muaddib-scanner 2.11.75 → 2.11.77

package/.githooks/pre-commit

@@ -0,0 +1,18 @@
+#!/bin/sh
+# Pre-commit guard — block committing a typosquat/forbidden dependency
+# (loadash, lodash, lodahs, …). Local mirror of the CI gate
+# (scripts/check-deps-typosquats.js, run in the `test` job of .github/workflows/scan.yml)
+# and defense-in-depth with the package.json `preinstall` denylist.
+#
+# Enable once per clone:  git config core.hooksPath .githooks
+#
+# This repo uses NEITHER lodash NOR loadash (CLAUDE.md interdiction). The loadash
+# typosquat has re-entered package.json repeatedly; this stops it at commit time.
+
+node scripts/check-deps-typosquats.js
+status=$?
+if [ "$status" -ne 0 ]; then
+  echo "pre-commit: ABORTED — remove the typosquat dependency from package.json (see above)." >&2
+  exit 1
+fi
+exit 0

package/README.md

@@ -30,7 +30,7 @@
 
 npm and PyPI supply-chain attacks are exploding. Shai-Hulud compromised 25K+ repos in 2025. Existing tools detect threats but don't help you respond.
 
-MUAD'DIB combines **20 parallel scanners** (262 detection rules), a **deobfuscation engine**, **inter-module dataflow analysis**, **compound scoring** (17 compound rules), and a gVisor/Docker sandbox to detect known threats and suspicious behavioral patterns in npm and PyPI packages. An XGBoost classifier exists in the codebase but is **currently inactive** (see [Evaluation Metrics](#evaluation-metrics) → ML Classifier section).
+MUAD'DIB combines **20 parallel scanners** (264 detection rules), a **deobfuscation engine**, **inter-module dataflow analysis**, **compound scoring** (17 compound rules), and a gVisor/Docker sandbox to detect known threats and suspicious behavioral patterns in npm and PyPI packages. An XGBoost classifier exists in the codebase but is **currently inactive** (see [Evaluation Metrics](#evaluation-metrics) → ML Classifier section).
 
 ---
 
@@ -202,9 +202,9 @@ muaddib replay                     # Ground truth validation (90/94 TPR@3, v2.11
 | Python Source (PYSRC) | Import-time / install-time RCE patterns in `__init__.py` / `setup.py` (v2.11.41 — closes TrapDoor PyPI gap) |
 | Python AST (PYAST) | Tree-sitter-Python AST with taint-aware detectors (v2.11.42+) |
 
-### 259 detection rules
+### 264 detection rules
 
-All rules (254 RULES + 5 PARANOID) are mapped to MITRE ATT&CK techniques. See [SECURITY.md](SECURITY.md#detection-rules-v21147) for the complete rules reference.
+All rules (259 RULES + 5 PARANOID) are mapped to MITRE ATT&CK techniques. See [SECURITY.md](SECURITY.md#detection-rules-v21176) for the complete rules reference.
 
 ### Detected campaigns
 
@@ -278,7 +278,7 @@ With pre-commit framework:
 ```yaml
 repos:
   - repo: https://github.com/DNSZLSK/muad-dib
-    rev: v2.11.48
+    rev: v2.11.76
     hooks:
       - id: muaddib-scan
 ```
@@ -303,11 +303,20 @@ These are the numbers a user gets when running `muaddib scan` against npm or PyP
 | **FPR PyPI** (v2.11.48, first honest measurement) | **9.68%** (12/124 scanned, 132 total) | **Track D fixed the PyPI downloader** — removed `pip --no-binary :all:` flag (forced compile of wheel-only packages, timed out 38% of the time) + added `.whl` extraction via `extractArchive()`. Brought 42 previously-skipped giants (numpy/pandas/django/matplotlib/scikit-learn/...) into scope. All 12 FPs cluster at score 25-35: this is the cap-PyPI-35 artifact, not new rule misfires. Lifting the cap (Track E) would drop FPR PyPI to ≈0%. 8 residual fails are >500MB packages (torch, tensorflow, scipy, opencv-python, ansible…) hitting the 30s `PACK_TIMEOUT_MS`. |
 | **ADR** (Adversarial + Holdout, v2.11.48) | **96.26%** (103/107) | 67 adversarial + 40 holdout, global threshold=20. Stable vs v2.10.95. |
 
-**3969 tests** across 109 files. **262 rules** (257 RULES + 5 PARANOID — Track D added 3: AST-093, AST-094, COMPOUND-016).
+**4132 tests** across 115 files. **264 rules** (259 RULES + 5 PARANOID; v2.11.67/70 Phantom Gyp added PKG-023 + COMPOUND-017).
 
 **Known issues (v2.11.48):**
 - *Cap PyPI à 35/100*: Python samples plafonnent à `riskScore=35` even when `globalRiskScore=100`. Confirmed empirically — all 12 PyPI FPs at score 25-35 (flask 32, django 35, tornado 35, bottle 30, pandas 25, matplotlib 25, plotly 25, bokeh 25, pymongo 35, coverage 32, fabric 35, websockets 35). Lifting the cap will simultaneously drop FPR PyPI to ≈0% and unblock PyPI MALWARE detection at higher thresholds. Track E target.
 
