agentaudit 3.9.10 → 3.9.12

package/cli.mjs

@@ -343,38 +343,47 @@ function extractJSON(text) {
   // 1. Try parsing the entire text as JSON directly
   try { return JSON.parse(text.trim()); } catch {}
   
-  // 2. Strip markdown code fences (```json ... ``` or ``` ... ```)
-  const fenceMatch = text.match(/```(?:json)?\s*\n?([\s\S]*?)\n?\s*```/);
-  if (fenceMatch) {
-    try { return JSON.parse(fenceMatch[1].trim()); } catch {}
+  // 2. Strip markdown code fences — try last fence first (report is usually at the end)
+  const fenceMatches = [...text.matchAll(/```(?:json)?\s*\n?([\s\S]*?)\n?\s*```/g)];
+  for (let i = fenceMatches.length - 1; i >= 0; i--) {
+    try { 
+      const parsed = JSON.parse(fenceMatches[i][1].trim());
+      if (parsed && typeof parsed === 'object' && ('risk_score' in parsed || 'findings' in parsed || 'result' in parsed)) return parsed;
+    } catch {}
+  }
+  // Try any fence even without report keys
+  for (let i = fenceMatches.length - 1; i >= 0; i--) {
+    try { return JSON.parse(fenceMatches[i][1].trim()); } catch {}
   }
   
-  // 3. Find the first balanced top-level { ... } block
-  const start = text.indexOf('{');
-  if (start === -1) return null;
-  let depth = 0;
-  let inString = false;
-  let escape = false;
-  for (let i = start; i < text.length; i++) {
-    const ch = text[i];
-    if (escape) { escape = false; continue; }
-    if (ch === '\\' && inString) { escape = true; continue; }
-    if (ch === '"') { inString = !inString; continue; }
-    if (inString) continue;
-    if (ch === '{') depth++;
-    else if (ch === '}') {
-      depth--;
-      if (depth === 0) {
-        try { return JSON.parse(text.slice(start, i + 1)); } catch {}
-        break;
-      }
+  // 3. Find ALL balanced top-level { ... } blocks, try each (prefer largest valid one)
+  const blocks = [];
+  let searchFrom = 0;
+  while (searchFrom < text.length) {
+    const start = text.indexOf('{', searchFrom);
+    if (start === -1) break;
+    let depth = 0, inStr = false, esc = false;
+    let end = -1;
+    for (let i = start; i < text.length; i++) {
+      const ch = text[i];
+      if (esc) { esc = false; continue; }
+      if (ch === '\\' && inStr) { esc = true; continue; }
+      if (ch === '"') { inStr = !inStr; continue; }
+      if (inStr) continue;
+      if (ch === '{') depth++;
+      else if (ch === '}') { depth--; if (depth === 0) { end = i; break; } }
+    }
+    if (end > start) {
+      blocks.push(text.slice(start, end + 1));
+      searchFrom = end + 1;
+    } else {
+      searchFrom = start + 1;
     }
   }
-  
-  // 4. Last resort: greedy match
-  const greedy = text.match(/\{[\s\S]*\}/);
-  if (greedy) {
-    try { return JSON.parse(greedy[0]); } catch {}
+  // Try largest block first (the report JSON is usually the biggest)
+  blocks.sort((a, b) => b.length - a.length);
+  for (const block of blocks) {
+    try { return JSON.parse(block); } catch {}
   }
   
   return null;
@@ -1300,6 +1309,7 @@ async function auditRepo(url) {
   // Check for API keys to determine which LLM to use
   const anthropicKey = process.env.ANTHROPIC_API_KEY;
   const openaiKey = process.env.OPENAI_API_KEY;
+  const activeProvider = anthropicKey ? 'Anthropic (Claude)' : openaiKey ? 'OpenAI (GPT-4o)' : null;
   
   if (!anthropicKey && !openaiKey) {
     // No LLM API key — clear explanation
@@ -1364,7 +1374,7 @@ async function auditRepo(url) {
   }
   
   // We have an API key — run LLM audit
-  process.stdout.write(`  ${c.dim}[4/4]${c.reset} Running LLM analysis...`);
+  process.stdout.write(`  ${c.dim}[4/4]${c.reset} Running LLM analysis ${c.dim}(${activeProvider})${c.reset}...`);
   
   const systemPrompt = auditPrompt || 'You are a security auditor. Analyze the code and report findings as JSON.';
   const userMessage = [

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agentaudit",
-  "version": "3.9.10",
+  "version": "3.9.12",
   "description": "Security scanner for AI packages — MCP server + CLI",
   "type": "module",
   "bin": {