muaddib-scanner 2.10.29 → 2.10.31

package/README.md

@@ -30,7 +30,7 @@
 
 npm and PyPI supply-chain attacks are exploding. Shai-Hulud compromised 25K+ repos in 2025. Existing tools detect threats but don't help you respond.
 
-MUAD'DIB combines **14 parallel scanners** (176 detection rules), a **deobfuscation engine**, **inter-module dataflow analysis**, **compound scoring**, **ML classifiers** (XGBoost), and Docker sandbox to detect known threats and suspicious behavioral patterns in npm and PyPI packages.
+MUAD'DIB combines **14 parallel scanners** (195 detection rules), a **deobfuscation engine**, **inter-module dataflow analysis**, **compound scoring**, **ML classifiers** (XGBoost), and Docker sandbox to detect known threats and suspicious behavioral patterns in npm and PyPI packages.
 
 ---
 
@@ -195,7 +195,7 @@ muaddib replay                     # Ground truth validation (46/49 TPR)
 | GitHub Actions | Shai-Hulud backdoor detection |
 | Hash Scanner | Known malicious file hashes |
 
-### 176 detection rules
+### 195 detection rules
 
 All rules are mapped to MITRE ATT&CK techniques. See [SECURITY.md](SECURITY.md#detection-rules-v21021) for the complete rules reference.
 
@@ -271,7 +271,7 @@ With pre-commit framework:
 ```yaml
 repos:
   - repo: https://github.com/DNSZLSK/muad-dib
-    rev: v2.10.21
+    rev: v2.10.31
     hooks:
       - id: muaddib-scan
 ```
@@ -288,7 +288,7 @@ repos:
 | **FPR** (Benign random) | **7.5%** (15/200) | 200 random npm packages, stratified sampling |
 | **ADR** (Adversarial + Holdout) | **94.0%** (101/107) | 67 adversarial + 40 holdout (107 available on disk), global threshold=20 |
 
-**2793 tests** across 57 files. **176 rules** (171 RULES + 5 PARANOID).
+**2868 tests** across 62 files. **195 rules** (190 RULES + 5 PARANOID).
 
 > **Methodology caveats:**
 > - TPR measured on 49 Node.js attack samples (3 browser-only excluded from 51 total)
@@ -329,7 +329,7 @@ npm test
 
 ### Testing
 
-- **2793 tests** across 57 modular test files
+- **2868 tests** across 62 modular test files
 - **56 fuzz tests** - Malformed inputs, ReDoS, unicode, binary
 - **Datadog 17K benchmark** - 14,587 confirmed malware samples (in-scope)
 - **Ground truth validation** - 51 real-world attacks (93.9% TPR)
@@ -351,7 +351,7 @@ npm test
 - [Evaluation Methodology](docs/EVALUATION_METHODOLOGY.md) - Experimental protocol, holdout scores
 - [Threat Model](docs/threat-model.md) - What MUAD'DIB detects and doesn't detect
 - [Adversarial Evaluation](ADVERSARIAL.md) - Red team samples and ADR results
-- [Security Policy](SECURITY.md) - Detection rules reference (176 rules)
+- [Security Policy](SECURITY.md) - Detection rules reference (195 rules)
 - [Security Audit](docs/SECURITY_AUDIT.md) - Bypass validation report
 - [FP Analysis](docs/EVALUATION.md) - Historical false positive analysis
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.10.29",
+  "version": "2.10.31",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/src/commands/hooks-init.js

@@ -5,7 +5,7 @@ const path = require('path');
 // Read version from package.json for pre-commit config
 const PKG_VERSION = (() => {
   try {
-    return 'v' + JSON.parse(fs.readFileSync(path.join(__dirname, '..', 'package.json'), 'utf8')).version;
+    return 'v' + JSON.parse(fs.readFileSync(path.join(__dirname, '..', '..', 'package.json'), 'utf8')).version;
   } catch {
     return 'v1.0.0';
   }

package/src/commands/interactive.js

@@ -107,7 +107,7 @@ async function interactiveMenu() {
         message: 'Webhook URL:'
       });
     }
-    const { startDaemon } = require('../src/daemon.js');
+    const { startDaemon } = require('../daemon.js');
     startDaemon({ webhook });
   }
 
@@ -146,14 +146,14 @@ async function interactiveMenu() {
   }
 
   if (action === 'feed') {
-    const { getFeed } = require('../src/threat-feed.js');
+    const { getFeed } = require('../threat-feed.js');
     const result = getFeed();
     console.log(JSON.stringify(result, null, 2));
     process.exit(0);
   }
 
   if (action === 'serve') {
-    const { startServer } = require('../src/serve.js');
+    const { startServer } = require('../serve.js');
     startServer({ port: 3000 });
     // Server runs indefinitely
   }

package/src/index.js

@@ -6,29 +6,30 @@ const { process: processThreats } = require('./pipeline/processor.js');
 const { output } = require('./pipeline/outputter.js');
 
 async function run(targetPath, options = {}) {
-  // Phase 1: Initialization (validate, IOCs, config, Python detection)
-  const { pythonDeps, configApplied, configResult, warnings } = await initialize(targetPath, options);
+  try {
+    // Phase 1: Initialization (validate, IOCs, config, Python detection)
+    const { pythonDeps, configApplied, configResult, warnings } = await initialize(targetPath, options);
 
