muaddib-scanner 2.11.114 → 2.11.116

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.11.114",
+  "version": "2.11.116",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/{self-scan-v2.11.114.json → self-scan-v2.11.116.json}

@@ -1,6 +1,6 @@
 {
   "target": "node_modules",
-  "timestamp": "2026-06-14T12:30:49.542Z",
+  "timestamp": "2026-06-14T17:31:14.864Z",
   "threats": [
     {
       "type": "string_mutation_obfuscation",

package/src/intent-graph.js

@@ -36,180 +36,17 @@ const SOURCE_TYPES = {
 // Sensitive env var patterns — env_access referencing these is credential theft, not config
 const SENSITIVE_ENV_PATTERNS = /TOKEN|KEY|SECRET|PASSWORD|CREDENTIAL|API_KEY|AUTH/i;
 
-// ============================================
-// DESTINATION-AWARE SDK DETECTION
-// ============================================
-// Curated allowlist: when an env var matching the pattern is sent to a matching domain,
-// it is legitimate SDK usage, not credential exfiltration.
-// Safe-by-default: unknown env vars or unknown domains remain CRITICAL.
-const SDK_ENV_DOMAIN_MAP = [
-  { envPattern: /^AWS_/i, domains: ['amazonaws.com', 'aws.amazon.com'] },
-  { envPattern: /^AZURE_/i, domains: ['azure.com', 'microsoft.com'] },
-  { envPattern: /^GOOGLE_|^GCP_/i, domains: ['googleapis.com', 'google.com'] },
-  { envPattern: /^FIREBASE_/i, domains: ['firebase.com', 'googleapis.com'] },
-  { envPattern: /^SALESFORCE_/i, domains: ['salesforce.com', 'force.com'] },
-  { envPattern: /^SUPABASE_/i, domains: ['supabase.co', 'supabase.com'] },
-  { envPattern: /^MAILGUN_/i, domains: ['mailgun.net', 'mailgun.com'] },
-  { envPattern: /^STRIPE_/i, domains: ['stripe.com'] },
-  { envPattern: /^TWILIO_/i, domains: ['twilio.com'] },
-  { envPattern: /^SENDGRID_/i, domains: ['sendgrid.com', 'sendgrid.net'] },
-  { envPattern: /^DATADOG_/i, domains: ['datadoghq.com'] },
-  { envPattern: /^SENTRY_/i, domains: ['sentry.io'] },
-  { envPattern: /^SLACK_/i, domains: ['slack.com'] },
-  { envPattern: /^GITHUB_/i, domains: ['github.com', 'githubusercontent.com'] },
-  { envPattern: /^GITLAB_/i, domains: ['gitlab.com'] },
-  { envPattern: /^CLOUDFLARE_/i, domains: ['cloudflare.com'] },
-  { envPattern: /^OPENAI_/i, domains: ['openai.com'] },
-  { envPattern: /^ANTHROPIC_/i, domains: ['anthropic.com'] },
-  { envPattern: /^MONGODB_|^MONGO_/i, domains: ['mongodb.com', 'mongodb.net'] },
-  { envPattern: /^AUTH0_/i, domains: ['auth0.com'] },
-  { envPattern: /^HUBSPOT_/i, domains: ['hubspot.com', 'hubapi.com'] },
-  { envPattern: /^CONTENTFUL_/i, domains: ['contentful.com'] },
-];
-
-// Tokens stripped when extracting brand keyword from env var name
-const ENV_NOISE_TOKENS = new Set([
-  'API', 'KEY', 'SECRET', 'TOKEN', 'PASSWORD', 'CREDENTIAL',
-  'AUTH', 'ACCESS', 'PRIVATE', 'PUBLIC', 'CLIENT', 'ID', 'URL'
-]);
-
-// Suspicious tunneling/proxy domains — never considered legitimate SDK destinations
-const SUSPICIOUS_DOMAIN_PATTERNS = /ngrok|serveo|localtunnel|burpcollaborator|requestbin|pipedream|webhook\.site/i;
-
-// URL extraction regex (matches http/https URLs in source code)
-const URL_EXTRACT_RE = /https?:\/\/[a-zA-Z0-9\-._~:/?#[\]@!$&'()*+,;=%]+/g;
-
-// Hostname extraction from Node.js request options: hostname: 'domain.com' or host: 'domain.com'
-const HOSTNAME_OPTION_RE = /(?:hostname|host)\s*:\s*['"`]([a-zA-Z0-9\-._]+)['"`]/g;
-
-/**
- * Extract env var name from an intent source threat message.
- * Messages look like: "process.env.SALESFORCE_API_KEY", "env var MAILGUN_API_KEY accessed"
- */
-function extractEnvVarFromMessage(sourceThreats) {
-  for (const t of sourceThreats) {
-    if (!t.message) continue;
-    // Match process.env.VAR_NAME pattern
-    const envMatch = t.message.match(/process\.env\.([A-Z_][A-Z0-9_]*)/i);
-    if (envMatch) return envMatch[1];
-    // Match standalone VAR_NAME patterns (e.g., "SALESFORCE_API_KEY")
-    const varMatch = t.message.match(/\b([A-Z][A-Z0-9]*(?:_[A-Z0-9]+)+)\b/);
-    if (varMatch) return varMatch[1];
-  }
-  return null;
-}
-
-/**
- * Extract brand keyword from env var name by removing noise tokens.
- * MAILGUN_API_KEY → MAILGUN, SALESFORCE_CLIENT_SECRET → SALESFORCE
- */
-function extractBrandFromEnvVar(envVarName) {
-  const parts = envVarName.toUpperCase().split('_');
-  const brandParts = parts.filter(p => !ENV_NOISE_TOKENS.has(p) && p.length > 0);
-  return brandParts.length > 0 ? brandParts[0] : null;
-}
-
-/**
- * Extract domain from a URL string.
- * Returns the hostname (without port).
- */
-function extractDomain(url) {
-  try {
-    const match = url.match(/^https?:\/\/([^/:?#]+)/i);
-    return match ? match[1].toLowerCase() : null;
-  } catch {
-    return null;
-  }
-}
-
-/**
- * Check if a domain matches any of the expected SDK domains (suffix match).
- * api.mailgun.net matches mailgun.net, sub.api.stripe.com matches stripe.com
- */
-function domainMatchesSuffix(domain, expectedDomains) {
-  for (const expected of expectedDomains) {
-    if (domain === expected || domain.endsWith('.' + expected)) return true;
-  }
-  return false;
-}
-
-/**
- * Check if an env var + file content represents a legitimate SDK pattern.
- *
- * Returns true ONLY if:
- * 1. The env var matches a known SDK mapping (allowlist) OR heuristic brand match
- * 2. ALL URLs in the file point to domains matching the expected SDK
- * 3. No suspicious tunneling/proxy domains are present
- *
- * @param {string} envVarName - e.g., "SALESFORCE_API_KEY"
- * @param {string} fileContent - source code of the file
- * @returns {boolean} true if SDK pattern (should skip intent pair)
- */
-function isSDKPattern(envVarName, fileContent) {
-  // Extract domains from full URLs (https://api.stripe.com/v1/charges)
-  const urls = fileContent.match(URL_EXTRACT_RE) || [];
-  const domains = urls.map(u => extractDomain(u)).filter(Boolean);
-
-  // Also extract hostnames from Node.js request options (hostname: 'api.stripe.com')
-  let hostnameMatch;
-  const hostnameRe = new RegExp(HOSTNAME_OPTION_RE.source, 'g');
-  while ((hostnameMatch = hostnameRe.exec(fileContent)) !== null) {
-    const hostname = hostnameMatch[1].toLowerCase();
-    if (hostname && !domains.includes(hostname)) {
-      domains.push(hostname);
-    }
-  }
-
-  // No URLs found — can't confirm SDK pattern, default to suspicious
-  if (domains.length === 0) return false;
-
-  // Check for suspicious tunneling domains — immediate fail
-  for (const domain of domains) {
-    if (SUSPICIOUS_DOMAIN_PATTERNS.test(domain)) return false;
-  }
-
-  // Check for raw IP addresses — immediate fail
-  for (const domain of domains) {
-    if (/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(domain)) return false;
-  }
-
-  // 1. Try curated allowlist first (strict: ALL domains must match)
-  // Curated allowlist is authoritative — no relaxation here to prevent
-  // attacker injecting a legitimate domain alongside their C2 domain.
-  for (const mapping of SDK_ENV_DOMAIN_MAP) {
-    if (mapping.envPattern.test(envVarName)) {
-      return domains.every(d => domainMatchesSuffix(d, mapping.domains));
-    }
-  }
-
-  // R2: credential-suffixed env vars get relaxed domain matching (at least ONE match).
-  // SDKs commonly call their own API + CDN/logging/analytics domains.
-  // Safety: suspicious domains and raw IPs are already rejected above.
-  // Only applies to the heuristic fallback — curated allowlist stays strict.
-  const CREDENTIAL_SUFFIXES = ['_API_KEY', '_SECRET', '_TOKEN', '_SECRET_KEY', '_ACCESS_KEY'];
-  const upperName = envVarName.toUpperCase();
-  const hasCredentialSuffix = CREDENTIAL_SUFFIXES.some(s => upperName.endsWith(s));
-
-  // 2. Heuristic fallback: extract brand keyword and check domain labels
-  const brand = extractBrandFromEnvVar(envVarName);
-  if (!brand || brand.length < 3) return false; // Too short for reliable matching
-
-  const brandLower = brand.toLowerCase();
-  // 2a. Strict check: every domain matches brand (existing behavior)
-  // e.g., brand "ACME" matches "api.acme.com" (label "acme") but not "api.acmetech.com"
-  if (domains.every(d => {
-    const labels = d.split('.');
-    return labels.some(label => label === brandLower);
-  })) return true;
-
-  // 2b. R2 relaxed: credential suffix + at least one domain matches brand
-  if (hasCredentialSuffix && domains.some(d => {
-    const labels = d.split('.');
-    return labels.some(label => label === brandLower);
-  })) return true;
-
-  return false;
-}
+// Destination-aware SDK detection — extracted to a shared leaf module
+// (src/sdk-destination.js) so the same logic gates dataflow.js and the cross-file /
+// detached taint detectors, not just intent coherence. Re-exported below for
+// backward compatibility (dataflow.js imports isSDKPattern from this module).
+const {
+  isSDKPattern,
+  networkDestinationsAllBenign,
+  extractEnvVarFromMessage,
+  extractBrandFromEnvVar,
+  SDK_ENV_DOMAIN_MAP,
+} = require('./sdk-destination.js');
 
