muaddib-scanner 2.11.113 → 2.11.115

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.11.113",
+  "version": "2.11.115",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/{self-scan-v2.11.113.json → self-scan-v2.11.115.json}

@@ -1,6 +1,6 @@
 {
   "target": "node_modules",
-  "timestamp": "2026-06-14T08:06:18.378Z",
+  "timestamp": "2026-06-14T16:22:45.950Z",
   "threats": [
     {
       "type": "string_mutation_obfuscation",
@@ -244,7 +244,7 @@
     },
     {
       "type": "credential_regex_harvest",
-      "severity": "HIGH",
+      "severity": "LOW",
       "message": "Credential regex patterns (token/password/secret/Bearer) + network call in same file — stream data credential harvesting.",
       "file": "web-tree-sitter/web-tree-sitter.cjs",
       "count": 1,
@@ -252,6 +252,11 @@
         {
           "rule": "count_threshold_floor",
           "note": "retained one instance at original severity"
+        },
+        {
+          "rule": "sink_coupling",
+          "from": "HIGH",
+          "to": "LOW"
         }
       ],
       "originalSeverity": "HIGH",
@@ -266,7 +271,7 @@
       ],
       "mitre": "T1552",
       "playbook": "Code contient des regex de detection de credentials (Bearer, password, token, API key) combine avec un appel reseau. Technique de harvesting: scanne les donnees en transit (streams HTTP, fichiers) pour extraire des secrets et les exfiltrer. Supprimer le package. Auditer le trafic reseau sortant.",
-      "points": 10
+      "points": 1
     },
     {
       "type": "proxy_data_intercept",
@@ -1823,18 +1828,18 @@
   "summary": {
     "total": 80,
     "critical": 7,
-    "high": 11,
+    "high": 10,
     "medium": 32,
-    "low": 30,
+    "low": 31,
     "riskScore": 35,
     "riskLevel": "MEDIUM",
     "globalRiskScore": 100,
-    "maxFileScore": 51,
+    "maxFileScore": 42,
     "packageScore": 1,
     "mostSuspiciousFile": "web-tree-sitter/web-tree-sitter.cjs",
     "fileScores": {
       "esquery/parser.js": 5,
-      "web-tree-sitter/web-tree-sitter.cjs": 51,
+      "web-tree-sitter/web-tree-sitter.cjs": 42,
       "web-tree-sitter/web-tree-sitter.js": 42,
       "ajv/lib/ajv.js": 25,
       "ajv/scripts/bundle.js": 10,
@@ -1927,12 +1932,6 @@
         "points": 10,
         "reason": "Binary file reference (.png/.jpg/.wasm/etc.) + eval() in same file — possible steganographic payload execution."
       },
-      {
-        "rule": "MUADDIB-AST-041",
-        "type": "credential_regex_harvest",
-        "points": 10,
-        "reason": "Credential regex patterns (token/password/secret/Bearer) + network call in same file — stream data credential harvesting."
-      },
       {
         "rule": "MUADDIB-AST-020",
         "type": "staged_binary_payload",
@@ -2185,6 +2184,12 @@
         "points": 1,
         "reason": "Dangerous call \"eval\" with dynamic expression detected."
       },
+      {
+        "rule": "MUADDIB-AST-041",
+        "type": "credential_regex_harvest",
+        "points": 1,
+        "reason": "Credential regex patterns (token/password/secret/Bearer) + network call in same file — stream data credential harvesting."
+      },
       {
         "rule": "MUADDIB-AST-043",
         "type": "proxy_data_intercept",

package/src/intent-graph.js

@@ -36,180 +36,17 @@ const SOURCE_TYPES = {
 // Sensitive env var patterns — env_access referencing these is credential theft, not config
 const SENSITIVE_ENV_PATTERNS = /TOKEN|KEY|SECRET|PASSWORD|CREDENTIAL|API_KEY|AUTH/i;
 
