muaddib-scanner 2.11.17 → 2.11.19

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.11.17",
+  "version": "2.11.19",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/src/pipeline/executor.js

@@ -9,6 +9,7 @@ const { scanHashes } = require('../scanner/hash.js');
 const { scanIocStrings } = require('../scanner/ioc-strings.js');
 const { scanAntiForensic } = require('../scanner/anti-forensic.js');
 const { scanStubPackage } = require('../scanner/stub-package.js');
+const { scanMonorepo } = require('../scanner/monorepo.js');
 const { analyzeDataFlow } = require('../scanner/dataflow.js');
 const { scanTyposquatting, findPyPITyposquatMatch } = require('../scanner/typosquat.js');
 const { scanGitHubActions } = require('../scanner/github-actions.js');
@@ -127,12 +128,25 @@ async function execute(targetPath, options, pythonDeps, warnings) {
   // Bounded: 5s timeout to prevent DoS on large/adversarial packages
   const MODULE_GRAPH_TIMEOUT_MS = 5000;
   let crossFileFlows = [];
+  // Threats ABOUT the module graph (audit DF-C1): truncation when the package
+  // exceeds MAX_GRAPH_NODES. Separate from crossFileFlows because the latter
+  // gets filtered/reshaped (line ~316 requires sourceFile && sinkFile).
+  const moduleGraphThreats = [];
   if (!options.noModuleGraph) {
     const moduleGraphWork = async () => {
-      const graph = await yieldThen(() => buildModuleGraph(targetPath));
-      if (Object.keys(graph).length === 0) {
-        // buildModuleGraph returns empty when MAX_GRAPH_NODES exceeded
-        warnings.push('Module graph skipped: package exceeds 100 files limit');
+      const graphMeta = {};
+      const graph = await yieldThen(() => buildModuleGraph(targetPath, graphMeta));
+      if (graphMeta.truncated) {
+        warnings.push(`Module graph skipped: ${graphMeta.fileCount} files exceeds MAX_GRAPH_NODES (${graphMeta.maxNodes})`);
+        moduleGraphThreats.push({
+          type: 'large_package_graph_truncated',
+          severity: 'MEDIUM',
+          message: `Cross-file analysis désactivée : ${graphMeta.fileCount} fichiers dépassent la limite (${graphMeta.maxNodes}). Risque de blind spot sur monorepo / large package — auditer les sous-modules manuellement.`,
+          file: 'package.json',
+          line: 0,
+          fileCount: graphMeta.fileCount,
+          maxNodes: graphMeta.maxNodes
+        });
       }
       const tainted = await yieldThen(() => annotateTaintedExports(graph, targetPath));
       const sinkAnnotations = await yieldThen(() => annotateSinkExports(graph, targetPath));
@@ -187,7 +201,7 @@ async function execute(targetPath, options, pythonDeps, warnings) {
     'scanDependencies', 'scanHashes', 'analyzeDataFlow', 'scanTyposquatting',
     'scanGitHubActions', 'matchPythonIOCs', 'checkPyPITyposquatting',
     'scanEntropy', 'scanAIConfig', 'scanIocStrings', 'scanAntiForensic',
-    'scanStubPackage'
+    'scanStubPackage', 'scanMonorepo'
   ];
 
   const settledResults = await Promise.allSettled([
@@ -206,7 +220,8 @@ async function execute(targetPath, options, pythonDeps, warnings) {
     yieldThen(() => scanAIConfig(targetPath)),
     yieldThen(() => scanIocStrings(targetPath)),
     withTimeout(() => scanAntiForensic(targetPath), 'scanAntiForensic'),
-    yieldThen(() => scanStubPackage(targetPath))
+    yieldThen(() => scanStubPackage(targetPath)),
+    yieldThen(() => scanMonorepo(targetPath))
   ]);
 
   // Extract results: use empty array for rejected scanners, log errors
@@ -234,7 +249,8 @@ async function execute(targetPath, options, pythonDeps, warnings) {
     aiConfigThreats,
     iocStringThreats,
     antiForensicThreats,
-    stubPackageThreats
+    stubPackageThreats,
+    monorepoThreats
   ] = scanResult;
 
