NSAuditor AI EE 0.5.2 Ships SES Auditor v2.1 Consolidation — 7 Deferred Items Closed Plus R-CRITICAL soc2.json Mapping Closure and Silent-Loss-Class Closure on SES Classic API Quota Exhaustion
EE 0.5.2 SES Auditor v2.1 consolidation cycle closes all 7 deferred items from 0.5.0 plus 6 new reviewer folds. R-CRITICAL soc2.json mapping closure + silent-loss-class closure on classic API quota exhaustion.
What’s new: Nsasoft US LLC has shipped NSAuditor AI Enterprise Edition 0.5.2 — a patch-level consolidation cycle in the v0.5.x line and the eighth consecutive trio-publish across EE + paired CE 0.1.51 + agent-skill 0.1.18. EE 0.5.2 ships EE-RT.18 v2.1 — a pure plugin 1190 SES Email Integrity Auditor deferred-items sweep that closes all 7 deferred reviewer-fold items from the 0.5.0 cycle plus 6 new same-session reviewer folds. EE plugin count remains 20; coverage matrix remains unchanged at 10/4/33 — pure evidence-quality uplift.
7 deferred items closed
- R-MEDIUM-2 (DKIM partial-match severity tier). New emission category ses-dkim-dns-partial-with-transients MEDIUM. Pre-fold, when some DKIM tokens cleanly matched in DNS and others hit transient resolver failures, the classifier collapsed to flat LOW + evidenceGap, losing the partial-match information. Post-fold emits MEDIUM with dkimTokensMatched + dkimTokensTransient + perTokenErrors for evidence-pack completeness.
- R-MEDIUM-4 (explicit _DNS_TRANSIENT_ERROR_CODES Set). Lifted the implicit “not-in-norecord-set-must-be-transient” classification to an explicit named set. 20 transient codes seeded.
- R-MEDIUM-5 (broadened classic-side error taxonomy). v2.1 additions: IdentityNotVerified + ConfigurationSetDoesNotExist treated as silent-skip same family. New _SES_CLASSIC_QUOTA_ERROR_NAMES set routes post-retry-exhaustion bubble to sdkError=true.
- R-LOW-4 (DMARC TXT chunk-split end-to-end). 4 new test cases cover real-world chunked TXT records (>255 chars per chunk forces resolvers to return Array<chunk> per record).
- R-LOW-5 (DKIM token with special chars). 4 new test cases cover base64 padding + percent-encoded chars + plus chars + mixed-case-with-special-chars.
- R-LOW-6 (identityType producer→consumer normalization). Defensive _stripControlChars + .trim() + "UNKNOWN" fallback at both promoter sites.
- R-NIT-1/2 (constant-casing alignment + producer-side normalization assertion). New named constants exported for test-side pinning + module-load IIFE assertion.
R-CRITICAL — soc2.json mapping closure
The new ses-dkim-dns-partial-with-transients MEDIUM emission category had no corresponding titlePattern in data/compliance/soc2.json. Without the mapping, the framework engine would have silently dropped the new finding at SOC 2 report generation — same false-mapping class as the EE-RT.15 v2 R-HIGH fold from the 0.5.1 cycle. Caught pre-publish; added CC6.1 titlePattern with rationale documenting the R-MEDIUM-2 fold semantics.
R-HIGH — Silent-loss-class closure on SES classic API quota exhaustion
R-MEDIUM-5 set sdkError=true for quota errors (ServiceQuotaExceededException + RequestLimitExceeded), but run() only emitted the unverifiable LOW finding on accessDenied, NOT on sdkError. Pre-fold the sdkError case fell through to silent loss (only warnings.push). Post-fold run() emits ses-classic-policy-unverifiable LOW + evidenceGap with cause: "classic-sdk-quota-exhausted".
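The silent-loss pattern described above, shown before and after with a regression check, as an added example that is not NSAuditor's own code. The probe shape, the identities and the access-denied cause string are constructed for illustration; the category, severity, evidenceGap flag and quota cause are the ones named in this release note.

```javascript
// Added illustration, not the project's code. Probe shape and the
// access-denied cause string are constructed placeholders.
const unverifiable = (cause) => ({
  category: 'ses-classic-policy-unverifiable',
  severity: 'LOW',
  evidenceGap: true,
  cause,
});

// Pre-fold shape: only accessDenied yields a finding; sdkError ends in a warning.
function runPreFold(probe) {
  const findings = [];
  const warnings = [];
  if (probe.accessDenied) findings.push(unverifiable('placeholder-access-denied-cause'));
  else if (probe.sdkError) warnings.push(`classic API call failed: ${probe.errorName}`);
  return { findings, warnings };
}

// Post-fold shape: quota exhaustion is reported as an evidence gap as well.
function runPostFold(probe) {
  const { findings, warnings } = runPreFold(probe);
  if (probe.sdkError && !probe.accessDenied) {
    findings.push(unverifiable('classic-sdk-quota-exhausted'));
  }
  return { findings, warnings };
}

// Regression check: every probe that could not verify the policy must yield
// at least one finding. Returns the identities whose evidence would be lost.
function silentlyLost(run, probes) {
  return probes
    .filter((p) => (p.accessDenied || p.sdkError) && run(p).findings.length === 0)
    .map((p) => p.identity);
}

// Constructed probes for three identities.
const probes = [
  { identity: 'a.example', accessDenied: true, sdkError: false },
  { identity: 'b.example', accessDenied: false, sdkError: true, errorName: 'RequestLimitExceeded' },
  { identity: 'c.example', accessDenied: false, sdkError: false },
];
console.log(silentlyLost(runPreFold, probes));  // [ 'b.example' ]
console.log(silentlyLost(runPostFold, probes)); // []
```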
Module-load-time disjointness IIFE
The new _assertDnsErrorCodeSetsDisjoint() validates _DNS_NORECORD_ERROR_CODES ∩ _DNS_TRANSIENT_ERROR_CODES = ∅ at Node startup. This promotes the test-time disjointness invariant to load-time enforcement, the same fail-fast pattern as the EE-RT.13 PLUGIN_ID-key invariant. A future maintainer who adds an error code to both sets fails import immediately.
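A sketch of the load-time disjointness check, together with the explicit transient set (R-MEDIUM-4) and the partial-with-transients emission (R-MEDIUM-2) it protects. This is an added example, not NSAuditor's own code. The set contents (standard Node.js dns error codes), the lookup record shape and the function names are assumptions; the category name, severity and evidence field names are taken from this page.

```javascript
// Added illustration. Set contents are assumed (Node.js dns error codes);
// the page does not list the project's actual codes.
const DNS_NORECORD_ERROR_CODES = new Set(['ENOTFOUND', 'ENODATA']);
const DNS_TRANSIENT_ERROR_CODES = new Set(['ETIMEOUT', 'ESERVFAIL', 'EREFUSED', 'ECONNREFUSED']);

// Throws if any code appears in both sets.
function assertDnsErrorCodeSetsDisjoint(noRecord, transient) {
  const overlap = [...noRecord].filter((code) => transient.has(code));
  if (overlap.length > 0) {
    throw new Error(`DNS error code sets overlap: ${overlap.join(', ')}`);
  }
}

// Load-time enforcement: runs once when the module is imported, so a code
// added to both sets fails the import instead of waiting for a test run.
(() => assertDnsErrorCodeSetsDisjoint(DNS_NORECORD_ERROR_CODES, DNS_TRANSIENT_ERROR_CODES))();

// lookups: [{ token, matched, errorCode? }], one entry per DKIM token (constructed shape).
function classifyDkimLookups(lookups) {
  const dkimTokensMatched = [];
  const dkimTokensTransient = [];
  const other = []; // no-record or unrecognised codes
  const perTokenErrors = {};
  for (const { token, matched, errorCode } of lookups) {
    if (matched) { dkimTokensMatched.push(token); continue; }
    perTokenErrors[token] = errorCode;
    // Membership in the explicit set, not "anything that is not no-record".
    if (DNS_TRANSIENT_ERROR_CODES.has(errorCode)) dkimTokensTransient.push(token);
    else other.push(token);
  }
  if (dkimTokensMatched.length > 0 && dkimTokensTransient.length > 0 && other.length === 0) {
    return {
      category: 'ses-dkim-dns-partial-with-transients',
      severity: 'MEDIUM',
      dkimTokensMatched, dkimTokensTransient, perTokenErrors,
    };
  }
  return null; // every other outcome is outside this example
}

// Constructed sample: two tokens resolved cleanly, one lookup timed out.
const sampleFinding = classifyDkimLookups([
  { token: 'tokena', matched: true },
  { token: 'tokenb', matched: true },
  { token: 'tokenc', matched: false, errorCode: 'ETIMEOUT' },
]);
console.log(sampleFinding);
```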
Stats
- Plugin count UNCHANGED at 20 (pure consolidation cycle; no new SDK boundary)
- +41 new tests (34 deferred-items sweep base + 7 reviewer-fold pin; plugin 1190 test count 207 → 248 across 40 → 49 suites)
- EE full regression: 4901/4901 across 767 suites (was 4860/4860 across 760 at 0.5.1)
- 48-session 100% green streak preserved
- 1 new aws-ses-auditor soc2.json mapping rule + 5 reinforced classifier contracts
- Memory closures: conservative_classifier_principle reinforced in 3 new fold sites; emit_literal_set_drift extended with 3 new named Sets + 1 named category + module-load-time disjointness IIFE; aws_string_case_normalization reinforced via R-LOW-6 normalization at promoter consumer sites
Coverage matrix unchanged at 10/4/33
Pure evidence-quality uplift on already-covered CC6.1 + CC6.6 + A1.2 + CC7.1 + CC7.2 controls. The 0.5.x line continues its evidence-quality discipline: 0.5.0 added network-layer DNS, 0.5.1 added cross-SDK CloudWatch alarm coverage, 0.5.2 consolidates evidence-quality on the SES surface.
Who’s affected
AWS SES adopters with existing v0.5.0 DKIM/DMARC posture (the new partial-with-transients MEDIUM category surfaces actionable evidence rather than silent loss); operators of SES classic-API-policy identities (the silent-loss-class closure on quota exhaustion gives auditors the evidence gap rather than nothing); CC6.1 / CC6.6 / A1.2 / CC7.1 / CC7.2 substrate-evidence buyers; SOC 2 readiness teams; AI-coding-agent users.
Recommended install (0.5.2)
npm install -g nsauditor-ai@0.1.51 @nsasoft/nsauditor-ai-ee@0.5.2
nsauditor-ai scan --host aws --plugins all --compliance soc2 --out evidence.json
# AI-coding-agent users also pull the refreshed skill:
npm install nsauditor-ai-agent-skill@0.1.18


