muaddib-scanner 2.11.36 → 2.11.37

package/bin/muaddib.js

@@ -56,6 +56,7 @@ let temporalPublishMode = false;
 let temporalMaintainerMode = false;
 let temporalFullMode = false;
 let breakdownMode = false;
+let domainFilter = null;  // P0a: --domain malware,author → filter output by risk domain
 let noDeobfuscate = false;
 let noModuleGraph = false;
 let noReachability = false;
@@ -146,6 +147,24 @@ for (let i = 0; i < options.length; i++) {
     temporalMaintainerMode = true;
   } else if (options[i] === '--breakdown') {
     breakdownMode = true;
+  } else if (options[i] === '--domain') {
+    // P0a: comma-separated list of risk domains to DISPLAY (filter only, not
+    // a score modifier). Valid values: malware, author, engineering,
+    // vulnerability, license, unknown. Example: --domain malware,author
+    const val = options[i + 1];
+    if (!val || val.startsWith('-')) {
+      console.error('[ERROR] --domain requires a comma-separated list (e.g. malware,author)');
+      process.exit(1);
+    }
+    const VALID = new Set(['malware', 'author', 'engineering', 'vulnerability', 'license', 'unknown']);
+    const parts = val.split(',').map(s => s.trim().toLowerCase()).filter(Boolean);
+    const invalid = parts.filter(p => !VALID.has(p));
+    if (invalid.length > 0) {
+      console.error('[ERROR] --domain invalid value(s): ' + invalid.join(',') + ' (valid: ' + Array.from(VALID).join('|') + ')');
+      process.exit(1);
+    }
+    domainFilter = parts;
+    i++;
   } else if (options[i] === '--no-deobfuscate') {
     noDeobfuscate = true;
   } else if (options[i] === '--no-module-graph') {
@@ -265,6 +284,7 @@ if (command === 'version' || command === '--version' || command === '-v') {
     exclude: excludeDirs,
     entropyThreshold: entropyThreshold,
     breakdown: breakdownMode,
+    domainFilter: domainFilter,
     noDeobfuscate: noDeobfuscate,
     noModuleGraph: noModuleGraph,
     noReachability: noReachability,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.11.36",
+  "version": "2.11.37",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/{self-scan-v2.11.36.json → self-scan-v2.11.37.json}

