tracer-sh 0.1.0

package/LICENSE

@@ -0,0 +1,93 @@
+Elastic License 2.0
+
+URL: https://www.elastic.co/licensing/elastic-license
+
+## Acceptance
+
+By using the software, you agree to all of the terms and conditions below.
+
+## Copyright License
+
+The licensor grants you a non-exclusive, royalty-free, worldwide,
+non-sublicensable, non-transferable license to use, copy, distribute, make
+available, and prepare derivative works of the software, in each case subject to
+the limitations and conditions below.
+
+## Limitations
+
+You may not provide the software to third parties as a hosted or managed
+service, where the service provides users with access to any substantial set of
+the features or functionality of the software.
+
+You may not move, change, disable, or circumvent the license key functionality
+in the software, and you may not remove or obscure any functionality in the
+software that is protected by the license key.
+
+You may not alter, remove, or obscure any licensing, copyright, or other notices
+of the licensor in the software. Any use of the licensor’s trademarks is subject
+to applicable law.
+
+## Patents
+
+The licensor grants you a license, under any patent claims the licensor can
+license, or becomes able to license, to make, have made, use, sell, offer for
+sale, import and have imported the software, in each case subject to the
+limitations and conditions in this license. This license does not cover any
+patent claims that you cause to be infringed by modifications or additions to
+the software. If you or your company make any written claim that the software
+infringes or contributes to infringement of any patent, your patent license for
+the software granted under these terms ends immediately. If your company makes
+such a claim, your patent license ends immediately for work on behalf of your
+company.
+
+## Notices
+
+You must ensure that anyone who gets a copy of any part of the software from you
+also gets a copy of these terms.
+
+If you modify the software, you must include in any modified copies of the
+software prominent notices stating that you have modified the software.
+
+## No Other Rights
+
+These terms do not imply any licenses other than those expressly granted in
+these terms.
+
+## Termination
+
+If you use the software in violation of these terms, such use is not licensed,
+and your licenses will automatically terminate. If the licensor provides you
+with a notice of your violation, and you cease all violation of this license no
+later than 30 days after you receive that notice, your licenses will be
+reinstated retroactively. However, if you violate these terms after such
+reinstatement, any additional violation of these terms will cause your licenses
+to terminate automatically and permanently.
+
+## No Liability
+
+*As far as the law allows, the software comes as is, without any warranty or
+condition, and the licensor will not be liable to you for any damages arising
+out of these terms or the use or nature of the software, under any kind of
+legal claim.*
+
+## Definitions
+
+The **licensor** is the entity offering these terms, and the **software** is the
+software the licensor makes available under these terms, including any portion
+of it.
+
+**you** refers to the individual or entity agreeing to these terms.
+
+**your company** is any legal entity, sole proprietorship, or other kind of
+organization that you work for, plus all organizations that have control over,
+are under the control of, or are under common control with that
+organization. **control** means ownership of substantially all the assets of an
+entity, or the power to direct its management and policies by vote, contract, or
+otherwise. Control can be direct or indirect.
+
+**your licenses** are all the licenses granted to you for the software under
+these terms.
+
+**use** means anything you do with the software requiring one of your licenses.
+
+**trademark** means trademarks, service marks, and similar rights.

package/README.md

@@ -0,0 +1,113 @@
+# Tracer
+
+[![npm version](https://img.shields.io/npm/v/tracer-sh)](https://www.npmjs.com/package/tracer-sh)
+[![CI](https://github.com/sholub-dev/tracer/actions/workflows/ci.yml/badge.svg)](https://github.com/sholub-dev/tracer/actions/workflows/ci.yml)
+[![CodeQL](https://github.com/sholub-dev/tracer/actions/workflows/codeql.yml/badge.svg)](https://github.com/sholub-dev/tracer/actions/workflows/codeql.yml)
+
+Local-first AI-powered observability platform.
+
+During an incident, most time goes to switching between observability tools
+and gathering context — not fixing the problem. Tracer connects your providers
+to a single AI chat interface so you find the root cause in one place.