-  // Phase 2: Execute all scanners
-  const { threats, scannerErrors } = await execute(targetPath, options, pythonDeps, warnings);
+    // Phase 2: Execute all scanners
+    const { threats, scannerErrors } = await execute(targetPath, options, pythonDeps, warnings);
 
-  // Phase 3: Process threats (sandbox, dedup, compounds, FP reduction, intent, scoring)
-  const processed = await processThreats(threats, targetPath, options, pythonDeps, warnings, scannerErrors);
-  const { result } = processed;
+    // Phase 3: Process threats (sandbox, dedup, compounds, FP reduction, intent, scoring)
+    const processed = await processThreats(threats, targetPath, options, pythonDeps, warnings, scannerErrors);
+    const { result } = processed;
 
-  // _capture mode: return result directly without printing (used by diff.js)
-  if (options._capture) {
-    resetAll();
-    return result;
-  }
-
-  // Phase 4: Output (CLI formatting, webhook, exit code)
-  const exitCode = await output(result, options, processed);
+    // _capture mode: return result directly without printing (used by diff.js)
+    if (options._capture) {
+      return result;
+    }
 
-  // Clear all per-scan mutable state
-  resetAll();
+    // Phase 4: Output (CLI formatting, webhook, exit code)
+    const exitCode = await output(result, options, processed);
 
-  return exitCode;
+    return exitCode;
+  } finally {
+    // Clear all per-scan mutable state — even on exception
+    resetAll();
+  }
 }
 
 module.exports = { run, isPackageLevelThreat, computeGroupScore };

package/src/monitor/webhook.js

@@ -1059,7 +1059,7 @@ async function sendReportNow(stats) {
     pypiLastPackage: stateRaw.pypiLastPackage || ''
   };
   stats.lastDailyReportDate = today;
-  saveState(state);
+  saveState(state, stats);
   saveLastDailyReportDate(today);
 
   return { sent: true, message: 'Daily report sent' };

package/src/output/sarif.js

@@ -4,7 +4,7 @@ const { RULES } = require('../rules/index.js');
 
 const pkgVersion = (() => {
   try {
-    return JSON.parse(fs.readFileSync(path.join(__dirname, '..', 'package.json'), 'utf8')).version;
+    return JSON.parse(fs.readFileSync(path.join(__dirname, '..', '..', 'package.json'), 'utf8')).version;
   } catch {
     return '0.0.0';
   }

package/src/response/playbooks.js

@@ -511,6 +511,13 @@ const PLAYBOOKS = {
     'CRITIQUE: Un Proxy JavaScript avec trap set/get/apply est combine avec un appel reseau. ' +
     'Technique d\'interception: le Proxy capture toutes les ecritures de proprietes (credentials, tokens, config) ' +
     'et les exfiltre via HTTPS/fetch/dgram. Supprimer le package. Auditer tous les modules qui importent ce package.',
+  proxy_globalthis_intercept:
+    'CRITIQUE: new Proxy(globalThis/global) intercepte tous les acces au scope global. ' +
+    'L\'attaquant peut hooker eval, Function, require de maniere transparente via le handler Proxy. ' +
+    'Supprimer le package immediatement.',
+  reflect_bind_code_execution:
+    'CRITIQUE: Reflect.apply() avec methode prototype (bind/call/apply) et thisArg=Function/eval. ' +
+    'Evasion de 2nd niveau contournant la detection Reflect.apply(eval). Supprimer le package.',
   detached_credential_exfil:
     'CRITIQUE: Process detache avec acces aux credentials et exfiltration reseau. ' +
     'Technique DPRK/Lazarus: le process fils survit au parent (detached:true, unref()) et exfiltre des secrets en arriere-plan. ' +

package/src/rules/index.js

@@ -2142,6 +2142,24 @@ const RULES = {
     ],
     mitre: 'T1082'
   },
+  proxy_globalthis_intercept: {
+    id: 'MUADDIB-AST-083',
+    name: 'Proxy GlobalThis Interception',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'new Proxy(globalThis/global/window/self) — intercepts all global scope access, enabling transparent hooking of eval/Function/require.',
+    references: ['https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Proxy'],
+    mitre: 'T1574'
+  },
+  reflect_bind_code_execution: {
+    id: 'MUADDIB-AST-084',
+    name: 'Reflect.apply Prototype Method Code Execution',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Reflect.apply(Function.prototype.bind/call/apply, Function, [...]) — indirect code execution via Reflect with prototype method as target.',
+    references: ['https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Reflect/apply'],
+    mitre: 'T1059'
+  },
   lifecycle_missing_script: {
     id: 'MUADDIB-PKG-017',
     name: 'Phantom Lifecycle Script',

package/src/sandbox/index.js

@@ -115,7 +115,7 @@ async function buildSandboxImage() {
   console.log('[SANDBOX] Building Docker image...');
 
   return new Promise((resolve) => {
-    const dockerfilePath = path.join(__dirname, '..', 'docker').replace(/\\/g, '/');
+    const dockerfilePath = path.join(__dirname, '..', '..', 'docker').replace(/\\/g, '/');
     const proc = spawn('docker', ['build', '-t', DOCKER_IMAGE, dockerfilePath], {
       stdio: 'inherit'
     });