 
 // ============================================
@@ -384,26 +221,31 @@ function buildIntentPairs(threats, targetPath) {
         const pairKey = `${srcType}:${sinkType}:${file}`;
         if (pairSet.has(pairKey)) continue;
 
-        // Destination-aware SDK check: credential_read → network_external
-        // If the env var matches the API domain, this is legitimate SDK usage
+        // Destination-aware check: credential_read → network_external. Two
+        // complementary gates, EITHER ⇒ legitimate, skip the pair:
+        //  (1) isSDKPattern — per-env-var: the env var brand matches its API domain
+        //      (e.g. STRIPE_API_KEY → stripe.com).
+        //  (2) networkDestinationsAllBenign — env-var-independent: EVERY network host
+        //      in the file is a provider/local/reserved destination. Catches multi-
+        //      provider CLIs (reads GEMINI_API_KEY *and* ANTHROPIC_API_KEY, calls both)
+        //      and providers absent from the curated env→domain map. Same anti-evasion
+        //      floor (any suspicious/unknown/public-IP host ⇒ keep firing).
         if (srcType === 'credential_read' && sinkType === 'network_external' && targetPath) {
-          const envVarName = extractEnvVarFromMessage(sourceThreats);
-          if (envVarName) {
-            try {
-              let content = fileContentCache.get(file);
-              if (content === undefined) {
-                const filePath = path.join(targetPath, file);
-                content = fs.readFileSync(filePath, 'utf8');
-                fileContentCache.set(file, content);
-              }
-              if (isSDKPattern(envVarName, content)) {
-                // SDK pattern confirmed — skip this pair
-                pairSet.add(pairKey); // Mark as seen to avoid re-checking
-                continue;
-              }
-            } catch {
-              // File read error — default to suspicious (CRITICAL)
+          try {
+            let content = fileContentCache.get(file);
+            if (content === undefined) {
+              const filePath = path.join(targetPath, file);
+              content = fs.readFileSync(filePath, 'utf8');
+              fileContentCache.set(file, content);
+            }
+            const envVarName = extractEnvVarFromMessage(sourceThreats);
+            if ((envVarName && isSDKPattern(envVarName, content)) || networkDestinationsAllBenign(content)) {
+              // First-party/SDK destination — skip this pair
+              pairSet.add(pairKey); // Mark as seen to avoid re-checking
+              continue;
             }
+          } catch {
+            // File read error — default to suspicious (CRITICAL)
           }
         }
 

package/src/pipeline/executor.js

@@ -17,7 +17,7 @@ const { scanGitHubActions } = require('../scanner/github-actions.js');
 const { scanEntropy } = require('../scanner/entropy.js');
 const { scanAIConfig } = require('../scanner/ai-config.js');
 const { deobfuscate } = require('../scanner/deobfuscate.js');
-const { buildModuleGraph, annotateTaintedExports, detectCrossFileFlows, annotateSinkExports, detectCallbackCrossFileFlows, detectEventEmitterFlows } = require('../scanner/module-graph');
+const { buildModuleGraph, annotateTaintedExports, detectCrossFileFlows, filterFirstPartyNetworkFlows, annotateSinkExports, detectCallbackCrossFileFlows, detectEventEmitterFlows } = require('../scanner/module-graph');
 const { loadCachedIOCs } = require('../ioc/updater.js');
 const { normalizePythonName } = require('../scanner/python.js');
 const { scanPythonSource } = require('../scanner/python-source.js');
@@ -173,6 +173,10 @@ async function execute(targetPath, options, pythonDeps, warnings) {
       // EventEmitter cross-module flow detection
       const emitterFlows = await yieldThen(() => detectEventEmitterFlows(graph, tainted, sinkAnnotations, targetPath));
       crossFileFlows = crossFileFlows.concat(emitterFlows);
+      // FP gate (segment A): drop cross_file_dataflow flows whose network sink targets
+      // only first-party/local/provider destinations — legit SDK calls, not exfil.
+      // Suspicious/unknown/public-IP destinations and exec sinks are kept (ecto stays).
+      crossFileFlows = filterFirstPartyNetworkFlows(crossFileFlows, targetPath);
     };
     let graphTimerId;
     const timeout = new Promise((_, reject) => {

package/src/pipeline/processor.js

@@ -8,6 +8,7 @@ const { applyFPReductions, applyCompoundBoosts, calculateRiskScore, getSeverityW
 const { loadPriorVersionSignatures, computeSignatures, saveCachedSignatures } = require('../scoring/delta-multiplier.js');
 const { annotateConfidenceTiers } = require('../rules/confidence-tiers.js');
 const { buildIntentPairs } = require('../intent-graph.js');
+const { networkDestinationsAllBenign } = require('../sdk-destination.js');
 const { debugLog } = require('../utils.js');
 const { getPackageMetadata } = require('../scanner/npm-registry.js');
 const { checkReleaseZero } = require('../scanner/release-zero.js');
@@ -351,13 +352,20 @@ async function process(threats, targetPath, options, pythonDeps, warnings, scann
       const hasCredFlow = fileThreats.some(t => t.type === 'suspicious_dataflow');
       const alreadyCompound = fileThreats.some(t => t.type === 'detached_credential_exfil');
       if (hasDetached && hasCredFlow && !alreadyCompound) {
-        deduped.push({
-          type: 'detached_credential_exfil',
-          severity: 'CRITICAL',
-          message: 'Detached process + credential dataflow — background exfiltration (cross-scanner compound).',
-          file,
-          count: 1
-        });
+        // FP gate (segment A): skip when the file's network destinations are ALL
+        // first-party/local/provider (legit SDK/agent), not exfil. Unknown/suspicious/
+        // public-IP host — or unreadable file — keeps it firing (confirmed-benign only).
+        let destAllBenign = false;
+        try { destAllBenign = networkDestinationsAllBenign(fs.readFileSync(path.join(targetPath, file), 'utf8')); } catch { /* unreadable → not benign */ }
+        if (!destAllBenign) {
+          deduped.push({
+            type: 'detached_credential_exfil',
+            severity: 'CRITICAL',
+            message: 'Detached process + credential dataflow — background exfiltration (cross-scanner compound).',
+            file,
+            count: 1
+          });
+        }
       }
     }
   }

package/src/scanner/ast-detectors/handle-post-walk.js

@@ -1,5 +1,7 @@
 'use strict';
 
