muaddib-scanner 1.8.1 → 2.0.0

package/README.fr.md

@@ -30,7 +30,7 @@
 
 Les attaques supply-chain npm et PyPI explosent. Shai-Hulud a compromis 25K+ repos en 2025. Les outils existants détectent, mais n'aident pas à répondre.
 
-MUAD'DIB combine analyse statique + analyse dynamique (sandbox Docker) pour détecter les menaces ET guider votre réponse.
+MUAD'DIB combine analyse statique + analyse dynamique (sandbox Docker) + **détection comportementale d'anomalies** (v2.0) pour détecter les menaces ET guider votre réponse — même avant leur apparition dans une base d'IOC.
 
 ---
 
@@ -392,6 +392,119 @@ Détecte les patterns malveillants dans les fichiers YAML `.github/workflows/`,
 | Supply chain compromise | T1195.002 | IOC matching |
 | Package PyPI malveillant | T1195.002 | IOC matching |
 | Sandbox analyse dynamique | Multiple | Docker + strace + tcpdump |
+| Ajout soudain de script lifecycle | T1195.002 | Analyse temporelle |
+| Injection d'API dangereuse entre versions | T1195.002 | Diff AST temporel |
+| Anomalie de fréquence de publication | T1195.002 | Métadonnées registre |
+| Changement de maintainer/publisher | T1195.002 | Métadonnées registre |
+| Exfiltration de canary tokens | T1552.001 | Honey tokens sandbox |
+
+---
+
+## Détection d'anomalies supply chain (v2.0)
+
+MUAD'DIB 2.0 introduit un changement de paradigme : de la **détection par IOC** (réactive, nécessite des menaces connues) à la **détection comportementale d'anomalies** (proactive, détecte les menaces inconnues en repérant les changements suspects).
+
+Les scanners supply-chain traditionnels reposent sur des listes de packages malveillants connus. Le problème : ils ne détectent les menaces qu'APRÈS leur identification et signalement. Des attaques comme **ua-parser-js** (2021), **event-stream** (2018) et **Shai-Hulud** (2025) sont passées inaperçues pendant des heures ou des jours car aucun IOC n'existait encore.
+
+MUAD'DIB 2.0 ajoute 5 features de détection comportementale capables d'attraper ces attaques **avant** leur apparition dans une base d'IOC, en analysant ce qui a changé entre les versions d'un package.
+
+### Nouvelles features
+
+#### 1. Détection soudaine de scripts lifecycle (`--temporal`)
+
+Détecte quand des scripts `preinstall`, `install` ou `postinstall` apparaissent soudainement dans une nouvelle version d'un package qui n'en avait jamais. C'est le vecteur d'attaque #1 des attaques supply-chain.
+
+```bash
+muaddib scan . --temporal
+```
+
+#### 2. Diff AST temporel (`--temporal-ast`)
+
+Télécharge les deux dernières versions de chaque dépendance et compare leur AST (Abstract Syntax Tree) pour détecter les APIs dangereuses nouvellement ajoutées : `child_process`, `eval`, `Function`, `net.connect`, `process.env`, `fetch`, etc.
+
+```bash
+muaddib scan . --temporal-ast
+```
+
+#### 3. Anomalie de fréquence de publication (`--temporal-publish`)
+
+Détecte les patterns de publication anormaux : rafale de versions en 24h, package dormant soudainement mis à jour après 6+ mois, succession rapide de versions (plusieurs releases en moins d'1h).
+
+```bash
+muaddib scan . --temporal-publish
+```
+
