4runr-os 2.10.63 → 2.10.65

package/apps/gateway/package-lock.json

@@ -199,20 +199,20 @@
       }
     },
     "node_modules/@aws-sdk/client-kms": {
-      "version": "3.1058.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/client-kms/-/client-kms-3.1058.0.tgz",
-      "integrity": "sha512-sZ+vpNFa7ACfV0sMPCYR4dIMN9LUH/M/7OStsTADSNzTKiRQKTt//Vsfu7ku0tHEjjVX5fOc6oSeu9LRu4tD6Q==",
+      "version": "3.1059.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/client-kms/-/client-kms-3.1059.0.tgz",
+      "integrity": "sha512-4FPu9hM3Lvb98hWpuwLeaGrFcuc59tdP2tpTLpONTTaf8H3umJNNriSAu/0FDK656XIh9pzj4E4a3qLK4RkQEw==",
       "license": "Apache-2.0",
       "dependencies": {
         "@aws-crypto/sha256-browser": "5.2.0",
         "@aws-crypto/sha256-js": "5.2.0",
-        "@aws-sdk/core": "^3.974.15",
-        "@aws-sdk/credential-provider-node": "^3.972.48",
-        "@aws-sdk/types": "^3.973.9",
-        "@smithy/core": "^3.24.5",
-        "@smithy/fetch-http-handler": "^5.4.5",
-        "@smithy/node-http-handler": "^4.7.5",
-        "@smithy/types": "^4.14.2",
+        "@aws-sdk/core": "^3.974.16",
+        "@aws-sdk/credential-provider-node": "^3.972.49",
+        "@aws-sdk/types": "^3.973.10",
+        "@smithy/core": "^3.24.6",
+        "@smithy/fetch-http-handler": "^5.4.6",
+        "@smithy/node-http-handler": "^4.7.6",
+        "@smithy/types": "^4.14.3",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -220,20 +220,20 @@
       }
     },
     "node_modules/@aws-sdk/client-secrets-manager": {
-      "version": "3.1058.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/client-secrets-manager/-/client-secrets-manager-3.1058.0.tgz",
-      "integrity": "sha512-m6u7ns0aA1dJGKVhqz7HQFEyvMu5ae67bxVmolSH3rQwHnvjRxWMCgGKWljgHI/Pd2OiRtodZlLikafjo65EPg==",
+      "version": "3.1059.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/client-secrets-manager/-/client-secrets-manager-3.1059.0.tgz",
+      "integrity": "sha512-gAxWLTS5DKdIEDUgc6ulyGZTG6ExvGjer/yQCPR02SrQ4e2957t0dsFBVfVk+qgXKLcHit4NPJJCC5BLdxPvpA==",
       "license": "Apache-2.0",
       "dependencies": {
         "@aws-crypto/sha256-browser": "5.2.0",
         "@aws-crypto/sha256-js": "5.2.0",
-        "@aws-sdk/core": "^3.974.15",
-        "@aws-sdk/credential-provider-node": "^3.972.48",
-        "@aws-sdk/types": "^3.973.9",
-        "@smithy/core": "^3.24.5",
-        "@smithy/fetch-http-handler": "^5.4.5",
-        "@smithy/node-http-handler": "^4.7.5",
-        "@smithy/types": "^4.14.2",
+        "@aws-sdk/core": "^3.974.16",
+        "@aws-sdk/credential-provider-node": "^3.972.49",
+        "@aws-sdk/types": "^3.973.10",
+        "@smithy/core": "^3.24.6",
+        "@smithy/fetch-http-handler": "^5.4.6",
+        "@smithy/node-http-handler": "^4.7.6",
+        "@smithy/types": "^4.14.3",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -241,20 +241,20 @@
       }
     },
     "node_modules/@aws-sdk/client-ssm": {
-      "version": "3.1058.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/client-ssm/-/client-ssm-3.1058.0.tgz",
-      "integrity": "sha512-xvJ0IahS3aepnIW1400dApwH3i/eJk+ggXNbNxnjHxjN8gozTFKn80HaboT/husAImv8qzJhZG/9ZeeT7o2USg==",
+      "version": "3.1059.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/client-ssm/-/client-ssm-3.1059.0.tgz",
+      "integrity": "sha512-c6VaL8BKDeDSHWz59ELsYZcQit7r4aofVm07acWnxw1DQy5amQagOymPDhYwIpB6H3wZNMDu4FK3FxecNDzGww==",
       "license": "Apache-2.0",
       "dependencies": {
         "@aws-crypto/sha256-browser": "5.2.0",
         "@aws-crypto/sha256-js": "5.2.0",
-        "@aws-sdk/core": "^3.974.15",
-        "@aws-sdk/credential-provider-node": "^3.972.48",
-        "@aws-sdk/types": "^3.973.9",
-        "@smithy/core": "^3.24.5",
-        "@smithy/fetch-http-handler": "^5.4.5",
-        "@smithy/node-http-handler": "^4.7.5",
-        "@smithy/types": "^4.14.2",
+        "@aws-sdk/core": "^3.974.16",
+        "@aws-sdk/credential-provider-node": "^3.972.49",
+        "@aws-sdk/types": "^3.973.10",
+        "@smithy/core": "^3.24.6",
+        "@smithy/fetch-http-handler": "^5.4.6",
+        "@smithy/node-http-handler": "^4.7.6",
+        "@smithy/types": "^4.14.3",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -262,17 +262,17 @@
       }
     },
     "node_modules/@aws-sdk/core": {
-      "version": "3.974.15",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/core/-/core-3.974.15.tgz",
-      "integrity": "sha512-UpA0rTGW/tHGITcCqHisbuuEPraYg9GG+mWmXjY5+RxZBMLGe6aL9oe0ix50LztwAcPIkGZLH0yWdMIkCM10hw==",
+      "version": "3.974.16",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/core/-/core-3.974.16.tgz",
+      "integrity": "sha512-WXPvTfG7J2H4Ae6ewhd0285UC+8+9p/pKoibXXQlbXSqHexFLGM0oXHTwDfQEPmrNnvuWPpVjgoAUfW+cUFbXw==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@aws-sdk/types": "^3.973.9",
-        "@aws-sdk/xml-builder": "^3.972.26",
+        "@aws-sdk/types": "^3.973.10",
+        "@aws-sdk/xml-builder": "^3.972.27",
         "@aws/lambda-invoke-store": "^0.2.2",
-        "@smithy/core": "^3.24.5",
-        "@smithy/signature-v4": "^5.4.5",
-        "@smithy/types": "^4.14.2",
+        "@smithy/core": "^3.24.6",
+        "@smithy/signature-v4": "^5.4.6",
+        "@smithy/types": "^4.14.3",
         "bowser": "^2.11.0",
         "tslib": "^2.6.2"
       },
@@ -281,15 +281,15 @@
       }
     },
     "node_modules/@aws-sdk/credential-provider-env": {
-      "version": "3.972.41",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-env/-/credential-provider-env-3.972.41.tgz",
-      "integrity": "sha512-n1EbJ98yvPWWdHZZv8bRBMqqDQJrtgtxyJ4xLy2Uqrh25BCOZQ7nnS1CsFXvuH8r0b0KVHDZEGEH5FxmEMP8jg==",
+      "version": "3.972.42",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-env/-/credential-provider-env-3.972.42.tgz",
+      "integrity": "sha512-0+MCOYqeHyADFdeVr5/e1G8JJoWm7/szZAiKssqJS84E9+tO07509YNyQRJ5a7x5wO9YFAV324syrwm6yIcs5w==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@aws-sdk/core": "^3.974.15",
-        "@aws-sdk/types": "^3.973.9",
-        "@smithy/core": "^3.24.5",
-        "@smithy/types": "^4.14.2",
+        "@aws-sdk/core": "^3.974.16",
+        "@aws-sdk/types": "^3.973.10",
+        "@smithy/core": "^3.24.6",
+        "@smithy/types": "^4.14.3",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -297,17 +297,17 @@
       }
     },
     "node_modules/@aws-sdk/credential-provider-http": {
-      "version": "3.972.43",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-http/-/credential-provider-http-3.972.43.tgz",
-      "integrity": "sha512-TT76RN1NkI9WoyZqCNxOw6/WBMF7pYOTJcXbMokNFU+euSG40Kaf/t/FhDACVZWP+43wEM6ZynIPIkzS1wR1iA==",
+      "version": "3.972.44",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-http/-/credential-provider-http-3.972.44.tgz",
+      "integrity": "sha512-auuhqlnv4PUdfqcdHLKGTdoCceXOuby6WNeCMoxtZmQGWNCibbz95/lSYzNWq9cExN17UlRFqo1nvTcC+zHfEg==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@aws-sdk/core": "^3.974.15",
-        "@aws-sdk/types": "^3.973.9",
-        "@smithy/core": "^3.24.5",
-        "@smithy/fetch-http-handler": "^5.4.5",
-        "@smithy/node-http-handler": "^4.7.5",
-        "@smithy/types": "^4.14.2",
