muaddib-scanner 2.11.79 → 2.11.81

package/bin/muaddib.js

@@ -21,6 +21,15 @@ if (process.argv[2] === 'evaluate') {
   }
 }
 
+// Load /opt/muaddib/.env (project root) if present, BEFORE anything reads env, so
+// one-shot CLI invocations (notably `report --now` / `report --resend`) see
+// MUADDIB_WEBHOOK_URL even when not launched by the systemd unit that sets
+// EnvironmentFile. Real environment variables are never overwritten. Optional file.
+try {
+  const { loadDotEnv } = require('../src/env-loader.js');
+  loadDotEnv(require('path').join(__dirname, '..', '.env'));
+} catch { /* non-fatal: .env is optional */ }
+
 const { run } = require('../src/index.js');
 const { updateIOCs } = require('../src/ioc/updater.js');
 const { watch } = require('../src/watch.js');
@@ -721,6 +730,26 @@ if (command === 'version' || command === '--version' || command === '-v') {
       console.error('[ERROR]', err.message);
       process.exit(1);
     });
+  } else if (options.includes('--resend')) {
+    // Redeliver an already-persisted daily report (default: the latest) to the
+    // webhook — for when the original send failed (e.g. a DNS blip). No stats
+    // reconstruction; the exact persisted embed is re-sent.
+    const { resendReport } = require('../src/monitor.js');
+    const dateArg = options.find(o => !o.startsWith('--')) || null;
+    resendReport(dateArg).then(result => {
+      const color = process.stdout.isTTY;
+      if (result.sent) {
+        const check = color ? '\x1b[32m✓\x1b[0m' : '✓';
+        console.log(`\n  ${check} ${result.message}\n`);
+      } else {
+        const warn = color ? '\x1b[33m!\x1b[0m' : '!';
+        console.log(`\n  ${warn} ${result.message}\n`);
+      }
+      process.exit(result.sent ? 0 : 1);
+    }).catch(err => {
+      console.error('[ERROR]', err.message);
+      process.exit(1);
+    });
   } else if (options.includes('--status')) {
     const { getReportStatus } = require('../src/monitor.js');
     const status = getReportStatus();
@@ -731,7 +760,7 @@ if (command === 'version' || command === '--version' || command === '-v') {
     console.log('');
     process.exit(0);
   } else {
-    console.log('Usage: muaddib report --now | --status');
+    console.log('Usage: muaddib report --now | --resend [YYYY-MM-DD] | --status');
     process.exit(1);
   }
 } else if (command === 'relabel') {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.11.79",
+  "version": "2.11.81",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/{self-scan-v2.11.79.json → self-scan-v2.11.81.json}

@@ -1,6 +1,6 @@
 {
   "target": "node_modules",
-  "timestamp": "2026-06-10T12:04:24.243Z",
+  "timestamp": "2026-06-10T12:42:10.126Z",
   "threats": [
     {
       "type": "string_mutation_obfuscation",

package/src/env-loader.js

@@ -0,0 +1,57 @@
+'use strict';
+
+const fs = require('fs');
+
+// Minimal .env loader — zero dependency (the project forbids new runtime deps, so
+// no dotenv). Parses KEY=VALUE lines, ignores blanks / # comments / `export `
+// prefixes, strips one pair of surrounding quotes, and by default NEVER overwrites
+// a variable already present in process.env (the real environment / systemd
+// EnvironmentFile always wins over the on-disk file).
+
+function parseDotEnv(content) {
+  const out = {};
+  for (const rawLine of String(content).split(/\r?\n/)) {
+    const line = rawLine.trim();
+    if (!line || line.startsWith('#')) continue;
+    const eq = line.indexOf('=');
+    if (eq <= 0) continue;
+    let key = line.slice(0, eq).trim();
+    if (key.startsWith('export ')) key = key.slice(7).trim();
+    if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(key)) continue; // skip malformed keys
+    let val = line.slice(eq + 1).trim();
+    if ((val.startsWith('"') && val.endsWith('"')) ||
+        (val.startsWith("'") && val.endsWith("'"))) {
+      val = val.slice(1, -1);
+    }
+    out[key] = val;
+  }
+  return out;
+}
+
+/**
+ * Load a .env file into process.env. Missing / unreadable file is a silent no-op
+ * (the file is optional). Returns { loaded, keys } where keys are the names that
+ * were actually applied.
+ * @param {string} filePath
+ * @param {{override?: boolean}} [opts] override=true replaces existing vars (default false)
+ */
+function loadDotEnv(filePath, opts = {}) {
+  const override = opts.override === true;
+  let content;
+  try {
+    content = fs.readFileSync(filePath, 'utf8');
+  } catch {
+    return { loaded: false, keys: [] };
+  }
+  const parsed = parseDotEnv(content);
+  const applied = [];
+  for (const [k, v] of Object.entries(parsed)) {
+    if (override || process.env[k] === undefined) {
+      process.env[k] = v;
+      applied.push(k);
+    }
+  }
+  return { loaded: true, keys: applied };
+}
+
+module.exports = { parseDotEnv, loadDotEnv };