+#### 4. Détection de changement de maintainer (`--temporal-maintainer`)
+
+Détecte les changements de maintainers entre versions : nouveau maintainer ajouté, seul maintainer remplacé (pattern event-stream), noms de maintainers suspects, nouveau publisher.
+
+```bash
+muaddib scan . --temporal-maintainer
+```
+
+#### 5. Canary Tokens / Honey Tokens (sandbox)
+
+Injecte de faux credentials (GITHUB_TOKEN, NPM_TOKEN, clés AWS) dans l'environnement sandbox avant d'installer un package. Si le package tente d'exfiltrer ces honey tokens via HTTP, DNS ou stdout, il est signalé comme malveillant confirmé.
+
+```bash
+muaddib sandbox suspicious-package
+```
+
+### Scan temporel complet
+
+Activer toutes les features d'analyse temporelle en une commande :
+
+```bash
+muaddib scan . --temporal-full
+```
+
+### Exemples d'utilisation
+
+```bash
+# Scan comportemental complet (5 features)
+muaddib scan . --temporal-full
+
+# Détection lifecycle scripts uniquement
+muaddib scan . --temporal
+
+# Diff AST + changement maintainer
+muaddib scan . --temporal-ast --temporal-maintainer
+
+# Sandbox avec canary tokens (activé par défaut)
+muaddib sandbox suspicious-package
+
+# Sandbox sans canary tokens
+muaddib sandbox suspicious-package --no-canary
+```
+
+### Nouvelles règles de détection (v2.0)
+
+| Rule ID | Nom | Sévérité | Feature |
+|---------|-----|----------|---------|
+| MUADDIB-TEMPORAL-001 | Ajout soudain de script lifecycle (Critique) | CRITICAL | `--temporal` |
+| MUADDIB-TEMPORAL-002 | Ajout soudain de script lifecycle | HIGH | `--temporal` |
+| MUADDIB-TEMPORAL-003 | Script lifecycle modifié | MEDIUM | `--temporal` |
+| MUADDIB-TEMPORAL-AST-001 | API dangereuse ajoutée (Critique) | CRITICAL | `--temporal-ast` |
+| MUADDIB-TEMPORAL-AST-002 | API dangereuse ajoutée (High) | HIGH | `--temporal-ast` |
+| MUADDIB-TEMPORAL-AST-003 | API dangereuse ajoutée (Medium) | MEDIUM | `--temporal-ast` |
+| MUADDIB-PUBLISH-001 | Rafale de publications détectée | HIGH | `--temporal-publish` |
+| MUADDIB-PUBLISH-002 | Pic de package dormant | HIGH | `--temporal-publish` |
+| MUADDIB-PUBLISH-003 | Succession rapide de versions | MEDIUM | `--temporal-publish` |
+| MUADDIB-MAINTAINER-001 | Nouveau maintainer ajouté | HIGH | `--temporal-maintainer` |
+| MUADDIB-MAINTAINER-002 | Maintainer suspect détecté | CRITICAL | `--temporal-maintainer` |
+| MUADDIB-MAINTAINER-003 | Seul maintainer changé | HIGH | `--temporal-maintainer` |
+| MUADDIB-MAINTAINER-004 | Nouveau publisher détecté | MEDIUM | `--temporal-maintainer` |
+| MUADDIB-CANARY-001 | Exfiltration de canary token | CRITICAL | sandbox |
+
+### Pourquoi c'est important
+
+Ces features détectent des attaques comme :
+- **Shai-Hulud** (2025) : Détecté par temporal lifecycle + AST diff (ajout soudain de `postinstall` + `child_process`)
+- **ua-parser-js** (2021) : Détecté par changement maintainer + détection lifecycle
+- **event-stream** (2018) : Détecté par changement de seul maintainer + AST diff (nouvelle dépendance `flatmap-stream` avec `eval`)
+- **coa/rc** (2021) : Détecté par rafale de publications + détection lifecycle
+
+Le tout sans avoir besoin d'un seul IOC.
 
