fix(gateway): preserve OpenAI usage aliases in chat history

[steipete]

Summary

• preserve OpenAI-compatible assistant usage aliases through sanitized chat history
• add regression coverage for prompt_tokens, completion_tokens, and total_tokens
• keep unrelated provider payload fields stripped from the display projection

Fixes #77992.

Verification

• /Users/steipete/.local/share/fnm/node-versions/v24.13.0/installation/bin/node ./node_modules/.bin/tsx -e "...sanitizeChatHistoryMessages usage alias assertion..."
• git diff --check
• .agents/skills/autoreview/scripts/autoreview --mode local

Behavior addressed: llama.cpp/OpenAI-compatible usage metadata no longer loses prompt_tokens, completion_tokens, and total_tokens before chat/session display code can compute context usage.
Real environment tested: local OpenClaw checkout on Node 24.13.0 with the gateway chat display sanitizer executed directly; GitHub CI will run the full repository gates.
Exact steps or command run after this patch: direct Node 24 tsx assertion for sanitizeChatHistoryMessages, git diff --check, and Codex autoreview local mode.
Evidence after fix: the direct assertion verified sanitized assistant history preserves the three OpenAI-compatible numeric usage fields and still discards an unrelated provider payload field.
Observed result after fix: direct assertion printed usage aliases ok; autoreview reported no accepted/actionable findings.
What was not tested: a live llama.cpp server; this patch covers the deterministic projection path that was dropping the reported usage fields.

[clawsweeper]

Codex review: needs maintainer review before merge.

Latest ClawSweeper review: 2026-05-22 13:59 UTC / May 22, 2026, 9:59 AM ET.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
The PR preserves OpenAI-compatible usage aliases in sanitized gateway chat history, adds regression coverage, and records the fix in the changelog.

Reproducibility: yes. for source reproduction: current main's sanitizer allowlist drops the exact OpenAI-compatible usage aliases reported by llama.cpp, and downstream usage normalization already knows how to consume them. I did not run a live llama.cpp server, so this is source-reproducible rather than fully reproduced end to end.

PR rating
Overall: 🐚 platinum hermit
Proof: 🐚 platinum hermit
Patch quality: 🐚 platinum hermit
Summary: The patch is small, targeted, and backed by direct execution of the changed path plus regression coverage, with the main remaining gap being no live provider smoke.

Rank-up moves:

• none

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

Real behavior proof
Sufficient (terminal): The PR body reports after-fix direct execution of the changed sanitizeChatHistoryMessages path with the OpenAI-compatible aliases preserved and an unrelated payload field discarded; that is adequate for this deterministic projection fix.

Risk before merge

• The submitted proof exercises the deterministic sanitizer path but does not include an end-to-end llama.cpp or Telegram status-display run after the patch.

Maintainer options:

1. Decide the mitigation before merge
   Land the narrow sanitizer allowlist and regression test after maintainer review, then close the linked llama.cpp context-display bug once the PR is merged and CI or a focused live-provider check confirms the behavior.
2. Pause or close
   Do not merge this PR until maintainers decide whether the risk is worth taking.

Next step before merge
The protected maintainer label makes this a maintainer-handled PR rather than an automated cleanup or repair candidate.

Security
Cleared: The diff only extends a numeric usage metadata allowlist, adds a regression test, and updates the changelog; it does not touch secrets, auth, dependency resolution, CI, install, or code execution paths.

Review details

Best possible solution:

Land the narrow sanitizer allowlist and regression test after maintainer review, then close the linked llama.cpp context-display bug once the PR is merged and CI or a focused live-provider check confirms the behavior.

Do we have a high-confidence way to reproduce the issue?

Yes for source reproduction: current main's sanitizer allowlist drops the exact OpenAI-compatible usage aliases reported by llama.cpp, and downstream usage normalization already knows how to consume them. I did not run a live llama.cpp server, so this is source-reproducible rather than fully reproduced end to end.

Is this the best way to solve the issue?

Yes, the PR appears to solve the issue in the right layer by preserving known numeric usage aliases while continuing to strip unrelated provider payload fields. A live provider smoke would improve confidence, but the code path and regression test are the narrow maintainable fix.

