4runr-os 2.10.62 → 2.10.64

package/apps/gateway/package-lock.json

@@ -199,20 +199,20 @@
       }
     },
     "node_modules/@aws-sdk/client-kms": {
-      "version": "3.1058.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/client-kms/-/client-kms-3.1058.0.tgz",
-      "integrity": "sha512-sZ+vpNFa7ACfV0sMPCYR4dIMN9LUH/M/7OStsTADSNzTKiRQKTt//Vsfu7ku0tHEjjVX5fOc6oSeu9LRu4tD6Q==",
+      "version": "3.1059.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/client-kms/-/client-kms-3.1059.0.tgz",
+      "integrity": "sha512-4FPu9hM3Lvb98hWpuwLeaGrFcuc59tdP2tpTLpONTTaf8H3umJNNriSAu/0FDK656XIh9pzj4E4a3qLK4RkQEw==",
       "license": "Apache-2.0",
       "dependencies": {
         "@aws-crypto/sha256-browser": "5.2.0",
         "@aws-crypto/sha256-js": "5.2.0",
-        "@aws-sdk/core": "^3.974.15",
-        "@aws-sdk/credential-provider-node": "^3.972.48",
-        "@aws-sdk/types": "^3.973.9",
-        "@smithy/core": "^3.24.5",
-        "@smithy/fetch-http-handler": "^5.4.5",
-        "@smithy/node-http-handler": "^4.7.5",
-        "@smithy/types": "^4.14.2",
+        "@aws-sdk/core": "^3.974.16",
+        "@aws-sdk/credential-provider-node": "^3.972.49",
+        "@aws-sdk/types": "^3.973.10",
+        "@smithy/core": "^3.24.6",
+        "@smithy/fetch-http-handler": "^5.4.6",
+        "@smithy/node-http-handler": "^4.7.6",
+        "@smithy/types": "^4.14.3",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -220,20 +220,20 @@
       }
     },
     "node_modules/@aws-sdk/client-secrets-manager": {
-      "version": "3.1058.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/client-secrets-manager/-/client-secrets-manager-3.1058.0.tgz",
-      "integrity": "sha512-m6u7ns0aA1dJGKVhqz7HQFEyvMu5ae67bxVmolSH3rQwHnvjRxWMCgGKWljgHI/Pd2OiRtodZlLikafjo65EPg==",
+      "version": "3.1059.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/client-secrets-manager/-/client-secrets-manager-3.1059.0.tgz",
+      "integrity": "sha512-gAxWLTS5DKdIEDUgc6ulyGZTG6ExvGjer/yQCPR02SrQ4e2957t0dsFBVfVk+qgXKLcHit4NPJJCC5BLdxPvpA==",
       "license": "Apache-2.0",
       "dependencies": {
         "@aws-crypto/sha256-browser": "5.2.0",
         "@aws-crypto/sha256-js": "5.2.0",
-        "@aws-sdk/core": "^3.974.15",
-        "@aws-sdk/credential-provider-node": "^3.972.48",
-        "@aws-sdk/types": "^3.973.9",
-        "@smithy/core": "^3.24.5",
-        "@smithy/fetch-http-handler": "^5.4.5",
-        "@smithy/node-http-handler": "^4.7.5",
-        "@smithy/types": "^4.14.2",
+        "@aws-sdk/core": "^3.974.16",
+        "@aws-sdk/credential-provider-node": "^3.972.49",
+        "@aws-sdk/types": "^3.973.10",
+        "@smithy/core": "^3.24.6",
+        "@smithy/fetch-http-handler": "^5.4.6",
+        "@smithy/node-http-handler": "^4.7.6",
+        "@smithy/types": "^4.14.3",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -241,20 +241,20 @@
       }
     },
     "node_modules/@aws-sdk/client-ssm": {
-      "version": "3.1058.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/client-ssm/-/client-ssm-3.1058.0.tgz",
-      "integrity": "sha512-xvJ0IahS3aepnIW1400dApwH3i/eJk+ggXNbNxnjHxjN8gozTFKn80HaboT/husAImv8qzJhZG/9ZeeT7o2USg==",
+      "version": "3.1059.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/client-ssm/-/client-ssm-3.1059.0.tgz",
+      "integrity": "sha512-c6VaL8BKDeDSHWz59ELsYZcQit7r4aofVm07acWnxw1DQy5amQagOymPDhYwIpB6H3wZNMDu4FK3FxecNDzGww==",
       "license": "Apache-2.0",
       "dependencies": {
         "@aws-crypto/sha256-browser": "5.2.0",
         "@aws-crypto/sha256-js": "5.2.0",
-        "@aws-sdk/core": "^3.974.15",
-        "@aws-sdk/credential-provider-node": "^3.972.48",
-        "@aws-sdk/types": "^3.973.9",
-        "@smithy/core": "^3.24.5",
-        "@smithy/fetch-http-handler": "^5.4.5",
-        "@smithy/node-http-handler": "^4.7.5",
-        "@smithy/types": "^4.14.2",
+        "@aws-sdk/core": "^3.974.16",
+        "@aws-sdk/credential-provider-node": "^3.972.49",
+        "@aws-sdk/types": "^3.973.10",
+        "@smithy/core": "^3.24.6",
+        "@smithy/fetch-http-handler": "^5.4.6",
+        "@smithy/node-http-handler": "^4.7.6",
+        "@smithy/types": "^4.14.3",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -262,17 +262,17 @@
       }
     },
     "node_modules/@aws-sdk/core": {
-      "version": "3.974.15",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/core/-/core-3.974.15.tgz",
-      "integrity": "sha512-UpA0rTGW/tHGITcCqHisbuuEPraYg9GG+mWmXjY5+RxZBMLGe6aL9oe0ix50LztwAcPIkGZLH0yWdMIkCM10hw==",
+      "version": "3.974.16",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/core/-/core-3.974.16.tgz",
+      "integrity": "sha512-WXPvTfG7J2H4Ae6ewhd0285UC+8+9p/pKoibXXQlbXSqHexFLGM0oXHTwDfQEPmrNnvuWPpVjgoAUfW+cUFbXw==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@aws-sdk/types": "^3.973.9",
-        "@aws-sdk/xml-builder": "^3.972.26",
+        "@aws-sdk/types": "^3.973.10",
+        "@aws-sdk/xml-builder": "^3.972.27",
         "@aws/lambda-invoke-store": "^0.2.2",
-        "@smithy/core": "^3.24.5",
-        "@smithy/signature-v4": "^5.4.5",
-        "@smithy/types": "^4.14.2",
+        "@smithy/core": "^3.24.6",
+        "@smithy/signature-v4": "^5.4.6",
+        "@smithy/types": "^4.14.3",
         "bowser": "^2.11.0",
         "tslib": "^2.6.2"
       },
@@ -281,15 +281,15 @@
       }
     },
     "node_modules/@aws-sdk/credential-provider-env": {
