npm - modelstat - Versions diffs - 0.3.0 → 0.3.2 - Mend

modelstat 0.3.0 → 0.3.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/cli.mjs CHANGED Viewed

@@ -4620,9 +4620,13 @@ var init_redact_floor = __esm({
         replacement: "<REDACTED:modelstat_device_secret>"
       },
       // Generic env-style KEY=VALUE where KEY names a secret. Keeps the var name.
+      // The keyword may be the WHOLE name (`SECRET=`, `TOKEN=`) or part of it
+      // (`AWS_SECRET_ACCESS_KEY=`), so the prefix is `[A-Z0-9_]*` (zero-or-more) —
+      // a mandatory leading `[A-Z]` here used to eat the first letter and miss every
+      // bare-keyword name, leaking `SECRET="…"` / `TOKEN="…"` straight to the wire.
       {
         name: "env_secret",
-        pattern: /\b([A-Z][A-Z0-9_]*(?:TOKEN|KEY|SECRET|PASSWORD|PASSWD|API)[A-Z0-9_]*)\s*[:=]\s*['"]?([^\s'"]{12,})['"]?/g,
+        pattern: /\b([A-Z0-9_]*(?:TOKEN|KEY|SECRET|PASSWORD|PASSWD|PASSPHRASE|CREDENTIAL|API)[A-Z0-9_]*)\s*[:=]\s*['"]?([^\s'"]{12,})['"]?/g,
         replacement: "$1=<REDACTED:env_secret>"
       },
       {
@@ -5200,7 +5204,7 @@ var init_schemas = __esm({
       scripts: external_exports.array(external_exports.object({ token: external_exports.string().max(200), summary: external_exports.string().max(200) })).max(8).default([]),
       /** Extractor confidence in [0, 1]. */
       confidence: external_exports.number().min(0).max(1).default(0),
-      /** Provenance of the extraction, e.g. `shell.v2`. */
+      /** Provenance of the extraction, e.g. `shell.v3`. */
       extractor: external_exports.string().max(40)
     }).strict();
     ToolCallWire = external_exports.object({
@@ -5390,6 +5394,214 @@ var init_src = __esm({
   }
 });
+// ../../packages/parsers/src/tool-action/executable.ts
+function splitStatements(command) {
+  const out = [];
+  let cur = "";
+  let single = false;
+  let double = false;
+  for (let i = 0; i < command.length; i++) {
+    const c = command[i];
+    if (single) {
+      cur += c;
+      if (c === "'") single = false;
+      continue;
+    }
+    if (double) {
+      if (c === "\\" && i + 1 < command.length) {
+        cur += c + command[i + 1];
+        i++;
+        continue;
+      }
+      cur += c;
+      if (c === '"') double = false;
+      continue;
+    }
+    if (c === "'") {
+      single = true;
+      cur += c;
+      continue;
+    }
+    if (c === '"') {
+      double = true;
+      cur += c;
+      continue;
+    }
+    if (c === "\\" && i + 1 < command.length) {
+      cur += c + command[i + 1];
+      i++;
+      continue;
+    }
+    if (c === "#" && (cur === "" || /\s$/.test(cur))) {
+      out.push(cur);
+      cur = "";
+      while (i + 1 < command.length && command[i + 1] !== "\n") i++;
+      continue;
+    }
+    if (c === "\n" || c === ";") {
+      out.push(cur);
+      cur = "";
+      continue;
+    }
+    if (c === "&" || c === "|") {
+      out.push(cur);
+      cur = "";
+      if (command[i + 1] === c) i++;
+      continue;
+    }
+    cur += c;
+  }
+  out.push(cur);
+  return out;
+}
+function basename(token) {
+  const parts = token.split("/");
