modelstat 0.1.2 → 0.1.3

package/dist/cli.mjs

@@ -4624,16 +4624,22 @@ function redact(text, repoRootAbs) {
     });
   }
   out = out.replace(TOKEN_CANDIDATE, (match) => {
-    if (/^[a-f0-9]+$/i.test(match)) return match;
-    if (/^[A-Z]+$/.test(match)) return match;
-    const hasLetter = /[A-Za-z]/.test(match);
+    if (/^[a-fA-F0-9]{32,}$/.test(match)) {
+      counts.secrets_found += 1;
+      return "[REDACTED:hash]";
+    }
+    if (/^[A-Z0-9_]+$/.test(match)) return match;
+    if (/=$|\+/.test(match) && entropy(match) >= 3.5) {
+      counts.secrets_found += 1;
+      return "[REDACTED:base64]";
+    }
     const hasDigit = /\d/.test(match);
     const hasUpper = /[A-Z]/.test(match);
     const hasLower = /[a-z]/.test(match);
-    if (!(hasLetter && hasDigit && hasUpper && hasLower)) return match;
+    if (!(hasDigit && hasUpper && hasLower)) return match;
     if (entropy(match) < 3.6) return match;
     counts.secrets_found += 1;
-    return `[REDACTED:hi-entropy]`;
+    return "[REDACTED:hi-entropy]";
   });
   out = out.replace(EMAIL_PATTERN, () => {
     counts.emails_redacted += 1;
@@ -5107,8 +5113,10 @@ var init_schemas = __esm({
       object: external_exports.string().max(60).nullable().default(null),
       /** Governed safe flags (`destructive`, `remote`, …). (tier 0) */
       qualifiers: external_exports.array(external_exports.string().max(40)).max(8).default([]),
-      /** Value-masked argument skeleton (every value → `§`). (tier 1) */
-      param_shape: external_exports.string().max(200).nullable().default(null),
+      /** Value-masked argument skeleton (every value → `§`). Carried in full up
+       * to a malicious-size guard (mirrors backend `MAX_TOOL_ACTION_PARAM_SHAPE_CHARS`);
+       * the companion clamps rather than truncating semantically. (tier 1) */
+      param_shape: external_exports.string().max(16384).nullable().default(null),
       /** Relevant non-sensitive keywords (e.g. ["rollout","restart","prod"]),
        * OpenAI-redacted on-device. (tier 0) */
       keywords: external_exports.array(external_exports.string().max(40)).max(12).default([]),
@@ -5118,7 +5126,7 @@ var init_schemas = __esm({
       /** The compliance-redacted command text — PII/secrets stripped on-device
        * (SOC2/GDPR), org-internal infra intact; the server derives semantics from
        * it. Un-redacted raw never ships. (tier 0, post-redaction) */
-      command_redacted: external_exports.string().max(1e3).nullable().default(null),
+      command_redacted: external_exports.string().max(16384).nullable().default(null),
       /** Per-script content abstracts for any script/bash FILES the command runs
        * — summarized on-device by the local model, then redacted. Ordered by
        * appearance; `token` is the script's token exactly as it appears in
@@ -5377,6 +5385,10 @@ var init_scripts = __esm({
 });
 
 // ../../packages/parsers/src/tool-action/index.ts
+function clampChars(s, max) {
+  const cps = [...s];
+  return cps.length > max ? cps.slice(0, max).join("") : s;
+}
 function extractToolAction(call) {
   const isMcp = call.server.startsWith("mcp:");
   const command = isMcp ? null : shellCommandOf(call.input);
@@ -5387,8 +5399,8 @@ function extractToolAction(call) {
   if (command != null) {
     const [head = "", ...rest] = command.trim().split(/\s+/);
     executable = basename(head) || null;
-    param_shape = paramShape(rest.join(" ")) || null;
-    command_redacted = redact(command, call.cwd ?? void 0).text.slice(0, MAX_COMMAND_REDACTED) || null;
+    param_shape = clampChars(paramShape(rest.join(" ")), MAX_FIELD_CHARS) || null;
+    command_redacted = clampChars(redact(command, call.cwd ?? void 0).text, MAX_FIELD_CHARS) || null;
   }
   return {
     surface,
@@ -5426,13 +5438,13 @@ function shellCommandOf(input) {
 function basename(token) {
   return token.split("/").pop() ?? token;
 }
-var MAX_COMMAND_REDACTED;
+var MAX_FIELD_CHARS;
 var init_tool_action = __esm({
   "../../packages/parsers/src/tool-action/index.ts"() {
     "use strict";
     init_src();
     init_scripts();
-    MAX_COMMAND_REDACTED = 1e3;
+    MAX_FIELD_CHARS = 16384;
   }
 });
 