package/src/scanner/ast-detectors/handle-call-expression.js

@@ -1496,6 +1496,26 @@ function handleCallExpression(node, ctx) {
           file: ctx.relFile
         });
       }
+      // Bypass fix: Reflect.apply(Function.prototype.bind/call/apply, Function, [...])
+      if (target.type === 'MemberExpression') {
+        const methodProp = target.property;
+        const methodName = methodProp?.type === 'Identifier' ? methodProp.name :
+                           (methodProp?.type === 'Literal' ? String(methodProp.value) : null);
+        if (methodName === 'bind' || methodName === 'call' || methodName === 'apply') {
+          const thisArg = node.arguments[1];
+          if (thisArg?.type === 'Identifier' &&
+              (thisArg.name === 'Function' || thisArg.name === 'eval' ||
+               ctx.evalAliases?.has(thisArg.name))) {
+            ctx.hasDynamicExec = true;
+            ctx.threats.push({
+              type: 'reflect_bind_code_execution',
+              severity: 'CRITICAL',
+              message: `Reflect.apply(*.${methodName}, ${thisArg.name}, [...]) — indirect ${thisArg.name} invocation via prototype method, bypasses Reflect.apply(${thisArg.name}) detection.`,
+              file: ctx.relFile
+            });
+          }
+        }
+      }
       // B1: Reflect.apply(require, null, ['child_process']) — bypasses require() call detection
       if (target.type === 'Identifier' && target.name === 'require') {
         const argsArray = node.arguments[2];

package/src/scanner/ast-detectors/handle-new-expression.js

@@ -58,6 +58,18 @@ function handleNewExpression(node, ctx) {
         file: ctx.relFile
       });
     }
+    // Detect new Proxy(globalThis/global/window/self, handler) — intercepts all global access
+    if (target.type === 'Identifier' &&
+        (target.name === 'globalThis' || target.name === 'global' ||
+         target.name === 'window' || target.name === 'self' ||
+         ctx.globalThisAliases.has(target.name))) {
+      ctx.threats.push({
+        type: 'proxy_globalthis_intercept',
+        severity: 'CRITICAL',
+        message: `new Proxy(${target.name}, handler) — intercepts all global object access. Attacker can hook eval/Function/require transparently.`,
+        file: ctx.relFile
+      });
+    }
     // Detect new Proxy(obj, handler) where handler has set/get traps — data interception
     // Real-world technique: export a Proxy that intercepts all property sets/gets to exfiltrate
     // data flowing through the module. Combined with network (hasNetworkInFile) → credential theft.

package/src/scanner/ast-detectors/handle-variable-declarator.js

@@ -58,6 +58,19 @@ function handleVariableDeclarator(node, ctx) {
       ctx.globalThisAliases.add(node.id.name);
     }
 
+    // Track Proxy(globalThis) as globalThis alias for downstream detection
+    if (node.init?.type === 'NewExpression' &&
+        node.init.callee?.type === 'Identifier' && node.init.callee.name === 'Proxy' &&
+        node.init.arguments?.length >= 2) {
+      const proxyTarget = node.init.arguments[0];
+      if (proxyTarget?.type === 'Identifier' &&
+          (proxyTarget.name === 'globalThis' || proxyTarget.name === 'global' ||
+           proxyTarget.name === 'window' || proxyTarget.name === 'self' ||
+           ctx.globalThisAliases.has(proxyTarget.name))) {
+        ctx.globalThisAliases.add(node.id.name);
+      }
+    }
+
     // B1: const E = eval; const F = Function;
     if (node.init?.type === 'Identifier' &&
         (node.init.name === 'eval' || node.init.name === 'Function')) {