+        "@aws-sdk/core": "^3.974.16",
+        "@aws-sdk/types": "^3.973.10",
+        "@smithy/core": "^3.24.6",
+        "@smithy/fetch-http-handler": "^5.4.6",
+        "@smithy/node-http-handler": "^4.7.6",
+        "@smithy/types": "^4.14.3",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -315,23 +315,23 @@
       }
     },
     "node_modules/@aws-sdk/credential-provider-ini": {
-      "version": "3.972.46",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-ini/-/credential-provider-ini-3.972.46.tgz",
-      "integrity": "sha512-hvcgcwOiS0nb2XFb5Op1Pz/vYaWz5K8kKullziGpdNRuG0NwzRXseuPt2CoBqknHGaSPVesu1aOn2OcctEYdCA==",
+      "version": "3.972.47",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-ini/-/credential-provider-ini-3.972.47.tgz",
+      "integrity": "sha512-G+8JuG0CfLcC2IQXFVqMR1+KDF1rksebr+YL6+HHYbNjs/hiwX53ye45sU3pJKljpS2uIXqOrOsicHIv02vWrw==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@aws-sdk/core": "^3.974.15",
-        "@aws-sdk/credential-provider-env": "^3.972.41",
-        "@aws-sdk/credential-provider-http": "^3.972.43",
-        "@aws-sdk/credential-provider-login": "^3.972.45",
-        "@aws-sdk/credential-provider-process": "^3.972.41",
-        "@aws-sdk/credential-provider-sso": "^3.972.45",
-        "@aws-sdk/credential-provider-web-identity": "^3.972.45",
-        "@aws-sdk/nested-clients": "^3.997.13",
-        "@aws-sdk/types": "^3.973.9",
-        "@smithy/core": "^3.24.5",
-        "@smithy/credential-provider-imds": "^4.3.6",
-        "@smithy/types": "^4.14.2",
+        "@aws-sdk/core": "^3.974.16",
+        "@aws-sdk/credential-provider-env": "^3.972.42",
+        "@aws-sdk/credential-provider-http": "^3.972.44",
+        "@aws-sdk/credential-provider-login": "^3.972.46",
+        "@aws-sdk/credential-provider-process": "^3.972.42",
+        "@aws-sdk/credential-provider-sso": "^3.972.46",
+        "@aws-sdk/credential-provider-web-identity": "^3.972.46",
+        "@aws-sdk/nested-clients": "^3.997.14",
+        "@aws-sdk/types": "^3.973.10",
+        "@smithy/core": "^3.24.6",
+        "@smithy/credential-provider-imds": "^4.3.7",
+        "@smithy/types": "^4.14.3",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -339,16 +339,16 @@
       }
     },
     "node_modules/@aws-sdk/credential-provider-login": {
-      "version": "3.972.45",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-login/-/credential-provider-login-3.972.45.tgz",
-      "integrity": "sha512-MZQv4SNjByk1iOKmrqmzcUF/uCB05wjvEHyXKxmGQTUANTIVayX6HPUF0bzkWLvtnkH7sAn9kUCfkXbSpj9sDA==",
+      "version": "3.972.46",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-login/-/credential-provider-login-3.972.46.tgz",
+      "integrity": "sha512-+H6h2/1Q+iIJ4w+FPCKM//xwy4C9yADknDTR68+K3PbOtB/uLup3zIH8PUKn6QwnttME4VM4ftSTnbvoDf5wXg==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@aws-sdk/core": "^3.974.15",
-        "@aws-sdk/nested-clients": "^3.997.13",
-        "@aws-sdk/types": "^3.973.9",
-        "@smithy/core": "^3.24.5",
-        "@smithy/types": "^4.14.2",
+        "@aws-sdk/core": "^3.974.16",
+        "@aws-sdk/nested-clients": "^3.997.14",
+        "@aws-sdk/types": "^3.973.10",
+        "@smithy/core": "^3.24.6",
+        "@smithy/types": "^4.14.3",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -356,21 +356,21 @@
       }
     },
     "node_modules/@aws-sdk/credential-provider-node": {
-      "version": "3.972.48",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-node/-/credential-provider-node-3.972.48.tgz",
-      "integrity": "sha512-QIbtJP0olSLZ2ImEu636pP+7JJbPfaL3xSJIFXhu472CWuondCc4bGOa8OeyhOFet8z4H1D/ZFKXc39FboWwYA==",
+      "version": "3.972.49",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-node/-/credential-provider-node-3.972.49.tgz",
+      "integrity": "sha512-hlyoc+2352BhC+HF91t9avIDJu1+EvQGGltxFB8ADCpAHGYNNLEQAZJIPzw3O/bRiiDSE2B8pdj/fFCXlDTEDg==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@aws-sdk/credential-provider-env": "^3.972.41",
-        "@aws-sdk/credential-provider-http": "^3.972.43",
-        "@aws-sdk/credential-provider-ini": "^3.972.46",
-        "@aws-sdk/credential-provider-process": "^3.972.41",
-        "@aws-sdk/credential-provider-sso": "^3.972.45",
-        "@aws-sdk/credential-provider-web-identity": "^3.972.45",
-        "@aws-sdk/types": "^3.973.9",
-        "@smithy/core": "^3.24.5",
-        "@smithy/credential-provider-imds": "^4.3.6",
-        "@smithy/types": "^4.14.2",
+        "@aws-sdk/credential-provider-env": "^3.972.42",
+        "@aws-sdk/credential-provider-http": "^3.972.44",
+        "@aws-sdk/credential-provider-ini": "^3.972.47",
+        "@aws-sdk/credential-provider-process": "^3.972.42",
+        "@aws-sdk/credential-provider-sso": "^3.972.46",
+        "@aws-sdk/credential-provider-web-identity": "^3.972.46",
+        "@aws-sdk/types": "^3.973.10",
+        "@smithy/core": "^3.24.6",
+        "@smithy/credential-provider-imds": "^4.3.7",
+        "@smithy/types": "^4.14.3",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -378,15 +378,15 @@
       }
     },
     "node_modules/@aws-sdk/credential-provider-process": {
-      "version": "3.972.41",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-process/-/credential-provider-process-3.972.41.tgz",
-      "integrity": "sha512-7I/n1zkysouLOWvkEhjNEP4vMnD2v4kzzr3/3QBdrripEpn7ap1/I5DF3Hou1SUqkKWo1f3oPGMyFAA1FAMvsQ==",
+      "version": "3.972.42",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-process/-/credential-provider-process-3.972.42.tgz",
+      "integrity": "sha512-r996IYVtQ7rWa5UfSs3fZLT/Dq/SSgH9wv9zahx9lcg6vvaPPQHFpTy45nZajZu/+OUdEQxEjTn9rOMons59mA==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@aws-sdk/core": "^3.974.15",
-        "@aws-sdk/types": "^3.973.9",
-        "@smithy/core": "^3.24.5",
-        "@smithy/types": "^4.14.2",
+        "@aws-sdk/core": "^3.974.16",
+        "@aws-sdk/types": "^3.973.10",
+        "@smithy/core": "^3.24.6",
+        "@smithy/types": "^4.14.3",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -394,17 +394,17 @@
       }
     },
     "node_modules/@aws-sdk/credential-provider-sso": {
-      "version": "3.972.45",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-sso/-/credential-provider-sso-3.972.45.tgz",
-      "integrity": "sha512-oHgbz/eFD8IKiksqDsz9ZMU4A59BpQq4QwJedBnGD80ZqYcHPPHZBwjBnxLVkB7iRVVHWpDclR8yWdD2PkQIUA==",
+      "version": "3.972.46",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-sso/-/credential-provider-sso-3.972.46.tgz",
+      "integrity": "sha512-vd+UqRbiYLvXXH3kTAuTxq+Vdb3rOgg29/FeB35ETsgdJTTB7x3YuqtpRckATsL5bDRXFVQo0uBj0/vxCJ8hHg==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@aws-sdk/core": "^3.974.15",
-        "@aws-sdk/nested-clients": "^3.997.13",
-        "@aws-sdk/token-providers": "3.1056.0",
-        "@aws-sdk/types": "^3.973.9",
-        "@smithy/core": "^3.24.5",
-        "@smithy/types": "^4.14.2",
+        "@aws-sdk/core": "^3.974.16",
+        "@aws-sdk/nested-clients": "^3.997.14",
+        "@aws-sdk/token-providers": "3.1059.0",
+        "@aws-sdk/types": "^3.973.10",
+        "@smithy/core": "^3.24.6",
+        "@smithy/types": "^4.14.3",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -412,16 +412,16 @@
