@lateos/npm-scan 0.18.3 → 1.0.0

package/backend/scripts/analyze-validation.js

@@ -0,0 +1,151 @@
+#!/usr/bin/env node
+import { readFileSync, existsSync, writeFileSync } from 'node:fs';
+import { resolve } from 'node:path';
+
+async function analyzeValidation(resultsFile) {
+  const stats = {
+    total_packages: 0,
+    total_detections: 0,
+    total_expected: 0,
+    total_matched: 0,
+    campaigns: {},
+    detectors: {},
+    detection_matrix: {},
+  };
+
+  const absPath = resolve(resultsFile);
+  if (!existsSync(absPath)) {
+    console.error(`[ERROR] Results file not found: ${absPath}`);
+    process.exit(1);
+  }
+
+  const text = readFileSync(absPath, 'utf-8');
+  const lines = text.split('\n').filter(l => l.trim());
+
+  for (const line of lines) {
+    const result = JSON.parse(line);
+    if (result.error) continue;
+
+    stats.total_packages += 1;
+    stats.total_detections += result.detection_count;
+
+    const campaignId = result.campaign_id;
+    if (!stats.campaigns[campaignId]) {
+      stats.campaigns[campaignId] = {
+        name: result.campaign_name,
+        total: 0,
+        detected: 0,
+        detection_rate: 0,
+        total_expected: 0,
+        total_matched: 0,
+        avg_confidence: 0,
+        confidences: [],
+      };
+    }
+
+    const campaign = stats.campaigns[campaignId];
+    campaign.total += 1;
+    campaign.total_expected += result.expected_detectors.length;
+
+    const matched = result.expected_detectors.filter(
+      id => result.detected_detectors.includes(id)
+    );
+    campaign.total_matched += matched.length;
+    stats.total_expected += result.expected_detectors.length;
+    stats.total_matched += matched.length;
+
+    if (matched.length > 0) {
+      campaign.detected += 1;
+    }
+
+    for (const detection of result.detections) {
+      const detectorName = detection.id || detection.detector;
+      if (!stats.detectors[detectorName]) {
+        stats.detectors[detectorName] = {
+          total_hits: 0,
+          expected_count: 0,
+          avg_confidence: 0,
+          confidences: [],
+          severities: [],
+        };
+      }
+
+      stats.detectors[detectorName].total_hits += 1;
+      stats.detectors[detectorName].confidences.push(detection.confidenceScore);
+      stats.detectors[detectorName].severities.push(detection.severity);
+
+      if (result.expected_detectors.includes(detectorName)) {
+        stats.detectors[detectorName].expected_count += 1;
+      }
+
+      if (!stats.detection_matrix[campaignId]) {
+        stats.detection_matrix[campaignId] = {};
+      }
+      if (!stats.detection_matrix[campaignId][detectorName]) {
+        stats.detection_matrix[campaignId][detectorName] = 0;
+      }
+      stats.detection_matrix[campaignId][detectorName] += 1;
+    }
+  }
+
+  for (const campaignId of Object.keys(stats.campaigns)) {
+    const campaign = stats.campaigns[campaignId];
+    campaign.detection_rate = campaign.total > 0
+      ? ((campaign.detected / campaign.total) * 100).toFixed(1) + '%'
+      : '0%';
+    campaign.expected_match_rate = campaign.total_expected > 0
+      ? ((campaign.total_matched / campaign.total_expected) * 100).toFixed(1) + '%'
+      : '0%';
+  }
+
+  for (const detectorName of Object.keys(stats.detectors)) {
+    const detector = stats.detectors[detectorName];
+    detector.avg_confidence = detector.confidences.length > 0
+      ? (detector.confidences.reduce((a, b) => a + b, 0) / detector.confidences.length).toFixed(1)
+      : '0.0';
+    detector.precision = detector.total_hits > 0