@@ -1,6 +1,6 @@
 {
   "target": "node_modules",
-  "timestamp": "2026-05-24T21:02:11.478Z",
+  "timestamp": "2026-05-24T21:28:43.647Z",
   "threats": [
     {
       "type": "string_mutation_obfuscation",
@@ -14,6 +14,7 @@
       "rule_id": "MUADDIB-AST-074",
       "rule_name": "String Mutation Obfuscation",
       "confidence": "high",
+      "domain": "malware",
       "references": [
         "https://attack.mitre.org/techniques/T1027/",
         "https://attack.mitre.org/techniques/T1140/"
@@ -34,6 +35,7 @@
       "rule_id": "MUADDIB-AST-074",
       "rule_name": "String Mutation Obfuscation",
       "confidence": "high",
+      "domain": "malware",
       "references": [
         "https://attack.mitre.org/techniques/T1027/",
         "https://attack.mitre.org/techniques/T1140/"
@@ -54,6 +56,7 @@
       "rule_id": "MUADDIB-AST-074",
       "rule_name": "String Mutation Obfuscation",
       "confidence": "high",
+      "domain": "malware",
       "references": [
         "https://attack.mitre.org/techniques/T1027/",
         "https://attack.mitre.org/techniques/T1140/"
@@ -74,6 +77,7 @@
       "rule_id": "MUADDIB-AST-074",
       "rule_name": "String Mutation Obfuscation",
       "confidence": "high",
+      "domain": "malware",
       "references": [
         "https://attack.mitre.org/techniques/T1027/",
         "https://attack.mitre.org/techniques/T1140/"
@@ -94,6 +98,7 @@
       "rule_id": "MUADDIB-AST-074",
       "rule_name": "String Mutation Obfuscation",
       "confidence": "high",
+      "domain": "malware",
       "references": [
         "https://attack.mitre.org/techniques/T1027/",
         "https://attack.mitre.org/techniques/T1140/"
@@ -114,6 +119,7 @@
       "rule_id": "MUADDIB-AST-074",
       "rule_name": "String Mutation Obfuscation",
       "confidence": "high",
+      "domain": "malware",
       "references": [
         "https://attack.mitre.org/techniques/T1027/",
         "https://attack.mitre.org/techniques/T1140/"
@@ -134,6 +140,7 @@
       "rule_id": "MUADDIB-AST-074",
       "rule_name": "String Mutation Obfuscation",
       "confidence": "high",
+      "domain": "malware",
       "references": [
         "https://attack.mitre.org/techniques/T1027/",
         "https://attack.mitre.org/techniques/T1140/"
@@ -154,6 +161,7 @@
       "rule_id": "MUADDIB-AST-075",
       "rule_name": "Module Internals Hijack",
       "confidence": "high",
+      "domain": "malware",
       "references": [
         "https://nodejs.org/api/modules.html",
         "https://attack.mitre.org/techniques/T1574.006/"
@@ -174,6 +182,7 @@
       "rule_id": "MUADDIB-AST-006",
       "rule_name": "Dynamic Require with Concatenation",
       "confidence": "high",
+      "domain": "malware",
       "references": [
         "https://attack.mitre.org/techniques/T1027/"
       ],
@@ -193,6 +202,7 @@
       "rule_id": "MUADDIB-AST-002",
       "rule_name": "Sensitive Environment Variable Access",
       "confidence": "high",
+      "domain": "malware",
       "references": [
         "https://blog.phylum.io/shai-hulud-npm-worm",
         "https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions"
@@ -213,6 +223,7 @@
       "rule_id": "MUADDIB-AST-006",
       "rule_name": "Dynamic Require with Concatenation",
       "confidence": "high",
+      "domain": "malware",
       "references": [
         "https://attack.mitre.org/techniques/T1027/"
       ],
@@ -232,6 +243,7 @@
       "rule_id": "MUADDIB-AST-006",
