@integrity-labs/agt-cli 0.27.82 → 0.27.84

package/dist/mcp/slack-channel.js

@@ -14449,6 +14449,232 @@ function probeAgentSessionCached(codeName, ttlMs = SESSION_PROBE_TTL_MS, now = D
   return value;
 }
 
+// src/pane-tail.ts
+import { execFile } from "child_process";
+import { promisify } from "util";
+import { open, stat } from "fs/promises";
+
+// src/channel-attachments.ts
+import { homedir } from "os";
+import { join as join2, resolve, sep } from "path";
+function resolveChannelInboundDir(codeName, channelSlug) {
+  const base = join2(homedir(), ".augmented");
+  const allowedSegment = /^[A-Za-z0-9_-]+$/;
+  if (!allowedSegment.test(codeName) || !allowedSegment.test(channelSlug)) {
+    throw new Error(
+      `Refusing to resolve inbound dir \u2014 invalid codeName/channelSlug (got ${JSON.stringify({ codeName, channelSlug })})`
+    );
+  }
+  const candidate = resolve(base, codeName, channelSlug);
+  if (!isPathInside(candidate, base)) {
+    throw new Error(`Refusing inbound dir outside ${base} (got ${candidate})`);
+  }
+  return candidate;
+}
+function classifyMimetype(mimetype) {
+  if (typeof mimetype === "string" && mimetype.startsWith("image/")) return "image";
+  return "attachment";
+}
+function buildSafeInboundPath(root, fileId, mimetype) {
+  const safeId = fileId.replace(/[^A-Za-z0-9_-]/g, "");
+  if (!safeId) throw new Error("Refusing to build inbound path for empty/invalid file id");
+  const ext = extensionForMimetype(mimetype);
+  const candidate = resolve(root, `${safeId}${ext}`);
+  if (!isPathInside(candidate, root)) {
+    throw new Error(`Refusing to build inbound path outside agent dir (got ${candidate})`);
+  }
+  return candidate;
+}
+function extensionForMimetype(mimetype) {
+  if (!mimetype) return ".bin";
+  switch (mimetype) {
+    // Images
+    case "image/png":
+      return ".png";
+    case "image/jpeg":
+    case "image/jpg":
+      return ".jpg";
+    case "image/gif":
+      return ".gif";
+    case "image/webp":
+      return ".webp";
+    case "image/svg+xml":
+      return ".svg";
+    // Docs
+    case "application/pdf":
+      return ".pdf";
+    case "text/plain":
+      return ".txt";
+    case "text/csv":
+      return ".csv";
+    case "application/json":
+      return ".json";
+    case "application/vnd.openxmlformats-officedocument.wordprocessingml.document":
+      return ".docx";
+    case "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet":
+      return ".xlsx";
+    // Audio (Telegram voice notes are typically audio/ogg; regular
+    // audio messages are audio/mpeg)
+    case "audio/ogg":
+      return ".ogg";
+    case "audio/mpeg":
+      return ".mp3";
+    case "audio/mp4":
+      return ".m4a";
+    // Video
+    case "video/mp4":
+      return ".mp4";
+    case "video/quicktime":
+      return ".mov";
+    default:
+      return ".bin";
+  }
+}
+function isPathInside(target, root) {
+  const normalizedRoot = resolve(root) + sep;
+  const normalizedTarget = resolve(target);
+  return normalizedTarget === resolve(root) || normalizedTarget.startsWith(normalizedRoot);
+}
+function redactAugmentedPaths(msg) {
+  const homePrefix = homedir().replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+  return msg.replaceAll(
+    new RegExp(`${homePrefix}[\\\\/]\\.augmented(?:[\\\\/][^\\s'"\`]*)*`, "g"),
+    "<augmented-path>"
+  );
+}
+
+// src/pane-tail.ts
+var execFileAsync = promisify(execFile);
+function evaluateDebugGate(opts) {
+  if (!opts.channelId || !opts.channelId.startsWith("D")) {
+    return { ok: false, reason: "not-dm" };
+  }
+  if (opts.allowedUsers.size === 0) {
+    return { ok: false, reason: "allowlist-empty" };
+  }
+  if (!opts.userId || !opts.allowedUsers.has(opts.userId)) {
+    return { ok: false, reason: "not-allowlisted" };