+const { networkDestinationsAllBenign } = require('../../sdk-destination.js');
+
 function handlePostWalk(ctx) {
   // SANDWORM_MODE: zlib inflate + base64 decode + eval/Function/Module._compile = obfuscated payload
   if (ctx.hasZlibInflate && ctx.hasBase64Decode && ctx.hasDynamicExec) {
@@ -322,7 +324,12 @@ function handlePostWalk(ctx) {
   const hasSensitiveEnvInFile = ctx.threats.some(t =>
     t.file === ctx.relFile && t.type === 'env_access' && t.severity === 'HIGH'
   );
-  if (hasDetachedInFile && hasSensitiveEnvInFile && ctx.hasNetworkCallInFile) {
+  // FP gate (segment A): suppress this credential→network compound when EVERY network
+  // destination in the file is first-party/local/provider (e.g. an otel collector on
+  // localhost, an SDK POST to its own API). A suspicious/unknown/public-IP host — or no
+  // literal host at all — leaves it firing (conservative: confirmed-benign only).
+  const destAllBenign = ctx._content ? networkDestinationsAllBenign(ctx._content) : false;
+  if (hasDetachedInFile && hasSensitiveEnvInFile && ctx.hasNetworkCallInFile && !destAllBenign) {
     ctx.threats.push({
       type: 'detached_credential_exfil',
       severity: 'CRITICAL',
@@ -334,7 +341,7 @@ function handlePostWalk(ctx) {
   // Audit v3 bypass fix: uncaughtException + env access + network = silent exfiltration
   // Pattern: process.on('uncaughtException', handler) that reads env vars and sends to network.
   // Never legitimate — error handlers don't need to send credentials to external servers.
-  if (ctx.hasUncaughtExceptionHandler && hasSensitiveEnvInFile && ctx.hasNetworkCallInFile) {
+  if (ctx.hasUncaughtExceptionHandler && hasSensitiveEnvInFile && ctx.hasNetworkCallInFile && !destAllBenign) {
     ctx.threats.push({
       type: 'uncaught_exception_exfil',
       severity: 'CRITICAL',

package/src/scanner/ast.js

@@ -17,6 +17,13 @@ const {
 // Check if credential keywords appear INSIDE regex literals or new RegExp() patterns.
 // Only true when the keyword is part of the regex pattern itself, not just a string elsewhere in the file.
 const CREDENTIAL_REGEX_KEYWORDS = /bearer|password|secret|token|credential|api.?key/i;
+// axios call shapes — a network call the legacy regexes miss (caught only by ioc_string_match).
+// Covers BOTH the identifier form (axios(...) / axios.get|post|...(...)) and the inline-require
+// form (require('axios').get(...) — the chalk-pro/jsonkeeper staged-loader shape). Call-shaped
+// only, so it never matches a bare `require('axios')` import, `import axios`, `myaxios.get`, or
+// `axios` in a comment/string. Bare instance-var calls (const c = axios.create(); c.get()) are a
+// known follow-up gap; the create() verb catches the create site itself.
+const AXIOS_NETWORK_CALL_RE = /(?:\baxios|require\s*\(\s*['"]axios['"]\s*\))\s*(?:\(|\.\s*(?:get|post|put|patch|delete|request|head|options|create)\s*\()/;
 function hasCredentialInsideRegex(content) {
   // Check regex literals: /...pattern.../flags
   const regexLiteralRe = /\/(?!\*)(?:[^/\\]|\\.)+\/[gimsuy]*/g;
@@ -172,9 +179,9 @@ function analyzeFile(content, filePath, basePath) {
     // SANDWORM_MODE P2: env harvesting co-occurrence
     hasEnvEnumeration: false,  // Object.entries/keys/values(process.env)
     hasEnvHarvestPattern: /\b(KEY|SECRET|TOKEN|PASSWORD|CREDENTIAL|NPM|AWS|SSH|WEBHOOK)\b/.test(content),
-    hasNetworkCallInFile: /\b(fetch|https?\.request|https?\.get|dns\.resolve)\b/.test(content),
-    // C5: Non-fetch network calls indicate independent network channel (NOT WASM loading)
-    hasNonFetchNetworkCall: /\bhttps?\.request\b|\bhttps?\.get\b|\bdns\.resolve\b/.test(content),
+    hasNetworkCallInFile: /\b(fetch|https?\.request|https?\.get|dns\.resolve)\b/.test(content) || AXIOS_NETWORK_CALL_RE.test(content),
+    // C5: Non-fetch network calls indicate independent network channel (NOT WASM loading). axios is non-fetch.
+    hasNonFetchNetworkCall: /\bhttps?\.request\b|\bhttps?\.get\b|\bdns\.resolve\b/.test(content) || AXIOS_NETWORK_CALL_RE.test(content),
     // Credential regex harvesting: regex literals or new RegExp() whose PATTERN contains credential keywords
     // Must check that the keyword is inside the regex, not just anywhere in the file
     hasCredentialRegex: hasCredentialInsideRegex(content),
@@ -197,7 +204,7 @@ function analyzeFile(content, filePath, basePath) {
     gitHooksPathVars: new Map(),
     ideConfigPathVars: new Map(),
     // Wave 4: compound detection — fetch + decrypt + eval chain
-    hasRemoteFetch: /\bhttps?\.(get|request)\b/.test(content) || /\bfetch\s*\(/.test(content),
+    hasRemoteFetch: /\bhttps?\.(get|request)\b/.test(content) || /\bfetch\s*\(/.test(content) || AXIOS_NETWORK_CALL_RE.test(content),
     // Safe domain exclusion: if ALL URLs in file are from known registries, suppress download_exec_binary
     fetchOnlySafeDomains: false, // computed below after URL extraction
     hasCryptoDecipher: /\bcreateDecipher(iv)?\s*\(/.test(content),

package/src/scanner/dataflow.js

@@ -1149,58 +1149,10 @@ function isCredentialPath(arg, sensitivePathVars) {
   return false;
 }
 