package/src/integrations/webhook.js

@@ -70,20 +70,15 @@ async function sendWebhook(url, results, options = {}) {
   const urlObj = new URL(url);
   let resolvedAddress;
   try {
-    const [ipv4Addresses, ipv6Addresses] = await Promise.all([
-      dns.promises.resolve4(urlObj.hostname).catch(() => []),
-      dns.promises.resolve6(urlObj.hostname).catch(() => [])
-    ]);
-    const allAddresses = [...ipv4Addresses, ...ipv6Addresses];
-    if (allAddresses.length === 0) {
-      throw new Error(`Webhook blocked: no DNS records found for ${urlObj.hostname}`);
-    }
+    // Retries transient resolver failures (the 2026-06-10 DNS blip). The SSRF
+    // private-IP check below runs on the resolved addresses and is NOT retried.
+    const { ipv4, all: allAddresses } = await resolveHostWithRetry(urlObj.hostname);
     for (const address of allAddresses) {
       if (PRIVATE_IP_PATTERNS.some(pattern => pattern.test(address))) {
         throw new Error(`Webhook blocked: hostname ${urlObj.hostname} resolves to private IP ${address}`);
       }
     }
-    resolvedAddress = ipv4Addresses[0] || null;
+    resolvedAddress = ipv4[0] || null;
   } catch (e) {
     if (e.message.startsWith('Webhook blocked')) throw e;
     throw new Error(`Webhook blocked: DNS resolution failed for ${urlObj.hostname}`, { cause: e });
@@ -365,6 +360,17 @@ const MAX_RESPONSE_SIZE = 1024 * 1024; // 1MB
 const MAX_RETRIES = 3;
 const BACKOFF_BASE_MS = 1000; // 1s, 2s, 4s exponential backoff
 const RETRYABLE_STATUS_CODES = new Set([429, 500, 502, 503, 504]);
+// Transient socket/DNS errors worth retrying — a flaky resolver or reset connection
+// is exactly the 2026-06-10 "no DNS records for discord.com" failure mode. NEVER
+// includes SSRF blocks (private IP / disallowed domain) — those are hard rejects.
+const RETRYABLE_ERROR_CODES = new Set([
+  'ECONNRESET', 'ETIMEDOUT', 'ENETUNREACH', 'EHOSTUNREACH',
+  'EAI_AGAIN', 'ENOTFOUND', 'ECONNREFUSED', 'EPIPE'
+]);
+// DNS resolution retry (separate from HTTP retry — a name that won't resolve never
+// reaches the request). 3 retries → 4 attempts, backoff 0.5s/1s/2s ≈ 3.5s worst case.
+const DNS_MAX_RETRIES = 3;
+const DNS_BACKOFF_BASE_MS = 500;
 
 // Rate limiting: max 1 webhook per second (Discord limit is 30/min)
 const RATE_LIMIT_MS = 1000;
@@ -383,6 +389,36 @@ function sleepMs(ms) {
   return new Promise(resolve => setTimeout(resolve, ms));
 }
 
