muaddib-scanner 2.11.7 → 2.11.9

package/.env.example

@@ -0,0 +1,39 @@
+# MUAD'DIB environment variables — template
+# Copy to .env (local dev) or /opt/muaddib/.env (VPS) and fill in real values.
+# .env files are gitignored. NEVER commit a real token.
+
+# ----------------------------------------------------------------------------
+# Threat-feed API tokens (all OPTIONAL — scrapers degrade gracefully if absent)
+# ----------------------------------------------------------------------------
+
+# OpenSourceMalware.com — community-verified threat intel
+# Free tier: 60 req/min, /query-latest gives 100 most recent threats per ecosystem.
+# Sign up + generate at: https://opensourcemalware.com/auth → profile → API Tokens
+# Format: osm_<random-32+chars>
+# Used by: src/ioc/scraper.js → scrapeOSMQueryLatest()
+OSM_API_TOKEN=
+
+# ----------------------------------------------------------------------------
+# Webhook destinations (optional — monitor alerts)
+# ----------------------------------------------------------------------------
+
+# Discord webhook for monitor alerts (P1/P2/P3 triage)
+# DISCORD_WEBHOOK_URL=
+
+# ----------------------------------------------------------------------------
+# FPR plan gates — DEFAULT ON since v2.11.9 (no need to set these unless opting OUT)
+# ----------------------------------------------------------------------------
+# Measured impact on the v2.11.4 evaluation corpus (1054 packages):
+#   FPR curated 15.6% -> 9.36% (-6.24 pp), FPR random 7.0% -> 2.0% (-5.00 pp).
+#   TPR@3 / TPR@20 / ADR strictly unchanged.
+#
+# Opt-OUT individual gates (uncomment + set to 0):
+# MUADDIB_FN_REACHABILITY=0   # function-level reachability gating
+# MUADDIB_DECAY=0             # group score decay on bundled outputs
+# MUADDIB_MATURE_CAP=0        # cap mature, well-trafficked packages at MEDIUM
+# MUADDIB_METADATA_FACTOR=0   # registry signals -> reputation multiplier
+# MUADDIB_DELTA_MODE=0        # delta scoring against prior versions
+#
+# Skip the npm registry fetch ENTIRELY (disables MATURE_CAP + METADATA_FACTOR
+# + DELTA_MODE in one shot, useful for air-gap / offline CI / perf-critical):
+# MUADDIB_NO_REGISTRY_FETCH=1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.11.7",
+  "version": "2.11.9",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {
@@ -46,7 +46,7 @@
     "node": ">=18.0.0"
   },
   "dependencies": {
-    "@inquirer/prompts": "8.4.1",
+    "@inquirer/prompts": "8.4.2",
     "acorn": "8.16.0",
     "acorn-walk": "8.3.5",
     "adm-zip": "0.5.17",
@@ -57,8 +57,8 @@
   },
   "devDependencies": {
     "@eslint/js": "10.0.1",
-    "eslint": "10.2.1",
+    "eslint": "10.3.0",
     "eslint-plugin-security": "^4.0.0",
-    "globals": "17.5.0"
+    "globals": "17.6.0"
   }
 }

package/src/ioc/scraper.js

@@ -12,10 +12,37 @@ const { Spinner } = require('../utils.js');
 const { NPM_PACKAGE_REGEX } = require('../shared/constants.js');
 
