muaddib-scanner 2.11.67 → 2.11.69

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.11.67",
+  "version": "2.11.69",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/{self-scan-v2.11.67.json → self-scan-v2.11.69.json}

@@ -1,6 +1,6 @@
 {
   "target": "node_modules",
-  "timestamp": "2026-06-07T12:54:23.816Z",
+  "timestamp": "2026-06-07T14:26:49.150Z",
   "threats": [
     {
       "type": "string_mutation_obfuscation",

package/src/monitor/deferred-sandbox.js

@@ -37,6 +37,25 @@ const DEFERRED_MIN_SCORE = 5;
 // (90s) + the sandbox watchdog grace; this AbortController is belt-and-suspenders.
 const DEFERRED_SANDBOX_TIMEOUT_MS = 150_000;
 
+// Tier priority for the deferred queue. Phase 3 routes T1a's sandbox here (async)
+// instead of block-waiting a scan worker, so T1a is the highest-confidence tier and
+// must be processed first and evicted last — it must never sit behind a high-score
+// T1b/T2. Minimal blast radius: ONLY T1a is elevated (rank 0); T1b and T2 keep the
+// same rank (1) so their existing riskScore-DESC ordering between them is unchanged.
+// Map (not a plain object) keeps numeric tier 2 and string tiers distinct and avoids
+// an object-injection sink.
+const _TIER_RANK = new Map([['1a', 0], ['1b', 1], [2, 1]]);
+function _tierRank(tier) {
+  return _TIER_RANK.has(tier) ? _TIER_RANK.get(tier) : 1;
+}
+function _deferredCompare(a, b) {
+  const r = _tierRank(a.tier) - _tierRank(b.tier);
+  return r !== 0 ? r : (b.riskScore - a.riskScore);
+}
+function _tierLabel(tier) {
+  return tier === '1a' ? 'T1a' : tier === 2 ? 'T2' : 'T1b';
+}
+
 // ── Mutable state ──
 const _deferredQueue = [];
 const _deferredSeen = new Set(); // name@version dedup
@@ -55,8 +74,10 @@ let _deferredSlotBusy = false;   // Dedicated slot: true while deferred sandbox
  * @returns {boolean} true if enqueued, false if rejected
  */
 function enqueueDeferred(item) {
-  // Guard: only T1b and T2 are allowed
-  if (item.tier !== '1b' && item.tier !== 2) {
+  // Guard: T1a (Phase 3 async-routed high-confidence tier), T1b and T2 are eligible.
+  // T1a was previously block-waited in the scan worker; it now runs on the dedicated
+  // deferred slot at top priority (see _deferredCompare).
+  if (item.tier !== '1a' && item.tier !== '1b' && item.tier !== 2) {
     console.error(`[DEFERRED] REJECTED: ${item.name}@${item.version} — tier ${item.tier} not eligible`);
     return false;
   }
@@ -74,9 +95,11 @@ function enqueueDeferred(item) {
   // still warrant sandbox verification — an adversary could otherwise
   // tune their malware to fire only LOW-severity TIER1 patterns to
   // bypass sandbox entirely.
+  // T1a is high-confidence malice by classification — it always bypasses the
+  // min-score floor (it must never be dropped before its sandbox runs).
   const itemThreats = (item.staticResult && item.staticResult.threats) || [];
   const hasTier1Signal = itemThreats.some(t => TIER1_TYPES.has(t.type));
-  if ((item.riskScore || 0) < DEFERRED_MIN_SCORE && !hasTier1Signal) {
+  if (item.tier !== '1a' && (item.riskScore || 0) < DEFERRED_MIN_SCORE && !hasTier1Signal) {
     console.error(`[DEFERRED] REJECTED: ${item.name}@${item.version} — score=${item.riskScore || 0} below minimum ${DEFERRED_MIN_SCORE}, no TIER1 signal (possible classification regression)`);
     return false;
   }
@@ -89,16 +112,18 @@ function enqueueDeferred(item) {
     return false;
   }
 