+  }
+  return { ok: true };
+}
+var PANE_LOG_TAIL_BYTES = 64 * 1024;
+var TMUX_CAPTURE_TIMEOUT_MS = 2e3;
+async function capturePaneSnapshot(opts) {
+  const scrollback = opts.scrollbackLines ?? 200;
+  try {
+    const { stdout } = await execFileAsync(
+      "tmux",
+      ["capture-pane", "-p", "-t", agentTmuxSessionName(opts.codeName), "-S", `-${scrollback}`],
+      { timeout: TMUX_CAPTURE_TIMEOUT_MS, maxBuffer: 4 * 1024 * 1024 }
+    );
+    return { source: "tmux", text: stdout };
+  } catch {
+  }
+  if (!opts.agentDir) return null;
+  const paneLogPath = `${opts.agentDir}/pane.log`;
+  try {
+    const tail = await readFileTail(paneLogPath, PANE_LOG_TAIL_BYTES);
+    if (tail === null) return null;
+    return { source: "pane-log", text: stripAnsi(tail) };
+  } catch {
+    return null;
+  }
+}
+async function readFileTail(path, maxBytes) {
+  const st = await stat(path);
+  if (!st.isFile()) return null;
+  const start = Math.max(0, st.size - maxBytes);
+  const length = st.size - start;
+  if (length === 0) return "";
+  const handle = await open(path, "r");
+  try {
+    const buf = Buffer.alloc(length);
+    await handle.read(buf, 0, length, start);
+    let text = buf.toString("utf8");
+    if (start > 0) {
+      const nl = text.indexOf("\n");
+      if (nl !== -1) text = text.slice(nl + 1);
+    }
+    return text;
+  } finally {
+    await handle.close();
+  }
+}
+function stripAnsi(text) {
+  return text.replace(/\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)/g, "").replace(/\x1b\[[0-9;?<=>!]*[ -\/]*[@-~]/g, "").replace(/\x1b./g, "").replace(/[\x00-\x08\x0b-\x1f\x7f]/g, "");
+}
+var SECRET_PATTERNS = [
+  // Augmented host API keys
+  { re: /tlk_[A-Za-z0-9]{8,}/g, label: "agt-api-key" },
+  // Slack tokens: bot/app/user/refresh/config
+  { re: /x(?:ox[abprs]|app)-[A-Za-z0-9-]{8,}/g, label: "slack-token" },
+  // JWTs (three base64url segments, first one always starts with eyJ)
+  { re: /eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}/g, label: "jwt" },
+  // OpenAI / Anthropic-style keys (sk-..., sk-ant-...)
+  { re: /sk-[A-Za-z0-9_-]{16,}/g, label: "sk-key" },
+  // AWS access key IDs
+  { re: /(?:AKIA|ASIA)[0-9A-Z]{16}/g, label: "aws-key" },
+  // GitHub tokens
+  { re: /gh[pousr]_[A-Za-z0-9]{20,}/g, label: "github-token" }
+];
+function redactPaneText(text) {
+  let out = redactAugmentedPaths(text);
+  for (const { re, label } of SECRET_PATTERNS) {
+    out = out.replace(re, `<redacted:${label}>`);
+  }
+  return out;
+}
+var DEFAULT_MAX_CHARS = 3900;
+var REFLOW_COLS = 80;
+function formatPaneSnapshot(opts) {
+  const maxChars = opts.maxChars ?? DEFAULT_MAX_CHARS;
+  const header = opts.status.kind === "live" ? `\u{1F50E} Live pane tail for \`${opts.codeName}\` \u2014 captured ${opts.capturedAtLabel} \xB7 updates ~3s \xB7 expires in ${formatCountdown(opts.status.secondsRemaining)}` : `\u{1F50E} Pane tail for \`${opts.codeName}\` \u2014 captured ${opts.capturedAtLabel} \xB7 *expired* \u2014 run \`/debug\` to restart`;
+  const fenceOverhead = header.length + "\n```\n".length + "\n```".length + 16;
+  const contentBudget = Math.max(0, maxChars - fenceOverhead);
+  const lines = reflowLines(sanitizeForCodeBlock(opts.text), REFLOW_COLS);
+  const kept = [];
+  let used = 0;
+  for (let i = lines.length - 1; i >= 0; i--) {
+    const cost = lines[i].length + 1;
+    if (used + cost > contentBudget) break;
+    kept.unshift(lines[i]);
+    used += cost;
+  }
+  const truncated = kept.length < lines.length;
+  const body = kept.join("\n").trimEnd();
+  const block = body.length > 0 ? `\`\`\`
+${truncated ? "\u2026\n" : ""}${body}
+\`\`\`` : "_(pane is empty)_";
+  return `${header}
+${block}`;
+}
+function formatCountdown(totalSeconds) {
