False-positive auth error when summary content contains auth-related keywords #171

@catgodtwno1

Bug Description

When the LCM summary model (e.g., anthropic/claude-haiku-4-5) successfully produces a summary, but the summary content happens to contain words like "401", "unauthorized", or "invalid api key" (because it is summarizing a conversation about auth errors), the auth-error detection logic incorrectly classifies the successful response as a provider auth failure.

Root Cause

In src/summarize.ts, function pickAuthInspectionValue() (line ~365):

When the Anthropic API responds successfully, none of the error-related keys (error, errorMessage, message, status, statusCode, etc.) are present in the response object. The subset dict ends up empty, so the function falls back to returning the full response object:

return Object.keys(subset).length > 0 ? subset : value;  // BUG: returns full response

collectAuthFailureText() then recursively walks all fields of the response, including content[].text (the actual summary text). If the summary text contains words matching AUTH_ERROR_TEXT_PATTERN:

/\b401\b|unauthorized|unauthorised|invalid[_ -]?token|invalid[_ -]?api[_ -]?key|authentication failed|authorization failed|missing scope|insufficient scope|model\.request\b/i

...the pattern matches → false positive auth error classification.

Impact

  • LCM compaction silently fails for any conversation that discusses auth errors
  • Context grows unbounded until token limit is hit, then crude truncation instead of graceful summarization
  • The error log shows Detail: assistant text {actual summary content} (distinguishable from real auth errors which show Detail: 401 {json})

Fix

Return {} instead of value when the subset is empty (no error-related fields found):

-  return Object.keys(subset).length > 0 ? subset : value;
+  // Return empty object when no error-related fields found, so that
+  // collectAuthFailureText does NOT walk assistant content which could
+  // contain auth-related keywords from the conversation being summarized.
+  return Object.keys(subset).length > 0 ? subset : {};
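Review bot: on the changed return line, replacing the `value` fallback with `{}` also means that any failure whose shape carries none of the selected error keys now produces nothing to inspect, so a real auth error delivered that way would go unclassified. Consider pairing the change with two regression tests: a successful response whose content text contains "401" must not be classified as an auth failure, and a response carrying only an error field such as `status` must still be classified. The added comment explains the intent well; a reference to this issue number in it would help future readers.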

This ensures that when the API response is successful (no error fields), collectAuthFailureText() receives an empty object and produces no text to match against AUTH_ERROR_TEXT_PATTERN.

Environment

  • lossless-claw v0.5.1
  • OpenClaw gateway on macOS (Apple Silicon)
  • Summary model: anthropic/claude-haiku-4-5 (also reproduces with claude-sonnet-4-6)
  • The bug does NOT occur with MiniMax models because their real 401 errors have actual error fields present

Reproduction

  1. Configure LCM with an Anthropic model as summaryModel
  2. Have a conversation that discusses HTTP 401 errors, auth failures, or "invalid api key"
  3. Wait for compaction threshold to trigger
  4. Observe: compaction logged as auth failure despite successful API response
  5. Gateway log shows the summary text in the error detail field

Verified Fix

Patch applied locally on 2026-03-24. After fix:

  • 33 consecutive Haiku compressions with zero false positives
  • Conversations about auth errors are now summarized correctly

Note

This is separate from issue #162 (authProfileId inheritance causing auth drift), which was fixed in v0.5.1. The content-scanning false-positive is a different code path.
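
A minimal reproduction of the false positive and the fix described in this issue, added here as an example and not taken from the lossless-claw source. The function bodies, the shortened key list, the `emptyFallback` parameter, `looksLikeAuthFailure` and both sample responses are assumptions; only the regex is copied from the issue text.

```javascript
// Added illustration: bodies are assumptions, not the project's implementation.
// Pattern copied verbatim from the issue.
const AUTH_ERROR_TEXT_PATTERN =
  /\b401\b|unauthorized|unauthorised|invalid[_ -]?token|invalid[_ -]?api[_ -]?key|authentication failed|authorization failed|missing scope|insufficient scope|model\.request\b/i;

// Only the keys the issue names; the real list is longer ("etc.").
const ERROR_KEYS = ["error", "errorMessage", "message", "status", "statusCode"];

// emptyFallback (hypothetical parameter) selects the behaviour when no
// error-related key is present: buggy returns the whole response, fixed returns {}.
function pickAuthInspectionValue(value, emptyFallback) {
  const subset = {};
  if (value && typeof value === "object") {
    for (const key of ERROR_KEYS) {
      if (key in value) subset[key] = value[key];
    }
  }
  return Object.keys(subset).length > 0 ? subset : emptyFallback(value);
}

// Recursively gathers every string and number leaf into one text blob.
function collectAuthFailureText(value, out = []) {
  if (typeof value === "string" || typeof value === "number") out.push(String(value));
  else if (Array.isArray(value)) value.forEach((v) => collectAuthFailureText(v, out));
  else if (value && typeof value === "object")
    Object.values(value).forEach((v) => collectAuthFailureText(v, out));
  return out.join(" ");
}

function looksLikeAuthFailure(response, emptyFallback) {
  const inspected = pickAuthInspectionValue(response, emptyFallback);
  return AUTH_ERROR_TEXT_PATTERN.test(collectAuthFailureText(inspected));
}

const buggy = (value) => value; // behaviour before the fix
const fixed = () => ({});       // behaviour after the fix

// Constructed sample: a successful response whose summary talks about auth errors.
const successfulSummary = {
  role: "assistant",
  content: [{ type: "text", text: "User hit HTTP 401 after rotating an invalid API key." }],
};

// Constructed sample: a real provider failure that carries error fields.
const realAuthFailure = {
  status: 401,
  error: { type: "authentication_error", message: "invalid x-api-key" },
};
```

With the buggy fallback the walked text for `successfulSummary` begins with `assistant text ...`, which matches the `Detail: assistant text {actual summary content}` shape reported in the error log.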