-      "version": "3.972.41",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-env/-/credential-provider-env-3.972.41.tgz",
-      "integrity": "sha512-n1EbJ98yvPWWdHZZv8bRBMqqDQJrtgtxyJ4xLy2Uqrh25BCOZQ7nnS1CsFXvuH8r0b0KVHDZEGEH5FxmEMP8jg==",
+      "version": "3.972.42",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-env/-/credential-provider-env-3.972.42.tgz",
+      "integrity": "sha512-0+MCOYqeHyADFdeVr5/e1G8JJoWm7/szZAiKssqJS84E9+tO07509YNyQRJ5a7x5wO9YFAV324syrwm6yIcs5w==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@aws-sdk/core": "^3.974.15",
-        "@aws-sdk/types": "^3.973.9",
-        "@smithy/core": "^3.24.5",
-        "@smithy/types": "^4.14.2",
+        "@aws-sdk/core": "^3.974.16",
+        "@aws-sdk/types": "^3.973.10",
+        "@smithy/core": "^3.24.6",
+        "@smithy/types": "^4.14.3",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -297,17 +297,17 @@
       }
     },
     "node_modules/@aws-sdk/credential-provider-http": {
-      "version": "3.972.43",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-http/-/credential-provider-http-3.972.43.tgz",
-      "integrity": "sha512-TT76RN1NkI9WoyZqCNxOw6/WBMF7pYOTJcXbMokNFU+euSG40Kaf/t/FhDACVZWP+43wEM6ZynIPIkzS1wR1iA==",
+      "version": "3.972.44",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-http/-/credential-provider-http-3.972.44.tgz",
+      "integrity": "sha512-auuhqlnv4PUdfqcdHLKGTdoCceXOuby6WNeCMoxtZmQGWNCibbz95/lSYzNWq9cExN17UlRFqo1nvTcC+zHfEg==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@aws-sdk/core": "^3.974.15",
-        "@aws-sdk/types": "^3.973.9",
-        "@smithy/core": "^3.24.5",
-        "@smithy/fetch-http-handler": "^5.4.5",
-        "@smithy/node-http-handler": "^4.7.5",
-        "@smithy/types": "^4.14.2",
+        "@aws-sdk/core": "^3.974.16",
+        "@aws-sdk/types": "^3.973.10",
+        "@smithy/core": "^3.24.6",
+        "@smithy/fetch-http-handler": "^5.4.6",
+        "@smithy/node-http-handler": "^4.7.6",
+        "@smithy/types": "^4.14.3",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -315,23 +315,23 @@
       }
     },
     "node_modules/@aws-sdk/credential-provider-ini": {
-      "version": "3.972.46",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-ini/-/credential-provider-ini-3.972.46.tgz",
-      "integrity": "sha512-hvcgcwOiS0nb2XFb5Op1Pz/vYaWz5K8kKullziGpdNRuG0NwzRXseuPt2CoBqknHGaSPVesu1aOn2OcctEYdCA==",
+      "version": "3.972.47",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-ini/-/credential-provider-ini-3.972.47.tgz",
+      "integrity": "sha512-G+8JuG0CfLcC2IQXFVqMR1+KDF1rksebr+YL6+HHYbNjs/hiwX53ye45sU3pJKljpS2uIXqOrOsicHIv02vWrw==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@aws-sdk/core": "^3.974.15",
-        "@aws-sdk/credential-provider-env": "^3.972.41",
-        "@aws-sdk/credential-provider-http": "^3.972.43",
-        "@aws-sdk/credential-provider-login": "^3.972.45",
-        "@aws-sdk/credential-provider-process": "^3.972.41",
-        "@aws-sdk/credential-provider-sso": "^3.972.45",
-        "@aws-sdk/credential-provider-web-identity": "^3.972.45",
-        "@aws-sdk/nested-clients": "^3.997.13",
-        "@aws-sdk/types": "^3.973.9",
-        "@smithy/core": "^3.24.5",
-        "@smithy/credential-provider-imds": "^4.3.6",
-        "@smithy/types": "^4.14.2",
+        "@aws-sdk/core": "^3.974.16",
+        "@aws-sdk/credential-provider-env": "^3.972.42",
+        "@aws-sdk/credential-provider-http": "^3.972.44",
+        "@aws-sdk/credential-provider-login": "^3.972.46",
+        "@aws-sdk/credential-provider-process": "^3.972.42",
+        "@aws-sdk/credential-provider-sso": "^3.972.46",
+        "@aws-sdk/credential-provider-web-identity": "^3.972.46",
+        "@aws-sdk/nested-clients": "^3.997.14",
+        "@aws-sdk/types": "^3.973.10",
+        "@smithy/core": "^3.24.6",
+        "@smithy/credential-provider-imds": "^4.3.7",
+        "@smithy/types": "^4.14.3",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -339,16 +339,16 @@
       }
     },
     "node_modules/@aws-sdk/credential-provider-login": {
-      "version": "3.972.45",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-login/-/credential-provider-login-3.972.45.tgz",
-      "integrity": "sha512-MZQv4SNjByk1iOKmrqmzcUF/uCB05wjvEHyXKxmGQTUANTIVayX6HPUF0bzkWLvtnkH7sAn9kUCfkXbSpj9sDA==",
+      "version": "3.972.46",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-login/-/credential-provider-login-3.972.46.tgz",
+      "integrity": "sha512-+H6h2/1Q+iIJ4w+FPCKM//xwy4C9yADknDTR68+K3PbOtB/uLup3zIH8PUKn6QwnttME4VM4ftSTnbvoDf5wXg==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@aws-sdk/core": "^3.974.15",
-        "@aws-sdk/nested-clients": "^3.997.13",
-        "@aws-sdk/types": "^3.973.9",
-        "@smithy/core": "^3.24.5",
-        "@smithy/types": "^4.14.2",
+        "@aws-sdk/core": "^3.974.16",
+        "@aws-sdk/nested-clients": "^3.997.14",
+        "@aws-sdk/types": "^3.973.10",
+        "@smithy/core": "^3.24.6",
+        "@smithy/types": "^4.14.3",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -356,21 +356,21 @@
       }
     },
     "node_modules/@aws-sdk/credential-provider-node": {
-      "version": "3.972.48",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-node/-/credential-provider-node-3.972.48.tgz",
-      "integrity": "sha512-QIbtJP0olSLZ2ImEu636pP+7JJbPfaL3xSJIFXhu472CWuondCc4bGOa8OeyhOFet8z4H1D/ZFKXc39FboWwYA==",
