muaddib-scanner 2.10.81 → 2.10.84

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.10.81",
+  "version": "2.10.84",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/src/monitor/adaptive-concurrency.js

@@ -17,7 +17,7 @@ const os = require('os');
 
 const MIN_CONCURRENCY = 4;
 const BASE_CONCURRENCY = Math.max(MIN_CONCURRENCY, parseInt(process.env.MUADDIB_SCAN_CONCURRENCY, 10) || 8);
-const MAX_CONCURRENCY = Math.max(BASE_CONCURRENCY, parseInt(process.env.MUADDIB_MAX_CONCURRENCY, 10) || 32);
+const MAX_CONCURRENCY = Math.max(BASE_CONCURRENCY, parseInt(process.env.MUADDIB_MAX_CONCURRENCY, 10) || 16);
 const ADJUST_INTERVAL_MS = 30_000;
 
 // Queue depth thresholds
@@ -37,6 +37,12 @@ const TIMEOUT_RATE_MIN_SAMPLES = 20;
 let _prevScanned = 0;
 let _prevTimeouts = 0;
 
+// Throughput plateau detection: if we scaled up but throughput didn't increase,
+// we've hit I/O saturation (npm registry rate limiting, disk contention).
+// More workers would make it worse — scale back instead.
+let _prevThroughput = 0;
+let _lastScaleDirection = 0; // +1 = scaled up, -1 = scaled down, 0 = stable
+
 /**
  * Compute new target concurrency from system signals.
  * Uses stats deltas (not cumulative) for timeout rate — avoids stale data.
@@ -74,21 +80,39 @@ function computeTarget(current, queueDepth, stats) {
   // Priority 2: High timeout rate — system saturated, adding workers makes it worse
   if (timeoutRate > TIMEOUT_RATE_THRESHOLD) {
     const target = clamp(current - 2);
+    _prevThroughput = scannedDelta;
+    _lastScaleDirection = target < current ? -1 : 0;
     return { target, reason: `high_timeout_rate (${(timeoutRate * 100).toFixed(0)}%, ${timeoutDelta}/${scannedDelta})` };
   }
 
-  // Priority 3: Queue depth — scale up for backlog, down toward base when idle
+  // Priority 3: Throughput plateau — scaled up last tick but throughput flat/down.
+  // This catches I/O saturation: more workers = more concurrent HTTP to npm registry
+  // = rate limiting + contention = scan times 10s→90s = throughput drops.
+  // Scale back instead of continuing to add workers.
+  if (_lastScaleDirection > 0 && _prevThroughput > 0 && scannedDelta > 0 && scannedDelta <= _prevThroughput) {
+    const prevTp = _prevThroughput;
+    _prevThroughput = scannedDelta;
+    _lastScaleDirection = -1;
+    return { target: clamp(current - 2), reason: `throughput_plateau (${prevTp}→${scannedDelta} scans/30s, more workers didn't help)` };
+  }
+
+  // Priority 4: Queue depth — scale up for backlog, down toward base when idle
   if (queueDepth > QUEUE_BACKLOG_THRESHOLD) {
     const target = clamp(current + 4);
+    // Record throughput at the point of scale-up — next tick compares against this
+    _prevThroughput = scannedDelta;
+    _lastScaleDirection = target > current ? 1 : 0;
     return { target, reason: `backlog (queue=${queueDepth})` };
   }
 
   if (queueDepth < QUEUE_IDLE_THRESHOLD) {
     // Converge toward BASE, not MIN — normal traffic needs BASE capacity
     const target = Math.max(BASE_CONCURRENCY, clamp(current - 2));
+    _lastScaleDirection = target < current ? -1 : 0;
     return { target, reason: `idle (queue=${queueDepth})` };
   }
 
+  _lastScaleDirection = 0;
   return { target: current, reason: 'stable' };
 }
 
@@ -102,6 +126,8 @@ function clamp(n) {
 function resetDeltas() {
   _prevScanned = 0;
   _prevTimeouts = 0;
+  _prevThroughput = 0;
+  _lastScaleDirection = 0;
 }
 
 module.exports = {

package/src/monitor/ingestion.js

@@ -442,6 +442,10 @@ async function pollNpmChanges(state, scanQueue, stats) {
       // Layer 3: Evaluate if this package should be cached
       const cacheTrigger = evaluateCacheTrigger(name, docMeta, change.doc || null);
 