+### Operational coverage (v2.11.67-76)
+
+The static ground-truth TPR above is measured offline. Since v2.11.67 the monitor also tracks **operational** coverage on live npm/PyPI ingestion:
+- A per-scan **ledger** (`data/scan-ledger.jsonl`) records every scanned package's outcome; `computeLedgerRollup()` produces a 24h rollup (`alertRate`, per-ecosystem). Note: `alertRate` is a throughput signal, **not** detection TPR.
+- An active **GHSA poller** (~15 min; npm, pypi, crates) builds an authoritative "what should we have caught" denominator (`data/ghsa-malware.jsonl`), plus a **feed-health** alarm that fires when an IOC feed silently goes dark.
+- The Phase 5 **coverage-audit** (`scripts/coverage-audit.js`, daily 05:00 UTC) joins that denominator against ledger outcomes + the tarball archive to compute an honest GHSA-denominated **operational TPR** (`alerted / total`), and surfaces `scannedClean` misses as human-gated ground-truth candidates.
+
+This operational TPR is the real production detection rate, distinct from the static GT TPR (which has not been re-measured since v2.11.48).
+
 ### ML Classifier (offline only)
 
 `src/ml/classifier.js` is **not wired into `muaddib scan`**. The XGBoost model is currently exercised only by `muaddib evaluate` (offline metric replay) and `muaddib monitor` (LOG-ONLY since 2026-04-08, model collapsed pending retrain — see `src/monitor/queue.js:628`). The v2.11.48 evaluate-time replay shows the same 1.10% FPR (no additional FPs filtered) — kept as a reference for retrain validation, but the published operational FPR is the rules-only number above.
@@ -371,7 +380,7 @@ npm test
 
 ### Testing
 
-- **3913 tests** across 109 modular test files
+- **4132 tests** across 115 modular test files
 - **56 fuzz tests** - Malformed inputs, ReDoS, unicode, binary
 - **Datadog 17K benchmark** - 14,587 confirmed malware samples (in-scope)
 - **Ground truth validation** - 96 real-world attacks (95.74% TPR@3, 88.30% TPR@20 — v2.11.48 full measure on 94 in-scope)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.11.75",
+  "version": "2.11.77",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {
@@ -52,7 +52,6 @@
     "acorn-walk": "8.3.5",
     "adm-zip": "0.5.17",
     "js-yaml": "4.2.0",
-    "loadash": "^1.0.0",
     "web-tree-sitter": "^0.26.9"
   },
   "devDependencies": {

package/{self-scan-v2.11.75.json → self-scan-v2.11.77.json}

@@ -1,6 +1,6 @@
 {
   "target": "node_modules",
-  "timestamp": "2026-06-07T19:18:50.434Z",
+  "timestamp": "2026-06-08T14:52:28.323Z",
   "threats": [
     {
       "type": "string_mutation_obfuscation",

package/src/commands/safe-install.js

@@ -1,6 +1,11 @@
 const fs = require('fs');
 const path = require('path');
-const { spawnSync } = require('child_process');
+// NB: keep the module object (cp.spawnSync), NOT a destructured `spawnSync`. Destructuring
+// captures the original reference at load time, which makes the function impossible to mock
+// from tests (`cp.spawnSync = ...` wouldn't be seen here) — that's exactly how the
+// safe-install test's mock silently failed and a real `npm install loadash` ran every test
+// run, re-contaminating package.json. Property access keeps it interceptable.
+const cp = require('child_process');
 const { loadCachedIOCs } = require('../ioc/updater.js');
 const { REHABILITATED_PACKAGES, NPM_PACKAGE_REGEX } = require('../shared/constants.js');
 
@@ -172,7 +177,7 @@ async function scanPackageRecursive(pkg, depth = 0, maxDepth = 3) {
   // Get the package info (uses spawnSync to avoid injection)
   let pkgInfo;
   try {
-    const result = spawnSync('npm', ['view', pkgName, '--json'], { encoding: 'utf8', shell: false });
+    const result = cp.spawnSync('npm', ['view', pkgName, '--json'], { encoding: 'utf8', shell: false });
     if (result.status !== 0 || !result.stdout) {
       if (depth === 0) console.log(`[!] Package ${pkgName} not found on npm`);
       return { safe: false, package: pkgName, reason: 'npm_unreachable', source: 'npm-registry', description: 'Package not found on npm registry', depth };
@@ -276,7 +281,7 @@ async function safeInstall(packages, options = {}) {
   if (isDev) npmArgs.push('--save-dev');
   if (isGlobal) npmArgs.push('-g');
 
