
feat: update dependencies and add token usage reporting for AI providers #27146

Merged: cmd-ob merged 2 commits into main from feat/smart-e2e-openai-provider-upgrades on Mar 6, 2026

cmd-ob (Contributor) commented Mar 6, 2026

Description

Upgrades the smart E2E selector's AI provider stack and adds token usage
and cost reporting to make it easier to monitor and compare provider costs.

Provider changes

  • Default provider switched to OpenAI (openai → anthropic → google priority)
  • OpenAI model: gpt-5.2-chat-latest
  • Anthropic model: claude-sonnet-4-6 (was claude-opus-4-5-20251101)

SDK upgrades

  • openai: ^4.77.0 → ^6.25.0
  • @anthropic-ai/sdk: ^0.71.0 → ^0.78.0
  • Fixed breaking change from openai v6: ChatCompletionMessageToolCall is now
    a discriminated union — added toolCall.type === 'function' guard before
    accessing .function

Error visibility

  • Provider isAvailable() catch blocks now log the actual API error instead
    of silently returning false
  • Availability check output now distinguishes between missing API key and
    failed API call

Token cost tracking

  • Added LLMUsage type to LLMResponse — all three providers now return
    inputTokens / outputTokens per API call
  • analyzeWithAgent accumulates totals across iterations and prints a cost
    report on completion
  • MODEL_PRICING table added to config.ts (keyed to the three active models)

Changelog

CHANGELOG entry:

Related issues

Fixes:

Manual testing steps

Feature: Smart E2E provider selection and cost tracking                                            
                                                                                                
  Scenario: user runs analyzer with valid OpenAI key
    Given E2E_OPENAI_API_KEY is set to a valid key
    When user runs node -r esbuild-register tests/tools/e2e-ai-analyzer --pr <number> -p openai
    Then the output shows "✅ OpenAI GPT is available"
    And a "💰 Token Usage Report" is printed with input tokens, output tokens, and total cost in USD

  Scenario: user runs analyzer with missing API key
    Given E2E_OPENAI_API_KEY is not set
    When user runs node -r esbuild-register tests/tools/e2e-ai-analyzer --pr <number>
    Then the output shows "❌ OpenAI GPT is not available — missing E2E_OPENAI_API_KEY"
    And the analyzer falls back to the next available provider

  Scenario: user runs analyzer with an invalid API key
    Given E2E_OPENAI_API_KEY is set to an invalid value
    When user runs node -r esbuild-register tests/tools/e2e-ai-analyzer --pr <number>
    Then the output shows "⚠️   OpenAI API error: <error message>"
    And the output shows "❌ OpenAI GPT is not available — API call failed (see warning above)"

  Scenario: user runs analyzer with only Anthropic key set
    Given E2E_OPENAI_API_KEY is not set and E2E_CLAUDE_API_KEY is valid
    When user runs node -r esbuild-register tests/tools/e2e-ai-analyzer --pr <number>
    Then Anthropic is used as the active provider
    And the token report shows model "claude-sonnet-4-6" with cost in USD

Screenshots/Recordings

Before

After

Pre-merge author checklist

Pre-merge reviewer checklist

  • I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
  • I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

Note

Medium Risk
Medium risk due to major openai SDK upgrade and provider/model default changes that can alter analyzer behavior and costs, though the impact is confined to test tooling.

Overview
Updates the tests/tools/e2e-ai-analyzer provider stack by upgrading openai to v6 and @anthropic-ai/sdk, switching the default provider priority to OpenAI → Anthropic → Google, and updating the default OpenAI/Anthropic model IDs.

Adds token usage + estimated cost reporting: introduces LLMUsage on LLMResponse, populates usage from all three providers, accumulates totals across agent iterations in analyzeWithAgent, and prints a final report using a new MODEL_PRICING table.

Improves provider diagnostics by logging underlying API errors during isAvailable() checks and making availability output distinguish between missing API keys and failed API calls; also adds an OpenAI v6 tool-call type guard (toolCall.type === 'function') when decoding tool uses.

Written by Cursor Bugbot for commit 8389bd8. This will update automatically on new commits. Configure here.
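
The tool-call type guard and the per-iteration token accounting described in the PR description above, as an added TypeScript example that is not the repository's code. The local types stand in for the SDK's; the shape of the non-function variant, the function names, the model name and the prices are assumptions made for illustration.

```typescript
// Added illustration, not the repository's code. Local types stand in for the SDK's.
type ToolCall =
  | { id: string; type: 'function'; function: { name: string; arguments: string } }
  | { id: string; type: 'custom'; custom: { name: string; input: string } }; // assumed shape

interface LLMUsage { inputTokens: number; outputTokens: number }
interface LLMResponse { toolCalls: ToolCall[]; usage?: LLMUsage }

// Constructed USD prices per million tokens for a made-up model, not real rates.
const MODEL_PRICING: Record<string, { inputPerM: number; outputPerM: number }> = {
  'example-model': { inputPerM: 2, outputPerM: 8 },
};

// Only the 'function' variant has .function, so narrow on the discriminant first.
// Arguments are model output: unparseable JSON is skipped rather than trusted.
function decodeToolUses(calls: ToolCall[]): { name: string; input: unknown }[] {
  const uses: { name: string; input: unknown }[] = [];
  for (const call of calls) {
    if (call.type !== 'function') continue;
    try {
      uses.push({ name: call.function.name, input: JSON.parse(call.function.arguments) });
    } catch { /* malformed arguments: skip this call */ }
  }
  return uses;
}

// Sum per-call usage across agent iterations; a response without usage counts as zero.
function accumulateUsage(responses: LLMResponse[]): LLMUsage {
  const total: LLMUsage = { inputTokens: 0, outputTokens: 0 };
  for (const r of responses) {
    total.inputTokens += r.usage?.inputTokens ?? 0;
    total.outputTokens += r.usage?.outputTokens ?? 0;
  }
  return total;
}

// Returns null for a model missing from the table instead of reporting a misleading $0.
function estimateCostUsd(model: string, usage: LLMUsage): number | null {
  const price = MODEL_PRICING[model];
  if (!price) return null;
  return (usage.inputTokens * price.inputPerM + usage.outputTokens * price.outputPerM) / 1e6;
}

// Constructed sample: two agent iterations, the second without tool calls.
const SAMPLE: LLMResponse[] = [
  { usage: { inputTokens: 1000, outputTokens: 200 }, toolCalls: [
    { id: 'c1', type: 'function', function: { name: 'select_tags', arguments: '{"tags":[]}' } },
    { id: 'c2', type: 'custom', custom: { name: 'note', input: 'free text' } } ] },
  { usage: { inputTokens: 500, outputTokens: 300 }, toolCalls: [] },
];
```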

github-actions (Bot, Contributor) commented Mar 6, 2026

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

metamaskbot added the team-qa (QA team) label Mar 6, 2026
cmd-ob added the no-changelog (Indicates no external facing user changes, therefore no changelog documentation needed) and no changelog required (No changelog entry is required for this change) labels Mar 6, 2026
github-actions (Bot) added the size-M label Mar 6, 2026

socket-security (Bot) commented Mar 6, 2026

Review the following changes in direct dependencies.

| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
| --- | --- | --- | --- | --- | --- | --- |
| Updated | npm/@anthropic-ai/sdk@0.71.2 ⏵ 0.78.0 | 73 (+1) | 100 | 100 (+1) | 99 | 100 |
| Added | npm/openai@6.25.0 | 74 | 100 | 100 | 100 | 100 |

socket-security (Bot) commented Mar 6, 2026

Warning

MetaMask internal reviewing guidelines:

  • Do not ignore-all
  • Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
  • Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
    @SocketSecurity ignore npm/PACKAGE@VERSION
Action: Warn
Severity: Low
Alert: Potential code anomaly (AI signal): npm openai is 100.0% likely to have a medium risk anomaly

Notes: The code implements a standard WebSocket client for OpenAI realtime events with proper handling of API keys (including Azure-specific behavior) and structured error handling. Data flows primarily involve WebSocket messages and Authorization headers. There is no clear evidence of malicious behavior, backdoors, or data exfiltration. The main security considerations are prudent handling of API keys in headers and ensuring that keys are resolved before connection in create() usage. Overall risk is moderate due to network exposure of credentials but typical for legitimate API usage.

Confidence: 1.00

Severity: 0.60

From: package.json → npm/openai@6.25.0

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/openai@6.25.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

cursor (Bot, Contributor) left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.

Comment thread tests/tools/e2e-ai-analyzer/analysis/analyzer.ts Outdated
github-actions (Bot, Contributor) commented Mar 6, 2026

E2E Fixture Validation — Schema is up to date
6 value mismatches detected (expected — fixture represents an existing user).

github-actions (Bot, Contributor) commented Mar 6, 2026

🔍 Smart E2E Test Selection

  • Selected E2E tags: None (no tests recommended)
  • Selected Performance tags: None (no tests recommended)
  • Risk Level: low
  • AI Confidence: 94%
🤖 AI reasoning details

E2E Test Selection:
All changes are limited to package.json, yarn.lock, and files under tests/tools/e2e-ai-analyzer/. These files belong to an internal AI-based test analysis utility and provider integrations (OpenAI, Anthropic, Google) used for tooling purposes. There are no changes to app/ source code, controllers, Engine, UI components, navigation, or Detox test flows. There are also no changes to tests/framework/, tests/smoke/, or CI workflows that would affect E2E execution behavior. Therefore, no wallet functionality, confirmations, network flows, trade flows, identity, snaps, or other user-facing features are impacted. Running Detox E2E suites would not provide additional validation value for these tooling-only changes.

Performance Test Selection:
No application runtime, UI, controller, or state-management code was modified. The changes do not affect rendering, startup, asset loading, swaps, onboarding, or any critical user flow. Therefore, performance characteristics of the mobile app are unaffected and no performance tests are required.


cmd-ob (Contributor, Author) commented Mar 6, 2026

@SocketSecurity ignore npm/openai@6.25.0.

cmd-ob enabled auto-merge March 6, 2026 20:09

sonarqubecloud (Bot) commented Mar 6, 2026

cmd-ob added this pull request to the merge queue Mar 6, 2026
Merged via the queue into main with commit b277759 Mar 6, 2026
61 checks passed
cmd-ob deleted the feat/smart-e2e-openai-provider-upgrades branch March 6, 2026 20:42
github-actions (Bot) locked and limited conversation to collaborators Mar 6, 2026
metamaskbot added the release-7.70.0 (Issue or pull request that will be included in release 7.70.0) label Mar 6, 2026

Labels: no changelog required, no-changelog, release-7.70.0, size-M, team-qa

3 participants