muaddib-scanner 2.11.4 → 2.11.7

package/src/rules/confidence-tiers.js

@@ -0,0 +1,187 @@
+/**
+ * FPR plan Chantier 6 - multi-tier confidence classification.
+ *
+ * Socket and Endor distinguish "AI-detected potential" from "Known Malware"
+ * (post-revue) ; muad-dib has only severity (CRITICAL/HIGH/MEDIUM/LOW), which
+ * collapses two very different signals - a deterministic IOC match and a
+ * heuristic obfuscation guess - into the same bucket. This module adds a
+ * second dimension : confidenceTier in {verified, high, medium, low}.
+ *
+ * Tier semantics :
+ *
+ *   - verified : the threat is observed against a known-malicious artifact
+ *     (IOC match, known hash, known package, Shai-Hulud marker). Zero
+ *     residual doubt ; never decays through any FP-reduction path.
+ *
+ *   - high : compound or co-occurrence evidence, intent-graph proven flows,
+ *     HIGH_CONFIDENCE_MALICE_TYPES. Multi-signal correlation that no benign
+ *     pattern reproduces ; manual review almost always confirms.
+ *
+ *   - medium : a single deterministic rule fires (eval, dangerous_exec,
+ *     dynamic_require). Sometimes legitimate (build tools, plugin loaders)
+ *     so the FP rate is non-trivial but the signal is exact when triggered.
+ *
+ *   - low : heuristic (possible_obfuscation, high_entropy_string), count-
+ *     based (>N occurrences of a type), or a single sensitive-string match.
+ *     Useful for triage but should not drive automated alerts.
+ *
+ * Output filtering : the CLI shows verified+high by default. JSON / SARIF
+ * always include all tiers (no information loss). The evaluate.js corpus
+ * reports two FPR numbers : "FPR all" (status quo) and "FPR perceived"
+ * (verified + high only) - the latter is the metric Socket / Endor publish.
+ */
+
+'use strict';
+
+const { HIGH_CONFIDENCE_MALICE_TYPES } = require('../monitor/classify.js');
+
+// ---------------------------------------------------------------------------
+// Type-to-tier mapping. Each set is mutually exclusive ; a threat type that
+// appears in VERIFIED never appears in HIGH, etc. Order of evaluation is
+// VERIFIED > HIGH > LOW > (default by severity).
+// ---------------------------------------------------------------------------
+
+// Deterministic match against a known artifact - never decays.
+const VERIFIED_TYPES = new Set([
+  'ioc_match',
+  'ioc_string_match',
+  'known_malicious_hash',
+  'known_malicious_package',
+  'pypi_malicious_package',
+  'shai_hulud_marker',
+  'dependency_ioc_match'
+]);
+
+// Multi-signal compound evidence + proven flows. These are unambiguous when
+// they fire because each requires multiple correlated signals or a static
+// dataflow proof. The set extends HIGH_CONFIDENCE_MALICE_TYPES with intent
+// graph results and the scoring compound types.
+const HIGH_TIER_EXTRA = new Set([
+  // Intent graph (intra-file dataflow proven)
+  'intent_credential_exfil',
+  'intent_command_exfil',
+  // Scoring compounds (require co-occurrence)
+  'crypto_staged_payload',
+  'lifecycle_typosquat',
+  'lifecycle_inline_exec',
+  'lifecycle_remote_require',
+  'lifecycle_dataflow',
+  'lifecycle_dangerous_exec',
+  'obfuscated_lifecycle_env',
+  'lifecycle_file_exec',
+  // Cross-file proven dataflow
+  'cross_file_dataflow',
+  // Single-fire critical types from classify.js
+  'reverse_shell',
+  'fetch_decrypt_exec',
+  'download_exec_binary',
+  'staged_eval_decode',
+  'function_constructor_require',
+  'self_destruct_eval',
+  'curl_env_exfil',
+  'function_runtime_args',
+  'external_tarball_dep',
+  // Worm propagation patterns
+  'node_modules_write',
+  'npm_publish_worm',
