muaddib-scanner 2.11.117 → 2.11.119

package/README.md

@@ -30,7 +30,7 @@
 
 npm and PyPI supply-chain attacks are exploding. Shai-Hulud compromised 25K+ repos in 2025. Existing tools detect threats but don't help you respond.
 
-MUAD'DIB combines **20 parallel scanners** (264 detection rules), a **deobfuscation engine**, **inter-module dataflow analysis**, **compound scoring** (17 compound rules), and a gVisor/Docker sandbox to detect known threats and suspicious behavioral patterns in npm and PyPI packages. An XGBoost classifier exists in the codebase but is **currently inactive** (see [Evaluation Metrics](#evaluation-metrics) → ML Classifier section).
+MUAD'DIB combines **20 parallel scanners** (266 detection rules), a **deobfuscation engine**, **inter-module dataflow analysis**, **compound scoring** (17 compound rules), and a gVisor/Docker sandbox to detect known threats and suspicious behavioral patterns in npm and PyPI packages. An XGBoost classifier exists in the codebase but is **currently inactive** (see [Evaluation Metrics](#evaluation-metrics) → ML Classifier section).
 
 ---
 
@@ -202,9 +202,9 @@ muaddib replay                     # Ground truth validation (90/94 TPR@3, v2.11
 | Python Source (PYSRC) | Import-time / install-time RCE patterns in `__init__.py` / `setup.py` (v2.11.41 — closes TrapDoor PyPI gap) |
 | Python AST (PYAST) | Tree-sitter-Python AST with taint-aware detectors (v2.11.42+) |
 
-### 264 detection rules
+### 266 detection rules
 
-All rules (259 RULES + 5 PARANOID) are mapped to MITRE ATT&CK techniques. See [SECURITY.md](SECURITY.md#detection-rules-v21176) for the complete rules reference.
+All rules (261 RULES + 5 PARANOID) are mapped to MITRE ATT&CK techniques. See [SECURITY.md](SECURITY.md#detection-rules-v211117) for the complete rules reference.
 
 ### Detected campaigns
 
@@ -278,7 +278,7 @@ With pre-commit framework:
 ```yaml
 repos:
   - repo: https://github.com/DNSZLSK/muad-dib
-    rev: v2.11.76
+    rev: v2.11.117
     hooks:
       - id: muaddib-scan
 ```
@@ -303,7 +303,7 @@ These are the numbers a user gets when running `muaddib scan` against npm or PyP
 | **FPR PyPI** (v2.11.48, first honest measurement) | **9.68%** (12/124 scanned, 132 total) | **Track D fixed the PyPI downloader** — removed `pip --no-binary :all:` flag (forced compile of wheel-only packages, timed out 38% of the time) + added `.whl` extraction via `extractArchive()`. Brought 42 previously-skipped giants (numpy/pandas/django/matplotlib/scikit-learn/...) into scope. All 12 FPs cluster at score 25-35: this is the cap-PyPI-35 artifact, not new rule misfires. Lifting the cap (Track E) would drop FPR PyPI to ≈0%. 8 residual fails are >500MB packages (torch, tensorflow, scipy, opencv-python, ansible…) hitting the 30s `PACK_TIMEOUT_MS`. |
 | **ADR** (Adversarial + Holdout, v2.11.48) | **96.26%** (103/107) | 67 adversarial + 40 holdout, global threshold=20. Stable vs v2.10.95. |
 
-**4132 tests** across 115 files. **264 rules** (259 RULES + 5 PARANOID; v2.11.67/70 Phantom Gyp added PKG-023 + COMPOUND-017).
+**4414 tests** across 141 files. **266 rules** (261 RULES + 5 PARANOID; v2.11.67/70 Phantom Gyp added PKG-023 + COMPOUND-017).
 
 **Known issues (v2.11.48):**
 - *Cap PyPI à 35/100*: Python samples plafonnent à `riskScore=35` even when `globalRiskScore=100`. Confirmed empirically — all 12 PyPI FPs at score 25-35 (flask 32, django 35, tornado 35, bottle 30, pandas 25, matplotlib 25, plotly 25, bokeh 25, pymongo 35, coverage 32, fabric 35, websockets 35). Lifting the cap will simultaneously drop FPR PyPI to ≈0% and unblock PyPI MALWARE detection at higher thresholds. Track E target.
@@ -380,7 +380,7 @@ npm test
 
 ### Testing
 
-- **4132 tests** across 115 modular test files
+- **4414 tests** across 141 modular test files
 - **56 fuzz tests** - Malformed inputs, ReDoS, unicode, binary
 - **Datadog 17K benchmark** - 14,587 confirmed malware samples (in-scope)
 - **Ground truth validation** - 96 real-world attacks (95.74% TPR@3, 88.30% TPR@20 — v2.11.48 full measure on 94 in-scope)
@@ -401,7 +401,7 @@ npm test
 - [Documentation Index](docs/INDEX.md) - All documentation in one place
 - [Evaluation Methodology](docs/EVALUATION_METHODOLOGY.md) - Experimental protocol, holdout scores
 - [Threat Model](docs/threat-model.md) - What MUAD'DIB detects and doesn't detect
-- [Security Policy](SECURITY.md) - Detection rules reference (259 rules)
+- [Security Policy](SECURITY.md) - Detection rules reference (261 rules)
 - [Security Audit](docs/SECURITY_AUDIT.md) - Bypass validation report
 - [FP Analysis](docs/EVALUATION.md) - Historical false positive analysis
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.11.117",
+  "version": "2.11.119",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/{self-scan-v2.11.117.json → self-scan-v2.11.119.json}