-// ============================================
-// DESTINATION-AWARE SDK DETECTION
-// ============================================
-// Curated allowlist: when an env var matching the pattern is sent to a matching domain,
-// it is legitimate SDK usage, not credential exfiltration.
-// Safe-by-default: unknown env vars or unknown domains remain CRITICAL.
-const SDK_ENV_DOMAIN_MAP = [
-  { envPattern: /^AWS_/i, domains: ['amazonaws.com', 'aws.amazon.com'] },
-  { envPattern: /^AZURE_/i, domains: ['azure.com', 'microsoft.com'] },
-  { envPattern: /^GOOGLE_|^GCP_/i, domains: ['googleapis.com', 'google.com'] },
-  { envPattern: /^FIREBASE_/i, domains: ['firebase.com', 'googleapis.com'] },
-  { envPattern: /^SALESFORCE_/i, domains: ['salesforce.com', 'force.com'] },
-  { envPattern: /^SUPABASE_/i, domains: ['supabase.co', 'supabase.com'] },
-  { envPattern: /^MAILGUN_/i, domains: ['mailgun.net', 'mailgun.com'] },
-  { envPattern: /^STRIPE_/i, domains: ['stripe.com'] },
-  { envPattern: /^TWILIO_/i, domains: ['twilio.com'] },
-  { envPattern: /^SENDGRID_/i, domains: ['sendgrid.com', 'sendgrid.net'] },
-  { envPattern: /^DATADOG_/i, domains: ['datadoghq.com'] },
-  { envPattern: /^SENTRY_/i, domains: ['sentry.io'] },
-  { envPattern: /^SLACK_/i, domains: ['slack.com'] },
-  { envPattern: /^GITHUB_/i, domains: ['github.com', 'githubusercontent.com'] },
-  { envPattern: /^GITLAB_/i, domains: ['gitlab.com'] },
-  { envPattern: /^CLOUDFLARE_/i, domains: ['cloudflare.com'] },
-  { envPattern: /^OPENAI_/i, domains: ['openai.com'] },
-  { envPattern: /^ANTHROPIC_/i, domains: ['anthropic.com'] },
-  { envPattern: /^MONGODB_|^MONGO_/i, domains: ['mongodb.com', 'mongodb.net'] },
-  { envPattern: /^AUTH0_/i, domains: ['auth0.com'] },
-  { envPattern: /^HUBSPOT_/i, domains: ['hubspot.com', 'hubapi.com'] },
-  { envPattern: /^CONTENTFUL_/i, domains: ['contentful.com'] },
-];
-
-// Tokens stripped when extracting brand keyword from env var name
-const ENV_NOISE_TOKENS = new Set([
-  'API', 'KEY', 'SECRET', 'TOKEN', 'PASSWORD', 'CREDENTIAL',
-  'AUTH', 'ACCESS', 'PRIVATE', 'PUBLIC', 'CLIENT', 'ID', 'URL'
-]);
-
-// Suspicious tunneling/proxy domains — never considered legitimate SDK destinations
-const SUSPICIOUS_DOMAIN_PATTERNS = /ngrok|serveo|localtunnel|burpcollaborator|requestbin|pipedream|webhook\.site/i;
-
-// URL extraction regex (matches http/https URLs in source code)
-const URL_EXTRACT_RE = /https?:\/\/[a-zA-Z0-9\-._~:/?#[\]@!$&'()*+,;=%]+/g;
-
-// Hostname extraction from Node.js request options: hostname: 'domain.com' or host: 'domain.com'
-const HOSTNAME_OPTION_RE = /(?:hostname|host)\s*:\s*['"`]([a-zA-Z0-9\-._]+)['"`]/g;
-
-/**
- * Extract env var name from an intent source threat message.
- * Messages look like: "process.env.SALESFORCE_API_KEY", "env var MAILGUN_API_KEY accessed"
- */
-function extractEnvVarFromMessage(sourceThreats) {
-  for (const t of sourceThreats) {
-    if (!t.message) continue;
-    // Match process.env.VAR_NAME pattern
-    const envMatch = t.message.match(/process\.env\.([A-Z_][A-Z0-9_]*)/i);
-    if (envMatch) return envMatch[1];
-    // Match standalone VAR_NAME patterns (e.g., "SALESFORCE_API_KEY")
-    const varMatch = t.message.match(/\b([A-Z][A-Z0-9]*(?:_[A-Z0-9]+)+)\b/);
-    if (varMatch) return varMatch[1];
-  }
-  return null;
-}
-
-/**
- * Extract brand keyword from env var name by removing noise tokens.
- * MAILGUN_API_KEY → MAILGUN, SALESFORCE_CLIENT_SECRET → SALESFORCE
- */
-function extractBrandFromEnvVar(envVarName) {
-  const parts = envVarName.toUpperCase().split('_');
-  const brandParts = parts.filter(p => !ENV_NOISE_TOKENS.has(p) && p.length > 0);
-  return brandParts.length > 0 ? brandParts[0] : null;
-}
-
-/**
- * Extract domain from a URL string.
- * Returns the hostname (without port).
- */
-function extractDomain(url) {
-  try {
-    const match = url.match(/^https?:\/\/([^/:?#]+)/i);
-    return match ? match[1].toLowerCase() : null;
-  } catch {
-    return null;
-  }
-}
-
-/**
- * Check if a domain matches any of the expected SDK domains (suffix match).
- * api.mailgun.net matches mailgun.net, sub.api.stripe.com matches stripe.com
