@slock-ai/daemon 0.55.0 → 0.55.1

package/dist/{chunk-6Q3U5STT.js → chunk-QQRU3GA6.js}

@@ -1061,13 +1061,14 @@ Use the \`slock\` CLI for chat / task / attachment operations. The daemon inject
 19. **\`slock profile update\`** \u2014 Update your own profile. Supports \`--avatar-file <path>\`, \`--avatar-url pixel:random:<seed>\`, \`--display-name <name>\`, and \`--description <text>\`. Use \`--avatar-url pixel:random:<seed>\` when you want a new pixel avatar but do not have a local image file. Values must be non-empty. Provide at least one flag per call; multiple flags can be combined.
 20. **\`slock integration list\`** \u2014 List registered third-party services and this agent's active Slock Agent Logins.
 21. **\`slock integration login\`** \u2014 Provision or reuse this agent's login for a registered third-party service.
-22. **\`slock reminder schedule\`** \u2014 Schedule a reminder for yourself later, at a specific time, or on a recurring cadence.
-23. **\`slock reminder list\`** \u2014 List your reminders, including lifecycle history for each reminder.
-24. **\`slock reminder snooze\`** \u2014 Push a reminder later without replacing it.
-25. **\`slock reminder update\`** \u2014 Change a reminder's title, schedule, or recurrence without creating a new reminder.
-26. **\`slock reminder cancel\`** \u2014 Cancel one of your reminders by ID.
-27. **\`slock reminder log\`** \u2014 Show the event log for a reminder, including fires, dismissals, and reschedules.
-28. **\`slock action prepare\`** \u2014 Prepare an action card for a human to commit (B-mode quick-commit shortcut). Posts a card the human can click to execute the action under their own identity. Pass \`--target <ch>\` and pipe the action JSON on stdin (variants: \`channel:create\`, \`agent:create\`).
+22. **\`slock integration env\`** \u2014 Print per-agent local CLI environment for a manifest-backed service that requires isolated HOME/XDG state.
+23. **\`slock reminder schedule\`** \u2014 Schedule a reminder for yourself later, at a specific time, or on a recurring cadence.
+24. **\`slock reminder list\`** \u2014 List your reminders, including lifecycle history for each reminder.
+25. **\`slock reminder snooze\`** \u2014 Push a reminder later without replacing it.
+26. **\`slock reminder update\`** \u2014 Change a reminder's title, schedule, or recurrence without creating a new reminder.
+27. **\`slock reminder cancel\`** \u2014 Cancel one of your reminders by ID.
+28. **\`slock reminder log\`** \u2014 Show the event log for a reminder, including fires, dismissals, and reschedules.
+29. **\`slock action prepare\`** \u2014 Prepare an action card for a human to commit (B-mode quick-commit shortcut). Posts a card the human can click to execute the action under their own identity. Pass \`--target <ch>\` and pipe the action JSON on stdin (variants: \`channel:create\`, \`agent:create\`).
