Add n8n S3 workflow audit helper

[its-amann]

/claim #55

Summary

• Adds an offline n8n workflow and credential metadata audit CLI for the Phase 6 n8n-s3-access investigation path.
• Flags workflows or credentials that reference AWS/S3, StudentHub buckets, exposed key suffixes, or bucket-admin operations such as lifecycle, CORS, policy, logging, replication, and public-access changes.
• Emits Markdown or CSV reports with access-key-looking values and secret-shaped fields redacted.
• Documents the safety boundary so maintainers can run it on private n8n exports without giving contributors live n8n/AWS access.

Scope

This is a separate Phase 6 helper slice. It does not overlap with the Civil ID backend/frontend PRs, S3 env-var credential PRs, IAM credential CSV review, CloudTrail event export audit, S3 bucket posture audit, bucket guardrails, or AWS Support evidence-package helpers.

No live AWS/IAM/S3/n8n calls are made. No key rotation, deletion, bucket policy change, workflow mutation, candidate data access, or real credential export is included.

Verification

• node tools/check-n8n-s3-workflow-audit.mjs
• node tools/audit-n8n-s3-workflows.mjs --workflows tools/fixtures/n8n-s3-workflows.sample.json --format markdown
• node tools/audit-n8n-s3-workflows.mjs --workflows tools/fixtures/n8n-s3-workflows.sample.json --format csv
• git diff --check

The fixture uses synthetic placeholder values and avoids real AWS-key-shaped sample credentials.

[coderabbitai]

Warning

Rate limit exceeded

@its-amann has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 51 minutes and 3 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 1c00ce63-e2cb-41a8-a4c5-0848ebe26543

📥 Commits

Reviewing files that changed from the base of the PR and between 7b023ff and 335a261.

📒 Files selected for processing (4)

• docs/security/n8n-s3-workflow-audit.md
• tools/audit-n8n-s3-workflows.mjs
• tools/check-n8n-s3-workflow-audit.mjs
• tools/fixtures/n8n-s3-workflows.sample.json

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}