-  const result = spawnSync('npm', npmArgs, { stdio: 'inherit', shell: false });
+  const result = cp.spawnSync('npm', npmArgs, { stdio: 'inherit', shell: false });
 
   if (result.status !== 0) {
     console.log('');

package/src/monitor/daemon.js

@@ -5,14 +5,15 @@ const os = require('os');
 const v8 = require('v8');
 const { isDockerAvailable, SANDBOX_CONCURRENCY_MAX, killAllSandboxContainers } = require('../sandbox/index.js');
 const { setVerboseMode, isSandboxEnabled, isCanaryEnabled, isLlmDetectiveEnabled, getLlmDetectiveMode, DOWNLOADS_CACHE_TTL } = require('./classify.js');
-const { loadState, saveState, loadDailyStats, saveDailyStats, purgeTarballCache, getParisHour, atomicWriteFileSync, saveNpmSeq, ALERTS_FILE, runStateMigrations, loadRecentlyScanned, saveRecentlyScanned } = require('./state.js');
+const { loadState, saveState, loadDailyStats, saveDailyStats, purgeTarballCache, isDailyReportDue, atomicWriteFileSync, saveNpmSeq, ALERTS_FILE, runStateMigrations, loadRecentlyScanned, saveRecentlyScanned } = require('./state.js');
 const { isTemporalEnabled, isTemporalAstEnabled, isTemporalPublishEnabled, isTemporalMaintainerEnabled } = require('./temporal.js');
-const { pendingGrouped, flushScopeGroup, sendDailyReport, DAILY_REPORT_HOUR, alertedPackageRules, ALERTED_PACKAGES_MAX: MAX_ALERTED_PACKAGES } = require('./webhook.js');
+const { pendingGrouped, flushScopeGroup, sendDailyReport, alertedPackageRules, ALERTED_PACKAGES_MAX: MAX_ALERTED_PACKAGES } = require('./webhook.js');
 const { poll, getPollBackoffMs } = require('./ingestion.js');
 const { ensureWorkers, drainWorkers, getTargetConcurrency, setTargetConcurrency, getActiveWorkers, terminateAllWorkers } = require('./queue.js');
 const { computeTarget, ADJUST_INTERVAL_MS, BASE_CONCURRENCY } = require('./adaptive-concurrency.js');
 const { startHealthcheck } = require('./healthcheck.js');
 const { startDeferredWorker, stopDeferredWorker, persistDeferredQueue, restoreDeferredQueue, clearDeferredQueue } = require('./deferred-sandbox.js');
+const { evictFromScanQueueBulk } = require('./scan-queue.js');
 const { startGhsaPoller, stopGhsaPoller } = require('../ioc/ghsa-poller.js');
 const { cleanupOldArchives, getRetentionDays, startPeriodicCleanup } = require('./tarball-archive.js');
 const { clearMetadataCache } = require('../scanner/temporal-analysis.js');
@@ -532,8 +533,13 @@ function pruneMemoryCaches(recentlyScanned, downloadsCache, alertedPackageRules)
  * Worker spawning is gated separately in the main loop (ensureWorkers skipped at HIGH+).
  * Ingestion is gated in ingestion.js via getMemoryPressureLevel() (skipped at CRITICAL+).
  */
-function handleMemoryPressure(level, ratio, recentlyScanned, downloadsCache, scanQueue) {
+function handleMemoryPressure(level, ratio, rssRatio, recentlyScanned, downloadsCache, scanQueue, stats) {
   const pct = (ratio * 100).toFixed(0);
+  // Show BOTH arms: an EMERGENCY almost always fires on RSS (off-heap — gVisor containers,
+  // tarball buffers) while the heap sits low (~15%). Logging only heap made every breaker
+  // line read "heap at 15%" and hid the real cause; memPctLabel surfaces which arm tripped.
+  const rssPct = (rssRatio != null && isFinite(rssRatio)) ? (rssRatio * 100).toFixed(0) : '?';
+  const memPctLabel = `heap ${pct}% / rss ${rssPct}%`;
   // Structured summary of what the breaker actually did this tick. Returned (the poll loop
   // at the call site ignores it) so the reclaim is observable to callers and tests without
   // scraping console output — CLAUDE.md §3 "Toujours logger un resume". The two kill fields
@@ -543,7 +549,7 @@ function handleMemoryPressure(level, ratio, recentlyScanned, downloadsCache, sca
 
   // HIGH (85%+): clear auxiliary caches — same as old emergency prune
   if (level >= MEMORY_PRESSURE_LEVELS.HIGH) {
-    console.error(`[MONITOR] MEMORY PRESSURE HIGH: heap at ${pct}% — pruning caches, stopping new workers`);
+    console.error(`[MONITOR] MEMORY PRESSURE HIGH: ${memPctLabel} — pruning caches, stopping new workers`);
     recentlyScanned.clear();
     downloadsCache.clear();
     alertedPackageRules.clear();
@@ -552,7 +558,7 @@ function handleMemoryPressure(level, ratio, recentlyScanned, downloadsCache, sca
 