+  const s = Math.max(0, Math.floor(totalSeconds));
+  return `${Math.floor(s / 60)}:${String(s % 60).padStart(2, "0")}`;
+}
+function sanitizeForCodeBlock(text) {
+  return text.replace(/```/g, "`\u200B`\u200B`");
+}
+function reflowLines(text, cols) {
+  const out = [];
+  for (const rawLine of text.split("\n")) {
+    const line = rawLine.replace(/\s+$/, "");
+    if (line.length <= cols) {
+      out.push(line);
+      continue;
+    }
+    for (let i = 0; i < line.length; i += cols) {
+      out.push(line.slice(i, i + cols));
+    }
+  }
+  const collapsed = [];
+  for (const line of out) {
+    if (line === "" && collapsed[collapsed.length - 1] === "") continue;
+    collapsed.push(line);
+  }
+  return collapsed;
+}
+
 // src/slack-loop-throttle.ts
 var DEFAULT_THROTTLE = {
   threshold: 3,
@@ -14658,7 +14884,7 @@ var SLACK_EGRESS_TOOLS = /* @__PURE__ */ new Set([
 
 // src/slack-pending-inbound-cleanup.ts
 import { existsSync, readdirSync as readdirSync2, statSync, unlinkSync } from "fs";
-import { join as join2 } from "path";
+import { join as join3 } from "path";
 function sanitizeMarkerSegment(value) {
   return value.replace(/[^A-Za-z0-9_-]/g, "_");
 }
@@ -14675,7 +14901,7 @@ function clearAllSlackPendingMarkersForThread(dir, channel, threadTs, clear = de
   try {
     for (const f of readdirSync2(dir)) {
       if (!f.startsWith(prefix) || !f.endsWith(".json")) continue;
-      clear(join2(dir, f));
+      clear(join3(dir, f));
       cleared += 1;
     }
   } catch {
@@ -14690,7 +14916,7 @@ function clearSlackPendingMarkerByMessageTs(dir, channel, messageTs, clear = def
   try {
     for (const f of readdirSync2(dir)) {
       if (!f.startsWith(channelPrefix) || !f.endsWith(messageSuffix)) continue;
-      clear(join2(dir, f));
+      clear(join3(dir, f));
       cleared += 1;
     }
   } catch {
@@ -14702,7 +14928,7 @@ function clearOldestSlackPendingMarkerInChannel(dir, channel, clear = defaultCle
   const channelPrefix = `${sanitizeMarkerSegment(channel)}__`;
   try {
     const entries = readdirSync2(dir).filter((f) => f.startsWith(channelPrefix) && f.endsWith(".json")).map((f) => {
-      const full = join2(dir, f);
+      const full = join3(dir, f);
       let mtime = 0;
       try {
         mtime = statSync(full).mtimeMs;
@@ -14954,88 +15180,6 @@ async function runOrRetry(fn, opts) {
   }
 }
 
-// src/channel-attachments.ts
-import { homedir } from "os";
-import { join as join3, resolve, sep } from "path";
-function resolveChannelInboundDir(codeName, channelSlug) {
-  const base = join3(homedir(), ".augmented");
-  const allowedSegment = /^[A-Za-z0-9_-]+$/;
-  if (!allowedSegment.test(codeName) || !allowedSegment.test(channelSlug)) {
-    throw new Error(
-      `Refusing to resolve inbound dir \u2014 invalid codeName/channelSlug (got ${JSON.stringify({ codeName, channelSlug })})`
-    );
-  }
-  const candidate = resolve(base, codeName, channelSlug);
-  if (!isPathInside(candidate, base)) {
-    throw new Error(`Refusing inbound dir outside ${base} (got ${candidate})`);
-  }
-  return candidate;
-}
-function classifyMimetype(mimetype) {
-  if (typeof mimetype === "string" && mimetype.startsWith("image/")) return "image";
-  return "attachment";
-}
-function buildSafeInboundPath(root, fileId, mimetype) {
-  const safeId = fileId.replace(/[^A-Za-z0-9_-]/g, "");
-  if (!safeId) throw new Error("Refusing to build inbound path for empty/invalid file id");
-  const ext = extensionForMimetype(mimetype);
-  const candidate = resolve(root, `${safeId}${ext}`);
-  if (!isPathInside(candidate, root)) {
-    throw new Error(`Refusing to build inbound path outside agent dir (got ${candidate})`);
-  }
-  return candidate;
-}
-function extensionForMimetype(mimetype) {
-  if (!mimetype) return ".bin";