package/src/sandbox.js

@@ -1,663 +0,0 @@
-const { execSync, execFileSync, spawn } = require('child_process');
-const crypto = require('crypto');
-const fs = require('fs');
-const path = require('path');
-const {
-  generateCanaryTokens,
-  createCanaryEnvFile,
-  createCanaryNpmrc,
-  detectCanaryExfiltration,
-  detectCanaryInOutput
-} = require('./canary-tokens.js');
-
-const { NPM_PACKAGE_REGEX } = require('./shared/constants.js');
-
-const DOCKER_IMAGE = 'muaddib-sandbox';
-const CONTAINER_TIMEOUT = 120000; // 120 seconds
-
-// Domains excluded from network findings (false positives)
-const SAFE_DOMAINS = [
-  'registry.npmjs.org',
-  'github.com',
-  'objects.githubusercontent.com',
-  'api.github.com',
-  'raw.githubusercontent.com',
-  'codeload.github.com',
-  'npmjs.com',
-  'npmjs.org',
-  'yarnpkg.com',
-  'googleapis.com',
-  'cloudflare.com'
-];
-
-// IPs/ports excluded from connection findings (false positives)
-const SAFE_IPS = ['127.0.0.1'];
-const PROBE_PORTS = [65535]; // Node.js internal connectivity checks
-
-// Commands that are always suspicious in a sandbox
-const DANGEROUS_CMDS = ['curl', 'wget', 'nc', 'netcat', 'python', 'python3', 'bash', 'sh'];
-
-// Static canary tokens injected by sandbox-runner.sh (fallback honeypots).
-// These are searched in the sandbox report as a complement to the dynamic
-// tokens from canary-tokens.js (which use random suffixes per session).
-const STATIC_CANARY_TOKENS = {
-  GITHUB_TOKEN: 'ghp_R8kLmN2pQ4vW7xY9aB3cD5eF6gH8jK0mN2pQ4vW',
-  NPM_TOKEN: 'npm_a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8',
-  AWS_ACCESS_KEY_ID: 'AKIAIOSFODNN7EXAMPLE',
-  AWS_SECRET_ACCESS_KEY: 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY',
-  SLACK_WEBHOOK_URL: 'https://hooks.example.com/services/TCANARY/BCANARY/canary-slack-token',
-  DISCORD_WEBHOOK_URL: 'https://discord.com/api/webhooks/000000000000000000/abcdefghijklmnopqrstuvwxyz'
-};
-
-// Patterns indicating data exfiltration in HTTP bodies
-const EXFIL_PATTERNS = [
-  { pattern: /\bNPM_TOKEN\b/i, label: 'npm token', severity: 'CRITICAL' },
-  { pattern: /\bGITHUB_TOKEN\b/i, label: 'GitHub token', severity: 'CRITICAL' },
-  { pattern: /\bAWS_SECRET/i, label: 'AWS credentials', severity: 'CRITICAL' },
-  { pattern: /npmrc/i, label: '.npmrc content', severity: 'CRITICAL' },
-  { pattern: /\bssh-rsa\b|\bssh-ed25519\b/i, label: 'SSH key', severity: 'CRITICAL' },
-  { pattern: /BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY/, label: 'private key', severity: 'CRITICAL' },
-  { pattern: /\bpassword\b/i, label: 'password', severity: 'CRITICAL' },
-  { pattern: /\btoken\b/i, label: 'token', severity: 'CRITICAL' },
-  { pattern: /\/etc\/passwd/, label: 'passwd file', severity: 'HIGH' },
-  { pattern: /\.env\b/, label: '.env content', severity: 'HIGH' }
-];
-
-// ── Docker availability checks ──
-
-function isDockerAvailable() {
-  try {
-    execSync('docker info', { stdio: 'pipe', timeout: 10000 });
-    return true;
-  } catch {
-    return false;
-  }
-}
-
-function imageExists() {
-  try {
-    execFileSync('docker', ['image', 'inspect', DOCKER_IMAGE], { stdio: 'pipe', timeout: 10000 });
-    return true;
-  } catch {
-    return false;
-  }
-}
-
-// ── Build image (with cache) ──
-
-async function buildSandboxImage() {
-  if (!isDockerAvailable()) {
-    console.log('[SANDBOX] Docker is not installed or not running. Skipping sandbox analysis.');
-    return false;
-  }
-
-  if (imageExists()) {
-    console.log('[SANDBOX] Using cached Docker image.');
-    return true;
-  }
-
-  console.log('[SANDBOX] Building Docker image...');
-
-  return new Promise((resolve) => {
-    const dockerfilePath = path.join(__dirname, '..', 'docker').replace(/\\/g, '/');
-    const proc = spawn('docker', ['build', '-t', DOCKER_IMAGE, dockerfilePath], {
-      stdio: 'inherit'
-    });
-
-    proc.on('close', (code) => {
-      if (code === 0) {
-        console.log('[SANDBOX] Image built successfully.');
-        resolve(true);
-      } else {
-        console.log('[SANDBOX] Docker build failed.');
-        resolve(false);
-      }
-    });
-
-    proc.on('error', () => {
-      console.log('[SANDBOX] Docker error during build.');
-      resolve(false);
-    });
-  });
-}
-
-// ── Run sandbox analysis ──
-
-async function runSandbox(packageName, options = {}) {
-  const cleanResult = { score: 0, severity: 'CLEAN', findings: [], raw_report: null, suspicious: false };
-
-  const strict = options.strict || false;
-  const canaryEnabled = options.canary !== false; // enabled by default
-  const local = options.local || false;
-  const mode = strict ? 'strict' : 'permissive';
-
-  // Validate inputs before checking Docker availability
-  let localAbsPath = null;
-  let displayName = packageName;
-
-  if (local) {
-    localAbsPath = path.resolve(packageName);
-    if (!fs.existsSync(localAbsPath)) {
-      console.log('[SANDBOX] Local path does not exist: ' + localAbsPath);
-      return cleanResult;
