npm - modelstat - Versions diffs - 0.3.1 → 0.4.0 - Mend

modelstat 0.3.1 → 0.4.0

This diff compares the contents of two publicly available package versions, each of which has been released to one of the supported registries. It is provided for informational purposes only and reflects the changes between those versions as they appear in their respective public registries.

Files changed (3)

package/dist/cli.mjs CHANGED

@@ -4620,9 +4620,13 @@ var init_redact_floor = __esm({
         replacement: "<REDACTED:modelstat_device_secret>"
       },
       // Generic env-style KEY=VALUE where KEY names a secret. Keeps the var name.
+      // The keyword may be the WHOLE name (`SECRET=`, `TOKEN=`) or part of it
+      // (`AWS_SECRET_ACCESS_KEY=`), so the prefix is `[A-Z0-9_]*` (zero-or-more) —
+      // a mandatory leading `[A-Z]` here used to eat the first letter and miss every
+      // bare-keyword name, leaking `SECRET="…"` / `TOKEN="…"` straight to the wire.
       {
         name: "env_secret",
-        pattern: /\b([A-Z][A-Z0-9_]*(?:TOKEN|KEY|SECRET|PASSWORD|PASSWD|API)[A-Z0-9_]*)\s*[:=]\s*['"]?([^\s'"]{12,})['"]?/g,
+        pattern: /\b([A-Z0-9_]*(?:TOKEN|KEY|SECRET|PASSWORD|PASSWD|PASSPHRASE|CREDENTIAL|API)[A-Z0-9_]*)\s*[:=]\s*['"]?([^\s'"]{12,})['"]?/g,
         replacement: "$1=<REDACTED:env_secret>"
       },
       {
@@ -46288,6 +46292,83 @@ var init_session_metadata2 = __esm({
   }
 });
+// ../../packages/daemon-core/src/pipeline/redaction.ts
+function composeRedactors(...redactors) {
+  return async (text) => {
+    let out = text;
+    const counts = {};
+    for (const r of redactors) {
+      try {
+        const res = await r(out);
+        out = res.text;
+        for (const [k, v] of Object.entries(res.counts)) counts[k] = (counts[k] ?? 0) + v;
+      } catch {
+      }
+    }
+    return { text: out, counts };
+  };
+}
+function shouldDeepRedact(text) {
+  if (!text) return false;
+  if (/[=]|--|:\/\/|@|\bbearer\b|token|secret|password|passwd|credential|api[_-]?key|private[_-]?key/i.test(text)) {
+    return true;
+  }
+  return /[A-Za-z0-9/+_-]{20,}/.test(text);
+}
+function parseRedactReply(raw) {
+  const out = [];
+  const seen = /* @__PURE__ */ new Set();
+  for (const line of raw.split("\n")) {
+    const s = line.trim().replace(/^["'`]+|["'`]+$/g, "");
+    if (!s || s.toUpperCase() === "NONE") continue;
+    if (s.length < MIN_CANDIDATE_CHARS) continue;
+    if (SAFE_WORDS.has(s.toLowerCase())) continue;
+    if (s.startsWith("[REDACTED")) continue;
+    if (seen.has(s)) continue;
+    seen.add(s);
+    out.push(s);
+  }
+  return out;
+}
+function escapeRe(s) {
+  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+function applyLlmRedactions(text, candidates) {
+  let out = text;
+  let count = 0;
+  for (const cand of [...candidates].sort((a, b) => b.length - a.length)) {
+    if (!out.includes(cand)) continue;
+    const before = out;
+    out = out.replace(new RegExp(escapeRe(cand), "g"), LLM_REDACTION_MARKER);
+    if (out !== before) count += 1;
+  }
+  return { text: out, count };
+}
+var LLM_REDACTION_MARKER, MIN_CANDIDATE_CHARS, SAFE_WORDS, REDACT_SYSTEM_PROMPT, REDACT_MAX_TOKENS, REDACT_TEMPERATURE;
+var init_redaction = __esm({
+  "../../packages/daemon-core/src/pipeline/redaction.ts"() {
+    "use strict";
+    LLM_REDACTION_MARKER = "[REDACTED:llm]";
+    MIN_CANDIDATE_CHARS = 8;
+    SAFE_WORDS = /* @__PURE__ */ new Set([
+      "production",
+      "staging",
+      "localhost",
+      "endpoint",
+      "database",
+      "password",
+      // the literal word (e.g. a flag name), not a value
+      "secret",
+      "token",
+      "credential",
+      "[redacted"
+    ]);
