muaddib-scanner 2.11.76 → 2.11.77

package/.githooks/pre-commit

@@ -0,0 +1,18 @@
+#!/bin/sh
+# Pre-commit guard — block committing a typosquat/forbidden dependency
+# (loadash, lodash, lodahs, …). Local mirror of the CI gate
+# (scripts/check-deps-typosquats.js, run in the `test` job of .github/workflows/scan.yml)
+# and defense-in-depth with the package.json `preinstall` denylist.
+#
+# Enable once per clone:  git config core.hooksPath .githooks
+#
+# This repo uses NEITHER lodash NOR loadash (CLAUDE.md interdiction). The loadash
+# typosquat has re-entered package.json repeatedly; this stops it at commit time.
+
+node scripts/check-deps-typosquats.js
+status=$?
+if [ "$status" -ne 0 ]; then
+  echo "pre-commit: ABORTED — remove the typosquat dependency from package.json (see above)." >&2
+  exit 1
+fi
+exit 0

package/README.md

@@ -30,7 +30,7 @@
 
 npm and PyPI supply-chain attacks are exploding. Shai-Hulud compromised 25K+ repos in 2025. Existing tools detect threats but don't help you respond.
 
-MUAD'DIB combines **20 parallel scanners** (262 detection rules), a **deobfuscation engine**, **inter-module dataflow analysis**, **compound scoring** (17 compound rules), and a gVisor/Docker sandbox to detect known threats and suspicious behavioral patterns in npm and PyPI packages. An XGBoost classifier exists in the codebase but is **currently inactive** (see [Evaluation Metrics](#evaluation-metrics) → ML Classifier section).
+MUAD'DIB combines **20 parallel scanners** (264 detection rules), a **deobfuscation engine**, **inter-module dataflow analysis**, **compound scoring** (17 compound rules), and a gVisor/Docker sandbox to detect known threats and suspicious behavioral patterns in npm and PyPI packages. An XGBoost classifier exists in the codebase but is **currently inactive** (see [Evaluation Metrics](#evaluation-metrics) → ML Classifier section).
 
 ---
 
@@ -202,9 +202,9 @@ muaddib replay                     # Ground truth validation (90/94 TPR@3, v2.11
 | Python Source (PYSRC) | Import-time / install-time RCE patterns in `__init__.py` / `setup.py` (v2.11.41 — closes TrapDoor PyPI gap) |
 | Python AST (PYAST) | Tree-sitter-Python AST with taint-aware detectors (v2.11.42+) |
 
-### 259 detection rules
+### 264 detection rules
 
-All rules (254 RULES + 5 PARANOID) are mapped to MITRE ATT&CK techniques. See [SECURITY.md](SECURITY.md#detection-rules-v21147) for the complete rules reference.
+All rules (259 RULES + 5 PARANOID) are mapped to MITRE ATT&CK techniques. See [SECURITY.md](SECURITY.md#detection-rules-v21176) for the complete rules reference.
 
 ### Detected campaigns
 
@@ -278,7 +278,7 @@ With pre-commit framework:
 ```yaml
 repos:
   - repo: https://github.com/DNSZLSK/muad-dib
-    rev: v2.11.48
+    rev: v2.11.76
     hooks:
       - id: muaddib-scan
 ```
@@ -303,11 +303,20 @@ These are the numbers a user gets when running `muaddib scan` against npm or PyP
 | **FPR PyPI** (v2.11.48, first honest measurement) | **9.68%** (12/124 scanned, 132 total) | **Track D fixed the PyPI downloader** — removed `pip --no-binary :all:` flag (forced compile of wheel-only packages, timed out 38% of the time) + added `.whl` extraction via `extractArchive()`. Brought 42 previously-skipped giants (numpy/pandas/django/matplotlib/scikit-learn/...) into scope. All 12 FPs cluster at score 25-35: this is the cap-PyPI-35 artifact, not new rule misfires. Lifting the cap (Track E) would drop FPR PyPI to ≈0%. 8 residual fails are >500MB packages (torch, tensorflow, scipy, opencv-python, ansible…) hitting the 30s `PACK_TIMEOUT_MS`. |
 | **ADR** (Adversarial + Holdout, v2.11.48) | **96.26%** (103/107) | 67 adversarial + 40 holdout, global threshold=20. Stable vs v2.10.95. |
 
-**3969 tests** across 109 files. **262 rules** (257 RULES + 5 PARANOID — Track D added 3: AST-093, AST-094, COMPOUND-016).
+**4132 tests** across 115 files. **264 rules** (259 RULES + 5 PARANOID; v2.11.67/70 Phantom Gyp added PKG-023 + COMPOUND-017).
 
 **Known issues (v2.11.48):**
 - *Cap PyPI à 35/100*: Python samples plafonnent à `riskScore=35` even when `globalRiskScore=100`. Confirmed empirically — all 12 PyPI FPs at score 25-35 (flask 32, django 35, tornado 35, bottle 30, pandas 25, matplotlib 25, plotly 25, bokeh 25, pymongo 35, coverage 32, fabric 35, websockets 35). Lifting the cap will simultaneously drop FPR PyPI to ≈0% and unblock PyPI MALWARE detection at higher thresholds. Track E target.
 