   // CRITICAL (90%+): clear scanner caches, force GC
   if (level >= MEMORY_PRESSURE_LEVELS.CRITICAL) {
-    console.error(`[MONITOR] MEMORY PRESSURE CRITICAL: heap at ${pct}% — stopping ingestion, clearing scanner caches`);
+    console.error(`[MONITOR] MEMORY PRESSURE CRITICAL: ${memPctLabel} — stopping ingestion, clearing scanner caches`);
     // temporal-analysis._metadataCache (200 entries × full npm registry metadata)
     try { clearMetadataCache(); } catch {}
     // typosquat metadataCache (500 entries × npm registry metadata for typosquat scoring)
@@ -578,21 +584,30 @@ function handleMemoryPressure(level, ratio, recentlyScanned, downloadsCache, sca
   if (level >= MEMORY_PRESSURE_LEVELS.EMERGENCY) {
     const queueBefore = scanQueue.length;
     if (queueBefore > EMERGENCY_QUEUE_KEEP) {
-      // Keep the LAST N items (most recently added = newest packages).
-      // These are the packages most likely to still exist on npm for re-scan later.
-      // Dropped items are public packages — they'll appear again on republish or
-      // can be re-fetched from the registry if needed.
-      const dropped = queueBefore - EMERGENCY_QUEUE_KEEP;
-      // splice from the front: older items were pushed first
-      scanQueue.splice(0, dropped);
+      // Protected-aware bulk eviction — SINGLE SOURCE OF TRUTH with the queue-cap path
+      // (scan-queue.js evictFromScanQueueBulk / enqueueScan share _isProtected). Keeps
+      // IOC-match / burst / first-publish / ATO scans, drops the oldest UNPROTECTED items
+      // first (newest survive — most likely to still exist for re-scan), protected only as
+      // a last resort, and LEDGERS every drop. Closes the v2.10.88 gap where the raw
+      // splice(0,n) silently dropped protected scans (CLAUDE.md "ne jamais perdre de scan").
+      const { dropped, droppedProtected } = evictFromScanQueueBulk(scanQueue, EMERGENCY_QUEUE_KEEP, 'mem_emergency');
       summary.queueDropped = dropped;
-      console.error(`[MONITOR] MEMORY EMERGENCY: heap at ${pct}% — truncated queue ${queueBefore} → ${scanQueue.length} (dropped ${dropped} oldest items)`);
+      summary.queueDroppedProtected = droppedProtected;
+      if (stats) {
+        stats.queueEmergencyDrops = (stats.queueEmergencyDrops || 0) + dropped;
+        if (droppedProtected) stats.queueEmergencyProtectedDrops = (stats.queueEmergencyProtectedDrops || 0) + droppedProtected;
+      }
+      console.error(`[MONITOR] MEMORY EMERGENCY: ${memPctLabel} — truncated queue ${queueBefore} → ${scanQueue.length} (dropped ${dropped} oldest UNPROTECTED${droppedProtected ? ` + ${droppedProtected} protected as last resort` : ''}, all ledgered)`);
     }
     // Clear deferred sandbox queue (holds full staticResult objects)
     const deferredDropped = clearDeferredQueue();
     summary.deferredDropped = deferredDropped;
     if (deferredDropped > 0) {
-      console.error(`[MONITOR] MEMORY EMERGENCY: cleared ${deferredDropped} deferred sandbox items`);
+      // Observability only (counter, NOT a ledger 'dropped' entry): the deferred queue holds
+      // post-scan sandbox ENRICHMENT for packages already statically scanned + alerted, so
+      // clearing it is not a coverage loss — ledgering them as 'dropped' would mislabel them.
+      if (stats) stats.deferredDroppedEmergency = (stats.deferredDroppedEmergency || 0) + deferredDropped;
+      console.error(`[MONITOR] MEMORY EMERGENCY: cleared ${deferredDropped} deferred sandbox items (post-scan enrichment only — primary alerts already sent)`);
     }
     // Free the off-heap leak that queue truncation can't touch: orphaned sandbox
     // containers (gVisor runsc survives `docker kill`) and wedged scan workers.
@@ -642,13 +657,10 @@ function reportStats(stats) {
   stats.lastReportTime = Date.now();
 }
 
-function isDailyReportDue(stats) {
-  const hour = getParisHour();
-  if (hour !== DAILY_REPORT_HOUR) return false;
-  // Check if already sent today
-  const { hasReportBeenSentToday } = require('./state.js');
-  return !hasReportBeenSentToday(stats);
-}
+// isDailyReportDue is the canonical gate in state.js (imported above) — re-exported below
+// so monitor.js (daemonModule.isDailyReportDue) keeps resolving. The old local copy used a
+// `hour !== 8` gate that lost a whole day whenever the daemon missed the single 08:00 minute
+// (OOM crash-loop); state.js uses the catch-up `hour >= 8` gate instead.
 
 // ─── P1.0 — memory-trend instrumentation ───
 // Append one sample per memory-watchdog tick so the off-heap leak can be localised
@@ -1087,7 +1099,7 @@ async function startMonitor(options, stats, dailyAlerts, recentlyScanned, downlo
 
       // Graduated response at HIGH+
       if (pressureLevel >= MEMORY_PRESSURE_LEVELS.HIGH) {
-        handleMemoryPressure(pressureLevel, heapRatio, recentlyScanned, downloadsCache, scanQueue);
+        handleMemoryPressure(pressureLevel, heapRatio, rssRatio, recentlyScanned, downloadsCache, scanQueue, stats);
       }
       lastMemoryLogTime = Date.now();
     }

package/src/monitor/ingestion.js

@@ -13,7 +13,7 @@ const { loadCachedIOCs } = require('../ioc/updater.js');
 const { enqueueScan } = require('./scan-queue.js');
 const {
   saveNpmSeq, CHANGES_STREAM_URL, CHANGES_LIMIT, CHANGES_CATCHUP_MAX,
-  savePypiSerial, PYPI_XMLRPC_URL, PYPI_CATCHUP_MAX
+  savePypiSerial, PYPI_XMLRPC_URL, PYPI_CATCHUP_MAX, appendScanLedger
 } = require('./state.js');
 const { sendIOCPreAlert, sendCampaignPreAlert } = require('./webhook.js');
 