+      ? ((detector.expected_count / detector.total_hits) * 100).toFixed(1) + '%'
+      : '0%';
+  }
+
+  return stats;
+}
+
+const resultsFile = process.argv[2] || 'validation-results.jsonl';
+
+console.log(`[INFO] Analyzing ${resultsFile}...`);
+const stats = await analyzeValidation(resultsFile);
+
+console.log('\n=== CAMPAIGN DETECTION RATES ===');
+console.log('Campaign                         Packages  Detected  Rate     Expected  Matched  Match%');
+console.log('─'.repeat(95));
+for (const [id, campaign] of Object.entries(stats.campaigns)) {
+  const name = campaign.name.padEnd(33).slice(0, 33);
+  console.log(
+    `${name} ${String(campaign.total).padStart(8)} ${String(campaign.detected).padStart(9)} ` +
+    `${campaign.detection_rate.padStart(7)} ${String(campaign.total_expected).padStart(9)} ` +
+    `${String(campaign.total_matched).padStart(8)} ${campaign.expected_match_rate.padStart(7)}`
+  );
+}
+console.log(`\nTotal: ${stats.total_packages} packages, ${stats.total_detections} detections`);
+
+console.log('\n=== DETECTOR PERFORMANCE ===');
+console.log('Detector                          Hits  Expected  Precision  Avg Confidence');
+console.log('─'.repeat(80));
+for (const [name, detector] of Object.entries(stats.detectors).sort(
+  (a, b) => b[1].total_hits - a[1].total_hits
+)) {
+  const dName = name.padEnd(32).slice(0, 32);
+  console.log(
+    `${dName} ${String(detector.total_hits).padStart(5)} ${String(detector.expected_count).padStart(9)} ` +
+    `${detector.precision.padStart(10)} ${detector.avg_confidence.padStart(14)}`
+  );
+}
+
+console.log('\n=== DETECTION MATRIX (Hits per Campaign × Detector) ===');
+console.log(JSON.stringify(stats.detection_matrix, null, 2));
+
+writeFileSync('detection-rates.json', JSON.stringify(stats, null, 2), 'utf-8');
+console.log('\n[INFO] Full results written to detection-rates.json');
+
+process.exit(0);

package/backend/scripts/detect-false-positives.js

@@ -0,0 +1,93 @@
+#!/usr/bin/env node
+import { readFileSync, writeFileSync, existsSync } from 'node:fs';
+import { resolve } from 'node:path';
+import { runAll } from '../detectors/index.js';
+import whitelist from '../detectors/config/whitelist.json' with { type: 'json' };
+
+const WHITELIST_MAP = new Map();
+for (const entry of whitelist.packages) {
+  WHITELIST_MAP.set(entry.name, new Set(entry.detectors));
+}
+
+async function detectFalsePositives(topPackagesFile, confidenceThreshold = 70) {
+  const absPath = resolve(topPackagesFile);
+  if (!existsSync(absPath)) {
+    console.error(`[ERROR] Top packages file not found: ${absPath}`);
+    console.error('       Run fetch-top-packages.js first');
+    process.exit(1);
+  }
+
+  const text = readFileSync(absPath, 'utf-8');
+  const lines = text.split('\n').filter(l => l.trim());
+  console.log(`[INFO] Loaded ${lines.length} packages from ${topPackagesFile}`);
+
+  const falsePositives = [];
+  let count = 0;
+  let skipped = 0;
+
+  for (const line of lines) {
+    const pkg = JSON.parse(line);
+    count += 1;
+
+    const pkgName = pkg.name;
+    const whitelistedDetectors = WHITELIST_MAP.get(pkgName);
+
+    if (whitelistedDetectors) {
+      skipped += 1;
+      if (count % 200 === 0 || count <= 5) {
+        console.log(`[SKIP] ${pkgName} (whitelisted for ${[...whitelistedDetectors].join(', ')})`);
+      }
+    } else {
+      if (count % 100 === 0) {
+        console.log(`[PROGRESS] Processed ${count}/${lines.length} packages...`);
+      }
+    }
+
+    try {
+      const pkgJson = { name: pkgName, version: pkg.version };
