muaddib-scanner 2.11.77 → 2.11.79

package/bin/muaddib.js

@@ -31,6 +31,23 @@ const { diff, showRefs } = require('../src/diff.js');
 const { initHooks, removeHooks } = require('../src/hooks-init.js');
 const { showHelp, commandHelp } = require('../src/commands/help.js');
 const { interactiveMenu } = require('../src/commands/interactive.js');
+const { isPromptCancellation } = require('../src/utils.js');
+
+// Global safety net: turn an unhandled async error into a clean one-line message
+// instead of a raw stack trace. Ctrl-C inside an interactive prompt exits 130
+// (POSIX SIGINT convention); any other error exits 1. Set MUADDIB_DEBUG=1 to see
+// the full stack.
+function handleFatal(err) {
+  if (isPromptCancellation(err)) {
+    console.log('\nCancelled.');
+    process.exit(130);
+  }
+  console.error('[ERROR]', err && err.message ? err.message : String(err));
+  if (process.env.MUADDIB_DEBUG && err && err.stack) console.error(err.stack);
+  process.exit(1);
+}
+process.on('unhandledRejection', handleFatal);
+process.on('uncaughtException', handleFatal);
 
 const args = process.argv.slice(2);
 const command = args[0];
@@ -274,10 +291,7 @@ if (command === 'version' || command === '--version' || command === '-v') {
   if (command === '--help' || command === '-h') {
     showHelp();
   }
-  interactiveMenu().catch(err => {
-    console.error('[ERROR]', err.message);
-    process.exit(1);
-  });
+  interactiveMenu().catch(handleFatal);
 } else if (command === 'scan') {
   if (wantHelp) showHelp('scan');
   run(target, {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.11.77",
+  "version": "2.11.79",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/{self-scan-v2.11.77.json → self-scan-v2.11.79.json}

@@ -1,6 +1,6 @@
 {
   "target": "node_modules",
-  "timestamp": "2026-06-08T14:52:28.323Z",
+  "timestamp": "2026-06-10T12:04:24.243Z",
   "threats": [
     {
       "type": "string_mutation_obfuscation",

package/src/commands/interactive.js

@@ -8,16 +8,15 @@ const { safeInstall } = require('../safe-install.js');
 const { buildSandboxImage, runSandbox, generateNetworkReport } = require('../sandbox/index.js');
 const { diff } = require('../diff.js');
 const { initHooks } = require('../hooks-init.js');
+const { banner } = require('../utils.js');
 
 async function interactiveMenu() {
   const { select, input, confirm } = await import('@inquirer/prompts');
 
-  console.log(`
-  ╔═══════════════════════════════════════════════╗
-  ║   MUAD'DIB - npm & PyPI Supply Chain Hunter  ║
-  ║   "The worms must die."                      ║
-  ╚═══════════════════════════════════════════════╝
-  `);
+  console.log('\n' + banner([
+    "MUAD'DIB - npm & PyPI Supply Chain Hunter",
+    '"The worms must die."'
+  ]) + '\n');
 
   const action = await select({
     message: 'What do you want to do?',

package/src/commands/safe-install.js

@@ -8,6 +8,7 @@ const path = require('path');
 const cp = require('child_process');
 const { loadCachedIOCs } = require('../ioc/updater.js');
 const { REHABILITATED_PACKAGES, NPM_PACKAGE_REGEX } = require('../shared/constants.js');
+const { banner } = require('../utils.js');
 
 /**
  * Validates that a package name is safe (no command injection)
@@ -212,12 +213,10 @@ async function scanPackageRecursive(pkg, depth = 0, maxDepth = 3) {
 async function safeInstall(packages, options = {}) {
   const { isDev, isGlobal, force } = options;
   
-  console.log(`
-╔══════════════════════════════════════════╗
-║   MUAD'DIB Safe Install                  ║
-║   Scanning packages + dependencies...    ║
-╚══════════════════════════════════════════╝
-`);
+  console.log('\n' + banner([
+    "MUAD'DIB Safe Install",
+    'Scanning packages + dependencies...'
+  ]) + '\n');
 
