muaddib-scanner 2.11.66 → 2.11.68

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.11.66",
+  "version": "2.11.68",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/{self-scan-v2.11.66.json → self-scan-v2.11.68.json}

@@ -1,6 +1,6 @@
 {
   "target": "node_modules",
-  "timestamp": "2026-06-06T20:23:04.305Z",
+  "timestamp": "2026-06-07T13:41:08.649Z",
   "threats": [
     {
       "type": "string_mutation_obfuscation",

package/src/monitor/classify.js

@@ -73,7 +73,9 @@ const HIGH_CONFIDENCE_MALICE_TYPES = new Set([
   // cap since the attack uses optionalDependencies + prepare hook (no direct lifecycle).
   'env_charcode_reconstruction',           // fromCharCode + process.env[computed] (TeamPCP credential stealer)
   'ide_hook_autoexec',                     // .claude/settings.json SessionStart hook, .vscode/tasks.json folderOpen (Shai-Hulud)
-  'workflow_secrets_dump'                  // toJSON(secrets) in GitHub Actions workflow (Shai-Hulud)
+  'workflow_secrets_dump',                  // toJSON(secrets) in GitHub Actions workflow (Shai-Hulud)
+  // Phantom Gyp 2026-06: binding.gyp command-substitution = install-time RCE, quasi-never legit in benign packages
+  'gyp_command_exec'
 ]);
 
 // Lifecycle compound types that indicate real malicious intent beyond a simple postinstall

package/src/monitor/queue.js

@@ -26,6 +26,7 @@ const {
   cacheTarball,
   updateScanStats,
   appendDetection,
+  appendScanLedger,
   maybePersistDailyStats,
   appendTemporalDetection,
   tarballCacheKey,
@@ -221,6 +222,20 @@ function recordTrainingSample(result, params) {
       sandboxResult: params.sandboxResult || null
     });
     appendTrainingRecord(record);
+    // Phase 0a: per-scan coverage ledger — record this terminal outcome (best-effort;
+    // appendScanLedger swallows its own write errors and never throws).
+    appendScanLedger({
+      name: params.name,
+      version: params.version,
+      ecosystem: params.ecosystem,
+      outcome: params.label || 'clean',
+      score: (result.summary && typeof result.summary.riskScore === 'number') ? result.summary.riskScore : null,
+      tier: params.tier,
+      maxSeverity: result.summary ? result.summary.riskLevel : null,
+      types: [...new Set((result.threats || []).map(t => t.type))],
+      sandbox: params.sandboxResult ? 'run' : 'none',
+      source: 'scan'
+    });
   } catch (err) {
     // Non-fatal: ML export must never crash the monitor
     console.error(`[ML] Failed to record training sample for ${params.name}: ${err.message}`);
@@ -521,6 +536,7 @@ async function scanPackage(name, version, ecosystem, tarballUrl, registryMeta, s
             stats.totalTimeMs += Date.now() - startTime;
             stats.clean++;
             updateScanStats('clean');
+            appendScanLedger({ name, version, ecosystem, outcome: 'size_skip', score: 0, source: 'size_skip_quick_clean' });
             return;
           }
         } catch {
@@ -541,6 +557,7 @@ async function scanPackage(name, version, ecosystem, tarballUrl, registryMeta, s
             stats.totalTimeMs += Date.now() - startTime;
             stats.clean++;
             updateScanStats('clean');
+            appendScanLedger({ name, version, ecosystem, outcome: 'size_skip', score: 0, source: 'size_skip_extract_failed' });
             return;
           }
         }

package/src/monitor/scan-queue.js

@@ -32,9 +32,20 @@ let _lastHardDropLog = 0;
 function enqueueScan(scanQueue, item, stats, max = MAX_SCAN_QUEUE) {
   let dropped = false;
   if (scanQueue.length >= max) {
-    scanQueue.shift(); // drop oldest
+    const evicted = scanQueue.shift(); // drop oldest
     dropped = true;
     if (stats) stats.queueHardDrops = (stats.queueHardDrops || 0) + 1;
+    // Phase 0a: record the dropped item so a coverage loss keeps an identity — answers
+    // "which versions were never scanned" (e.g. the Miasma 72s/96-version burst). Lazy
+    // require avoids any top-level coupling with state.js; best-effort, never throws.
+    try {
+      if (evicted && evicted.name) {
+        require('./state.js').appendScanLedger({
+          name: evicted.name, version: evicted.version, ecosystem: evicted.ecosystem,
+          outcome: 'dropped', source: 'queue_cap'
+        });
+      }
+    } catch { /* ledger is best-effort */ }
     const now = Date.now();
     if (now - _lastHardDropLog > HARD_DROP_LOG_INTERVAL_MS) {
       _lastHardDropLog = now;

