Las Vegas, NV — 2026-05-27 — Nsasoft US LLC shipped the NSAuditor AI Enterprise Edition 0.15.x line as three same-day trio-publishes on 2026-05-27. 0.15.0 introduced the NEW plugin 1222 Azure Key Vault Deep Auditor — the 27 → 28 plugin-count driver. 0.15.1 patched two defects the published-build live smoke surfaced in that new plugin. 0.15.2 added four real-production-account-driven audit-accuracy calibration and CloudTrail hardening folds, including two long-planned plugin-1222 depth items folded into the same release window. This post covers the cumulative story. Plugin count moved 27 → 28; all six compliance coverage matrices are unchanged across the entire line; the cumulative regression is 6568/6568 GREEN; and the cycle institutionalizes the fortieth consecutive trio-publish.
Why three same-day publishes
The institutional bargain on a security auditor is that the published artifact tells the truth on a real account. The test fixtures got the auditor close; the live smoke surfaced what the fixtures never could. Each intermediate published-build smoke uncovered a new fold; rather than wait days, the team patched, re-smoked, and re-published until the line was stable. Marketing was held until 0.15.2 so the public copy reflected the line that customers would actually install.
EE 0.15.0 — NEW plugin 1222 Azure Key Vault Deep Auditor (Move C-2.3)
The third dedicated Azure auditor in the platform, after plugin 1220 (storage hardening) and plugin 1221 (NSG perimeter). The Key Vault analog of how plugin 1221 deepens plugin 1022’s flat NSG dim. Plugin count 27 → 28 (cloud-audit 26 → 27; ID range now 1020–1222). Four dimensions across each vault’s keys, role assignments, and diagnostic settings:
- Key auto-rotation policy
- Key expiry (epoch-s/ms/Date/string coerced)
- Diagnostic logging → Log Analytics via @azure/arm-monitor
- Privileged-access depth: RBAC roleAssignments with admin / data-plane / scope-aware tiering + legacy accessPolicies for export and wide-crypto breadth
Deliberately orthogonal to plugin 1022’s vault-property dims (purge / soft-delete / network-ACL / RBAC-mode) — no double-emission of a verdict. Secret and certificate expiry are a stated data-plane scope boundary, not a silent miss.
Six-framework routing — substrate-depth uplift; all matrices UNCHANGED: SOC 2 CC6.3 / C1.1 / CC6.1 / CC7.2 · HIPAA §164.312(a)(2)(iv) / (b) / (a)(1) · NIST CSF PR.DS-01 / DE.CM-09 / PR.AA-05 · PCI DSS 3.5.1 / 10.2.1 / 7.2.1 · ISO 27001 A.8.24 / A.8.15 / A.5.15 + A.8.2 · CIS v8 3.11 / 8.2 / 5.4. Adversarial review (audit-cloud-plugin-false-negatives lens): SHIP-WITH-FOLDS, four folds applied same-session. Tests: +28 versus the 0.14.1 baseline (6523/6523 GREEN). @azure/arm-monitor@^7.0.0 added to optionalDependencies — Dim 3 soft-degrades to an evidence-gap if absent.
EE 0.15.1 — plugin 1222 follow-up patches
The 0.15.0 published-build live smoke surfaced two defects in the new plugin. Both were fixed within hours.
H-1 — Dim-3 diagnostic-logging SDK-shape fix. The diagnostic-logging dim iterated @azure/arm-monitor's diagnosticSettings.list() with for await, but that call actually returns Promise<{value:[]}>, a collection object rather than a paged async iterator. The for await always threw, and the dim degraded to an evidence-gap: fail-safe but non-functional. The unit-test mock had the wrong shape too; the mock-versus-real-SDK mismatch was exactly what masked the defect through 0.15.0. Fixed to await the call and read .value, with the mock corrected to the real Promise<{value}> shape.
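The H-1 defect and its fix, as an added illustration (not NSAuditor code, and not Nsasoft's test mock): the real @azure/arm-monitor DiagnosticSettings.list(resourceUri) resolves to a collection object { value: [...] }, not an async iterator, so for await over it throws before a single setting is read and the dim can only ever produce an evidence-gap. The mock client, vault resource ID and settings below are constructed; the mock is built to the real collection shape so the test exercises the same code path the live SDK does.

```javascript
// Added example, not NSAuditor code. Mirrors the H-1 fix: the SDK call returns a
// collection object, so the dim must await it and read .value.

// Constructed mock client built to the REAL SDK shape: list() resolves to { value: [...] }.
// Resources in `failing` reject, to exercise the evidence-gap branch.
function makeMonitorClient(settingsByResource, failing = new Set()) {
  return {
    diagnosticSettings: {
      list: async (resourceUri) => {
        if (failing.has(resourceUri)) throw new Error('AuthorizationFailed (constructed 403)');
        return { value: settingsByResource[resourceUri] || [] };
      },
    },
  };
}

// Dim 3 (fixed form): is at least one diagnostic setting routing enabled logs to Log Analytics?
async function auditDiagnosticLogging(monitorClient, vaultResourceId) {
  try {
    const collection = await monitorClient.diagnosticSettings.list(vaultResourceId);
    const settings = collection.value || [];
    const routed = settings.filter(s => s.workspaceId && (s.logs || []).some(l => l.enabled));
    if (routed.length > 0) {
      return { verdict: 'PASS', evidence: routed.map(s => s.name) };
    }
    return { verdict: 'FAIL', severity: 'MEDIUM', evidence: settings.map(s => s.name) };
  } catch (err) {
    // Fail-safe: an SDK error is an evidence gap, never a silent PASS.
    return { verdict: 'EVIDENCE_GAP', reason: `${err.name}: ${err.message}` };
  }
}

// The pre-0.15.1 form, kept only to show why the dim always degraded: `for await`
// over the Promise/collection object throws a TypeError before any setting is read.
async function brokenAuditDiagnosticLogging(monitorClient, vaultResourceId) {
  try {
    for await (const s of monitorClient.diagnosticSettings.list(vaultResourceId)) {
      if (s.workspaceId) return { verdict: 'PASS' };
    }
    return { verdict: 'FAIL' };
  } catch (err) {
    return { verdict: 'EVIDENCE_GAP', reason: err.name };
  }
}

// Constructed sample data.
const SUB = '/subscriptions/00000000-0000-0000-0000-000000000000';
const VAULT_ID = `${SUB}/resourceGroups/rg-demo/providers/Microsoft.KeyVault/vaults/kv-demo`;
const UNLOGGED_VAULT_ID = `${SUB}/resourceGroups/rg-demo/providers/Microsoft.KeyVault/vaults/kv-quiet`;
const DENIED_VAULT_ID = `${SUB}/resourceGroups/rg-other/providers/Microsoft.KeyVault/vaults/kv-denied`;
const mockClient = makeMonitorClient({
  [VAULT_ID]: [{
    name: 'kv-to-law',
    workspaceId: `${SUB}/resourceGroups/rg-demo/providers/Microsoft.OperationalInsights/workspaces/law-demo`,
    logs: [{ category: 'AuditEvent', enabled: true }],
  }],
  [UNLOGGED_VAULT_ID]: [{ name: 'kv-disabled', workspaceId: null, logs: [{ category: 'AuditEvent', enabled: false }] }],
}, new Set([DENIED_VAULT_ID]));
```

The instructive part is the mock: because it returns the real collection shape, the broken variant fails against it the same way it failed against the live SDK, which is precisely what the 0.15.0 mock did not do.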
H-2 — Dim-4 inherited-admin severity re-tune. The privileged-access dim was flagging inherited subscription-scope and management-group-scope Owner / Contributor role assignments at the top severity tier on every RBAC vault — a ubiquitous Azure control-plane reality, so essentially every vault produced a top-tier false alarm. Re-tuned: inherited Owner / User Access Administrator → MEDIUM; inherited Contributor → LOW; top severity reserved for VAULT-scoped control-plane god roles and Key Vault Administrator at any scope. The severity now matches real Azure RBAC inheritance reality.
Tests: +3 versus the 0.15.0 baseline (6526/6526 GREEN).
EE 0.15.2 — audit-accuracy calibration and CloudTrail hardening (four folds)
A second published-build re-smoke on 0.15.1, this time against a real production Serverless account, surfaced four further calibration and hardening folds. Three were real-prod-driven; two were long-planned Azure depth items folded into the same window.
Fold 1 — plugin 1020 (AWS S3): effective-public-exposure calibration
The S3 auditor was rating buckets at the top severity tier on a missing Public Access Block alone, without checking whether the bucket was actually public. On the live account, 11 buckets so flagged were verified IsPublic=False with no public ACL and no public policy. Missing or partial PAB now rates MEDIUM — a guardrail gap, not current exposure. Top severity is now reserved for confirmed-public. A new GetBucketAcl check completes the public-exposure join (ACL × policy × PAB): a public AllUsers or AuthenticatedUsers ACL grant is top-severity unless the PAB IgnorePublicAcls neutralizes it (then LOW). The ACL leg is load-bearing — without it, lowering missing-PAB to MEDIUM would have silently downgraded a bucket that is public via ACL alone. This fold closes a public-via-ACL false-negative class at the same time as it fixes the false-positive class.
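The three-leg join described above, as an added example that is not part of the post or of NSAuditor's own plugin 1020. Field names follow the AWS S3 API responses (GetPublicAccessBlock → PublicAccessBlockConfiguration flags, GetBucketAcl → Grants, GetBucketPolicyStatus → PolicyStatus.IsPublic); the sample buckets are constructed, and the name of the top severity tier, HIGH, is an assumption since the post does not name it.

```javascript
// Added example, not NSAuditor code: effective public exposure = ACL x policy x PAB.
// "HIGH" as the name of the top tier is an assumption.

const PAB_FLAGS = ['BlockPublicAcls', 'IgnorePublicAcls', 'BlockPublicPolicy', 'RestrictPublicBuckets'];
const ALL_USERS = 'http://acs.amazonaws.com/groups/global/AllUsers';
const AUTHENTICATED_USERS = 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers';
const RANK = { HIGH: 0, MEDIUM: 1, LOW: 2 };

// 'full' when all four PAB flags are true, 'missing' when none are (or no PAB), else 'partial'.
function pabState(pab) {
  const on = pab ? PAB_FLAGS.filter(f => pab[f] === true).length : 0;
  if (on === PAB_FLAGS.length) return 'full';
  return on === 0 ? 'missing' : 'partial';
}

// ACL grants to the two public predefined groups.
function publicAclGrants(grants) {
  return (grants || []).filter(g => g.Grantee && g.Grantee.Type === 'Group'
    && (g.Grantee.URI === ALL_USERS || g.Grantee.URI === AUTHENTICATED_USERS));
}

// Findings for one bucket, highest severity first. An empty list is a PASS.
function classifyBucket({ name, pab, grants, policyIsPublic }) {
  const findings = [];
  const state = pabState(pab);
  const publicAcl = publicAclGrants(grants);

  // Leg 1: bucket policy confirmed public (PolicyStatus.IsPublic) -> top tier.
  if (policyIsPublic === true) {
    findings.push({ bucket: name, severity: 'HIGH', title: 'Bucket policy grants public access' });
  }
  // Leg 2: public ACL grant -> top tier, unless PAB IgnorePublicAcls neutralizes it (then LOW).
  if (publicAcl.length > 0) {
    const neutralized = !!(pab && pab.IgnorePublicAcls === true);
    findings.push({
      bucket: name,
      severity: neutralized ? 'LOW' : 'HIGH',
      title: neutralized
        ? 'Public ACL grant present but neutralized by IgnorePublicAcls'
        : `ACL grants ${publicAcl.map(g => g.Permission).join(',')} to ${publicAcl.map(g => g.Grantee.URI.split('/').pop()).join(',')}`,
    });
  }
  // Leg 3: missing or partial PAB is a guardrail gap, not current exposure -> MEDIUM.
  if (state !== 'full') {
    findings.push({ bucket: name, severity: 'MEDIUM', title: `Public Access Block ${state}` });
  }
  return findings.sort((a, b) => RANK[a.severity] - RANK[b.severity]);
}

function effectiveSeverity(bucket) {
  const findings = classifyBucket(bucket);
  return findings.length ? findings[0].severity : 'PASS';
}

// Constructed sample buckets, one per leg of the join.
const FULL_PAB = { BlockPublicAcls: true, IgnorePublicAcls: true, BlockPublicPolicy: true, RestrictPublicBuckets: true };
const OWNER_GRANT = { Grantee: { Type: 'CanonicalUser', ID: 'constructed-owner-canonical-id' }, Permission: 'FULL_CONTROL' };
const ALL_USERS_READ = { Grantee: { Type: 'Group', URI: ALL_USERS }, Permission: 'READ' };
const SAMPLE_BUCKETS = {
  noPabNotPublic: { name: 'logs-archive', pab: null, grants: [OWNER_GRANT], policyIsPublic: false },
  aclPublicNoPab: { name: 'static-site', pab: null, grants: [OWNER_GRANT, ALL_USERS_READ], policyIsPublic: false },
  aclNeutralized: { name: 'legacy-acl', pab: FULL_PAB, grants: [OWNER_GRANT, ALL_USERS_READ], policyIsPublic: false },
  policyPublicPartialPab: {
    name: 'downloads',
    pab: { ...FULL_PAB, BlockPublicPolicy: false, RestrictPublicBuckets: false },
    grants: [OWNER_GRANT],
    policyIsPublic: true,
  },
  hardened: { name: 'backups', pab: FULL_PAB, grants: [OWNER_GRANT], policyIsPublic: false },
};
```

The noPabNotPublic bucket is the shape the live smoke found 11 times: before the fold it would have been rated at the top tier on the missing PAB alone, now it is MEDIUM. The aclPublicNoPab bucket shows why the ACL leg is load-bearing: without it, the same lowering would have left a bucket that is public via ACL alone at MEDIUM.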
Fold 2 — plugin 1040 (CloudTrail): KMS-CMK calibration
The trail-level “log files not encrypted with a KMS-CMK (KmsKeyId not set)” MEDIUM was firing even when the trail’s destination bucket had default SSE-KMS — i.e. the log files were already CMK-encrypted at rest, and trail-level KMS would only be additive. When the destination bucket is confirmed SSE-KMS via a new GetBucketEncryption check, the finding downgrades to LOW and is reworded as an additive defense-in-depth note. The “not encrypted” anchor string is dropped so the finding no longer routes to the CC7.1 “unencrypted” control — because the logs are encrypted. Where the bucket is AES256, none, or unverifiable, the original MEDIUM anchor stands verbatim.
Fold 3 — plugin 1040 (CloudTrail): multi-region timeout hardening via AbortSignal
Plugin 1040 enumerates up to 40 regions; disabled and opt-in regions can hang inside the region-enumeration Promise.all because the SDK sends had no per-call abort. The plugin’s 80% soft-budget, checked only between phases, never fired, and the orchestrator hard-cancelled at the timeout with no output. An AbortController tied to the soft-budget deadline is now threaded into the region-enumeration and per-trail SDK sends: a hung region aborts, the inter-phase budget check fires, and the existing partial-evidence finalization emits. The plugin reports partial multi-region evidence with an explicit coverage caveat instead of nothing. The no-abort path — the common case, accounts that finish under budget — is unchanged. The 40-region default is deliberately preserved.
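The abort-threading pattern from Fold 3, as an added example (not NSAuditor's plugin 1040 and not AWS SDK code): one AbortController armed at 80% of the plugin budget is shared by every per-region send, so a region that never answers rejects with an AbortError instead of stalling Promise.all past the orchestrator's hard timeout, and the partial-evidence finalization still emits with a coverage caveat. fetchTrailsInRegion is a constructed stand-in for an AWS SDK v3 client.send(command, { abortSignal }) call; the region list and per-region behaviour are constructed.

```javascript
// Added example, not NSAuditor code. fetchTrailsInRegion stands in for an AWS SDK v3
// send(command, { abortSignal }); it honours the signal the way the real SDK does.

function abortError(region) {
  const err = new Error(`request to ${region} aborted by soft-budget deadline`);
  err.name = 'AbortError';
  return err;
}

// Constructed stand-in SDK call. behaviour[region] is { delayMs, trails } or { hang: true }.
function fetchTrailsInRegion(region, { abortSignal }, behaviour) {
  return new Promise((resolve, reject) => {
    const spec = behaviour[region] || { delayMs: 5, trails: [] };
    if (abortSignal.aborted) return reject(abortError(region));
    let timer = null;
    const onAbort = () => { if (timer) clearTimeout(timer); reject(abortError(region)); };
    abortSignal.addEventListener('abort', onAbort, { once: true });
    if (spec.hang) return; // disabled / opt-in region that never answers
    timer = setTimeout(() => {
      abortSignal.removeEventListener('abort', onAbort);
      resolve({ region, trailList: spec.trails }); // DescribeTrails-style response
    }, spec.delayMs);
  });
}

// Region-enumeration phase: one controller, armed at 80% of the budget, threaded into
// every per-region send. Each send catches its own AbortError so Promise.all completes.
async function enumerateRegions(regions, budgetMs, sdkCall) {
  const controller = new AbortController();
  const softDeadline = setTimeout(() => controller.abort(), Math.floor(budgetMs * 0.8));
  try {
    const results = await Promise.all(regions.map(region =>
      sdkCall(region, { abortSignal: controller.signal })
        .then(r => ({ ok: true, region, trailList: r.trailList }))
        .catch(err => ({ ok: false, region, reason: err.name }))));
    return finalize(regions, results);
  } finally {
    clearTimeout(softDeadline); // no-abort path: accounts that finish under budget never see the signal fire
  }
}

// Partial-evidence finalization: everything collected plus an explicit coverage caveat.
function finalize(regions, results) {
  const covered = results.filter(r => r.ok);
  const missed = results.filter(r => !r.ok).map(r => ({ region: r.region, reason: r.reason }));
  return {
    trails: covered.flatMap(r => r.trailList),
    coveredRegions: covered.map(r => r.region),
    missedRegions: missed,
    partial: missed.length > 0,
    caveat: missed.length > 0
      ? `Partial multi-region evidence: ${missed.length} of ${regions.length} regions did not answer before the soft budget (${missed.map(m => m.region).join(', ')})`
      : null,
  };
}

// Constructed behaviour: two responsive regions and one opt-in region that hangs.
const REGIONS = ['us-east-1', 'eu-west-1', 'ap-east-1'];
const HUNG_REGION_BEHAVIOUR = {
  'us-east-1': { delayMs: 5, trails: [{ Name: 'org-trail', IsMultiRegionTrail: true }] },
  'eu-west-1': { delayMs: 5, trails: [{ Name: 'eu-local-trail', IsMultiRegionTrail: false }] },
  'ap-east-1': { hang: true },
};
const ALL_RESPONSIVE_BEHAVIOUR = { ...HUNG_REGION_BEHAVIOUR, 'ap-east-1': { delayMs: 5, trails: [] } };

function auditWithHungRegion(budgetMs = 200) {
  return enumerateRegions(REGIONS, budgetMs, (region, opts) => fetchTrailsInRegion(region, opts, HUNG_REGION_BEHAVIOUR));
}
function auditAllResponsive(budgetMs = 200) {
  return enumerateRegions(REGIONS, budgetMs, (region, opts) => fetchTrailsInRegion(region, opts, ALL_RESPONSIVE_BEHAVIOUR));
}
```

With a 200 ms budget the controller fires at 160 ms: the two responsive regions have long since resolved, the hung region rejects, and the plugin returns two trails with a caveat naming ap-east-1 instead of returning nothing. When every region answers, the timer is cleared before it fires and the result is identical to the pre-fold behaviour.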
Fold 4 — plugin 1221 (Azure NSG): restricted-UDP port-set expansion
Ten more sensitive UDP ports added to the perimeter auditor’s restricted set: RADIUS (1812/1813 with legacy 1645/1646), L2TP (1701), SIP (5060), mDNS (5353), RIP (520), XDMCP (177), chargen (19). Authentication backplanes, VPN endpoints, amplification and recon vectors. Rides the existing CC6.6 (?:TCP|UDP) titlePatterns generalized in 0.14.1 — no mapping change.
Fold 5 — plugin 1222 (Azure Key Vault): F-2 custom-role resolution and F-7.2 HSM-backing dim
F-2 custom-role resolution. A custom Azure role granting Key Vault key or secret privileges was previously unclassified — a silent false negative the auditor read as no-broad-grant. Each non-built-in role is now resolved via roleDefinitions.getById and its actions / dataActions inspected for Key Vault wildcards or sensitive verbs. A privileged custom role is tiered exactly like the built-in admin path. An unresolvable role becomes a LOW evidence-gap — never a silent PASS.
F-7.2 HSM-backing dim. Each key’s kty is read; a software-backed key (RSA or EC, not the *-HSM variants) emits a LOW hardening recommendation toward HSM-backed keys (FIPS 140-2 Level 2/3 assurance).
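The F-2 custom-role resolution, as an added example that is not NSAuditor's plugin 1222 code. roleDefinitions.getById is the @azure/arm-authorization call the post names, and the mock below returns the real ARM role-definition shape (roleName, roleType, permissions[].actions / notActions / dataActions / notDataActions); the custom roles, role-definition IDs and assignment data are constructed, and the lists of control-plane and data-plane actions treated as privileged are an assumption. The example also applies ARM's notActions/notDataActions subtraction and its `*` glob semantics, which the post does not spell out.

```javascript
// Added example, not NSAuditor code. Classifies a resolved role definition by whether its
// effective actions/dataActions (patterns minus not-patterns) cover Key Vault admin verbs.

// Assumption: these concrete actions are the probes; any wildcard that covers them
// (e.g. '*', 'Microsoft.KeyVault/*', 'Microsoft.KeyVault/vaults/keys/*') counts too.
const KV_PRIVILEGED_CONTROL_ACTIONS = [
  'Microsoft.KeyVault/vaults/write',
  'Microsoft.KeyVault/vaults/accessPolicies/write',
  'Microsoft.Authorization/roleAssignments/write',
];
const KV_SENSITIVE_DATA_ACTIONS = [
  'Microsoft.KeyVault/vaults/keys/decrypt/action',
  'Microsoft.KeyVault/vaults/keys/sign/action',
  'Microsoft.KeyVault/vaults/keys/backup/action',
  'Microsoft.KeyVault/vaults/secrets/getSecret/action',
];

// ARM action strings use '*' as a glob over any characters, matched case-insensitively.
function armGlobToRegex(pattern) {
  const body = pattern.split('*').map(s => s.replace(/[.+?^${}()|[\]\\]/g, '\\$&')).join('.*');
  return new RegExp(`^${body}$`, 'i');
}

// True when some permission block grants `action` via `field` and no block excludes it via `notField`.
function effectivelyGrants(permissions, field, notField, action) {
  const covers = (pats) => (pats || []).some(p => armGlobToRegex(p).test(action));
  return permissions.some(p => covers(p[field])) && !permissions.some(p => covers(p[notField]));
}

function classifyRoleDefinition(def) {
  const perms = def.permissions || [];
  const control = KV_PRIVILEGED_CONTROL_ACTIONS.filter(a => effectivelyGrants(perms, 'actions', 'notActions', a));
  const data = KV_SENSITIVE_DATA_ACTIONS.filter(a => effectivelyGrants(perms, 'dataActions', 'notDataActions', a));
  const plane = control.length && data.length ? 'control+data' : control.length ? 'control' : data.length ? 'data' : null;
  return { roleName: def.roleName, roleType: def.roleType, privileged: plane !== null, plane, matched: [...control, ...data] };
}

// Resolve one assignment's role. Unresolvable -> LOW evidence gap, never a silent PASS.
async function classifyAssignment(assignment, authClient) {
  let def;
  try {
    def = await authClient.roleDefinitions.getById(assignment.roleDefinitionId);
  } catch (err) {
    return { ...assignment, verdict: 'EVIDENCE_GAP', severity: 'LOW', reason: `${err.name}: ${err.message}` };
  }
  const c = classifyRoleDefinition(def);
  return { ...assignment, roleName: c.roleName, verdict: c.privileged ? 'PRIVILEGED' : 'UNPRIVILEGED', plane: c.plane, matched: c.matched };
}

// Constructed role definitions and a mock client with the real getById call name.
const SUB = '/subscriptions/00000000-0000-0000-0000-000000000000';
const ROLE_DEFS = {
  [`${SUB}/providers/Microsoft.Authorization/roleDefinitions/00000000-0000-0000-0000-000000000001`]: {
    roleName: 'kv-crypto-operator', roleType: 'CustomRole',
    permissions: [{ actions: [], notActions: [], dataActions: ['Microsoft.KeyVault/vaults/keys/*'],
                    notDataActions: ['Microsoft.KeyVault/vaults/keys/backup/action'] }],
  },
  [`${SUB}/providers/Microsoft.Authorization/roleDefinitions/00000000-0000-0000-0000-000000000002`]: {
    roleName: 'kv-key-metadata-reader', roleType: 'CustomRole',
    permissions: [{ actions: ['Microsoft.KeyVault/vaults/read'], notActions: [],
                    dataActions: ['Microsoft.KeyVault/vaults/keys/read'], notDataActions: [] }],
  },
  [`${SUB}/providers/Microsoft.Authorization/roleDefinitions/00000000-0000-0000-0000-000000000003`]: {
    roleName: 'wide-control-plane', roleType: 'CustomRole',
    permissions: [{ actions: ['*'], notActions: ['Microsoft.Authorization/*/Delete'], dataActions: [], notDataActions: [] }],
  },
};
const mockAuthClient = {
  roleDefinitions: {
    getById: async (id) => {
      if (!ROLE_DEFS[id]) { const e = new Error(`role definition not found: ${id}`); e.name = 'RestError'; throw e; }
      return ROLE_DEFS[id];
    },
  },
};
const ASSIGNMENTS = Object.keys(ROLE_DEFS).concat([`${SUB}/providers/Microsoft.Authorization/roleDefinitions/00000000-0000-0000-0000-0000000000ff`])
  .map((roleDefinitionId, i) => ({ principalId: `constructed-principal-${i}`, scope: `${SUB}/resourceGroups/rg-demo`, roleDefinitionId }));

function classifyAllAssignments() {
  return Promise.all(ASSIGNMENTS.map(a => classifyAssignment(a, mockAuthClient)));
}
```

kv-crypto-operator is the case the post describes: a custom role that grants key decrypt and sign through a wildcard, which a classifier keyed only on built-in role names would have read as no-broad-grant. The fourth assignment points at an ID the mock cannot resolve and comes back as a LOW evidence gap rather than an implicit PASS.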
Tests: +42 versus 0.15.1 (6568/6568 GREEN — the cumulative cycle total).
Six-framework routing — all matrices unchanged across the line
Every fold across the entire 0.15.x line either re-uses an existing titlePattern or emits a LOW informational finding that intentionally does not route. No framework JSON changed; no control gained or lost a first-mapping. All six matrices verified unchanged: SOC 2 10/4/33 · HIPAA 7/3/45 · NIST CSF 2.0 13/10/83 · PCI DSS 20/8/39 · ISO 27001 17/14/62 · CIS v8 17/22/114. Plugin count 27 → 28 (cloud-audit 26 → 27) — the 0.15.0 driver.
Adversarial review and cumulative regression
Each cloud-plugin change was reviewed through the audit-cloud-plugin-false-negatives lens. SHIP across all four 0.15.2 folds; SHIP-WITH-FOLDS on the 0.15.0 plugin 1222 introduction (four same-session folds applied at author time). The H-1 SDK-shape and H-2 RBAC re-tune in 0.15.1 were live-smoke-driven additions outside the adversarial lens — both verified against a live Azure account before publish. Cumulative regression: 6568/6568 GREEN (+73 versus the 0.14.1 baseline of 6495).
Three same-day trio-publishes — predecessors deprecated
The 38th, 39th, and 40th consecutive trio-publishes are LIVE on npm as of 2026-05-27: EE 0.15.0 / 0.15.1 / 0.15.2 with paired CE 0.1.81 / 0.1.82 / 0.1.83 and agent-skill 0.1.48 / 0.1.49 / 0.1.50. Each tagged from its own repository. Predecessors deprecated with paired-pointer upgrade messages. Install:
npm install -g nsauditor-ai@latest @nsasoft/nsauditor-ai-ee@latest nsauditor-ai-agent-skill@latest
Availability and posture
EE 0.15.2 is recommended for every existing customer running AWS workloads with public-or-near-public S3 buckets, multi-region CloudTrail with disabled regions, Azure Key Vaults of any RBAC topology, Azure NSGs exposing UDP services, or Azure Storage / NSG fleets already audited by plugins 1220 / 1221. The hexa-framework one-scan workflow — --compliance soc2,hipaa,nist-csf,pci-dss,iso-27001,cis-v8 — produces six separate auditor-ready evidence packs from a single scan. Zero data exfiltration: all evidence is generated inside the customer’s infrastructure.
Product page: nsauditor.com/ai/enterprise · Press contact: info@nsasoft.us · Enterprise sales: enterprise@nsasoft.us · Security advisories: security@nsasoft.us