+      const findings = await runAll(pkgJson, [], null, []);
+
+      for (const detection of findings) {
+        if (detection.confidenceScore < confidenceThreshold) continue;
+        if (whitelistedDetectors && whitelistedDetectors.has(detection.id)) continue;
+
+        falsePositives.push({
+          package: pkgName,
+          version: pkg.version,
+          detector: detection.id,
+          confidence: detection.confidenceScore,
+          severity: detection.severity,
+          subtype: detection.subtype,
+          message: detection.message,
+          evidence: detection.evidence,
+          timestamp: new Date().toISOString(),
+        });
+
+        if (falsePositives.length <= 10) {
+          console.log(`[FLAG] ${pkgName}@${pkg.version}: ${detection.id} (${detection.confidenceScore}%)`);
+        }
+      }
+    } catch (err) {
+      console.error(`[ERROR] ${pkgName}: ${err.message}`);
+    }
+  }
+
+  const outPath = resolve('false-positives.jsonl');
+  const outputData = falsePositives.map(fp => JSON.stringify(fp)).join('\n') + '\n';
+  writeFileSync(outPath, outputData, 'utf-8');
+
+  const scannedCount = count - skipped;
+  console.log(`\n[SUMMARY] Scanned ${scannedCount} packages (skipped ${skipped} whitelisted)`);
+  console.log(`[SUMMARY] Found ${falsePositives.length} potential false positives (${(falsePositives.length / scannedCount * 100).toFixed(1)}% FP rate)`);
+  console.log(`[INFO] Written to ${outPath}`);
+
+  return falsePositives;
+}
+
+const topPackagesFile = process.argv[2] || 'top-packages.jsonl';
+const confidenceThreshold = parseInt(process.argv[3]) || 70;
+
+detectFalsePositives(topPackagesFile, confidenceThreshold).then(() => process.exit(0)).catch(err => {
+  console.error(`[FATAL] ${err.message}`);
+  process.exit(1);
+});

package/backend/scripts/fetch-top-packages.js

@@ -0,0 +1,129 @@
+#!/usr/bin/env node
+import { writeFileSync } from 'node:fs';
+import { resolve } from 'node:path';
+
+async function fetchTopPackages(limit = 1000) {
+  console.log(`[INFO] Fetching top ${limit} npm packages via npms.io...`);
+
+  const packages = [];
+  const pageSize = 50;
+  const numPages = Math.ceil(limit / pageSize);
+
+  for (let page = 0; page < numPages; page++) {
+    const from = page * pageSize;
+    const q = encodeURIComponent('not:deprecated');
+    const url = `https://api.npms.io/v2/search?q=${q}&size=${pageSize}&from=${from}`;
+
+    console.log(`[INFO] Fetching page ${page + 1}/${numPages} (offset ${from})...`);
+
+    try {
+      const response = await fetch(url, { signal: AbortSignal.timeout(15000) });
+      if (!response.ok) {
+        console.error(`[ERROR] npms.io returned ${response.status} for page ${page + 1}`);
+        continue;
+      }
+
+      const data = await response.json();
+
+      for (const result of data.results || []) {
+        if (packages.length >= limit) break;
+        packages.push({
+          name: result.package.name,
+          version: result.package.version,
+          description: result.package.description || '',
+          keywords: result.package.keywords || [],
+          publisher: result.package.publisher ? result.package.publisher.username : null,
+          date: result.package.date,
+          score: result.score ? {
+            final: result.score.final,
+            quality: result.score.detail?.quality,
+            popularity: result.score.detail?.popularity,
+            maintenance: result.score.detail?.maintenance,
+          } : null,
+        });
+      }
+