-    }
-    // Read package name for display
-    const pkgJsonPath = path.join(localAbsPath, 'package.json');
-    if (fs.existsSync(pkgJsonPath)) {
-      try {
-        const pkg = JSON.parse(fs.readFileSync(pkgJsonPath, 'utf8'));
-        displayName = pkg.name || path.basename(localAbsPath);
-      } catch { displayName = path.basename(localAbsPath); }
-    } else {
-      displayName = path.basename(localAbsPath);
-    }
-  } else {
-    if (!NPM_PACKAGE_REGEX.test(packageName)) {
-      console.log('[SANDBOX] Invalid package name: ' + packageName);
-      return cleanResult;
-    }
-  }
-
-  if (!isDockerAvailable()) {
-    console.log('[SANDBOX] Docker is not installed or not running. Skipping.');
-    return cleanResult;
-  }
-
-  // Generate canary tokens for this sandbox session
-  let canaryTokens = null;
-  if (canaryEnabled) {
-    const canary = generateCanaryTokens();
-    canaryTokens = canary.tokens;
-  }
-
-  console.log(`[SANDBOX] Analyzing "${displayName}" in isolated container (mode: ${mode}${canaryEnabled ? ', canary: on' : ''}${local ? ', local' : ''})...`);
-
-  return new Promise((resolve) => {
-    let stdout = '';
-    let stderr = '';
-    let timedOut = false;
-    const containerName = `muaddib-sandbox-${Date.now()}-${crypto.randomBytes(4).toString('hex')}`;
-
-    const dockerArgs = [
-      'run',
-      '--rm',
-      `--name=${containerName}`,
-      '--network=bridge',
-      '--memory=512m',
-      '--cpus=1',
-      '--pids-limit=100',
-      '--cap-drop=ALL'
-    ];
-
-    // Inject canary tokens as environment variables
-    if (canaryTokens) {
-      for (const [key, value] of Object.entries(canaryTokens)) {
-        dockerArgs.push('-e', `${key}=${value}`);
-      }
-      // Also inject canary file contents as env vars for the entrypoint to write
-      dockerArgs.push('-e', `CANARY_ENV_CONTENT=${createCanaryEnvFile(canaryTokens).replace(/\r?\n/g, '\\n')}`);
-      dockerArgs.push('-e', `CANARY_NPMRC_CONTENT=${createCanaryNpmrc(canaryTokens).replace(/\r?\n/g, '\\n')}`);
-    }
-
-    // Both modes need NET_RAW for tcpdump (runs as root in entrypoint).
-    // Strict mode also needs NET_ADMIN for iptables network blocking.
-    // SYS_PTRACE is not needed: strace traces its own child (npm install via su).
-    dockerArgs.push('--cap-add=NET_RAW');
-    if (strict) {
-      dockerArgs.push('--cap-add=NET_ADMIN');
-    }
-
-    dockerArgs.push('--tmpfs', '/tmp:rw,nosuid,size=64m');
-    dockerArgs.push('--tmpfs', '/sandbox/install:rw,nosuid,size=256m');
-    dockerArgs.push('--tmpfs', '/home/sandboxuser:rw,noexec,nosuid,size=16m');
-    dockerArgs.push('--read-only');
-
-    dockerArgs.push('--security-opt', 'no-new-privileges');
-
-    if (local) {
-      dockerArgs.push('-v', `${localAbsPath}:/sandbox/local-pkg:ro`);
-    }
-
-    dockerArgs.push(DOCKER_IMAGE);
-    dockerArgs.push(local ? '/sandbox/local-pkg' : packageName);
-    dockerArgs.push(mode);
-
-    const proc = spawn('docker', dockerArgs);
-
-    // Timeout: kill container after 120s
-    const timer = setTimeout(() => {
-      timedOut = true;
-      console.log('[SANDBOX] Timeout (120s). Killing container...');
-      try {
-        execFileSync('docker', ['kill', containerName], { stdio: 'pipe', timeout: 5000 });
-      } catch {
-        proc.kill('SIGKILL');
-      }
-    }, CONTAINER_TIMEOUT);
-
-    proc.stdout.on('data', (data) => {
-      stdout += data.toString();
-    });
-
-    proc.stderr.on('data', (data) => {
-      stderr += data.toString();
-      // Forward sandbox progress logs (sanitize ANSI escape sequences)
-      const text = data.toString().replace(/\x1b\[[0-9;]*[a-zA-Z]/g, '');
-      for (const line of text.split(/\r?\n/)) {
-        if (line.includes('[SANDBOX]')) {
-          console.log(line.trim());
-        }
-      }
-    });
-
-    proc.on('close', () => {
-      clearTimeout(timer);
-
-      if (timedOut) {
-        const result = {
-          score: 100,
-          severity: 'CRITICAL',
-          findings: [{
-            type: 'timeout',
-            severity: 'CRITICAL',
-            detail: 'Container exceeded 120s timeout',
-            evidence: `Killed after ${CONTAINER_TIMEOUT}ms`
-          }],
-          raw_report: null,
-          suspicious: true
-        };
-        displayResults(result);
-        resolve(result);
-        return;
-      }
-
-      // Parse JSON from container stdout using delimiter
-      let report;
-      try {
-        const REPORT_DELIMITER = '---MUADDIB-REPORT-START---';
-        const delimIdx = stdout.indexOf(REPORT_DELIMITER);
-        let jsonStr;
-        if (delimIdx !== -1) {
-          // Reliable: use delimiter to skip any package output before the report
-          jsonStr = stdout.substring(delimIdx + REPORT_DELIMITER.length).trim();
-        } else {
-          // Fallback: find first '{' (backward compat with older images)
-          const jsonStart = stdout.indexOf('{');
-          const jsonEnd = stdout.lastIndexOf('}');
