npm - @modelstatus/cli - Versions diffs - 0.1.74 → 0.1.76 - Mend

@modelstatus/cli 0.1.74 → 0.1.76

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/README.md CHANGED Viewed

@@ -8,16 +8,19 @@ The free CLI + TUI for [LLM Status](https://llmstatus.ai) — scans your repo fo
 npx @modelstatus/cli status
 ```
-That's it. No sign-in, no account, no telemetry — just a snapshot of every model in your repo plus health badges and replacement suggestions.
+That's it. No sign-in, no account, and the scan runs entirely on your machine — you get a snapshot of every model in your repo plus health badges and replacement suggestions. (The CLI sends anonymous usage analytics — event names + counts only, never code, model names, or paths; a one-time notice says so and `MM_NO_ANALYTICS=1` turns it off.)
 ## Install
 Pick whichever fits your stack:
 ```bash
-# Self-contained binary, no Node required:
+# Self-contained binary, no Node required (sha256 + signature verified by the installer):
 curl -fsSL https://llmstatus.ai/install.sh | bash
+# Homebrew (macOS + Linux):
+brew install randomartifact/tap/modelstatus-cli
 # Via npm (needs Node ≥18):
 npm i -g @modelstatus/cli
 ```
@@ -49,6 +52,19 @@ Models in use:
 Works **fully offline** after the first run (cached snapshot at `~/.config/llmstatus/registry-cache.json`).
+### Free: fix the dying ones
+```bash
+mm fix [dir] --dry-run    # preview the rewrites
+mm fix [dir]              # apply (asks first)
+```
+Rewrites deprecated/retiring model ids to their current registry replacement, in
+place. Boundary-safe (`gpt-4` never rewrites inside `gpt-4o`), style-preserving
+(prefixed stays prefixed), and chain-aware — if the replacement is itself dying,
+it follows the chain to the first live model. In the TUI, press `f` for a
+red/green diff preview; nothing is written until you confirm.
 ### Sign in for cloud features
 ```bash
@@ -65,7 +81,9 @@ You get two binaries — `mm` (short) and `llmstatus` (descriptive). Same binary
 | Command | What it does |
 |---|---|
 | `mm status [dir]` | Free offline model-health check — no account |
-| `mm` | Launch the TUI (inventory, scan, what's-new, alerts, account) |
+| `mm fix [dir]` | Rewrite dying model ids to their replacement (`--dry-run` to preview) |
+| `mm [dir]` | Launch the TUI on a folder (defaults to the current one) — runs locally |
+| `mm update` | Update the binary in place (Homebrew installs: `brew upgrade`) |
 | `mm login [api_key]` | Browser sign-in with polling (or paste a key) |
 | `mm signup` | Create an account in the browser |
 | `mm scan [dir]` | Scan for model usage; interactive TUI, or `--ci`/`--json` for pipelines |
@@ -96,7 +114,9 @@ Secret sources shell out to your already-authenticated CLIs, run **read-only**,
 | Signed registry snapshot, offline cache | ✓ | ✓ |
 | Resolve + health locally, on-device | ✓ | ✓ |
 | Secret-source aware (`env`, `aws-secrets`, `k8s`, `helm`, `sql`) | ✓ | ✓ |
+| `mm fix` — rewrite dying ids to replacements | ✓ | ✓ |
 | Cloud inventory across projects/teams | — | ✓ |
+| GitHub App: PR checks + one-click fix PRs | — | ✓ |
 | Alerts on deprecations/retirements (email/Slack/SMS) | — | ✓ |
 | CI integrations + web dashboard | — | ✓ |
@@ -113,6 +133,11 @@ pinned root key (in the CLI binary)
 The CLI verifies every byte before trusting the snapshot, refuses any rollback to an older version, and falls back to its local cache when the network's down. The signing key can be rotated without shipping a new CLI release.
+The binaries get the same treatment: macOS builds are Developer ID signed and
+Apple-notarized, every release manifest is Ed25519-signed and verified — against
+a public key embedded in the installer and the self-updater, not fetched from the
+CDN — and both refuse to proceed if any check fails.
 ## Links
 - Website: [llmstatus.ai](https://llmstatus.ai)

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@modelstatus/cli",
-  "version": "0.1.74",
+  "version": "0.1.76",
   "description": "Track which AI models you use, where, and never get surprised by a retirement. Free offline model-health for any repo (mm status), browser sign-in for cloud inventory + alerts.",
   "keywords": [
     "llm",

