iam-policy-validator 1.15.0__tar.gz → 1.15.2__tar.gz

{iam_policy_validator-1.15.0 → iam_policy_validator-1.15.2}/CHANGELOG.md

@@ -8,18 +8,139 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
 
 ### Planned
-- NotAction/NotResource validation support
+
 - Enhanced PR comment management with configurable limits
 
 ---
 
+## [1.15.2] - 2025-01-26
+
+### Added
+
+**Confused Deputy Protection**
+
+- Service principal wildcard detection (`{"Service": "*"}`) - critical severity
+  - Detects dangerous patterns allowing any AWS service to access resources or assume roles
+  - Enabled by default via `block_service_principal_wildcard: true`
+  - Only checks `Principal` field (not `NotPrincipal`, which is an exclusion)
+- New configuration options for `principal_validation`:
+  - `block_wildcard_principal` - strict mode to block `*` entirely (default: false)
+  - `block_service_principal_wildcard` - block `{"Service": "*"}` patterns (default: true)
+- Improved handling of `Principal: "*"` with conditions for confused deputy prevention
+  - Default requires source verification (`aws:SourceArn`, `aws:SourceAccount`, `aws:SourceVpce`, or `aws:SourceIp`)
+
+**Condition Type Validation Improvements**
+
+- Enhanced ISO 8601 date validation with semantic checks:
+  - Validates month range (1-12)
+  - Validates day range based on month (1-28/29/30/31)
+  - Validates hour (0-23), minute (0-59), second (0-59)
+  - Leap year detection for February 29
+  - Timezone offset validation
+
+### Changed
+
+- `principal_validation` default behavior now allows `*` with conditions
+  - Use `block_wildcard_principal: true` to restore strict blocking
+- Duplicate findings avoided when service principal wildcard is detected
+
+---
+
+## [1.15.1] - 2025-01-24
+
+### Fixed
+
+**Condition Key Validation for aws:RequestTag and aws:ResourceTag**
+
+- `aws:RequestTag/${TagKey}` and `aws:ResourceTag/${TagKey}` now correctly validated as action/resource-specific condition keys (not global)
+- These keys are only valid for actions that create/modify tagged resources (e.g., `iam:CreatePolicy`, `iam:CreateRole`)
+- Invalid usage now flagged with descriptive error messages explaining the key is only for tagging operations
+- Example: `iam:SetDefaultPolicyVersion` with `aws:RequestTag/owner` now correctly fails validation
+
+---
+
+## [1.15.0] - 2025-01-22
+
+### Added
+
+**MCP Server Integration**
+
+- Full FastMCP server with 25+ tools for AI assistants (`iam-validator mcp` command)
+- Standalone `iam-validator-mcp` entry point for easy integration
+- Policy validation, generation, and AWS service querying tools
+- 15 built-in secure policy templates for common use cases
+- Session-wide organization configuration management
+- MCP Prompts for guided workflows (generate_secure_policy, fix_policy_issues_workflow, review_policy_security)
+- Custom instructions support via YAML config, environment variable, CLI, or MCP tools
+- Comprehensive MCP documentation with usage examples
+
+**New Security Check**
+
+- `not_action_not_resource` check for detecting dangerous NotAction/NotResource patterns (high severity)
+
+**Query Command Enhancements**
+
+- Support multiple actions in single query (`--name s3:GetObject dynamodb:Query`)
+- Wildcard pattern expansion (`--name "iam:Get*"` or `--name "s3:*Object*"`)
+- Field filter options: `--show-condition-keys`, `--show-resource-types`, `--show-access-level`
+- Allow service prefix in `--name`, making `--service` optional (`--name s3:GetObject`)
+- Deduplicate results when querying overlapping patterns
+
+**Validation Improvements**
+
+- `action_validation` now validates wildcard patterns (e.g., `s3:Get*`) to ensure they match real AWS actions
+- `action_validation` now validates NotAction field
+- `resource_validation` now validates NotResource field
+- `wildcard_resource` check has condition-aware severity adjustment:
+  - MEDIUM → LOW when global resource-scoping conditions present (aws:ResourceAccount, aws:ResourceOrgID, aws:ResourceOrgPaths)
+  - MEDIUM → LOW when aws:ResourceTag/\* conditions are used AND all actions support the condition key
+
+**Configuration**
+
+- Add `hide_severities` option for severity-based finding filtering (global and per-check)
+- Add `iam-policy-validator` CLI alias matching PyPI package name
+
+**Cache Improvements**
+
+- Cache refresh now updates all cached services (not just common ones)
+- Expired cache files are kept for refresh instead of deleted
+- Stale cache fallback when AWS API fails for graceful degradation
+
+**SDK**
+
+- Export `extract_condition_keys_from_statement()` in public API
+- Add `is_condition_key_supported()` to AWSServiceFetcher
+
+### Changed
+
+- Development status upgraded to Production/Stable
+- Batch operations use `asyncio.gather()` for parallel execution
+- Template listing includes full variable metadata (name, description, required)
+- Simplified condition key pattern matching for tag-key placeholders (forward-compatible)
+- Test suite consolidated using `@pytest.mark.parametrize` (919 → 850 tests)
+
+### Fixed
+
+- Support parameterized condition key patterns like `s3:RequestObjectTag/<key>`
+- MCP tests skip properly when fastmcp is not installed
+- Improved loop prevention guidance for LLM clients
+
+### Dependencies
+
+- fastmcp as optional dependency (install with `[mcp]` extra)
+- Updated CI dependencies (actions/cache, codeql-action, setup-uv, upload-pages-artifact)
+
+---
+
 ## [1.14.7] - 2025-12-17
 