   // Emit warning if file count cap was hit + quick-scan overflow files
@@ -313,12 +329,14 @@ async function execute(targetPath, options, pythonDeps, warnings) {
     ...iocStringThreats,
     ...antiForensicThreats,
     ...stubPackageThreats,
+    ...monorepoThreats,
     ...crossFileFlows.filter(f => f && f.sourceFile && f.sinkFile).map(f => ({
       type: f.type,
       severity: f.severity,
       message: `Cross-file dataflow: ${f.source} in ${f.sourceFile} → ${f.sink} in ${f.sinkFile}`,
       file: f.sinkFile
-    }))
+    })),
+    ...moduleGraphThreats
   ];
 
   // Paranoid mode

package/src/response/playbooks.js

@@ -683,6 +683,16 @@ const PLAYBOOKS = {
     'Verifier si des donnees sensibles sont envoyees via ce canal. ' +
     'Les proxies HTTP classiques ne filtrent pas ce trafic.',
 
+  large_package_graph_truncated:
+    'Package volumineux (> MAX_GRAPH_NODES fichiers). Cross-file dataflow non analyse. ' +
+    'Auditer les sous-modules manuellement ou scanner par sous-paquet. ' +
+    'Sur un monorepo, scanner chaque workspace independamment.',
+
+  monorepo_detected:
+    'Monorepo detecte — scanner chaque workspace individuellement pour un verdict per-package. ' +
+    'Le score global reflete un perimetre agrege ; muaddib ne supporte pas encore le scoring per-workspace. ' +
+    'Ignorer les FP structurels (.yarn/, packages/*/test/, fixtures/) sera ajoute en v2.12.',
+
   bin_field_hijack:
     'CRITIQUE: Le champ "bin" de package.json shadow une commande systeme (node, npm, git, bash, etc.). ' +
     'A l\'installation, npm cree un symlink dans node_modules/.bin/ qui intercepte la commande reelle. ' +

package/src/rules/index.js

@@ -94,6 +94,17 @@ const RULES = {
     ],
     mitre: 'T1195.002'
   },
+  monorepo_detected: {
+    id: 'MUADDIB-PKG-021',
+    name: 'Monorepo Detected',
+    severity: 'MEDIUM',
+    confidence: 'high',
+    description: 'Workspace monorepo detecte (yarn/pnpm/lerna/turbo). Le perimetre du scan depasse un seul package — auditer chaque workspace separement pour un scoring per-package.',
+    references: [
+      'https://docs.npmjs.com/cli/v10/using-npm/workspaces'
+    ],
+    mitre: 'T1195.002'
+  },
 
   // Obfuscation detections
   obfuscation_detected: {
@@ -2110,6 +2121,17 @@ const RULES = {
     ],
     mitre: 'T1071'
   },
+  large_package_graph_truncated: {
+    id: 'MUADDIB-FLOW-006',
+    name: 'Large Package Graph Truncated',
+    severity: 'MEDIUM',
+    confidence: 'medium',
+    description: 'Le graphe de modules depasse la limite (MAX_GRAPH_NODES). Cross-file dataflow non analyse — risque de blind spot sur monorepo ou large package. Auditer les sous-modules manuellement.',
+    references: [
+      'https://attack.mitre.org/techniques/T1195/002/'
+    ],
+    mitre: 'T1195.002'
+  },
 
   // Audit v3 Bypass Detections (AST-062 to AST-069)
   reflect_apply_require: {

package/src/scanner/dataflow.js

@@ -40,13 +40,39 @@ const MODULE_SINK_METHODS = {
   ws: { send: 'network_send', write: 'network_send' },
   mqtt: { publish: 'network_send', send: 'network_send' },
   'socket.io-client': { emit: 'network_send', send: 'network_send' },
-  'socket.io': { emit: 'network_send', send: 'network_send' }
+  'socket.io': { emit: 'network_send', send: 'network_send' },
+  // audit DF-H1 v2.11.15: 2026 sinks with clean direct call patterns
+  undici: { request: 'network_send', fetch: 'network_send', stream: 'network_send' },
+  'graphql-request': { request: 'network_send', gql: 'network_send' },
+  '@apollo/client': { query: 'network_send', mutate: 'network_send' },
+  '@grpc/grpc-js': {
+    makeUnaryRequest: 'network_send',
+    makeClientStreamRequest: 'network_send',
+    makeServerStreamRequest: 'network_send',
+    makeBidiStreamRequest: 'network_send'
+  }
 };
 