+/**
+ * Resolve a hostname to IPv4+IPv6, retrying on transient DNS failures (empty
+ * answer / EAI_AGAIN). Returns { ipv4, ipv6, all } on success. Throws after the
+ * retry budget is exhausted. Does NOT perform the SSRF private-IP check — the
+ * caller does that on the returned addresses so a hard block is never retried.
+ */
+async function resolveHostWithRetry(hostname, opts = {}) {
+  const maxRetries = opts.maxRetries != null ? opts.maxRetries : DNS_MAX_RETRIES;
+  const backoffBase = opts.backoffMs != null ? opts.backoffMs : DNS_BACKOFF_BASE_MS;
+  let lastErr;
+  for (let attempt = 0; attempt <= maxRetries; attempt++) {
+    let ipv4 = [], ipv6 = [];
+    try {
+      [ipv4, ipv6] = await Promise.all([
+        dns.promises.resolve4(hostname).catch(() => []),
+        dns.promises.resolve6(hostname).catch(() => [])
+      ]);
+    } catch (e) { lastErr = e; }
+    const all = [...ipv4, ...ipv6];
+    if (all.length > 0) return { ipv4, ipv6, all };
+    lastErr = new Error(`Webhook blocked: no DNS records found for ${hostname}`);
+    if (attempt < maxRetries) {
+      const backoff = backoffBase * Math.pow(2, attempt);
+      console.error(`[WEBHOOK] DNS for ${hostname} returned no records, retrying in ${backoff}ms (attempt ${attempt + 1}/${maxRetries})...`);
+      await sleepMs(backoff);
+    }
+  }
+  throw lastErr;
+}
+
 function sendOnce(url, payload, resolvedAddress) {
   return new Promise((resolve, reject) => {
     const urlObj = new URL(url);
@@ -449,7 +485,13 @@ async function send(url, payload, resolvedAddress) {
       return result;
     } catch (err) {
       lastError = err;
-      const isRetryable = err.statusCode && RETRYABLE_STATUS_CODES.has(err.statusCode);
+      // Retry on retryable HTTP status, transient socket errors, OR a request
+      // timeout (no statusCode/code, identified by message). A 1MB-overflow or
+      // any other non-transient error falls through and throws immediately.
+      const isRetryable =
+        (err.statusCode && RETRYABLE_STATUS_CODES.has(err.statusCode)) ||
+        (err.code && RETRYABLE_ERROR_CODES.has(err.code)) ||
+        /timeout/i.test(err.message || '');
       if (!isRetryable || attempt >= MAX_RETRIES) {
         throw err;
       }
@@ -461,7 +503,8 @@ async function send(url, payload, resolvedAddress) {
       } else {
         backoffMs = BACKOFF_BASE_MS * Math.pow(2, attempt);
       }
-      console.error(`[WEBHOOK] HTTP ${err.statusCode}, retrying in ${backoffMs}ms (attempt ${attempt + 1}/${MAX_RETRIES})...`);
+      const reason = err.statusCode ? `HTTP ${err.statusCode}` : (err.code || err.message);
+      console.error(`[WEBHOOK] ${reason}, retrying in ${backoffMs}ms (attempt ${attempt + 1}/${MAX_RETRIES})...`);
       await sleepMs(backoffMs);
     }
   }
@@ -470,5 +513,7 @@ async function send(url, payload, resolvedAddress) {
 
 module.exports = {
   sendWebhook, validateWebhookUrl, formatDiscord, formatSlack, formatGeneric,
-  MAX_RETRIES, BACKOFF_BASE_MS, RETRYABLE_STATUS_CODES, RATE_LIMIT_MS
+  resolveHostWithRetry,
+  MAX_RETRIES, BACKOFF_BASE_MS, RETRYABLE_STATUS_CODES, RATE_LIMIT_MS,
+  RETRYABLE_ERROR_CODES, DNS_MAX_RETRIES, DNS_BACKOFF_BASE_MS
 };

