muaddib-scanner 2.11.80 → 2.11.82

package/bin/muaddib.js

@@ -21,6 +21,15 @@ if (process.argv[2] === 'evaluate') {
   }
 }
 
+// Load /opt/muaddib/.env (project root) if present, BEFORE anything reads env, so
+// one-shot CLI invocations (notably `report --now` / `report --resend`) see
+// MUADDIB_WEBHOOK_URL even when not launched by the systemd unit that sets
+// EnvironmentFile. Real environment variables are never overwritten. Optional file.
+try {
+  const { loadDotEnv } = require('../src/env-loader.js');
+  loadDotEnv(require('path').join(__dirname, '..', '.env'));
+} catch { /* non-fatal: .env is optional */ }
+
 const { run } = require('../src/index.js');
 const { updateIOCs } = require('../src/ioc/updater.js');
 const { watch } = require('../src/watch.js');
@@ -721,6 +730,26 @@ if (command === 'version' || command === '--version' || command === '-v') {
       console.error('[ERROR]', err.message);
       process.exit(1);
     });
+  } else if (options.includes('--resend')) {
+    // Redeliver an already-persisted daily report (default: the latest) to the
+    // webhook — for when the original send failed (e.g. a DNS blip). No stats
+    // reconstruction; the exact persisted embed is re-sent.
+    const { resendReport } = require('../src/monitor.js');
+    const dateArg = options.find(o => !o.startsWith('--')) || null;
+    resendReport(dateArg).then(result => {
+      const color = process.stdout.isTTY;
+      if (result.sent) {
+        const check = color ? '\x1b[32m✓\x1b[0m' : '✓';
+        console.log(`\n  ${check} ${result.message}\n`);
+      } else {
+        const warn = color ? '\x1b[33m!\x1b[0m' : '!';
+        console.log(`\n  ${warn} ${result.message}\n`);
+      }
+      process.exit(result.sent ? 0 : 1);
+    }).catch(err => {
+      console.error('[ERROR]', err.message);
+      process.exit(1);
+    });
   } else if (options.includes('--status')) {
     const { getReportStatus } = require('../src/monitor.js');
     const status = getReportStatus();
@@ -731,7 +760,7 @@ if (command === 'version' || command === '--version' || command === '-v') {
     console.log('');
     process.exit(0);
   } else {
-    console.log('Usage: muaddib report --now | --status');
+    console.log('Usage: muaddib report --now | --resend [YYYY-MM-DD] | --status');
     process.exit(1);
   }
 } else if (command === 'relabel') {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.11.80",
+  "version": "2.11.82",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/{self-scan-v2.11.80.json → self-scan-v2.11.82.json}

@@ -1,6 +1,6 @@
 {
   "target": "node_modules",
-  "timestamp": "2026-06-10T12:26:12.478Z",
+  "timestamp": "2026-06-10T12:51:04.328Z",
   "threats": [
     {
       "type": "string_mutation_obfuscation",

package/src/env-loader.js

@@ -0,0 +1,57 @@
+'use strict';
+
+const fs = require('fs');
+
+// Minimal .env loader — zero dependency (the project forbids new runtime deps, so
+// no dotenv). Parses KEY=VALUE lines, ignores blanks / # comments / `export `
+// prefixes, strips one pair of surrounding quotes, and by default NEVER overwrites
+// a variable already present in process.env (the real environment / systemd
+// EnvironmentFile always wins over the on-disk file).
+
+function parseDotEnv(content) {
+  const out = {};
+  for (const rawLine of String(content).split(/\r?\n/)) {
+    const line = rawLine.trim();
+    if (!line || line.startsWith('#')) continue;
+    const eq = line.indexOf('=');
+    if (eq <= 0) continue;
+    let key = line.slice(0, eq).trim();
+    if (key.startsWith('export ')) key = key.slice(7).trim();
+    if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(key)) continue; // skip malformed keys
+    let val = line.slice(eq + 1).trim();
+    if ((val.startsWith('"') && val.endsWith('"')) ||
+        (val.startsWith("'") && val.endsWith("'"))) {
+      val = val.slice(1, -1);
+    }
+    out[key] = val;
+  }
+  return out;
+}
+
+/**
+ * Load a .env file into process.env. Missing / unreadable file is a silent no-op
+ * (the file is optional). Returns { loaded, keys } where keys are the names that
+ * were actually applied.
+ * @param {string} filePath
+ * @param {{override?: boolean}} [opts] override=true replaces existing vars (default false)
+ */
+function loadDotEnv(filePath, opts = {}) {
+  const override = opts.override === true;
+  let content;
+  try {
+    content = fs.readFileSync(filePath, 'utf8');
+  } catch {
+    return { loaded: false, keys: [] };
+  }
+  const parsed = parseDotEnv(content);
+  const applied = [];
+  for (const [k, v] of Object.entries(parsed)) {
+    if (override || process.env[k] === undefined) {
+      process.env[k] = v;
+      applied.push(k);
+    }
+  }
+  return { loaded: true, keys: applied };
+}
+
+module.exports = { parseDotEnv, loadDotEnv };