 ### Added
+
 - MkDocs documentation site deployed to GitHub Pages
 - Comprehensive SDK API reference documentation
 
 ### Fixed
+
 - Correct repository name in all documentation links (iam-policy-auditor → iam-policy-validator)
 - Fix SDK docstring formatting for proper mkdocstrings rendering
 - Update PyPI metadata with correct documentation and changelog URLs
@@ -29,6 +150,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [1.14.6] - 2025-12-15
 
 ### Fixed
+
 - Separate security findings from validity errors in PR comments
 - Respect ignored findings when managing PR labels and review state
 
@@ -37,6 +159,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [1.14.5] - 2025-12-15
 
 ### Fixed
+
 - Respect ignored findings when managing PR labels and review state
 
 ---
@@ -44,6 +167,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [1.14.4] - 2025-12-12
 
 ### Fixed
+
 - Show pass status and list ignored findings in summary when all blocking issues are ignored
 
 ---
@@ -51,6 +175,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [1.14.3] - 2025-12-12
 
 ### Fixed
+
 - Add pattern matching for service-specific condition keys with tag validation
 
 ---
@@ -58,6 +183,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [1.14.2] - 2025-12-12
 
 ### Fixed
+
 - Use APPROVE review event when validation passes to dismiss REQUEST_CHANGES
 
 ---
@@ -65,10 +191,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [1.14.1] - 2025-12-11
 
 ### Fixed
+
 - Enhanced SARIF formatter with dynamic rules and rich context
 - Improved finding fingerprints for better PR comment deduplication
 
 ### Changed
+
 - Updated dependencies (setup-uv, actions/checkout, codeql-action)
 
 ---
@@ -76,11 +204,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [1.14.0] - 2024-12-10
 
 ### Added
+
 - Enhanced PR comments with fingerprint-based matching
 - Finding ignore system via PR comment replies
 - Improved review comment deduplication
 
 ### Changed
+
 - Better production readiness for GitHub Action integration
 
 ---
@@ -88,6 +218,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [1.13.1] - 2024-12
 
