[Change] CHANGELOG: v2.0.1 dedup — consolidate #480/#482/#483, trim section drift

[Change] Collapse issue #482 into one consolidated [Fix] (field parity + scaling)
[Change] Collapse issue #483 into one consolidated [Fix] (sort + started_epoch + .html glob)
[Change] Collapse issue #480 into one [New] + one [Fix] (two-file union model)
[Change] Correct #483 scope — only reports[] is globally sorted; active[]/stopped[] gain started_epoch for consumer-side sortability
[Change] Tag #482's three Lifecycle-JSON / _json_escape_string [Change] entries with issue ref
[Change] Move 14 mis-tagged entries to correct sections (Fix→Fixes, New→Features, Change→Changes)
[Change] Drop internal-only entries — comment-normalization T1/T2/T3, batsman CI-infra bumps, test-only announcements
[Change] Drop fluff — docs-housekeeping entries for features already announced as [New]
[Change] Trim verbose multi-line entries — vendored-lib sync, DEB override_dh_fixperms, --test-alert digest, _json_escape_string sed→bash
[Change] Collapse Monitor 12-defects [Fix] into the parent [New] supervisor entry (was duplicated)
[Change] Remove stale intermediate vendored-lib sync ([Change] tlog_lib 2.0.5 etc) superseded by current 2.0.6 sync
[Change] v2.0.1 entry count 131 -> 112 (35 New / 24 Change / 53 Fix); CHANGELOG.RELEASE byte-parity preserved

Author: rfxn

CHANGELOG

@@ -2,7 +2,7 @@ v2.0.1 | Mar 25 2026:
 
   -- New Features --
 
-[New] Monitor mode: supervisor model replaces double-fork; 12 pre-existing defects resolved
+[New] Monitor mode: supervisor model replaces double-fork; 12 pre-existing defects resolved (graceful shutdown, crash recovery, session rotation, event filter, PID guard, ClamAV cache); issue #454, #447, #459
 [New] Config: digest_interval, digest_escalate_hits, monitor_paths_extra for monitor mode
 [New] TSV canonical session format: 11-field hit records replace plaintext session files;
       session_legacy_compat config (auto/0/1) for backward compatibility
@@ -72,45 +72,15 @@ v2.0.1 | Mar 25 2026:
       supports args/file/json output tiers, sync/async execution, timeout
       with SIGTERM/SIGKILL, elog audit trail, min_hits threshold, scan type filter;
       scan_start epoch in JSON payload (LMD_SCAN_START env); issue #477
-[New] ignore_inotify: versioned defaults file ($inspath/internals/ignore_inotify.defaults) consulted in addition to user ignore_inotify; refreshed for systemd-private tmpdirs, modern MariaDB, PostgreSQL, Redis; issue #480
-[Fix] ignore_inotify: replace dead legacy regex defaults (broken since 2026-03-19 _monitor_escape_ere change) with user-template header; live defaults now ship in ignore_inotify.defaults; issue #480
-[Fix] monitor: union-load ignore_inotify + ignore_inotify.defaults; new _monitor_load_ignore_inotify_union helper skips blanks+comments, dedupes across both files; issue #480
-[New] packaging: ship ignore_inotify.defaults in RPM spec, DEB rules, links, symlink-manifest; non-conffile under /usr/lib/maldet/internals/ so upgrades refresh the file; override_dh_fixperms preserves 640 mode on DEB; issue #480
-[Change] docs: document ignore_inotify.defaults two-file union model in README §5/§7 and maldet.1 MONITOR MODE; issue #480
-[Fix] ignore_inotify.defaults: scope 'sql_' to /tmp/#sql_ + /var/tmp/#sql_ and drop bare 'scantemp' to prevent matching user files like sql_backup.php and scantemplate.php; add /var/lib/maldet/ for FHS scan-temp coverage; sentinel remediation for issue #480
+[New] ignore_inotify: two-file union model — LMD-managed defaults
+      ($inspath/internals/ignore_inotify.defaults) refreshed for systemd-private
+      tmpdirs, modern MariaDB, PostgreSQL, Redis, ClamAV runtime; user-owned
+      ignore_inotify retained for site overrides; dead legacy regex defaults
+      replaced (broken since _monitor_escape_ere change); issue #480
 