@@ -109,6 +109,14 @@ function httpsGet(url, timeoutMs = 30_000, deadlineMs = Math.max(timeoutMs * 2,
         clearTimeout(deadline);
         return httpsGet(location, timeoutMs, deadlineMs).then(resolve, reject);
       }
+      if (res.statusCode === 429) {
+        res.resume();
+        // Coordinated backoff: drain the SHARED token bucket so every in-flight registry fetch
+        // slows together. This high-volume packument/changes path must signal 429 like the
+        // metadata path (npm-registry.js) does — not just acquire a slot (CLAUDE.md 429 storm).
+        try { require('../shared/http-limiter.js').signal429(); } catch { /* limiter best-effort */ }
+        return done(new Error(`HTTP 429 rate limited for ${url}`));
+      }
       if (res.statusCode < 200 || res.statusCode >= 300) {
         res.resume();
         return done(new Error(`HTTP ${res.statusCode} for ${url}`));
@@ -166,6 +174,11 @@ function httpsPost(url, body, headers = {}, timeoutMs = 30_000, deadlineMs = Mat
       if (err) reject(err); else resolve(value);
     };
     req = _deps.https.request(options, (res) => {
+      if (res.statusCode === 429) {
+        res.resume();
+        try { require('../shared/http-limiter.js').signal429(); } catch { /* limiter best-effort */ }
+        return done(new Error(`HTTP 429 rate limited for POST ${url}`));
+      }
       if (res.statusCode < 200 || res.statusCode >= 300) {
         res.resume();
         return done(new Error(`HTTP ${res.statusCode} for POST ${url}`));
@@ -370,7 +383,8 @@ const RECENT_PUBLISH_MAX = 5;
  * @returns {Object|null} - {
  *   version, tarball, unpackedSize, scripts, homepage, description,
  *   latestTagVersion,       // dist-tags.latest (may differ from `version` under ATO)
- *   recentVersions: [{ version, tarball, unpackedSize, scripts }, ...]
+ *   recentVersions: [{ version, tarball, unpackedSize, scripts }, ...],  // capped at maxRecent
+ *   recentWindowCount,      // TRUE (uncapped) count of versions in the window (Phase 2b burst)
  * } or null if no usable version found
  */
 function selectMostRecentVersion(packument, options = {}) {
@@ -417,16 +431,28 @@ function selectMostRecentVersion(packument, options = {}) {
     description: (typeof versionData.description === 'string') ? versionData.description : '',
     latestTagVersion,
     recentVersions: [],
+    droppedBurstVersions: [],
   };
 
-  // Burst extras: other versions published within the recent window, excluding
-  // the most-recent one. Bounded by maxRecent. Each extra carries enough
-  // metadata for the queue to enqueue it directly without re-fetching the packument.
+  // Burst extras: other versions published within the recent window, excluding the
+  // most-recent one. The enqueue list is bounded by maxRecent, but recentWindowCount is
+  // the TRUE (uncapped) number of versions in the window — Phase 2b burst detection uses it
+  // so a 96-version Miasma burst is distinguishable from a legit 3-5 patch-release day (the
+  // capped list alone tops out at maxRecent+1 and can't tell them apart).
+  result.recentWindowCount = 1; // includes the most-recent version itself
   if (versionTimes.length > 1) {
     const cutoff = versionTimes[0][1] - recentWindowMs;
-    for (let i = 1; i < versionTimes.length && result.recentVersions.length < maxRecent; i++) {
+    for (let i = 1; i < versionTimes.length; i++) {
       const [v, ts] = versionTimes[i];
       if (ts < cutoff) break; // sorted desc, so once we cross the cutoff we're done
+      result.recentWindowCount++;
+      if (result.recentVersions.length >= maxRecent) {
+        // Burst beyond the enqueue cap: collect the version so the caller ledgers it as a
+        // coverage loss (it is never enqueued/scanned). Keeps a Miasma-style burst that
+        // outruns maxRecent visible instead of vanishing silently (CLAUDE.md "no silent caps").
+        result.droppedBurstVersions.push(v);
+        continue; // enqueue list capped; count continues
+      }
       const vData = versions[v];
       if (!vData) continue;
       result.recentVersions.push({
@@ -496,6 +522,16 @@ async function getNpmLatestTarball(packageName) {
       age_days: null, version_count: 0,
     };
   }
+  // A3: ledger burst versions dropped by the maxRecent enqueue cap — they are never scanned,
+  // so record each as a 'dropped' coverage loss (source burst_extras_cap) for the coverage
+  // audit. Best-effort; never throws. selectMostRecentVersion stays pure (it only collects).
+  if (result.droppedBurstVersions && result.droppedBurstVersions.length) {
+    for (const v of result.droppedBurstVersions) {
+      try {
+        appendScanLedger({ name: packageName, version: v, ecosystem: 'npm', outcome: 'dropped', source: 'burst_extras_cap' });
+      } catch { /* ledger is best-effort */ }
+    }
+  }
   // Stage 2.1 — extract reputation signals from the packument we already have,
   // so triageRisk in queue.js doesn't have to refetch metadata via
   // getPackageMetadata. Two fields are derivable from the packument alone:
@@ -819,6 +855,7 @@ async function pollNpmChanges(state, scanQueue, stats) {
         unpackedSize: docMeta ? docMeta.unpackedSize : 0,
         registryScripts: docMeta ? docMeta.scripts : null,
         _cacheTrigger: cacheTrigger.shouldCache ? cacheTrigger : null,
+        firstPublish: cacheTrigger.shouldCache && cacheTrigger.reason === 'first_publish',
         isIOCMatch: isKnownIOC
       });
       queued++;

