muaddib-scanner 2.9.5 → 2.9.7

package/bin/muaddib.js

@@ -1,5 +1,5 @@
 #!/usr/bin/env node
-const { exec } = require('child_process');
+const { execFile } = require('child_process');
 const { run } = require('../src/index.js');
 const { updateIOCs } = require('../src/ioc/updater.js');
 const { watch } = require('../src/watch.js');
@@ -33,6 +33,7 @@ let breakdownMode = false;
 let noDeobfuscate = false;
 let noModuleGraph = false;
 let noReachability = false;
+let configPath = null;
 let feedLimit = null;
 let feedSeverity = null;
 let feedSince = null;
@@ -124,6 +125,18 @@ for (let i = 0; i < options.length; i++) {
     noModuleGraph = true;
   } else if (options[i] === '--no-reachability') {
     noReachability = true;
+  } else if (options[i] === '--config') {
+    const cfgPath = options[i + 1];
+    if (!cfgPath || cfgPath.startsWith('-')) {
+      console.error('[ERROR] --config requires a file path argument');
+      process.exit(1);
+    }
+    if (cfgPath.includes('..')) {
+      console.error('[ERROR] --config path must not contain path traversal (..)');
+      process.exit(1);
+    }
+    configPath = cfgPath;
+    i++;
   } else if (options[i] === '--temporal') {
     temporalMode = true;
   } else if (options[i] === '--limit') {
@@ -160,7 +173,8 @@ for (let i = 0; i < options.length; i++) {
 if (!jsonOutput && !sarifOutput && command !== 'feed' && command !== 'serve') {
   try {
     const currentVersion = require('../package.json').version;
-    exec('npm view muaddib-scanner version', { timeout: 5000 }, (err, stdout) => {
+    const npmBin = process.platform === 'win32' ? 'npm.cmd' : 'npm';
+    execFile(npmBin, ['view', 'muaddib-scanner', 'version'], { timeout: 5000 }, (err, stdout) => {
       if (err) return; // No network or npm unavailable
       const latest = (stdout || '').toString().trim();
       if (!latest || latest === currentVersion) return;
@@ -425,6 +439,7 @@ const helpText = `
     --since [date]      Filter detections after date (ISO 8601)
     --port [n]          HTTP server port (default: 3000, serve only)
     --entropy-threshold [n]  Custom string-level entropy threshold (default: 5.5)
+    --config [file]     Custom config file (.muaddibrc.json format)
     --save-dev, -D      Install as dev dependency
     -g, --global        Install globally
     --force             Force install despite threats
@@ -466,7 +481,8 @@ if (command === 'version' || command === '--version' || command === '-v') {
     breakdown: breakdownMode,
     noDeobfuscate: noDeobfuscate,
     noModuleGraph: noModuleGraph,
-    noReachability: noReachability
+    noReachability: noReachability,
+    configPath: configPath
   }).then(exitCode => {
     process.exit(exitCode);
   }).catch(err => {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.9.5",
+  "version": "2.9.7",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/src/config.js

