Summary
Bump the AWF firewall from v0.25.5 to v0.25.8 and integrate the new token-usage.jsonl log into the gh aw audit command and the workflow step summary.
Background
Firewall v0.25.8 introduces a new log file at sandbox/firewall/logs/api-proxy-logs/token-usage.jsonl that captures per-request token usage from the AI provider's API. Each line is a JSON object:
{
  "timestamp": "2026-04-01T17:56:38.042Z",
  "request_id": "71d28291-222c-44fa-ae50-f21bdd2a7fa4",
  "provider": "anthropic",
  "model": "claude-sonnet-4-6",
  "path": "/v1/messages?beta=true",
  "status": 200,
  "streaming": true,
  "input_tokens": 3,
  "output_tokens": 414,
  "cache_read_tokens": 14044,
  "cache_write_tokens": 26035,
  "duration_ms": 6383,
  "response_bytes": 2843
}
Example artifacts: gh-aw-firewall run #23862883375 (see agent-artifacts/sandbox/firewall/logs/api-proxy-logs/token-usage.jsonl).
This data is significantly richer than the current TokenUsage field in logs_report.go (a single integer from Copilot metrics). The firewall's proxy intercepts all AI API calls regardless of engine, giving us provider, model, cache hit/miss, latency, and per-request token breakdowns.
Proposed Changes
1. Bump firewall version
Update DefaultFirewallVersion in pkg/constants/constants.go from v0.25.5 to v0.25.8.
2. Parse token-usage.jsonl in the audit command
Add a new parser in pkg/cli/ that reads token-usage.jsonl from downloaded run artifacts and produces an aggregated summary:
// TokenUsageSummary aggregates every record in token-usage.jsonl for one run.
type TokenUsageSummary struct {
	TotalInputTokens      int                        `json:"total_input_tokens"`
	TotalOutputTokens     int                        `json:"total_output_tokens"`
	TotalCacheReadTokens  int                        `json:"total_cache_read_tokens"`
	TotalCacheWriteTokens int                        `json:"total_cache_write_tokens"`
	TotalRequests         int                        `json:"total_requests"`
	TotalDurationMs       int                        `json:"total_duration_ms"`
	ByModel               map[string]ModelTokenUsage `json:"by_model"`
}

// ModelTokenUsage holds the same counters for a single model.
type ModelTokenUsage struct {
	InputTokens      int `json:"input_tokens"`
	OutputTokens     int `json:"output_tokens"`
	CacheReadTokens  int `json:"cache_read_tokens"`
	CacheWriteTokens int `json:"cache_write_tokens"`
	Requests         int `json:"requests"`
	DurationMs       int `json:"duration_ms"`
}
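One way to write the per-model aggregation, as an added example rather than code from the gh-aw repository. The function name parseTokenUsage and the sample input are assumptions, and it returns the per-model map plus a count of skipped lines instead of the full TokenUsageSummary. A log line that is blank, malformed, cut off mid-write, or carries negative counters is skipped so that one bad record does not fail the audit or distort the totals.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

type ModelTokenUsage struct { // same fields and JSON tags as the struct proposed above
	InputTokens      int `json:"input_tokens"`
	OutputTokens     int `json:"output_tokens"`
	CacheReadTokens  int `json:"cache_read_tokens"`
	CacheWriteTokens int `json:"cache_write_tokens"`
	Requests         int `json:"requests"`
	DurationMs       int `json:"duration_ms"`
}

// parseTokenUsage (hypothetical name) sums usage per model; bad lines only raise skipped.
func parseTokenUsage(r io.Reader) (byModel map[string]ModelTokenUsage, skipped int, err error) {
	byModel = map[string]ModelTokenUsage{}
	sc := bufio.NewScanner(r) // default 64 KiB line limit; a longer line surfaces via sc.Err()
	for sc.Scan() {
		var e struct {
			Model string `json:"model"`
			ModelTokenUsage
		}
		if json.Unmarshal(sc.Bytes(), &e) != nil || e.Model == "" || e.InputTokens < 0 ||
			e.OutputTokens < 0 || e.CacheReadTokens < 0 || e.CacheWriteTokens < 0 || e.DurationMs < 0 {
			skipped++
			continue
		}
		m := byModel[e.Model]
		m.InputTokens += e.InputTokens
		m.OutputTokens += e.OutputTokens
		m.CacheReadTokens += e.CacheReadTokens
		m.CacheWriteTokens += e.CacheWriteTokens
		m.DurationMs += e.DurationMs
		m.Requests++ // one line is one request; a "requests" key in the line is ignored
		byModel[e.Model] = m
	}
	return byModel, skipped, sc.Err()
}

// Constructed sample: one complete line (values from the record above) and one cut off mid-write.
const sample = `{"model":"claude-sonnet-4-6","input_tokens":3,"output_tokens":414,"cache_read_tokens":14044,"cache_write_tokens":26035,"duration_ms":6383}
{"model":"claude-haiku-4-5","input_tokens":769,"output_`

func main() { fmt.Println(parseTokenUsage(strings.NewReader(sample))) }
```

The Total* fields of TokenUsageSummary are the sums over the returned map, and a non-zero skipped count is worth showing in the audit report so that an incomplete log is visible.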
3. Surface in gh aw audit output
Add a "Token Usage" section to the audit report that shows:
📊 Token Usage
  Total: 42,891 tokens (772 input, 950 output, 41,169 cache)
  Requests: 6 (avg 1,303ms)
  By model:
    claude-sonnet-4-6: 41,541 tokens across 4 requests
    claude-haiku-4-5: 580 tokens across 2 requests
  Cache efficiency: 95.8% (cache_read / total_input)
Integrate into the existing PerformanceMetrics struct in audit_report.go, or add a new TokenUsageMetrics field to AuditReport.
4. Include in workflow step summary
The agent job step summary (appended via append_agent_step_summary.sh) should include a token usage table when token-usage.jsonl is available. This would appear alongside the existing agent summary:
### 📊 Token Usage
| Model | Input | Output | Cache Read | Cache Write | Requests | Duration |
|-------|-------|--------|------------|-------------|----------|----------|
| claude-sonnet-4-6 | 6 | 864 | 137,028 | 17,062 | 4 | 18.4s |
| claude-haiku-4-5 | 769 | 86 | 0 | 0 | 2 | 1.4s |
| **Total** | **775** | **950** | **137,028** | **17,062** | **6** | **19.8s** |
This could be generated by a new step (e.g., parse_token_usage.sh or a JS script using actions/github-script) that reads the jsonl file after agent execution and before summary append.
5. Include in WorkflowRunReport for gh aw logs
Extend the WorkflowRunReport struct in logs_report.go to include the parsed TokenUsageSummary, replacing or augmenting the existing TokenUsage int field. This provides richer data for gh aw logs --json.
Files to Modify
| File | Change |
|------|--------|
| pkg/constants/constants.go | Bump DefaultFirewallVersion to v0.25.8 |
| pkg/cli/token_usage.go (new) | Parser for token-usage.jsonl → TokenUsageSummary |
| pkg/cli/token_usage_test.go (new) | Tests for token usage parsing |
| pkg/cli/audit.go | Integrate token usage into audit report |
| pkg/cli/audit_report.go | Add TokenUsageMetrics to report structs |
| pkg/cli/logs_report.go | Extend WorkflowRunReport with TokenUsageSummary |
| pkg/cli/logs_parsing.go | Parse token-usage.jsonl from downloaded artifacts |
| pkg/workflow/compiler_yaml_main_job.go | Add token usage summary step after agent execution |
| actions/setup/sh/parse_token_usage.sh or actions/setup/js/parse_token_usage.cjs (new) | Runtime script to parse jsonl and emit markdown summary |
Token Usage File Location
The file is at sandbox/firewall/logs/api-proxy-logs/token-usage.jsonl inside the agent-artifacts artifact. The gh aw audit and gh aw logs commands already download artifacts — the parser just needs to look for this path in the extracted archive.
For the step summary, the file is available at runtime on the runner at the same relative path under the firewall logs directory.
References
- Current firewall version: v0.25.5 (pkg/constants/constants.go:372)
- Current TokenUsage field: pkg/cli/logs_report.go:83 (single int from Copilot metrics)
- Existing PerformanceMetrics: pkg/cli/audit_report.go:71
- Example artifact: gh-aw-firewall run #23862883375