 // Version format validation (semver-like + wildcard)
-const VERSION_RE = /^(\*|0|[1-9]\d*(\.\d+){0,2}(-[\w.]+)?(\+[\w.]+)?)$/;
+// Permissive version validator — accepts:
+//   - npm semver (1.2.3, 1.2.3-beta.1+build42, 0.x.y)
+//   - PEP 440 (0.1.0b7, 1.2.post1, 1.2.dev0, 0.1.0rc1)
+//   - calendar versioning (2024.5.0)
+//   - 4-segment versions (99.99.99.1, 0.0.7.5)
+//   - wildcard (*)
+// Rejects only structural abuse: path traversal (..), shell metachars,
+// whitespace, slashes, length > 100. The previous regex required first
+// char in [1-9] after a '0' which broke ALL 0.x.y versions (false negative
+// spam in scraper logs ; ~600 valid PyPI/npm versions wrongly skipped per scrape).
+const VERSION_INVALID_CHARS = /[\s\\/'"`;|&$<>(){}\[\]?]/;
+function isValidVersion(version) {
+  if (!version || typeof version !== 'string') return false;
+  if (version === '*') return true;
+  if (version.length > 100) return false;
+  if (version.includes('..')) return false;
+  if (VERSION_INVALID_CHARS.test(version)) return false;
+  // Must start with a digit (or 'v' prefix), and contain only word chars / . / + / -
+  if (!/^v?\d/.test(version)) return false;
+  return /^[\w.+\-]+$/.test(version);
+}
+// Backwards compat: keep VERSION_RE as a no-op test wrapper for any legacy
+// caller that imports it. Prefer isValidVersion() in new code.
+const VERSION_RE = { test: isValidVersion };
 
-// Aggregated warning counter for noisy logs (reset per scraper run)
+// Aggregated warning counters for noisy logs (reset per scraper run).
+// Avoids spamming hundreds of WARN lines for malware feeds with non-standard
+// version strings — a single summary line is logged at the end of runScraper.
 let _noVersionSkipCount = 0;
+let _invalidVersionSkipCount = 0;
+let _invalidVersionSamples = [];  // first 3 samples for context
 
 /**
  * Validate an IOC package entry before insertion.
@@ -37,9 +64,13 @@ function validateIOCEntry(pkgName, version, ecosystem) {
       return false;
     }
   }
-  // Version validation
+  // Version validation — silent counter (aggregated log emitted by runScraper).
+  // The previous per-line WARN was spamming ~600 lines per scrape on PyPI feeds.
   if (version && !VERSION_RE.test(version)) {
-    console.warn(`[WARN] Invalid version skipped: ${version} for ${pkgName}`);
+    _invalidVersionSkipCount++;
+    if (_invalidVersionSamples.length < 3) {
+      _invalidVersionSamples.push(`${version} for ${pkgName}`);
+    }
     return false;
   }
   return true;
@@ -980,12 +1011,14 @@ async function scrapeGitHubAdvisory() {
 // ============================================
 async function runScraper() {
   console.log('\n' + '='.repeat(60));
-  console.log('  MUAD\'DIB IOC Scraper v4.0');
-  console.log('  OSV + OSSF + GenSecAI + DataDog + Snyk');
+  console.log('  MUAD\'DIB IOC Scraper v4.1');
+  console.log('  OSV + OSSF + GenSecAI + DataDog + Aikido + OSM');
   console.log('='.repeat(60) + '\n');
 
   // Reset aggregated warning counters
   _noVersionSkipCount = 0;
+  _invalidVersionSkipCount = 0;
+  _invalidVersionSamples = [];
 
   // Create data directory if needed
   const dataDir = path.dirname(IOC_FILE);
@@ -1038,7 +1071,8 @@ async function runScraper() {
     scrapeOSSFMaliciousPackages(osvResult.knownIds),
     scrapeGitHubAdvisory(),
     scrapeOSVPyPIDataDump(),
-    scrapeAikidoMalwareFeed()
+    scrapeAikidoMalwareFeed(),
+    scrapeOSMQueryLatest()
   ]);
 
   const shaiHuludResult = results[0];
@@ -1047,11 +1081,18 @@ async function runScraper() {
   const githubPackages = results[3];
   const pypiPackages = results[4];
   const aikidoResult = results[5];
+  const osmResult = results[6];
 
   // Log aggregated warnings
   if (_noVersionSkipCount > 0) {
     console.log('[SCRAPER] WARN: ' + _noVersionSkipCount + ' packages skipped (no version info, wildcard fallback avoided)');
   }
+  if (_invalidVersionSkipCount > 0) {
+    const samples = _invalidVersionSamples.length > 0
+      ? ' (samples: ' + _invalidVersionSamples.join(', ') + ')'
+      : '';
+    console.log('[SCRAPER] WARN: ' + _invalidVersionSkipCount + ' entries skipped (malformed version)' + samples);
+  }
 