 ### Fixed
+
 - Bug fixes and stability improvements
 
 ---
@@ -95,6 +226,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [1.13.0] - 2024-12
 
 ### Added
+
 - Query command for exploring AWS service definitions
 - Shell completion support (bash, zsh, fish)
 
@@ -103,10 +235,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [1.12.0] - 2024-11
 
 ### Added
+
 - Trust policy validation check
 - Enhanced condition type mismatch detection
 
 ### Changed
+
 - Improved AWS service fetcher performance
 
 ---
@@ -114,10 +248,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [1.11.0] - 2024-11
 
 ### Added
+
 - Action-resource matching validation
 - Set operator validation for conditions (ForAllValues/ForAnyValue)
 
 ### Changed
+
 - Expanded sensitive actions database (490+ actions)
 
 ---
@@ -125,10 +261,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [1.10.0] - 2024-10
 
 ### Added
+
 - MFA condition check for sensitive operations
 - Condition key validation improvements
 
 ### Changed
+
 - Better error messages for validation failures
 
 ---
@@ -136,6 +274,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [1.9.0] - 2024-10
 
 ### Added
+
 - GitHub PR review comments (inline comments on changed lines)
 - Multiple output formats (JSON, SARIF, CSV, HTML, Markdown)
 
@@ -144,6 +283,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [1.8.0] - 2024-09
 
 ### Added
+
 - AWS Access Analyzer integration
 - Offline validation mode with pre-downloaded service definitions
 
@@ -152,10 +292,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [1.7.0] - 2024-09
 
 ### Added
+
 - Custom checks support via `--custom-checks-dir`
 - Configuration file support (`iam-validator.yaml`)
 
 ### Changed
+
 - Modular check architecture
 
 ---
@@ -163,6 +305,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [1.6.0] - 2024-08
 
 ### Added
+
 - Service Control Policy (SCP) validation
 - Principal validation for resource policies
 
@@ -171,17 +314,19 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [1.5.0] - 2024-08
 
 ### Added
+
 - Modular Python configuration system (5-10x faster startup)
 - Split security checks into individual modules:
-  - `wildcard_action` - Wildcard actions (Action: "*")
-  - `wildcard_resource` - Wildcard resources (Resource: "*")
-  - `service_wildcard` - Service-level wildcards (e.g., "s3:*")
+  - `wildcard_action` - Wildcard actions (Action: "\*")
+  - `wildcard_resource` - Wildcard resources (Resource: "\*")
+  - `service_wildcard` - Service-level wildcards (e.g., "s3:\*")
   - `sensitive_action` - Sensitive actions without conditions
-  - `full_wildcard` - Action:* + Resource:* (critical)
+  - `full_wildcard` - Action:_ + Resource:_ (critical)
 - GitHub Action RESOURCE_CONTROL_POLICY support
 - GitHub Actions job summary output
 
 ### Changed
+
 - Comprehensive documentation overhaul
 
 ---
@@ -189,9 +334,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [1.4.0] - 2024-07
 
 ### Added
+
 - Resource Control Policy (RCP) support with 8 validation checks
 - Enhanced principal validation:
-  - Blocked principals (e.g., public access "*")
+  - Blocked principals (e.g., public access "\*")
   - Allowed principals whitelist
   - Required conditions for specific principals
   - Service principal validation
@@ -203,6 +349,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [1.3.0] - 2024-06
 
 ### Added
+
 - Modular Python configuration system
 - Condition requirement templates
 - Action condition enforcement check
@@ -212,6 +359,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [1.2.0] - 2024-05
 
 ### Added
+
 - Smart IAM policy detection and filtering
 - YAML policy support
 - Streaming mode for large policy sets
@@ -221,6 +369,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [1.1.0] - 2024-04
 
 ### Added
+
 - Split security checks into individual modules
 - Configurable check system
 - Per-check severity overrides
@@ -230,6 +379,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [1.0.0] - 2024-03
 