+      "version": "3.972.49",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-node/-/credential-provider-node-3.972.49.tgz",
+      "integrity": "sha512-hlyoc+2352BhC+HF91t9avIDJu1+EvQGGltxFB8ADCpAHGYNNLEQAZJIPzw3O/bRiiDSE2B8pdj/fFCXlDTEDg==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@aws-sdk/credential-provider-env": "^3.972.41",
-        "@aws-sdk/credential-provider-http": "^3.972.43",
-        "@aws-sdk/credential-provider-ini": "^3.972.46",
-        "@aws-sdk/credential-provider-process": "^3.972.41",
-        "@aws-sdk/credential-provider-sso": "^3.972.45",
-        "@aws-sdk/credential-provider-web-identity": "^3.972.45",
-        "@aws-sdk/types": "^3.973.9",
-        "@smithy/core": "^3.24.5",
-        "@smithy/credential-provider-imds": "^4.3.6",
-        "@smithy/types": "^4.14.2",
+        "@aws-sdk/credential-provider-env": "^3.972.42",
+        "@aws-sdk/credential-provider-http": "^3.972.44",
+        "@aws-sdk/credential-provider-ini": "^3.972.47",
+        "@aws-sdk/credential-provider-process": "^3.972.42",
+        "@aws-sdk/credential-provider-sso": "^3.972.46",
+        "@aws-sdk/credential-provider-web-identity": "^3.972.46",
+        "@aws-sdk/types": "^3.973.10",
+        "@smithy/core": "^3.24.6",
+        "@smithy/credential-provider-imds": "^4.3.7",
+        "@smithy/types": "^4.14.3",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -378,15 +378,15 @@
       }
     },
     "node_modules/@aws-sdk/credential-provider-process": {
-      "version": "3.972.41",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-process/-/credential-provider-process-3.972.41.tgz",
-      "integrity": "sha512-7I/n1zkysouLOWvkEhjNEP4vMnD2v4kzzr3/3QBdrripEpn7ap1/I5DF3Hou1SUqkKWo1f3oPGMyFAA1FAMvsQ==",
+      "version": "3.972.42",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-process/-/credential-provider-process-3.972.42.tgz",
+      "integrity": "sha512-r996IYVtQ7rWa5UfSs3fZLT/Dq/SSgH9wv9zahx9lcg6vvaPPQHFpTy45nZajZu/+OUdEQxEjTn9rOMons59mA==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@aws-sdk/core": "^3.974.15",
-        "@aws-sdk/types": "^3.973.9",
-        "@smithy/core": "^3.24.5",
-        "@smithy/types": "^4.14.2",
+        "@aws-sdk/core": "^3.974.16",
+        "@aws-sdk/types": "^3.973.10",
+        "@smithy/core": "^3.24.6",
+        "@smithy/types": "^4.14.3",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -394,17 +394,17 @@
       }
     },
     "node_modules/@aws-sdk/credential-provider-sso": {
-      "version": "3.972.45",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-sso/-/credential-provider-sso-3.972.45.tgz",
-      "integrity": "sha512-oHgbz/eFD8IKiksqDsz9ZMU4A59BpQq4QwJedBnGD80ZqYcHPPHZBwjBnxLVkB7iRVVHWpDclR8yWdD2PkQIUA==",
+      "version": "3.972.46",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-sso/-/credential-provider-sso-3.972.46.tgz",
+      "integrity": "sha512-vd+UqRbiYLvXXH3kTAuTxq+Vdb3rOgg29/FeB35ETsgdJTTB7x3YuqtpRckATsL5bDRXFVQo0uBj0/vxCJ8hHg==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@aws-sdk/core": "^3.974.15",
-        "@aws-sdk/nested-clients": "^3.997.13",
-        "@aws-sdk/token-providers": "3.1056.0",
-        "@aws-sdk/types": "^3.973.9",
-        "@smithy/core": "^3.24.5",
-        "@smithy/types": "^4.14.2",
+        "@aws-sdk/core": "^3.974.16",
+        "@aws-sdk/nested-clients": "^3.997.14",
+        "@aws-sdk/token-providers": "3.1059.0",
+        "@aws-sdk/types": "^3.973.10",
+        "@smithy/core": "^3.24.6",
+        "@smithy/types": "^4.14.3",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -412,16 +412,16 @@
       }
     },
     "node_modules/@aws-sdk/credential-provider-web-identity": {
-      "version": "3.972.45",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-web-identity/-/credential-provider-web-identity-3.972.45.tgz",
-      "integrity": "sha512-CDhzKdb2onv5bpnjn/acgdNmJOQthPDLsPizU7rZflsEcgMMp8Mlri+U5hdxf8ldvZJpvM3vLU6D56vfJm5AMQ==",
+      "version": "3.972.46",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-web-identity/-/credential-provider-web-identity-3.972.46.tgz",
+      "integrity": "sha512-xuxBbMorygYsbDV6E/tUGQUgIDfhnzxz8uJYX8rByzehI6gLUu8RPsgOpLmh9YWerqeHZxJbqzgheBSB7tpooQ==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@aws-sdk/core": "^3.974.15",
-        "@aws-sdk/nested-clients": "^3.997.13",
-        "@aws-sdk/types": "^3.973.9",
-        "@smithy/core": "^3.24.5",
-        "@smithy/types": "^4.14.2",
+        "@aws-sdk/core": "^3.974.16",
+        "@aws-sdk/nested-clients": "^3.997.14",
+        "@aws-sdk/types": "^3.973.10",
+        "@smithy/core": "^3.24.6",
+        "@smithy/types": "^4.14.3",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -429,20 +429,20 @@
       }
     },
     "node_modules/@aws-sdk/nested-clients": {
-      "version": "3.997.13",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/nested-clients/-/nested-clients-3.997.13.tgz",
-      "integrity": "sha512-2pA6eyb5nSo/ZD2cayhOTEMoGQYgspq0RI05GDLkzQ3ajZ6isS6waV6E92Am/hz4LIlLUTrbwPLurJ/fuiHvkg==",
+      "version": "3.997.14",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/nested-clients/-/nested-clients-3.997.14.tgz",
+      "integrity": "sha512-T5CS1r4P27FjkBYIWwVibWqEuq32BbCga2Z5m5OBSdSdi2wPfW2vl6zLWAB/5MeeyC4s2pY/MY3cj2Gd3rgSkg==",
       "license": "Apache-2.0",
       "dependencies": {
         "@aws-crypto/sha256-browser": "5.2.0",