-          if (jsonStart === -1 || jsonEnd === -1) {
-            throw new Error('No JSON found in output');
-          }
-          jsonStr = stdout.substring(jsonStart, jsonEnd + 1);
-        }
-        report = JSON.parse(jsonStr);
-        if (local && report) {
-          report.package = displayName;
-        }
-      } catch (e) {
-        console.log('[SANDBOX] Failed to parse container output:', e.message);
-        resolve(cleanResult);
-        return;
-      }
-
-      const { score, findings } = scoreFindings(report);
-
-      // Canary token exfiltration detection (dynamic tokens)
-      if (canaryTokens) {
-        const networkExfil = detectCanaryExfiltration(report.network || {}, canaryTokens);
-        const outputExfil = detectCanaryInOutput(stdout, stderr, canaryTokens);
-
-        for (const exfil of [...networkExfil.exfiltrations, ...outputExfil.exfiltrations]) {
-          findings.push({
-            type: 'canary_exfiltration',
-            severity: 'CRITICAL',
-            detail: `Package attempted to exfiltrate ${exfil.token} (${exfil.foundIn})`,
-            evidence: exfil.value
-          });
-        }
-      }
-
-      // Static canary token detection (fallback for shell-injected tokens)
-      const staticExfil = detectStaticCanaryExfiltration(report);
-      for (const { token, value } of staticExfil) {
-        const alreadyDetected = findings.some(f =>
-          f.type === 'canary_exfiltration' && f.detail && f.detail.includes(token)
-        );
-        if (!alreadyDetected) {
-          findings.push({
-            type: 'canary_exfiltration',
-            severity: 'CRITICAL',
-            detail: `Canary token exfiltration detected: ${token}`,
-            evidence: value
-          });
-        }
-      }
-
-      const finalScore = Math.min(100, findings.reduce((s, f) => {
-        if (f.type === 'canary_exfiltration') return s + 50;
-        return s;
-      }, score));
-      const severity = getSeverity(finalScore);
-      const result = { score: finalScore, severity, findings, raw_report: report, suspicious: finalScore > 0 };
-
-      displayResults(result);
-      resolve(result);
-    });
-
-    proc.on('error', (err) => {
-      clearTimeout(timer);
-      if (err.code === 'ENOENT') {
-        console.log('[SANDBOX] Docker not found. Please install Docker.');
-      } else {
-        console.log(`[SANDBOX] Error: ${err.message}`);
-      }
-      resolve(cleanResult);
-    });
-  });
-}
-
-// ── Static canary detection ──
-
-/**
- * Detect static canary token exfiltration in a sandbox report.
- * Searches HTTP bodies, DNS queries, HTTP request URLs, TLS domains,
- * filesystem changes, process commands, and install output.
- * @param {object} report - Parsed sandbox report JSON
- * @returns {Array<{token: string, value: string}>} Exfiltrated tokens
- */
-function detectStaticCanaryExfiltration(report) {
-  const exfiltrated = [];
-  if (!report) return exfiltrated;
-
-  const searchable = [];
-
-  // Network data
-  for (const body of (report.network?.http_bodies || [])) if (body) searchable.push(body);
-  for (const domain of (report.network?.dns_queries || [])) if (domain) searchable.push(domain);
-  for (const req of (report.network?.http_requests || [])) {
-    searchable.push(`${req.method || ''} ${req.host || ''}${req.path || ''}`);
-  }
-  for (const tls of (report.network?.tls_connections || [])) if (tls.domain) searchable.push(tls.domain);
-
-  // Filesystem + processes
-  for (const file of (report.filesystem?.created || [])) if (file) searchable.push(file);
-  for (const proc of (report.processes?.spawned || [])) if (proc.command) searchable.push(proc.command);
-
-  // Install + entrypoint output
-  if (report.install_output) searchable.push(report.install_output);
-  if (report.entrypoint_output) searchable.push(report.entrypoint_output);
-
-  const allOutput = searchable.join('\n');
-
-  for (const [tokenName, tokenValue] of Object.entries(STATIC_CANARY_TOKENS)) {
-    if (allOutput.includes(tokenValue)) {
-      exfiltrated.push({ token: tokenName, value: tokenValue });
-    }
-  }
-
-  return exfiltrated;
-}
-
-// ── Scoring engine ──
-
-function scoreFindings(report) {
-  let score = 0;
-  const findings = [];
-
-  // 1. Sensitive file reads
-  for (const file of (report.sensitive_files?.read || [])) {
-    if (/\.npmrc/.test(file) || /\.ssh/.test(file) || /\.aws/.test(file)) {
-      score += 40;
-      findings.push({ type: 'sensitive_file_read', severity: 'CRITICAL', detail: `Read credential file: ${file}`, evidence: file });
-    } else if (/\/etc\/passwd/.test(file) || /\/etc\/shadow/.test(file)) {
-      score += 25;
-      findings.push({ type: 'sensitive_file_read', severity: 'HIGH', detail: `Read system file: ${file}`, evidence: file });
-    } else if (/\.env/.test(file) || /\.gitconfig/.test(file) || /\.bash_history/.test(file)) {
-      score += 15;