- */
-function domainMatchesSuffix(domain, expectedDomains) {
-  for (const expected of expectedDomains) {
-    if (domain === expected || domain.endsWith('.' + expected)) return true;
-  }
-  return false;
-}
-
-/**
- * Check if an env var + file content represents a legitimate SDK pattern.
- *
- * Returns true ONLY if:
- * 1. The env var matches a known SDK mapping (allowlist) OR heuristic brand match
- * 2. ALL URLs in the file point to domains matching the expected SDK
- * 3. No suspicious tunneling/proxy domains are present
- *
- * @param {string} envVarName - e.g., "SALESFORCE_API_KEY"
- * @param {string} fileContent - source code of the file
- * @returns {boolean} true if SDK pattern (should skip intent pair)
- */
-function isSDKPattern(envVarName, fileContent) {
-  // Extract domains from full URLs (https://api.stripe.com/v1/charges)
-  const urls = fileContent.match(URL_EXTRACT_RE) || [];
-  const domains = urls.map(u => extractDomain(u)).filter(Boolean);
-
-  // Also extract hostnames from Node.js request options (hostname: 'api.stripe.com')
-  let hostnameMatch;
-  const hostnameRe = new RegExp(HOSTNAME_OPTION_RE.source, 'g');
-  while ((hostnameMatch = hostnameRe.exec(fileContent)) !== null) {
-    const hostname = hostnameMatch[1].toLowerCase();
-    if (hostname && !domains.includes(hostname)) {
-      domains.push(hostname);
-    }
-  }
-
-  // No URLs found — can't confirm SDK pattern, default to suspicious
-  if (domains.length === 0) return false;
-
-  // Check for suspicious tunneling domains — immediate fail
-  for (const domain of domains) {
-    if (SUSPICIOUS_DOMAIN_PATTERNS.test(domain)) return false;
-  }
-
-  // Check for raw IP addresses — immediate fail
-  for (const domain of domains) {
-    if (/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(domain)) return false;
-  }
-
-  // 1. Try curated allowlist first (strict: ALL domains must match)
-  // Curated allowlist is authoritative — no relaxation here to prevent
-  // attacker injecting a legitimate domain alongside their C2 domain.
-  for (const mapping of SDK_ENV_DOMAIN_MAP) {
-    if (mapping.envPattern.test(envVarName)) {
-      return domains.every(d => domainMatchesSuffix(d, mapping.domains));
-    }
-  }
-
-  // R2: credential-suffixed env vars get relaxed domain matching (at least ONE match).
-  // SDKs commonly call their own API + CDN/logging/analytics domains.
-  // Safety: suspicious domains and raw IPs are already rejected above.
-  // Only applies to the heuristic fallback — curated allowlist stays strict.
-  const CREDENTIAL_SUFFIXES = ['_API_KEY', '_SECRET', '_TOKEN', '_SECRET_KEY', '_ACCESS_KEY'];
-  const upperName = envVarName.toUpperCase();
-  const hasCredentialSuffix = CREDENTIAL_SUFFIXES.some(s => upperName.endsWith(s));
-
-  // 2. Heuristic fallback: extract brand keyword and check domain labels
-  const brand = extractBrandFromEnvVar(envVarName);
-  if (!brand || brand.length < 3) return false; // Too short for reliable matching
-
-  const brandLower = brand.toLowerCase();
-  // 2a. Strict check: every domain matches brand (existing behavior)
-  // e.g., brand "ACME" matches "api.acme.com" (label "acme") but not "api.acmetech.com"
-  if (domains.every(d => {
-    const labels = d.split('.');
-    return labels.some(label => label === brandLower);
-  })) return true;
-
-  // 2b. R2 relaxed: credential suffix + at least one domain matches brand
-  if (hasCredentialSuffix && domains.some(d => {
-    const labels = d.split('.');
-    return labels.some(label => label === brandLower);
-  })) return true;
-
-  return false;
-}
+// Destination-aware SDK detection — extracted to a shared leaf module
+// (src/sdk-destination.js) so the same logic gates dataflow.js and the cross-file /
+// detached taint detectors, not just intent coherence. Re-exported below for
+// backward compatibility (dataflow.js imports isSDKPattern from this module).
+const {
+  isSDKPattern,
+  networkDestinationsAllBenign,
+  extractEnvVarFromMessage,
+  extractBrandFromEnvVar,
+  SDK_ENV_DOMAIN_MAP,
+} = require('./sdk-destination.js');
 