         "@aws-crypto/sha256-js": "5.2.0",
-        "@aws-sdk/core": "^3.974.15",
-        "@aws-sdk/signature-v4-multi-region": "^3.996.30",
-        "@aws-sdk/types": "^3.973.9",
-        "@smithy/core": "^3.24.5",
-        "@smithy/fetch-http-handler": "^5.4.5",
-        "@smithy/node-http-handler": "^4.7.5",
-        "@smithy/types": "^4.14.2",
+        "@aws-sdk/core": "^3.974.16",
+        "@aws-sdk/signature-v4-multi-region": "^3.996.31",
+        "@aws-sdk/types": "^3.973.10",
+        "@smithy/core": "^3.24.6",
+        "@smithy/fetch-http-handler": "^5.4.6",
+        "@smithy/node-http-handler": "^4.7.6",
+        "@smithy/types": "^4.14.3",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -450,14 +450,14 @@
       }
     },
     "node_modules/@aws-sdk/signature-v4-multi-region": {
-      "version": "3.996.30",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/signature-v4-multi-region/-/signature-v4-multi-region-3.996.30.tgz",
-      "integrity": "sha512-HULDLMVzkmTSEv6//7kx2kRevp/VYUpm8hJNNFbmhxDn0fUiGTxVcM9yg31TukvTq8nyOBDUN2gH0o5IRbKjdw==",
+      "version": "3.996.31",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/signature-v4-multi-region/-/signature-v4-multi-region-3.996.31.tgz",
+      "integrity": "sha512-Kn2up9SlG1KC6wRtwf0d7waTGF6rvp9DxYqB54x6UCKdQ6kyaXCqHL4WGb5vUJga5kS8FxnjhY0LqM28aMvnNQ==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@aws-sdk/types": "^3.973.9",
-        "@smithy/signature-v4": "^5.4.5",
-        "@smithy/types": "^4.14.2",
+        "@aws-sdk/types": "^3.973.10",
+        "@smithy/signature-v4": "^5.4.6",
+        "@smithy/types": "^4.14.3",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -465,16 +465,16 @@
       }
     },
     "node_modules/@aws-sdk/token-providers": {
-      "version": "3.1056.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/token-providers/-/token-providers-3.1056.0.tgz",
-      "integrity": "sha512-81duvlltQlsfn5K+o8zILcystBRdbT1G2JJYVCML5NZHBz4CL/zf+sAemCtBh/uh6RQUMyInGeZLQ7/8igZhbA==",
+      "version": "3.1059.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/token-providers/-/token-providers-3.1059.0.tgz",
+      "integrity": "sha512-xql+7YBAE7WYb9xJfY0vcAXM8rJXfClmB2wkt+g/EoLUMog0pOb7o741fE96wFqha0uQTEgTo/5lGGguzavxmw==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@aws-sdk/core": "^3.974.15",
-        "@aws-sdk/nested-clients": "^3.997.13",
-        "@aws-sdk/types": "^3.973.9",
-        "@smithy/core": "^3.24.5",
-        "@smithy/types": "^4.14.2",
+        "@aws-sdk/core": "^3.974.16",
+        "@aws-sdk/nested-clients": "^3.997.14",
+        "@aws-sdk/types": "^3.973.10",
+        "@smithy/core": "^3.24.6",
+        "@smithy/types": "^4.14.3",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -482,12 +482,12 @@
       }
     },
     "node_modules/@aws-sdk/types": {
-      "version": "3.973.9",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/types/-/types-3.973.9.tgz",
-      "integrity": "sha512-kuBfgQVdcz5Bmapc4A13YbpVw/pXkesfhetcFYwbntqas8sF41OHyd4o28+/TG2ZQdHBsv90Lsu5y6oitvYCdg==",
+      "version": "3.973.10",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/types/-/types-3.973.10.tgz",
+      "integrity": "sha512-992QrTO7G9qCvKD0fx1rMlqcL14plUcRAbwmqqYVsuF3GrqcvlAL9qxR+baMafarEZ+l7DUQ5lCMmt5mbMhF7g==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/types": "^4.14.2",
+        "@smithy/types": "^4.14.3",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -507,12 +507,12 @@
       }
     },
     "node_modules/@aws-sdk/xml-builder": {
-      "version": "3.972.26",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/xml-builder/-/xml-builder-3.972.26.tgz",
-      "integrity": "sha512-cDbrqvDS73whl6YAPSPq0U6whzG6UWI9PuWh0wrUuGoZexhWEqhdunbukV7iBoaWnFV1AODutM5hOD6rtn439g==",
+      "version": "3.972.27",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/xml-builder/-/xml-builder-3.972.27.tgz",
+      "integrity": "sha512-hpsCXCOI436kxWpjtRuIHVvuPP81MOw8f18jzfZeg+UOiiOvlqWcmWChzEhJEu16cOC6+ku4ncBN+7rdt+DZ9g==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/types": "^4.14.2",
+        "@smithy/types": "^4.14.3",
         "fast-xml-parser": "5.7.3",
         "tslib": "^2.6.2"
       },
@@ -4123,9 +4123,9 @@
       }
     },
     "node_modules/electron-to-chromium": {
-      "version": "1.5.364",
-      "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.364.tgz",
-      "integrity": "sha512-G/dYE3+AYhyHwzTwg8UbnXf7zqMERYh7l2jJ3QujhFsH8agSYwtnGAR2aZ7f0AakIKJXd5En/Hre4igIUrdlYw==",
+      "version": "1.5.366",
+      "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.366.tgz",
+      "integrity": "sha512-OlRuhb688YTCzzU3gXPLn6nGyd+F+53INE1qaKKlu6kETErE8FYsyDh0XqXEU+uBRn0MpCzz2vfNwORhkap8qg==",
       "dev": true,
       "license": "ISC"
     },
@@ -6860,9 +6860,9 @@
       "license": "MIT"
     },
     "node_modules/node-releases": {
-      "version": "2.0.46",
-      "resolved": "https://registry.npmjs.org/node-releases/-/node-releases-2.0.46.tgz",
-      "integrity": "sha512-GYVXHE2KnrzAfsAjl4uP++evGFCrAU1jta4ubEjIG7YWt/64Gqv66a30yKwWczVjA6j3bM4nBwH7Pk1JmDHaxQ==",
+      "version": "2.0.47",
+      "resolved": "https://registry.npmjs.org/node-releases/-/node-releases-2.0.47.tgz",
+      "integrity": "sha512-Uzmd6LXpouKo8EUK68IjH4+E01w/hXyV3R3g/geCJo+rXLNfh1xucB+LOzYEOQPSiUK3h/xZf0cQGcSsmyL2Og==",
       "dev": true,
       "license": "MIT",
       "engines": {