+### Operational coverage (v2.11.67-76)
+
+The static ground-truth TPR above is measured offline. Since v2.11.67 the monitor also tracks **operational** coverage on live npm/PyPI ingestion:
+- A per-scan **ledger** (`data/scan-ledger.jsonl`) records every scanned package's outcome; `computeLedgerRollup()` produces a 24h rollup (`alertRate`, per-ecosystem). Note: `alertRate` is a throughput signal, **not** detection TPR.
+- An active **GHSA poller** (~15 min; npm, pypi, crates) builds an authoritative "what should we have caught" denominator (`data/ghsa-malware.jsonl`), plus a **feed-health** alarm that fires when an IOC feed silently goes dark.
+- The Phase 5 **coverage-audit** (`scripts/coverage-audit.js`, daily 05:00 UTC) joins that denominator against ledger outcomes + the tarball archive to compute an honest GHSA-denominated **operational TPR** (`alerted / total`), and surfaces `scannedClean` misses as human-gated ground-truth candidates.
+
+This operational TPR is the real production detection rate, distinct from the static GT TPR (which has not been re-measured since v2.11.48).
+
 ### ML Classifier (offline only)
 
 `src/ml/classifier.js` is **not wired into `muaddib scan`**. The XGBoost model is currently exercised only by `muaddib evaluate` (offline metric replay) and `muaddib monitor` (LOG-ONLY since 2026-04-08, model collapsed pending retrain — see `src/monitor/queue.js:628`). The v2.11.48 evaluate-time replay shows the same 1.10% FPR (no additional FPs filtered) — kept as a reference for retrain validation, but the published operational FPR is the rules-only number above.
@@ -371,7 +380,7 @@ npm test
 
 ### Testing
 
-- **3913 tests** across 109 modular test files
+- **4132 tests** across 115 modular test files
 - **56 fuzz tests** - Malformed inputs, ReDoS, unicode, binary
 - **Datadog 17K benchmark** - 14,587 confirmed malware samples (in-scope)
 - **Ground truth validation** - 96 real-world attacks (95.74% TPR@3, 88.30% TPR@20 — v2.11.48 full measure on 94 in-scope)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.11.76",
+  "version": "2.11.77",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {
@@ -52,7 +52,6 @@
     "acorn-walk": "8.3.5",
     "adm-zip": "0.5.17",
     "js-yaml": "4.2.0",
-    "loadash": "^1.0.0",
     "web-tree-sitter": "^0.26.9"
   },
   "devDependencies": {

package/{self-scan-v2.11.76.json → self-scan-v2.11.77.json}

@@ -1,6 +1,6 @@
 {
   "target": "node_modules",
-  "timestamp": "2026-06-07T19:47:48.330Z",
+  "timestamp": "2026-06-08T14:52:28.323Z",
   "threats": [
     {
       "type": "string_mutation_obfuscation",

package/src/commands/safe-install.js

@@ -1,6 +1,11 @@
 const fs = require('fs');
 const path = require('path');
-const { spawnSync } = require('child_process');
+// NB: keep the module object (cp.spawnSync), NOT a destructured `spawnSync`. Destructuring
+// captures the original reference at load time, which makes the function impossible to mock
+// from tests (`cp.spawnSync = ...` wouldn't be seen here) — that's exactly how the
+// safe-install test's mock silently failed and a real `npm install loadash` ran every test
+// run, re-contaminating package.json. Property access keeps it interceptable.
+const cp = require('child_process');
 const { loadCachedIOCs } = require('../ioc/updater.js');
 const { REHABILITATED_PACKAGES, NPM_PACKAGE_REGEX } = require('../shared/constants.js');
 
@@ -172,7 +177,7 @@ async function scanPackageRecursive(pkg, depth = 0, maxDepth = 3) {
   // Get the package info (uses spawnSync to avoid injection)
   let pkgInfo;
   try {
-    const result = spawnSync('npm', ['view', pkgName, '--json'], { encoding: 'utf8', shell: false });
+    const result = cp.spawnSync('npm', ['view', pkgName, '--json'], { encoding: 'utf8', shell: false });
     if (result.status !== 0 || !result.stdout) {
       if (depth === 0) console.log(`[!] Package ${pkgName} not found on npm`);
       return { safe: false, package: pkgName, reason: 'npm_unreachable', source: 'npm-registry', description: 'Package not found on npm registry', depth };
@@ -276,7 +281,7 @@ async function safeInstall(packages, options = {}) {
   if (isDev) npmArgs.push('--save-dev');
   if (isGlobal) npmArgs.push('-g');
 