   // Merge all scraped packages
   const allPackages = [
@@ -1060,7 +1101,8 @@ async function runScraper() {
     ...datadogResult.packages,
     ...ossfPackages,
     ...githubPackages,
-    ...aikidoResult.packages
+    ...aikidoResult.packages,
+    ...osmResult.packages
   ];
 
   // Merge all hashes
@@ -1072,7 +1114,7 @@ async function runScraper() {
   // Smart deduplication: build map of best entry per key
   // For duplicates, keep the one with highest confidence, then most recent date
   const dedupSpinner = new Spinner();
-  dedupSpinner.start('Deduplicating ' + allPackages.length + ' npm + ' + (pypiPackages.length + (aikidoResult.pypi_packages || []).length) + ' PyPI entries...');
+  dedupSpinner.start('Deduplicating ' + allPackages.length + ' npm + ' + (pypiPackages.length + (aikidoResult.pypi_packages || []).length + (osmResult.pypi_packages || []).length) + ' PyPI entries...');
   const dedupMap = new Map();
 
   // Seed with existing IOCs (with sanitization of stale comma-in-version entries)
@@ -1173,7 +1215,7 @@ async function runScraper() {
   }
   let addedPyPIPackages = 0;
   // Merge Aikido PyPI feed into the same loop
-  const allPyPIPackages = pypiPackages.concat(aikidoResult.pypi_packages || []);
+  const allPyPIPackages = pypiPackages.concat(aikidoResult.pypi_packages || [], osmResult.pypi_packages || []);
   for (const pkg of allPyPIPackages) {
     if (!validateIOCEntry(pkg.name, pkg.version, 'pypi')) {
       skippedInvalid++;
@@ -1411,6 +1453,131 @@ async function scrapeAikidoMalwareFeed() {
   return { packages: npmPackages, pypi_packages: pypiPackages };
 }
 