 ### Added
+
 - Initial release
 - Core IAM policy validation engine
 - AWS service definition fetching with caching
@@ -251,9 +401,8 @@ This project follows [Semantic Versioning](https://semver.org/):
 
 | Version | Support Status        |
 | ------- | --------------------- |
-| 1.14.x  | ✅ Active development  |
-| 1.13.x  | ⚠️ Critical fixes only |
-| < 1.13  | ❌ End of life         |
+| 1.15.x  | ✅ Active development |
+| < 1.15  | ❌ End of life        |
 
 ### Deprecation Policy
 
@@ -270,6 +419,7 @@ This project follows [Semantic Versioning](https://semver.org/):
 The modular configuration system introduced in v1.5.0 changed how checks are configured:
 
 **Before (v1.4.x):**
+
 ```yaml
 checks:
   wildcard: high
@@ -277,6 +427,7 @@ checks:
 ```
 
 **After (v1.5.0+):**
+
 ```yaml
 wildcard_action:
   enabled: true
@@ -298,7 +449,11 @@ iam-validator validate --policy-type RESOURCE_CONTROL_POLICY policies/
 
 ---
 
-[Unreleased]: https://github.com/boogy/iam-policy-validator/compare/v1.14.6...HEAD
+[Unreleased]: https://github.com/boogy/iam-policy-validator/compare/v1.15.2...HEAD
+[1.15.2]: https://github.com/boogy/iam-policy-validator/compare/v1.15.1...v1.15.2
+[1.15.1]: https://github.com/boogy/iam-policy-validator/compare/v1.15.0...v1.15.1
+[1.15.0]: https://github.com/boogy/iam-policy-validator/compare/v1.14.7...v1.15.0
+[1.14.7]: https://github.com/boogy/iam-policy-validator/compare/v1.14.6...v1.14.7
 [1.14.6]: https://github.com/boogy/iam-policy-validator/compare/v1.14.5...v1.14.6
 [1.14.5]: https://github.com/boogy/iam-policy-validator/compare/v1.14.4...v1.14.5
 [1.14.4]: https://github.com/boogy/iam-policy-validator/compare/v1.14.3...v1.14.4

{iam_policy_validator-1.15.0 → iam_policy_validator-1.15.2}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: iam-policy-validator
-Version: 1.15.0
+Version: 1.15.2
 Summary: Validate AWS IAM policies for correctness and security using AWS Service Reference API
 Project-URL: Homepage, https://github.com/boogy/iam-policy-validator
 Project-URL: Documentation, https://boogy.github.io/iam-policy-validator
@@ -99,8 +99,16 @@ iam-validator validate --path examples/quick-start/ --format enhanced
 {
   "Version": "2012-10-17",
   "Statement": [
-    {"Effect": "Allow", "Action": "s3:GetObjekt", "Resource": "arn:aws:s3:::my-bucket/*"},
-    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::123456789012:role/lambda-role"}
+    {
+      "Effect": "Allow",
+      "Action": "s3:GetObjekt",
+      "Resource": "arn:aws:s3:::my-bucket/*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": "iam:PassRole",
+      "Resource": "arn:aws:iam::123456789012:role/lambda-role"
+    }
   ]
 }
 ```
@@ -111,7 +119,11 @@ iam-validator validate --path examples/quick-start/ --format enhanced
 {
   "Version": "2012-10-17",
   "Statement": [
-    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/*"}
+    {
+      "Effect": "Allow",
+      "Action": "s3:GetObject",
+      "Resource": "arn:aws:s3:::my-bucket/*"
+    }
   ]
 }
 ```
@@ -122,7 +134,11 @@ iam-validator validate --path examples/quick-start/ --format enhanced
 {
   "Version": "2012-10-17",
   "Statement": [
-    {"Effect": "Allow", "Action": "lambda:InvokeFunction", "Resource": "arn:aws:lambda:us-east-1:123456789012:function:my-function"}
+    {
+      "Effect": "Allow",
+      "Action": "lambda:InvokeFunction",
+      "Resource": "arn:aws:lambda:us-east-1:123456789012:function:my-function"
+    }
   ]
 }
 ```
@@ -228,7 +244,8 @@ action_condition_enforcement:
           description: "Restrict which services can use passed roles"
 
