muaddib-scanner 2.11.118 → 2.11.120

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.11.118",
+  "version": "2.11.120",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/{self-scan-v2.11.118.json → self-scan-v2.11.120.json}

@@ -1,6 +1,6 @@
 {
   "target": "node_modules",
-  "timestamp": "2026-06-15T12:53:45.305Z",
+  "timestamp": "2026-06-18T19:56:37.339Z",
   "threats": [
     {
       "type": "string_mutation_obfuscation",

package/src/monitor/daemon.js

@@ -9,10 +9,11 @@ const { setVerboseMode, isSandboxEnabled, isCanaryEnabled, isLlmDetectiveEnabled
 const { loadState, saveState, loadDailyStats, saveDailyStats, purgeTarballCache, isDailyReportDue, atomicWriteFileSync, saveNpmSeq, ALERTS_FILE, runStateMigrations, loadRecentlyScanned, saveRecentlyScanned } = require('./state.js');
 const { isTemporalEnabled, isTemporalAstEnabled, isTemporalPublishEnabled, isTemporalMaintainerEnabled } = require('./temporal.js');
 const { pendingGrouped, flushScopeGroup, sendDailyReport, redeliverPendingReportOnBoot, alertedPackageRules, ALERTED_PACKAGES_MAX: MAX_ALERTED_PACKAGES } = require('./webhook.js');
-const { poll, getPollBackoffMs } = require('./ingestion.js');
+const { poll, getPollBackoffMs, SOFT_BACKPRESSURE_THRESHOLD } = require('./ingestion.js');
 const { ensureWorkers, drainWorkers, getTargetConcurrency, setTargetConcurrency, getActiveWorkers, terminateAllWorkers, getInFlightItems, computeInterruptDisposition } = require('./queue.js');
 const { computeTarget, ADJUST_INTERVAL_MS, BASE_CONCURRENCY } = require('./adaptive-concurrency.js');
 const { startHealthcheck } = require('./healthcheck.js');
+const { startLagSampler } = require('./event-loop-monitor.js');
 const { startDeferredWorker, stopDeferredWorker, persistDeferredQueue, restoreDeferredQueue, clearDeferredQueue } = require('./deferred-sandbox.js');
 const { evictFromScanQueueBulk, enqueueScan } = require('./scan-queue.js');
 const { isSpillEnabled, shouldDrain, drainBacklog, getBacklogSize } = require('./spill.js');
@@ -42,9 +43,25 @@ const SHUTDOWN_DRAIN_MAX_MS = (() => {
   return Number.isFinite(v) && v > 0 ? v : 20_000;
 })();
 
+// Drain ceiling (marge): re-ingest from the spill backlog as long as the live
+// queue stays a safe margin BELOW the ingestion backpressure point. The old
+// default (500) was unreachable in steady state — the live queue structurally
+// sits in the thousands (μ scan ≈ λ ingest in active hours), so the backlog
+// drained ~never and grew toward its cap (a one-way street). Tying the ceiling
+// to SOFT_BACKPRESSURE_THRESHOLD makes the drain a self-throttling trickle: it
+// fires during any non-congested window (pressure NONE + headroom) and stops as
+// the queue approaches the point where ingestion would pause anyway, so the
+// backlog never starves fresh ingestion. Env-tunable for live ops.
+const SPILL_DRAIN_MARGIN = (() => {
+  const v = parseInt(process.env.MUADDIB_SPILL_DRAIN_MARGIN, 10);
+  return Number.isFinite(v) && v > 0 ? v : 5_000;
+})();
 const SPILL_DRAIN_THRESHOLD = (() => {
   const v = parseInt(process.env.MUADDIB_SPILL_DRAIN_THRESHOLD, 10);
-  return Number.isFinite(v) && v > 0 ? v : 500;
+  if (Number.isFinite(v) && v > 0) return v;
+  // Default: a fixed margin below backpressure (30K - 5K = 25K). Clamp to >= 1
+  // in case a future backpressure value is smaller than the margin.
+  return Math.max(1, SOFT_BACKPRESSURE_THRESHOLD - SPILL_DRAIN_MARGIN);
 })();
 const SPILL_DRAIN_BATCH = (() => {
   const v = parseInt(process.env.MUADDIB_SPILL_DRAIN_BATCH, 10);
@@ -950,6 +967,7 @@ async function startMonitor(options, stats, dailyAlerts, recentlyScanned, downlo
   let pollIntervalHandle = null;   // Decoupled poll timer — set after initial poll
   let queuePersistHandle = null;   // Queue persistence timer
   let concurrencyAdjustHandle = null; // Adaptive concurrency timer
+  let loopLagSamplerStop = null;   // Event-loop stall attribution (instrumentation)
 
   // Restore queue from previous run (if file exists and is < 24h old)
   const restoredCount = restoreQueue(scanQueue);
@@ -985,6 +1003,10 @@ async function startMonitor(options, stats, dailyAlerts, recentlyScanned, downlo
       clearInterval(concurrencyAdjustHandle);
       concurrencyAdjustHandle = null;
     }
+    if (loopLagSamplerStop) {
+      loopLagSamplerStop();
+      loopLagSamplerStop = null;
+    }
     // Bounded drain (phase C, C7). The old unbounded `await drainWorkers()`
     // could outlive systemd's TimeoutStopSec (scans run up to 300s): SIGKILL
     // then landed MID-drain, persistQueue never ran, and every in-flight scan
@@ -1093,6 +1115,24 @@ async function startMonitor(options, stats, dailyAlerts, recentlyScanned, downlo
     }
   }, ADJUST_INTERVAL_MS);
 
+  // ─── Event-loop stall attribution (instrumentation only — see event-loop-monitor.js) ───
+  // The RSS breaker, governor RSS feed and EMERGENCY purge all live on these
+  // main-thread timers; a long SYNC op (extractAllTo) that wedges the loop
+  // disables them silently → unchecked RSS climb → cgroup OOM (4-6 min of zero
+  // completions/logs before every kill, 2026-06-17/18). NAME the culprit op so the
+  // real fix targets it. Off-switch: MUADDIB_LOOP_MONITOR=0.
+  if (process.env.MUADDIB_LOOP_MONITOR !== '0') {
+    loopLagSamplerStop = startLagSampler({
+      onStall: (r) => {
+        const o = r.op;
+        const where = o
+          ? ` during op=${o.label}${o.meta && o.meta.name ? ` ${o.meta.name}@${o.meta.version || '?'}${o.meta.unpackedSizeMb != null ? ` (${o.meta.unpackedSizeMb}MB)` : ''}` : ''}${o.running ? ', STILL RUNNING' : ''}`
+          : ' (no op breadcrumb — widen instrumentation)';
+        console.warn(`[MONITOR] LOOP-STALL: event loop blocked ${r.blockedSec}s${where} | rss=${r.rssMb}MB`);
+      }
+    });
+  }
+
   // ─── Decoupled polling ───
   // Poll runs on its own interval, independent of processing.
   // This ensures new packages are ingested even while a large batch is being scanned.