       "rule_name": "Dynamic Require with Concatenation",
       "confidence": "high",
+      "domain": "malware",
       "references": [
         "https://attack.mitre.org/techniques/T1027/"
       ],
@@ -251,6 +263,7 @@
       "rule_id": "MUADDIB-AST-019",
       "rule_name": "Require Cache Poisoning",
       "confidence": "high",
+      "domain": "malware",
       "references": [
         "https://attack.mitre.org/techniques/T1574/006/"
       ],
@@ -270,6 +283,7 @@
       "rule_id": "MUADDIB-AST-006",
       "rule_name": "Dynamic Require with Concatenation",
       "confidence": "high",
+      "domain": "malware",
       "references": [
         "https://attack.mitre.org/techniques/T1027/"
       ],
@@ -289,6 +303,7 @@
       "rule_id": "MUADDIB-AST-008",
       "rule_name": "Dynamic import() of Dangerous Module",
       "confidence": "high",
+      "domain": "malware",
       "references": [
         "https://attack.mitre.org/techniques/T1027/"
       ],
@@ -308,6 +323,7 @@
       "rule_id": "MUADDIB-AST-005",
       "rule_name": "new Function() Constructor",
       "confidence": "high",
+      "domain": "vulnerability",
       "references": [
         "https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function/Function"
       ],
@@ -327,6 +343,7 @@
       "rule_id": "MUADDIB-AST-074",
       "rule_name": "String Mutation Obfuscation",
       "confidence": "high",
+      "domain": "malware",
       "references": [
         "https://attack.mitre.org/techniques/T1027/",
         "https://attack.mitre.org/techniques/T1140/"
@@ -347,6 +364,7 @@
       "rule_id": "MUADDIB-AST-074",
       "rule_name": "String Mutation Obfuscation",
       "confidence": "high",
+      "domain": "malware",
       "references": [
         "https://attack.mitre.org/techniques/T1027/",
         "https://attack.mitre.org/techniques/T1140/"
@@ -367,6 +385,7 @@
       "rule_id": "MUADDIB-AST-008",
       "rule_name": "Dynamic import() of Dangerous Module",
       "confidence": "high",
+      "domain": "malware",
       "references": [
         "https://attack.mitre.org/techniques/T1027/"
       ],
@@ -386,6 +405,7 @@
       "rule_id": "MUADDIB-AST-019",
       "rule_name": "Require Cache Poisoning",
       "confidence": "high",
+      "domain": "malware",
       "references": [
         "https://attack.mitre.org/techniques/T1574/006/"
       ],
@@ -405,6 +425,7 @@
       "rule_id": "MUADDIB-AST-008",
       "rule_name": "Dynamic import() of Dangerous Module",
       "confidence": "high",
+      "domain": "malware",
       "references": [
         "https://attack.mitre.org/techniques/T1027/"
       ],
@@ -424,6 +445,7 @@
       "rule_id": "MUADDIB-AST-008",
       "rule_name": "Dynamic import() of Dangerous Module",
       "confidence": "high",
+      "domain": "malware",
       "references": [
         "https://attack.mitre.org/techniques/T1027/"
       ],
@@ -443,6 +465,7 @@
       "rule_id": "MUADDIB-AST-070",
       "rule_name": "Shared Memory IPC",
       "confidence": "medium",
+      "domain": "malware",
       "references": [
         "https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/SharedArrayBuffer",
         "https://attack.mitre.org/techniques/T1559/"
@@ -465,6 +488,7 @@
       "rule_id": "MUADDIB-AST-007",
       "rule_name": "Dangerous Shell Command Execution",
       "confidence": "high",
+      "domain": "malware",
       "references": [
         "https://owasp.org/www-community/attacks/Command_Injection"