@@ -0,0 +1,250 @@
+/**
+ * MUAD'DIB Configuration Loader
+ *
+ * Loads and validates .muaddibrc.json configuration files.
+ * All fields are optional — missing values fall back to hardcoded defaults.
+ *
+ * Configurable: riskThresholds, maxFileSize, severityWeights
+ * NOT configurable: ADR_THRESHOLD, BENIGN_THRESHOLD, GT_THRESHOLD (evaluation constants),
+ *   FP_COUNT_THRESHOLDS, CONFIDENCE_FACTORS (too granular, modifying without expertise breaks the model)
+ *
+ * Security: parsed into Object.create(null) to prevent prototype pollution.
+ * Config files > 10KB are rejected (no legitimate config is that large).
+ */
+
+const fs = require('fs');
+const path = require('path');
+
+const MAX_CONFIG_SIZE = 10 * 1024; // 10KB
+
+const DEFAULTS = Object.freeze({
+  riskThresholds: Object.freeze({ critical: 75, high: 50, medium: 25 }),
+  maxFileSize: 10 * 1024 * 1024, // 10MB
+  severityWeights: Object.freeze({ critical: 25, high: 10, medium: 3, low: 1 })
+});
+
+const VALID_TOP_KEYS = new Set(['riskThresholds', 'maxFileSize', 'severityWeights']);
+const PROTO_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
+
+/**
+ * Load and parse a JSON config file.
+ * Uses JSON.parse (never require) to prevent code execution.
+ * @param {string} filePath - absolute path to config file
+ * @returns {{ raw: object|null, error: string|null }}
+ */
+function loadConfigFile(filePath) {
+  try {
+    const stat = fs.statSync(filePath);
+    if (stat.size > MAX_CONFIG_SIZE) {
+      return { raw: null, error: `Config file exceeds 10KB limit (${stat.size} bytes)` };
+    }
+    const content = fs.readFileSync(filePath, 'utf8');
+    // Parse into null-prototype object to prevent prototype pollution
+    const parsed = JSON.parse(content);
+    if (typeof parsed !== 'object' || parsed === null || Array.isArray(parsed)) {
+      return { raw: null, error: 'Config file must contain a JSON object' };
+    }
+    // Deep copy into null-prototype objects
+    const safe = Object.create(null);
+    for (const key of Object.keys(parsed)) {
+      if (typeof parsed[key] === 'object' && parsed[key] !== null && !Array.isArray(parsed[key])) {
+        const inner = Object.create(null);
+        for (const k of Object.keys(parsed[key])) {
+          inner[k] = parsed[key][k];
+        }
+        safe[key] = inner;
+      } else {
+        safe[key] = parsed[key];
+      }
+    }
+    return { raw: safe, error: null };
+  } catch (err) {
+    if (err.code === 'ENOENT') {
+      return { raw: null, error: null }; // file not found is not an error for auto-detection
+    }
+    return { raw: null, error: `Failed to parse config: ${err.message}` };
+  }
+}
+
+/**
+ * Validate a parsed config object.
+ * @param {object} raw - parsed config (null-prototype object)
+ * @returns {{ config: object|null, warnings: string[], errors: string[] }}
+ */
+function validateConfig(raw) {
+  const warnings = [];
+  const errors = [];
+  const config = Object.create(null);
+
+  if (!raw) return { config: null, warnings, errors };
+
+  // Check for prototype pollution keys at all levels
+  for (const key of Object.keys(raw)) {
+    if (PROTO_KEYS.has(key)) {
+      errors.push(`Forbidden key "${key}" detected (prototype pollution attempt)`);
+      return { config: null, warnings, errors };
+    }
+    if (typeof raw[key] === 'object' && raw[key] !== null) {
+      for (const k of Object.keys(raw[key])) {
+        if (PROTO_KEYS.has(k)) {
+          errors.push(`Forbidden key "${key}.${k}" detected (prototype pollution attempt)`);
+          return { config: null, warnings, errors };
+        }
+      }
+    }
+  }
+
+  // Check for unknown top-level keys
+  for (const key of Object.keys(raw)) {
+    if (!VALID_TOP_KEYS.has(key)) {
+      warnings.push(`Unknown config key "${key}" — ignored`);
+    }
+  }
+
+  // Validate riskThresholds
+  if (raw.riskThresholds !== undefined) {
+    const rt = raw.riskThresholds;
+    if (typeof rt !== 'object' || rt === null || Array.isArray(rt)) {
+      errors.push('riskThresholds must be an object');
+    } else {
+      const validKeys = new Set(['critical', 'high', 'medium']);
+      for (const k of Object.keys(rt)) {
+        if (!validKeys.has(k)) {
+          warnings.push(`Unknown riskThresholds key "${k}" — ignored`);
+        }
+      }
+      const vals = Object.create(null);
+      for (const k of ['critical', 'high', 'medium']) {
+        if (rt[k] !== undefined) {
+          if (typeof rt[k] !== 'number' || !Number.isFinite(rt[k])) {
+            errors.push(`riskThresholds.${k} must be a finite number`);
+          } else if (rt[k] <= 0) {
+            errors.push(`riskThresholds.${k} must be > 0 (got ${rt[k]})`);
+          } else {
+            vals[k] = rt[k];
+          }