@@ -1,6 +1,6 @@
 {
   "target": "node_modules",
-  "timestamp": "2026-06-14T18:18:10.262Z",
+  "timestamp": "2026-06-16T08:29:32.212Z",
   "threats": [
     {
       "type": "string_mutation_obfuscation",

package/src/integrations/webhook.js

@@ -406,7 +406,7 @@ async function resolveHostWithRetry(hostname, opts = {}) {
         dns.promises.resolve4(hostname).catch(() => []),
         dns.promises.resolve6(hostname).catch(() => [])
       ]);
-    } catch (e) { lastErr = e; }
+    } catch { /* DNS threw — ipv4/ipv6 stay [], handled by the no-records path below */ }
     const all = [...ipv4, ...ipv6];
     if (all.length > 0) return { ipv4, ipv6, all };
     lastErr = new Error(`Webhook blocked: no DNS records found for ${hostname}`);

package/src/monitor/daemon.js

@@ -9,7 +9,7 @@ const { setVerboseMode, isSandboxEnabled, isCanaryEnabled, isLlmDetectiveEnabled
 const { loadState, saveState, loadDailyStats, saveDailyStats, purgeTarballCache, isDailyReportDue, atomicWriteFileSync, saveNpmSeq, ALERTS_FILE, runStateMigrations, loadRecentlyScanned, saveRecentlyScanned } = require('./state.js');
 const { isTemporalEnabled, isTemporalAstEnabled, isTemporalPublishEnabled, isTemporalMaintainerEnabled } = require('./temporal.js');
 const { pendingGrouped, flushScopeGroup, sendDailyReport, redeliverPendingReportOnBoot, alertedPackageRules, ALERTED_PACKAGES_MAX: MAX_ALERTED_PACKAGES } = require('./webhook.js');
-const { poll, getPollBackoffMs } = require('./ingestion.js');
+const { poll, getPollBackoffMs, SOFT_BACKPRESSURE_THRESHOLD } = require('./ingestion.js');
 const { ensureWorkers, drainWorkers, getTargetConcurrency, setTargetConcurrency, getActiveWorkers, terminateAllWorkers, getInFlightItems, computeInterruptDisposition } = require('./queue.js');
 const { computeTarget, ADJUST_INTERVAL_MS, BASE_CONCURRENCY } = require('./adaptive-concurrency.js');
 const { startHealthcheck } = require('./healthcheck.js');
@@ -42,9 +42,25 @@ const SHUTDOWN_DRAIN_MAX_MS = (() => {
   return Number.isFinite(v) && v > 0 ? v : 20_000;
 })();
 
+// Drain ceiling (marge): re-ingest from the spill backlog as long as the live
+// queue stays a safe margin BELOW the ingestion backpressure point. The old
+// default (500) was unreachable in steady state — the live queue structurally
+// sits in the thousands (μ scan ≈ λ ingest in active hours), so the backlog
+// drained ~never and grew toward its cap (a one-way street). Tying the ceiling
+// to SOFT_BACKPRESSURE_THRESHOLD makes the drain a self-throttling trickle: it
+// fires during any non-congested window (pressure NONE + headroom) and stops as
+// the queue approaches the point where ingestion would pause anyway, so the
+// backlog never starves fresh ingestion. Env-tunable for live ops.
+const SPILL_DRAIN_MARGIN = (() => {
+  const v = parseInt(process.env.MUADDIB_SPILL_DRAIN_MARGIN, 10);
+  return Number.isFinite(v) && v > 0 ? v : 5_000;
+})();
 const SPILL_DRAIN_THRESHOLD = (() => {
   const v = parseInt(process.env.MUADDIB_SPILL_DRAIN_THRESHOLD, 10);
-  return Number.isFinite(v) && v > 0 ? v : 500;
+  if (Number.isFinite(v) && v > 0) return v;
+  // Default: a fixed margin below backpressure (30K - 5K = 25K). Clamp to >= 1
+  // in case a future backpressure value is smaller than the margin.
+  return Math.max(1, SOFT_BACKPRESSURE_THRESHOLD - SPILL_DRAIN_MARGIN);
 })();
 const SPILL_DRAIN_BATCH = (() => {
   const v = parseInt(process.env.MUADDIB_SPILL_DRAIN_BATCH, 10);