+    REDACT_SYSTEM_PROMPT = "You are a security redaction reviewer. You are given a single shell command that has already been partly redacted. Find any remaining SECRETS or sensitive credentials still present in plaintext: API keys, access tokens, bearer tokens, passwords, private keys, connection strings with credentials, or other high-entropy secret values. Do NOT flag: program names, flags, file paths, hostnames, service/environment names (prod, dev), or existing [REDACTED:...] markers. Output ONLY the exact secret substrings, one per line, copied verbatim character-for-character as they appear in the command. If there are no remaining secrets, output exactly NONE. Output nothing else \u2014 no prose, no explanation, no numbering.";
+    REDACT_MAX_TOKENS = 512;
+    REDACT_TEMPERATURE = 0;
+  }
+});
 // ../../packages/daemon-core/src/pipeline/index.ts
 async function buildSegmentsForSession(events, adapters2, onProgress) {
   if (events.length === 0) return [];
@@ -46602,6 +46683,7 @@ var init_pipeline = __esm({
     init_script_summary();
     init_session_metadata2();
     init_title();
+    init_redaction();
     SEGMENT_TIME_GAP_MS = 15 * 6e4;
     SEGMENT_TOPIC_THRESHOLD = 0.35;
     SEGMENT_MAX_TURNS = 100;
@@ -46895,7 +46977,14 @@ async function loadOnce(cfg) {
       contextSequence: linkExtractContext.getSequence(),
       systemPrompt: LINK_EXTRACT_SYSTEM_PROMPT
     });
-    loaded = { summarizer, cognizer, entitler, scriptSummarizer: scriptSummarizer2, linkExtractor };
+    const redactorContext = await model.createContext({
+      contextSize: Math.min(cfg.contextSize, 2048)
+    });
+    const redactor = new llamaMod.LlamaChatSession({
+      contextSequence: redactorContext.getSequence(),
+      systemPrompt: REDACT_SYSTEM_PROMPT
+    });
+    loaded = { summarizer, cognizer, entitler, scriptSummarizer: scriptSummarizer2, linkExtractor, redactor };
     return loaded;
   })();
   try {
@@ -47042,6 +47131,39 @@ function llamaExtractLinks(cfg = defaultLlamaConfig()) {
     }
   };
 }
+function llamaRedact(cfg = defaultLlamaConfig()) {
+  return async (text) => {
+    const unchanged = { text, counts: {} };
+    if (!shouldDeepRedact(text)) return unchanged;
+    let loadedSessions;
+    try {
+      loadedSessions = await loadOnce(cfg);
+    } catch {
+      return unchanged;
+    }
+    const { redactor } = loadedSessions;
+    const run = inflight.then(async () => {
+      redactor.resetChatHistory();
+      const raw = await redactor.prompt(text, {
+        temperature: REDACT_TEMPERATURE,
+        // Thinking budget on top of the short list of substrings.
+        maxTokens: REDACT_MAX_TOKENS + 400
+      });
+      return stripThinking(raw ?? "");
+    });
+    inflight = run.catch(() => void 0);
+    let reply;
+    try {
+      reply = await run;
+    } catch {
+      return unchanged;
+    }
+    const candidates = parseRedactReply(reply);
+    if (candidates.length === 0) return unchanged;
+    const { text: redacted, count } = applyLlmRedactions(text, candidates);
+    return { text: redacted, counts: count > 0 ? { llm_secrets: count } : {} };
+  };
+}
 var DEFAULT_LLAMA_MODEL_URL, LLAMA_MAX_TOKENS, loaded, loadPromise, inflight, llamaInstance;
 var init_llama = __esm({
   "../../packages/daemon-core/src/node/llama.ts"() {
@@ -47050,6 +47172,7 @@ var init_llama = __esm({
     init_prompts();
     init_script_summary();
     init_session_metadata2();
+    init_redaction();
     init_title();
     DEFAULT_LLAMA_MODEL_URL = "https://huggingface.co/lmstudio-community/Qwen3.5-4B-GGUF/resolve/main/Qwen3.5-4B-Q4_K_M.gguf";
     LLAMA_MAX_TOKENS = 1024;
@@ -47270,6 +47393,7 @@ __export(node_exports, {
   llamaCognize: () => llamaCognize,
   llamaEntitle: () => llamaEntitle,
   llamaExtractLinks: () => llamaExtractLinks,
+  llamaRedact: () => llamaRedact,
   llamaScriptSummarize: () => llamaScriptSummarize,
   llamaSummarize: () => llamaSummarize,
   ollamaCognize: () => ollamaCognize,
@@ -47400,6 +47524,23 @@ var init_privacy_filter = __esm({
 });
 // src/enrich-scripts.ts
+async function enrichToolCallRedaction(drafts, redactModel) {
+  const cache2 = /* @__PURE__ */ new Map();
+  for (const draft of drafts) {
+    const action = draft.action;