+        } else {
+          vals[k] = DEFAULTS.riskThresholds[k];
+        }
+      }
+      // Ordering: critical > high > medium
+      if (!errors.length) {
+        const c = vals.critical, h = vals.high, m = vals.medium;
+        if (c <= h || h <= m) {
+          errors.push(`riskThresholds ordering violation: critical (${c}) > high (${h}) > medium (${m}) required`);
+        }
+      }
+      if (!errors.length) {
+        config.riskThresholds = vals;
+        // Warn if thresholds are relaxed beyond defaults
+        if ((vals.critical > DEFAULTS.riskThresholds.critical) ||
+            (vals.high > DEFAULTS.riskThresholds.high) ||
+            (vals.medium > DEFAULTS.riskThresholds.medium)) {
+          warnings.push('Risk thresholds relaxed — detection sensitivity reduced');
+        }
+      }
+    }
+  }
+
+  // Validate maxFileSize
+  if (raw.maxFileSize !== undefined) {
+    const mfs = raw.maxFileSize;
+    if (typeof mfs !== 'number' || !Number.isFinite(mfs) || !Number.isInteger(mfs)) {
+      errors.push('maxFileSize must be a finite integer');
+    } else if (mfs < 1024 * 1024) {
+      errors.push(`maxFileSize must be >= 1MB (got ${mfs})`);
+    } else if (mfs > 100 * 1024 * 1024) {
+      errors.push(`maxFileSize must be <= 100MB (got ${mfs})`);
+    } else {
+      config.maxFileSize = mfs;
+    }
+  }
+
+  // Validate severityWeights
+  if (raw.severityWeights !== undefined) {
+    const sw = raw.severityWeights;
+    if (typeof sw !== 'object' || sw === null || Array.isArray(sw)) {
+      errors.push('severityWeights must be an object');
+    } else {
+      const validKeys = new Set(['critical', 'high', 'medium', 'low']);
+      for (const k of Object.keys(sw)) {
+        if (!validKeys.has(k)) {
+          warnings.push(`Unknown severityWeights key "${k}" — ignored`);
+        }
+      }
+      const vals = Object.create(null);
+      for (const k of ['critical', 'high', 'medium', 'low']) {
+        if (sw[k] !== undefined) {
+          if (typeof sw[k] !== 'number' || !Number.isFinite(sw[k])) {
+            errors.push(`severityWeights.${k} must be a finite number`);
+          } else if (sw[k] < 0) {
+            errors.push(`severityWeights.${k} must be >= 0 (got ${sw[k]})`);
+          } else {
+            vals[k] = sw[k];
+          }
+        } else {
+          vals[k] = DEFAULTS.severityWeights[k];
+        }
+      }
+      // Ordering: critical >= high >= medium >= low
+      if (!errors.length) {
+        const c = vals.critical, h = vals.high, m = vals.medium, l = vals.low;
+        if (c < h || h < m || m < l) {
+          errors.push(`severityWeights ordering violation: critical (${c}) >= high (${h}) >= medium (${m}) >= low (${l}) required`);
+        }
+      }
+      if (!errors.length) {
+        config.severityWeights = vals;
+      }
+    }
+  }
+
+  const hasKeys = Object.keys(config).length > 0;
+  return { config: hasKeys ? config : null, warnings, errors };
+}
+
+/**
+ * Resolve which config file to load.
+ * Priority: --config <path> > .muaddibrc.json at targetPath root
+ * @param {string} targetPath - scan target directory
+ * @param {string|null} configPath - explicit --config path (or null)
+ * @returns {{ config: object|null, warnings: string[], errors: string[], source: string|null }}
+ */
+function resolveConfig(targetPath, configPath) {
+  // Explicit --config path
+  if (configPath) {
+    const absPath = path.isAbsolute(configPath) ? configPath : path.resolve(configPath);
+    if (!fs.existsSync(absPath)) {
+      return { config: null, warnings: [], errors: [`Config file not found: ${configPath}`], source: null };
+    }
+    const { raw, error } = loadConfigFile(absPath);
+    if (error) {
+      return { config: null, warnings: [], errors: [error], source: null };
+    }
+    const result = validateConfig(raw);
+    if (result.config) {
+      result.warnings.unshift(`Loaded custom thresholds from ${configPath}`);
+    }
+    result.source = configPath;
+    return result;
+  }
+
+  // Auto-detect .muaddibrc.json at target root
+  const rcPath = path.join(targetPath, '.muaddibrc.json');
+  if (!fs.existsSync(rcPath)) {
+    return { config: null, warnings: [], errors: [], source: null };
+  }
+  const { raw, error } = loadConfigFile(rcPath);
+  if (error) {
+    // Auto-detected config with errors is a warning, not a fatal error
+    return { config: null, warnings: [`[CONFIG] ${error} — .muaddibrc.json ignored`], errors: [], source: null };
+  }
+  const result = validateConfig(raw);
+  if (result.config) {
+    result.warnings.unshift('Loaded custom thresholds from .muaddibrc.json');
+  }
+  result.source = rcPath;
+  return result;
+}
+
+module.exports = { DEFAULTS, loadConfigFile, validateConfig, resolveConfig };