+  return parts[parts.length - 1] ?? token;
+}
+function stripOpener(token) {
+  let t = token;
+  if (t.startsWith("$(")) t = t.slice(2);
+  else if (t.startsWith("(")) t = t.slice(1);
+  if (t.startsWith("`")) t = t.slice(1);
+  return t;
+}
+function substitutionProgram(token) {
+  const rhs = token.slice(token.indexOf("=") + 1);
+  if (rhs.startsWith("$((")) return null;
+  if (rhs.startsWith("$(") || rhs.startsWith("`")) {
+    const inner = stripOpener(rhs);
+    return inner || null;
+  }
+  return null;
+}
+function looksLikeProgram(cand) {
+  if (!PROGRAM.test(cand)) return false;
+  if (/^\d+$/.test(cand)) return false;
+  if ((cand.match(/\./g)?.length ?? 0) >= 2) return false;
+  const lower = cand.toLowerCase();
+  return !DATA_EXTENSIONS.some((ext) => lower.endsWith(ext));
+}
+function scanStatement(stmt) {
+  for (const tok of stmt.split(/\s+/).filter(Boolean)) {
+    let t = tok;
+    if (BRACKETS.has(t) || FUNCTION_DEF.test(t) || WRAPPERS.has(t)) continue;
+    if (ASSIGNMENT.test(t)) {
+      const sub = substitutionProgram(t);
+      if (sub) t = sub;
+      else continue;
+    }
+    const cand = basename(stripOpener(t).replace(/[)"'`;,]+$/, "")).toLowerCase();
+    if (!cand || cand.startsWith("-")) break;
+    if (NOISE_BUILTINS.has(cand)) return { builtin: cand };
+    if (looksLikeProgram(cand)) return { program: cand };
+    break;
+  }
+  return {};
+}
+function extractExecutable(command) {
+  let fallback = null;
+  for (const raw of splitStatements(command)) {
+    const stmt = raw.trim();
+    if (!stmt || stmt.startsWith("#")) continue;
+    const { program, builtin } = scanStatement(stmt);
+    if (program) {
+      return program.length > MAX_EXECUTABLE_CHARS ? OTHER_BUCKET : program;
+    }
+    if (builtin && !fallback) fallback = builtin;
+  }
+  return fallback ?? OTHER_BUCKET;
+}
+var OTHER_BUCKET, MAX_EXECUTABLE_CHARS, WRAPPERS, BRACKETS, NOISE_BUILTINS, DATA_EXTENSIONS, ASSIGNMENT, FUNCTION_DEF, PROGRAM;
+var init_executable = __esm({
+  "../../packages/parsers/src/tool-action/executable.ts"() {
+    "use strict";
+    OTHER_BUCKET = "(other)";
+    MAX_EXECUTABLE_CHARS = 80;
+    WRAPPERS = /* @__PURE__ */ new Set([
+      "sudo",
+      "doas",
+      "env",
+      "command",
+      "exec",
+      "builtin",
+      "nohup",
+      "setsid",
+      "time",
+      "nice",
+      "ionice",
+      "chrt",
+      "stdbuf",
+      "xargs",
+      // control-flow openers that immediately precede a command
+      "then",
+      "do",
+      "else"
+    ]);
+    BRACKETS = /* @__PURE__ */ new Set(["{", "}", "(", ")"]);
+    NOISE_BUILTINS = /* @__PURE__ */ new Set([
+      "cd",
+      "pushd",
+      "popd",
+      "echo",
+      "printf",
+      "export",
+      "unset",
+      "set",
+      "readonly",
+      "typeset",
+      "declare",
+      "local",
+      "alias",
+      "source",
+      ".",
+      "eval",
+      ":",
+      "true",
+      "false",
+      "read",
+      "wait",
+      "trap",
+      "umask",
+      "shift",
+      "return",
+      "getopts",
+      "hash",
+      "let",
+      "test",
+      "[",
+      "[[",
+      // loop / conditional keywords