@@ -8538,6 +8550,33 @@ async function probeIdentities(os2) {
     } catch {
     }
   }
+  const claudeConfigs = [`${homedir()}/.claude.json`];
+  if (process.env.CLAUDE_CONFIG_DIR) {
+    claudeConfigs.unshift(`${process.env.CLAUDE_CONFIG_DIR}/.claude.json`);
+  }
+  for (const candidate of claudeConfigs) {
+    if (!existsSync3(candidate)) continue;
+    try {
+      const data = await fs4.promises.readFile(candidate, "utf8");
+      const obj = JSON.parse(data);
+      const acct = obj.oauthAccount;
+      const stableId = acct?.accountUuid ?? acct?.organizationUuid;
+      if (acct && stableId) {
+        ids.push({
+          provider: "anthropic",
+          provider_account_id: stableId,
+          provider_account_label: acct.emailAddress ?? acct.organizationName ?? acct.displayName ?? "Claude account",
+          account_email: acct.emailAddress ?? null,
+          account_org: acct.organizationName ?? acct.billingType ?? null,
+          display_name: acct.displayName ?? null,
+          owner_scope: "unassigned",
+          detection_source: "claude_json_oauth"
+        });
+        break;
+      }
+    } catch {
+    }
+  }
   for (const candidate of [
     `${homedir()}/.codex/auth.json`,
     `${homedir()}/.config/codex/auth.json`
@@ -47440,7 +47479,7 @@ var init_scan = __esm({
     init_api();
     init_config2();
     init_pipeline2();
-    AGENT_VERSION = true ? "agent-0.1.2" : "agent-dev";
+    AGENT_VERSION = true ? "agent-0.1.3" : "agent-dev";
     BATCH_MAX_EVENTS = INGEST_BATCH_MAX_EVENTS;
     BATCH_MAX_TOOL_CALLS = 2e4;
     BATCH_BUFFER_HARD_CAP = BATCH_MAX_EVENTS * 2;
@@ -49950,7 +49989,7 @@ var init_daemon = __esm({
     init_machine_key();
     init_scan();
     init_single_flight();
-    AGENT_VERSION2 = true ? "agent-0.1.2" : "agent-dev";
+    AGENT_VERSION2 = true ? "agent-0.1.3" : "agent-dev";
     HEARTBEAT_INTERVAL_MS = 1e4;
     SCAN_INTERVAL_MS = 5 * 60 * 1e3;
     DISCOVERY_INTERVAL_MS = 6e4;
@@ -50082,6 +50121,7 @@ import { createInterface as createInterface3 } from "readline";
 // src/service.ts
 import { spawn, spawnSync as spawnSync2 } from "child_process";
 import {
+  chmodSync as chmodSync3,
   copyFileSync,
   existsSync as existsSync9,
   mkdirSync as mkdirSync3,
@@ -50396,6 +50436,7 @@ function installTrayApp(sourceAppPath) {
   if (r.status !== 0) {
     throw new Error(`cp ModelstatTray.app failed: ${r.stderr?.trim() || `exit ${r.status}`}`);
   }
+  chmodSync3(join7(dest, "Contents", "MacOS", "modelstat-tray"), 493);
   return { installedAt: dest };
 }
 async function bundledTrayAppPath(progress) {
@@ -50550,7 +50591,7 @@ function tryOpenBrowser(url) {
     return false;
   }
 }
-var AGENT_VERSION3 = true ? "agent-0.1.2" : "agent-dev";
+var AGENT_VERSION3 = true ? "agent-0.1.3" : "agent-dev";
 function osFamily() {
   const p = platform5();
   if (p === "darwin") return "macos";