package/src/index.js

@@ -28,10 +28,11 @@ const { computeReachableFiles } = require('./scanner/reachability.js');
 const { runTemporalAnalyses } = require('./temporal-runner.js');
 const { formatOutput } = require('./output-formatter.js');
 const { setExtraExcludes, getExtraExcludes, Spinner, listInstalledPackages, clearFileListCache, debugLog } = require('./utils.js');
-const { SEVERITY_WEIGHTS, RISK_THRESHOLDS, MAX_RISK_SCORE, isPackageLevelThreat, computeGroupScore, applyFPReductions, applyCompoundBoosts, calculateRiskScore } = require('./scoring.js');
+const { SEVERITY_WEIGHTS, RISK_THRESHOLDS, MAX_RISK_SCORE, isPackageLevelThreat, computeGroupScore, applyFPReductions, applyCompoundBoosts, calculateRiskScore, applyConfigOverrides, resetConfigOverrides, getSeverityWeights } = require('./scoring.js');
+const { resolveConfig } = require('./config.js');
 const { buildIntentPairs } = require('./intent-graph.js');
 
-const { MAX_FILE_SIZE, safeParse } = require('./shared/constants.js');
+const { MAX_FILE_SIZE, getMaxFileSize, setMaxFileSize, resetMaxFileSize, safeParse } = require('./shared/constants.js');
 const walk = require('acorn-walk');
 
 // Paranoid mode scanner
@@ -75,7 +76,7 @@ function scanParanoid(targetPath) {
   function scanFileAST(filePath) {
     try {
       const stat = fs.statSync(filePath);
-      if (stat.size > MAX_FILE_SIZE) return;
+      if (stat.size > getMaxFileSize()) return;
       const content = fs.readFileSync(filePath, 'utf8');
       const relFile = path.relative(targetPath, filePath);
 
@@ -186,8 +187,8 @@ function scanParanoid(targetPath) {
           }
         }
       });
-    } catch {
-      // Ignore read/parse errors
+    } catch (e) {
+      debugLog('[PARANOID] AST parse error:', e?.message);
     }
   }
 
@@ -209,7 +210,7 @@ function scanParanoid(targetPath) {
   function scanFile(filePath) {
     try {
       const stat = fs.statSync(filePath);
-      if (stat.size > MAX_FILE_SIZE) return;
+      if (stat.size > getMaxFileSize()) return;
       const ext = path.extname(filePath);
       if (ext === '.js' || ext === '.mjs' || ext === '.cjs') {
         scanFileAST(filePath);
@@ -218,8 +219,8 @@ function scanParanoid(targetPath) {
         const relFile = path.relative(targetPath, filePath);
         scanFileContent(filePath, content, relFile);
       }
-    } catch {
-      // Ignore read errors
+    } catch (e) {
+      debugLog('[PARANOID] file read error:', e?.message);
     }
   }
 
@@ -247,8 +248,8 @@ function scanParanoid(targetPath) {
           scanFile(fullPath);
         }
       }
-    } catch {
-      // Ignore walk errors
+    } catch (e) {
+      debugLog('[PARANOID] walkDir error:', e?.message);
     }
   }
 
@@ -353,6 +354,19 @@ async function run(targetPath, options = {}) {
     setExtraExcludes(options.exclude, targetPath);
   }
 
+  // Load custom configuration (.muaddibrc.json or --config)
+  let configApplied = false;
+  const configResult = resolveConfig(targetPath, options.configPath || null);
+  if (configResult.errors.length > 0) {
+    for (const err of configResult.errors) console.error(`[CONFIG ERROR] ${err}`);
+    throw new Error('Invalid configuration file.');
+  }
+  if (configResult.config) {
+    applyConfigOverrides(configResult.config);
+    if (configResult.config.maxFileSize) setMaxFileSize(configResult.config.maxFileSize);
+    configApplied = true;
+  }
+
   // Detect Python project (synchronous, fast file reads)
   const pythonDeps = detectPythonProject(targetPath);
 