       }
     },
     "node_modules/@aws-sdk/credential-provider-web-identity": {
-      "version": "3.972.45",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-web-identity/-/credential-provider-web-identity-3.972.45.tgz",
-      "integrity": "sha512-CDhzKdb2onv5bpnjn/acgdNmJOQthPDLsPizU7rZflsEcgMMp8Mlri+U5hdxf8ldvZJpvM3vLU6D56vfJm5AMQ==",
+      "version": "3.972.46",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-web-identity/-/credential-provider-web-identity-3.972.46.tgz",
+      "integrity": "sha512-xuxBbMorygYsbDV6E/tUGQUgIDfhnzxz8uJYX8rByzehI6gLUu8RPsgOpLmh9YWerqeHZxJbqzgheBSB7tpooQ==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@aws-sdk/core": "^3.974.15",
-        "@aws-sdk/nested-clients": "^3.997.13",
-        "@aws-sdk/types": "^3.973.9",
-        "@smithy/core": "^3.24.5",
-        "@smithy/types": "^4.14.2",
+        "@aws-sdk/core": "^3.974.16",
+        "@aws-sdk/nested-clients": "^3.997.14",
+        "@aws-sdk/types": "^3.973.10",
+        "@smithy/core": "^3.24.6",
+        "@smithy/types": "^4.14.3",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -429,20 +429,20 @@
       }
     },
     "node_modules/@aws-sdk/nested-clients": {
-      "version": "3.997.13",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/nested-clients/-/nested-clients-3.997.13.tgz",
-      "integrity": "sha512-2pA6eyb5nSo/ZD2cayhOTEMoGQYgspq0RI05GDLkzQ3ajZ6isS6waV6E92Am/hz4LIlLUTrbwPLurJ/fuiHvkg==",
+      "version": "3.997.14",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/nested-clients/-/nested-clients-3.997.14.tgz",
+      "integrity": "sha512-T5CS1r4P27FjkBYIWwVibWqEuq32BbCga2Z5m5OBSdSdi2wPfW2vl6zLWAB/5MeeyC4s2pY/MY3cj2Gd3rgSkg==",
       "license": "Apache-2.0",
       "dependencies": {
         "@aws-crypto/sha256-browser": "5.2.0",
         "@aws-crypto/sha256-js": "5.2.0",
-        "@aws-sdk/core": "^3.974.15",
-        "@aws-sdk/signature-v4-multi-region": "^3.996.30",
-        "@aws-sdk/types": "^3.973.9",
-        "@smithy/core": "^3.24.5",
-        "@smithy/fetch-http-handler": "^5.4.5",
-        "@smithy/node-http-handler": "^4.7.5",
-        "@smithy/types": "^4.14.2",
+        "@aws-sdk/core": "^3.974.16",
+        "@aws-sdk/signature-v4-multi-region": "^3.996.31",
+        "@aws-sdk/types": "^3.973.10",
+        "@smithy/core": "^3.24.6",
+        "@smithy/fetch-http-handler": "^5.4.6",
+        "@smithy/node-http-handler": "^4.7.6",
+        "@smithy/types": "^4.14.3",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -450,14 +450,14 @@
       }
     },
     "node_modules/@aws-sdk/signature-v4-multi-region": {
-      "version": "3.996.30",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/signature-v4-multi-region/-/signature-v4-multi-region-3.996.30.tgz",
-      "integrity": "sha512-HULDLMVzkmTSEv6//7kx2kRevp/VYUpm8hJNNFbmhxDn0fUiGTxVcM9yg31TukvTq8nyOBDUN2gH0o5IRbKjdw==",
+      "version": "3.996.31",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/signature-v4-multi-region/-/signature-v4-multi-region-3.996.31.tgz",
+      "integrity": "sha512-Kn2up9SlG1KC6wRtwf0d7waTGF6rvp9DxYqB54x6UCKdQ6kyaXCqHL4WGb5vUJga5kS8FxnjhY0LqM28aMvnNQ==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@aws-sdk/types": "^3.973.9",
-        "@smithy/signature-v4": "^5.4.5",
-        "@smithy/types": "^4.14.2",
+        "@aws-sdk/types": "^3.973.10",
+        "@smithy/signature-v4": "^5.4.6",
+        "@smithy/types": "^4.14.3",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -465,16 +465,16 @@
       }
     },
     "node_modules/@aws-sdk/token-providers": {
-      "version": "3.1056.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/token-providers/-/token-providers-3.1056.0.tgz",
-      "integrity": "sha512-81duvlltQlsfn5K+o8zILcystBRdbT1G2JJYVCML5NZHBz4CL/zf+sAemCtBh/uh6RQUMyInGeZLQ7/8igZhbA==",
+      "version": "3.1059.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/token-providers/-/token-providers-3.1059.0.tgz",
+      "integrity": "sha512-xql+7YBAE7WYb9xJfY0vcAXM8rJXfClmB2wkt+g/EoLUMog0pOb7o741fE96wFqha0uQTEgTo/5lGGguzavxmw==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@aws-sdk/core": "^3.974.15",
-        "@aws-sdk/nested-clients": "^3.997.13",
-        "@aws-sdk/types": "^3.973.9",
-        "@smithy/core": "^3.24.5",
-        "@smithy/types": "^4.14.2",
+        "@aws-sdk/core": "^3.974.16",
+        "@aws-sdk/nested-clients": "^3.997.14",
+        "@aws-sdk/types": "^3.973.10",
+        "@smithy/core": "^3.24.6",
+        "@smithy/types": "^4.14.3",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -482,12 +482,12 @@
       }
     },
     "node_modules/@aws-sdk/types": {
-      "version": "3.973.9",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/types/-/types-3.973.9.tgz",
-      "integrity": "sha512-kuBfgQVdcz5Bmapc4A13YbpVw/pXkesfhetcFYwbntqas8sF41OHyd4o28+/TG2ZQdHBsv90Lsu5y6oitvYCdg==",
+      "version": "3.973.10",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/types/-/types-3.973.10.tgz",
+      "integrity": "sha512-992QrTO7G9qCvKD0fx1rMlqcL14plUcRAbwmqqYVsuF3GrqcvlAL9qxR+baMafarEZ+l7DUQ5lCMmt5mbMhF7g==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/types": "^4.14.2",
+        "@smithy/types": "^4.14.3",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -507,12 +507,12 @@
       }
     },
     "node_modules/@aws-sdk/xml-builder": {
-      "version": "3.972.26",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/xml-builder/-/xml-builder-3.972.26.tgz",
-      "integrity": "sha512-cDbrqvDS73whl6YAPSPq0U6whzG6UWI9PuWh0wrUuGoZexhWEqhdunbukV7iBoaWnFV1AODutM5hOD6rtn439g==",
+      "version": "3.972.27",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/xml-builder/-/xml-builder-3.972.27.tgz",
+      "integrity": "sha512-hpsCXCOI436kxWpjtRuIHVvuPP81MOw8f18jzfZeg+UOiiOvlqWcmWChzEhJEu16cOC6+ku4ncBN+7rdt+DZ9g==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/types": "^4.14.2",
+        "@smithy/types": "^4.14.3",
         "fast-xml-parser": "5.7.3",
         "tslib": "^2.6.2"
       },
@@ -4123,9 +4123,9 @@
       }
     },
     "node_modules/electron-to-chromium": {
-      "version": "1.5.364",
-      "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.364.tgz",
-      "integrity": "sha512-G/dYE3+AYhyHwzTwg8UbnXf7zqMERYh7l2jJ3QujhFsH8agSYwtnGAR2aZ7f0AakIKJXd5En/Hre4igIUrdlYw==",
+      "version": "1.5.366",
+      "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.366.tgz",
+      "integrity": "sha512-OlRuhb688YTCzzU3gXPLn6nGyd+F+53INE1qaKKlu6kETErE8FYsyDh0XqXEU+uBRn0MpCzz2vfNwORhkap8qg==",
       "dev": true,
       "license": "ISC"
     },
@@ -6860,9 +6860,9 @@
       "license": "MIT"
     },
     "node_modules/node-releases": {
-      "version": "2.0.46",
-      "resolved": "https://registry.npmjs.org/node-releases/-/node-releases-2.0.46.tgz",
-      "integrity": "sha512-GYVXHE2KnrzAfsAjl4uP++evGFCrAU1jta4ubEjIG7YWt/64Gqv66a30yKwWczVjA6j3bM4nBwH7Pk1JmDHaxQ==",
+      "version": "2.0.47",
+      "resolved": "https://registry.npmjs.org/node-releases/-/node-releases-2.0.47.tgz",
+      "integrity": "sha512-Uzmd6LXpouKo8EUK68IjH4+E01w/hXyV3R3g/geCJo+rXLNfh1xucB+LOzYEOQPSiUK3h/xZf0cQGcSsmyL2Og==",
       "dev": true,
       "license": "MIT",
       "engines": {