 
 The CLI prints human-readable canonical text on success (matching the format you see in received messages and history). On failure it prints JSON to stderr:
 - failure \u2192 stderr \`{"ok":false,"code":"...","message":"..."}\` with non-zero exit
@@ -1173,7 +1174,7 @@ Each channel has a **name** and optionally a **description** that define its pur
 - If unsure where something belongs, call ${serverInfoCmd} to review channel descriptions.`;
   const thirdPartyIntegrationsSection = isCli ? `### Third-party integrations
 
-If a registered third-party service requires login, use Slock Agent Login through the CLI instead of asking the human to copy tokens or complete human OAuth for you. If a human asks you to sign into, open, use, or fetch identity from a third-party app, first run \`slock integration list\` and match the app to a registered service before browsing the app. Use \`slock integration login --service <service>\` to provision or reuse your agent login for that service. If the CLI reports that the \`integration\` command is unknown, the local daemon/CLI is too old for Slock Agent Login; report that the machine must be upgraded/restarted instead of calling internal HTTP endpoints yourself. When the command returns \`Agent login ready\` or \`Already logged in\`, the agent-side login is ready. If the output includes an app URL, open that URL as the service-provided third-party app surface; it should look like the service's normal Login with Slock callback and not require you to understand Slock's internal grant/request protocol. Do not crawl third-party routes looking for a session before trying the registered-service login path. Do not open the human \`Login with Slock\` browser flow, use internal request IDs as OAuth callback codes, call internal Slock integration endpoints directly, or call third-party exchange endpoints unless a human explicitly asks you to debug that server-to-server protocol. If the service or human asks for your Slock Agent identity card, use \`slock profile show\`. Third-party pages may show \`Login with Slock\`; for agent-facing access, prefer the registered service / Slock Agent Login path.` : `### Third-party integrations
+If a registered third-party service requires login, use Slock Agent Login through the CLI instead of asking the human to copy tokens or complete human OAuth for you. If a human asks you to sign into, open, use, or fetch identity from a third-party app, first run \`slock integration list\` and match the app to a registered service before browsing the app. Use \`slock integration login --service <service>\` to provision or reuse your agent login for that service. If the service exposes an agent behavior manifest and you need to run its local CLI, run \`slock integration env --service <service>\` before invoking that CLI; if it prints exports, apply them first so service credentials stay under a per-agent profile HOME/XDG tree instead of the host user's global HOME. If it reports that no local env is required, do not invent HOME/XDG overrides. If it fails, do not run that local CLI with the host user's HOME; report that the service manifest is unsupported. Slock does not execute commands from remote manifests automatically. If the CLI reports that the \`integration\` command is unknown, the local daemon/CLI is too old for Slock Agent Login; report that the machine must be upgraded/restarted instead of calling internal HTTP endpoints yourself. When the command returns \`Agent login ready\` or \`Already logged in\`, the agent-side login is ready. If the output includes an app URL, open that URL as the service-provided third-party app surface; it should look like the service's normal Login with Slock callback and not require you to understand Slock's internal grant/request protocol. Do not crawl third-party routes looking for a session before trying the registered-service login path. Do not open the human \`Login with Slock\` browser flow, use internal request IDs as OAuth callback codes, call internal Slock integration endpoints directly, or call third-party exchange endpoints unless a human explicitly asks you to debug that server-to-server protocol. If the service or human asks for your Slock Agent identity card, use \`slock profile show\`. Third-party pages may show \`Login with Slock\`; for agent-facing access, prefer the registered service / Slock Agent Login path.` : `### Third-party integrations
 