@@ -376,6 +390,9 @@ async function run(targetPath, options = {}) {
   const MODULE_GRAPH_TIMEOUT_MS = 5000;
   const warnings = [];
   if (iocStalenessWarning) warnings.push(iocStalenessWarning);
+  if (configResult.warnings.length > 0) {
+    for (const w of configResult.warnings) warnings.push(`[CONFIG] ${w}`);
+  }
   let crossFileFlows = [];
   if (!options.noModuleGraph) {
     const moduleGraphWork = async () => {
@@ -550,7 +567,8 @@ async function run(targetPath, options = {}) {
       if (!reachability.skipped) {
         reachableFiles = reachability.reachableFiles;
       }
-    } catch {
+    } catch (e) {
+      debugLog('[REACHABILITY] error:', e?.message);
       // Graceful fallback — treat all files as reachable
     }
   }
@@ -629,7 +647,7 @@ async function run(targetPath, options = {}) {
   const enrichedThreats = deduped.map(t => {
     const rule = getRule(t.type);
     const confFactor = { high: 1.0, medium: 0.85, low: 0.6 }[rule.confidence] || 1.0;
-    const points = Math.round((SEVERITY_WEIGHTS[t.severity] || 0) * confFactor);
+    const points = Math.round((getSeverityWeights()[t.severity] || 0) * confFactor);
     return {
       ...t,
       rule_id: rule.id || t.type,
@@ -694,6 +712,7 @@ async function run(targetPath, options = {}) {
   if (options._capture) {
     setExtraExcludes([]);
     clearFileListCache();
+    if (configApplied) { resetConfigOverrides(); resetMaxFileSize(); }
     return result;
   }
 
@@ -728,6 +747,7 @@ async function run(targetPath, options = {}) {
   // Clear runtime state
   setExtraExcludes([]);
   clearFileListCache();
+  if (configApplied) { resetConfigOverrides(); resetMaxFileSize(); }
 
   return Math.min(failingThreats.length, 125);
 }

package/src/scanner/ast-detectors.js

@@ -1495,10 +1495,15 @@ function handleCallExpression(node, ctx) {
     if (prop.type === 'Identifier' && obj?.type === 'Identifier' &&
         (ctx.globalThisAliases.has(obj.name) || obj.name === 'globalThis' || obj.name === 'global')) {
       ctx.hasEvalInFile = true;
+      // Resolve variable value via stringVarValues (e.g., const f = 'eval'; globalThis[f]())
+      const resolvedValue = ctx.stringVarValues.get(prop.name);
+      const isEvalOrFunction = resolvedValue === 'eval' || resolvedValue === 'Function';
       ctx.threats.push({
         type: 'dangerous_call_eval',
-        severity: 'HIGH',
-        message: `Dynamic global dispatch via computed property (${obj.name}[${prop.name}]) — likely indirect eval evasion.`,
+        severity: isEvalOrFunction ? 'CRITICAL' : 'HIGH',
+        message: isEvalOrFunction
+          ? `Resolved indirect ${resolvedValue}() via computed property (${obj.name}[${prop.name}="${resolvedValue}"]) — confirmed eval evasion.`
+          : `Dynamic global dispatch via computed property (${obj.name}[${prop.name}]) — likely indirect eval evasion.`,
         file: ctx.relFile
       });
     }

package/src/scanner/deobfuscate.js

@@ -154,6 +154,27 @@ function deobfuscate(sourceCode) {
       const hexResult = tryResolveHexArrayMap(node, sourceCode);
       if (hexResult !== null) {
         replacements.push(hexResult);
+        return;
+      }
+
+      // ---- 5. ARRAY JOIN ----
+      // ['e','v','a','l'].join('') → "eval"
+      if (node.callee?.type === 'MemberExpression' &&
+          node.callee.property?.name === 'join' &&
+          node.callee.object?.type === 'ArrayExpression' &&
+          node.arguments?.length === 1 &&
+          node.arguments[0]?.type === 'Literal' &&
+          node.arguments[0].value === '') {
+        const elements = node.callee.object.elements;
+        if (elements.length > 0 && elements.every(el => el?.type === 'Literal' && typeof el.value === 'string')) {
+          const joined = elements.map(el => el.value).join('');
+          const before = sourceCode.slice(node.start, node.end);
+          replacements.push({
+            start: node.start, end: node.end,
+            value: quoteString(joined),
+            type: 'array_join', before
+          });
+        }
       }
     }
   });

package/src/scanner/github-actions.js

@@ -1,7 +1,7 @@
 const fs = require('fs');
 const path = require('path');
 