package/src/monitor/deferred-sandbox.js

@@ -6,11 +6,12 @@
  * Items are sorted by riskScore DESC (highest-risk first) to defend
  * against queue-poisoning attacks.
  *
- * The worker owns a dedicated sandbox slot (_deferredSlotBusy) that is
- * completely independent from the shared semaphore used by T1a/T1b/T2.
- * This guarantees the deferred worker can always process, regardless of
- * how many main-path sandboxes are running. The VPS supports N+1
- * concurrent gVisor containers (3 main + 1 deferred).
+ * The worker owns a dedicated POOL of sandbox slots (DEFERRED_SANDBOX_SLOTS,
+ * _deferredSlotsActive) that is completely independent from the shared semaphore
+ * used by the synchronous path. This guarantees the deferred worker can always
+ * process, regardless of how many main-path sandboxes are running, and runs
+ * several items concurrently so the queue actually drains (a single slot
+ * serialized all T1a deep sandboxes and the queue stayed permanently full).
  */
 const fs = require('fs');
 const path = require('path');
@@ -32,10 +33,23 @@ const DEFERRED_STATE_FILE = path.join(__dirname, '..', '..', 'data', 'deferred-q
 // slot. HIGH=10 pts is the intended T1b floor — values below 5 are LOW-only
 // aggregates which carry no actionable sandbox signal.
 const DEFERRED_MIN_SCORE = 5;
-// Hard ceiling on a single deferred sandbox run so the dedicated slot
-// (_deferredSlotBusy) can never wedge. maxRuns=1 self-bounds at ~SINGLE_RUN_TIMEOUT
-// (90s) + the sandbox watchdog grace; this AbortController is belt-and-suspenders.
+// Hard ceiling on a single deferred sandbox run so a deferred slot can never
+// wedge. maxRuns=1 self-bounds at ~SINGLE_RUN_TIMEOUT (90s) + the sandbox
+// watchdog grace; this AbortController is belt-and-suspenders.
 const DEFERRED_SANDBOX_TIMEOUT_MS = 150_000;
+// Number of CONCURRENT deferred sandbox runs. The old design used a single
+// boolean slot (1 at a time), which serialized ALL deferred T1a deep sandboxes
+// — measured at ~1 run / several minutes, so the queue (cap DEFERRED_QUEUE_MAX)
+// sat permanently full with items aging out at TTL. Phase 3 routed T1a's sandbox
+// here AND bypasses the shared semaphore, so the main pool (MUADDIB_SANDBOX_CONCURRENCY)
+// was sitting idle while everything queued behind one deferred slot. This pool
+// uses that idle capacity. Default 3 (conservative under the typical 4-slot main
+// pool); each gVisor container is ~512 MB, so 3 ≈ 1.5 GB — keep an eye on host
+// RSS if raised. Env-tunable for live ops.
+const DEFERRED_SANDBOX_SLOTS = (() => {
+  const v = parseInt(process.env.MUADDIB_DEFERRED_SANDBOX_SLOTS, 10);
+  return Number.isFinite(v) && v >= 1 ? v : 3;
+})();
 
 // Tier priority for the deferred queue. Phase 3 routes T1a's sandbox here (async)
 // instead of block-waiting a scan worker, so T1a is the highest-confidence tier and
@@ -61,7 +75,10 @@ const _deferredQueue = [];
 const _deferredSeen = new Set(); // name@version dedup
 let _workerHandle = null;
 let _stats = null; // reference to shared stats object
-let _deferredSlotBusy = false;   // Dedicated slot: true while deferred sandbox is running
+let _deferredSlotsActive = 0;    // Concurrent deferred sandbox runs in flight (0..DEFERRED_SANDBOX_SLOTS)
+// Indirection so tests can inject a controllable async sandbox without Docker
+// (the concurrency contract is verified behaviorally, not by source-grep).
+let _runSandboxFn = runSandbox;
 
 // ── Queue management ──
 
@@ -204,8 +221,11 @@ async function processDeferredItem(stats) {
 
   if (_deferredQueue.length === 0) return null;
 
-  // 2. Dedicated slot check — completely independent from main semaphore
-  if (_deferredSlotBusy) {
+  // 2. Pool slot check — completely independent from main semaphore. The
+  // synchronous prefix below (shift + increment) runs before the first await,
+  // so processDeferredBatch can launch several of these in a tight loop without
+  // over-subscribing: each increment is visible to the next iteration.
+  if (_deferredSlotsActive >= DEFERRED_SANDBOX_SLOTS) {
     if (stats) stats.deferredSkipped = (stats.deferredSkipped || 0) + 1;
     return null;
   }
@@ -215,10 +235,10 @@ async function processDeferredItem(stats) {
   const key = `${item.name}@${item.version}`;
   _deferredSeen.delete(key);
 
-  console.log(`[DEFERRED] PROCESSING: ${key} (tier=${_tierLabel(item.tier)}, score=${item.riskScore}, retries=${item.retries})`);
+  console.log(`[DEFERRED] PROCESSING: ${key} (tier=${_tierLabel(item.tier)}, score=${item.riskScore}, retries=${item.retries}, slots=${_deferredSlotsActive + 1}/${DEFERRED_SANDBOX_SLOTS})`);
 
-  // 4. Run sandbox on dedicated slot (bypasses shared semaphore)
-  _deferredSlotBusy = true;
+  // 4. Run sandbox on a pool slot (bypasses shared semaphore)
+  _deferredSlotsActive++;
   let sandboxResult;
   const ac = new AbortController();
   const deadline = setTimeout(() => ac.abort(), DEFERRED_SANDBOX_TIMEOUT_MS);
@@ -230,7 +250,7 @@ async function processDeferredItem(stats) {
     // single-run (maxRuns=1, ~90s vs ~270s) for fast deferred-queue drain.
     const maxRuns = item.tier === '1a' ? undefined : 1;
     markSandboxed(item.name); // stamp for sandbox-revalidation cadence (matches the synchronous path)
-    sandboxResult = await runSandbox(item.name, { canary, skipSemaphore: true, maxRuns, signal: ac.signal });
+    sandboxResult = await _runSandboxFn(item.name, { canary, skipSemaphore: true, maxRuns, signal: ac.signal });
     console.log(`[DEFERRED] SANDBOX COMPLETE: ${key} -> score=${sandboxResult.score}, severity=${sandboxResult.severity}`);
   } catch (err) {
     console.error(`[DEFERRED] SANDBOX ERROR: ${key} — ${err.message}`);
@@ -247,7 +267,7 @@ async function processDeferredItem(stats) {
     return null;
   } finally {
     clearTimeout(deadline);
-    _deferredSlotBusy = false;
+    _deferredSlotsActive--;
   }
 
   // 5. Follow-up webhook if sandbox found something
@@ -302,6 +322,31 @@ async function processDeferredItem(stats) {
   return sandboxResult;
 }
 