   // Reset the cache for each install
   scannedPackages.clear();
@@ -226,11 +225,7 @@ async function safeInstall(packages, options = {}) {
     const result = await scanPackageRecursive(pkg);
     
     if (!result.safe) {
-      console.log(`
-╔══════════════════════════════════════════╗
-║   [!] MALICIOUS PACKAGE DETECTED         ║
-╚══════════════════════════════════════════╝
-`);
+      console.log('\n' + banner(['[!] MALICIOUS PACKAGE DETECTED']) + '\n');
       if (result.depth > 0) {
         console.log(`Requested package: ${pkg}`);
         console.log(`Malicious dependency: ${result.package} (depth: ${result.depth})`);
@@ -245,11 +240,11 @@ async function safeInstall(packages, options = {}) {
         console.log('[!] Installation BLOCKED.');
         return { blocked: true, package: result.package, threats: [{ type: 'known_malicious', severity: 'CRITICAL', message: result.description }] };
       } else {
-        console.log('╔══════════════════════════════════════════╗');
-        console.log('║   [!!!] WARNING: FORCE INSTALL ACTIVE    ║');
-        console.log('║   Known malicious package detected!       ║');
-        console.log('║   Installing despite security threats.    ║');
-        console.log('╚══════════════════════════════════════════╝');
+        console.log(banner([
+          '[!!!] WARNING: FORCE INSTALL ACTIVE',
+          'Known malicious package detected!',
+          'Installing despite security threats.'
+        ]));
         console.log('[AUDIT] Force-install override for malicious package: ' + result.package);
 
         // SFI-004: Write audit log for force-install overrides

package/src/ioc/scraper.js

@@ -7,9 +7,10 @@ const AdmZip = require('adm-zip');
 const IOC_FILE = path.join(__dirname, 'data/iocs.json');
 const COMPACT_IOC_FILE = path.join(__dirname, 'data/iocs-compact.json');
 const HOME_IOC_FILE = path.join(os.homedir(), '.muaddib', 'data', 'iocs.json');
-const { generateCompactIOCs, NEVER_WILDCARD } = require('./updater.js');
+const { generateCompactIOCs, NEVER_WILDCARD, expandCompactIOCs } = require('./updater.js');
 const { Spinner } = require('../utils.js');
 const { NPM_PACKAGE_REGEX } = require('../shared/constants.js');
+const { version: PKG_VERSION } = require('../../package.json');
 
 // Version format validation (semver-like + wildcard)
 // Permissive version validator — accepts:
@@ -43,6 +44,8 @@ const VERSION_RE = { test: isValidVersion };
 let _noVersionSkipCount = 0;
 let _invalidVersionSkipCount = 0;
 let _invalidVersionSamples = [];  // first 3 samples for context
+let _invalidNameSkipCount = 0;
+let _invalidNameSamples = [];  // first 3 samples for context
 
 /**
  * Validate an IOC package entry before insertion.
@@ -53,14 +56,18 @@ function validateIOCEntry(pkgName, version, ecosystem) {
   // npm: validate with NPM_PACKAGE_REGEX
   if (ecosystem === 'npm' || !ecosystem) {
     if (!NPM_PACKAGE_REGEX.test(pkgName)) {
-      console.warn(`[WARN] Invalid ${ecosystem || 'npm'} package name skipped: ${pkgName}`);
+      // Aggregated counter (summary emitted by runScraper) — was a per-line
+      // console.warn that spammed 100+ lines on feeds carrying non-spec names.
+      _invalidNameSkipCount++;
+      if (_invalidNameSamples.length < 3) _invalidNameSamples.push(pkgName);
       return false;
     }
   }
   // PyPI: basic check — no path traversal, no slashes
   if (ecosystem === 'pypi') {
     if (/[/\\]|\.\./.test(pkgName)) {
-      console.warn(`[WARN] Invalid PyPI package name skipped: ${pkgName}`);
+      _invalidNameSkipCount++;
+      if (_invalidNameSamples.length < 3) _invalidNameSamples.push(pkgName);
       return false;
     }
   }
@@ -955,14 +962,16 @@ async function scrapeGitHubAdvisory() {
 // ============================================
 async function runScraper() {
   console.log('\n' + '='.repeat(60));
-  console.log('  MUAD\'DIB IOC Scraper v4.1');
-  console.log('  OSV + OSSF + GenSecAI + DataDog + Aikido + OSM');
+  console.log('  MUAD\'DIB IOC Scraper v' + PKG_VERSION);
+  console.log('  OSV + OSSF + GitHub Advisory + GenSecAI + DataDog + Aikido + OSM');
   console.log('='.repeat(60) + '\n');
 