+      // Layer 2: Extract tarball URL from CouchDB doc (eliminates lazy resolution 404 race)
+      // NOTE: fastTrack flag is computed in resolveTarballAndScan() AFTER metadata
+      // resolution via getNpmLatestTarball(). It cannot be computed here because
+      // post-May 2025, include_docs is deprecated and change.doc is always null.
       scanQueue.push({
         name,
         version: docMeta ? docMeta.version : '',
@@ -643,13 +647,20 @@ async function pollPyPI(state, scanQueue) {
  * @param {Array} scanQueue - Mutable scan queue array
  * @param {Object} stats - Mutable stats object
  */
+const SOFT_BACKPRESSURE_THRESHOLD = 30_000;
+
 async function poll(state, scanQueue, stats) {
-  // Backpressure removed: polling ALWAYS runs regardless of queue depth.
-  // The queue can grow unbounded in memory (entries are ~300 bytes, 100K = 30MB).
-  // This prevents the data loss scenario where the CouchDB seq advances but
-  // queued items are not persisted — packages would be permanently invisible.
+  // Soft backpressure: skip poll when queue is very deep.
+  // Safe because: CouchDB seq is NOT advanced (stays in memory only, persisted
+  // by daemon.js AFTER poll returns) — next poll resumes from the same point.
+  // Combined with adaptive concurrency: workers scale up → queue drains → poll resumes.
+  // This prevents the queue from growing to 30-40K during catch-up (OOM risk).
+  if (scanQueue.length >= SOFT_BACKPRESSURE_THRESHOLD) {
+    console.log(`[MONITOR] BACKPRESSURE: skipping poll (queue ${scanQueue.length} >= ${SOFT_BACKPRESSURE_THRESHOLD}) — seq not advanced, 0 packages lost`);
+    return;
+  }
   if (scanQueue.length > 5_000) {
-    console.log(`[MONITOR] QUEUE_DEPTH: ${scanQueue.length} items — polling continues (no backpressure skip)`);
+    console.log(`[MONITOR] QUEUE_DEPTH: ${scanQueue.length} items — polling continues`);
   }
 
   const timestamp = new Date().toISOString().slice(0, 19).replace('T', ' ');

package/src/monitor/queue.js

@@ -336,7 +336,7 @@ async function scanPackage(name, version, ecosystem, tarballUrl, registryMeta, s
     let alreadyExtracted = false;
     let extractedDir = null;
 
-    if (unpackedSize > LARGE_PACKAGE_SIZE) {
+    if (unpackedSize > LARGE_PACKAGE_SIZE || meta.fastTrack) {
       // Exception 1: IOC match — always full scan
       let isKnownIOC = false;
       try {
@@ -678,7 +678,10 @@ async function scanPackage(name, version, ecosystem, tarballUrl, registryMeta, s
         stats.suspect++;
 
         // Fire-and-forget tarball archiving — never blocks the pipeline
-        archiveSuspectTarball(name, version, tarballUrl, {
+        // Skip for fast-track packages (large boring enterprise packages — not worth archiving)
+        if (meta.fastTrack) {
+          console.log(`[MONITOR] FAST-TRACK SKIP: ${name}@${version} — skipping archive + LLM (static-only)`);
+        } else archiveSuspectTarball(name, version, tarballUrl, {
           score: riskScore,
           priority: tierLabel,
           rulesTriggered: (result.threats || []).map(t => t.ruleId || t.type).filter(Boolean),
@@ -687,13 +690,35 @@ async function scanPackage(name, version, ecosystem, tarballUrl, registryMeta, s
           console.warn(`[Archive] Failed for ${name}@${version}: ${err.message}`);
         });
 