Label changes:

• add P2: This is a narrow regression fix for gateway chat context display with limited blast radius and no evidence of a core outage or security impact.
• add proof: sufficient: Contributor real behavior proof is sufficient. The PR body reports after-fix direct execution of the changed sanitizeChatHistoryMessages path with the OpenAI-compatible aliases preserved and an unrelated payload field discarded; that is adequate for this deterministic projection fix.
• add rating: 🐚 platinum hermit: Current PR rating is 🐚 platinum hermit because proof is 🐚 platinum hermit, patch quality is 🐚 platinum hermit, and The patch is small, targeted, and backed by direct execution of the changed path plus regression coverage, with the main remaining gap being no live provider smoke.
• add status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (terminal): The PR body reports after-fix direct execution of the changed sanitizeChatHistoryMessages path with the OpenAI-compatible aliases preserved and an unrelated payload field discarded; that is adequate for this deterministic projection fix.

Label justifications:

• P2: This is a narrow regression fix for gateway chat context display with limited blast radius and no evidence of a core outage or security impact.
• rating: 🐚 platinum hermit: Current PR rating is 🐚 platinum hermit because proof is 🐚 platinum hermit, patch quality is 🐚 platinum hermit, and The patch is small, targeted, and backed by direct execution of the changed path plus regression coverage, with the main remaining gap being no live provider smoke.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (terminal): The PR body reports after-fix direct execution of the changed sanitizeChatHistoryMessages path with the OpenAI-compatible aliases preserved and an unrelated payload field discarded; that is adequate for this deterministic projection fix.
• proof: sufficient: Contributor real behavior proof is sufficient. The PR body reports after-fix direct execution of the changed sanitizeChatHistoryMessages path with the OpenAI-compatible aliases preserved and an unrelated payload field discarded; that is adequate for this deterministic projection fix.

Acceptance criteria:

• node scripts/run-vitest.mjs src/gateway/server-methods/server-methods.test.ts
• git diff --check

What I checked:

• Protected maintainer label: The provided live PR context lists the maintainer label, which makes this a keep-open item for explicit maintainer handling rather than conservative cleanup closure.
• Current sanitizer allowlist drops the reported aliases: On current main, sanitizeUsage copies only a fixed allowlist of usage keys and does not include prompt_tokens, completion_tokens, or total_tokens. (src/gateway/chat-display-projection.ts:222, c21ca883b0cc)
• Chat history projection sends assistant usage through that allowlist: sanitizeChatHistoryMessage sanitizes assistant usage via sanitizeUsage, so dropped aliases disappear before downstream display/session surfaces can normalize them. (src/gateway/chat-display-projection.ts:292, c21ca883b0cc)
• Downstream usage normalization already understands OpenAI aliases: normalizeUsage maps prompt_tokens and completion_tokens into normalized input/output usage, so preserving those numeric fields through the display sanitizer feeds the existing normalization contract. (src/agents/usage.ts:124, c21ca883b0cc)
• PR diff is narrow and covered: The PR adds the reported aliases to knownFields, adds a regression test that preserves them while discarding an unrelated provider payload field, and adds one changelog line. (src/gateway/chat-display-projection.ts:228, 1249a8d0a539)
• Linked issue has concrete provider evidence: The linked bug report says llama.cpp returns usage.prompt_tokens, usage.completion_tokens, and usage.total_tokens, while the context display shows unknown usage after upgrading; that matches the current sanitizer gap.

Likely related people:

• Vincent Koc: Authored the current-main commit that added src/gateway/chat-display-projection.ts, the sanitizeUsage allowlist, and the adjacent sanitizer tests. (role: introduced current behavior; confidence: high; commits: 82f69a269bbb; files: src/gateway/chat-display-projection.ts, src/gateway/server-methods/server-methods.test.ts, src/agents/usage.ts)
• Peter Steinberger: Committed the current-main commit that introduced the display projection path and also authored the focused PR branch under review. (role: recent merger and area contributor; confidence: medium; commits: 82f69a269bbb, 1249a8d0a539; files: src/gateway/chat-display-projection.ts, src/gateway/server-methods/server-methods.test.ts, CHANGELOG.md)

Codex review notes: model gpt-5.5, reasoning high; reviewed against c21ca883b0cc.

[clawsweeper]

ClawSweeper PR egg

✨ Hatched: 🥚 common Pearl Branchling

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

• Merged PRs are hatchable.
• Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
• Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

Rarity: 🥚 common.
Trait: sparkles near resolved comments.
Image traits: location review cove; accessory rollback rope; palette pearl, teal, and neon green; mood celebratory; pose sitting proudly on a smooth stone; shell paper lantern shell; lighting calm overcast light; background subtle branch markers.
Share on X: post this hatch
Copy: My PR egg hatched a 🥚 common Pearl Branchling in ClawSweeper.

What is this egg doing here?

• Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
• The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
• Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
• The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
• Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.