-// System identity env vars used for fingerprinting/exfiltration
-const SYSTEM_IDENTITY_ENVS = new Set([
-  'USER', 'USERNAME', 'LOGNAME', 'HOME', 'HOSTNAME',
-  'USERPROFILE', 'COMPUTERNAME', 'WHOAMI'
-]);
-
-// Env var prefixes for tool-internal configuration (not external credentials)
-const SAFE_ENV_PREFIXES = ['MUADDIB_', 'npm_config_', 'npm_lifecycle_', 'npm_package_'];
-
-// P6: Node.js runtime config env vars that are not credentials.
-// NODE_TLS_REJECT_UNAUTHORIZED matches "AUTH" in "UNAUTHORIZED" → false positive.
-// Real credential exfiltration targets API_KEY, TOKEN, SECRET, PASSWORD.
-const DATAFLOW_SAFE_ENV_VARS = new Set([
-  'NODE_TLS_REJECT_UNAUTHORIZED', 'NODE_OPTIONS', 'NODE_EXTRA_CA_CERTS',
-  'NODE_ENV', 'NODE_PATH', 'NODE_DEBUG',
-  'DEBUG', 'CI', 'HTTPS_PROXY', 'HTTP_PROXY', 'NO_PROXY',
-  'LANG', 'TZ', 'PORT', 'HOST'
-  // Note: HOME, USER, HOSTNAME stay sensitive — fingerprint exfiltration detection.
-]);
-
-function isSensitiveEnv(name) {
-  const upper = name.toUpperCase();
-  if (DATAFLOW_SAFE_ENV_VARS.has(upper)) return false;
-  if (SYSTEM_IDENTITY_ENVS.has(upper)) return true;
-  if (SAFE_ENV_PREFIXES.some(p => upper.startsWith(p))) return false;
-  const sensitive = ['TOKEN', 'SECRET', 'KEY', 'PASSWORD', 'CREDENTIAL', 'AUTH', 'NPM', 'AWS', 'AZURE', 'GCP'];
-  return sensitive.some(s => upper.includes(s));
-}
-
-// Audit 2026-05 DF-C4: credential-tier env vars distinguished from generic env_read.
-// These represent authentication material (NPM_TOKEN, GITHUB_TOKEN, AWS_SECRET_ACCESS_KEY,
-// STRIPE_API_KEY etc.) — strictly narrower than isSensitiveEnv. Sources of this type
-// participate in hasHighRiskSource so credential exfil patterns are NOT downgraded by the
-// HIGH→MEDIUM graduation. System identity vars (HOME, USER) remain plain env_read since
-// they are fingerprinting signals, not credentials.
-const KNOWN_CREDENTIAL_ENV_VARS = new Set([
-  'NPM_TOKEN', 'GITHUB_TOKEN', 'GH_TOKEN', 'NODE_AUTH_TOKEN',
-  'CIRCLE_TOKEN', 'GITLAB_TOKEN', 'CARGO_REGISTRY_TOKEN', 'PYPI_TOKEN',
-  'GOOGLE_APPLICATION_CREDENTIALS', 'AZURE_CLIENT_SECRET',
-  'SENTRY_AUTH_TOKEN', 'NPM_AUTH_TOKEN', 'NPM_CONFIG_AUTHTOKEN'
-]);
-
-const CREDENTIAL_ENV_SUFFIX_RE = /(?:^|_)(?:TOKEN|SECRET|PASSWORD|PASSPHRASE|CREDENTIAL|CREDENTIALS|API_KEY|ACCESS_KEY|ACCESS_KEY_ID|SECRET_KEY|PRIVATE_KEY|SIGNING_KEY|SESSION_TOKEN|REFRESH_TOKEN|AUTH_TOKEN)$/;
-
-function isCredentialEnv(name) {
-  const upper = name.toUpperCase();
-  // System identity vars are fingerprinting, not credentials
-  if (SYSTEM_IDENTITY_ENVS.has(upper)) return false;
-  // Public keys are not credentials (e.g., SSH_PUBLIC_KEY, GPG_PUBLIC_KEY)
-  if (upper.includes('PUBLIC_KEY') || upper.includes('PUBKEY')) return false;
-  if (KNOWN_CREDENTIAL_ENV_VARS.has(upper)) return true;
-  return CREDENTIAL_ENV_SUFFIX_RE.test(upper);
-}
+// Env-var credential classification (isSensitiveEnv / isCredentialEnv + their sets) was
+// extracted to a shared leaf module so the module-graph cross-file taint can apply the EXACT
+// same credential-vs-config distinction (it previously tainted any process.env read). Imported
+// at module load → in scope for the analyzeDataFlow call sites above. Behavior unchanged here.
+const { isSensitiveEnv, isCredentialEnv } = require('./env-var-classification.js');
 
 module.exports = { analyzeDataFlow };

package/src/scanner/env-var-classification.js

@@ -0,0 +1,75 @@
+'use strict';
+
+// Environment-variable credential classification (shared leaf module).
+// Extracted verbatim from dataflow.js so the SAME credential-vs-config distinction can
+// gate every taint source — dataflow (scanner/dataflow.js) AND the module-graph cross-file
+// taint (scanner/module-graph/annotate-tainted.js), which previously tainted ANY process.env
+// read indiscriminately (config vars like STORYBOARD_SERVER_URL → false credential_exfil).
+// No project dependencies → safe to require from any scanner, no cycles.
+
+// System identity env vars used for fingerprinting/exfiltration
+const SYSTEM_IDENTITY_ENVS = new Set([
+  'USER', 'USERNAME', 'LOGNAME', 'HOME', 'HOSTNAME',
+  'USERPROFILE', 'COMPUTERNAME', 'WHOAMI'
+]);
+
+// Env var prefixes for tool-internal configuration (not external credentials)
+const SAFE_ENV_PREFIXES = ['MUADDIB_', 'npm_config_', 'npm_lifecycle_', 'npm_package_'];
+
+// P6: Node.js runtime config env vars that are not credentials.
+// NODE_TLS_REJECT_UNAUTHORIZED matches "AUTH" in "UNAUTHORIZED" → false positive.
+// Real credential exfiltration targets API_KEY, TOKEN, SECRET, PASSWORD.
+const DATAFLOW_SAFE_ENV_VARS = new Set([
+  'NODE_TLS_REJECT_UNAUTHORIZED', 'NODE_OPTIONS', 'NODE_EXTRA_CA_CERTS',
+  'NODE_ENV', 'NODE_PATH', 'NODE_DEBUG',
+  'DEBUG', 'CI', 'HTTPS_PROXY', 'HTTP_PROXY', 'NO_PROXY',
+  'LANG', 'TZ', 'PORT', 'HOST'
+  // Note: HOME, USER, HOSTNAME stay sensitive — fingerprint exfiltration detection.
+]);
+
+// True when an env var name is a sensitive source (credential material OR system-identity
+// fingerprinting). Config vars (URL/HOST/PORT/NODE_ENV/proxy/...) return false. This is the
+// classification module-graph cross-file taint now shares (it formerly tainted every read).
+function isSensitiveEnv(name) {
+  const upper = name.toUpperCase();
+  if (DATAFLOW_SAFE_ENV_VARS.has(upper)) return false;
+  if (SYSTEM_IDENTITY_ENVS.has(upper)) return true;
+  if (SAFE_ENV_PREFIXES.some(p => upper.startsWith(p))) return false;
+  const sensitive = ['TOKEN', 'SECRET', 'KEY', 'PASSWORD', 'CREDENTIAL', 'AUTH', 'NPM', 'AWS', 'AZURE', 'GCP'];
+  return sensitive.some(s => upper.includes(s));
+}
+
+// Audit 2026-05 DF-C4: credential-tier env vars distinguished from generic env_read.
+// These represent authentication material (NPM_TOKEN, GITHUB_TOKEN, AWS_SECRET_ACCESS_KEY,
+// STRIPE_API_KEY etc.) — strictly narrower than isSensitiveEnv. Sources of this type
+// participate in hasHighRiskSource so credential exfil patterns are NOT downgraded by the
+// HIGH→MEDIUM graduation. System identity vars (HOME, USER) remain plain env_read since
+// they are fingerprinting signals, not credentials.
+const KNOWN_CREDENTIAL_ENV_VARS = new Set([
+  'NPM_TOKEN', 'GITHUB_TOKEN', 'GH_TOKEN', 'NODE_AUTH_TOKEN',
+  'CIRCLE_TOKEN', 'GITLAB_TOKEN', 'CARGO_REGISTRY_TOKEN', 'PYPI_TOKEN',
+  'GOOGLE_APPLICATION_CREDENTIALS', 'AZURE_CLIENT_SECRET',
+  'SENTRY_AUTH_TOKEN', 'NPM_AUTH_TOKEN', 'NPM_CONFIG_AUTHTOKEN'
+]);
+
+const CREDENTIAL_ENV_SUFFIX_RE = /(?:^|_)(?:TOKEN|SECRET|PASSWORD|PASSPHRASE|CREDENTIAL|CREDENTIALS|API_KEY|ACCESS_KEY|ACCESS_KEY_ID|SECRET_KEY|PRIVATE_KEY|SIGNING_KEY|SESSION_TOKEN|REFRESH_TOKEN|AUTH_TOKEN)$/;
+
+function isCredentialEnv(name) {
+  const upper = name.toUpperCase();
+  // System identity vars are fingerprinting, not credentials
+  if (SYSTEM_IDENTITY_ENVS.has(upper)) return false;
+  // Public keys are not credentials (e.g., SSH_PUBLIC_KEY, GPG_PUBLIC_KEY)
+  if (upper.includes('PUBLIC_KEY') || upper.includes('PUBKEY')) return false;
+  if (KNOWN_CREDENTIAL_ENV_VARS.has(upper)) return true;
+  return CREDENTIAL_ENV_SUFFIX_RE.test(upper);
+}
+
+module.exports = {
+  SYSTEM_IDENTITY_ENVS,
+  SAFE_ENV_PREFIXES,
+  DATAFLOW_SAFE_ENV_VARS,
+  KNOWN_CREDENTIAL_ENV_VARS,
+  CREDENTIAL_ENV_SUFFIX_RE,
+  isSensitiveEnv,
+  isCredentialEnv,
+};