 If a registered third-party service requires login, use Slock Agent Login through the available registered-service interface instead of asking the human to copy tokens or complete human OAuth for you. If a human asks you to sign into, open, use, or fetch identity from a third-party app, first inspect the registered-service interface and match the app to a registered service before browsing the app. Once the registered-service interface reports the agent login is ready, the agent-side login is ready. If that interface provides an app URL, use it as the service-provided third-party app surface; it should look like the service's normal Login with Slock callback and not require you to understand Slock's internal grant/request protocol. Do not crawl third-party routes looking for a session before trying the registered-service login path. Do not open the human \`Login with Slock\` browser flow or treat internal request IDs as OAuth callback codes unless a human explicitly asks you to debug that server-to-server protocol. If the service or human asks for your Slock Agent identity card, use your Slock profile view. Third-party pages may show \`Login with Slock\`; for agent-facing access, prefer the registered service / Slock Agent Login path.`;
   const readingHistorySection = isCli ? `### Reading history
@@ -1548,6 +1549,17 @@ var proxyServerState = null;
 var proxyServerStartPromise = null;
 var proxyServerFactory = createProxyServer;
 var DECODED_RESPONSE_HEADERS = /* @__PURE__ */ new Set(["content-encoding", "content-length", "transfer-encoding"]);
+var HOP_BY_HOP_REQUEST_HEADERS = /* @__PURE__ */ new Set([
+  "connection",
+  "keep-alive",
+  "proxy-authenticate",
+  "proxy-authorization",
+  "proxy-connection",
+  "te",
+  "trailer",
+  "transfer-encoding",
+  "upgrade"
+]);
 var LOCAL_HELD_CONTEXT_LIMIT = 3;
 var AGENT_CREDENTIAL_PROXY_HOST = "127.0.0.1";
 var AGENT_CREDENTIAL_PROXY_BIND_MAX_ATTEMPTS = 3;
@@ -1647,9 +1659,12 @@ async function handleProxyRequest(req, res) {
     target = new URL2(req.url ?? "/", registration.serverUrl);
     const headers = new Headers();
     for (const [name, value] of Object.entries(req.headers)) {
+      const normalizedName = name.toLowerCase();
       if (value === void 0) continue;
-      if (name.toLowerCase() === "host") continue;
-      if (name.toLowerCase() === "authorization") continue;
+      if (normalizedName === "host") continue;
+      if (normalizedName === "authorization") continue;
+      if (normalizedName === "content-length") continue;
+      if (HOP_BY_HOP_REQUEST_HEADERS.has(normalizedName)) continue;
       if (Array.isArray(value)) {
         for (const item of value) headers.append(name, item);
       } else {
@@ -1660,7 +1675,15 @@ async function handleProxyRequest(req, res) {
     headers.set("X-Agent-Id", registration.agentId);
     headers.set("X-Slock-Client", "cli");
     headers.set("X-Slock-Agent-Active-Capabilities", registration.activeCapabilities);
-    let body = method === "GET" || method === "HEAD" ? void 0 : req;
+    let body;
+    let rawBodyBuffer;
+    if (method !== "GET" && method !== "HEAD") {
+      rawBodyBuffer = await readRequestBody(req);
+      const bodyBuffer = new ArrayBuffer(rawBodyBuffer.byteLength);
+      new Uint8Array(bodyBuffer).set(rawBodyBuffer);
+      body = bodyBuffer;
+      headers.set("content-length", String(rawBodyBuffer.byteLength));
+    }
     let sendTarget;
     const sideEffectAction = agentApiSideEffectAction(target.pathname);
     if (method === "GET" && target.pathname === "/internal/agent-api/events") {
@@ -1672,7 +1695,7 @@ async function handleProxyRequest(req, res) {
       }
     }
     if (method === "POST" && sideEffectAction) {
-      const rawBody = await readRequestBody(req);
+      const rawBody = rawBodyBuffer?.toString("utf8") ?? "";
       const prepared = await prepareAgentApiSideEffectForward(registration, headers, rawBody, sideEffectAction);
       if (prepared.localResponse) {
         const responseText = JSON.stringify(prepared.localResponse);
@@ -1688,10 +1711,13 @@ async function handleProxyRequest(req, res) {
     const upstream = await daemonFetch(target, {
       method,
       headers,
-      body,
-      // Required by undici when forwarding a Node stream.