package/src/monitor/state.js

@@ -951,6 +951,224 @@ function _compactDetectionsJsonl() {
   }
 }
 
+// --- Per-scan ledger (Phase 0a: operational coverage observability) ---
+// Append-only record of EVERY package the monitor dequeues + its terminal outcome,
+// so we can distinguish never-scanned vs scanned-clean vs suspect vs dropped and
+// measure TRUE operational coverage (not just rule-TPR on the static corpus).
+// Mirrors the detections JSONL machinery (chunked iterate + periodic compaction).
+// Differences vs detections: (1) NO dedup — every scan event is a distinct record;
+// (2) higher cap + compaction interval since this logs every scan, not just findings.
+const SCAN_LEDGER_FILE = process.env.MUADDIB_SCAN_LEDGER_FILE || path.join(__dirname, '..', '..', 'data', 'scan-ledger.jsonl');
+const MAX_SCAN_LEDGER = (() => {
+  const raw = process.env.MUADDIB_SCAN_LEDGER_MAX;
+  const n = raw ? parseInt(raw, 10) : NaN;
+  return (Number.isFinite(n) && n >= 10 && n <= 5_000_000) ? n : 500_000;
+})();
+const SCAN_LEDGER_COMPACT_INTERVAL = 2000;
+let _scanLedgerAppendedSinceCompact = 0;
+
+// Terminal outcomes a dequeued package can reach. Unknown values normalize to 'clean'
+// so a typo at a call site can never crash the pipeline.
+const SCAN_LEDGER_OUTCOMES = new Set([
+  'clean', 'clean_low_signal', 'clean_tooling', 'suspect', 'ml_clean', 'llm_benign',
+  'sandbox_inconclusive', 'sandbox_unconfirmed', 'confirmed',
+  'static_timeout', 'size_skip', 'dropped'
+]);
+
+/**
+ * Append one per-scan ledger entry recording the terminal outcome of a dequeued
+ * package. Best-effort: NEVER throws (a ledger failure must not break scanning).
+ * No dedup — repeated scans of the same package are intentionally all recorded.
+ *
+ * @param {object} e
+ * @param {string}  e.name        package name (required)
+ * @param {string} [e.version]
+ * @param {string} [e.ecosystem]  'npm' | 'pypi' | ...
+ * @param {string} [e.outcome]    one of SCAN_LEDGER_OUTCOMES (default 'clean')
+ * @param {number} [e.score]      riskScore at the terminal decision
+ * @param {string} [e.tier]       suspect tier ('1a'|'1b'|2|3) if applicable
+ * @param {string} [e.maxSeverity]
+ * @param {string[]} [e.types]    threat types (capped to 12)
+ * @param {string} [e.sandbox]    'none' | 'run' | 'deferred' | 'skip'
+ * @param {boolean} [e.firstPublish]
+ * @param {string} [e.source]     where the record originated ('scan','queue_cap',...)
+ */
+function appendScanLedger(e) {
+  try {
+    if (!e || !e.name) return;
+    const dir = path.dirname(SCAN_LEDGER_FILE);
+    if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
+    const entry = {
+      ts: new Date().toISOString(),
+      name: e.name,
+      version: e.version || null,
+      ecosystem: e.ecosystem || null,
+      outcome: SCAN_LEDGER_OUTCOMES.has(e.outcome) ? e.outcome : 'clean',
+      score: (typeof e.score === 'number') ? e.score : null,
+      tier: (e.tier !== undefined && e.tier !== null) ? String(e.tier) : null,
+      maxSeverity: e.maxSeverity || null,
+      types: Array.isArray(e.types) ? e.types.slice(0, 12) : [],
+      sandbox: e.sandbox || 'none',
+      firstPublish: !!e.firstPublish,
+      source: e.source || 'scan'
+    };
+    fs.appendFileSync(SCAN_LEDGER_FILE, JSON.stringify(entry) + '\n', 'utf8');
+    _scanLedgerAppendedSinceCompact++;
+    if (_scanLedgerAppendedSinceCompact >= SCAN_LEDGER_COMPACT_INTERVAL) {
+      _scanLedgerAppendedSinceCompact = 0;
+      _compactScanLedgerJsonl();
+    }
+  } catch (err) {
+    if (err.code === 'EROFS' || err.code === 'EACCES' || err.code === 'EPERM') return;
+    if (err.code === 'ENOSPC') {
+      console.warn('[MONITOR] WARNING: disk full (ENOSPC) — cannot persist scan-ledger.');
+      return;
+    }
+    console.error(`[MONITOR] Failed to write scan-ledger: ${err.message}`);
+  }
+}
+
+/**
+ * Compact the scan-ledger JSONL: keep only the most recent MAX_SCAN_LEDGER entries.
+ * No-op when already under cap. Streams (never loads the whole file at once).
+ */
+function _compactScanLedgerJsonl() {
+  try {
+    const total = _countJsonlLines(SCAN_LEDGER_FILE);
+    if (total <= MAX_SCAN_LEDGER) return;
+    const toDrop = total - MAX_SCAN_LEDGER;
+    let skipped = 0;
+    const kept = [];
+    _iterateJsonlSync(SCAN_LEDGER_FILE, (entry) => {
+      if (skipped < toDrop) { skipped++; return; }
+      kept.push(JSON.stringify(entry));
+    });
+    const tmpFile = SCAN_LEDGER_FILE + '.tmp';
+    fs.writeFileSync(tmpFile, kept.length ? kept.join('\n') + '\n' : '', 'utf8');
+    fs.renameSync(tmpFile, SCAN_LEDGER_FILE);
+    console.log(`[MONITOR] COMPACT scan-ledger: ${total} -> ${kept.length} entries`);
+  } catch (err) {
+    console.error(`[MONITOR] Scan-ledger compaction failed: ${err.message}`);
+  }
+}
+
+/** Stream the scan-ledger into an array (tests + Phase 0b rollup). */
+function loadScanLedger() {
+  const entries = [];
+  try { _iterateJsonlSync(SCAN_LEDGER_FILE, (e) => { entries.push(e); }); } catch { /* ignore */ }