+  // Sandbox correlated signals
+  'sandbox_network_after_sensitive_read',
+  'sandbox_known_exfil_domain',
+  'canary_exfiltration',
+  // Known-bad lifecycle anomalies
+  'lifecycle_added_critical',
+  'systemd_persistence',
+  'npm_token_steal',
+  'root_filesystem_wipe',
+  'proc_mem_scan',
+  'trusted_new_unknown_dependency',
+  'newsletter_auto_follow',
+  // Anti-forensic signatures
+  'anti_forensic_xor_autodelete',
+  'detached_credential_exfil',
+  // Workflow injection
+  'workflow_write'
+]);
+
+// Heuristic / count-based / weak-signal types. Always low tier regardless
+// of severity to honor the plan's metric definition. If the same threat is
+// also in VERIFIED or HIGH it does not reach this set - the order of checks
+// in getConfidenceTier prevents that.
+const LOW_TIER_TYPES = new Set([
+  'possible_obfuscation',
+  'sensitive_string',
+  'high_entropy_string',
+  'large_string_array',
+  'string_mutation_obfuscation',
+  'js_obfuscation_pattern'
+]);
+
+/**
+ * Resolve the confidence tier of a threat. Pure function : takes only the
+ * fields we care about so it can be unit-tested without a full threat shape.
+ *
+ *   - threatType : the threat.type string (required).
+ *   - severity   : 'CRITICAL' | 'HIGH' | 'MEDIUM' | 'LOW'. Used as the fallback
+ *                  signal when the type is not classified explicitly.
+ *   - flags      : optional { isCountDowngrade, isUnreachable } extra hints.
+ *                  isCountDowngrade=true forces the threat to LOW even if its
+ *                  type would otherwise be MEDIUM (count thresholds typically
+ *                  signal benign frameworks). isUnreachable=true forces LOW
+ *                  (dead-code findings carry no execution risk).
+ */
+function getConfidenceTier(threatType, severity, flags) {
+  if (typeof threatType !== 'string' || threatType.length === 0) return 'low';
+  if (VERIFIED_TYPES.has(threatType)) return 'verified';
+  if (HIGH_TIER_EXTRA.has(threatType)) return 'high';
+  if (HIGH_CONFIDENCE_MALICE_TYPES.has(threatType)) return 'high';
+  if (LOW_TIER_TYPES.has(threatType)) return 'low';
+
+  if (flags) {
+    if (flags.isCountDowngrade) return 'low';
+    if (flags.isUnreachable) return 'low';
+  }
+
+  // Fall back to severity. CRITICAL/HIGH single-rule heuristics get medium ;
+  // MEDIUM/LOW heuristics get low.
+  if (severity === 'CRITICAL' || severity === 'HIGH') return 'medium';
+  return 'low';
+}
+
+/**
+ * Decorate a threats array in place with t.confidenceTier. Idempotent :
+ * threats already carrying a tier are not overwritten so callers can fix up
+ * specific findings before this is invoked.
+ */
+function annotateConfidenceTiers(threats) {
+  if (!Array.isArray(threats)) return 0;
+  let annotated = 0;
+  for (const t of threats) {
+    if (!t || typeof t !== 'object') continue;
+    if (typeof t.confidenceTier === 'string' && t.confidenceTier.length > 0) continue;
+    const isCountDowngrade = Array.isArray(t.reductions) &&
+      t.reductions.some(r => r && /count|threshold/.test(r.rule || ''));
+    const isUnreachable = t.unreachable === true || !!t.unreachableFunction;
+    t.confidenceTier = getConfidenceTier(t.type, t.severity, {
+      isCountDowngrade,
+      isUnreachable
+    });
+    annotated++;
+  }
+  return annotated;
+}
+
+const TIER_ORDER = { verified: 4, high: 3, medium: 2, low: 1 };
+
+function tierAtLeast(tier, minTier) {
+  return (TIER_ORDER[tier] || 0) >= (TIER_ORDER[minTier] || 0);
+}
+
+module.exports = {
+  getConfidenceTier,
+  annotateConfidenceTiers,
+  tierAtLeast,
+  VERIFIED_TYPES,
+  HIGH_TIER_EXTRA,
+  LOW_TIER_TYPES,
+  TIER_ORDER
+};