 ---
 
@@ -488,7 +601,7 @@ Les alertes apparaissent dans Security > Code scanning alerts.
 ## Architecture
 
 ```
-MUAD'DIB Scanner
+MUAD'DIB 2.0 Scanner
 |
 +-- IOC Match (225 000+ packages, JSON DB)
 |   +-- OSV.dev npm dump (200K+ entrées MAL-*)
@@ -500,14 +613,24 @@ MUAD'DIB Scanner
 |   +-- Snyk Known Malware
 |   +-- Static IOCs (Socket, Phylum)
 |
-+-- AST Parse (acorn)
-+-- Pattern Matching (shell, scripts)
-+-- Typosquat Detection (npm + PyPI, Levenshtein)
-+-- Python Scanner (requirements.txt, setup.py, pyproject.toml)
-+-- Analyse Entropie Shannon
-+-- GitHub Actions Scanner
++-- 12 Scanners Parallèles
+|   +-- AST Parse (acorn)
+|   +-- Pattern Matching (shell, scripts)
+|   +-- Typosquat Detection (npm + PyPI, Levenshtein)
+|   +-- Python Scanner (requirements.txt, setup.py, pyproject.toml)
+|   +-- Analyse Entropie Shannon
+|   +-- GitHub Actions Scanner
+|   +-- Package, Dependencies, Hash, npm-registry, Dataflow scanners
+|
++-- Détection d'Anomalies Supply Chain (v2.0)
+|   +-- Détection Lifecycle Script Temporelle (--temporal)
+|   +-- Diff AST Temporel (--temporal-ast)
+|   +-- Anomalie Fréquence de Publication (--temporal-publish)
+|   +-- Détection Changement Maintainer (--temporal-maintainer)
+|   +-- Canary Tokens / Honey Tokens (sandbox)
+|
 +-- Paranoid Mode (ultra-strict)
-+-- Docker Sandbox (behavioral analysis, network capture)
++-- Docker Sandbox (analyse comportementale, capture réseau, canary tokens)
 +-- Moniteur Zero-Day (polling RSS npm + PyPI, alertes Discord, rapport quotidien)
 |
 v
@@ -552,7 +675,7 @@ npm test
 
 ### Tests
 
-- **326 tests unitaires/intégration** - 80% coverage via [Codecov](https://codecov.io/gh/DNSZLSK/muad-dib)
+- **541 tests unitaires/intégration** - 80% coverage via [Codecov](https://codecov.io/gh/DNSZLSK/muad-dib)
 - **56 tests de fuzzing** - YAML malformé, JSON invalide, fichiers binaires, ReDoS, unicode, inputs 10MB
 - **15 tests adversariaux** - Packages malveillants simulés, taux de détection 15/15
 - **8 tests multi-facteur typosquat** - Cas limites et comportement cache

package/README.md

@@ -30,7 +30,7 @@
 
 npm and PyPI supply-chain attacks are exploding. Shai-Hulud compromised 25K+ repos in 2025. Existing tools detect threats but don't help you respond.
 
-MUAD'DIB combines static analysis + dynamic analysis (Docker sandbox) to detect threats AND guide your response.
+MUAD'DIB combines static analysis + dynamic analysis (Docker sandbox) + **behavioral anomaly detection** (v2.0) to detect threats AND guide your response — even before they appear in any IOC database.
 
 ---
 
@@ -393,6 +393,119 @@ Detects malicious patterns in `.github/workflows/` YAML files, including Shai-Hu
 | Supply chain compromise | T1195.002 | IOC matching |
 | PyPI malicious package | T1195.002 | IOC matching |
 | Sandbox dynamic analysis | Multiple | Docker + strace + tcpdump |
+| Sudden lifecycle script addition | T1195.002 | Temporal analysis |
+| Dangerous API injection between versions | T1195.002 | Temporal AST diff |
+| Publish frequency anomaly | T1195.002 | Registry metadata |
+| Maintainer/publisher change | T1195.002 | Registry metadata |
+| Canary token exfiltration | T1552.001 | Sandbox honey tokens |
+
+---
+
+## Supply Chain Anomaly Detection (v2.0)
+
+MUAD'DIB 2.0 introduces a paradigm shift: from **IOC-based detection** (reactive, requires known threats) to **behavioral anomaly detection** (proactive, detects unknown threats by spotting suspicious changes).
+
+Traditional supply-chain scanners rely on blocklists of known malicious packages. The problem: they can only detect threats AFTER they've been identified and reported. Attacks like **ua-parser-js** (2021), **event-stream** (2018), and **Shai-Hulud** (2025) went undetected for hours or days because no IOC existed yet.
+
+MUAD'DIB 2.0 adds 5 behavioral detection features that can catch these attacks **before** they appear in any IOC database, by analyzing what changed between package versions.
+
+### New features
+
