fixup! fixup! feat: add git node security --validate-reports

RafaelGSS · RafaelGSS · commit 9c4223a77d0c · 2026-05-27T16:41:45.000-03:00
diff --git a/components/git/security.js b/components/git/security.js
@@ -82,6 +82,10 @@ const securityOptions = {
     describe: 'Override the command used for --llm. The report prompt is sent on stdin.',
     type: 'string'
   },
+  'llm-allow-paid-usage': {
+    describe: 'Allow LLM providers that may incur token-based charges without prompting',
+    type: 'boolean'
+  },
   'node-repo': {
     default: process.cwd(),
     describe: 'Node.js checkout path the LLM should use to read SECURITY.md and doc/',
diff --git a/docs/git-node.md b/docs/git-node.md
@@ -527,6 +527,7 @@ only a local triage aid and still requires human review.
   git node security --validate-reports --llm=codex --llm-model=gpt-5.5
   git node security --validate-reports --llm=codex --no-validate-reports-confirm
   git node security --validate-reports --llm=codex --no-validate-reports-cache
+  git node security --validate-reports --llm=codex --llm-allow-paid-usage --no-validate-reports-confirm
   git node security --validate-reports --llm=claude --node-repo=/path/to/node
   git node security --validate-reports --llm=copilot --node-repo=/path/to/node
   git node security --validate-reports --llm=copilot --llm-command="copilot -p"
@@ -570,6 +571,11 @@ then asks whether to continue to the next report. Use
 Use `--validate-reports-limit=<n>` to test the flow against a smaller number of
 reports.
 
+Some LLM providers or custom commands may incur token-based charges beyond a
+regular subscription. The command asks for confirmation once before running those
+providers. Batch runs with `--no-validate-reports-confirm` must also pass
+`--llm-allow-paid-usage`.
+
 #### LLM prompt and reasoning
 
 The LLM prompt is designed to keep the model anchored to the Node.js threat
@@ -640,6 +646,7 @@ assessment.
 | `--llm=none\|codex\|claude\|copilot` | Print prompts for manual LLM use or ask an LLM CLI to assess each report. Defaults to `none`. |
 | `--llm-model=<model>` | Override the provider model and cache identity. |
 | `--llm-command=<command>` | Override the command used for LLM assessment. The prompt is sent on stdin. |
+| `--llm-allow-paid-usage` | Allow providers or custom commands that may incur token-based charges without prompting. Required for non-interactive paid-usage runs. |
 | `--node-repo=<path>` | Path to a Node.js checkout containing `SECURITY.md` and `doc/`. Defaults to the current directory. |
 
 ## `git node status`
diff --git a/lib/validate_reports.js b/lib/validate_reports.js
@@ -17,6 +17,7 @@ const H1_TRIAGED_REPORTS_URL =
 const CACHE_FOLDER = '.ncu-cache/security-report-validation';
 const MANUAL_REVIEW_VALIDITY = 'needs-manual-review';
 const MANUAL_LLM_PROVIDER = 'none';
+const PAID_USAGE_LLM_PROVIDERS = new Set(['codex', 'claude']);
 
 const CVSS_WEIGHTS = {
   AV: { N: 0.85, A: 0.62, L: 0.55, P: 0.2 },
@@ -855,6 +856,37 @@ function buildProviderCommand(provider, nodeRepo, commandOverride, model) {
   }
 }
 
+function llmMayUsePaidTokens(provider, commandOverride) {
+  return provider !== MANUAL_LLM_PROVIDER &&
+    (commandOverride || PAID_USAGE_LLM_PROVIDERS.has(provider));
+}
+
+async function confirmPaidLLMUsage(provider, argv, cli) {
+  if (!llmMayUsePaidTokens(provider, argv['llm-command']) ||
+      argv['llm-allow-paid-usage']) {
+    return;
+  }
+
+  const message = argv['llm-command']
+    ? 'The configured --llm-command may incur token-based usage charges. Continue?'
+    : `${provider} may incur token-based usage charges beyond a regular ` +
+      'subscription. Continue?';
+
+  if (!argv['validate-reports-confirm']) {
+    throw new Error(
+      'LLM provider may incur token-based usage charges. Pass ' +
+      '--llm-allow-paid-usage to run non-interactively.'
+    );
+  }
+
+  const confirmed = await cli.prompt(message, {
+    defaultAnswer: false
+  });
+  if (!confirmed) {
+    throw new Error('LLM assessment cancelled by user');
+  }
+}
+
 function printLLMPrompt(result, prompt, cli) {
   cli.separator(`H1 ${result.id} LLM Prompt`);
   cli.log([
@@ -1100,6 +1132,8 @@ async function assessReportsWithLLM(reports, results, argv, cli) {
   );
 
   try {
+    await confirmPaidLLMUsage(provider, argv, cli);
+
     for (let i = 0; i < reports.length; i++) {
       const shouldContinue = await assessOneReportWithLLM({
         report: reports[i],