-// All tracked module names (for filtering in buildTaintMap)
+// audit DF-H1 v2.11.15: 2026 exfil-prone modules. When imported, ANY call with a
+// credential/env source in the same file → suspicious_module_sink MEDIUM with
+// module attribution. Catches chained access (bot.telegram.sendMessage), dynamic
+// methods (actor.exfil), and SDK fluent APIs that direct method matching misses.
+const EXFIL_PRONE_MODULES = new Set([
+  'telegraf', 'node-telegram-bot-api',
+  'discord.js',
+  '@dfinity/agent',
+  'undici',
+  '@grpc/grpc-js',
+  '@apollo/client', 'graphql-request'
+]);
+
+// All tracked module names (for filtering in buildTaintMap). EXFIL_PRONE_MODULES
+// must be tracked even when not in MODULE_SINK_METHODS so buildTaintMap registers
+// them (e.g. require('telegraf') populates taintMap, enabling the heuristic).
 const TRACKED_MODULES = new Set([
   ...Object.keys(MODULE_SOURCE_METHODS),
-  ...Object.keys(MODULE_SINK_METHODS)
+  ...Object.keys(MODULE_SINK_METHODS),
+  ...EXFIL_PRONE_MODULES
 ]);
 
 // Methods that execute commands — used for exec result capture detection
@@ -805,7 +831,7 @@ function analyzeFile(content, filePath, basePath) {
             const envVar = node.property?.name || '';
             if (isSensitiveEnv(envVar)) {
               sources.push({
-                type: 'env_read',
+                type: isCredentialEnv(envVar) ? 'credential_env_read' : 'env_read',
                 name: envVar,
                 line: node.loc?.start?.line,
                 taint_tracked: true
@@ -831,7 +857,7 @@ function analyzeFile(content, filePath, basePath) {
         const envVar = node.property?.name || '';
         if (isSensitiveEnv(envVar)) {
           sources.push({
-            type: 'env_read',
+            type: isCredentialEnv(envVar) ? 'credential_env_read' : 'env_read',
             name: envVar,
             line: node.loc?.start?.line
           });
@@ -911,6 +937,29 @@ function analyzeFile(content, filePath, basePath) {
     });
   }
 
+  // audit DF-H1 v2.11.15: 2026 exfil-prone module heuristic.
+  // If any EXFIL_PRONE_MODULES (telegraf, discord.js, @dfinity/agent, undici, gRPC,
+  // GraphQL clients) is imported AND a credential/env_read source is present in
+  // the same file, emit suspicious_module_sink with module attribution. Catches
+  // chained access (bot.telegram.sendMessage) and dynamic methods (actor.exfil)
+  // that direct MODULE_SINK_METHODS matching cannot reach.
+  const exfilProneInScope = [];
+  for (const taint of taintMap.values()) {
+    if (taint && EXFIL_PRONE_MODULES.has(taint.source)) exfilProneInScope.push(taint.source);
+  }
+  if (exfilProneInScope.length > 0 &&
+      sources.some(s => s.type === 'env_read' || s.type === 'credential_env_read' || s.type === 'credential_read')) {
+    const moduleList = [...new Set(exfilProneInScope)].join(', ');
+    const firstSourceLine = sources.find(s => s.line)?.line || 0;
+    threats.push({
+      type: 'suspicious_module_sink',
+      severity: 'MEDIUM',
+      message: `Module exfil-prone 2026 (${moduleList}) avec credential/env source dans le meme fichier — canal d'exfiltration potentiel.`,
+      file: path.relative(basePath, filePath),
+      line: firstSourceLine
+    });
+  }
+
   // Detect staged payload: network fetch + eval in same file (no credential source needed)
   const hasNetworkSink = sinks.some(s => s.type === 'network_send' || s.type === 'exec_network');
   const hasEvalSink = sinks.some(s => s.type === 'eval_exec');
@@ -979,12 +1028,16 @@ function analyzeFile(content, filePath, basePath) {
     }
 