-  // Queue full — evict lowest or reject
+  // Queue full — evict the lowest-priority item (by tier then score) if the new
+  // item outranks it, else reject. Tier-aware so a T1a can always displace a
+  // lower-tier item even when its score is lower.
   if (_deferredQueue.length >= DEFERRED_QUEUE_MAX) {
     const lowest = _deferredQueue[_deferredQueue.length - 1];
-    if (item.riskScore > lowest.riskScore) {
+    if (_deferredCompare(item, lowest) < 0) {
       const evictKey = `${lowest.name}@${lowest.version}`;
       _deferredQueue.pop();
       _deferredSeen.delete(evictKey);
-      console.log(`[DEFERRED] EVICTED: ${evictKey} (score=${lowest.riskScore}) to make room for ${key} (score=${item.riskScore})`);
+      console.log(`[DEFERRED] EVICTED: ${evictKey} (${_tierLabel(lowest.tier)}, score=${lowest.riskScore}) to make room for ${key} (${_tierLabel(item.tier)}, score=${item.riskScore})`);
     } else {
-      console.log(`[DEFERRED] QUEUE FULL: ${key} (score=${item.riskScore}) rejected — all ${DEFERRED_QUEUE_MAX} items have higher scores`);
+      console.log(`[DEFERRED] QUEUE FULL: ${key} (${_tierLabel(item.tier)}, score=${item.riskScore}) rejected — all ${DEFERRED_QUEUE_MAX} items rank higher`);
       return false;
     }
   }
@@ -122,9 +147,9 @@ function enqueueDeferred(item) {
     };
   }
   delete item.npmRegistryMeta;
-  // Sort by riskScore DESC (highest first)
-  _deferredQueue.sort((a, b) => b.riskScore - a.riskScore);
-  console.log(`[DEFERRED] ENQUEUED: ${key} (tier=${item.tier === 2 ? 'T2' : 'T1b'}, score=${item.riskScore}, queue=${_deferredQueue.length})`);
+  // Sort by tier priority then riskScore DESC (T1a first, then highest score)
+  _deferredQueue.sort(_deferredCompare);
+  console.log(`[DEFERRED] ENQUEUED: ${key} (tier=${_tierLabel(item.tier)}, score=${item.riskScore}, queue=${_deferredQueue.length})`);
   return true;
 }
 
@@ -133,9 +158,10 @@ function getDeferredQueue() {
 }
 
 function getDeferredQueueStats() {
-  const tierBreakdown = { t1b: 0, t2: 0 };
+  const tierBreakdown = { t1a: 0, t1b: 0, t2: 0 };
   for (const item of _deferredQueue) {
-    if (item.tier === '1b') tierBreakdown.t1b++;
+    if (item.tier === '1a') tierBreakdown.t1a++;
+    else if (item.tier === '1b') tierBreakdown.t1b++;
     else if (item.tier === 2) tierBreakdown.t2++;
   }
   return {
@@ -189,7 +215,7 @@ async function processDeferredItem(stats) {
   const key = `${item.name}@${item.version}`;
   _deferredSeen.delete(key);
 
-  console.log(`[DEFERRED] PROCESSING: ${key} (tier=${item.tier === 2 ? 'T2' : 'T1b'}, score=${item.riskScore}, retries=${item.retries})`);
+  console.log(`[DEFERRED] PROCESSING: ${key} (tier=${_tierLabel(item.tier)}, score=${item.riskScore}, retries=${item.retries})`);
 
   // 4. Run sandbox on dedicated slot (bypasses shared semaphore)
   _deferredSlotBusy = true;
@@ -198,10 +224,13 @@ async function processDeferredItem(stats) {
   const deadline = setTimeout(() => ac.abort(), DEFERRED_SANDBOX_TIMEOUT_MS);
   try {
     const canary = isCanaryEnabled();
-    // maxRuns=1: deferred items are T1b/T2, time bomb detection (3 runs) is a luxury.
-    // 90s instead of 270s per item → 3× faster deferred queue drain.
+    // T1a keeps multi-run time-bomb detection (maxRuns=undefined) — that was its
+    // behavior on the old blocking in-worker path, preserved here for detection
+    // parity (Phase 3 only moves WHERE it runs, not how thoroughly). T1b/T2 stay
+    // single-run (maxRuns=1, ~90s vs ~270s) for fast deferred-queue drain.
+    const maxRuns = item.tier === '1a' ? undefined : 1;
     markSandboxed(item.name); // stamp for sandbox-revalidation cadence (matches the synchronous path)
-    sandboxResult = await runSandbox(item.name, { canary, skipSemaphore: true, maxRuns: 1, signal: ac.signal });
+    sandboxResult = await runSandbox(item.name, { canary, skipSemaphore: true, maxRuns, signal: ac.signal });
     console.log(`[DEFERRED] SANDBOX COMPLETE: ${key} -> score=${sandboxResult.score}, severity=${sandboxResult.severity}`);
   } catch (err) {
     console.error(`[DEFERRED] SANDBOX ERROR: ${key} — ${err.message}`);
@@ -212,7 +241,7 @@ async function processDeferredItem(stats) {
       // Re-enqueue for retry
       _deferredQueue.push(item);
       _deferredSeen.add(key);
-      _deferredQueue.sort((a, b) => b.riskScore - a.riskScore);
+      _deferredQueue.sort(_deferredCompare);
       console.log(`[DEFERRED] RE-ENQUEUED: ${key} for retry (attempt ${item.retries + 1}/${DEFERRED_MAX_RETRIES})`);
     }
     return null;
@@ -414,7 +443,7 @@ function restoreDeferredQueue() {
     }
 