+
+## Debug
+
+Chat with an AI agent that queries your providers in real-time and finds root causes — all from a single conversation.
+
+- Natural language investigation
+- Live query execution with inline charts
+- Post-mortem reports — download as Markdown to share
+- Share investigations as PNG — drop the exported image back into Tracer to re-open the analysis
+- Agent memory across sessions
+- Session history and cost tracking
+
+![Debug page](docs/screenshots/debug_page.png)
+
+## Settings
+
+Configure providers, LLM credentials, agent behavior, and memory. All data is stored locally — nothing leaves your machine except the API calls you configure.
+
+- Anthropic (Claude) and Google (Gemini) API keys
+- Data provider setup with connectivity tests
+- Thinking budgets and step limits
+- Agent memory management
+
+![Settings page](docs/screenshots/settings_page.png)
+
+## How it works
+
+```
+┌─────────┐       your API keys         ┌──────────────────┐
+│         │ ◄──────────────────────────►│  Observability   │
+│ Tracer  │                             │  Providers       │
+│  local  │       your API keys         ├──────────────────┤
+│         │ ◄──────────────────────────►│  LLM Providers   │
+└─────────┘                             └──────────────────┘
+```
+
+Everything runs on your machine. Your data stays local in a SQLite database.
+Tracer talks directly to your provider and LLM APIs using your own API keys —
+no intermediary servers, no data leaves your machine except API calls you control.
+
+## Install
+
+Requires [Node.js 20+](https://nodejs.org/).
+
+```bash
+npx tracer-sh
+```
+
+Or install globally:
+
+```bash
+npm install -g tracer-sh
+tracer-sh
+```
+
+Open `http://localhost:3579`, go to **Settings** to add your API keys and choose an LLM — done.
+
+## Supported Providers
+
+**Data:** New Relic (NRQL via NerdGraph), Google Cloud (Logs, Traces, Metrics, Errors)
+
+**LLM:** Anthropic (Claude), Google (Gemini)
+
+## Uninstall
+
+```bash
+npm uninstall -g tracer-sh
+```
+
+To also remove your local database (settings, sessions, API keys):
+
+```bash
+rm -rf ~/.tracer
+```
+
+## Troubleshooting
+
+| Problem | Fix |
+|---------|-----|
+| `better-sqlite3` build fails | macOS: `xcode-select --install` / Linux: `sudo apt install build-essential python3` |
+| Port in use | `TRACER_PORT=3580 tracer-sh` |
+| No LLM responses | Add an API key in Settings |
+
+## Contributing
+
+Contributions are welcome! There are two main ways to help:
+
+**Report bugs or request features** — [open an issue](https://github.com/sholub-dev/tracer/issues). Include steps to reproduce for bugs, or a clear description for feature requests.
+
+**Submit a code change:**
+
+1. Fork this repo
+2. Create a branch (`git checkout -b fix/my-fix`)
+3. Make your changes and commit
+4. Push to your fork (`git push origin fix/my-fix`)
+5. Open a pull request against `master`
+
+All PRs require approval before merging.
+
+## License
+
+[Elastic License 2.0](https://www.elastic.co/licensing/elastic-license) — free for any use, including internal business use, modification, and redistribution. You may not offer it as a hosted or managed service competing with Tracer.

