feat(sec-core): add session report command #703

Open: jfeng18 wants to merge 8 commits into alibaba:main from jfeng18:feat/session-report

@jfeng18 jfeng18 commented Jun 3, 2026

Contributor

Summary

  • Add agent-sec-cli observability report command: per-session debrief aggregating observability and security event data from existing DBs into one view.
  • Supports --last (most recent session), --session-id, and --format json.
  • Graceful degradation with actionable hints when data sources are empty or unavailable.

Example output

Session eb5d7f37-9d1  (2026-06-03 14:06:34 — 14:06:46, 12s, 9 turns)
  LLM calls:       2
  Payload:         99,668 bytes sent, 1,581 bytes received
  Tools used:      run_shell_command(1)
  Security:        code_scan succeeded: 1

Changes

  • New: observability/session_report.py — SessionReport dataclass + build_session_report() aggregator + format_text() renderer
  • Modified: observability/cli.py — added report subcommand with --last/--session-id/--format
  • New: tests/unit-test/observability/test_session_report.py — 9 tests covering empty session, basic aggregation, security verdicts, format rendering, JSON roundtrip, and hint coverage
  • Modified: tests/unit-test/observability/test_cli.py — 8 integration tests for the report CLI subcommand (arg validation, text/JSON output, --last flag, security reader wiring)

Data sources (read-only, no writes)

  1. Observability SQLite (session/run/event timeline, LLM call metrics, tool breakdown)
  2. Security events SQLite via query_correlation_candidates (security verdicts by category)

Test plan

  • E2E tested: on Agentic ECS (short prompt / large output / multi-turn resume)
    • Observability + security data segments verified with real data
    • Empty-data hints verified (security session_id gap)
    • JSON output validated
    • Session-not-found error message verified
  • Unit tests only: 9 unit tests (session_report module) + 8 CLI integration tests, all with mocked readers

🤖 Generated with Claude Code

@jfeng18 jfeng18 requested review from RemindD, edonyzpc and kid9 as code owners June 3, 2026 14:13
@github-actions github-actions Bot added the component:sec-core src/agent-sec-core/ label Jun 3, 2026

@RemindD RemindD left a comment

Collaborator

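  1. Currently agent-sec-cli observability is mostly for showcasing security capabilities. Integrating tokenless data is likely to be ambiguous. Even setting that aside, integration with tokenless should go through the API rather than accessing the backend SQL DB directly.
  2. Formatting issues need to be fixed with make python-code-pretty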

jfeng18 commented Jun 4, 2026

Contributor Author

Agree on both points. Updated:

  1. Removed all tokenless integration — report now only aggregates observability + security data, scoped to security observability. No more import sqlite3, no direct DB access to tokenless stats.db.
  2. Ran black + isort for formatting.

Thanks for the review.

@jfeng18 jfeng18 force-pushed the feat/session-report branch 3 times, most recently from 9c95888 to 3f0fdea on June 4, 2026 23:35

jfeng18 commented Jun 6, 2026

Contributor Author

Updated per review feedback:

  1. Stale docstring fixed: removed "compression" from cli.py:149 docstring — tokenless code was already removed, this reference was stale
  2. Formatting applied: ran isort --profile black + black, verified zero diff after
  3. PR scope confirmed: only 2 data sources remain (Observability + Security), all tokenless/sqlite3 code was already removed in previous commit

Changes pushed in 81d59f4. Ready for re-review.

@jfeng18 jfeng18 force-pushed the feat/session-report branch from f4559d8 to 8850e4c on June 6, 2026 10:22

jfeng18 commented Jun 6, 2026

Contributor Author

Review feedback addressed. Ready for re-review.

jfeng18 commented Jun 8, 2026

Contributor Author

Hi @RemindD, gentle ping — I've addressed your earlier feedback. Ready for re-review when convenient.

jfeng18 and others added 7 commits June 10, 2026 11:05
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Adds 6 tests covering the `observability report` CLI command:
- --session-id and --last flag validation
- invalid --format rejection
- session not found error
- text and JSON output formats
- --last with no recorded sessions

These cover the cli.py:report() function (lines 137-199) that was
missing from incremental coverage, causing CI gate failure.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@jfeng18 jfeng18 force-pushed the feat/session-report branch from 1d37d28 to cd69153 on June 10, 2026 03:06

@RemindD RemindD left a comment

Collaborator

Please add E2E tests as well. @edonyzpc any comment?

7 tests covering: JSON/text output, session-id lookup, unknown
session, missing args, invalid format, and empty database.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

jfeng18 commented Jun 11, 2026

Contributor Author

Added E2E tests (tests/e2e/cli/test_session_report_e2e.py):

  • test_report_last_json — seeds session, verifies JSON fields (session_id, llm_calls, bytes, tool_breakdown)
  • test_report_last_text — verifies text output contains specific values (500 bytes, read_file(1))
  • test_report_session_id_json — lookup by specific session ID
  • test_report_unknown_session_fails — unknown session → exit 1
  • test_report_no_args_fails — missing args → exit 1
  • test_report_invalid_format_fails — invalid format → exit 1
  • test_report_last_empty_db_fails — empty database → exit 1

All 7 tests pass on ECS (Python 3.11, agent-sec-cli 0.5.0). Follows existing tests/e2e/cli/conftest.py patterns (isolated_data_dir fixture, run_cli helper).
