@modelstatus/cli 0.1.25 → 0.1.26

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@modelstatus/cli",
-  "version": "0.1.25",
+  "version": "0.1.26",
   "description": "Track which AI models you use, where, and never get surprised by a retirement. Free offline model-health for any repo (mm status), browser sign-in for cloud inventory + alerts.",
   "keywords": [
     "llm",

package/src/detect/core.js

@@ -3,9 +3,11 @@
  * returns the model strings found per line. No I/O. */
 
 // File extensions / TLDs the family globs accidentally swallow
-// (e.g. "command-2.0.0.tgz", "grok-free.app"). Used to reject generic matches.
+// (e.g. "command-2.0.0.tgz", "grok-free.app", "llama-3.gguf"). Used to reject
+// generic matches. Includes model-WEIGHT/data/media extensions so a weight-file
+// reference (llama-3.safetensors) isn't mistaken for a model usage.
 const BANNED_TAIL =
-  /\.(tgz|tar|gz|zip|js|ts|tsx|jsx|mjs|py|go|rb|json|md|lock|sh|css|html|txt|log|yaml|yml|toml|ini|conf|cfg|env|pem|crt|key|csv|xml|pdf|sql|app|com|net|io|dev|org|ai|co)\b/;
+  /\.(tgz|tar|gz|zip|js|ts|tsx|jsx|mjs|py|go|rb|json|md|lock|sh|css|html|txt|log|yaml|yml|toml|ini|conf|cfg|env|pem|crt|key|csv|xml|pdf|sql|gguf|safetensors|bin|onnx|pt|pth|ckpt|h5|npz|parquet|arrow|jpeg|jpg|png|gif|webp|bmp|svg|mp4|wav|app|com|net|io|dev|org|ai|co)\b/;
 
 /** Trim leading/trailing separators a greedy family glob can capture. */
 function cleanGeneric(s) {
@@ -19,17 +21,31 @@ function isTokenChar(ch) {
   return /[A-Za-z0-9._/:-]/.test(ch);
 }
 
-/** True when `term` occurs in `haystack` at a word-ish boundary (not embedded
- * inside a longer identifier). Both are already lower-cased. This is what stops
- * the alias "gpt-4" from matching inside "gpt-4o-mini" (→ wrong, older model). */
+// Provider prefixes legitimately precede an id ("anthropic.claude-…", "ft:gpt-…",
+// "us.anthropic.…", "openrouter/…"), so '.' ':' '/' on the LEFT is still a boundary.
+function isPrefixSep(ch) {
+  return ch === "." || ch === ":" || ch === "/";
+}
+// Known model-id SUFFIXES seen in real configs: Bedrock ':0'/'-v1', dated
+// '-20250514' snapshots, '@version'. The remainder starting with one is still a
+// boundary — so "claude-opus-4-20250514" resolves inside a Bedrock ARN, while
+// "gpt-4" still does NOT match inside "gpt-4o". Kept identical to scan-pr.ts.
+const MODEL_SUFFIX = /^(:|-v[0-9]|-[0-9]{6,}|@)/;
+
+/** True when `term` occurs in `haystack` at a model-id boundary — tolerating
+ * provider prefixes + known version/region/snapshot suffixes, but NOT a plain
+ * embedded match. Both are already lower-cased. */
 function matchesAtBoundary(haystack, term) {
   let from = 0;
   for (;;) {
     const at = haystack.indexOf(term, from);
     if (at < 0) return false;
     const before = at > 0 ? haystack[at - 1] : "";
-    const after = at + term.length < haystack.length ? haystack[at + term.length] : "";
-    if ((before === "" || !isTokenChar(before)) && (after === "" || !isTokenChar(after))) return true;
+    const rest = haystack.slice(at + term.length);
+    const after = rest[0] ?? "";
+    const boundedLeft = before === "" || !isTokenChar(before) || isPrefixSep(before);
+    const boundedRight = after === "" || !isTokenChar(after) || MODEL_SUFFIX.test(rest);
+    if (boundedLeft && boundedRight) return true;
     from = at + 1; // a later occurrence may be bounded
   }
 }
@@ -45,7 +61,10 @@ function looksLikeModel(s) {
 export function compilePatterns(patterns) {
   const exact = [];
   for (const ms of patterns.model_strings || []) {
-    if (ms.match && ms.match.length >= 4) exact.push(ms.match.toLowerCase());
+    // Registry strings are curated, and the boundary matcher prevents embedded
+    // matches — so a low floor is safe and lets short real ids (o1, o3) resolve.
+    // (The old >=4 floor silently dropped the entire OpenAI o-series.)
+    if (ms.match && ms.match.length >= 2) exact.push(ms.match.toLowerCase());
   }
   const generic = (patterns.generic_model_regexes || []).map((r) => new RegExp(r, "gi"));
   return { exact, generic };

package/src/index.js

@@ -4,6 +4,7 @@ import path from "node:path";
 import { resolveAuth, loadConfig, saveConfig, clearAuth, configFilePath } from "./config.js";
 import { createClient } from "./api.js";
 import { collectFrom, availability, ALL_SOURCE_IDS } from "./sources/index.js";
+import { redactValue } from "./redact.js";
 import { loginViaBrowser } from "./auth.js";
 import { maybeCheckForUpdate } from "./updater.js";
 import { track, maybeAnalyticsNotice } from "./telemetry.js";
@@ -170,7 +171,9 @@ async function cmdScan(positional, flags) {
 
   const usages = rows.map((r) => ({
     model_id: r.model_id ?? undefined,
-    custom_model_name: r.model_id ? undefined : r.model_string,
+    // Redact + bound the custom id: a generic-glob hit on an .env line can over-
+    // capture a secret-ish fragment, and only the snippet was being redacted.
+    custom_model_name: r.model_id ? undefined : redactValue(r.model_string).slice(0, 120),
     environment: r.environment,
     location_label: r.location_label,
     source_repo: ghRepoSlug() || undefined,
@@ -241,7 +244,7 @@ async function ciReport(dir, flags, res) {
     seen.add(k);
     usages.push({
       model_id: r?.model_id ?? undefined,
-      custom_model_name: r?.model_id ? undefined : c.model_string,
+      custom_model_name: r?.model_id ? undefined : redactValue(c.model_string).slice(0, 120),
       environment: c.environment,
       location_label: c.location_label,
       source_path: c.source_path,