package/bin/tracer.mjs

@@ -0,0 +1,31 @@
+#!/usr/bin/env node
+
+import { spawnSync } from "node:child_process";
+import { fileURLToPath } from "node:url";
+import { dirname, resolve } from "node:path";
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const serverPath = resolve(__dirname, "../packages/server/dist/index.js");
+
+// Must match RESTART_EXIT_CODE in packages/server/src/updater.ts
+const RESTART_EXIT_CODE = 75;
+
+const banner = `
+  ╔═══════════════════════════════════╗
+  ║       Tracer Debug Platform       ║
+  ╚═══════════════════════════════════╝
+`;
+
+console.log(banner);
+
+// Restart loop: if server exits with code 75, it means an update was applied
+while (true) {
+  const result = spawnSync(process.execPath, [serverPath], {
+    stdio: "inherit",
+    env: process.env,
+  });
+  if (result.status !== RESTART_EXIT_CODE) {
+    process.exit(result.status ?? 1);
+  }
+  console.log("\nRestarting after update...\n");
+}

package/package.json

@@ -0,0 +1,46 @@
+{
+  "name": "tracer-sh",
+  "version": "0.1.0",
+  "type": "module",
+  "description": "Local-first debugging & analysis platform",
+  "license": "SEE LICENSE IN LICENSE",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/sholub-dev/tracer.git"
+  },
+  "packageManager": "pnpm@10.10.0",
+  "engines": {
+    "node": ">=20.0.0"
+  },
+  "bin": {
+    "tracer-sh": "./bin/tracer.mjs"
+  },
+  "files": [
+    "bin/tracer.mjs",
+    "packages/server/dist/",
+    "packages/web/dist/"
+  ],
+  "scripts": {
+    "predev": "pnpm install --frozen-lockfile 2>/dev/null || pnpm install",
+    "dev": "concurrently --kill-others -n server,web -c blue,green \"pnpm --filter @tracer-sh/server dev\" \"pnpm --filter @tracer-sh/web dev\"",
+    "build": "pnpm --filter @tracer-sh/shared build && pnpm --filter @tracer-sh/server build && pnpm --filter @tracer-sh/web build",
+    "start": "node packages/server/dist/index.js",
+    "lint": "pnpm -r --parallel run typecheck",
+    "release": "bin/release.sh",
+    "prepublishOnly": "if [ -z \"${CI:-}\" ]; then echo 'ERROR: Do not publish manually. Use: pnpm release <version>' && exit 1; fi && pnpm build"
+  },
+  "dependencies": {
+    "better-sqlite3": "^12.6.2"
+  },
+  "pnpm": {
+    "onlyBuiltDependencies": [
+      "better-sqlite3",
+      "esbuild"
+    ]
+  },
+  "devDependencies": {
+    "concurrently": "^9.2.1",
+    "tsx": "^4.21.0",
+    "typescript": "^5.9.3"
+  }
+}

package/packages/server/dist/chunk-4VNS5WPM.js

@@ -0,0 +1,42 @@
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require : typeof Proxy !== "undefined" ? new Proxy(x, {
+  get: (a, b) => (typeof require !== "undefined" ? require : a)[b]
+}) : x)(function(x) {
+  if (typeof require !== "undefined") return require.apply(this, arguments);
+  throw Error('Dynamic require of "' + x + '" is not supported');
+});
+var __commonJS = (cb, mod) => function __require2() {
+  return mod || (0, cb[__getOwnPropNames(cb)[0]])((mod = { exports: {} }).exports, mod), mod.exports;
+};
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+
+export {
+  __require,
+  __commonJS,
+  __export,
+  __toESM
+};

package/packages/server/dist/chunk-5IQ4TST5.js

@@ -0,0 +1,233 @@
+// src/providers/newrelic/domain-knowledge.ts
+var NR_AUTH_STOP_RULE = `## Authentication Failure \u2014 STOP IMMEDIATELY
+If any query returns an authentication or permission error (e.g. "Invalid API key", "401", "403", "Unauthorized"), **STOP ALL FURTHER TOOL CALLS** and report:
+1. The exact error message received.
+2. That the New Relic API key needs to be checked in Settings.
+Do NOT retry \u2014 auth errors cannot be resolved by the sub-agent.`;
+var NRQL_QUICK_REFERENCE = `## NRQL Reference
+
+### Clauses
+- \`SELECT func(attr) FROM EventType\` \u2014 required. Event types are **case-sensitive** (\`Transaction\` not \`transaction\`).
+- \`WHERE attr op value\` \u2014 filter. Operators: \`=\`, \`!=\`, \`<\`, \`>\`, \`<=\`, \`>=\`, \`IN ('a','b')\`, \`IS [NOT] NULL\`.