package/src/integrations/webhook.js

@@ -70,20 +70,15 @@ async function sendWebhook(url, results, options = {}) {
   const urlObj = new URL(url);
   let resolvedAddress;
   try {
-    const [ipv4Addresses, ipv6Addresses] = await Promise.all([
-      dns.promises.resolve4(urlObj.hostname).catch(() => []),
-      dns.promises.resolve6(urlObj.hostname).catch(() => [])
-    ]);
-    const allAddresses = [...ipv4Addresses, ...ipv6Addresses];
-    if (allAddresses.length === 0) {
-      throw new Error(`Webhook blocked: no DNS records found for ${urlObj.hostname}`);
-    }
+    // Retries transient resolver failures (the 2026-06-10 DNS blip). The SSRF
+    // private-IP check below runs on the resolved addresses and is NOT retried.
+    const { ipv4, all: allAddresses } = await resolveHostWithRetry(urlObj.hostname);
     for (const address of allAddresses) {
       if (PRIVATE_IP_PATTERNS.some(pattern => pattern.test(address))) {
         throw new Error(`Webhook blocked: hostname ${urlObj.hostname} resolves to private IP ${address}`);
       }
     }
-    resolvedAddress = ipv4Addresses[0] || null;
+    resolvedAddress = ipv4[0] || null;
   } catch (e) {
     if (e.message.startsWith('Webhook blocked')) throw e;
     throw new Error(`Webhook blocked: DNS resolution failed for ${urlObj.hostname}`, { cause: e });
@@ -365,6 +360,17 @@ const MAX_RESPONSE_SIZE = 1024 * 1024; // 1MB
 const MAX_RETRIES = 3;
 const BACKOFF_BASE_MS = 1000; // 1s, 2s, 4s exponential backoff
 const RETRYABLE_STATUS_CODES = new Set([429, 500, 502, 503, 504]);
+// Transient socket/DNS errors worth retrying — a flaky resolver or reset connection
+// is exactly the 2026-06-10 "no DNS records for discord.com" failure mode. NEVER
+// includes SSRF blocks (private IP / disallowed domain) — those are hard rejects.
+const RETRYABLE_ERROR_CODES = new Set([
+  'ECONNRESET', 'ETIMEDOUT', 'ENETUNREACH', 'EHOSTUNREACH',
+  'EAI_AGAIN', 'ENOTFOUND', 'ECONNREFUSED', 'EPIPE'
+]);
+// DNS resolution retry (separate from HTTP retry — a name that won't resolve never
+// reaches the request). 3 retries → 4 attempts, backoff 0.5s/1s/2s ≈ 3.5s worst case.
+const DNS_MAX_RETRIES = 3;
+const DNS_BACKOFF_BASE_MS = 500;
 
 // Rate limiting: max 1 webhook per second (Discord limit is 30/min)
 const RATE_LIMIT_MS = 1000;
@@ -383,6 +389,36 @@ function sleepMs(ms) {
   return new Promise(resolve => setTimeout(resolve, ms));
 }
 