 
 // ============================================
@@ -384,26 +221,31 @@ function buildIntentPairs(threats, targetPath) {
         const pairKey = `${srcType}:${sinkType}:${file}`;
         if (pairSet.has(pairKey)) continue;
 
-        // Destination-aware SDK check: credential_read → network_external
-        // If the env var matches the API domain, this is legitimate SDK usage
+        // Destination-aware check: credential_read → network_external. Two
+        // complementary gates, EITHER ⇒ legitimate, skip the pair:
+        //  (1) isSDKPattern — per-env-var: the env var brand matches its API domain
+        //      (e.g. STRIPE_API_KEY → stripe.com).
+        //  (2) networkDestinationsAllBenign — env-var-independent: EVERY network host
+        //      in the file is a provider/local/reserved destination. Catches multi-
+        //      provider CLIs (reads GEMINI_API_KEY *and* ANTHROPIC_API_KEY, calls both)
+        //      and providers absent from the curated env→domain map. Same anti-evasion
+        //      floor (any suspicious/unknown/public-IP host ⇒ keep firing).
         if (srcType === 'credential_read' && sinkType === 'network_external' && targetPath) {
-          const envVarName = extractEnvVarFromMessage(sourceThreats);
-          if (envVarName) {
-            try {
-              let content = fileContentCache.get(file);
-              if (content === undefined) {
-                const filePath = path.join(targetPath, file);
-                content = fs.readFileSync(filePath, 'utf8');
-                fileContentCache.set(file, content);
-              }
-              if (isSDKPattern(envVarName, content)) {
-                // SDK pattern confirmed — skip this pair
-                pairSet.add(pairKey); // Mark as seen to avoid re-checking
-                continue;
-              }
-            } catch {
-              // File read error — default to suspicious (CRITICAL)
+          try {
+            let content = fileContentCache.get(file);
+            if (content === undefined) {
+              const filePath = path.join(targetPath, file);
+              content = fs.readFileSync(filePath, 'utf8');
+              fileContentCache.set(file, content);
+            }
+            const envVarName = extractEnvVarFromMessage(sourceThreats);
+            if ((envVarName && isSDKPattern(envVarName, content)) || networkDestinationsAllBenign(content)) {
+              // First-party/SDK destination — skip this pair
+              pairSet.add(pairKey); // Mark as seen to avoid re-checking
+              continue;
             }
+          } catch {
+            // File read error — default to suspicious (CRITICAL)
           }
         }
 