package/apps/gateway/scripts/verify-sentinel-persist.mjs

@@ -0,0 +1,81 @@
+/**
+ * One-shot: prove sentinel-limits.json round-trip changes Sentinel.getConfig()
+ * and policy thresholds (simulates Gateway restart without HTTP).
+ *
+ * Usage: node scripts/verify-sentinel-persist.mjs
+ */
+import * as fs from 'fs';
+import * as path from 'path';
+import * as os from 'os';
+
+const tmp = fs.mkdtempSync(path.join(os.tmpdir(), '4runr-persist-verify-'));
+process.env['APPDATA'] = tmp;
+
+const { Sentinel, policyManager } = await import('@4runr/sentinel');
+const {
+  saveSentinelLimitsToDisk,
+  loadSentinelLimitsFromDisk,
+  applyPersistedSentinelConfig,
+  getSentinelLimitsFilePath,
+} = await import('../dist/security/sentinel-config-store.js');
+
+const distinctive = {
+  enabled: true,
+  runMaxDurationMs: 111_000,
+  runMaxTokens: 22_000,
+  runIdleMs: 12_345,
+  loopWindow: 9,
+  loopMax: 4,
+  runMaxCost: 2.75,
+};
+
+saveSentinelLimitsToDisk(distinctive);
+const filePath = getSentinelLimitsFilePath();
+if (!fs.existsSync(filePath)) {
+  console.error('FAIL: file not written', filePath);
+  process.exit(1);
+}
+const onDisk = JSON.parse(fs.readFileSync(filePath, 'utf8'));
+console.log('OK: wrote', filePath);
+console.log('   config.runIdleMs on disk:', onDisk.config?.runIdleMs);
+
+const loaded = loadSentinelLimitsFromDisk();
+if (loaded?.runIdleMs !== distinctive.runIdleMs) {
+  console.error('FAIL: load from disk', loaded);
+  process.exit(1);
+}
+console.log('OK: loadSentinelLimitsFromDisk matches');
+
+Sentinel.resetInstance();
+const sentinel = Sentinel.getInstance();
+const before = sentinel.getConfig().runIdleMs;
+applyPersistedSentinelConfig(sentinel);
+const after = sentinel.getConfig().runIdleMs;
+if (after !== distinctive.runIdleMs) {
+  console.error('FAIL: after boot apply', { before, after, expected: distinctive.runIdleMs });
+  process.exit(1);
+}
+console.log('OK: fresh singleton after applyPersistedSentinelConfig', { before, after });
+
+const violations = policyManager.evaluatePolicies(
+  'verify-run',
+  {
+    runId: 'verify-run',
+    createdAt: Date.now(),
+    startedAt: Date.now() - 30_000,
+    lastTokenAt: Date.now() - 30_000,
+    tokenCount: 0,
+    status: 'running',
+    events: [],
+  },
+  sentinel.getConfig()
+);
+const idle = violations.find((v) => v.policy === 'idle');
+if (!idle || idle.threshold !== distinctive.runIdleMs) {
+  console.error('FAIL: policy threshold', idle);
+  process.exit(1);
+}
+console.log('OK: idle policy threshold = persisted runIdleMs', idle.threshold);
+
+fs.rmSync(tmp, { recursive: true, force: true });
+console.log('\nAll persistence checks passed (fundamental, not UI-only).');