-  switch (mimetype) {
-    // Images
-    case "image/png":
-      return ".png";
-    case "image/jpeg":
-    case "image/jpg":
-      return ".jpg";
-    case "image/gif":
-      return ".gif";
-    case "image/webp":
-      return ".webp";
-    case "image/svg+xml":
-      return ".svg";
-    // Docs
-    case "application/pdf":
-      return ".pdf";
-    case "text/plain":
-      return ".txt";
-    case "text/csv":
-      return ".csv";
-    case "application/json":
-      return ".json";
-    case "application/vnd.openxmlformats-officedocument.wordprocessingml.document":
-      return ".docx";
-    case "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet":
-      return ".xlsx";
-    // Audio (Telegram voice notes are typically audio/ogg; regular
-    // audio messages are audio/mpeg)
-    case "audio/ogg":
-      return ".ogg";
-    case "audio/mpeg":
-      return ".mp3";
-    case "audio/mp4":
-      return ".m4a";
-    // Video
-    case "video/mp4":
-      return ".mp4";
-    case "video/quicktime":
-      return ".mov";
-    default:
-      return ".bin";
-  }
-}
-function isPathInside(target, root) {
-  const normalizedRoot = resolve(root) + sep;
-  const normalizedTarget = resolve(target);
-  return normalizedTarget === resolve(root) || normalizedTarget.startsWith(normalizedRoot);
-}
-
 // src/slack-inbound-files.ts
 function classifySlackFile(file) {
   if (!file || typeof file.id !== "string" || !file.id) return null;
@@ -16346,7 +16490,8 @@ function buildSlackHelpMessage(codeName) {
     "\u2022 `/restart` \u2014 restart this agent",
     "\u2022 `/agent-status` \u2014 report whether this agent is online + last activity",
     "\u2022 `/kill` \u2014 silence all agents in this thread for 6h (use as a thread reply)",
-    "\u2022 `/unkill` \u2014 clear a kill (use as a thread reply)"
+    "\u2022 `/unkill` \u2014 clear a kill (use as a thread reply)",
+    "\u2022 `/debug` \u2014 live tail of this agent's terminal pane (DM only, allowlisted users; works while the channel process is alive \u2014 a wedged host still needs SSM diagnostics)"
   ].join("\n");
 }
 var lastActivityAt = null;
@@ -16435,6 +16580,193 @@ async function postEphemeralViaResponseUrl(responseUrl, text, logTag) {
     );
   }
 }
+var DEBUG_TAIL_WINDOW_MS = 12e4;
+var DEBUG_TAIL_INTERVAL_MS = 3e3;
+var DEBUG_TAIL_MAX_CONSECUTIVE_FAILURES = 4;
+var activeDebugTailExpiresAtMs = null;
+function debugAuditLog(line) {
+  process.stderr.write(`slack-channel(${AGENT_CODE_NAME ?? "unknown"}): /debug ${line}
+`);
+}
+function debugSleep(ms) {
+  return new Promise((resolve3) => setTimeout(resolve3, ms));
+}
+function nowUtcLabel() {
+  return `${(/* @__PURE__ */ new Date()).toISOString().slice(11, 19)} UTC`;
+}
+async function updateSlackMessage(channel, ts, text) {
+  try {
+    const res = await fetch("https://slack.com/api/chat.update", {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json; charset=utf-8",
+        Authorization: `Bearer ${BOT_TOKEN}`
+      },
+      body: JSON.stringify({ channel, ts, text }),
+      signal: AbortSignal.timeout(SLACK_DOWNLOAD_TIMEOUT_MS)
+    });
+    const retryAfterHeader = res.headers.get("retry-after");
+    const retryAfterSec = retryAfterHeader ? parseInt(retryAfterHeader, 10) : NaN;
+    const retryAfterMs = Number.isFinite(retryAfterSec) ? Math.max(0, retryAfterSec * 1e3) : null;
+    const data = await res.json().catch(() => ({ ok: false, error: `http-${res.status}` }));
+    return { ok: data.ok === true, error: data.error, retryAfterMs };
+  } catch (err) {
+    return { ok: false, error: err.message, retryAfterMs: null };
+  }
+}
+async function runDebugTailLoop(opts) {
+  const expiresAtMs = opts.expiresAtMs;
+  let last = opts.initialFrame;