-        // Sandbox decision based on tier
+        // Sandbox decision based on tier + smart skip for large low-signal packages.
+        // Large packages (>15MB or >80 deps) with only MEDIUM/LOW findings timeout
+        // systematically (90s × 3 = INCONCLUSIVE = 0 detection). Skipping frees slots
+        // for real suspects. Guard-fous: any HIGH/CRITICAL, temporal anomaly, maintainer
+        // change, or dormant spike → sandbox runs regardless of size.
+        const SANDBOX_SIZE_SKIP_BYTES = 15 * 1024 * 1024; // 15MB
+        const SANDBOX_DEPS_SKIP = 80;
+        const isLargePackage = (meta.unpackedSize || 0) > SANDBOX_SIZE_SKIP_BYTES ||
+          (meta.dependencyCount || 0) > SANDBOX_DEPS_SKIP;
+        const hasHighOrCriticalFinding = (result.summary.critical || 0) > 0 || (result.summary.high || 0) > 0;
+        const hasTemporalSignal = (result.threats || []).some(t =>
+          t.type === 'postinstall_added' || t.type === 'preinstall_added' ||
+          t.type === 'install_added' || t.type === 'maintainer_change' ||
+          t.type === 'dormant_spike' || t.type === 'publish_anomaly'
+        );
+        const skipSandboxLargePackage = (isLargePackage || meta.fastTrack) && !hasHighOrCriticalFinding && !hasTemporalSignal;
+
+        if (skipSandboxLargePackage && meta.fastTrack) {
+          console.log(`[MONITOR] FAST-TRACK: ${name}@${version} — large package static-only (${((meta.unpackedSize || 0) / 1024 / 1024).toFixed(1)}MB, no lifecycle scripts)`);
+        } else if (skipSandboxLargePackage) {
+          console.log(`[MONITOR] SANDBOX SKIP (large low-signal): ${name}@${version} (${((meta.unpackedSize || 0) / 1024 / 1024).toFixed(1)}MB, deps=${meta.dependencyCount || '?'}, no HIGH/CRIT, no temporal)`);
+        }
+
         // T1a: mandatory sandbox (HC malice types, TIER1_TYPES non-LOW, lifecycle + intent compound)
         // T1b: conditional sandbox (HIGH/CRITICAL without HC type — bundler FP zone)
         //       → sandbox only if score >= 25 (significant risk) or queue pressure is low
         // T2: sandbox if queue < 50 (as before)
         let sandboxResult = null;
-        const shouldSandbox = isSandboxEnabled() && sandboxAvailable && (
+        const shouldSandbox = !skipSandboxLargePackage && isSandboxEnabled() && sandboxAvailable && (
           tier === '1a' ||
           (tier === '1b' && (riskScore >= 25 || scanQueue.length < 20)) ||
           (tier === 2 && scanQueue.length < 50)
@@ -845,8 +870,9 @@ async function scanPackage(name, version, ecosystem, tarballUrl, registryMeta, s
         // Record daily alert with post-reputation score for top suspects ranking
         dailyAlerts.push({ name, version, ecosystem, findingsCount: result.summary.total, score: adjustedResult.summary.riskScore || 0, tier });
         // LLM Detective: AI-powered analysis for T1a/T1b suspects
+        // Skip for fast-track (large boring packages — LLM analysis adds 10-30s for no value)
         let llmResult = null;
-        if ((tier === '1a' || tier === '1b') && (adjustedResult.summary.riskScore || 0) >= 25) {
+        if (!meta.fastTrack && (tier === '1a' || tier === '1b') && (adjustedResult.summary.riskScore || 0) >= 25) {
           try {
             const { investigatePackage, isLlmEnabled, getLlmMode } = require('../ml/llm-detective.js');
             if (isLlmEnabled()) {
@@ -1057,6 +1083,19 @@ async function resolveTarballAndScan(item, stats, dailyAlerts, recentlyScanned,
       if (npmInfo.version) item.version = npmInfo.version;
       if (npmInfo.unpackedSize) item.unpackedSize = npmInfo.unpackedSize;
       if (npmInfo.scripts) item.registryScripts = npmInfo.scripts;
+
+      // Fast-track decision: large packages (>15MB) with no lifecycle scripts and no IOC match.
+      // Computed HERE (after metadata resolution), not at ingestion time — post-May 2025
+      // CouchDB changes feed has no docs, so metadata is only available after lazy fetch.
+      // Fast-track packages get: quick static scan (package.json + shell only), no AST,
+      // no sandbox, no LLM, no archiving. Exits in ~2-3s instead of 30-300s.
+      const FAST_TRACK_SIZE_BYTES = 15 * 1024 * 1024;
+      if (!item.isIOCMatch && (item.unpackedSize || 0) > FAST_TRACK_SIZE_BYTES) {
+        const scripts = item.registryScripts || {};
+        if (!scripts.preinstall && !scripts.postinstall && !scripts.install) {
+          item.fastTrack = true;
+        }
+      }
     } catch (err) {
       console.error(`[MONITOR] ERROR resolving npm tarball for ${item.name}: ${err.message}`);
       recordError(err, stats);
@@ -1114,9 +1153,11 @@ async function resolveTarballAndScan(item, stats, dailyAlerts, recentlyScanned,
   let publishResult = null;
   let maintainerResult = null;
 