+/**
+ * Tick dispatcher: launch deferred items CONCURRENTLY up to the free pool slots.
+ * processDeferredItem runs its slot-acquire (shift + increment) synchronously
+ * before its first await, so each launch is visible to the next loop iteration —
+ * no over-subscription past DEFERRED_SANDBOX_SLOTS. Calls are fire-and-forget:
+ * processDeferredItem is fully self-contained (its try/catch/finally swallows
+ * sandbox errors and always releases the slot), so a launched run never rejects
+ * the dispatcher. Returns the number launched this tick (for tests/observability).
+ * @returns {number}
+ */
+function processDeferredBatch(stats) {
+  let launched = 0;
+  // Bound the loop by the free slot count so a transient queue can't spin it.
+  while (_deferredSlotsActive < DEFERRED_SANDBOX_SLOTS && _deferredQueue.length > 0) {
+    const before = _deferredSlotsActive;
+    const p = processDeferredItem(stats);
+    // If the slot wasn't acquired (e.g. queue emptied by pruning inside the call),
+    // stop — otherwise the guard above could loop without progress.
+    if (_deferredSlotsActive === before) break;
+    launched++;
+    if (p && typeof p.catch === 'function') p.catch(() => { /* self-handled */ });
+  }
+  return launched;
+}
+
 /**
  * Build Discord embed for deferred sandbox follow-up.
  */
@@ -348,10 +393,14 @@ function buildDeferredFollowUpEmbed(name, version, ecosystem, sandboxResult, sta
 function startDeferredWorker(stats) {
   _stats = stats;
   if (_workerHandle) return _workerHandle;
-  console.log(`[DEFERRED] Worker started (interval=${DEFERRED_WORKER_INTERVAL_MS / 1000}s, max=${DEFERRED_QUEUE_MAX}, ttl=${DEFERRED_TTL_MS / 3600000}h)`);
-  _workerHandle = setInterval(async () => {
+  console.log(`[DEFERRED] Worker started (interval=${DEFERRED_WORKER_INTERVAL_MS / 1000}s, max=${DEFERRED_QUEUE_MAX}, slots=${DEFERRED_SANDBOX_SLOTS}, ttl=${DEFERRED_TTL_MS / 3600000}h)`);
+  _workerHandle = setInterval(() => {
     try {
-      await processDeferredItem(_stats);
+      // Fill free pool slots each tick. The dispatcher launches concurrent runs
+      // (fire-and-forget); long-running sandboxes keep their slots across ticks,
+      // so steady state is DEFERRED_SANDBOX_SLOTS in flight while the queue drains.
+      pruneExpired(_stats);
+      processDeferredBatch(_stats);
     } catch (err) {
       console.error(`[DEFERRED] Worker tick error: ${err.message}`);
     }
@@ -465,12 +514,25 @@ function _resetDeferredQueue() {
   _deferredQueue.length = 0;
   _deferredSeen.clear();
   _stats = null;
-  _deferredSlotBusy = false;
+  _deferredSlotsActive = 0;
+  _runSandboxFn = runSandbox;
   stopDeferredWorker();
 }
 
+// Test seam: inject a controllable sandbox runner (restored by _resetDeferredQueue).
+function _setRunSandboxForTest(fn) {
+  _runSandboxFn = fn || runSandbox;
+}
+
+// True while at least one deferred sandbox is in flight. Kept for back-compat
+// (callers/tests that only care "is the deferred path active"); use
+// getDeferredSlotsActive() for the concurrent count.
 function isDeferredSlotBusy() {
-  return _deferredSlotBusy;
+  return _deferredSlotsActive > 0;
+}
+
+function getDeferredSlotsActive() {
+  return _deferredSlotsActive;
 }
 
 /**
@@ -492,14 +554,18 @@ module.exports = {
   startDeferredWorker,
   stopDeferredWorker,
   processDeferredItem,
+  processDeferredBatch,
   persistDeferredQueue,
   restoreDeferredQueue,
   buildDeferredFollowUpEmbed,
   pruneExpired,
   isDeferredSlotBusy,
+  getDeferredSlotsActive,
   clearDeferredQueue,
   _resetDeferredQueue,
+  _setRunSandboxForTest,
   DEFERRED_QUEUE_MAX,
+  DEFERRED_SANDBOX_SLOTS,
   DEFERRED_TTL_MS,
   DEFERRED_MAX_RETRIES,
   DEFERRED_WORKER_INTERVAL_MS,

