v1.9.5 – v1.9.9 — 2026-05-07

• fix(cluster): close 3 single-sender gaps + drift-hash regression guard
• fix(rspamd): close inbound-composite evasion via forged ESMTPSA header
• fix(rspamd): close outbound-auth bypass — phishing got through with -10 bonus
• fix(rspamd): wire neural autotrain + surface corpus state in UI
• fix(scheduler): single-sender gate for domain reports — was double-sending