NSAuditor AI EE 0.5.4 Closes the v0.5.x Line — Cross-Plugin Thread H §7.5 (KMS-Promoter Map-Form Signature Hardening) + §8 (Operator-Config DoS Caps); Clean Reviewer Pass
EE 0.5.4 closes the v0.5.x line — cross-plugin Thread H §7.5 (KMS-promoter Map-form signature hardening) + §8 (operator-config DoS caps). Clean reviewer pass, 10th consecutive trio-publish, 50-session green streak.
What’s new: Nsasoft US LLC has shipped NSAuditor AI Enterprise Edition 0.5.4 — the final v0.5.x close-out cycle and the tenth consecutive trio-publish across EE + paired CE 0.1.53 + agent-skill 0.1.20. EE 0.5.4 ships the cross-plugin Thread H §7.5 + §8 sweep with a clean reviewer pass (0 R-CRITICAL + 0 R-HIGH) — the first of the entire v0.5.x line. EE plugin count remains 20; coverage matrix unchanged at 10/4/33.
The v0.5.x line — 5 cycles, 9 cumulative false-CLEAN closures
| Cycle | Surface added | False-CLEAN closures |
|---|---|---|
| 0.5.0 | Network-layer DNS (EE-RT.18 v2 DKIM CNAME + DMARC TXT) | 1 (DMARC pct=0) |
| 0.5.1 | Cross-SDK CloudWatch (EE-RT.15 v2 alarm coverage) | 1 (empty AlarmActions) |
| 0.5.2 | EE-RT.18 v2.1 deferred-items sweep | 2 (soc2 mapping + SES classic quota) |
| 0.5.3 | DKIM fingerprint + DMARC alignment (EE-RT.18 v3) | 4 (truncated keys + empty-key floor + multi-records + DMARC double-fail) |
| 0.5.4 | Cross-plugin Thread H §7.5 + §8 | 1 (parallel-threading via Map-form) |
§7.5 — `_promote*FromKms` cross-plugin signature hardening
Affects plugin 1140 v2 (AWS RDS Auditor) and plugin 1180 v2 (AWS ElastiCache Redis Auditor). Pre-fold, the promoter signature `_promote*FromKms(finding, keyManager)` trusted the caller to thread `keyManager` in lockstep with `finding.details.kmsKeyArn`; a future orchestrator wiring bug could silently false-CLEAN by passing the wrong key’s KeyManager to the wrong finding.
Post-fold, the promoter accepts BOTH the legacy `keyManager` string OR a new `keyManagerByArn: Map<arn, keyManager>` form. The Map form looks up `keyManagerByArn.get(finding.details.kmsKeyArn)` inside the promoter — a single source of truth, so the caller-side parallel-threading bug class cannot occur. Back-compat is preserved for legacy callers. Signature handling is identical in plugin 1140 v2 and 1180 v2 — cross-plugin parity verified.
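The following is an added example, not NSAuditor's own code, showing the two promoter call shapes the §7.5 fold describes: a legacy caller threading a parallel array, and the Map-form caller where the lookup happens inside the promoter. Only `finding.details.kmsKeyArn` and the `keyManagerByArn` name come from the page; `promoteFromKms`, the status values and the "AWS-managed key promotes to MEDIUM" rule are assumptions made for illustration, and the ARNs and account id are constructed.

```javascript
// Added example, not NSAuditor's own code: a KMS promoter that accepts either the
// legacy keyManager string or a keyManagerByArn Map, mirroring the §7.5 change.
// promoteFromKms, the status values and the "AWS -> MEDIUM" rule are assumptions.

const CLEAN = 'CLEAN';
const MEDIUM = 'MEDIUM';
const UNKNOWN = 'UNKNOWN';

// keyManagerOrMap is either a string ('AWS' | 'CUSTOMER', legacy form) or a
// Map<kmsKeyArn, keyManager>. The Map form takes precedence: the lookup happens
// here, keyed by the finding's own ARN, so no caller can pair key i with finding j.
function promoteFromKms(finding, keyManagerOrMap) {
  const keyManager = keyManagerOrMap instanceof Map
    ? keyManagerOrMap.get(finding.details.kmsKeyArn)
    : keyManagerOrMap;
  if (keyManager === undefined) {
    // Fail closed: a key we could not resolve must never read as CLEAN.
    return { ...finding, status: UNKNOWN, details: { ...finding.details, keyManager: null } };
  }
  return {
    ...finding,
    status: keyManager === 'AWS' ? MEDIUM : CLEAN,
    details: { ...finding.details, keyManager },
  };
}

// Constructed sample input: two encrypted resources and DescribeKey-style metadata
// for their keys (fake ARNs, placeholder account id).
const ARN_A = 'arn:aws:kms:us-east-1:111111111111:key/aaaaaaaa-0000-0000-0000-000000000001';
const ARN_B = 'arn:aws:kms:us-east-1:111111111111:key/bbbbbbbb-0000-0000-0000-000000000002';

const findings = [
  { id: 'db-1', status: CLEAN, details: { kmsKeyArn: ARN_A } },
  { id: 'db-2', status: CLEAN, details: { kmsKeyArn: ARN_B } },
];
const describedKeys = [
  { Arn: ARN_A, KeyManager: 'AWS' },
  { Arn: ARN_B, KeyManager: 'CUSTOMER' },
];

// Pre-fold caller shape: a parallel array the orchestrator must keep in lockstep.
function legacyPromoteAll(findings, keyManagers) {
  return findings.map((f, i) => promoteFromKms(f, keyManagers[i]));
}

// Post-fold caller shape: one Map, order-independent.
function mapPromoteAll(findings, keys) {
  const keyManagerByArn = new Map(keys.map((k) => [k.Arn, k.KeyManager]));
  return findings.map((f) => promoteFromKms(f, keyManagerByArn));
}

// Simulate the wiring bug: the key list arrives in a different order than the
// findings. Legacy threading false-CLEANs db-1; the Map form is unaffected.
function wiringBugDemo() {
  const reordered = [...describedKeys].reverse();
  return {
    legacy: legacyPromoteAll(findings, reordered.map((k) => k.KeyManager)).map((f) => f.status),
    mapForm: mapPromoteAll(findings, reordered).map((f) => f.status),
  };
}

console.log(wiringBugDemo());
```

The fail-closed branch is the part worth keeping even in a legacy-form caller: an ARN that is absent from the Map yields UNKNOWN rather than CLEAN, so a gap in key enumeration surfaces as a finding instead of disappearing.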
§8 — Operator-config DoS caps
Affects plugin 1170 v2 (AWS EC2 SG Perimeter Auditor). New _OPERATOR_CONFIG_MAX_ENTRIES = 1000 named constant. _buildEffectiveRestrictedPorts caps additionalRestrictedPorts + additionalRestrictedPortNames at 1000 entries. _isSystemManagedSgName caps additionalSystemManagedSgNamePrefixes similarly. Operator-tunable via opts.additionalRestrictedPortsCap + opts.additionalSystemManagedSgNamePrefixesCap.
Defends against hostile config-injection attacks where unbounded operator-supplied arrays could inflate runtime memory and DoS the audit via O(N) per-rule iteration. A 100k-entry hostile config completes in under 1 second post-fold (test-validated).
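As an added example (not NSAuditor's own code), the cap discipline §8 describes applied to the two operator-supplied arrays the page names: a named constant, an operator-tunable override that cannot remove the bound, truncation before any per-entry work, and per-entry validation so negative and out-of-range values in a hostile mixed-input array are dropped rather than iterated. `OPERATOR_CONFIG_MAX_ENTRIES = 1000` and the `opts` keys follow the page (the `additionalRestrictedPortNames` path is left out); the function names, the returned shape and the built-in prefix list are assumptions.

```javascript
// Added example, not NSAuditor's own code: §8-style caps on operator-supplied arrays.
// The constant value and opts key names follow the page; everything else is assumed.

const OPERATOR_CONFIG_MAX_ENTRIES = 1000;

// An operator may tune the cap, but a non-integer or negative override falls back
// to the default rather than disabling the bound.
function resolveCap(override) {
  return Number.isInteger(override) && override >= 0 ? override : OPERATOR_CONFIG_MAX_ENTRIES;
}

// Only integers in 1..65535 are ports; strings, floats, negatives and 70000 are not.
function isValidPort(p) {
  return Number.isInteger(p) && p >= 1 && p <= 65535;
}

// Merge a fixed baseline with operator-supplied extra ports. The slice happens
// before any per-entry work, so cost is O(cap), not O(attacker-controlled length).
function buildEffectiveRestrictedPorts(basePorts, opts = {}) {
  const cap = resolveCap(opts.additionalRestrictedPortsCap);
  const extra = Array.isArray(opts.additionalRestrictedPorts) ? opts.additionalRestrictedPorts : [];
  const ports = new Set(basePorts);
  let dropped = 0;
  for (const p of extra.slice(0, cap)) {
    if (isValidPort(p)) ports.add(p);
    else dropped += 1;
  }
  return {
    ports: [...ports].sort((a, b) => a - b),
    truncated: Math.max(0, extra.length - cap), // entries never examined
    dropped,                                    // examined but invalid
  };
}

// Same discipline for security-group name prefixes: cap first, then validate each entry.
function isSystemManagedSgName(name, opts = {}) {
  const builtin = ['default']; // constructed built-in list for the example
  const cap = resolveCap(opts.additionalSystemManagedSgNamePrefixesCap);
  const extra = Array.isArray(opts.additionalSystemManagedSgNamePrefixes)
    ? opts.additionalSystemManagedSgNamePrefixes
    : [];
  const prefixes = builtin.concat(
    extra.slice(0, cap).filter((x) => typeof x === 'string' && x.length > 0),
  );
  return prefixes.some((pre) => name.startsWith(pre));
}

// Constructed hostile config: 100k entries mixing negatives, out-of-range and valid ports.
function hostileConfigDemo() {
  const hostile = Array.from({ length: 100000 }, (_, i) =>
    (i % 3 === 0 ? -1 : i % 3 === 1 ? 70000 : (i % 65535) + 1),
  );
  const started = Date.now();
  const result = buildEffectiveRestrictedPorts([22, 3389], { additionalRestrictedPorts: hostile });
  return { ...result, elapsedMs: Date.now() - started };
}

console.log(hostileConfigDemo());
```

Returning `truncated` and `dropped` alongside the effective list matters operationally: a cap that silently discards 99,000 entries should show up in the scan output, otherwise a misconfigured (rather than hostile) operator would never learn that most of their allow-list was ignored.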
Clean reviewer pass — first of the v0.5.x line
Independent reviewer pass confirmed clean code review: 0 R-CRITICAL + 0 R-HIGH + 3 R-MEDIUM/LOW folded same-session. Coverage-gap pin tests added for cross-plugin Map-form precedence on plugin 1140 + 1180, and DoS-cap negative/out-of-range entry validation on plugin 1170 hostile mixed-input arrays.
v0.5.x close-out retrospective
The v0.5.x line was about evidence-quality — widening the audit surface beyond AWS-SDK-substrate alone. Across five ship cycles the surface widened to network-layer DNS, cross-SDK CloudWatch, DKIM public-key fingerprint pinning, in-band DMARC alignment classification, and cross-plugin signature hardening. 50-session 100% green streak preserved across the entire line. Ten consecutive trio-publishes (0.4.5 → 0.5.4) institutionalize the EE + CE + agent-skill release discipline.
What’s deferred to the 0.6.x cross-plugin Thread H sweep
- AccessDenied circuit-breaker rollout to 6 plugins (1130 + 1140 + 1150 + 1170 + 1180 + 1190)
- Throttle wall-budget INFO finding emission across 5 plugins
- AccessDenied counter SSOT audit (EE-RT.18 v1 R-HIGH-3)
Next: 0.6.0 milestone
EE-RT.19 VPC Endpoints / PrivateLink Auditor — a NEW plugin in the 1100-1109 ID range. Plugin count grows 20 → 21.
Stats
- Plugin count UNCHANGED at 20
- +20 new tests across the v0.5.4 cycle (7 plugin 1140 R-MEDIUM-4 + 7 plugin 1180 R-MEDIUM-4 + 7 plugin 1170 §8 DoS-cap minus 1 reshuffle)
- EE full regression: 4982/4982 across 778 suites (was 4962/4962 at 0.5.3)
- 50-session 100% green streak preserved
- Memory closure: `emit_literal_set_drift` extended with `_OPERATOR_CONFIG_MAX_ENTRIES` + cross-plugin signature parity discipline
Recommended install (0.5.4)
npm install -g nsauditor-ai@0.1.53 @nsasoft/nsauditor-ai-ee@0.5.4
nsauditor-ai scan --host aws --plugins all --compliance soc2 --out evidence.json
# AI-coding-agent users also pull the refreshed skill:
npm install nsauditor-ai-agent-skill@0.1.20