+      console.log(`  Retrieved ${packages.length} packages so far`);
+    } catch (err) {
+      console.error(`[ERROR] Failed page ${page + 1}: ${err.message}`);
+    }
+
+    if (packages.length >= limit) break;
+
+    if (page < numPages - 1) {
+      await new Promise(r => setTimeout(r, 2000));
+    }
+  }
+
+  if (packages.length === 0) {
+    console.log('[ERROR] No packages fetched. Using fallback known-top list.');
+    return await fallbackList(limit);
+  }
+
+  const outPath = resolve('top-packages.jsonl');
+  const lines = packages.map(pkg => JSON.stringify(pkg)).join('\n') + '\n';
+  writeFileSync(outPath, lines, 'utf-8');
+  console.log(`\n[INFO] Written ${packages.length} packages to ${outPath}`);
+  return packages;
+}
+
+async function fallbackList(limit) {
+  const knownTop = [
+    'lodash', 'chalk', 'react', 'express', 'commander', 'axios', 'moment',
+    'webpack', 'eslint', 'typescript', 'prettier', 'babel', 'next', 'vue',
+    'angular', 'redux', 'jest', 'mocha', 'chai', 'sinon', 'nodemon',
+    'debug', 'async', 'request', 'colors', 'mkdirp', 'fs-extra', 'glob',
+    'yargs', 'minimist', 'uuid', 'date-fns', 'crypto-js', 'jsonwebtoken',
+    'passport', 'socket.io', 'ws', 'graphql', 'apollo', 'prisma',
+    'mongoose', 'pg', 'mysql2', 'redis', 'sequelize', 'typeorm',
+    'dotenv', 'cross-env', 'rimraf', 'semver', 'rimraf', 'tar',
+    'inquirer', 'ora', 'listr', 'conf', 'env-paths', 'find-up',
+    'p-locate', 'locate-path', 'path-exists', 'y18n', 'yallist',
+    'minipass', 'minizlib', 'supports-color', 'has-flag', 'wrap-ansi',
+    'string-width', 'strip-ansi', 'ansi-regex', 'is-fullwidth-code-point',
+    'emoji-regex', 'cliui', 'escalade', 'get-caller-file', 'require-directory',
+    'npm', 'node-fetch', 'got', 'phin', 'undici', 'make-fetch-happen',
+    'cacache', 'ssri', 'unique-filename', 'unique-slug', 'imurmurhash',
+    'signal-exit', 'which', 'isexe', 'minimatch', 'brace-expansion',
+    'balanced-match', 'concat-map', 'lru-cache', 'yallist', 'semver',
+    'json5', 'tslib', 'source-map', 'source-map-js', 'ms', 'mime',
+    'cookie', 'express-session', 'body-parser', 'cors', 'helmet',
+    'morgan', 'compression', 'serve-static', 'send', 'fresh',
+    'etag', 'parseurl', 'utils-merge', 'methods', 'array-flatten',
+    'qs', 'merge-descriptors', 'path-to-regexp', 'iconv-lite',
+    'raw-body', 'on-finished', 'ee-first', 'inherits', 'depd',
+    'http-errors', 'statuses', 'setprototypeof', 'toidentifier',
+    'content-type', 'negotiator', 'accepts', 'type-is', 'vary',
+    'encodeurl', 'escape-html', 'destroy', 'bytes', 'unpipe',
+    'finalhandler', 'media-typer', 'http-proxy', 'http-proxy-middleware',
+    'morgan', 'connect', 'pino', 'winston', 'bunyan', 'log4js',
+    'nanoid', 'uid', 'ulid', 'cuid', 'shortid', 'uuidv4', 'uuidv7',
+    'bcrypt', 'bcryptjs', 'argon2', 'scrypt', 'pbkdf2', 'crypto',
+    'node-forge', 'pkijs', 'asn1js', 'jsrsasign', 'jose', 'jwk',
+  ];
+  const pkgs = knownTop.slice(0, limit).map((name, i) => ({
+    name,
+    version: '1.0.0',
+    description: '',
+    keywords: [],
+    publisher: null,
+    date: null,
+    score: { final: 1 - i / knownTop.length, quality: 0.9, popularity: 0.9, maintenance: 0.9 },
+  }));
+  console.log(`[FALLBACK] Using ${pkgs.length} known top packages`);
+
+  const outPath = resolve('top-packages.jsonl');
+  const lines = pkgs.map(pkg => JSON.stringify(pkg)).join('\n') + '\n';
+  writeFileSync(outPath, lines, 'utf-8');
+  console.log(`[INFO] Written ${pkgs.length} packages to ${outPath}`);
+  return pkgs;
+}
+