     // Graduation: HIGH → MEDIUM for env/telemetry-only sources (no credential file reads,
-    // no fingerprint reads, no command output). Distant env/telemetry → network_send
-    // is the dominant FP pattern (SDK/API usage, binary wrappers, config libraries).
-    // Real credential exfiltration uses credential_read or fingerprint_read sources.
+    // no fingerprint reads, no command output, no credential-tier env vars). Distant
+    // env/telemetry → network_send is the dominant FP pattern (SDK/API usage, binary
+    // wrappers, config libraries). Real credential exfiltration uses credential_read,
+    // fingerprint_read, or credential_env_read sources (audit 2026-05 DF-C4: NPM_TOKEN,
+    // GITHUB_TOKEN, AWS_SECRET_* now classified as credential_env_read upstream and
+    // retained at HIGH instead of downgrading to MEDIUM with the rest of env_read).
     if (severity === 'HIGH') {
       const hasHighRiskSource = sources.some(s =>
-        s.type === 'credential_read' || s.type === 'fingerprint_read' || s.type === 'command_output'
+        s.type === 'credential_read' || s.type === 'fingerprint_read' ||
+        s.type === 'command_output' || s.type === 'credential_env_read'
       );
       if (!hasHighRiskSource) {
         severity = 'MEDIUM';
@@ -1120,4 +1173,29 @@ function isSensitiveEnv(name) {
   return sensitive.some(s => upper.includes(s));
 }
 
+// Audit 2026-05 DF-C4: credential-tier env vars distinguished from generic env_read.
+// These represent authentication material (NPM_TOKEN, GITHUB_TOKEN, AWS_SECRET_ACCESS_KEY,
+// STRIPE_API_KEY etc.) — strictly narrower than isSensitiveEnv. Sources of this type
+// participate in hasHighRiskSource so credential exfil patterns are NOT downgraded by the
+// HIGH→MEDIUM graduation. System identity vars (HOME, USER) remain plain env_read since
+// they are fingerprinting signals, not credentials.
+const KNOWN_CREDENTIAL_ENV_VARS = new Set([
+  'NPM_TOKEN', 'GITHUB_TOKEN', 'GH_TOKEN', 'NODE_AUTH_TOKEN',
+  'CIRCLE_TOKEN', 'GITLAB_TOKEN', 'CARGO_REGISTRY_TOKEN', 'PYPI_TOKEN',
+  'GOOGLE_APPLICATION_CREDENTIALS', 'AZURE_CLIENT_SECRET',
+  'SENTRY_AUTH_TOKEN', 'NPM_AUTH_TOKEN', 'NPM_CONFIG_AUTHTOKEN'
+]);
+
+const CREDENTIAL_ENV_SUFFIX_RE = /(?:^|_)(?:TOKEN|SECRET|PASSWORD|PASSPHRASE|CREDENTIAL|CREDENTIALS|API_KEY|ACCESS_KEY|ACCESS_KEY_ID|SECRET_KEY|PRIVATE_KEY|SIGNING_KEY|SESSION_TOKEN|REFRESH_TOKEN|AUTH_TOKEN)$/;
+
+function isCredentialEnv(name) {
+  const upper = name.toUpperCase();
+  // System identity vars are fingerprinting, not credentials
+  if (SYSTEM_IDENTITY_ENVS.has(upper)) return false;
+  // Public keys are not credentials (e.g., SSH_PUBLIC_KEY, GPG_PUBLIC_KEY)
+  if (upper.includes('PUBLIC_KEY') || upper.includes('PUBKEY')) return false;
+  if (KNOWN_CREDENTIAL_ENV_VARS.has(upper)) return true;
+  return CREDENTIAL_ENV_SUFFIX_RE.test(upper);
+}
+
 module.exports = { analyzeDataFlow };