   // Reset aggregated warning counters
   _noVersionSkipCount = 0;
   _invalidVersionSkipCount = 0;
   _invalidVersionSamples = [];
+  _invalidNameSkipCount = 0;
+  _invalidNameSamples = [];
 
   // Create data directory if needed
   const dataDir = path.dirname(IOC_FILE);
@@ -997,11 +1006,28 @@ async function runScraper() {
     }
   }
 
+  // Fresh-install fallback: the full iocs.json is gitignored / not shipped in the
+  // npm package, but the compact baseline IS. Seed from it (the same path that
+  // `muaddib update` uses) so a first scrape augments the shipped baseline instead
+  // of appearing to start from zero and re-downloading everything.
+  let seededFromCompact = false;
+  if (existingIOCs.packages.length === 0 && fs.existsSync(COMPACT_IOC_FILE)) {
+    try {
+      const compactData = JSON.parse(fs.readFileSync(COMPACT_IOC_FILE, 'utf8'));
+      existingIOCs = expandCompactIOCs(compactData);
+      if (!existingIOCs.pypi_packages) existingIOCs.pypi_packages = [];
+      seededFromCompact = true;
+    } catch {
+      console.log('[WARN] Compact IOC baseline unreadable, starting fresh');
+    }
+  }
+
   const initialCount = existingIOCs.packages.length;
   const initialPyPICount = existingIOCs.pypi_packages.length;
   const initialHashCount = existingIOCs.hashes ? existingIOCs.hashes.length : 0;
 
-  console.log('[INFO] Existing IOCs: ' + initialCount + ' packages, ' + initialHashCount + ' hashes\n');
+  const baselineLabel = seededFromCompact ? 'Baseline IOCs loaded (shipped compact)' : 'Existing IOCs';
+  console.log('[INFO] ' + baselineLabel + ': ' + initialCount + ' packages, ' + initialHashCount + ' hashes\n');
 
   // Phase 1: OSV data dump first (bulk, primary source)
   // This returns knownIds so OSSF can skip already-known entries
@@ -1037,6 +1063,12 @@ async function runScraper() {
       : '';
     console.log('[SCRAPER] WARN: ' + _invalidVersionSkipCount + ' entries skipped (malformed version)' + samples);
   }
+  if (_invalidNameSkipCount > 0) {
+    const nameSamples = _invalidNameSamples.length > 0
+      ? ' (samples: ' + _invalidNameSamples.join(', ') + ')'
+      : '';
+    console.log('[SCRAPER] WARN: ' + _invalidNameSkipCount + ' invalid package names skipped' + nameSamples);
+  }
 
   // Merge all scraped packages
   const allPackages = [
@@ -1297,12 +1329,13 @@ async function runScraper() {
     console.log('     - ' + source + ': ' + count);
   }
 