-const { MAX_FILE_SIZE } = require('../shared/constants.js');
+const { MAX_FILE_SIZE, getMaxFileSize } = require('../shared/constants.js');
 
 const YAML_EXTENSIONS = ['.yml', '.yaml'];
 const MAX_DEPTH = 10;
@@ -40,7 +40,7 @@ function scanDirRecursive(dirPath, targetPath, threats, depth = 0) {
         continue;
       }
       if (!stat.isFile()) continue;
-      if (stat.size > MAX_FILE_SIZE) continue;
+      if (stat.size > getMaxFileSize()) continue;
     } catch {
       continue;
     }

package/src/scanner/hash.js

@@ -3,7 +3,7 @@ const path = require('path');
 const nodeCrypto = require('crypto');
 const { loadCachedIOCs } = require('../ioc/updater.js');
 const { findFiles } = require('../utils.js');
-const { MAX_FILE_SIZE } = require('../shared/constants.js');
+const { MAX_FILE_SIZE, getMaxFileSize } = require('../shared/constants.js');
 
 // Hash cache: filePath -> { hash, mtime }
 const hashCache = new Map();
@@ -57,7 +57,7 @@ async function scanHashes(targetPath) {
 function computeHashCached(filePath) {
   try {
     const stat = fs.statSync(filePath);
-    if (stat.size > MAX_FILE_SIZE) return null;
+    if (stat.size > getMaxFileSize()) return null;
     const mtime = stat.mtimeMs;
 
     // Check the cache

package/src/scanner/shell.js

@@ -1,7 +1,7 @@
 const fs = require('fs');
 const path = require('path');
-const { findFiles, forEachSafeFile } = require('../utils.js');
-const { MAX_FILE_SIZE } = require('../shared/constants.js');
+const { findFiles, forEachSafeFile, debugLog } = require('../utils.js');
+const { MAX_FILE_SIZE, getMaxFileSize } = require('../shared/constants.js');
 
 const SHELL_EXCLUDED_DIRS = ['node_modules', '.git', '.muaddib-cache'];
 
@@ -56,7 +56,7 @@ function scanFileContent(file, content, targetPath, threats) {
 function findExtensionlessFiles(dir, excludedDirs, results = [], depth = 0) {
   if (depth > 20) return results;
   let items;
-  try { items = fs.readdirSync(dir); } catch { return results; }
+  try { items = fs.readdirSync(dir); } catch (e) { debugLog('[SHELL] readdirSync error:', e?.message); return results; }
 
   for (const item of items) {
     if (excludedDirs.includes(item)) continue;
@@ -66,10 +66,10 @@ function findExtensionlessFiles(dir, excludedDirs, results = [], depth = 0) {
       if (lstat.isSymbolicLink()) continue;
       if (lstat.isDirectory()) {
         findExtensionlessFiles(fullPath, excludedDirs, results, depth + 1);
-      } else if (lstat.isFile() && !path.extname(item) && lstat.size <= MAX_FILE_SIZE) {
+      } else if (lstat.isFile() && !path.extname(item) && lstat.size <= getMaxFileSize()) {
         results.push(fullPath);
       }
-    } catch { /* permission error */ }
+    } catch (e) { debugLog('[SHELL] stat error:', e?.message); }
   }
   return results;
 }
@@ -94,7 +94,7 @@ async function scanShellScripts(targetPath) {
       if (SHEBANG_RE.test(firstLine)) {
         scanFileContent(file, content, targetPath, threats);
       }
-    } catch { /* ignore unreadable files */ }
+    } catch (e) { debugLog('[SHELL] readFile error:', e?.message); }
   }
 
   return threats;

package/src/scoring.js

@@ -47,6 +47,44 @@ const PROTO_HOOK_MEDIUM_CAP = 15;
 // Unknown/paranoid rules default to 1.0 (no penalty).
 const CONFIDENCE_FACTORS = { high: 1.0, medium: 0.85, low: 0.6 };
 