-      duplex: body ? "half" : void 0
+      body
     });
+    if (upstream.status >= 500) {
+      registration.inboxCoordinator?.recordTransportNormalizedError?.(
+        transportNormalizedErrorForHttpStatus(target, upstream.status, registration.launchId)
+      );
+    }
     if (shouldBufferJsonResponse(upstream, target.pathname, registration)) {
       const responseText = await upstream.text();
       consumeVisibleResponse(registration, target, sendTarget, responseText);
@@ -1714,9 +1740,12 @@ async function handleProxyRequest(req, res) {
   } catch (err) {
     const failure = proxyFailureForError(method, target, err);
     logger.warn(
-      `[Agent Credential Proxy] request failed (agent=${registration.agentId}, launch=${registration.launchId ?? "none"}, method=${failure.method}, path=${failure.pathname}, query_keys=${failure.queryKeys.join(",") || "none"}): ${failure.errorName}: ${failure.errorMessage}`
+      `[Agent Credential Proxy] request failed (agent=${registration.agentId}, launch=${registration.launchId ?? "none"}, method=${failure.method}, path=${failure.pathname}, query_keys=${failure.queryKeys.join(",") || "none"}): ${failure.errorName}: ${failure.errorMessage}${failure.errorCause ? ` (cause=${failure.errorCause})` : ""}`
     );
     registration.inboxCoordinator?.recordProxyFailure?.(failure);
+    registration.inboxCoordinator?.recordTransportNormalizedError?.(
+      transportNormalizedErrorForError(target, err, registration.launchId)
+    );
     writeProxyFailureResponse(res, failure);
   }
 }
@@ -1735,25 +1764,125 @@ function writeProxyFailureResponse(res, failure) {
 }
 function proxyFailureForError(method, target, err) {
   const queryKeys = target ? [.../* @__PURE__ */ new Set([...target.searchParams.keys()])].sort() : [];
-  return {
+  const cause = err instanceof Error ? err.cause : void 0;
+  const failure = {
     method,
     pathname: target?.pathname ?? "unknown",
     queryKeys,
     errorName: err instanceof Error ? err.name : typeof err,
     errorMessage: truncateProxyErrorMessage(err instanceof Error ? err.message : String(err))
   };
+  const errorCause = describeProxyErrorCause(cause);
+  if (errorCause) failure.errorCause = errorCause;
+  return failure;
+}
+function describeProxyErrorCause(cause) {
+  if (!cause) return void 0;
+  if (cause instanceof Error) {
+    const errorWithCode = cause;
+    const code = typeof errorWithCode.code === "string" ? errorWithCode.code : void 0;
+    return truncateProxyErrorMessage([code, cause.message].filter(Boolean).join(" "));
+  }
+  if (typeof cause === "object") {
+    const causeObject = cause;
+    const code = typeof causeObject.code === "string" ? causeObject.code : void 0;
+    const message = typeof causeObject.message === "string" ? causeObject.message : void 0;
+    const detail = [code, message].filter(Boolean).join(" ");
+    if (detail) return truncateProxyErrorMessage(detail);
+  }
+  return truncateProxyErrorMessage(String(cause));
 }
 function truncateProxyErrorMessage(message) {
   const normalized = message.replace(/\s+/g, " ").trim();
   return normalized.length > 500 ? `${normalized.slice(0, 497)}...` : normalized;
 }
+function transportNormalizedErrorForHttpStatus(target, status, launchId) {
+  return {
+    normalizedCode: "server_5xx",
+    routeFamily: routeFamilyForPath(target.pathname),
+    responseStarted: true,
+    upstreamLayer: "http_status",
+    upstreamStatus: status,
+    launchId,
+    targetHostClass: daemonUpstreamTargetHostClass(target),
+    // Today the local credential proxy is only used by CLI wrappers. If runtime
+    // or daemon-internal callers use it later, plumb the caller identity here.
+    downstreamCaller: "cli",
+    upstream: "server"
+  };
+}
+function transportNormalizedErrorForError(target, err, launchId) {
+  return {
+    normalizedCode: "transport_failure",
+    routeFamily: routeFamilyForPath(target?.pathname ?? "unknown"),
+    responseStarted: false,
+    upstreamLayer: target ? upstreamLayerForProxyError(err) : "unknown",
+    originalMessage: sanitizeTransportOriginalMessage(err instanceof Error ? err.message : String(err)),
+    launchId,
+    targetHostClass: target ? daemonUpstreamTargetHostClass(target) : "custom_server",
+    // Today the local credential proxy is only used by CLI wrappers. If runtime
+    // or daemon-internal callers use it later, plumb the caller identity here.