package/src/scanner/module-graph/build-graph.js

@@ -8,17 +8,30 @@ const { parseFile, isLocalImport, resolveLocal, toRel } = require('./parse-utils
 /**
  * Build a dependency graph of local modules within a package.
  * Only tracks local imports (./  ../) — node_modules are ignored.
+ *
+ * @param {string} packagePath
+ * @param {Object} [meta] - Optional out-param: mutated with { fileCount, truncated, maxNodes }
+ *                          so the caller can emit a `large_package_graph_truncated` threat
+ *                          when the package exceeds MAX_GRAPH_NODES (audit DF-C1).
  */
-function buildModuleGraph(packagePath) {
+function buildModuleGraph(packagePath, meta = {}) {
   const graph = {};
+  // maxFiles: 0 (unlimited) — we need the true count to detect monorepo / large package
+  // truncation. MAX_GRAPH_NODES below caps the AST work; MODULE_GRAPH_TIMEOUT_MS in
+  // executor.js bounds the wall-time (audit DF-C1).
   const files = findFiles(packagePath, {
     extensions: ['.js', '.mjs', '.cjs'],
     excludedDirs: EXCLUDED_DIRS,
+    maxFiles: 0,
   });
 
+  meta.fileCount = files.length;
+  meta.maxNodes = MAX_GRAPH_NODES;
+
   // Bounded path: skip module graph for very large packages
   if (files.length > MAX_GRAPH_NODES) {
     debugLog(`[MODULE-GRAPH] Skipping: ${files.length} files exceeds MAX_GRAPH_NODES (${MAX_GRAPH_NODES})`);
+    meta.truncated = true;
     return graph;
   }
 

package/src/scanner/module-graph/constants.js

@@ -3,7 +3,7 @@
 const { ACORN_OPTIONS: BASE_ACORN_OPTIONS } = require('../../shared/constants.js');
 
 // --- Bounded path limits ---
-const MAX_GRAPH_NODES = 100;  // Max files in dependency graph (covers ~86% of npm packages)
+const MAX_GRAPH_NODES = 5000; // Max files in dependency graph (covers ~99.5% of npm packages — audit DF-C1 v2.11.15)
 const MAX_GRAPH_EDGES = 400;  // Max total import edges
 const MAX_FLOWS = 20;         // Max cross-file flow findings per package
 const MAX_TAINT_DEPTH = 50;   // Max AST recursion depth (DoS guard)

package/src/scanner/monorepo.js

@@ -0,0 +1,104 @@
+'use strict';
+
+/**
+ * Monorepo Detection Scanner (audit 2026-05 MR-C1)
+ *
+ * Detects when the scan target is a monorepo root (Yarn/npm workspaces, pnpm,
+ * Lerna, Turbo). Emits ONE informational MEDIUM threat `monorepo_detected`
+ * so the user knows the score reflects an aggregated perimeter rather than a
+ * single package, and that per-workspace scanning is the correct strategy
+ * until full workspace-aware scoring lands (backlog v2.13).
+ *
+ * Detection precedence (manager priority on first match):
+ *   1. pnpm-workspace.yaml         → manager='pnpm'
+ *   2. lerna.json                  → manager='lerna'
+ *   3. turbo.json + pkg.workspaces → manager='turbo'
+ *   4. pkg.workspaces (array or {packages: [...]}) → manager='yarn' (also npm 8+)
+ *
+ * @param {string} targetPath
+ * @returns {Array} threats — empty if not a monorepo, one entry otherwise.
+ */
+
+const fs = require('fs');
+const path = require('path');
+
+function readJsonSafe(filePath) {
+  try {
+    return JSON.parse(fs.readFileSync(filePath, 'utf8'));
+  } catch {
+    return null;
+  }
+}
+
+function countYamlListEntries(filePath) {
+  try {
+    const content = fs.readFileSync(filePath, 'utf8');
+    const matches = content.match(/^\s*-\s+\S/gm);
+    return matches ? matches.length : 0;
+  } catch {
+    return 0;
+  }
+}
+
+function workspacesCount(workspaces) {
+  if (Array.isArray(workspaces)) return workspaces.length;
+  if (workspaces && typeof workspaces === 'object' && Array.isArray(workspaces.packages)) {
+    return workspaces.packages.length;
+  }
+  return 0;
+}
+
+function scanMonorepo(targetPath) {
+  const threats = [];
+
+  const pnpmWs = path.join(targetPath, 'pnpm-workspace.yaml');
+  const lernaJson = path.join(targetPath, 'lerna.json');
+  const turboJson = path.join(targetPath, 'turbo.json');
+  const pkgJson = path.join(targetPath, 'package.json');
+
+  let manager = null;
+  let manifest = 'package.json';
+  let workspaceCount = 0;
+
+  if (fs.existsSync(pnpmWs)) {
+    manager = 'pnpm';
+    manifest = 'pnpm-workspace.yaml';
+    workspaceCount = countYamlListEntries(pnpmWs);
+  } else if (fs.existsSync(lernaJson)) {
+    manager = 'lerna';
+    manifest = 'lerna.json';
+    const lerna = readJsonSafe(lernaJson);
+    workspaceCount = lerna && Array.isArray(lerna.packages) ? lerna.packages.length : 0;
+    if (workspaceCount === 0 && lerna && lerna.workspaces) {
+      workspaceCount = workspacesCount(lerna.workspaces);
+    }
+  } else {
+    const pkg = fs.existsSync(pkgJson) ? readJsonSafe(pkgJson) : null;
+    const wsCount = pkg && pkg.workspaces ? workspacesCount(pkg.workspaces) : 0;
+    if (fs.existsSync(turboJson) && wsCount > 0) {
+      manager = 'turbo';
+      manifest = 'turbo.json';
+      workspaceCount = wsCount;
+    } else if (wsCount > 0) {
+      manager = 'yarn';
+      manifest = 'package.json';
+      workspaceCount = wsCount;
+    }
+  }
+
+  if (!manager) return threats;
+
+  threats.push({
+    type: 'monorepo_detected',
+    severity: 'MEDIUM',
+    message: `Monorepo ${manager} detecte (${workspaceCount} workspace${workspaceCount > 1 ? 's' : ''}). Perimetre elargi — scanner chaque package independamment pour un verdict per-workspace.`,
+    file: manifest,
+    line: 0,
+    manager,
+    workspaceCount
+  });
+
+  return threats;
+}
+
+module.exports = { scanMonorepo };