-  const result = spawnSync('npm', npmArgs, { stdio: 'inherit', shell: false });
+  const result = cp.spawnSync('npm', npmArgs, { stdio: 'inherit', shell: false });
 
   if (result.status !== 0) {
     console.log('');

package/src/monitor/daemon.js

@@ -5,14 +5,15 @@ const os = require('os');
 const v8 = require('v8');
 const { isDockerAvailable, SANDBOX_CONCURRENCY_MAX, killAllSandboxContainers } = require('../sandbox/index.js');
 const { setVerboseMode, isSandboxEnabled, isCanaryEnabled, isLlmDetectiveEnabled, getLlmDetectiveMode, DOWNLOADS_CACHE_TTL } = require('./classify.js');
-const { loadState, saveState, loadDailyStats, saveDailyStats, purgeTarballCache, getParisHour, atomicWriteFileSync, saveNpmSeq, ALERTS_FILE, runStateMigrations, loadRecentlyScanned, saveRecentlyScanned } = require('./state.js');
+const { loadState, saveState, loadDailyStats, saveDailyStats, purgeTarballCache, isDailyReportDue, atomicWriteFileSync, saveNpmSeq, ALERTS_FILE, runStateMigrations, loadRecentlyScanned, saveRecentlyScanned } = require('./state.js');
 const { isTemporalEnabled, isTemporalAstEnabled, isTemporalPublishEnabled, isTemporalMaintainerEnabled } = require('./temporal.js');
-const { pendingGrouped, flushScopeGroup, sendDailyReport, DAILY_REPORT_HOUR, alertedPackageRules, ALERTED_PACKAGES_MAX: MAX_ALERTED_PACKAGES } = require('./webhook.js');
+const { pendingGrouped, flushScopeGroup, sendDailyReport, alertedPackageRules, ALERTED_PACKAGES_MAX: MAX_ALERTED_PACKAGES } = require('./webhook.js');
 const { poll, getPollBackoffMs } = require('./ingestion.js');
 const { ensureWorkers, drainWorkers, getTargetConcurrency, setTargetConcurrency, getActiveWorkers, terminateAllWorkers } = require('./queue.js');
 const { computeTarget, ADJUST_INTERVAL_MS, BASE_CONCURRENCY } = require('./adaptive-concurrency.js');
 const { startHealthcheck } = require('./healthcheck.js');
 const { startDeferredWorker, stopDeferredWorker, persistDeferredQueue, restoreDeferredQueue, clearDeferredQueue } = require('./deferred-sandbox.js');
+const { evictFromScanQueueBulk } = require('./scan-queue.js');
 const { startGhsaPoller, stopGhsaPoller } = require('../ioc/ghsa-poller.js');
 const { cleanupOldArchives, getRetentionDays, startPeriodicCleanup } = require('./tarball-archive.js');
 const { clearMetadataCache } = require('../scanner/temporal-analysis.js');
@@ -532,8 +533,13 @@ function pruneMemoryCaches(recentlyScanned, downloadsCache, alertedPackageRules)
  * Worker spawning is gated separately in the main loop (ensureWorkers skipped at HIGH+).
  * Ingestion is gated in ingestion.js via getMemoryPressureLevel() (skipped at CRITICAL+).
  */
-function handleMemoryPressure(level, ratio, recentlyScanned, downloadsCache, scanQueue) {
+function handleMemoryPressure(level, ratio, rssRatio, recentlyScanned, downloadsCache, scanQueue, stats) {
   const pct = (ratio * 100).toFixed(0);
+  // Show BOTH arms: an EMERGENCY almost always fires on RSS (off-heap — gVisor containers,
+  // tarball buffers) while the heap sits low (~15%). Logging only heap made every breaker
+  // line read "heap at 15%" and hid the real cause; memPctLabel surfaces which arm tripped.
+  const rssPct = (rssRatio != null && isFinite(rssRatio)) ? (rssRatio * 100).toFixed(0) : '?';
+  const memPctLabel = `heap ${pct}% / rss ${rssPct}%`;
   // Structured summary of what the breaker actually did this tick. Returned (the poll loop
   // at the call site ignores it) so the reclaim is observable to callers and tests without
   // scraping console output — CLAUDE.md §3 "Toujours logger un resume". The two kill fields
@@ -543,7 +549,7 @@ function handleMemoryPressure(level, ratio, recentlyScanned, downloadsCache, sca
 
   // HIGH (85%+): clear auxiliary caches — same as old emergency prune
   if (level >= MEMORY_PRESSURE_LEVELS.HIGH) {
-    console.error(`[MONITOR] MEMORY PRESSURE HIGH: heap at ${pct}% — pruning caches, stopping new workers`);
+    console.error(`[MONITOR] MEMORY PRESSURE HIGH: ${memPctLabel} — pruning caches, stopping new workers`);
     recentlyScanned.clear();
     downloadsCache.clear();
     alertedPackageRules.clear();
@@ -552,7 +558,7 @@ function handleMemoryPressure(level, ratio, recentlyScanned, downloadsCache, sca
 