     # Enforce IP restrictions for privileged actions (automation from CI/CD)
-    - actions: ["iam:AttachUserPolicy", "iam:PutUserPolicy", "iam:CreateAccessKey"]
+    - actions:
+        ["iam:AttachUserPolicy", "iam:PutUserPolicy", "iam:CreateAccessKey"]
       required_conditions:
         - condition_key: "aws:SourceIp"
           expected_value: ["10.0.0.0/8", "172.16.0.0/12"]
@@ -270,9 +287,17 @@ Privilege escalation often occurs when multiple actions are scattered across dif
 ```json
 {
   "Statement": [
-    {"Sid": "AllowUserManagement", "Action": "iam:CreateUser", "Resource": "*"},
-    {"Sid": "AllowS3Read", "Action": "s3:GetObject", "Resource": "*"},
-    {"Sid": "AllowPolicyAttachment", "Action": "iam:AttachUserPolicy", "Resource": "*"}
+    {
+      "Sid": "AllowUserManagement",
+      "Action": "iam:CreateUser",
+      "Resource": "*"
+    },
+    { "Sid": "AllowS3Read", "Action": "s3:GetObject", "Resource": "*" },
+    {
+      "Sid": "AllowPolicyAttachment",
+      "Action": "iam:AttachUserPolicy",
+      "Resource": "*"
+    }
   ]
 }
 ```
@@ -408,9 +433,9 @@ iam-validator validate --path policies/ --aws-services-dir ./aws-services
 - uses: boogy/iam-policy-validator@v1
   with:
     path: policies/
-    github-review: true        # Inline PR comments
-    github-summary: true       # Actions summary tab
-    fail-on-severity: high     # Block merge on high/critical
+    github-review: true # Inline PR comments
+    github-summary: true # Actions summary tab
+    fail-on-severity: high # Block merge on high/critical
 ```
 
 ---
@@ -440,14 +465,14 @@ Validates against official AWS IAM requirements:
 
 Identifies overly permissive configurations:
 
-| Check                     | What It Catches                                        |
-| ------------------------- | ------------------------------------------------------ |
-| **Wildcard Action**       | `Action: "*"` grants all AWS permissions               |
-| **Wildcard Resource**     | `Resource: "*"` applies to all resources               |
-| **Full Wildcard**         | Both `Action: "*"` AND `Resource: "*"` (admin access)  |
-| **Service Wildcards**     | `s3:*`, `iam:*`, `ec2:*` (overly broad)                |
+| Check                     | What It Catches                                          |
+| ------------------------- | -------------------------------------------------------- |
+| **Wildcard Action**       | `Action: "*"` grants all AWS permissions                 |
+| **Wildcard Resource**     | `Resource: "*"` applies to all resources                 |
+| **Full Wildcard**         | Both `Action: "*"` AND `Resource: "*"` (admin access)    |
+| **Service Wildcards**     | `s3:*`, `iam:*`, `ec2:*` (overly broad)                  |
 | **Sensitive Actions**     | 490+ privilege escalation patterns and dangerous actions |
-| **Condition Enforcement** | Organization-specific condition requirements           |
+| **Condition Enforcement** | Organization-specific condition requirements             |
 
 **Note on Sensitive Actions:** This check has two modes:
 
@@ -540,7 +565,7 @@ action_condition_enforcement:
     - actions: ["iam:CreateUser", "iam:DeleteUser", "iam:CreateAccessKey"]
       required_conditions:
         - condition_key: "aws:SourceIp"
-          expected_value: ["10.0.0.0/8", "52.94.76.0/24"]  # Corporate + GitHub Actions
+          expected_value: ["10.0.0.0/8", "52.94.76.0/24"] # Corporate + GitHub Actions
 
 # Ignore patterns
 ignore_patterns:
@@ -677,19 +702,19 @@ iam-validator analyze --path new-policy.json \
 
 ## Comparison Matrix
 
-| Feature                        | IAM Policy Validator             | IAM Lens                      | IAMSpy                 | Policy Sentry              |