package/src/monitor/queue.js

@@ -32,8 +32,7 @@ const {
   tarballCacheKey,
   tarballCachePath,
   appendAlert,
-  getParisHour,
-  hasReportBeenSentToday,
+  isDailyReportDue,
   MAX_DAILY_ALERTS,
   loadScanMemory,
   shouldSuppressByMemory,
@@ -57,14 +56,14 @@ const {
   buildAlertData,
   persistAlert,
   sendIOCPreAlert,
+  sendBurstPreAlert,
   matchVersionedIOC,
   buildCanaryExfiltrationWebhookEmbed,
   getWebhookUrl,
   computeReputationFactor,
   triageRisk,
   sendDailyReport,
-  alertedPackageRules,
-  DAILY_REPORT_HOUR
+  alertedPackageRules
 } = require('./webhook.js');
 
 // From ./temporal.js
@@ -98,10 +97,11 @@ let _targetConcurrency = BASE_CONCURRENCY;
 const SCAN_CONCURRENCY = BASE_CONCURRENCY; // legacy export — tests check this value
 let _activeWorkers = 0;
 const _workerPromises = new Set();
-// Live static-scan Worker threads — tracked so the daemon's EMERGENCY memory
-// handler can terminate orphaned workers (each retains its isolate heap + parsed
-// ASTs). Bounded by concurrency, so it stays tiny.
-const _liveWorkers = new Set();
+// Live static-scan Worker threads, mapped to the {name,version,ecosystem} of the scan they
+// run — tracked so the daemon's EMERGENCY memory handler can terminate orphaned workers
+// (each retains its isolate heap + parsed ASTs) AND name the in-flight scans it kills.
+// Bounded by concurrency, so it stays tiny.
+const _liveWorkers = new Map();
 
 function getTargetConcurrency() { return _targetConcurrency; }
 function setTargetConcurrency(n) { _targetConcurrency = Math.max(MIN_CONCURRENCY, Math.min(MAX_CONCURRENCY, n)); }
@@ -114,10 +114,20 @@ function getActiveWorkers() { return _activeWorkers; }
  */
 function terminateAllWorkers() {
   let n = 0;
-  for (const w of Array.from(_liveWorkers)) {
-    try { w.terminate(); n++; } catch { /* already gone */ }
+  const dropped = [];
+  for (const [w, item] of Array.from(_liveWorkers.entries())) {
+    try {
+      w.terminate(); n++;
+      if (item && item.name) dropped.push(`${item.name}@${item.version || '?'}`);
+    } catch { /* already gone */ }
     _liveWorkers.delete(w);
   }
+  if (dropped.length) {
+    // The terminate rejects each scan's worker promise; that reject propagates to
+    // scanPackage's catch, which ledgers it (outcome:'error', source scan_error) — so these
+    // in-flight scans are NOT lost from the scan-ledger. This line names them for the operator.
+    console.error(`[MONITOR] EMERGENCY worker-terminate killed ${dropped.length} in-flight scan(s): ${dropped.slice(0, 20).join(', ')}${dropped.length > 20 ? ` (+${dropped.length - 20} more)` : ''}`);
+  }
   return n;
 }
 const SCAN_TIMEOUT_MS = 300_000; // 5 minutes per package (3 sandbox runs × 90s + static scan headroom)
@@ -130,6 +140,21 @@ const RECENTLY_SCANNED_MAX = 50_000; // FIFO cap for the dedup Set (P0c — boun
 const FIRST_PUBLISH_SANDBOX_MAX_QUEUE = parseInt(process.env.MUADDIB_FIRST_PUBLISH_SANDBOX_MAX_QUEUE, 10) || 10;
 const FIRST_PUBLISH_SANDBOX_ENABLED = process.env.MUADDIB_FIRST_PUBLISH_SANDBOX !== '0';
 