+  return entries;
+}
+
+// Bounded distinct-key tracking for the `vanished` cross-reference (CLAUDE.md §2).
+// Sits above the MAX_SCAN_LEDGER file ceiling so it is a pure safety valve: in normal
+// operation the in-window key sets are far smaller than the file, so `exactVanished`
+// stays true. Only an operator setting MUADDIB_SCAN_LEDGER_MAX above this would trip it.
+const MAX_ROLLUP_KEYS = 1_200_000;
+
+/**
+ * Phase 0b: roll up the per-scan ledger into operational-coverage metrics.
+ *
+ * Single streaming pass (never loads the whole file at once — same machinery as
+ * getDetectionStats). It distinguishes:
+ *   - scanned : entries that reached a real verdict (outcome !== 'dropped')
+ *   - dropped : queue-cap evictions (outcome === 'dropped') — never scanned
+ *   - vanished: DISTINCT name@version that were dropped AND never (re)scanned in-window
+ *               = a permanent coverage hole (the "which Miasma versions never ran" case)
+ *
+ * HONEST METRIC NOTE — `alertRate` is (suspect+confirmed) / scanned, i.e. "of what we
+ * scanned, the fraction we flagged". It is NOT a true-positive rate: the ledger carries
+ * no ground truth. The GHSA-denominated operational TPR (the 105/429 audit number) needs
+ * the ledger cross-referenced against the GHSA malware feed — that is the Phase 5
+ * coverage-audit, not this rollup. Do not relabel `alertRate` as TPR (CLAUDE.md: pas
+ * d'embellissement des métriques).
+ *
+ * @param {number|string|null} [sinceTs] window start — ms epoch, ISO string, or null for
+ *        "whole ledger". Entries with ts < sinceTs (or unparseable ts) are skipped.
+ * @param {object} [opts]
+ * @param {string} [opts.file] ledger path override (tests). Defaults to SCAN_LEDGER_FILE.
+ * @returns {{
+ *   generatedAt:string, since:string|null, windowStart:string|null, windowEnd:string|null,
+ *   total:number, scanned:number, dropped:number, vanished:number, exactVanished:boolean,
+ *   alerted:number, alertRate:number|null,
+ *   byOutcome:Object.<string,number>,
+ *   byEcosystem:Object.<string,{total:number,scanned:number,dropped:number,alerted:number}>
+ * }}
+ */
+function computeLedgerRollup(sinceTs, opts = {}) {
+  const file = opts.file || SCAN_LEDGER_FILE;
+
+  let sinceMs = null;
+  if (typeof sinceTs === 'number' && Number.isFinite(sinceTs)) {
+    sinceMs = sinceTs;
+  } else if (typeof sinceTs === 'string') {
+    const p = Date.parse(sinceTs);
+    if (!Number.isNaN(p)) sinceMs = p;
+  }
+
+  const byOutcome = Object.create(null);
+  const byEcosystem = Object.create(null);
+  let total = 0, scanned = 0, dropped = 0, alerted = 0;
+  let earliest = null, latest = null;
+  // Two sets so `vanished` is correct regardless of drop/scan ordering in the file.
+  // droppedKeys is small (drops only happen under queue-cap pressure); scannedKeys is
+  // bounded by the in-window line count (≤ MAX_SCAN_LEDGER), and further by MAX_ROLLUP_KEYS.
+  const scannedKeys = new Set();
+  const droppedKeys = new Set();
+  let exactVanished = true;
+
+  _iterateJsonlSync(file, (e) => {
+    if (!e || !e.name) return;
+    let t = null;
+    if (e.ts) { const p = Date.parse(e.ts); if (!Number.isNaN(p)) t = p; }
+    if (sinceMs !== null && (t === null || t < sinceMs)) return;
+
+    total++;
+    if (t !== null) {
+      if (earliest === null || t < earliest) earliest = t;
+      if (latest === null || t > latest) latest = t;
+    }
+
+    const outcome = (typeof e.outcome === 'string' && e.outcome) ? e.outcome : 'clean';
+    byOutcome[outcome] = (byOutcome[outcome] || 0) + 1;
+
+    const eco = e.ecosystem || 'unknown';
+    let ecoNode = byEcosystem[eco];
+    if (!ecoNode) ecoNode = byEcosystem[eco] = { total: 0, scanned: 0, dropped: 0, alerted: 0 };
+    ecoNode.total++;
+
+    const key = `${e.name}@${e.version || ''}`;
+    const underCap = exactVanished && (scannedKeys.size + droppedKeys.size) < MAX_ROLLUP_KEYS;
+    if (outcome === 'dropped') {
+      dropped++; ecoNode.dropped++;
+      if (underCap) droppedKeys.add(key); else exactVanished = false;
+    } else {
+      scanned++; ecoNode.scanned++;
+      if (outcome === 'suspect' || outcome === 'confirmed') { alerted++; ecoNode.alerted++; }
+      if (underCap) scannedKeys.add(key); else exactVanished = false;
+    }
+  });
+
+  let vanished = 0;
+  for (const k of droppedKeys) { if (!scannedKeys.has(k)) vanished++; }
+
+  return {
+    generatedAt: new Date().toISOString(),
+    since: sinceMs !== null ? new Date(sinceMs).toISOString() : null,
+    windowStart: earliest !== null ? new Date(earliest).toISOString() : null,
+    windowEnd: latest !== null ? new Date(latest).toISOString() : null,
+    total,
+    scanned,
+    dropped,
+    vanished,
+    exactVanished,
+    alerted,
+    // NOT a TPR — see the HONEST METRIC NOTE above. null when nothing was scanned.
+    alertRate: scanned > 0 ? alerted / scanned : null,
+    byOutcome,
+    byEcosystem
+  };
+}
+
 // --- Scan stats (FP rate tracking) ---
 