package/src/rules/index.js

@@ -261,6 +261,18 @@ const RULES = {
     ],
     mitre: 'T1195.002'
   },
+  staged_remote_loader: {
+    id: 'MUADDIB-COMPOUND-012',
+    name: 'Staged Remote Loader (Function.constructor + shadowed process)',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Compound: new Function.constructor("require", body) co-occurs with `const process = {...}` shadowing in the same file. Pattern observed in the chai-* / poxios-chain / express-guardrail / justenv campaign (semaine 2026-05-04 a 2026-05-09): fork de pino avec caller.js qui decode une URL base64 (jsonkeeper.com), fetch le payload distant via axios, et l\'execute via Function.constructor en passant require comme parametre. Le tarball npm ne contient aucun code malveillant statique — la charge utile est externalisee sur un pastebin.',
+    references: [
+      'project_detection_gap_chai_staged_loader memory entry',
+      'data/security-review-2026-05-04-10.md'
+    ],
+    mitre: 'T1059.007'
+  },
   lifecycle_script_dependency: {
     id: 'MUADDIB-DEP-004',
     name: 'Lifecycle Script in Dependency',
@@ -1117,6 +1129,81 @@ const RULES = {
     mitre: 'T1041'
   },
 
+  // Honey-trap and 2026 supply chain runtime signals
+  sandbox_honey_read: {
+    id: 'MUADDIB-SANDBOX-017',
+    name: 'Sandbox: Honeypot Decoy File Read',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Le package lit un fichier decoy de credentials plante par la sandbox (.npmrc-decoy, .ssh/id_rsa-decoy, wallet decoy, etc.). Aucun outil legitime ne lit ces chemins. Capture les zero-days qui scannent aveuglement les chemins de credentials connus.',
+    references: [
+      'https://attack.mitre.org/techniques/T1552/001/',
+      'https://blog.phylum.io/shai-hulud-npm-worm'
+    ],
+    mitre: 'T1552.001'
+  },
+  sandbox_credential_target_read: {
+    id: 'MUADDIB-SANDBOX-018',
+    name: 'Sandbox: Credential Target File Read',
+    severity: 'HIGH',
+    confidence: 'high',
+    description: 'Le package lit un fichier de credentials cible des malwares 2026 (cloud creds, wallets, browser data, GPG, kubernetes config). Pattern PhantomRaven, Shai-Hulud.',
+    references: [
+      'https://attack.mitre.org/techniques/T1552/001/',
+      'https://attack.mitre.org/techniques/T1555/'
+    ],
+    mitre: 'T1555'
+  },
+  sandbox_persistence_write: {
+    id: 'MUADDIB-SANDBOX-019',
+    name: 'Sandbox: Persistence File Write',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Le package ecrit dans un emplacement de persistance (.bashrc, .zshrc, autostart, cron, systemd user, LaunchAgents, registry Run keys). Aucun cas legitime en npm install.',
+    references: [
+      'https://attack.mitre.org/techniques/T1547/',
+      'https://attack.mitre.org/techniques/T1546/004/'
+    ],
+    mitre: 'T1547'
+  },
+  sandbox_execve_chain_depth: {
