muaddib-scanner 2.11.76 → 2.11.78

package/src/monitor/queue.js

@@ -32,8 +32,7 @@ const {
   tarballCacheKey,
   tarballCachePath,
   appendAlert,
-  getParisHour,
-  hasReportBeenSentToday,
+  isDailyReportDue,
   MAX_DAILY_ALERTS,
   loadScanMemory,
   shouldSuppressByMemory,
@@ -64,8 +63,7 @@ const {
   computeReputationFactor,
   triageRisk,
   sendDailyReport,
-  alertedPackageRules,
-  DAILY_REPORT_HOUR
+  alertedPackageRules
 } = require('./webhook.js');
 
 // From ./temporal.js
@@ -99,10 +97,11 @@ let _targetConcurrency = BASE_CONCURRENCY;
 const SCAN_CONCURRENCY = BASE_CONCURRENCY; // legacy export — tests check this value
 let _activeWorkers = 0;
 const _workerPromises = new Set();
-// Live static-scan Worker threads — tracked so the daemon's EMERGENCY memory
-// handler can terminate orphaned workers (each retains its isolate heap + parsed
-// ASTs). Bounded by concurrency, so it stays tiny.
-const _liveWorkers = new Set();
+// Live static-scan Worker threads, mapped to the {name,version,ecosystem} of the scan they
+// run — tracked so the daemon's EMERGENCY memory handler can terminate orphaned workers
+// (each retains its isolate heap + parsed ASTs) AND name the in-flight scans it kills.
+// Bounded by concurrency, so it stays tiny.
+const _liveWorkers = new Map();
 
 function getTargetConcurrency() { return _targetConcurrency; }
 function setTargetConcurrency(n) { _targetConcurrency = Math.max(MIN_CONCURRENCY, Math.min(MAX_CONCURRENCY, n)); }
@@ -115,10 +114,20 @@ function getActiveWorkers() { return _activeWorkers; }
  */
 function terminateAllWorkers() {
   let n = 0;
-  for (const w of Array.from(_liveWorkers)) {
-    try { w.terminate(); n++; } catch { /* already gone */ }
+  const dropped = [];
+  for (const [w, item] of Array.from(_liveWorkers.entries())) {
+    try {
+      w.terminate(); n++;
+      if (item && item.name) dropped.push(`${item.name}@${item.version || '?'}`);
+    } catch { /* already gone */ }
     _liveWorkers.delete(w);
   }
+  if (dropped.length) {
+    // The terminate rejects each scan's worker promise; that reject propagates to
+    // scanPackage's catch, which ledgers it (outcome:'error', source scan_error) — so these
+    // in-flight scans are NOT lost from the scan-ledger. This line names them for the operator.
+    console.error(`[MONITOR] EMERGENCY worker-terminate killed ${dropped.length} in-flight scan(s): ${dropped.slice(0, 20).join(', ')}${dropped.length > 20 ? ` (+${dropped.length - 20} more)` : ''}`);
+  }
   return n;
 }
 const SCAN_TIMEOUT_MS = 300_000; // 5 minutes per package (3 sandbox runs × 90s + static scan headroom)
@@ -388,7 +397,8 @@ function runScanInWorker(extractedDir, timeoutMs, scanContext = null, signal = n
     const worker = new Worker(SCAN_WORKER_PATH, {
       workerData: { extractedDir, scanContext: scanContext || {} }
     });
-    _liveWorkers.add(worker);
+    const _sc = scanContext || {};
+    _liveWorkers.set(worker, { name: _sc.name, version: _sc.version, ecosystem: _sc.ecosystem });
 