+// Mutable copies for configurable overrides (reset after each scan)
+let _severityWeights = { ...SEVERITY_WEIGHTS };
+let _riskThresholds = { ...RISK_THRESHOLDS };
+
+/**
+ * Apply config overrides to scoring parameters.
+ * @param {object} config - validated config from config.js
+ */
+function applyConfigOverrides(config) {
+  if (config.severityWeights) {
+    if (config.severityWeights.critical !== undefined) _severityWeights.CRITICAL = config.severityWeights.critical;
+    if (config.severityWeights.high !== undefined) _severityWeights.HIGH = config.severityWeights.high;
+    if (config.severityWeights.medium !== undefined) _severityWeights.MEDIUM = config.severityWeights.medium;
+    if (config.severityWeights.low !== undefined) _severityWeights.LOW = config.severityWeights.low;
+  }
+  if (config.riskThresholds) {
+    if (config.riskThresholds.critical !== undefined) _riskThresholds.CRITICAL = config.riskThresholds.critical;
+    if (config.riskThresholds.high !== undefined) _riskThresholds.HIGH = config.riskThresholds.high;
+    if (config.riskThresholds.medium !== undefined) _riskThresholds.MEDIUM = config.riskThresholds.medium;
+  }
+}
+
+/** Reset scoring parameters to defaults (call after each scan to prevent state leak). */
+function resetConfigOverrides() {
+  _severityWeights = { ...SEVERITY_WEIGHTS };
+  _riskThresholds = { ...RISK_THRESHOLDS };
+}
+
+/** Get current severity weights (for enrichment in index.js). */
+function getSeverityWeights() {
+  return _severityWeights;
+}
+
+/** Get current risk thresholds (for external consumers). */
+function getRiskThresholds() {
+  return _riskThresholds;
+}
+
 // ============================================
 // PER-FILE MAX SCORING (v2.2.11)
 // ============================================
@@ -91,7 +129,7 @@ function computeGroupScore(threats) {
   let protoHookMediumPoints = 0;
 
   for (const t of threats) {
-    const weight = SEVERITY_WEIGHTS[t.severity] || 0;
+    const weight = _severityWeights[t.severity] || 0;
     const rule = getRule(t.type);
     const factor = CONFIDENCE_FACTORS[rule.confidence] || 1.0;
 
@@ -279,11 +317,11 @@ function applyCompoundBoosts(threats) {
 
     // Check all required types are present
     if (compound.requires.every(req => typeSet.has(req))) {
-      // Severity gate: at least one component must have severity >= MEDIUM
-      // after FP reductions. If all components were downgraded to LOW,
-      // the compound signal is not strong enough to justify a CRITICAL boost.
+      // Severity gate: at least one component must have had original severity >= MEDIUM.
+      // Uses originalSeverity (pre-FP-reduction) to prevent attackers from
+      // manipulating compound gates via count-threshold or dist-file downgrades.
       const hasSignificantComponent = compound.requires.some(req =>
-        threats.some(t => t.type === req && t.severity !== 'LOW')
+        threats.some(t => t.type === req && (t.originalSeverity || t.severity) !== 'LOW')
       );
       if (!hasSignificantComponent) continue;
 
@@ -323,8 +361,11 @@ const FRAMEWORK_PROTO_RE = new RegExp(
 
 function applyFPReductions(threats, reachableFiles, packageName, packageDeps) {
   // Initialize reductions audit trail on each threat
+  // Store original severity before any FP reductions, so compound
+  // severity gates can check pre-reduction severity (GAP 4b).
   for (const t of threats) {
     t.reductions = [];
+    t.originalSeverity = t.severity;
   }
 
   // Count occurrences of each threat type (package-level, across all files)
@@ -384,6 +425,29 @@ function applyFPReductions(threats, reachableFiles, packageName, packageDeps) {
     // The READ/WRITE distinction in ast-detectors already handles the FP case:
     // READ-only → LOW (hot-reload, introspection), WRITE → CRITICAL (malicious replacement).
     // A single cache WRITE is genuinely malicious — no downgrade needed.
+  }
+
+  // Dilution floor: retain at least one instance at original severity per type
+  // to prevent complete count-threshold dilution by injected benign patterns.
+  // Only applies to types with low maxCount (≤3) and a severity constraint (from field),
+  // where injection of benign patterns is feasible. High-count types (dynamic_require,
+  // env_access) and unconstrained types (suspicious_dataflow) represent legitimate
+  // framework patterns and should allow full downgrade.
+  const restoredTypes = new Set();
+  for (const t of threats) {
+    const lastReduction = t.reductions?.find(r => r.rule === 'count_threshold');
+    if (lastReduction && !restoredTypes.has(t.type)) {
+      const rule = FP_COUNT_THRESHOLDS[t.type];
+      if (rule && rule.from && rule.maxCount <= 3) {
+        t.severity = lastReduction.from;
+        t.reductions = t.reductions.filter(r => r.rule !== 'count_threshold');
+        t.reductions.push({ rule: 'count_threshold_floor', note: 'retained one instance at original severity' });
+        restoredTypes.add(t.type);
+      }
+    }
+  }
+
+  for (const t of threats) {
 