package/src/monitor/event-loop-monitor.js

@@ -0,0 +1,186 @@
+'use strict';
+
+/**
+ * Event-loop stall ATTRIBUTION (2026-06-18). Pure observability — NO change to
+ * scan behavior, scoring, or detection.
+ *
+ * Why: every in-process OOM defense — the RSS circuit breaker, the memory
+ * governor's RSS feed (`updateGovernorRss`), the EMERGENCY queue purge — runs on
+ * the main-thread `setInterval` poll loop (`daemon.js`). A long SYNCHRONOUS op on
+ * that loop wedges it: none of those timers fire, so RSS climbs to the cgroup
+ * MemoryMax (9.5G) unchecked → kernel SIGKILL (cgroup OOM). Measured signature
+ * 2026-06-17/18: 4-6 min of ZERO scan completions AND zero daemon log lines
+ * immediately before EVERY OOM kill. Leading suspect for the block: adm-zip
+ * `extractAllTo` (synchronous), which `extractArchive` runs on the main thread for
+ * the large-package quick-scan (4071 size_skip/24h) and pre-worker extraction.
+ *
+ * This module does NOT fix the stall — it NAMES it, so the next refactor targets
+ * the confirmed culprit instead of a guess:
+ *   - `beginOp`/`endOp` leave a breadcrumb naming the op (and package) in flight.
+ *   - `startLagSampler` runs its OWN low-frequency timer; its tardiness measures
+ *     how long the loop was blocked (the sampler is starved the same way the
+ *     breaker is, but decoupled so it can't perturb the breaker). On a stall it
+ *     reports the op whose lifetime OVERLAPS the blocked window — the still-running
+ *     op, or the one that just ended (the blocking op has usually returned by the
+ *     time the loop frees and the sampler can finally fire).
+ * Resolving stalls share their source with the fatal one, so attributing the
+ * resolving precursors pins the culprit.
+ *
+ * Bounded (CLAUDE.md §2): a single current + single last-ended breadcrumb slot;
+ * the stall log is size-capped. Instrumentation NEVER throws.
+ */
+
+const fs = require('fs');
+const path = require('path');
+
+const STALL_LOG_FILE = process.env.MUADDIB_LOOP_STALL_FILE
+  || path.join(__dirname, '..', '..', 'data', 'loop-stalls.jsonl');
+const STALL_LOG_MAX_BYTES = 256 * 1024; // bounded: truncate-then-append past this
+
+// Threshold 5s: far above normal GC/IO jitter (sub-100ms) and a full scan's
+// main-thread slice, far below the multi-minute fatal stalls — catches the
+// resolving precursors without noise. Sampler cadence 1s.
+const DEFAULT_INTERVAL_MS = 1000;
+const DEFAULT_THRESHOLD_MS = 5000;
+
+// Injectable clock (tests drive it via _reset(clockFn)); default real time.
+let _clock = () => Date.now();
+function _now() { return _clock(); }
+
+// ─── Breadcrumb: the op currently / most-recently on the main thread ───
+let _current = null;   // { label, meta, startedAt }
+let _lastEnded = null; // { label, meta, startedAt, endedAt }
+
+/** Mark the start of a (potentially blocking, synchronous) main-thread op. */
+function beginOp(label, meta) {
+  _current = { label: String(label || 'op'), meta: meta || null, startedAt: _now() };
+  return _current;
+}
+
+/** Mark it done. Token optional; a mismatched token is ignored (nesting-safe). */
+function endOp(token) {
+  if (!_current) return;
+  if (token && token !== _current) return;
+  _lastEnded = { ..._current, endedAt: _now() };
+  _current = null;
+}
+
+/**
+ * The op whose lifetime overlaps [windowStartMs, windowEndMs] — i.e. the op on
+ * the thread during the blocked window. Prefers the still-running op, else the
+ * one that ended inside the window. Null when nothing was instrumented (a real
+ * signal: widen the breadcrumbs).
+ */
+function opOverlapping(windowStartMs, windowEndMs) {
+  if (_current && _current.startedAt <= windowEndMs) {
+    return { label: _current.label, meta: _current.meta, running: true, elapsedMs: _now() - _current.startedAt };
+  }
+  if (_lastEnded && _lastEnded.endedAt >= windowStartMs && _lastEnded.startedAt <= windowEndMs) {
+    return { label: _lastEnded.label, meta: _lastEnded.meta, running: false, durationMs: _lastEnded.endedAt - _lastEnded.startedAt };
+  }
+  return null;
+}
+
+// ─── Lag core (pure, unit-testable: timestamps in, no timers) ───
+const _state = { lastTickMs: null, intervalMs: DEFAULT_INTERVAL_MS, thresholdMs: DEFAULT_THRESHOLD_MS, maxLagMs: 0, stalls: 0 };
+
+function configure(opts = {}) {
+  if (Number.isFinite(opts.intervalMs)) _state.intervalMs = opts.intervalMs;
+  if (Number.isFinite(opts.thresholdMs)) _state.thresholdMs = opts.thresholdMs;
+}
+
+/**
+ * Feed one sampler tick. Returns { lagMs, windowStartMs, firstTick }. lagMs = how
+ * much LATER than the configured interval this tick fired = the time the loop was
+ * blocked since the previous tick. First call seeds (lag 0).
+ */
+function observeTick(nowMs) {
+  if (_state.lastTickMs === null) {
+    _state.lastTickMs = nowMs;
+    return { lagMs: 0, windowStartMs: nowMs, firstTick: true };
+  }
+  const windowStartMs = _state.lastTickMs;
+  const lagMs = Math.max(0, nowMs - _state.lastTickMs - _state.intervalMs);
+  _state.lastTickMs = nowMs;
+  if (lagMs > _state.maxLagMs) _state.maxLagMs = lagMs;
+  return { lagMs, windowStartMs, firstTick: false };
+}
+
+function isStall(lagMs, thresholdMs = _state.thresholdMs) { return lagMs >= thresholdMs; }
+function getMaxLagMs() { return _state.maxLagMs; }
+function getStallCount() { return _state.stalls; }
+
+function _appendStall(record) {
+  try {
+    try {
+      const st = fs.statSync(STALL_LOG_FILE);
+      if (st.size > STALL_LOG_MAX_BYTES) fs.truncateSync(STALL_LOG_FILE, 0); // bounded
+    } catch { /* absent — first write */ }
+    fs.appendFileSync(STALL_LOG_FILE, JSON.stringify(record) + '\n');
+  } catch { /* instrumentation must never throw */ }
+}
+
+/** Build the structured stall record for a detected lag (pure; exported for tests). */
+function buildStallRecord(lagMs, windowStartMs, nowMs) {
+  const op = opOverlapping(windowStartMs, nowMs);
+  return {
+    ts: new Date(nowMs).toISOString(),
+    lagMs,
+    blockedSec: Math.round(lagMs / 100) / 10,
+    op: op
+      ? { label: op.label, meta: op.meta, running: op.running, durationMs: op.running ? op.elapsedMs : op.durationMs }
+      : null,
+    rssMb: Math.round(process.memoryUsage().rss / 1024 / 1024)
+  };
+}
+
+/**
+ * Start the lag sampler. Its OWN tardiness measures loop lag. unref'd: a pure
+ * monitor never keeps the process alive on its own. Returns a stop fn.
+ * onStall(record) is an optional extra sink (the daemon logs it); every stall is
+ * also appended to STALL_LOG_FILE for post-hoc analysis.
+ */
+function startLagSampler(opts = {}) {
+  configure(opts);
+  _state.lastTickMs = null;
+  const onStall = typeof opts.onStall === 'function' ? opts.onStall : null;
+  const timer = setInterval(() => {
+    const now = Date.now();
+    const { lagMs, windowStartMs, firstTick } = observeTick(now);
+    if (firstTick || !isStall(lagMs)) return;
+    _state.stalls += 1;
+    const record = buildStallRecord(lagMs, windowStartMs, now);
+    _appendStall(record);
+    if (onStall) { try { onStall(record); } catch { /* ignore */ } }
+  }, _state.intervalMs);
+  if (timer && typeof timer.unref === 'function') timer.unref();
+  return () => clearInterval(timer);
+}
+
+/** Test helper: clear all state; optionally install a deterministic clock. */
+function _reset(clockFn) {
+  _current = null;
+  _lastEnded = null;
+  _state.lastTickMs = null;
+  _state.intervalMs = DEFAULT_INTERVAL_MS;
+  _state.thresholdMs = DEFAULT_THRESHOLD_MS;
+  _state.maxLagMs = 0;
+  _state.stalls = 0;
+  _clock = typeof clockFn === 'function' ? clockFn : (() => Date.now());
+}
+
+module.exports = {
+  beginOp,
+  endOp,
+  opOverlapping,
+  configure,
+  observeTick,
+  isStall,
+  getMaxLagMs,
+  getStallCount,
+  buildStallRecord,
+  startLagSampler,
+  _reset,
+  _state,
+  STALL_LOG_FILE
+};

package/src/monitor/ingestion.js

@@ -1528,6 +1528,7 @@ module.exports = {
   POLL_INTERVAL,
   POLL_MAX_BACKOFF,
   MAX_RESPONSE_BYTES,
+  SOFT_BACKPRESSURE_THRESHOLD,
 