     let settled = false;
     let timer = null;
@@ -639,6 +649,11 @@ async function scanPackage(name, version, ecosystem, tarballUrl, registryMeta, s
         // deliberately hangs the parser to evade analysis would otherwise be relabelled
         // benign. Count as inconclusive (excluded from the FP/TP denominator).
         updateScanStats('sandbox_inconclusive');
+        // Ledger the inconclusive timeout — the 'static_timeout' outcome existed but was
+        // emitted nowhere, so a parser-hang evasion vanished from coverage. Best-effort.
+        try {
+          appendScanLedger({ name, version, ecosystem, outcome: 'static_timeout', source: 'static_timeout' });
+        } catch { /* ledger is best-effort */ }
         return { sandboxResult: null, staticClean: false };
       }
       throw staticErr;
@@ -1215,6 +1230,12 @@ async function scanPackage(name, version, ecosystem, tarballUrl, registryMeta, s
     stats.scanned++;
     stats.totalTimeMs += Date.now() - startTime;
     console.error(`[MONITOR] ERROR scanning ${name}@${version}: ${err.message}`);
+    // Ledger the terminal failure so the scan-ledger never over-states coverage (an errored
+    // package is NOT clean). Also captures EMERGENCY worker-terminate losses, whose reject
+    // propagates here (CLAUDE.md "no silent caps"). Best-effort; never throws.
+    try {
+      appendScanLedger({ name, version, ecosystem, outcome: 'error', source: 'scan_error' });
+    } catch { /* ledger is best-effort */ }
     return { sandboxResult: null, staticClean: false };
   } finally {
     // Cleanup temp dir
@@ -1256,15 +1277,9 @@ function timeoutPromise(ms) {
   });
 }
 
-/**
- * Helper: check if a daily report is due (Paris timezone).
- * Extracted here to avoid circular dependency with monitor.js.
- */
-function isDailyReportDue(stats) {
-  const parisHour = getParisHour();
-  if (parisHour < DAILY_REPORT_HOUR) return false;
-  return !hasReportBeenSentToday(stats);
-}
+// isDailyReportDue is the canonical gate in state.js (imported above), called per scan in
+// processQueueItem below. Previously a local `parisHour < 8` copy here diverged from the
+// daemon's `!== 8` copy; unifying in state.js removes the divergence. Still re-exported below.
 
 /**
  * Process a single item from the scan queue.
@@ -1358,6 +1373,37 @@ function computeWorkersToSpawn(targetConcurrency, activeWorkers, queueLength) {
   return Math.max(0, Math.min(targetConcurrency - activeWorkers, queueLength));
 }
 
+// ── RSS-aware worker admission (P1 OOM durable fix) ──
+// The pressure breaker is reactive: it stops spawning at HIGH, but the workers already in
+// flight overshoot RSS by ~2GB (each isolate + gVisor sandbox ~0.55GB, draining up to
+// SCAN_TIMEOUT) before EMERGENCY truncates the queue + kills them. This caps the OVERSHOOT at
+// the source — refuse a new spawn when current RSS + one worker's footprint would breach a
+// soft ceiling (default 80% of the EMERGENCY RSS limit), leaving headroom for in-flight drain.
+const RSS_SOFT_LIMIT_MB = (() => {
+  const parsed = parseInt(process.env.MUADDIB_RSS_SOFT_LIMIT_MB, 10);
+  if (Number.isFinite(parsed) && parsed > 0) return parsed;
+  const hard = parseInt(process.env.MUADDIB_RSS_LIMIT_MB, 10);
+  const base = (Number.isFinite(hard) && hard > 0) ? hard : 8500;
+  return Math.round(base * 0.80);
+})();
+const EST_WORKER_RSS_MB = (() => {
+  const parsed = parseInt(process.env.MUADDIB_EST_WORKER_RSS_MB, 10);
+  return (Number.isFinite(parsed) && parsed > 0) ? parsed : 600;
+})();
+
+/**
+ * Pure: how many NEW scan workers the current RSS headroom allows under the soft ceiling.
+ * `currentRssBytes` already includes the active workers, so this answers "how many MORE fit".
+ * Returns 0 (never negative) once RSS reaches the soft limit — existing workers are NOT killed
+ * here, they drain and free memory; ensureWorkers keeps the queue alive with 1 worker if
+ * nothing is running. softLimitMb / estWorkerMb are injectable for tests.
+ */
+function rssAdmissionCap(currentRssBytes, softLimitMb = RSS_SOFT_LIMIT_MB, estWorkerMb = EST_WORKER_RSS_MB) {
+  const headroomMb = softLimitMb - (currentRssBytes / 1024 / 1024);
+  if (headroomMb <= 0) return 0;
+  return Math.max(0, Math.floor(headroomMb / estWorkerMb));
+}
+
 /**
  * Ensure the target number of workers are running. Non-blocking: spawns
  * missing workers as background promises. Called from the daemon main loop
@@ -1365,7 +1411,23 @@ function computeWorkersToSpawn(targetConcurrency, activeWorkers, queueLength) {
  */
 function ensureWorkers(scanQueue, stats, dailyAlerts, recentlyScanned, downloadsCache, sandboxAvailable) {
   if (scanQueue.length === 0) return;
-  const toSpawn = computeWorkersToSpawn(_targetConcurrency, _activeWorkers, scanQueue.length);
+  let toSpawn = computeWorkersToSpawn(_targetConcurrency, _activeWorkers, scanQueue.length);
+  if (toSpawn <= 0) return;
+
+  // RSS-aware admission (P1 OOM durable fix): cap NEW spawns by memory headroom so the
+  // in-flight worker set can't overshoot the soft RSS ceiling. Never fully deadlock: if
+  // headroom is gone AND nothing is running, allow exactly one so the queue still makes
+  // forward progress (its completion frees memory). Bounds peak RSS BEFORE the reactive breaker.
+  const rssNow = process.memoryUsage().rss;
+  const rssCap = rssAdmissionCap(rssNow);
+  if (toSpawn > rssCap) {
+    if (rssCap === 0 && _activeWorkers === 0) {
+      toSpawn = 1;
+    } else {
+      console.log(`[MONITOR] RSS admission: capping spawn ${toSpawn}->${rssCap} (rss=${Math.round(rssNow / 1024 / 1024)}MB soft=${RSS_SOFT_LIMIT_MB}MB active=${_activeWorkers})`);
+      toSpawn = rssCap;
+    }
+  }
   if (toSpawn <= 0) return;
 