package/src/scanner/module-graph/annotate-sinks.js

@@ -1,10 +1,10 @@
 'use strict';
 
 const path = require('path');
-const { SINK_CALLEE_NAMES, SINK_MEMBER_METHODS, SINK_INSTANCE_METHODS } = require('./constants.js');
+const { SINK_CALLEE_NAMES, SINK_MEMBER_METHODS, SINK_INSTANCE_METHODS, NON_NETWORK_SINK_RECEIVER_ROOTS } = require('./constants.js');
 const {
   parseFile, walkAST, isRequireCall, isModuleExportsAssign,
-  getExportName, getFunctionBody, getMemberChain
+  getExportName, getFunctionBody, getMemberChain, getReceiverRootName
 } = require('./parse-utils.js');
 
 /**
@@ -87,11 +87,14 @@ function analyzeSinkExports(filePath) {
               return;
             }
           }
-          // .write(), .send(), .connect()
+          // .write(), .send(), .connect() — but not process.*/console.* (local I/O, not network)
           const method = node.callee.property.name || node.callee.property.value;
           if (SINK_INSTANCE_METHODS.has(method)) {
-            found = method + '()';
-            return;
+            const root = getReceiverRootName(node.callee);
+            if (!(root && NON_NETWORK_SINK_RECEIVER_ROOTS.has(root))) {
+              found = method + '()';
+              return;
+            }
           }
         }
       }

package/src/scanner/module-graph/annotate-tainted.js

@@ -2,6 +2,7 @@
 
 const path = require('path');
 const { SENSITIVE_MODULES } = require('./constants.js');
+const { isSensitiveEnv } = require('../env-var-classification.js');
 const {
   parseFile, walkAST, isRequireCall, isModuleExportsAssign,
   getExportName, getFunctionBody, getMemberChain, extractLiteralArg
@@ -272,6 +273,11 @@ function checkNodeTaint(node, moduleVars) {
     const chain = getMemberChain(node);
     if (chain.startsWith('process.env')) {
       const detail = chain.length > 'process.env'.length ? chain.slice('process.env.'.length) : '';
+      // Source-precision (segment A): a SPECIFIC non-credential config var (URL/HOST/PORT/
+      // NODE_ENV/...) is not a credential taint source — consistent with dataflow.js's
+      // isSensitiveEnv (DF-C4). Whole-object `process.env` (detail '') stays tainted: an env
+      // dump exfiltrates every secret. System-identity vars (HOME/USER) stay tainted too.
+      if (detail && !isSensitiveEnv(detail)) return null;
       return { source: 'process.env', detail };
     }
   }
@@ -332,9 +338,21 @@ function scanBodyForTaint(body, moduleVars, taintedVars) {
   // Collect local tainted vars within this function scope too
   const localTainted = Object.assign(Object.create(null), taintedVars);
 
+  // A `process.env.X` read is matched as a unit by checkNodeTaint (gated on isSensitiveEnv).
+  // Record the inner bare `process.env` node of each so the pre-order walker does not RE-match
+  // it standalone (detail '' = whole-env dump), which would defeat the per-var gate for config
+  // vars. A genuinely standalone `process.env` (a different node) still taints as a dump.
+  const innerEnvNodes = new WeakSet();
+
   let found = null;
   walkAST({ type: 'Program', body }, (node) => {
     if (found) return;
+    if (innerEnvNodes.has(node)) return;
+
+    if (node.type === 'MemberExpression' && node.object &&
+        node.object.type === 'MemberExpression' && getMemberChain(node.object) === 'process.env') {
+      innerEnvNodes.add(node.object);
+    }
 
     // Variable assignment inside function
     if (node.type === 'VariableDeclaration') {

package/src/scanner/module-graph/constants.js

@@ -18,16 +18,29 @@ const ACORN_OPTIONS = {
 };
 
 // --- Sink patterns for cross-file detection ---
-const SINK_CALLEE_NAMES = new Set(['fetch', 'eval', 'Function', 'WebSocket', 'XMLHttpRequest']);
+const SINK_CALLEE_NAMES = new Set(['fetch', 'eval', 'Function', 'WebSocket', 'XMLHttpRequest', 'axios']);
 const SINK_MEMBER_METHODS = new Set([
   'https.request', 'https.get', 'http.request', 'http.get',
   'child_process.exec', 'child_process.execSync', 'child_process.spawn',
   'dns.resolveTxt', 'dns.resolve', 'dns.resolve4', 'dns.resolve6',
+  // axios as a cross-file network sink (axios.get(taintedData) etc.). Instance form
+  // (const c = axios.create(); c.get(...)) is NOT added to SINK_INSTANCE_METHODS — that
+  // would match every .get/.post receiver and explode FPs; it's a known follow-up gap.
+  'axios.get', 'axios.post', 'axios.put', 'axios.patch', 'axios.delete', 'axios.request',
 ]);
 const SINK_INSTANCE_METHODS = new Set(['connect', 'write', 'send']);
 
+// Receiver roots that make connect/write/send LOCAL I/O or IPC, never external-network
+// exfil: `process.stdout/stderr.write`, `process.send` (child IPC to the parent), and any
+// `console.*`. SINK_INSTANCE_METHODS matches by method name alone, so without this a
+// console/stderr write of a tainted value reads as a cross-file network sink (segment-A FP
+// driver: contextdevkit, amicus). Real socket/ws/req sinks (receivers `socket`/`ws`/`req`/
+// `net.connect()`…) are unaffected. Globals are trusted here as they are everywhere else.
+const NON_NETWORK_SINK_RECEIVER_ROOTS = new Set(['process', 'console']);
+
 
 module.exports = {
   MAX_GRAPH_NODES, MAX_GRAPH_EDGES, MAX_FLOWS, MAX_TAINT_DEPTH,
-  SENSITIVE_MODULES, ACORN_OPTIONS, SINK_CALLEE_NAMES, SINK_MEMBER_METHODS, SINK_INSTANCE_METHODS
+  SENSITIVE_MODULES, ACORN_OPTIONS, SINK_CALLEE_NAMES, SINK_MEMBER_METHODS, SINK_INSTANCE_METHODS,
+  NON_NETWORK_SINK_RECEIVER_ROOTS
 };

package/src/scanner/module-graph/detect-cross-file.js

@@ -1,11 +1,13 @@
 'use strict';
 
 const path = require('path');
+const fs = require('fs');
 const { debugLog } = require('../../utils');
-const { MAX_FLOWS, SINK_CALLEE_NAMES, SINK_MEMBER_METHODS, SINK_INSTANCE_METHODS } = require('./constants.js');
+const { networkDestinationsAllBenign } = require('../../sdk-destination.js');
+const { MAX_FLOWS, SINK_CALLEE_NAMES, SINK_MEMBER_METHODS, SINK_INSTANCE_METHODS, NON_NETWORK_SINK_RECEIVER_ROOTS } = require('./constants.js');
 const {
   parseFile, walkAST, isRequireCall, isLocalImport, isModuleExportsAssign,
-  getExportName, getMemberChain, resolveLocal
+  getExportName, getMemberChain, getReceiverRootName, resolveLocal
 } = require('./parse-utils.js');
 