+/**
+ * Resolve a hostname to IPv4+IPv6, retrying on transient DNS failures (empty
+ * answer / EAI_AGAIN). Returns { ipv4, ipv6, all } on success. Throws after the
+ * retry budget is exhausted. Does NOT perform the SSRF private-IP check — the
+ * caller does that on the returned addresses so a hard block is never retried.
+ */
+async function resolveHostWithRetry(hostname, opts = {}) {
+  const maxRetries = opts.maxRetries != null ? opts.maxRetries : DNS_MAX_RETRIES;
+  const backoffBase = opts.backoffMs != null ? opts.backoffMs : DNS_BACKOFF_BASE_MS;
+  let lastErr;
+  for (let attempt = 0; attempt <= maxRetries; attempt++) {
+    let ipv4 = [], ipv6 = [];
+    try {
+      [ipv4, ipv6] = await Promise.all([
+        dns.promises.resolve4(hostname).catch(() => []),
+        dns.promises.resolve6(hostname).catch(() => [])
+      ]);
+    } catch (e) { lastErr = e; }
+    const all = [...ipv4, ...ipv6];
+    if (all.length > 0) return { ipv4, ipv6, all };
+    lastErr = new Error(`Webhook blocked: no DNS records found for ${hostname}`);
+    if (attempt < maxRetries) {
+      const backoff = backoffBase * Math.pow(2, attempt);
+      console.error(`[WEBHOOK] DNS for ${hostname} returned no records, retrying in ${backoff}ms (attempt ${attempt + 1}/${maxRetries})...`);
+      await sleepMs(backoff);
+    }
+  }
+  throw lastErr;
+}
+
 function sendOnce(url, payload, resolvedAddress) {
   return new Promise((resolve, reject) => {
     const urlObj = new URL(url);
@@ -449,7 +485,13 @@ async function send(url, payload, resolvedAddress) {
       return result;
     } catch (err) {
       lastError = err;
-      const isRetryable = err.statusCode && RETRYABLE_STATUS_CODES.has(err.statusCode);
+      // Retry on retryable HTTP status, transient socket errors, OR a request
+      // timeout (no statusCode/code, identified by message). A 1MB-overflow or
+      // any other non-transient error falls through and throws immediately.
+      const isRetryable =
+        (err.statusCode && RETRYABLE_STATUS_CODES.has(err.statusCode)) ||
+        (err.code && RETRYABLE_ERROR_CODES.has(err.code)) ||
+        /timeout/i.test(err.message || '');
       if (!isRetryable || attempt >= MAX_RETRIES) {
         throw err;
       }
@@ -461,7 +503,8 @@ async function send(url, payload, resolvedAddress) {
       } else {
         backoffMs = BACKOFF_BASE_MS * Math.pow(2, attempt);
       }
-      console.error(`[WEBHOOK] HTTP ${err.statusCode}, retrying in ${backoffMs}ms (attempt ${attempt + 1}/${MAX_RETRIES})...`);
+      const reason = err.statusCode ? `HTTP ${err.statusCode}` : (err.code || err.message);
+      console.error(`[WEBHOOK] ${reason}, retrying in ${backoffMs}ms (attempt ${attempt + 1}/${MAX_RETRIES})...`);
       await sleepMs(backoffMs);
     }
   }
@@ -470,5 +513,7 @@ async function send(url, payload, resolvedAddress) {
 
 module.exports = {
   sendWebhook, validateWebhookUrl, formatDiscord, formatSlack, formatGeneric,
-  MAX_RETRIES, BACKOFF_BASE_MS, RETRYABLE_STATUS_CODES, RATE_LIMIT_MS
+  resolveHostWithRetry,
+  MAX_RETRIES, BACKOFF_BASE_MS, RETRYABLE_STATUS_CODES, RATE_LIMIT_MS,
+  RETRYABLE_ERROR_CODES, DNS_MAX_RETRIES, DNS_BACKOFF_BASE_MS
 };

package/src/ml/feature-extractor.js

@@ -751,6 +751,75 @@ function mcpServerEnvAccess(result, meta) {
   return true;
 }
 