+  let consecutiveFailures = 0;
+  let delayMs = DEBUG_TAIL_INTERVAL_MS;
+  try {
+    while (Date.now() + delayMs < expiresAtMs) {
+      await debugSleep(delayMs);
+      delayMs = DEBUG_TAIL_INTERVAL_MS;
+      const snapshot = await capturePaneSnapshot({
+        codeName: opts.codeName,
+        agentDir: SLACK_AGENT_DIR
+      });
+      if (!snapshot) continue;
+      const body = redactPaneText(snapshot.text);
+      if (body === last.body) continue;
+      const frame = { body, source: snapshot.source, capturedAtLabel: nowUtcLabel() };
+      const secondsRemaining = Math.max(0, Math.round((expiresAtMs - Date.now()) / 1e3));
+      const result = await updateSlackMessage(
+        opts.channel,
+        opts.ts,
+        formatPaneSnapshot({
+          codeName: opts.codeName,
+          text: frame.body,
+          source: frame.source,
+          capturedAtLabel: frame.capturedAtLabel,
+          status: { kind: "live", secondsRemaining }
+        })
+      );
+      if (result.ok) {
+        last = frame;
+        consecutiveFailures = 0;
+        continue;
+      }
+      if (result.retryAfterMs !== null || result.error === "ratelimited") {
+        delayMs = Math.max(result.retryAfterMs ?? 0, DEBUG_TAIL_INTERVAL_MS * 2);
+        continue;
+      }
+      consecutiveFailures++;
+      if (consecutiveFailures >= DEBUG_TAIL_MAX_CONSECUTIVE_FAILURES) {
+        debugAuditLog(
+          `tail aborted after ${consecutiveFailures} consecutive update failures (last: ${result.error ?? "unknown"})`
+        );
+        break;
+      }
+    }
+  } finally {
+    activeDebugTailExpiresAtMs = null;
+    await updateSlackMessage(
+      opts.channel,
+      opts.ts,
+      formatPaneSnapshot({
+        codeName: opts.codeName,
+        text: last.body,
+        source: last.source,
+        capturedAtLabel: last.capturedAtLabel,
+        status: { kind: "expired" }
+      })
+    );
+  }
+}
+async function handleDebugSlashCommand(payload, responseUrl) {
+  const codeName = AGENT_CODE_NAME ?? "unknown";
+  const verdict = evaluateDebugGate({
+    channelId: payload.channel_id,
+    userId: payload.user_id,
+    allowedUsers: ALLOWED_USERS
+  });
+  if (!verdict.ok) {
+    debugAuditLog(`denied reason=${verdict.reason} user=${payload.user_id ?? "unknown"}`);
+    const denialText = verdict.reason === "not-dm" ? `:warning: \`/debug\` only works in a direct message with \`${codeName}\` \u2014 it shows the agent's raw terminal, so it stays 1:1. Open a DM with the bot and run \`/debug\` there.` : verdict.reason === "allowlist-empty" ? `\u{1F6AB} \`/debug\` is disabled for \`${codeName}\` \u2014 no diagnostic allowlist is configured. Because it exposes the agent's raw terminal, \`/debug\` requires a non-empty \`SLACK_ALLOWED_USERS\` on the host (unlike \`/restart\`, it does not open up when the allowlist is unset).` : `\u{1F6AB} \`/debug\` denied \u2014 your Slack user isn't on the diagnostic allowlist for \`${codeName}\`. Ask whoever operates this host to add you to \`SLACK_ALLOWED_USERS\`.`;
+    await postEphemeralViaResponseUrl(responseUrl, denialText, codeName);
+    return;
+  }
+  const channelId = payload.channel_id;
+  if (!channelId || !BOT_TOKEN) {
+    debugAuditLog(
+      `not-started reason=missing-${channelId ? "bot-token" : "channel"} user=${payload.user_id ?? "unknown"}`
+    );
+    await postEphemeralViaResponseUrl(
+      responseUrl,
+      `:warning: \`/debug\` can't run \u2014 this channel process has no bot token wired.`,
+      codeName
+    );
+    return;
+  }
+  if (activeDebugTailExpiresAtMs !== null && activeDebugTailExpiresAtMs > Date.now()) {
+    const remaining = formatCountdown((activeDebugTailExpiresAtMs - Date.now()) / 1e3);
+    debugAuditLog(