 /**
@@ -596,7 +598,12 @@ function getSinkName(callNode) {
     // instance.connect(), socket.write(), ws.send()
     const method = callee.property.name || callee.property.value;
     if (SINK_INSTANCE_METHODS.has(method)) {
-      return `${method}()`;
+      // Reject process.*/console.* receivers: process.stdout/stderr.write,
+      // process.send (IPC), console.* are local I/O, never external-network exfil.
+      const root = getReceiverRootName(callee);
+      if (!(root && NON_NETWORK_SINK_RECEIVER_ROOTS.has(root))) {
+        return `${method}()`;
+      }
     }
   }
 
@@ -954,4 +961,49 @@ function findPipeChainCrossFileFlows(ast, relFile, graph, taintedExports, sinkEx
 }
 
 
-module.exports = { detectCrossFileFlows, expandTaintThroughReexports, collectImportTaint, propagateLocalTaint, getSinkName, findTaintedArgument };
+// A network sink carries a destination host we can judge; exec/command sinks
+// (eval, Function, child_process.*) do not, and are never destination-gated.
+function isNetworkSinkDescriptor(sink) {
+  const s = String(sink || '');
+  if (/^(eval|Function)\(\)$/.test(s)) return false;   // exec sink
+  if (/^child_process\./.test(s)) return false;        // command sink
+  return true; // fetch / http(s).request|get / WebSocket / XMLHttpRequest / connect|write|send
+}
+
+/**
+ * FP gate (segment A — destination-aware). Drop a cross_file_dataflow whose NETWORK
+ * sink targets ONLY benign destinations (loopback/private/reserved IP or a curated
+ * provider API) — a legitimate SDK that reads a key and POSTs to its provider is not
+ * exfiltration. Untouched (kept CRITICAL): exec/command sinks, and any flow whose sink
+ * file references a suspicious/paste host, a public IP, or any unknown domain (so a real
+ * exfil like ecto — webhook.site + direct-IP — keeps firing). The package stays visible
+ * via its other (lower-severity) signals, the same way intent-graph skips SDK pairs.
+ * Rationale + corpus: FPR-segment-A-diagnosis-2026-06-14.md.
+ *
+ * @param {Array} flows - assembled cross-file flows (main + callback + emitter)
+ * @param {string} packagePath - package root, to resolve sink file content
+ * @returns {Array} flows with first-party network FPs removed
+ */
+function filterFirstPartyNetworkFlows(flows, packagePath) {
+  if (!Array.isArray(flows) || flows.length === 0) return flows;
+  const contentCache = new Map();
+  const kept = [];
+  for (const flow of flows) {
+    if (flow && flow.type === 'cross_file_dataflow' && flow.sinkFile && isNetworkSinkDescriptor(flow.sink)) {
+      let content = contentCache.get(flow.sinkFile);
+      if (content === undefined) {
+        try { content = fs.readFileSync(path.resolve(packagePath, flow.sinkFile), 'utf8'); }
+        catch { content = ''; }
+        contentCache.set(flow.sinkFile, content);
+      }
+      if (content && networkDestinationsAllBenign(content)) {
+        debugLog(`[MODULE-GRAPH] cross_file_dataflow suppressed (first-party/local dest): ${flow.sourceFile} -> ${flow.sink} in ${flow.sinkFile}`);
+        continue; // first-party/local network destination → FP, drop
+      }
+    }
+    kept.push(flow);
+  }
+  return kept;
+}
+
+module.exports = { detectCrossFileFlows, expandTaintThroughReexports, collectImportTaint, propagateLocalTaint, getSinkName, findTaintedArgument, isNetworkSinkDescriptor, filterFirstPartyNetworkFlows };

package/src/scanner/module-graph/index.js

@@ -4,13 +4,13 @@ const { MAX_GRAPH_NODES, MAX_GRAPH_EDGES, MAX_FLOWS, MAX_TAINT_DEPTH } = require
 const { parseFile, resolveLocal, isLocalImport, toRel, isFileExists } = require('./parse-utils.js');
 const { buildModuleGraph, extractLocalImports, tryResolveConcatRequire } = require('./build-graph.js');
 const { annotateTaintedExports } = require('./annotate-tainted.js');
-const { detectCrossFileFlows } = require('./detect-cross-file.js');
+const { detectCrossFileFlows, filterFirstPartyNetworkFlows } = require('./detect-cross-file.js');
 const { annotateSinkExports } = require('./annotate-sinks.js');
 const { detectCallbackCrossFileFlows } = require('./detect-callback-flows.js');
 const { detectEventEmitterFlows } = require('./detect-event-flows.js');
 
 module.exports = {
-  buildModuleGraph, annotateTaintedExports, detectCrossFileFlows,
+  buildModuleGraph, annotateTaintedExports, detectCrossFileFlows, filterFirstPartyNetworkFlows,
   annotateSinkExports, detectCallbackCrossFileFlows, detectEventEmitterFlows,
   resolveLocal, extractLocalImports, parseFile, isLocalImport, toRel, isFileExists,
   tryResolveConcatRequire,

package/src/scanner/module-graph/parse-utils.js

@@ -107,6 +107,18 @@ function getMemberChain(node, depth) {
   return '';
 }
 
+// Root identifier of a call's receiver, e.g. `process` for (process.stdout).write(),
+// `process` for process.send(), `console` for console.error(), `sender` for sender.send().
+// Returns null when the receiver root is not a plain Identifier (e.g. this.x.write(),
+// foo().bar()). Used to reject local-IO/IPC receivers (process/console) from the
+// write/send/connect instance-method sink set, which matches by method name alone.
+function getReceiverRootName(callee) {
+  if (!callee || callee.type !== 'MemberExpression') return null;
+  let obj = callee.object;
+  while (obj && obj.type === 'MemberExpression') obj = obj.object;
+  return obj && obj.type === 'Identifier' ? obj.name : null;
+}
+
 function extractLiteralArg(args) {
   if (!args || args.length === 0) return '';
   const first = args[0];
@@ -136,6 +148,6 @@ function toRel(abs, packagePath) {
 
 module.exports = {
   parseFile, walkAST, isRequireCall, isLocalImport, isModuleExportsAssign,
-  getExportName, getFunctionBody, getMemberChain, extractLiteralArg,
+  getExportName, getFunctionBody, getMemberChain, getReceiverRootName, extractLiteralArg,
   resolveLocal, isFileExists, toRel
 };