       ],
@@ -486,6 +510,7 @@
       "rule_id": "MUADDIB-AST-007",
       "rule_name": "Dangerous Shell Command Execution",
       "confidence": "high",
+      "domain": "malware",
       "references": [
         "https://owasp.org/www-community/attacks/Command_Injection"
       ],
@@ -507,6 +532,7 @@
       "rule_id": "MUADDIB-AST-007",
       "rule_name": "Dangerous Shell Command Execution",
       "confidence": "high",
+      "domain": "malware",
       "references": [
         "https://owasp.org/www-community/attacks/Command_Injection"
       ],
@@ -528,6 +554,7 @@
       "rule_id": "MUADDIB-AST-007",
       "rule_name": "Dangerous Shell Command Execution",
       "confidence": "high",
+      "domain": "malware",
       "references": [
         "https://owasp.org/www-community/attacks/Command_Injection"
       ],
@@ -549,6 +576,7 @@
       "rule_id": "MUADDIB-AST-007",
       "rule_name": "Dangerous Shell Command Execution",
       "confidence": "high",
+      "domain": "malware",
       "references": [
         "https://owasp.org/www-community/attacks/Command_Injection"
       ],
@@ -570,6 +598,7 @@
       "rule_id": "MUADDIB-AST-007",
       "rule_name": "Dangerous Shell Command Execution",
       "confidence": "high",
+      "domain": "malware",
       "references": [
         "https://owasp.org/www-community/attacks/Command_Injection"
       ],
@@ -591,6 +620,7 @@
       "rule_id": "MUADDIB-AST-007",
       "rule_name": "Dangerous Shell Command Execution",
       "confidence": "high",
+      "domain": "malware",
       "references": [
         "https://owasp.org/www-community/attacks/Command_Injection"
       ],
@@ -612,6 +642,7 @@
       "rule_id": "MUADDIB-AST-007",
       "rule_name": "Dangerous Shell Command Execution",
       "confidence": "high",
+      "domain": "malware",
       "references": [
         "https://owasp.org/www-community/attacks/Command_Injection"
       ],
@@ -633,6 +664,7 @@
       "rule_id": "MUADDIB-AST-007",
       "rule_name": "Dangerous Shell Command Execution",
       "confidence": "high",
+      "domain": "malware",
       "references": [
         "https://owasp.org/www-community/attacks/Command_Injection"
       ],
@@ -654,6 +686,7 @@
       "rule_id": "MUADDIB-AST-007",
       "rule_name": "Dangerous Shell Command Execution",
       "confidence": "high",
+      "domain": "malware",
       "references": [
         "https://owasp.org/www-community/attacks/Command_Injection"
       ],
@@ -675,6 +708,7 @@
       "rule_id": "MUADDIB-AST-007",
       "rule_name": "Dangerous Shell Command Execution",
       "confidence": "high",
+      "domain": "malware",
       "references": [
         "https://owasp.org/www-community/attacks/Command_Injection"
       ],
@@ -696,6 +730,7 @@
       "rule_id": "MUADDIB-AST-007",
       "rule_name": "Dangerous Shell Command Execution",
       "confidence": "high",
+      "domain": "malware",
       "references": [
         "https://owasp.org/www-community/attacks/Command_Injection"
       ],
@@ -717,6 +752,7 @@
       "rule_id": "MUADDIB-AST-007",
       "rule_name": "Dangerous Shell Command Execution",
       "confidence": "high",
+      "domain": "malware",
       "references": [
         "https://owasp.org/www-community/attacks/Command_Injection"
       ],
@@ -738,6 +774,7 @@
       "rule_id": "MUADDIB-AST-007",
       "rule_name": "Dangerous Shell Command Execution",
       "confidence": "high",
+      "domain": "malware",