     // Prototype hook: framework class prototypes → MEDIUM
     // Core Node.js prototypes (http.IncomingMessage, net.Socket) stay CRITICAL
@@ -559,9 +623,9 @@ function calculateRiskScore(deduped, intentResult) {
   const mediumCount = deduped.filter(t => t.severity === 'MEDIUM').length;
   const lowCount = deduped.filter(t => t.severity === 'LOW').length;
 
-  const riskLevel = riskScore >= RISK_THRESHOLDS.CRITICAL ? 'CRITICAL'
-                  : riskScore >= RISK_THRESHOLDS.HIGH ? 'HIGH'
-                  : riskScore >= RISK_THRESHOLDS.MEDIUM ? 'MEDIUM'
+  const riskLevel = riskScore >= _riskThresholds.CRITICAL ? 'CRITICAL'
+                  : riskScore >= _riskThresholds.HIGH ? 'HIGH'
+                  : riskScore >= _riskThresholds.MEDIUM ? 'MEDIUM'
                   : riskScore > 0 ? 'LOW'
                   : 'SAFE';
 
@@ -574,5 +638,6 @@ function calculateRiskScore(deduped, intentResult) {
 
 module.exports = {
   SEVERITY_WEIGHTS, RISK_THRESHOLDS, MAX_RISK_SCORE, CONFIDENCE_FACTORS,
-  isPackageLevelThreat, computeGroupScore, applyFPReductions, applyCompoundBoosts, calculateRiskScore
+  isPackageLevelThreat, computeGroupScore, applyFPReductions, applyCompoundBoosts, calculateRiskScore,
+  applyConfigOverrides, resetConfigOverrides, getSeverityWeights, getRiskThresholds
 };

package/src/shared/constants.js

@@ -88,6 +88,14 @@ const DOWNLOAD_TIMEOUT = 30_000; // 30 seconds
 
 // Shared scanner constants
 const MAX_FILE_SIZE = 10 * 1024 * 1024; // 10MB — skip files larger than this to avoid memory issues
+let _maxFileSize = MAX_FILE_SIZE;
+
+/** Get current max file size (configurable via .muaddibrc.json). */
+function getMaxFileSize() { return _maxFileSize; }
+/** Set max file size override. */
+function setMaxFileSize(size) { _maxFileSize = size; }
+/** Reset max file size to default. */
+function resetMaxFileSize() { _maxFileSize = MAX_FILE_SIZE; }
 const ACORN_OPTIONS = { ecmaVersion: 2024, sourceType: 'module', allowHashBang: true };
 
 const acorn = require('acorn');
@@ -110,4 +118,4 @@ function safeParse(code, extraOptions = {}) {
   }
 }
 
-module.exports = { REHABILITATED_PACKAGES, NPM_PACKAGE_REGEX, MAX_TARBALL_SIZE, DOWNLOAD_TIMEOUT, MAX_FILE_SIZE, ACORN_OPTIONS, safeParse };
+module.exports = { REHABILITATED_PACKAGES, NPM_PACKAGE_REGEX, MAX_TARBALL_SIZE, DOWNLOAD_TIMEOUT, MAX_FILE_SIZE, ACORN_OPTIONS, safeParse, getMaxFileSize, setMaxFileSize, resetMaxFileSize };

package/src/temporal-ast-diff.js

@@ -8,7 +8,7 @@ const { findJsFiles, forEachSafeFile, debugLog } = require('./utils.js');
 const { fetchPackageMetadata, getLatestVersions } = require('./temporal-analysis.js');
 const { downloadToFile, extractTarGz, sanitizePackageName } = require('./shared/download.js');
 
-const { MAX_FILE_SIZE, ACORN_OPTIONS, safeParse } = require('./shared/constants.js');
+const { MAX_FILE_SIZE, getMaxFileSize, ACORN_OPTIONS, safeParse } = require('./shared/constants.js');
 
 const REGISTRY_URL = 'https://registry.npmjs.org';
 const METADATA_TIMEOUT = 10_000;

package/src/utils.js

@@ -1,6 +1,6 @@
 const fs = require('fs');
 const path = require('path');
-const { MAX_FILE_SIZE } = require('./shared/constants.js');
+const { MAX_FILE_SIZE, getMaxFileSize } = require('./shared/constants.js');
 
 /**
  * Directories excluded from scanning.
@@ -285,7 +285,7 @@ function forEachSafeFile(files, callback) {
   for (const file of files) {
     try {
       const stat = fs.statSync(file);
-      if (stat.size > MAX_FILE_SIZE) continue;
+      if (stat.size > getMaxFileSize()) continue;
     } catch { continue; }
     let content;
     try {