+      "for",
+      "while",
+      "until",
+      "if",
+      "elif",
+      "fi",
+      "case",
+      "esac",
+      "select",
+      "function",
+      "done"
+    ]);
+    DATA_EXTENSIONS = [
+      ".output",
+      ".txt",
+      ".log",
+      ".json",
+      ".jsonl",
+      ".md",
+      ".csv",
+      ".tmp",
+      ".out",
+      ".git",
+      ".lock"
+    ];
+    ASSIGNMENT = /^[A-Za-z_][A-Za-z0-9_]*=/;
+    FUNCTION_DEF = /^[A-Za-z_][A-Za-z0-9_]*\(\)?$/;
+    PROGRAM = /^[A-Za-z0-9][A-Za-z0-9._+-]*$/;
+  }
+});
 // ../../packages/parsers/src/tool-action/scripts.ts
 function detectScriptRefs(command) {
   const refs = [];
@@ -5462,9 +5674,9 @@ function extractToolAction(call) {
   let param_shape = null;
   let command_redacted = null;
   if (command != null) {
-    const [head = "", ...rest] = command.trim().split(/\s+/);
-    executable = basename(head) || null;
-    param_shape = clampChars(paramShape(rest.join(" ")), MAX_FIELD_CHARS) || null;
+    executable = extractExecutable(command);
+    const args = command.trim().split(/\s+/).slice(1).join(" ");
+    param_shape = clampChars(paramShape(args), MAX_FIELD_CHARS) || null;
     command_redacted = clampChars(redact(command, call.cwd ?? void 0).text, MAX_FIELD_CHARS) || null;
   }
   return {
@@ -5479,7 +5691,9 @@ function extractToolAction(call) {
     command_redacted,
     scripts: [],
     confidence: 0,
-    extractor: `${surface}.v1`
+    // Per-surface provenance. shell bumped to v3 (normalized executable, see
+    // `extractExecutable`); builtin/mcp extraction is unchanged → still v1.
+    extractor: `${surface}.${surface === "shell" ? "v3" : "v1"}`
   };
 }
 function extractLocalToolContext(call) {
@@ -5500,14 +5714,13 @@ function shellCommandOf(input) {
   }
   return null;
 }
-function basename(token) {
-  return token.split("/").pop() ?? token;
-}
 var MAX_FIELD_CHARS;
 var init_tool_action = __esm({
   "../../packages/parsers/src/tool-action/index.ts"() {
     "use strict";
     init_src();
+    init_executable();
+    init_executable();
     init_scripts();
     MAX_FIELD_CHARS = 16384;
   }
@@ -47573,7 +47786,7 @@ var init_scan = __esm({
     init_api();
     init_config2();
     init_pipeline2();
-    DAEMON_VERSION = true ? "daemon-0.3.0" : "daemon-dev";
+    DAEMON_VERSION = true ? "daemon-0.3.2" : "daemon-dev";
     BATCH_MAX_EVENTS = INGEST_BATCH_MAX_EVENTS;
     BATCH_MAX_TOOL_CALLS = 2e4;
     BATCH_BUFFER_HARD_CAP = BATCH_MAX_EVENTS * 2;
@@ -50083,7 +50296,7 @@ var init_daemon = __esm({
     init_machine_key();
     init_scan();
     init_single_flight();
-    DAEMON_VERSION2 = true ? "daemon-0.3.0" : "daemon-dev";
+    DAEMON_VERSION2 = true ? "daemon-0.3.2" : "daemon-dev";
     HEARTBEAT_INTERVAL_MS = 1e4;
     SCAN_INTERVAL_MS = 5 * 60 * 1e3;
     DISCOVERY_INTERVAL_MS = 6e4;
@@ -50685,7 +50898,7 @@ function tryOpenBrowser(url) {
     return false;
   }
 }
-var DAEMON_VERSION3 = true ? "daemon-0.3.0" : "daemon-dev";
+var DAEMON_VERSION3 = true ? "daemon-0.3.2" : "daemon-dev";
 function osFamily() {
   const p = platform5();
   if (p === "darwin") return "macos";