package/src/pipeline/executor.js

@@ -17,7 +17,7 @@ const { scanGitHubActions } = require('../scanner/github-actions.js');
 const { scanEntropy } = require('../scanner/entropy.js');
 const { scanAIConfig } = require('../scanner/ai-config.js');
 const { deobfuscate } = require('../scanner/deobfuscate.js');
-const { buildModuleGraph, annotateTaintedExports, detectCrossFileFlows, annotateSinkExports, detectCallbackCrossFileFlows, detectEventEmitterFlows } = require('../scanner/module-graph');
+const { buildModuleGraph, annotateTaintedExports, detectCrossFileFlows, filterFirstPartyNetworkFlows, annotateSinkExports, detectCallbackCrossFileFlows, detectEventEmitterFlows } = require('../scanner/module-graph');
 const { loadCachedIOCs } = require('../ioc/updater.js');
 const { normalizePythonName } = require('../scanner/python.js');
 const { scanPythonSource } = require('../scanner/python-source.js');
@@ -173,6 +173,10 @@ async function execute(targetPath, options, pythonDeps, warnings) {
       // EventEmitter cross-module flow detection
       const emitterFlows = await yieldThen(() => detectEventEmitterFlows(graph, tainted, sinkAnnotations, targetPath));
       crossFileFlows = crossFileFlows.concat(emitterFlows);
+      // FP gate (segment A): drop cross_file_dataflow flows whose network sink targets
+      // only first-party/local/provider destinations — legit SDK calls, not exfil.
+      // Suspicious/unknown/public-IP destinations and exec sinks are kept (ecto stays).
+      crossFileFlows = filterFirstPartyNetworkFlows(crossFileFlows, targetPath);
     };
     let graphTimerId;
     const timeout = new Promise((_, reject) => {

package/src/pipeline/processor.js

@@ -8,6 +8,7 @@ const { applyFPReductions, applyCompoundBoosts, calculateRiskScore, getSeverityW
 const { loadPriorVersionSignatures, computeSignatures, saveCachedSignatures } = require('../scoring/delta-multiplier.js');
 const { annotateConfidenceTiers } = require('../rules/confidence-tiers.js');
 const { buildIntentPairs } = require('../intent-graph.js');
+const { networkDestinationsAllBenign } = require('../sdk-destination.js');
 const { debugLog } = require('../utils.js');
 const { getPackageMetadata } = require('../scanner/npm-registry.js');
 const { checkReleaseZero } = require('../scanner/release-zero.js');
@@ -351,13 +352,20 @@ async function process(threats, targetPath, options, pythonDeps, warnings, scann
       const hasCredFlow = fileThreats.some(t => t.type === 'suspicious_dataflow');
       const alreadyCompound = fileThreats.some(t => t.type === 'detached_credential_exfil');
       if (hasDetached && hasCredFlow && !alreadyCompound) {
-        deduped.push({
-          type: 'detached_credential_exfil',
-          severity: 'CRITICAL',
-          message: 'Detached process + credential dataflow — background exfiltration (cross-scanner compound).',
-          file,
-          count: 1
-        });
+        // FP gate (segment A): skip when the file's network destinations are ALL
+        // first-party/local/provider (legit SDK/agent), not exfil. Unknown/suspicious/
+        // public-IP host — or unreadable file — keeps it firing (confirmed-benign only).
+        let destAllBenign = false;
+        try { destAllBenign = networkDestinationsAllBenign(fs.readFileSync(path.join(targetPath, file), 'utf8')); } catch { /* unreadable → not benign */ }
+        if (!destAllBenign) {
+          deduped.push({
+            type: 'detached_credential_exfil',
+            severity: 'CRITICAL',
+            message: 'Detached process + credential dataflow — background exfiltration (cross-scanner compound).',
+            file,
+            count: 1
+          });
+        }
       }
     }
   }

package/src/scanner/ast-detectors/handle-post-walk.js

@@ -1,5 +1,7 @@
 'use strict';
 