package/apps/gateway/src/__tests__/sentinel-config-persist-http.test.ts

@@ -0,0 +1,93 @@
+/**
+ * HTTP apply → disk → simulated restart (proves route wiring, not UI-only).
+ */
+
+import { describe, it, expect, beforeEach, afterEach } from '@jest/globals';
+import Fastify from 'fastify';
+import * as fs from 'fs';
+import * as path from 'path';
+import * as os from 'os';
+import { Sentinel } from '@4runr/sentinel';
+import {
+  getSentinelLimitsFilePath,
+  applyPersistedSentinelConfig,
+  hydrateSentinelConfigFromDisk,
+} from '../security/sentinel-config-store.js';
+
+jest.mock('../middleware/rateLimit.js', () => ({
+  writeRateLimit: async () => {},
+  readRateLimit: async () => {},
+}));
+
+jest.mock('../middleware/auth.js', () => ({
+  requireAuth: async () => {},
+}));
+
+describe('POST /api/sentinel/policies/custom persistence', () => {
+  const originalAppData = process.env['APPDATA'];
+  let tmpDir: string;
+  let app: ReturnType<typeof Fastify>;
+
+  beforeEach(async () => {
+    tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), '4runr-sentinel-http-'));
+    process.env['APPDATA'] = tmpDir;
+    delete process.env['RUN_IDLE_MS'];
+    delete process.env['SENTINEL_IDLE_MS'];
+    Sentinel.resetInstance();
+
+    const { sentinelPolicyRoutes } = await import('../routes/sentinel-policies.js');
+    app = Fastify();
+    await sentinelPolicyRoutes(app);
+    await app.ready();
+  });
+
+  afterEach(async () => {
+    await app.close();
+    Sentinel.resetInstance();
+    if (originalAppData === undefined) delete process.env['APPDATA'];
+    else process.env['APPDATA'] = originalAppData;
+    fs.rmSync(tmpDir, { recursive: true, force: true });
+  });
+
+  it('writes sentinel-limits.json and reloads after simulated Gateway restart', async () => {
+    const distinctiveIdle = 77_777;
+
+    const res = await app.inject({
+      method: 'POST',
+      url: '/api/sentinel/policies/custom',
+      payload: {
+        enabled: true,
+        runMaxDurationMs: 120_000,
+        runMaxTokens: 16_000,
+        runIdleMs: distinctiveIdle,
+        loopWindow: 15,
+        loopMax: 5,
+        runMaxCost: 1.5,
+      },
+    });
+
+    expect(res.statusCode).toBe(200);
+    const body = res.json() as { success?: boolean; config?: { runIdleMs?: number } };
+    expect(body.success).toBe(true);
+    expect(body.config?.runIdleMs).toBe(distinctiveIdle);
+
+    const filePath = getSentinelLimitsFilePath();
+    expect(fs.existsSync(filePath)).toBe(true);
+    const onDisk = JSON.parse(fs.readFileSync(filePath, 'utf8')) as {
+      config: { runIdleMs: number };
+    };
+    expect(onDisk.config.runIdleMs).toBe(distinctiveIdle);
+
+    Sentinel.resetInstance();
+    const sentinel = Sentinel.getInstance();
+    expect(applyPersistedSentinelConfig(sentinel)).toBe(true);
+    expect(sentinel.getConfig().runIdleMs).toBe(distinctiveIdle);
+
+    Sentinel.resetInstance();
+    const stale = Sentinel.getInstance();
+    expect(stale.getConfig().runIdleMs).not.toBe(distinctiveIdle);
+
+    hydrateSentinelConfigFromDisk(stale);
+    expect(stale.getConfig().runIdleMs).toBe(distinctiveIdle);
+  });
+});

package/apps/gateway/src/__tests__/sentinel-config-store.test.ts

@@ -0,0 +1,133 @@
+/**
+ * Sentinel limits disk persistence
+ */
+
+import { describe, it, expect, beforeEach, afterEach } from '@jest/globals';
+import * as fs from 'fs';
+import * as path from 'path';
+import * as os from 'os';
+import {
+  getSentinelLimitsFilePath,
+  loadSentinelLimitsFromDisk,
+  saveSentinelLimitsToDisk,
+  applyPersistedSentinelConfig,
+} from '../security/sentinel-config-store.js';
+import { Sentinel, policyManager } from '@4runr/sentinel';
+import type { RunState } from '@4runr/sentinel';
+
+describe('sentinel-config-store', () => {
+  const originalAppData = process.env['APPDATA'];
+  let tmpDir: string;
+
+  beforeEach(() => {
+    tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), '4runr-sentinel-'));
+    process.env['APPDATA'] = tmpDir;
+    Sentinel.resetInstance();
+  });
+
+  afterEach(() => {
+    Sentinel.resetInstance();
+    if (originalAppData === undefined) {
+      delete process.env['APPDATA'];
+    } else {
+      process.env['APPDATA'] = originalAppData;
+    }
+    fs.rmSync(tmpDir, { recursive: true, force: true });
+  });
+
+  it('round-trips config to disk', () => {
+    const config = {
+      enabled: true,
+      runMaxDurationMs: 90_000,
+      runMaxTokens: 8_000,
+      runIdleMs: 45_000,
+      loopWindow: 10,
+      loopMax: 3,
+      runMaxCost: 1.25,
+    };
+    saveSentinelLimitsToDisk(config);
+    expect(fs.existsSync(getSentinelLimitsFilePath())).toBe(true);
+    const loaded = loadSentinelLimitsFromDisk();
+    expect(loaded).toMatchObject(config);
+  });
+
+  it('applyPersistedSentinelConfig merges when env field unset', () => {
+    delete process.env['RUN_IDLE_MS'];
+    delete process.env['SENTINEL_IDLE_MS'];
+    saveSentinelLimitsToDisk({
+      enabled: true,
+      runMaxDurationMs: 60_000,
+      runMaxTokens: 16_000,
+      runIdleMs: 99_000,
+      loopWindow: 15,
+      loopMax: 5,
+      runMaxCost: 2.0,
+    });
+    const sentinel = Sentinel.getInstance();
+    applyPersistedSentinelConfig(sentinel);
+    expect(sentinel.getConfig().runIdleMs).toBe(99_000);
+  });
+
+  it('simulates Gateway restart: disk limits reload into a fresh Sentinel singleton', () => {
+    delete process.env['RUN_IDLE_MS'];
+    delete process.env['SENTINEL_IDLE_MS'];
+
+    const distinctiveIdle = 12_345;
+    saveSentinelLimitsToDisk({
+      enabled: true,
+      runMaxDurationMs: 600_000,
+      runMaxTokens: 50_000,
+      runIdleMs: distinctiveIdle,
+      loopWindow: 15,
+      loopMax: 5,
+      runMaxCost: 3.5,
+    });
+
+    Sentinel.resetInstance();
+    const sentinel = Sentinel.getInstance();
+    expect(sentinel.getConfig().runIdleMs).not.toBe(distinctiveIdle);
+
+    expect(applyPersistedSentinelConfig(sentinel)).toBe(true);
+    expect(sentinel.getConfig().runIdleMs).toBe(distinctiveIdle);
+    expect(sentinel.getConfig().runMaxCost).toBe(3.5);
+  });
+
+  it('persisted limits drive real policy evaluation (not display-only)', () => {
+    delete process.env['RUN_IDLE_MS'];
+    delete process.env['SENTINEL_IDLE_MS'];
+
+    const idleMs = 8_000;
+    saveSentinelLimitsToDisk({
+      enabled: true,
+      runMaxDurationMs: 600_000,
+      runMaxTokens: 50_000,
+      runIdleMs: idleMs,
+      loopWindow: 15,
+      loopMax: 5,
+      runMaxCost: 1.0,
+    });
+
+    Sentinel.resetInstance();
+    const sentinel = Sentinel.getInstance();
+    applyPersistedSentinelConfig(sentinel);
+
+    const runState: RunState = {
+      runId: 'run-persist-verify',
+      createdAt: Date.now(),
+      startedAt: Date.now() - 20_000,
+      lastTokenAt: Date.now() - 20_000,
+      tokenCount: 0,
+      status: 'running',
+      events: [],
+    };
+
+    const violations = policyManager.evaluatePolicies(
+      'run-persist-verify',
+      runState,
+      sentinel.getConfig()
+    );
+    const idleViolation = violations.find((v) => v.policy === 'idle');
+    expect(idleViolation).toBeDefined();
+    expect(idleViolation!.threshold).toBe(idleMs);
+  });
+});

