#10786: fix: strip thinking signatures from sessions_list and add includeThinking param

## Problem `sessions_list` with `messageLimit > 0` returns raw messages with no sanitization of thinking blocks or encrypted thinking signatures. These multi-KB base64 blobs waste agent context tokens and can cause context overflow when agents inspect other sessions. `sessions_history` already has sanitization (strips `thinkingSignature`, truncates thinking text, enforces 80KB cap), but `sessions_list` does not. ## Changes - **Extract shared sanitizer** (`sanitizeAndCapSessionMessages`) in `sessions-helpers.ts` that handles: - Stripping `thinkingSignature` from thinking blocks - Truncating `thinking` text to 4000 chars - Stripping `details`, `usage`, `cost` from messages - Truncating `text`, `partialJson` to 4000 chars - Stripping image `data` (replaced with `{ omitted: true, bytes }`) - **Wire sanitizer into `sessions-list-tool.ts`** when `messageLimit > 0` - **Add `includeThinking` parameter** (default `false`) to both `sessions_list` and `sessions_history` tools - when false, drops `type:"thinking"` content blocks entirely - **Refactor `sessions-history-tool.ts`** to use the shared sanitizer instead of inline sanitization - **Apply 80KB hard cap** (`SESSIONS_HISTORY_MAX_BYTES`) to `sessions_list` message payloads - **Add tests** for the new sanitization logic ## Impact Prevents context overflow when agents use `sessions_list` to inspect other sessions that contain large thinking signatures (e.g., OpenAI Codex reasoning blocks with encrypted content). Fixes #10759 <!-- greptile_comment --> <h2>Greptile Overview</h2> <h3>Greptile Summary</h3> - Adds a shared `sanitizeAndCapSessionMessages` helper to strip large `thinkingSignature` blobs, truncate long text fields, strip tool payload fields, and enforce an 80KB JSON cap. - Wires the sanitizer into `sessions_list` when `messageLimit > 0`, and refactors `sessions_history` to use the shared helper. - Introduces `includeThinking` (default false) for both tools to optionally drop `type:"thinking"` blocks entirely. - Adds unit tests covering thinking omission, signature stripping, truncation behavior, and size capping. <h3>Confidence Score: 4/5</h3> - This PR is close to safe to merge, with one behavior edge case to address in the new sanitizer. - Core changes are localized and covered by tests, and the sanitizer/cap logic is consistent between sessions_list and sessions_history. Main remaining concern is the use of `"thinkingSignature" in entry` to classify a block as “thinking-like”, which will drop content even when the property exists with an undefined/non-string value; that can lead to unexpected data loss when includeThinking=false. - src/agents/tools/sessions-helpers.ts <!-- greptile_other_comments_section --> <!-- /greptile_comment -->