9a89d588b6
Triaged gadfly's P1 review (advisory). Fixed the three clearly-correct, low-risk items; the rest were pre-existing mort behavior or theoretical: - model/call.go: recordUsage dropped fully-cached responses (input==0 && output==0 early-return missed CacheRead/CacheWrite-only usage, which Anthropic/OpenAI prompt-caching bills). Guard now also checks cache tokens. - llmmeta/helper.go: recordLedger swallowed Storage.RecordMetaCall errors; now logs them (slog.Warn) so a non-logging Storage impl can't silently drop audit rows. - model/cloud_sync.go: the ollama.com limit-cache used unbounded io.ReadAll; wrapped both reads in io.LimitReader(1 MiB) so a misbehaving endpoint can't exhaust memory before the 15s timeout. Noted-not-fixed (follow-ups / pre-existing mort semantics): tier_not_allowed ledger label on resolution failure, unknown-model usage attribution, the cloud_sync https scheme allowlist, and several theoretical/cosmetic items. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>