   console.log(`[MONITOR] Spawning ${toSpawn} worker(s) (active: ${_activeWorkers}, target: ${_targetConcurrency}, queue: ${scanQueue.length})`);
@@ -1757,6 +1819,7 @@ module.exports = {
   getActiveWorkers,
   terminateAllWorkers,
   computeWorkersToSpawn,
+  rssAdmissionCap,
   ensureWorkers,
   drainWorkers,
 

package/src/monitor/scan-queue.js

@@ -82,4 +82,71 @@ function enqueueScan(scanQueue, item, stats, max = MAX_SCAN_QUEUE) {
   return dropped;
 }
 
-module.exports = { enqueueScan, MAX_SCAN_QUEUE };
+/**
+ * Bulk-evict the scan queue down to `targetKeep`, honoring the SAME protection predicate
+ * as enqueueScan and ledgering EVERY dropped item — the single-source-of-truth eviction
+ * the daemon's EMERGENCY memory breaker must use instead of a raw `splice(0, n)`.
+ *
+ * Selection: drop the oldest UNPROTECTED items first; only dip into protected items
+ * (oldest-first) if there aren't enough unprotected ones to reach the target. This keeps
+ * IOC-match / burst / first-publish / ATO scans alive through a memory emergency, exactly
+ * like the per-item cap path — closing the gap where the v2.10.88 circuit breaker silently
+ * dropped protected scans (CLAUDE.md "ne jamais perdre de scan" / "no silent caps").
+ *
+ * In-place compaction (write-pointer, O(n), preserves insertion order, no giant spread) so
+ * the daemon (which holds the same array reference) sees the mutation. Best-effort ledger;
+ * never throws. `ledgerFn` is injectable for tests; defaults to state.appendScanLedger.
+ *
+ * @returns {{dropped:number, droppedProtected:number}}
+ */
+function evictFromScanQueueBulk(scanQueue, targetKeep, source = 'bulk_evict', ledgerFn = null) {
+  const before = scanQueue.length;
+  const keep = Math.max(0, targetKeep | 0);
+  if (before <= keep) return { dropped: 0, droppedProtected: 0 };
+  const toDrop = before - keep;
+
+  // Victim set: oldest unprotected first, then (only if short) oldest protected.
+  const dropSet = new Set();
+  for (let i = 0; i < before && dropSet.size < toDrop; i++) {
+    if (!_isProtected(scanQueue[i])) dropSet.add(i);
+  }
+  let droppedProtected = 0;
+  if (dropSet.size < toDrop) {
+    // Not enough unprotected items: every unprotected one is already marked, so the
+    // remaining oldest-first items are protected — drop them as a last resort.
+    for (let i = 0; i < before && dropSet.size < toDrop; i++) {
+      if (!dropSet.has(i)) { dropSet.add(i); droppedProtected++; }
+    }
+  }
+
+  // Resolve the ledger sink once (per-call require would be 500+ lookups under emergency).
+  let appendLedger = ledgerFn;
+  if (!appendLedger) {
+    try { appendLedger = require('./state.js').appendScanLedger; } catch { appendLedger = null; }
+  }
+
+  // Compact survivors in place, ledgering each evicted item with an identity-preserving
+  // source (protected drops get a distinct suffix so the rare case stays visible in the rollup).
+  let w = 0;
+  for (let r = 0; r < before; r++) {
+    if (dropSet.has(r)) {
+      const item = scanQueue[r];
+      if (appendLedger && item && item.name) {
+        try {
+          appendLedger({
+            name: item.name, version: item.version, ecosystem: item.ecosystem,
+            outcome: 'dropped',
+            source: _isProtected(item) ? `${source}_protected` : source
+          });
+        } catch { /* ledger is best-effort — must never break the breaker */ }
+      }
+    } else {
+      scanQueue[w++] = scanQueue[r];
+    }
+  }
+  scanQueue.length = w;
+
+  return { dropped: toDrop, droppedProtected };
+}
+
+module.exports = { enqueueScan, evictFromScanQueueBulk, isProtected: _isProtected, MAX_SCAN_QUEUE };