+  - \`LIKE '%pattern%'\` \u2014 **case-sensitive**, \`%\` wildcard. Leading wildcard \`LIKE '%x'\` is slow.
+  - \`RLIKE '(?i)timeout|refused'\` \u2014 regex (RE2 syntax). Must match ENTIRE string for extraction; use \`.*pattern.*\` for partial matching. Use \`(?i)\` flag for case-insensitive matching.
+- \`FACET attr [, attr2]\` \u2014 group by (max 5 attributes). Default LIMIT 10 facet values, max 5000. LIMIT applies per-facet group.
+- \`FACET CASES (WHERE cond AS 'label', ...)\` \u2014 custom grouping buckets. Order matters: first match wins.
+- \`LIMIT n\` \u2014 max rows/facets. Default 10 for FACET, 100 for non-FACET. \`LIMIT MAX\` for maximum allowed.
+- \`SINCE time_expr\` \u2014 always include. NR default is 1 hour if omitted. Supports: \`N hours ago\`, \`today\`, \`yesterday\`, \`'2024-01-15T14:00'\`, epoch ms.
+- \`UNTIL time_expr\` \u2014 end time (default NOW).
+- \`COMPARE WITH N time_unit ago\` \u2014 overlay current vs prior period. Requires SINCE.
+- \`TIMESERIES N time_unit\` or \`TIMESERIES AUTO\` \u2014 time-bucketed series. Max 366 buckets. Be explicit with bucket size \u2014 AUTO can hide short spikes.
+- \`SLIDE BY N time_unit\` \u2014 sliding windows. Cannot use with TIMESERIES AUTO.
+- \`EXTRAPOLATE\` \u2014 compensate for APM event sampling. Only works with: count, average, sum, histogram, rate, percentage, apdex, stddev. Does NOT work with: uniqueCount, percentile, min, max, latest, earliest.
+- \`ORDER BY attr [ASC|DESC]\` \u2014 sort non-aggregation results only (not for FACET queries).
+- \`WITH TIMEZONE 'America/New_York'\` \u2014 affects time display and time functions. Default UTC.
+- Subqueries: \`WHERE x IN (SELECT ... FROM ...)\` or \`FROM (SELECT ... FACET y) WHERE ...\` \u2014 max 3 per query, cannot reference outer query attributes.
+
+### Key Functions
+**Aggregation:** \`count(*)\`, \`average(attr)\`, \`sum\`, \`min\`, \`max\`, \`percentile(attr, 50, 95, 99)\`, \`uniqueCount(attr)\`, \`uniques(attr)\`, \`histogram(attr)\`, \`median(attr)\`, \`stddev\`, \`latest(attr)\`, \`earliest(attr)\`.
+**Rate/trend:** \`rate(aggregator, interval)\` \u2014 frequency per time unit. \`derivative(attr)\` \u2014 rate of change. \`filter(aggregator, WHERE cond)\` \u2014 conditional aggregation in SELECT, e.g. \`filter(count(*), WHERE error IS TRUE)\`. \`percentage(count(*), WHERE cond)\` \u2014 % matching condition.
+**String/extraction:** \`capture(attr, r'.*(?P<name>pattern).*')\` \u2014 RE2 regex extraction. Named groups \`(?P<name>...)\`. Must match FULL string. \`aparse(attr, 'anchor*pattern')\` \u2014 simpler/faster anchor-based extraction. \`concat(a, b)\`, \`lower()\`, \`upper()\`, \`length()\`, \`substring(attr, start, end)\`, \`position(str, sub)\`, \`replace(str, search, repl)\`.
+**Conditional:** \`if(condition, true_val, false_val)\` \u2014 per-row conditional.
+**Time grouping:** \`hourOf(timestamp)\`, \`dateOf()\`, \`weekdayOf()\`, \`dayOfMonthOf()\`, \`monthOf()\` \u2014 UTC by default, use WITH TIMEZONE.
+**Type conversion:** \`numeric(val)\`, \`string(val)\`, \`boolean(val)\`. JSON: \`jsonParse(str_attr)\`, \`mapKeys()\`, \`mapValues()\`.