package/src/monitor/deferred-sandbox.js

@@ -6,11 +6,12 @@
  * Items are sorted by riskScore DESC (highest-risk first) to defend
  * against queue-poisoning attacks.
  *
- * The worker owns a dedicated sandbox slot (_deferredSlotBusy) that is
- * completely independent from the shared semaphore used by T1a/T1b/T2.
- * This guarantees the deferred worker can always process, regardless of
- * how many main-path sandboxes are running. The VPS supports N+1
- * concurrent gVisor containers (3 main + 1 deferred).
+ * The worker owns a dedicated POOL of sandbox slots (DEFERRED_SANDBOX_SLOTS,
+ * _deferredSlotsActive) that is completely independent from the shared semaphore
+ * used by the synchronous path. This guarantees the deferred worker can always
+ * process, regardless of how many main-path sandboxes are running, and runs
+ * several items concurrently so the queue actually drains (a single slot
+ * serialized all T1a deep sandboxes and the queue stayed permanently full).
  */
 const fs = require('fs');
 const path = require('path');
@@ -32,10 +33,23 @@ const DEFERRED_STATE_FILE = path.join(__dirname, '..', '..', 'data', 'deferred-q
 // slot. HIGH=10 pts is the intended T1b floor — values below 5 are LOW-only
 // aggregates which carry no actionable sandbox signal.
 const DEFERRED_MIN_SCORE = 5;
-// Hard ceiling on a single deferred sandbox run so the dedicated slot
-// (_deferredSlotBusy) can never wedge. maxRuns=1 self-bounds at ~SINGLE_RUN_TIMEOUT
-// (90s) + the sandbox watchdog grace; this AbortController is belt-and-suspenders.
+// Hard ceiling on a single deferred sandbox run so a deferred slot can never
+// wedge. maxRuns=1 self-bounds at ~SINGLE_RUN_TIMEOUT (90s) + the sandbox
+// watchdog grace; this AbortController is belt-and-suspenders.
 const DEFERRED_SANDBOX_TIMEOUT_MS = 150_000;
+// Number of CONCURRENT deferred sandbox runs. The old design used a single
+// boolean slot (1 at a time), which serialized ALL deferred T1a deep sandboxes
+// — measured at ~1 run / several minutes, so the queue (cap DEFERRED_QUEUE_MAX)
+// sat permanently full with items aging out at TTL. Phase 3 routed T1a's sandbox
+// here AND bypasses the shared semaphore, so the main pool (MUADDIB_SANDBOX_CONCURRENCY)
+// was sitting idle while everything queued behind one deferred slot. This pool
+// uses that idle capacity. Default 3 (conservative under the typical 4-slot main
+// pool); each gVisor container is ~512 MB, so 3 ≈ 1.5 GB — keep an eye on host
+// RSS if raised. Env-tunable for live ops.
+const DEFERRED_SANDBOX_SLOTS = (() => {
+  const v = parseInt(process.env.MUADDIB_DEFERRED_SANDBOX_SLOTS, 10);
+  return Number.isFinite(v) && v >= 1 ? v : 3;
+})();
 
 // Tier priority for the deferred queue. Phase 3 routes T1a's sandbox here (async)
 // instead of block-waiting a scan worker, so T1a is the highest-confidence tier and
@@ -61,7 +75,10 @@ const _deferredQueue = [];
 const _deferredSeen = new Set(); // name@version dedup
 let _workerHandle = null;
 let _stats = null; // reference to shared stats object
-let _deferredSlotBusy = false;   // Dedicated slot: true while deferred sandbox is running
+let _deferredSlotsActive = 0;    // Concurrent deferred sandbox runs in flight (0..DEFERRED_SANDBOX_SLOTS)
+// Indirection so tests can inject a controllable async sandbox without Docker
+// (the concurrency contract is verified behaviorally, not by source-grep).
+let _runSandboxFn = runSandbox;
 
 // ── Queue management ──
 
@@ -204,8 +221,11 @@ async function processDeferredItem(stats) {
 
   if (_deferredQueue.length === 0) return null;
 
-  // 2. Dedicated slot check — completely independent from main semaphore
-  if (_deferredSlotBusy) {
+  // 2. Pool slot check — completely independent from main semaphore. The
+  // synchronous prefix below (shift + increment) runs before the first await,
+  // so processDeferredBatch can launch several of these in a tight loop without
+  // over-subscribing: each increment is visible to the next iteration.
+  if (_deferredSlotsActive >= DEFERRED_SANDBOX_SLOTS) {
     if (stats) stats.deferredSkipped = (stats.deferredSkipped || 0) + 1;
     return null;
   }
@@ -215,10 +235,10 @@ async function processDeferredItem(stats) {
   const key = `${item.name}@${item.version}`;
   _deferredSeen.delete(key);
 
-  console.log(`[DEFERRED] PROCESSING: ${key} (tier=${_tierLabel(item.tier)}, score=${item.riskScore}, retries=${item.retries})`);
+  console.log(`[DEFERRED] PROCESSING: ${key} (tier=${_tierLabel(item.tier)}, score=${item.riskScore}, retries=${item.retries}, slots=${_deferredSlotsActive + 1}/${DEFERRED_SANDBOX_SLOTS})`);
 