package/apps/gateway/scripts/verify-sentinel-persist.mjs

@@ -0,0 +1,81 @@
+/**
+ * One-shot: prove sentinel-limits.json round-trip changes Sentinel.getConfig()
+ * and policy thresholds (simulates Gateway restart without HTTP).
+ *
+ * Usage: node scripts/verify-sentinel-persist.mjs
+ */
+import * as fs from 'fs';
+import * as path from 'path';
+import * as os from 'os';
+
+const tmp = fs.mkdtempSync(path.join(os.tmpdir(), '4runr-persist-verify-'));
+process.env['APPDATA'] = tmp;
+
+const { Sentinel, policyManager } = await import('@4runr/sentinel');
+const {
+  saveSentinelLimitsToDisk,
+  loadSentinelLimitsFromDisk,
+  applyPersistedSentinelConfig,
+  getSentinelLimitsFilePath,
+} = await import('../dist/security/sentinel-config-store.js');
+
+const distinctive = {
+  enabled: true,
+  runMaxDurationMs: 111_000,
+  runMaxTokens: 22_000,
+  runIdleMs: 12_345,
+  loopWindow: 9,
+  loopMax: 4,
+  runMaxCost: 2.75,
+};
+
+saveSentinelLimitsToDisk(distinctive);
+const filePath = getSentinelLimitsFilePath();
+if (!fs.existsSync(filePath)) {
+  console.error('FAIL: file not written', filePath);
+  process.exit(1);
+}
+const onDisk = JSON.parse(fs.readFileSync(filePath, 'utf8'));
+console.log('OK: wrote', filePath);
+console.log('   config.runIdleMs on disk:', onDisk.config?.runIdleMs);
+
+const loaded = loadSentinelLimitsFromDisk();
+if (loaded?.runIdleMs !== distinctive.runIdleMs) {
+  console.error('FAIL: load from disk', loaded);
+  process.exit(1);
+}
+console.log('OK: loadSentinelLimitsFromDisk matches');
+
+Sentinel.resetInstance();
+const sentinel = Sentinel.getInstance();
+const before = sentinel.getConfig().runIdleMs;
+applyPersistedSentinelConfig(sentinel);
+const after = sentinel.getConfig().runIdleMs;
+if (after !== distinctive.runIdleMs) {
+  console.error('FAIL: after boot apply', { before, after, expected: distinctive.runIdleMs });
+  process.exit(1);
+}
+console.log('OK: fresh singleton after applyPersistedSentinelConfig', { before, after });
+
+const violations = policyManager.evaluatePolicies(
+  'verify-run',
+  {
+    runId: 'verify-run',
+    createdAt: Date.now(),
+    startedAt: Date.now() - 30_000,
+    lastTokenAt: Date.now() - 30_000,
+    tokenCount: 0,
+    status: 'running',
+    events: [],
+  },
+  sentinel.getConfig()
+);
+const idle = violations.find((v) => v.policy === 'idle');
+if (!idle || idle.threshold !== distinctive.runIdleMs) {
+  console.error('FAIL: policy threshold', idle);
+  process.exit(1);
+}
+console.log('OK: idle policy threshold = persisted runIdleMs', idle.threshold);
+
+fs.rmSync(tmp, { recursive: true, force: true });
+console.log('\nAll persistence checks passed (fundamental, not UI-only).');

package/apps/gateway/src/__tests__/sentinel-config-persist-http.test.ts

@@ -0,0 +1,85 @@
+/**
+ * HTTP apply → disk → simulated restart (proves route wiring, not UI-only).
+ */
+
+import { describe, it, expect, beforeEach, afterEach } from '@jest/globals';
+import Fastify from 'fastify';
+import * as fs from 'fs';
+import * as path from 'path';
+import * as os from 'os';
+import { Sentinel } from '@4runr/sentinel';
+import {
+  getSentinelLimitsFilePath,
+  applyPersistedSentinelConfig,
+} from '../security/sentinel-config-store.js';
+
+jest.mock('../middleware/rateLimit.js', () => ({
+  writeRateLimit: async () => {},
+  readRateLimit: async () => {},
+}));
+
+jest.mock('../middleware/auth.js', () => ({
+  requireAuth: async () => {},
+}));
+
+describe('POST /api/sentinel/policies/custom persistence', () => {
+  const originalAppData = process.env['APPDATA'];
+  let tmpDir: string;
+  let app: ReturnType<typeof Fastify>;
+
+  beforeEach(async () => {
+    tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), '4runr-sentinel-http-'));
+    process.env['APPDATA'] = tmpDir;
+    delete process.env['RUN_IDLE_MS'];
+    delete process.env['SENTINEL_IDLE_MS'];
+    Sentinel.resetInstance();
+
+    const { sentinelPolicyRoutes } = await import('../routes/sentinel-policies.js');
+    app = Fastify();
+    await sentinelPolicyRoutes(app);
+    await app.ready();
+  });
+
+  afterEach(async () => {
+    await app.close();
+    Sentinel.resetInstance();
+    if (originalAppData === undefined) delete process.env['APPDATA'];
+    else process.env['APPDATA'] = originalAppData;
+    fs.rmSync(tmpDir, { recursive: true, force: true });
+  });
+
+  it('writes sentinel-limits.json and reloads after simulated Gateway restart', async () => {
+    const distinctiveIdle = 77_777;
+
+    const res = await app.inject({
+      method: 'POST',
+      url: '/api/sentinel/policies/custom',
+      payload: {
+        enabled: true,
+        runMaxDurationMs: 120_000,
+        runMaxTokens: 16_000,
+        runIdleMs: distinctiveIdle,
+        loopWindow: 15,
+        loopMax: 5,
+        runMaxCost: 1.5,
+      },
+    });
+
+    expect(res.statusCode).toBe(200);
+    const body = res.json() as { success?: boolean; config?: { runIdleMs?: number } };
+    expect(body.success).toBe(true);
+    expect(body.config?.runIdleMs).toBe(distinctiveIdle);
+
+    const filePath = getSentinelLimitsFilePath();
+    expect(fs.existsSync(filePath)).toBe(true);
+    const onDisk = JSON.parse(fs.readFileSync(filePath, 'utf8')) as {
+      config: { runIdleMs: number };
+    };
+    expect(onDisk.config.runIdleMs).toBe(distinctiveIdle);
+
+    Sentinel.resetInstance();
+    const sentinel = Sentinel.getInstance();
+    expect(applyPersistedSentinelConfig(sentinel)).toBe(true);
+    expect(sentinel.getConfig().runIdleMs).toBe(distinctiveIdle);
+  });
+});

