agentaudit 3.13.8 → 3.13.10

package/cli.mjs

@@ -2875,6 +2875,39 @@ async function safeJsonParse(res, llmConfig) {
   }
 }
 
+function getMaxOutputTokens(model) {
+  // Known max_completion_tokens from provider docs (2026-02)
+  // Array (not object) to guarantee match order — specific keys before generic ones
+  const limits = [
+    // Anthropic (specific versions first, then generic)
+    ['claude-haiku-4-5', 8192], ['claude-3-haiku', 4096], ['claude-3-5-haiku', 8192],
+    ['claude-sonnet-4-6', 64000], ['claude-sonnet-4-5', 16384], ['claude-3-5-sonnet', 8192], ['claude-sonnet-4', 16384],
+    ['claude-opus-4-6', 32768], ['claude-opus-4', 32768],
+    // Google Gemini
+    ['gemini-3', 65536], ['gemini-2.5', 65536], ['gemini-2.0', 65536],
+    // Qwen (OpenRouter)
+    ['qwen3.5', 65536], ['qwen3', 32768], ['qwen2.5', 32768],
+    // xAI
+    ['grok-4', 32768], ['grok-3', 16384],
+    // OpenAI
+    ['gpt-4.1', 32768], ['gpt-4o', 16384], ['gpt-4-turbo', 4096], ['o3', 100000], ['o4-mini', 100000],
+    // DeepSeek (8K standard mode — thinking mode allows 64K but we use standard)
+    ['deepseek', 8192],
+    // Mistral
+    ['mistral-large', 32768], ['mistral-medium', 32768], ['mistral-small', 32768],
+    // Meta Llama (served by Groq 32K, Together, Fireworks, Cerebras)
+    ['llama-3.3', 32768], ['llama-v3p3', 32768], ['llama-3.1', 32768], ['llama-v3p1', 32768],
+    ['llama-4', 32768], ['llama-3', 16384],
+    // Zhipu / z.ai
+    ['glm-4', 16384], ['glm-3', 8192],
+  ];
+  const m = (model || '').toLowerCase();
+  for (const [key, val] of limits) {
+    if (m.includes(key)) return val;
+  }
+  return 8192; // conservative fallback — safe for all providers
+}
+
 async function callLlm(llmConfig, systemPrompt, userMessage) {
   const apiKey = process.env[llmConfig.key];
   if (!apiKey) return { error: `Missing API key: ${llmConfig.key}` };
@@ -2896,7 +2929,7 @@ async function callLlm(llmConfig, systemPrompt, userMessage) {
       const res = await fetch(llmConfig.url, {
         method: 'POST',
         headers: { 'x-api-key': apiKey, 'anthropic-version': '2023-06-01', 'content-type': 'application/json' },
-        body: JSON.stringify({ model: llmConfig.model, max_tokens: 32768, system: systemPrompt, messages: [{ role: 'user', content: userMessage }] }),
+        body: JSON.stringify({ model: llmConfig.model, max_tokens: getMaxOutputTokens(llmConfig.model), system: systemPrompt, messages: [{ role: 'user', content: userMessage }] }),
         signal: AbortSignal.timeout(180_000),
       });
       data = await safeJsonParse(res, llmConfig);
@@ -2928,7 +2961,7 @@ async function callLlm(llmConfig, systemPrompt, userMessage) {
         body: JSON.stringify({
           systemInstruction: { parts: [{ text: systemPrompt }] },
           contents: [{ role: 'user', parts: [{ text: userMessage }] }],
-          generationConfig: { maxOutputTokens: 65536, responseMimeType: 'application/json', thinkingConfig: { thinkingBudget: 8192 } },
+          generationConfig: { maxOutputTokens: getMaxOutputTokens(llmConfig.model), responseMimeType: 'application/json', thinkingConfig: { thinkingBudget: 8192 } },
         }),
         signal: AbortSignal.timeout(180_000),
       });
@@ -2957,7 +2990,7 @@ async function callLlm(llmConfig, systemPrompt, userMessage) {
       const res = await fetch(llmConfig.url, {
         method: 'POST',
         headers,
-        body: JSON.stringify({ model: llmConfig.model, max_tokens: 32768, messages: [{ role: 'system', content: systemPrompt }, { role: 'user', content: userMessage }] }),
+        body: JSON.stringify({ model: llmConfig.model, max_tokens: getMaxOutputTokens(llmConfig.model), messages: [{ role: 'system', content: systemPrompt }, { role: 'user', content: userMessage }] }),
         signal: AbortSignal.timeout(180_000),
       });
       data = await safeJsonParse(res, llmConfig);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agentaudit",
-  "version": "3.13.8",
+  "version": "3.13.10",
   "description": "Security scanner for AI agent packages — CLI + MCP server",
   "type": "module",
   "bin": {