-  // Target check
+  // Sanity check: a drop vs the previously-loaded baseline is a real signal of a
+  // feed outage or a corrupted merge — surface that instead of a meaningless target.
   const total = existingIOCs.packages.length;
-  if (total >= 5000) {
-    console.log('\n  [OK] Target reached: ' + total + ' IOCs (>= 5000)');
+  if (total < initialCount) {
+    console.log('\n  [WARN] IOC count decreased: ' + total + ' (was ' + initialCount + ') — possible source outage');
   } else {
-    console.log('\n  [WARN] Target NOT reached: ' + total + ' IOCs (< 5000)');
+    console.log('\n  [OK] IOC database: ' + total + ' npm IOCs');
   }
 
   console.log('\n');
@@ -1606,6 +1639,8 @@ async function queryOSVBatch(packageNames) {
 // Test helpers for aggregated warning counters
 function getNoVersionSkipCount() { return _noVersionSkipCount; }
 function resetNoVersionSkipCount() { _noVersionSkipCount = 0; }
+function getInvalidNameSkipCount() { return _invalidNameSkipCount; }
+function resetInvalidNameSkipCount() { _invalidNameSkipCount = 0; _invalidNameSamples = []; }
 
 /**
  * Source-aware confidence: a package reported by N distinct feeds is more
@@ -1643,6 +1678,7 @@ module.exports = {
   createFreshness, isAllowedRedirect,
   validateIOCEntry,
   getNoVersionSkipCount, resetNoVersionSkipCount,
+  getInvalidNameSkipCount, resetInvalidNameSkipCount,
   CONFIDENCE_ORDER, ALLOWED_REDIRECT_DOMAINS,
   MAX_ENTRY_UNCOMPRESSED, MAX_TOTAL_UNCOMPRESSED
 };

package/src/monitor/daemon.js

@@ -4,6 +4,7 @@ const path = require('path');
 const os = require('os');
 const v8 = require('v8');
 const { isDockerAvailable, SANDBOX_CONCURRENCY_MAX, killAllSandboxContainers } = require('../sandbox/index.js');
+const { banner } = require('../utils.js');
 const { setVerboseMode, isSandboxEnabled, isCanaryEnabled, isLlmDetectiveEnabled, getLlmDetectiveMode, DOWNLOADS_CACHE_TTL } = require('./classify.js');
 const { loadState, saveState, loadDailyStats, saveDailyStats, purgeTarballCache, isDailyReportDue, atomicWriteFileSync, saveNpmSeq, ALERTS_FILE, runStateMigrations, loadRecentlyScanned, saveRecentlyScanned } = require('./state.js');
 const { isTemporalEnabled, isTemporalAstEnabled, isTemporalPublishEnabled, isTemporalMaintainerEnabled } = require('./temporal.js');
@@ -787,12 +788,10 @@ async function startMonitor(options, stats, dailyAlerts, recentlyScanned, downlo
     console.warn(`[Archive] Failed to start periodic cleanup: ${err.message}`);
   }
 
-  console.log(`
-╔════════════════════════════════════════════╗
-║     MUAD'DIB - Registry Monitor           ║
-║     Scanning npm + PyPI new packages      ║
-╚════════════════════════════════════════════╝
-  `);
+  console.log('\n' + banner([
+    "MUAD'DIB - Registry Monitor",
+    'Scanning npm + PyPI new packages'
+  ]) + '\n');
 
   // Note: alerts file migrated from .json to .jsonl in v2.10.89
   const oldAlertsJson = ALERTS_FILE.replace('.jsonl', '.json');

package/src/output/formatter.js

@@ -3,6 +3,7 @@ const { saveSARIF } = require('../sarif.js');
 const { saveCycloneDX } = require('./cyclonedx.js');
 const { getPlaybook } = require('../response/playbooks.js');
 const { DOMAIN_CODES, getRuleDomain } = require('../rules/index.js');
+const { renderScoreBar } = require('../utils.js');
 
 // P0a — domain tag formatter for CLI text output.
 // Returns a bracketed 3-letter code like "[MAL]" / "[AUT]" / "[ENG]" / "[VUL]"
@@ -63,8 +64,7 @@ function formatOutput(result, options, ctx) {
     if (!spinner) console.log(`\n[MUADDIB] Scanning ${targetPath}\n`);
     else console.log('');
 