package/apps/gateway/src/index.ts

@@ -81,6 +81,7 @@ import { ddosProtection } from './middleware/ddos-protection.js';
 import { wrapLoggerForMonitoring } from './middleware/log-capture.js';
 import { initializeDatabase, shutdownDatabase } from './db/init.js';
 import type { PrismaClient } from '@prisma/client';
+import { applyPersistedSentinelConfig } from './security/sentinel-config-store.js';
 
 // Initialize no-persistence mode BEFORE any other initialization (only in memory mode)
 // This must happen before any filesystem writes or database connections
@@ -364,6 +365,7 @@ const sseConnections = new Map<string, Set<any>>();
 // Sentinel integration - event streams for each run
 const sentinelEventStreams = new Map<string, GatewayEventStream>();
 const sentinel = Sentinel.getInstance();
+applyPersistedSentinelConfig(sentinel, baseLogger);
 
 // Shield integration - AI Safety Layer (mode from SENTINEL_SHIELD_MODE — see shield-config.ts)
 const shield = Shield.getInstance();

package/apps/gateway/src/routes/sentinel-policies.ts

@@ -12,6 +12,11 @@ import {
 } from '@4runr/sentinel';
 import { requireAuth } from '../middleware/auth.js';
 import { readRateLimit, writeRateLimit } from '../middleware/rateLimit.js';
+import {
+  persistSentinelConfigAfterApply,
+  hydrateSentinelConfigFromDisk,
+  getSentinelLimitsFilePath,
+} from '../security/sentinel-config-store.js';
 
 /**
  * Register Sentinel policy management routes
@@ -170,11 +175,12 @@ export async function sentinelPolicyRoutes(fastify: FastifyInstance) {
       
       try {
         sentinel.updateConfig(config);
+        const savedTo = persistSentinelConfigAfterApply(sentinel, config);
         return {
           success: true,
           template: templateName,
           config: config,
-          message: `Template '${templateName}' applied successfully. New limits are now active.`
+          message: `Template '${templateName}' applied. Limits active and saved to ${savedTo}.`,
         };
       } catch (error: any) {
         return reply.status(400).send({
@@ -229,10 +235,11 @@ export async function sentinelPolicyRoutes(fastify: FastifyInstance) {
 
         try {
           sentinel.updateConfig(config);
+          const savedTo = persistSentinelConfigAfterApply(sentinel, config);
           return {
             success: true,
             config,
-            message: 'Custom Sentinel limits applied. Active until Gateway restart unless set via env.',
+            message: `Custom limits saved (${savedTo}). Reopen Sentinel or restart Gateway to reload; env vars override fields when set.`,
           };
         } catch (error: unknown) {
           const msg = error instanceof Error ? error.message : String(error);
@@ -267,10 +274,12 @@ export async function sentinelPolicyRoutes(fastify: FastifyInstance) {
     try {
       const { Sentinel } = await import('@4runr/sentinel');
       const sentinel = Sentinel.getInstance();
-      
+      hydrateSentinelConfigFromDisk(sentinel);
+
       return {
         success: true,
-        config: sentinel.getConfig()
+        config: sentinel.getConfig(),
+        persistedPath: getSentinelLimitsFilePath(),
       };
     } catch (error: any) {
       return reply.status(500).send({