-      findings.push({ type: 'sensitive_file_read', severity: 'MEDIUM', detail: `Read config file: ${file}`, evidence: file });
-    }
-  }
-
-  // 2. Sensitive file writes (from strace)
-  for (const file of (report.sensitive_files?.written || [])) {
-    if (/\.npmrc/.test(file) || /\.ssh/.test(file) || /\.aws/.test(file)) {
-      score += 40;
-      findings.push({ type: 'sensitive_file_write', severity: 'CRITICAL', detail: `Write to credential file: ${file}`, evidence: file });
-    } else if (/\/etc\/passwd/.test(file) || /\/etc\/shadow/.test(file)) {
-      score += 25;
-      findings.push({ type: 'sensitive_file_write', severity: 'HIGH', detail: `Write to system file: ${file}`, evidence: file });
-    } else {
-      score += 15;
-      findings.push({ type: 'sensitive_file_write', severity: 'MEDIUM', detail: `Write to sensitive file: ${file}`, evidence: file });
-    }
-  }
-
-  // 3. Filesystem changes — files created in suspicious locations
-  for (const file of (report.filesystem?.created || [])) {
-    if (/^\/usr\/bin\//.test(file) || /crontab/.test(file) || /\/cron\.d\//.test(file)) {
-      score += 50;
-      findings.push({ type: 'suspicious_filesystem', severity: 'CRITICAL', detail: `File created in system path: ${file}`, evidence: file });
-    } else if (/^\/tmp\//.test(file)) {
-      score += 30;
-      findings.push({ type: 'suspicious_filesystem', severity: 'HIGH', detail: `File created in /tmp: ${file}`, evidence: file });
-    }
-  }
-
-  // 4a. DNS queries (exclude safe domains)
-  for (const domain of (report.network?.dns_queries || [])) {
-    if (isSafeDomain(domain)) continue;
-    score += 20;
-    findings.push({ type: 'suspicious_dns', severity: 'HIGH', detail: `DNS query to non-registry domain: ${domain}`, evidence: domain });
-  }
-
-  // 4b. DNS resolutions — extra detail
-  for (const res of (report.network?.dns_resolutions || [])) {
-    if (isSafeDomain(res.domain)) continue;
-    // Already scored in 4a via dns_queries, but flag the resolution for reporting
-    findings.push({ type: 'dns_resolution', severity: 'INFO', detail: `${res.domain} → ${res.ip}`, evidence: `${res.domain}:${res.ip}` });
-  }
-
-  // 5a. TCP connections (exclude safe hosts, probe ports, localhost)
-  for (const conn of (report.network?.http_connections || [])) {
-    if (isSafeHost(conn.host)) continue;
-    if (SAFE_IPS.includes(conn.host)) continue;
-    if (PROBE_PORTS.includes(conn.port)) continue;
-    score += 25;
-    findings.push({ type: 'suspicious_connection', severity: 'HIGH', detail: `TCP connection to ${conn.host}:${conn.port}`, evidence: `${conn.host}:${conn.port}` });
-  }
-
-  // 5b. TLS connections — non-safe domains
-  for (const tls of (report.network?.tls_connections || [])) {
-    if (isSafeDomain(tls.domain)) continue;
-    score += 20;
-    findings.push({ type: 'suspicious_tls', severity: 'HIGH', detail: `TLS connection to ${tls.domain} (${tls.ip}:${tls.port})`, evidence: tls.domain });
-  }
-
-  // 5c. HTTP exfiltration detection — scan body snippets for sensitive data
-  for (const body of (report.network?.http_bodies || [])) {
-    for (const pat of EXFIL_PATTERNS) {
-      if (pat.pattern.test(body)) {
-        score += 50;
-        findings.push({
-          type: 'data_exfiltration',
-          severity: pat.severity,
-          detail: `HTTP body contains ${pat.label}`,
-          evidence: body.substring(0, 200)
-        });
-        break; // One match per body is enough
-      }
-    }
-  }
-
-  // 5d. HTTP requests to non-safe hosts
-  for (const req of (report.network?.http_requests || [])) {
-    if (isSafeDomain(req.host)) continue;
-    score += 20;
-    findings.push({ type: 'suspicious_http_request', severity: 'HIGH', detail: `${req.method} ${req.host}${req.path}`, evidence: `${req.method} ${req.host}${req.path}` });
-  }
-
-  // 5e. Blocked connections (strict mode)
-  for (const blocked of (report.network?.blocked_connections || [])) {
-    score += 30;
-    findings.push({ type: 'blocked_connection', severity: 'HIGH', detail: `Blocked outbound to ${blocked.ip}:${blocked.port}`, evidence: `${blocked.ip}:${blocked.port}` });
-  }
-
-  // 6. Suspicious processes
-  for (const p of (report.processes?.spawned || [])) {
-    const cmd = p.command || '';
-    const basename = path.basename(cmd);
-    if (DANGEROUS_CMDS.some(d => basename === d)) {
-      score += 40;
-      findings.push({ type: 'suspicious_process', severity: 'CRITICAL', detail: `Dangerous command spawned: ${cmd}`, evidence: cmd });
-    } else if (cmd) {
-      score += 15;
-      findings.push({ type: 'unknown_process', severity: 'MEDIUM', detail: `Unknown process spawned: ${cmd}`, evidence: cmd });
-    }
-  }
-
-  score = Math.min(100, score);
-  return { score, findings };
-}
-
-// ── Network report (detailed, colored) ──
-
-function generateNetworkReport(report) {
-  const lines = [];
-  const RED = '\x1b[31m';
-  const YELLOW = '\x1b[33m';
-  const GREEN = '\x1b[32m';
-  const CYAN = '\x1b[36m';
