From 60873a1ed11d5b46bf8cc301f667b56ea0c26315 Mon Sep 17 00:00:00 2001
From: jonisjongithub
Date: Tue, 27 Jan 2026 12:20:40 -0800
Subject: [PATCH] fix(security): recognize Venice-style claude-opus-45 as top-tier model

The security audit was incorrectly flagging venice/claude-opus-45 as 'Below Claude 4.5' because the regex expected -4-5 (with dash) but Venice uses -45 (without dash between 4 and 5). Updated isClaude45OrHigher() regex to match both formats. Added test case to prevent regression.
---
 src/security/audit-extra.ts | 5 ++++-
 src/security/audit.test.ts | 17 +++++++++++++++++
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/src/security/audit-extra.ts b/src/security/audit-extra.ts
index 6dce5c896..d9cf25c40 100644
--- a/src/security/audit-extra.ts
+++ b/src/security/audit-extra.ts
@@ -311,7 +311,10 @@ function isClaudeModel(id: string): boolean {
 }
 function isClaude45OrHigher(id: string): boolean {
- return /\bclaude-[^\s/]*?(?:-4-5\b|4\.5\b)/i.test(id);
+ // Match claude-*-4-5, claude-*-45, claude-*4.5, or opus-4-5/opus-45 variants
+ // Examples that should match:
+ // claude-opus-4-5, claude-opus-45, claude-4.5, venice/claude-opus-45
+ return /\bclaude-[^\s/]*?(?:-4-?5\b|4\.5\b)/i.test(id);
 }
 export function collectModelHygieneFindings(cfg: ClawdbotConfig): SecurityAuditFinding[] {
diff --git a/src/security/audit.test.ts b/src/security/audit.test.ts
index 2ee7e27ee..0811aedda 100644
--- a/src/security/audit.test.ts
+++ b/src/security/audit.test.ts
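Review bot: The comment added above the `return` in `isClaude45OrHigher` promises more than the pattern accepts. Every alternative still requires the `claude-` prefix, so a bare `opus-45` id (the "opus-4-5/opus-45 variants" in the first comment line) does not match; neither do `claude-45` or `claude-4-5`, because the dash after `claude` is consumed before `-4-?5` is tried. A match here appears to be what suppresses the `models.weak_tier` finding, so the comment should state the accepted shapes exactly, for example `// Requires "claude-", then a name segment ending in -4-5 or -45, or a name ending in 4.5; a match means no weak-tier warning`. The function name also says "or higher" while the pattern pins 4.5, so an id carrying a later version number would presumably be reported as below 4.5; that predates this change but deserves a follow-up.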
@@ -687,6 +687,23 @@ describe("security audit", () => {
 );
 });
+ it("does not warn on Venice-style opus-45 model names", async () => {
+ // Venice uses "claude-opus-45" format (no dash between 4 and 5)
+ const cfg: ClawdbotConfig = {
+ agents: { defaults: { model: { primary: "venice/claude-opus-45" } } },
+ };
+
+ const res = await runSecurityAudit({
+ config: cfg,
+ includeFilesystem: false,
+ includeChannelSecurity: false,
+ });
+
+ // Should NOT contain weak_tier warning for opus-45
+ const weakTierFinding = res.findings.find((f) => f.checkId === "models.weak_tier");
+ expect(weakTierFinding).toBeUndefined();
+ });
+
 it("warns when hooks token looks short", async () => {
 const cfg: ClawdbotConfig = {
 hooks: { enabled: true, token: "short" },
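Review bot: The new test asserts only that the `models.weak_tier` finding is absent, so it cannot tell "recognized as top tier" apart from "the check never ran for this config", and it would keep passing if the `checkId` were renamed or the `venice/` prefix were skipped altogether. The pattern was loosened in a check whose failure mode is a silently missing warning, so the same `it(...)` block should also run a control config with a near-miss id and assert that the finding is still produced. The id in the sketch below is a constructed example; use one the audit is known to flag. The enclosing `describe` block starts and ends outside the hunk.

```typescript
    // … unchanged: Venice-style config, runSecurityAudit call and toBeUndefined assertion …

    // Control: a near-miss id (constructed example) must still raise the finding,
    // otherwise the absence asserted above says nothing about the pattern.
    const control = await runSecurityAudit({
      config: { agents: { defaults: { model: { primary: "venice/claude-opus-4" } } } },
      includeFilesystem: false,
      includeChannelSecurity: false,
    });
    expect(control.findings.some((f) => f.checkId === "models.weak_tier")).toBe(true);
```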