   // Mutable state
   getConsecutivePollErrors,

package/src/monitor/queue.js

@@ -22,6 +22,7 @@ const { buildTrainingRecord } = require('../ml/feature-extractor.js');
 const { appendWorkerMem } = require('./worker-mem.js');
 const { acquireHeavySlot, releaseHeavySlot, isHeavyScan, getHeavyLaneState, heavyWaitMaxMs, HEAVY_REQUEUE_MAX } = require('./heavy-lane.js');
 const { isGovernorEnabled, classifyWeight, acquireMemoryTicket, releaseMemoryTicket, isFrozen: isGovernorFrozen, getGovernorState } = require('./memory-governor.js');
+const { beginOp, endOp } = require('./event-loop-monitor.js');
 const { appendRecord: appendTrainingRecord, relabelRecords } = require('../ml/jsonl-writer.js');
 
 // From ./state.js
@@ -764,7 +765,8 @@ async function scanPackage(name, version, ecosystem, tarballUrl, registryMeta, s
         // Validates actual tarball contents (not just registry metadata).
         let bypassQuickScan = false;
         try {
-          extractedDir = extractArchive(tgzPath, tmpDir);
+          const _crumb = beginOp('extract:quickscan', { name, version, unpackedSizeMb: Math.round(unpackedSize / 1024 / 1024) });
+          try { extractedDir = extractArchive(tgzPath, tmpDir); } finally { endOp(_crumb); }
 
           const [pkgThreats, shellThreats] = await Promise.all([
             scanPackageJson(extractedDir),
@@ -813,7 +815,8 @@ async function scanPackage(name, version, ecosystem, tarballUrl, registryMeta, s
     }
 
     if (!extractedDir) {
-      extractedDir = extractArchive(tgzPath, tmpDir);
+      const _crumb = beginOp('extract:prework', { name, version, unpackedSizeMb: Math.round((meta.unpackedSize || 0) / 1024 / 1024) });
+      try { extractedDir = extractArchive(tgzPath, tmpDir); } finally { endOp(_crumb); }
     }
 
     // ML Phase 2a: Count JS files and detect test presence for enriched features

package/src/monitor/spill.js

@@ -182,7 +182,13 @@ function _compactBacklog(file, ledgerFn = null) {
 
 /**
  * Pure drain predicate (exported for tests + the daemon main loop): drain only
- * when memory pressure is fully cleared AND the live queue has headroom.
+ * when memory pressure is fully cleared AND the live queue is below the drain
+ * ceiling. `threshold` is a MARGE ceiling (a margin below the ingestion
+ * backpressure point — see daemon.js SPILL_DRAIN_THRESHOLD), NOT a "queue nearly
+ * empty" low-water mark: the latter (the old 500/5000) was unreachable in steady
+ * state, so the backlog never drained. With the marge ceiling the drain is a
+ * self-throttling trickle — it auto-stops the moment pressure rises (≥ ELEVATED)
+ * or the queue climbs toward backpressure, so it never starves fresh ingestion.
  */
 function shouldDrain(pressureLevel, queueLen, threshold) {
   return pressureLevel === 0 && queueLen < threshold;

