chore(agent-builder): diagnostic logs for /daily 403 root-cause hunt

[eanzhao]

Summary

After #418 merged, production /daily still fails with github_proxy_access_denied. Independent manual reproduction (session-token-minted child key, both narrow and broad scopes) succeeds end-to-end against the same NyxID account, GitHub UserService, and proxy slug. The production-only failure has to live in either the deployed POST /api-keys payload or the preflight response shape, neither of which is visible in current logs.

This PR adds diagnostic-only log lines on the daily-report create path so the next failed /daily captures ground truth, then revert.

What's logged

• Before CreateApiKeyAsync: resolved per-user UserService.ids and the literal payload JSON. Tells us whether the deployed binary actually carries allow_all_services=false and whether ResolveProxyServiceIdsAsync returned per-user ids vs catalog ids.
• After successful create: the new api-key id, for correlating to NyxID-side proxy_request_denied audit records.
• Inside PreflightGitHubProxyAsync (Information level): the raw probe response. The parsed proxy_body we return only carries the inner Lark/GitHub body string when SendAsync wraps non-2xx; the unparsed probe is the only place we see exactly what NyxID returned. Distinguishes:
  • NyxID ApiKeyScopeForbidden (error_code:9000, our payload is still wrong somehow)
  • GitHub upstream 403 (Bad credentials, OAuth grant revoked)
  • Other shapes
• On preflight failure (Warning level): the structured envelope we hand back to the user, so the failure is one self-contained log line.

Why this PR exists separately

These logs are temporary debugging — once the production log captures the real failure shape, this PR (or just the four log lines) gets reverted. Splitting it off keeps the revert clean and avoids re-opening the #418 conversation.

Test plan

• dotnet build agents/Aevatar.GAgents.ChannelRuntime/Aevatar.GAgents.ChannelRuntime.csproj — clean (40 pre-existing warnings, 0 errors).
• dotnet test test/Aevatar.GAgents.ChannelRuntime.Tests/Aevatar.GAgents.ChannelRuntime.Tests.csproj --filter AgentBuilderToolTests — 30/30 passing.
• Deploy + trigger /daily alice from Lark, capture log lines tagged Diagnostic[#417]. Revert this PR after.

Follow-up after capture

Depending on what Diagnostic[#417]: GitHub preflight probe response shows:

• If NyxID error_code:9000 → resolver still returns wrong ids despite the apparent fix; need to revisit ResolveProxyServiceIdsAsync or how the relay-token auth path lists user-services
• If GitHub Bad credentials → OAuth grant on the bot owner's GitHub binding is unhealthy on the relay-token path even though it's healthy on session-token reads; need to look at how NyxID picks the credential to inject for relay-scoped api-keys
• If something else → analyze case-by-case

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 70.39%. Comparing base (87568b6) to head (c81879a).
⚠️ Report is 4 commits behind head on dev.

@@            Coverage Diff             @@
##              dev     #420      +/-   ##
==========================================
+ Coverage   70.37%   70.39%   +0.01%     
==========================================
  Files        1175     1175              
  Lines       84453    84453              
  Branches    11124    11124              
==========================================
+ Hits        59438    59447       +9     
+ Misses      20723    20715       -8     
+ Partials     4292     4291       -1     

Flag	Coverage Δ
ci	70.39% <ø> (+0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.
see 3 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.