     // Sort after bulk insert
-    _deferredQueue.sort((a, b) => b.riskScore - a.riskScore);
+    _deferredQueue.sort(_deferredCompare);
 
     if (restored > 0) {
       console.log(`[DEFERRED] Restored ${restored} items from disk (saved at ${data.savedAt})`);

package/src/monitor/queue.js

@@ -950,10 +950,23 @@ async function scanPackage(name, version, ecosystem, tarballUrl, registryMeta, s
             const maxRuns = tier === '1a' ? undefined : 1;
 
             if (tier === '1a') {
-              // T1a: mandatory sandbox — block-wait (high-confidence threats MUST get sandbox)
-              console.log(`[MONITOR] SANDBOX: launching for ${name}@${version}${canary ? ' (canary: on)' : ''}...`);
-              markSandboxed(name); // stamp before the await: an aborted/inconclusive run still spent the time
-              sandboxResult = await runSandbox(name, { canary, maxRuns, signal });
+              // Phase 3 (throughput decoupling): T1a no longer block-waits a scan
+              // worker. The high-confidence STATIC alert still fires synchronously
+              // below (trySendWebhook, with sandboxResult=null — same as the T1b/T2
+              // defer paths today); the sandbox runs ASYNC on the dedicated deferred
+              // slot at top priority (processed first, never evicted, keeps multi-run
+              // time-bomb detection) and sends a follow-up webhook if it confirms.
+              // Crash-safe: the deferred queue is persisted across restarts, unlike
+              // the old in-worker await which lost the sandbox on an OOM restart.
+              console.log(`[MONITOR] SANDBOX DEFER (T1a, async high-priority): ${name}@${version} (score=${riskScore})`);
+              enqueueDeferred({
+                name, version, ecosystem, tier, riskScore, tarballUrl,
+                enqueuedAt: Date.now(),
+                staticResult: result,
+                npmRegistryMeta,
+                retries: 0
+              });
+              stats.sandboxDeferred = (stats.sandboxDeferred || 0) + 1;
             } else if (tryAcquireSandboxSlot()) {
               // T1b/T2: non-blocking — slot acquired atomically, run with skipSemaphore
               const reason = tier === 2 ? ' (T2, queue low)' : ' (T1b, conditional)';
@@ -1148,8 +1161,13 @@ async function scanPackage(name, version, ecosystem, tarballUrl, registryMeta, s
                 // Safety: never suppress packages with high-confidence threats or positive sandbox
                 const hasHC = hasHighConfidenceThreat(result);
                 const hasSandboxEvidence = sandboxResult && sandboxResult.score > 0;
+                // Phase 3: T1a sandboxes are now deferred (async), so sandboxResult is
+                // null here — the sandbox evidence that previously guarded a T1a from
+                // LLM suppression hasn't run yet. Never let the LLM clear a T1a before
+                // its deferred sandbox confirms; T1a is the highest-confidence tier and
+                // MUST get sandbox verification (it can come via the follow-up webhook).
                 if (llmMode === 'active' && llmResult.verdict === 'benign' && llmResult.confidence > 0.85
-                    && !hasHC && !hasSandboxEvidence) {
+                    && !hasHC && !hasSandboxEvidence && tier !== '1a') {
                   console.log(`[LLM] SUPPRESS: ${name}@${version} cleared (benign, confidence=${llmResult.confidence})`);
                   stats.llmSuppressed = (stats.llmSuppressed || 0) + 1;
                   stats.scanned++;