-  if (item.ecosystem === 'npm') {
+  if (item.ecosystem === 'npm' && !item.fastTrack) {
     // Run all 4 temporal checks in parallel — each is independent.
     // With metadata cache (temporal-analysis.js), the 4 modules share 1 HTTP request.
+    // Skipped for fast-track packages (large boring packages — temporal checks make
+    // 4 HTTP requests to npm registry per package, pointless for 50MB enterprise packages).
     const [tempRes, astRes, pubRes, maintRes] = await Promise.allSettled([
       runTemporalCheck(item.name, dailyAlerts),
       runTemporalAstCheck(item.name, dailyAlerts),
@@ -1135,7 +1176,8 @@ async function resolveTarballAndScan(item, stats, dailyAlerts, recentlyScanned,
   const scanResult = await scanPackage(item.name, item.version, item.ecosystem, item.tarballUrl, {
     unpackedSize: item.unpackedSize || 0,
     registryScripts: item.registryScripts || null,
-    _cacheTrigger: item._cacheTrigger || null
+    _cacheTrigger: item._cacheTrigger || null,
+    fastTrack: item.fastTrack || false
   }, stats, dailyAlerts, recentlyScanned, downloadsCache, scanQueue, sandboxAvailable);
   const sandboxResult = scanResult && scanResult.sandboxResult;
   const staticClean = scanResult && scanResult.staticClean;

package/src/sandbox/index.js

@@ -224,7 +224,12 @@ async function runSingleSandbox(packageName, options = {}) {
       '--cap-drop=ALL'
     ];
 
-    // gVisor runtime: use runsc instead of default runc
+    // gVisor runtime: use runsc instead of default runc.
+    // Performance: configure --directfs and --overlay2=all:memory in daemon.json:
+    //   "runsc": { "path": "/usr/bin/runsc", "runtimeArgs": ["--directfs", "--overlay2=all:memory"] }
+    // --directfs: bypass gofer process for direct filesystem access (fewer RPCs, faster I/O)
+    // --overlay2=all:memory: sandbox writes go to tmpfs instead of host (faster, isolated)
+    // These flags require gVisor >= 2023-06-01.
     if (gvisorMode) {
       dockerArgs.push('--runtime=runsc');
       dockerArgs.push('-e', 'MUADDIB_GVISOR=1');

package/src/shared/download.js

@@ -171,6 +171,12 @@ function downloadToFile(url, destPath, timeoutMs = DOWNLOAD_TIMEOUT) {
             }
             return doRequest(absoluteLocation, redirectCount + 1);
           }
+          if (res.statusCode === 429) {
+            res.resume();
+            // Signal rate limiter to back off — drains tokens, forces ~1s pause
+            try { require('./http-limiter.js').signal429(); } catch {}
+            return reject(new Error(`HTTP 429 rate limited for ${requestUrl}`));
+          }
           if (res.statusCode < 200 || res.statusCode >= 300) {
             res.resume();
             return reject(new Error(`HTTP ${res.statusCode} for ${requestUrl}`));

package/src/shared/http-limiter.js

@@ -1,29 +1,35 @@
 'use strict';
 