package/src/monitor/daemon.js

@@ -8,7 +8,7 @@ const { banner } = require('../utils.js');
 const { setVerboseMode, isSandboxEnabled, isCanaryEnabled, isLlmDetectiveEnabled, getLlmDetectiveMode, DOWNLOADS_CACHE_TTL } = require('./classify.js');
 const { loadState, saveState, loadDailyStats, saveDailyStats, purgeTarballCache, isDailyReportDue, atomicWriteFileSync, saveNpmSeq, ALERTS_FILE, runStateMigrations, loadRecentlyScanned, saveRecentlyScanned } = require('./state.js');
 const { isTemporalEnabled, isTemporalAstEnabled, isTemporalPublishEnabled, isTemporalMaintainerEnabled } = require('./temporal.js');
-const { pendingGrouped, flushScopeGroup, sendDailyReport, alertedPackageRules, ALERTED_PACKAGES_MAX: MAX_ALERTED_PACKAGES } = require('./webhook.js');
+const { pendingGrouped, flushScopeGroup, sendDailyReport, redeliverPendingReportOnBoot, alertedPackageRules, ALERTED_PACKAGES_MAX: MAX_ALERTED_PACKAGES } = require('./webhook.js');
 const { poll, getPollBackoffMs } = require('./ingestion.js');
 const { ensureWorkers, drainWorkers, getTargetConcurrency, setTargetConcurrency, getActiveWorkers, terminateAllWorkers } = require('./queue.js');
 const { computeTarget, ADJUST_INTERVAL_MS, BASE_CONCURRENCY } = require('./adaptive-concurrency.js');
@@ -964,6 +964,11 @@ async function startMonitor(options, stats, dailyAlerts, recentlyScanned, downlo
   // Best-effort and fire-and-forget; never blocks the daemon.
   startGhsaPoller(stats);
 
+  // AUDIT 3: if the last daily report failed to deliver (e.g. a DNS blip at 08:00),
+  // it sits on disk with delivered=false. Redeliver it once now. Fire-and-forget —
+  // never blocks startup, never throws (legacy reports without the flag are skipped).
+  redeliverPendingReportOnBoot().catch(() => { /* logged inside; non-fatal */ });
+
   // ─── Initial poll ───
   // Fills the queue with pending packages. Processing starts in the main loop
   // via ensureWorkers (non-blocking) — NOT await processQueue (blocking).

package/src/monitor/state.js

@@ -1115,6 +1115,12 @@ function computeLedgerRollup(sinceTs, opts = {}) {
   const scannedKeys = new Set();
   const droppedKeys = new Set();
   let exactVanished = true;
+  // Distinct package NAMES (version-collapsed) for honest coverage. A package is
+  // "covered" if at least one of its versions reached a real scan (non-dropped).
+  // Bounded: names are only added while underCap, so |names| ≤ |keys| ≤ MAX_ROLLUP_KEYS.
+  // Exactness mirrors exactVanished (false iff the cap was hit mid-window).
+  const allNames = new Set();
+  const scannedNames = new Set();
 
   _iterateJsonlSync(file, (e) => {
     if (!e || !e.name) return;
@@ -1140,11 +1146,11 @@ function computeLedgerRollup(sinceTs, opts = {}) {
     const underCap = exactVanished && (scannedKeys.size + droppedKeys.size) < MAX_ROLLUP_KEYS;
     if (outcome === 'dropped') {
       dropped++; ecoNode.dropped++;
-      if (underCap) droppedKeys.add(key); else exactVanished = false;
+      if (underCap) { droppedKeys.add(key); allNames.add(e.name); } else exactVanished = false;
     } else {
       scanned++; ecoNode.scanned++;
       if (outcome === 'suspect' || outcome === 'confirmed') { alerted++; ecoNode.alerted++; }
-      if (underCap) scannedKeys.add(key); else exactVanished = false;
+      if (underCap) { scannedKeys.add(key); allNames.add(e.name); scannedNames.add(e.name); } else exactVanished = false;
     }
   });
 