+    id: 'MUADDIB-SANDBOX-020',
+    name: 'Sandbox: Suspicious Execve Chain Depth',
+    severity: 'HIGH',
+    confidence: 'medium',
+    description: 'Chaine de processus depuis npm install au-dela de la profondeur attendue (npm install -> script -> binaire externe). Pattern Shai-Hulud preinstall worm avec curl/wget/bash final.',
+    references: [
+      'https://unit42.paloaltonetworks.com/npm-supply-chain-attack/',
+      'https://attack.mitre.org/techniques/T1059/'
+    ],
+    mitre: 'T1059'
+  },
+  sandbox_npm_self_invoke: {
+    id: 'MUADDIB-SANDBOX-021',
+    name: 'Sandbox: npm CLI Self-Invocation',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    description: 'Le package invoque npm publish/deprecate/owner/token/access (ou yarn publish) depuis l\'arborescence npm install. Pattern CanisterWorm self-propagation. Aucun cas legitime.',
+    references: [
+      'https://www.stepsecurity.io/blog/canisterworm-how-a-self-propagating-npm-worm-is-spreading-backdoors-across-the-ecosystem/',
+      'https://attack.mitre.org/techniques/T1195.002/'
+    ],
+    mitre: 'T1195.002'
+  },
+  sandbox_runtime_deobfuscation_executed: {
+    id: 'MUADDIB-SANDBOX-022',
+    name: 'Sandbox: Runtime Deobfuscation Executed',
+    severity: 'HIGH',
+    confidence: 'high',
+    description: 'new Function() ou eval() execute avec un body de plus de 500 octets, derive d\'une string source obfusquee (high entropy ou taille >1KB). Pattern Axios 2026 OrDeR_7077: XOR + base64 decoded at runtime then executed.',
+    references: [
+      'https://snyk.io/blog/axios-npm-package-compromised-supply-chain-attack-delivers-cross-platform/',
+      'https://attack.mitre.org/techniques/T1027/',
+      'https://attack.mitre.org/techniques/T1059.007/'
+    ],
+    mitre: 'T1027'
+  },
+
   // Entropy detections
   high_entropy_string: {
     id: 'MUADDIB-ENTROPY-001',
@@ -1723,7 +1810,7 @@ const RULES = {
   },
   dangerous_constructor: {
     id: 'MUADDIB-AST-057',
-    name: 'Prototype Chain Constructor Access',
+    name: 'AsyncFunction/GeneratorFunction Constructor via Prototype Chain',
     severity: 'CRITICAL',
     confidence: 'high',
     description: 'Acces au constructeur AsyncFunction ou GeneratorFunction via Object.getPrototypeOf(). Technique d\'evasion permettant d\'executer du code arbitraire sans reference directe a eval() ou Function().',
@@ -2237,7 +2324,7 @@ const RULES = {
   },
   prototype_chain_constructor: {
     id: 'MUADDIB-AST-081',
-    name: 'Prototype Chain Constructor Access',
+    name: 'Prototype Chain Constructor Access via Variable',
     severity: 'CRITICAL',
     confidence: 'high',
     description: 'Object.getPrototypeOf(variable).constructor extrait dans une variable — traversee de la chaine de prototypes pour atteindre le constructeur Function et executer du code arbitraire.',