+// Phase 2b: burst (Miasma) pre-alert. A burst = >= this many versions of ONE name in the
+// recent-publish window (the TRUE uncapped count, selectMostRecentVersion.recentWindowCount).
+// Default 10: detection is PER-NAME, so legit multi-PLATFORM publishers (different names,
+// e.g. @opencode-ai/cli-*-* binaries) are never caught; legit same-name release days rarely
+// reach 10; Miasma's 96-in-72s clears it easily. Per-name + deduped + non-scoring (Discord
+// heads-up only, no FPR impact). Env-tunable up if a feed proves noisy.
+const BURST_PREALERT_MIN_VERSIONS = (() => {
+  const n = parseInt(process.env.MUADDIB_BURST_MIN_VERSIONS, 10);
+  return Number.isFinite(n) && n >= 2 ? n : 10;
+})();
+// Dedup burst pings: one per name per process window (bounded — cleared at the cap so it
+// can never grow without limit, CLAUDE.md §2).
+const _burstAlerted = new Set();
+const BURST_ALERTED_MAX = 20_000;
+
 // Stage 3 — sandbox gate. Static-score threshold below which T1b/T2 packages
 // are NOT sandboxed (static result alone is authoritative). Tightens the prior
 // "T1b sandbox if score >= 25 or queue < 20" to remove low-signal sandbox runs
@@ -372,7 +397,8 @@ function runScanInWorker(extractedDir, timeoutMs, scanContext = null, signal = n
     const worker = new Worker(SCAN_WORKER_PATH, {
       workerData: { extractedDir, scanContext: scanContext || {} }
     });
-    _liveWorkers.add(worker);
+    const _sc = scanContext || {};
+    _liveWorkers.set(worker, { name: _sc.name, version: _sc.version, ecosystem: _sc.ecosystem });
 
     let settled = false;
     let timer = null;
@@ -623,6 +649,11 @@ async function scanPackage(name, version, ecosystem, tarballUrl, registryMeta, s
         // deliberately hangs the parser to evade analysis would otherwise be relabelled
         // benign. Count as inconclusive (excluded from the FP/TP denominator).
         updateScanStats('sandbox_inconclusive');
+        // Ledger the inconclusive timeout — the 'static_timeout' outcome existed but was
+        // emitted nowhere, so a parser-hang evasion vanished from coverage. Best-effort.
+        try {
+          appendScanLedger({ name, version, ecosystem, outcome: 'static_timeout', source: 'static_timeout' });
+        } catch { /* ledger is best-effort */ }
         return { sandboxResult: null, staticClean: false };
       }
       throw staticErr;
@@ -1199,6 +1230,12 @@ async function scanPackage(name, version, ecosystem, tarballUrl, registryMeta, s
     stats.scanned++;
     stats.totalTimeMs += Date.now() - startTime;
     console.error(`[MONITOR] ERROR scanning ${name}@${version}: ${err.message}`);
+    // Ledger the terminal failure so the scan-ledger never over-states coverage (an errored
+    // package is NOT clean). Also captures EMERGENCY worker-terminate losses, whose reject
+    // propagates here (CLAUDE.md "no silent caps"). Best-effort; never throws.
+    try {
+      appendScanLedger({ name, version, ecosystem, outcome: 'error', source: 'scan_error' });
+    } catch { /* ledger is best-effort */ }
     return { sandboxResult: null, staticClean: false };
   } finally {
     // Cleanup temp dir
@@ -1240,15 +1277,9 @@ function timeoutPromise(ms) {
   });
 }
 
-/**
- * Helper: check if a daily report is due (Paris timezone).
- * Extracted here to avoid circular dependency with monitor.js.
- */
-function isDailyReportDue(stats) {
-  const parisHour = getParisHour();
-  if (parisHour < DAILY_REPORT_HOUR) return false;
-  return !hasReportBeenSentToday(stats);
-}
+// isDailyReportDue is the canonical gate in state.js (imported above), called per scan in
+// processQueueItem below. Previously a local `parisHour < 8` copy here diverged from the
+// daemon's `!== 8` copy; unifying in state.js removes the divergence. Still re-exported below.
 
 /**
  * Process a single item from the scan queue.
@@ -1342,6 +1373,37 @@ function computeWorkersToSpawn(targetConcurrency, activeWorkers, queueLength) {
   return Math.max(0, Math.min(targetConcurrency - activeWorkers, queueLength));
 }
 