+// ============================================
+// SOURCE 7: OpenSourceMalware.com (community-verified threat intel)
+// Free tier: 60 req/min, /query-latest returns 100 most recent verified threats per
+// ecosystem. Token stored in OSM_API_TOKEN env var (NEVER hardcoded — public repo).
+// API: https://api.opensourcemalware.com/functions/v1/query-latest?ecosystem={npm|pypi}
+// Docs: https://docs.opensourcemalware.com/api/query-latest.md
+// Rate-limit ref: https://docs.opensourcemalware.com/api/rate-limits.md
+// ============================================
+async function scrapeOSMQueryLatest() {
+  console.log('[SCRAPER] OpenSourceMalware.com query-latest...');
+  const token = process.env.OSM_API_TOKEN;
+  if (!token) {
+    console.log('[SCRAPER]   OSM_API_TOKEN not set — skipping (graceful, no error).');
+    return { packages: [], pypi_packages: [] };
+  }
+  // Defensive token shape check (don't log the value)
+  if (typeof token !== 'string' || !token.startsWith('osm_') || token.length < 16) {
+    console.log('[SCRAPER]   OSM_API_TOKEN malformed (expected osm_<chars>) — skipping.');
+    return { packages: [], pypi_packages: [] };
+  }
+
+  const npmPackages = [];
+  const pypiPackages = [];
+  const headers = { Authorization: 'Bearer ' + token };
+
+  // Map OSM severity_level (low/medium/high/critical) to MUAD'DIB severity (lowercase).
+  // OSM doesn't always populate severity; default to 'high' (verified threats are high-confidence by definition).
+  function mapSeverity(s) {
+    if (!s || typeof s !== 'string') return 'high';
+    const v = s.toLowerCase().trim();
+    if (v === 'low' || v === 'medium' || v === 'high' || v === 'critical') return v;
+    return 'high';
+  }
+
+  function buildReferences(threat, ecosystem) {
+    const refs = [];
+    if (threat.osv_advisory_url && typeof threat.osv_advisory_url === 'string') refs.push(threat.osv_advisory_url);
+    if (threat.ghsa_advisory_url && typeof threat.ghsa_advisory_url === 'string') refs.push(threat.ghsa_advisory_url);
+    // Canonical OSM page for this threat. Best-effort URL — if 404 it's harmless metadata.
+    if (threat.package_name) {
+      refs.push('https://opensourcemalware.com/' + ecosystem + '/' + encodeURIComponent(threat.package_name));
+    }
+    return refs;
+  }
+
+  function buildDescription(threat) {
+    const parts = [];
+    if (threat.threat_description) parts.push(String(threat.threat_description));
+    if (Array.isArray(threat.tags) && threat.tags.length > 0) {
+      parts.push('Tags: ' + threat.tags.filter(t => typeof t === 'string').join(', '));
+    }
+    if (threat.researcher) parts.push('Reporter: ' + String(threat.researcher));
+    return parts.length > 0 ? parts.join(' — ') : 'Verified by OpenSourceMalware.com community';
+  }
+
+  async function pull(ecosystem, target) {
+    try {
+      const { status, data } = await fetchJSON(
+        'https://api.opensourcemalware.com/functions/v1/query-latest?ecosystem=' + encodeURIComponent(ecosystem),
+        { headers }
+      );
+      if (status === 401 || status === 403) {
+        console.log('[SCRAPER]   OSM ' + ecosystem + ': HTTP ' + status + ' — token rejected, check OSM_API_TOKEN.');
+        return;
+      }
+      if (status !== 200) {
+        console.log('[SCRAPER]   OSM ' + ecosystem + ' feed: HTTP ' + status);
+        return;
+      }
+      if (!data || !Array.isArray(data.threats)) {
+        console.log('[SCRAPER]   OSM ' + ecosystem + ' feed: unexpected response shape (no threats[]).');
+        return;
+      }
+      let count = 0;
+      for (const t of data.threats) {
+        if (!t || typeof t.package_name !== 'string' || t.package_name.length === 0) continue;
+        // OSM verifies report_type === 'package' threats. Skip anything else (repository/url/domain).
+        // The query is filtered by ecosystem, but defensive check on registry field.
+        if (t.report_type && t.report_type !== 'package') continue;
+        // Normalize version: OSM uses free-form strings ('all', 'any', 'unknown', null, etc.)
+        // Wildcard placeholders must be MUAD'DIB's canonical '*' so the IOC matcher hits.
+        let ver = '*';
+        if (t.version_info && typeof t.version_info === 'string') {
+          const trimmed = t.version_info.trim();
+          const lc = trimmed.toLowerCase();
+          if (trimmed !== '' && lc !== 'all' && lc !== 'any' && lc !== 'unknown' && lc !== '*' && lc !== 'n/a') {
+            ver = trimmed;
+          }
+        }
+        const severity = mapSeverity(t.severity_level);
+        const addedAt = t.verified_at || t.created_at || t.first_seen || new Date().toISOString();
+        const idPrefix = ecosystem === 'pypi' ? 'OSM-PYPI-' : 'OSM-';
+        target.push({
+          id: idPrefix + t.package_name + '-' + ver,
+          name: t.package_name,
+          version: ver,
+          severity: severity,
+          confidence: 'high',
+          source: 'osm',
+          description: buildDescription(t),
+          references: buildReferences(t, ecosystem),
+          mitre: 'T1195.002',
+          freshness: {
+            added_at: addedAt,
+            source: 'osm',
+            confidence: 'high'
+          }
+        });
+        count++;
+      }
+      console.log('[SCRAPER]   ' + count + ' ' + ecosystem + ' verified threats from OSM');
+    } catch (e) {
+      // Defensive: do NOT echo any token-bearing URL or header in the error.
+      console.log('[SCRAPER]   OSM ' + ecosystem + ' error: ' + (e && e.message ? e.message : 'unknown'));
+    }
+  }
+
+  // Sequential (not parallel): keeps us well under the 60 req/min rate limit
+  // and gives clearer logs. Two ecosystems = ~200ms total.
+  await pull('npm', npmPackages);
+  await pull('pypi', pypiPackages);
+
+  return { packages: npmPackages, pypi_packages: pypiPackages };
+}
+
 // ============================================
 // SOURCE 5: OSV.dev Lightweight API
 // Used by `muaddib update` (fast, no zip download)
@@ -1529,6 +1696,7 @@ function getSourceConfidence(pkg) {
 module.exports = {
   runScraper, scrapeShaiHuludDetector, scrapeDatadogIOCs,
   scrapeAikidoMalwareFeed,
+  scrapeOSMQueryLatest,
   scrapeOSVLightweightAPI, queryOSVBatch,
   getSourceConfidence,
   // Pure utility functions (exported for testing)