@@ -1164,6 +1170,13 @@ function computeLedgerRollup(sinceTs, opts = {}) {
     alerted,
     // NOT a TPR — see the HONEST METRIC NOTE above. null when nothing was scanned.
     alertRate: scanned > 0 ? alerted / scanned : null,
+    // Honest, version-collapsed coverage: distinct package names seen vs scanned.
+    // Bounded ≤100% by construction (scannedNames ⊆ allNames). Unlike the raw
+    // event-count coverage in the embed, this is immune to version-spam inflation
+    // (e.g. a package publishing thousands of versions counts once).
+    distinctPackages: allNames.size,
+    distinctScanned: scannedNames.size,
+    distinctCoverage: allNames.size > 0 ? scannedNames.size / allNames.size : null,
     byOutcome,
     byEcosystem
   };

package/src/monitor/webhook.js

@@ -455,6 +455,10 @@ function persistDailyReport(reportPayload, rawMetrics) {
     const data = {
       date: today,
       timestamp: new Date().toISOString(),
+      // delivered=false until the webhook confirms — markReportDelivered() flips it
+      // after a successful send. The boot redelivery path keys off this (AUDIT 3).
+      delivered: false,
+      deliveredAt: null,
       embed: reportPayload,
       metrics: rawMetrics
     };
@@ -465,6 +469,92 @@ function persistDailyReport(reportPayload, rawMetrics) {
   }
 }
 
+// --- AUDIT 3: persisted-report redelivery (resend + boot recovery) ---
+
+/** List persisted daily-report dates (YYYY-MM-DD), sorted ascending. */
+function listPersistedReportDates() {
+  try {
+    return fs.readdirSync(DAILY_REPORTS_LOG_DIR)
+      .filter(f => /^\d{4}-\d{2}-\d{2}\.json$/.test(f))
+      .map(f => f.slice(0, -5))
+      .sort();
+  } catch { return []; }
+}
+
+/**
+ * Load a persisted daily report by date (default: latest). Returns
+ * { date, filePath, data } or null if none / unreadable.
+ */
+function loadPersistedReport(date) {
+  let d = date;
+  if (!d) {
+    const all = listPersistedReportDates();
+    if (all.length === 0) return null;
+    d = all[all.length - 1];
+  }
+  const filePath = path.join(DAILY_REPORTS_LOG_DIR, `${d}.json`);
+  try {
+    return { date: d, filePath, data: JSON.parse(fs.readFileSync(filePath, 'utf8')) };
+  } catch { return null; }
+}
+
+/** Mark a persisted report file as delivered (idempotent, best-effort). */
+function markReportDelivered(filePath, data) {
+  try {
+    data.delivered = true;
+    data.deliveredAt = new Date().toISOString();
+    atomicWriteFileSync(filePath, JSON.stringify(data, null, 2));
+  } catch (err) {
+    console.error(`[MONITOR] Failed to mark report delivered: ${err.message}`);
+  }
+}
+
+/**
+ * Resend a persisted daily report's EXACT embed to the webhook — faithful
+ * redelivery, no stats reconstruction. Used by `report --resend [date]` and the
+ * boot redelivery path. Returns { sent, message, date }.
+ */
+async function resendDailyReport(date) {
+  const url = getWebhookUrl();
+  if (!url) return { sent: false, message: 'MUADDIB_WEBHOOK_URL not configured' };
+  const report = loadPersistedReport(date);
+  if (!report) {
+    return { sent: false, message: date ? `No persisted report for ${date}` : 'No persisted reports found' };
+  }
+  const payload = report.data && report.data.embed;
+  if (!payload) return { sent: false, message: `Report ${report.date} has no embed payload`, date: report.date };
+  try {
+    await sendWebhook(url, payload, { rawPayload: true });
+  } catch (err) {
+    return { sent: false, message: `Webhook failed: ${err.message}`, date: report.date };
+  }
+  markReportDelivered(report.filePath, report.data);
+  return { sent: true, message: `Daily report ${report.date} resent`, date: report.date };
+}
+
+/**
+ * Boot redelivery: if the most recent persisted report was never confirmed
+ * delivered (last webhook failed — e.g. the 2026-06-10 DNS blip) AND a webhook URL
+ * is configured, attempt exactly one resend. Best-effort; never throws. Reports
+ * with delivered === undefined (written before this feature) are treated as
+ * delivered, so upgrading never spams historical reports.
+ */
+async function redeliverPendingReportOnBoot() {
+  try {
+    const report = loadPersistedReport(null); // latest
+    if (!report) return { attempted: false, reason: 'no_reports' };
+    if (report.data.delivered !== false) return { attempted: false, reason: 'already_delivered_or_legacy' };
+    if (!getWebhookUrl()) return { attempted: false, reason: 'no_webhook_url' };
+    console.log(`[MONITOR] Last daily report (${report.date}) was not delivered — attempting boot redelivery...`);
+    const res = await resendDailyReport(report.date);
+    console.log(`[MONITOR] Boot redelivery of ${report.date}: ${res.sent ? 'sent' : 'failed — ' + res.message}`);
+    return { attempted: true, sent: res.sent, date: report.date };
+  } catch (err) {
+    console.error(`[MONITOR] Boot redelivery error (non-fatal): ${err.message}`);
+    return { attempted: false, reason: 'error' };
+  }
+}
+
 function computeAlertPriority(result, sandboxResult) {
   const threats = (result && result.threats) || [];
   const score = (result && result.summary) ? (result.summary.riskScore || 0) : 0;
@@ -1027,25 +1117,41 @@ function buildDailyReportEmbed(stats, dailyAlerts, ledgerRollup) {
   // Avg scan time from in-memory stats
   const avg = stats.scanned > 0 ? (stats.totalTimeMs / stats.scanned / 1000).toFixed(1) : '0.0';
 