package/apps/gateway/src/__tests__/sentinel-config-store.test.ts

@@ -0,0 +1,133 @@
+/**
+ * Sentinel limits disk persistence
+ */
+
+import { describe, it, expect, beforeEach, afterEach } from '@jest/globals';
+import * as fs from 'fs';
+import * as path from 'path';
+import * as os from 'os';
+import {
+  getSentinelLimitsFilePath,
+  loadSentinelLimitsFromDisk,
+  saveSentinelLimitsToDisk,
+  applyPersistedSentinelConfig,
+} from '../security/sentinel-config-store.js';
+import { Sentinel, policyManager } from '@4runr/sentinel';
+import type { RunState } from '@4runr/sentinel';
+
+describe('sentinel-config-store', () => {
+  const originalAppData = process.env['APPDATA'];
+  let tmpDir: string;
+
+  beforeEach(() => {
+    tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), '4runr-sentinel-'));
+    process.env['APPDATA'] = tmpDir;
+    Sentinel.resetInstance();
+  });
+
+  afterEach(() => {
+    Sentinel.resetInstance();
+    if (originalAppData === undefined) {
+      delete process.env['APPDATA'];
+    } else {
+      process.env['APPDATA'] = originalAppData;
+    }
+    fs.rmSync(tmpDir, { recursive: true, force: true });
+  });
+
+  it('round-trips config to disk', () => {
+    const config = {
+      enabled: true,
+      runMaxDurationMs: 90_000,
+      runMaxTokens: 8_000,
+      runIdleMs: 45_000,
+      loopWindow: 10,
+      loopMax: 3,
+      runMaxCost: 1.25,
+    };
+    saveSentinelLimitsToDisk(config);
+    expect(fs.existsSync(getSentinelLimitsFilePath())).toBe(true);
+    const loaded = loadSentinelLimitsFromDisk();
+    expect(loaded).toMatchObject(config);
+  });
+
+  it('applyPersistedSentinelConfig merges when env field unset', () => {
+    delete process.env['RUN_IDLE_MS'];
+    delete process.env['SENTINEL_IDLE_MS'];
+    saveSentinelLimitsToDisk({
+      enabled: true,
+      runMaxDurationMs: 60_000,
+      runMaxTokens: 16_000,
+      runIdleMs: 99_000,
+      loopWindow: 15,
+      loopMax: 5,
+      runMaxCost: 2.0,
+    });
+    const sentinel = Sentinel.getInstance();
+    applyPersistedSentinelConfig(sentinel);
+    expect(sentinel.getConfig().runIdleMs).toBe(99_000);
+  });
+
+  it('simulates Gateway restart: disk limits reload into a fresh Sentinel singleton', () => {
+    delete process.env['RUN_IDLE_MS'];
+    delete process.env['SENTINEL_IDLE_MS'];
+
+    const distinctiveIdle = 12_345;
+    saveSentinelLimitsToDisk({
+      enabled: true,
+      runMaxDurationMs: 600_000,
+      runMaxTokens: 50_000,
+      runIdleMs: distinctiveIdle,
+      loopWindow: 15,
+      loopMax: 5,
+      runMaxCost: 3.5,
+    });
+
+    Sentinel.resetInstance();
+    const sentinel = Sentinel.getInstance();
+    expect(sentinel.getConfig().runIdleMs).not.toBe(distinctiveIdle);
+
+    expect(applyPersistedSentinelConfig(sentinel)).toBe(true);
+    expect(sentinel.getConfig().runIdleMs).toBe(distinctiveIdle);
+    expect(sentinel.getConfig().runMaxCost).toBe(3.5);
+  });
+
+  it('persisted limits drive real policy evaluation (not display-only)', () => {
+    delete process.env['RUN_IDLE_MS'];
+    delete process.env['SENTINEL_IDLE_MS'];
+
+    const idleMs = 8_000;
+    saveSentinelLimitsToDisk({
+      enabled: true,
+      runMaxDurationMs: 600_000,
+      runMaxTokens: 50_000,
+      runIdleMs: idleMs,
+      loopWindow: 15,
+      loopMax: 5,
+      runMaxCost: 1.0,
+    });
+
+    Sentinel.resetInstance();
+    const sentinel = Sentinel.getInstance();
+    applyPersistedSentinelConfig(sentinel);
+
+    const runState: RunState = {
+      runId: 'run-persist-verify',
+      createdAt: Date.now(),
+      startedAt: Date.now() - 20_000,
+      lastTokenAt: Date.now() - 20_000,
+      tokenCount: 0,
+      status: 'running',
+      events: [],
+    };
+
+    const violations = policyManager.evaluatePolicies(
+      'run-persist-verify',
+      runState,
+      sentinel.getConfig()
+    );
+    const idleViolation = violations.find((v) => v.policy === 'idle');
+    expect(idleViolation).toBeDefined();
+    expect(idleViolation!.threshold).toBe(idleMs);
+  });
+});

package/apps/gateway/src/index.ts

@@ -81,6 +81,7 @@ import { ddosProtection } from './middleware/ddos-protection.js';
 import { wrapLoggerForMonitoring } from './middleware/log-capture.js';
 import { initializeDatabase, shutdownDatabase } from './db/init.js';
 import type { PrismaClient } from '@prisma/client';
+import { applyPersistedSentinelConfig } from './security/sentinel-config-store.js';
 
 // Initialize no-persistence mode BEFORE any other initialization (only in memory mode)
 // This must happen before any filesystem writes or database connections
@@ -364,6 +365,7 @@ const sseConnections = new Map<string, Set<any>>();
 // Sentinel integration - event streams for each run
 const sentinelEventStreams = new Map<string, GatewayEventStream>();
 const sentinel = Sentinel.getInstance();
+applyPersistedSentinelConfig(sentinel, baseLogger);
 
 // Shield integration - AI Safety Layer (mode from SENTINEL_SHIELD_MODE — see shield-config.ts)
 const shield = Shield.getInstance();

package/apps/gateway/src/routes/sentinel-policies.ts

@@ -12,6 +12,7 @@ import {
 } from '@4runr/sentinel';
 import { requireAuth } from '../middleware/auth.js';
 import { readRateLimit, writeRateLimit } from '../middleware/rateLimit.js';
+import { persistSentinelConfigAfterApply } from '../security/sentinel-config-store.js';
 