+      `not-started reason=tail-already-running user=${payload.user_id ?? "unknown"} remaining=${remaining}`
+    );
+    await postEphemeralViaResponseUrl(
+      responseUrl,
+      `:hourglass: A \`/debug\` tail is already running for \`${codeName}\` (one at a time) \u2014 it expires in ${remaining}.`,
+      codeName
+    );
+    return;
+  }
+  const reservedExpiresAtMs = Date.now() + DEBUG_TAIL_WINDOW_MS;
+  activeDebugTailExpiresAtMs = reservedExpiresAtMs;
+  const snapshot = await capturePaneSnapshot({ codeName, agentDir: SLACK_AGENT_DIR });
+  if (!snapshot) {
+    activeDebugTailExpiresAtMs = null;
+    debugAuditLog(`not-started reason=no-pane-output user=${payload.user_id ?? "unknown"}`);
+    await postEphemeralViaResponseUrl(
+      responseUrl,
+      `:warning: No pane output available for \`${codeName}\` yet \u2014 the agent session may not have started. (If the whole host is wedged, \`/debug\` can't reach it either \u2014 fall back to the SSM diagnostics runbook.)`,
+      codeName
+    );
+    return;
+  }
+  debugAuditLog(`granted user=${payload.user_id ?? "unknown"} \u2014 starting live tail (source=${snapshot.source})`);
+  const initialFrame = {
+    body: redactPaneText(snapshot.text),
+    source: snapshot.source,
+    capturedAtLabel: nowUtcLabel()
+  };
+  const posted = await postSlackMessageWithTs({
+    channel: channelId,
+    text: formatPaneSnapshot({
+      codeName,
+      text: initialFrame.body,
+      source: initialFrame.source,
+      capturedAtLabel: initialFrame.capturedAtLabel,
+      status: {
+        kind: "live",
+        secondsRemaining: Math.max(0, Math.round((reservedExpiresAtMs - Date.now()) / 1e3))
+      }
+    })
+  });
+  if (!posted.ok || !posted.ts) {
+    activeDebugTailExpiresAtMs = null;
+    debugAuditLog(
+      `not-started reason=post-failed error=${posted.error ?? "unknown"} user=${payload.user_id ?? "unknown"}`
+    );
+    await postEphemeralViaResponseUrl(
+      responseUrl,
+      `:x: Failed to post the pane snapshot${posted.error ? ` (${posted.error})` : ""}. Try again in a moment.`,
+      codeName
+    );
+    return;
+  }
+  void runDebugTailLoop({
+    channel: channelId,
+    ts: posted.ts,
+    codeName,
+    initialFrame,
+    expiresAtMs: reservedExpiresAtMs
+  }).catch((err) => {
+    activeDebugTailExpiresAtMs = null;
+    debugAuditLog(`tail loop crashed: ${redactAugmentedPaths2(err.message)}`);
+  });
+}
 async function handleSlashCommandEnvelope(payload) {
   const command = payload.command;
   const responseUrl = payload.response_url;
@@ -16497,7 +16829,7 @@ async function handleSlashCommandEnvelope(payload) {
       );
     } catch (err) {
       process.stderr.write(
-        `slack-channel(${codeName}): /restart slash-command flag write failed: ${redactAugmentedPaths(err.message)}
+        `slack-channel(${codeName}): /restart slash-command flag write failed: ${redactAugmentedPaths2(err.message)}
 `
       );
       await postEphemeralViaResponseUrl(
@@ -16508,6 +16840,10 @@ async function handleSlashCommandEnvelope(payload) {
     }
     return;
   }
+  if (command === "/debug") {
+    await handleDebugSlashCommand(payload, responseUrl);
+    return;
+  }
   if (command === "/kill" || command === "/unkill") {
     if (!AGT_HOST || !AGT_API_KEY || !AGT_AGENT_ID) {
       await postEphemeralViaResponseUrl(
@@ -16611,7 +16947,7 @@ async function handleRestartCommand(opts) {
     }
   } catch (err) {
     process.stderr.write(
-      `slack-channel(${codeName}): /restart flag write failed: ${redactAugmentedPaths(err.message)}
+      `slack-channel(${codeName}): /restart flag write failed: ${redactAugmentedPaths2(err.message)}
 `
     );
     await postSlackMessage({
@@ -17253,14 +17589,14 @@ ${result.formatted}` : "Thread is empty or not found."