       "references": [
         "https://owasp.org/www-community/attacks/Command_Injection"
       ],
@@ -759,6 +796,7 @@
       "rule_id": "MUADDIB-AST-007",
       "rule_name": "Dangerous Shell Command Execution",
       "confidence": "high",
+      "domain": "malware",
       "references": [
         "https://owasp.org/www-community/attacks/Command_Injection"
       ],
@@ -780,6 +818,7 @@
       "rule_id": "MUADDIB-AST-007",
       "rule_name": "Dangerous Shell Command Execution",
       "confidence": "high",
+      "domain": "malware",
       "references": [
         "https://owasp.org/www-community/attacks/Command_Injection"
       ],
@@ -801,6 +840,7 @@
       "rule_id": "MUADDIB-AST-007",
       "rule_name": "Dangerous Shell Command Execution",
       "confidence": "high",
+      "domain": "malware",
       "references": [
         "https://owasp.org/www-community/attacks/Command_Injection"
       ],
@@ -822,6 +862,7 @@
       "rule_id": "MUADDIB-AST-007",
       "rule_name": "Dangerous Shell Command Execution",
       "confidence": "high",
+      "domain": "malware",
       "references": [
         "https://owasp.org/www-community/attacks/Command_Injection"
       ],
@@ -847,6 +888,7 @@
       "rule_id": "MUADDIB-ENTROPY-001",
       "rule_name": "High Entropy String",
       "confidence": "medium",
+      "domain": "malware",
       "references": [
         "https://attack.mitre.org/techniques/T1027/"
       ],
@@ -872,6 +914,7 @@
       "rule_id": "MUADDIB-ENTROPY-001",
       "rule_name": "High Entropy String",
       "confidence": "medium",
+      "domain": "malware",
       "references": [
         "https://attack.mitre.org/techniques/T1027/"
       ],
@@ -897,6 +940,7 @@
       "rule_id": "MUADDIB-ENTROPY-001",
       "rule_name": "High Entropy String",
       "confidence": "medium",
+      "domain": "malware",
       "references": [
         "https://attack.mitre.org/techniques/T1027/"
       ],
@@ -922,6 +966,7 @@
       "rule_id": "MUADDIB-ENTROPY-001",
       "rule_name": "High Entropy String",
       "confidence": "medium",
+      "domain": "malware",
       "references": [
         "https://attack.mitre.org/techniques/T1027/"
       ],
@@ -947,6 +992,7 @@
       "rule_id": "MUADDIB-ENTROPY-001",
       "rule_name": "High Entropy String",
       "confidence": "medium",
+      "domain": "malware",
       "references": [
         "https://attack.mitre.org/techniques/T1027/"
       ],
@@ -972,6 +1018,7 @@
       "rule_id": "MUADDIB-ENTROPY-001",
       "rule_name": "High Entropy String",
       "confidence": "medium",
+      "domain": "malware",
       "references": [
         "https://attack.mitre.org/techniques/T1027/"
       ],
@@ -997,6 +1044,7 @@
       "rule_id": "MUADDIB-ENTROPY-001",
       "rule_name": "High Entropy String",
       "confidence": "medium",
+      "domain": "malware",
       "references": [
         "https://attack.mitre.org/techniques/T1027/"
       ],
@@ -1022,6 +1070,7 @@
       "rule_id": "MUADDIB-ENTROPY-001",
       "rule_name": "High Entropy String",
       "confidence": "medium",
+      "domain": "malware",
       "references": [
         "https://attack.mitre.org/techniques/T1027/"
       ],
@@ -1047,6 +1096,7 @@
       "rule_id": "MUADDIB-ENTROPY-001",
       "rule_name": "High Entropy String",
       "confidence": "medium",
+      "domain": "malware",
       "references": [
         "https://attack.mitre.org/techniques/T1027/"
       ],