package/src/monitor/state.js

@@ -972,7 +972,7 @@ let _scanLedgerAppendedSinceCompact = 0;
 const SCAN_LEDGER_OUTCOMES = new Set([
   'clean', 'clean_low_signal', 'clean_tooling', 'suspect', 'ml_clean', 'llm_benign',
   'sandbox_inconclusive', 'sandbox_unconfirmed', 'confirmed',
-  'static_timeout', 'size_skip', 'dropped'
+  'static_timeout', 'size_skip', 'dropped', 'error'
 ]);
 
 /**
@@ -1453,6 +1453,27 @@ function getParisDateString() {
   return formatter.format(new Date());
 }
 
+// Hour (Europe/Paris) at/after which the once-daily report may fire. Single source of
+// truth — imported by webhook.js, daemon.js and queue.js (each previously redefined it,
+// and webhook.js still re-exports it for back-compat).
+const DAILY_REPORT_HOUR = 8; // 08:00 Paris time (Europe/Paris)
+
+/**
+ * Canonical "is the daily report due?" predicate — the ONE gate, defined here in state.js
+ * (a leaf module that daemon.js and queue.js already import, so no require cycle).
+ *
+ * Catch-up semantics: fire at OR AFTER 08:00 Paris, so a missed 08:00 (e.g. the daemon was
+ * down/OOM-restarting at that minute) still fires later the SAME day — losing a whole day
+ * was the old daemon.js `hour === 8` behaviour. But NEVER fire during the 00:00–07:59 Paris
+ * "dead zone": a fire then stamps the NEW day's date before its 08:00 window and, because
+ * hasReportBeenSentToday() keys off the Paris CALENDAR date, permanently suppresses that
+ * day's real report. Replaces the two divergent copies (daemon.js `!== 8`, queue.js `< 8`).
+ */
+function isDailyReportDue(stats) {
+  if (getParisHour() < DAILY_REPORT_HOUR) return false;
+  return !hasReportBeenSentToday(stats);
+}
+
 // --- recentlyScanned dedup-set persistence (survives restarts → no re-scan storm) ---
 //
 // The dedup Set is in-memory only, so every restart starts it empty and re-scans the
@@ -1703,5 +1724,7 @@ module.exports = {
   loadRecentlyScanned,
   getParisHour,
   getParisDateString,
+  DAILY_REPORT_HOUR,
+  isDailyReportDue,
   loadStateRaw
 };

package/src/monitor/webhook.js

@@ -16,6 +16,7 @@ const {
   DAILY_REPORTS_LOG_DIR,
   getParisDateString,
   getParisHour,
+  DAILY_REPORT_HOUR,
   loadScanStats,
   loadDetections,
   saveLastDailyReportDate,
@@ -60,7 +61,8 @@ const HIGH_INTENT_TYPES = new Set([
   'remote_code_load', 'obfuscation_detected'
 ]);
 
-const DAILY_REPORT_HOUR = 8; // 08:00 Paris time (Europe/Paris)
+// DAILY_REPORT_HOUR (=8) is imported from state.js (single source of truth) and
+// re-exported below for back-compat (monitor.js / tests import it via webhook).
 