   // CRITICAL (90%+): clear scanner caches, force GC
   if (level >= MEMORY_PRESSURE_LEVELS.CRITICAL) {
-    console.error(`[MONITOR] MEMORY PRESSURE CRITICAL: heap at ${pct}% — stopping ingestion, clearing scanner caches`);
+    console.error(`[MONITOR] MEMORY PRESSURE CRITICAL: ${memPctLabel} — stopping ingestion, clearing scanner caches`);
     // temporal-analysis._metadataCache (200 entries × full npm registry metadata)
     try { clearMetadataCache(); } catch {}
     // typosquat metadataCache (500 entries × npm registry metadata for typosquat scoring)
@@ -578,21 +584,30 @@ function handleMemoryPressure(level, ratio, recentlyScanned, downloadsCache, sca
   if (level >= MEMORY_PRESSURE_LEVELS.EMERGENCY) {
     const queueBefore = scanQueue.length;
     if (queueBefore > EMERGENCY_QUEUE_KEEP) {
-      // Keep the LAST N items (most recently added = newest packages).
-      // These are the packages most likely to still exist on npm for re-scan later.
-      // Dropped items are public packages — they'll appear again on republish or
-      // can be re-fetched from the registry if needed.
-      const dropped = queueBefore - EMERGENCY_QUEUE_KEEP;
-      // splice from the front: older items were pushed first
-      scanQueue.splice(0, dropped);
+      // Protected-aware bulk eviction — SINGLE SOURCE OF TRUTH with the queue-cap path
+      // (scan-queue.js evictFromScanQueueBulk / enqueueScan share _isProtected). Keeps
+      // IOC-match / burst / first-publish / ATO scans, drops the oldest UNPROTECTED items
+      // first (newest survive — most likely to still exist for re-scan), protected only as
+      // a last resort, and LEDGERS every drop. Closes the v2.10.88 gap where the raw
+      // splice(0,n) silently dropped protected scans (CLAUDE.md "ne jamais perdre de scan").
+      const { dropped, droppedProtected } = evictFromScanQueueBulk(scanQueue, EMERGENCY_QUEUE_KEEP, 'mem_emergency');
       summary.queueDropped = dropped;
-      console.error(`[MONITOR] MEMORY EMERGENCY: heap at ${pct}% — truncated queue ${queueBefore} → ${scanQueue.length} (dropped ${dropped} oldest items)`);
+      summary.queueDroppedProtected = droppedProtected;
+      if (stats) {
+        stats.queueEmergencyDrops = (stats.queueEmergencyDrops || 0) + dropped;
+        if (droppedProtected) stats.queueEmergencyProtectedDrops = (stats.queueEmergencyProtectedDrops || 0) + droppedProtected;
+      }
+      console.error(`[MONITOR] MEMORY EMERGENCY: ${memPctLabel} — truncated queue ${queueBefore} → ${scanQueue.length} (dropped ${dropped} oldest UNPROTECTED${droppedProtected ? ` + ${droppedProtected} protected as last resort` : ''}, all ledgered)`);
     }
     // Clear deferred sandbox queue (holds full staticResult objects)
     const deferredDropped = clearDeferredQueue();
     summary.deferredDropped = deferredDropped;
     if (deferredDropped > 0) {
-      console.error(`[MONITOR] MEMORY EMERGENCY: cleared ${deferredDropped} deferred sandbox items`);
+      // Observability only (counter, NOT a ledger 'dropped' entry): the deferred queue holds
+      // post-scan sandbox ENRICHMENT for packages already statically scanned + alerted, so
+      // clearing it is not a coverage loss — ledgering them as 'dropped' would mislabel them.
+      if (stats) stats.deferredDroppedEmergency = (stats.deferredDroppedEmergency || 0) + deferredDropped;
+      console.error(`[MONITOR] MEMORY EMERGENCY: cleared ${deferredDropped} deferred sandbox items (post-scan enrichment only — primary alerts already sent)`);
     }
     // Free the off-heap leak that queue truncation can't touch: orphaned sandbox
     // containers (gVisor runsc survives `docker kill`) and wedged scan workers.
@@ -642,13 +657,10 @@ function reportStats(stats) {
   stats.lastReportTime = Date.now();
 }
 
-function isDailyReportDue(stats) {
-  const hour = getParisHour();
-  if (hour !== DAILY_REPORT_HOUR) return false;
-  // Check if already sent today
-  const { hasReportBeenSentToday } = require('./state.js');
-  return !hasReportBeenSentToday(stats);
-}
+// isDailyReportDue is the canonical gate in state.js (imported above) — re-exported below
+// so monitor.js (daemonModule.isDailyReportDue) keeps resolving. The old local copy used a
+// `hour !== 8` gate that lost a whole day whenever the daemon missed the single 08:00 minute
+// (OOM crash-loop); state.js uses the catch-up `hour >= 8` gate instead.
 
 // ─── P1.0 — memory-trend instrumentation ───
 // Append one sample per memory-watchdog tick so the off-heap leak can be localised
@@ -1087,7 +1099,7 @@ async function startMonitor(options, stats, dailyAlerts, recentlyScanned, downlo
 
       // Graduated response at HIGH+
       if (pressureLevel >= MEMORY_PRESSURE_LEVELS.HIGH) {
-        handleMemoryPressure(pressureLevel, heapRatio, recentlyScanned, downloadsCache, scanQueue);
+        handleMemoryPressure(pressureLevel, heapRatio, rssRatio, recentlyScanned, downloadsCache, scanQueue, stats);
       }
       lastMemoryLogTime = Date.now();
     }

package/src/monitor/ingestion.js

@@ -13,7 +13,7 @@ const { loadCachedIOCs } = require('../ioc/updater.js');
 const { enqueueScan } = require('./scan-queue.js');
 const {
   saveNpmSeq, CHANGES_STREAM_URL, CHANGES_LIMIT, CHANGES_CATCHUP_MAX,
-  savePypiSerial, PYPI_XMLRPC_URL, PYPI_CATCHUP_MAX
+  savePypiSerial, PYPI_XMLRPC_URL, PYPI_CATCHUP_MAX, appendScanLedger
 } = require('./state.js');
 const { sendIOCPreAlert, sendCampaignPreAlert } = require('./webhook.js');
 