+    downstreamCaller: "cli",
+    upstream: "server"
+  };
+}
+function routeFamilyForPath(pathname) {
+  if (pathname === "/internal/agent-api/send") return "agent-api/send";
+  if (pathname === "/internal/agent-api/events") return "agent-api/events";
+  if (pathname === "/internal/agent-api/receive-ack") return "agent-api/events";
+  if (pathname === "/internal/agent-api/tasks/claim") return "tasks/claim";
+  if (pathname === "/internal/agent-api/tasks/update-status") return "tasks/update";
+  if (pathname === "/internal/agent-api/tasks" || pathname.startsWith("/internal/agent-api/tasks/")) return "tasks";
+  if (pathname.startsWith("/internal/agent-api/attachments/")) return "agent-api/attachments";
+  if (/^\/internal\/agent-api\/messages\/[^/]+\/reactions$/.test(pathname)) return "agent-api/messages/reactions";
+  if (pathname === "/internal/agent-api/server") return "server";
+  if (pathname.startsWith("/internal/agent-api/history")) return "agent-api/events";
+  if (pathname.startsWith("/internal/agent-api/search")) return "agent-api/events";
+  if (pathname.startsWith("/internal/agent-api/channel-members")) return "channel-members";
+  if (pathname.startsWith("/internal/agent-api/knowledge")) return "knowledge";
+  if (pathname === "/internal/agent-api/profile" || pathname.startsWith("/internal/agent-api/profile/")) return "profile";
+  if (pathname === "/internal/agent-api/integrations" || pathname.startsWith("/internal/agent-api/integrations/")) return "integrations";
+  if (pathname === "/internal/agent-api/upload") return "attachments/upload";
+  if (pathname === "/internal/agent-api/resolve-channel") return "resolve-channel";
+  if (pathname === "/internal/agent-api/threads/unfollow") return "threads/unfollow";
+  if (pathname === "/internal/agent-api/prepare-action") return "action/prepare";
+  if (pathname === "/internal/agent-api/reminders" || pathname.startsWith("/internal/agent-api/reminders/")) return "reminders";
+  if (/^\/internal\/agent-api\/channels\/[^/]+\/join$/.test(pathname)) return "channels/join";
+  if (/^\/internal\/agent-api\/channels\/[^/]+\/leave$/.test(pathname)) return "channels/leave";
+  return "unknown";
+}
+function daemonUpstreamTargetHostClass(url) {
+  const hostname = url.hostname.toLowerCase();
+  if (hostname === "api.slock.ai") return "api.slock.ai";
+  return "custom_server";
+}
+function upstreamLayerForProxyError(err) {
+  const code = errorCode(err).toUpperCase();
+  const message = (err instanceof Error ? err.message : String(err)).toLowerCase();
+  if (code === "ENOTFOUND" || code === "EAI_AGAIN" || message.includes("dns")) return "dns";
+  if (code === "ECONNREFUSED" || code === "ECONNRESET" || code === "EPIPE" || code === "UND_ERR_SOCKET" || message.includes("socket")) return "tcp";
+  if (code.includes("TLS") || message.includes("certificate") || message.includes("tls")) return "tls";
+  if (code === "UND_ERR_HEADERS_TIMEOUT" || code === "UND_ERR_BODY_TIMEOUT" || message.includes("timeout")) return "read_timeout";
+  if (message.includes("proxy")) return "proxy_connect";
+  if (message.includes("fly")) return "fly_edge";
+  return "unknown";
+}
+function errorCode(err) {
+  if (typeof err === "object" && err && "code" in err && typeof err.code === "string") {
+    return err.code;
+  }
+  if (typeof err === "object" && err && "cause" in err) return errorCode(err.cause);
+  return "";
+}
+function sanitizeTransportOriginalMessage(message) {