 // --- Webhook alerting ---
 
@@ -1152,6 +1154,14 @@ function buildDailyReportEmbed(stats, dailyAlerts, ledgerRollup) {
  * @param {Map} downloadsCache - In-memory downloads cache (will be cleared)
  */
 async function sendDailyReport(stats, dailyAlerts, recentlyScanned, downloadsCache) {
+  // Dead-zone guard (defense in depth): never send or stamp before the 08:00 Paris window.
+  // The scheduled gate (isDailyReportDue) already excludes 00:00–07:59, but an ungated /
+  // manual / test caller firing at e.g. 00:43 would otherwise write-ahead the NEW day's date
+  // (below) and suppress that day's real report. This makes the early stamp impossible.
+  if (getParisHour() < DAILY_REPORT_HOUR) {
+    console.log(`[MONITOR] Daily report suppressed: before ${DAILY_REPORT_HOUR}:00 Paris (hour=${getParisHour()})`);
+    return;
+  }
   // Crash-safe headline: a restart-storm around report time can zero the in-memory
   // counter (the monitor OOM-restarts ~10×/day). Floor scanned/clean/suspect at the
   // durable scan-stats delta so we never publish "5" when ~44k were really scanned.
@@ -1171,6 +1181,10 @@ async function sendDailyReport(stats, dailyAlerts, recentlyScanned, downloadsCac
   // Persist the monotonic scan-stats counter as the baseline for the NEXT report's
   // delta. Written before the (now last) webhook so a mid-send kill can't double-count.
   saveLastDailyReportDate(today, captureScanStatsBaseline());
+  // Observability: the success path previously logged nothing, which made the late-fire bug
+  // invisible in the journal. Log the stamped date + the actual Paris hour (an on-time 08:00
+  // fire vs a catch-up at hour 14 are now distinguishable) + the headline count.
+  console.log(`[MONITOR] Daily report firing for ${today} (hour=${getParisHour()} Paris, scanned=${stats.scanned})`);
 
   // Phase 0b: compute the ledger rollup ONCE so the embed shows exactly the numbers
   // we persist (no double-scan, no drift between Discord and the on-disk metrics).
@@ -1365,16 +1379,23 @@ async function sendReportNow(stats) {
     return { sent: false, message: `Webhook failed: ${err.message}` };
   }
 
-  // Update lastDailyReportDate on disk
-  const today = getParisDateString();
-  const stateRaw = loadStateRaw();
-  const state = {
-    npmLastPackage: stateRaw.npmLastPackage || '',
-    pypiLastPackage: stateRaw.pypiLastPackage || ''
-  };
-  stats.lastDailyReportDate = today;
-  saveState(state, stats);
-  saveLastDailyReportDate(today);
+  // Update lastDailyReportDate on disk — but ONLY at/after 08:00 Paris. A manual report run
+  // before 08:00 is a deliberate operator override (we still SEND it), but it must NOT stamp
+  // today's date: hasReportBeenSentToday() keys off the Paris calendar date, so an early
+  // stamp would suppress that day's scheduled 08:00 report (the exact failure we're fixing).
+  if (getParisHour() >= DAILY_REPORT_HOUR) {
+    const today = getParisDateString();
+    const stateRaw = loadStateRaw();
+    const state = {
+      npmLastPackage: stateRaw.npmLastPackage || '',
+      pypiLastPackage: stateRaw.pypiLastPackage || ''
+    };
+    stats.lastDailyReportDate = today;
+    saveState(state, stats);
+    saveLastDailyReportDate(today);
+  } else {
+    console.log(`[MONITOR] Manual report sent; not stamping (before ${DAILY_REPORT_HOUR}:00 Paris — the scheduled report will still fire today)`);
+  }
 
   return { sent: true, message: 'Daily report sent' };
 }

package/src/output/formatter.js

@@ -3,6 +3,7 @@ const { saveSARIF } = require('../sarif.js');
 const { saveCycloneDX } = require('./cyclonedx.js');
 const { getPlaybook } = require('../response/playbooks.js');
 const { DOMAIN_CODES, getRuleDomain } = require('../rules/index.js');
+const { renderScoreBar } = require('../utils.js');
 
 // P0a — domain tag formatter for CLI text output.
 // Returns a bracketed 3-letter code like "[MAL]" / "[AUT]" / "[ENG]" / "[VUL]"
@@ -63,8 +64,7 @@ function formatOutput(result, options, ctx) {
     if (!spinner) console.log(`\n[MUADDIB] Scanning ${targetPath}\n`);
     else console.log('');
 