package/apps/gateway/src/security/sentinel-config-store.ts

@@ -0,0 +1,160 @@
+/**
+ * Persist operator Sentinel limits to disk (survives Gateway restart).
+ * File: {4Runr data dir}/config/sentinel-limits.json
+ *
+ * Boot order: env defaults (packages/sentinel) → overlay saved file when present.
+ * Explicit env vars for a field are not overwritten by the saved file.
+ */
+
+import * as fs from 'fs';
+import * as path from 'path';
+import { get4RunrConfigDir } from '@4runr/shared';
+import { Sentinel, type SentinelConfig } from '@4runr/sentinel';
+
+const FILE_NAME = 'sentinel-limits.json';
+
+const ENV_FIELD_KEYS: Array<{
+  field: keyof SentinelConfig;
+  envKeys: string[];
+}> = [
+  { field: 'enabled', envKeys: ['SENTINEL_ENABLED'] },
+  { field: 'runMaxDurationMs', envKeys: ['RUN_MAX_DURATION_MS'] },
+  { field: 'runMaxTokens', envKeys: ['RUN_MAX_TOKENS'] },
+  { field: 'runIdleMs', envKeys: ['SENTINEL_IDLE_MS', 'RUN_IDLE_MS'] },
+  { field: 'loopWindow', envKeys: ['SENTINEL_LOOP_WINDOW'] },
+  { field: 'loopMax', envKeys: ['SENTINEL_LOOP_MAX'] },
+  { field: 'runMaxCost', envKeys: ['RUN_MAX_COST', 'SENTINEL_MAX_COST'] },
+];
+
+export function getSentinelLimitsFilePath(): string {
+  return path.join(get4RunrConfigDir(), FILE_NAME);
+}
+
+function envDefinesField(field: keyof SentinelConfig): boolean {
+  const entry = ENV_FIELD_KEYS.find((e) => e.field === field);
+  if (!entry) return false;
+  return entry.envKeys.some((k) => {
+    const v = process.env[k];
+    return v !== undefined && v.trim() !== '';
+  });
+}
+
+function parseSavedPayload(raw: unknown): SentinelConfig | null {
+  if (!raw || typeof raw !== 'object') return null;
+  const o = raw as Record<string, unknown>;
+  const num = (key: string): number | undefined => {
+    const v = o[key];
+    if (typeof v === 'number' && Number.isFinite(v)) return v;
+    return undefined;
+  };
+  const enabled = o['enabled'];
+  if (typeof enabled !== 'boolean') return null;
+  const runMaxDurationMs = num('runMaxDurationMs');
+  const runMaxTokens = num('runMaxTokens');
+  const runIdleMs = num('runIdleMs');
+  const loopWindow = num('loopWindow');
+  const loopMax = num('loopMax');
+  if (
+    runMaxDurationMs === undefined ||
+    runMaxTokens === undefined ||
+    runIdleMs === undefined ||
+    loopWindow === undefined ||
+    loopMax === undefined
+  ) {
+    return null;
+  }
+  const runMaxCost = num('runMaxCost');
+  return {
+    enabled,
+    runMaxDurationMs,
+    runMaxTokens,
+    runIdleMs,
+    loopWindow,
+    loopMax,
+    ...(runMaxCost !== undefined ? { runMaxCost } : {}),
+  };
+}
+
+export function loadSentinelLimitsFromDisk(): SentinelConfig | null {
+  const filePath = getSentinelLimitsFilePath();
+  try {
+    if (!fs.existsSync(filePath)) return null;
+    const text = fs.readFileSync(filePath, 'utf8');
+    const parsed = JSON.parse(text) as unknown;
+    const inner =
+      parsed && typeof parsed === 'object' && 'config' in (parsed as object)
+        ? (parsed as { config: unknown }).config
+        : parsed;
+    return parseSavedPayload(inner);
+  } catch {
+    return null;
+  }
+}
+
+export function saveSentinelLimitsToDisk(config: SentinelConfig): void {
+  const filePath = getSentinelLimitsFilePath();
+  const payload = {
+    version: 1,
+    updatedAt: new Date().toISOString(),
+    config: {
+      enabled: config.enabled,
+      runMaxDurationMs: config.runMaxDurationMs,
+      runMaxTokens: config.runMaxTokens,
+      runIdleMs: config.runIdleMs,
+      loopWindow: config.loopWindow,
+      loopMax: config.loopMax,
+      runMaxCost: config.runMaxCost ?? 1.0,
+    },
+  };
+  fs.writeFileSync(filePath, JSON.stringify(payload, null, 2), { mode: 0o600 });
+}
+
+/** Merge saved limits from disk into the live Sentinel singleton (env wins per field). */
+export function mergePersistedSentinelConfig(sentinel: Sentinel): boolean {
+  const saved = loadSentinelLimitsFromDisk();
+  if (!saved) return false;
+
+  const current = sentinel.getConfig();
+  const merged: SentinelConfig = { ...current };
+
+  for (const { field } of ENV_FIELD_KEYS) {
+    if (envDefinesField(field)) continue;
+    (merged as Record<string, unknown>)[field] = saved[field];
+  }
+
+  try {
+    sentinel.updateConfig(merged);
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Apply saved limits on Gateway boot. Env-defined fields keep env values.
+ */
+export function applyPersistedSentinelConfig(sentinel: Sentinel, logger?: {
+  info: (msg: string, meta?: Record<string, unknown>) => void;
+  warn: (msg: string, meta?: Record<string, unknown>) => void;
+}): boolean {
+  const ok = mergePersistedSentinelConfig(sentinel);
+  if (ok) {
+    logger?.info('Sentinel limits loaded from disk', {
+      path: getSentinelLimitsFilePath(),
+    });
+  }
+  return ok;
+}
+
+/** Call before returning policy config to clients so long-lived Gateway picks up disk saves. */
+export function hydrateSentinelConfigFromDisk(sentinel: Sentinel): void {
+  mergePersistedSentinelConfig(sentinel);
+}
+
+export function persistSentinelConfigAfterApply(
+  sentinel: Sentinel,
+  config: SentinelConfig
+): string {
+  saveSentinelLimitsToDisk(config);
+  return getSentinelLimitsFilePath();
+}

package/mk3-tui/src/app.rs

@@ -828,13 +828,30 @@ impl App {
         }
     }
 
+    pub fn open_sentinel_config(&mut self, ws: Option<&WebSocketClient>) {
+        self.state.pending_sentinel_load_id = None;
+        self.state.pending_sentinel_apply_id = None;
+        self.push_overlay(Screen::SentinelConfig);
+        self.state
+            .logs
+            .push_back("[NAV] Opening Sentinel Configuration...".into());
+        if self.state.operation_mode == OperationMode::Connected {
+            if let Some(ws) = ws {
+                self.begin_sentinel_load_request(ws);
+            }
+        } else {
+            self.state.sentinel_config.error = Some(
+                "Connect to Gateway first (connect portal).".to_string(),
+            );
+        }
+        self.request_immediate_render("open_sentinel_config");
+    }
+
     pub fn begin_sentinel_load_request(&mut self, ws: &WebSocketClient) {
         if self.state.operation_mode != OperationMode::Connected {
             return;
         }
-        if self.state.pending_sentinel_load_id.is_some()
-            || self.state.pending_sentinel_apply_id.is_some()
-        {
+        if self.state.pending_sentinel_load_id.is_some() {
             return;
         }
         self.state.sentinel_config.loading = true;
@@ -1551,19 +1568,7 @@ impl App {
                             }
                         }
                         "sentinel" | "sentinel config" | "sentinel policies" => {
-                            self.push_overlay(Screen::SentinelConfig);
-                            self.state
-                                .logs
-                                .push_back("[NAV] Opening Sentinel Configuration...".into());
-                            if self.state.operation_mode == OperationMode::Connected {
-                                if let Some(ws) = ws_client {
-                                    self.begin_sentinel_load_request(ws);
-                                }
-                            } else {
-                                self.state.sentinel_config.error = Some(
-                                    "Connect to Gateway first (connect portal).".to_string(),
-                                );
-                            }
+                            self.open_sentinel_config(ws_client);
                         }
                         "config" | "settings" => {
                             self.push_overlay(Screen::Settings);
@@ -2514,7 +2519,7 @@ impl App {
 
         match key.code {
             KeyCode::Tab => {
-                self.state.sentinel_config.toggle_view_mode();
+                self.state.sentinel_config.cycle_view_mode();
                 self.request_immediate_render("sentinel_tab");
             }
             KeyCode::Up => {
@@ -2567,6 +2572,10 @@ impl App {
                         Some("Connect to Gateway first.".to_string());
                 } else if let Some(ws) = ws_client {
                     match self.state.sentinel_config.view_mode {
+                        SentinelViewMode::About => {
+                            self.begin_sentinel_load_request(ws);
+                            self.request_render("sentinel_about_refresh");
+                        }
                         SentinelViewMode::Templates => {
                             if let Some(t) = self.state.sentinel_config.selected_template() {
                                 let key = t.key.clone();

package/mk3-tui/src/ui/sentinel_config.rs

@@ -14,10 +14,29 @@ const BG_PANEL: Color = Color::Rgb(18, 18, 25);
 
 #[derive(Debug, Clone, Copy, PartialEq, Eq)]
 pub enum SentinelViewMode {
+    About,
     Templates,
     Custom,
 }
 
+const ABOUT_SENTINEL_LINES: &[&str] = &[
+    "Sentinel is 4Runr's runtime safety layer for agent executions on this Gateway.",
+    "",
+    "What it does:",
+    "  • Watches each run while it is running (queue processor path)",
+    "  • Enforces limits: idle time, max duration, token cap, cost, loop detection",
+    "  • On violation: kills the run (status killed, policy_violation:* in logs)",
+    "",
+    "Scope today:",
+    "  • One policy for ALL runs on this Gateway (not per-agent yet)",
+    "  • A run = one agent execution (POST /api/runs → start → agent runs)",
+    "",
+    "How to use this screen:",
+    "  • Templates: apply a preset · Custom: tune fields · Enter: save to disk",
+    "  • Saved file survives Gateway restart (see path in Custom help)",
+    "  • Env vars in docker-compose override individual fields when set",
+];
+
 #[derive(Debug, Clone, Copy, PartialEq, Eq)]
 pub enum CustomField {
     Enabled,
@@ -165,13 +184,14 @@ impl SentinelConfigState {
         self.templates.get(self.selected_index)
     }
 