+const limit = parseInt(process.argv[2]) || 1000;
+fetchTopPackages(limit).then(pkgs => {
+  console.log(`[DONE] ${pkgs.length} packages fetched`);
+  process.exit(0);
+}).catch(err => {
+  console.error(`[FATAL] ${err.message}`);
+  process.exit(1);
+});

package/backend/scripts/validate-detectors.js

@@ -0,0 +1,142 @@
+#!/usr/bin/env node
+import { readFileSync, writeFileSync, existsSync } from 'node:fs';
+import { resolve } from 'node:path';
+import { runAll } from '../detectors/index.js';
+
+const CAMPAIGN_FIXTURES = {
+  'campaign-1': 'fixtures/campaigns/campaign-1-dependency-confusion.jsonl',
+  'campaign-2': 'fixtures/campaigns/campaign-2-mini-shai-hulud.jsonl',
+  'campaign-3': 'fixtures/campaigns/campaign-3-bitwarden-impersonation.jsonl',
+};
+
+function loadFixture(filePath) {
+  const abs = resolve(filePath);
+  if (!existsSync(abs)) {
+    console.error(`[ERROR] Fixture not found: ${abs}`);
+    return [];
+  }
+  const text = readFileSync(abs, 'utf-8');
+  return text.split('\n').filter(l => l.trim()).map(l => JSON.parse(l));
+}
+
+async function fetchNpmMetadata(pkgName, version) {
+  try {
+    const url = `https://registry.npmjs.org/${encodeURIComponent(pkgName)}/${version}`;
+    const response = await fetch(url, { signal: AbortSignal.timeout(5000) });
+    if (!response.ok) return null;
+    return await response.json();
+  } catch {
+    console.warn(`  [WARN] Registry fetch failed for ${pkgName}@${version}; using fixture data`);
+    return null;
+  }
+}
+
+function constructRegistryMeta(pkg, liveMeta) {
+  if (liveMeta) return liveMeta;
+  if (pkg.mockRegistryMeta) return pkg.mockRegistryMeta;
+  return null;
+}
+
+function constructPkgJson(pkg) {
+  const base = { name: pkg.package, version: pkg.version };
+  if (pkg.mockPackageJson) {
+    return { ...base, ...pkg.mockPackageJson };
+  }
+  return base;
+}
+
+async function validateDetectors(campaigns, outputFile) {
+  const allResults = [];
+
+  const campaignKeys = campaigns === 'all'
+    ? Object.keys(CAMPAIGN_FIXTURES)
+    : [campaigns];
+
+  for (const campaignKey of campaignKeys) {
+    const fixturePath = CAMPAIGN_FIXTURES[campaignKey];
+    if (!fixturePath) {
+      console.error(`[ERROR] Unknown campaign: ${campaignKey}`);
+      continue;
+    }
+
+    console.log(`\n[${new Date().toISOString()}] Validating ${campaignKey}...`);
+    const packages = loadFixture(fixturePath);
+    console.log(`  Loaded ${packages.length} packages from fixture`);
+
+    for (const pkg of packages) {
+      try {
+        const pkgJson = constructPkgJson(pkg);
+        const liveMeta = await fetchNpmMetadata(pkg.package, pkg.version);
+        const registryMeta = constructRegistryMeta(pkg, liveMeta);
+
+        const findings = await runAll(pkgJson, [], registryMeta, []);
+
+        const detectedIds = [...new Set(findings.map(f => f.id))];
+
+        const result = {
+          package: pkg.package,
+          version: pkg.version,
+          campaign_id: pkg.campaign_id,
+          campaign_name: pkg.campaign_name,
+          attack_vector: pkg.attack_vector,
+          expected_detectors: pkg.expected_detectors,
+          detected_detectors: detectedIds,
+          detection_count: findings.length,
+          detections: findings.map(f => ({
+            id: f.id,
+            detector: f.detector,
+            severity: f.severity,
+            confidence: f.confidence,
+            confidenceScore: f.confidenceScore,
+            subtype: f.subtype,
+            message: f.message,
+          })),
+          metadata_available: !!liveMeta,