     let bytes;
     let size;
     try {
-      const stat = statSync2(resolvedPath);
-      if (!stat.isFile()) {
+      const stat2 = statSync2(resolvedPath);
+      if (!stat2.isFile()) {
         return {
           content: [{ type: "text", text: `Upload refused: ${resolvedPath} is not a regular file.` }],
           isError: true
         };
       }
-      size = stat.size;
+      size = stat2.size;
       bytes = readFileSync4(resolvedPath);
     } catch (err) {
       return {
@@ -17371,7 +17707,7 @@ ${result.formatted}` : "Thread is empty or not found."
       return {
         content: [{
           type: "text",
-          text: `Failed to download attachment: ${redactAugmentedPaths(err.message)}`
+          text: `Failed to download attachment: ${redactAugmentedPaths2(err.message)}`
         }],
         isError: true
       };
@@ -17928,7 +18264,7 @@ function isDownloadableFileId(fileId, channel) {
   }
   return entry.channel === channel;
 }
-function redactAugmentedPaths(msg) {
+function redactAugmentedPaths2(msg) {
   return msg.replaceAll(
     new RegExp(`${homedir2().replace(/[.*+?^${}()|[\\]\\\\]/g, "\\\\$&")}/\\.augmented/[^\\s'"\`]*`, "g"),
     "<augmented-path>"
@@ -18010,7 +18346,7 @@ async function buildInboundFileMeta(rawFiles, codeName, channel) {
         });
       } catch (err) {
         process.stderr.write(
-          `slack-channel: image auto-download failed for ${classified.id}: ${redactAugmentedPaths(err.message)}
+          `slack-channel: image auto-download failed for ${classified.id}: ${redactAugmentedPaths2(err.message)}
 `
         );
         registerDownloadableFileId(classified.id, channel);

package/dist/{persistent-session-B5SRS4N4.js → persistent-session-BTXWOKJ6.js}

@@ -21,8 +21,8 @@ import {
   stopPersistentSession,
   takeZombieDetection,
   writePersistentClaudeWrapper
-} from "./chunk-3JXDBRNG.js";
-import "./chunk-GNIA4KN5.js";
+} from "./chunk-S2QLE5BQ.js";
+import "./chunk-TXE2LLKI.js";
 import "./chunk-XWVM4KPK.js";
 export {
   SEND_KEYS_ENTER_DELAY_MS,
@@ -48,4 +48,4 @@ export {
   takeZombieDetection,
   writePersistentClaudeWrapper
 };
-//# sourceMappingURL=persistent-session-B5SRS4N4.js.map
+//# sourceMappingURL=persistent-session-BTXWOKJ6.js.map

package/dist/{responsiveness-probe-2QWNZTF4.js → responsiveness-probe-Y6TCM6T4.js}

@@ -1,7 +1,7 @@
 import {
   paneLogPath
-} from "./chunk-3JXDBRNG.js";
-import "./chunk-GNIA4KN5.js";
+} from "./chunk-S2QLE5BQ.js";
+import "./chunk-TXE2LLKI.js";
 import "./chunk-XWVM4KPK.js";
 
 // src/lib/responsiveness-probe.ts
@@ -70,4 +70,4 @@ export {
   collectResponsivenessProbes,
   getResponsivenessIntervalMs
 };
-//# sourceMappingURL=responsiveness-probe-2QWNZTF4.js.map
+//# sourceMappingURL=responsiveness-probe-Y6TCM6T4.js.map

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@integrity-labs/agt-cli",
-  "version": "0.27.82",
+  "version": "0.27.84",
   "description": "Augmented Team CLI — agent provisioning and management",
   "type": "module",
   "engines": {