+  return truncateProxyErrorMessage(message).replace(/sk_(?:agent|machine|computer)_[A-Za-z0-9_-]+/g, "sk_[redacted]").replace(/sap_[A-Za-z0-9_-]+/g, "sap_[redacted]").replace(/https?:\/\/\S+/g, "[url]");
+}
 async function readRequestBody(req) {
-  let body = "";
-  req.setEncoding("utf8");
+  const chunks = [];
   for await (const chunk of req) {
-    body += String(chunk);
+    chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk));
   }
-  return body;
+  return Buffer.concat(chunks);
 }
 function messageSeq(message) {
   return Number(message.seq ?? 0);
@@ -1928,7 +2057,7 @@ async function loadRecentTargetMessages(registration, headers, target) {
   const historyHeaders = new Headers(headers);
   historyHeaders.delete("content-length");
   historyHeaders.delete("content-type");
-  const res = await daemonFetch(historyUrl, { method: "GET", headers: historyHeaders });
+  const res = await fetch(historyUrl, { method: "GET", headers: historyHeaders });
   if (!res.ok) return [];
   const parsed = await res.json().catch(() => null);
   return Array.isArray(parsed?.messages) ? normalizeVisibleMessages(parsed.messages, target) : [];
@@ -2131,6 +2260,7 @@ var shellSingleQuote = (value) => `'${value.replace(/'/g, `'\\''`)}'`;
 var powershellSingleQuote = (value) => `'${value.replace(/'/g, "''")}'`;
 var DEFAULT_ACTIVE_CAPABILITIES = "send,read,mentions,tasks,reactions,server,channels,knowledge";
 var LOOPBACK_NO_PROXY = "127.0.0.1,localhost";
+var CLI_TRANSPORT_TRACE_DIR_ENV = "SLOCK_CLI_TRANSPORT_TRACE_DIR";
 var safePathPart = (value) => value.replace(/[^a-zA-Z0-9_.-]/g, "_");
 var RAW_CREDENTIAL_ENV_DENYLIST = [
   "SLOCK_AGENT_CREDENTIAL_KEY"
@@ -2343,6 +2473,7 @@ exec ${shellSingleQuote(process.execPath)} ${shellSingleQuote(opencliBinPath)} "
     [SLOCK_HOME_ENV]: slockHome,
     SLOCK_AGENT_ID: ctx.agentId,
     ...ctx.launchId ? { SLOCK_AGENT_LAUNCH_ID: ctx.launchId } : {},
+    ...ctx.cliTransportTraceDir ? { [CLI_TRANSPORT_TRACE_DIR_ENV]: ctx.cliTransportTraceDir } : {},
     SLOCK_SERVER_URL: ctx.config.serverUrl,
     ...agentCredentialProxy ? {} : { SLOCK_AGENT_TOKEN_FILE: tokenFile },
     PATH: `${slockDir}${path2.delimiter}${process.env.PATH ?? ""}`
@@ -6617,6 +6748,7 @@ var AgentProcessManager = class _AgentProcessManager {
   driverResolver;
   defaultAgentEnvVarsProvider;
   tracer;
+  cliTransportTraceDir = null;
   deliveryTraceContexts = /* @__PURE__ */ new WeakMap();
   processExitTraceAttrs = /* @__PURE__ */ new WeakMap();
   agentVisibleBoundaries = /* @__PURE__ */ new Map();
@@ -6647,6 +6779,9 @@ var AgentProcessManager = class _AgentProcessManager {
   setTracer(tracer) {
     this.tracer = tracer;
   }
+  setCliTransportTraceDir(traceDir) {
+    this.cliTransportTraceDir = traceDir;
+  }
   visibleBoundaryMap(agentId) {
     let map = this.agentVisibleBoundaries.get(agentId);
     if (!map) {
@@ -6751,6 +6886,7 @@ var AgentProcessManager = class _AgentProcessManager {
         });
       },
       recordProxyFailure: (input) => this.recordAgentProxyFailure(agentId, input),
+      recordTransportNormalizedError: (input) => this.recordAgentProxyTransportNormalizedError(agentId, input),
       recordFreshnessDecision: (input) => {
         this.recordDaemonTrace("daemon.agent.inbox.freshness_decision", {
           agentId,
@@ -6779,6 +6915,22 @@ var AgentProcessManager = class _AgentProcessManager {
       error_message: input.errorMessage
     }, "error");
   }
+  recordAgentProxyTransportNormalizedError(agentId, input) {
+    this.recordDaemonTrace("daemon.transport.normalized_error", {
+      producer: "daemon",
