
fix: preserve visible JAX findings in oversized JSON#1380

Merged
mldangelo-oai merged 3 commits into
mainfrom
mdangelo/codex/fix-jax-post-merge-review
May 28, 2026

Conversation

@mldangelo-oai
Contributor

Summary

  • follow-up to the merged fix "route padded and renamed JAX JSON checkpoints" (#1281) so oversized JAX JSON checkpoints still report suspicious strings already visible inside the bounded prefix
  • preserve fail-closed behavior when coverage is incomplete, including non-cacheable bounded-prefix reread failures and intentionally ambiguous oversized routing
  • align bounded inspection with normal JSON semantics for complete visible roots while conservatively handling truncated roots

Review Feedback Addressed

  • implements the post-merge request to preserve bounded-prefix JSON pattern findings on oversized JAX checkpoints
  • retains fail-closed routing for oversized prefixes with an apparent non-JAX field when a later JAX identity could still be hidden beyond the bounded read
  • hardens follow-up review discoveries: nested documentation suppression, arrays, truncated long strings, JSON-escaped truncated strings, trailing second roots, duplicate-key complete-root semantics, and operational read failures

Validation

  • uv --no-config run --no-sync ruff format modelaudit/ packages/modelaudit-picklescan/src packages/modelaudit-picklescan/tests tests/
  • uv --no-config run --no-sync ruff check --fix modelaudit/ packages/modelaudit-picklescan/src packages/modelaudit-picklescan/tests tests/
  • uv --no-config run --no-sync mypy modelaudit/ packages/modelaudit-picklescan/src packages/modelaudit-picklescan/tests tests/ (451 source files clean)
  • node /private/tmp/node_modules/prettier/bin/prettier.cjs --check CHANGELOG.md README.md docs/user/compatibility-matrix.md
  • affected JAX/routing/core matrix: 687 passed, 3 warnings
  • exact required full lane: 6364 passed, 16 skipped, 22 warnings in 200.18s
  • independent final read-only review: no actionable issues found

End-to-End Proof

  • oversized encoded visible threat (jax\u002eexperimental\u002eio_callback) reports a critical bounded-prefix finding at json_checkpoint_bounded_prefix.payload and exits 1
  • oversized encoded documentation mention remains incomplete without a critical finding and exits 2
  • a complete visible duplicate-key root honors the final benign value and exits 2 without a critical pattern finding
  • a truncated duplicate-key root preserves the visible threat finding and exits 1
  • malformed trailing-second-root input does not promote a critical pattern from outside the first JSON document
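The bounded-prefix behaviour the summary and end-to-end list above describe, shown as an added example written for this page; it is not modelaudit's scanner code. It reads only the first PREFIX_LIMIT bytes of a checkpoint, applies normal JSON semantics (last duplicate key wins, documentation fields skipped) when the first document is completely visible, scans raw string literals after decoding JSON escapes when the root is truncated, never promotes content after the first document, and fails closed (exit 2) whenever coverage is incomplete. PREFIX_LIMIT, the SUSPICIOUS pattern list, DOC_KEYS and the exit-code mapping are assumptions chosen to mirror the exit codes the author reports; the sample checkpoints are constructed.

```python
"""Bounded-prefix inspection of a possibly oversized JSON checkpoint.

Added example, not modelaudit code. PREFIX_LIMIT, SUSPICIOUS, DOC_KEYS and the
exit-code mapping are constructed for illustration.
"""
import json
import re
from dataclasses import dataclass, field

PREFIX_LIMIT = 160                      # constructed: bytes read from the head of the file
SUSPICIOUS = ("jax.experimental.io_callback", "jax.experimental.host_callback")
DOC_KEYS = frozenset({"description", "doc", "notes"})  # constructed documentation fields

# A JSON string literal, or an unterminated one running to the cut (re.S: newlines too).
_STRING_TOKEN = re.compile(r'"((?:[^"\\]|\\.|\\$)*)(?:"|$)', re.S)
_ESCAPE = re.compile(r'\\u([0-9a-fA-F]{4})|\\(["\\/bfnrt])')
_SIMPLE = {'"': '"', "\\": "\\", "/": "/", "b": "\b", "f": "\f",
           "n": "\n", "r": "\r", "t": "\t"}


def unescape(raw: str) -> str:
    """Decode JSON escapes so "jax\\u002eexperimental" compares as "jax.experimental".
    An escape cut off at the prefix boundary (e.g. "\\u00") is left as-is, so it
    cannot match and the caller stays in the incomplete branch."""
    def repl(m: re.Match) -> str:
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        return _SIMPLE[m.group(2)]
    return _ESCAPE.sub(repl, raw)


@dataclass
class Verdict:
    findings: list[str] = field(default_factory=list)
    complete: bool = False   # True only if the whole file was one JSON document inside the prefix
    note: str = ""

    @property
    def exit_code(self) -> int:
        if self.findings:
            return 1                        # visible threat: report even with partial coverage
        return 0 if self.complete else 2    # fail closed when coverage is incomplete


def _walk(node, out: list[str], under_doc: bool = False) -> list[str]:
    """Normal JSON semantics for a complete root: json already kept the last value
    of a duplicate key, and strings under documentation keys are skipped."""
    if isinstance(node, dict):
        for key, value in node.items():
            _walk(value, out, under_doc or key in DOC_KEYS)
    elif isinstance(node, list):
        for value in node:
            _walk(value, out, under_doc)
    elif isinstance(node, str) and not under_doc:
        out.extend(p for p in SUSPICIOUS if p in node)
    return out


def inspect_prefix(data: bytes, limit: int = PREFIX_LIMIT) -> Verdict:
    prefix = data[:limit].decode("utf-8", errors="replace").lstrip()
    verdict = Verdict()
    try:
        root, end = json.JSONDecoder().raw_decode(prefix)
    except json.JSONDecodeError:
        # Truncated or malformed root: no structure to trust, so scan every visible
        # string literal (keys included, no documentation suppression) after unescaping.
        for m in _STRING_TOKEN.finditer(prefix):
            text = unescape(m.group(1))
            verdict.findings.extend(p for p in SUSPICIOUS if p in text)
        verdict.note = "first JSON document is truncated or malformed"
        return verdict
    verdict.findings = _walk(root, [])
    if prefix[end:].strip():
        # Anything after the first document (a trailing second root) is never promoted.
        verdict.note = "bytes after the first JSON document were not inspected"
    elif len(data) > limit:
        verdict.note = "file exceeds the bounded prefix; remainder not inspected"
    else:
        verdict.complete = True
    return verdict


if __name__ == "__main__":
    # Constructed oversized checkpoint: the escaped threat is visible inside the prefix.
    sample = (b'{"callback":"jax\\u002eexperimental\\u002eio_callback","pad":"'
              + b"x" * 500 + b'"}')
    v = inspect_prefix(sample)
    print(v.exit_code, v.findings, v.note)
```

The two branches deliberately differ in strictness: a complete root is trusted to the point of honouring a later benign duplicate key, while a truncated root is scanned literal by literal because its structure cannot be relied on. A threat string whose escape sequence is itself cut at the boundary produces no finding and therefore lands on exit 2, not exit 0, which is the fail-closed outcome the PR describes.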

@github-actions
Contributor

github-actions Bot commented May 27, 2026

Workflow run and artifacts

Performance Benchmarks

Compared 12 shared benchmarks with a regression threshold of 15%.
Status: 0 regressions, 0 improved, 12 stable, 0 new, 0 missing.
Aggregate shared-benchmark median: 642.32ms -> 640.70ms (-0.3%).

| Workload | Benchmark | Target | Size | Files | Baseline | Current | Change | Status |
|---|---|---|---|---|---|---|---|---|
| nested-payload-review | tests/benchmarks/test_picklescan_benchmarks.py::test_picklescan_nested_payload_review[nested_hex] | nested_hex | 130 B | 1 | 397.8us | 410.6us | +3.2% | stable |
| nested-payload-review | tests/benchmarks/test_picklescan_benchmarks.py::test_picklescan_nested_payload_review[nested_raw] | nested_raw | 78 B | 1 | 399.6us | 387.3us | -3.1% | stable |
| suspicious-pickle-intake | tests/benchmarks/test_scan_benchmarks.py::test_scan_suspicious_pickle_intake | suspicious-intake | 183.8 KiB | 4 | 89.89ms | 87.37ms | -2.8% | stable |
| padded-multi-stream-upload | tests/benchmarks/test_picklescan_benchmarks.py::test_picklescan_padded_multi_stream_upload | multi_stream_padded | 4.1 KiB | 1 | 1.35ms | 1.37ms | +1.5% | stable |
| clean-training-checkpoint | tests/benchmarks/test_picklescan_benchmarks.py::test_picklescan_clean_training_checkpoint | safe_large | 278.2 KiB | 1 | 10.62ms | 10.77ms | +1.5% | stable |
| duplicate-heavy-registry | tests/benchmarks/test_scan_benchmarks.py::test_scan_duplicate_registry_snapshot | registry-snapshot | 915.2 KiB | 13 | 185.09ms | 183.18ms | -1.0% | stable |
| mixed-model-repository | tests/benchmarks/test_scan_benchmarks.py::test_scan_release_candidate_repository | release-candidate | 547.3 KiB | 32 | 251.78ms | 254.28ms | +1.0% | stable |
| nested-payload-review | tests/benchmarks/test_picklescan_benchmarks.py::test_picklescan_nested_payload_review[nested_base64] | nested_base64 | 98 B | 1 | 396.7us | 399.8us | +0.8% | stable |
| chunked-upload-stream | tests/benchmarks/test_picklescan_benchmarks.py::test_picklescan_chunked_upload_stream | chunked_stream | 278.2 KiB | 1 | 13.75ms | 13.64ms | -0.8% | stable |
| warm-cache-rescan | tests/benchmarks/test_scan_benchmarks.py::test_scan_warm_cached_repository_rescan | release-candidate | 547.3 KiB | 32 | 52.90ms | 53.29ms | +0.7% | stable |
| single-checkpoint-preflight | tests/benchmarks/test_scan_benchmarks.py::test_scan_single_checkpoint_before_load | single_checkpoint.pkl | 183.0 KiB | 1 | 34.47ms | 34.33ms | -0.4% | stable |
| direct-malicious-upload | tests/benchmarks/test_picklescan_benchmarks.py::test_picklescan_direct_malicious_upload | malicious_reduce | 52 B | 1 | 1.27ms | 1.27ms | -0.4% | stable |

@chatgpt-codex-connector Bot left a comment
💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 0a9001a32c


Two review comment threads on modelaudit/scanners/jax_checkpoint_scanner.py (both marked Outdated)
Address review feedback for bounded JAX JSON scanning, including depth-capped siblings, trailing bytes, recursion-limited prefixes, and escaped overlap routing.
@mldangelo-oai mldangelo-oai merged commit 39afcf0 into main May 28, 2026
29 checks passed
@mldangelo-oai mldangelo-oai deleted the mdangelo/codex/fix-jax-post-merge-review branch May 28, 2026 15:13