NSAuditor AI EE 0.15.9 shipped today as the forty-seventh consecutive trio-publish on npm (EE 0.15.9 + CE 0.1.90 + agent-skill 0.1.57), hardening multi-cloud audit pack provenance at the load-bearing path. The release also folds in the EE 0.15.7 GCP SDK refresh.

Cross-cloud scan isolation

When you run a GCP-targeted scan, the resulting audit pack must contain only GCP resources — not AWS resources discoverable because AWS credentials were on the workstation. The same guarantee applies in reverse. EE 0.15.9 ships that guarantee at the load-bearing path: each AWS plugin’s main execution entry consults a lenient CLOUD_PROVIDER gate and short-circuits when the scan targets a non-AWS cloud, before any AWS API call. An AWS-only run that doesn’t set CLOUD_PROVIDER is unaffected — single-cloud customers keep the existing default behavior.

End-to-end proof, on the published build

A real CLI GCP scan with AWS credentials present yields a GCP audit pack containing zero AWS resources, while the genuine GCP findings remain — the three default-allow firewall findings the GCP auditor surfaces against the test-infrastructure project. The signed attestation pack inherits the same guarantee: the cryptographic evidence stream for a GCP scan now contains only GCP resources.

GCP SDK refresh folded in

EE 0.15.7 shipped the GCP SDK major bump (@google-cloud/compute ^4 → ^6, @google-cloud/iam ^1 → ^2, googleapis ^144 → ^173) alongside the first live GCP audit. The GCP scan path runs on the pure-ADC / key-file authentication chain; the impersonation gap and the contract a future authentication bridge would need to satisfy are documented in the plugin source for the next maintainer.

Engineering discipline

The multi-cloud isolation guarantee was caught by dogfooding — a full multi-cloud smoke of the prior published build surfaced the cross-cloud bleed, and the validation rebuilt for 0.15.9 exercises the same code path the scan orchestrator dispatches through. The institutional lesson: a guard is only proven by exercising the path that runs in production. The published-build validation is an actual CLI scan that greps the GCP audit pack for AWS resources and requires zero.

Scope

No new plugin, plugin count UNCHANGED at 28 (cloud-audit 27). All six coverage matrices UNCHANGED — this is a runtime-isolation guarantee, not a scope change: SOC 2 10/4/33 · HIPAA 7/3/45 · NIST CSF 2.0 13/10/83 · PCI DSS 20/8/39 · ISO 27001 17/14/62 · CIS v8 17/22/114. No dependency change in 0.15.9 itself. EE full regression 6741/6745 GREEN.

Hexa-framework one-scan workflow

--compliance soc2,hipaa,nist-csf,pci-dss,iso-27001,cis-v8 produces six separate auditor-ready evidence packs from a single scan. Zero data exfiltration — all evidence generated inside your infrastructure.

Install

npm install -g nsauditor-ai@latest @nsasoft/nsauditor-ai-ee@latest nsauditor-ai-agent-skill@latest

Forty-seventh consecutive trio-publish — LIVE on npm 2026-05-29. Learn more about NSAuditor AI Enterprise Edition.