+// ============================================================================
+// Feature 15 — mcp_server_benign_lifecycle (AUDIT 2, 2026-06)
+// ============================================================================
+//
+// Like F9 (mcpServerEnvAccess) but TOLERATES a benign install lifecycle. F9
+// vetoes on ANY preinstall/install/postinstall (its C3), which makes it
+// inoperative for the ~77% of legitimate MCP installers that ship a build/setup
+// hook (`husky install`, `node build.js`, `tsc`). Those packages stack
+// mcp_config_injection (CRIT) + suspicious_dataflow (CRIT, env→first-party POST)
+// + env_access (HIGH) + lifecycle_script (MEDIUM) and score ~150 on `muaddib
+// scan` — the recurring @recapp/mcp-style false positives in the daily report.
+//
+// F15 instead allows a lifecycle that is only flagged as a plain MEDIUM/LOW
+// `lifecycle_script`, and vetoes the moment the lifecycle does anything
+// malicious. Ground-truth safety (verified by replay before/after):
+//   GT-060 mcp-config-inject  → vetoed by lifecycle_file_exec (malicious postinstall)
+//   GT-088 defi-threat-scanner → vetoed by HARD exfil (suspicious_domain) + cred files
+//   GT-066 ai-agent-exploit    → never emits mcp_config_injection (C2 excludes it)
+//   GT-097 / GT-099            → HARD exfil / not an mcp_config_injection JS package
+// Same cap (30 = MEDIUM) and identity/provider-key machinery as F9.
+const F15_LIFECYCLE_MALICE_TYPES = new Set([
+  'lifecycle_file_exec',        // postinstall executes a file containing HIGH/CRIT threats
+  'lifecycle_dataflow',         // install-time credential read + network send (compound)
+  'lifecycle_shell_pipe',       // curl | sh during install
+  'lifecycle_missing_script',   // phantom install script (payload injected later)
+  'intent_credential_exfil',    // multi-file credential→network intent
+  'intent_command_exfil',
+  'detached_credential_exfil',
+  'staged_payload'
+]);
+
+function mcpServerBenignLifecycle(result, meta) {
+  // C1 — MCP identity (same as F9)
+  if (!_f9HasMcpIdentity(meta)) return false;
+  const threats = (result && result.threats) || [];
+  if (threats.length === 0) return false;
+  // C2 — mcp_config_injection present (proves real MCP work, not just a name claim)
+  if (!threats.some(t => t.type === 'mcp_config_injection')) return false;
+  // C3' (relaxed) — a lifecycle MAY exist, but it must be benign: no malicious
+  // lifecycle compound, and a plain lifecycle_script (if any) must not itself be
+  // HIGH/CRITICAL (a benign husky/build hook is MEDIUM/LOW).
+  for (const t of threats) {
+    if (F15_LIFECYCLE_MALICE_TYPES.has(t.type)) return false;
+    if (t.type === 'lifecycle_script' && (t.severity === 'HIGH' || t.severity === 'CRITICAL')) return false;
+  }
+  // C4 — env_access / credential threats cite ONLY known provider keys or infra
+  // vars; never credential file paths (same machinery as F9).
+  for (const t of threats) {
+    if (t.type !== 'env_access' && t.type !== 'credential_regex_harvest' &&
+        t.type !== 'env_charcode_reconstruction') continue;
+    const msg = String(t.message || '');
+    if (F9_CREDENTIAL_FILE_RE.test(msg)) return false;
+    const candidates = msg.match(/\b[A-Z][A-Z0-9_]{2,}\b/g);
+    if (!candidates) continue;
+    for (const v of candidates) {
+      if (KNOWN_PROVIDER_KEYS_LITERAL.has(v)) continue;
+      if (PROVIDER_KEY_SUFFIX_RE.test(v)) continue;
+      if (F9_INFRA_KEYS.has(v)) continue;
+      return false;
+    }
+  }
+  // C5 — no HARD third-party exfil capability (SOFT suspicious_dataflow to a
+  // first-party endpoint is intrinsic to MCP installers — see F9/F14)
+  for (const t of threats) {
+    if (HARD_EXFIL_TYPES.has(t.type)) return false;
+  }
+  return true;
+}
+
 // ============================================================================
 // Feature 10 — vendor_cli_sdk (v2.11.23, audit week3 cluster, 96 FP)
 // ============================================================================
@@ -1426,6 +1495,7 @@ module.exports = {
   placeholderAntiDepConfusion,
   installScriptNoNetworkEgress,
   mcpServerEnvAccess,
+  mcpServerBenignLifecycle,
   vendorCliSdk,
   aiAgentBot,
   vendorMinifiedBundle,