+// ── RSS-aware worker admission (P1 OOM durable fix) ──
+// The pressure breaker is reactive: it stops spawning at HIGH, but the workers already in
+// flight overshoot RSS by ~2GB (each isolate + gVisor sandbox ~0.55GB, draining up to
+// SCAN_TIMEOUT) before EMERGENCY truncates the queue + kills them. This caps the OVERSHOOT at
+// the source — refuse a new spawn when current RSS + one worker's footprint would breach a
+// soft ceiling (default 80% of the EMERGENCY RSS limit), leaving headroom for in-flight drain.
+const RSS_SOFT_LIMIT_MB = (() => {
+  const parsed = parseInt(process.env.MUADDIB_RSS_SOFT_LIMIT_MB, 10);
+  if (Number.isFinite(parsed) && parsed > 0) return parsed;
+  const hard = parseInt(process.env.MUADDIB_RSS_LIMIT_MB, 10);
+  const base = (Number.isFinite(hard) && hard > 0) ? hard : 8500;
+  return Math.round(base * 0.80);
+})();
+const EST_WORKER_RSS_MB = (() => {
+  const parsed = parseInt(process.env.MUADDIB_EST_WORKER_RSS_MB, 10);
+  return (Number.isFinite(parsed) && parsed > 0) ? parsed : 600;
+})();
+
+/**
+ * Pure: how many NEW scan workers the current RSS headroom allows under the soft ceiling.
+ * `currentRssBytes` already includes the active workers, so this answers "how many MORE fit".
+ * Returns 0 (never negative) once RSS reaches the soft limit — existing workers are NOT killed
+ * here, they drain and free memory; ensureWorkers keeps the queue alive with 1 worker if
+ * nothing is running. softLimitMb / estWorkerMb are injectable for tests.
+ */
+function rssAdmissionCap(currentRssBytes, softLimitMb = RSS_SOFT_LIMIT_MB, estWorkerMb = EST_WORKER_RSS_MB) {
+  const headroomMb = softLimitMb - (currentRssBytes / 1024 / 1024);
+  if (headroomMb <= 0) return 0;
+  return Math.max(0, Math.floor(headroomMb / estWorkerMb));
+}
+
 /**
  * Ensure the target number of workers are running. Non-blocking: spawns
  * missing workers as background promises. Called from the daemon main loop
@@ -1349,7 +1411,23 @@ function computeWorkersToSpawn(targetConcurrency, activeWorkers, queueLength) {
  */
 function ensureWorkers(scanQueue, stats, dailyAlerts, recentlyScanned, downloadsCache, sandboxAvailable) {
   if (scanQueue.length === 0) return;
-  const toSpawn = computeWorkersToSpawn(_targetConcurrency, _activeWorkers, scanQueue.length);
+  let toSpawn = computeWorkersToSpawn(_targetConcurrency, _activeWorkers, scanQueue.length);
+  if (toSpawn <= 0) return;
+
+  // RSS-aware admission (P1 OOM durable fix): cap NEW spawns by memory headroom so the
+  // in-flight worker set can't overshoot the soft RSS ceiling. Never fully deadlock: if
+  // headroom is gone AND nothing is running, allow exactly one so the queue still makes
+  // forward progress (its completion frees memory). Bounds peak RSS BEFORE the reactive breaker.
+  const rssNow = process.memoryUsage().rss;
+  const rssCap = rssAdmissionCap(rssNow);
+  if (toSpawn > rssCap) {
+    if (rssCap === 0 && _activeWorkers === 0) {
+      toSpawn = 1;
+    } else {
+      console.log(`[MONITOR] RSS admission: capping spawn ${toSpawn}->${rssCap} (rss=${Math.round(rssNow / 1024 / 1024)}MB soft=${RSS_SOFT_LIMIT_MB}MB active=${_activeWorkers})`);
+      toSpawn = rssCap;
+    }
+  }
   if (toSpawn <= 0) return;
 
   console.log(`[MONITOR] Spawning ${toSpawn} worker(s) (active: ${_activeWorkers}, target: ${_targetConcurrency}, queue: ${scanQueue.length})`);
@@ -1429,6 +1507,25 @@ async function resolveTarballAndScan(item, stats, dailyAlerts, recentlyScanned,
         // only scan whichever version happened to be the most recent at resolution
         // time, racing the publish stream.
         const recents = Array.isArray(npmInfo.recentVersions) ? npmInfo.recentVersions : [];
+        // Phase 2b: burst = TRUE count of versions of this name in the recent window
+        // (uncapped recentWindowCount), NOT the capped extras list — so a 96-version Miasma
+        // burst is distinguishable from a legit multi-version day. At/above the threshold,
+        // flag the item (protects it + its extras from queue-cap eviction) and fire ONE
+        // burst pre-alert per name (deduped, bounded).
+        const burstCount = Number.isFinite(npmInfo.recentWindowCount) ? npmInfo.recentWindowCount : (recents.length + 1);
+        const isBurst = burstCount >= BURST_PREALERT_MIN_VERSIONS;
+        if (isBurst) {
+          item.isBurst = true;
+          if (!_burstAlerted.has(item.name)) {
+            if (_burstAlerted.size >= BURST_ALERTED_MAX) _burstAlerted.clear();
+            _burstAlerted.add(item.name);
+            stats.burstPreAlerts = (stats.burstPreAlerts || 0) + 1;
+            console.log(`[MONITOR] BURST PRE-ALERT: ${item.name} — ${burstCount} versions in the recent window`);
+            sendBurstPreAlert(item.name, burstCount, item.ecosystem).catch(err => {
+              console.error(`[MONITOR] burst pre-alert webhook failed for ${item.name}: ${err.message}`);
+            });
+          }
+        }
         for (const recent of recents) {
           if (!recent || !recent.tarball || !recent.version) continue;
           const dedupeKey = `${item.name}@${recent.version}`;
@@ -1441,6 +1538,7 @@ async function resolveTarballAndScan(item, stats, dailyAlerts, recentlyScanned,
             unpackedSize: recent.unpackedSize || 0,
             registryScripts: recent.scripts || null,
             atoSignal: item.atoSignal === true,
+            isBurst,
             isATOBurstExtra: true,
           }, stats);
         }
@@ -1721,6 +1819,7 @@ module.exports = {
   getActiveWorkers,
   terminateAllWorkers,
   computeWorkersToSpawn,
+  rssAdmissionCap,
   ensureWorkers,
   drainWorkers,