 function loadScanStats() {
@@ -1420,6 +1638,8 @@ module.exports = {
   MAX_TEMPORAL_DETECTIONS,
   MAX_DAILY_ALERTS,
   DETECTION_COMPACT_INTERVAL,
+  SCAN_LEDGER_FILE,
+  MAX_SCAN_LEDGER,
 
   // Mutable state getters/setters
   getScanMemoryCache,
@@ -1456,6 +1676,10 @@ module.exports = {
   appendAlert,
   loadDetections,
   appendDetection,
+  appendScanLedger,
+  loadScanLedger,
+  computeLedgerRollup,
+  _compactScanLedgerJsonl,
   getDetectionStats,
   runStateMigrations,
   // Internal — exported for tests and for the daemon hourly housekeeping.

package/src/monitor/tarball-archive.js

@@ -45,6 +45,18 @@ function getMinFreeBytes() {
   return gb * 1024 * 1024 * 1024;
 }
 
+// Tarball download is gated on this score so the heavy .tgz is kept ONLY for
+// alert-threshold packages; the cheap JSON metadata is still written for every
+// suspect. Aligns with the webhook alert floor (20). Bounded to [0, 100], default 20.
+const DEFAULT_TGZ_MIN_SCORE = 20;
+function getArchiveTgzMinScore() {
+  const raw = process.env.MUADDIB_ARCHIVE_TGZ_MIN_SCORE;
+  if (raw === undefined || raw === '') return DEFAULT_TGZ_MIN_SCORE;
+  const n = parseInt(raw, 10);
+  if (!Number.isFinite(n) || n < 0 || n > 100) return DEFAULT_TGZ_MIN_SCORE;
+  return n;
+}
+
 function hasEnoughSpace(targetDir) {
   try {
     if (typeof fs.statfsSync !== 'function') return true; // Node <18.15 — fail-open
@@ -109,14 +121,20 @@ async function archiveSuspectTarball(packageName, version, tarballUrl, scanResul
 