package/src/sdk-destination.js

@@ -0,0 +1,328 @@
+'use strict';
+
+// ============================================
+// DESTINATION-AWARE SDK DETECTION (shared leaf module)
+// ============================================
+// Extracted from intent-graph.js (v2.11.x) so the same destination logic can gate
+// every credential→network taint detector — intent coherence (intent-graph.js),
+// dataflow (scanner/dataflow.js), cross-file flow (scanner/module-graph) and the
+// detached/uncaught compounds (scanner/ast-detectors). No project dependencies
+// (only the Node stdlib via callers) → safe to require from any scanner, no cycles.
+//
+// Curated allowlist: when an env var matching the pattern is sent to a matching domain,
+// it is legitimate SDK usage, not credential exfiltration.
+// Safe-by-default: unknown env vars or unknown domains remain CRITICAL.
+const SDK_ENV_DOMAIN_MAP = [
+  { envPattern: /^AWS_/i, domains: ['amazonaws.com', 'aws.amazon.com'] },
+  { envPattern: /^AZURE_/i, domains: ['azure.com', 'microsoft.com'] },
+  { envPattern: /^GOOGLE_|^GCP_/i, domains: ['googleapis.com', 'google.com'] },
+  { envPattern: /^FIREBASE_/i, domains: ['firebase.com', 'googleapis.com'] },
+  { envPattern: /^SALESFORCE_/i, domains: ['salesforce.com', 'force.com'] },
+  { envPattern: /^SUPABASE_/i, domains: ['supabase.co', 'supabase.com'] },
+  { envPattern: /^MAILGUN_/i, domains: ['mailgun.net', 'mailgun.com'] },
+  { envPattern: /^STRIPE_/i, domains: ['stripe.com'] },
+  { envPattern: /^TWILIO_/i, domains: ['twilio.com'] },
+  { envPattern: /^SENDGRID_/i, domains: ['sendgrid.com', 'sendgrid.net'] },
+  { envPattern: /^DATADOG_/i, domains: ['datadoghq.com'] },
+  { envPattern: /^SENTRY_/i, domains: ['sentry.io'] },
+  { envPattern: /^SLACK_/i, domains: ['slack.com'] },
+  { envPattern: /^GITHUB_/i, domains: ['github.com', 'githubusercontent.com'] },
+  { envPattern: /^GITLAB_/i, domains: ['gitlab.com'] },
+  { envPattern: /^CLOUDFLARE_/i, domains: ['cloudflare.com'] },
+  { envPattern: /^OPENAI_/i, domains: ['openai.com'] },
+  { envPattern: /^ANTHROPIC_/i, domains: ['anthropic.com'] },
+  { envPattern: /^MONGODB_|^MONGO_/i, domains: ['mongodb.com', 'mongodb.net'] },
+  { envPattern: /^AUTH0_/i, domains: ['auth0.com'] },
+  { envPattern: /^HUBSPOT_/i, domains: ['hubspot.com', 'hubapi.com'] },
+  { envPattern: /^CONTENTFUL_/i, domains: ['contentful.com'] },
+];
+
+// Tokens stripped when extracting brand keyword from env var name
+const ENV_NOISE_TOKENS = new Set([
+  'API', 'KEY', 'SECRET', 'TOKEN', 'PASSWORD', 'CREDENTIAL',
+  'AUTH', 'ACCESS', 'PRIVATE', 'PUBLIC', 'CLIENT', 'ID', 'URL'
+]);
+
+// Suspicious tunneling/proxy domains — never considered legitimate SDK destinations
+const SUSPICIOUS_DOMAIN_PATTERNS = /ngrok|serveo|localtunnel|burpcollaborator|requestbin|pipedream|webhook\.site/i;
+
+// URL extraction regex (matches http/https URLs in source code)
+const URL_EXTRACT_RE = /https?:\/\/[a-zA-Z0-9\-._~:/?#[\]@!$&'()*+,;=%]+/g;
+
+// Hostname extraction from Node.js request options: hostname: 'domain.com' or host: 'domain.com'
+const HOSTNAME_OPTION_RE = /(?:hostname|host)\s*:\s*['"`]([a-zA-Z0-9\-._]+)['"`]/g;
+
+/**
+ * Extract env var name from an intent source threat message.
+ * Messages look like: "process.env.SALESFORCE_API_KEY", "env var MAILGUN_API_KEY accessed"
+ */
+function extractEnvVarFromMessage(sourceThreats) {
+  for (const t of sourceThreats) {
+    if (!t.message) continue;
+    // Match process.env.VAR_NAME pattern
+    const envMatch = t.message.match(/process\.env\.([A-Z_][A-Z0-9_]*)/i);
+    if (envMatch) return envMatch[1];
+    // Match standalone VAR_NAME patterns (e.g., "SALESFORCE_API_KEY")
+    const varMatch = t.message.match(/\b([A-Z][A-Z0-9]*(?:_[A-Z0-9]+)+)\b/);
+    if (varMatch) return varMatch[1];
+  }
+  return null;
+}
+
+/**
+ * Extract brand keyword from env var name by removing noise tokens.
+ * MAILGUN_API_KEY → MAILGUN, SALESFORCE_CLIENT_SECRET → SALESFORCE
+ */
+function extractBrandFromEnvVar(envVarName) {
+  const parts = envVarName.toUpperCase().split('_');
+  const brandParts = parts.filter(p => !ENV_NOISE_TOKENS.has(p) && p.length > 0);
+  return brandParts.length > 0 ? brandParts[0] : null;
+}
+
+/**
+ * Extract domain from a URL string.
+ * Returns the hostname (without port).
+ */
+function extractDomain(url) {
+  try {
+    // Capture only valid hostname characters so a path-less URL immediately followed by
+    // a quote/paren (e.g. fetch('https://api.openai.com')) does not absorb the trailing
+    // ')" into the host. Stops at /, :, ?, #, quotes, parens, etc.
+    const match = url.match(/^https?:\/\/([a-zA-Z0-9.\-]+)/i);
+    return match ? match[1].toLowerCase() : null;
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Check if a domain matches any of the expected SDK domains (suffix match).
+ * api.mailgun.net matches mailgun.net, sub.api.stripe.com matches stripe.com
+ */
+function domainMatchesSuffix(domain, expectedDomains) {
+  for (const expected of expectedDomains) {
+    if (domain === expected || domain.endsWith('.' + expected)) return true;
+  }
+  return false;
+}
+
+/**
+ * Check if an env var + file content represents a legitimate SDK pattern.
+ *
+ * Returns true ONLY if:
+ * 1. The env var matches a known SDK mapping (allowlist) OR heuristic brand match
+ * 2. ALL URLs in the file point to domains matching the expected SDK
+ * 3. No suspicious tunneling/proxy domains are present
+ *
+ * @param {string} envVarName - e.g., "SALESFORCE_API_KEY"
+ * @param {string} fileContent - source code of the file
+ * @returns {boolean} true if SDK pattern (should skip intent pair)
+ */
+function isSDKPattern(envVarName, fileContent) {
+  // Extract domains from full URLs (https://api.stripe.com/v1/charges)
+  const urls = fileContent.match(URL_EXTRACT_RE) || [];
+  const domains = urls.map(u => extractDomain(u)).filter(Boolean);
+
+  // Also extract hostnames from Node.js request options (hostname: 'api.stripe.com')
+  let hostnameMatch;
+  const hostnameRe = new RegExp(HOSTNAME_OPTION_RE.source, 'g');
+  while ((hostnameMatch = hostnameRe.exec(fileContent)) !== null) {
+    const hostname = hostnameMatch[1].toLowerCase();
+    if (hostname && !domains.includes(hostname)) {
+      domains.push(hostname);
+    }
+  }
+
+  // No URLs found — can't confirm SDK pattern, default to suspicious
+  if (domains.length === 0) return false;
+
+  // Check for suspicious tunneling domains — immediate fail
+  for (const domain of domains) {
+    if (SUSPICIOUS_DOMAIN_PATTERNS.test(domain)) return false;
+  }
+
+  // Check for raw IP addresses — immediate fail
+  for (const domain of domains) {
+    if (/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(domain)) return false;
+  }
+
+  // 1. Try curated allowlist first (strict: ALL domains must match)
+  // Curated allowlist is authoritative — no relaxation here to prevent
+  // attacker injecting a legitimate domain alongside their C2 domain.
+  for (const mapping of SDK_ENV_DOMAIN_MAP) {
+    if (mapping.envPattern.test(envVarName)) {
+      return domains.every(d => domainMatchesSuffix(d, mapping.domains));
+    }
+  }
+
+  // R2: credential-suffixed env vars get relaxed domain matching (at least ONE match).
+  // SDKs commonly call their own API + CDN/logging/analytics domains.
+  // Safety: suspicious domains and raw IPs are already rejected above.
+  // Only applies to the heuristic fallback — curated allowlist stays strict.
+  const CREDENTIAL_SUFFIXES = ['_API_KEY', '_SECRET', '_TOKEN', '_SECRET_KEY', '_ACCESS_KEY'];
+  const upperName = envVarName.toUpperCase();
+  const hasCredentialSuffix = CREDENTIAL_SUFFIXES.some(s => upperName.endsWith(s));
+
