What’s new: NSAuditor AI EE 0.5.0 — the minor-version milestone bump from 0.4.x — extends the SES Email Integrity Auditor (plugin 1190) with DKIM CNAME DNS resolution, a DMARC TXT record parser, and SES classic API parity. It’s the first ship to add a network-layer cross-reference (live DNS via node:dns/promises) to the AWS-SDK-substrate evidence baseline.
The headline closures
- DKIM CNAME DNS resolution — closes the false-CLEAN window where SES says
Status=SUCCESSbut the DNS records were rotated/removed without re-verifying. - DMARC
pct=0false-CLEAN closure (R-CRITICAL-1):p=reject; pct=0is functionallyp=none— zero percent of failing mail enforced. v2 now flags this as HIGH instead of silently emitting PASS. - DMARC
spsubdomain-policy override (R-HIGH-1):p=reject; sp=nonedowngrades to HIGH — closes the subdomain-takeover false-NEGATIVE class. - SES classic API parity: catches operator-added classic-API policies that SESv2-only enumeration would silently miss.
Numbers
- Plugin count UNCHANGED at 20 (existing 1190 grew in scope)
- +91 new tests; EE full regression 4787/4787
- 46-session 100% green streak preserved
- 8 same-session reviewer folds (1 CRITICAL + 1 HIGH false-NEGATIVE closure)
- Sixth consecutive EE + CE + agent-skill trio-publish
- Coverage matrix unchanged at 10/4/33 (substrate depth, not new tile claims)
Install
npm install -g nsauditor-ai@0.1.49 @nsasoft/nsauditor-ai-ee@0.5.0
npm install nsauditor-ai-agent-skill@0.1.16