   // Defense-in-depth: never archive packages that are statically clean.
   // Callers in the pipeline already gate on tier 1a/1b/2 classification, but a
-  // numeric score of 0 with no triggered rules is unambiguously CLEAN — those
-  // dominated archive volume in production.
+  // numeric score of 0 with no triggered rules is unambiguously CLEAN.
   const score = (scanResult && typeof scanResult.score === 'number') ? scanResult.score : 0;
   const rules = (scanResult && Array.isArray(scanResult.rulesTriggered)) ? scanResult.rulesTriggered : [];
   if (score === 0 && rules.length === 0) {
     return false;
   }
 
+  // Tarballs dominate archive volume (~439MB/day of .tgz vs ~3.6MB/day of JSON).
+  // Keep the cheap JSON metadata for EVERY suspect (audit trail + GT-promotion index),
+  // but download/retain the heavy .tgz ONLY for packages at/above the alert threshold
+  // (score >= MUADDIB_ARCHIVE_TGZ_MIN_SCORE, default 20 = webhook floor). This shrinks
+  // the archive from tens of GB to hundreds of MB without losing the record of what was seen.
+  const keepTarball = score >= getArchiveTgzMinScore();
+
   const dateStr = getArchiveDateString();
   const dayDir = path.join(ARCHIVE_DIR, dateStr);
   const safeName = sanitizeForFilename(packageName);
@@ -124,32 +142,55 @@ async function archiveSuspectTarball(packageName, version, tarballUrl, scanResul
   const tgzPath = path.join(dayDir, `${basename}.tgz`);
   const jsonPath = path.join(dayDir, `${basename}.json`);
 
-  // Dedup: skip if already archived
-  if (fs.existsSync(tgzPath)) {
-    return false;
-  }
+  // At/above the alert threshold: archive the full .tgz (existing behavior, unchanged).
+  // Below it: keep only the cheap JSON metadata (audit trail + GT-promotion index).
+  if (keepTarball) {
+    // Dedup: skip if already archived
+    if (fs.existsSync(tgzPath)) {
+      return false;
+    }
 
-  // Defense layer 3: skip if disk is nearly full, even if retention is well-configured.
-  // Prevents a burst of malicious campaigns from blowing past the 7-day budget
-  // before the 6h periodic cleanup tick can catch up.
-  if (!hasEnoughSpace(ARCHIVE_DIR)) {
-    console.warn(`[Archive] Skip ${packageName}@${version}: free space below ${DEFAULT_MIN_FREE_GB}GB threshold`);
-    return false;
-  }
+    // Disk-space gate: don't let a burst of suspects run the volume to 100% between
+    // the periodic cleanups. Guards the heavy .tgz download.
+    if (!hasEnoughSpace(ARCHIVE_DIR)) {
+      console.warn(`[Archive] Skip ${packageName}@${version}: free space below ${DEFAULT_MIN_FREE_GB}GB threshold`);
+      return false;
+    }
 
-  // Ensure day directory exists
-  fs.mkdirSync(dayDir, { recursive: true });
+    // Ensure day directory exists
+    fs.mkdirSync(dayDir, { recursive: true });
 
-  // Download with semaphore (shares concurrency with rest of pipeline)
-  await acquireRegistrySlot();
-  try {
-    await downloadToFile(tarballUrl, tgzPath, ARCHIVE_TIMEOUT_MS);
-  } finally {
-    releaseRegistrySlot();
+    // Download with semaphore (shares concurrency with rest of pipeline). Download
+    // errors propagate to the fire-and-forget .catch() in the caller (queue.js).
+    await acquireRegistrySlot();
+    try {
+      await downloadToFile(tarballUrl, tgzPath, ARCHIVE_TIMEOUT_MS);
+    } finally {
+      releaseRegistrySlot();
+    }
+
+    const tarballSha256 = sha256File(tgzPath);
+    const metadata = {
+      package: packageName,
+      version,
+      timestamp: new Date().toISOString(),
+      score: scanResult.score || 0,
+      priority: scanResult.priority || null,
+      rules_triggered: scanResult.rulesTriggered || [],
+      llm_verdict: scanResult.llmVerdict || null,
+      tarball_archived: true,
+      tarball_sha256: tarballSha256
+    };
+    fs.writeFileSync(jsonPath, JSON.stringify(metadata, null, 2));
+    return true;
   }
 