+#### 1. Sudden Lifecycle Script Detection (`--temporal`)
+
+Detects when `preinstall`, `install`, or `postinstall` scripts suddenly appear in a new version of a package that never had them before. This is the #1 attack vector for supply-chain attacks.
+
+```bash
+muaddib scan . --temporal
+```
+
+#### 2. Temporal AST Diff (`--temporal-ast`)
+
+Downloads the two latest versions of each dependency and compares their AST (Abstract Syntax Tree) to detect newly added dangerous APIs: `child_process`, `eval`, `Function`, `net.connect`, `process.env`, `fetch`, etc.
+
+```bash
+muaddib scan . --temporal-ast
+```
+
+#### 3. Publish Frequency Anomaly (`--temporal-publish`)
+
+Detects abnormal publishing patterns: burst of versions in 24h, dormant package suddenly updated after 6+ months, rapid version succession (multiple releases in under 1h).
+
+```bash
+muaddib scan . --temporal-publish
+```
+
+#### 4. Maintainer Change Detection (`--temporal-maintainer`)
+
+Detects changes in package maintainers between versions: new maintainer added, sole maintainer replaced (event-stream pattern), suspicious maintainer names, new publisher.
+
+```bash
+muaddib scan . --temporal-maintainer
+```
+
+#### 5. Canary Tokens / Honey Tokens (sandbox)
+
+Injects fake credentials (GITHUB_TOKEN, NPM_TOKEN, AWS keys) into the sandbox environment before installing a package. If the package attempts to exfiltrate these honey tokens via HTTP, DNS, or stdout, it's flagged as confirmed malicious.
+
+```bash
+muaddib sandbox suspicious-package
+```
+
+### Full temporal scan
+
+Enable all temporal analysis features at once:
+
+```bash
+muaddib scan . --temporal-full
+```
+
+### Usage examples
+
+```bash
+# Full behavioral scan (all 5 features)
+muaddib scan . --temporal-full
+
+# Only lifecycle script detection
+muaddib scan . --temporal
+
+# AST diff + maintainer change
+muaddib scan . --temporal-ast --temporal-maintainer
+
+# Sandbox with canary tokens (enabled by default)
+muaddib sandbox suspicious-package
+
+# Sandbox without canary tokens
+muaddib sandbox suspicious-package --no-canary
+```
+
+### New detection rules (v2.0)
+
+| Rule ID | Name | Severity | Feature |
+|---------|------|----------|---------|
+| MUADDIB-TEMPORAL-001 | Sudden Lifecycle Script Added (Critical) | CRITICAL | `--temporal` |
+| MUADDIB-TEMPORAL-002 | Sudden Lifecycle Script Added | HIGH | `--temporal` |
+| MUADDIB-TEMPORAL-003 | Lifecycle Script Modified | MEDIUM | `--temporal` |
+| MUADDIB-TEMPORAL-AST-001 | Dangerous API Added (Critical) | CRITICAL | `--temporal-ast` |
+| MUADDIB-TEMPORAL-AST-002 | Dangerous API Added (High) | HIGH | `--temporal-ast` |
+| MUADDIB-TEMPORAL-AST-003 | Dangerous API Added (Medium) | MEDIUM | `--temporal-ast` |
+| MUADDIB-PUBLISH-001 | Publish Burst Detected | HIGH | `--temporal-publish` |
+| MUADDIB-PUBLISH-002 | Dormant Package Spike | HIGH | `--temporal-publish` |
+| MUADDIB-PUBLISH-003 | Rapid Version Succession | MEDIUM | `--temporal-publish` |
+| MUADDIB-MAINTAINER-001 | New Maintainer Added | HIGH | `--temporal-maintainer` |
+| MUADDIB-MAINTAINER-002 | Suspicious Maintainer Detected | CRITICAL | `--temporal-maintainer` |
+| MUADDIB-MAINTAINER-003 | Sole Maintainer Changed | HIGH | `--temporal-maintainer` |
+| MUADDIB-MAINTAINER-004 | New Publisher Detected | MEDIUM | `--temporal-maintainer` |
+| MUADDIB-CANARY-001 | Canary Token Exfiltration | CRITICAL | sandbox |
+
+### Why it matters
+
+These features detect attacks like:
+- **Shai-Hulud** (2025): Would be caught by temporal lifecycle + AST diff (sudden `postinstall` + `child_process` added)
+- **ua-parser-js** (2021): Would be caught by maintainer change + lifecycle script detection
+- **event-stream** (2018): Would be caught by sole maintainer change + AST diff (new `flatmap-stream` dependency with `eval`)
+- **coa/rc** (2021): Would be caught by publish burst + lifecycle script detection
+
+All without needing a single IOC entry.
 
 ---
 
@@ -489,7 +602,7 @@ Alerts appear in Security > Code scanning alerts.
 ## Architecture
 
