NSAuditor AI CE 0.2.10 — MCP Affordance II: When the Summary Hides the Finding

CE 0.2.10 makes count-only MEDIUM/LOW cloud findings visible on the first scan_cloud call and adds an Enterprise-gated get_findings drill-down.


NSAuditor AI Community Edition 0.2.10 (“MCP affordance II”) is live on npm, paired with agent-skill 0.2.10 (Enterprise stays at 0.19.4). It closes the last transport-layer variant of the audit false-clean: a finding the scanner produced but the reader never counted.

The EE 0.19.4 Claude Desktop validation caught it live. The MCP scan_cloud summary itemized only CRITICAL/HIGH findings plus evidence-gaps, so actionable MEDIUM/LOW findings were count-only — and a Desktop agent narrated “the alarm dimension came back clean” while plugin 1150 had emitted four SQS/SNS no-alarm MEDIUMs. To an AI agent reading the summary, “there’s a count of medium findings” is indistinguishable from “there’s nothing there.”

CE 0.2.10 makes those findings visible on the first call. The summary now rolls up MEDIUM and LOW findings per provider, grouped by category and sorted count-descending, with no silent cap: the line compacts (eight rows to one) but never truncates, so nothing is hidden. Gap-marked findings stay in their own evidence-gap channel (no double-count), and a per-plugin fallback keeps the rollup actionable even for plugins that don’t yet emit a category.
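As an added illustration (not NSAuditor’s code), the following shows the difference an agent sees between a count-only summary and the per-provider, per-category rollup described above, run over a constructed finding set modelled on the SQS/SNS no-alarm case; the finding field names, plugin ids and sample values are assumptions for this example.

```javascript
// Constructed sample findings (field names are assumptions, not NSAuditor's schema).
// Four MEDIUM no-alarm findings from one plugin, one LOW finding from a plugin that
// emits no category, one gap-marked finding, and one HIGH finding.
const findings = [
  { provider: 'aws', plugin: '1150', severity: 'MEDIUM', category: 'no-alarm', resource: 'sqs:queue-a' },
  { provider: 'aws', plugin: '1150', severity: 'MEDIUM', category: 'no-alarm', resource: 'sqs:queue-b' },
  { provider: 'aws', plugin: '1150', severity: 'MEDIUM', category: 'no-alarm', resource: 'sns:topic-a' },
  { provider: 'aws', plugin: '1150', severity: 'MEDIUM', category: 'no-alarm', resource: 'sns:topic-b' },
  { provider: 'aws', plugin: '2201', severity: 'LOW', resource: 's3:bucket-x' }, // no category emitted
  { provider: 'aws', plugin: '1150', severity: 'MEDIUM', category: 'no-alarm', resource: 'sqs:queue-c', gap: true },
  { provider: 'aws', plugin: '0042', severity: 'HIGH', category: 'public-exposure', resource: 'sg:sg-1' },
];

const isMediumLow = f => f.severity === 'MEDIUM' || f.severity === 'LOW';

// Pre-fix shape: only CRITICAL/HIGH are itemized; MEDIUM/LOW collapse to a number.
// A reader cannot distinguish "four no-alarm findings" from "nothing actionable".
function countOnlySummary(findings) {
  const itemized = findings
    .filter(f => !f.gap && (f.severity === 'CRITICAL' || f.severity === 'HIGH'))
    .map(f => `${f.severity} ${f.provider}/${f.plugin} ${f.resource}`);
  const mediumLow = findings.filter(f => !f.gap && isMediumLow(f)).length;
  const gaps = findings.filter(f => f.gap).length;
  return { itemized, mediumLow, gaps };
}

// Fixed shape: MEDIUM/LOW rolled up per provider, grouped by category, count-descending.
// Gap-marked findings are skipped here because they belong to the evidence-gap channel.
// A finding without a category falls back to its plugin id as the group key.
// All groups are emitted on one compact line; nothing is capped.
function rollupMediumLow(findings) {
  const perProvider = new Map();
  for (const f of findings) {
    if (f.gap || !isMediumLow(f)) continue;
    const key = f.category ?? `plugin:${f.plugin}`;
    const counts = perProvider.get(f.provider) ?? new Map();
    counts.set(key, (counts.get(key) ?? 0) + 1);
    perProvider.set(f.provider, counts);
  }
  const lines = [];
  for (const [provider, counts] of perProvider) {
    const rows = [...counts].sort((a, b) => b[1] - a[1] || a[0].localeCompare(b[0]));
    lines.push(`${provider} MEDIUM/LOW: ` + rows.map(([k, n]) => `${k}=${n}`).join(', '));
  }
  return lines;
}
```

Running both over the same input shows the count-only form reporting five MEDIUM/LOW findings as a bare number, while the rollup names the no-alarm group and the category-less plugin on a single line.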

A new Enterprise-gated tool, get_findings, drills into the most recent scan’s findings: filter by provider, plugin, severity, or category; paginate; and read the full untruncated finding text. The cache is per-provider and per-session, keyed by a scanId carried in the summary footer, so an agent goes from a category to the specific resources without re-scanning and without falling back to a raw cloud-provider API (a fallback that, in the validation, mis-routed to the production account). The Enterprise license boundary is checked before the cache is ever read: a Community or Pro caller gets the same upgrade denial as scan_cloud, never cached Enterprise findings, as proven by a committed leak-path test.

A green compliance verdict the customer can’t trust is worse than no verdict. CE 0.2.10 closes the gap between what the scanner produces and what the agent reads. Community Edition is MIT and free; the cloud audit surface and get_findings require an Enterprise license. https://www.nsauditor.com/ai/enterprise/