@@ -109,6 +109,14 @@ function httpsGet(url, timeoutMs = 30_000, deadlineMs = Math.max(timeoutMs * 2,
         clearTimeout(deadline);
         return httpsGet(location, timeoutMs, deadlineMs).then(resolve, reject);
       }
+      if (res.statusCode === 429) {
+        res.resume();
+        // Coordinated backoff: drain the SHARED token bucket so every in-flight registry fetch
+        // slows together. This high-volume packument/changes path must signal 429 like the
+        // metadata path (npm-registry.js) does — not just acquire a slot (CLAUDE.md 429 storm).
+        try { require('../shared/http-limiter.js').signal429(); } catch { /* limiter best-effort */ }
+        return done(new Error(`HTTP 429 rate limited for ${url}`));
+      }
       if (res.statusCode < 200 || res.statusCode >= 300) {
         res.resume();
         return done(new Error(`HTTP ${res.statusCode} for ${url}`));
@@ -166,6 +174,11 @@ function httpsPost(url, body, headers = {}, timeoutMs = 30_000, deadlineMs = Mat
       if (err) reject(err); else resolve(value);
     };
     req = _deps.https.request(options, (res) => {
+      if (res.statusCode === 429) {
+        res.resume();
+        try { require('../shared/http-limiter.js').signal429(); } catch { /* limiter best-effort */ }
+        return done(new Error(`HTTP 429 rate limited for POST ${url}`));
+      }
       if (res.statusCode < 200 || res.statusCode >= 300) {
         res.resume();
         return done(new Error(`HTTP ${res.statusCode} for POST ${url}`));
@@ -418,6 +431,7 @@ function selectMostRecentVersion(packument, options = {}) {
     description: (typeof versionData.description === 'string') ? versionData.description : '',
     latestTagVersion,
     recentVersions: [],
+    droppedBurstVersions: [],
   };
 
   // Burst extras: other versions published within the recent window, excluding the
@@ -432,7 +446,13 @@ function selectMostRecentVersion(packument, options = {}) {
       const [v, ts] = versionTimes[i];
       if (ts < cutoff) break; // sorted desc, so once we cross the cutoff we're done
       result.recentWindowCount++;
-      if (result.recentVersions.length >= maxRecent) continue; // enqueue list capped; count continues
+      if (result.recentVersions.length >= maxRecent) {
+        // Burst beyond the enqueue cap: collect the version so the caller ledgers it as a
+        // coverage loss (it is never enqueued/scanned). Keeps a Miasma-style burst that
+        // outruns maxRecent visible instead of vanishing silently (CLAUDE.md "no silent caps").
+        result.droppedBurstVersions.push(v);
+        continue; // enqueue list capped; count continues
+      }
       const vData = versions[v];
       if (!vData) continue;
       result.recentVersions.push({
@@ -502,6 +522,16 @@ async function getNpmLatestTarball(packageName) {
       age_days: null, version_count: 0,
     };
   }
+  // A3: ledger burst versions dropped by the maxRecent enqueue cap — they are never scanned,
+  // so record each as a 'dropped' coverage loss (source burst_extras_cap) for the coverage
+  // audit. Best-effort; never throws. selectMostRecentVersion stays pure (it only collects).
+  if (result.droppedBurstVersions && result.droppedBurstVersions.length) {
+    for (const v of result.droppedBurstVersions) {
+      try {
+        appendScanLedger({ name: packageName, version: v, ecosystem: 'npm', outcome: 'dropped', source: 'burst_extras_cap' });
+      } catch { /* ledger is best-effort */ }
+    }
+  }
   // Stage 2.1 — extract reputation signals from the packument we already have,
   // so triageRisk in queue.js doesn't have to refetch metadata via
   // getPackageMetadata. Two fields are derivable from the packument alone:

package/src/monitor/queue.js

@@ -32,8 +32,7 @@ const {
   tarballCacheKey,
   tarballCachePath,
   appendAlert,
-  getParisHour,
-  hasReportBeenSentToday,
+  isDailyReportDue,
   MAX_DAILY_ALERTS,
   loadScanMemory,
   shouldSuppressByMemory,
@@ -64,8 +63,7 @@ const {
   computeReputationFactor,
   triageRisk,
   sendDailyReport,
-  alertedPackageRules,
-  DAILY_REPORT_HOUR
+  alertedPackageRules
 } = require('./webhook.js');
 