 /**
- * Centralized HTTP concurrency limiter for npm registry requests.
+ * Centralized HTTP concurrency + rate limiter for npm registry requests.
  *
- * With 16 monitor workers × 7+ HTTP requests/package, uncapped concurrency
- * reaches 112+ simultaneous requests — well above npm's implicit rate limit.
- * This module caps ALL registry.npmjs.org requests to a single semaphore
- * so that no more than REGISTRY_SEMAPHORE_MAX requests are in-flight at once.
+ * Two layers of protection:
+ *   1. Concurrency semaphore (REGISTRY_SEMAPHORE_MAX = 10) — caps in-flight requests
+ *   2. Rate limiter (RATE_LIMIT_PER_SEC = 30) — caps requests/second via token bucket
  *
- * Consumers: temporal-analysis.js, temporal-ast-diff.js, monitor.js (getNpmLatestTarball),
- *            npm-registry.js (fetchWithRetry to registry.npmjs.org).
+ * Without rate limiting, 10 concurrent slots × fast-completing requests = 100+ req/s
+ * bursts that trigger npm 429 responses → exponential backoff → scan times 10s→90s.
+ *
+ * Consumers: queue.js (downloadToFile), temporal-analysis.js, npm-registry.js.
  * NOT covered: api.npmjs.org (different server), replicate.npmjs.com (CouchDB changes stream).
  */
 
 const REGISTRY_SEMAPHORE_MAX = 10;
+const RATE_LIMIT_PER_SEC = 30;
+
+// --- Concurrency semaphore ---
 
 const _semaphore = { active: 0, queue: [] };
 
 function acquireRegistrySlot() {
   if (_semaphore.active < REGISTRY_SEMAPHORE_MAX) {
     _semaphore.active++;
-    return Promise.resolve();
+    return _acquireRateToken();
   }
   return new Promise(resolve => {
-    _semaphore.queue.push(resolve);
+    _semaphore.queue.push(() => {
+      _acquireRateToken().then(resolve);
+    });
   });
 }
 
@@ -36,9 +42,64 @@ function releaseRegistrySlot() {
   }
 }
 
+// --- Token bucket rate limiter ---
+// Refills RATE_LIMIT_PER_SEC tokens per second. Each request consumes 1 token.
+// If no tokens available, waits until the next refill.
+
+let _tokens = RATE_LIMIT_PER_SEC;
+let _lastRefill = Date.now();
+
+function _refillTokens() {
+  const now = Date.now();
+  const elapsed = now - _lastRefill;
+  if (elapsed >= 1000) {
+    _tokens = Math.min(RATE_LIMIT_PER_SEC, _tokens + Math.floor(elapsed / 1000) * RATE_LIMIT_PER_SEC);
+    _lastRefill = now;
+  }
+}
+
+function _acquireRateToken() {
+  _refillTokens();
+  if (_tokens > 0) {
+    _tokens--;
+    return Promise.resolve();
+  }
+  // Wait until next refill
+  const waitMs = 1000 - (Date.now() - _lastRefill);
+  return new Promise(resolve => {
+    setTimeout(() => {
+      _refillTokens();
+      _tokens = Math.max(0, _tokens - 1);
+      resolve();
+    }, Math.max(10, waitMs));
+  });
+}
+
+// --- 429 backoff helper ---
+// Call this when a 429 response is received. Drains all tokens to force
+// a ~1s pause on subsequent requests (token bucket naturally refills).
+
+let _backoffCount = 0;
+
+function signal429() {
+  _tokens = 0;
+  _lastRefill = Date.now() + 1000; // Force 1s pause
+  _backoffCount++;
+  if (_backoffCount % 10 === 1) {
+    console.warn(`[HTTP-LIMITER] 429 rate limited by npm registry (total: ${_backoffCount})`);
+  }
+}
+
+function getBackoffCount() {
+  return _backoffCount;
+}
+
 function resetLimiter() {
   _semaphore.active = 0;
   _semaphore.queue.length = 0;
+  _tokens = RATE_LIMIT_PER_SEC;
+  _lastRefill = Date.now();
+  _backoffCount = 0;
 }
 
 function getActiveSemaphore() {
@@ -47,8 +108,11 @@ function getActiveSemaphore() {
 
 module.exports = {
   REGISTRY_SEMAPHORE_MAX,
+  RATE_LIMIT_PER_SEC,
   acquireRegistrySlot,
   releaseRegistrySlot,
+  signal429,
+  getBackoffCount,
   resetLimiter,
   getActiveSemaphore
 };