package/src/runtime/monitor-feed.js

@@ -0,0 +1,241 @@
+'use strict';
+
+/**
+ * monitor-feed.js — Aggregator for /monitor HTTP endpoints.
+ *
+ * Reads the same persistent files the monitor writes to data/ and exposes
+ * three views consumed by muad-api -> muad-front:
+ *   - buildMonitorDaily()         today's stats from daily-stats.json
+ *   - buildMonitorWindow(range)   per-day rollup from scan-stats.json
+ *   - buildMonitorAll()           all-time totals + detection breakdown
+ *
+ * Defensive: every read is wrapped — missing files yield zeros, never throws.
+ */
+
+const fs = require('fs');
+const path = require('path');
+
+const {
+  DAILY_STATS_FILE,
+  SCAN_STATS_FILE,
+  STATE_FILE,
+  LAST_DAILY_REPORT_FILE,
+  loadScanStats,
+  loadStateRaw,
+  loadLastDailyReportDate,
+  getDetectionStats,
+  getParisDateString
+} = require('../monitor/state.js');
+
+const pkg = require('../../package.json');
+
+const SUPPORTED_RANGES = new Set(['7d', '30d', 'all']);
+const RANGE_DAYS = { '7d': 7, '30d': 30 };
+
+function safeReadJson(file) {
+  try {
+    if (!fs.existsSync(file)) return null;
+    const raw = fs.readFileSync(file, 'utf8');
+    return JSON.parse(raw);
+  } catch {
+    return null;
+  }
+}
+
+function emptyToday(date) {
+  return {
+    date,
+    scanned: 0,
+    clean: 0,
+    suspect: 0,
+    suspectByTier: { t1: 0, t1a: 0, t1b: 0, t2: 0, t3: 0 },
+    errors: 0,
+    errorsByType: { too_large: 0, tar_failed: 0, http_error: 0, timeout: 0, static_timeout: 0, other: 0 },
+    totalTimeMs: 0,
+    mlFiltered: 0,
+    llmAnalyzed: 0,
+    llmSuppressed: 0,
+    changesStreamPackages: 0
+  };
+}
+
+function readToday() {
+  const date = getParisDateString();
+  const data = safeReadJson(DAILY_STATS_FILE);
+  if (!data || typeof data.scanned !== 'number') return emptyToday(date);
+  return {
+    date,
+    scanned: data.scanned || 0,
+    clean: data.clean || 0,
+    suspect: data.suspect || 0,
+    suspectByTier: {
+      t1: (data.suspectByTier && data.suspectByTier.t1) || 0,
+      t1a: (data.suspectByTier && data.suspectByTier.t1a) || 0,
+      t1b: (data.suspectByTier && data.suspectByTier.t1b) || 0,
+      t2: (data.suspectByTier && data.suspectByTier.t2) || 0,
+      t3: (data.suspectByTier && data.suspectByTier.t3) || 0
+    },
+    errors: data.errors || 0,
+    errorsByType: {
+      too_large: (data.errorsByType && data.errorsByType.too_large) || 0,
+      tar_failed: (data.errorsByType && data.errorsByType.tar_failed) || 0,
+      http_error: (data.errorsByType && data.errorsByType.http_error) || 0,
+      timeout: (data.errorsByType && data.errorsByType.timeout) || 0,
+      static_timeout: (data.errorsByType && data.errorsByType.static_timeout) || 0,
+      other: (data.errorsByType && data.errorsByType.other) || 0
+    },
+    totalTimeMs: data.totalTimeMs || 0,
+    mlFiltered: data.mlFiltered || 0,
+    llmAnalyzed: data.llmAnalyzed || 0,
+    llmSuppressed: data.llmSuppressed || 0,
+    changesStreamPackages: data.changesStreamPackages || 0
+  };
+}
+
+function readLastReportAt() {
+  const fromFile = safeReadJson(LAST_DAILY_REPORT_FILE);
+  if (fromFile && typeof fromFile.lastReportDate === 'string') return fromFile.lastReportDate;
+  const date = loadLastDailyReportDate();
+  return date || null;
+}
+
+function readMonitorState() {
+  try {
+    return loadStateRaw() || {};
+  } catch {
+    return {};
+  }
+}
+
+/**
+ * Build the /monitor/daily payload.
+ */
+function buildMonitorDaily() {
+  const today = readToday();
+  const lastReportAt = readLastReportAt();
+  const monitorState = readMonitorState();
+
+  return {
+    generated_at: new Date().toISOString(),