package/src/monitor/state.js

@@ -1059,6 +1059,116 @@ function loadScanLedger() {
   return entries;
 }
 
+// Bounded distinct-key tracking for the `vanished` cross-reference (CLAUDE.md §2).
+// Sits above the MAX_SCAN_LEDGER file ceiling so it is a pure safety valve: in normal
+// operation the in-window key sets are far smaller than the file, so `exactVanished`
+// stays true. Only an operator setting MUADDIB_SCAN_LEDGER_MAX above this would trip it.
+const MAX_ROLLUP_KEYS = 1_200_000;
+
+/**
+ * Phase 0b: roll up the per-scan ledger into operational-coverage metrics.
+ *
+ * Single streaming pass (never loads the whole file at once — same machinery as
+ * getDetectionStats). It distinguishes:
+ *   - scanned : entries that reached a real verdict (outcome !== 'dropped')
+ *   - dropped : queue-cap evictions (outcome === 'dropped') — never scanned
+ *   - vanished: DISTINCT name@version that were dropped AND never (re)scanned in-window
+ *               = a permanent coverage hole (the "which Miasma versions never ran" case)
+ *
+ * HONEST METRIC NOTE — `alertRate` is (suspect+confirmed) / scanned, i.e. "of what we
+ * scanned, the fraction we flagged". It is NOT a true-positive rate: the ledger carries
+ * no ground truth. The GHSA-denominated operational TPR (the 105/429 audit number) needs
+ * the ledger cross-referenced against the GHSA malware feed — that is the Phase 5
+ * coverage-audit, not this rollup. Do not relabel `alertRate` as TPR (CLAUDE.md: pas
+ * d'embellissement des métriques).
+ *
+ * @param {number|string|null} [sinceTs] window start — ms epoch, ISO string, or null for
+ *        "whole ledger". Entries with ts < sinceTs (or unparseable ts) are skipped.
+ * @param {object} [opts]
+ * @param {string} [opts.file] ledger path override (tests). Defaults to SCAN_LEDGER_FILE.
+ * @returns {{
+ *   generatedAt:string, since:string|null, windowStart:string|null, windowEnd:string|null,
+ *   total:number, scanned:number, dropped:number, vanished:number, exactVanished:boolean,
+ *   alerted:number, alertRate:number|null,
+ *   byOutcome:Object.<string,number>,
+ *   byEcosystem:Object.<string,{total:number,scanned:number,dropped:number,alerted:number}>
+ * }}
+ */
+function computeLedgerRollup(sinceTs, opts = {}) {
+  const file = opts.file || SCAN_LEDGER_FILE;
+
+  let sinceMs = null;
+  if (typeof sinceTs === 'number' && Number.isFinite(sinceTs)) {
+    sinceMs = sinceTs;
+  } else if (typeof sinceTs === 'string') {
+    const p = Date.parse(sinceTs);
+    if (!Number.isNaN(p)) sinceMs = p;
+  }
+
+  const byOutcome = Object.create(null);
+  const byEcosystem = Object.create(null);
+  let total = 0, scanned = 0, dropped = 0, alerted = 0;
+  let earliest = null, latest = null;
+  // Two sets so `vanished` is correct regardless of drop/scan ordering in the file.
+  // droppedKeys is small (drops only happen under queue-cap pressure); scannedKeys is
+  // bounded by the in-window line count (≤ MAX_SCAN_LEDGER), and further by MAX_ROLLUP_KEYS.
+  const scannedKeys = new Set();
+  const droppedKeys = new Set();
+  let exactVanished = true;
+
+  _iterateJsonlSync(file, (e) => {
+    if (!e || !e.name) return;
+    let t = null;
+    if (e.ts) { const p = Date.parse(e.ts); if (!Number.isNaN(p)) t = p; }
+    if (sinceMs !== null && (t === null || t < sinceMs)) return;
+
+    total++;
+    if (t !== null) {
+      if (earliest === null || t < earliest) earliest = t;
+      if (latest === null || t > latest) latest = t;
+    }
+
+    const outcome = (typeof e.outcome === 'string' && e.outcome) ? e.outcome : 'clean';
+    byOutcome[outcome] = (byOutcome[outcome] || 0) + 1;
+
+    const eco = e.ecosystem || 'unknown';
+    let ecoNode = byEcosystem[eco];
+    if (!ecoNode) ecoNode = byEcosystem[eco] = { total: 0, scanned: 0, dropped: 0, alerted: 0 };
+    ecoNode.total++;
+
+    const key = `${e.name}@${e.version || ''}`;
+    const underCap = exactVanished && (scannedKeys.size + droppedKeys.size) < MAX_ROLLUP_KEYS;
+    if (outcome === 'dropped') {
+      dropped++; ecoNode.dropped++;
+      if (underCap) droppedKeys.add(key); else exactVanished = false;
+    } else {
+      scanned++; ecoNode.scanned++;
+      if (outcome === 'suspect' || outcome === 'confirmed') { alerted++; ecoNode.alerted++; }
+      if (underCap) scannedKeys.add(key); else exactVanished = false;
+    }
+  });
+
+  let vanished = 0;
+  for (const k of droppedKeys) { if (!scannedKeys.has(k)) vanished++; }
+
+  return {
+    generatedAt: new Date().toISOString(),
+    since: sinceMs !== null ? new Date(sinceMs).toISOString() : null,
+    windowStart: earliest !== null ? new Date(earliest).toISOString() : null,
+    windowEnd: latest !== null ? new Date(latest).toISOString() : null,
+    total,
+    scanned,
+    dropped,
+    vanished,
+    exactVanished,
+    alerted,
+    // NOT a TPR — see the HONEST METRIC NOTE above. null when nothing was scanned.
+    alertRate: scanned > 0 ? alerted / scanned : null,
+    byOutcome,
+    byEcosystem
+  };
+}
+
 // --- Scan stats (FP rate tracking) ---
 