-  // 4. Run sandbox on dedicated slot (bypasses shared semaphore)
-  _deferredSlotBusy = true;
+  // 4. Run sandbox on a pool slot (bypasses shared semaphore)
+  _deferredSlotsActive++;
   let sandboxResult;
   const ac = new AbortController();
   const deadline = setTimeout(() => ac.abort(), DEFERRED_SANDBOX_TIMEOUT_MS);
@@ -230,7 +250,7 @@ async function processDeferredItem(stats) {
     // single-run (maxRuns=1, ~90s vs ~270s) for fast deferred-queue drain.
     const maxRuns = item.tier === '1a' ? undefined : 1;
     markSandboxed(item.name); // stamp for sandbox-revalidation cadence (matches the synchronous path)
-    sandboxResult = await runSandbox(item.name, { canary, skipSemaphore: true, maxRuns, signal: ac.signal });
+    sandboxResult = await _runSandboxFn(item.name, { canary, skipSemaphore: true, maxRuns, signal: ac.signal });
     console.log(`[DEFERRED] SANDBOX COMPLETE: ${key} -> score=${sandboxResult.score}, severity=${sandboxResult.severity}`);
   } catch (err) {
     console.error(`[DEFERRED] SANDBOX ERROR: ${key} — ${err.message}`);
@@ -247,7 +267,7 @@ async function processDeferredItem(stats) {
     return null;
   } finally {
     clearTimeout(deadline);
-    _deferredSlotBusy = false;
+    _deferredSlotsActive--;
   }
 
   // 5. Follow-up webhook if sandbox found something
@@ -302,6 +322,31 @@ async function processDeferredItem(stats) {
   return sandboxResult;
 }
 
+/**
+ * Tick dispatcher: launch deferred items CONCURRENTLY up to the free pool slots.
+ * processDeferredItem runs its slot-acquire (shift + increment) synchronously
+ * before its first await, so each launch is visible to the next loop iteration —
+ * no over-subscription past DEFERRED_SANDBOX_SLOTS. Calls are fire-and-forget:
+ * processDeferredItem is fully self-contained (its try/catch/finally swallows
+ * sandbox errors and always releases the slot), so a launched run never rejects
+ * the dispatcher. Returns the number launched this tick (for tests/observability).
+ * @returns {number}
+ */
+function processDeferredBatch(stats) {
+  let launched = 0;
+  // Bound the loop by the free slot count so a transient queue can't spin it.
+  while (_deferredSlotsActive < DEFERRED_SANDBOX_SLOTS && _deferredQueue.length > 0) {
+    const before = _deferredSlotsActive;
+    const p = processDeferredItem(stats);
+    // If the slot wasn't acquired (e.g. queue emptied by pruning inside the call),
+    // stop — otherwise the guard above could loop without progress.
+    if (_deferredSlotsActive === before) break;
+    launched++;
+    if (p && typeof p.catch === 'function') p.catch(() => { /* self-handled */ });
+  }
+  return launched;
+}
+
 /**
  * Build Discord embed for deferred sandbox follow-up.
  */
@@ -348,10 +393,14 @@ function buildDeferredFollowUpEmbed(name, version, ecosystem, sandboxResult, sta
 function startDeferredWorker(stats) {
   _stats = stats;
   if (_workerHandle) return _workerHandle;
-  console.log(`[DEFERRED] Worker started (interval=${DEFERRED_WORKER_INTERVAL_MS / 1000}s, max=${DEFERRED_QUEUE_MAX}, ttl=${DEFERRED_TTL_MS / 3600000}h)`);
-  _workerHandle = setInterval(async () => {
+  console.log(`[DEFERRED] Worker started (interval=${DEFERRED_WORKER_INTERVAL_MS / 1000}s, max=${DEFERRED_QUEUE_MAX}, slots=${DEFERRED_SANDBOX_SLOTS}, ttl=${DEFERRED_TTL_MS / 3600000}h)`);
+  _workerHandle = setInterval(() => {
     try {
-      await processDeferredItem(_stats);
+      // Fill free pool slots each tick. The dispatcher launches concurrent runs
+      // (fire-and-forget); long-running sandboxes keep their slots across ticks,
+      // so steady state is DEFERRED_SANDBOX_SLOTS in flight while the queue drains.
+      pruneExpired(_stats);
+      processDeferredBatch(_stats);
     } catch (err) {
       console.error(`[DEFERRED] Worker tick error: ${err.message}`);
     }
@@ -465,12 +514,25 @@ function _resetDeferredQueue() {
   _deferredQueue.length = 0;
   _deferredSeen.clear();
   _stats = null;
-  _deferredSlotBusy = false;
+  _deferredSlotsActive = 0;
+  _runSandboxFn = runSandbox;
   stopDeferredWorker();
 }
 
+// Test seam: inject a controllable sandbox runner (restored by _resetDeferredQueue).
+function _setRunSandboxForTest(fn) {
+  _runSandboxFn = fn || runSandbox;
+}
+
+// True while at least one deferred sandbox is in flight. Kept for back-compat
+// (callers/tests that only care "is the deferred path active"); use
+// getDeferredSlotsActive() for the concurrent count.
 function isDeferredSlotBusy() {
-  return _deferredSlotBusy;
+  return _deferredSlotsActive > 0;
+}
+
+function getDeferredSlotsActive() {
+  return _deferredSlotsActive;
 }
 