+  // 2. Heuristic fallback: extract brand keyword and check domain labels
+  const brand = extractBrandFromEnvVar(envVarName);
+  if (!brand || brand.length < 3) return false; // Too short for reliable matching
+
+  const brandLower = brand.toLowerCase();
+  // 2a. Strict check: every domain matches brand (existing behavior)
+  // e.g., brand "ACME" matches "api.acme.com" (label "acme") but not "api.acmetech.com"
+  if (domains.every(d => {
+    const labels = d.split('.');
+    return labels.some(label => label === brandLower);
+  })) return true;
+
+  // 2b. R2 relaxed: credential suffix + at least one domain matches brand
+  if (hasCredentialSuffix && domains.some(d => {
+    const labels = d.split('.');
+    return labels.some(label => label === brandLower);
+  })) return true;
+
+  return false;
+}
+
+// ============================================
+// DESTINATION-BENIGNNESS GATE (env-var-independent)
+// ============================================
+// isSDKPattern() needs a single extractable env var + matching domain. That model
+// breaks on (a) multi-provider files (a CLI that reads GEMINI_API_KEY *and*
+// ANTHROPIC_API_KEY and calls both), and (b) flows whose credential source has no
+// extractable env var (cross_file_dataflow / detached compounds). For those, judge the
+// DESTINATIONS, not the env var: a credential→network flow is benign iff EVERY network
+// host in scope is provably non-exfil.
+//
+// Benign classes (NOT attacker-spoofable):
+//   - loopback / RFC1918 private / link-local IPs, localhost, *.local        (local IPC)
+//   - reserved test domains (example.com, *.test, *.invalid)                 (RFC 2606/6761)
+//   - curated SaaS/cloud/AI provider API domains                            (cannot echo a
+//     POST body back to a third party — UNLIKE paste sites / bot webhooks, deliberately
+//     EXCLUDED, see SUSPICIOUS_DOMAIN_PATTERNS + the exclusion note below)
+// Deliberately NOT benign: package "own domain" from package.json (attacker writes it),
+// unknown domains, public IPs, suspicious tunnels/paste hosts. Any of those ⇒ keep firing.
+// Safe-by-default: no extractable host ⇒ NOT benign (do not suppress).
+
+// AI providers (2025-26) absent from the env→domain map. Bot/messaging/paste channels
+// (telegram, discord webhooks, pastebin, gist, transfer.sh, …) are intentionally absent:
+// they CAN relay an exfil POST to the attacker, so they must keep firing.
+const AI_PROVIDER_DOMAIN_SUFFIXES = [
+  'claude.com', 'openrouter.ai', 'deepseek.com', 'x.ai', 'mistral.ai', 'cohere.ai',
+  'cohere.com', 'huggingface.co', 'perplexity.ai', 'groq.com', 'together.ai',
+  'together.xyz', 'replicate.com', 'fireworks.ai', 'anyscale.com', 'ai21.com',
+  'voyageai.com', 'deepinfra.com',
+];
+
+// Flat suffix list = every domain already curated in SDK_ENV_DOMAIN_MAP + the AI extras.
+// Derived (not duplicated) so the two stay in sync. Matched via domainMatchesSuffix, which
+// is label-anchored: 'evilx.ai' does NOT match 'x.ai'.
+const PROVIDER_DOMAIN_SUFFIXES = Array.from(new Set([
+  ...SDK_ENV_DOMAIN_MAP.flatMap(m => m.domains),
+  ...AI_PROVIDER_DOMAIN_SUFFIXES,
+]));
+
+function stripPort(host) {
+  let h = String(host).trim().toLowerCase();
+  // Bracketed IPv6 with optional port: [::1]:443 / [::1] → ::1
+  const br = h.match(/^\[([^\]]+)\]/);
+  if (br) return br[1];
+  // host:port for IPv4 / hostname — only when there's a single colon (bare IPv6 like
+  // ::1 has multiple colons and must NOT be truncated).
+  if ((h.match(/:/g) || []).length === 1) h = h.replace(/:\d+$/, '');
+  return h;
+}
+
+// loopback / RFC1918 private / link-local / localhost / reserved-test domain.
+function isLocalOrReservedHost(host) {
+  const h = stripPort(host);
+  if (!h) return false;
+  if (h === 'localhost' || h.endsWith('.localhost') || h.endsWith('.local')) return true;
+  if (h === '::1' || h === '0:0:0:0:0:0:0:1') return true; // IPv6 loopback
+  if (h === 'example.com' || h === 'example.org' || h === 'example.net') return true;
+  if (h.endsWith('.example.com') || h.endsWith('.example.org') || h.endsWith('.example.net')) return true;
+  if (h.endsWith('.example') || h.endsWith('.test') || h.endsWith('.invalid')) return true;
+  const m = h.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
+  if (m) {
+    const a = +m[1], b = +m[2];
+    if (a === 127 || a === 0) return true;            // loopback / this-host
+    if (a === 10) return true;                        // 10.0.0.0/8
+    if (a === 172 && b >= 16 && b <= 31) return true; // 172.16.0.0/12
+    if (a === 192 && b === 168) return true;          // 192.168.0.0/16
+    if (a === 169 && b === 254) return true;          // 169.254.0.0/16 link-local
+    return false;                                     // any other IPv4 literal = public
+  }
+  return false;
+}
+
+// A public (non-loopback/private) IPv4 literal — a direct-IP exfil endpoint (ecto pattern).
+function isPublicIpHost(host) {
+  const h = stripPort(host);
+  if (!/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(h)) return false;
+  return !isLocalOrReservedHost(h);
+}
+
+// Extract every network host referenced in a file (URLs + Node request options).
+function extractHostsFromContent(fileContent) {
+  if (!fileContent) return [];
+  const urls = fileContent.match(URL_EXTRACT_RE) || [];
+  const hosts = urls.map(u => extractDomain(u)).filter(Boolean);
+  let m;
+  const re = new RegExp(HOSTNAME_OPTION_RE.source, 'g');
+  while ((m = re.exec(fileContent)) !== null) {
+    const h = m[1].toLowerCase();
+    if (h && !hosts.includes(h)) hosts.push(h);
+  }
+  // Bare host literals assigned as defaults, e.g. `process.env.HOST || "127.0.0.1"` then
+  // used as `host: HOST` (common "configurable local collector" shape — the variable host
+  // isn't matched above). Capture quoted IPv4 / localhost / 0.0.0.0 literals. Safe: any
+  // co-present public IP or unknown host still fails the all-benign check downstream, so
+  // this can only RELAX a file whose every literal host is loopback/private.
+  const LITERAL_HOST_RE = /['"`](localhost|0\.0\.0\.0|(?:\d{1,3}\.){3}\d{1,3})['"`]/g;
+  while ((m = LITERAL_HOST_RE.exec(fileContent)) !== null) {
+    const h = m[1].toLowerCase();
+    if (h && !hosts.includes(h)) hosts.push(h);
+  }
+  return hosts;
+}
+
+/**
+ * Destination-benignness gate for credential→network taint flows whose env var is not
+ * (or need not be) known. Returns true ONLY if EVERY extracted host is provably non-exfil
+ * (local/reserved OR a curated provider). Any suspicious/paste host, public IP, or unknown
+ * domain ⇒ false. No hosts found ⇒ false (cannot confirm).
+ *
+ * @param {string} fileContent - source of the file containing the network sink
+ * @returns {boolean} true ⇒ first-party/local, safe to downgrade the taint flow
+ */
+function networkDestinationsAllBenign(fileContent) {
+  const hosts = extractHostsFromContent(fileContent);
+  if (hosts.length === 0) return false;
+  for (const h of hosts) {
+    if (SUSPICIOUS_DOMAIN_PATTERNS.test(h)) return false;
+    if (isPublicIpHost(h)) return false;
+    if (isLocalOrReservedHost(h)) continue;
+    if (PROVIDER_DOMAIN_SUFFIXES.some(s => domainMatchesSuffix(h, [s]))) continue;
+    return false; // unknown / unrecognised destination → keep firing
+  }
+  return true;
+}
+
+module.exports = {
+  SDK_ENV_DOMAIN_MAP,
+  ENV_NOISE_TOKENS,
+  SUSPICIOUS_DOMAIN_PATTERNS,
+  URL_EXTRACT_RE,
+  HOSTNAME_OPTION_RE,
+  PROVIDER_DOMAIN_SUFFIXES,
+  extractEnvVarFromMessage,
+  extractBrandFromEnvVar,
+  extractDomain,
+  domainMatchesSuffix,
+  isSDKPattern,
+  stripPort,
+  isLocalOrReservedHost,
+  isPublicIpHost,
+  extractHostsFromContent,
+  networkDestinationsAllBenign,
+};