-    const explainScoreBar = '█'.repeat(Math.floor(result.summary.riskScore / 5)) + '░'.repeat(20 - Math.floor(result.summary.riskScore / 5));
-    console.log(`[SCORE] ${result.summary.riskScore}/100 [${explainScoreBar}] ${result.summary.riskLevel}`);
+    console.log(`[SCORE] ${result.summary.riskScore}/100 [${renderScoreBar(result.summary.riskScore)}] ${result.summary.riskLevel}`);
     if (mostSuspiciousFile) {
       console.log(`        Max file: ${mostSuspiciousFile} (${maxFileScore} pts)`);
       if (packageScore > 0) {
@@ -140,8 +140,7 @@ function formatOutput(result, options, ctx) {
     if (!spinner) console.log(`\n[MUADDIB] Scanning ${targetPath}\n`);
     else console.log('');
 
-    const scoreBar = '█'.repeat(Math.floor(result.summary.riskScore / 5)) + '░'.repeat(20 - Math.floor(result.summary.riskScore / 5));
-    console.log(`[SCORE] ${result.summary.riskScore}/100 [${scoreBar}] ${result.summary.riskLevel}`);
+    console.log(`[SCORE] ${result.summary.riskScore}/100 [${renderScoreBar(result.summary.riskScore)}] ${result.summary.riskLevel}`);
     if (mostSuspiciousFile) {
       console.log(`        Max file: ${mostSuspiciousFile} (${maxFileScore} pts)`);
       if (packageScore > 0) {

package/src/pipeline/executor.js

@@ -121,6 +121,11 @@ async function execute(targetPath, options, pythonDeps, warnings) {
     spinner.start(`[MUADDIB] Scanning ${targetPath}...`);
   }
 
+  // try/finally guarantees the spinner's setInterval is always cleared. A scanner
+  // throwing before the succeed() below would otherwise leave it animating AND keep
+  // the event loop alive (process hang). _stop() is idempotent.
+  try {
+
   // Deobfuscation pre-processor (pass to AST/dataflow scanners unless disabled)
   const deobfuscateFn = options.noDeobfuscate ? null : deobfuscate;
 
@@ -152,7 +157,7 @@ async function execute(targetPath, options, pythonDeps, warnings) {
         moduleGraphThreats.push({
           type: 'large_package_graph_truncated',
           severity: 'MEDIUM',
-          message: `Cross-file analysis désactivée : ${graphMeta.fileCount} fichiers dépassent la limite (${graphMeta.maxNodes}). Risque de blind spot sur monorepo / large package — auditer les sous-modules manuellement.`,
+          message: `Cross-file analysis disabled: ${graphMeta.fileCount} files exceed the limit (${graphMeta.maxNodes}). Risk of a blind spot on a monorepo / large package — audit the sub-modules manually.`,
           file: 'package.json',
           line: 0,
           fileCount: graphMeta.fileCount,
@@ -441,6 +446,9 @@ async function execute(targetPath, options, pythonDeps, warnings) {
   }
 
   return { threats, scannerErrors };
+  } finally {
+    if (spinner) spinner._stop();
+  }
 }
 
 module.exports = { execute, matchPythonIOCs, checkPyPITyposquatting };

package/src/runtime/daemon.js

@@ -1,24 +1,23 @@
 const fs = require('fs');
 const path = require('path');
 const { run } = require('../index.js');
+const { banner } = require('../utils.js');
 
 let webhookUrl = null;
 
 async function startDaemon(options = {}) {
   webhookUrl = options.webhook || null;
 
-  console.log(`
-╔════════════════════════════════════════════╗
-║         MUAD'DIB Security Daemon           ║
-║      Surveillance npm install active       ║
-╚════════════════════════════════════════════╝
-  `);
+  console.log('\n' + banner([
+    "MUAD'DIB Security Daemon",
+    'Monitoring npm installs'
+  ]) + '\n');
 
-  console.log('[DAEMON] Demarrage...');
-  console.log(`[DAEMON] Webhook: ${webhookUrl ? 'Configure' : 'Non configure'}`);
-  console.log('[DAEMON] Ctrl+C pour arreter\n');
+  console.log('[DAEMON] Starting...');
+  console.log(`[DAEMON] Webhook: ${webhookUrl ? 'Configured' : 'Not configured'}`);
+  console.log('[DAEMON] Press Ctrl+C to stop\n');
 