 ```
-MUAD'DIB Scanner
+MUAD'DIB 2.0 Scanner
 |
 +-- IOC Match (225,000+ packages, JSON DB)
 |   +-- OSV.dev npm dump (200K+ MAL-* entries)
@@ -512,8 +625,15 @@ MUAD'DIB Scanner
 |   +-- GitHub Actions Scanner
 |   +-- Package, Dependencies, Hash, npm-registry, Dataflow scanners
 |
++-- Supply Chain Anomaly Detection (v2.0)
+|   +-- Temporal Lifecycle Script Detection (--temporal)
+|   +-- Temporal AST Diff (--temporal-ast)
+|   +-- Publish Frequency Anomaly (--temporal-publish)
+|   +-- Maintainer Change Detection (--temporal-maintainer)
+|   +-- Canary Tokens / Honey Tokens (sandbox)
+|
 +-- Paranoid Mode (ultra-strict)
-+-- Docker Sandbox (behavioral analysis, network capture)
++-- Docker Sandbox (behavioral analysis, network capture, canary tokens)
 +-- Zero-Day Monitor (npm + PyPI RSS polling, Discord alerts, daily report)
 |
 v
@@ -558,7 +678,7 @@ npm test
 
 ### Testing
 
-- **326 unit/integration tests** - 80% code coverage via [Codecov](https://codecov.io/gh/DNSZLSK/muad-dib)
+- **541 unit/integration tests** - 80% code coverage via [Codecov](https://codecov.io/gh/DNSZLSK/muad-dib)
 - **56 fuzz tests** - Malformed YAML, invalid JSON, binary files, ReDoS, unicode, 10MB inputs
 - **15 adversarial tests** - Simulated malicious packages, 15/15 detection rate
 - **8 multi-factor typosquat tests** - Edge cases and cache behavior

package/bin/muaddib.js

@@ -25,6 +25,11 @@ let webhookUrl = null;
 let paranoidMode = false;
 let excludeDirs = [];
 let entropyThreshold = null;
+let temporalMode = false;
+let temporalAstMode = false;
+let temporalPublishMode = false;
+let temporalMaintainerMode = false;
+let temporalFullMode = false;
 
 for (let i = 0; i < options.length; i++) {
   if (options[i] === '--json') {
@@ -90,8 +95,20 @@ for (let i = 0; i < options.length; i++) {
     i++;
   } else if (options[i] === '--paranoid') {
     paranoidMode = true;
+  } else if (options[i] === '--temporal-full') {
+    temporalFullMode = true;
+  } else if (options[i] === '--temporal-ast') {
+    temporalAstMode = true;
+  } else if (options[i] === '--temporal-publish') {
+    temporalPublishMode = true;
+  } else if (options[i] === '--temporal-maintainer') {
+    temporalMaintainerMode = true;
+  } else if (options[i] === '--temporal') {
+    temporalMode = true;
   } else if (options[i] === '--strict') {
     // Sandbox strict mode flag (parsed here, used by sandbox commands)
+  } else if (options[i] === '--no-canary') {
+    // Sandbox canary disable flag (parsed here, used by sandbox commands)
   } else if (!options[i].startsWith('-')) {
     target = options[i];
   }
@@ -301,7 +318,7 @@ const helpText = `
     muaddib remove-hooks [path]      Remove MUAD'DIB git hooks
     muaddib update                   Update IOCs
     muaddib scrape                   Scrape new IOCs
-    muaddib sandbox <pkg> [--strict]  Analyze in isolated Docker container
+    muaddib sandbox <pkg> [--strict] [--no-canary]  Analyze in isolated Docker container
     muaddib sandbox-report <pkg>     Sandbox + detailed network report
     muaddib version                  Show version
 