+const { networkDestinationsAllBenign } = require('../../sdk-destination.js');
+
 function handlePostWalk(ctx) {
   // SANDWORM_MODE: zlib inflate + base64 decode + eval/Function/Module._compile = obfuscated payload
   if (ctx.hasZlibInflate && ctx.hasBase64Decode && ctx.hasDynamicExec) {
@@ -322,7 +324,12 @@ function handlePostWalk(ctx) {
   const hasSensitiveEnvInFile = ctx.threats.some(t =>
     t.file === ctx.relFile && t.type === 'env_access' && t.severity === 'HIGH'
   );
-  if (hasDetachedInFile && hasSensitiveEnvInFile && ctx.hasNetworkCallInFile) {
+  // FP gate (segment A): suppress this credential→network compound when EVERY network
+  // destination in the file is first-party/local/provider (e.g. an otel collector on
+  // localhost, an SDK POST to its own API). A suspicious/unknown/public-IP host — or no
+  // literal host at all — leaves it firing (conservative: confirmed-benign only).
+  const destAllBenign = ctx._content ? networkDestinationsAllBenign(ctx._content) : false;
+  if (hasDetachedInFile && hasSensitiveEnvInFile && ctx.hasNetworkCallInFile && !destAllBenign) {
     ctx.threats.push({
       type: 'detached_credential_exfil',
       severity: 'CRITICAL',
@@ -334,7 +341,7 @@ function handlePostWalk(ctx) {
   // Audit v3 bypass fix: uncaughtException + env access + network = silent exfiltration
   // Pattern: process.on('uncaughtException', handler) that reads env vars and sends to network.
   // Never legitimate — error handlers don't need to send credentials to external servers.
-  if (ctx.hasUncaughtExceptionHandler && hasSensitiveEnvInFile && ctx.hasNetworkCallInFile) {
+  if (ctx.hasUncaughtExceptionHandler && hasSensitiveEnvInFile && ctx.hasNetworkCallInFile && !destAllBenign) {
     ctx.threats.push({
       type: 'uncaught_exception_exfil',
       severity: 'CRITICAL',

package/src/scanner/module-graph/annotate-sinks.js

@@ -1,10 +1,10 @@
 'use strict';
 
 const path = require('path');
-const { SINK_CALLEE_NAMES, SINK_MEMBER_METHODS, SINK_INSTANCE_METHODS } = require('./constants.js');
+const { SINK_CALLEE_NAMES, SINK_MEMBER_METHODS, SINK_INSTANCE_METHODS, NON_NETWORK_SINK_RECEIVER_ROOTS } = require('./constants.js');
 const {
   parseFile, walkAST, isRequireCall, isModuleExportsAssign,
-  getExportName, getFunctionBody, getMemberChain
+  getExportName, getFunctionBody, getMemberChain, getReceiverRootName
 } = require('./parse-utils.js');
 
 /**
@@ -87,11 +87,14 @@ function analyzeSinkExports(filePath) {
               return;
             }
           }
-          // .write(), .send(), .connect()
+          // .write(), .send(), .connect() — but not process.*/console.* (local I/O, not network)
           const method = node.callee.property.name || node.callee.property.value;
           if (SINK_INSTANCE_METHODS.has(method)) {
-            found = method + '()';
-            return;
+            const root = getReceiverRootName(node.callee);
+            if (!(root && NON_NETWORK_SINK_RECEIVER_ROOTS.has(root))) {
+              found = method + '()';
+              return;
+            }
           }
         }
       }

package/src/scanner/module-graph/constants.js

@@ -26,8 +26,17 @@ const SINK_MEMBER_METHODS = new Set([
 ]);
 const SINK_INSTANCE_METHODS = new Set(['connect', 'write', 'send']);
 