+          registry_source: liveMeta ? 'live' : 'fixture',
+          timestamp: new Date().toISOString(),
+        };
+
+        allResults.push(result);
+
+        const expectedCount = pkg.expected_detectors.length;
+        const hitCount = detectedIds.filter(id => pkg.expected_detectors.includes(id)).length;
+        console.log(
+          `  ${hitCount > 0 ? '✓' : '✗'} ${pkg.package}@${pkg.version}: ${hitCount}/${expectedCount} expected detectors fired`
+        );
+        for (const f of findings) {
+          console.log(`      ${f.id} (${f.confidenceScore}%, ${f.severity})`);
+        }
+      } catch (err) {
+        console.error(`  ✗ ${pkg.package}@${pkg.version}: ${err.message}`);
+        allResults.push({
+          package: pkg.package,
+          version: pkg.version,
+          campaign_id: pkg.campaign_id,
+          error: err.message,
+          timestamp: new Date().toISOString(),
+        });
+      }
+    }
+  }
+
+  if (outputFile) {
+    const lines = allResults.map(r => JSON.stringify(r)).join('\n') + '\n';
+    writeFileSync(outputFile, lines, 'utf-8');
+  }
+
+  const processed = allResults.filter(r => !r.error).length;
+  const errors = allResults.filter(r => r.error).length;
+  console.log(`\n[SUMMARY] Processed ${processed} packages, ${errors} errors`);
+  console.log(`[INFO] Results written to ${outputFile}`);
+
+  return allResults;
+}
+
+const args = process.argv.slice(2);
+const campaignArg = args[0] || 'all';
+const outputArg = args[1] ? resolve(args[1]) : resolve('validation-results.jsonl');
+
+validateDetectors(campaignArg, outputArg).then(() => process.exit(0)).catch(err => {
+  console.error(`[ERROR] ${err.message}`);
+  process.exit(1);
+});

package/backend/tests-d5-enhanced.test.js

@@ -0,0 +1,46 @@
+import { test, describe } from 'node:test';
+import assert from 'assert/strict';
+import * as detectors from './detectors/index.js';
+
+describe('D5: Binary Embed Enhancement', () => {
+  test('D5: flags cross-platform campaign-1 binary set with high confidence', async () => {
+    const allFiles = [
+      { path: 'bin/agent-linux-x64', content: String.fromCharCode(0x7f) + 'ELF' },
+      { path: 'bin/agent-macos-arm64', content: String.fromCharCode(0xcf, 0xfa, 0xed, 0xfe) },
+      { path: 'bin/agent-windows-x86.exe', content: String.fromCharCode(0x4d, 0x5a) },
+    ];
+    const pkg = { name: 'suspicious-pkg', version: '1.0.0' };
+    const findings = await detectors.runAll(pkg, [], null, allFiles);
+    const matches = findings.filter(f => f.id === 'TIER1-BINARY-EMBED');
+    assert(matches.length > 0, 'Expected TIER1-BINARY-EMBED finding');
+    const hasCrossPlatform = matches.some(m =>
+      m.evidence.some(e => e.includes('cross-platform')),
+    );
+    assert(hasCrossPlatform, 'Expected cross-platform binary set evidence');
+  });
+
+  test('D5: cross-platform binary set scores > 85', async () => {
+    const allFiles = [
+      { path: 'bin/agent-linux-x64', content: String.fromCharCode(0x7f) + 'ELF' },
+      { path: 'bin/agent-macos-arm64', content: String.fromCharCode(0xcf, 0xfa, 0xed, 0xfe) },
+    ];
+    const pkg = { name: 'suspicious-pkg', version: '1.0.0' };
+    const findings = await detectors.runAll(pkg, [], null, allFiles);
+    const matches = findings.filter(f => f.id === 'TIER1-BINARY-EMBED');
+    const hasHighScore = matches.some(m => m.confidenceScore > 85);
+    assert(hasHighScore, `No finding with confidenceScore > 85; scores: ${matches.map(m => m.confidenceScore).join(', ')}`);
+  });
+