 /**
@@ -492,14 +554,18 @@ module.exports = {
   startDeferredWorker,
   stopDeferredWorker,
   processDeferredItem,
+  processDeferredBatch,
   persistDeferredQueue,
   restoreDeferredQueue,
   buildDeferredFollowUpEmbed,
   pruneExpired,
   isDeferredSlotBusy,
+  getDeferredSlotsActive,
   clearDeferredQueue,
   _resetDeferredQueue,
+  _setRunSandboxForTest,
   DEFERRED_QUEUE_MAX,
+  DEFERRED_SANDBOX_SLOTS,
   DEFERRED_TTL_MS,
   DEFERRED_MAX_RETRIES,
   DEFERRED_WORKER_INTERVAL_MS,

package/src/monitor/ingestion.js

@@ -1528,6 +1528,7 @@ module.exports = {
   POLL_INTERVAL,
   POLL_MAX_BACKOFF,
   MAX_RESPONSE_BYTES,
+  SOFT_BACKPRESSURE_THRESHOLD,
 
   // Mutable state
   getConsecutivePollErrors,

package/src/monitor/spill.js

@@ -182,7 +182,13 @@ function _compactBacklog(file, ledgerFn = null) {
 
 /**
  * Pure drain predicate (exported for tests + the daemon main loop): drain only
- * when memory pressure is fully cleared AND the live queue has headroom.
+ * when memory pressure is fully cleared AND the live queue is below the drain
+ * ceiling. `threshold` is a MARGE ceiling (a margin below the ingestion
+ * backpressure point — see daemon.js SPILL_DRAIN_THRESHOLD), NOT a "queue nearly
+ * empty" low-water mark: the latter (the old 500/5000) was unreachable in steady
+ * state, so the backlog never drained. With the marge ceiling the drain is a
+ * self-throttling trickle — it auto-stops the moment pressure rises (≥ ELEVATED)
+ * or the queue climbs toward backpressure, so it never starves fresh ingestion.
  */
 function shouldDrain(pressureLevel, queueLen, threshold) {
   return pressureLevel === 0 && queueLen < threshold;

package/src/scanner/ast-detectors/handle-import-expression.js

@@ -3,6 +3,55 @@
 const {
   SOLANA_PACKAGES
 } = require('./constants.js');
+const { containsDecodePattern } = require('./helpers.js');
+
+// Gate #2 (FPR 2026-06-15 — Étape 0 adjudication): a computed dynamic import() is only
+// remote-code-loading when there is positive evidence of a remote/decoded/env-driven target
+// (URL literal, .replace() URL manipulation, atob/Buffer decode, or a process.env-sourced
+// specifier). Bounded-local imports — CLI subcommand dispatchers (import(MAP[cmd])), layout/i18n
+// loaders (import(`../x/${name}.js`)), dep-resolve / own-dist shims (import(join(dir,'dist/main.js')))
+// — were ~19% of the band-20-49 false positives with 0 TP. Without evidence, computed imports
+// stay HIGH (still fires, but ~25→10 pts: sub-threshold alone) instead of CRITICAL. Flag-gated;
+// when the flag is off the legacy CRITICAL-on-Identifier/TemplateLiteral behavior is preserved.
+function _importStaticText(node) {
+  if (!node) return '';
+  if (node.type === 'Literal') return typeof node.value === 'string' ? node.value : '';
+  if (node.type === 'TemplateLiteral') {
+    return (node.quasis || [])
+      .map(q => (q.value && (q.value.cooked != null ? q.value.cooked : q.value.raw)) || '')
+      .join(' ');
+  }
+  if (node.type === 'BinaryExpression' && node.operator === '+') {
+    return _importStaticText(node.left) + ' ' + _importStaticText(node.right);
+  }
+  return '';
+}
+
+function _isProcessEnvMember(node) {
+  return !!node && node.type === 'MemberExpression' &&
+    node.object && node.object.type === 'MemberExpression' &&
+    node.object.object && node.object.object.type === 'Identifier' && node.object.object.name === 'process' &&
+    node.object.property && node.object.property.type === 'Identifier' && node.object.property.name === 'env';
+}
+
+function _importRemoteEvidence(src, ctx) {
+  // URL manipulation (GlassWorm): import(x.replace(...))
+  if (src.type === 'CallExpression' && src.callee && src.callee.type === 'MemberExpression' &&
+      src.callee.property && src.callee.property.name === 'replace') return true;
+  // env-driven specifier: import(process.env.X), or import(v) where v was assigned from process.env.X
+  if (_isProcessEnvMember(src)) return true;
+  if (src.type === 'Identifier' && ctx.varSource && ctx.varSource.get(src.name) === 'env_var') return true;
+  // identifier resolving to a URL string literal: const u = 'https://evil/x.js'; import(u)
+  if (src.type === 'Identifier' && ctx.stringVarValues) {
+    const resolved = ctx.stringVarValues.get(src.name);
+    if (resolved && /https?:|:\/\//i.test(resolved)) return true;
+  }
+  // runtime decode: import(atob(...)) / import(Buffer.from(...).toString())
+  if (containsDecodePattern(src)) return true;
+  // explicit URL scheme in the static parts of the specifier
+  if (/https?:|:\/\//i.test(_importStaticText(src))) return true;
+  return false;
+}
 