 function loadScanStats() {
@@ -1568,6 +1678,7 @@ module.exports = {
   appendDetection,
   appendScanLedger,
   loadScanLedger,
+  computeLedgerRollup,
   _compactScanLedgerJsonl,
   getDetectionStats,
   runStateMigrations,

package/src/monitor/webhook.js

@@ -28,7 +28,8 @@ const {
   saveState,
   loadStateRaw,
   getScansSinceLastMemoryPersist,
-  setScansSinceLastMemoryPersist
+  setScansSinceLastMemoryPersist,
+  computeLedgerRollup
 } = require('./state.js');
 const {
   HIGH_CONFIDENCE_MALICE_TYPES,
@@ -897,7 +898,52 @@ function formatDelta(current, previous) {
   return '=0';
 }
 
-function buildDailyReportEmbed(stats, dailyAlerts) {
+// Phase 0b: rolling window for the daily report's ledger section. The report runs
+// once/day, so 24h is the natural "what happened today" view and keeps the rollup's
+// distinct-key sets small (one day of scans, far below MAX_ROLLUP_KEYS). Env-tunable.
+const LEDGER_ROLLUP_WINDOW_MS = (() => {
+  const v = parseInt(process.env.MUADDIB_LEDGER_ROLLUP_WINDOW_MS, 10);
+  return Number.isFinite(v) && v > 0 ? v : 24 * 60 * 60 * 1000;
+})();
+
+/**
+ * Compute the per-scan ledger rollup for the daily-report window. Best-effort: a
+ * rollup failure (corrupt ledger, I/O) must NEVER break the daily report, so this
+ * swallows errors and returns null. Also returns null when the ledger is empty so
+ * the report omits the section instead of showing a noise row of zeros.
+ */
+function safeLedgerRollup() {
+  try {
+    const rollup = computeLedgerRollup(Date.now() - LEDGER_ROLLUP_WINDOW_MS);
+    return (rollup && rollup.total > 0) ? rollup : null;
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Format the ledger rollup as a Discord embed field, or null to omit it (no data).
+ * Surfaces operational scan coverage: scanned, alert rate (NOT a TPR — see
+ * computeLedgerRollup's HONEST METRIC NOTE), the dropped/vanished coverage holes,
+ * and a per-ecosystem split. Compact, well under Discord's 1024-char field limit.
+ */
+function formatLedgerField(rollup) {
+  if (!rollup || rollup.total <= 0) return null;
+  const pct = rollup.alertRate != null ? (rollup.alertRate * 100).toFixed(2) : '0.00';
+  const lines = [`Scanned ${rollup.scanned} · Alerted ${rollup.alerted} (${pct}%)`];
+  if (rollup.dropped > 0) {
+    const vanishedNote = rollup.exactVanished ? `${rollup.vanished}` : `≥${rollup.vanished}`;
+    lines.push(`Dropped ${rollup.dropped} (${vanishedNote} vanished)`);
+  }
+  const ecos = Object.keys(rollup.byEcosystem)
+    .sort((a, b) => rollup.byEcosystem[b].total - rollup.byEcosystem[a].total);
+  if (ecos.length > 0) {
+    lines.push(ecos.slice(0, 4).map(e => `${e} ${rollup.byEcosystem[e].total}`).join(' · '));
+  }
+  return { name: 'Ledger (24h)', value: lines.join('\n'), inline: false };
+}
+
+function buildDailyReportEmbed(stats, dailyAlerts, ledgerRollup) {
   // Use in-memory stats (accumulated since last reset, restored from disk on restart)
   // instead of disk-based daily entries which can undercount due to UTC/Paris date mismatch
   const { top3: diskTop3 } = buildReportFromDisk();
@@ -1000,6 +1046,12 @@ function buildDailyReportEmbed(stats, dailyAlerts) {
   } catch { /* non-fatal */ }
   const healthText = `Up ${uptimeH}h${uptimeM}m | Heap ${heapMB}MB${jsonlInfo}`;
 