-  // Compute hash and write metadata
-  const tarballSha256 = sha256File(tgzPath);
+  // Below the alert threshold — record cheap JSON metadata only, skip the tarball.
+  // Dedup on the JSON record so re-scans of the same package@version don't rewrite it.
+  if (fs.existsSync(jsonPath)) {
+    return false;
+  }
+  fs.mkdirSync(dayDir, { recursive: true });
   const metadata = {
     package: packageName,
     version,
@@ -158,9 +199,9 @@ async function archiveSuspectTarball(packageName, version, tarballUrl, scanResul
     priority: scanResult.priority || null,
     rules_triggered: scanResult.rulesTriggered || [],
     llm_verdict: scanResult.llmVerdict || null,
-    tarball_sha256: tarballSha256
+    tarball_archived: false,
+    tarball_sha256: null
   };
-
   fs.writeFileSync(jsonPath, JSON.stringify(metadata, null, 2));
   return true;
 }
@@ -272,5 +313,6 @@ module.exports = {
   getArchiveDateString,
   getRetentionDays,
   getMinFreeBytes,
+  getArchiveTgzMinScore,
   parseArchiveDayDir
 };

package/src/monitor/webhook.js

@@ -28,7 +28,8 @@ const {
   saveState,
   loadStateRaw,
   getScansSinceLastMemoryPersist,
-  setScansSinceLastMemoryPersist
+  setScansSinceLastMemoryPersist,
+  computeLedgerRollup
 } = require('./state.js');
 const {
   HIGH_CONFIDENCE_MALICE_TYPES,
@@ -897,7 +898,52 @@ function formatDelta(current, previous) {
   return '=0';
 }
 
-function buildDailyReportEmbed(stats, dailyAlerts) {
+// Phase 0b: rolling window for the daily report's ledger section. The report runs
+// once/day, so 24h is the natural "what happened today" view and keeps the rollup's
+// distinct-key sets small (one day of scans, far below MAX_ROLLUP_KEYS). Env-tunable.
+const LEDGER_ROLLUP_WINDOW_MS = (() => {
+  const v = parseInt(process.env.MUADDIB_LEDGER_ROLLUP_WINDOW_MS, 10);
+  return Number.isFinite(v) && v > 0 ? v : 24 * 60 * 60 * 1000;
+})();
+
+/**
+ * Compute the per-scan ledger rollup for the daily-report window. Best-effort: a
+ * rollup failure (corrupt ledger, I/O) must NEVER break the daily report, so this
+ * swallows errors and returns null. Also returns null when the ledger is empty so
+ * the report omits the section instead of showing a noise row of zeros.
+ */
+function safeLedgerRollup() {
+  try {
+    const rollup = computeLedgerRollup(Date.now() - LEDGER_ROLLUP_WINDOW_MS);
+    return (rollup && rollup.total > 0) ? rollup : null;
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Format the ledger rollup as a Discord embed field, or null to omit it (no data).
+ * Surfaces operational scan coverage: scanned, alert rate (NOT a TPR — see
+ * computeLedgerRollup's HONEST METRIC NOTE), the dropped/vanished coverage holes,
+ * and a per-ecosystem split. Compact, well under Discord's 1024-char field limit.
+ */
+function formatLedgerField(rollup) {
+  if (!rollup || rollup.total <= 0) return null;
+  const pct = rollup.alertRate != null ? (rollup.alertRate * 100).toFixed(2) : '0.00';
+  const lines = [`Scanned ${rollup.scanned} · Alerted ${rollup.alerted} (${pct}%)`];
+  if (rollup.dropped > 0) {
+    const vanishedNote = rollup.exactVanished ? `${rollup.vanished}` : `≥${rollup.vanished}`;
+    lines.push(`Dropped ${rollup.dropped} (${vanishedNote} vanished)`);
+  }
+  const ecos = Object.keys(rollup.byEcosystem)
+    .sort((a, b) => rollup.byEcosystem[b].total - rollup.byEcosystem[a].total);
+  if (ecos.length > 0) {
+    lines.push(ecos.slice(0, 4).map(e => `${e} ${rollup.byEcosystem[e].total}`).join(' · '));
+  }
+  return { name: 'Ledger (24h)', value: lines.join('\n'), inline: false };
+}
+
+function buildDailyReportEmbed(stats, dailyAlerts, ledgerRollup) {
   // Use in-memory stats (accumulated since last reset, restored from disk on restart)
   // instead of disk-based daily entries which can undercount due to UTC/Paris date mismatch
   const { top3: diskTop3 } = buildReportFromDisk();
@@ -1000,6 +1046,12 @@ function buildDailyReportEmbed(stats, dailyAlerts) {
   } catch { /* non-fatal */ }
   const healthText = `Up ${uptimeH}h${uptimeM}m | Heap ${heapMB}MB${jsonlInfo}`;
 
+  // --- Phase 0b: per-scan ledger rollup (operational coverage) ---
+  // Caller may pass a precomputed rollup (sendDailyReport does, to persist the same
+  // numbers it displays); undefined → compute here; explicit null → omit the section.
+  const ledger = ledgerRollup !== undefined ? ledgerRollup : safeLedgerRollup();
+  const ledgerField = formatLedgerField(ledger);
+
   const now = new Date();
   const readableTime = now.toISOString().replace('T', ' ').replace(/\.\d+Z$/, ' UTC');
 
