From bc3fd161418802bca347bd183f60e81853377b54 Mon Sep 17 00:00:00 2001
From: Uri Gil
Date: Sat, 30 May 2026 18:51:04 +0300
Subject: [PATCH] fix(CostTracker): treat package.json/lockfiles as non-executable manifests
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

classifyCallSite() special-cased .md as non-executable but never handled dependency manifests. An @anthropic-ai/* entry in a package.json under a scan root matched a RISK_PATTERN, fell through to the 'SDK' branch, and was misclassified as a BYPASS call site — a false positive that fires a phantom cost alert against an empty/stale baseline. Mirror the existing .md rule for package.json / package-lock.json / bun.lock / bun.lockb / yarn.lock.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 Releases/v5.0.0/.claude/PAI/TOOLS/CostTracker.ts | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/Releases/v5.0.0/.claude/PAI/TOOLS/CostTracker.ts b/Releases/v5.0.0/.claude/PAI/TOOLS/CostTracker.ts
index f5eeb8f817..9d8cc7158e 100644
--- a/Releases/v5.0.0/.claude/PAI/TOOLS/CostTracker.ts
+++ b/Releases/v5.0.0/.claude/PAI/TOOLS/CostTracker.ts
@@ -191,6 +191,12 @@ function classifyCallSite(file: string, reason: string): { classification: "bypa
 if (file.endsWith(".md")) {
 return { classification: "legit", note: "markdown (docs/template) — no runtime billing risk" };
 }
+ // Dependency manifests / lockfiles declare packages — they don't execute, so an
+ // SDK name appearing here is a declaration, not a billing call site.
+ if (file.endsWith("package.json") || file.endsWith("package-lock.json") ||
+ file.endsWith("bun.lock") || file.endsWith("bun.lockb") || file.endsWith("yarn.lock")) {
+ return { classification: "legit", note: "dependency manifest — declaration, not a runtime call" };
+ }
 for (const [hint, note] of Object.entries(LEGIT_HINTS)) {
 if (file.includes(hint)) return { classification: "legit", note };
 }
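Review bot: The new exemption is a bare suffix match, so any path whose text merely ends in `package.json` or `bun.lock` (e.g. `foo-package.json`, `vendored.bun.lock`) is also classified "legit", and for `package.json` the whole file is exempted even though it is not purely declarative — its `scripts` block (`postinstall`, `prepare`, …) runs shell commands, so an SDK name appearing there is a runtime call site, not a declaration, which is exactly the case the comment on the added lines rules out. Anchor the match on the basename, e.g. `const base = file.slice(file.lastIndexOf("/") + 1);` followed by `if (["package.json", "package-lock.json", "bun.lock", "bun.lockb", "yarn.lock"].includes(base)) {` (or `path.basename(file)` if `node:path` is already imported — not visible from the hunk). Either drop `package.json` from this rule and keep only the lockfiles, or state the gap in the comment: `// NOTE: package.json "scripts" entries do execute; an SDK hit inside scripts is not covered by this exemption.` Whether classifyCallSite sees the matched line (and could check for a `scripts` context) isn't visible here; the function's body continues outside the hunk.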