 // From ./temporal.js
@@ -99,10 +97,11 @@ let _targetConcurrency = BASE_CONCURRENCY;
 const SCAN_CONCURRENCY = BASE_CONCURRENCY; // legacy export — tests check this value
 let _activeWorkers = 0;
 const _workerPromises = new Set();
-// Live static-scan Worker threads — tracked so the daemon's EMERGENCY memory
-// handler can terminate orphaned workers (each retains its isolate heap + parsed
-// ASTs). Bounded by concurrency, so it stays tiny.
-const _liveWorkers = new Set();
+// Live static-scan Worker threads, mapped to the {name,version,ecosystem} of the scan they
+// run — tracked so the daemon's EMERGENCY memory handler can terminate orphaned workers
+// (each retains its isolate heap + parsed ASTs) AND name the in-flight scans it kills.
+// Bounded by concurrency, so it stays tiny.
+const _liveWorkers = new Map();
 
 function getTargetConcurrency() { return _targetConcurrency; }
 function setTargetConcurrency(n) { _targetConcurrency = Math.max(MIN_CONCURRENCY, Math.min(MAX_CONCURRENCY, n)); }
@@ -115,10 +114,20 @@ function getActiveWorkers() { return _activeWorkers; }
  */
 function terminateAllWorkers() {
   let n = 0;
-  for (const w of Array.from(_liveWorkers)) {
-    try { w.terminate(); n++; } catch { /* already gone */ }
+  const dropped = [];
+  for (const [w, item] of Array.from(_liveWorkers.entries())) {
+    try {
+      w.terminate(); n++;
+      if (item && item.name) dropped.push(`${item.name}@${item.version || '?'}`);
+    } catch { /* already gone */ }
     _liveWorkers.delete(w);
   }
+  if (dropped.length) {
+    // The terminate rejects each scan's worker promise; that reject propagates to
+    // scanPackage's catch, which ledgers it (outcome:'error', source scan_error) — so these
+    // in-flight scans are NOT lost from the scan-ledger. This line names them for the operator.
+    console.error(`[MONITOR] EMERGENCY worker-terminate killed ${dropped.length} in-flight scan(s): ${dropped.slice(0, 20).join(', ')}${dropped.length > 20 ? ` (+${dropped.length - 20} more)` : ''}`);
+  }
   return n;
 }
 const SCAN_TIMEOUT_MS = 300_000; // 5 minutes per package (3 sandbox runs × 90s + static scan headroom)
@@ -388,7 +397,8 @@ function runScanInWorker(extractedDir, timeoutMs, scanContext = null, signal = n
     const worker = new Worker(SCAN_WORKER_PATH, {
       workerData: { extractedDir, scanContext: scanContext || {} }
     });
-    _liveWorkers.add(worker);
+    const _sc = scanContext || {};
+    _liveWorkers.set(worker, { name: _sc.name, version: _sc.version, ecosystem: _sc.ecosystem });
 
     let settled = false;
     let timer = null;
@@ -639,6 +649,11 @@ async function scanPackage(name, version, ecosystem, tarballUrl, registryMeta, s
         // deliberately hangs the parser to evade analysis would otherwise be relabelled
         // benign. Count as inconclusive (excluded from the FP/TP denominator).
         updateScanStats('sandbox_inconclusive');
+        // Ledger the inconclusive timeout — the 'static_timeout' outcome existed but was
+        // emitted nowhere, so a parser-hang evasion vanished from coverage. Best-effort.
+        try {
+          appendScanLedger({ name, version, ecosystem, outcome: 'static_timeout', source: 'static_timeout' });
+        } catch { /* ledger is best-effort */ }
         return { sandboxResult: null, staticClean: false };
       }
       throw staticErr;
@@ -1215,6 +1230,12 @@ async function scanPackage(name, version, ecosystem, tarballUrl, registryMeta, s
     stats.scanned++;
     stats.totalTimeMs += Date.now() - startTime;
     console.error(`[MONITOR] ERROR scanning ${name}@${version}: ${err.message}`);
+    // Ledger the terminal failure so the scan-ledger never over-states coverage (an errored
+    // package is NOT clean). Also captures EMERGENCY worker-terminate losses, whose reject
+    // propagates here (CLAUDE.md "no silent caps"). Best-effort; never throws.
+    try {
+      appendScanLedger({ name, version, ecosystem, outcome: 'error', source: 'scan_error' });
+    } catch { /* ledger is best-effort */ }
     return { sandboxResult: null, staticClean: false };
   } finally {
     // Cleanup temp dir
@@ -1256,15 +1277,9 @@ function timeoutPromise(ms) {
   });
 }
 
-/**
- * Helper: check if a daily report is due (Paris timezone).
- * Extracted here to avoid circular dependency with monitor.js.
- */
-function isDailyReportDue(stats) {
-  const parisHour = getParisHour();
-  if (parisHour < DAILY_REPORT_HOUR) return false;
-  return !hasReportBeenSentToday(stats);
-}
+// isDailyReportDue is the canonical gate in state.js (imported above), called per scan in
+// processQueueItem below. Previously a local `parisHour < 8` copy here diverged from the
+// daemon's `!== 8` copy; unifying in state.js removes the divergence. Still re-exported below.
 