package/src/output/formatter.js

@@ -1,6 +1,17 @@
 const { saveReport } = require('../report.js');
 const { saveSARIF } = require('../sarif.js');
 const { getPlaybook } = require('../response/playbooks.js');
+const { DOMAIN_CODES, getRuleDomain } = require('../rules/index.js');
+
+// P0a — domain tag formatter for CLI text output.
+// Returns a bracketed 3-letter code like "[MAL]" / "[AUT]" / "[ENG]" / "[VUL]"
+// to display next to the severity prefix. Resolves the domain from the threat
+// type if not already set on the threat object (defense in depth).
+function domainTag(threat) {
+  const d = (threat && threat.domain) || (threat && threat.type ? getRuleDomain(threat.type) : 'malware');
+  const code = DOMAIN_CODES[d] || 'UNK';
+  return '[' + code + ']';
+}
 
 /**
  * Format and print scan output in the requested format.
@@ -85,8 +96,9 @@ function formatOutput(result, options, ctx) {
       enrichedThreats.forEach((t, i) => {
         console.log(`━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━`);
         const countStr = t.count > 1 ? ` (x${t.count})` : '';
-        console.log(`  ${i + 1}. [${t.severity}] ${t.rule_name}${countStr}`);
+        console.log(`  ${i + 1}. [${t.severity}] ${domainTag(t)} ${t.rule_name}${countStr}`);
         console.log(`     Rule ID:    ${t.rule_id}`);
+        console.log(`     Domain:     ${t.domain || getRuleDomain(t.type)}`);
         console.log(`     File:       ${t.file}`);
         if (t.line) console.log(`     Line:       ${t.line}`);
         console.log(`     Confidence: ${t.confidence}`);
@@ -162,14 +174,28 @@ function formatOutput(result, options, ctx) {
       // clutter the output on monorepos. Show with --verbose. Scoring, JSON,
       // SARIF, and HTML output are unaffected — this is display-only.
       const hiddenCount = options.verbose ? 0 : deduped.filter(t => t.degraded && t.severity === 'LOW').length;
-      const displayThreats = options.verbose ? deduped : deduped.filter(t => !(t.degraded && t.severity === 'LOW'));
+      let displayThreats = options.verbose ? deduped : deduped.filter(t => !(t.degraded && t.severity === 'LOW'));
+      // P0a — --domain filter is DISPLAY ONLY. Score/exit code are computed
+      // from the full set; this only narrows the printed threats. Allows
+      // workflows like "show me only author-risk threats" without changing
+      // the underlying alert level.
+      let domainFilteredOut = 0;
+      if (Array.isArray(options.domainFilter) && options.domainFilter.length > 0) {
+        const allowed = new Set(options.domainFilter);
+        const before = displayThreats.length;
+        displayThreats = displayThreats.filter(t => {
+          const d = t.domain || getRuleDomain(t.type);
+          return allowed.has(d);
+        });
+        domainFilteredOut = before - displayThreats.length;
+      }
       if (displayThreats.length === 0 && hiddenCount > 0) {
         console.log(`[OK] No high-confidence threats detected (${hiddenCount} low-confidence signal(s) hidden, use --verbose to show).\n`);
       } else {
         console.log(`[ALERT] ${displayThreats.length} threat(s) detected:\n`);
         displayThreats.forEach((t, i) => {
           const countStr = t.count > 1 ? ` (x${t.count})` : '';
-          console.log(`  ${i + 1}. [${t.severity}] ${t.type}${countStr}`);
+          console.log(`  ${i + 1}. [${t.severity}] ${domainTag(t)} ${t.type}${countStr}`);
           console.log(`     ${t.message}`);
           console.log(`     File: ${t.file}`);
           const playbook = getPlaybook(t.type);
@@ -181,6 +207,9 @@ function formatOutput(result, options, ctx) {
         if (hiddenCount > 0) {
           console.log(`  + ${hiddenCount} low-confidence signal(s) hidden (use --verbose to show)\n`);
         }
+        if (domainFilteredOut > 0) {
+          console.log(`  + ${domainFilteredOut} threat(s) hidden by --domain filter (score unchanged)\n`);
+        }
       }
     }
 

package/src/output/report.js

@@ -1,12 +1,39 @@
 const fs = require('fs');
 const { escapeHtml } = require('../utils.js');
+const { DOMAIN_CODES, getRuleDomain } = require('../rules/index.js');
+
+// P0a — color palette for risk domain badges in the HTML report.
+const DOMAIN_COLORS = {
+  malware: '#e94560',        // red — top threat
+  author: '#ff6b35',         // orange — identity/maintainer issues
+  engineering: '#f9c74f',    // yellow — quality/hygiene
+  vulnerability: '#9b59b6',  // purple — CWE-class defects
+  license: '#4ecdc4',        // cyan — reserved
+  unknown: '#888888'         // gray — fallback
+};
+
+function domainBadge(threat) {
+  const d = (threat && threat.domain) || (threat && threat.type ? getRuleDomain(threat.type) : 'malware');
+  const code = DOMAIN_CODES[d] || 'UNK';
+  const color = DOMAIN_COLORS[d] || DOMAIN_COLORS.unknown;
+  return `<span class="domain-badge" style="background:${color};color:#fff;padding:2px 8px;border-radius:3px;font-size:11px;font-weight:bold;">${escapeHtml(code)}</span>`;
+}
 
 function generateHTML(results) {
   const { target, timestamp, threats, summary } = results;
 
+  // P0a — Risk by Domain breakdown
+  const domainCounts = { malware: 0, author: 0, engineering: 0, vulnerability: 0, license: 0, unknown: 0 };
+  for (const t of threats) {
+    const d = t.domain || getRuleDomain(t.type);
+    if (domainCounts[d] !== undefined) domainCounts[d]++;
+    else domainCounts.unknown++;
+  }
+
   const threatRows = threats.map(t => `
     <tr class="${escapeHtml(t.severity).toLowerCase()}">
       <td>${escapeHtml(t.severity)}</td>
+      <td>${domainBadge(t)}</td>
       <td>${escapeHtml(t.type)}</td>
       <td>${escapeHtml(t.message)}</td>
       <td>${escapeHtml(t.file)}</td>
@@ -142,10 +169,23 @@ function generateHTML(results) {
     </div>
 