-  const MAGENTA = '\x1b[35m';
-  const BOLD = '\x1b[1m';
-  const DIM = '\x1b[2m';
-  const RESET = '\x1b[0m';
-
-  lines.push('');
-  lines.push(`${BOLD}${MAGENTA}╔══════════════════════════════════════════════════╗${RESET}`);
-  lines.push(`${BOLD}${MAGENTA}║   MUAD'DIB — Sandbox Network Report              ║${RESET}`);
-  lines.push(`${BOLD}${MAGENTA}╚══════════════════════════════════════════════════╝${RESET}`);
-  lines.push('');
-  lines.push(`  Package: ${BOLD}${report.package}${RESET}`);
-  lines.push(`  Mode:    ${report.mode === 'strict' ? RED + 'STRICT' : GREEN + 'permissive'}${RESET}`);
-  lines.push(`  Time:    ${report.timestamp}`);
-  lines.push(`  Duration: ${report.duration_ms}ms`);
-
-  // DNS Resolutions
-  const dnsRes = report.network?.dns_resolutions || [];
-  lines.push('');
-  lines.push(`${BOLD}${CYAN}── DNS Resolutions (${dnsRes.length}) ──${RESET}`);
-  if (dnsRes.length === 0) {
-    lines.push(`  ${DIM}No DNS resolutions captured${RESET}`);
-  } else {
-    for (const r of dnsRes) {
-      const safe = isSafeDomain(r.domain);
-      const icon = safe ? GREEN + '[OK]' : YELLOW + '[!!]';
-      lines.push(`  ${icon}${RESET} ${r.domain} → ${r.ip}`);
-    }
-  }
-
-  // HTTP Requests
-  const httpReqs = report.network?.http_requests || [];
-  lines.push('');
-  lines.push(`${BOLD}${CYAN}── HTTP Requests (${httpReqs.length}) ──${RESET}`);
-  if (httpReqs.length === 0) {
-    lines.push(`  ${DIM}No HTTP requests captured${RESET}`);
-  } else {
-    for (const req of httpReqs) {
-      const safe = isSafeDomain(req.host);
-      const icon = safe ? GREEN + '[OK]' : RED + '[!!]';
-      lines.push(`  ${icon}${RESET} ${req.method} ${req.host}${req.path}`);
-    }
-  }
-
-  // TLS Connections
-  const tlsConns = report.network?.tls_connections || [];
-  lines.push('');
-  lines.push(`${BOLD}${CYAN}── TLS Connections (${tlsConns.length}) ──${RESET}`);
-  if (tlsConns.length === 0) {
-    lines.push(`  ${DIM}No TLS connections captured${RESET}`);
-  } else {
-    for (const tls of tlsConns) {
-      const safe = isSafeDomain(tls.domain);
-      const icon = safe ? GREEN + '[OK]' : YELLOW + '[!!]';
-      lines.push(`  ${icon}${RESET} ${tls.domain} (${tls.ip}:${tls.port})`);
-    }
-  }
-
-  // Blocked Connections (strict mode)
-  const blocked = report.network?.blocked_connections || [];
-  if (blocked.length > 0) {
-    lines.push('');
-    lines.push(`${BOLD}${RED}── Blocked Connections (${blocked.length}) ──${RESET}`);
-    for (const b of blocked) {
-      lines.push(`  ${RED}[BLOCKED]${RESET} ${b.ip}:${b.port}`);
-    }
-  }
-
-  // Data Exfiltration Alerts
-  const bodies = report.network?.http_bodies || [];
-  const exfilAlerts = [];
-  for (const body of bodies) {
-    for (const pat of EXFIL_PATTERNS) {
-      if (pat.pattern.test(body)) {
-        exfilAlerts.push({ label: pat.label, severity: pat.severity, snippet: body.substring(0, 100) });
-        break;
-      }
-    }
-  }
-  if (exfilAlerts.length > 0) {
-    lines.push('');
-    lines.push(`${BOLD}${RED}── Data Exfiltration Alerts (${exfilAlerts.length}) ──${RESET}`);
-    for (const alert of exfilAlerts) {
-      lines.push(`  ${RED}[${alert.severity}]${RESET} ${alert.label} detected in HTTP body`);
-      lines.push(`    ${DIM}${alert.snippet}...${RESET}`);
-    }
-  }
-
-  // Raw TCP connections
-  const conns = report.network?.http_connections || [];
-  if (conns.length > 0) {
-    lines.push('');
-    lines.push(`${BOLD}${CYAN}── Raw TCP Connections (${conns.length}) ──${RESET}`);
-    for (const c of conns) {
-      const safe = isSafeHost(c.host);
-      const icon = safe ? GREEN + '[OK]' : YELLOW + '[!!]';
-      lines.push(`  ${icon}${RESET} ${c.host}:${c.port} (${c.protocol})`);
-    }
-  }
-
-  lines.push('');
-  return lines.join('\n');
-}
-
-// ── Helpers ──
-
-function isSafeDomain(domain) {
-  return SAFE_DOMAINS.some(safe => domain === safe || domain.endsWith('.' + safe));
-}
-
-function isSafeHost(host) {
-  return SAFE_DOMAINS.some(safe => host === safe || host.endsWith('.' + safe));
-}
-
-function getSeverity(score) {
-  if (score === 0) return 'CLEAN';
-  if (score <= 20) return 'LOW';
-  if (score <= 50) return 'MEDIUM';
-  if (score <= 80) return 'HIGH';
-  return 'CRITICAL';
-}
-
-function displayResults(result) {
-  console.log(`\n[SANDBOX] Score: ${result.score}/100 — ${result.severity}`);
-  if (result.findings.length === 0) {
-    console.log('[SANDBOX] No suspicious behavior detected.');
-  } else {
-    const actionable = result.findings.filter(f => f.severity !== 'INFO');
-    console.log(`[SANDBOX] ${actionable.length} finding(s):`);
-    for (const f of actionable) {
-      console.log(`  [${f.severity}] ${f.type}: ${f.detail}`);
-    }
-  }
-}
-
-module.exports = { buildSandboxImage, runSandbox, scoreFindings, generateNetworkReport, EXFIL_PATTERNS, SAFE_DOMAINS, getSeverity, displayResults, isDockerAvailable, imageExists, STATIC_CANARY_TOKENS, detectStaticCanaryExfiltration };