   -- Changes --
 
-[Change] comments: T3 inline prose rehousing + restatement sweep across 18 files
-[Change] comments: T2 function-header normalization — collapse signature-restatement blocks
-[Change] comments: T1 mechanical cleanup — strip banner separators and file-header catalogues
-[Change]   - Delete 20 pure-dash banners (lmd_hook.sh: 14, lmd_alert.sh: 6)
-[Change]   - Transform 95 labeled banners (# --- label --- -> # label)
-[Change]   - Trim file-header catalogues (hookscan.sh, importconf, tlog, cron.watchdog, pkg-postinst.sh, uninstall.sh, files/uninstall.sh)
-[Change]   - Applies parent CLAUDE.md §Code Comments primitive (one-line headers, no banners, no tombstones)
-[Change]   - Preserves load-bearing keeps: BEGIN INIT INFO (service/maldet.sh), flock rationale (cron.daily), cron.watchdog decoupling invariant
-[Change] Vendored lib sync: tlog_lib 2.0.5 → 2.0.6, alert_lib 1.0.6 → 1.0.7,
-         elog_lib 1.0.5 → 1.0.6, pkg_lib 1.0.9 → 1.0.10. All four are
-         comment-discipline cascade bumps from canonical (banner separators
-         removed, signature-restatement prose deleted from function headers,
-         prose config catalogues replaced with README cross-references).
-         Zero functional change in any of the four libraries; load-bearing
-         rationale (TLS posture, symlink-safety, eval-guard validation,
-         pkg_config_merge invariants, SIEM/CEF/GELF contract docs, journal
-         filter contracts, alert dispatch invariants) preserved intact.
-         Byte-identical to canonical: tlog_lib d65158c (v2.0.6),
-         alert_lib 3b66050 (v1.0.7), elog_lib 7a60165 (v1.0.6),
-         pkg_lib cdd0814 (v1.0.10).
-[Change] files/internals/tlog (standalone CLI wrapper): 2.0.4 → 2.0.6 —
-         byte-synced to canonical. Wrapper had been drifting (skipped
-         during prior 2.0.5 sync); colocated with tlog_lib.sh so no
-         BFD-style fallback required. install.sh BASERUN sed pattern
-         still matches the canonical line format.
-[Change] tests/infra: batsman 1.4.1 → 1.4.2 — runs-on input for
-         self-hosted runner support (CI workflow only, no test behaviour
-         changes).
-[Change] Vendored lib sync: tlog_lib 2.0.5, alert_lib 1.0.6, elog_lib 1.0.5,
-         pkg_lib 1.0.8
+[Change] Vendored libs synced to canonical: tlog_lib 2.0.6, alert_lib 1.0.7, elog_lib 1.0.6, pkg_lib 1.0.10 (zero functional change)
 [Change] Alert templates: consolidate summary into headers; drop "TOTAL" prefix from
          labels (HITS/CLEANED/QUARANTINED); add quarantine metrics; aligned column spacing
 [Change] Hook scans write to rolling hook.hits.log instead of creating session files;
@@ -120,8 +90,6 @@ v2.0.1 | Mar 25 2026:
 [Change] CLI: modifier flags (-x, -i, -hscan, -qd, -co, --format, --mailto) are now
          position-independent; -co uses in-memory parser; -qd with non-existent
          directory exits 1
-[Change] Documentation: man page, README, and usage rewritten with complete option/config
-         coverage
 [Change] Rename sig_import_*_url config variables (from import_custsigs_*_url) for
          sig_* namespace consistency; compat.conf migration maps old names
 [Change] scan_workers default changed from "0" to "auto"; "0" silently accepted as
@@ -155,80 +123,46 @@ v2.0.1 | Mar 25 2026:
          maint_archive_age (both disableable with 0)
 [Change] cron.daily: run --maintenance after sigup/versionup for automated history
          rotation and session cleanup; hardcoded log paths replaced with $maldet_log
-[Change] Tests: batsman v1.4.2; per-test 180s timeout prevents hung scans;
-         GHA 24-way parallel matrix; JUnit XML reports
+[Change] Lifecycle JSON (-L --format json): "scan_id" is now the canonical field name;
+         "scanid" remains as a deprecated alias for one release cycle and will be
+         removed in v2.1.0. Consumers should switch to "scan_id"; issue #482
+[Change] Lifecycle JSON (-L --format json): "workers" field type normalized to
+         unquoted number to match the field's underlying integer value; issue #482
+[Change] _json_escape_string: promoted to lmd.lib.sh shared utilities so all JSON
+         emitters (scan list, active lifecycle, post-scan hook, ELK dispatch) share
+         one helper; sibling _json_escape_var out-parameter helper for hot loops
+         that must avoid a subshell fork per iteration; issue #482
+[Change] conf.maldet / maldet.1: correct post_scan_hook_timeout documentation — prior
+         text claimed a 5-second grace period before SIGKILL, but timeout(1) is invoked
+         without --kill-after, so a hook that traps SIGTERM will run indefinitely; pr#478
 