package/src/monitor/daemon.js

@@ -8,7 +8,7 @@ const { banner } = require('../utils.js');
 const { setVerboseMode, isSandboxEnabled, isCanaryEnabled, isLlmDetectiveEnabled, getLlmDetectiveMode, DOWNLOADS_CACHE_TTL } = require('./classify.js');
 const { loadState, saveState, loadDailyStats, saveDailyStats, purgeTarballCache, isDailyReportDue, atomicWriteFileSync, saveNpmSeq, ALERTS_FILE, runStateMigrations, loadRecentlyScanned, saveRecentlyScanned } = require('./state.js');
 const { isTemporalEnabled, isTemporalAstEnabled, isTemporalPublishEnabled, isTemporalMaintainerEnabled } = require('./temporal.js');
-const { pendingGrouped, flushScopeGroup, sendDailyReport, alertedPackageRules, ALERTED_PACKAGES_MAX: MAX_ALERTED_PACKAGES } = require('./webhook.js');
+const { pendingGrouped, flushScopeGroup, sendDailyReport, redeliverPendingReportOnBoot, alertedPackageRules, ALERTED_PACKAGES_MAX: MAX_ALERTED_PACKAGES } = require('./webhook.js');
 const { poll, getPollBackoffMs } = require('./ingestion.js');
 const { ensureWorkers, drainWorkers, getTargetConcurrency, setTargetConcurrency, getActiveWorkers, terminateAllWorkers } = require('./queue.js');
 const { computeTarget, ADJUST_INTERVAL_MS, BASE_CONCURRENCY } = require('./adaptive-concurrency.js');
@@ -964,6 +964,11 @@ async function startMonitor(options, stats, dailyAlerts, recentlyScanned, downlo
   // Best-effort and fire-and-forget; never blocks the daemon.
   startGhsaPoller(stats);
 
+  // AUDIT 3: if the last daily report failed to deliver (e.g. a DNS blip at 08:00),
+  // it sits on disk with delivered=false. Redeliver it once now. Fire-and-forget —
+  // never blocks startup, never throws (legacy reports without the flag are skipped).
+  redeliverPendingReportOnBoot().catch(() => { /* logged inside; non-fatal */ });
+
   // ─── Initial poll ───
   // Fills the queue with pending packages. Processing starts in the main loop
   // via ensureWorkers (non-blocking) — NOT await processQueue (blocking).

package/src/monitor/webhook.js

@@ -455,6 +455,10 @@ function persistDailyReport(reportPayload, rawMetrics) {
     const data = {
       date: today,
       timestamp: new Date().toISOString(),
+      // delivered=false until the webhook confirms — markReportDelivered() flips it
+      // after a successful send. The boot redelivery path keys off this (AUDIT 3).
+      delivered: false,
+      deliveredAt: null,
       embed: reportPayload,
       metrics: rawMetrics
     };
@@ -465,6 +469,92 @@ function persistDailyReport(reportPayload, rawMetrics) {
   }
 }
 