package/src/monitor/webhook.js

@@ -1117,10 +1117,17 @@ function safeLedgerRollup() {
 function formatLedgerField(rollup) {
   if (!rollup || rollup.total <= 0) return null;
   const pct = rollup.alertRate != null ? (rollup.alertRate * 100).toFixed(2) : '0.00';
-  const lines = [`Scanned ${rollup.scanned} · Alerted ${rollup.alerted} (${pct}%)`];
+  // All counts here are name@version scan EVENTS (NOT distinct package names — that
+  // ratio is the headline's "Noms uniques"). alertRate = suspect+confirmed / scanned
+  // (NOT a TPR — see computeLedgerRollup's HONEST METRIC NOTE).
+  const lines = [`Scans: ${rollup.scanned} events · alertés ${rollup.alerted} (${pct}%)`];
   if (rollup.dropped > 0) {
     const vanishedNote = rollup.exactVanished ? `${rollup.vanished}` : `≥${rollup.vanished}`;
-    lines.push(`Dropped ${rollup.dropped} (${vanishedNote} vanished)`);
+    // `dropped` folds in recoverable spill (backlog awaiting drain) + queue-cap evictions
+    // + burst-extras; `vanished` is the distinct name@version subset never (re)scanned
+    // in-window — still version-granular (a name with 50 dropped versions = 50 here) and
+    // it too still includes not-yet-drained spill, so it is NOT a registry-removal count.
+    lines.push(`Non scannés: ${rollup.dropped} events (${vanishedNote} name@ver jamais (re)scannés)`);
   }
   const ecos = Object.keys(rollup.byEcosystem)
     .sort((a, b) => rollup.byEcosystem[b].total - rollup.byEcosystem[a].total);
@@ -1235,36 +1242,35 @@ function buildDailyReportEmbed(stats, dailyAlerts, ledgerRollup) {
   const pypiPub = stats.pypiChangelogPackages || 0;
   const published = npmPub + pypiPub;
   const catchupSkipped = (stats.npmCatchupSkippedSeqs || 0) + (stats.pypiCatchupSkippedEvents || 0);
-  // Clarify the Ops headline so it isn't read as an overnight drop: it counts
-  // COMPLETED scans in the exact ledger window [last report → now], version/
-  // dedup-collapsed — intentionally lower than the in-memory counter (stats.scanned),
-  // which also tallies retries, burst extras and size-cap rejections
-  // (cf. queue.js uniqueScanAttempts). Surface the raw counter when it diverges.
-  const opsQualifier = headline ? ' (completed, deduped, 24h)' : '';
+  // UNIT DISCIPLINE (2026-06-18): the Coverage field stacked three counting units
+  // with no labels, so the headline read as self-contradictory — e.g.
+  // "30K/90K pkgs · 112K vanished" looks like 112K > 90K packages (impossible), but
+  // `vanished` counts name@VERSION events while the ratio counts distinct NAMES.
+  // Each line below now states its unit; the version-granular drop/vanished detail
+  // lives in the Ops embed's Ledger field, NOT next to a name ratio.
+  //   • "Noms uniques" → distinct package NAMES (version-collapsed) — the honest headline
+  //   • "Scans"        → name@version scan events (same unit as Clean/Suspects/Errors)
+  //   • "compteur"     → in-memory stats.scanned (events + retries + burst + size-cap)
+  const opsQualifier = headline ? ' (events terminés)' : '';
   const rawCounter = (headline && typeof stats.scanned === 'number' && stats.scanned > hScanned)
-    ? ` · counter ${stats.scanned} (incl. retries/burst)`
+    ? ` · compteur ${stats.scanned} (retries/burst inclus)`
     : '';
   const opsSuffix = catchupSkipped > 0
-    ? `\nOps: ${hScanned}${opsQualifier}${rawCounter} | Catch-up skip: ${catchupSkipped}`
-    : `\nOps: ${hScanned}${opsQualifier}${rawCounter}`;
+    ? `\nScans: ${hScanned}${opsQualifier}${rawCounter} | Catch-up skip: ${catchupSkipped}`
+    : `\nScans: ${hScanned}${opsQualifier}${rawCounter}`;
   let coverageText;
   if (ledger && ledger.distinctPackages > 0 && ledger.distinctCoverage != null) {
     const pct = (ledger.distinctCoverage * 100).toFixed(0);
     const approx = ledger.exactVanished === false ? '~' : '';
-    coverageText = `${ledger.distinctScanned}/${ledger.distinctPackages} pkgs (${approx}${pct}%)`;
-    // Honest 24h coverage loss surfaced next to coverage: `vanished` = distinct names
-    // dropped and never re-scanned in the window — the real miss count. The raw
-    // `dropped` aggregate (which also folds in recoverable spill + retries, so it
-    // OVERSTATES loss) is relegated to the Ops embed's Ledger field, not the headline.
-    if (ledger.vanished > 0) {
-      coverageText += ` · ${ledger.exactVanished ? '' : '≥'}${ledger.vanished} vanished`;
-    }
-    if (published > 0) coverageText += `\nRaw events: ${attempted}/${published}`;
+    // Headline = distinct package NAMES scanned vs seen (version-collapsed, immune to
+    // version-spam). The name@version drop/vanished detail is in the Ledger field below.
+    coverageText = `Noms uniques: ${ledger.distinctScanned}/${ledger.distinctPackages} (${approx}${pct}%)`;
+    if (published > 0) coverageText += `\nPubliés: ${attempted}/${published}`;
     coverageText += opsSuffix;
   } else if (published > 0) {
     // Fallback: ledger unavailable (first boot / empty ledger) → legacy event ratio.
     const coverageRatio = (attempted / published * 100).toFixed(0);
-    coverageText = `${attempted}/${published} (${coverageRatio}%)${opsSuffix}`;
+    coverageText = `Publiés: ${attempted}/${published} (${coverageRatio}%)${opsSuffix}`;
   } else {
     coverageText = `${attempted} attempted${opsSuffix}`;
   }
@@ -1363,16 +1369,19 @@ function buildDailyReportEmbed(stats, dailyAlerts, ledgerRollup) {
       // --- Embed 2: Ops / system state (kept OUT of the daily headline) ---
       // Operator feedback: a daily that mixes 24h outcome with multi-day system state
       // reads as failure when it isn't. Each line here carries its own clock:
-      //   • Ledger      → 24h window. Its `dropped` folds in recoverable spill + retries,
-      //                   so it OVERSTATES loss — `vanished` (in the Coverage field) is the
-      //                   honest miss count, which is why dropped sits here, not the headline.
+      //   • Ledger      → 24h window, in name@version scan EVENTS (NOT package names —
+      //                   the name ratio is the headline's "Noms uniques"). `dropped` folds
+      //                   in recoverable spill (backlog awaiting drain) + queue-cap evictions
+      //                   + burst-extras; `vanished` is the distinct name@version subset never
+      //                   (re)scanned in-window — also version-granular, and it too still
+      //                   includes not-yet-drained spill, so neither is a registry-removal count.
       //   • Stability   → cumulative since the 08:00 reset (backlog = point-in-time depth
       //                   of the persistent spill file, the one snapshot in this field).
       //   • Degradations / System → instantaneous snapshot (degradations have no TTL: if
       //                   shown, the condition is active right now, not earlier in the window).
       title: '⚙️ Ops / état système',
       color: 0x95a5a6,
-      description: 'Ledger = fenêtre 24h (dropped inclut le spill récupérable — voir « vanished » pour la perte réelle) · Stability = cumulé depuis 08:00 (backlog = instantané) · Degradations/System = instantané',
+      description: 'Ledger = fenêtre 24h en events name@version (pas des noms de paquets — voir « Noms uniques » dans le headline) · « Non scannés » inclut le spill récupérable en attente de drain · Stability = cumulé depuis 08:00 (backlog = instantané) · Degradations/System = instantané',
       fields: [
         ...((stats.sandboxDeferred || stats.deferredProcessed || stats.deferredExpired)
           ? [{ name: 'Deferred Sandbox', value: `Enqueued: ${stats.sandboxDeferred || 0} | Processed: ${stats.deferredProcessed || 0} | Expired: ${stats.deferredExpired || 0}`, inline: false }]

package/src/scanner/ast-detectors/handle-import-expression.js

@@ -3,6 +3,55 @@
 const {
   SOLANA_PACKAGES
 } = require('./constants.js');
+const { containsDecodePattern } = require('./helpers.js');
+
+// Gate #2 (FPR 2026-06-15 — Étape 0 adjudication): a computed dynamic import() is only
+// remote-code-loading when there is positive evidence of a remote/decoded/env-driven target
+// (URL literal, .replace() URL manipulation, atob/Buffer decode, or a process.env-sourced
+// specifier). Bounded-local imports — CLI subcommand dispatchers (import(MAP[cmd])), layout/i18n
+// loaders (import(`../x/${name}.js`)), dep-resolve / own-dist shims (import(join(dir,'dist/main.js')))
+// — were ~19% of the band-20-49 false positives with 0 TP. Without evidence, computed imports
+// stay HIGH (still fires, but ~25→10 pts: sub-threshold alone) instead of CRITICAL. Flag-gated;
+// when the flag is off the legacy CRITICAL-on-Identifier/TemplateLiteral behavior is preserved.
+function _importStaticText(node) {
+  if (!node) return '';
+  if (node.type === 'Literal') return typeof node.value === 'string' ? node.value : '';
+  if (node.type === 'TemplateLiteral') {
+    return (node.quasis || [])
+      .map(q => (q.value && (q.value.cooked != null ? q.value.cooked : q.value.raw)) || '')
+      .join(' ');
+  }
+  if (node.type === 'BinaryExpression' && node.operator === '+') {
+    return _importStaticText(node.left) + ' ' + _importStaticText(node.right);
+  }
+  return '';
+}
+
+function _isProcessEnvMember(node) {
+  return !!node && node.type === 'MemberExpression' &&
+    node.object && node.object.type === 'MemberExpression' &&
+    node.object.object && node.object.object.type === 'Identifier' && node.object.object.name === 'process' &&
+    node.object.property && node.object.property.type === 'Identifier' && node.object.property.name === 'env';
+}
+
+function _importRemoteEvidence(src, ctx) {
+  // URL manipulation (GlassWorm): import(x.replace(...))
+  if (src.type === 'CallExpression' && src.callee && src.callee.type === 'MemberExpression' &&
+      src.callee.property && src.callee.property.name === 'replace') return true;
+  // env-driven specifier: import(process.env.X), or import(v) where v was assigned from process.env.X
+  if (_isProcessEnvMember(src)) return true;
+  if (src.type === 'Identifier' && ctx.varSource && ctx.varSource.get(src.name) === 'env_var') return true;
+  // identifier resolving to a URL string literal: const u = 'https://evil/x.js'; import(u)
+  if (src.type === 'Identifier' && ctx.stringVarValues) {
+    const resolved = ctx.stringVarValues.get(src.name);
+    if (resolved && /https?:|:\/\//i.test(resolved)) return true;
+  }
+  // runtime decode: import(atob(...)) / import(Buffer.from(...).toString())
+  if (containsDecodePattern(src)) return true;
+  // explicit URL scheme in the static parts of the specifier
+  if (/https?:|:\/\//i.test(_importStaticText(src))) return true;
+  return false;
+}
 