@@ -1022,6 +1074,7 @@ function buildDailyReportEmbed(stats, dailyAlerts) {
           ? [{ name: 'Deferred Sandbox', value: `Enqueued: ${stats.sandboxDeferred || 0} | Processed: ${stats.deferredProcessed || 0} | Expired: ${stats.deferredExpired || 0}`, inline: false }]
           : []),
         { name: 'Stability', value: `Restarts (24h): ${stats.restartsToday || 0} | Temporal load-shed: ${stats.temporalLoadShed || 0} | Queue hard-drops: ${stats.queueHardDrops || 0}`, inline: false },
+        ...(ledgerField ? [ledgerField] : []),
         { name: 'System', value: healthText, inline: false }
       ],
       footer: {
@@ -1060,7 +1113,10 @@ async function sendDailyReport(stats, dailyAlerts, recentlyScanned, downloadsCac
   // delta. Written before the (now last) webhook so a mid-send kill can't double-count.
   saveLastDailyReportDate(today, captureScanStatsBaseline());
 
-  const payload = buildDailyReportEmbed(stats, dailyAlerts);
+  // Phase 0b: compute the ledger rollup ONCE so the embed shows exactly the numbers
+  // we persist (no double-scan, no drift between Discord and the on-disk metrics).
+  const ledgerRollup = safeLedgerRollup();
+  const payload = buildDailyReportEmbed(stats, dailyAlerts, ledgerRollup);
 
   // Persist locally with full raw metrics (independent of webhook — enables trend analysis)
   persistDailyReport(payload, {
@@ -1081,6 +1137,7 @@ async function sendDailyReport(stats, dailyAlerts, recentlyScanned, downloadsCac
     restartsToday: stats.restartsToday || 0,
     temporalLoadShed: stats.temporalLoadShed || 0,
     queueHardDrops: stats.queueHardDrops || 0,
+    ledger: ledgerRollup || null,
     topSuspects: dailyAlerts.slice().sort((a, b) => (b.score || 0) - (a.score || 0) || b.findingsCount - a.findingsCount).slice(0, 10)
   });
 
@@ -1337,6 +1394,7 @@ module.exports = {
   buildMaintainerChangeWebhookEmbed,
   buildCanaryExfiltrationWebhookEmbed,
   buildDailyReportEmbed,
+  formatLedgerField,
   sendDailyReport,
   buildReportFromDisk,
   buildReportEmbedFromDisk,

package/src/response/playbooks.js

@@ -1001,6 +1001,10 @@ const PLAYBOOKS = {
     'HAUTE: binding.gyp avec script lifecycle non-standard. Code natif compile a l\'installation. ' +
     'Verifier le contenu de binding.gyp et les sources C/C++. Installer avec --ignore-scripts si suspect.',
 
+  gyp_command_exec:
+    'CRITIQUE: binding.gyp utilise la command-substitution GYP <!(...) / <!@(...) — execution de code a l\'installation via node-gyp, sans script lifecycle (pattern Phantom Gyp). ' +
+    'Decoder la commande substituee. NE PAS installer : node-gyp l\'execute au build meme avec --ignore-scripts. Verifier la source officielle du package.',
+
   string_mutation_obfuscation:
     'HAUTE: Chaine de .replace() reconstruisant des noms d\'API dangereuses (leet-speak). ' +
     'Technique d\'evasion par substitution de caracteres. Decoder la chaine finale. Supprimer si malveillant.',

package/src/rules/index.js

@@ -2949,6 +2949,19 @@ const RULES = {
     ],
     mitre: 'T1195.002'
   },
+  gyp_command_exec: {
+    id: 'MUADDIB-PKG-023',
+    name: 'GYP Command-Substitution Install Execution',
+    severity: 'CRITICAL',
+    confidence: 'high',
+    domain: 'malware',
+    description: 'binding.gyp utilise la command-substitution GYP <!(...) / <!@(...) — execution de code a l\'installation via node-gyp, sans script lifecycle package.json (pattern Phantom Gyp, juin 2026).',
+    references: [
+      'https://gyp.gsrc.io/docs/InputFormatReference.md',
+      'https://attack.mitre.org/techniques/T1195.002/'
+    ],
+    mitre: 'T1195.002'
+  },
   string_mutation_obfuscation: {
     id: 'MUADDIB-AST-074',
     name: 'String Mutation Obfuscation',

package/src/scanner/package.js

@@ -252,6 +252,51 @@ async function scanPackageJson(targetPath) {
     // Check if binding.gyp references C/C++ source files
     const hasNativeSources = /\.(c|cc|cpp|cxx|h|hpp)\b/.test(gypContent);
 