+**Discovery:** \`keyset() FROM EventType\` \u2014 list all attributes. \`SHOW EVENT TYPES\` \u2014 list all event types.
+
+### Case Sensitivity
+- **Event types**: case-sensitive (\`Transaction\`, not \`transaction\`).
+- **Attribute names**: case-sensitive (\`appName\`, not \`appname\`).
+- **NRQL keywords/functions**: case-insensitive (\`SELECT\`, \`select\`, \`Count()\` all work).
+- **\`=\` and \`LIKE\`**: case-sensitive. For case-insensitive matching, use \`RLIKE '(?i)pattern'\` or normalize with \`lower()\`.`;
+var NR_ANTI_PATTERNS = `## Common Mistakes \u2014 AVOID THESE
+- No \`DISTINCT\` keyword \u2014 use \`uniques(field)\` or \`FACET field\`.
+- No \`GROUP BY\` \u2014 use \`FACET\`.
+- No backslashes in NRQL strings. Backtick dotted field names: \`SELECT \\\`error.message\\\` FROM TransactionError\`.
+- \`WHERE attr != 'value'\` does NOT include rows where attr is NULL. Use \`WHERE attr != 'value' OR attr IS NULL\`.
+- NULL values are excluded from FACET groups.
+- \`count(*)\` counts all rows. \`count(attr)\` counts non-null values only.
+- \`SELECT *\` over long ranges is slow \u2014 always aggregate for > 1 hour.
+- \`Span\` data is sampled \u2014 never use for aggregate metrics (counts, averages). Use \`Transaction\` or \`Metric\` instead.
+- RLIKE is slower than LIKE \u2014 use LIKE when wildcards suffice.
+- \`COMPARE WITH\` + \`percentile()\` returns a JSON object (\`{"99": 0.984375}\`) instead of a plain number. To compare percentile values across periods, run two separate queries with explicit \`SINCE\`/\`UNTIL\` ranges rather than using \`COMPARE WITH\`.`;
+var NR_INSIDE_OUT_DEBUGGING = `## Inside-Out Debugging
+
+**With a specific identifier** (ID, error message, trace ID, user):
+1. Find it \u2014 TransactionError first (\`\\\`error.message\\\` LIKE '%value%'\`, \`request.uri LIKE '%value%'\`). No match \u2192 Transaction \u2192 Log.
+2. Extract context \u2014 traceId, appName, transactionName, error.class, timestamp.
+3. Expand ONLY if needed \u2014 \`FROM Transaction WHERE traceId = '...'\` for the request chain, but only if the error context doesn't already answer the question.
+4. If multiple identifiers surface, investigate 1-2 representative samples. If they show the same pattern, stop \u2014 that IS the pattern.
+
+**Without a specific identifier** (vague symptoms):
+1. Golden Signals \u2014 \`SELECT count(*), average(duration), percentage(count(*), WHERE error IS TRUE) FROM Transaction WHERE appName = '...' SINCE 1 hour ago\` \u2014 get multiple signals in ONE query.
+2. FACET to scope \u2014 drill by appName, transactionName, or error.class to narrow down.
+3. Once you have a specific identifier, switch to the "with identifier" flow above.
+
+**Diagnostic safeguards:**
+- **No data?** If your first 2 queries across different event types return empty, verify data exists: \`SELECT count(*) FROM Transaction SINCE 1 day ago\`. If zero, report no data \u2014 stop investigating.
+
+**Identifier extraction:** \`error.message\` often contains IDs \u2014 extract with \`capture()\` or \`LIKE\` and search across types. \`request.uri\` has entity IDs (e.g. \`/api/users/12345\`). Custom attributes: \`keyset() FROM Transaction\`.