-    const explainScoreBar = '█'.repeat(Math.floor(result.summary.riskScore / 5)) + '░'.repeat(20 - Math.floor(result.summary.riskScore / 5));
-    console.log(`[SCORE] ${result.summary.riskScore}/100 [${explainScoreBar}] ${result.summary.riskLevel}`);
+    console.log(`[SCORE] ${result.summary.riskScore}/100 [${renderScoreBar(result.summary.riskScore)}] ${result.summary.riskLevel}`);
     if (mostSuspiciousFile) {
       console.log(`        Max file: ${mostSuspiciousFile} (${maxFileScore} pts)`);
       if (packageScore > 0) {
@@ -140,8 +140,7 @@ function formatOutput(result, options, ctx) {
     if (!spinner) console.log(`\n[MUADDIB] Scanning ${targetPath}\n`);
     else console.log('');
 
-    const scoreBar = '█'.repeat(Math.floor(result.summary.riskScore / 5)) + '░'.repeat(20 - Math.floor(result.summary.riskScore / 5));
-    console.log(`[SCORE] ${result.summary.riskScore}/100 [${scoreBar}] ${result.summary.riskLevel}`);
+    console.log(`[SCORE] ${result.summary.riskScore}/100 [${renderScoreBar(result.summary.riskScore)}] ${result.summary.riskLevel}`);
     if (mostSuspiciousFile) {
       console.log(`        Max file: ${mostSuspiciousFile} (${maxFileScore} pts)`);
       if (packageScore > 0) {

package/src/pipeline/executor.js

@@ -121,6 +121,11 @@ async function execute(targetPath, options, pythonDeps, warnings) {
     spinner.start(`[MUADDIB] Scanning ${targetPath}...`);
   }
 
+  // try/finally guarantees the spinner's setInterval is always cleared. A scanner
+  // throwing before the succeed() below would otherwise leave it animating AND keep
+  // the event loop alive (process hang). _stop() is idempotent.
+  try {
+
   // Deobfuscation pre-processor (pass to AST/dataflow scanners unless disabled)
   const deobfuscateFn = options.noDeobfuscate ? null : deobfuscate;
 
@@ -152,7 +157,7 @@ async function execute(targetPath, options, pythonDeps, warnings) {
         moduleGraphThreats.push({
           type: 'large_package_graph_truncated',
           severity: 'MEDIUM',
-          message: `Cross-file analysis désactivée : ${graphMeta.fileCount} fichiers dépassent la limite (${graphMeta.maxNodes}). Risque de blind spot sur monorepo / large package — auditer les sous-modules manuellement.`,
+          message: `Cross-file analysis disabled: ${graphMeta.fileCount} files exceed the limit (${graphMeta.maxNodes}). Risk of a blind spot on a monorepo / large package — audit the sub-modules manually.`,
           file: 'package.json',
           line: 0,
           fileCount: graphMeta.fileCount,
@@ -441,6 +446,9 @@ async function execute(targetPath, options, pythonDeps, warnings) {
   }
 
   return { threats, scannerErrors };
+  } finally {
+    if (spinner) spinner._stop();
+  }
 }
 
 module.exports = { execute, matchPythonIOCs, checkPyPITyposquatting };

package/src/runtime/daemon.js

@@ -1,24 +1,23 @@
 const fs = require('fs');
 const path = require('path');
 const { run } = require('../index.js');
+const { banner } = require('../utils.js');
 
 let webhookUrl = null;
 
 async function startDaemon(options = {}) {
   webhookUrl = options.webhook || null;
 
-  console.log(`
-╔════════════════════════════════════════════╗
-║         MUAD'DIB Security Daemon           ║
-║      Surveillance npm install active       ║
-╚════════════════════════════════════════════╝
-  `);
+  console.log('\n' + banner([
+    "MUAD'DIB Security Daemon",
+    'Monitoring npm installs'
+  ]) + '\n');
 
-  console.log('[DAEMON] Demarrage...');
-  console.log(`[DAEMON] Webhook: ${webhookUrl ? 'Configure' : 'Non configure'}`);
-  console.log('[DAEMON] Ctrl+C pour arreter\n');
+  console.log('[DAEMON] Starting...');
+  console.log(`[DAEMON] Webhook: ${webhookUrl ? 'Configured' : 'Not configured'}`);
+  console.log('[DAEMON] Press Ctrl+C to stop\n');
 