 function handleImportExpression(node, ctx) {
   if (node.source) {
@@ -25,11 +74,29 @@ function handleImportExpression(node, ctx) {
       if (SOLANA_PACKAGES.some(pkg => src.value === pkg)) {
         ctx.hasSolanaImport = true;
       }
+    } else if (process.env.MUADDIB_DYNIMPORT_BOUNDED === '1') {
+      // Gate #2 (downgrade-only — never escalates above legacy severity, so it cannot raise FPR):
+      // a legacy-CRITICAL computed import (Identifier / TemplateLiteral / .replace URL) drops to HIGH
+      // when there is NO remote/decode/env evidence (bounded/local: CLI dispatchers, layout/i18n
+      // loaders, dep-resolve shims). With evidence it stays CRITICAL; a legacy-HIGH argument stays HIGH.
+      const legacyCritical = src.type === 'Identifier' || src.type === 'TemplateLiteral' ||
+        (src.type === 'CallExpression' && src.callee?.property?.name === 'replace');
+      const bounded = legacyCritical && !_importRemoteEvidence(src, ctx);
+      ctx.threats.push({
+        type: 'dynamic_import',
+        severity: bounded ? 'HIGH' : (legacyCritical ? 'CRITICAL' : 'HIGH'),
+        message: bounded
+          ? 'Dynamic import() with computed (bounded/local) argument — possible obfuscation.'
+          : (legacyCritical
+              ? 'Dynamic import() with computed URL argument — remote code loading from dynamically constructed URL.'
+              : 'Dynamic import() with computed argument (possible obfuscation).'),
+        file: ctx.relFile
+      });
     } else {
-      // Blue Team v8b (C6): Dynamic import with non-literal arg — if it's a variable
-      // built from URL manipulation, this is remote code loading
-      const isCritical = node.source.type === 'Identifier' || node.source.type === 'TemplateLiteral' ||
-        (node.source.type === 'CallExpression' && node.source.callee?.property?.name === 'replace');
+      // Legacy behavior (gate off): Blue Team v8b (C6) — non-literal arg is CRITICAL when it
+      // looks like a constructed URL (Identifier / TemplateLiteral / .replace()).
+      const isCritical = src.type === 'Identifier' || src.type === 'TemplateLiteral' ||
+        (src.type === 'CallExpression' && src.callee?.property?.name === 'replace');
       ctx.threats.push({
         type: 'dynamic_import',
         severity: isCritical ? 'CRITICAL' : 'HIGH',

package/src/scanner/ast-detectors/handle-post-walk.js

@@ -216,6 +216,11 @@ function handlePostWalk(ctx) {
     });
   }
 
+  // Per-file network-destination verdict (decoy-safe): true iff every literal host is
+  // local/reserved or a curated provider; any public-IP/suspicious/unknown host — or no host —
+  // ⇒ false. Reused by the detached/uncaught-exfil compounds below.
+  const destAllBenign = ctx._content ? networkDestinationsAllBenign(ctx._content) : false;
+
   // Credential regex harvesting: credential-matching regex + network call in same file
   // Real-world pattern: Transform/stream that scans data for tokens/passwords and exfiltrates
   if (ctx.hasCredentialRegex && ctx.hasNetworkCallInFile) {
@@ -328,7 +333,7 @@ function handlePostWalk(ctx) {
   // destination in the file is first-party/local/provider (e.g. an otel collector on
   // localhost, an SDK POST to its own API). A suspicious/unknown/public-IP host — or no
   // literal host at all — leaves it firing (conservative: confirmed-benign only).
-  const destAllBenign = ctx._content ? networkDestinationsAllBenign(ctx._content) : false;
+  // (destAllBenign is computed once above, at the credential_regex_harvest emission site.)
   if (hasDetachedInFile && hasSensitiveEnvInFile && ctx.hasNetworkCallInFile && !destAllBenign) {
     ctx.threats.push({
       type: 'detached_credential_exfil',

package/src/scanner/dataflow.js

@@ -1043,6 +1043,40 @@ function analyzeFile(content, filePath, basePath) {
       }
     }
 