package/src/scoring.js

@@ -126,7 +126,11 @@ const PACKAGE_LEVEL_TYPES = new Set([
   // intel-triage P1.3: stub-package detector closes ltidi gap (memory project_detection_gap_ltidi_chain)
   'stub_package_external_payload', 'stub_package_external_dep',
   // intel-triage P3.1 family compounds
-  'axios_family', 'stub_with_string_ioc'
+  'axios_family', 'stub_with_string_ioc',
+  // audit DF-C1: emitted when MAX_GRAPH_NODES exceeded so cross-file blind spot is visible in scoring
+  'large_package_graph_truncated',
+  // audit MR-C1: informational signal that the scan target is a monorepo root (per-workspace scoring TBD)
+  'monorepo_detected'
 ]);
 
 // ============================================
@@ -179,13 +183,11 @@ function isPackageLevelThreat(threat) {
  * @param {Array} threats - array of threat objects (after FP reductions)
  * @returns {number} score 0-100
  */
-// Hybrid v3 Phase 3: when enabled, threats tagged with replacedByCompound
-// (their compound has fired and represents their score) contribute 0 to the
-// group score. Avoids the additive double-count of compound + constituents.
-const _COMPOUND_REPLACE_ENABLED = () => process.env.MUADDIB_COMPOUND_REPLACE === '1';
-function _isReplacedByCompound(t) {
-  return _COMPOUND_REPLACE_ENABLED() && t.replacedByCompound;
-}
+// Hybrid v3 Phase 3: threats tagged with replacedByCompound (their compound has
+// fired and represents their score) contribute 0 to the group score. Avoids the
+// additive double-count of compound + constituents. Audit 2026-05 SC-C1: the
+// previous MUADDIB_COMPOUND_REPLACE env-var gate is removed — the tag posed by
+// applyCompoundBoosts is now honored unconditionally.
 