+
+NEVER start with schema discovery (\`keyset()\`, \`SHOW EVENT TYPES\`) when you have a specific value.`;
+var NR_SERVICE_HEALTH_RUNBOOK = `## Service Health Runbook
+
+### Step 0 \u2014 Identify Entity Types
+Before running any checks, determine which entity types exist for the service:
+- **APM application present** \u2192 run the APM Health Checklist below
+- **Browser application present** \u2192 run the Browser Health Checklist below
+- **Both present** \u2192 run both checklists
+- **Neither found** \u2192 report that no monitorable entity was found and stop
+
+---
+
+### APM Health Checklist
+Run all 4 checks for any APM application entity.
+
+**[ ] Check 1 \u2014 Response Time P99**
+Measure the 99th percentile response time for all transactions.
+_Why:_ P99 catches worst-case latency that average metrics hide. Degradation here means the slowest 1% of users are experiencing a significant problem even if the average looks fine.
+_Baseline:_ Compare against the same time range exactly 1 week ago (same day of week).
+_Flag if:_ Current P99 is more than 50% higher than the baseline.
+
+**[ ] Check 2 \u2014 Transaction Error Rate**
+Measure the percentage of all transactions that ended in an error.
+_Why:_ Error rate directly reflects the fraction of user requests that are failing. Even a small uptick is significant because it represents real users hitting errors.
+_Baseline:_ Compare against the same time range 1 week ago (same day of week).
+_Flag if:_ Current rate is more than 50% relatively higher than baseline, OR the absolute increase is more than 1 percentage point when the baseline was near zero.
+
+**[ ] Check 3 \u2014 External Services Errors**
+Measure the error rate of outbound HTTP calls this service makes to external services or APIs.
+_Why:_ A failing downstream dependency will cascade into this service's errors. This distinguishes "our code is broken" from "something we depend on is broken."
+_Applicability:_ Only run this check if the service makes external calls. If it does not, mark as N/A.
+_Baseline:_ Compare non-2xx response rate against the same time range 1 week ago (same day of week).
+_Flag if:_ Non-2xx rate is more than 2\xD7 the baseline, or it newly appears where the baseline was near zero.
+
+**[ ] Check 4 \u2014 Success Transactions Drop**
+Measure the count of transactions that completed successfully (no error).
+_Why:_ A drop in successful transactions signals a blockage or anomaly even when the error rate is stable \u2014 requests may simply not be arriving or being processed at expected volumes.
+_Baseline:_ Compare count against the same time range exactly 1 week ago (same day of week). **Never compare different days of the week \u2014 traffic patterns differ significantly between weekdays and weekends.**
+_Flag if:_ Count is more than 20% lower than the baseline.
+
+---
+
+### Browser Health Checklist
+Run all 5 checks for any Browser application entity.
+
+**[ ] Check 1 \u2014 Browser JS Errors**
+Measure the count of JavaScript errors recorded in users' browsers.
+_Why:_ JS errors silently break features and flows without producing HTTP errors \u2014 they are completely invisible to server-side APM.
+_Baseline:_ Compare count against the same time range 1 week ago (same day of week).
+_Flag if:_ Count is more than 50% higher than baseline.
+
+**[ ] Check 2 \u2014 AJAX Request Error Rate**
+Measure the percentage of AJAX/XHR requests from the browser that received a non-2xx HTTP response.
+_Why:_ Catches API failures from the client's perspective, including calls to third-party APIs or CDN endpoints that server-side APM may miss entirely.
+_Baseline:_ Compare against the same time range 1 week ago (same day of week).
+_Flag if:_ Error rate is more than 50% relatively higher than baseline, or the absolute increase is more than 1 percentage point when baseline was near zero.
+
+**[ ] Check 3 \u2014 Browser LCP P75**
+Measure the 75th percentile of Largest Contentful Paint (LCP) \u2014 the time until the page's primary content is visible to the user.
+_Why:_ LCP is the primary user-perceived load speed signal. P75 means 3 out of 4 users experience this load time or better. A regression here directly impacts perceived performance for the majority of users.
+_Baseline:_ Compare against the same time range 1 week ago (same day of week).
+_Flag if:_ P75 is more than 30% higher (slower) than baseline.
+
+**[ ] Check 4 \u2014 AJAX Response Time P75**
+Measure the 75th percentile of AJAX request round-trip time as measured from the browser.