     ${threats.length > 0 ? `
+    <div class="domain-breakdown" style="background:#16213e;padding:20px;border-radius:8px;margin:20px 0;">
+      <h3 style="color:#e94560;margin-top:0;">Risk by Domain</h3>
+      <div style="display:flex;gap:12px;flex-wrap:wrap;">
+        ${Object.entries(domainCounts).filter(([, n]) => n > 0).map(([d, n]) => `
+          <div style="background:${DOMAIN_COLORS[d]};color:#fff;padding:8px 14px;border-radius:6px;min-width:90px;">
+            <div style="font-size:11px;opacity:0.8;">${escapeHtml(DOMAIN_CODES[d])}</div>
+            <div style="font-size:22px;font-weight:bold;">${n}</div>
+            <div style="font-size:11px;opacity:0.8;text-transform:capitalize;">${escapeHtml(d)}</div>
+          </div>
+        `).join('')}
+      </div>
+    </div>
     <table>
       <thead>
         <tr>
           <th>Severity</th>
+          <th>Domain</th>
           <th>Type</th>
           <th>Message</th>
           <th>File</th>

package/src/output/sarif.js

@@ -1,6 +1,6 @@
 const fs = require('fs');
 const path = require('path');
-const { RULES } = require('../rules/index.js');
+const { RULES, getRuleDomain } = require('../rules/index.js');
 
 const pkgVersion = (() => {
   try {
@@ -26,7 +26,7 @@ function generateSARIF(results) {
             name: 'MUADDIB',
             version: pkgVersion,
             informationUri: 'https://github.com/DNSZLSK/muad-dib',
-            rules: Object.values(RULES).map(rule => ({
+            rules: Object.entries(RULES).map(([type, rule]) => ({
               id: rule.id,
               name: rule.name,
               shortDescription: { text: rule.description },
@@ -35,7 +35,10 @@ function generateSARIF(results) {
               properties: {
                 severity: rule.severity,
                 confidence: rule.confidence,
-                mitre: rule.mitre
+                mitre: rule.mitre,
+                // P0a — Risk Domains taxonomy. Either set explicitly on the rule
+                // or resolved via getRuleDomain default (currently 'malware').
+                risk_domain: getRuleDomain(type)
               }
             }))
           }
@@ -66,7 +69,9 @@ function generateSARIF(results) {
           ],
           properties: {
             confidence: threat.confidence,
-            mitre: threat.mitre
+            mitre: threat.mitre,
+            // P0a — per-result risk domain (resolved from threat.type).
+            risk_domain: getRuleDomain(threat.type)
           }
         }))
       }

package/src/pipeline/processor.js

@@ -1,6 +1,6 @@
 const fs = require('fs');
 const path = require('path');
-const { getRule } = require('../rules/index.js');
+const { getRule, getRuleDomain } = require('../rules/index.js');
 const { getPlaybook } = require('../response/playbooks.js');
 const { computeReachableFiles, computeReachableFunctions } = require('../scanner/reachability.js');
 const { applyFPReductions, applyCompoundBoosts, calculateRiskScore, getSeverityWeights, applyContextualFPCaps, applySingleFireCriticalFloor, applyReputationFactor, applyMatureStableCap, applySandboxVerdict, applyDeltaMultiplier } = require('../scoring.js');
@@ -399,6 +399,10 @@ async function process(threats, targetPath, options, pythonDeps, warnings, scann
       rule_name: rule.name || t.type,
       confidence: rule.confidence || 'medium',
       confidenceTier: t.confidenceTier || 'medium',
+      // P0a — Risk Domains taxonomy (inspired by Phylum's 5-domain model).
+      // Lets downstream tooling filter by risk category (malware/author/
+      // engineering/vulnerability/license) without re-mapping threat types.
+      domain: getRuleDomain(t.type),
       references: rule.references || [],
       mitre: t.mitre || rule.mitre,
       playbook: getPlaybook(t.type),