 /**
  * Register Sentinel policy management routes
@@ -170,11 +171,12 @@ export async function sentinelPolicyRoutes(fastify: FastifyInstance) {
       
       try {
         sentinel.updateConfig(config);
+        const savedTo = persistSentinelConfigAfterApply(sentinel, config);
         return {
           success: true,
           template: templateName,
           config: config,
-          message: `Template '${templateName}' applied successfully. New limits are now active.`
+          message: `Template '${templateName}' applied. Limits active and saved to ${savedTo}.`,
         };
       } catch (error: any) {
         return reply.status(400).send({
@@ -229,10 +231,11 @@ export async function sentinelPolicyRoutes(fastify: FastifyInstance) {
 
         try {
           sentinel.updateConfig(config);
+          const savedTo = persistSentinelConfigAfterApply(sentinel, config);
           return {
             success: true,
             config,
-            message: 'Custom Sentinel limits applied. Active until Gateway restart unless set via env.',
+            message: `Custom Sentinel limits applied and saved to ${savedTo}. Survives Gateway restart; env vars override individual fields when set.`,
           };
         } catch (error: unknown) {
           const msg = error instanceof Error ? error.message : String(error);

package/apps/gateway/src/security/sentinel-config-store.ts

@@ -0,0 +1,150 @@
+/**
+ * Persist operator Sentinel limits to disk (survives Gateway restart).
+ * File: {4Runr data dir}/config/sentinel-limits.json
+ *
+ * Boot order: env defaults (packages/sentinel) → overlay saved file when present.
+ * Explicit env vars for a field are not overwritten by the saved file.
+ */
+
+import * as fs from 'fs';
+import * as path from 'path';
+import { get4RunrConfigDir } from '@4runr/shared';
+import { Sentinel, type SentinelConfig } from '@4runr/sentinel';
+
+const FILE_NAME = 'sentinel-limits.json';
+
+const ENV_FIELD_KEYS: Array<{
+  field: keyof SentinelConfig;
+  envKeys: string[];
+}> = [
+  { field: 'enabled', envKeys: ['SENTINEL_ENABLED'] },
+  { field: 'runMaxDurationMs', envKeys: ['RUN_MAX_DURATION_MS'] },
+  { field: 'runMaxTokens', envKeys: ['RUN_MAX_TOKENS'] },
+  { field: 'runIdleMs', envKeys: ['SENTINEL_IDLE_MS', 'RUN_IDLE_MS'] },
+  { field: 'loopWindow', envKeys: ['SENTINEL_LOOP_WINDOW'] },
+  { field: 'loopMax', envKeys: ['SENTINEL_LOOP_MAX'] },
+  { field: 'runMaxCost', envKeys: ['RUN_MAX_COST', 'SENTINEL_MAX_COST'] },
+];
+
+export function getSentinelLimitsFilePath(): string {
+  return path.join(get4RunrConfigDir(), FILE_NAME);
+}
+
+function envDefinesField(field: keyof SentinelConfig): boolean {
+  const entry = ENV_FIELD_KEYS.find((e) => e.field === field);
+  if (!entry) return false;
+  return entry.envKeys.some((k) => {
+    const v = process.env[k];
+    return v !== undefined && v.trim() !== '';
+  });
+}
+
+function parseSavedPayload(raw: unknown): SentinelConfig | null {
+  if (!raw || typeof raw !== 'object') return null;
+  const o = raw as Record<string, unknown>;
+  const num = (key: string): number | undefined => {
+    const v = o[key];
+    if (typeof v === 'number' && Number.isFinite(v)) return v;
+    return undefined;
+  };
+  const enabled = o['enabled'];
+  if (typeof enabled !== 'boolean') return null;
+  const runMaxDurationMs = num('runMaxDurationMs');
+  const runMaxTokens = num('runMaxTokens');
+  const runIdleMs = num('runIdleMs');
+  const loopWindow = num('loopWindow');
+  const loopMax = num('loopMax');
+  if (
+    runMaxDurationMs === undefined ||
+    runMaxTokens === undefined ||
+    runIdleMs === undefined ||
+    loopWindow === undefined ||
+    loopMax === undefined
+  ) {
+    return null;
+  }
+  const runMaxCost = num('runMaxCost');
+  return {
+    enabled,
+    runMaxDurationMs,
+    runMaxTokens,
+    runIdleMs,
+    loopWindow,
+    loopMax,
+    ...(runMaxCost !== undefined ? { runMaxCost } : {}),
+  };
+}
+
+export function loadSentinelLimitsFromDisk(): SentinelConfig | null {
+  const filePath = getSentinelLimitsFilePath();
+  try {
+    if (!fs.existsSync(filePath)) return null;
+    const text = fs.readFileSync(filePath, 'utf8');
+    const parsed = JSON.parse(text) as unknown;
+    const inner =
+      parsed && typeof parsed === 'object' && 'config' in (parsed as object)
+        ? (parsed as { config: unknown }).config
+        : parsed;
+    return parseSavedPayload(inner);
+  } catch {
+    return null;
+  }
+}
+
+export function saveSentinelLimitsToDisk(config: SentinelConfig): void {
+  const filePath = getSentinelLimitsFilePath();
+  const payload = {
+    version: 1,
+    updatedAt: new Date().toISOString(),
+    config: {
+      enabled: config.enabled,
+      runMaxDurationMs: config.runMaxDurationMs,
+      runMaxTokens: config.runMaxTokens,
+      runIdleMs: config.runIdleMs,
+      loopWindow: config.loopWindow,
+      loopMax: config.loopMax,
+      runMaxCost: config.runMaxCost ?? 1.0,
+    },
+  };
+  fs.writeFileSync(filePath, JSON.stringify(payload, null, 2), { mode: 0o600 });
+}
+
+/**
+ * Apply saved limits on Gateway boot. Env-defined fields keep env values.
+ */
+export function applyPersistedSentinelConfig(sentinel: Sentinel, logger?: {
+  info: (msg: string, meta?: Record<string, unknown>) => void;
+  warn: (msg: string, meta?: Record<string, unknown>) => void;
+}): boolean {
+  const saved = loadSentinelLimitsFromDisk();
+  if (!saved) return false;
+
+  const current = sentinel.getConfig();
+  const merged: SentinelConfig = { ...current };
+
+  for (const { field } of ENV_FIELD_KEYS) {
+    if (envDefinesField(field)) continue;
+    (merged as Record<string, unknown>)[field] = saved[field];
+  }
+
+  try {
+    sentinel.updateConfig(merged);
+    logger?.info('Sentinel limits loaded from disk', {
+      path: getSentinelLimitsFilePath(),
+    });
+    return true;
+  } catch (err) {
+    logger?.warn('Failed to apply saved Sentinel limits', {
+      error: err instanceof Error ? err.message : String(err),
+    });
+    return false;
+  }
+}
+
+export function persistSentinelConfigAfterApply(
+  sentinel: Sentinel,
+  config: SentinelConfig
+): string {
+  saveSentinelLimitsToDisk(config);
+  return getSentinelLimitsFilePath();
+}