   -- Bug Fixes --
 
-[Fix] --json-report list: reports[] entries now include a "path" field, matching
-      the text-mode list output; active[] entries gain the lifecycle schema
-      (eta, workers, sig_version, progress{}) so --json-report list and
-      -L/--list-active emit the same shape; stopped[] entries gain an elapsed
-      field; all string fields in active[] and stopped[] are now JSON-escaped
-      via the shared _json_escape_string helper (previously only "path" was
-      escaped — stage, engine, stopped_hr, stages, sig_version could emit
-      invalid JSON if scan.meta contained quotes, backslashes, or control
-      characters); issue #482
-[Change] Lifecycle JSON (-L --format json): "scan_id" is now the canonical
-      field name; "scanid" remains as a deprecated alias for one release cycle
-      and will be removed in v2.1.0. Consumers should switch to "scan_id"
-[Change] Lifecycle JSON (-L --format json): "workers" field type normalized to
-      unquoted number to match the field's underlying integer value
-[Change] _json_escape_string: promoted from lmd_hook.sh (optional sub-lib) to
-      lmd.lib.sh shared utilities so all JSON emitters — scan list, active
-      lifecycle, post-scan hook, and ELK dispatch — share one helper. Three
-      call sites in lmd_alert.sh previously using _alert_json_escape (from the
-      vendored alert_lib) now use the project-owned helper; vendored library
-      coupling reduced to the lib's internal self-use. A sibling out-parameter
-      helper _json_escape_var (sets _JSON_ESC_OUT) is also defined for hot
-      loops that must avoid a subshell fork per iteration
-[Fix] --json-report list: scaling regression at large session counts. Pre-fix
-      the function exhibited effective hang at ~20K indexed sessions from two
-      compounding costs: (1) _seen_ids built as a whitespace-joined string
-      that grew O(N^2) with glob-pattern dedup, and (2) one subshell fork per
-      report for path escaping. Dedup now uses a function-scoped local -A
-      associative array (O(N) total), and the reports[]/legacy hot loops use
-      the new _json_escape_var out-parameter helper instead of $() command
-      substitution. Measured: 20K reports 82s -> 1.7s; 50K reports now ~1.7s
-      (linear). Regression guard: tests/31-json-report.bats test 27 runs a
-      10K-entry synthetic index under a 30s timeout
+[Fix] monitor: union-load ignore_inotify + ignore_inotify.defaults; new _monitor_load_ignore_inotify_union helper skips blanks+comments, dedupes across both files; issue #480
+[Fix] --json-report list: path field parity with text mode; unified JSON escaping
+      across reports[]/active[]/stopped[]; dedup+escape rewrite eliminates O(N^2)
+      hang at ~20K sessions (82s → 1.7s); active[] gains lifecycle schema
+      (eta/workers/sig_version/progress); stopped[] gains elapsed; issue #482
+[Fix] --json-report list: reports[] now globally sorted by started_epoch
+      (newest first) across TSV index + legacy-session passes (pre-fix emitted
+      index entries in append-order then legacy, producing visible date
+      inversions); reports[]/active[]/stopped[] all gain started_epoch integer;
+      stopped[] gains stopped_epoch; pass-2 glob skips legacy session.*.html
+      artifacts (fixes 12s+ hangs on installs with pre-on-demand-HTML files);
+      issue #483
 [Fix] clamav_linksigs: guard mktemp staging failure to prevent writing signature
       files into the filesystem root. When mktemp -d fails, the empty _staging
       variable caused "cp -f ... /" as root; pr#478
-[Fix] _json_escape_string: replace sed pipeline with bash parameter expansion.
-      Two defects fixed in one rewrite: (1) the quoted "$sed" invocation tried
-      to execve a binary literally named "sed -E" on FreeBSD (where
-      internals.conf sets sed="$sed -E"), silently breaking post_scan_hook
-      JSON payload construction; (2) the N;s/\n/\\n/;P;D sed cycle only
-      escaped the first newline in multi-line input, emitting raw LF bytes
-      in JSON output for paths with two or more embedded newlines. The bash
-      parameter expansion form is portable, correct for any number of
-      newlines, and removes an external process from the hook hot path.
-      BATS coverage added (J-01 through J-15) including a structural guard
-      against sed reintroduction; pr#478
-[Change] conf.maldet / maldet.1: correct post_scan_hook_timeout documentation.
-      The prior text claimed a 5-second grace period before SIGKILL, but the
-      code invokes timeout(1) without --kill-after, so a hook that traps
-      SIGTERM will run indefinitely. Updated to match actual behavior;
-      pr#478
-[Fix] DEB: override_dh_fixperms target restores 640/750 modes after debhelper's
-      dh_fixperms normalizes executables to 755 and non-executables to 644.
-      Without this, 72 files shipped in the data.tar at the wrong mode including
-      all internals/*.sh sub-libraries, alert templates, cron fragments, and
