NSAuditor AI EE 0.15.9: Cross-Cloud Scan Isolation Hardens Multi-Cloud Audit Pack Provenance
EE 0.15.9 hardens multi-cloud audit pack provenance: a GCP-targeted scan yields zero AWS resources even with AWS credentials present. GCP SDK refresh folded in.
NSAuditor AI EE 0.15.9 ships today as the forty-seventh consecutive trio-publish on npm (EE 0.15.9 + CE 0.1.90 + agent-skill 0.1.57), hardening multi-cloud audit pack provenance at the load-bearing path. The release also folds in the EE 0.15.7 GCP SDK refresh and the first live GCP audit.
What changed
When you run a GCP-targeted scan, the resulting audit pack must contain only GCP resources — not AWS resources that happened to be discoverable because AWS credentials were on the workstation. The same guarantee applies in reverse: an AWS scan run on a machine that also has Azure or GCP credentials must produce an AWS-only attestation pack.
EE 0.15.9 ships that guarantee at the load-bearing path. Each AWS plugin’s main execution entry now consults a lenient CLOUD_PROVIDER gate and short-circuits when the scan targets a non-AWS cloud — before any AWS API call. The gate stays lenient: an AWS-only run that doesn’t set CLOUD_PROVIDER is unaffected, preserving the existing default behavior for single-cloud customers.
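A sketch of the gate described above, as an added example that is not NSAuditor AI's own code. Only CLOUD_PROVIDER comes from the release notes; the function names, the env-style object it is read from, the single-value matching and the stub AWS client are assumptions.

```javascript
// Added illustration, not NSAuditor AI source. Only CLOUD_PROVIDER comes from
// the release notes; every other name here is hypothetical.

// Lenient gate: unset or empty CLOUD_PROVIDER keeps the AWS-only default.
// Assumption: a single case-insensitive provider name.
function awsGateAllows(env) {
  const provider = String(env.CLOUD_PROVIDER ?? '').trim().toLowerCase();
  return provider === '' || provider === 'aws';
}

// Stub standing in for an AWS SDK client; counts calls so a check can prove
// the gate fired before any API request (constructed data).
function makeStubAwsClient() {
  const client = {
    calls: 0,
    async listBuckets() {
      client.calls += 1;
      return ['constructed-bucket-a', 'constructed-bucket-b'];
    },
  };
  return client;
}

// Plugin entry point: the gate is the first statement, ahead of any AWS call.
async function runAwsPlugin(env, awsClient) {
  if (!awsGateAllows(env)) {
    return { skipped: true, resources: [] };
  }
  const buckets = await awsClient.listBuckets();
  return {
    skipped: false,
    resources: buckets.map((id) => ({ provider: 'aws', type: 's3-bucket', id })),
  };
}

// Assemble a pack from the target cloud's findings plus whatever the AWS
// plugin returned, then report the two numbers that matter for isolation.
async function simulateScan(env, targetFindings = []) {
  const aws = makeStubAwsClient();
  const result = await runAwsPlugin(env, aws);
  const pack = [...targetFindings, ...result.resources];
  const awsInPack = pack.filter((r) => r.provider === 'aws').length;
  return { pack, awsApiCalls: aws.calls, awsInPack };
}
```

Counting calls on the stub separates "no AWS resources in the pack" from "no AWS API call was made", which is the stronger property the release claims.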
End-to-end bleed-gone proof, done on the published build
A real CLI GCP scan with AWS credentials present yields a GCP audit pack containing zero AWS resources, while the genuine GCP findings remain — the three default-allow firewall findings the GCP auditor surfaces against the test-infrastructure project. The same proof applies to the signed attestation pack: the cryptographic evidence stream for a GCP scan now contains only GCP resources.
GCP SDK refresh folded into this cycle
EE 0.15.7 shipped the GCP SDK major bump (@google-cloud/compute ^4 → ^6, @google-cloud/iam ^1 → ^2, googleapis ^144 → ^173) alongside the first live GCP audit on real Google Cloud infrastructure. The GCP scan path runs on the pure-ADC / key-file authentication chain; the impersonation gap and the contract a future authentication bridge would need to satisfy are documented in the plugin source for the next maintainer — no speculative shim shipped, no overrides that would force untested versions on transitive dependencies.
Engineering discipline
The multi-cloud isolation guarantee was caught by dogfooding — a full multi-cloud smoke test of the prior published build surfaced the cross-cloud bleed, and the validation rebuilt for 0.15.9 exercises the same code path the scan orchestrator dispatches through, not the pre-flight readiness check the orchestrator skips. The institutional lesson is plain: a guard is only proven by exercising the path that runs in production. The published-build validation is an actual CLI scan that greps the GCP audit pack for AWS resources and requires zero.
Scope
- No new plugin, plugin count UNCHANGED at 28 (cloud-audit 27).
- All six coverage matrices UNCHANGED — this is a runtime-isolation guarantee, not a scope change: SOC 2 10/4/33 · HIPAA 7/3/45 · NIST CSF 2.0 13/10/83 · PCI DSS 20/8/39 · ISO 27001 17/14/62 · CIS v8 17/22/114.
- No dependency change in 0.15.9 itself.
- EE full regression 6741/6745 GREEN (the four non-passing are a pre-existing environmental license-fixture artifact in the test harness, unrelated to this change).
Hexa-framework one-scan workflow
--compliance soc2,hipaa,nist-csf,pci-dss,iso-27001,cis-v8 produces six separate auditor-ready evidence packs from a single scan. Zero data exfiltration — all evidence generated inside your infrastructure. CE 0.1.90 + agent-skill 0.1.57 are paired no-op bumps preserving the @latest pin alignment across the trio.
Install
npm install -g nsauditor-ai@latest @nsasoft/nsauditor-ai-ee@latest nsauditor-ai-agent-skill@latest
Forty-seventh consecutive trio-publish — LIVE on npm 2026-05-29.



