Add n8n S3 workflow audit helper

[its-amann]

/claim #55

Summary

• Adds an offline n8n workflow and credential metadata audit CLI for the Phase 6 n8n-s3-access investigation path.
• Flags workflows or credentials that reference AWS/S3, StudentHub buckets, exposed key suffixes, or bucket-admin operations such as lifecycle, CORS, policy, logging, replication, and public-access changes.
• Emits Markdown or CSV reports with access-key-looking values and secret-shaped fields redacted.
• Documents the safety boundary so maintainers can run it on private n8n exports without giving contributors live n8n/AWS access.

Scope

This is a separate Phase 6 helper slice. It does not overlap with the Civil ID backend/frontend PRs, S3 env-var credential PRs, IAM credential CSV review, CloudTrail event export audit, S3 bucket posture audit, bucket guardrails, or AWS Support evidence-package helpers.

No live AWS/IAM/S3/n8n calls are made. No key rotation, deletion, bucket policy change, workflow mutation, candidate data access, or real credential export is included.

Verification

• node tools/check-n8n-s3-workflow-audit.mjs
• node tools/audit-n8n-s3-workflows.mjs --workflows tools/fixtures/n8n-s3-workflows.sample.json --format markdown
• node tools/audit-n8n-s3-workflows.mjs --workflows tools/fixtures/n8n-s3-workflows.sample.json --format csv
• git diff --check

The fixture uses synthetic placeholder values and avoids real AWS-key-shaped sample credentials.

[coderabbitai]

Warning

Rate limit exceeded

@its-amann has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 51 minutes and 3 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 1c00ce63-e2cb-41a8-a4c5-0848ebe26543

📥 Commits

Reviewing files that changed from the base of the PR and between 7b023ff and 335a261.

📒 Files selected for processing (4)

• docs/security/n8n-s3-workflow-audit.md
• tools/audit-n8n-s3-workflows.mjs
• tools/check-n8n-s3-workflow-audit.mjs
• tools/fixtures/n8n-s3-workflows.sample.json

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[BAWES]

✅ Approved — n8n S3 workflow audit helper

New audit tool. Docs + fixtures included. All checks green.

[its-amann]

Thanks @BAWES for the approval on PR #85.

Claim/status refresh for #55:

• Active submission: Add n8n S3 workflow audit helper #85
• Scope: separate Phase 6 offline n8n S3 workflow/credential metadata audit helper for maintainer-exported workflow JSON and credential metadata, with redacted Markdown/CSV output and synthetic fixtures.
• The 🔐 AWS S3 Security Remediation & Civil ID Upload Fix — IAM Key Rotation, Bucket Hardening & Backend Patches #55 attempt was posted before this PR, and the PR body includes /claim 🔐 AWS S3 Security Remediation & Civil ID Upload Fix — IAM Key Rotation, Bucket Hardening & Backend Patches #55.
• Current PR state: open, non-draft, mergeable clean, maintainer edits enabled.
• Review/checks: BAWES approved on 2026-06-09; CodeRabbit status is success; GitGuardian Security Checks are success.
• Verification is documented in the PR body with the fixture check, Markdown report command, CSV report command, and git diff check.

This is contributor-side ready and waiting on maintainer merge/reward decision under the paused/reorganized #55 bounty process. If a short demo video is still required after approval, I can add one using only the synthetic fixture flow so no live n8n/AWS credentials or candidate data are exposed.

[its-amann]

Final evidence links for the #55 bounty review on PR #85:

• Requirement mapping on issue 🔐 AWS S3 Security Remediation & Civil ID Upload Fix — IAM Key Rotation, Bucket Hardening & Backend Patches #55: 🔐 AWS S3 Security Remediation & Civil ID Upload Fix — IAM Key Rotation, Bucket Hardening & Backend Patches #55 (comment)
• Short synthetic demo GIF on issue 🔐 AWS S3 Security Remediation & Civil ID Upload Fix — IAM Key Rotation, Bucket Hardening & Backend Patches #55: 🔐 AWS S3 Security Remediation & Civil ID Upload Fix — IAM Key Rotation, Bucket Hardening & Backend Patches #55 (comment)

Current contributor-side state rechecked: PR #85 is BAWES-approved, non-draft, mergeable clean, bounty-labeled, has /claim #55, and CodeRabbit/GitGuardian are green. No live n8n/AWS/candidate data is included in the demo or fixtures.