 /**
  * Process a single item from the scan queue.
@@ -1358,6 +1373,37 @@ function computeWorkersToSpawn(targetConcurrency, activeWorkers, queueLength) {
   return Math.max(0, Math.min(targetConcurrency - activeWorkers, queueLength));
 }
 
+// ── RSS-aware worker admission (P1 OOM durable fix) ──
+// The pressure breaker is reactive: it stops spawning at HIGH, but the workers already in
+// flight overshoot RSS by ~2GB (each isolate + gVisor sandbox ~0.55GB, draining up to
+// SCAN_TIMEOUT) before EMERGENCY truncates the queue + kills them. This caps the OVERSHOOT at
+// the source — refuse a new spawn when current RSS + one worker's footprint would breach a
+// soft ceiling (default 80% of the EMERGENCY RSS limit), leaving headroom for in-flight drain.
+const RSS_SOFT_LIMIT_MB = (() => {
+  const parsed = parseInt(process.env.MUADDIB_RSS_SOFT_LIMIT_MB, 10);
+  if (Number.isFinite(parsed) && parsed > 0) return parsed;
+  const hard = parseInt(process.env.MUADDIB_RSS_LIMIT_MB, 10);
+  const base = (Number.isFinite(hard) && hard > 0) ? hard : 8500;
+  return Math.round(base * 0.80);
+})();
+const EST_WORKER_RSS_MB = (() => {
+  const parsed = parseInt(process.env.MUADDIB_EST_WORKER_RSS_MB, 10);
+  return (Number.isFinite(parsed) && parsed > 0) ? parsed : 600;
+})();
+
+/**
+ * Pure: how many NEW scan workers the current RSS headroom allows under the soft ceiling.
+ * `currentRssBytes` already includes the active workers, so this answers "how many MORE fit".
+ * Returns 0 (never negative) once RSS reaches the soft limit — existing workers are NOT killed
+ * here, they drain and free memory; ensureWorkers keeps the queue alive with 1 worker if
+ * nothing is running. softLimitMb / estWorkerMb are injectable for tests.
+ */
+function rssAdmissionCap(currentRssBytes, softLimitMb = RSS_SOFT_LIMIT_MB, estWorkerMb = EST_WORKER_RSS_MB) {
+  const headroomMb = softLimitMb - (currentRssBytes / 1024 / 1024);
+  if (headroomMb <= 0) return 0;
+  return Math.max(0, Math.floor(headroomMb / estWorkerMb));
+}
+
 /**
  * Ensure the target number of workers are running. Non-blocking: spawns
  * missing workers as background promises. Called from the daemon main loop
@@ -1365,7 +1411,23 @@ function computeWorkersToSpawn(targetConcurrency, activeWorkers, queueLength) {
  */
 function ensureWorkers(scanQueue, stats, dailyAlerts, recentlyScanned, downloadsCache, sandboxAvailable) {
   if (scanQueue.length === 0) return;
-  const toSpawn = computeWorkersToSpawn(_targetConcurrency, _activeWorkers, scanQueue.length);
+  let toSpawn = computeWorkersToSpawn(_targetConcurrency, _activeWorkers, scanQueue.length);
+  if (toSpawn <= 0) return;
+
+  // RSS-aware admission (P1 OOM durable fix): cap NEW spawns by memory headroom so the
+  // in-flight worker set can't overshoot the soft RSS ceiling. Never fully deadlock: if
+  // headroom is gone AND nothing is running, allow exactly one so the queue still makes
+  // forward progress (its completion frees memory). Bounds peak RSS BEFORE the reactive breaker.
+  const rssNow = process.memoryUsage().rss;
+  const rssCap = rssAdmissionCap(rssNow);
+  if (toSpawn > rssCap) {
+    if (rssCap === 0 && _activeWorkers === 0) {
+      toSpawn = 1;
+    } else {
+      console.log(`[MONITOR] RSS admission: capping spawn ${toSpawn}->${rssCap} (rss=${Math.round(rssNow / 1024 / 1024)}MB soft=${RSS_SOFT_LIMIT_MB}MB active=${_activeWorkers})`);
+      toSpawn = rssCap;
+    }
+  }
   if (toSpawn <= 0) return;
 
   console.log(`[MONITOR] Spawning ${toSpawn} worker(s) (active: ${_activeWorkers}, target: ${_targetConcurrency}, queue: ${scanQueue.length})`);
@@ -1757,6 +1819,7 @@ module.exports = {
   getActiveWorkers,
   terminateAllWorkers,
   computeWorkersToSpawn,
+  rssAdmissionCap,
   ensureWorkers,
   drainWorkers,
 

package/src/monitor/scan-queue.js

@@ -82,4 +82,71 @@ function enqueueScan(scanQueue, item, stats, max = MAX_SCAN_QUEUE) {
   return dropped;
 }
 