+// --- AUDIT 3: persisted-report redelivery (resend + boot recovery) ---
+
+/** List persisted daily-report dates (YYYY-MM-DD), sorted ascending. */
+function listPersistedReportDates() {
+  try {
+    return fs.readdirSync(DAILY_REPORTS_LOG_DIR)
+      .filter(f => /^\d{4}-\d{2}-\d{2}\.json$/.test(f))
+      .map(f => f.slice(0, -5))
+      .sort();
+  } catch { return []; }
+}
+
+/**
+ * Load a persisted daily report by date (default: latest). Returns
+ * { date, filePath, data } or null if none / unreadable.
+ */
+function loadPersistedReport(date) {
+  let d = date;
+  if (!d) {
+    const all = listPersistedReportDates();
+    if (all.length === 0) return null;
+    d = all[all.length - 1];
+  }
+  const filePath = path.join(DAILY_REPORTS_LOG_DIR, `${d}.json`);
+  try {
+    return { date: d, filePath, data: JSON.parse(fs.readFileSync(filePath, 'utf8')) };
+  } catch { return null; }
+}
+
+/** Mark a persisted report file as delivered (idempotent, best-effort). */
+function markReportDelivered(filePath, data) {
+  try {
+    data.delivered = true;
+    data.deliveredAt = new Date().toISOString();
+    atomicWriteFileSync(filePath, JSON.stringify(data, null, 2));
+  } catch (err) {
+    console.error(`[MONITOR] Failed to mark report delivered: ${err.message}`);
+  }
+}
+
+/**
+ * Resend a persisted daily report's EXACT embed to the webhook — faithful
+ * redelivery, no stats reconstruction. Used by `report --resend [date]` and the
+ * boot redelivery path. Returns { sent, message, date }.
+ */
+async function resendDailyReport(date) {
+  const url = getWebhookUrl();
+  if (!url) return { sent: false, message: 'MUADDIB_WEBHOOK_URL not configured' };
+  const report = loadPersistedReport(date);
+  if (!report) {
+    return { sent: false, message: date ? `No persisted report for ${date}` : 'No persisted reports found' };
+  }
+  const payload = report.data && report.data.embed;
+  if (!payload) return { sent: false, message: `Report ${report.date} has no embed payload`, date: report.date };
+  try {
+    await sendWebhook(url, payload, { rawPayload: true });
+  } catch (err) {
+    return { sent: false, message: `Webhook failed: ${err.message}`, date: report.date };
+  }
+  markReportDelivered(report.filePath, report.data);
+  return { sent: true, message: `Daily report ${report.date} resent`, date: report.date };
+}
+
+/**
+ * Boot redelivery: if the most recent persisted report was never confirmed
+ * delivered (last webhook failed — e.g. the 2026-06-10 DNS blip) AND a webhook URL
+ * is configured, attempt exactly one resend. Best-effort; never throws. Reports
+ * with delivered === undefined (written before this feature) are treated as
+ * delivered, so upgrading never spams historical reports.
+ */
+async function redeliverPendingReportOnBoot() {
+  try {
+    const report = loadPersistedReport(null); // latest
+    if (!report) return { attempted: false, reason: 'no_reports' };
+    if (report.data.delivered !== false) return { attempted: false, reason: 'already_delivered_or_legacy' };
+    if (!getWebhookUrl()) return { attempted: false, reason: 'no_webhook_url' };
+    console.log(`[MONITOR] Last daily report (${report.date}) was not delivered — attempting boot redelivery...`);
+    const res = await resendDailyReport(report.date);
+    console.log(`[MONITOR] Boot redelivery of ${report.date}: ${res.sent ? 'sent' : 'failed — ' + res.message}`);
+    return { attempted: true, sent: res.sent, date: report.date };
+  } catch (err) {
+    console.error(`[MONITOR] Boot redelivery error (non-fatal): ${err.message}`);
+    return { attempted: false, reason: 'error' };
+  }
+}
+
 function computeAlertPriority(result, sandboxResult) {
   const threats = (result && result.threats) || [];
   const score = (result && result.summary) ? (result.summary.riskScore || 0) : 0;
@@ -1298,8 +1388,13 @@ async function sendDailyReport(stats, dailyAlerts, recentlyScanned, downloadsCac
     try {
       await sendWebhook(url, payload, { rawPayload: true });
       console.log('[MONITOR] Daily report sent');
+      // Confirm delivery on the just-persisted file so boot redelivery won't resend it.
+      const persisted = loadPersistedReport(today);
+      if (persisted) markReportDelivered(persisted.filePath, persisted.data);
     } catch (err) {
-      console.error(`[MONITOR] Daily report webhook failed: ${err.message}`);
+      // Webhook failed (DNS/network/5xx after retries). The report stays on disk with
+      // delivered=false → it will be redelivered on the next daemon boot (AUDIT 3).
+      console.error(`[MONITOR] Daily report webhook failed: ${err.message} — left undelivered for boot redelivery`);
     }
   } else {
     console.log('[MONITOR] Daily report persisted locally (no webhook URL configured)');
@@ -1487,6 +1582,11 @@ module.exports = {
   triageRisk,
   persistAlert,
   persistDailyReport,
+  listPersistedReportDates,
+  loadPersistedReport,
+  markReportDelivered,
+  resendDailyReport,
+  redeliverPendingReportOnBoot,
   computeAlertPriority,
   buildAlertData,
   trySendWebhook,

package/src/scoring.js

@@ -1506,6 +1506,7 @@ const {
   obfuscationWithoutVector,
   placeholderAntiDepConfusion,
   mcpServerEnvAccess,
+  mcpServerBenignLifecycle,
   vendorCliSdk,
   aiAgentBot,
   vendorMinifiedBundle,
@@ -1559,6 +1560,13 @@ function applyContextualFPCaps(result, pkgMeta) {
   if (mcpServerEnvAccess(result, meta)) {
     applied.push({ feature: 'mcp_server_env_access', cap: 30 });
   }
+  // F15: legit MCP installer/server WITH a benign install lifecycle (AUDIT 2) →
+  // MAX 30. Extends F9 to the ~77% of MCP installers that ship a build/setup hook
+  // (husky install, node build.js). Vetoes on malicious lifecycle (lifecycle_file_exec
+  // etc.), HARD exfil, or credential-file access — so GT MCP malware stays uncapped.
+  if (mcpServerBenignLifecycle(result, meta)) {
+    applied.push({ feature: 'mcp_server_benign_lifecycle', cap: 30 });
+  }
   // F2: binary installer from GitHub Releases → MAX 35
   if (installUrlGithubReleases(result)) {
     applied.push({ feature: 'install_url_github_releases', cap: 35 });