package/src/ioc/updater.js

@@ -39,25 +39,28 @@ async function updateIOCs() {
   mergeIOCs(baseIOCs, yamlStandard);
   console.log('[2/4] YAML IOCs: ' + yamlStandard.packages.length + ' packages, ' + yamlStandard.hashes.length + ' hashes');
 
-  // Step 3: Download additional IOCs from GitHub + OSV API (GenSecAI + DataDog + OSV lightweight)
-  const { scrapeShaiHuludDetector, scrapeDatadogIOCs, scrapeOSVLightweightAPI } = require('./scraper.js');
-  console.log('[3/4] Downloading GitHub + OSV API IOCs...');
+  // Step 3: Download additional IOCs from GitHub + OSV API (GenSecAI + DataDog + OSV lightweight + OSM)
+  // Light path: JSON/REST only, NO heavy zip dumps. Designed to be safe at 15min cadence.
+  // For the deep refresh (OSV zip dumps + OSSF + Aikido + GitHub Advisory), use `muaddib scrape` (~5min).
+  const { scrapeShaiHuludDetector, scrapeDatadogIOCs, scrapeOSVLightweightAPI, scrapeOSMQueryLatest } = require('./scraper.js');
+  console.log('[3/4] Downloading GitHub + OSV API + OSM IOCs...');
 
-  const [shaiHulud, datadog, osvApi] = await Promise.all([
+  const [shaiHulud, datadog, osvApi, osmResult] = await Promise.all([
     scrapeShaiHuludDetector(),
     scrapeDatadogIOCs(),
-    scrapeOSVLightweightAPI()
+    scrapeOSVLightweightAPI(),
+    scrapeOSMQueryLatest()
   ]);
 
   const githubIOCs = {
-    packages: [].concat(shaiHulud.packages, datadog.packages, osvApi),
-    pypi_packages: [],
+    packages: [].concat(shaiHulud.packages, datadog.packages, osvApi, osmResult.packages),
+    pypi_packages: (osmResult.pypi_packages || []).slice(),
     hashes: [].concat(shaiHulud.hashes || [], datadog.hashes || []),
     markers: [],
     files: []
   };
   mergeIOCs(baseIOCs, githubIOCs);
-  console.log('     +' + shaiHulud.packages.length + ' GenSecAI, +' + datadog.packages.length + ' DataDog, +' + osvApi.length + ' OSV API');
+  console.log('     +' + shaiHulud.packages.length + ' GenSecAI, +' + datadog.packages.length + ' DataDog, +' + osvApi.length + ' OSV API, +' + osmResult.packages.length + ' OSM npm, +' + (osmResult.pypi_packages || []).length + ' OSM PyPI');
 
   // Step 3b: Load existing cache IOCs (from bootstrap download or previous update)
   if (fs.existsSync(CACHE_IOC_FILE)) {