 function computeGroupScore(threats) {
   // Score decay default ON since v2.11.9 (FPR plan Chantier 1). Opt-out: MUADDIB_DECAY=0.
@@ -195,7 +197,7 @@ function computeGroupScore(threats) {
   let dataflowMediumPoints = 0;
 
   for (const t of threats) {
-    if (_isReplacedByCompound(t)) continue;
+    if (t.replacedByCompound) continue;
     const weight = _severityWeights[t.severity] || 0;
     const rule = getRule(t.type);
     const factor = CONFIDENCE_FACTORS[rule.confidence] || 1.0;
@@ -253,7 +255,7 @@ function computeGroupScoreDecay(threats) {
   const typeBuckets = new Map();
 
   for (const t of threats) {
-    if (_isReplacedByCompound(t)) continue;
+    if (t.replacedByCompound) continue;
     const weight = _severityWeights[t.severity] || 0;
     const rule = getRule(t.type);
     const factor = CONFIDENCE_FACTORS[rule.confidence] || 1.0;
@@ -299,7 +301,11 @@ const FP_COUNT_THRESHOLDS = {
   // Real malware uses 1-2 targeted Function() calls.
   dangerous_call_function: { maxCount: 5, to: 'LOW' },
   require_cache_poison: { maxCount: 3, from: 'CRITICAL', to: 'LOW' },
-  suspicious_dataflow: { maxCount: 3, to: 'LOW' },
+  // Audit 2026-05 SC-C2: floorEligible: true opts suspicious_dataflow into the
+  // dilution floor without adding a `from` constraint (which would block MEDIUM
+  // count-threshold downgrades). Restores 1 instance at original severity so an
+  // attacker can't dilute real exfil flows by injecting benign data flows.
+  suspicious_dataflow: { maxCount: 3, to: 'LOW', floorEligible: true },
   obfuscation_detected: { maxCount: 3, to: 'LOW' },
   module_compile_dynamic: { maxCount: 3, from: 'HIGH', to: 'LOW' },
   module_compile: { maxCount: 3, from: 'HIGH', to: 'LOW' },
@@ -318,8 +324,10 @@ const FP_COUNT_THRESHOLDS = {
   // P6: HTTP client libraries (undici, aws-sdk, nodemailer, jsdom) parse Authorization/Bearer headers
   // with 3+ credential regexes. Real harvesters use 1-2 targeted regexes.
   // Audit v3: removed `from` constraint — ALL severity levels downgraded when count > 2.
-  // This eliminates the dilution floor (floor requires `from` field) for complete suppression.
-  credential_regex_harvest: { maxCount: 2, to: 'LOW' },
+  // Audit 2026-05 SC-C2: floorEligible: true restores 1 instance at original
+  // severity. Without it an attacker injects 3+ benign header regexes (Authorization,
+  // Cookie, X-Forwarded-For) and downgrades all real exfil regexes to LOW.
+  credential_regex_harvest: { maxCount: 2, to: 'LOW', floorEligible: true },
   // P7→Audit v3: Config frameworks (pm2, nx, dotenv, aws-sdk, oclif) read 5+ env vars — not credential theft.
   // Real stealers access 1-4 targeted env vars. Count >4 = config loader pattern.
   // Lowered from 10→4 for better FP reduction. B5 network_sink_immunity protects genuine exfiltration.
@@ -1011,16 +1019,16 @@ function applyFPReductions(threats, reachableFiles, packageName, packageDeps, re
 
   // Dilution floor: retain at least one instance at original severity per type
   // to prevent complete count-threshold dilution by injected benign patterns.
-  // Only applies to types with low maxCount (≤3) and a severity constraint (from field),
-  // where injection of benign patterns is feasible. High-count types (dynamic_require,
-  // env_access) and unconstrained types (suspicious_dataflow) represent legitimate
-  // framework patterns and should allow full downgrade.
+  // Applies to types with low maxCount (≤3) AND either a `from` severity
+  // constraint OR an explicit `floorEligible: true` opt-in (audit 2026-05 SC-C2).
+  // High-count types (dynamic_require, env_access) represent legitimate framework
+  // patterns and remain ineligible (no floor → full downgrade allowed).
   const restoredTypes = new Set();
   for (const t of threats) {
     const lastReduction = t.reductions?.find(r => r.rule === 'count_threshold');
     if (lastReduction && !restoredTypes.has(t.type)) {
       const rule = FP_COUNT_THRESHOLDS[t.type];
-      if (rule && rule.from && rule.maxCount <= 3) {
+      if (rule && (rule.from || rule.floorEligible) && rule.maxCount <= 3) {
         t.severity = lastReduction.from;
         t.reductions = t.reductions.filter(r => r.rule !== 'count_threshold');
         t.reductions.push({ rule: 'count_threshold_floor', note: 'retained one instance at original severity' });