+  // --- Phase 0b: per-scan ledger rollup (operational coverage) ---
+  // Caller may pass a precomputed rollup (sendDailyReport does, to persist the same
+  // numbers it displays); undefined → compute here; explicit null → omit the section.
+  const ledger = ledgerRollup !== undefined ? ledgerRollup : safeLedgerRollup();
+  const ledgerField = formatLedgerField(ledger);
+
   const now = new Date();
   const readableTime = now.toISOString().replace('T', ' ').replace(/\.\d+Z$/, ' UTC');
 
@@ -1022,6 +1074,7 @@ function buildDailyReportEmbed(stats, dailyAlerts) {
           ? [{ name: 'Deferred Sandbox', value: `Enqueued: ${stats.sandboxDeferred || 0} | Processed: ${stats.deferredProcessed || 0} | Expired: ${stats.deferredExpired || 0}`, inline: false }]
           : []),
         { name: 'Stability', value: `Restarts (24h): ${stats.restartsToday || 0} | Temporal load-shed: ${stats.temporalLoadShed || 0} | Queue hard-drops: ${stats.queueHardDrops || 0}`, inline: false },
+        ...(ledgerField ? [ledgerField] : []),
         { name: 'System', value: healthText, inline: false }
       ],
       footer: {
@@ -1060,7 +1113,10 @@ async function sendDailyReport(stats, dailyAlerts, recentlyScanned, downloadsCac
   // delta. Written before the (now last) webhook so a mid-send kill can't double-count.
   saveLastDailyReportDate(today, captureScanStatsBaseline());
 
-  const payload = buildDailyReportEmbed(stats, dailyAlerts);
+  // Phase 0b: compute the ledger rollup ONCE so the embed shows exactly the numbers
+  // we persist (no double-scan, no drift between Discord and the on-disk metrics).
+  const ledgerRollup = safeLedgerRollup();
+  const payload = buildDailyReportEmbed(stats, dailyAlerts, ledgerRollup);
 
   // Persist locally with full raw metrics (independent of webhook — enables trend analysis)
   persistDailyReport(payload, {
@@ -1081,6 +1137,7 @@ async function sendDailyReport(stats, dailyAlerts, recentlyScanned, downloadsCac
     restartsToday: stats.restartsToday || 0,
     temporalLoadShed: stats.temporalLoadShed || 0,
     queueHardDrops: stats.queueHardDrops || 0,
+    ledger: ledgerRollup || null,
     topSuspects: dailyAlerts.slice().sort((a, b) => (b.score || 0) - (a.score || 0) || b.findingsCount - a.findingsCount).slice(0, 10)
   });
 
@@ -1337,6 +1394,7 @@ module.exports = {
   buildMaintainerChangeWebhookEmbed,
   buildCanaryExfiltrationWebhookEmbed,
   buildDailyReportEmbed,
+  formatLedgerField,
   sendDailyReport,
   buildReportFromDisk,
   buildReportEmbedFromDisk,