+    const cmd = action?.command_redacted;
+    if (!action || !cmd) continue;
+    try {
+      let deep = cache2.get(cmd);
+      if (deep === void 0) {
+        deep = (await redactModel(cmd)).text;
+        cache2.set(cmd, deep);
+      }
+      action.command_redacted = deep;
+    } catch {
+    }
+  }
+}
 function defaultRoots(cwd) {
   if (!cwd) return [];
   const seg = cwd.replace(/\/+$/, "").split("/");
@@ -47449,7 +47590,14 @@ async function enrichOneAction(action, ctx, deps) {
     if (!content.trim()) continue;
     const summaryRaw = await deps.summarize({ ref, content });
     if (!summaryRaw) continue;
-    const summary = redact(summaryRaw).text.trim().slice(0, MAX_SUMMARY_CHARS);
+    let summaryText = redact(summaryRaw).text;
+    if (deps.modelRedact) {
+      try {
+        summaryText = (await deps.modelRedact(summaryText)).text;
+      } catch {
+      }
+    }
+    const summary = summaryText.trim().slice(0, MAX_SUMMARY_CHARS);
     if (!summary) continue;
     seen.add(token);
     out.push({ token, summary });
@@ -47510,7 +47658,12 @@ async function bundledAdapters() {
     // @huggingface/transformers — if the optional peer dep isn't
     // installed it returns a pass-through redactor (regex pass is
     // still the last line of defence).
-    redact: await createPrivacyFilterRedactor()
+    // Defense-in-depth redaction, layers 2+3, stacked behind one adapter and
+    // applied to BOTH the abstract (in daemon-core) and `command_redacted` (in
+    // enrichRedaction below): the OpenAI Privacy Filter (NER/PII) then the
+    // local-LLM backstop for secrets the fixed patterns miss. Layer 1 (the
+    // deterministic regex floor in @modelstat/core/redact) already ran first.
+    redact: composeRedactors(await createPrivacyFilterRedactor(), llamaRedact(llamaCfg))
   };
 }
 async function getAdapters() {
@@ -47542,8 +47695,10 @@ async function buildSessionMetadata2(segments, events) {
   });
 }
 async function enrichScripts(drafts, contexts = []) {
-  if (contexts.length === 0 || drafts.length === 0) return;
-  await getAdapters();
+  if (drafts.length === 0) return;
+  const built = await getAdapters();
+  if (built.redact) await enrichToolCallRedaction(drafts, built.redact);
+  if (contexts.length === 0) return;
   if (!scriptSummarizer) scriptSummarizer = llamaScriptSummarize(defaultLlamaConfig());
   await enrichToolCallScripts(drafts, contexts, {
     summarize: scriptSummarizer,
@@ -47551,7 +47706,8 @@ async function enrichScripts(drafts, contexts = []) {
     readFile: async (path5) => {
       const buf = await fsReadFile(path5);
       return buf.subarray(0, MAX_SCRIPT_READ_BYTES).toString("utf8");
-    }
+    },
+    modelRedact: built.redact
   });
 }
 async function preflightSummariser() {
@@ -47782,7 +47938,7 @@ var init_scan = __esm({
     init_api();
     init_config2();
     init_pipeline2();
-    DAEMON_VERSION = true ? "daemon-0.3.1" : "daemon-dev";
+    DAEMON_VERSION = true ? "daemon-0.4.0" : "daemon-dev";
     BATCH_MAX_EVENTS = INGEST_BATCH_MAX_EVENTS;
     BATCH_MAX_TOOL_CALLS = 2e4;
     BATCH_BUFFER_HARD_CAP = BATCH_MAX_EVENTS * 2;
@@ -47995,7 +48151,7 @@ var PROCESSING_VERSION;
 var init_processing_version = __esm({
   "src/processing-version.ts"() {
     "use strict";
-    PROCESSING_VERSION = 5;
+    PROCESSING_VERSION = 6;
   }
 });
@@ -50292,7 +50448,7 @@ var init_daemon = __esm({
     init_machine_key();
     init_scan();
     init_single_flight();
-    DAEMON_VERSION2 = true ? "daemon-0.3.1" : "daemon-dev";
+    DAEMON_VERSION2 = true ? "daemon-0.4.0" : "daemon-dev";
     HEARTBEAT_INTERVAL_MS = 1e4;
     SCAN_INTERVAL_MS = 5 * 60 * 1e3;
     DISCOVERY_INTERVAL_MS = 6e4;
@@ -50894,7 +51050,7 @@ function tryOpenBrowser(url) {
     return false;
   }
 }
-var DAEMON_VERSION3 = true ? "daemon-0.3.1" : "daemon-dev";
+var DAEMON_VERSION3 = true ? "daemon-0.4.0" : "daemon-dev";
 function osFamily() {
   const p = platform5();
   if (p === "darwin") return "macos";