package/src/pipeline/processor.js

@@ -131,11 +131,12 @@ async function process(threats, targetPath, options, pythonDeps, warnings, scann
       debugLog('[REACHABILITY] error:', e?.message);
       // Graceful fallback — treat all files as reachable
     }
-    // FPR plan C2 : function-level reachability sits behind a flag while we
-    // measure FPR delta on the corpus. Off by default so production scans stay
-    // identical until the flag is flipped. Activated only when file-level
-    // reachability succeeded (otherwise no entry-point context to seed from).
-    if (reachableFiles && globalThis.process.env.MUADDIB_FN_REACHABILITY === '1') {
+    // FPR plan C2 : function-level reachability. Default ON since v2.11.9 after
+    // measuring -2.0 pp FPR (curated 11.4% -> 9.4%) with zero TPR/ADR regression
+    // on the full evaluation corpus (1054 packages). Opt-out via
+    // MUADDIB_FN_REACHABILITY=0. Activated only when file-level reachability
+    // succeeded (otherwise no entry-point context to seed from).
+    if (reachableFiles && globalThis.process.env.MUADDIB_FN_REACHABILITY !== '0') {
       try {
         reachableFunctions = computeReachableFunctions(targetPath, reachableFiles);
       } catch (e) {
@@ -169,21 +170,25 @@ async function process(threats, targetPath, options, pythonDeps, warnings, scann
     }
   } catch { /* graceful fallback */ }
 
-  // FPR plan Chantier 4 + 5 wiring : when a package name is known and at least
-  // one of the metadata-driven gates is ON, fetch the npm registry packument
-  // and attach it as _pkgMeta.npmRegistryMeta. Without this, applyReputation-
-  // Factor and applyMatureStableCap cannot fire outside the monitor's own
-  // queue.js (which already pre-fetches the metadata bundle). getPackageMeta-
-  // data has its own in-process cache, so repeated scans of the same package
-  // hit the cache and never re-fetch. Network failure / unknown package -> the
-  // call returns null and both downstream functions degrade gracefully.
+  // FPR plan Chantier 4 + 5 wiring : fetch npm registry packument and attach
+  // it as _pkgMeta.npmRegistryMeta so applyReputationFactor, applyMatureStable-
+  // Cap, and applyDeltaMultiplier can fire. getPackageMetadata has an in-
+  // process cache, so repeated scans of the same package hit the cache and
+  // never re-fetch. Network failure / unknown package -> returns null and all
+  // downstream functions degrade gracefully.
+  //
+  // Default ON since v2.11.9. To skip the fetch entirely (air-gap, offline CI,
+  // perf-critical batch), set MUADDIB_NO_REGISTRY_FETCH=1 — this disables the
+  // 3 metadata-dependent gates (METADATA_FACTOR, MATURE_CAP, DELTA_MODE) in
+  // one shot. Individual gates can still be turned off via their own =0 flag.
   if (
     packageName &&
     _pkgMeta &&
+    globalThis.process.env.MUADDIB_NO_REGISTRY_FETCH !== '1' &&
     (
-      globalThis.process.env.MUADDIB_METADATA_FACTOR === '1' ||
-      globalThis.process.env.MUADDIB_MATURE_CAP === '1' ||
-      globalThis.process.env.MUADDIB_DELTA_MODE === '1'
+      globalThis.process.env.MUADDIB_METADATA_FACTOR !== '0' ||
+      globalThis.process.env.MUADDIB_MATURE_CAP !== '0' ||
+      globalThis.process.env.MUADDIB_DELTA_MODE !== '0'
     )
   ) {
     try {
@@ -293,13 +298,15 @@ async function process(threats, targetPath, options, pythonDeps, warnings, scann
   applyFPReductions(deduped, reachableFiles, packageName, packageDeps, reachableFunctions);
 
