feat(cli): add request log inspection and diagnostics

[dantrapp]

Summary

Adds CLI access to Agent Vault request logs and a small diagnostic layer for failed proxied requests.

Agent Vault intentionally avoids recording bodies, header values, query strings, or credential values. This keeps that security model intact while making the existing safe request metadata easier to use when debugging failed agent traffic.

What changed

• Added agent-vault logs
• Added filters for vault, status bucket, service, ingress, limit, tailing, and JSON output
• Added agent-vault inspect request --id
• Added agent-vault inspect explain plus inspect logs alias
• Added rule-based diagnostics for common proxy/adoption failures
• Sanitized human-readable request-derived output to avoid terminal control characters
• Updated CLI docs and agent skill docs

Why

When an agent request fails, users need to quickly distinguish between no service match, credential/auth format issues, proxy/session issues, upstream provider failures, high latency, and plain HTTP traffic hitting the transparent HTTPS proxy.

The inspector works only from existing secret-free request-log metadata.

Test plan

• npm ci
• npm run build
• go test ./internal/inspect ./cmd
• go test ./...
• go build -trimpath -o /tmp/agent-vault-check .

[claude]

Claude Code Review

This pull request is from a fork — automated review is disabled. A repository maintainer can comment @claude review to run a one-time review.