+    engineVersion: pkg.version,
+    today,
+    lastReportAt,
+    monitor: {
+      npmLastPackage: monitorState.npmLastPackage || null,
+      pypiLastPackage: monitorState.pypiLastPackage || null,
+      lastDailyReportDate: monitorState.lastDailyReportDate || null
+    }
+  };
+}
+
+function emptyDayEntry(date) {
+  return {
+    date,
+    scanned: 0,
+    clean: 0,
+    suspect: 0,
+    false_positive: 0,
+    confirmed: 0,
+    sandbox_inconclusive: 0,
+    fp_rate: 0
+  };
+}
+
+function aggregateDays(days) {
+  const totals = { scanned: 0, clean: 0, suspect: 0, false_positive: 0, confirmed: 0, sandbox_inconclusive: 0 };
+  let fpRateSum = 0;
+  let fpRateCount = 0;
+  for (const d of days) {
+    totals.scanned += d.scanned || 0;
+    totals.clean += d.clean || 0;
+    totals.suspect += d.suspect || 0;
+    totals.false_positive += d.false_positive || 0;
+    totals.confirmed += d.confirmed || 0;
+    totals.sandbox_inconclusive += d.sandbox_inconclusive || 0;
+    if (typeof d.fp_rate === 'number' && d.fp_rate >= 0) {
+      fpRateSum += d.fp_rate;
+      fpRateCount++;
+    }
+  }
+  const fp_rate_avg = fpRateCount > 0 ? fpRateSum / fpRateCount : 0;
+  return { ...totals, fp_rate_avg: Math.round(fp_rate_avg * 1000) / 1000 };
+}
+
+/**
+ * Build the /monitor/window payload for a given range ('7d' | '30d').
+ */
+function buildMonitorWindow(range) {
+  if (!SUPPORTED_RANGES.has(range) || range === 'all') {
+    throw new Error(`Unsupported range: ${range}. Use 7d or 30d.`);
+  }
+  const days = RANGE_DAYS[range];
+  const data = loadScanStats();
+  const allDaily = Array.isArray(data.daily) ? data.daily : [];
+
+  const today = getParisDateString();
+  const todayMs = Date.parse(`${today}T00:00:00Z`);
+  const cutoffMs = todayMs - (days - 1) * 24 * 60 * 60 * 1000;
+
+  const inRange = allDaily.filter(d => {
+    if (!d || typeof d.date !== 'string') return false;
+    const ms = Date.parse(`${d.date}T00:00:00Z`);
+    return Number.isFinite(ms) && ms >= cutoffMs && ms <= todayMs;
+  });
+
+  const dateIndex = new Map(inRange.map(d => [d.date, d]));
+  const byDay = [];
+  for (let i = days - 1; i >= 0; i--) {
+    const ms = todayMs - i * 24 * 60 * 60 * 1000;
+    const dateStr = new Date(ms).toISOString().slice(0, 10);
+    byDay.push(dateIndex.get(dateStr) || emptyDayEntry(dateStr));
+  }
+
+  return {
+    generated_at: new Date().toISOString(),
+    engineVersion: pkg.version,
+    range,
+    from: byDay[0].date,
+    to: byDay[byDay.length - 1].date,
+    totals: aggregateDays(byDay),
+    byDay
+  };
+}
+
+/**
+ * Build the /monitor/stats payload (all-time totals + detection breakdown).
+ */
+function buildMonitorAll() {
+  const data = loadScanStats();
+  const stats = data.stats || {};
+  let detection = { total: 0, bySeverity: {}, byEcosystem: {}, leadTime: null };
+  try {
+    detection = getDetectionStats();
+  } catch {
+    // keep defaults
+  }
+  return {
+    generated_at: new Date().toISOString(),
+    engineVersion: pkg.version,
+    allTime: {
+      total_scanned: stats.total_scanned || 0,
+      clean: stats.clean || 0,
+      suspect: stats.suspect || 0,
+      false_positive: stats.false_positive || 0,
+      confirmed_malicious: stats.confirmed_malicious || 0,
+      sandbox_inconclusive: stats.sandbox_inconclusive || 0,
+      sandbox_unconfirmed: stats.sandbox_unconfirmed || 0
+    },
+    detectionStats: detection
+  };
+}
+
+module.exports = {
+  buildMonitorDaily,
+  buildMonitorWindow,
+  buildMonitorAll,
+  SUPPORTED_RANGES,
+  // exported for tests
+  _safeReadJson: safeReadJson,
+  _readToday: readToday,
+  _aggregateDays: aggregateDays
+};