+// Receiver roots that make connect/write/send LOCAL I/O or IPC, never external-network
+// exfil: `process.stdout/stderr.write`, `process.send` (child IPC to the parent), and any
+// `console.*`. SINK_INSTANCE_METHODS matches by method name alone, so without this a
+// console/stderr write of a tainted value reads as a cross-file network sink (segment-A FP
+// driver: contextdevkit, amicus). Real socket/ws/req sinks (receivers `socket`/`ws`/`req`/
+// `net.connect()`…) are unaffected. Globals are trusted here as they are everywhere else.
+const NON_NETWORK_SINK_RECEIVER_ROOTS = new Set(['process', 'console']);
+
 
 module.exports = {
   MAX_GRAPH_NODES, MAX_GRAPH_EDGES, MAX_FLOWS, MAX_TAINT_DEPTH,
-  SENSITIVE_MODULES, ACORN_OPTIONS, SINK_CALLEE_NAMES, SINK_MEMBER_METHODS, SINK_INSTANCE_METHODS
+  SENSITIVE_MODULES, ACORN_OPTIONS, SINK_CALLEE_NAMES, SINK_MEMBER_METHODS, SINK_INSTANCE_METHODS,
+  NON_NETWORK_SINK_RECEIVER_ROOTS
 };

package/src/scanner/module-graph/detect-cross-file.js

@@ -1,11 +1,13 @@
 'use strict';
 
 const path = require('path');
+const fs = require('fs');
 const { debugLog } = require('../../utils');
-const { MAX_FLOWS, SINK_CALLEE_NAMES, SINK_MEMBER_METHODS, SINK_INSTANCE_METHODS } = require('./constants.js');
+const { networkDestinationsAllBenign } = require('../../sdk-destination.js');
+const { MAX_FLOWS, SINK_CALLEE_NAMES, SINK_MEMBER_METHODS, SINK_INSTANCE_METHODS, NON_NETWORK_SINK_RECEIVER_ROOTS } = require('./constants.js');
 const {
   parseFile, walkAST, isRequireCall, isLocalImport, isModuleExportsAssign,
-  getExportName, getMemberChain, resolveLocal
+  getExportName, getMemberChain, getReceiverRootName, resolveLocal
 } = require('./parse-utils.js');
 
 /**
@@ -596,7 +598,12 @@ function getSinkName(callNode) {
     // instance.connect(), socket.write(), ws.send()
     const method = callee.property.name || callee.property.value;
     if (SINK_INSTANCE_METHODS.has(method)) {
-      return `${method}()`;
+      // Reject process.*/console.* receivers: process.stdout/stderr.write,
+      // process.send (IPC), console.* are local I/O, never external-network exfil.
+      const root = getReceiverRootName(callee);
+      if (!(root && NON_NETWORK_SINK_RECEIVER_ROOTS.has(root))) {
+        return `${method}()`;
+      }
     }
   }
 
@@ -954,4 +961,49 @@ function findPipeChainCrossFileFlows(ast, relFile, graph, taintedExports, sinkEx
 }
 
 
-module.exports = { detectCrossFileFlows, expandTaintThroughReexports, collectImportTaint, propagateLocalTaint, getSinkName, findTaintedArgument };
+// A network sink carries a destination host we can judge; exec/command sinks
+// (eval, Function, child_process.*) do not, and are never destination-gated.
+function isNetworkSinkDescriptor(sink) {
+  const s = String(sink || '');
+  if (/^(eval|Function)\(\)$/.test(s)) return false;   // exec sink
+  if (/^child_process\./.test(s)) return false;        // command sink
+  return true; // fetch / http(s).request|get / WebSocket / XMLHttpRequest / connect|write|send
+}
+
+/**
+ * FP gate (segment A — destination-aware). Drop a cross_file_dataflow whose NETWORK
+ * sink targets ONLY benign destinations (loopback/private/reserved IP or a curated
+ * provider API) — a legitimate SDK that reads a key and POSTs to its provider is not
+ * exfiltration. Untouched (kept CRITICAL): exec/command sinks, and any flow whose sink
+ * file references a suspicious/paste host, a public IP, or any unknown domain (so a real
+ * exfil like ecto — webhook.site + direct-IP — keeps firing). The package stays visible
+ * via its other (lower-severity) signals, the same way intent-graph skips SDK pairs.
+ * Rationale + corpus: FPR-segment-A-diagnosis-2026-06-14.md.
+ *
+ * @param {Array} flows - assembled cross-file flows (main + callback + emitter)
+ * @param {string} packagePath - package root, to resolve sink file content
+ * @returns {Array} flows with first-party network FPs removed
+ */
+function filterFirstPartyNetworkFlows(flows, packagePath) {
+  if (!Array.isArray(flows) || flows.length === 0) return flows;
+  const contentCache = new Map();
+  const kept = [];
+  for (const flow of flows) {
+    if (flow && flow.type === 'cross_file_dataflow' && flow.sinkFile && isNetworkSinkDescriptor(flow.sink)) {
+      let content = contentCache.get(flow.sinkFile);
+      if (content === undefined) {
+        try { content = fs.readFileSync(path.resolve(packagePath, flow.sinkFile), 'utf8'); }
+        catch { content = ''; }
+        contentCache.set(flow.sinkFile, content);
+      }
+      if (content && networkDestinationsAllBenign(content)) {
+        debugLog(`[MODULE-GRAPH] cross_file_dataflow suppressed (first-party/local dest): ${flow.sourceFile} -> ${flow.sink} in ${flow.sinkFile}`);
+        continue; // first-party/local network destination → FP, drop
+      }
+    }
+    kept.push(flow);
+  }
+  return kept;
+}
+
+module.exports = { detectCrossFileFlows, expandTaintThroughReexports, collectImportTaint, propagateLocalTaint, getSinkName, findTaintedArgument, isNetworkSinkDescriptor, filterFirstPartyNetworkFlows };