+_Why:_ Slow AJAX responses degrade interactivity even when the initial page load looks fine. This catches API latency that users feel during active interactions.
+_Baseline:_ Compare against the same time range 1 week ago (same day of week).
+_Flag if:_ P75 is more than 30% higher than baseline.
+
+**[ ] Check 5 \u2014 AJAX Success Requests Drop**
+Measure the count of AJAX requests that completed with a successful (2xx) response.
+_Why:_ A drop can indicate a broken feature preventing users from reaching certain flows, a routing or CDN blockage, or an authentication/session issue causing requests to be rejected upstream.
+_Baseline:_ Compare against the same time range exactly 1 week ago (same day of week). **Never compare different days of the week.**
+_Flag if:_ Count is more than 20% lower than the baseline.
+
+---
+
+### Baseline Comparison Rule
+**Always compare the same day of week, same time range, 7 days prior.**
+- Correct: "Tuesday 14:00\u201315:00" vs "last Tuesday 14:00\u201315:00"
+- **WRONG: comparing Monday vs Tuesday, or weekday vs weekend.** Traffic patterns differ significantly \u2014 cross-day comparisons produce false positives and miss real issues.
+
+---
+
+### Reporting Format
+After completing all applicable checks, report results as a table:
+
+| Check | Current | Baseline (1w ago) | Delta | Status |
+|-------|---------|-------------------|-------|--------|
+| Response Time P99 | ... | ... | +X% | \u2705 Pass / \u26A0\uFE0F Flagged |
+| Transaction Error Rate | ... | ... | +X% | \u2705 Pass / \u26A0\uFE0F Flagged |
+| External Services Errors | ... | ... | ... | \u2705 Pass / \u26A0\uFE0F Flagged / \u2014 N/A |
+| Success Transactions | ... | ... | -X% | \u2705 Pass / \u26A0\uFE0F Flagged |
+
+End with an overall verdict on its own line:
+- \`Service appears healthy.\` \u2014 all checks pass
+- \`X check(s) flagged: [list check names].\` \u2014 one or more checks flagged
+
+If a check could not be evaluated (no baseline data available, service has no external calls, etc.), mark it as **N/A** with a brief note. Never silently skip a check.`;
+var NR_QUERY_DEFAULTS = `## Query Defaults
+- Always include \`SINCE\`. Default: \`SINCE 24 hours ago\`. "recent" \u2192 1 hour. "today" \u2192 today.
+- Default: \`LIMIT 10\`. Increase to 20\u201350 only when needed. Never start with 100+.`;
+var NR_EVENT_TYPES = `## Event Types & Field Reference
+
+### CRITICAL: Field Name Mismatches Across Event Types
+| Concept | Transaction/Span | Log | Infrastructure |
+|---------|-----------------|-----|----------------|
+| Trace ID | \`traceId\` (camelCase) | \`trace.id\` (dotted, needs backticks) | \u2014 |
+| Span ID | \`guid\` | \`span.id\` (dotted, needs backticks) | \u2014 |
+| App/Service | \`appName\` | \`entity.name\` | \u2014 |
+| Host | \`host\` | \`hostname\` | \`hostname\` |
+| Txn name | \`name\` | \u2014 | \u2014 |
+| Txn name (error) | \u2014 (use \`transactionName\` in TransactionError) | \u2014 | \u2014 |
+
+Same values, different field names. \`FROM Transaction WHERE traceId = 'abc'\` but \`FROM Log WHERE \\\`trace.id\\\` = 'abc'\`.
+
+### Event Types
+
+**Transaction** \u2014 One event per request per service. ~2000 events/min/instance before sampling.
+Fields: \`duration\`, \`name\`, \`appName\`, \`traceId\`, \`guid\`, \`httpResponseCode\`, \`request.uri\`, \`request.method\`, \`error\` (boolean), \`host\`, \`entity.guid\`, \`databaseDuration\`, \`externalDuration\`, \`parent.app\`/\`parent.type\`/\`parent.transportDuration\`.
