agentaudit 3.9.23 → 3.9.25

package/cli.mjs

@@ -52,11 +52,18 @@ function resolveProvider(flagOverride, keys) {
     return p;
   }
   
-  // Smart inference: if model override looks like "provider/model" (e.g. z-ai/glm-5, anthropic/claude-sonnet-4)
-  // → auto-select OpenRouter (which uses that format)
+  // Smart inference: if model is set, try to match it to a provider
   const activeModel = globalModelOverride || process.env.AGENTAUDIT_MODEL || loadConfig()?.preferred_model;
-  if (activeModel && activeModel.includes('/') && providers.openrouter) {
-    return providers.openrouter;
+  if (activeModel) {
+    const lm = activeModel.toLowerCase();
+    // Direct provider models (no slash = native format)
+    if (!lm.includes('/')) {
+      if (lm.startsWith('claude') && providers.anthropic) return providers.anthropic;
+      if ((lm.startsWith('gpt') || lm.startsWith('o3') || lm.startsWith('o4') || lm.startsWith('o1')) && providers.openai) return providers.openai;
+      if (providers.ollama && (process.env.OLLAMA_MODEL || process.env.OLLAMA_HOST)) return providers.ollama;
+    }
+    // Slash format = OpenRouter convention (provider/model)
+    if (lm.includes('/') && providers.openrouter) return providers.openrouter;
   }
   
   // Auto-detect priority: Anthropic > OpenAI > OpenRouter > Custom > Ollama (local last — usually weaker)
@@ -1499,6 +1506,7 @@ async function auditRepo(url) {
   
   let report = null;
   let _lastLlmText = '';
+  let providerMeta = {}; // Collect provider metadata for attestation
   
   try {
     if (resolvedProvider.id === 'anthropic') {
@@ -1527,6 +1535,12 @@ async function auditRepo(url) {
       const text = data.content?.[0]?.text || '';
       _lastLlmText = text;
       report = extractJSON(text);
+      providerMeta = {
+        provider_msg_id: data.id || null,
+        input_tokens: data.usage?.input_tokens || null,
+        output_tokens: data.usage?.output_tokens || null,
+        reported_model: data.model || null,
+      };
     } else {
       // OpenAI, OpenRouter, Ollama, or Custom (all use OpenAI-compatible chat completions API)
       let apiUrl, modelName, authHeaders;
@@ -1575,6 +1589,13 @@ async function auditRepo(url) {
       const text = data.choices?.[0]?.message?.content || '';
       _lastLlmText = text;
       report = extractJSON(text);
+      providerMeta = {
+        provider_msg_id: data.id || null,
+        provider_fingerprint: data.system_fingerprint || null,
+        input_tokens: data.usage?.prompt_tokens || null,
+        output_tokens: data.usage?.completion_tokens || null,
+        reported_model: data.model || null,
+      };
     }
     
     console.log(` ${c.green}done${c.reset} ${c.dim}(${elapsed(start)})${c.reset}`);
@@ -1635,7 +1656,16 @@ async function auditRepo(url) {
           'Authorization': `Bearer ${creds.api_key}`,
           'Content-Type': 'application/json',
         },
-        body: JSON.stringify({ ...report, audit_model: actualModel, audit_provider: resolvedProvider.id }),
+        body: JSON.stringify({
+          ...report,
+          audit_model: providerMeta.reported_model || actualModel,
+          audit_provider: resolvedProvider.id,
+          provider_msg_id: providerMeta.provider_msg_id || undefined,
+          provider_fingerprint: providerMeta.provider_fingerprint || undefined,
+          input_tokens: providerMeta.input_tokens || undefined,
+          output_tokens: providerMeta.output_tokens || undefined,
+          audit_duration_ms: Date.now() - start,
+        }),
         signal: AbortSignal.timeout(15_000),
       });
       if (res.ok) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agentaudit",
-  "version": "3.9.23",
+  "version": "3.9.25",
   "description": "Security scanner for AI packages — MCP server + CLI",
   "type": "module",
   "bin": {