-  // Surveille le dossier courant
+  // Watch the current directory
   const cwd = process.cwd();
   const watchers = watchDirectory(cwd);
 
@@ -32,7 +31,7 @@ async function startDaemon(options = {}) {
   // Keep process alive until SIGINT
   await new Promise((resolve) => {
     process.once('SIGINT', () => {
-      console.log('\n[DAEMON] Arret...');
+      console.log('\n[DAEMON] Stopping...');
       cleanup();
       resolve();
     });
@@ -47,26 +46,26 @@ function watchDirectory(dir) {
   const packageLockPath = path.join(dir, 'package-lock.json');
   const yarnLockPath = path.join(dir, 'yarn.lock');
 
-  console.log(`[DAEMON] Surveillance de ${dir}`);
+  console.log(`[DAEMON] Watching ${dir}`);
 
-  // Surveille package-lock.json
+  // Watch package-lock.json
   if (fs.existsSync(packageLockPath)) {
     const w = watchFile(packageLockPath, dir);
     if (w) watchers.push(w);
   }
 
-  // Surveille yarn.lock
+  // Watch yarn.lock
   if (fs.existsSync(yarnLockPath)) {
     const w = watchFile(yarnLockPath, dir);
     if (w) watchers.push(w);
   }
 
-  // Surveille node_modules
+  // Watch node_modules
   if (fs.existsSync(nodeModulesPath)) {
     watchers.push(watchNodeModules(nodeModulesPath, dir));
   }
 
-  // Surveille la creation de node_modules
+  // Watch for node_modules creation
   if (process.platform === 'linux') {
     console.log('[DAEMON] Note: recursive fs.watch may not work on Linux');
   }
@@ -75,12 +74,12 @@ function watchDirectory(dir) {
     if (filename === 'node_modules' && eventType === 'rename') {
       const nmPath = path.join(dir, 'node_modules');
       if (fs.existsSync(nmPath)) {
-        console.log('[DAEMON] node_modules detecte, scan en cours...');
+        console.log('[DAEMON] node_modules detected, scanning...');
         triggerScan(dir);
       }
     }
     if (filename === 'package-lock.json' || filename === 'yarn.lock') {
-      console.log(`[DAEMON] ${filename} modifie, scan en cours...`);
+      console.log(`[DAEMON] ${filename} modified, scanning...`);
       triggerScan(dir);
     }
   });
@@ -106,7 +105,7 @@ function watchFile(filePath, projectDir) {
         const currentMtime = fs.statSync(filePath).mtime.getTime();
         if (currentMtime !== lastMtime) {
           lastMtime = currentMtime;
-          console.log(`[DAEMON] ${path.basename(filePath)} modifie`);
+          console.log(`[DAEMON] ${path.basename(filePath)} modified`);
           triggerScan(projectDir);
         }
       } catch {
@@ -123,7 +122,7 @@ function watchFile(filePath, projectDir) {
 function watchNodeModules(nodeModulesPath, projectDir) {
   const watcher = fs.watch(nodeModulesPath, { recursive: true }, (eventType, filename) => {
     if (filename && filename.includes('package.json')) {
-      console.log(`[DAEMON] Nouveau package detecte: ${filename}`);
+      console.log(`[DAEMON] New package detected: ${filename}`);
       triggerScan(projectDir);
     }
   });
@@ -147,12 +146,12 @@ function triggerScan(dir) {
   const now = Date.now();
   const state = getScanState(dir);
 
-  // Debounce: attend 3 secondes avant de scanner
+  // Debounce: wait 3 seconds before scanning
   if (state.timeout) {
     clearTimeout(state.timeout);
   }
 