 function handleImportExpression(node, ctx) {
   if (node.source) {
@@ -25,11 +74,29 @@ function handleImportExpression(node, ctx) {
       if (SOLANA_PACKAGES.some(pkg => src.value === pkg)) {
         ctx.hasSolanaImport = true;
       }
+    } else if (process.env.MUADDIB_DYNIMPORT_BOUNDED === '1') {
+      // Gate #2 (downgrade-only — never escalates above legacy severity, so it cannot raise FPR):
+      // a legacy-CRITICAL computed import (Identifier / TemplateLiteral / .replace URL) drops to HIGH
+      // when there is NO remote/decode/env evidence (bounded/local: CLI dispatchers, layout/i18n
+      // loaders, dep-resolve shims). With evidence it stays CRITICAL; a legacy-HIGH argument stays HIGH.
+      const legacyCritical = src.type === 'Identifier' || src.type === 'TemplateLiteral' ||
+        (src.type === 'CallExpression' && src.callee?.property?.name === 'replace');
+      const bounded = legacyCritical && !_importRemoteEvidence(src, ctx);
+      ctx.threats.push({
+        type: 'dynamic_import',
+        severity: bounded ? 'HIGH' : (legacyCritical ? 'CRITICAL' : 'HIGH'),
+        message: bounded
+          ? 'Dynamic import() with computed (bounded/local) argument — possible obfuscation.'
+          : (legacyCritical
+              ? 'Dynamic import() with computed URL argument — remote code loading from dynamically constructed URL.'
+              : 'Dynamic import() with computed argument (possible obfuscation).'),
+        file: ctx.relFile
+      });
     } else {
-      // Blue Team v8b (C6): Dynamic import with non-literal arg — if it's a variable
-      // built from URL manipulation, this is remote code loading
-      const isCritical = node.source.type === 'Identifier' || node.source.type === 'TemplateLiteral' ||
-        (node.source.type === 'CallExpression' && node.source.callee?.property?.name === 'replace');
+      // Legacy behavior (gate off): Blue Team v8b (C6) — non-literal arg is CRITICAL when it
+      // looks like a constructed URL (Identifier / TemplateLiteral / .replace()).
+      const isCritical = src.type === 'Identifier' || src.type === 'TemplateLiteral' ||
+        (src.type === 'CallExpression' && src.callee?.property?.name === 'replace');
       ctx.threats.push({
         type: 'dynamic_import',
         severity: isCritical ? 'CRITICAL' : 'HIGH',

package/src/scanner/ast-detectors/handle-post-walk.js

@@ -216,6 +216,11 @@ function handlePostWalk(ctx) {
     });
   }
 
+  // Per-file network-destination verdict (decoy-safe): true iff every literal host is
+  // local/reserved or a curated provider; any public-IP/suspicious/unknown host — or no host —
+  // ⇒ false. Reused by the detached/uncaught-exfil compounds below.
+  const destAllBenign = ctx._content ? networkDestinationsAllBenign(ctx._content) : false;
+
   // Credential regex harvesting: credential-matching regex + network call in same file
   // Real-world pattern: Transform/stream that scans data for tokens/passwords and exfiltrates
   if (ctx.hasCredentialRegex && ctx.hasNetworkCallInFile) {
@@ -328,7 +333,7 @@ function handlePostWalk(ctx) {
   // destination in the file is first-party/local/provider (e.g. an otel collector on
   // localhost, an SDK POST to its own API). A suspicious/unknown/public-IP host — or no
   // literal host at all — leaves it firing (conservative: confirmed-benign only).
-  const destAllBenign = ctx._content ? networkDestinationsAllBenign(ctx._content) : false;
+  // (destAllBenign is computed once above, at the credential_regex_harvest emission site.)
   if (hasDetachedInFile && hasSensitiveEnvInFile && ctx.hasNetworkCallInFile && !destAllBenign) {
     ctx.threats.push({
       type: 'detached_credential_exfil',

package/src/scanner/dataflow.js

@@ -1043,6 +1043,40 @@ function analyzeFile(content, filePath, basePath) {
       }
     }
 
+    // Gate #1 (FPR 2026-06-15 — Étape 0 adjudication): the C7 block above only covers pure
+    // env_read sources; the dominant live FP cluster (~25% of band 20-49, 0 TP) is a
+    // credential_env_read API key (OPENAI_API_KEY, YINGDAO_ACCESS_TOKEN, …) flowing to the
+    // package's OWN first-party API or a curated provider. The decoy-safe discriminant is
+    // brand coherence (env-var brand ↔ host label) + curated providers + local hosts, applied
+    // to EVERY destination. Limited to env-like sources (a credential_read FILE, command_output,
+    // or fingerprint_read source stays CRITICAL — those are genuinely higher-risk). Downgrade to
+    // MEDIUM so the signal survives; residual = compromised first-party domain, the same risk the
+    // mature/MT-1 cap already accepts. Flag-gated (default off) for measure-then-flip rollout.
+    if (process.env.MUADDIB_DF_SDK_GATE === '1' &&
+        (severity === 'CRITICAL' || severity === 'HIGH')) {
+      const envLike = sources.filter(s => s.type === 'env_read' || s.type === 'credential_env_read');
+      const onlyEnvLike = sources.every(s =>
+        s.type === 'env_read' || s.type === 'credential_env_read' || s.type === 'telemetry_read');
+      if (envLike.length > 0 && onlyEnvLike) {
+        try {
+          const { extractBrandFromEnvVar, networkDestinationsAllBenignOrBrand } = require('../sdk-destination.js');
+          const gateContent = fs.readFileSync(filePath, 'utf8');
+          const brands = envLike.map(s => {
+            const envVar = s.name
+              .replace(/^process\.env\./, '')
+              .replace(/^process\.env\[['"]/, '')
+              .replace(/['"]\]$/, '');
+            return extractBrandFromEnvVar(envVar);
+          }).filter(Boolean);
+          if (networkDestinationsAllBenignOrBrand(gateContent, brands)) {
+            severity = 'MEDIUM';
+          }
+        } catch {
+          // sdk-destination / file read unavailable — keep severity
+        }
+      }
+    }
+
     const sourceDesc = hasCommandOutput ? 'command output' : 'credentials read';
     threats.push({
       type: 'suspicious_dataflow',

package/src/scoring.js

@@ -1051,6 +1051,25 @@ function _hasExfilSink(threats) {
   return threats.some(t => EXFIL_SINK_TYPES.has(t.type) && t.severity !== 'LOW');
 }
 