-  // Surveille le dossier courant
+  // Watch the current directory
   const cwd = process.cwd();
   const watchers = watchDirectory(cwd);
 
@@ -32,7 +31,7 @@ async function startDaemon(options = {}) {
   // Keep process alive until SIGINT
   await new Promise((resolve) => {
     process.once('SIGINT', () => {
-      console.log('\n[DAEMON] Arret...');
+      console.log('\n[DAEMON] Stopping...');
       cleanup();
       resolve();
     });
@@ -47,26 +46,26 @@ function watchDirectory(dir) {
   const packageLockPath = path.join(dir, 'package-lock.json');
   const yarnLockPath = path.join(dir, 'yarn.lock');
 
-  console.log(`[DAEMON] Surveillance de ${dir}`);
+  console.log(`[DAEMON] Watching ${dir}`);
 
-  // Surveille package-lock.json
+  // Watch package-lock.json
   if (fs.existsSync(packageLockPath)) {
     const w = watchFile(packageLockPath, dir);
     if (w) watchers.push(w);
   }
 
-  // Surveille yarn.lock
+  // Watch yarn.lock
   if (fs.existsSync(yarnLockPath)) {
     const w = watchFile(yarnLockPath, dir);
     if (w) watchers.push(w);
   }
 
-  // Surveille node_modules
+  // Watch node_modules
   if (fs.existsSync(nodeModulesPath)) {
     watchers.push(watchNodeModules(nodeModulesPath, dir));
   }
 
-  // Surveille la creation de node_modules
+  // Watch for node_modules creation
   if (process.platform === 'linux') {
     console.log('[DAEMON] Note: recursive fs.watch may not work on Linux');
   }
@@ -75,12 +74,12 @@ function watchDirectory(dir) {
     if (filename === 'node_modules' && eventType === 'rename') {
       const nmPath = path.join(dir, 'node_modules');
       if (fs.existsSync(nmPath)) {
-        console.log('[DAEMON] node_modules detecte, scan en cours...');
+        console.log('[DAEMON] node_modules detected, scanning...');
         triggerScan(dir);
       }
     }
     if (filename === 'package-lock.json' || filename === 'yarn.lock') {
-      console.log(`[DAEMON] ${filename} modifie, scan en cours...`);
+      console.log(`[DAEMON] ${filename} modified, scanning...`);
       triggerScan(dir);
     }
   });
@@ -106,7 +105,7 @@ function watchFile(filePath, projectDir) {
         const currentMtime = fs.statSync(filePath).mtime.getTime();
         if (currentMtime !== lastMtime) {
           lastMtime = currentMtime;
-          console.log(`[DAEMON] ${path.basename(filePath)} modifie`);
+          console.log(`[DAEMON] ${path.basename(filePath)} modified`);
           triggerScan(projectDir);
         }
       } catch {
@@ -123,7 +122,7 @@ function watchFile(filePath, projectDir) {
 function watchNodeModules(nodeModulesPath, projectDir) {
   const watcher = fs.watch(nodeModulesPath, { recursive: true }, (eventType, filename) => {
     if (filename && filename.includes('package.json')) {
-      console.log(`[DAEMON] Nouveau package detecte: ${filename}`);
+      console.log(`[DAEMON] New package detected: ${filename}`);
       triggerScan(projectDir);
     }
   });
@@ -147,12 +146,12 @@ function triggerScan(dir) {
   const now = Date.now();
   const state = getScanState(dir);
 
-  // Debounce: attend 3 secondes avant de scanner
+  // Debounce: wait 3 seconds before scanning
   if (state.timeout) {
     clearTimeout(state.timeout);
   }
 