-module.exports = { enqueueScan, MAX_SCAN_QUEUE };
+/**
+ * Bulk-evict the scan queue down to `targetKeep`, honoring the SAME protection predicate
+ * as enqueueScan and ledgering EVERY dropped item — the single-source-of-truth eviction
+ * the daemon's EMERGENCY memory breaker must use instead of a raw `splice(0, n)`.
+ *
+ * Selection: drop the oldest UNPROTECTED items first; only dip into protected items
+ * (oldest-first) if there aren't enough unprotected ones to reach the target. This keeps
+ * IOC-match / burst / first-publish / ATO scans alive through a memory emergency, exactly
+ * like the per-item cap path — closing the gap where the v2.10.88 circuit breaker silently
+ * dropped protected scans (CLAUDE.md "ne jamais perdre de scan" / "no silent caps").
+ *
+ * In-place compaction (write-pointer, O(n), preserves insertion order, no giant spread) so
+ * the daemon (which holds the same array reference) sees the mutation. Best-effort ledger;
+ * never throws. `ledgerFn` is injectable for tests; defaults to state.appendScanLedger.
+ *
+ * @returns {{dropped:number, droppedProtected:number}}
+ */
+function evictFromScanQueueBulk(scanQueue, targetKeep, source = 'bulk_evict', ledgerFn = null) {
+  const before = scanQueue.length;
+  const keep = Math.max(0, targetKeep | 0);
+  if (before <= keep) return { dropped: 0, droppedProtected: 0 };
+  const toDrop = before - keep;
+
+  // Victim set: oldest unprotected first, then (only if short) oldest protected.
+  const dropSet = new Set();
+  for (let i = 0; i < before && dropSet.size < toDrop; i++) {
+    if (!_isProtected(scanQueue[i])) dropSet.add(i);
+  }
+  let droppedProtected = 0;
+  if (dropSet.size < toDrop) {
+    // Not enough unprotected items: every unprotected one is already marked, so the
+    // remaining oldest-first items are protected — drop them as a last resort.
+    for (let i = 0; i < before && dropSet.size < toDrop; i++) {
+      if (!dropSet.has(i)) { dropSet.add(i); droppedProtected++; }
+    }
+  }
+
+  // Resolve the ledger sink once (per-call require would be 500+ lookups under emergency).
+  let appendLedger = ledgerFn;
+  if (!appendLedger) {
+    try { appendLedger = require('./state.js').appendScanLedger; } catch { appendLedger = null; }
+  }
+
+  // Compact survivors in place, ledgering each evicted item with an identity-preserving
+  // source (protected drops get a distinct suffix so the rare case stays visible in the rollup).
+  let w = 0;
+  for (let r = 0; r < before; r++) {
+    if (dropSet.has(r)) {
+      const item = scanQueue[r];
+      if (appendLedger && item && item.name) {
+        try {
+          appendLedger({
+            name: item.name, version: item.version, ecosystem: item.ecosystem,
+            outcome: 'dropped',
+            source: _isProtected(item) ? `${source}_protected` : source
+          });
+        } catch { /* ledger is best-effort — must never break the breaker */ }
+      }
+    } else {
+      scanQueue[w++] = scanQueue[r];
+    }
+  }
+  scanQueue.length = w;
+
+  return { dropped: toDrop, droppedProtected };
+}
+
+module.exports = { enqueueScan, evictFromScanQueueBulk, isProtected: _isProtected, MAX_SCAN_QUEUE };

package/src/monitor/state.js

@@ -972,7 +972,7 @@ let _scanLedgerAppendedSinceCompact = 0;
 const SCAN_LEDGER_OUTCOMES = new Set([
   'clean', 'clean_low_signal', 'clean_tooling', 'suspect', 'ml_clean', 'llm_benign',
   'sandbox_inconclusive', 'sandbox_unconfirmed', 'confirmed',
-  'static_timeout', 'size_skip', 'dropped'
+  'static_timeout', 'size_skip', 'dropped', 'error'
 ]);
 
 /**
@@ -1453,6 +1453,27 @@ function getParisDateString() {
   return formatter.format(new Date());
 }
 
+// Hour (Europe/Paris) at/after which the once-daily report may fire. Single source of
+// truth — imported by webhook.js, daemon.js and queue.js (each previously redefined it,
+// and webhook.js still re-exports it for back-compat).
+const DAILY_REPORT_HOUR = 8; // 08:00 Paris time (Europe/Paris)
+
+/**
+ * Canonical "is the daily report due?" predicate — the ONE gate, defined here in state.js
+ * (a leaf module that daemon.js and queue.js already import, so no require cycle).
+ *
+ * Catch-up semantics: fire at OR AFTER 08:00 Paris, so a missed 08:00 (e.g. the daemon was
+ * down/OOM-restarting at that minute) still fires later the SAME day — losing a whole day
+ * was the old daemon.js `hour === 8` behaviour. But NEVER fire during the 00:00–07:59 Paris
+ * "dead zone": a fire then stamps the NEW day's date before its 08:00 window and, because
+ * hasReportBeenSentToday() keys off the Paris CALENDAR date, permanently suppresses that
+ * day's real report. Replaces the two divergent copies (daemon.js `!== 8`, queue.js `< 8`).
+ */
+function isDailyReportDue(stats) {
+  if (getParisHour() < DAILY_REPORT_HOUR) return false;
+  return !hasReportBeenSentToday(stats);
+}
+
 // --- recentlyScanned dedup-set persistence (survives restarts → no re-scan storm) ---
 //
 // The dedup Set is in-memory only, so every restart starts it empty and re-scans the
@@ -1703,5 +1724,7 @@ module.exports = {
   loadRecentlyScanned,
   getParisHour,
   getParisDateString,
+  DAILY_REPORT_HOUR,
+  isDailyReportDue,
   loadStateRaw
 };