Diagnostics — opt-in error reporting¶
When Veracium hits a genuine error, it can send its local log to the maintainers so the bug can be diagnosed. This is a separate, more careful channel than telemetry: telemetry is content-free by construction, but a log can incidentally contain fragments of memory content (e.g. inside an exception message). So error reporting is local-first and never sends without consent.
How it works¶
- Local first. When a reporter is attached, genuine errors from
remember/recall/answer/maintainare written to a local, user-owned rotating log file — and the original error is re-raised unchanged. Reporting is strictly additive; it never swallows or delays the real exception. - Sending is consented. A log is transmitted only with advance permission (opt-in auto-send) or an explicit per-incident "yes". Default: neither.
- Transparent + redacted.
previewshows exactly what would be sent. A redaction pass (on by default) scrubs emails, phone/account/card-like number runs, and grouped amounts from the tail first. Redaction is best-effort — the real safeguard is that you see the payload and choose. - Anonymous + bounded. A random install id (shared with telemetry if you have one), minimal environment (Veracium / python / os), and only the log tail up to a byte cap (default 64 KB).
- No endpoint shipped. Veracium bundles no URL, so even "enabled" sends nothing until an endpoint is configured.
What a report contains¶
{
"schema_version": 1,
"install_id": "<random>",
"reason": "manual | auto:<op>",
"veracium_version": "0.1.0",
"python": "3.12.3",
"os": "Linux",
"redacted": true,
"log_tail": "…the last N KB of the local error log, redacted…"
}
log_tail is the sensitive part. It is Veracium's own log lines — timestamps, the
operation that failed, a hashed user id, and the Python traceback. Tracebacks show
Veracium's source lines (not memory content); the residual risk is an exception
message that quoted a value, which is why redaction + preview + consent apply.
Raw user ids are never logged — only a truncated SHA-256 hash of the id.
CLI¶
veracium diagnostics status # setting + resolved log path
veracium diagnostics path # just the log file location
veracium diagnostics preview # EXACTLY what a report would send (redacted)
veracium diagnostics report # send the current log now — asks first, shows the preview
# advance permission (auto-send on future errors):
veracium diagnostics prompt # the consent question
veracium diagnostics enable --endpoint https://your-collector.example/report
veracium diagnostics disable # revoke send (local logging is unaffected)
The MCP server attaches a reporter automatically (local logging on). Because its
stdio transport isn't a terminal it never prompts and never auto-sends unless you
granted advance permission with veracium diagnostics enable; otherwise the log
stays local until you run veracium diagnostics report.
Embedded in a host application¶
The host decides whether Veracium manages a log at all, and owns the consent UX.
from veracium import Memory
from veracium import diagnostics
reporter = diagnostics.load_reporter() # None if local logging is disabled
mem = Memory(llm=your_llm, diagnostics=reporter)
try:
mem.remember(user_id, text)
except Exception:
# veracium already logged it locally and re-raised. Offer to report:
preview = mem.diagnostics_preview() # show the user what would be sent
if user_agrees:
mem.report_error(interactive=False) # sends iff an endpoint is configured
raise
mem.report_error(interactive=…)— send the captured log, subject to consent (advance permission, or an interactive yes). No-ops if nothing was captured or no endpoint is set; never raises.mem.diagnostics_preview()— the exact (redacted) payload, orNoneif off.
If you granted advance permission (diagnostics.set_report_enabled(True,
endpoint=…)), Veracium auto-sends on error — throttled so an error loop can't flood
the endpoint.
Config file¶
Stored at $XDG_CONFIG_HOME/veracium/diagnostics.json; the log defaults to
$XDG_STATE_HOME/veracium/veracium.log (override with log_path). Fields:
{log_enabled, report_enabled, prompt_on_error, redact, endpoint, log_path,
install_id, max_report_bytes, report_min_interval_s, last_report}. Set
log_enabled: false to turn off local logging entirely.
Guarantees, restated¶
- The real error is always re-raised; reporting never hides a failure.
- Nothing is sent without consent (advance permission or an explicit yes).
- You can see the exact payload first (
preview); redaction is on by default. - Anonymous (random install id); no raw user ids in the log.
- A reporting failure never affects memory (the reporter never raises).