // WITHOUT routing to this server (per-server log: 0 tools/call entries
113
113
  // while other configured MCP servers received 50+ in the same session).
114
114
  // A fabricated response can copy any text it has seen — including version
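Review bot: replacing the personal e-mail address with "(operator session, 2026-05-09)" is the right call for a comment that ships in the npm tarball, but the redaction only takes effect from 0.1.65 onward; the address remains in the already-published 0.1.64 artifact and in git history, so if removing it is the goal, check the rest of the repository (CHANGELOG, other source comments) for the same string in this release rather than only this one line.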
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "nsauditor-ai",
3
- "version": "0.1.64",
3
+ "version": "0.1.65",
4
4
  "description": "Modular AI-assisted network security audit platform — Community Edition",
5
5
  "type": "module",
6
6
  "private": false,
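Review bot: the README entry for 0.1.65 announces "NEW SDK deps: `googleapis` + `@google-cloud/org-policy` in optionalDependencies", but the only change to `package.json` in this diff is the version bump from 0.1.64 to 0.1.65; no `optionalDependencies` hunk appears. Either the dependencies were added to the EE package rather than this CE package, in which case the README should say so, or the `package.json` change is missing from this release.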