@@ -323,6 +340,12 @@ const helpText = `
     --fail-on [level]   Fail level (critical|high|medium|low)
     --webhook [url]     Discord/Slack webhook
     --paranoid          Ultra-strict mode
+    --temporal          Detect sudden lifecycle script changes (network requests per package)
+    --temporal-ast      Detect sudden dangerous API additions via AST diff (downloads tarballs)
+    --temporal-publish  Detect publish frequency anomalies (bursts, dormant spikes)
+    --temporal-maintainer  Detect maintainer changes (new maintainer, account takeover)
+    --temporal-full     All temporal analyses (lifecycle + AST + publish + maintainer)
+    --no-canary         Disable honey token injection in sandbox
     --exclude [dir]     Exclude directory from scan (repeatable)
     --entropy-threshold [n]  Custom string-level entropy threshold (default: 5.5)
     --save-dev, -D      Install as dev dependency
@@ -353,6 +376,10 @@ if (command === 'version' || command === '--version' || command === '-v') {
     failLevel: failLevel,
     webhook: webhookUrl,
     paranoid: paranoidMode,
+    temporal: temporalMode || temporalFullMode,
+    temporalAst: temporalAstMode || temporalFullMode,
+    temporalPublish: temporalPublishMode || temporalFullMode,
+    temporalMaintainer: temporalMaintainerMode || temporalFullMode,
     exclude: excludeDirs,
     entropyThreshold: entropyThreshold
   }).then(exitCode => {
@@ -378,6 +405,92 @@ if (command === 'version' || command === '--version' || command === '-v') {
     console.error('[ERROR]', err.message);
     process.exit(1);
   });
+} else if (command === 'monitor') {
+  const testPkg = options.filter(o => !o.startsWith('-'));
+  const isTemporal = options.includes('--temporal');
+  const isTemporalAst = options.includes('--temporal-ast');
+  const isTest = options.includes('--test');
+
+  if (isTemporalAst && isTest) {
+    const actualPkg = options.filter(o => !o.startsWith('-')).pop();
+    if (!actualPkg) {
+      console.log('Usage: muaddib monitor --temporal-ast --test <package-name>');
+      process.exit(1);
+    }
+    const { detectSuddenAstChanges } = require('../src/temporal-ast-diff.js');
+    console.log(`[TEMPORAL-AST] Analyzing ${actualPkg}...\n`);
+    detectSuddenAstChanges(actualPkg).then(result => {
+      console.log(`Package:          ${result.packageName}`);
+      console.log(`Latest version:   ${result.latestVersion || 'N/A'}`);
+      console.log(`Previous version: ${result.previousVersion || 'N/A'}`);
+      console.log(`Suspicious:       ${result.suspicious ? 'YES' : 'NO'}`);
+      if (result.metadata.latestPublishedAt) {
+        console.log(`Published:        ${result.metadata.latestPublishedAt}`);
+      }
+      if (result.findings.length > 0) {
+        console.log(`\nFindings:`);
+        for (const f of result.findings) {
+          console.log(`  [${f.severity}] ${f.pattern}: ${f.description}`);
+        }
+      } else {
+        console.log(`\nNo dangerous API changes detected between the last two versions.`);
+      }
+      process.exit(result.suspicious ? 1 : 0);
+    }).catch(err => {
+      console.error(`[ERROR] ${err.message}`);
+      process.exit(1);
+    });
+  } else if (isTemporal && isTest && testPkg.length > 0) {
+    const { detectSuddenLifecycleChange } = require('../src/temporal-analysis.js');
+    const pkgName = testPkg[testPkg.indexOf('--test') !== -1 ? testPkg.length - 1 : 0] || testPkg[0];
+    // Find the package name: it's the non-flag argument
+    const actualPkg = options.filter(o => !o.startsWith('-')).pop();
+    if (!actualPkg) {
+      console.log('Usage: muaddib monitor --temporal --test <package-name>');
+      process.exit(1);
+    }
+    console.log(`[TEMPORAL] Analyzing ${actualPkg}...\n`);
+    detectSuddenLifecycleChange(actualPkg).then(result => {
+      console.log(`Package:          ${result.packageName}`);
+      console.log(`Latest version:   ${result.latestVersion || 'N/A'}`);
+      console.log(`Previous version: ${result.previousVersion || 'N/A'}`);
+      console.log(`Suspicious:       ${result.suspicious ? 'YES' : 'NO'}`);
+      if (result.metadata.note) {
+        console.log(`Note:             ${result.metadata.note}`);
+      }
+      if (result.metadata.latestPublishedAt) {
+        console.log(`Published:        ${result.metadata.latestPublishedAt}`);
+      }
+      if (result.metadata.maintainers && result.metadata.maintainers.length > 0) {
+        const names = result.metadata.maintainers.map(m => m.name || m.email).join(', ');
+        console.log(`Maintainers:      ${names}`);
+      }
+      if (result.findings.length > 0) {
+        console.log(`\nFindings:`);
+        for (const f of result.findings) {
+          const action = f.type === 'lifecycle_added' ? 'ADDED' : f.type === 'lifecycle_modified' ? 'MODIFIED' : 'REMOVED';
+          const value = f.type === 'lifecycle_modified' ? f.newValue : f.value;
+          console.log(`  [${f.severity}] ${f.script} script ${action}: "${value}"`);
+        }
+      } else {
+        console.log(`\nNo lifecycle script changes detected between the last two versions.`);
+      }
+      process.exit(result.suspicious ? 1 : 0);
+    }).catch(err => {
+      console.error(`[ERROR] ${err.message}`);
+      process.exit(1);
+    });
+  } else if (isTemporal && isTest) {
+    console.log('Usage: muaddib monitor --temporal --test <package-name>');
+    process.exit(1);
+  } else {
+    // Start full monitor
+    const { startMonitor } = require('../src/monitor.js');
+    startMonitor().catch(err => {
+      console.error('[ERROR]', err.message);
+      process.exit(1);
+    });
+  }
 } else if (command === 'daemon') {
   startDaemon({ webhook: webhookUrl });
 } else if (command === 'install' || command === 'i') {
@@ -404,13 +517,14 @@ if (command === 'version' || command === '--version' || command === '-v') {
   const sandboxOpts = options.filter(o => !o.startsWith('-'));
   const packageName = sandboxOpts[0];
   const strict = options.includes('--strict');
+  const canary = !options.includes('--no-canary');
   if (!packageName) {
-    console.log('Usage: muaddib sandbox <package-name> [--strict]');
+    console.log('Usage: muaddib sandbox <package-name> [--strict] [--no-canary]');
     process.exit(1);
   }
 