+    // Phantom Gyp (June 2026): GYP command-substitution <!(...) / <!@(...) runs a command at
+    // *configure* time via `node-gyp`, which npm auto-runs on install whenever a binding.gyp is
+    // present — NO package.json lifecycle script required, so it slips past every lifecycle-gated
+    // check below. Distinct from <(...) / <@(...) (plain variable expansion, benign) which MUST
+    // NOT fire — the required `!` gates command execution.
+    //
+    // Legit native addons use <!(...) heavily for build-env queries — `node -p process.versions`,
+    // `node ./util/has_lib.js`, `pkg-config ... | sed`, `node -p "require('node-addon-api').include"`
+    // — and a build-helper `<!(node x.js)` is statically INDISTINGUISHABLE from a payload
+    // `<!(node index.js)`. To honor "FPR must never increase" we flag a command-sub ONLY when it
+    // carries a malice-specific marker, never the bare "runs a script" shape:
+    //   (1) GYP_DANGER — shell-level malice in the command line itself: the Phantom Gyp fake-source
+    //       trick (`; / && / | echo <name>.c`, returning a fabricated source so node-gyp doesn't
+    //       error), network fetch (curl/wget), pipe-to-shell (| sh, sh -c), eval/base64//dev/tcp,
+    //       char-code obfuscation (fromCharCode/atob);
+    //   (2) an inline interpreter payload — node|python|ruby|perl running -e/-c/-p/--eval/--print code
+    //       that reaches the NETWORK (require/import of https|http|net|dgram|dns|tls, optional node:
+    //       prefix; fetch; urllib/requests/httpx/http.client/urlopen; socket). Network at configure
+    //       time is never a legit build query. We deliberately do NOT key on child_process/exec/spawn
+    //       here — legit addons shell out to detect the toolchain (`node -e "...execSync('gcc
+    //       --version')..."`), which would FP; an exec of curl/wget is still caught by GYP_DANGER.
+    //       Catches `<!(node --eval require('node:https')...)`, `<!(python3 -c import requests)`.
+    // Honest limitation: this is a line-by-line SPEED-BUMP, not coverage. A bare `<!(node payload.js)`
+    // and any non-network inline payload are NOT flagged (indistinguishable from canvas/node-sass
+    // build helpers without false positives, FPR-first by design). Real closure needs a compound
+    // (configure-time sink × the run script's AST/dataflow verdict) — a separate effort.
+    const GYP_DANGER = /[;&|]\s*echo\s+[^|;&]*\.(?:c|cc|cpp|cxx|m|mm|cs)\b|\bcurl\b|\bwget\b|\|\s*(?:sh|bash|zsh)\b|\b(?:sh|bash|zsh)\s+-c\b|\beval\b|\bbase64\b|\/dev\/tcp|fromCharCode|\batob\b/i;
+    const GYP_INTERP = /\b(?:node|nodejs|python[0-9.]*|ruby|perl)\b[^|;&\n]{0,40}?\s--?(?:eval|print|e|c|p)\b/i;
+    const GYP_PAYLOAD_API = /(?:require|import)\s*\(\s*['"](?:node:)?(?:https?|net|dgram|dns|tls)['"]|\bfetch\s*\(|\burllib\b|\brequests\b|\bhttpx\b|http\.client|\burlopen\b|socket\.(?:socket|create_connection)/i;
+    let gypCommandExec = false;
+    const gypCmdSubRe = /<!@?\(([^\n]{0,400})/g;
+    let _gm;
+    while ((_gm = gypCmdSubRe.exec(gypContent)) !== null) {
+      const body = _gm[1];
+      if (GYP_DANGER.test(body) || (GYP_INTERP.test(body) && GYP_PAYLOAD_API.test(body))) { gypCommandExec = true; break; }
+    }
+    if (gypCommandExec) {
+      threats.push({
+        type: 'gyp_command_exec',
+        severity: 'CRITICAL',
+        message: `binding.gyp uses GYP command-substitution (<!(...) / <!@(...)) running a non-build command at install time via node-gyp, no lifecycle script required (Phantom Gyp pattern).`,
+        file: 'binding.gyp'
+      });
+    }
+
     if (hasShellActions) {
       threats.push({
         type: 'native_addon_install',

package/src/scoring.js

@@ -130,7 +130,9 @@ const PACKAGE_LEVEL_TYPES = new Set([
   // audit DF-C1: emitted when MAX_GRAPH_NODES exceeded so cross-file blind spot is visible in scoring
   'large_package_graph_truncated',
   // audit MR-C1: informational signal that the scan target is a monorepo root (per-workspace scoring TBD)
-  'monorepo_detected'
+  'monorepo_detected',
+  // Phantom Gyp: binding.gyp command-substitution is a package-level (manifest) finding
+  'gyp_command_exec'
 ]);
 
 // ============================================