-    pub fn toggle_view_mode(&mut self) {
+    pub fn cycle_view_mode(&mut self) {
         self.view_mode = match self.view_mode {
+            SentinelViewMode::About => SentinelViewMode::Templates,
             SentinelViewMode::Templates => {
                 self.sync_custom_draft_from_current();
                 SentinelViewMode::Custom
             }
-            SentinelViewMode::Custom => SentinelViewMode::Templates,
+            SentinelViewMode::Custom => SentinelViewMode::About,
         };
         self.error = None;
         self.status_message = None;
@@ -191,6 +211,7 @@ impl SentinelConfigState {
 
     pub fn select_previous(&mut self) {
         match self.view_mode {
+            SentinelViewMode::About => {}
             SentinelViewMode::Templates => {
                 if self.selected_index > 0 {
                     self.selected_index -= 1;
@@ -210,6 +231,7 @@ impl SentinelConfigState {
 
     pub fn select_next(&mut self) {
         match self.view_mode {
+            SentinelViewMode::About => {}
             SentinelViewMode::Templates => {
                 if self.selected_index + 1 < self.templates.len() {
                     self.selected_index += 1;
@@ -489,6 +511,7 @@ pub fn render(f: &mut Frame, state: &AppState) {
         .split(area);
 
     let mode_label = match sc.view_mode {
+        SentinelViewMode::About => "About",
         SentinelViewMode::Templates => "Templates",
         SentinelViewMode::Custom => "Custom",
     };
@@ -514,6 +537,9 @@ pub fn render(f: &mut Frame, state: &AppState) {
         .split(chunks[1]);
 
     match sc.view_mode {
+        SentinelViewMode::About => {
+            render_about_panel(f, chunks[1], sc);
+        }
         SentinelViewMode::Templates => {
             render_active_panel(f, body[0], sc);
             render_templates_panel(f, body[1], sc);
@@ -525,11 +551,14 @@ pub fn render(f: &mut Frame, state: &AppState) {
     }
 
     let default_footer = match sc.view_mode {
+        SentinelViewMode::About => {
+            "Tab: Templates · R: reload from Gateway · ESC: Close"
+        }
         SentinelViewMode::Templates => {
-            "Tab Custom · ↑/↓ Template · Enter Apply · R Refresh · ESC Close"
+            "Tab: next view · ↑/↓ Template · Enter Apply · R Refresh · ESC Close"
         }
         SentinelViewMode::Custom => {
-            "Tab Templates · ↑/↓ Field · ←/→ or +/- Value · Space ON/OFF · Enter Apply · ESC Close"
+            "Tab: next view · ↑/↓ Field · ←/→ Value · Enter Apply (saves to disk) · ESC Close"
         }
     };
     const CUSTOM_SHORTCUTS: &str =
@@ -573,6 +602,48 @@ pub fn render(f: &mut Frame, state: &AppState) {
     );
 }
 
+fn render_about_panel(f: &mut Frame, area: Rect, sc: &SentinelConfigState) {
+    let block = Block::default()
+        .title(" 📖  What is Sentinel? ")
+        .borders(Borders::ALL)
+        .border_style(Style::default().fg(CYBER_CYAN))
+        .style(Style::default().bg(BG_PANEL));
+    let inner = block.inner(area);
+    f.render_widget(block, area);
+
+    let mut lines: Vec<Line> = Vec::new();
+    for line in ABOUT_SENTINEL_LINES {
+        if line.is_empty() {
+            lines.push(Line::from(""));
+            continue;
+        }
+        let style = if line.starts_with("  •") {
+            Style::default().fg(TEXT_PRIMARY)
+        } else if line.ends_with(':') && !line.starts_with(' ') {
+            Style::default().fg(NEON_GREEN).bold()
+        } else {
+            Style::default().fg(TEXT_DIM)
+        };
+        lines.push(Line::from(Span::styled(*line, style)));
+    }
+    lines.push(Line::from(""));
+    lines.push(Line::from(vec![
+        Span::styled("Active limits now: ", Style::default().fg(TEXT_DIM)),
+        Span::styled(
+            if sc.current_enabled { "ON" } else { "OFF" },
+            Style::default().fg(NEON_GREEN),
+        ),
+        Span::styled(" · idle ", Style::default().fg(TEXT_DIM)),
+        Span::styled(fmt_ms(sc.current_idle_ms), Style::default().fg(TEXT_PRIMARY)),
+        Span::styled(" · max ", Style::default().fg(TEXT_DIM)),
+        Span::styled(fmt_ms(sc.current_duration_ms), Style::default().fg(TEXT_PRIMARY)),
+        Span::styled(" · cost ", Style::default().fg(TEXT_DIM)),
+        Span::styled(fmt_cost(sc.current_max_cost), Style::default().fg(AMBER_WARN)),
+    ]));
+
+    f.render_widget(Paragraph::new(lines).wrap(Wrap { trim: false }), inner);
+}
+
 fn render_active_panel(f: &mut Frame, area: Rect, sc: &SentinelConfigState) {
     let block = Block::default()
         .title(" ⚙️  Active limits (live) ")
@@ -627,7 +698,7 @@ fn render_active_panel(f: &mut Frame, area: Rect, sc: &SentinelConfigState) {
             ),
         ]),
         Line::from(""),
-        Line::from("Press Tab → Custom to tune your own limits.").style(Style::default().fg(TEXT_MUTED)),
+        Line::from("Tab → About / Custom / Templates to switch views.").style(Style::default().fg(TEXT_MUTED)),
     ];
     f.render_widget(Paragraph::new(lines).wrap(Wrap { trim: false }), inner);
 }
@@ -741,15 +812,15 @@ fn render_custom_help(f: &mut Frame, area: Rect, sc: &SentinelConfigState) {
     lines.push(Line::from(field.env_var()).style(Style::default().fg(CYBER_CYAN)));
     lines.push(Line::from(""));
     lines.push(
-        Line::from("UI Apply = live in memory until Gateway restarts.")
-            .style(Style::default().fg(TEXT_MUTED)),
+        Line::from("Enter Apply → Gateway + disk (%APPDATA%\\4runr\\config\\sentinel-limits.json).")
+            .style(Style::default().fg(NEON_GREEN)),
     );
     lines.push(
-        Line::from("D in 4r disconnect respawns Gateway → env defaults return.")
+        Line::from("Survives Gateway restart. Env vars in docker-compose override fields when set.")
             .style(Style::default().fg(TEXT_MUTED)),
     );
     lines.push(
-        Line::from("Set env in docker-compose / shell before connect to keep forever.")
+        Line::from("Scope: all agent runs on this Gateway (one policy per run execution).")
             .style(Style::default().fg(TEXT_MUTED)),
     );
     lines.push(Line::from(""));

package/package.json

@@ -1,8 +1,8 @@
 {
   "name": "4runr-os",
-  "version": "2.10.63",
+  "version": "2.10.65",
   "type": "module",
-  "description": "4Runr AI Agent OS - Secure terminal interface for AI agents. v2.10.63: Sentinel Custom — M:SS time display, cent-level cost steps.",
+  "description": "4Runr AI Agent OS - Secure terminal interface for AI agents. v2.10.65: Sentinel limits reload from disk on open; About tab explains purpose.",
   "main": "dist/index.js",
   "bin": {
     "4runr": "dist/index.js",