   buildSandboxImage()
-    .then(() => runSandbox(packageName, { strict }))
+    .then(() => runSandbox(packageName, { strict, canary }))
     .then((results) => {
       process.exit(results.suspicious ? 1 : 0);
     })
@@ -422,13 +536,14 @@ if (command === 'version' || command === '--version' || command === '-v') {
   const sandboxOpts = options.filter(o => !o.startsWith('-'));
   const packageName = sandboxOpts[0];
   const strict = options.includes('--strict');
+  const canary = !options.includes('--no-canary');
   if (!packageName) {
-    console.log('Usage: muaddib sandbox-report <package-name> [--strict]');
+    console.log('Usage: muaddib sandbox-report <package-name> [--strict] [--no-canary]');
     process.exit(1);
   }
 
   buildSandboxImage()
-    .then(() => runSandbox(packageName, { strict }))
+    .then(() => runSandbox(packageName, { strict, canary }))
     .then((results) => {
       if (results.raw_report) {
         console.log(generateNetworkReport(results.raw_report));

package/docker/sandbox-runner.sh

@@ -46,6 +46,7 @@ sleep 1
 
 # ── 3. npm install with strace ──
 echo "[SANDBOX] Installing $PACKAGE..." >&2
+cd /sandbox/install
 strace -f -e trace=network,process,open,openat,connect,execve,sendto,recvfrom \
   -o /tmp/strace.log \
   npm install "$PACKAGE" --ignore-scripts=false > /tmp/install.log 2>&1
@@ -65,8 +66,8 @@ DURATION_MS=$((END_MS - START_MS))
 
 # ── 5. Filesystem diff ──
 echo "[SANDBOX] Analyzing filesystem changes..." >&2
-comm -13 /tmp/fs-before.txt /tmp/fs-after.txt | grep -v '^/sandbox/node_modules/' | grep -v '^/tmp/' > /tmp/fs-created.txt
-comm -23 /tmp/fs-before.txt /tmp/fs-after.txt | grep -v '^/sandbox/node_modules/' > /tmp/fs-deleted.txt
+comm -13 /tmp/fs-before.txt /tmp/fs-after.txt | grep -v '^/sandbox/install/' | grep -v '^/tmp/' > /tmp/fs-created.txt
+comm -23 /tmp/fs-before.txt /tmp/fs-after.txt | grep -v '^/sandbox/install/' > /tmp/fs-deleted.txt
 
 # ── 6. Parse strace ──
 echo "[SANDBOX] Parsing strace..." >&2

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "1.8.1",
+  "version": "2.0.0",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {