[codex] add Telegram monitor trace history

[zooey-sys]

Summary

Adds durable Telegram monitor trace history so every Telegram message can expose where it reached in the routing/triage/task pipeline, including messages that do not become tasks.

What changed

• Records monitor trace events through the Telegram subscriber, subscription router, monitor digest, workflow dispatch, and task creation path.
• Adds daemon workflow/API support for reading recent Telegram monitor trace history.
• Persists triage no-task reasoning as a structured trace event instead of only relying on model prose.
• Adds tests for trace emission and triage decision extraction/promotion.

Impact

This supports the Bobo desktop Telegram Task History panel and gives developers a stable way to debug why a Telegram message did not generate a task without digging through raw daemon logs.

Paired PR

• Bobo UI: https://github.com/berabuddies/bobo/pull/72

Validation

• cargo test -p puffer-cli extract_no_task_decisions_parses_marked_json_block
• cargo test -p puffer-cli render_triage_batch_prompt_renders_one_trigger
• cargo test -p puffer-cli finalize_promotes_latest_triage_decision
• cargo test -p puffer-subscriptions batch_triage_decision_trace_is_written_only_to_matching_envelope

Existing warnings are still present in the workspace; no new test failure observed.

[vercel]

@zooey-sys is attempting to deploy a commit to the fuzzland Team on Vercel.

A member of the Team first needs to authorize it.

[hypotyposis]

Addressed the monitor trace privacy blocker in 3ee0a6ea.

Changes:

• include_payload=false now bounds messages[].text to the same 200-character preview shape used by Telegram diagnostics before summaries are generated.
• MonitorTraceStore now stores only a bounded text preview when traces are recorded/merged, so new monitor_trace.json writes do not persist full message bodies.
• Added regressions for both surfaces: handler output privacy and on-disk store privacy.

Verification:

• RED first: cargo test -p puffer-cli store_message_text_is_bounded_when_payload_is_hidden -- --nocapture failed because full text was returned.
• RED first: cargo test -p puffer-subscriptions persisted_trace_text_is_bounded -- --nocapture failed because full text was written to monitor-trace.json.
• GREEN: cargo test -p puffer-cli daemon_workflows::monitor_trace::tests -- --nocapture
• GREEN: cargo test -p puffer-subscriptions monitor_trace::tests -- --nocapture
• GREEN: cargo test -p puffer-subscriptions
• GREEN: cargo fmt --package puffer-subscriptions -- --check
• GREEN: touched-file rustfmt --edition 2021 --check for crates/puffer-cli/src/daemon_workflows/monitor_trace.rs and crates/puffer-subscriptions/src/monitor_trace.rs
• GREEN: git diff --check

I kept the write-amplification/debounce item out of this patch as follow-up-sized, per the CR note. The task-link write-side association and batch router_no_monitor_binding reason are also behavior changes outside the privacy blocker; they can be picked up separately if you want them before undrafting.

[zooey-sys]

LGTM (review for the record) — head 3ee0a6e. The privacy BLOCKER from the prior review is fixed at both layers and verified:

• Store: trace_text_preview (200-char + ellipsis) is applied at envelope->identity, message creation, merge, and on every record_stage (puffer-subscriptions/src/monitor_trace.rs), so monitor_trace.json can no longer persist >200 chars of message text. Covered by persisted_trace_text_is_bounded.
• Handler: bound_text_field truncates text to 200 chars when include_payload=false (puffer-cli/src/daemon_workflows/monitor_trace.rs). Covered by store_message_text_is_bounded_when_payload_is_hidden (asserts text != full, <=203, ends with ellipsis, payload null).
• Net: full message body is never exposed (store cap + diagnostic text_prefix), so the include_payload=false contract holds.

Strengths confirmed in the first pass still stand: concurrency is safe (single in-process Arc<Mutex>, load-once + mutex-serialized + atomic tmp+rename — does not repeat the stale-snapshot/lost-update class), and pipeline stage coverage is thorough and best-effort (non-blocking).

Tiny non-blocking nit: pre-fix on-disk entries that still hold full text self-heal (handler bounds output when include_payload=false; store re-bounds on the next stage write); the only residual is a stale entry fetched with include_payload=true before any rewrite.

Deferred to follow-up (agreed, not blocking): write-amplification (per-stage full-file re-serialize+rename under one mutex on the per-message path -> dirty/debounce/async flush, preserving the current mutex+atomic correctness boundary); write-side task-creation tracing (today task_created is reconstructed at read time via metadata.monitor_envelope_id); and the batch path's missing router_no_monitor_binding reason.