+Use for: health checks, error rates, latency, throughput, cross-service tracing.
+
+**TransactionError** \u2014 Error details. Separate sampling pool (~100/harvest cycle).
+Fields: \`error.message\`, \`error.class\`, \`error.expected\`, \`transactionName\`, \`request.uri\`, \`traceId\`, \`appName\`. Plus most Transaction fields.
+Key difference: Transaction only has boolean \`error\`; TransactionError has the actual error message/class.
+
+**Log** \u2014 Forensic detail. Auto-decorated with trace linking when logs-in-context is enabled.
+Fields: \`message\`, \`level\` / \`log.level\`, \`entity.name\`, \`hostname\`, \`trace.id\`, \`span.id\`, \`entity.guid\`.
+Note: Linking fields (\`trace.id\`, \`span.id\`) require agent logs-in-context. Missing = agent too old or feature not enabled.
+
+**Span** \u2014 Sub-transaction operations (DB, HTTP, method timings). **HEAVILY SAMPLED: ~10 traces/min (120 for Java), max 2000 spans/min.** Never use for aggregate counts/averages \u2014 counts will be far too low.
+Fields: \`name\`, \`duration\`, \`category\` (generic/http/datastore/external), \`span.kind\`, \`traceId\`, \`parentId\`, \`nr.entryPoint\`, \`http.url\`, \`http.statusCode\`, \`db.statement\`, \`error.class\`, \`error.message\`.
+Use ONLY for: tracing individual request paths when Transaction's \`duration\` isn't granular enough.
+
+**Metric** \u2014 Dimensional metrics. **NEVER SAMPLED** \u2014 always accurate. Use when event sampling is suspected.
+Query: \`FROM Metric SELECT average(apm.service.transaction.duration) WHERE appName = 'x'\`.
+
+**SystemSample / ProcessSample** \u2014 Infrastructure host/process metrics. **Requires separate infrastructure agent** (not guaranteed with APM).
+Fields: \`cpuPercent\`, \`memoryUsedPercent\`, \`diskUsedPercent\`, \`hostname\`, \`processDisplayName\`.`;
+var NR_CROSS_SIGNAL = `## Cross-Signal Correlation
+- **Transaction \u2192 TransactionError**: Same \`traceId\`. Transaction has boolean \`error\`; TransactionError has \`error.message\`/\`error.class\`.
+- **Transaction \u2192 Log**: \`traceId\` (Transaction) = \`trace.id\` (Log, backtick-quoted). \`appName\` (Transaction) = \`entity.name\` (Log).
+- **Transaction \u2192 Span**: Same \`traceId\`. Use Span ONLY for sub-request breakdown \u2014 never for aggregates (heavily sampled).
+- **Any \u2192 Metric**: When event counts seem low, compare: \`FROM Transaction SELECT count(*)\` vs \`FROM Metric SELECT rate(count(apm.service.transaction.duration), 1 minute)\`. If Metric is significantly higher, events are sampled \u2014 add \`EXTRAPOLATE\`.
+- **\`entity.guid\`**: Universal cross-type linker across Transaction, Span, Log, Metric, Infrastructure.
+- **Diagnostic shortcut**: Health \u2192 Transaction | Error cause \u2192 TransactionError | Slow? \u2192 Transaction FACET name, then Span for breakdown | Which service? \u2192 Transaction WHERE traceId | Infra \u2192 SystemSample WHERE hostname = '...'`;
+var NR_DOMAIN_KNOWLEDGE = `${NR_QUERY_DEFAULTS}
+
+${NR_EVENT_TYPES}
+
+${NR_CROSS_SIGNAL}
+
+${NRQL_QUICK_REFERENCE}
+
+${NR_ANTI_PATTERNS}
+
+${NR_SERVICE_HEALTH_RUNBOOK}`;
+
+export {
+  NR_AUTH_STOP_RULE,
+  NR_INSIDE_OUT_DEBUGGING,
+  NR_SERVICE_HEALTH_RUNBOOK,
+  NR_DOMAIN_KNOWLEDGE
+};