docs/prds/settings/feedback-db-diagnostics.md
Status: Draft Date: 2026-07-07
User feedback in Sentry already includes type=user-feedback, selected module, description, logs, and screenshots. Real feedback samples show that this is often insufficient for conversation/model/team issues: logs can say a turn failed, but not always show the final persisted conversation state, message status, selected provider/model, ACP session config, or team backlog.
The diagnostic attachment should add a small, privacy-safe database snapshot to feedback reports. It must not upload the SQLite DB file, arbitrary SQL results, prompts, message content, provider API keys, or raw error messages.
AionUi owns only feedback orchestration:
route_at_open and route_at_submitconversation_id, provider_id, team_id, agent_id, or mcp_server_idGET /api/system/diagnostics/feedback-reportdb-diagnostics.json.gz when gzip is available, otherwise db-diagnostics.jsonaionCore owns all diagnostic logic:
AionUi main process must not read SQLite or expose feedback:collect-db-diagnostics.
Route context is more trustworthy than the selected module because the user can choose the wrong module. The selected module is still useful user intent. aionCore must use the union of:
global-summaryExample: if the feedback is opened on #/conversations/conv-1 and the user selects system-settings, the attachment should include at least conversation-session, model-auth, mcp-tools, and global-summary.
conversation-sessionDetailed key: conversation_id
Useful for cases seen in Sentry:
UserLlmProviderAuthFailedAllowed output:
Never output raw messages.content, prompts, raw session_config, rules_content, provider API keys, or raw error messages.
model-authDetailed key: provider_id, or derived from conversation_id
Allowed output:
api_key_configured booleanNever output api_key_encrypted, full URLs, URL query strings, bearer tokens, or Bedrock config.
agent-teamDetailed key: team_id, or derived from conversation_id
Allowed output:
Never output workspace absolute paths, task subject/description, mailbox content, or mailbox summary.
mcp-toolsDetailed key: mcp_server_id
Allowed output:
Never output raw transport config, original JSON, headers, env values, or tokens.
global-summaryAlways included as low-cost context.
Allowed output:
The response should preserve diagnostic value while excluding the few categories that create real privacy or credential risk:
providers.api_key_encryptedusers.password_hash, users.jwt_secret, or users.emailConversation titles are allowed because they are needed to correlate the database snapshot with the screenshot and Sentry feedback. They are not separately redacted for generic sk-..., token, or bearer string shapes.
The aionCore response includes a privacy block:
{
"raw_content_included": false,
"api_keys_included": false
}
Tests must assert that representative provider API keys, encrypted provider keys, raw prompt text, and raw error messages do not appear in the serialized diagnostics response.