+  test('D5: single binary not flagged as cross-platform', async () => {
+    const allFiles = [
+      { path: 'bin/agent-linux-x64', content: String.fromCharCode(0x7f) + 'ELF' },
+    ];
+    const pkg = { name: 'normal-pkg', version: '1.0.0' };
+    const findings = await detectors.runAll(pkg, [], null, allFiles);
+    const matches = findings.filter(f => f.id === 'TIER1-BINARY-EMBED');
+    const hasPlatformLabel = matches.some(m =>
+      m.evidence.some(e => e.includes('cross-platform')),
+    );
+    assert(!hasPlatformLabel, 'Single binary should not be flagged as cross-platform');
+  });
+});

package/backend/tests-d6-version-anomaly.test.js

@@ -0,0 +1,58 @@
+import { test, describe } from 'node:test';
+import assert from 'assert/strict';
+import * as detectors from './detectors/index.js';
+
+describe('D6: Version Anomaly', () => {
+  test('D6: flags 99.99.99 when legitimate max is 5.3.2', async () => {
+    const pkg = { name: '@widget/core', version: '99.99.99' };
+    const registryMeta = ['1.0.0', '1.5.0', '2.0.0', '2.1.0', '3.0.0', '4.0.0', '5.0.0', '5.3.2'];
+    const findings = await detectors.runAll(pkg, [], registryMeta);
+    const match = findings.find(f => f.id === 'TIER1-VERSION-ANOMALY');
+    assert(match, 'Expected TIER1-VERSION-ANOMALY finding');
+    assert(match.confidenceScore > 90, `confidenceScore ${match.confidenceScore} <= 90`);
+  });
+
+  test('D6: flags 11.11.11 with high confidence', async () => {
+    const pkg = { name: 'internal-utils', version: '11.11.11' };
+    const registryMeta = ['1.0.0', '1.0.1', '1.1.0', '1.2.0', '2.0.0'];
+    const findings = await detectors.runAll(pkg, [], registryMeta);
+    const match = findings.find(f => f.id === 'TIER1-VERSION-ANOMALY');
+    assert(match, 'Expected TIER1-VERSION-ANOMALY finding');
+    assert(match.confidenceScore > 85, `confidenceScore ${match.confidenceScore} <= 85`);
+  });
+
+  test('D6: does NOT flag legitimate 2.0.0 jump from 1.9.9', async () => {
+    const pkg = { name: 'stable-lib', version: '2.0.0' };
+    const registryMeta = [
+      '1.0.0', '1.1.0', '1.2.0', '1.3.0', '1.4.0', '1.5.0',
+      '1.6.0', '1.7.0', '1.8.0', '1.9.0', '1.9.9',
+    ];
+    const findings = await detectors.runAll(pkg, [], registryMeta);
+    const match = findings.find(f => f.id === 'TIER1-VERSION-ANOMALY');
+    assert(!match, 'Should not flag legitimate 2.0.0 major bump');
+  });
+
+  test('D6: handles null registry gracefully — degrades confidence', async () => {
+    const pkg = { name: 'offline-pkg', version: '99.99.99' };
+    const findings = await detectors.runAll(pkg);
+    const match = findings.find(f => f.id === 'TIER1-VERSION-ANOMALY');
+    assert(match, 'Expected TIER1-VERSION-ANOMALY finding');
+    assert(match.confidenceScore < 70, `confidenceScore ${match.confidenceScore} >= 70`);
+  });
+
+  test('D6: no finding on KNOWN_REPUTABLE_PACKAGES regardless of version', async () => {
+    const pkg = { name: 'react', version: '99.99.99' };
+    const registryMeta = ['1.0.0', '2.0.0'];
+    const findings = await detectors.runAll(pkg, [], registryMeta);
+    const match = findings.find(f => f.id === 'TIER1-VERSION-ANOMALY');
+    assert(!match);
+  });
+
+  test('D6: no finding on normal semver within range', async () => {
+    const pkg = { name: 'widget-core', version: '5.4.1' };
+    const registryMeta = ['1.0.0', '2.0.0', '3.0.0', '4.0.0', '5.0.0', '5.4.0'];
+    const findings = await detectors.runAll(pkg, [], registryMeta);
+    const match = findings.find(f => f.id === 'TIER1-VERSION-ANOMALY');
+    assert(!match);
+  });
+});