package/src/runtime/serve.js

@@ -3,6 +3,40 @@
 const http = require('http');
 const url = require('url');
 const { getFeed } = require('../threat-feed.js');
+// Monitor-feed routes : optional out-of-tree dependency. Lazy-load so the
+// /feed and /health routes still work when the file is absent. Missing-file
+// case returns 503 on /monitor/* routes instead of crashing module load.
+let _monitorFeedCache = null;
+function _loadMonitorFeed() {
+  if (_monitorFeedCache !== null) return _monitorFeedCache;
+  try {
+    _monitorFeedCache = require('./monitor-feed.js');
+  } catch {
+    _monitorFeedCache = {
+      buildMonitorDaily: null,
+      buildMonitorWindow: null,
+      buildMonitorAll: null,
+      SUPPORTED_RANGES: new Set(['7d', '30d'])
+    };
+  }
+  return _monitorFeedCache;
+}
+function buildMonitorDaily() {
+  const m = _loadMonitorFeed();
+  if (!m.buildMonitorDaily) throw new Error('monitor-feed module not installed');
+  return m.buildMonitorDaily();
+}
+function buildMonitorWindow(range) {
+  const m = _loadMonitorFeed();
+  if (!m.buildMonitorWindow) throw new Error('monitor-feed module not installed');
+  return m.buildMonitorWindow(range);
+}
+function buildMonitorAll() {
+  const m = _loadMonitorFeed();
+  if (!m.buildMonitorAll) throw new Error('monitor-feed module not installed');
+  return m.buildMonitorAll();
+}
+const SUPPORTED_RANGES = _loadMonitorFeed().SUPPORTED_RANGES;
 const pkg = require('../../package.json');
 
 const SECURITY_HEADERS = {
@@ -108,16 +142,39 @@ function startServer(options = {}) {
 
       const result = getFeed(feedOptions);
       sendJson(res, 200, result);
+    } else if (pathname === '/monitor/daily') {
+      try {
+        sendJson(res, 200, buildMonitorDaily());
+      } catch (err) {
+        sendJson(res, 500, { error: 'monitor_daily_failed', message: err.message });
+      }
+    } else if (pathname === '/monitor/window') {
+      const range = (parsed.query && parsed.query.range) ? String(parsed.query.range) : '7d';
+      if (!SUPPORTED_RANGES.has(range) || range === 'all') {
+        sendJson(res, 400, { error: 'invalid_range', message: 'range must be one of: 7d, 30d' });
+        return;
+      }
+      try {
+        sendJson(res, 200, buildMonitorWindow(range));
+      } catch (err) {
+        sendJson(res, 500, { error: 'monitor_window_failed', message: err.message });
+      }
+    } else if (pathname === '/monitor/stats') {
+      try {
+        sendJson(res, 200, buildMonitorAll());
+      } catch (err) {
+        sendJson(res, 500, { error: 'monitor_stats_failed', message: err.message });
+      }
     } else if (pathname === '/health') {
       sendJson(res, 200, { status: 'ok', version: pkg.version });
     } else {
-      sendJson(res, 404, { error: 'Not found. Available: GET /feed, GET /health' });
+      sendJson(res, 404, { error: 'Not found. Available: GET /feed, GET /monitor/daily, GET /monitor/window?range=7d|30d, GET /monitor/stats, GET /health' });
     }
   });
 
   server.listen(port, '127.0.0.1', () => {
     console.log(`[SERVE] Threat feed server listening on http://127.0.0.1:${port}`);
-    console.log(`[SERVE] Endpoints: GET /feed, GET /health`);
+    console.log(`[SERVE] Endpoints: GET /feed, GET /monitor/daily, GET /monitor/window?range=7d|30d, GET /monitor/stats, GET /health`);
   });
 
   return server;