package/src/index.js CHANGED Viewed

@@ -373,9 +373,11 @@ async function ciReport(dir, flags, res) {
   const uniq = [...new Set(res.candidates.map((c) => c.model_string))];
   const resolved = uniq.length ? (await client.resolve(uniq)).data || [] : [];
   const byStr = new Map(resolved.map((r) => [r.input.toLowerCase(), r]));
+  const { dropResolvedFragments } = await import("./registry/local.js");
+  const uploadable = dropResolvedFragments(res.candidates, (c) => !!byStr.get(c.model_string.toLowerCase())?.model_id);
   const seen = new Set();
   const usages = [];
-  for (const c of res.candidates) {
+  for (const c of uploadable) {
     const r = byStr.get(c.model_string.toLowerCase());
     const k = `${r?.model_id ?? "custom:" + c.model_string}|${c.location_label}`;
     if (seen.has(k)) continue;
@@ -685,12 +687,14 @@ function cmdIntegrations(positional, flags) {
 async function cmdStatus(positional, flags) {
   const dir = path.resolve(positional[1] || flags.dir || ".");
   const { getRegistry } = await import("./registry/fetch.js");
-  const { resolveLocal, computeHealth } = await import("./registry/local.js");
+  const { resolveLocal, computeHealth, dropResolvedFragments } = await import("./registry/local.js");
   const snapshot = await getRegistry({ offline: !!flags.offline, log: (m) => process.stderr.write(`! ${m}\n`) });
-  const candidates = await collectFrom(parseSources(flags), scanOpts(flags, dir), snapshot.detection, explicitSources(flags));
+  let candidates = await collectFrom(parseSources(flags), scanOpts(flags, dir), snapshot.detection, explicitSources(flags));
   const resolved = resolveLocal(snapshot, [...new Set(candidates.map((c) => c.model_string))]);
   const byStr = new Map(resolved.map((r) => [r.input.toLowerCase(), r]));
+  // Suppress detector fragments of resolved aliases (see dropResolvedFragments).
+  candidates = dropResolvedFragments(candidates, (c) => !!byStr.get(c.model_string.toLowerCase())?.model_slug);
   // Aggregate locations per known model / per custom string.
   const known = new Map(); // slug -> { model, count }

package/src/registry/local.js CHANGED Viewed

@@ -51,3 +51,34 @@ export function needsAttention(snapshot, retiringWindowDays = 90, today = new Da
     .filter((m) => m.health !== "ok")
     .sort((a, b) => String(a.retires_date || "9999-99-99").localeCompare(String(b.retires_date || "9999-99-99")));
 }
+/**
+ * Drop unresolved (custom) candidates that NEST with a resolved match at the
+ * same location (either direction of containment). The detector often emits
+ * overlapping spans for one id — e.g. from the Bedrock ARN
+ * "anthropic.claude-3-sonnet-20240229-v1:0" it emits both
+ * "claude-3-sonnet-20240229" (resolves → claude-3-sonnet) and the longer
+ * fragment "claude-3-sonnet-20240229-v1" (doesn't resolve) — which would
+ * double-count the line as a known model AND a phantom custom id. Both
+ * directions are intentional: for variants like "ft:gpt-4:acme", the resolved
+ * base model carries the lifecycle signal (a fine-tune dies with its base), so
+ * the custom row is noise there too. Customs that share a line with a resolved
+ * model WITHOUT string overlap (two different ids on one line) are kept.
+ */
+export function dropResolvedFragments(candidates, isResolved) {
+  const locOf = (c) => (c.source_path || c.location_label || "") + ":" + (c.source_line || "");
+  const resolvedByLoc = new Map(); // loc → [lowercased resolved strings]
+  for (const c of candidates) {
+    if (!isResolved(c)) continue;
+    const k = locOf(c);
+    if (!resolvedByLoc.has(k)) resolvedByLoc.set(k, []);
+    resolvedByLoc.get(k).push(c.model_string.toLowerCase());
+  }
+  return candidates.filter((c) => {
+    if (isResolved(c)) return true;
+    const here = resolvedByLoc.get(locOf(c));
+    if (!here) return true;
+    const s = c.model_string.toLowerCase();
+    return !here.some((rs) => rs !== s && (rs.includes(s) || s.includes(rs)));
+  });
+}

package/src/tui/scan-stream.js CHANGED Viewed

@@ -11,7 +11,7 @@ import fs from "node:fs";
 import os from "node:os";
 import path from "node:path";
 import { getRegistry } from "../registry/fetch.js";
-import { resolveLocal, computeHealth } from "../registry/local.js";
+import { resolveLocal, computeHealth, dropResolvedFragments } from "../registry/local.js";
 import { scanFilesystemStreaming } from "../sources/filesystem.js";
 import { compilePatterns } from "../detect/core.js";
@@ -76,6 +76,9 @@ export function loadRegistry(log = () => {}) {
 export function summarize(snapshot, candidates) {
   const resolved = resolveLocal(snapshot, [...new Set(candidates.map((c) => c.model_string))]);
   const byStr = new Map(resolved.map((r) => [r.input.toLowerCase(), r]));
+  // A custom id that's a fragment of a resolved alias on the same line is a
+  // detector artifact, not a finding (e.g. the inner piece of a Bedrock ARN).
+  candidates = dropResolvedFragments(candidates, (c) => !!byStr.get(c.model_string.toLowerCase())?.model_slug);
   const known = new Map(); // slug → { model, count }
   const custom = new Map(); // string → count
   const refsBySlug = new Map(); // slug → [candidate]