+    // Gate #1 (FPR 2026-06-15 — Étape 0 adjudication): the C7 block above only covers pure
+    // env_read sources; the dominant live FP cluster (~25% of band 20-49, 0 TP) is a
+    // credential_env_read API key (OPENAI_API_KEY, YINGDAO_ACCESS_TOKEN, …) flowing to the
+    // package's OWN first-party API or a curated provider. The decoy-safe discriminant is
+    // brand coherence (env-var brand ↔ host label) + curated providers + local hosts, applied
+    // to EVERY destination. Limited to env-like sources (a credential_read FILE, command_output,
+    // or fingerprint_read source stays CRITICAL — those are genuinely higher-risk). Downgrade to
+    // MEDIUM so the signal survives; residual = compromised first-party domain, the same risk the
+    // mature/MT-1 cap already accepts. Flag-gated (default off) for measure-then-flip rollout.
+    if (process.env.MUADDIB_DF_SDK_GATE === '1' &&
+        (severity === 'CRITICAL' || severity === 'HIGH')) {
+      const envLike = sources.filter(s => s.type === 'env_read' || s.type === 'credential_env_read');
+      const onlyEnvLike = sources.every(s =>
+        s.type === 'env_read' || s.type === 'credential_env_read' || s.type === 'telemetry_read');
+      if (envLike.length > 0 && onlyEnvLike) {
+        try {
+          const { extractBrandFromEnvVar, networkDestinationsAllBenignOrBrand } = require('../sdk-destination.js');
+          const gateContent = fs.readFileSync(filePath, 'utf8');
+          const brands = envLike.map(s => {
+            const envVar = s.name
+              .replace(/^process\.env\./, '')
+              .replace(/^process\.env\[['"]/, '')
+              .replace(/['"]\]$/, '');
+            return extractBrandFromEnvVar(envVar);
+          }).filter(Boolean);
+          if (networkDestinationsAllBenignOrBrand(gateContent, brands)) {
+            severity = 'MEDIUM';
+          }
+        } catch {
+          // sdk-destination / file read unavailable — keep severity
+        }
+      }
+    }
+
     const sourceDesc = hasCommandOutput ? 'command output' : 'credentials read';
     threats.push({
       type: 'suspicious_dataflow',

package/src/scanner/module-graph/detect-cross-file.js

@@ -978,7 +978,7 @@ function isNetworkSinkDescriptor(sink) {
  * file references a suspicious/paste host, a public IP, or any unknown domain (so a real
  * exfil like ecto — webhook.site + direct-IP — keeps firing). The package stays visible
  * via its other (lower-severity) signals, the same way intent-graph skips SDK pairs.
- * Rationale + corpus: FPR-segment-A-diagnosis-2026-06-14.md.
+ * Rationale + corpus: chantier FPR segment A (2026-06).
  *
  * @param {Array} flows - assembled cross-file flows (main + callback + emitter)
  * @param {string} packagePath - package root, to resolve sink file content

package/src/scoring.js

@@ -1051,6 +1051,25 @@ function _hasExfilSink(threats) {
   return threats.some(t => EXFIL_SINK_TYPES.has(t.type) && t.severity !== 'LOW');
 }
 
+// Sink-coupling (chantier 2026-06-15): the subset of EXFIL_SINK_TYPES that PROVES taint or
+// unambiguous structural malice — NOT mere host-reputation string presence. When one of these
+// co-occurs with credential_regex_harvest it stays HIGH (anti-FN floor: protects cross-file
+// read→exfil and the intent/detached/staged compounds). The complement (suspicious_domain,
+// direct_ip_exfil, ioc_string_match, ioc_match) is host-reputation-only.
+const PROVEN_EXFIL_SINK_TYPES = new Set([
+  'known_malicious_package', 'pypi_malicious_package', 'shai_hulud_marker',
+  'detached_credential_exfil', 'silent_stealth_process',
+  'curl_pipe_shell', 'curl_env_exfil', 'reverse_shell', 'dns_exfil', 'oast_callback',
+  'function_constructor_require', 'staged_remote_loader', 'staged_eval_decode',
+  'fetch_decrypt_exec', 'download_exec_binary', 'self_destruct_eval',
+  'newsletter_auto_follow', 'cross_file_dataflow', 'intent_credential_exfil',
+  'intent_command_exfil', 'sandbox_known_exfil_domain', 'sandbox_network_after_sensitive_read'
+]);
+function _hasProvenExfilSink(threats) {
+  if (!Array.isArray(threats)) return false;
+  return threats.some(t => PROVEN_EXFIL_SINK_TYPES.has(t.type) && t.severity !== 'LOW');
+}
+
 function applyFPReductions(threats, reachableFiles, packageName, packageDeps, reachableFunctions) {
   // Initialize reductions audit trail on each threat
   // Store original severity before any FP reductions, so compound
@@ -1196,7 +1215,7 @@ function applyFPReductions(threats, reachableFiles, packageName, packageDeps, re
     }
   }
 