-  // Evite les scans trop frequents (minimum 10 secondes entre chaque)
+  // Avoid over-frequent scans (minimum 10 seconds between each)
   if (now - state.lastScanTime < 10000) {
     state.timeout = setTimeout(() => triggerScan(dir), 10000 - (now - state.lastScanTime));
     return;
@@ -160,19 +159,19 @@ function triggerScan(dir) {
 
   state.timeout = setTimeout(async () => {
     state.lastScanTime = Date.now();
-    console.log(`\n[DAEMON] ========== SCAN AUTOMATIQUE ==========`);
-    console.log(`[DAEMON] Cible: ${dir}`);
-    console.log(`[DAEMON] Heure: ${new Date().toLocaleTimeString()}\n`);
+    console.log(`\n[DAEMON] ========== AUTOMATIC SCAN ==========`);
+    console.log(`[DAEMON] Target: ${dir}`);
+    console.log(`[DAEMON] Time: ${new Date().toLocaleTimeString()}\n`);
 
     try {
       await run(dir, { webhook: webhookUrl });
     } catch (err) {
-      console.log(`[DAEMON] Erreur scan: ${err.message}`);
+      console.log(`[DAEMON] Scan error: ${err.message}`);
     }
 
     console.log(`\n[DAEMON] ======================================\n`);
-    console.log('[DAEMON] En attente de modifications...');
+    console.log('[DAEMON] Waiting for changes...');
   }, 3000);
 }
 
-module.exports = { startDaemon, watchDirectory, watchFile, watchNodeModules, triggerScan, getScanState };
+module.exports = { startDaemon, watchDirectory, watchFile, watchNodeModules, triggerScan, getScanState };

package/src/runtime/watch.js

@@ -6,13 +6,13 @@ function watch(targetPath) {
   let debounceTimer = null;
   const watchers = [];
 
-  console.log(`[MUADDIB] Surveillance de ${targetPath}\n`);
-  console.log('[INFO] Ctrl+C pour arreter\n');
+  console.log(`[MUADDIB] Watching ${targetPath}\n`);
+  console.log('[INFO] Press Ctrl+C to stop\n');
 
-  // Scan initial
+  // Initial scan
   run(targetPath, { json: false }).catch(err => console.error('[ERROR]', err.message));
 
-  // Surveille les changements
+  // Watch for changes
   const watchPaths = [
     path.join(targetPath, 'package.json'),
     path.join(targetPath, 'package-lock.json'),
@@ -30,7 +30,7 @@ function watch(targetPath) {
         if (debounceTimer) clearTimeout(debounceTimer);
 
         debounceTimer = setTimeout(() => {
-          console.log(`\n[CHANGE] ${filename || 'unknown file'} modifie`);
+          console.log(`\n[CHANGE] ${filename || 'unknown file'} modified`);
           console.log('[MUADDIB] Re-scan...\n');
           run(targetPath, { json: false }).catch(err => console.error('[ERROR]', err.message));
         }, 1000);
@@ -45,7 +45,7 @@ function watch(targetPath) {
 
   // Cleanup on SIGINT
   process.once('SIGINT', () => {
-    console.log('\n[MUADDIB] Arret surveillance...');
+    console.log('\n[MUADDIB] Stopping watch...');
     for (const w of watchers) {
       try { w.close(); } catch { /* ignore */ }
     }
@@ -53,4 +53,4 @@ function watch(targetPath) {
   });
 }
 
-module.exports = { watch };
+module.exports = { watch };