   // FPR plan Chantier 3 - delta-aware decay. Threats present in the last 3
-  // published versions (and not HC/IOC) decay to LOW. Off by default until
-  // the cache is warm and we've measured the FPR delta on the corpus.
+  // published versions (and not HC/IOC) decay to LOW. Default ON since v2.11.9.
+  // Opt-out: MUADDIB_DELTA_MODE=0 (or set MUADDIB_NO_REGISTRY_FETCH=1 to skip
+  // the registry fetch upstream). No-op when registry meta is absent (CLI
+  // scans on private packages, offline, or unknown package).
   let _deltaResult = null;
   if (
     packageName && packageVersion &&
     _pkgMeta && _pkgMeta.npmRegistryMeta &&
-    globalThis.process.env.MUADDIB_DELTA_MODE === '1'
+    globalThis.process.env.MUADDIB_DELTA_MODE !== '0'
   ) {
     try {
       const packument = _pkgMeta.npmRegistryMeta.packument || _pkgMeta.npmRegistryMeta;
@@ -446,9 +453,9 @@ async function process(threats, targetPath, options, pythonDeps, warnings, scann
   // FPR plan Chantier 5 : mature stable cap — caps mature, well-owned, high-
   // traffic packages at MEDIUM unless an HC type or IOC is present. Sits
   // BETWEEN the contextual caps (which it composes with) and the single-fire
-  // floor (which can override on hard signals). Gated behind
-  // MUADDIB_MATURE_CAP=1 until measured against the full evaluation corpus.
-  if (globalThis.process.env.MUADDIB_MATURE_CAP === '1') {
+  // floor (which can override on hard signals). Default ON since v2.11.9.
+  // Opt-out: MUADDIB_MATURE_CAP=0. No-op when registry meta is absent.
+  if (globalThis.process.env.MUADDIB_MATURE_CAP !== '0') {
     const matureCap = applyMatureStableCap(result, _pkgMeta && _pkgMeta.npmRegistryMeta);
     if (matureCap && matureCap.applied) {
       debugLog('[MATURE-CAP] ' + (packageName || targetPath) + ': ' +
@@ -470,12 +477,13 @@ async function process(threats, targetPath, options, pythonDeps, warnings, scann
   // Hybrid v3 Phase 4: metadata-first reputation factor — multiplies the score
   // by a factor in [0.10, 1.5] derived from npm registry signals. Applied LAST
   // so all severity logic completes first; the factor is the final, package-
-  // wide context filter. Gated behind MUADDIB_METADATA_FACTOR=1; no-op when
-  // metadata is absent (CLI scans, offline) or the gate is off.
+  // wide context filter. Default ON since v2.11.9. Opt-out:
+  // MUADDIB_METADATA_FACTOR=0. No-op when metadata is absent (CLI scans on
+  // unknown package, offline, MUADDIB_NO_REGISTRY_FETCH=1).
   // NOTE: this module's exported function is named `process`, which shadows
   // the global `process` inside its body. Use globalThis.process.env to reach
   // the real environment.
-  if (globalThis.process.env.MUADDIB_METADATA_FACTOR === '1') {
+  if (globalThis.process.env.MUADDIB_METADATA_FACTOR !== '0') {
     const repAdjust = applyReputationFactor(result, _pkgMeta && _pkgMeta.npmRegistryMeta);
     if (repAdjust) {
       debugLog('[META-FACTOR] ' + (packageName || targetPath) + ': factor=' +
@@ -501,10 +509,10 @@ async function process(threats, targetPath, options, pythonDeps, warnings, scann
   // FPR plan Chantier 3 : persist this version's signature set so future scans
   // (or future versions) can use it as a baseline for delta decay. Best-effort
   // and idempotent ; cache misses on read are silent so a missed write never
-  // blocks scoring. Only write when the user opted in to delta-mode AND we
+  // blocks scoring. Write whenever delta-mode is enabled (default ON) AND we
   // have a concrete package@version pair.
   if (
-    globalThis.process.env.MUADDIB_DELTA_MODE === '1' &&
+    globalThis.process.env.MUADDIB_DELTA_MODE !== '0' &&
     packageName && packageVersion
   ) {
     try {

package/src/scoring.js

@@ -186,7 +186,8 @@ function _isReplacedByCompound(t) {
 }
 
 function computeGroupScore(threats) {
-  if (process.env.MUADDIB_DECAY === '1') return computeGroupScoreDecay(threats);
+  // Score decay default ON since v2.11.9 (FPR plan Chantier 1). Opt-out: MUADDIB_DECAY=0.
+  if (process.env.MUADDIB_DECAY !== '0') return computeGroupScoreDecay(threats);
   let score = 0;
   let protoHookMediumPoints = 0;
   let dataflowMediumPoints = 0;