-  // FPR sink-coupling gate (chantier 2026-06 — FPR-baseline-2026-06-14.md). credential_regex_harvest
+  // FPR sink-coupling gate (chantier FPR 2026-06). credential_regex_harvest
   // is a weak signal alone: a credential-shaped regex co-located with a network call, with NO proof
   // the matched secret flows out and NO host-reputation check (ast.js:hasCredentialInsideRegex +
   // hasNetworkCallInFile). The blind FPR baseline measured 94.4% FP on it — it fires on nodemailer
@@ -1206,13 +1225,23 @@ function applyFPReductions(threats, reachableFiles, packageName, packageDeps, re
   // taint ...). When no such sink is present, downgrade HIGH/CRITICAL → LOW. Runs after the dilution
   // floor so the floor's restored instance is also gated (the floor protects real exfil; with no sink
   // there is nothing to protect). No GT sample relies on credential_regex_harvest (verified).
-  if (!_hasExfilSink(threats)) {
-    for (const t of threats) {
-      if (t.type === 'credential_regex_harvest' && (t.severity === 'HIGH' || t.severity === 'CRITICAL')) {
-        t.reductions.push({ rule: 'sink_coupling', from: t.severity, to: 'LOW' });
-        t.severity = 'LOW';
-      }
+  // Sink-coupling for credential_regex_harvest (per-instance, two-way): a proven taint /
+  // structural-malice sink ⇒ keep HIGH (anti-FN floor); no exfil sink at all ⇒ LOW.
+  const _crhProvenSink = _hasProvenExfilSink(threats);
+  const _crhAnySink = _hasExfilSink(threats);
+  for (const t of threats) {
+    if (t.type !== 'credential_regex_harvest') continue;
+    if (t.severity !== 'HIGH' && t.severity !== 'CRITICAL') continue;
+    // (1) anti-FN floor: a proven taint / structural-malice sink ⇒ keep HIGH (host/flag irrelevant).
+    if (_crhProvenSink) continue;
+    // (2) no exfil sink at all ⇒ LOW (legacy behavior, flag-independent).
+    if (!_crhAnySink) {
+      t.reductions.push({ rule: 'sink_coupling', from: t.severity, to: 'LOW' });
+      t.severity = 'LOW';
+      continue;
     }
+    // (3) only host-reputation sink(s) co-occur ⇒ keep HIGH (fall-through). A host-coupling
+    //     downgrade here (gate #3, MUADDIB_CRH_HOST_GATE) was measured inert and removed 2026-06-15.
   }
 
   for (const t of threats) {

package/src/sdk-destination.js

@@ -88,7 +88,7 @@ function extractDomain(url) {
     // Capture only valid hostname characters so a path-less URL immediately followed by
     // a quote/paren (e.g. fetch('https://api.openai.com')) does not absorb the trailing
     // ')" into the host. Stops at /, :, ?, #, quotes, parens, etc.
-    const match = url.match(/^https?:\/\/([a-zA-Z0-9.\-]+)/i);
+    const match = url.match(/^https?:\/\/([a-zA-Z0-9.-]+)/i);
     return match ? match[1].toLowerCase() : null;
   } catch {
     return null;
@@ -308,6 +308,45 @@ function networkDestinationsAllBenign(fileContent) {
   return true;
 }
 
+/**
+ * Gate #1 variant of networkDestinationsAllBenign: a host ALSO passes if one of its labels
+ * matches a credential env-var BRAND (e.g. YINGDAO_ACCESS_TOKEN → api.yingdao.com). This covers
+ * the dominant credential→own-API FP cluster (Étape 0 2026-06-15: ~25% of band 20-49, 0 TP) that
+ * networkDestinationsAllBenign rejects because a package's own domain is not a curated provider.
+ * Decoy-safe by construction: EVERY host must be local/reserved OR a curated provider OR
+ * brand-coherent; any unknown / public-IP / suspicious-tunnel host ⇒ false. No hosts ⇒ false.
+ * Brand coherence is not attacker-spoofable for the credential-theft case: stealing a VICTIM's
+ * OTHER-service key (OPENAI_API_KEY) and sending it to attacker.com yields brand "openai" vs label
+ * "attacker" ⇒ mismatch ⇒ keeps firing.
+ *
+ * @param {string} fileContent - source of the file containing the network sink
+ * @param {string[]} brands - brand tokens extracted from the credential env-var names
+ * @returns {boolean}
+ */
+function networkDestinationsAllBenignOrBrand(fileContent, brands) {
+  const hosts = extractHostsFromContent(fileContent);
+  if (hosts.length === 0) return false;
+  // RFC 2606 / 6761 documentation & test placeholders (example.com/.net/.org, *.test, *.invalid)
+  // are NOT real SDK destinations — no benign SDK ships a live credential flow to example.com.
+  // A credential→placeholder flow is either a synthetic exfil sample or an evasion stand-in, so it
+  // must keep firing (it is deliberately NOT in the local-IPC benign class, unlike loopback/RFC1918).
+  const DOC_DOMAIN_RE = /(^|\.)example\.(?:com|net|org)$|\.(?:test|example|invalid)$/i;
+  const brandSet = (brands || [])
+    .map(b => String(b || '').toLowerCase())
+    .filter(b => b.length >= 3);
+  for (const h of hosts) {
+    if (SUSPICIOUS_DOMAIN_PATTERNS.test(h)) return false;
+    if (isPublicIpHost(h)) return false;
+    if (DOC_DOMAIN_RE.test(h)) return false;
+    if (isLocalOrReservedHost(h)) continue;
+    if (PROVIDER_DOMAIN_SUFFIXES.some(s => domainMatchesSuffix(h, [s]))) continue;
+    const labels = String(h).toLowerCase().split('.');
+    if (brandSet.length && labels.some(l => brandSet.includes(l))) continue;
+    return false; // unknown / unrecognised destination → keep firing
+  }
+  return true;
+}
+
 module.exports = {
   SDK_ENV_DOMAIN_MAP,
   ENV_NOISE_TOKENS,
@@ -320,6 +359,7 @@ module.exports = {
   extractDomain,
   domainMatchesSuffix,
   isSDKPattern,
+  networkDestinationsAllBenignOrBrand,
   stripPort,
   isLocalOrReservedHost,
   isPublicIpHost,