-  // --- Coverage estimation ---
-  // Numerator: unique (ecosystem, name, version) tuples that reached a scan
-  // attempt (post-dedup). Denominator: raw publish events seen on either
-  // changes stream BEFORE per-package filtering, plus npm catch-up gaps and
-  // PyPI publish events that survived per-(name,version) dedup. This stays
-  // bounded near 100% — old "scanned/changesStreamPackages" was racing PyPI
-  // scans and ATO burst extras against an npm-only denominator.
+  // --- Phase 0b: per-scan ledger rollup (resolved early so Coverage can use it) ---
+  // Caller may pass a precomputed rollup (sendDailyReport does, to persist the same
+  // numbers it displays); undefined → compute here; explicit null → omit the section.
+  const ledger = ledgerRollup !== undefined ? ledgerRollup : safeLedgerRollup();
+
+  // --- Coverage ---
+  // HEADLINE: honest, version-collapsed coverage from the scan-ledger — distinct
+  // package NAMES actually scanned vs distinct names seen (scanned + dropped) in
+  // the window. Bounded ≤100% by construction and immune to version-spam (a
+  // package publishing thousands of versions counts once). The raw publish-event
+  // ratio is kept as a SECONDARY line for continuity but is no longer the headline:
+  // it races re-scans / PyPI / burst extras against an npm-only event denominator
+  // and routinely exceeds 100% (see AUDIT 4 — daily-reports-analysis.md).
   const attempted = stats.uniqueScanAttempts || 0;
   const npmPub = stats.npmPublishEventsSeen || 0;
   const pypiPub = stats.pypiChangelogPackages || 0;
   const published = npmPub + pypiPub;
-  const coverageRatio = published > 0 ? (attempted / published * 100).toFixed(0) : '0';
   const catchupSkipped = (stats.npmCatchupSkippedSeqs || 0) + (stats.pypiCatchupSkippedEvents || 0);
   const opsSuffix = catchupSkipped > 0
     ? `\nOps: ${stats.scanned} | Catch-up skip: ${catchupSkipped}`
     : `\nOps: ${stats.scanned}`;
-  const coverageText = published > 0
-    ? `${attempted}/${published} (${coverageRatio}%)${opsSuffix}`
-    : `${attempted} attempted${opsSuffix}`;
+  let coverageText;
+  if (ledger && ledger.distinctPackages > 0 && ledger.distinctCoverage != null) {
+    const pct = (ledger.distinctCoverage * 100).toFixed(0);
+    const approx = ledger.exactVanished === false ? '~' : '';
+    coverageText = `${ledger.distinctScanned}/${ledger.distinctPackages} pkgs (${approx}${pct}%)`;
+    if (published > 0) coverageText += `\nRaw events: ${attempted}/${published}`;
+    coverageText += opsSuffix;
+  } else if (published > 0) {
+    // Fallback: ledger unavailable (first boot / empty ledger) → legacy event ratio.
+    const coverageRatio = (attempted / published * 100).toFixed(0);
+    coverageText = `${attempted}/${published} (${coverageRatio}%)${opsSuffix}`;
+  } else {
+    coverageText = `${attempted} attempted${opsSuffix}`;
+  }
 