-| ------------------------------ | -------------------------------- | ----------------------------- | ---------------------- | -------------------------- |
-| **Primary Purpose**            | Pre-deployment validation        | Runtime permission analysis   | Permission enumeration | Least-privilege generation |
-| **Use Case**                   | CI/CD policy scanning            | "What can this principal do?" | Pentesting/audit       | Policy creation            |
-| **Custom Security Rules**      | ✅ Full support                   | ❌ No                          | ❌ No                   | ❌ No                       |
+| Feature                        | IAM Policy Validator              | IAM Lens                      | IAMSpy                 | Policy Sentry              |
+| ------------------------------ | --------------------------------- | ----------------------------- | ---------------------- | -------------------------- |
+| **Primary Purpose**            | Pre-deployment validation         | Runtime permission analysis   | Permission enumeration | Least-privilege generation |
+| **Use Case**                   | CI/CD policy scanning             | "What can this principal do?" | Pentesting/audit       | Policy creation            |
+| **Custom Security Rules**      | ✅ Full support                   | ❌ No                         | ❌ No                  | ❌ No                      |
 | **Cross-Statement Patterns**   | ✅ Privilege escalation detection | N/A (different purpose)       | N/A                    | N/A                        |
-| **Action-Resource Validation** | ✅ Catches incompatible pairs     | N/A                           | ❌ No                   | ✅ Generates correct        |
-| **Organization Conditions**    | ✅ IP, tags, encryption, etc.     | ❌ No                          | ❌ No                   | ❌ No                       |
-| **CI/CD Ready**                | ✅ GitHub Actions native          | ⚠️ Manual setup                | ⚠️ Manual               | ⚠️ Manual                   |
-| **PR Line Comments**           | ✅ Diff-aware                     | ❌ No                          | ❌ No                   | ❌ No                       |
-| **AWS Service Data**           | ✅ Official API (auto-update)     | ✅ Real AWS account data       | ⚠️ Static               | ✅ Official API             |
-| **Offline Mode**               | ✅ Yes                            | ❌ Needs AWS account           | ✅ Yes                  | ❌ Needs internet           |
-| **Query Permissions**          | ✅ Yes                            | ✅ Yes (different approach)    | ⚠️ Enumerate only       | ✅ Excellent                |
+| **Action-Resource Validation** | ✅ Catches incompatible pairs     | N/A                           | ❌ No                  | ✅ Generates correct       |
+| **Organization Conditions**    | ✅ IP, tags, encryption, etc.     | ❌ No                         | ❌ No                  | ❌ No                      |
+| **CI/CD Ready**                | ✅ GitHub Actions native          | ⚠️ Manual setup               | ⚠️ Manual              | ⚠️ Manual                  |
+| **PR Line Comments**           | ✅ Diff-aware                     | ❌ No                         | ❌ No                  | ❌ No                      |
+| **AWS Service Data**           | ✅ Official API (auto-update)     | ✅ Real AWS account data      | ⚠️ Static              | ✅ Official API            |
+| **Offline Mode**               | ✅ Yes                            | ❌ Needs AWS account          | ✅ Yes                 | ❌ Needs internet          |
+| **Query Permissions**          | ✅ Yes                            | ✅ Yes (different approach)   | ⚠️ Enumerate only      | ✅ Excellent               |
 
 **Choose this tool if you:**