-      runtime config files. conf.maldet was masked at runtime by an explicit
-      chmod in postinst, but conf.maldet.hookscan.default, /etc/default/maldet,
-      and the 15 sub-library shell files were genuinely wrong on installed
-      systems. RPM uses %attr() declarations and was unaffected; pr#478
-[Fix] --test-alert digest email: seed $tmpdir/digest.hook.alert cursor to
-      _orig_size before dispatching through genalert. Three related defects in
-      the prior implementation: (1) first-run tlog_read path silently swallowed
-      the synthetic test hits on fresh installs, so the function printed
-      "test email digest alert sent" without actually dispatching anything;
-      (2) a trailing cursor caused unalerted real hook hits to leak into the
-      test email; (3) the cursor restore left those same hits to be re-sent
-      on the next real digest. Also guards post-dispatch truncate against
-      trim_log having shortened the log mid-digest. Positive-path BATS
-      coverage added to prevent regression; pr#478
+[Fix] _json_escape_string: replaced sed pipeline with bash parameter expansion;
+      fixes FreeBSD breakage (sed="$sed -E" execve) and multi-newline escaping
+      for post_scan_hook JSON payloads; pr#478
+[Fix] DEB: override_dh_fixperms restores 640/750 modes (72 files incl.
+      conf.maldet.hookscan.default, /etc/default/maldet, and 15 sub-library shell
+      files) after debhelper normalizes executables to 755 and non-executables
+      to 644; RPM uses %attr() and is unaffected; pr#478
+[Fix] --test-alert digest: seed $tmpdir/digest.hook.alert cursor to _orig_size
+      so first-run tlog_read dispatches synthetic hits on fresh installs; prevents
+      real-hit leakage into test email and re-send on next real digest; pr#478
 [Fix] Hook validation: world-writable detection used broken glob extraction that always
       returned empty string; replaced with bash substring to correctly extract last octal
       digit; pr#478
@@ -260,8 +194,6 @@ v2.0.1 | Mar 25 2026:
       man page compression on fresh install; backup robustness; no longer kills inotify
       monitoring; Slackware init per rc.NAME convention; preserve hookscan config and
       pub/ state; issue #414
-[Fix] Docs: missing config vars (scan_hashtype, scan_find_timeout, scan_yara auto),
-      pkg_lib.sh in FILES section, CLI aliases, --cron-sigup
 [Fix] purge() dotfile glob: replace * glob with find -delete to catch dotfiles in
       tmp/quarantine/sess
 [Fix] Quarantine: correct scan ID in report warning; TOCTOU mv exit code check; inode
@@ -285,8 +217,6 @@ v2.0.1 | Mar 25 2026:
       concurrent scan conflicts
 [Fix] scan(): exit 1 when all provided scan paths do not exist
 [Fix] Hash scanning: handle md5sum/sha256sum backslash-escaped filenames
-[Fix] Monitor mode: 12 defects fixed (graceful shutdown, crash recovery, session
-      rotation, event filter, PID guard, ClamAV cache); issue #454, #447, #459
 [Fix] Alerting: Slack migrated from deprecated files.upload API; Telegram /bot prefix;
       token security via curl -K; genalert() state isolation; issue #387, #458, #461, #426
 [Fix] Security: _safe_source_conf() allowlist (79 vars); conf.maldet 0640; dirs 750;
@@ -326,26 +256,6 @@ v2.0.1 | Mar 25 2026:
 [Fix] RPM/DEB %pre: defensive detection for dir-vs-symlink cpio conflict; install
       no longer fails with "rename failed - Is a directory" when prior install.sh
       or partial install left real directories at symlink-target paths
-[Fix] --json-report list: reports[] now globally sorted by started_epoch
-      (newest first) across TSV index + legacy-session passes; pre-fix
-      code emitted index entries in append-order then legacy entries,
-      producing visible date-order inversions (e.g. Mar 29 legacy after
-      Apr 18 TSV); issue #483
-[New] --json-report list: reports[] entries include started_epoch integer
-      field for machine-readable absolute timestamps; additive schema
-      change (existing "started" string preserved); issue #483
-[New] tests: 3 BATS regressions for --json-report list sort order,
-      started_epoch field, and legacy-session epoch derivation; issue #483
-[New] --json-report list: active[] and stopped[] entries now include
-      started and started_epoch for consistency with reports[]; stopped[]
-      also gains stopped_epoch alongside existing stopped_hr; issue #483
-[Fix] --report list / --json-report list / -e newest: pass-2 glob now
-      skips legacy session.*.html artifacts (caught pre-fix by
-      session.[0-9]* glob). _parse_session_metadata was slurping
-      multi-MB HTML files line-by-line searching for break markers that
-      never appear in HTML, producing 12s+ hangs on installs carrying
-      pre-on-demand-HTML legacy artifacts. Fix at 3 sites in lmd_alert.sh
-      + lmd_session.sh
 
 v1.6.6.1 | Feb 25 2025:
 [Fix] find_recentopts incorrectly escaping find options to the right of ( -mtime .. -ctime ); previously normalized by eval; issue #440, pr#442