+      agentId,
+      normalized_code: input.normalizedCode,
+      route_family: input.routeFamily,
+      response_started: input.responseStarted,
+      upstream_layer: input.upstreamLayer,
+      ...typeof input.upstreamStatus === "number" ? { upstream_status: input.upstreamStatus } : {},
+      ...input.originalMessage ? { original_message: input.originalMessage } : {},
+      launchId: input.launchId,
+      target_host_class: input.targetHostClass,
+      downstream_caller: input.downstreamCaller,
+      upstream: input.upstream
+    }, "error");
+  }
   recordFreshnessDecisionActivity(agentId, input) {
     if (input.decision !== "local_hold" && input.decision !== "syncing_hold") return;
     const ap = this.agents.get(agentId);
@@ -7178,7 +7330,8 @@ Use ${communicationCommand(driver, "read_history")} to catch up on the channels
         slockCliPath: this.slockCliPath,
         daemonApiKey: this.daemonApiKey,
         launchId: launchId || null,
-        agentCredentialProxyInboxCoordinator: this.createAgentProxyInboxCoordinator(agentId)
+        agentCredentialProxyInboxCoordinator: this.createAgentProxyInboxCoordinator(agentId),
+        cliTransportTraceDir: this.cliTransportTraceDir
       });
       this.recordDaemonTrace("daemon.agent.spawn.created", {
         ...this.startQueueTraceAttrs(agentId, effectiveConfig, wakeMessage, unreadSummary, resumePrompt, launchId),
@@ -9880,7 +10033,8 @@ var DIAGNOSTIC_ERROR_ATTRS = /* @__PURE__ */ new Set([
   "runtime_error_message_present",
   "runtime_error_message_length_bucket",
   "runtime_error_message_truncated",
-  "runtime_error_message_excerpt"
+  "runtime_error_message_excerpt",
+  "original_message"
 ]);
 var LocalRotatingTraceSink = class {
   traceDir;
@@ -9974,14 +10128,13 @@ function sanitizeAttrs(attrs) {
   if (!attrs) return void 0;
   const sanitized = {};
   for (const [key, value] of Object.entries(attrs)) {
+    if (value === null || value === void 0 || value === "") continue;
     if (isDiagnosticIdAttr(key)) {
-      if (value === null || value === void 0 || value === "") continue;
       sanitized[key] = sanitizeValue(value);
       continue;
     }
     if (isDiagnosticErrorAttr(key)) {
-      if (value === null || value === void 0 || value === "") continue;
-      sanitized[key] = sanitizeValue(value);
+      sanitized[key] = sanitizeDiagnosticErrorValue(key, value);
       continue;
     }
     if (shouldDropAttr(key)) continue;
@@ -10001,6 +10154,11 @@ function sanitizeValue(value) {
   }
   return String(value);
 }
+function sanitizeDiagnosticErrorValue(key, value) {
+  if (key !== "original_message" || typeof value !== "string") return sanitizeValue(value);
+  const normalized = value.replace(/sk_(?:agent|machine|computer)_[A-Za-z0-9_-]+/g, "sk_[redacted]").replace(/sap_[A-Za-z0-9_-]+/g, "sap_[redacted]").replace(/https?:\/\/\S+/g, "[url]").replace(/\s+/g, " ").trim();
+  return normalized.length > 240 ? `${normalized.slice(0, 237)}...` : normalized;
+}
 function shouldDropAttr(key) {
   const normalized = key.replace(/([a-z0-9])([A-Z])/g, "$1_$2").toLowerCase();
   if (/(^|_)(api_key|auth_token|token|secret|password|cookie|credential)(_|$)/i.test(normalized)) {
@@ -10648,6 +10806,7 @@ var DaemonCore = class {
       sink: this.localTraceSink
     });
     this.agentManager.setTracer(this.tracer);
+    this.agentManager.setCliTransportTraceDir(path16.join(machineDir, "traces"));
   }
   installTraceBundleUploader(machineDir) {
     if (!this.shouldEnableLocalTrace()) return;