fix(agents): honor explicit long Anthropic cache TTL on custom hosts by MonkeyLeeT · Pull Request #67800 · openclaw/openclaw

MonkeyLeeT · 2026-04-16T19:54:47Z

Summary

honor explicit cacheRetention: "long" for custom anthropic-messages providers when building Anthropic cache-control payloads
keep the existing hostname allowlist behavior for implicit or env-driven long retention so defaults remain conservative
add regression coverage for explicit long, explicit short, and env-driven long retention on custom hosts

Why

Custom Anthropic-compatible proxies can support 1-hour prompt-cache TTLs even when they do not use Anthropic or Vertex hostnames. OpenClaw was silently downgrading explicit cacheRetention: "long" to the default 5-minute ephemeral cache for those providers.

Closes #67164.

Root Cause

src/agents/anthropic-payload-policy.ts only emitted ttl: "1h" when cacheRetention was long and the baseUrl hostname matched a hardcoded Anthropic/Vertex allowlist. That made explicit long-retention opt-ins ineffective for custom anthropic-messages endpoints.

Behavior Change

explicit cacheRetention: "long" now emits cache_control: { type: "ephemeral", ttl: "1h" } even for custom hosts
implicit/env-driven long retention still requires an allowlisted host
explicit short and none behavior are unchanged

Validation

pnpm test src/agents/anthropic-payload-policy.test.ts

greptile-apps · 2026-04-16T19:59:54Z

Greptile Summary

This PR fixes a bug where explicit cacheRetention: "long" on custom anthropic-messages providers was silently downgraded to 5-minute ephemeral cache because the TTL gate required an allowlisted hostname. The fix adds a short-circuit: if cacheRetention is explicitly "long", the 1h TTL is applied regardless of hostname, while implicit/env-driven long retention still requires an allowlisted endpoint. The implementation is minimal and correct, with three new test cases covering explicit long, env-driven long, and explicit short retention on custom hosts.

Confidence Score: 5/5

Safe to merge — minimal, targeted fix with correct logic and comprehensive regression tests.

The logic change is provably correct across all four input cases (explicit long, env-driven long, explicit short, none). Tests cover the new behavioral paths. No P0/P1 findings.

No files require special attention.

_{Reviews (1): Last reviewed commit: "Merge branch 'main' into codex/anthropic..." | Re-trigger Greptile}

suboss87

Nice fix. The distinction between explicit user opt-in vs env-driven defaults is the right call for custom proxy hosts.

One thing to watch: retention is derived from cacheRetention (possibly after env defaults), so the condition retention === "long" && (cacheRetention === "long" || isLongTtlEligibleEndpoint(baseUrl)) works correctly but the relationship between the two variables is implicit. If someone later changes how retention is resolved without updating this site, the behavior could drift. Might be worth a comment noting that cacheRetention === "long" is the "was this explicitly set by the user" check vs the env/hostname path.

The env save/restore in the test is clean. Tests look solid.

MonkeyLeeT · 2026-04-17T15:29:06Z

@hxy91819 PTAL

mujiannan · 2026-04-20T03:44:10Z

The security bot's concern seems overstated for this use case. When a user explicitly sets cacheRetention: "long", they've already made a deliberate configuration choice — they know they're routing traffic through a custom/proxy host and have accepted that relationship. The previous silent downgrade to 5-minute TTL is the surprising behavior here, not the fix.

The allowLongTtlOnCustomHosts flag suggestion just adds friction without meaningful security benefit: anyone who configures cacheRetention: "long" on a custom host is presumably already aware of and trusting that host. Requiring a second opt-in flag doesn't change the trust model, it just makes the feature harder to use.

Option 3 from the original issue is the right call — honor explicit user intent. The allowlist can remain as the default guard when cacheRetention is unset or "auto".

Cherry-pick of openclaw#67800 (ad9f567) - Explicit cacheRetention: 'long' now emits ttl: '1h' for any host - Implicit/env-driven long retention still requires allowlisted host - Tests added for explicit long, implicit long, explicit short

hxy91819 · 2026-04-20T14:01:56Z

Review: Honor explicit long Anthropic cache TTL on custom hosts

APPROVED — this is completing an already-open capability path, not introducing new behavior.

Custom anthropic-messages providers with explicit cacheRetention: "long" already emit cache_control: { type: "ephemeral" } (5-min TTL) via #59049. This PR just adds the ttl: "1h" variant that was incorrectly blocked by the hostname allowlist. The explicit-vs-implicit distinction is clean: cacheRetention === "long" bypasses the allowlist (explicit opt-in), while PI_CACHE_RETENTION=long still requires allowlist membership (conservative default preserved).

Why the gap exists — historical investigation

The allowlist and custom-provider support evolved independently:

fix(agents): honor cacheRetention for custom anthropic providers #59049 — resolveCacheRetention() extended to admit custom-anthropic-api providers with explicit config. Door opened.
067496b129 — Policy logic refactored into anthropic-payload-policy.ts with baseUrl.includes("api.anthropic.com"). Wall built — only Anthropic official endpoints get 1h TTL.
fix(cache): enable prompt cache retention for Anthropic Vertex AI #60888 — Wall upgraded to proper isLongTtlEligibleEndpoint() allowlist + Vertex AI hostnames. Window added, but the custom-anthropic-api family from step 1 was not accounted for.
This PR — Adds explicit-config escape hatch. Door and wall aligned.

The gap was not an intentional security boundary — it was an alignment miss between two layers implemented at different times.

No blocking issues. Optional nice-to-have: warn-level log when ttl: "1h" is applied to a non-allowlisted endpoint, to help operators validate the configuration is intentional.

Note: Do not merge until after the next release.

hxy91819 · 2026-04-21T09:45:35Z

Merged via squash.

Prepared head SHA: 0ffde15713b68c6953da826fca06a67000086b9b
Merge commit: 4bacdc882454fa6ae557d6522f778b630cb4c4a2

Thanks @MonkeyLeeT!

Made-with: Cursor

* fix(changelog): remove duplicate entry for PR #67800 * docs(changelog): move #67800 note from Unreleased into 2026.4.20

* 'main' of https://github.com/openclaw/openclaw: (653 commits) docs(changelog): deduplicate openclaw#67800 entries in Unreleased (openclaw#69670) fix(agents): honor explicit long Anthropic cache TTL on custom hosts (openclaw#67800) fix: fix Telegram media file delivery (openclaw#69641) fix(media): preserve outbound attachment filenames fix(media): parse lowercase media directives fix(bluebubbles): add opt-in coalesceSameSenderDms for split-send DMs (openclaw#69258) fix: centralize provider thinking profiles docs: prepare 2026.4.20 changelog fix: stage ACP and Codex runtime deps fix(gateway): drop stale service env on reinstall test: add bundled channel dependency Docker smoke test: relax detached task recovery timing assertion fix: ignore placeholder shells in runtime detection (openclaw#69308) shell: fall back to sh when SHELL is /usr/bin/false or nologin fix(browser): clarify DevToolsActivePort attach failures fix: sanitize mcp transport warning fields fix: launch Windows startup gateway directly fix(openai-codex): normalize legacy copilot transport fix: narrow MCP stdio env safety filter (openclaw#69540) fix(mcp): block dangerous stdio env overrides ...

@hxy91819