package/src/sandbox/index.js

@@ -1035,16 +1035,18 @@ function scoreFindings(report) {
 
 // ── Network report (detailed, colored) ──
 
-function generateNetworkReport(report) {
+function generateNetworkReport(report, useColor = process.stdout.isTTY) {
   const lines = [];
-  const RED = '\x1b[31m';
-  const YELLOW = '\x1b[33m';
-  const GREEN = '\x1b[32m';
-  const CYAN = '\x1b[36m';
-  const MAGENTA = '\x1b[35m';
-  const BOLD = '\x1b[1m';
-  const DIM = '\x1b[2m';
-  const RESET = '\x1b[0m';
+  // Gate ANSI on TTY so piping `sandbox-report` to a file yields clean text
+  // (was unconditionally colored — escape codes leaked into redirected output).
+  const RED = useColor ? '\x1b[31m' : '';
+  const YELLOW = useColor ? '\x1b[33m' : '';
+  const GREEN = useColor ? '\x1b[32m' : '';
+  const CYAN = useColor ? '\x1b[36m' : '';
+  const MAGENTA = useColor ? '\x1b[35m' : '';
+  const BOLD = useColor ? '\x1b[1m' : '';
+  const DIM = useColor ? '\x1b[2m' : '';
+  const RESET = useColor ? '\x1b[0m' : '';
 
   lines.push('');
   lines.push(`${BOLD}${MAGENTA}╔══════════════════════════════════════════════════╗${RESET}`);

package/src/utils.js

@@ -392,6 +392,62 @@ function debugLog(...args) {
   if (process.env.MUADDIB_DEBUG) console.error('[DEBUG]', ...args);
 }
 
+// eslint-disable-next-line no-control-regex -- ESC (\x1b) is required to strip ANSI color sequences before measuring visible width
+const _ANSI_RE = /\x1b\[[0-9;]*m/g;
+
+/**
+ * Draws an aligned box-drawing banner around the given content line(s).
+ * Width auto-fits the widest VISIBLE line (ANSI stripped before measuring),
+ * so the right border is always straight — replacing the hand-padded boxes
+ * that drifted out of alignment. Returns the banner as a string (no leading or
+ * trailing blank lines — callers add spacing as needed).
+ *
+ * @param {string[]|string} lines - content line(s)
+ * @returns {string}
+ */
+function banner(lines) {
+  const content = Array.isArray(lines) ? lines : [String(lines)];
+  const visibleLen = (s) => String(s).replace(_ANSI_RE, '').length;
+  const PAD = 1; // spaces of padding on each side
+  const inner = content.reduce((max, l) => Math.max(max, visibleLen(l)), 0) + PAD * 2;
+  const top = '╔' + '═'.repeat(inner) + '╗';
+  const bottom = '╚' + '═'.repeat(inner) + '╝';
+  const body = content.map((l) => {
+    const trailing = inner - PAD - visibleLen(l);
+    return '║' + ' '.repeat(PAD) + l + ' '.repeat(Math.max(0, trailing)) + '║';
+  });
+  return [top, ...body, bottom].join('\n');
+}
+
+/**
+ * True when an error represents a user-initiated prompt cancellation — Ctrl-C
+ * inside an @inquirer/prompts prompt, which throws an ExitPromptError whose
+ * message contains "force closed the prompt with SIGINT". Lets the CLI exit
+ * cleanly (code 130) instead of dumping an [ERROR] line or a stack trace.
+ *
+ * @param {*} err
+ * @returns {boolean}
+ */
+function isPromptCancellation(err) {
+  if (!err) return false;
+  if (err.name === 'ExitPromptError') return true;
+  return /SIGINT|force closed the prompt/i.test(err.message || '');
+}
+
+/**
+ * Renders a fixed-width 20-cell [██░░] bar for a 0–100 risk score. Clamps and
+ * guards against undefined / NaN / out-of-range so the CLI never throws a
+ * RangeError from String.prototype.repeat on a malformed score.
+ *
+ * @param {number} score
+ * @returns {string} a 20-character bar
+ */
+function renderScoreBar(score) {
+  const s = Number.isFinite(score) ? Math.max(0, Math.min(100, score)) : 0;
+  const filled = Math.floor(s / 5);
+  return '█'.repeat(filled) + '░'.repeat(20 - filled);
+}
+
 module.exports = {
   EXCLUDED_DIRS,
   MAX_SCAN_FILES,
@@ -409,5 +465,8 @@ module.exports = {
   getExtraExcludes,
   forEachSafeFile,
   listInstalledPackages,
-  debugLog
+  debugLog,
+  banner,
+  isPromptCancellation,
+  renderScoreBar
 };