   // --- Timeouts ---
   const staticTimeouts = (stats.errorsByType && stats.errorsByType.static_timeout) || 0;
@@ -1108,9 +1214,7 @@ function buildDailyReportEmbed(stats, dailyAlerts, ledgerRollup) {
   const healthText = `Up ${uptimeH}h${uptimeM}m | Heap ${heapMB}MB${jsonlInfo}`;
 
   // --- Phase 0b: per-scan ledger rollup (operational coverage) ---
-  // Caller may pass a precomputed rollup (sendDailyReport does, to persist the same
-  // numbers it displays); undefined → compute here; explicit null → omit the section.
-  const ledger = ledgerRollup !== undefined ? ledgerRollup : safeLedgerRollup();
+  // `ledger` was resolved above (Coverage uses it). explicit null → omit the section.
   const ledgerField = formatLedgerField(ledger);
 
   const now = new Date();
@@ -1207,6 +1311,12 @@ async function sendDailyReport(stats, dailyAlerts, recentlyScanned, downloadsCac
     deferredProcessed: stats.deferredProcessed || 0,
     deferredExpired: stats.deferredExpired || 0,
     changesStreamPackages: stats.changesStreamPackages || 0,
+    // Honest version-collapsed coverage (AUDIT 4): top-level mirror of the
+    // ledger fields so trend analysis can read them without descending into
+    // metrics.ledger. null when the ledger window was empty.
+    distinctPackages: ledgerRollup ? (ledgerRollup.distinctPackages ?? null) : null,
+    distinctScanned: ledgerRollup ? (ledgerRollup.distinctScanned ?? null) : null,
+    distinctCoverage: ledgerRollup ? (ledgerRollup.distinctCoverage ?? null) : null,
     restartsToday: stats.restartsToday || 0,
     temporalLoadShed: stats.temporalLoadShed || 0,
     queueHardDrops: stats.queueHardDrops || 0,
@@ -1278,8 +1388,13 @@ async function sendDailyReport(stats, dailyAlerts, recentlyScanned, downloadsCac
     try {
       await sendWebhook(url, payload, { rawPayload: true });
       console.log('[MONITOR] Daily report sent');
+      // Confirm delivery on the just-persisted file so boot redelivery won't resend it.
+      const persisted = loadPersistedReport(today);
+      if (persisted) markReportDelivered(persisted.filePath, persisted.data);
     } catch (err) {
-      console.error(`[MONITOR] Daily report webhook failed: ${err.message}`);
+      // Webhook failed (DNS/network/5xx after retries). The report stays on disk with
+      // delivered=false → it will be redelivered on the next daemon boot (AUDIT 3).
+      console.error(`[MONITOR] Daily report webhook failed: ${err.message} — left undelivered for boot redelivery`);
     }
   } else {
     console.log('[MONITOR] Daily report persisted locally (no webhook URL configured)');
@@ -1467,6 +1582,11 @@ module.exports = {
   triageRisk,
   persistAlert,
   persistDailyReport,
+  listPersistedReportDates,
+  loadPersistedReport,
+  markReportDelivered,
+  resendDailyReport,
+  redeliverPendingReportOnBoot,
   computeAlertPriority,
   buildAlertData,
   trySendWebhook,