agentaudit 3.9.44 → 3.9.45

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agentaudit",
-  "version": "3.9.44",
+  "version": "3.9.45",
   "description": "Security scanner for AI packages — MCP server + CLI",
   "type": "module",
   "bin": {

package/prompts/audit-prompt.md

@@ -409,12 +409,9 @@ If **any** fails → real vulnerability (`by_design: false`).
 
 ## 3.10 Final Triage
 
-### Finding Count Cap: Maximum 8 real findings per audit.
+### Finding Quality Check
 
-If more than 8 candidates after triage:
-1. Keep highest severity + highest confidence
-2. Merge ONLY when same pattern_id + same file
-3. Drop LOW-confidence findings first
+Report ALL genuine findings — do not artificially limit the count. If a package has 20 real vulnerabilities, report all 20. However, if you have more than 15 candidates, double-check each against the Self-Check (§3.1) to ensure every finding has concrete evidence and is not a duplicate.
 
 ### Anti-Merging Rules
 
@@ -654,10 +651,6 @@ Consult these patterns during Phase 2 evidence collection. Remember: a pattern m
 - risk_score > 50 for a package with no confirmed exploit path
 - Multiple credential-config findings for the same .env/env-var system — merge or drop
 
-## Ideal Distribution (benchmark)
+## Quality Guidance
 
-- ~60-70% of packages: `safe` (0-25 risk)
-- ~20-25%: `caution` (26-50)
-- ~5-10%: `unsafe` (51-100) — only confirmed malware or severe vulnerabilities
-- CRITICAL findings in <5% of audits
-- Average findings per audit: 1-3 (not 5-10)
+Judge each audit on its own merits. A clean package should have 0 findings; a heavily vulnerable package may have 20+. Do not target a specific distribution — report what you find with evidence.