-  // Evite les scans trop frequents (minimum 10 secondes entre chaque)
+  // Avoid over-frequent scans (minimum 10 seconds between each)
   if (now - state.lastScanTime < 10000) {
     state.timeout = setTimeout(() => triggerScan(dir), 10000 - (now - state.lastScanTime));
     return;
@@ -160,19 +159,19 @@ function triggerScan(dir) {
 
   state.timeout = setTimeout(async () => {
     state.lastScanTime = Date.now();
-    console.log(`\n[DAEMON] ========== SCAN AUTOMATIQUE ==========`);
-    console.log(`[DAEMON] Cible: ${dir}`);
-    console.log(`[DAEMON] Heure: ${new Date().toLocaleTimeString()}\n`);
+    console.log(`\n[DAEMON] ========== AUTOMATIC SCAN ==========`);
+    console.log(`[DAEMON] Target: ${dir}`);
+    console.log(`[DAEMON] Time: ${new Date().toLocaleTimeString()}\n`);
 
     try {
       await run(dir, { webhook: webhookUrl });
     } catch (err) {
-      console.log(`[DAEMON] Erreur scan: ${err.message}`);
+      console.log(`[DAEMON] Scan error: ${err.message}`);
     }
 
     console.log(`\n[DAEMON] ======================================\n`);
-    console.log('[DAEMON] En attente de modifications...');
+    console.log('[DAEMON] Waiting for changes...');
   }, 3000);
 }
 
-module.exports = { startDaemon, watchDirectory, watchFile, watchNodeModules, triggerScan, getScanState };
+module.exports = { startDaemon, watchDirectory, watchFile, watchNodeModules, triggerScan, getScanState };

package/src/runtime/watch.js

@@ -6,13 +6,13 @@ function watch(targetPath) {
   let debounceTimer = null;
   const watchers = [];
 
-  console.log(`[MUADDIB] Surveillance de ${targetPath}\n`);
-  console.log('[INFO] Ctrl+C pour arreter\n');
+  console.log(`[MUADDIB] Watching ${targetPath}\n`);
+  console.log('[INFO] Press Ctrl+C to stop\n');
 
-  // Scan initial
+  // Initial scan
   run(targetPath, { json: false }).catch(err => console.error('[ERROR]', err.message));
 
-  // Surveille les changements
+  // Watch for changes
   const watchPaths = [
     path.join(targetPath, 'package.json'),
     path.join(targetPath, 'package-lock.json'),
@@ -30,7 +30,7 @@ function watch(targetPath) {
         if (debounceTimer) clearTimeout(debounceTimer);
 
         debounceTimer = setTimeout(() => {
-          console.log(`\n[CHANGE] ${filename || 'unknown file'} modifie`);
+          console.log(`\n[CHANGE] ${filename || 'unknown file'} modified`);
           console.log('[MUADDIB] Re-scan...\n');
           run(targetPath, { json: false }).catch(err => console.error('[ERROR]', err.message));
         }, 1000);
@@ -45,7 +45,7 @@ function watch(targetPath) {
 
   // Cleanup on SIGINT
   process.once('SIGINT', () => {
-    console.log('\n[MUADDIB] Arret surveillance...');
+    console.log('\n[MUADDIB] Stopping watch...');
     for (const w of watchers) {
       try { w.close(); } catch { /* ignore */ }
     }
@@ -53,4 +53,4 @@ function watch(targetPath) {
   });
 }
 
-module.exports = { watch };
+module.exports = { watch };

package/src/sandbox/index.js

@@ -1035,16 +1035,18 @@ function scoreFindings(report) {
 
 // ── Network report (detailed, colored) ──
 
-function generateNetworkReport(report) {
+function generateNetworkReport(report, useColor = process.stdout.isTTY) {
   const lines = [];
-  const RED = '\x1b[31m';
-  const YELLOW = '\x1b[33m';
-  const GREEN = '\x1b[32m';
-  const CYAN = '\x1b[36m';
-  const MAGENTA = '\x1b[35m';
-  const BOLD = '\x1b[1m';
-  const DIM = '\x1b[2m';
-  const RESET = '\x1b[0m';
+  // Gate ANSI on TTY so piping `sandbox-report` to a file yields clean text
+  // (was unconditionally colored — escape codes leaked into redirected output).
+  const RED = useColor ? '\x1b[31m' : '';
+  const YELLOW = useColor ? '\x1b[33m' : '';
+  const GREEN = useColor ? '\x1b[32m' : '';
+  const CYAN = useColor ? '\x1b[36m' : '';
+  const MAGENTA = useColor ? '\x1b[35m' : '';
+  const BOLD = useColor ? '\x1b[1m' : '';
+  const DIM = useColor ? '\x1b[2m' : '';
+  const RESET = useColor ? '\x1b[0m' : '';
 
   lines.push('');
   lines.push(`${BOLD}${MAGENTA}╔══════════════════════════════════════════════════╗${RESET}`);