package/mk3-tui/src/ui/sentinel_config.rs

@@ -256,11 +256,11 @@ impl SentinelConfigState {
                 }
             }
             CustomField::MaxCost => {
-                let step = 0.25;
+                let step = 0.05;
                 if increase {
-                    d.max_cost = (d.max_cost + step).min(100.0);
+                    d.max_cost = round_cost((d.max_cost + step).min(100.0));
                 } else {
-                    d.max_cost = (d.max_cost - step).max(0.01);
+                    d.max_cost = round_cost((d.max_cost - step).max(0.05));
                 }
             }
             CustomField::LoopWindow => {
@@ -430,10 +430,28 @@ pub fn parse_health(v: &Value) -> SentinelHealthSnapshot {
 }
 
 fn fmt_ms(ms: u64) -> String {
-    if ms >= 60_000 {
-        format!("{:.0}m", ms as f64 / 60_000.0)
+    let total_secs = ms / 1000;
+    let mins = total_secs / 60;
+    let secs = total_secs % 60;
+    if mins > 0 {
+        format!("{}:{:02}", mins, secs)
     } else {
-        format!("{:.0}s", ms as f64 / 1000.0)
+        format!("{}s", secs)
+    }
+}
+
+fn round_cost(usd: f64) -> f64 {
+    (usd * 100.0).round() / 100.0
+}
+
+fn fmt_cost(usd: f64) -> String {
+    let cents = (round_cost(usd) * 100.0).round() as i64;
+    let dollars = cents / 100;
+    let rem = cents.abs() % 100;
+    if rem == 0 {
+        format!("${}", dollars)
+    } else {
+        format!("${}.{:02}", dollars, rem)
     }
 }
 
@@ -449,7 +467,7 @@ fn custom_field_value(d: &SentinelCurrentConfig, field: CustomField) -> String {
         CustomField::IdleMs => fmt_ms(d.idle_ms),
         CustomField::MaxDurationMs => fmt_ms(d.duration_ms),
         CustomField::MaxTokens => format!("{}", d.max_tokens),
-        CustomField::MaxCost => format!("${:.2}", d.max_cost),
+        CustomField::MaxCost => fmt_cost(d.max_cost),
         CustomField::LoopWindow => format!("{}s", d.loop_window),
         CustomField::LoopMax => format!("{}", d.loop_max),
     }
@@ -511,7 +529,7 @@ pub fn render(f: &mut Frame, state: &AppState) {
             "Tab Custom · ↑/↓ Template · Enter Apply · R Refresh · ESC Close"
         }
         SentinelViewMode::Custom => {
-            "Tab Templates · ↑/↓ Field · ←/→ or +/- Value · Space ON/OFF · Enter Apply · ESC Close"
+            "Tab Templates · ↑/↓ Field · ←/→ Value · Enter Apply (saves to disk) · ESC Close"
         }
     };
     const CUSTOM_SHORTCUTS: &str =
@@ -599,10 +617,7 @@ fn render_active_panel(f: &mut Frame, area: Rect, sc: &SentinelConfigState) {
         ]),
         Line::from(vec![
             Span::styled("Max cost: ", Style::default().fg(TEXT_DIM)),
-            Span::styled(
-                format!("${:.2}", sc.current_max_cost),
-                Style::default().fg(AMBER_WARN),
-            ),
+            Span::styled(fmt_cost(sc.current_max_cost), Style::default().fg(AMBER_WARN)),
         ]),
         Line::from(vec![
             Span::styled("Loop detect: ", Style::default().fg(TEXT_DIM)),
@@ -726,15 +741,15 @@ fn render_custom_help(f: &mut Frame, area: Rect, sc: &SentinelConfigState) {
     lines.push(Line::from(field.env_var()).style(Style::default().fg(CYBER_CYAN)));
     lines.push(Line::from(""));
     lines.push(
-        Line::from("UI Apply = live in memory until Gateway restarts.")
-            .style(Style::default().fg(TEXT_MUTED)),
+        Line::from("Enter Apply → Gateway + disk (%APPDATA%\\4runr\\config\\sentinel-limits.json).")
+            .style(Style::default().fg(NEON_GREEN)),
     );
     lines.push(
-        Line::from("D in 4r disconnect respawns Gateway → env defaults return.")
+        Line::from("Survives Gateway restart. Env vars in docker-compose override fields when set.")
             .style(Style::default().fg(TEXT_MUTED)),
     );
     lines.push(
-        Line::from("Set env in docker-compose / shell before connect to keep forever.")
+        Line::from("Scope: all agent runs on this Gateway (one policy per run execution).")
             .style(Style::default().fg(TEXT_MUTED)),
     );
     lines.push(Line::from(""));
@@ -745,3 +760,25 @@ fn render_custom_help(f: &mut Frame, area: Rect, sc: &SentinelConfigState) {
 
     f.render_widget(Paragraph::new(lines).wrap(Wrap { trim: false }), inner);
 }
+
+#[cfg(test)]
+mod format_tests {
+    use super::{fmt_cost, fmt_ms};
+
+    #[test]
+    fn fmt_ms_shows_minutes_and_seconds() {
+        assert_eq!(fmt_ms(30_000), "30s");
+        assert_eq!(fmt_ms(60_000), "1:00");
+        assert_eq!(fmt_ms(75_000), "1:15");
+        assert_eq!(fmt_ms(240_000), "4:00");
+        assert_eq!(fmt_ms(255_000), "4:15");
+    }
+
+    #[test]
+    fn fmt_cost_shows_cents_when_present() {
+        assert_eq!(fmt_cost(1.0), "$1");
+        assert_eq!(fmt_cost(1.05), "$1.05");
+        assert_eq!(fmt_cost(1.15), "$1.15");
+        assert_eq!(fmt_cost(1.25), "$1.25");
+    }
+}

package/package.json

@@ -1,8 +1,8 @@
 {
   "name": "4runr-os",
-  "version": "2.10.62",
+  "version": "2.10.64",
   "type": "module",
-  "description": "4Runr AI Agent OS - Secure terminal interface for AI agents. v2.10.62: Sentinel Custom tab — edit limits with arrow keys, +/-, and mouse wheel.",
+  "description": "4Runr AI Agent OS - Secure terminal interface for AI agents. v2.10.64: Sentinel limits persist to disk; Custom tab edit with arrow keys and M:SS display.",
   "main": "dist/index.js",
   "bin": {
     "4runr": "dist/index.js",