package/src/scanner/module-graph/index.js

@@ -4,13 +4,13 @@ const { MAX_GRAPH_NODES, MAX_GRAPH_EDGES, MAX_FLOWS, MAX_TAINT_DEPTH } = require
 const { parseFile, resolveLocal, isLocalImport, toRel, isFileExists } = require('./parse-utils.js');
 const { buildModuleGraph, extractLocalImports, tryResolveConcatRequire } = require('./build-graph.js');
 const { annotateTaintedExports } = require('./annotate-tainted.js');
-const { detectCrossFileFlows } = require('./detect-cross-file.js');
+const { detectCrossFileFlows, filterFirstPartyNetworkFlows } = require('./detect-cross-file.js');
 const { annotateSinkExports } = require('./annotate-sinks.js');
 const { detectCallbackCrossFileFlows } = require('./detect-callback-flows.js');
 const { detectEventEmitterFlows } = require('./detect-event-flows.js');
 
 module.exports = {
-  buildModuleGraph, annotateTaintedExports, detectCrossFileFlows,
+  buildModuleGraph, annotateTaintedExports, detectCrossFileFlows, filterFirstPartyNetworkFlows,
   annotateSinkExports, detectCallbackCrossFileFlows, detectEventEmitterFlows,
   resolveLocal, extractLocalImports, parseFile, isLocalImport, toRel, isFileExists,
   tryResolveConcatRequire,

package/src/scanner/module-graph/parse-utils.js

@@ -107,6 +107,18 @@ function getMemberChain(node, depth) {
   return '';
 }
 
+// Root identifier of a call's receiver, e.g. `process` for (process.stdout).write(),
+// `process` for process.send(), `console` for console.error(), `sender` for sender.send().
+// Returns null when the receiver root is not a plain Identifier (e.g. this.x.write(),
+// foo().bar()). Used to reject local-IO/IPC receivers (process/console) from the
+// write/send/connect instance-method sink set, which matches by method name alone.
+function getReceiverRootName(callee) {
+  if (!callee || callee.type !== 'MemberExpression') return null;
+  let obj = callee.object;
+  while (obj && obj.type === 'MemberExpression') obj = obj.object;
+  return obj && obj.type === 'Identifier' ? obj.name : null;
+}
+
 function extractLiteralArg(args) {
   if (!args || args.length === 0) return '';
   const first = args[0];
@@ -136,6 +148,6 @@ function toRel(abs, packagePath) {
 
 module.exports = {
   parseFile, walkAST, isRequireCall, isLocalImport, isModuleExportsAssign,
-  getExportName, getFunctionBody, getMemberChain, extractLiteralArg,
+  getExportName, getFunctionBody, getMemberChain, getReceiverRootName, extractLiteralArg,
   resolveLocal, isFileExists, toRel
 };