+// Sink-coupling (chantier 2026-06-15): the subset of EXFIL_SINK_TYPES that PROVES taint or
+// unambiguous structural malice — NOT mere host-reputation string presence. When one of these
+// co-occurs with credential_regex_harvest it stays HIGH (anti-FN floor: protects cross-file
+// read→exfil and the intent/detached/staged compounds). The complement (suspicious_domain,
+// direct_ip_exfil, ioc_string_match, ioc_match) is host-reputation-only.
+const PROVEN_EXFIL_SINK_TYPES = new Set([
+  'known_malicious_package', 'pypi_malicious_package', 'shai_hulud_marker',
+  'detached_credential_exfil', 'silent_stealth_process',
+  'curl_pipe_shell', 'curl_env_exfil', 'reverse_shell', 'dns_exfil', 'oast_callback',
+  'function_constructor_require', 'staged_remote_loader', 'staged_eval_decode',
+  'fetch_decrypt_exec', 'download_exec_binary', 'self_destruct_eval',
+  'newsletter_auto_follow', 'cross_file_dataflow', 'intent_credential_exfil',
+  'intent_command_exfil', 'sandbox_known_exfil_domain', 'sandbox_network_after_sensitive_read'
+]);
+function _hasProvenExfilSink(threats) {
+  if (!Array.isArray(threats)) return false;
+  return threats.some(t => PROVEN_EXFIL_SINK_TYPES.has(t.type) && t.severity !== 'LOW');
+}
+
 function applyFPReductions(threats, reachableFiles, packageName, packageDeps, reachableFunctions) {
   // Initialize reductions audit trail on each threat
   // Store original severity before any FP reductions, so compound
@@ -1206,13 +1225,23 @@ function applyFPReductions(threats, reachableFiles, packageName, packageDeps, re
   // taint ...). When no such sink is present, downgrade HIGH/CRITICAL → LOW. Runs after the dilution
   // floor so the floor's restored instance is also gated (the floor protects real exfil; with no sink
   // there is nothing to protect). No GT sample relies on credential_regex_harvest (verified).
-  if (!_hasExfilSink(threats)) {
-    for (const t of threats) {
-      if (t.type === 'credential_regex_harvest' && (t.severity === 'HIGH' || t.severity === 'CRITICAL')) {
-        t.reductions.push({ rule: 'sink_coupling', from: t.severity, to: 'LOW' });
-        t.severity = 'LOW';
-      }
+  // Sink-coupling for credential_regex_harvest (per-instance, two-way): a proven taint /
+  // structural-malice sink ⇒ keep HIGH (anti-FN floor); no exfil sink at all ⇒ LOW.
+  const _crhProvenSink = _hasProvenExfilSink(threats);
+  const _crhAnySink = _hasExfilSink(threats);
+  for (const t of threats) {
+    if (t.type !== 'credential_regex_harvest') continue;
+    if (t.severity !== 'HIGH' && t.severity !== 'CRITICAL') continue;
+    // (1) anti-FN floor: a proven taint / structural-malice sink ⇒ keep HIGH (host/flag irrelevant).
+    if (_crhProvenSink) continue;
+    // (2) no exfil sink at all ⇒ LOW (legacy behavior, flag-independent).
+    if (!_crhAnySink) {
+      t.reductions.push({ rule: 'sink_coupling', from: t.severity, to: 'LOW' });
+      t.severity = 'LOW';
+      continue;
     }
+    // (3) only host-reputation sink(s) co-occur ⇒ keep HIGH (fall-through). A host-coupling
+    //     downgrade here (gate #3, MUADDIB_CRH_HOST_GATE) was measured inert and removed 2026-06-15.
   }
 
   for (const t of threats) {

package/src/sdk-destination.js

@@ -308,6 +308,45 @@ function networkDestinationsAllBenign(fileContent) {
   return true;
 }
 
+/**
+ * Gate #1 variant of networkDestinationsAllBenign: a host ALSO passes if one of its labels
+ * matches a credential env-var BRAND (e.g. YINGDAO_ACCESS_TOKEN → api.yingdao.com). This covers
+ * the dominant credential→own-API FP cluster (Étape 0 2026-06-15: ~25% of band 20-49, 0 TP) that
+ * networkDestinationsAllBenign rejects because a package's own domain is not a curated provider.
+ * Decoy-safe by construction: EVERY host must be local/reserved OR a curated provider OR
+ * brand-coherent; any unknown / public-IP / suspicious-tunnel host ⇒ false. No hosts ⇒ false.
+ * Brand coherence is not attacker-spoofable for the credential-theft case: stealing a VICTIM's
+ * OTHER-service key (OPENAI_API_KEY) and sending it to attacker.com yields brand "openai" vs label
+ * "attacker" ⇒ mismatch ⇒ keeps firing.
+ *
+ * @param {string} fileContent - source of the file containing the network sink
+ * @param {string[]} brands - brand tokens extracted from the credential env-var names
+ * @returns {boolean}
+ */
+function networkDestinationsAllBenignOrBrand(fileContent, brands) {
+  const hosts = extractHostsFromContent(fileContent);
+  if (hosts.length === 0) return false;
+  // RFC 2606 / 6761 documentation & test placeholders (example.com/.net/.org, *.test, *.invalid)
+  // are NOT real SDK destinations — no benign SDK ships a live credential flow to example.com.
+  // A credential→placeholder flow is either a synthetic exfil sample or an evasion stand-in, so it
+  // must keep firing (it is deliberately NOT in the local-IPC benign class, unlike loopback/RFC1918).
+  const DOC_DOMAIN_RE = /(^|\.)example\.(?:com|net|org)$|\.(?:test|example|invalid)$/i;
+  const brandSet = (brands || [])
+    .map(b => String(b || '').toLowerCase())
+    .filter(b => b.length >= 3);
+  for (const h of hosts) {
+    if (SUSPICIOUS_DOMAIN_PATTERNS.test(h)) return false;
+    if (isPublicIpHost(h)) return false;
+    if (DOC_DOMAIN_RE.test(h)) return false;
+    if (isLocalOrReservedHost(h)) continue;
+    if (PROVIDER_DOMAIN_SUFFIXES.some(s => domainMatchesSuffix(h, [s]))) continue;
+    const labels = String(h).toLowerCase().split('.');
+    if (brandSet.length && labels.some(l => brandSet.includes(l))) continue;
+    return false; // unknown / unrecognised destination → keep firing
+  }
+  return true;
+}
+
 module.exports = {
   SDK_ENV_DOMAIN_MAP,
   ENV_NOISE_TOKENS,
@@ -320,6 +359,7 @@ module.exports = {
   extractDomain,
   domainMatchesSuffix,
   isSDKPattern,
+  networkDestinationsAllBenignOrBrand,
   stripPort,
   isLocalOrReservedHost,
   isPublicIpHost,